The current requirements of the supervisory authorities
To use web analytics services without a consent obligation and in compliance with the current guidance of the German supervisory authorities for telemedia providers, the TTDSG and the GDPR require doing without analytical cookies and ensuring data-protection-friendly processing under the overriding legitimate interest of the website operator.
1. Consent-free under TTDSG (cookie-less)
The Telecommunications Telemedia Data Protection Act (TTDSG) contains regulations on access to the user’s terminal equipment. By default, etracker Analytics only uses functional or absolutely necessary cookies. Active access to the user’s end device does not take place. According to the supervisory authorities, the processing of browser and header information used by etracker does not require consent:
“Access requires a targeted transmission of browser information that is not initiated by the end user. If only information, such as browser or header information, is processed, which is transmitted inevitably or due to (browser) settings of the terminal device when calling up a telemedia service, this is not to be considered as ‘access to information already stored in the terminal device’.”
(see: https://www.datenschutzkonferenz-online.de/media/oh/20211220_oh_telemedien.pdf, page 8)
(Translated by the author)
For session tracking, etracker Analytics does not store any data in the user’s end device, but assigns interactions to the respective visits purely on the server side via securely hashed session tokens:
“Examples of information transmitted when a telemedia service is called up are:
- the public IP address of the terminal device,
- the address of the website called up (URL),
- the user agent string with browser and operating system version and
- the language set.”
(Translated by the author)
The following technically necessary accesses to the terminal equipment may take place within the meaning of Section 25 (2) No. 2 TTDSG:
(a) Should users object to data processing for analysis purposes via the data protection notice on the website, the objection will be stored in a cookie (_et_oi_v2). If this cookie is set and has the content “NO”, no data will be collected for this user.
(b) The website operator can obtain consent to the setting of cookies for analysis purposes at any time by opt-in. For this purpose, etracker provides a consent banner and function calls that can be connected to external consent management platforms. Corresponding instructions are available at https://www.etracker.com/en/docs/integration-setup-2/consent-management-tools/. Upon consent, a cookie is set to indicate that etracker may set cookies. If consent is revoked, the cookie is deleted.
(c) The scroll depth measurements for the scrollmap report are temporarily stored in the session storage so that not every scroll movement leads to a data transmission, but the scroll depth data is sent to etracker “bundled” every few seconds. The use of session storage for scroll depth measurement is a purely technical delay of the transmission in order not to negatively affect the user experience due to longer loading times. Scroll depth measurement can also be optionally deactivated or configured so that scroll tracking only takes place after consent.
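How the opt-out check in (a) and the bundled scroll depth transmission in (c) can fit together on the client, as an added example that is not etracker's own code. Only the cookie name `_et_oi_v2` and its content "NO" come from the text above; the function names, the storage key, the payload shape and the in-memory stand-in for session storage are assumptions.

```javascript
// Added example; everything except the cookie name and "NO" value is hypothetical.
const OPT_OUT_COOKIE = "_et_oi_v2";

// Returns false when the objection cookie is present with the content "NO".
function analyticsAllowed(cookieString) {
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue; // skip empty or malformed fragments
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name === OPT_OUT_COOKIE && value === "NO") return false;
  }
  return true;
}

// Buffers scroll depth in a Storage-like object and sends it in bundles.
function createScrollBuffer(storage, send, key = "scrollDepthBuffer") {
  const load = () => JSON.parse(storage.getItem(key) || "{}");
  return {
    // Keep only the deepest point reached per page; nothing is transmitted here.
    record(page, depthPercent) {
      const buf = load();
      const depth = Math.max(0, Math.min(100, Math.round(depthPercent)));
      buf[page] = Math.max(buf[page] || 0, depth);
      storage.setItem(key, JSON.stringify(buf));
    },
    // Meant to run on a timer every few seconds: one transmission per bundle.
    flush() {
      const buf = load();
      const pages = Object.keys(buf).length;
      if (pages === 0) return 0; // nothing buffered, nothing sent
      send(buf);
      storage.removeItem(key); // the buffer only delays transmission
      return pages;
    },
  };
}

// Constructed stand-in for window.sessionStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}
```

In a browser, `analyticsAllowed(document.cookie)` would be checked before `record` is ever called, and `window.sessionStorage` would replace `memoryStorage()`.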
2. Consent-free under GDPR (overriding legitimate interest)
The General Data Protection Regulation (GDPR) regulates the processing of personal data. Reporting in etracker Analytics is based on anonymised and mainly aggregated data. However, anonymisation itself already constitutes a processing operation under the GDPR. This also applies to the automatic shortening of the IP address, which by default takes place at the earliest possible point in the RAM of the data acceptance server.
Two legal bases come into question for this (anonymisation) processing: consent and overriding legitimate interest. The current guidance confirms that the legal basis of consent is not preferable to legitimate interest in terms of data protection law, i.e. it is not more data protection-friendly:
“The processing of personal data is only lawful if at least one of the conditions of Art. 6 (1) GDPR is met. All of the legal bases mentioned in this norm are of equal rank and value. For the processing of personal data by non-public controllers in the provision of telemedia services, it is generally possible to invoke consent pursuant to Art. 6(1)(a) GDPR, contractual obligations pursuant to Art. 6(1)(b) GDPR or overriding legitimate interests pursuant to Art. 6(1)(f) GDPR.”
(Translated by the author)
The legal basis of overriding legitimate interest places high demands on processing in terms of data protection friendliness and requires a balancing of interests under the criteria already mentioned by the Data Protection Conference in 2019. These criteria were the basis for the independent audit of etracker Analytics by ePrivacy Consult and are recorded in this sample balance of interests.
The result of the audit reads:
“[…] Based on our detailed audit, we consider it justified to use the legal basis of Art. 6 (1) f) GDPR (legitimate interest) to justify the data processing of etracker Analytics and etracker Optimiser, also with regard to the DSK paper from December 2021 and the ECJ ruling from 01.10.2019. In cookie-less mode (standard mode), the use of etracker Analytics is legal according to the GDPR and TTDSG without any obligation of consent.”
The French supervisory authority CNIL also confirms that etracker Analytics can be used free from the obligation of consent: https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/cookies-solutions-pour-les-outils-de-mesure-daudience
ePrivacy Consult certifies etracker Analytics among other things:
However, if a website operator comes to the conclusion that its legitimate interests do not prevail due to its individual circumstances, such as the possible enrichment of web analytics data or its further processing in third-party systems, the tracking opt-in option can be used.
This document does not claim to be legal advice and cannot replace individual legal advice. We work closely with lawyers specialised in data protection and are happy to pass on the contacts for individual consultations.