How German Cookie Law Works: TTDSG and DSGVO

Germany does not rely on a single statute for cookie regulation. Two laws operate in tandem: the Telekommunikation-Telemedien-Datenschutz-Gesetz (TTDSG, renamed TDDDG in 2024) and the Datenschutz-Grundverordnung (DSGVO), which is the German implementation of the EU General Data Protection Regulation.

Section 25 of the TTDSG transposes Article 5(3) of the ePrivacy Directive into German law. It governs the act of storing or reading information on a user's device - cookies, local storage, fingerprinting scripts, and similar technologies. The DSGVO then applies to any personal data collected through those technologies.

The practical effect: you need a legal basis twice. Section 25 TTDSG covers the placement of the cookie. The DSGVO covers what you do with the data it collects.

Section 25 TTDSG: The Core Consent Rule

Section 25(1) TTDSG states that storing information on, or retrieving information from, an end user's terminal equipment is only permitted with that user's consent. Consent must meet the standard set out in Article 7 DSGVO: freely given, specific, informed, and unambiguous.

Section 25(2) provides a narrow exemption. Cookies are allowed without consent only when they are strictly necessary to provide a service explicitly requested by the user. A session cookie that keeps a shopping cart alive qualifies. An analytics cookie like _ga or a marketing pixel like _fbp does not.

The exemption mirrors the ePrivacy Directive almost word for word. German courts and regulators interpret it strictly.

The Planet49 Ruling and Its Impact

The landmark CJEU judgment in Case C-673/17 (Planet49) originated from a German referral. In October 2019, the Court of Justice ruled that pre-ticked checkboxes do not constitute valid consent for cookies - regardless of whether the cookies process personal data. The German Federal Court of Justice (BGH) confirmed this in its own follow-up decision in May 2020.

Planet49 settled a long-standing ambiguity in German law. Before the ruling, some operators relied on implied consent or browser settings as a legal basis. That argument is now closed.

The BGH decision also clarified that cookie consent requirements apply to all types of stored information, not just personal data. If your site drops a tracking identifier onto a visitor's device, you need opt-in consent regardless of how you classify the data downstream.

Who Enforces Cookie Rules in Germany

Germany's enforcement landscape is unusually fragmented. Two tiers of authority oversee compliance.

The Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) is the federal data protection commissioner. The BfDI has direct supervisory powers over federal public bodies and telecommunications providers. For cookie-related TTDSG violations, the BfDI shares jurisdiction with the Bundesnetzagentur (Federal Network Agency).

At the state level, 16 independent Landesdatenschutzbehörden (state data protection authorities) enforce the DSGVO for private-sector organisations. Each German state - from Bavaria's BayLDA to Hamburg's HmbBfDI - runs its own supervisory body. The Datenschutzkonferenz (DSK), a coordinating body of all federal and state authorities, publishes joint guidance to reduce inconsistency.

| Authority | Scope | Law Enforced | Max Fine |
|---|---|---|---|
| BfDI / Bundesnetzagentur | Telecom providers, federal bodies | TTDSG Section 25 | EUR 300,000 |
| 16 State DPAs (LfDI/LDA) | Private-sector organisations | DSGVO | EUR 20 million or 4% global turnover |
| DSK (coordinating body) | Joint guidance, no direct fining power | TTDSG + DSGVO | N/A |

Consent Management Ordinance (EinwV) from April 2025

On 24 November 2024, the Bundesrat approved the Einwilligungsverwaltungsverordnung (EinwV), a new ordinance under Section 26 TTDSG. It took effect on 1 April 2025.

The EinwV introduces a framework for recognised consent management services. The idea: a user sets cookie preferences once through an accredited service, and those preferences are transmitted automatically to every participating website. The goal is to reduce so-called "cookie fatigue" - the endless repetition of cookie banners across different sites.

Participation is voluntary. No website is required to integrate a recognised consent management service. But the ordinance signals Germany's regulatory direction: standardised, user-centric consent flows.

What Your Cookie Banner Must Include

The DSK published detailed guidance on cookie banners (Orientierungshilfe für Anbieter von Telemedien). Combined with TTDSG and DSGVO requirements, your banner must meet these criteria:

  • An Accept button and a Reject button of equal visual prominence on the first layer

  • Clear information about which cookie categories are used and why

  • Granular controls allowing users to consent to individual categories (analytics, marketing, functional) rather than only an all-or-nothing choice

  • No pre-ticked checkboxes for non-essential cookies

  • A link to your full cookie policy with details on each cookie, its provider, purpose, and retention period

  • An accessible method to withdraw consent at any time - just as easy as granting it

Reject buttons hidden behind a "Manage Preferences" link, or styled in a less visible colour, risk being treated as a dark pattern. German state DPAs have explicitly warned against such designs.

TTDSG Fines and DSGVO Penalties

TTDSG violations under Section 25 carry a maximum fine of EUR 300,000. This applies specifically to the act of placing or reading cookies without valid consent.

DSGVO violations - such as processing personal data collected through cookies without a legal basis - attract fines up to EUR 20 million or 4% of global annual turnover, whichever is higher. German DPAs have issued substantial DSGVO fines. In 2019, the Berlin DPA fined Deutsche Wohnen EUR 14.5 million (later reduced on appeal) for data retention violations. Cookie-specific enforcement often takes the form of warnings and orders rather than headline fines, but the legal ceiling remains high.

The BfDI has emphasised verifiability (Nachweisbarkeit) as a core expectation. You must be able to demonstrate that consent was obtained, when it was given, and what the user agreed to. Consent logs are not optional.

Compliance Checklist for German Cookie Rules

Use this checklist to audit your site against TTDSG and DSGVO requirements.

  1. Scan your website - identify every cookie and tracking technology. Tools like the Kukie.io cookie scanner detect cookies automatically, including third-party scripts.

  2. Classify each cookie - strictly necessary (PHPSESSID, pll_language), analytics (_ga, _gid), marketing (_fbp, _gcl_au), or functional.

  3. Block non-essential cookies before consent - no analytics or marketing cookies may fire until the user opts in. Use Google Consent Mode v2 for GA4 and Google Ads.

  4. Build a compliant banner - equal Accept and Reject buttons, granular category toggles, no pre-ticked boxes, and clear information on each category.

  5. Store consent records - log the timestamp, consent choices, and banner version for each visitor. Retain these records for the duration required by your DPA.

  6. Allow easy withdrawal - a persistent link in your footer or privacy centre that lets visitors change their preferences without navigating away.

  7. Apply geo-detection - if you serve visitors in Germany alongside other countries, configure your banner to apply TTDSG rules specifically for German users.

  8. Review quarterly - re-scan your site to catch new cookies introduced by third-party scripts or CMS updates.
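Checklist steps 2, 3 and 5, together with the verifiability expectation described earlier, can be expressed as a small consent gate. This is an added example, not code from Kukie.io or any regulator: the function names, the banner version label, the visitor identifier and the mapping of categories to Google Consent Mode v2 signals are assumptions made for illustration.

```javascript
// Added example. Category map built from the cookie names listed on this page;
// any other name is "unclassified" and stays blocked until someone reviews it.
const CATEGORY_BY_NAME = {
  PHPSESSID: "necessary", pll_language: "necessary",
  _ga: "analytics", _gid: "analytics",
  _fbp: "marketing", _gcl_au: "marketing",
};
const BANNER_VERSION = "banner-v1"; // hypothetical version label

function classify(name) {
  const known = Object.prototype.hasOwnProperty.call(CATEGORY_BY_NAME, name);
  return known ? CATEGORY_BY_NAME[name] : "unclassified";
}

// Opt-in only: every non-essential category starts false (nothing pre-ticked).
function defaultConsent() {
  return { analytics: false, marketing: false, functional: false };
}

function maySet(name, consent) {
  const category = classify(name);
  if (category === "necessary") return true; // Section 25(2) exemption
  return category !== "unclassified" && consent[category] === true;
}

// Split the cookies a page wants to set into allowed and blocked.
function gate(requested, consent) {
  const allowed = [], blocked = [];
  for (const name of requested) (maySet(name, consent) ? allowed : blocked).push(name);
  return { allowed, blocked };
}

// Assumed mapping of the categories to Consent Mode v2 signals for gtag('consent', ...).
function toConsentMode(consent) {
  const s = (ok) => (ok === true ? "granted" : "denied");
  return { analytics_storage: s(consent.analytics), ad_storage: s(consent.marketing),
           ad_user_data: s(consent.marketing), ad_personalization: s(consent.marketing) };
}

// Consent record carrying the fields from checklist step 5.
function consentRecord(visitorId, consent, now = new Date()) {
  return Object.freeze({
    visitorId, // hypothetical pseudonymous identifier
    timestamp: now.toISOString(),
    bannerVersion: BANNER_VERSION,
    choices: Object.freeze({ ...consent }),
  });
}
```

Running `gate` again after a visitor withdraws consent yields, in `blocked`, the cookies that should be deleted from the device.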

How TTDSG Relates to the EU ePrivacy Framework

The TTDSG is Germany's national transposition of Article 5(3) of the ePrivacy Directive (2002/58/EC). Every EU member state has its own version: France has CNIL guidelines, Italy follows the Garante's cookie rules, and the Netherlands applies AP guidance. The core obligation - opt-in consent for non-essential cookies - is the same across borders, but enforcement intensity and specific guidance vary by country.

For a broader comparison, see the cookie consent laws by country overview.

Frequently Asked Questions

Do I need cookie consent for a German website?

Yes. Section 25 TTDSG requires opt-in consent before placing any non-essential cookies on a visitor's device. Only strictly necessary cookies, such as session identifiers, are exempt.

What is the TTDSG and how does it relate to GDPR?

The TTDSG (now TDDDG) is Germany's national implementation of the EU ePrivacy Directive. It governs access to a user's device (cookies, local storage). The DSGVO (German GDPR) then applies to the processing of any personal data collected through those cookies. Both laws apply simultaneously.

What fines can German authorities impose for cookie violations?

TTDSG violations carry fines up to EUR 300,000. DSGVO violations related to unlawful data processing through cookies can result in fines up to EUR 20 million or 4% of annual global turnover.

Is a reject button required on cookie banners in Germany?

Yes. German DPA guidance (DSK Orientierungshilfe) requires a reject option that is equally prominent and accessible as the accept button on the first layer of the banner.

Does the Planet49 ruling affect my website?

If your site uses cookies in Germany, yes. The CJEU ruling in Planet49 (Case C-673/17) confirmed that pre-ticked checkboxes are not valid consent, and that opt-in consent is required for all non-essential cookies regardless of whether they process personal data.

What changed with the German Consent Management Ordinance in 2025?

The EinwV, effective from April 2025, introduced a voluntary framework for accredited consent management services. Users can set preferences once and have them applied across participating websites. Adoption is optional for site operators.

Take Control of Your Cookie Compliance

If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of German law.
