Data protection: Regulation against cookie banner flood misses its target

After the Bundestag, the Bundesrat voted shortly before Christmas in favor of a controversial regulation aimed at stemming the flood of cookie banners. The legislation is expected to come into force on April 1.

The core of the initiative is to provide end users with a transparent tool via a recognized service with which they can give their consent or opt-out on a permanent basis. However, Denis Lehmkemper, the data protection officer for Lower Saxony, does not think much of the approach adopted. One of his points of criticism: Website operators remain free to implement approved consent management services.

Hardly any changes for website visitors?

Lehmkemper fears that "many providers will continue to rely on conventional consent banners". Accordingly, the benefits for visitors to their websites are likely to be minimal. The data protection expert also points out that the now regulated consent management services only cover opt-ins or refusals in accordance with the Telecommunications Digital Services Data Protection Act (TDDDG), but not those in accordance with the General Data Protection Regulation (GDPR). According to the EU standard, website operators must ask users for their consent to the various types of cookies each time they use their service.

Lehmkemper complains that the administrative services now made possible in Germany are therefore unlikely to simplify the handling of cookie banners. What's more, there are currently no services that meet the requirements of the regulation. It is also unclear who will offer such services in the future, "especially regarding the strict certification requirements".

Personal Information Management Systems (PIMS) or single sign-on solutions could be considered. Lehmkemper therefore assumes "that the current practice of dealing with consent on websites will unfortunately hardly change". According to him, the problem could be solved more easily: website operators should "consistently make their offerings more data protection-friendly", for example by refraining from using third-party services and cookies, especially for excessive and unpredictable digital marketing – for the user.

Federal Data Protection Commissioner explains requirements

The Federal Council's Committees for Home Affairs and Economic Affairs had demanded, among other things, that the requirements for integrating a consent management service should be equally mandatory for all providers of digital services. However, they were unable to get their way in the plenary session. In a resolution, the state chamber appealed to the federal government to carry out the planned evaluation of the regulation "carefully and critically" within two years. As a precautionary measure, the development of alternative approaches should begin at the same time as the evaluation.

According to the ordinance, new consent management services will be approved after the Federal Data Protection Commissioner Louisa Specht-Riemenschneider has presented a security concept. She has explained the requirements and provided an application form online. Accordingly, various technical and organizational protective measures must be presented. Information on the economic and organizational structure as well as financing is also required. The federal government has estimated annual costs of around 79,000 euros for approval by the data protection authority. These costs are to be passed on to the economy. Specht-Riemenschneider has not yet received any applications for recognition.

(emw)