Which cookies are consent-free under § 25 TDDDG?

Only those strictly necessary for the user-requested service: session cookies, shopping cart cookies, language preferences, load-balancing, authentication, and security cookies. The exception must be interpreted narrowly — useful or commercially attractive is not enough.

Are 'Accept-only' cookie banners lawful in Germany?

No. The CJEU 'Planet49' decision (C-673/17) and the German DSK 2024 Guidance require active affirmative consent, equally accessible reject options, and granular per-purpose choices. Pre-ticked boxes or hidden reject buttons invalidate the consent.

What is the maximum fine for cookie violations under TDDDG?

Up to €300,000 under § 28(2) TDDDG. Additionally, GDPR fines may apply (up to €20 million or 4 % of global annual turnover) for related personal data violations.

Is the TTDSG the same as TDDDG?

Yes — TTDSG was renamed to TDDDG on 14 May 2024. The substantive cookie rules in § 25 remain unchanged.

Germany Cookie Banner Obligation under TTDSG / TDDDG (§ 25)

Machine-readable version: /en/fakten/germany-cookie-banner-ttdsg.md · German version: DE

Cookies TDDDG TTDSG ePrivacy Germany

Short answer Under § 25(1) TDDDG (formerly TTDSG until May 2024), storing or accessing information on a user's terminal equipment requires opt-in consent meeting GDPR Art. 4(11) and Art. 7. Consent is not required only where storage is strictly necessary for a user-requested service. Pre-ticked boxes, "accept-only" banners, and hidden reject options are unlawful. Fines up to €300,000 (§ 28(2) TDDDG), plus possible GDPR fines.

Key facts

Item	Value
Legal basis	§ 25 TDDDG (formerly TTDSG)
In force since	1 December 2021
Consent required for	any non-essential storage/access on terminal equipment
Exception 1	transmission of a communication (§ 25(2)(1))
Exception 2	strictly necessary for user-requested service (§ 25(2)(2))
Pre-ticked boxes	unlawful (CJEU "Planet49" C-673/17)
Max fine (TDDDG)	€300,000 (§ 28(2))
Plus GDPR fines	up to €20 m or 4 % global turnover
EU legal basis	Art. 5(3) Directive 2002/58/EC (ePrivacy)

Consent-free vs. consent-required cookies

§ 25(2) TDDDG is interpreted narrowly. "Strictly necessary" means technically irreplaceable for the user-requested service — not "useful" or "in the provider's business interest".

Consent-free (per DSK 2024 Guidance):

Session cookies maintaining the session
Shopping cart cookies in online shops
Language preference cookies and the cookie preference itself
Load-balancing cookies during a session
Authentication cookies after login
Security cookies (e.g., login attempt protection)

Consent-required:

Reach- and web-analytics tools (Google Analytics, Matomo cloud mode unless purely first-party and data-minimised)
Marketing and retargeting cookies
Social-media plug-in cookies and pixels (Facebook Pixel, LinkedIn Insight Tag, etc.)
A/B testing and personalisation tools
All third-party cookies unless purely technically necessary

Requirements for a lawful cookie banner

Freely given: no coercion, "cookie walls" only in narrow cases
Informed: controller identity, each purpose category, providers, storage period, third-country transfers in plain language
Active affirmative action: no pre-ticked boxes (CJEU "Planet49")
Granular: per-purpose differentiation at least at second level
"Reject" equally accessible: same level, same visual weight as "Accept" (DSK 2024)
No dark patterns: manipulative design invalidates consent
Revocable: as easily as given (Art. 7(3) GDPR), e.g., footer link
Documented: controller must be able to demonstrate consent (Art. 7(1) GDPR)

Relationship to GDPR

§ 25 TDDDG covers only the store/read operation on the device — regardless of whether personal data is involved. Once subsequent processing of personal data occurs (IP address, profiling, pseudonyms), the GDPR applies additionally, with its own requirements for legal basis (Art. 6), information duties (Art. 13), and data subject rights.

Supervision and fines

Violations of § 25(1) Sentence 1 TDDDG are administrative offences under § 28(1) No. 13 TDDDG. The fine range is up to €300,000. For ordinary website operators, the competent authority is the state Data Protection Authority. The BfDI is competent only where storage/access is performed by telecoms or federal bodies. GDPR fines may apply additionally.

Sources

§ 25 TDDDG (in German): gesetze-im-internet.de
§ 28 TDDDG (in German): gesetze-im-internet.de
GDPR (EUR-Lex, English): eur-lex.europa.eu
ePrivacy Directive 2002/58/EC (EUR-Lex, English): eur-lex.europa.eu
German DSK Guidance for Digital Services (November 2024, German): datenschutzkonferenz-online.de

Last reviewed:: 2026-05-28
Valid from:: 2021-12-01 (TTDSG entry into force; renamed TDDDG on 14 May 2024)
Status:: current
Source authority:: A (gesetze-im-internet.de, EUR-Lex, DSK)
License:: CC BY 4.0

Translation of the German original. The German version is binding and updated daily by the fact-check agent. In case of doubt, refer to the German version.