According to a recent study by Bitkom, 76% of internet users feel annoyed by cookie banners. The German government therefore passed the so-called Consent Management Regulation (EinwV) last week, which is intended to reduce the number of cookie banners and improve the user experience on the internet.
Section 26 of the German Telecommunications Digital Services Data Protection Act (TDDDG), which was introduced in December 2021 as the "TTDSG", provides the Federal Government with the power to issue regulations to govern so-called consent management services.
The original idea of such services, which are also discussed under the keyword of "Personal Information Management System (PIMS)", was that the internet user would submit their personal cookie preferences once to the PIMS and the providers of digital services would be able to request these preferences from the PIMS. Users would have the option of agreeing to all cookies, generally accepting or rejecting individual categories of cookies across the board (e.g. statistics cookies or marketing cookies) or rejecting all unnecessary cookies.
The problem with such blanket consent to the use of cookies, even if it is only given for certain categories of cookies, is that the internet user cannot really give informed consent in this case. Even though providers of digital services often use similar cookies and tools, they are not exactly the same. Each provider uses different cookies in some cases and therefore also transmits information from internet users to different recipients. Internet users would thus never know exactly what processing they are consenting to at the time of giving their consent, let alone to whom their data is being transmitted. For this reason, the German government has also decided against blanket default settings and comments on this in the explanatory memorandum to the regulation:
“General default settings for possible consent requests from the provider of digital services, which are made by the end user without reference to the specific use of a digital service, do not meet the requirements for the management of consent.”
However, this also means that the desired effect of PIMS, namely, to reduce the number of cookie banners, is lost.
Section 3 (1) of the now adopted Consent Regulation (EinwV) stipulates that the approved consent management service (i.e. the PIMS) stores the end user's cookie settings when they use a digital service for the first time. According to its wording, internet users will still have to see a cookie banner every time they visit a website for the first time.
The approved service must also be user-friendly, i.e. transparent and comprehensible, and a request to review the end user's settings may only be made after one year at the earliest (Section 4 EinwV). It must also be possible to switch to another approved consent management service at any time (Section 5 EinwV). Furthermore, in accordance with Section 6, a competition-compliant procedure is required for providers of digital services. Finally, integration into so-called retrieval and display software (usually presumably Internet browsers) should be made possible (Section 7 EinwV).
As the name "approved consent management service" makes clear, the service must be approved. This is done in accordance with the procedure described in Part 3 of the Regulation. The competent body for this is the Federal Commissioner for Data Protection and Freedom of Information (Section 8 EinwV).
Part 4, the last part of the regulation, defines technical and organizational measures for providers of digital services as well as manufacturers and providers of retrieval and display software. Particular attention should be paid to Section 18 (1) of the Consent Regulation, which declares the integration of approved consent management services by digital service providers to be voluntary. This provision has been criticized by consumer advocates as the requirements of the regulation can easily be circumvented in this way. Moreover, the fact that the use of consent management services is voluntary will probably result in them rarely being used, especially in practice. In light of the study cited at the beginning, the proportion of those who use such a service to generally reject non-optional cookies is likely to be very high. The providers of digital services will also assume this and therefore have no interest in using such services. They will be inclined to continue to use cookie banners to access the data of at least those users who click on "accept all" because they actually want to give their consent, do not really care or simply like to press green buttons.
There are major doubts as to whether the adopted regulation can really reduce the number of cookie banners on the internet. It can also only regulate consent in accordance with Section 25 (2) TDDDG. In practice, however, consent is often also obtained via cookie banners in accordance with the GDPR (in particular also in accordance with Article 49 para. 1 a) GDPR). Strictly speaking, these cannot then be obtained through the consent management service, which would probably entail that the previous cookie banners would have to remain in place for these consents in any case.
However, another argument against the regulation is that the use of the consent management service does not appear to have any added value for either users or service providers. Users would still have to make a setting at least for every new website and even several times if the website uses new cookies or other tools, because no blanket default setting for different providers of digital services is to be legally permissible. Service providers, on the other hand, are presumably not interested in participating in consent management, which will probably result in more refusals of optional cookies.
Ultimately, though, the relevance of the services for consent management will depend on the specific technical design. If this is kept as easy to install and low-threshold as possible, it could perhaps be attractive for some digital service providers. With a well-functioning solution that actually makes things easier for the user, these service providers could then advertise particularly user-friendly cookie handling.