Featured image for news: Data Protection, Tracking, and Consent
5 min read

Symbolbild mithilfe von KI erstellt

Data Protection, Tracking, and Consent

What You Really Reveal About Your Data With One Click

A consent button may seem trivial – but technically and legally, it often bundles several data flows that go far beyond “just a few cookies.” The underlying consent and privacy notice here shows how tracking, advertising funding, and embedded third-party content are combined into a single consent.

At its core, it’s about the decision of whether users agree to the processing of certain device data and personal data. The text states that this is not only done by the provider itself, but – according to the wording of the notice – also by a large number of other recipients (“up to 230 partners”). This scope is crucial for classification: the more parties involved, the harder it is for individual users to fully understand the actual processing in all its details.

Which Data Is Affected – and Why It’s Practically Relevant

Cookies, device identifiers, and identifiers such as IP addresses are mentioned. These are not just technical auxiliary data. In practice, such features can be used to

  • recognize users across sessions and websites,
  • create profiles from usage and interest patterns,
  • display advertising and content based on a presumed “interest profile.”

The notice thus makes it clear: it’s not just about storing information in the browser, but about the ability to link usage across different services – especially when third-party advertising and external services are integrated.

Which Legal Bases Are Invoked – and What That Means for Consent

§ 25 (1) TDDDG and Art. 6 (1) lit. a GDPR are cited as legal bases. This combination describes a two-stage concept that is behind many consent banners in practice:

  • § 25 TDDDG addresses access to information on the end device – i.e., storing and reading cookies or querying comparable identifiers.
  • Art. 6 (1) lit. a GDPR forms the basis for subsequently processing personal data that arises or can be linked in this context.

This makes consent the linchpin of legality. Data protection authorities have emphasized for years that web tracking – especially with third-party services – requires explicit, informed consent. In this logic, a banner that only informs or already contains pre-activated options is not sufficient. What matters is whether the consent is actually given voluntarily, specifically, and understandably – and whether users have a real choice.

Why Third-Party Advertising Is More Than Just “Funding”

The notice also justifies the use of data with the funding of the journalistic offering through third-party advertising. This is a plausible economic explanation – but it does not change the fact that third-party advertising is typically associated with measurement and profiling logics.

When tracking technologies are used to personalize ads or measure their effectiveness, information is stored or retrieved on the device and merged with usage data. Depending on the technical integration, this can mean that several actors receive data as soon as the page is loaded – and that this data is not limited to a single service, but becomes usable for the advertising ecosystem.

External Content (“Embeds”): The Invisible Data Outflow When Loading the Page

The consent text also mentions external content and third-party services – such as interactive graphics, videos, or podcasts. Such integrations are often editorially useful because they make content more vivid. Technically, however, an embed often means that loading the content establishes a connection to a third-party provider’s servers.

Depending on the service and configuration, information can be read or stored on the end device and personal data can be generated. Even the transmission of the IP address can be enough for a third party to log usage or combine it with existing information. Media and data protection guidelines therefore often recommend privacy-friendly default settings, such as solutions where external content is only loaded after a conscious interaction.

Data Processing Outside the EU: Consent Can Have Cross-Border Consequences

Particularly sensitive is the notice that data can also be processed in countries outside the EU where a lower level of data protection applies. Thus, consent touches not only the question “Who is tracking me?” but also “Where does my data end up – and under what rules?”

According to the GDPR, transfers to third countries are subject to strict requirements: either there is an adequacy decision by the EU Commission, or appropriate safeguards must be provided (for example, standard contractual clauses). Since 2023, an adequacy framework (EU–US Data Privacy Framework) applies again for the USA, but only for certified companies; for other scenarios, additional safeguards are needed. For users, it remains relevant that consent can effectively cover such transfers – and that the actual level of protection varies greatly depending on the recipient and legal framework.

What This Click Means in Practice

The text shows how many purposes and actors can converge in a single “Accept and continue”: device-related access (cookies, identifiers), profiling, personalized advertising, measurement, integration of external platforms, and potential data flows to third countries. This is precisely the significance: a button reduces complexity for the interface – but not for data processing.

For users, the central question remains whether they can really understand and consciously control this bundling. Because the more comprehensive the consent is formulated and the more third parties are involved, the less the click corresponds to a clearly defined decision – and the more it becomes a blanket release for an entire tracking and service network.

Frequently Asked Questions

Published: