The introduction of the TTDSG (German Telecommunications and Telemedia Data Protection Act) standardized numerous German and European data protection provisions. But in order to comply with this legislation, users need to observe several things and implement some specific requirements. In this article, you will learn what the TTDSG is, who it applies to, and what provisions it contains. We will also focus on the biggest new change in more detail: handling cookies. In addition, you will also learn how Stripe can support you in complying with the TTDSG, and what penalties exist for noncompliance.

What’s in this article?

• What is the TTDSG?
  
• Who does the TTDSG apply to?
  
• How does the TTDSG regulate the handling of cookies?
  
• What other significant provisions are set out in the TTDSG?
  
• What are the penalties for noncompliance with the TTDSG?
  
• How can Stripe help you comply with the TTDSG?
  

What is the TTDSG?

TTDSG stands for Telekommunikation-Telemedien-Datenschutz-Gesetz—or in English, the Telecommunications and Telemedia Data Protection Act—which was enacted in Germany on December 1, 2021. The full name of this federal law is the “Act on data protection and protection of privacy in telecommunications and telemedia.” The TTDSG harmonizes and facilitates the application of law. It also provides legal clarity by consolidating and simplifying the data protection regulations existing to date at the national and European level: the Telecommunications Act (TKG), the Telemedia Act (TMG), the General Data Protection Regulation (GDPR), and the data protection directive for electronic communication (Directive 2002/58/EC, also known as the “ePrivacy Directive”). The TTDSG guarantees a fair balance between the interests of digital services users, and the interests of businesses.

The primary aim of the TTDSG is data protection and the protection of privacy in the digital world. As a result, TTDSG contains numerous provisions, including on the use of cookies, protection of user data, processing of the personally identifiable information of underage persons, privacy in telecommunications, digital acquisition, and the issuing of information on stock and use data by service providers.

The TTDSG is structured in four sections: Sections 1 and 4 govern the general provisions, regulations on penalties and fines, and supervision. Section 2 sets out provisions on data protection and the protection of privacy in telecommunications. Section 3 regulates data protection in telemedia and terminal equipment.

Who does the TTDSG apply to?

According to Section 2, the TTDSG applies to all providers of telemedia—in other words, “any natural or legal person providing their own or third-party telemedia, involved in such provision, or who brokers access to the use of their own or third-party telemedia.” The term “telemedia” is not explicitly explained in the TTDSG, but it is defined in Section 1 of the TMG as “all electronic information and communication services.” This means websites, search engines, online shops, and mobile apps. However, providers acting purely as private individuals who do not fall under the scope of the TMG—and, therefore, also do not fall under the scope of the TTDSG—are exempted. In case of doubt, clarification on what constitutes a “private individual” should be sought from the tax office. What is decisive here is the question of whether the tax office sees telemedia, such as a website, as a source of income. The TTDSG applies, without exception, to all businesses registered in Germany and businesses that offer goods and services on the German market.

How does the TTDSG regulate the handling of cookies?

A new feature of the TTDSG is how it governs the handling of cookies compared to the previous data protection regulations in Germany. Cookies are data in the form of small text files, which are temporarily stored on users’ browsers when they enter a website. These cookies are then retrieved by the operator’s web servers when a user returns to the website. This can be used to ensure, for example, that the right language is displayed. Cookies are also used for customized ads or when greeting users by name, and so they are particularly useful for advertisers. Cookies can be used by operators of websites or by third parties.

In Section 25 (Protection of privacy in terminal equipment), the TTDSG clearly establishes that cookies, and comparable tracking techniques such as browser fingerprinting or using MAC addresses, are only permitted when the end users have given their consent on the basis of clear and comprehensive information. Businesses that operate websites also need to expressly enquire about the extent users consent to the processing of their personally identifiable information. Technical cookies required for a website’s operation are exempt, however. Consent does not need to be obtained for such cookies. Examples of these are cookies for shopping cart contents and language versions, in addition to payment cookies as well as cookies used for granting or revoking consent.

Businesses that use cookies must display a corresponding notice on their website. The notice must satisfy specific legal requirements to prevent supervisory authorities, consumer protection associations, or competitors from taking action against the business. In addition, private individuals can also claim compensation. The cookie banner should be clearly displayed upon entering a website, with information and clickable options. Users must also be able to decide whether they accept all, or only essential, cookies. It is also possible to allow users themselves to configure detailed privacy settings for specific types of processing and third-party providers.

In order to ensure all legal requirements are met, businesses should check carefully what information needs to be included in the wording of their cookie notice. The following template can be used as a rough guide:

“We and our third-party providers use cookies and other technologies to store and retrieve information on user devices, in order to process personal data such as IP addresses or browser data. You can consent to the processing of your personal data for the processing purposes listed below. Alternatively, you can configure your preferred settings before you consent or decline. You can amend your data protection settings at any time, or withdraw your consent in the cookie settings.”

As a further example for drafting the required cookie information, you can use the statements on the Stripe website, where its cookie policy can also be found. What is important is that the cookie banner corresponds to the legal minimum requirements—see the checklist below.

Cookie banner checklist

• Cookies need to be deactivated until consent has been granted.
  
• Consent must be actively granted by users themselves—a prefilled option is not permitted.
  
• The banner must, at a minimum, contain “Accept” and “Decline” buttons.
  
• These buttons must be presented with equal prominence. In other words, the “Accept” button, for example, must not be highlighted in a brighter color.
  
• Users must be fully informed about the respective intended processing purpose of the individual tools (to be listed in the privacy policy), the number of providers and tools, and the registered office of the tracking service employed if outside the EU.
  

What other significant provisions are set out in the TTDSG?

Among other things, the TTDSG also regulates the security of data processing. Telemedia providers are compelled to implement technical and organizational data protection measures. In addition, children and young persons must be explicitly protected so that data collected from them to establish their age must not be used for commercial purposes. Telemedia providers are also only permitted to disclose certain data on their users—even in connection with official investigations.

In addition, the TTDSG contains provisions on the confidentiality of communication (Sections 9 to 13), on traffic and location data (Sections 14 to 16), and on the disclosure of telephone numbers used for unsolicited calls, the displaying and concealing of the caller’s number, automatic call redirection, and on telephone directories (Sections 17 to 18).

What are the penalties for noncompliance with the TTDSG?

Paragraphs 27 to 30 of the TTDSG set out the penalties and fines, in addition to the corresponding responsibilities for supervision and penalties, in the event of breaches. Businesses that breach Section 25 (1) (the facility for users to consent to the activation of cookies described above), may be liable to a fine of up to 300,000 euros. Other breaches may also prove expensive, with penalties rising to five or six figures. Confidentiality breaches may be sanctioned with financial penalties and also with custodial sentences of up to two years. One exception to this is privacy in telemedia: this is part of the general criminal code (StGB), which according to Section 206, provides for a financial penalty or custodial sentence of up to five years for breaches.

The Federal Commissioner for Data Protection and Freedom of Information (BfDI) is responsible for supervising the processing of natural and legal persons’ personally identifiable information. The Federal Network Agency (BNetzA) supervises compliance with the provisions in the first and second sections of the TTDSG.

How can Stripe help you comply with the TTDSG?

Stripe supports businesses and merchants in complying with the TTDSG, primarily through the legally-secured use of cookies. Stripe uses cookies not only on its own website, but also on those of businesses and merchants using Stripe services.

The following cookies, among others, are used on Stripe’s website:

• Functionality cookies: These serve to ensure that the website and the services offered function correctly. For example, these will show the right information for a user’s location.
  
• Security cookies: These protect user data against unauthorized access.
  
• Authentication cookies: These can be used by Stripe to “remember” users so they do not need to reregister each time they use Stripe services.
  
• Analytics cookies: These enable Stripe to track how visitors interact with offers, in order to evaluate and improve its service.
  
• Advertising cookies: These enable users on other websites to be shown adverts for Stripe and to measure their reactions.
  
• Third-party cookies: Stripe also uses cookies from third parties such as Facebook, Google, and LinkedIn, which also use marketing and analysis cookies.
  

These and other cookies can also be used on websites of Stripe customers. Again in this case, the explicit consent of the website users must be obtained. Regardless of which Stripe service you wish to embed—for example, accepting and optimizing payments, or automating financial processes—our Sales Team will be happy to give you comprehensive advice on the content and technical options, in addition to the legal provisions required to comply with the TTDSG.