Configure Matomo Analytics for TDDDG (TTDSG) compliance
What is TDDDG (previously TTDSG)?
The Telecommunications Digital Services Data Protection Act (TDDDG) is a German law that regulates data protection in digital services and telecommunications. The TDDDG replaced the Telecommunications Telemedia Data Protection Act (TTDSG) on May 14, 2024.
The TDDDG is Germany's national implementation of the ePrivacy Directive, the counterpart of the privacy and electronic communications legislation in other EU member states. It specifically regulates how websites and apps handle user data, cookies and tracking technologies in Germany.
When should I care about the TDDDG?
You need to pay attention to the TDDDG if:
- You are a website operator established in Germany, or your website offers goods or services to visitors from Germany.
- You use cookies or any tracking technologies.
- You store data on users’ devices or read information from them.
Note: Some German supervisory authorities, e.g. the Baden-Württemberg SA, have stated that it is possible to carry out "reach analysis" (audience measurement) that falls outside the TDDDG (formerly TTDSG) and can be done without consent.
Such audience measurement must:
- use local log file analysis only.
- not access the terminal device.
- involve no external third-party services (no third party may analyse user behaviour, and no personal data may be passed on to third parties).
- use a data-saving configuration.
- involve no merging of usage data across provider or device boundaries.
- involve no use of the information to recognise the user for any other purpose.
- serve only the purpose of creating aggregated statistics that cannot be related to individuals.
How is the TDDDG different from the GDPR?
While the GDPR covers general data protection and focuses on the protection of personal data, the TDDDG specifically focuses on electronic communications and on the storage of, or access to, information on users' terminal devices. The GDPR is a broad privacy framework directly applicable in all EU member states, while the TDDDG is a national implementation of the ePrivacy Directive, adding specific rules about how websites interact with users' devices in Germany.
For example, the TDDDG makes it clear that you need explicit consent before placing non-essential cookies or tracking technologies on German users’ devices. It also defines what constitutes essential cookies, which are mostly limited to those strictly necessary for the functionality of the website or service or provision of services expressly requested by the visitor.
How to configure Matomo Analytics to be TDDDG compliant
To ensure compliance with German law, we recommend asking for consent before enabling either cookieless or cookie-based tracking with Matomo. Alternatively, you can use Matomo Log Analytics, which relies solely on server log files for analysis. It can be used without user consent because it does not interact with or access the user's terminal device. Analytics based on log files produces only a limited set of reports.
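The following is an added example, not code from this page or Matomo's own tracking snippet. It assembles the Matomo JavaScript tracker command queue (window._paq) so that no cookie is written and no tracking request is sent until the visitor has actively consented, and it includes a check for the common mistake of pushing requireConsent after the first tracking call. The commands requireConsent, setConsentGiven, rememberConsentGiven, forgetConsentGiven, setTrackerUrl, setSiteId, trackPageView and enableLinkTracking are real Matomo tracker API calls; the Matomo URL and site id are placeholders, and the consent object is a constructed stand-in for whatever your consent management platform provides.

```javascript
// Added example: consent-gated Matomo tracker queue (not Matomo's own snippet).
// Assumptions: MATOMO_URL and SITE_ID are placeholders; `consent` is a
// constructed object standing in for the decision from your consent platform.

const MATOMO_URL = 'https://matomo.example.invalid/'; // placeholder, not a real instance
const SITE_ID = '1';                                  // placeholder

// Build the ordered command list for window._paq.
//   consent.hasConsent    - true once the visitor clicked "accept" (constructed input)
//   consent.rememberHours - optional; persist the decision in Matomo's consent cookie
function buildMatomoQueue(consent) {
  const q = [];
  // Must be pushed before any tracking call: while requireConsent is active,
  // Matomo neither sets cookies nor sends requests until consent is given.
  q.push(['requireConsent']);
  q.push(['setTrackerUrl', MATOMO_URL + 'matomo.php']);
  q.push(['setSiteId', SITE_ID]);
  if (consent.hasConsent) {
    if (consent.rememberHours) {
      // Stores the decision so later page views do not re-ask; the stored
      // decision is itself something the visitor expressly requested.
      q.push(['rememberConsentGiven', consent.rememberHours]);
    } else {
      q.push(['setConsentGiven']);
    }
  }
  // Queued behind requireConsent: held back until consent exists.
  q.push(['trackPageView']);
  q.push(['enableLinkTracking']);
  return q;
}

// Commands to push when the visitor withdraws consent (must be as easy as giving it).
function withdrawalCommands() {
  return [['forgetConsentGiven']]; // removes the consent cookie and stops tracking
}

// Misconfiguration check: true when the queue would fire a page view before
// Matomo has been told to wait for consent (requireConsent missing or pushed late).
function queueTracksWithoutConsent(q) {
  const requireIdx = q.findIndex(c => c[0] === 'requireConsent');
  const trackIdx = q.findIndex(c => c[0] === 'trackPageView');
  if (trackIdx < 0) return false;
  return requireIdx < 0 || requireIdx > trackIdx;
}

// Browser entry point: populate window._paq and load matomo.js.
// Returns false outside a browser (e.g. under a Node test runner).
function installMatomo(consent) {
  if (typeof window === 'undefined' || typeof document === 'undefined') return false;
  window._paq = window._paq || [];
  buildMatomoQueue(consent).forEach(cmd => window._paq.push(cmd));
  const s = document.createElement('script');
  s.async = true;
  s.src = MATOMO_URL + 'matomo.js';
  document.head.appendChild(s);
  return true;
}
```

When the visitor has not yet decided, the queue stays parked behind requireConsent; your consent banner's "accept" handler then pushes ['setConsentGiven'] (or ['rememberConsentGiven', hours]) to release the held page view, and its "withdraw" handler pushes the commands from withdrawalCommands().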
The BfDI (Federal Commissioner for Data Protection and Freedom of Information), which is responsible for supervising federal public bodies (e.g. ministries, federal agencies and organisations acting on their behalf) and entities in the telecommunications sector, has published a guideline on the use of Matomo Analytics by the bodies under its supervision (BfDI – Übersichtsseite Fachthemen – Der Einsatz des Webseiten-Analysetools Matomo). The BfDI confirms that the organisations it supervises must ask for consent before using Matomo Analytics. The guideline notes that the secondary use of log analytics for audience measurement changes the purpose of the processing. Controllers must therefore comply with Article 6(4) GDPR and Section 23 of the Federal Data Protection Act (BDSG) and demonstrate a legal basis under Article 6(1) GDPR. The BfDI does not list consent as a mandatory legal basis for this, and legitimate interest is an available option.
Inform visitors to your website
- About the cookies and tracking technologies that you use (definition, function, type, purpose, parties that will use data collected, type of data collected).
- How to accept, deny or revoke consent.
- About data transfers, any automated decision-making (if applicable) and data retention period.
- Use clear simple language.
- Make the information easily accessible (e.g. via a clearly visible Cookie or Cookie Policy link).
- Use a layered approach (essential info in first layer, more details in the second layer).
- Offer the option to reject cookies in the same layer and level as acceptance.
- Group cookies at least by their purpose; cookie-by-cookie selection should be avoided as it makes decision-making difficult.
Managing consent options
- Make sure you collect valid consent (clear affirmative action).
- Use a consent management platform that complies with the TDDDG guidelines.
- If your website or app is directed to minors under 14 years of age, you will need to show that you made reasonable efforts to verify that consent was given by the parent or a guardian.
- Withdrawing consent must be as easy as giving consent.
- Periodically update consent to ensure it remains relevant and covers how data is processed and reflects any significant changes to the processing.
Implement and maintain reasonable security procedures and practices to protect consumer data
The most important ones regarding data collected in Matomo include:
- Set up SSL certificates for all your websites and apps.
- Set up an SSL certificate for your Matomo server.
- Ensure that data in the Matomo interface and API is only accessible by authorised individuals.
- Use the Activity Log to keep track of changes done to Matomo entities.
- Refer to the GDPR compliance checklist for further reading.
Disclaimer: The information provided above is for general informational purposes only and should not be considered legal advice. Please consult your legal team for specific advice and guidance tailored to your needs. If you are interested in Matomo Cloud, learn more by reading our Matomo Cloud Data Processing Agreement (DPA).