On 26 April 2018, the Conference of German Data Protection Authorities (German DPAs) released a highly criticised position paper on the applicability of the German Telemedia Act (TMA) after 25 May 2018 (Position Paper). The Position Paper clearly states that tracking and profiling cookies now require informed prior opt-in consent.
Webtracking is governed by the General Data Protection Regulation (GDPR) as well as the ePrivacy Directive. The ePrivacy Directive is currently being revised. A new ePrivacy Regulation was supposed to enter into force in tandem with the GDPR on 25 May 2018, but it is delayed and we do not expect it to enter into force before the end of 2019. The German legislator has not updated the TMA due to the upcoming ePrivacy Regulation.
- Strictly necessary cookies may be justified by Article 6(1)(b) of the GDPR (performance of a contract) or Article 6(1)(f) of the GDPR (legitimate interests); and
- Tracking and profiling cookies require informed prior opt-in consent (Article 6(1)(a) of the GDPR). Cookies may not be dropped before such consent has been obtained.
Implementation of the requirements set out by the German DPAs
- Only strictly necessary cookies can be dropped when a user visits a website. Other tracking and profiling cookies cannot be dropped immediately when a user visits a website.
- Opt-in consent must be obtained on a website, for example, by using a cookie banner that includes an “Accept” button. Only after the user clicks the “Accept” button can tracking and profiling cookies be dropped.
Criticism of the Position Paper
The Position Paper has received a great deal of criticism. For example, Bitkom, the Association for Information Technology, Telecommunications and New Media, has released an opinion (available here) and states that the Position Paper merely sets out a politically desired result. It is incomprehensible why the TMA will no longer applies and why the Position Paper only takes consent into consideration as legal basis for tracking and profiling cookies.
In its analysis of the Position Paper, the German Advertising Association is critical that the German DPAs require consent for all tracking and profiling cookies in an undifferentiated and abstract manner. Instead, the German Advertising Association suggests that legitimate interest might also be a legal basis, taking into consideration the categories of personal data, technologies used, technical and organisational security measures, purposes of processing, use cases, pseudonymisation of data and transparency for each specific cookie.
Reaction to the Position Paper by other supervisory authorities and organisations
Not many organisations have yet implemented the guidance set out in the Position Paper –possibly because of the short time since the publication of the Position Paper and the many concerns and criticism that have been raised regarding the Position Paper. Opt-out consent still seems to be the best practice that most organisations apply.
The intention of the German DPAs in publishing the Position Paper less than a month before the GDPR date and the reason for acting as a “substitute legislator” is not really clear. We also understand that it was not a unanimous decision by the German DPAs to issue the Position Paper.
Further, this Position Paper will force the German view to be applied on an international level. Organisations will likely not provide different solutions on their websites for German users and for users from other countries.
The German DPAs have now reacted to the criticism of many stakeholders and started a consultation with stakeholders on the implementation of the Position Paper (see the German DPAs’ press release here). The consultation period will end on 29 June 2018.