Notes on Cookies
Mandatory information on cookies
Introduction
Cookie notices can now be found on almost every website. However, many operators do not implement them correctly, which can have legal consequences. The General Data Protection Regulation (GDPR) and the Telecommunications Digital Services Data Protection Act (TDDDG) regulate how and when users must be informed about cookies and asked for their consent. The most important requirements are discussed below.
The legal basis
- GDPR and the requirement for consent
The GDPR (Regulation (EU) 2016/679) regulates the protection of personal data in the EU. Article 6 (1) GDPR specifies various legal bases for the processing of personal data. For non-essential cookies, consent is primarily required in accordance with Art. 6 para. 1 lit. a GDPR. According to Recital 32 GDPR, this consent must be ‘freely given, informed, unambiguous and by a clear affirmative action’. A pre-ticked checkbox or simply continuing to surf the website is not sufficient.
- TDDDG as a supplementary regulation
Since 1 December 2021, the TTDSG has regulated the use of cookies in Germany. Since the Digital Services Act (DDG) came into force on 14 May 2024, the TTDSG has been called the Telecommunications Digital Services Data Protection Act (TDDDG). Section 25 TDDDG states that access to information in the user’s terminal device – i.e. the setting of cookies – is generally only permitted with prior consent. An exception only applies to technically necessary cookies.
- EU law
The EU’s ePrivacy Directive (2002/58/EC), also known as the Cookie Directive, stipulates that information may only be stored or accessed on the user’s device with consent. As this directive does not apply directly in all EU member states, it had to be transposed into national law. In Germany, this was done through the TDDDG.
In future, the ePrivacy Regulation will replace the ePrivacy Directive. It will then apply directly in the member states.
Current case law
- ECJ judgement ‘Planet49’ (C-673/17, 2019)
One of the most important rulings on cookies was handed down by the European Court of Justice (ECJ) on 1 October 2019 in the ‘Planet49’ case. The ECJ clarified the following:
– Consent to cookies cannot be given by means of pre-ticked boxes.
– The user must actively consent (‘opt-in’).
– A real choice is required.
– Essential cookies may be set without consent, but all others (e.g. for tracking or advertising) require consent.
- BGH judgement on consent (I ZR 7/16, 2020)
On 28 May 2020, the German Federal Court of Justice (BGH) confirmed the ECJ ruling and stated that active consent is required for cookies. This means that ‘cookie banners’ that only contain information but do not offer a real choice are not lawful.
- Decision of the data protection authorities: Google Analytics & cookie banners
The German data protection authorities have repeatedly made it clear that the use of Google Analytics and similar tracking technologies without consent is illegal. In several cases, data protection authorities have imposed fines, for example against companies that used misleading cookie banners.
Requirements for a legally compliant cookie banner
Cookie banners must fulfil the following requirements:
- Real choice (so-called opt-in): The user must be able to ‘agree’ and ‘decline’ in equal measure. A design that favours consent (e.g. highlighted in colour) is problematic. This follows from the above-mentioned case law and Recital 32 GDPR.
- Informed consent: Users must be informed about the purpose and type of cookies before giving their consent. A privacy policy alone is not sufficient. This follows from Section 25 (1) TDDDG and Recital 32 GDPR.
- Technically necessary vs. optional cookies: Essential cookies (e.g. for the shopping basket in an online shop) may be set without consent; all others may not. This follows from Section 25 (2) TDDDG. What constitutes optional cookies is determined by the interpretation of this provision.
- Right to withdraw consent: Users must be able to easily withdraw their consent at any time, e.g. via a ‘cookie settings’ function. This results from Art. 6 para. 1 lit. a and Art. 7 GDPR in conjunction with Section 25 (1) TDDDG.
- No preset checkmarks: Consent must be actively given. This follows from the above-mentioned case law and Recital 32 GDPR.
Cookies that require consent
In principle, essential cookies (technically necessary) do not require consent.
All other cookies (e.g. for tracking, advertising, analyses) require the active consent of the user.
The guidelines for a user-friendly cookie banner design published on the website of the Federal Ministry for the Environment, Nature Conservation, Nuclear Safety and Consumer Protection are helpful for the design (https://www.bmvd.de/download/guidelines-fuer-eine nutzerfreundliche-Cookie-Banner-Gestaltung).
Examples of essential cookies (no consent required):
– Session cookies for shopping baskets
– Cookies for user authentication (e.g. login)
– Cookies for saving language settings
Examples of cookies requiring consent:
– Tracking cookies (Google Analytics, Facebook Pixel)
– Advertising cookies for personalised ads
– Cookies for A/B tests or heat maps
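The following JavaScript sketch is an added example, not code from the original page, that shows how the requirements above (opt-in by default, no pre-ticked consent, easy withdrawal) and the essential/optional distinction from the two lists can be enforced at the point where a site sets cookies. The cookie names, the category registry and the in-memory store are constructed for the demo; on a real site the store would wrap document.cookie and the consent record would be persisted.

```javascript
// Added example (not from the original page): a consent-gated cookie layer.
// Every cookie the site sets is classified up front; only "essential" cookies
// bypass consent, all other categories are blocked until the user opts in.

const OPTIONAL_CATEGORIES = ["analytics", "marketing"];

// Constructed registry of hypothetical cookie names and their categories.
const COOKIE_REGISTRY = {
  session_id: "essential",     // shopping basket / login session
  lang: "essential",           // saved language setting
  visitor_stats: "analytics",  // hypothetical analytics cookie
  ad_profile: "marketing",     // hypothetical advertising cookie
};

function createConsentManager(store = new Map()) {
  // null means "no decision yet": nothing optional is granted and the banner
  // is shown. Consent is only recorded by an explicit accept() call, never by
  // a default value or by the user continuing to browse.
  let consent = null;

  function bannerVisible() {
    return consent === null;
  }

  function accept(categories) {
    // Per-category grant; categories not listed stay denied, unknown ones are rejected.
    const granted = {};
    for (const c of OPTIONAL_CATEGORIES) granted[c] = false;
    for (const c of categories) {
      if (!OPTIONAL_CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
      granted[c] = true;
    }
    consent = { ...granted, decidedAt: Date.now() };
    // The consent record itself is needed to honour the decision, so it is stored unconditionally.
    store.set("cookie_consent", JSON.stringify(consent));
  }

  function declineAll() {
    accept([]); // an equally easy "decline" path, recorded like an accept
  }

  function allowed(name) {
    const category = COOKIE_REGISTRY[name];
    if (category === undefined) return false; // unregistered cookies are never set
    if (category === "essential") return true;
    return consent !== null && consent[category] === true;
  }

  function setCookie(name, value) {
    if (!allowed(name)) return false; // blocked: no consent for this category
    store.set(name, value);
    return true;
  }

  function withdraw() {
    // Withdrawal must be as easy as granting: record a decline for every optional
    // category and remove optional cookies that were set under the earlier consent.
    for (const [name, category] of Object.entries(COOKIE_REGISTRY)) {
      if (category !== "essential") store.delete(name);
    }
    declineAll();
  }

  return { bannerVisible, accept, declineAll, allowed, setCookie, withdraw, store };
}

// Stand-alone walk-through returning the observable decisions at each step.
function runDemo() {
  const m = createConsentManager();
  const beforeDecision = [m.setCookie("session_id", "s1"), m.setCookie("visitor_stats", "v1")];
  m.accept(["analytics"]);
  const afterAccept = [m.setCookie("visitor_stats", "v1"), m.setCookie("ad_profile", "a1")];
  m.withdraw();
  const afterWithdraw = [m.store.has("visitor_stats"), m.store.has("session_id")];
  return { beforeDecision, afterAccept, afterWithdraw };
}

console.log(JSON.stringify(runDemo()));
```

The design point is that gating happens in the one function that writes cookies, so a tracking script wired to `setCookie` cannot set its cookie before the user has acted; the banner state is derived from the consent record rather than the other way round.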
Conclusion
Website operators should ensure that their cookie banners comply with current requirements. Case law shows that violations can be penalised with fines. Those who implement GDPR-compliant cookie notices not only protect themselves from warnings, but also strengthen the trust of users.