Quick answer: Yes, a cookie banner is mandatory in Germany if your website uses non-essential cookies. This applies to virtually every site running Google Analytics, marketing pixels, or social media embeds. Here's exactly what you need to know about Germany's TTDSG and GDPR cookie requirements.
The Legal Framework: GDPR, TTDSG, and ePrivacy
Cookie consent obligations in Germany arise from the interplay of three laws:
| Law | What It Regulates | Cookie Relevance |
|---|---|---|
| GDPR (EU) | Processing of personal data | Legal basis for data processing, consent requirements |
| TTDSG (§ 25) | Access to terminal equipment | Consent for cookies and similar technologies |
| ePrivacy Directive (EU) | Confidentiality of electronic communications | Foundation for national cookie laws like the TTDSG |
Since December 1, 2021, Germany's Telecommunications Telemedia Data Protection Act (TTDSG) is in force. § 25 TTDSG states: Storing information on the user's device (= setting cookies) or accessing already stored information (= reading cookies) generally requires the user's consent.
When Is a Cookie Banner Required?
The answer depends on the type of cookies used:
| Cookie Type | Example | Consent Required? |
|---|---|---|
| Strictly necessary | Session ID, shopping cart, language setting | No |
| Analytics/Statistics | Google Analytics, Matomo (with cookies) | Yes |
| Marketing/Tracking | Facebook Pixel, Google Ads, Criteo | Yes |
| Personalization | A/B testing, content recommendations | Yes |
| Social Media | YouTube embed, Instagram feed, Like buttons | Yes |
Bottom line: If your website only uses strictly necessary cookies (which is rare), you theoretically don't need a cookie banner. But as soon as you use Google Analytics, social media plugins, or marketing tools, a cookie consent banner islegally required.
Mandatory Elements of a Cookie Banner
A legally compliant cookie banner in Germany must include:
- Clear information: Which cookies are used and for what purpose?
- Genuine choice: Equal buttons for "Accept" and "Reject"
- Granular settings: Option to select individual cookie categories
- Revocation: Ability to change or withdraw consent at any time
- Privacy policy link: Full information as required by Art. 13 GDPR
Common Cookie Banner Mistakes
Dark Patterns — Prohibited Design Tricks
German data protection authorities and the European Data Protection Board (EDPB) have issued clear guidelines against manipulative cookie banner designs:
| Dark Pattern | Description | Illegal? |
|---|---|---|
| Color contrast | "Accept" in bright green, "Reject" in light gray | Yes |
| Hidden rejection | Reject only via "Settings" → sub-page | Yes |
| Cookie wall | Website only usable after clicking "Accept" | Yes |
| Nudging | "Are you sure?" dialog when rejecting | Yes |
| Pre-checked boxes | Cookie categories already enabled | Yes (since BGH Planet49 ruling) |
Technical Mistakes
- Cookies before consent: Tracking cookies set before the user clicks "Accept"
- Banner bypass: Trackers load despite rejection
- Missing documentation: No logging of consent records
- Consent expiration: Consent not periodically renewed (recommendation: every 12 months)
Key Rulings and Enforcement
| Year | Authority/Court | Decision | Fine |
|---|---|---|---|
| 2020 | BGH (Federal Court) | Planet49: Pre-checked checkboxes are not valid consent | — |
| 2022 | LG Munich I | Google Fonts via CDN = GDPR violation | €100/view |
| 2022 | DSK | Guidance on telemedia: Clear cookie banner requirements | — |
| 2023 | Noyb | Mass complaints against cookie banners on German sites | Ongoing |
| 2024 | BfDI | Increased enforcement at federal agencies | Ongoing |
Recommended Cookie Banner Solutions
| Solution | Type | Google Consent Mode v2 | Price |
|---|---|---|---|
| Cookiebot | Cloud (SaaS) | Yes | from €9/month |
| Usercentrics | Cloud (SaaS) | Yes | from €49/month |
| Borlabs Cookie | WordPress Plugin | Yes | from €39/year |
| Klaro! | Open Source (Self-hosted) | Manual | Free |
| CIVIC Cookie Control | Cloud/Self-hosted | Manual | from £39/year |
Checklist: GDPR-Compliant Cookie Banner
- Equal buttons for "Accept" and "Reject" — same size, same contrast
- No pre-checked checkboxes
- No cookies set before consent
- Individual cookie categories selectable
- Revocation option permanently accessible
- Link to privacy policy in the banner
- Consent records documented and stored
- Google Consent Mode v2 implemented (for Google services)
- Cookie banner tested regularly — especially after CMS updates
- Run a free GDPR scan with PrivacyChecker
Frequently Asked Questions
Do I need a cookie banner if I don't set any cookies?
If your website truly sets no cookies and uses no similar tracking technologies (fingerprinting, localStorage for tracking), then no. But this is extremely rare in practice. Even embedded YouTube videos or social media buttons set cookies.
Is a simple "This website uses cookies" notice enough?
No. Since the German Federal Court's Planet49 ruling (2020), it is clear: A simple notice without a genuine choice is not valid consent. Users must be able to actively accept or reject cookies.
What is the difference between GDPR and TTDSG for cookies?
The TTDSG (§ 25) governs the technical access to the user's device (setting/reading cookies). The GDPR governs the subsequent processing of personal data collected via those cookies. In practice, both laws must be complied with simultaneously.