Cookie consent
Cookie consent is the prior, informed and freely given approval of the user that, under Section 25 TTDSG, must be obtained before non-essential cookies or comparable technologies may be stored on or read from the user's terminal device.
Cookie consent refers to the approval a website operator must obtain from a user before deploying cookies or similar technologies that are not strictly necessary for the service the user has explicitly requested. Since 1 December 2021, the legal basis in Germany has been Section 25 (1) TTDSG, which transposes Article 5 (3) of the ePrivacy Directive into German law. The provision protects the integrity of the terminal device regardless of whether the stored or accessed information is personal data, and therefore also covers pixels, local storage, fingerprinting and comparable techniques.
The consent must meet the requirements of the GDPR: it is only valid if it is freely given, specific, informed and an unambiguous indication of the user's wishes given through a clear affirmative action (Article 4 (11) in conjunction with Article 7 GDPR). Pre-ticked boxes, buttons without a genuine choice or merely continuing to browse do not suffice. The Court of Justice of the European Union clarified this in the Planet49 judgment (C-673/17 of 1 October 2019), declaring pre-checked boxes unlawful; the German Federal Court of Justice confirmed this approach in its follow-up ruling Cookie-Einwilligung II (I ZR 7/16). Consent must also be as easy to withdraw as it was to give.
In practice, cookie consent is obtained through a consent banner or a consent management platform that must offer a real choice between accepting and rejecting; supervisory authorities consider an equally prominent reject option on the first layer to be required. Strictly necessary cookies that support, for example, the shopping cart or the session do not require consent. Under Article 7 (1) GDPR the controller must be able to demonstrate the consent given and should log it in an audit-proof manner, since violations can lead to fines and warning letters.
Legal Basis
Section 25 TTDSG; Article 5 (3) ePrivacy Directive 2002/58/EC; Article 4 (11), Article 6 (1) (a), Article 7 GDPR; CJEU Planet49 (C-673/17); German Federal Court of Justice, Cookie-Einwilligung II (I ZR 7/16)
Practical Example
An online retailer embeds Google Analytics and a marketing pixel to measure reach. The data protection officer finds that the existing banner already sets analytics cookies on page load and offers only an Accept button. He introduces a consent management platform that loads analytics and marketing cookies only after active approval, shows equally prominent Accept and Reject buttons on the first layer, allows granular choices by purpose, and logs each consent with a timestamp and banner version, so that proof can be provided to the supervisory authority at any time.
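The gating behaviour described in this example can be sketched in JavaScript as follows. This is an added illustration, not code from any consent management platform; `ConsentGate`, `loadTag`, the purpose names and the banner version string are assumptions chosen for the sketch.

```javascript
// Added example. BANNER_VERSION, the purpose names and loadTag are assumptions.
const BANNER_VERSION = "banner-v3"; // constructed placeholder
const PURPOSES = ["analytics", "marketing"]; // non-essential, so consent is required

class ConsentGate {
  constructor(loadTag, now = () => new Date().toISOString()) {
    this.loadTag = loadTag; // hypothetical callback; in a browser it injects the <script>
    this.now = now;
    this.pending = new Map(PURPOSES.map((p) => [p, []]));
    this.granted = new Set(); // empty on page load: nothing is pre-ticked
    this.log = [];
  }

  // Tags register here instead of being embedded in the page markup.
  register(purpose, tag) {
    if (!this.pending.has(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    if (this.granted.has(purpose)) this.loadTag(tag);
    else this.pending.get(purpose).push(tag); // held back until an explicit opt-in
  }

  // Wire this only to clicks on Accept, Reject or the per-purpose toggles.
  decide(choices) {
    for (const purpose of PURPOSES) {
      if (choices[purpose] === true) { // anything other than literal true is a refusal
        this.granted.add(purpose);
        this.pending.get(purpose).splice(0).forEach((tag) => this.loadTag(tag));
      } else {
        // Withdrawal is the same single call as giving consent. Tags that already
        // ran are not undone here; their cookies must be deleted separately.
        this.granted.delete(purpose);
      }
    }
    const record = Object.freeze({
      ts: this.now(),
      bannerVersion: BANNER_VERSION,
      granted: Object.freeze([...this.granted].sort()),
    });
    this.log.push(record); // in production, ship to append-only server-side storage
    return record;
  }
}
```

A quick check of such a setup is to open the page in a fresh browser profile and confirm that no analytics or marketing request or cookie appears before a button is clicked.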