New Data Privacy Law TTDSG: What Insurance Companies & Brokers Must Know for Compliance
As an insurance professional, you handle sensitive client data daily. Whether you're advising on private health insurance (PKV), comparing statutory health insurance (GKV) plans, or selling life insurance policies, data protection is paramount. A new law, the Telekommunikation-Telemedien-Datenschutz-Gesetz (TTDSG), comes into force on December 1, 2021, introducing stricter rules for online data collection. This guide, featuring insights from Andreas Sutter of disphere, explains what the TTDSG means for your insurance website, digital marketing, and overall compliance strategy.
What is the TTDSG and Who Must Comply?
The TTDSG consolidates regulations from the old Telecommunications Act (TKG) and Telemedia Act (TMG), aligning them with European directives like the ePrivacy Directive. If you are a "telemedia service provider," you must comply. This includes any insurance company, broker, or agent who:
- Operates a website, landing page, or online portal for quotes or information.
- Uses an insurance app or client communication tools.
- Runs an online shop for insurance products.
- Utilizes internet-based communication services.
Critical Warning for Employers: If you allow employees private use of company phones, internet, or email, you may be classified as a telecommunications provider under the TTDSG, subject to extensive secrecy obligations. The safest course is to explicitly prohibit private use and regularly enforce this policy.
The Core Change: Stricter Consent for Cookies and Tracking
The most significant shift affects how you collect information from a user's device (smartphone, laptop, etc.). Under the TTDSG:
Explicit user consent is now mandatory for storing or accessing information on an end-user's device. This includes:
- All cookies (except strictly necessary ones).
- Tracking technologies like fingerprinting.
- Third-party requests (e.g., loading external fonts or scripts).
- Marketing pixels and retargeting tools.
It no longer matters if the data is anonymized or pseudonymized. The act of accessing the device itself requires consent. Relying on "legitimate interest" under the GDPR (DSGVO) is no longer sufficient for these technical actions; the TTDSG takes precedence here.
What Are the Exceptions?
Consent is not required for cookies or processing that is strictly necessary for the website or app to function. This includes:
- Session cookies for login authentication.
- Cookies remembering language settings.
- Shopping cart functionality.
- Cookies related to the consent management tool itself.
High-Risk Practices to Eliminate Immediately
Certain common practices now pose a high compliance risk because they run before consent can be obtained:
- External Google Fonts: Loading fonts from Google's servers often transmits IP addresses before consent.
- Integrated Review Platforms: Widgets from sites like ProvenExpert can track users immediately.
The previous justification of "anonymization" or "legitimate interest" is invalid under TTDSG. The safest recommendation is to remove or self-host these services to avoid violations.
Requirements for Legally Valid Consent Under TTDSG
To obtain consent that withstands legal scrutiny, you must ensure it is:
- Informed: Users must be clearly told what they are consenting to.
- Unambiguous: Pre-ticked boxes or implied consent are illegal.
- Voluntary: Access to your core services cannot be conditional on accepting marketing cookies.
- Specific: Granular choices must be offered (e.g., separate toggles for necessary, statistical, and marketing cookies).
- Easily Revocable: Users must be able to withdraw consent as easily as they gave it.
Beware of "nudging" (designing the consent interface to push users toward acceptance) or poorly programmed consent management tools—these can lead to hefty fines.
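The following is an added example, not code from the article or from disphere: a small consent gate that models the rules above in plain JavaScript. Third-party resources are registered with a category, only the "necessary" category loads on page open, each further category loads only after an explicit grant, and withdrawal is a single call. The category names, resource URLs and the shape of the loader callback are illustrative assumptions.

```javascript
// Added example (not from the article): a consent-gated loader for third-party
// resources. Nothing consent-required is requested until the user has opted in
// to its category, matching the TTDSG rule that accessing the device needs
// prior consent. Categories, ids and URLs below are illustrative assumptions.

const CATEGORIES = ['necessary', 'statistics', 'marketing'];

// Resources registered up front. Only 'necessary' is exempt from consent.
const REGISTRY = [
  { id: 'site-css',          category: 'necessary',  url: '/assets/site.css' },
  { id: 'self-hosted-font',  category: 'necessary',  url: '/assets/fonts/body.woff2' },
  { id: 'analytics',         category: 'statistics', url: 'https://stats.example.test/tag.js' },
  { id: 'review-widget',     category: 'marketing',  url: 'https://reviews.example.test/widget.js' },
  { id: 'retargeting-pixel', category: 'marketing',  url: 'https://ads.example.test/pixel.js' },
];

function createConsentGate(registry, load) {
  // Explicit opt-in only: no category other than 'necessary' is pre-ticked.
  const consented = new Set(['necessary']);
  const loaded = new Set();

  // Load every registered resource whose category has consent and that has
  // not been loaded yet; called on init and after each grant.
  function flush() {
    for (const r of registry) {
      if (consented.has(r.category) && !loaded.has(r.id)) {
        loaded.add(r.id);
        load(r);
      }
    }
  }

  return {
    // Granular consent: the user toggles one or more categories.
    grant(categories) {
      for (const c of categories) {
        if (!CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
        consented.add(c);
      }
      flush();
    },
    // Withdrawal must be as easy as consent: one call drops every
    // non-essential category and stops further loads. Already-injected
    // scripts cannot be unloaded, so the page should also delete the cookies
    // they set and persist the withdrawal.
    revoke() {
      for (const c of CATEGORIES) if (c !== 'necessary') consented.delete(c);
    },
    granted: () => [...consented],
    loaded: () => [...loaded],
    // Resources still blocked pending consent, useful for an audit panel.
    pending: () => registry.filter((r) => !loaded.has(r.id)).map((r) => r.id),
    init: flush,
  };
}

// Browser loader: inject a <script> tag; a no-op outside the browser.
function domLoader(resource) {
  if (typeof document === 'undefined') return;
  const el = document.createElement('script');
  el.src = resource.url;
  document.head.appendChild(el);
}

// Walk-through with a recording loader instead of the DOM.
function demo() {
  const events = [];
  const gate = createConsentGate(REGISTRY, (r) => events.push(r.id));
  gate.init();                 // page open: only 'necessary' resources load
  gate.grant(['statistics']);  // user enables statistics only
  return { events, pending: gate.pending(), granted: gate.granted() };
}
```

In a real page the gate would be wired to the consent banner's toggles and would persist the chosen categories in a cookie of its own (which the article lists as exempt), re-running init() on each visit; the point of the structure is that every consent-required request sits behind grant() rather than in the page head.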
Enforcement, Fines, and Legal Risks
Supervision of the TTDSG falls to the Federal Commissioner for Data Protection and Freedom of Information (BfDI). The financial risks are substantial:
- Fines up to €300,000 for operating without valid consent.
- Increased Risk of Legal Warnings (Abmahnungen): Unlike some GDPR violations, TTDSG breaches are fully actionable by competitors or consumer groups. The legal protection for small businesses (<250 employees) under the German Unfair Competition Act (UWG) does not apply here. Expect a rise in warnings targeting non-compliant websites.
Action Plan for Insurance Professionals
- Audit Your Website & App: Identify all cookies, trackers, and third-party scripts. Categorize them as "necessary" or "consent-required."
- Implement a Robust Consent Tool: Choose a consent management platform (CMP) that meets TTDSG standards for granularity, transparency, and revocability.
- Remove High-Risk Elements: Eliminate or self-host external resources like fonts and widgets that load without consent.
- Update Privacy Policies & Imprints: Clearly document your data practices under the new law.
- Train Your Team: Ensure everyone involved in your digital insurance marketing understands the new consent requirements.
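As an added example for the audit step (not code from the article or from disphere), the script below inventories the third-party hosts a page would contact on load, which is the first thing to establish before categorizing each resource as "necessary" or "consent-required". The HTML is constructed for the example; apart from the Google Fonts host the article itself mentions, every hostname is a placeholder.

```javascript
// Added example (not from the article): list the third-party origins a page
// requests on load. The sample HTML is constructed; hosts ending in .test are
// placeholders, fonts.googleapis.com is the Google Fonts case from the article.

const FIRST_PARTY = 'https://www.example-versicherung.test';

const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="/assets/site.css">
<script src="/assets/app.js"></script>
<script src="https://tags.example-analytics.test/tag.js?id=PLACEHOLDER" async></script>
</head><body>
<img src="/img/logo.png" alt="logo">
<img src="https://px.example-ads.test/p.gif?u=123" width="1" height="1">
<iframe src="https://widget.example-reviews.test/embed/PLACEHOLDER"></iframe>
</body></html>`;

// Tag/attribute pairs that trigger a request as the page loads. Regex
// extraction is a deliberate simplification: a production audit should use a
// real HTML parser or a headless browser's network log, because scripts can
// issue further requests (fonts via CSS, tag managers) that static HTML hides.
const LOADING_ATTRS = [
  ['script', 'src'], ['link', 'href'], ['img', 'src'], ['iframe', 'src'],
];

function extractResources(html) {
  const out = [];
  for (const [tag, attr] of LOADING_ATTRS) {
    const re = new RegExp(`<${tag}\\b[^>]*?\\s${attr}=["']([^"']+)["']`, 'gi');
    let m;
    while ((m = re.exec(html)) !== null) out.push({ tag, url: m[1] });
  }
  return out;
}

function auditThirdParty(html, firstParty) {
  const first = new URL(firstParty);
  const findings = [];
  for (const { tag, url } of extractResources(html)) {
    let u;
    try { u = new URL(url, first); } catch { continue; } // skip malformed refs
    if (u.origin === first.origin) continue;             // self-hosted: fine
    findings.push({ tag, host: u.host, url: u.href });
  }
  return findings;
}

// Unique third-party hosts, sorted, for the compliance checklist.
function auditSummary(findings) {
  return [...new Set(findings.map((f) => f.host))].sort();
}

function demo() {
  const findings = auditThirdParty(SAMPLE_HTML, FIRST_PARTY);
  return { findings, hosts: auditSummary(findings) };
}
```

Each host on the resulting list needs a decision: self-host it (the article's recommendation for fonts and widgets), move it behind the consent gate, or drop it. Relative URLs resolve to the first-party origin and are excluded, which is exactly why self-hosting removes a finding.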
For insurance companies and brokers, the TTDSG is not just a technicality—it's a fundamental shift in how you engage with clients online. Proactive compliance protects you from severe penalties and builds trust by demonstrating respect for client privacy. In an industry built on trust, robust data protection is your most valuable policy.