
GDPR Cookie Compliance in Germany (2026 Guide)

7 min read | Updated 6 May 2026

Germany has the strictest cookie compliance requirements in the EU. While GDPR provides the baseline, German courts have consistently ruled that consent must be obtained before analytics cookies are set — even where other EU countries take a more permissive approach. If you have German users, you need to meet German standards.


The Legal Framework: GDPR + TTDSG

Cookie compliance in Germany is governed by two laws:

GDPR (EU-wide) — applies to cookies that process personal data. Sets the rules for consent, lawful basis, and data subject rights.

TTDSG (Telekommunikation-Telemedien-Datenschutz-Gesetz) — the German law transposing the ePrivacy Directive. Applies to storing information on or accessing information from terminal equipment. Sets the rule: cookies that are not strictly necessary require consent.

The TTDSG applies to all cookie access on devices used in Germany — it does not require personal data processing for the rule to kick in. Even a cookie that does not contain personal data requires consent if it is not strictly necessary for the service.


Which Cookies Require Consent

| Cookie type | Example | Consent required (Germany)? |
|---|---|---|
| Strictly necessary | Session cookies, authentication, shopping cart | No |
| Functional | Language preference, user interface settings | Depends — if optional to core service: Yes |
| Analytics | Google Analytics, Matomo, Mixpanel | Yes — even first-party analytics |
| Marketing/advertising | Facebook Pixel, Google Ads | Yes |
| A/B testing | Optimizely, VWO | Yes |
| Chatbot | Intercom, Drift | Yes — if setting non-essential cookies |
| Social media widgets | LinkedIn share buttons, Twitter embeds | Yes — loading these fires third-party cookies |

Key German rule: Analytics cookies are not strictly necessary. German courts have consistently held that website analytics require opt-in consent — even where the analytics are claimed to serve legitimate interests.


What Valid Consent Looks Like in Germany

The German supervisory authorities (DSK — the conference of data protection authorities) have published detailed guidance. Valid consent must be:

Freely Given

  • The user must have a genuine choice. Denying access to the website unless consent is given is not freely given consent.
  • There must be no significant disadvantage for refusing.
  • Accept/reject options must be equally prominent — "accept all" and "reject all" must have the same visual weight and position.

Specific

  • Consent must be granted for specific purposes, not for "cookies" in general.
  • Each category of cookies must be individually selectable.

Informed

  • Users must know what they are consenting to before consenting.
  • Cookie categories must be described in plain language.
  • Third-party processors receiving data from cookies must be disclosed.

Unambiguous Active Action

  • Pre-ticked boxes are not valid.
  • Continuing to browse the website is not consent.
  • A clear affirmative action (clicking "Accept") is required.

Documented

  • You must keep records of what consent was given, when, and by whom.

Cookie Banner Requirements

Based on German court decisions (including the landmark BGH "Cookie II" ruling and subsequent Landgericht and OLG decisions), a compliant German cookie banner must:

Layer 1 (the banner):

  • Present a brief explanation of cookie use
  • Offer a clearly visible "Accept All" button
  • Offer a clearly visible "Reject All" button (or "Only essential cookies") with equal prominence to the accept button
  • Link to "Cookie Settings" for granular control
  • Not use dark patterns (small reject text, grey reject buttons, hidden reject options)

Layer 2 (settings):

  • List all cookie categories with explanations
  • Allow granular consent per category
  • Allow users to change settings at any time

Rejected by German courts:

  • "Accept" and "More options" (no equivalent reject button on layer 1)
  • "Accept" and a small text link to "decline"
  • Nudging users toward acceptance through design (coloured accept button, grey reject)
  • Consent walls (no access without consent)

Google Analytics and German DPAs

German data protection authorities have historically scrutinised Google Analytics specifically. The Bavarian DPA (BayLfD) and others have issued guidance that Google Analytics — as a transfer of personal data to the US — requires:

  1. Valid opt-in consent before the Google Analytics script loads
  2. IP anonymisation at minimum (enabled in GA4 by default)
  3. A Transfer Impact Assessment for the US transfer
  4. An updated privacy notice disclosing the Google Analytics use and US transfer

Google Analytics 4 (GA4) has improved compliance features including configurable data retention and IP anonymisation. But none of these features remove the need for prior consent in Germany.

If you want analytics without consent requirements, consider server-side analytics (where no cookie is set on the user's device) or privacy-first analytics tools like Plausible, Fathom, or Matomo configured in cookieless mode.


Consent Management Platforms (CMPs)

A Consent Management Platform is the technical implementation of a cookie consent mechanism. Popular options include:

  • Usercentrics (German company — well-calibrated to German requirements)
  • OneTrust
  • Cookiebot
  • Osano

CMPs certified by the IAB TCF (Transparency and Consent Framework) are commonly used for advertising consent, but TCF compliance does not automatically satisfy German DPA requirements — especially the equal prominence requirement for reject options.

What to check before selecting a CMP:

  • Does it provide an equal-prominence reject option on layer 1?
  • Does it block third-party scripts until consent is given?
  • Does it maintain consent records with timestamps?
  • Is it configurable for German-specific requirements without relying on defaults?

Practical Steps for Germany Compliance

  • Audit all cookies on your website using a browser developer tool or cookie audit tool
  • Categorise every cookie — strictly necessary, functional, analytics, marketing
  • Implement a CMP that blocks non-essential cookies until consent is obtained
  • Ensure the reject option is equal in visual weight and placement to the accept option
  • Block analytics and advertising scripts from loading before consent
  • Record consent — store what was consented to, when, and the consent version
  • Update your privacy notice to disclose all cookies, their purpose, and any US transfers
  • Review third-party widgets (chat, social share, embedded videos) — these load third-party cookies
  • Test the full consent flow — including rejecting all cookies — to confirm no scripts fire
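
The blocking and record-keeping steps above can be sketched as a small consent gate. This is an added example, not code from this guide or from any CMP; `createConsentGate`, the script registry, the URLs and `POLICY_VERSION` are hypothetical names and constructed sample values.

```javascript
// Added example: hypothetical consent gate, not the API of any real CMP.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const POLICY_VERSION = "banner-v1-constructed"; // constructed placeholder

// Constructed registry: every script on the site is mapped to one category.
const SCRIPTS = [
  { src: "/js/cart.js", category: "necessary" },
  { src: "https://analytics.example/tag.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];

// loadScript is injected: in a browser it would append a <script> element.
function createConsentGate(loadScript, now = () => new Date()) {
  const records = []; // append-only log: what, when, by whom, which version
  const loaded = new Set();

  function apply() {
    const last = records[records.length - 1];
    const granted = last ? last.granted : { necessary: true }; // no choice yet
    for (const s of SCRIPTS) {
      if (granted[s.category] === true && !loaded.has(s.src)) {
        loaded.add(s.src);
        loadScript(s.src);
      }
    }
  }

  // Store an explicit user action. Only a literal `true` opts a category in,
  // so missing or merely truthy values never count as consent.
  function record(consentId, action, choices = {}) {
    if (!["accept_all", "reject_all", "custom"].includes(action)) {
      throw new Error("unknown consent action: " + action);
    }
    const granted = {};
    for (const c of CATEGORIES) {
      granted[c] = c === "necessary" || action === "accept_all" ||
        (action === "custom" && choices[c] === true);
    }
    const entry = Object.freeze({ consentId, action, granted,
      policyVersion: POLICY_VERSION, timestamp: now().toISOString() });
    records.push(entry);
    apply();
    return entry;
  }

  apply(); // first page load: strictly necessary scripts only
  return { record, records, loaded };
}
```

A script that has already been loaded cannot be unloaded, so a later "reject all" only takes effect for scripts not yet loaded and for subsequent page loads.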

Fines and Enforcement

German DPAs have issued significant fines for cookie non-compliance. The Hamburg DPA fined a German company €900,000 for operating a cookie consent mechanism that did not provide a genuine reject option. The LfDI Baden-Württemberg has investigated numerous companies for cookie walls and pre-ticked boxes.

Cookie cases in Germany are frequently initiated by data subject complaints, not just by authority investigations. Privacy-focused users and competitors have used cookie violations as grounds for unfair competition claims under the German UWG (unfair competition law), adding a civil liability dimension beyond GDPR fines.
