The most important facts about the new “Guidelines for Telemedia Providers” of the German data protection supervisory authorities of 20 December 2021

Shortly before Christmas, the supervisory authorities updated the “Orientierungshilfe für Anbieter:innen von Telemedien” (OH Telemedien 2021), the key guidance for the legally compliant use of web analytics. The occasion was the Telecommunications Telemedia Data Protection Act (TTDSG), which came into force on 1 December 2021 and transposes the ePrivacy Directive into German law. Its § 25 TTDSG applies to every technology by which information is stored on, or read from, the user’s terminal equipment, whether or not cookies are involved.

The guidelines are available at:

https://www.datenschutzkonferenz-online.de/media/oh/20211220_oh_telemedien.pdf

These are the three most important points that we have summarised for you and explained in more detail below:

  1. Data protection-friendly web analytics, as offered by etracker Analytics in its standard, cookie-less configuration, does not require consent.
  2. On the supervisory authorities’ reading, US services such as Google Analytics cannot be used lawfully in Germany, even with user consent.
  3. Consent banners must offer a reject button that is designed equivalently to, and placed on the same level as, the consent button.

On 1: Need for consent

The new guidelines confirm the legal basis for consent-free session tracking with etracker Analytics.

1. Linking visit data in the back end by means of browser and header information does not require consent under the TTDSG.

According to the supervisory authorities, this is clearly not an active access to information stored on the terminal device:

“Access requires a targeted transmission of browser information that is not initiated by the end user. If only information, such as browser or header information, is processed, which is transmitted inevitably or due to (browser) settings of the terminal device when calling up a telemedia service, this is not to be considered as ‘access to information already stored in the terminal device’. Examples are:

  • the public IP address of the terminal equipment,
  • the address of the accessed website (URL),
  • the user agent string with browser and operating system version, and
  • the language set.”

(Translated by the author)

To meet the requirements of the GDPR, etracker automatically truncates the IP address before it is stored and combines the data transmitted by the browser with a random value that changes daily. Visits can therefore be linked for at most 24 hours; tracking users over longer periods is ruled out.
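To make the mechanism described above concrete, here is an added, illustrative implementation. It is not etracker’s code (the page does not describe how etracker implements it); the choice of header fields, the /24 and /48 truncation lengths, the HMAC-SHA256 construction and the sample requests are all assumptions made for this example.

```python
# Added, illustrative example: cookie-less visit linking from request headers
# with a truncated IP and a daily-rotating random salt. NOT etracker's code;
# field choices, prefix lengths and the HMAC construction are assumptions.
import hashlib
import hmac
import ipaddress
import secrets
from datetime import date


def truncate_ip(ip: str) -> str:
    """Drop the host part of the address before anything is stored:
    the last octet for IPv4 (/24), the last 80 bits for IPv6 (/48).
    The prefix lengths are an assumption of this example, not a legal threshold."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


class SessionLinker:
    """Links visits within one calendar day using only header information.

    The identifier is an HMAC over (truncated IP, User-Agent, Accept-Language)
    keyed with a random salt that is replaced every day and never archived, so
    identifiers from different days cannot be joined, not even by the operator.
    Without the salt, anyone who knows a visitor's headers could recompute the id.
    """

    def __init__(self, today: date, rng=secrets.token_bytes):
        self._rng = rng            # injectable so tests can be deterministic
        self._day = today
        self._salt = rng(32)

    def _rotate(self, today: date) -> None:
        if today != self._day:
            self._day = today
            self._salt = self._rng(32)   # old salt is dropped, not stored

    def visit_id(self, today: date, client_ip: str,
                 user_agent: str, accept_language: str) -> str:
        """Return a pseudonymous id for this request; stable only within `today`."""
        self._rotate(today)
        # Built from request headers only: nothing is written to or read from
        # the client's terminal equipment.
        msg = "\n".join([truncate_ip(client_ip), user_agent, accept_language])
        return hmac.new(self._salt, msg.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


# Constructed sample request data (not real traffic).
UA = "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
LANG = "de-DE,de;q=0.9,en;q=0.8"


def demo() -> dict:
    """Show what the daily rotation and the truncation do and do not link."""
    linker = SessionLinker(date(2021, 12, 20))
    day1_a = linker.visit_id(date(2021, 12, 20), "203.0.113.42", UA, LANG)
    day1_b = linker.visit_id(date(2021, 12, 20), "203.0.113.42", UA, LANG)
    day1_neighbour = linker.visit_id(date(2021, 12, 20), "203.0.113.7", UA, LANG)
    day2 = linker.visit_id(date(2021, 12, 21), "203.0.113.42", UA, LANG)
    return {
        # True: two requests from the same visitor on one day are joined
        "same_day_linked": day1_a == day1_b,
        # True: truncation also merges a neighbour in the same /24 with identical headers
        "same_subnet_collides": day1_a == day1_neighbour,
        # False: the salt has rotated, so the visitor cannot be followed into the next day
        "cross_day_linked": day1_a == day2,
    }


if __name__ == "__main__":
    print(demo())
```

Two practical points follow from the example. First, the identifier is still a pseudonym derived from personal data, so the GDPR balancing of interests discussed below remains necessary; the 24-hour rotation bounds linkability, it does not make the data anonymous in the strict sense. Second, truncating the IP merges visitors who share a subnet and identical browser headers, which is a deliberate accuracy-for-privacy trade-off and should be documented as such.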

2. Data protection-friendly processing for the purpose of web analytics can still rely on overriding legitimate interest (Art. 6 (1) (f) GDPR) as its legal basis.

When using etracker Analytics, the processing can still be justified on the basis of legitimate interest. The guidelines make clear that consent does not take precedence over overriding legitimate interest: both legal bases are of equal rank. Legitimate interest does, however, require a case-by-case balancing of interests. According to the supervisory authorities, the standards of review for this balancing have not changed since 2019, so the balancing-of-interests template we provide in our documentation remains up to date, as it is based on exactly those 2019 standards. The same standards form the basis of our audit and of the ePrivacyseal awarded to etracker.

The principles of cookie-less session tracking are thus officially recognised by the German supervisory authorities as not requiring consent.

On 2: US web analytics services such as Google Analytics

The guidelines leave no doubt that legitimate interest cannot serve as the legal basis where the service provider reserves the right to use the data for its own purposes:

“Furthermore, in cases where third party service providers are involved as processors in tracking, it is important to consider whether these service providers also process data of data subjects for their own purposes (e.g. to improve their own services or to create interest profiles). In this case – and even if the third-party service provider only reserves the right to do so in the abstract – the framework of a commissioned processing pursuant to Art. 28 GDPR is exceeded. For the transmission of personal data – even if it is only the IP address – to these third party service providers, Art. 6 (1) (f) of the GDPR can generally not form an effective legal basis.”

(Translated by the author)

Even with the user’s consent, there is no legal basis for transferring the tracking data to US providers:

“Especially in connection with the integration of third-party content and the use of tracking services, however, it will often not be possible to take sufficient supplementary measures. In this case, the services concerned may not be used, i.e. they may not be integrated into the website. Personal data processed in connection with the regular tracking of user behaviour on websites or in apps cannot, in principle, be transferred to a third country on the basis of consent pursuant to Art. 49 (1) (a) GDPR.”

(Translated by the author)

On the supervisory authorities’ reading, Google Analytics therefore cannot be used lawfully in Germany, with or without consent.

On 3: Consent banners

The supervisory authorities have taken a clear position on the design of consent banners: making refusal harder than consent renders the consent legally ineffective:

“If consent banners are displayed in telemedia offerings that only contain an ‘OK’ button, clicking the button does not constitute an unambiguous declaration.”

(Translated by the author)

They further state: “The user must be given an option to refuse consent in the consent banner that is equivalent to consent. If there is a button for consent to certain processes on the first level of the consent banner, there must also be a correspondingly displayed button to refuse these processes.”

(Translated by the author)

In addition, if consent can already be given on the first level of the banner, that level must contain the essential information on all purposes for the consent to be legally effective:

“In principle, it is possible to design consent banners with several layers, i.e. to provide more detailed information only on a second level of the banner, which users can access via a button or link. However, if a button already exists on the first level of the banner with which consent can be given for various purposes, concrete information on all individual purposes must also be contained on this first level. It would be too vague to merely provide generic, general or vague information on the purposes here, such as ‘In order to provide you with a better user experience, we use cookies.’”

(Translated by the author)

Anyone who cannot or does not want to do without a consent banner must pay attention to its legally compliant design and, in particular, must not make refusal more difficult than consent.

Disclaimer

These comments do not constitute legal advice and cannot replace individual legal advice. They are a professional discussion and summary of the subject. On request, we will be happy to put you in touch with a specialist lawyer.
