No. Section 25 par. 1 of the Act Regulating Data Protection and Privacy in Telecommunications and Telemedia (TTDSG) in conformity with the Directive 2002/58/EC (e-Privacy Directive, also see Planet 49 case (no. I ZR 7/16) of the German Federal Court of Justice – “Bundesgerichtshof”):
Yes.
Yes. Sec. 25 par. 2 TTDSG
No consent required:
Necessary cookies, yes.
i. Analytics cookies: No
ii. Advertising cookies: No
iii. Social media cookies: No
iv. Performance cookies/functionality cookies: No
No.
No.
Section 25 par. 1 sentence 2 TTDSG (since 1 December 2021).
No. According to some German DPAs, a cookie management tool may be avoided if only necessary cookies are used; the transparency requirements remain applicable.
In principle yes, but there is guidance from the Data Protection Conference (DSK – the joint body of German DPAs) that needs to be taken into consideration. In the context of cookie walls the DSK inter alia stresses that:
If multiple processing purposes differ significantly from each other, granular consent must be obtained from the data subjects. This means that they must have the ability to actively select and consent to individual purposes (opt-in). Only when purposes are closely related may bundling of purposes be considered in the consent form. A blanket consent for various purposes is not deemed to be valid by German DPAs.
Yes.
Cookie rules have not been heavily enforced recently. However, we are seeing and handling more and more enforcement and DPA actions, particularly on the use of cookies and similar technologies. Several German DPAs conducted a joint audit on the use of advertising/tracking cookies in different sectors (with possible fines/warnings which are not entirely public yet). Note that the majority of DPA enforcement actions/investigations are not made public (i.e. we assume that many proceedings are ongoing).
It should also be noted that, besides regulatory actions, more and more users (both B2B and B2C) are familiar with the cookie (consent) requirements. Thus, we are seeing and handling more and more cease and desist letters (“private enforcement”). The question of whether non-compliant cookie set-ups may be subject to damage claims is also controversial and a topic of discussion in Germany, but we have seen first proceedings in this respect.
This topic forms part of the above-mentioned audits in question 9.
On 1 December 2021, the TTDSG came into force (implementation of the cookie rules of the e-Privacy Regulation and consideration of the case law of the Federal Court of Justice (ref. I ZR 7/16) and the European Court of Justice – “CJEU” (ref. C 673/17) – Planet49). As a result, we see a clear focus of the German data protection authorities regarding the enforcement of the use of cookies. In addition, there are more and more private enforcement proceedings.