PIMS: new approach to manage user consent?

by Klaus Meffert//

The TTDSG is the new German law for regulating privacy issues, which inter alia will implement the EU ePrivacy directive and will take effect in December 2021.

§ 26 TTDSG introduces the personal information management system (PIMS) as a new concept to managing users consent. The main idea is to reduce the annoying cookie popups which appear on almost any website and in many apps.¹

PIMS requires a global or central consent management platform. It is questionable whether such a platform can be implemented in a way which is compliant with GDPR.

According to German law makers PIMS requires the following steps:

• A person defines a privacy setup by allowing or denying specific purposes for which his personal data shall be processed. These preferences are stored at the PIMS platform, which will be run by an independent instance with no economic interest in the consent data of potentially millions of users.

• When a person visits a website, the website queries the PIMS platform to retrieve the choices of the user.

• Instead of displaying a cookie popup the website is able to request the preferences of the user.

To benefit from a central PIMS platform, the platform must be a one-stop shop to allow or deny common purposes for data processing. Regarding websites and apps, the user needs to be able to consent into online tools. Examples for such tools are Google Maps, the Facebook Pixel or an embedded YouTube video.

However, it would not be GDPR compliant, if a user is asked for consent in a way that aggregates multiple tools under one purpose. Although, this may be feasible in single cases, it will fail as a general rule. It would also not be compliant with European law, if different configurations of a tool are bundled under one purpose. This derives from Article 5 (1) b GDPR which states that personal data must be “collected for specified, explicit and legitimate purposes“. In addition, Article 13 (1) c GDPR demands to inform the user of the purposes for collecting personal data.

The following case will illustrate the challenge when creating a PIMS solution. Three different websites are using the same online tool, Google Analytics (GA). GA is one of the most common tools for websites in Germany and worldwide. Since GA uses non-necessary cookies in most cases, the tool needs explicit user consent:

• Website A uses GA in its standard form, with no configuration done. The purpose of the usage is to know which pages of the website are visited most times.

• Website B uses GA with IP anonymization. The purpose of the usage is the general optimization of online ads by enhancing the conversion rate of users who click on an ad.

• Website C uses GA together with Google Optimize and along with the remarketing option. The purpose of the usage is the optimization of online ads by retargeting, and of the website by split tests.

It follows in our examle, that PIMS needs to ask for three different consents, namely for each different usage type of GA. In practice, hundreds or thousands possible configurations for GA are existing. Soley for one single tool like GA, a consent request for hundreds of purposes would be necessary.

The amount of consent variations is rising further when one considers that thousands of online tools from different vendors are available. Each of those tools can be integrated into websites, apps, or smart TVs. Each of those tools can potentially have numerous configurations. Eventually, users would either deny any consent or allow every purpose. No user would click through an extremely long list, read each entry and choose “Yes” or “No” thousand times.

A central instance, which maintains the privacy preferences of individuals, would need to list all tools and ask the user if he or she accepts the different variations of the tools and their way to collect the user’s data. The consequence is a PIMS, which becomes extremely overloaded and confusing. In practise, it seems impossible to gather any configuration of any tool world-wide in a PIMS. This approach would even fail for the top 100 websites tools.

Since specific purposes of tools, as they are given for individual websites, cannot be communicated in an aggregated platform, the information provided to the user will become inaccurate and misleading. This contradicts Article 12 (1) GDPR that postulates a precise, transparent and clear language.

Therefore, the German approach of a central consent management platform – managed by a data trustee – is not feasible in practise.

An additional question arises, whether the websites or the plattform provider is regarded as controller of the global consent management platform or not? The website or app owners cannot be regarded as responsible, because they cannot influence the information that is displayed when asking the user for consent. On the other side, the intention of the data trustee will not to be legally responsible for the whole PIMS process.

Given that, there is another deep abyss which is often unnoticed. I tested hundreds of websites, each of them utilizing one of the common cookie consent tools. Almost none of those websites complied with the GDPR, even when judging generously (study and results are available in German language from the author).

If almost any consent popup on a single website fails to comply to the GDPR, how can a global consent management platform provide a compliant solution?

One root cause is the lacking transparency of popular tools from globally acting internet companies, like Google or Facebook. Consider Google Maps for example. This service uses a lot of cookies. For most of these Google Maps cookies, Google does not mention their purpose. Recall that the purpose of cookies needs to be provided to the user according to Article 13 (1) lit. c GDPR, as the CJEU held in a judgment called the “Planet49” case (CJEU, C-673/17).

How to eliminate cookie popups without PIMS? Some possible approaches are:

• Controller can use tools that do not require a users consent as legal basis. E.g., use OpenStreetMap instead of Google Maps or Matomo instead of GA

• Tool providers, such as Google, can avoid invasive techniques. However, this is not a realistic scenario.

• Supervisory authorities may impose sanctions.

• Individuals may sue against controller.

In my opinion, the preferred way is using privacy-friendly tools. The obvious benefit is a popup-free online medium with users who are comfortable with their privacy. Another surplus for the controller is legal compliance. According to my own practical insights, the assumption is questionable, that online advertising supported with platforms from global players is a magic bullet.

Selling by making users happy sounds like a long forgotten approach – an approach which eliminates privacy issues without further ado.

Klaus Meffert, Digital Data Protection: Data Protection Consulting in Technology and Law; Website-Check for free (Frankfurt a.M., Germany)