In force as of 1 Decem­ber 2021: the TTDSG and the “new” coo­kie rules

The new Tele­com­mu­ni­ca­ti­ons and Tele­me­dia Data Pro­tec­tion Act (TTDSG) (only in Ger­man) com­bi­nes the data pro­tec­tion pro­vi­si­ons of the Tele­com­mu­ni­ca­ti­ons Act (TKG) (only in Ger­man) and the Tele­me­dia Act (TMG) and ser­ves to imple­ment Euro­pean law requi­re­ments, par­ti­cu­lar­ly the ePri­va­cy Direc­ti­ve. The Act is to take effect on 1 Decem­ber 2021. Are com­pa­nies facing new legal chal­lenges as a result? We pre­sent the changes.

New regu­la­ti­on for the use of cookies?

§ 25 of the TTDSG recei­ved the most atten­ti­on in public dis­cus­sion. This sec­tion con­ta­ins regu­la­ti­ons for the sto­rage and use of data on users’ ter­mi­nal equip­ment. The requi­re­ments for the use of the­se coo­kies, for exam­p­le by ope­ra­tors of Inter­net sites, has a long histo­ry in Germany.

For a long time, it was dis­pu­ted whe­ther Ger­ma­ny was even ade­qua­te­ly imple­men­ting the requi­re­ments of the ePri­va­cy Direc­ti­ve in this regard. Artic­le 5(3) the­reof cla­ri­fies that the sto­rage of and access to infor­ma­ti­on on users’ end devices, usual­ly refer­red to as “coo­kies”, is gene­ral­ly only pos­si­ble if they give their pri­or con­sent or if the coo­kie is tech­ni­cal­ly abso­lut­e­ly necessary.

Howe­ver, Euro­pean direc­ti­ves that impo­se obli­ga­ti­ons on pri­va­te actors are not direct­ly appli­ca­ble, but requi­re imple­men­ta­ti­on through natio­nal law. The rele­vant pro­vi­si­on in Ger­man law was found in the pre­vious­ly appli­ca­ble § 15 III 1 of the Ger­man Tele­me­dia Act (only in Ger­man). Howe­ver, this ina­de­qua­te­ly reflec­ted the requi­re­ment of Artic­le 5(3) of the ePri­va­cy Direc­ti­ve. The Fede­ral Supre­me Court (BGH) the­r­e­fo­re used an inter­pre­ta­ti­on in con­for­mi­ty with the Direc­ti­ve and inter­pre­ted the pro­vi­si­on of the Tele­me­dia Act con­tra­ry to the wor­ding in the favour of the requi­re­ments of Euro­pean law. § 25 TTDSG now pro­vi­des cla­ri­ty here by cle­ar­ly imple­men­ting the requi­re­ments of the ePri­va­cy Direc­ti­ve and also clo­se­ly fol­lo­wing the wor­ding of the Direc­ti­ve. With regard to legal cer­tain­ty, this is to be wel­co­med as oppo­sed to an inter­pre­ta­ti­on bey­ond the limits of the wording.

At the same time, howe­ver, this means that the legal situa­ti­on has remain­ed lar­ge­ly unch­an­ged from the sta­tus quo ante on this issue. Rather, the legal situa­ti­on alre­a­dy estab­lished by the so-called “coo­kie rulings” of the Fede­ral Supre­me Court (BGH) was only set out more cle­ar­ly. The TTDSG also does not spe­ci­fy any fur­ther exact­ly the con­sent must be structured.

Con­sent services

Howe­ver, § 26 TTDSG (only in Ger­man) con­ta­ins a sur­pri­sing inno­va­ti­on. Accor­ding to this pro­vi­si­on, con­sent manage­ment ser­vices are per­mis­si­ble under cer­tain con­di­ti­ons. The­se per­so­nal infor­ma­ti­on manage­ment sys­tems (PIMS) allow for pri­or con­sent through an inde­pen­dent ser­vice. Via this, a user can spe­ci­fy in advan­ce which cate­go­ries of coo­kies he or she gene­ral­ly agrees to and under which con­di­ti­ons. The ser­vices tell the web­sites the set­tings they want. In per­spec­ti­ve, this could pro­ve to be an effec­ti­ve tool for stem­ming the tide of con­sent ban­ners that many per­cei­ve as a burden.

Howe­ver, accor­ding to § 26(2) TTDSG (only in Ger­man), the Fede­ral Govern­ment would first have to spe­ci­fy more pre­cise requi­re­ments in a ordi­nan­ce with the appr­oval of the Fede­ral Coun­cil. In addi­ti­on, pro­vi­ders would have to be found who have the cor­re­spon­ding cer­ti­fi­ca­ti­on requi­red by § 26(1) TTDSG (only in Ger­man) car­ri­ed out for their service.

Exten­ded scope of application

One chan­ge that should be of inte­rest to pro­duct manu­fac­tu­r­ers con­cerns the scope of appli­ca­ti­on of the regu­la­ti­ons. In a depar­tu­re from the ePri­va­cy Direc­ti­ve, § 25 TTDSG (only in Ger­man) does not refer to end devices, but to users’ ter­mi­nal equip­ment. Pur­su­ant to § 2(2)6 TTDSG (only in Ger­man), this term is defi­ned as any device con­nec­ted direct­ly or indi­rect­ly to the inter­face of a public tele­com­mu­ni­ca­ti­ons net­work for the pur­po­se of trans­mit­ting, pro­ces­sing or recei­ving mes­sa­ges. The legis­la­ti­ve intent of this Act sta­tes that this wor­ding is inten­ded to cover a broad scope of appli­ca­ti­on. The requi­re­ments of § 25 TTDSG  thus app­ly not only to Inter­net com­mu­ni­ca­ti­ons, but also to the use of net­work­ed devices (Inter­net of Things) such as smart home devices.


For com­pa­nies, the intro­duc­tion of the TTDSG chan­ges litt­le. The regu­la­ti­ons on coo­kies have alre­a­dy been appli­ca­ble law up to now. It is wel­co­me that legis­la­tors want to enable the use of PIMS. Howe­ver, it is ques­tionable when and whe­ther such ser­vices will be used at all on the basis of § 26 TTDSG, espe­ci­al­ly sin­ce the TTDSG will be super­se­ded in the coming years by the Euro­pean ePri­va­cy Regu­la­ti­on, which has alre­a­dy been in the works for some time. Howe­ver, com­pa­nies that have not yet ade­qua­te­ly imple­men­ted the requi­re­ments of the ePri­va­cy Direc­ti­ve should do so in a time­ly fashion.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.