Data protection authorities to ensure compliance with Cookie rules

At the turn of the year, we wrote about the ever increasing focus of European data protection authorities on ‘Cookies’, the importance of having good privacy notices and when you should be obtaining consent prior to dropping Cookies on users' devices. Whilst Europe moves ever closer to the adoption of a new ePrivacy Regulation, the focus on non-compliant Cookie use shows no sign of abating.

The German Telecommunications and Telemedia Data Protection Act (TTDSG)

In February 2021, the German Federal Cabinet adopted the Telecommunications and Telemedia Data Protection Act which, amongst other things, was introduced to provide regulation on Cookies. Such legislation implements the EU Directives (particularly the ePrivacy Directive) into German national law. This follows the increase in attention placed on Cookies by data protection authorities to ensure that businesses act in accordance with the data protection rules relating to Cookies – in particular consent.

Oddly, the adoption of this legislation comes ahead of any finalised version of the much expected EU ePrivacy Regulation, and it is an interesting approach taken by the German Federal Cabinet, not least for how it deals with Cookies. Following recent European case law in this area, the legislation categorises Cookies into Cookies that require consent and Cookies that are strictly necessary to provide a telemedia service which the user has requested. Fundamentally, if the user has not consented or if the Cookie is not facilitating communication over a public telecommunications network, or the strictly necessary exception applies, then the business dropping the Cookies will be acting unlawfully.

Why is the German TTDSG important?

There are two main concerns around this:

  • there is, in general, a growing trend of greater enforcement on compliance with Cookie rules; and
  • the potential for different rules.
Greater enforcement on compliance with Cookie rules

Germany is not the only country to prioritise compliance with Cookie rules. Earlier this year, we wrote about the fines imposed upon Google and Amazon by the CNIL, the French data protection authority. Further to its enforcement action against Google and Amazon, the CNIL has announced that its three main enforcement priorities for 2021 include cybersecurity, security of health data, and Cookies.

In the UK, according to information published by the ICO, the number of complaints relating to Cookies has steadily increased year on year. Extensive guidance on Cookies and compliance with Cookie rules has been published by the ICO. Currently, the ICO has not chosen to prioritise compliance with Cookie rules, with the clear focus being on telemarketing; however, this does not mean that Cookies will not become a priority for the ICO in the future (nor, of course, does it mean any relaxation of compliance more generally).

Impact of differing rules on business

Due to the growing attention placed on compliance with Cookie rules across the EU, any electronic communications services business which has any UK or European (and indeed any other international) aspect to its services should evaluate their current use of Cookies to ensure they comply with the relevant data protection rules. In particular, electronic communications services businesses should ensure compliance with the upcoming ePrivacy Regulations (which will have extraterritorial extent and therefore remain of interest to those in the UK), particularly in relation to consent and Cookie notices. In addition, if your business has an establishment in Germany, you may also need to comply with the TTDSG (which has a more restrictive set of exceptions with regards to Cookies).

How can we help?

For further information on Cookie notices and obtaining consent from users to place Cookies, please get in touch with our specialist GDPR & Cyber Security team.

This article was co-written by Haris Saleem, Trainee Solicitor.

Latest updates from @MacRoberts

  • Would you like to work at one of Scotland’s leading law firms? We currently have a number of opportunities availabl… 21/06/2021
  • We currently have a vacancy for a Customer Due Diligence Administrator based in Glasgow or Edinburgh. Please shar… 18/06/2021
  • Maya Forstater received a lot of media attention around her tweets relating to her beliefs about sex, resulting in… 18/06/2021
  • Applications for our traineeships starting in 2023 are now open! Get your legal career off to the best possible sta… 18/06/2021
  • RT @DundeeAndAngus: Leading Scottish commercial law firm, @MacRoberts has advised BAM on the ‘game-changing’ Atlantic Square development in… 16/06/2021
  • This week on our new IGTV mini-series, giving an insight into what it’s like to begin a legal career during the pan… 16/06/2021
  • Self-employed status: What does the Uber case really mean? 🚖 Kenny Scott explains what the recent ruling means for… 16/06/2021
  • What is the Scottish #gin industry doing to improve #sustainability? Following #WorldGinDay celebrations over the w… 15/06/2021
  • The European Commission has adopted & published versions of two new sets of Standard Contractual Clauses. What ch… 15/06/2021
  • What impact could Ireland High Court's decision to reject an action by Facebook to block an inquiry by the Irish… 14/06/2021
  • Wishing all of our followers a happy #WorldGinDay! ICYMI: Earlier this week, we were delighted to catch up with… 12/06/2021
  • We're #hiring! We have a #vacancy for a Senior #Solicitor or Associate to join our IP, Technology & Commercial team… 10/06/2021
  • Dealing with an employee's misconduct when that employee contends it is linked to a disability can be tricky - read… 09/06/2021
  • MacRoberts' have launched a new IGTV mini-series, giving an insight into what it’s like to begin a legal career dur… 09/06/2021
  • Scotland's new #landownership transparency register - the Register of Persons Holding a Controlled Interest in Land… 09/06/2021