Interview with Thomas Schwenke

Expert Interview on the Cookie Regulation: "Well-intentioned, but poorly executed"

The central consent management system, recently approved by the German Bundesrat, aims to accomplish one primary goal: to reduce the overwhelming flood of cookies. Rather than individually giving consent on each website and navigating through countless banners, users would have the option to centrally store their consent or objections.

This concept sounds promising. Following the substantial media coverage in December 2024, we decided to examine this initiative thoroughly: How does this new system in Germany function? What are the benefits? Where does it draw criticism? How does it operate in reality? Will it genuinely curb the cookie overflow? Is the system practical for website owners? And does it hold any relevance for other countries? All these questions and more are addressed in this post:

News on the new German cookie law

BUT we still had some lingering questions. Are we being too critical because we naturally approach the topic from a different angle? If it were up to us, we wouldn't opt for a standalone German solution; instead, we'd aim for solutions where the problem doesn't arise at all. In our context, that means video hosting completely without the need for consent and cookies, tailored for Europe.

To get some clarity on our concerns, we consulted Dr. jur. Thomas Schwenke, LL.M. (UoA). Thomas is a German lawyer and data protection expert who advises companies on marketing and AI usage. He also hosts a podcast at Rechtsbelehrung.com and provides a popular tool for creating data protection statements and AI guidelines on Datenschutz-Generator.de.

Image: Thomas Schwenke

Teaser: Unfortunately, our opinion on central consent management has not improved, as Thomas concludes:

"[...] The Cookie Regulation is a good example of the 'well-intentioned, but poorly executed' approach. It appears that the authors have overlooked that the rules for consent are mandated by the EU. Therefore, an efficient simplification of cookie consent can only succeed at the EU level.[...]" (Note: this quote is translated)

Our main inquiries were focused on:

  • the scope of the consent management application,
  • its international applicability, given that few websites operate solely within Germany,
  • and liability issues in practice, especially since a significant number of websites remain non-compliant with GDPR to this day.

We have addressed each of these concerns with practical examples. You can find the answers to these questions in our interview with Thomas.

Interview: With Thomas Schwenke on Central Consent Management

Hi Thomas, let's dive right into the first question.

Topic #1: Limited Scope of Consent Management

Critics argue that central consent management only covers the scope of § 25 TDDSG. Many consents, such as those required for the processing of personal data under the GDPR, are not captured.

Example:

  • I use Google Analytics on my website. § 25 TDDSG (technology-related) regulates that I can store a tracking cookie on the user's end device – for which I need consent.
  • However, what § 25 TDDSG does not regulate is the processing of data collected through this cookie. This includes the IP address and usage behavior. These data can only be processed according to the requirements of the GDPR (data-related), which requires a separate consent.

For companies, does this mean they must continue to operate parallel systems? How can the regulations of the TDDSG and the GDPR be sensibly combined in practice?

"It is possible to obtain multiple consents with one consent click, for example, by clicking on the 'Accept all cookies' button. This is already happening in every cookie banner today. This means a system that collects central consents under the TDDSG can also collect consents under the GDPR. However, it is important that users are informed about the scope of their consent and that it serves other website operators as well.

Another question, however, is whether it is permissible to declare a consent that affects all website operators, as the Consent Management Regulation (EinwV) intends. This borders on a general consent, which in turn is not allowed by the GDPR. This means it is not certain that the EinwV is legally permissible under EU law." (Note: this quote is translated)

Image: Inaccurate cookie classification

Topic #2: Liability Issues with Errors in the Central Service

According to studies, 54% of websites (source) are not implemented in compliance with GDPR. When a website operator uses the German central consent service, and it malfunctions on another website, it remains unclear who is liable.

Example:

  1. Another website stores an incorrect user consent because a service is wrongly categorized as "essential," and I as the website operator can neither trace nor see this.

Who is legally responsible in such cases? How can companies safeguard themselves when using central consent services?

"The data protection responsibility for the services integrated on the website lies with the website provider. The German regulation does not provide any relief that exempts the website operator from liability. This means that if he operates an external system, the website provider can only seek warranty claims from the provider of the service. Since the "EinwV" stipulates that providers of 'recognized consent management services' must not have an economic interest in the users' data, they would need to develop a different business model to offer such a warranty.

Alternatively, liability would need to be excluded, which is legally problematic and is unlikely to enhance website operators' trust in such a system." (Note: this quote is translated)

Topic #3: Complexity of GDPR Compliance

The GDPR mandates that consents be "voluntary, specific, and informed." Ensuring this is also crucial when utilizing a central service. In practice, there is a broad range of consent banners, some of which are legally controversial. As of now, there is no one-size-fits-all solution.

Example: Let's say consent is garnered through a legally contentious "Pay-or-Okay" banner, as many media outlets employ, resulting in near-universal consent rates. I use the same service on my B2B website ...

What do you see as the biggest challenges in bridging the gap between legal requirements and practical implementation? Should there continue to be different versions of these consent banners?

"The main challenge lies in the adoption of centralized consent. Given that it's a local German statute, it’s unlikely that browser providers will voluntarily integrate it. Additionally, the deterrents for commercial providers mentioned in Question 2 apply. A further complication is that consent must be applicable to each specific service, its correct version, and the chosen settings. This complexity makes it risky for website operators, who could be held liable for any invalid consents.

However, regarding the example mentioned, a 'Consent-or-Pay' banner isn't inherently illegal. Its legality depends significantly on how it's designed."

Image: Cookie banner in different languages

Topic #4: International Challenges

The regulation is only applicable in Germany, while other EU countries may have their own, often stricter, rules for cookie banners. This poses challenges for internationally operating companies trying to create uniform solutions.

Example:

  • I have a website in German and French. In France, there is no central collection system.

How can companies manage such regional differences?

"Companies have the option to either adhere to the stricter regulations within the EU or develop tailored cookie solutions for different countries. Most companies opt for the former approach. Although consent for cookie use is regulated uniformly across the EU, there is little leeway for member states to deviate in terms of facilitating or complicating the process of obtaining this consent. The German EinwV serves as a prime example of the difficulties in diverging from EU rules." (Note: this quote is translated)

Visualization of the quote: The Cookie Regulation is a textbook case of the 'well-intentioned, but poorly executed' approach. It appears that the drafters overlooked that consent regulations are mandated by the EU. Thus, an effective simplification of cookie consent can only be achieved at the EU level.

Topic #5: How Realistic is the Regulation?

Based on your previous answers and the general criticism, your conclusion doesn't seem very positive. Which brings us to the final question:

Is the goal of the regulation realistic, or does it lead to more complexity for companies and users?

"The Cookie Regulation is a good example of the 'well-intentioned, but poorly executed' approach. It appears that the authors have overlooked that the rules for consent are mandated by the EU. Therefore, an efficient simplification of cookie consent can only succeed at the EU level.

The German Cookie Regulation could at best serve as a proposal for what such a simplification might look like at the EU level. In practice, the implementation of the German Cookie Regulation would only provide relief to those users who are generally willing to give consent generously. Users who refuse could, on the other hand, face even greater confusion due to different cookie procedures. Out of frustration, this might lead them to eventually just click 'Accept All.'

There is a significant risk that the EinwV, from a consumer protection standpoint, might end up doing more harm than good." (Note: this quote is translated)

Thank you for your responses to our questions, Thomas!

For those interested, feel free to take another look at our general presentation of the EinwV. More about Dr. jur. Thomas Schwenke can be found here: