Website privacy is about more than cookies

It was not just the Telecommunications Telemedia Data Protection Act (TTDSG) that put cookies on the agenda of website operators. But as important as the data protection-compliant use of cookies is, there are other data protection requirements for websites that are often overlooked. We provide an overview of what supervisory authorities have specifically pointed out.

Data protection for websites cannot be reduced to the problem of cookies alone. The topic is as complex as the design and operation of websites.

When visiting a website or using an app, users should be able to assume that, without being asked, only the data actually required to provide the requested service will be processed, as the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) points out.

If service providers want to collect and process further data, they must first ask users for their voluntary consent in an informed manner. These requirements are now generally implemented by many operators by means of upstream “consent banners”. However, according to the supervisory authority, this is not always done in accordance with the law.

Observe the TTDSG in addition to the GDPR

The law on data protection and the protection of privacy in telecommunications and telemedia (TTDSG for short), which came into force nationwide on December 1, 2021, sets out, among other things, specifications for cookies and other tracking technologies. The TTDSG protects the integrity of end devices by applying the principle that prior consent is required before information can be stored on end devices or read from them, unless the narrow and final exceptions of the law apply.

Anyone who believes they are using a legally compliant cookie banner and employing other tracking technologies only in a data-protection-compliant way should not simply take the topic of website data protection off their agenda. As further guidance from supervisory authorities shows, more than just cookies count here.

Privacy and Fonts

This is how a wave of warning letters against thousands of website operators came about. The reason was the dynamic embedding of Google Fonts on their websites without obtaining the prior consent of the website visitors. Complaints about this practice against site operators were also received by the Thuringian State Commissioner for Data Protection and Freedom of Information. The data protection problem is quickly described: with dynamic integration, the fonts are loaded into the visitor's browser from the servers of the US company Google, and personal data, such as the user's IP address, is transmitted to the USA.

The supervisory authority's recommendation on Google Fonts for avoiding warning letters is therefore: website operators should check whether they use Google Fonts and, if so, how the service is integrated into the website. Anyone using dynamically loaded Google Fonts should store these fonts locally and integrate them into their own website from there.

It is better not to rely on consent for Google Fonts

However, Google Fonts is just one example. In general, the following applies: “In order to integrate external fonts into websites in compliance with data protection regulations, I strongly recommend that website operators do not load the fonts directly from the server of the respective provider, but first download them and save them locally on their own server. From there, the fonts can be integrated into the website in compliance with data protection regulations without establishing a connection to external servers,” said the data protection supervisory authority of Saxony-Anhalt.
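The two steps the authorities describe, first checking whether a site pulls fonts from third-party servers and then serving them from the operator's own host, can be turned into a small check. The following Python script is an added example, not code from the article or from any supervisory authority. It scans a page's HTML and CSS for font loads that leave the site, and emits the local `@font-face` rule that replaces them. The sample page, the host name `www.example.org` and the local file paths are constructed for the example; `fonts.googleapis.com` and `fonts.gstatic.com` are the hosts Google Fonts serves stylesheets and font files from.

```python
"""Scan a page for externally loaded fonts (Google Fonts and other font CDNs).

Added example: the sample HTML/CSS, host name and file paths are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that Google Fonts uses for stylesheets and font files.
FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
FONT_EXTENSIONS = (".woff", ".woff2", ".ttf", ".otf", ".eot")

# Matches url(...) and @import "..." inside CSS.
CSS_URL_RE = re.compile(r"""url\(\s*['"]?([^'")]+)['"]?\s*\)|@import\s+['"]([^'"]+)['"]""")


class _PageCollector(HTMLParser):
    """Collects <link href> values and the contents of inline <style> blocks."""

    def __init__(self):
        super().__init__()
        self.link_urls = []
        self.inline_css = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and attrs.get("href"):
            self.link_urls.append(attrs["href"])
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.inline_css.append(data)


def css_urls(css):
    """Return every URL referenced via url() or @import in a CSS string."""
    return [m.group(1) or m.group(2) for m in CSS_URL_RE.finditer(css)]


def _absolute(url):
    # Protocol-relative URLs (//host/...) still open a connection to that host.
    return "https:" + url if url.startswith("//") else url


def is_external(url, own_host):
    """True if the URL points at a host other than the site's own host."""
    host = urlparse(_absolute(url)).netloc.lower()
    return bool(host) and host != own_host.lower()


def is_font_source(url):
    """Known font CDN host, or a URL whose path is a font file."""
    parsed = urlparse(_absolute(url))
    return parsed.netloc.lower() in FONT_HOSTS or parsed.path.lower().endswith(FONT_EXTENSIONS)


def find_external_font_sources(html, css, own_host):
    """All URLs on the page that fetch fonts or font stylesheets from third-party servers."""
    page = _PageCollector()
    page.feed(html)
    candidates = list(page.link_urls)
    for block in page.inline_css + [css]:
        candidates.extend(css_urls(block))
    return sorted({u.strip() for u in candidates if is_external(u, own_host) and is_font_source(u)})


def local_font_face(family, local_path, weight=400, style="normal"):
    """@font-face rule for a font file copied to the operator's own server."""
    return (f'@font-face {{ font-family: "{family}"; font-style: {style}; '
            f'font-weight: {weight}; font-display: swap; '
            f'src: url("{local_path}") format("woff2"); }}')


# Constructed sample page: two Google Fonts loads, one preconnect, one external CDN font,
# and one font that is already self-hosted.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="/static/site.css">
<style>
@import url("https://fonts.googleapis.com/css?family=Lato");
@font-face { font-family: "Brand"; src: url(/fonts/brand.woff2) format("woff2"); }
</style>
</head><body><p>Hello</p></body></html>"""
SAMPLE_CSS = '@font-face { font-family: "Other"; src: url("https://cdn.example.net/fonts/other.woff2"); }'


if __name__ == "__main__":
    for url in find_external_font_sources(SAMPLE_HTML, SAMPLE_CSS, "www.example.org"):
        print("external font source:", url)
    print("replacement rule:", local_font_face("Roboto", "/fonts/roboto-400.woff2"))
```

Run against a real site, the scanner only sees what is in the delivered HTML and the stylesheets you hand it; a third-party stylesheet referenced by `<link>` can itself load fonts, so external stylesheets should be fetched and passed through `css_urls` as well. The `@font-face` rule generated by `local_font_face` references a path on the operator's own host, so `is_external` reports nothing for it.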

What’s more, the state commissioner advises against obtaining the consent of the website visitor in accordance with the GDPR (General Data Protection Regulation) for the integration of fonts from external servers. For an effective consent, the user would have to have information according to the GDPR before the data collection in order to know to what extent consent is given. This information would also have to include the risks associated with third-country transfers.

In addition, according to the supervisory authority, consent can only justify occasional transfers to an insecure third country. If fonts are loaded from external servers and integrated on a website such that the website visitor's IP address is transmitted to these servers each time the website is accessed, systematic, repetitive data processing must be assumed, so consent cannot serve as a legal basis in this way.

Online translation and spell checking of websites

Another example of data protection requirements for websites that go beyond classic cookies:

Modern web browsers support users in a variety of ways in using the Internet as conveniently as possible. A spell checker that checks text entered on websites for correctness and suggests improvements has long been a matter of course, as the Hessian Commissioner for Data Protection and Freedom of Information notes, for example.

The data protection problem: When using Internet browsers, unwanted and impermissible transmission of personal data to third countries can occur if cloud-based writing support or translations are activated. For this reason, the state data protection officer of North Rhine-Westphalia recommends that companies, authorities and other responsible bodies in North Rhine-Westphalia check the settings of the browsers used in their organizations.

Spelling aids that check texts for semantic and syntactic correctness are just one example of online support on websites. In addition, web browsers now offer “enhanced” or “intelligent” writing support and translations. Among other things, cloud-based functions are used, for example to further optimize the results with the help of so-called “artificial intelligence”. If such cloud-based writing support is active, user input in the browser and on websites can be transmitted to the servers of a specific manufacturer. In addition to personal data, this may even include entries in password fields.

Many websites that want to offer multilingualism, for example, also use such browser functions and thus cloud functions, which can lead to problematic data transmission.
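Checking the browser settings in an organisation, as the North Rhine-Westphalia commissioner recommends, is easiest where the browser is centrally managed. The following Python script is an added example (not from the article or any authority) that audits the managed-policy JSON files deployed to Chrome and reports whether cloud-based spell checking and built-in translation are forced off. `SpellCheckServiceEnabled` and `TranslateEnabled` are Chrome's documented enterprise policy names; the sample file contents, the expectation that both are forced off, the later-file-wins merge order and the directory path are assumptions for this example.

```python
"""Audit Chrome managed-policy JSON for cloud spell check and translation.

Added example: policy file contents and the expected values are constructed
assumptions; the two policy names are Chrome's documented enterprise policies.
"""
import json
from pathlib import Path

# Settings this audit expects an organisation to enforce.
EXPECTED = {
    "SpellCheckServiceEnabled": False,  # cloud-based spell checking off
    "TranslateEnabled": False,          # built-in (cloud) translation off
}


def load_policy_dir(path):
    """Read every *.json file in a managed-policy directory into {name: text}.

    On Linux, Chrome reads its managed policies from
    /etc/opt/chrome/policies/managed/ (assumed path for this example).
    """
    return {p.name: p.read_text(encoding="utf-8") for p in Path(path).glob("*.json")}


def merge_policy_files(files):
    """Merge policy JSON documents; later files (sorted by name) override earlier ones.

    The precedence is an assumption of this audit, chosen so conflicts are visible.
    """
    merged = {}
    for name in sorted(files):
        doc = json.loads(files[name])
        if not isinstance(doc, dict):
            raise ValueError(f"{name}: policy file must contain a JSON object")
        merged.update(doc)
    return merged


def audit_policies(merged):
    """Return one finding per expected policy that is unset or set to the wrong value."""
    findings = []
    for key, wanted in EXPECTED.items():
        if key not in merged:
            # Unset means the default applies and a user can switch the feature on.
            findings.append(f"{key}: not set by policy, users may enable it themselves")
        elif merged[key] != wanted:
            findings.append(f"{key}: set to {merged[key]!r}, expected {wanted!r}")
    return findings


# Constructed samples: a weak deployment and a hardened one.
WEAK_POLICY_FILES = {
    "00-base.json": '{"TranslateEnabled": true}',
    "10-site.json": '{"HomepageLocation": "https://intranet.example.org"}',
}
HARDENED_POLICY_FILES = {
    "00-base.json": '{"SpellCheckServiceEnabled": false, "TranslateEnabled": false}',
}


if __name__ == "__main__":
    for label, files in (("weak", WEAK_POLICY_FILES), ("hardened", HARDENED_POLICY_FILES)):
        findings = audit_policies(merge_policy_files(files))
        print(f"{label}: {'OK' if not findings else ''}")
        for line in findings:
            print("  -", line)
```

To run it against a real deployment, replace the constructed dictionaries with `load_policy_dir("/etc/opt/chrome/policies/managed")` (or the equivalent policy export of your management tool). The script treats an unset policy as a finding, since the feature is then left to each user's preference rather than enforced.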

It turns out that data protection for websites is as complex as the design and operation of websites. Every element that a website is supposed to use must also be considered from a data protection point of view. Privacy by design must also apply to websites.
