Since December 1, 2021, the German Telecommunications-Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz – TTDSG) has governed, among other things, the protection of privacy when using end-user devices. We’ve already covered this topic in previous blog posts.
Just before Christmas, on December 20, a data protection conference held by Germany’s independent supervisory authorities issued an update to its official guidance. According to the Data Protection Conference (Datenschutzkonferenz), the term “end-user devices” includes not only websites and apps, but also all other internet-connected devices, such as smart home applications. For example, a washing machine that notifies a user via smartphone when a cycle has finished must not send data to third countries for further processing. Years ago, Amazon introduced its “Dash Replenishment Service” for connected devices—operators are now strongly advised to review their use of cookies and similar technologies.
A particularly interesting case is the use of Google Analytics, since users of this service transfer data outside the EU. The timing, nature, and duration of storage, as well as subsequent data processing, must comply with the requirements of the TTDSG and the EU General Data Protection Regulation (GDPR / DS-GVO). Although Google offers anonymization of data on its servers, the data has already been transferred overseas by that point. Even Google Analytics’ "IP anonymization function" is not sufficient under current standards. The data protection authorities of the EU are expected to weigh in on this issue soon, as it is currently under discussion in several European countries.
As such, Google Analytics should be viewed critically and is not currently considered compliant under existing conditions. As a website operator, one option is to position yourself as a first-party data owner, acting as an intermediary between the user and Google. An additional step is to use a compliance tool that encrypts personal data within Europe.
Each company must make its own decision about using Google Analytics—and bear the responsibility. There is no fixed deadline for compliance, which is risky, as deadlines often arrive at the worst possible time. This leads to unnecessary costs. The new TTDSG will almost certainly push the EU and the U.S. to reach a new legally secure agreement on the transfer of personal data.
We’re happy to advise you on your specific situation—especially if your company operates in both the U.S. and Europe, where this can quickly become a legal tightrope.
Additional helpful links:
