German TTDSG enters into force on December 1, are you ready?

New cookie consent requirements transposed into German law


November 29, 2021


On December 1, 2021, the Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia (TTDSG) will enter into force in Germany. The TTDSG aims to consolidate the Telemedia Act 2007 and Telecommunications Act 1996 as well as implement cookie consent requirements in accordance with Article 5(3) of the ePrivacy Directive.

The TTDSG was developed in reaction to the German Federal Court of Justice’s decision on the validity of cookie consent when pre-checked tick boxes were used to obtain the consent. The decision made by the German Federal Court of Justice took into account the Court of Justice of the European Union’s (CJEU) ruling in Planet49 GmbH v. Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (the Planet49 Case).

The German Federal Court of Justice found that the amendments made to Article 5(3) of the Directive on Privacy and Electronic Communications (the ePrivacy Directive) were not correctly transposed into German law. Therefore, the TTDSG will implement clear conditions for valid cookie consent in Section 25 of the law.

There are two key areas of the TTDSG that organizations should consider ahead of its entry into force on December 1, 2021. First, although the TTDSG is a federal law in Germany, it has a broad scope, meaning the law can apply to organizations across the world. Second, the TTDSG outlines two types of cookies: those that are strictly necessary, and those that require consent. However, the term ‘strictly necessary’ is not explicitly defined.

Join the discussion on the TTDSG: PrivacyConnect Frankfurt on November 30, 2021 at 10:00 CET

What is the Scope of the TTDSG?

Article 5(3) of the ePrivacy Directive applies to any information installed on or accessed from an individual’s device, meaning that the TTDSG will apply to both personal and non-personal data.

Further to this, Section 1(3) of the TTDSG states that “All companies and persons who have an establishment or provide or participate in the provision of services or make goods available on the market within the scope of this Act are subject to this Act”. This means that any business that has an establishment in Germany, regardless of whether processing activities take place within this establishment or not, will fall under the TTDSG’s scope. Therefore, a business must simply have an establishment in Germany for the TTDSG to apply.

Additionally, the TTDSG states that a business that “participates in the provision of services” will also fall under the scope of the law. Therefore, businesses that are in some way involved in services that are offered in Germany will be covered by the TTDSG’s provisions.

This vast scope may cause issues regarding the enforcement of the law. Therefore, organizations should remain vigilant and assess their processing activities to understand to what extent they are bound by the law.

What are Cookie Consent Requirements under the TTDSG?

The TTDSG transposes Article 5(3) of the ePrivacy Directive into German law. Section 25 of the TTDSG is almost an exact copy of ePrivacy’s Article 5(3).

Section 25 of the TTDSG reads:

  1. The storage of information in the end-user’s terminal equipment or the access to information already stored in the terminal equipment shall only be allowed if the end-user has consented on the basis of clear and comprehensive information. The information to the end-user and the consent shall be provided in accordance with Regulation (EU) 2016/679.
  2. Consent under paragraph 1 is not required,
    1. where the sole purpose of storing information in the end-user’s terminal equipment or the sole purpose of accessing information already stored in the end-user’s terminal equipment is to carry out the transmission of a communication over a public telecommunications network; or
    2. where the storage of information in the terminal equipment of the end-user or the access to information already stored in the terminal equipment of the end-user is strictly necessary in order for the provider of a telemedia service to provide a telemedia service explicitly”

‘Strictly Necessary’: What does it mean?

Section 25(2) of the TTDSG outlines two scenarios in which consent is not required, the second of which relates to the use of ‘strictly necessary’ cookies. While the TTDSG does not explicitly define the scope of strictly necessary cookies, the Article 29 Working Party’s (WP29) opinion on cookie consent exemptions can bring some clarity to this issue.

In its opinion, WP29 states that for a cookie to be considered ‘strictly necessary’ it must pass the following tests:

  1. A cookie is necessary to provide a specific functionality to the user (or subscriber): if cookies are disabled, the functionality will not be available.
  2. This functionality has been explicitly requested by the user (or subscriber), as part of an information society service.

In addition, organizations may look to guidance issued by other regulators such as the UK Information Commissioner’s Office, or the French data protection authority.

Compliance with the TTDSG

Following the CJEU’s decision in the Planet49 Case and the implementation of Article 5(3) of the ePrivacy Directive into the TTDSG, organizations are not permitted to use pre-checked tick boxes as a valid form of user consent. Additionally, notice-only cookie banners and scrolling or browsing do not indicate that a user has given their explicit consent to the placement of cookies.

Organizations will also need to provide users with clear information about how cookies are used as well as present users with the option to give specific consent for different categories of cookies such as performance cookies or targeting cookies. This information must be provided to users before they give their consent and cookies should not be placed on a user’s device until the appropriate consent has been obtained.

OneTrust Cookie Consent enables businesses to build intelligent, data-driven websites that respect users’ privacy and build trust and brand loyalty. OneTrust Cookie Consent helps businesses to operationalize their cookie compliance program through cookie banners tailored to match their company branding and through geolocation capabilities that display unique consent approaches based on the user’s location. OneTrust Cookie Consent can also help to automate cookie compliance through automated scheduled scans of your website and policy updates, and can help to maintain a detailed consent transaction database that creates an audit trail of what users were told and how they consented.
