New cookie regulation: a step towards simplifying digital consent?

On September 4, 2024, the Federal Government adopted the Consent Management Ordinance (EinwV). This new ordinance is based on Section 26 (2) of the Telecommunications Digital Services Data Protection Act (TDDDG) and aims to stem the flood of cookie banners and significantly simplify the handling of consent on the internet for users.

The EinwV regulates the requirements for “recognized consent management services”, also known as Personal Information Management Services (PIMS). These services are intended to provide a user-friendly alternative to the large number of individual decisions to be made when obtaining consent for the further processing of personal data in accordance with the General Data Protection Regulation (GDPR).

Key points of the regulation:

1. centralized consent management: users should be able to store their preferences once and permanently instead of having to give their consent each time they visit a website.

2. requirements for PIMS: The Regulation stipulates that these services must be user-friendly, transparent and interoperable. They must allow users to check, change or revoke their settings at any time.

3. recognition and monitoring: The Federal Commissioner for Data Protection and Freedom of Information (BfDI) is responsible for the recognition and monitoring of consent management services.

4. competition-compliant design: The Regulation stipulates that the procedures for consent management must be designed in a competition-compliant manner.

5. technical compatibility: Requirements are placed on the technical implementation to ensure smooth integration into websites and apps.

Federal Minister Dr. Volker Wissing emphasizes that the reform aims to provide a more pleasant browsing experience and give users more control over their consent. For providers of digital services, the new procedure offers the advantage of being able to obtain consent in a standardized and legally compliant process without compromising the design of their websites with annoying cookie banners.

Criticism of the initiative

Despite the good intentions, however, there is also criticism of the regulation. Consumer advocates and data protectionists complain that the new regulation may not fully achieve the desired effect. They fear that many providers of digital services will not sufficiently recognize the new consent mechanisms and may continue to repeatedly ask for consent.

Another problem is the legal validity of blanket consent under the GDPR. The Data Protection Conference (DSK) emphasizes that the processing of personal data under the GDPR is ineffective if data subjects are not sufficiently informed about the respective data processing operations. It is therefore questionable whether the new consent procedure can meet the legal requirements for valid consent under the GDPR.

There are also challenges for internationally oriented websites, as country-specific adaptations will be necessary. It is unlikely that Germany will develop a global standard while the EU will not.

The effectiveness of the regulations will be evaluated two years after they come into force. It is recommended that website operators continue to use data protection-friendly measurement methods that do not require the consent of website visitors and closely monitor the development of consent management services.

Ultimately, the GDPR shows that the topic of data protection in the digital space remains highly topical and calls for innovative solutions. It remains to be seen whether the regulation can actually stem the flood of cookies and strengthen users’ digital self-determination, or whether further adjustments will be necessary to strike a balance between data protection and user-friendliness.