etracker Analytics – Consent-free in compliance with TTDSG and GDPR

The current requirements of the supervisory authorities

According to the current guidance of the German supervisory authorities for telemedia providers, web analytics services can be used in a legally compliant manner without an obligation of consent only if two prerequisites under the TTDSG and the GDPR are met: the service must manage without analytical cookies, and the processing must be data protection-friendly under the overriding legitimate interest of the website operator.

1. Consent-free under TTDSG (cookie-less)

The Telecommunications Telemedia Data Protection Act (TTDSG) contains regulations on access to the user’s terminal equipment. By default, etracker Analytics only uses functional or absolutely necessary cookies. Active access to the user’s end device does not take place. According to the supervisory authorities, the processing of browser and header information used by etracker does not require consent:

“Access requires a targeted transmission of browser information that is not initiated by the end user. If only information, such as browser or header information, is processed, which is transmitted inevitably or due to (browser) settings of the terminal device when calling up a telemedia service, this is not to be considered as ‘access to information already stored in the terminal device’.”

(see: https://www.datenschutzkonferenz-online.de/media/oh/20211220_oh_telemedien.pdf, page 8)

(Translated by the author)

For session tracking, etracker Analytics does not store any data in the user’s end device, but assigns interactions to the respective visits purely on the server side via securely hashed session tokens:

“Examples of information transmitted when a telemedia service is called up are:

  • the public IP address of the terminal device,
  • the address of the website called up (URL),
  • the user agent string with browser and operating system version and
  • the language set.”

(Translated by the author)

The following technically necessary accesses to the terminal equipment may take place within the meaning of Section 25 (2) No. 2 TTDSG:

(a) Should users object to data processing for analysis purposes via the data protection notice on the website, the objection will be stored in a cookie (_et_oi_v2). If this cookie is set and has the content “NO”, no data will be collected for this user.

(b) The website operator can obtain consent to the setting of cookies for analysis purposes at any time by opt-in. For this purpose, etracker provides a consent banner and function calls that can be connected to external consent management platforms. Corresponding instructions are available at https://www.etracker.com/en/docs/integration-setup-2/consent-management-tools/. Upon consent, a cookie is set to indicate that etracker may set cookies. If consent is revoked, the cookie is deleted.

(c) The scroll depth measurements for the scrollmap report are temporarily stored in the session storage so that not every scroll movement leads to a data transmission, but the scroll depth data is sent to etracker “bundled” every few seconds. The use of session storage for scroll depth measurement is a purely technical delay of the transmission in order not to negatively affect the user experience due to longer loading times. Scroll depth measurement can also be optionally deactivated or configured so that scroll tracking only takes place after consent.

Conclusion

Thus, etracker Analytics fulfils the criteria of freedom from consent according to the TTDSG.

2. Consent-free under GDPR (overriding legitimate interest)

The General Data Protection Regulation (GDPR) regulates the processing of personal data. Reporting in etracker Analytics is based on anonymised and mainly aggregated data. However, anonymisation is itself a processing operation under the GDPR. This includes the default automatic shortening of the IP address at the earliest possible point, in the RAM of the data acceptance server.

Two legal bases come into question for this (anonymisation) processing: consent and overriding legitimate interest. The current guidance confirms that the legal basis of consent is not preferable to legitimate interest in terms of data protection law, i.e. it is not more data protection-friendly:

“The processing of personal data is only lawful if at least one of the conditions of Art. 6 (1) GDPR is met. All of the legal bases mentioned in this norm are of equal rank and value. For the processing of personal data by non-public controllers in the provision of telemedia services, it is generally possible to invoke consent pursuant to Art. 6(1)(a) GDPR, contractual obligations pursuant to Art. 6(1)(b) GDPR or overriding legitimate interests pursuant to Art. 6(1)(f) GDPR.”

(Translated by the author)

The legal basis of overriding legitimate interest places high demands on processing in terms of data protection friendliness and requires a balancing of interests under the criteria already mentioned by the Data Protection Conference in 2019. These criteria were the basis for the independent audit of etracker Analytics by ePrivacy Consult and are recorded in this sample balance of interests.

The result of the audit reads:

“[…] Based on our detailed audit, we consider it justified to use the legal basis of Art. 6 (1) f) GDPR (legitimate interest) to justify the data processing of etracker Analytics and etracker Optimiser, also with regard to the DSK paper from December 2021 and the ECJ ruling from 01.10.2019. In cookie-less mode (standard mode), the use of etracker Analytics is legal according to the GDPR and TTDSG without any obligation of consent.”

The result of the audit can be found here.

The French supervisory authority CNIL also confirms that etracker Analytics can be used free from the obligation of consent: https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/cookies-solutions-pour-les-outils-de-mesure-daudience

Among other things, ePrivacy Consult certifies the following for etracker Analytics:

  • Upon registration, a Data Processing Agreement is automatically concluded, see https://www.etracker.com/en/dp-agreement/
  • The IP address is automatically shortened as soon as possible (in the server cache) and thus only persisted anonymously.
  • Reporting is carried out with anonymised and almost exclusively aggregated data without the possibility of identifying the user.
  • Session identifiers for linking individual interactions to visits are limited to a maximum of 24 hours, as a daily time stamp is included in the hash value automatically generated by the server. This excludes the possibility of permanent recognition, unless cookies are activated after consent has been given. Browser fingerprinting in accordance with OH Telemedien or Art. 29 Data Protection Group therefore does not take place.
  • The data is processed exclusively on behalf of etracker and is not used for etracker’s own purposes or linked with data from other etracker customers.
  • No personal data is passed on to third parties (Google, Facebook & Co.).
  • No granular mouse movement recordings are made.
  • An objection function is provided for the privacy policy.
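The server-side points above (early IP shortening, a session hash that includes the day, and the _et_oi_v2 objection cookie) can be sketched as follows. This is an added example, not etracker's code: the hash inputs, the HMAC-SHA-256 construction, the server key, the prefix widths and all function names are assumptions, and the page only states that a daily time stamp is part of a server-generated hash.

```python
import hashlib
import hmac
import ipaddress
from datetime import date, timedelta

SERVER_KEY = b"constructed-demo-key"  # assumption: secret held only on the server

def shorten_ip(ip: str) -> str:
    """Zero the host part in memory (assumed widths: /24 for IPv4, /48 for IPv6)."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)

def session_token(ip: str, user_agent: str, language: str, day: date) -> str:
    """Keyed hash over header data plus the calendar day, so it changes daily."""
    fields = [shorten_ip(ip), user_agent, language, day.isoformat()]
    return hmac.new(SERVER_KEY, "\x1f".join(fields).encode(), hashlib.sha256).hexdigest()

def collect(hit: dict, day: date):
    """Return the record to persist, or None when the objection cookie is set."""
    if hit["cookies"].get("_et_oi_v2") == "NO":
        return None
    return {
        "ip": shorten_ip(hit["ip"]),  # the full address is never stored
        "url": hit["url"],
        "session": session_token(hit["ip"], hit["ua"], hit["lang"], day),
    }

# Constructed sample hits (documentation IP range, made-up user agent).
UA = "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0"
HITS = [
    {"ip": "203.0.113.77", "ua": UA, "lang": "de-DE", "url": "/", "cookies": {}},
    {"ip": "203.0.113.77", "ua": UA, "lang": "de-DE", "url": "/pricing", "cookies": {}},
    {"ip": "203.0.113.77", "ua": UA, "lang": "de-DE", "url": "/",
     "cookies": {"_et_oi_v2": "NO"}},
]

if __name__ == "__main__":
    today = date(2024, 1, 15)
    for d in (today, today + timedelta(days=1)):
        for hit in HITS:
            print(d, hit["url"], collect(hit, d))
```

In this sketch, two page views on the same day share a session value, the same visitor gets a different value the next day, and a request carrying the objection cookie produces no record at all.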

However, if a website operator comes to the conclusion that its legitimate interests do not prevail due to its individual circumstances, such as the possible enrichment of web analytics data or its further processing in third-party systems, the tracking opt-in option can be used.

Conclusion

When using etracker Analytics, only processing operations that are justified on the basis of the overriding legitimate interest of the website operator are carried out. As a rule, there is no obligation of consent according to the GDPR.


This document does not claim to be legal advice and cannot replace individual legal advice. We work closely with lawyers specialised in data protection and are happy to pass on the contacts for individual consultations.
