
Cookie consent in Germany

Prior consent before any non-essential cookie — what Section 25 TDDDG actually demands of German websites.

In Germany, the rule that governs cookies and tracking is Section 25 of the Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TDDDG), which transposes Article 5(3) of the ePrivacy Directive and requires a website to obtain the user's prior consent before storing or accessing any information on their device — except where a cookie is strictly necessary for a service the user expressly requested. Once a cookie involves personal data, the GDPR and the Bundesdatenschutzgesetz (BDSG) apply on top, so consent must meet the full GDPR standard. Supervision sits not with the federal BfDI but with the competent Landesdatenschutzbehörde of the company's Bundesland, coordinated through the Datenschutzkonferenz (DSK), whose Orientierungshilfe for digital-service providers sets the practical benchmark German regulators audit against.

The law in Germany

Section 25 TDDDG requires prior consent before storing or accessing information on a user's device, i.e. before any non-essential cookie or tracker.

Applicable laws

  • Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TDDDG)
  • Bundesdatenschutzgesetz (BDSG)
  • Digitale-Dienste-Gesetz (DDG)

Supervisory authority

Landesdatenschutzbehörden

The competent Landesdatenschutzbeauftragte of the company's Bundesland (16 state DPAs)

www.datenschutzkonferenz-online.de

  • €300,000: Maximum fine for storing or accessing information in violation of Section 25 TDDDG. Source: TDDDG (Section 28 penalty provisions)
  • 350+ sites, 15 apps: Suspected of setting cookies without consent in the Bavarian DPA's 2024 sweep. Source: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), 9 Feb 2024
  • 16: Independent state data protection authorities enforcing the rules for the private sector. Source: Datenschutzkonferenz (DSK)
  • Nov 2024 (v1.2): Current DSK Orientierungshilfe for digital-service providers, the practical audit benchmark. Source: Datenschutzkonferenz, Orientierungshilfe digitale Dienste

What Germany requires for lawful consent

Prior consent before non-essential cookies

Under Section 25(1) TDDDG, no analytics, advertising, or other non-essential cookie or tracker may fire before the user has actively consented. Only strictly necessary cookies and those needed purely to transmit a communication are exempt under Section 25(2).

Reject must be as easy as accept

The DSK Orientierungshilfe and the VG Hannover ruling of 19 March 2025 require an equally prominent 'reject all' option on the first banner layer wherever an 'accept all' button exists. Burying rejection in a sub-menu is treated as invalid consent.

No nudging or dark patterns

The DSK states that consent is not freely given where rejecting takes more clicks or less visual prominence than accepting. Pre-ticked boxes, colour manipulation, and deceptive design invalidate consent.

Granular, informed purposes

The banner must give a clear overview of every processing operation requiring consent, naming relevant third parties and their functions, so users can consent specifically and on an informed basis to each purpose.

Proof and easy withdrawal

Controllers must be able to demonstrate that valid consent was obtained (GDPR Art. 7) and let users withdraw consent as easily as they gave it, for example via a persistent settings control.

One statute for the device, the GDPR for the data

German cookie compliance runs on two layers. Section 25 TDDDG governs the act of reading from or writing to a user's device — this is where 'prior consent' bites, and it applies regardless of whether the cookie contains personal data. Where the cookie does process personal data, which most analytics and advertising cookies do, the GDPR and BDSG apply in parallel, setting the standard the consent itself must meet: freely given, specific, informed, unambiguous, and revocable.

The practical consequence is that 'legitimate interest' is not available as a basis for setting non-essential cookies — Section 25 demands consent, full stop. The only carve-outs are cookies needed to transmit a communication or strictly necessary to deliver a service the user expressly asked for, such as a shopping-cart or login session cookie.

Who supervises you depends on your Bundesland

Germany has no single private-sector regulator. The federal BfDI supervises federal bodies and telecoms, but for an ordinary company the competent authority is the Landesdatenschutzbehörde of the state where the business is established — for example the BayLDA in Bavaria, the LfDI in Baden-Württemberg, or the Berlin BlnBDI. These sixteen authorities coordinate through the Datenschutzkonferenz (DSK).

The DSK's Orientierungshilfe für Anbieter digitaler Dienste, updated to version 1.2 in November 2024, is the document German regulators actually measure banners against. It alone does not create law, but it tells you precisely how the supervisory authorities read Section 25 and the GDPR together — making it the single most useful reference for getting a German cookie setup right.

Enforcement is active and increasingly automated

German DPAs are not waiting for complaints. In February 2024 the Bavarian authority (BayLDA) published the results of a large-scale, partly automated sweep and flagged at least 350 websites and 15 apps suspected of setting cookies without consent. The Verwaltungsgericht Hannover then confirmed in March 2025 that a manipulative banner without a first-layer 'reject all' button is unlawful.

Violations of Section 25 TDDDG can draw fines of up to €300,000, and where unlawful cookie processing also breaches the GDPR, the far higher GDPR ceilings apply. The recurring failure regulators find is not a missing banner but pre-consent tracking: scripts that fire the moment the page loads, before the visitor has clicked anything.

The storage of information in the end user's terminal equipment or access to information already stored in the terminal equipment is only permitted if the end user has consented on the basis of clear and comprehensive information.

— Section 25(1) TDDDG (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz)

Enforcement in Germany

The statute: Section 25 TDDDG

Formerly Section 25 TTDSG, the provision was renamed when the law became the TDDDG in 2024. It transposes Article 5(3) ePrivacy into German law and requires prior consent for any storage or access on a device, with narrow exemptions in Section 25(2).

Your regulator: the state DPA

The BfDI does not supervise the private sector. Your competent authority is the Landesdatenschutzbehörde of your Bundesland; they jointly issue guidance via the Datenschutzkonferenz (datenschutzkonferenz-online.de).

The benchmark: DSK Orientierungshilfe

The DSK Orientierungshilfe for digital-service providers (v1.2, November 2024) defines what German authorities expect: prior consent, equal reject, no nudging, named third parties, and a clear purpose overview.

How CookieSentry helps in Germany

CookieSentry scans your live site and flags every cookie and tracker that fires before consent — the failure the Landesdatenschutzbehörden are most likely to act on — and names the source so you can fix it. It also generates GDPR documents localized to Germany's requirements, so your policies match the rules the Landesdatenschutzbehörden apply. It is not a consent banner — keep your banner and add the audit and evidence layer on top.

Frequently asked questions

Which law governs cookies in Germany?

Section 25 of the TDDDG (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz) governs storing or accessing information on a user's device and requires prior consent for non-essential cookies. It implements Article 5(3) of the ePrivacy Directive. When personal data is involved, the GDPR and BDSG apply as well.

Do I need consent before setting cookies in Germany?

Yes. Section 25(1) TDDDG requires the user's prior consent before any non-essential cookie or tracker is set or read. Only cookies strictly necessary to deliver a service the user expressly requested, or needed to transmit a communication, are exempt under Section 25(2). Legitimate interest is not a valid basis.

Who enforces the cookie rules in Germany?

Not the federal BfDI for private companies — the competent authority is the Landesdatenschutzbehörde of the state where your business is established (for example BayLDA in Bavaria). These 16 authorities coordinate through the Datenschutzkonferenz (DSK), which publishes the binding-in-practice Orientierungshilfe.

How does CookieSentry help with German compliance?

CookieSentry loads your site like a real visitor and detects cookies and trackers that fire before consent — exactly the Section 25 breach German DPAs target — naming each source and producing exportable PDF evidence. It also generates GDPR-aligned privacy and cookie documents. CookieSentry is an audit and documentation tool, not a consent banner: keep your banner and use CookieSentry to prove it actually blocks tracking until consent.

Check your Germany cookie compliance

Run a free CookieSentry scan on your live pages, catch cookies firing before consent, and export evidence mapped to Germany's rules — no signup required.

Last reviewed 2026-06-14. General information on Germany's cookie rules, not legal advice; verify current requirements with the Landesdatenschutzbehörden or qualified counsel.
