
Is SSL mandatory for contact forms? How a US initiative creates more legal certainty

The non-profit Let's Encrypt initiative from San Francisco has been offering free SSL certificates since May of this year. According to its own statements, the aim is to democratize the Internet and make it more secure. The Americans are thus ensuring greater legal certainty in Germany. For example, when it comes to the question of whether SSL is mandatory for a contact form.

HTTPS is set to become the new standard on the Internet. At least if the US Internet Security Research Group has its way. With the Let's Encrypt project, the group wants to provide every website operator worldwide with a free SSL certificate. Regardless of their origin or ability to pay.

German website operators in particular can benefit from this noble idea. Thanks to sponsors such as Facebook, Mozilla and Linux, Let's Encrypt certificates enjoy a high level of trustworthiness. And the free SSL is technically no different from the paid version.

This means that operators of smaller blogs or company websites can also enjoy the benefits of HTTPS: more speed thanks to HTTP/2, more data security and, above all, more legal certainty. Or rather, less legal uncertainty, because until now bloggers and operators of smaller sites in particular have been faced with the question of whether SSL is mandatory for a contact form, for example, and whether there is a risk of a warning.

Is SSL encryption mandatory?

Securing sensitive data has been mandatory in Germany for years, at least in theory. According to §13 of the Telemedia Act:

"Service providers [...], insofar as this is technically possible and economically reasonable, shall, within the scope of their respective responsibility for commercially offered telemedia, take technical and organizational precautions to ensure that [...] the technical facilities used [...] are secured against breaches of the protection of personal data [...]"
- Telemedia Act §13

The unclear wording in particular has caused a great deal of uncertainty among German website operators: Is one's blog business-like? When can it be classified as such? What is technically possible? What is economically reasonable? These and other questions have been discussed at great length in some cases. Without a clear result.

However, the tenor seems to be: SSL encryption is not mandatory. But securing the data is. This does not have to be done via an SSL certificate. However, encrypting communication between the browser and web server is a very good way of protecting the sensitive data of website visitors.
The unclear legal formulations are compounded by the lack of precedents.

The risk of warnings should be quite low

This also has to do with problems on the part of the authorities: the supervisory authorities usually do not have the resources to systematically scan all websites in their jurisdiction for infringements. The risk of actually being warned is therefore likely to be quite low. But you can't be sure about this.

As a website operator, you can now protect yourself effectively and, above all, easily against all these imponderables and legal gray areas. This is because the free SSL certificates from Let's Encrypt have put the German hosting landscape under pressure. As a result, hosting companies have created several opportunities to obtain free SSL certificates.

Theoretically, anyone can obtain a free SSL certificate today

At least the customers of the large and specialized German providers no longer have to pay for simple SSL certificates. This is because providers have responded to the free SSL from America with at least three different approaches:

  • Full integration of Let's Encrypt: A few hosters have fully integrated the certificates from San Francisco into their offering. With Raidboxes, for example, you can set up SSL with just one click.
  • Partial integration of Let's Encrypt: Other hosting companies have taken Let's Encrypt into account and allow the installation. In some cases, the Let's Encrypt option depends on the hosting plan. However, the free SSL has not been integrated into the hosting user interface here. Users must take action themselves and set up their free SSL certificate using the Certbot software.
  • Bypassing Let's Encrypt: Large hosters such as 1und1 or Mittwald in particular have decided against integrating Let's Encrypt certificates altogether. Instead, they offer free SSL certificates from their cooperation partners.

Conclusion: Fewer worries about legal uncertainty for German website operators

Whether you run a blog, a company website or a store: thanks to the current movements in the hosting market, free certificates are already available to many users today. These make it very easy to eliminate legal uncertainties surrounding the Telemedia Act and the obligations for website operators. Because regardless of whether the certificate is free or fee-based, sensitive data is reliably encrypted and thus protected against unauthorized access.
