Consent regulation to reduce the overflow of cookie banners takes effect

From Tuesday, users will not have to consent to the use of cookies again and again. Instead, they will be able to permanently store their decisions regarding the browser files used for targeted advertising, for example. In principle, this is made possible by the new regulation on consent management services. It establishes a legal framework for an alternative procedure that enables the integration of independent services. The Bundestag and Bundesrat approved the regulation last year. It will now apply from April 1.

Using the information stored in a cookie or through similar technologies, a web server can, for example, recognize the end user, restore user-specific settings, measure reach, track activities or display individual advertising. In accordance with the General Data Protection Regulation (GDPR), telemedia providers must ask users for their consent each time they use their service. Once consent has been given and documented, users should no longer be constantly bothered by banner ads in future.

The regulation is based on Section 26 of the Telecommunications Digital Services Data Protection Act (TDDDG). It provides for the development of recognized consent management services that enable "user-friendly and competition-compliant procedures" and technical applications for obtaining and managing cookie decisions. One sticking point of the regulation: the integration of relevant services is voluntary. There are also no blanket default settings for tracking cookies.

Consumer and data protection advocates are skeptical

With the new approach, "we are reducing the number of clicks required and giving users a better overview and more control over their consent", says Federal Digital Minister Volker Wissing (non-party) with conviction. This strengthens data protection and digital self-determination. According to the regulation, decisions made are valid "until revoked, unless the context or the expectations of the parties indicate otherwise". The recognized consent management service may remind users of their settings for relevant requests after one year at the earliest.

Technically, "Personal Information Management Systems" (PIMS) or single sign-on solutions can be considered as management services. However, concrete providers as defined by the regulations are few and far between. Their approval is granted following the submission of a security concept by the Federal Data Protection Commissioner Louisa Specht-Riemenschneider. She recently explained the requirements and published an application form online. Various technical and organizational protective measures must be presented. However, Specht-Riemenschneider has still not received any applications for recognition.

Consumer advocates complain that website operators do not have to accept decisions that have been made. If users do not give their consent to the setting of cookies, online services can ask for consent as often as they like. Only an opt-in is permanent. Users who are annoyed and click on "accept" can no longer rely on being protected from tracking and profiling by the privacy-friendly settings they have made in their browser. Browsers would have to store cookies – against the wishes of users. This would put manufacturers at a disadvantage if they shielded their users with "Do not track" default settings, for example. Denis Lehmkemper, the data protection officer for Lower Saxony, also fears that the regulation will miss its target.

(mma)