On November 21, 2024, the German Data Protection Conference (DSK) published version 1.2 of the guidance on providers of digital services. The guidance details the requirements under the Telecommunications Digital Services Data Protection Act (TDDDG) and supplements the European Data Protection Board (EDPB) Guidelines on Technical Scope of Article 5(3) of the Directive on Privacy and Electronic Communications (as amended) (the ePrivacy Directive).

What are the key takeaways from the guidance?

The guidance explains that the TDDDG regulates the protection of privacy when using terminal equipment, regardless of whether or not there is a personal reference. In addition, the TDDDG contains special provisions on technical and organizational measures to be observed by digital service providers and the requirements for the provision of information on inventory and usage data. The guidance, among other things, discusses the: 

• scope and application of the TDDDG;
• delimitation of the areas of application of the TDDDG and the General Data Protection Regulation (GDPR);
• requirements for consent; 
• lawful basis for processing under the GDPR; 
• design of consent banners; and
• data subject rights. 

Importantly, regarding consent banners, the guidance states that there is no general standard for the design of consent banners in terms of color, size, or contrast, leaving a certain amount of leeway. Controlling behavior through design, which is typically referred to as nudging, is therefore not generally impermissible. However, it has its limits, where the requirements for effective consent within the meaning of Articles 4(11) and 7 of the GDPR are no longer met. Consent banners should be designed in such a way that users can recognize their options for action at a glance, regardless of the screen size of the device used. Additionally, the opt-out option must be clearly recognizable, easily perceptible, and unambiguous as an alternative to consent.

You can read the guidance, only available in German, here.