Data protection: Bundestag approves regulation against cookie banner flood

The German government wants to open up a new way to stem the flood of cookie banners. With the votes of the "Ampel" parliamentary groups and the abstention of the Left Party, the Bundestag approved a regulation on Thursday evening, which the federal government introduced in September after years of blocking. The aim is to create a "user-friendly alternative to the large number of individual decisions to be made" for consent banners. Recognized services should enable end users to give their consent on a permanent basis. According to the plan, it will also be possible to track and review decisions at any time.

However, participation is voluntary for website operators. Moreover, the project is not even threatened by the fate of the largely ignored "Do not track" option in common web browsers: The German plan does not provide for any blanket default settings on tracking cookies at all; rather, users must decide individually for each website. And even then, participating websites only have to take consent into account; if the user has declined via a recognized service, the website may still repeatedly display the cookie banner.

If they use one of the "recognized services", web servers should be able to use cookies or similar methods to recognize their users, restore settings, measure reach, track activities ("tracking") or display individual advertising, according to the regulation, which has been adopted unchanged. This should eliminate the need for daily consent clicks on banners on the same websites.

Criticism from consumer advocates and the opposition

In September, the German Federation of Consumer Organizations (vzbv) criticized the fact that website operators do not have to accept decisions made. If users do not give their consent to the setting of cookies, online services can ask for consent again as often as they like. Only opt-ins are permanent. Furthermore, users who clicked on "accept" in annoyance could no longer rely on being protected from tracking and profiling by the privacy-friendly settings they had made in their browser. Browsers would have to store cookies – contrary to the user's wishes –. This would put manufacturers who seek to protect their users from tracking at a disadvantage.

The regulation is to be evaluated two years after it comes into force. The government factions would then like to determine whether voluntariness is sufficient and how the market has developed. Representatives of the opposition question the entire effort. Doubts have also been expressed as to who might be interested in developing a consent service in the first place. Digital State Secretary Daniela Kluckert (FDP) already stated the following at the decisive committee meeting on Wednesday: "We enable such services to be created, but do not prescribe them."

Government relies on incentive instead of obligation

Decisions made are valid "until revoked, unless the context or the expectations of the parties indicate otherwise". The recognized consent management service may remind users of their settings for consent requests after one year at the earliest. According to an initial draft from 2022, users should still be prompted to review their settings "after a reasonable period of time, but at the latest after six months".

The Federal Data Protection Commissioner is to decide whether a service is "recognized" after submitting a security concept. This review is subject to a fee "based on time spent", as the government does not want to be left with the expected annual costs of around 79,000 euros. The government hopes that recognition by the independent body will provide incentives for consumers and website operators to use such services.

The new regulation is based on Section 26 of the Telecommunications Digital Services Data Protection Act (TDDDG). The Federal Council still has to give its approval.

(ds)