Article 26 TTDSG provides that the legislator will issue a regulation within two years, i.e. the end of 2023. This regulation aims to explain how users can store their data protection preferences ex ante in a center called PIMS, which must then be taken into account on websites that are visited later. This should lead to fewer so-called cookie pop-ups. The opposite is correct. One of 66 reasons.
Over the next few weeks and months, I’ll list 66 reasons why centralized consent management will fail. I mainly mention purely logical and practical reasons. Legal issues don’t even have to be used to PIMs or ADPC, as the central administration department is also called, ad absurdum. Another Latin formulation is mentioned in the introductory text: ex ante. It means “looking ahead” or “in advance”. What has to do with the future is usually surrounded by great uncertainty. Here also.
PIMs stands for pstaff linformation mmanagement ssystem. Every now and then it is p also for Private and the s in front of maintenance. ADPC means AAdvanced data Protection Ccheck and is intended as a browser plug-in. PIMS can be designed as a central website or as a browser plugin. Anyway, it won’t work.
Central management of cookie permissions
Reason 1 for failure of PIMS addresses § 26 TTDSG. This section is intended to introduce consent management, in particular for consents to be obtained pursuant to Section 25 (1) TTDSG. Article 25 of the TTDSG, on the other hand, deals exclusively with this entrances on end devices and end devices, in particular the storage of data in these devices.
Types of Processes Requiring Consent
As many of you no doubt know, it’s not just about cookies. the word cookie does not even appear in the legal text of the AVG and TTDSG.
I see at least the following processes that require permission:
- Processing of personal cookie data: Article 6 (1) GDPR.
- Data transfer to unsafe third countries: Article 44ff GDPR + ECJ ruling Schrems II.
- Creation of user profile: see § 15 para. 3 TMG as reference point and article 5 para. 1 DSGVO (Principles of data processing).
- Milder means available: see article 5 paragraph 1 GDPR.
Where are the cookies? Either in the oven or in the list above under points one and two, but not under points three through five.
Central permission management falls far below par
Thus, a consent management of § 26 TTDSG can only obtain consent for one or two of at least five different types of processes that require consent.
Even worse: § 25 TTDSG refers only to the storage and access of cookies. So only point one of my above list is taken into account. The TTDSG is a special law (lex specialis) to the GDPR. It actually blocks the GDPR when it contains more specific (and stricter) rules than the GDPR.
From 15 to 17 September 2022, the Autumn Academy of the German Foundation for Law and Computer Science (DSRI) in Hanover. There I was not the only one to give a presentation on § 26 TTDSG (from a technical and somewhat legal point of view), but also – completely independent of me – Bernhard Harle (as a lawyer). Mr. Harle also notes that § 26 TTDSG only refers to § 25 TTDSG and not to permissions arising from other legal provisions.
As a result, PIMS, as the central consent management system, is limited to accessing cookies.
It’s just stupid that a cookie, which in my opinion always represents a personal reference, is meaningless if you get its value but are not allowed to work with this value (see § 25 TTDSG). The processing of the cookie value is regulated in the GDPR, but not in the TTDSG. Anyone who denies that cookies actually have a personal reference through the personal IP address, which is always sent along with a cookie, should check out the following examples. The examples show cookie values that already allow a personal reference because of their value.
- identification: nfdmsnd3457sl. See for example Google Analytics (therefore also problematic without cookies for that reason, see customer identification). The value does not have to be very long. For 8 billion people, with an alphabet of 36 characters (26 lowercase letters + 10 numbers), two numbers are enough (2^36 = 68,719,476,736 possible combinations = 68 billion)! Three digits are enough for all terminal devices in the world (3^36 = 150 quadrillion).
- Email address: [email protected]. See, for example, forms for newsletters on websites.
- IP address in the cookie as value: This also happens occasionally (at that time with Google Analytics, nowadays in many other tools. example not at hand).
- Cookie ID: Invented CMP providers as a construct. This is to prove consent, which is nonsense because a user-deleted cookie containing the cookie ID would destroy the process.
- geo-coordinate: OneTrust includes these according to my observation. If it is accurate enough and/or if more information is available, it can identify a person. There would be people who live in sparsely populated areas.
- clientnumber: Online store or similar, no problem if registered as a customer. But what if you are not registered?
- fingerprint: View numerous analysis tools and trackers that want or have to do without cookies.
Even stupid that the other three types of processes that don’t require consent are not covered at all by the PIMS of 26 TTDSG. For example, these processes include on websites:
- Google Fonts
- Adobe Fonts (typekit.net), Monotype Fonts, Fast Fonts (often also use tracking pixels, supposedly for billing purposes)
- Google Tag Manager (without cookies)
- Google Maps (without cookies)
- Google Analytics (without cookies)
- YouTube video player (without cookies, but with DoubleClick ad tracker script)
- Google all plugins without cookies
- Facebook all plugins without cookies
§ 26 TTDSG and PIMS are designed to eliminate cookie pop-ups as much as possible. If you think of cookie popups as cookie consent requests, that’s at least half true. If you understand the pop-up of cookies as a consent request, only one fifth agree.
However, PIMS is a doomed approach. Even if this minor problem of 26 TTDSG lack of coverage should be resolved, there are 65 other reasons against PIMS. You’re all going to hear about it unless lawmakers see in advance that it makes sense to repeal the consent management regulation.
There will be no regulation for the management of consent. If she sees the light of day, the disaster will be huge and hard to beat in terms of embarrassment.
It doesn’t matter if you want browser plugins or a central website to manage the permission. Both approaches cannot work. For browser plugins, I will soon give purely logical reasons for their failure. Incidentally, the above mentioned Mr. Harle also explains some of these reasons in his contribution to the work of the DSRI Autumn Academy 2022.
If you want fewer popups, you have two options: Make sure your own websites don’t contain processes that require permission. If you want to know how to do this, ask. Permission can also be requested for visual elements such as videos on the spot, ie at the location of the element. The annoying and page wide popup is then omitted for the visual. The second option is to ensure that website operators are held accountable for data protection violations. There are several for that escalation levelsthat you can use as an individual:
- Clear application letter by e-mail with threat of further consequences
- Non-anonymous complaint to a supervisory authority (anonymous is almost useless, non-anonymous almost nothing)
- Warning as a private person
- Complaint as a private person
- Class action (consumer center or similar)
There are privacy-friendly solutions for many purposes. Here’s a selection:
- Google Maps: My Map Plugin
- Google Analytics: Matomo
- Google Fonts: Embed fonts locally
- Google Tag Manager: No tag manager or untag manager
- Facebook Pixel: Choosing a Better Marketing Approach
- Shopify: Different store system (otherwise unfortunately not possible)
- Homepage building kits from Wix etc.: German providers or even better: Host it yourself on a German server
- Consent tools from UserCentrics (Google Cloud), Cookiebot (Akamai) or OneTrust (US parent company): Not a consent tool or one from a purely European provider + storage or my consent tool that can only do the bare minimum (namely what really only possible).
- VG Wort Pixel: There is a legal basis for this. Anyone who disagrees should write to VG Wort: [email protected] and [email protected]
- Advisors to the previous federal government: New advisors (maybe they already exist?). Just ask: [email protected] (Federal Ministry for Digital Affairs and Transport – Department DP 25 – Data Protection in the Digital World, Cyber Security, Trust Services)