Will cookie banners soon disappear from Germany?

Anyone surfing the internet is often confronted with cookie banners that pop up when a website is visited for the first time. One is asked to give or refuse consent to data processing. This is often annoying and leads to the banner being clicked away as quickly as possible without reading, the so-called "cookie fatigue". In addition, the banners impair the aesthetics and effect of a website. Now, in future, it should be possible to decide once whether consent should be given or not.

For this purpose, the German Federal Ministry of Digital Affairs and Transport published a new draft bill for a "Consent Management Regulation" (Einwilligungsverwaltungsverordnung -- EinwV) on 01 June 2023 (in the following "German Consent Management Regulation"), which is intended to flesh out the existing rules of the German Telecommunications Telemedia Data Protection Act (TTDSG) in more detail.

Scope

The scope of the German Consent Management Regulation shall be as follows:

Telemedia providers (e.g. websites, apps) must obtain consent for data processing if services are stored on the visitor's device (e.g. cookies) or if data is accessed on the visitor's device and this is not technically necessary. It is irrelevant here whether the data is personal data. By accessing this data, a web server can, among other things, recognise the end user and restore user-specific settings, track activities (so-called tracking) or insert individual advertising.

Now, "recognised consent management services" are created, which act as data trustees and store the consent preferences of end users. When visiting a website, the telemedia provider queries the end-user's preference and receives a response from the "recognised consent management service".

Key Objectives

The key objectives of the German Consent Management Regulation are the following:

• Telemedia providers and recognised consent management services must use standard programming languages or communication protocols for this purpose. It would be conceivable, for example, to add a signal to the header of the HTTP/HTTPS request that indicates the integration of the recognised consent management service.[1]
• User-friendliness: The regulation also sets out requirements for the user-friendliness of consent management. For example, the end-user must be able to view his or her declared or rejected consents at any time. In addition, the end user can be reminded of the discontinuation of his consent and asked to review it, but in principle only every 12 months, so that the end user does not feel harassed or pressured to change his decision. The aim is for the end-user to have more control over their data and to be able to track its use transparently.
• Recognition: A consent management service is recognised if it has submitted an application and a security concept. In addition, it must meet the requirements of §§ 3-7 of the German Consent Management Regulation. Furthermore, the consent management service must not have any economic self-interest in the consent of the end user and in the managed data.[2]
• The recognised consent management service may be chargeable to the end-user as well as to the telemedia provider.[3]
• A public register will be kept of recognised consent management services.[4]
• The German Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit, BfDI) is responsible for recognition as a consent management service.[5]
• For telemedia providers, the inclusion of recognised consent management services is voluntary. Consequently, they can retain the use of cookie banners if they wish. However, based on the research report on consent management (Stiemerling/Weiß/Wendehorst), it is expected that telemedia providers will voluntarily set up interfaces for communication with recognised consent management services. This is because telemedia providers can trust that they can thus ask for and receive legally secure consent.

Recipients

The German Consent Management Regulation is aimed at all companies and persons who have a German branch office - in the case of natural persons: a German place of residence - or which provide services in Germany and are involved in the provision of services in Germany (market place principle).

Penalties

None -- penalties are not opportune. The new German Consent Management Regulation offers new voluntary fields of activities for consent management services. The recognition may be revoked if a "recognised consent management service" no longer complies with the conditions of the recognition. However, the responsible authority is not obliged to carry out regular and unannounced inspections.

Outlook / Next steps

Involved parties have until 14 July 2023 to submit their comments to the Federal Ministry of Digital Affairs and Transport. The Federal Government will then have to adopt and decide on the draft.

In the future, the TTDSG and therefore the German Consent Management Regulation will be replaced by the EU's ePrivacy Regulation. According to the current draft, this also provides for simplification by means of a consent management tool. However, it is still unclear when the ePrivacy Regulation will come into force. The ePrivacy Regulation was originally due to come into force in 2018, when the EU Commission published its draft on 10 January 2017, and the EU Parliament subsequently agreed on an amended draft on 26 October 2017.

Following this, the Council of the EU should have published its version of a draft - but the Council could not agree on a common draft. Finally, on 10 February 2021, after years of discussion, the Council published a joint draft. In May 2021, the informal trilogue negotiations between the EU Parliament, the EU Commission and the Council of the EU began.

[1] Begründung RefE EinwV zu § 7 Abs. 1 Nr. 1 und Stiemerling/Weiß/Wendehorst, Forschungsgutachten zum Einwilligungsmanagement nach § 26 TTDSG, 2021, Rn. 23, 208
[2] § 9 I 2 Nr. 7 RefE EinwV
[3] Begründung RefE EinwV zu § 9 Abs. 1 Nr. 7
[4] § 11 IV RefE EinwV
[5] § 12 RefE EinwV