
    09.09.2024

    Consent Management Regulation - Goodbye cookie banner?


    According to a recent study by Bitkom, 76% of internet users feel annoyed by cookie banners. The German government therefore passed the so-called Consent Management Regulation (EinwV) last week, which is intended to reduce the number of cookie banners and improve the user experience on the internet.

    Section 26 of the German Telecommunications Digital Services Data Protection Act (TDDDG), which was introduced in December 2021 as the "TTDSG", provides the Federal Government with the power to issue regulations to govern so-called consent management services.

    The original idea of such services, which are also discussed under the term "Personal Information Management System (PIMS)", was that internet users would submit their personal cookie preferences once to the PIMS and the providers of digital services would be able to request these preferences from the PIMS. Users would have the option of agreeing to all cookies, generally accepting or rejecting individual categories of cookies across the board (e.g. statistics cookies or marketing cookies) or rejecting all unnecessary cookies.

    (Im)permissibility of general consents

    The problem with such blanket consent to the use of cookies, even if it is only given for certain categories of cookies, is that the internet user cannot really give informed consent in this case. Even though providers of digital services often use similar cookies and tools, they are not exactly the same. Each provider uses different cookies in some cases and therefore also transmits information from internet users to different recipients. Internet users would thus never know exactly what processing they are consenting to at the time of giving their consent, let alone to whom their data is being transmitted. For this reason, the German government has also decided against blanket default settings and comments on this in the explanatory memorandum to the regulation:

    “General default settings for possible consent requests from the provider of digital services, which are made by the end user without reference to the specific use of a digital service, do not meet the requirements for the management of consent.”

    However, this also means that the desired effect of PIMS, namely, to reduce the number of cookie banners, is lost. 

    Solution through the EinwV?

    Section 3 (1) of the now adopted Consent Regulation (EinwV) stipulates that the approved consent management service (i.e. the PIMS) stores the end user's cookie settings when they use a digital service for the first time. According to its wording, internet users will still have to see a cookie banner every time they visit a website for the first time.
    The approved service must also be user-friendly, i.e. transparent and comprehensible, and a request to review the end user's settings may only be made after one year at the earliest (Section 4 EinwV). It must also be possible to switch to another approved consent management service at any time (Section 5 EinwV). Furthermore, in accordance with Section 6, a competition-compliant procedure is required for providers of digital services. Finally, integration into so-called retrieval and display software (presumably, in most cases, internet browsers) should be made possible (Section 7 EinwV).

    As the name "approved consent management service" makes clear, the service must be approved. This is done in accordance with the procedure described in Part 3 of the Regulation. The competent body for this is the Federal Commissioner for Data Protection and Freedom of Information (Section 8 EinwV).

    Part 4, the last part of the regulation, defines technical and organizational measures for providers of digital services as well as manufacturers and providers of retrieval and display software. Particular attention should be paid to Section 18 (1) of the Consent Regulation, which declares the integration of approved consent management services by digital service providers to be voluntary. This provision has been criticized by consumer advocates, as the requirements of the regulation can easily be circumvented in this way. Moreover, the fact that the use of consent management services is voluntary will probably result in them rarely being used in practice. In light of the study cited at the beginning, the proportion of those who use such a service to generally reject non-optional cookies is likely to be very high. The providers of digital services will also assume this and therefore have no interest in using such services. They will be inclined to continue to use cookie banners to access the data of at least those users who click on "accept all" because they actually want to give their consent, do not really care or simply like to press green buttons.

    Conclusion

    There are major doubts as to whether the adopted regulation can really reduce the number of cookie banners on the internet. It can also only regulate consent in accordance with Section 25 (2) TDDDG. In practice, however, consent is often also obtained via cookie banners in accordance with the GDPR (in particular also in accordance with Article 49 para. 1 a) GDPR). Strictly speaking, these cannot then be obtained through the consent management service, which would probably entail that the previous cookie banners would have to remain in place for these consents in any case.

    However, another argument against the regulation is that the use of the consent management service does not appear to have any added value for either users or service providers. Users would still have to make a setting at least for every new website and even several times if the website uses new cookies or other tools, because no blanket default setting for different providers of digital services is to be legally permissible. Service providers, on the other hand, are presumably not interested in participating in consent management, which will probably result in more refusals of optional cookies.

    Ultimately, though, the relevance of the services for consent management will depend on the specific technical design. If this is kept as easy to install and low-threshold as possible, it could perhaps be attractive for some digital service providers. With a well-functioning solution that actually makes things easier for the user, these service providers could then advertise particularly user-friendly cookie handling.

    Fabian Eckstein
