Consent-free in compliance with TTDSG and GDPR

To use web analytics services in compliance with the current guidance of the German supervisory authorities for telemedia providers without an obligation of consent, the TTDSG and GDPR require that analytical cookies are not used, that data protection-friendly processing is guaranteed under the overriding legitimate interest of the website operator, and that processing within the EU is ensured by European processors.

The following graphic illustrates this:

1. Processing in the EU

etracker GmbH is based in Germany, as is the parent company and the IPHH data centre used by etracker (pure housing without data access). This means that there is no EU-US data transfer.

2. Consent-free under TTDSG (cookies-less)

The Telecommunications Telemedia Data Protection Act (TTDSG) contains regulations on access to the user’s terminal equipment. By default, etracker Analytics only uses functional or absolutely necessary cookies. Active access to the user’s end device does not take place. According to the supervisory authorities, the processing of browser and header information used by etracker does not require consent:

„Access requires a targeted transmission of browser information that is not initiated by the end user. If only information, such as browser or header information, is processed, which is transmitted inevitably or due to (browser) settings of the terminal device when calling up a telemedia service, this is not to be considered as ‘access to information already stored in the terminal device’.“

(Translated by the author)

For session tracking, etracker Analytics does not store any data in the user’s end device, but assigns interactions to the respective visits purely on the server side via securely hashed session tokens:

“Examples of information transmitted when a telemedia service is called up are:

the public IP address of the terminal device,
the address of the website called up (URL),
the user agent string with browser and
operating system version and
the language set.”

(Translated by the author)

The following technically necessary accesses to the terminal equipment may take place within the meaning of Section 25 (2) No. 2 TTDSG:

(a) Should users object to data processing for analysis purposes via the data protection notice on the website, the objection will be stored in a cookie (_et_oi_v2). If this cookie is set and has the content “NO”, no data will be collected for this user.

(b) The website operator can obtain consent to the setting of cookies for analysis purposes at any time by opting in. For this purpose, etracker provides function calls that can be connected to the respective consent management platform. Instructions to this can be found at https://www.etracker.com/en/docs/integration-setup-2/consent-management-tools/. If consent is given, a cookie is set to indicate that etracker may set cookies. If consent is revoked, the cookie is deleted.

(c) The scroll depth measurements for the scroll map report are temporarily stored in the session storage so that not every scroll movement leads to a data transmission, but the scroll depth data is sent to etracker “bundled” every few seconds. The use of session storage for scroll depth measurement is a purely technical delay in transmission, which does not increase the availability of the data. The technique is not about the possibility of retrieving information. It is not about fixing information and using it in later activities or even visits to the website, but merely about making the transmission as efficient as possible so that the user experience is not negatively affected by longer loading times. Scroll depth measurement can also be optionally deactivated or configured so that scroll tracking only takes place after consent.

Conclusion

Thus, etracker Analytics fulfils the criteria of freedom from consent according to the TTDSG.

3. Consent-free under GDPR (overriding legitimate interest)

The General Data Protection Regulation (GDPR) regulates the processing of personal data. Reporting in etracker Analytics is based on anonymised and mainly aggregated data. However, anonymisation already constitutes a processing operation in accordance with the GDPR, i.e. also the automatic and earliest possible shortening of the IP address in the RAM of the data acceptance server by default.

Two legal bases come into question for this (anonymisation) processing: consent and overriding legitimate interest. The current guidance confirms that the legal basis of consent is not preferable to legitimate interest in terms of data protection law, i.e. it is not more data protection-friendly:

“The processing of personal data is only lawful if at least one of the conditions of Art. 6 (1) GDPR is met. All of the legal bases mentioned in this norm are of equal rank and value. For the processing of personal data by non-public controllers in the provision of telemedia services, it is generally possible to invoke consent pursuant to Art. 6(1)(a) GDPR, contractual obligations pursuant to Art. 6(1)(b) GDPR or overriding legitimate interests pursuant to Art. 6(1)(f) GDPR.”
(Translated by the author)

The legal basis of overriding legitimate interest places high demands on processing in terms of data protection friendliness and requires a balancing of interests under the criteria already mentioned by the Data Protection Conference in 2019. These criteria were the basis for the independent audit of etracker Analytics by ePrivacy Consult and are recorded in this sample balance of interests.

The result of the audit reads:

„“[…] Based on our detailed audit, we consider it justified to use the legal basis of Art. 6 (1) f) GDPR (legitimate interest) to justify the data processing of etracker Analytics and etracker Optimiser, also with regard to the DSK paper from December 2021 and the ECJ ruling from 01.10.2019. In cookie-less mode (standard mode), the use of etracker Analytics is legal according to the GDPR and TTDSG without any obligation of consent.“

The result of the audit can be found here.

The French supervisory authority CNIL also confirms that etracker Analytics can be used free from the obligation of consent: https://www.cnil.fr/fr/cookies-solutions-pour-les-outils-de-mesure-daudience

ePrivacy Consult certifies etracker Analytics among other things:

Upon registration, a Data Processing Agreement is automatically concluded, see https://www.etracker.com/en/dp-agreement/

The IP address is automatically shortened as soon as possible (in the server cache) and thus only persisted anonymously.

Reporting is carried out with anonymised and almost exclusively aggregated data without the possibility of identifying the user.

Session identifiers for linking individual interactions to visits are limited to a maximum of 24 hours, as a daily time stamp is included in the hash value automatically generated by the server. This excludes the possibility of permanent recognition, unless cookies are activated after consent has been given. Browser fingerprinting in accordance with OH Telemedien or Art. 29 Data Protection Group therefore does not take place.

The data is processed exclusively on behalf of etracker and is not used for etracker’s own purposes or linked with data from other etracker customers.

No personal data is passed on to third parties (Google, Facebook & Co.).

No granular mouse movement recordings are made.

An objection function is provided for the privacy policy.

However, if a website operator comes to the conclusion that its legitimate interests do not prevail due to its individual circumstances, such as the possible enrichment of web analytics data or its further processing in third-party systems, the tracking opt-in option can be used.

Conclusion

When using etracker Analytics, only processing operations that are justified on the basis of the overriding legitimate interest of the website operator are carried out. As a rule, there is no obligation of consent according to the GDPR.

This document does not claim to be legal advice and cannot replace individual legal advice. We work closely with lawyers specialised in data protection and are happy to pass on the contacts for individual consultations.