Consent management: German government wants to combat flood of cookie banners

A recognized consent management service will provide users with a transparent tool for managing consents and refusals.

This article was originally published in German and has been automatically translated.

The German government has agreed on a course of action to curb cookie banners. On Wednesday, the Federal Cabinet launched a draft ordinance. This was preceded by years of negotiations. Specifically, it concerns paragraph 26 of the Telecommunications Digital Services Data Protection Act (TDDDG). Telemedia providers must, in principle, ask users for their consent to the various types of cookie use each time they use their service in accordance with the General Data Protection Regulation (GDPR). Once consent has been given and documented, users should no longer be bothered by a query from the banner in the future.

The core provision of the government draft is as follows: By integrating a recognized service for consent management, end users should have a transparent tool at their disposal with which they can give their consent permanently or opt out, as well as understand and review their decisions at any time. Recognition by an independent body should provide an incentive for consumers and digital service providers to use such management services and strengthen confidence in a legally secure procedure. The services should also be able to take on other tasks, for example asserting data subjects' rights under data protection law or administering consent to the processing of personal data.

Once decisions have been made, they do not have to be constantly repeated if providers of digital services accept the stored settings, explains the Federal Ministry for Digital and Transport Affairs (BMDV), which is responsible for the draft. This procedure also offers advantages for digital service providers: they can request consent or rejection "in a user-friendly, legally secure procedure without disrupting the design of their website with a banner".

A declaration made should not be limited in time. It remains valid "until revoked, unless the context or the expectations of the parties indicate otherwise". The recognized consent management service may remind users of their settings for consent requests after one year at the earliest. In a first draft from 2022, users were still to be prompted to review their settings "after a reasonable period of time, but at the latest after six months".

New consent management services are to be approved once the new Federal Data Protection Commissioner Louisa Specht-Riemenschneider has presented a security concept. The government has set annual costs of around 79,000 euros for approval by the data protection authority. These costs are to be passed on to the economy – and possibly ultimately to the users. In addition, there is a one-off compliance cost of 187,200 euros for the introduction of the innovations.

A cookie management service may only manage consents for which the provider of digital services has "at least informed" the user before they make their decision, including about "third parties that store information in the end user's terminal equipment" or can access it. The stored data should also be made clear, together with the purposes and periods of its processing and the option to withdraw consent at any time.

To ensure user-friendliness, the user interface of the consent management service must be designed to be "transparent and understandable". The user should also be able to export the settings to common file formats. In addition, there is the right to simply switch to another recognized service at any time and transfer the settings.

In the "spirit of technological neutrality", the government does not want to make "any specifications for technical implementation". A management service could be a retrievable digital service on a central platform or a technical application in a browser, for example. However, the state of the art must be observed. This means using a standard programming language or a communication protocol such as HTTP or HTTPS. Another conceivable technology would be to add a signal to the header of the HTTP/HTTPS request "that indicates the integration of the recognized consent management service".

Originally, the BMDV wanted to declare consent banners for tracking user activities as permissible, as many media sites use them as an alternative to a paid service. Under that original approach, the telemedia provider would have been able to point out to users that the provision of content is "wholly or partly financed by advertising", which would make the use of cookies "necessary for these purposes". This passage can no longer be found in the government draft. Data protection authorities have now approved "pure subscription models" in principle.

The BMDV explains that this is a new approach, including at European level. Within the limits of European data protection law, a legal framework is being established for the first time to counter the flood of cookie banners. This strengthens the informational self-determination of users on the Internet. Its success depends largely on providers emerging on the market and on users and service providers making use of the new consent procedures. The effectiveness of the requirements is to be evaluated two years after the regulation comes into force. The Bundestag and Bundesrat still have to give their approval.

(anw)