What you should know about the supervisory authorities’ new guidance for websites and apps

News
5 min read

Contents
1. How must consent dialogs be designed with regard to the consent and refusal function?
2. What information must consent dialogs contain?
3. When can consent be waived for web analysis?
Conclusion

Website of the Datenschutzkonferenz (DSK)

by Olaf Brandt

On November 15, 2024, the Conference of the Independent Data Protection Supervisory Authorities of the Federation and the Länder (Datenschutzkonferenz, DSK) adopted the new version of its guidance for providers of digital services (OH Digital Services).

The first thing that stands out is that the antiquated term “telemedia” has finally disappeared.

Title page of the supervisory authorities' guidance for websites and apps: the term telemedia has been replaced by digital services

The revision takes into account the new German Digital Services Act (DDG) and the Telecommunications-Digital-Services Data Protection Act (TDDDG), which replaced the Telemedia Act and the TTDSG, as well as the new EU-U.S. Data Privacy Framework.

This means that the guidance for providers of digital services, i.e. websites and apps, is up to date with the latest legal requirements.

But does it also provide clarity on the most important questions regarding legally compliant tracking? Unfortunately, only partially.

This is what the new guidance says about the key issues in tracking:

1. How must consent dialogs be designed with regard to the consent and refusal function?

Even though most websites still get this wrong, the requirements are now very clear:

  • The option to refuse consent must be
    • clearly and unambiguously recognizable,
    • easily perceptible and unambiguous, with buttons comparable to the consent button in size, color, contrast and typeface, and
    • available at the same level (the same layer of the dialog) as consent.
  • It must be possible to give or refuse consent granularly for specific purposes.
  • Withdrawing consent must be just as simple as giving it.

The consent requirements (equivalent buttons and purpose selection) can be implemented effectively with either one or two levels.

Consent banner on the Canon website: example of compliant design across two levels

etracker consent banner: example of compliant design on one level

There are likewise two options for implementing the equally simple withdrawal in practice:

  • a floating button displayed on every page, or
  • a link in the footer of every page,

either of which reopens the consent dialog.

2. What information must consent dialogs contain?

Where cookies requiring consent are used, data processing requiring consent usually takes place as well. etracker analytics is an exception: as a rule, only the use of statistics cookies requires consent, not the subsequent data protection-friendly processing. For cookies from Google, Meta, TikTok & Co., on the other hand, both the cookies and the data processing require consent. Accordingly, when Google, Meta, TikTok & Co. are used, the consent dialog must make clear that two consents are being given: one for access to the terminal equipment (§ 25 TDDDG) and one for the processing of personal data (GDPR).

Information must be provided at the highest level with regard to processing operations requiring consent:

  • “specific purposes of the processing,
  • when individual profiles are created and enriched with data from other websites to create comprehensive user profiles,
  • if data is also processed outside the EEA and
  • to how many controllers the data is disclosed.”

It is unclear which basic information regarding access to end devices (cookies) must be included at the top level. As a minimum, information should be provided “in clear and concise form”, but nevertheless precisely and specifically about all individual purposes in simple language. Very general and vague formulations should be avoided, as should the mention of only selected purposes.

At a second level, or in linked detailed information, the following must also be provided:

  • the data recipients and processors,
  • the form of access to the terminal device and the lifetime of the cookies,
  • the fact that a later withdrawal does not affect the lawfulness of the access or storage carried out up to the time of withdrawal.

Example of top-level information:

We use cookies that are necessary for the operation of our website. If you give your consent, we and 10 partners use additional cookies and process personal data to embed third-party content, perform data-based testing and provide enhanced functionality and personalization (Functional), measure the number of unique visits and the success of advertisements across multiple touchpoints (Statistical), and show you ads based on your activity on this or other websites (Marketing). For this purpose, our advertising partners process data outside the European Economic Area and create a profile of your interests. You can revoke your consent at any time for the future via the floating icon on each page. Detailed information on these cookies and data processing can be found via the links below.

Example of detailed information on an actor that can be accessed at second level or via a link:

YouTube

Description of the service

YouTube is an online video platform where users can watch, share, comment on and upload videos.

Purpose

Functional: We use the service to display videos.

Processing company

Google Ireland Limited

Processed data

  • Device information
  • IP address
  • Referrer URL
  • Viewed videos

Maximum limit for the storage of non-essential cookies

179 days

Data recipient

  • Alphabet Inc.
  • Google LLC
  • Google Ireland Limited

Transfer to third countries

For data transfers to the USA, the provider’s parent company has signed up to the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission.

Privacy policy of the processing company: https://www.google.de/policies/privacy/

3. When can consent be waived for web analysis?

In addition to consent, there are two legal bases for web analysis: absolute necessity and legitimate interest. Legitimate interest, however, is a GDPR basis for processing personal data only; § 25 TDDDG knows no such exception for storing or reading cookies, so it cannot be used to justify cookies for analytical purposes. For cookies, the only alternative to consent is absolute necessity.

The guidance opens up the possibility of understanding web analytics in the sense of reach measurement with cookies as a necessary basic service. However, the wording is very vague: “Even the simple measurement of visitor numbers is therefore not to be classified per se as part of the basic service, but depends on the specific purpose pursued in each case. For example, the error-free delivery of the website may be covered by the user’s request, while the profitability of advertisements usually only serves the primary interests of the website operator.” If the sole purpose of web analysis is therefore to ensure the needs-based and error-free design of the website, even tracking with cookies without consent could be justified.

If web analysis is also used for campaign and conversion tracking, this can be done without cookies on the legal basis of legitimate interest. According to the guidance, however, it must be ensured that

  • no properties of the terminal device are actively read out, for example by JavaScript code, as would be the case with the screen resolution (see para. 24);
  • the browser information that is transmitted anyway and can be collected without consent is not used for fingerprinting (see para. 25);
  • the processors involved do not also process the data for their own purposes (as Google reserves the right to do when Google Analytics is used; see para. 111);
  • only the data necessary for the purpose are processed (data minimization, i.e. the mildest means for the purpose; see para. 108);
  • service providers can produce evidence of independent audits rather than blanket statements (see para. 110); and
  • a balancing of interests shows that the operator's interests actually prevail (see para. 112).
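The design requirements from section 1 (equivalent accept and reject actions, granular purposes, withdrawal as easy as consent, and a record showing that withdrawal does not retroactively affect earlier lawfulness) and the conditions just listed for consent-free analytics can be combined in one small client-side module. The following JavaScript is an added example written for this article; it is not etracker's code and not part of the guidance. The purpose names, the field allow-lists, the Map standing in for localStorage, and the sample visitor data are assumptions chosen for illustration.

```javascript
// Added example for this article; not etracker's code and not from the guidance.
// Purpose names, field lists, storage and sample data are assumptions.

const PURPOSES = Object.freeze(["functional", "statistics", "marketing"]);

// Properties known only if the script actively reads them out of the terminal
// device (para. 24): reading them needs consent, and they are fingerprinting inputs.
const DEVICE_READOUT_FIELDS = new Set([
  "screenWidth", "screenHeight", "colorDepth", "timezone", "fonts", "canvasHash",
]);

// Information the browser transmits with the request anyway (para. 25). Usable
// for consent-free reach measurement; recorded as-is, never hashed together.
const CONSENT_FREE_FIELDS = new Set(["event", "url", "referrer"]);

class ConsentStore {
  // `storage` stands in for localStorage or a first-party cookie (assumption).
  constructor(storage = new Map()) {
    this.storage = storage;
  }

  _state() {
    const raw = this.storage.get("consent");
    return raw ? JSON.parse(raw) : { decided: false, purposes: {}, history: [] };
  }

  _record(purposes, action, at) {
    const state = this._state();
    // The history documents that consent was valid up to the withdrawal;
    // a withdrawal replaces the current state but never rewrites earlier entries.
    state.history.push({ action, at, purposes: { ...purposes } });
    state.decided = true;
    state.purposes = purposes;
    this.storage.set("consent", JSON.stringify(state));
    return state;
  }

  // First level: "Accept all" and "Reject all" are equivalent one-step actions.
  acceptAll(at) {
    return this._record(Object.fromEntries(PURPOSES.map((p) => [p, true])), "accept_all", at);
  }
  rejectAll(at) {
    return this._record(Object.fromEntries(PURPOSES.map((p) => [p, false])), "reject_all", at);
  }

  // Second level: granular choice per purpose. Unknown purposes are an error;
  // purposes not mentioned default to false (no pre-ticked boxes).
  decide(choices, at) {
    for (const p of Object.keys(choices)) {
      if (!PURPOSES.includes(p)) throw new Error(`unknown purpose: ${p}`);
    }
    const purposes = Object.fromEntries(PURPOSES.map((p) => [p, choices[p] === true]));
    return this._record(purposes, "granular", at);
  }

  // Withdrawal is one call, wired to the floating icon or the footer link.
  withdraw(at) {
    return this._record(Object.fromEntries(PURPOSES.map((p) => [p, false])), "withdraw", at);
  }

  hasConsent(purpose) { return this._state().purposes[purpose] === true; }
  isDecided() { return this._state().decided; }
  history() { return this._state().history; }
}

// Build the analytics beacon from everything the page script *could* collect,
// keeping only what the current consent state allows (deny by default).
function buildBeacon(store, collected) {
  const beacon = {};
  const statistics = store.hasConsent("statistics");
  for (const [key, value] of Object.entries(collected)) {
    if (CONSENT_FREE_FIELDS.has(key)) {
      beacon[key] = value; // transmitted anyway; allowed without consent
    } else if (DEVICE_READOUT_FIELDS.has(key) || key === "visitorId") {
      if (statistics) beacon[key] = value; // cookie id and device readout need consent
    }
    // Any other field (e.g. an A/B test variant under "functional") is dropped
    // here; it would need its own purpose check before being sent.
  }
  return beacon;
}

// Constructed sample of what a page script could gather (not real visitor data).
const COLLECTED = Object.freeze({
  event: "pageview",
  url: "https://www.example.com/pricing?utm_campaign=spring",
  referrer: "https://www.example.com/",
  visitorId: "c0ffee-1234",   // would come from a first-party statistics cookie
  screenWidth: 1920,
  screenHeight: 1080,
  colorDepth: 24,
  timezone: "Europe/Berlin",
  abVariant: "B",             // not on any allow-list: dropped
});

function demo() {
  const store = new ConsentStore();
  const beforeDecision = buildBeacon(store, COLLECTED);
  store.acceptAll("2024-11-15T10:00:00Z");
  const afterAccept = buildBeacon(store, COLLECTED);
  store.withdraw("2024-11-16T10:00:00Z");
  const afterWithdraw = buildBeacon(store, COLLECTED);
  return { beforeDecision, afterAccept, afterWithdraw, history: store.history() };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with `node`: before any decision and after withdrawal the beacon carries only the event, URL (campaign parameter included, since it is part of the requested URL) and referrer, with no visitor id and no device properties; after "Accept all" the cookie id and screen data are added. The history keeps the accept entry alongside the withdrawal, which is the record the second-level information refers to.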

That etracker analytics fulfills all of the above requirements is an absolute exception in the tracking market, especially given the predominant use of tools from "data octopuses" such as Meta and Google or US software companies such as Oracle. In this respect, it is understandable that the supervisory authorities see these requirements fulfilled only in rare cases (see para. 109).

You can find more information on the consent-independent use of etracker analytics here.

Conclusion

The new guidance (OH Digital Services) makes the requirements for the design of consent dialogs very clear. The textual and content requirements, by contrast, have to be gathered from various paragraphs, and the definitions of the conditions under which web analytics may be operated as a necessary basic service, under legitimate interest, or only with consent remain vague. As nothing has substantially changed in the underlying legal requirements, the independent expert opinion of the ePrivacy Award and the many regulatory audits of websites that use etracker without any complaint on this point continue to provide legal certainty. Furthermore, data protection-friendly web analysis protects both the privacy of users and the data basis of website and app operators.
