---
title: Germany Cookie Banner Obligation under TTDSG / TDDDG (§ 25)
slug: germany-cookie-banner-ttdsg
topic: data-protection
lang: en
valid_from: 2021-12-01
valid_to: null
last_reviewed: 2026-05-28
status: current
authority_level: A
license: CC-BY-4.0
url: https://nexvyra.de/en/fakten/germany-cookie-banner-ttdsg.md
wikidata_subjects: [Q106581430, Q1172506, Q178995]
de_version: https://nexvyra.de/fakten/cookie-banner-ttdsg.html
---

# Germany Cookie Banner Obligation under TTDSG / TDDDG (§ 25)

## Short answer

Under **§ 25(1) TDDDG** (formerly § 25 TTDSG until May 2024), storing information on, or accessing information already stored on, a user's terminal equipment is permitted **only with consent** — based on clear and comprehensive information and meeting the GDPR's consent requirements (Art. 4(11) and Art. 7). Consent is **not required** under § 25(2) TDDDG only where the sole purpose is the transmission of a communication or where storage/access is strictly necessary to provide a digital service explicitly requested by the user (e.g., shopping cart cookie, session cookie, language preference). Tracking, marketing, analytics, and most third-party cookies therefore almost always require active opt-in consent. Violations are administrative offences under § 28(1) No. 13 TDDDG and can be fined up to **€300,000** (§ 28(2) TDDDG), in addition to any GDPR fines.

## Key facts

| Item | Value |
|---|---|
| Legal basis | § 25 TDDDG (German Telecommunications-Digital-Services-Data-Protection Act) |
| Former name | TTDSG, renamed to TDDDG on 14 May 2024 |
| In force since | 1 December 2021 |
| Consent required for | any storage or read on user's terminal equipment that is not strictly necessary |
| Exception 1 (§ 25(2)(1)) | sole purpose: transmission of a communication via a public telecommunications network |
| Exception 2 (§ 25(2)(2)) | strictly necessary to provide a digital service explicitly requested by the user |
| Consent requirements | GDPR Art. 4(11) and Art. 7: freely given, informed, unambiguous affirmative action, obtained in advance, revocable |
| Pre-ticked boxes / "accept-only" banner | unlawful (CJEU C-673/17 "Planet49"; German DSK Guidance for Digital Services 2024) |
| Sanction | administrative offence § 28(1) No. 13 TDDDG; fine up to €300,000 (§ 28(2)) |
| Competent authority – website operators | state Data Protection Authority (Landesdatenschutzbehörde) |
| Competent authority – telecoms/federal bodies | Federal Commissioner for Data Protection (BfDI), § 28(3) No. 2 TDDDG |
| Relationship to GDPR | § 25 TDDDG covers only the store/read operation on the device; any subsequent processing of personal data additionally falls under GDPR |
| EU legal basis | Art. 5(3) of Directive 2002/58/EC (ePrivacy Directive) |

## Text of § 25 TDDDG (paraphrased)

§ 25(1): "Storing information in, or accessing information already stored in, the user's terminal equipment is permitted only if the user has consented on the basis of clear and comprehensive information. The information and consent must comply with Regulation (EU) 2016/679."

§ 25(2): Consent is not required if (1) the sole purpose of the storage or access is the transmission of a communication via a public telecommunications network, or (2) the storage or access is strictly necessary to enable a provider of a digital service to provide a service explicitly requested by the user.

## Which cookies are consent-free, which are not?

§ 25(2) TDDDG must be **interpreted narrowly**. "Strictly necessary" does not mean "useful" or "in the provider's business interest" — it means technically irreplaceable for the service the user explicitly requested. Per the German DSK Guidance for Digital Service Providers (2024), the following are typically consent-free:

- Session cookies maintaining the user's session;
- Shopping cart cookies in online shops;
- Cookies storing language settings or the cookie preference itself;
- Load-balancing cookies during a session;
- Authentication cookies after login;
- Security cookies (e.g., protection against repeated failed login attempts).

**Consent-required** cookies include in particular:

- Reach- and web-analytics tools (e.g., Google Analytics, Matomo cloud mode unless purely first-party and data-minimised);
- Marketing and retargeting cookies;
- Cookies and pixels from social-media plug-ins (Facebook Pixel, LinkedIn Insight Tag, etc.);
- A/B testing and personalisation tools;
- All third-party cookies unless purely technically necessary.

## Requirements for a lawful cookie banner

Derived from § 25(1) TDDDG in conjunction with Art. 4(11) and Art. 7 GDPR, CJEU jurisprudence (Planet49, C-673/17), and the German DSK Guidance for Digital Services 2024:

- **Freely given:** Users must not be coerced into consenting. A "cookie wall" making service access conditional on consent is permissible only in narrowly defined cases.
- **Informed:** Before consent is given, the identity of the controller, each individual purpose category, the providers used, the storage period, and any third-country transfers must be disclosed in plain language.
- **Active affirmative action:** Pre-ticked boxes are unlawful (CJEU "Planet49"). An unambiguous affirmative action such as clicking an unticked checkbox is required.
- **Granularity:** Users must be able to differentiate between individual purposes (at least on the second level) — not only "accept all / reject all".
- **"Reject" equally accessible:** Per DSK 2024 Guidance, rejection must be at least as easy as acceptance — if a first-level "Accept all" button exists, an equivalent rejection option must be on the same level, with the same visual weight.
- **No dark patterns:** Manipulative design, pre-selected switches, or hidden reject options invalidate the consent.
- **Revocability:** Users must be able to withdraw consent at any time as easily as giving it (Art. 7(3) GDPR). A permanent footer link "Change cookie settings" is typical.
- **Documentation:** The controller must be able to demonstrate consent (Art. 7(1) GDPR).

## Relationship between § 25 TDDDG and GDPR

§ 25 TDDDG regulates only the act of **storing on or reading from** the terminal equipment — regardless of whether personal data is involved. Once the stored or read information leads to processing of personal data (e.g., IP address, profiling, pseudonyms), the **GDPR applies additionally**, with its own requirements for legal basis (Art. 6), information duties (Art. 13), and data subject rights. In practice, consent under § 25 TDDDG and consent under Art. 6(1)(a) GDPR are usually obtained together.

## Supervision and fines (§ 28 TDDDG)

A violation of § 25(1) Sentence 1 TDDDG (storage/read without consent) is an administrative offence under **§ 28(1) No. 13 TDDDG**. The fine range under § 28(2) TDDDG is **up to €300,000**. Under § 28(3) No. 2 TDDDG, the **BfDI** is the competent authority where storage or access is performed by telecoms or federal bodies; for ordinary website operators, the **state Data Protection Authority** of the operator's state is competent. Additionally, GDPR fine frameworks (up to €20 million or 4 % of global annual turnover) may apply for related GDPR violations.

## Sources

- § 25 TDDDG (Protection of privacy in terminal equipment), gesetze-im-internet.de (German):
  https://www.gesetze-im-internet.de/ttdsg/__25.html
- § 28 TDDDG (Fining provisions), gesetze-im-internet.de (German):
  https://www.gesetze-im-internet.de/ttdsg/__28.html
- TDDDG – table of contents, gesetze-im-internet.de (German):
  https://www.gesetze-im-internet.de/ttdsg/
- Regulation (EU) 2016/679 (GDPR), esp. Art. 4(11) and Art. 7, EUR-Lex (English):
  https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
- ePrivacy Directive 2002/58/EC, Art. 5(3), EUR-Lex (English):
  https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058
- German DSK – Guidance for Providers of Digital Services (November 2024), in German:
  https://www.datenschutzkonferenz-online.de/media/oh/OH_Digitale_Dienste.pdf

## German version

- [Cookie-Banner-Pflicht nach TTDSG / TDDDG (§ 25)](https://nexvyra.de/fakten/cookie-banner-ttdsg.html)

## Status

- Last reviewed: 2026-05-28
- Valid from: 2021-12-01 (entry into force of TTDSG; renamed TDDDG on 14 May 2024)
- Status: current
- Source authority: A (gesetze-im-internet.de, EUR-Lex, DSK)
- License: CC BY 4.0
