Under the GDPR, informing website users about their personal data collection and obtaining user consent for cookies is a fundamental requirement. Germany, like many other European countries, also has specific requirements for obtaining user consent.
In Germany, besides the GDPR, Cookie Consent is regulated by:
- The Telecommunications Telemedia Data Protection Act (TTDSG), also called the German cookie law, published on 30 November 2022.
- The Data Protection Authority, Datenschutzkonferenz (DSK), guidelines addressing Section 25 of the TTDSG; an updated version was published on 24 November 2022.
In this article, we will explore the Cookie Consent requirements in Germany and how to ensure compliance. The requirements cover the use of cookies and similar trackers that can collect user information or track user activity, for example spyware, web bugs, or hidden identifiers, with the exception of strictly necessary cookies.
Scope of the Guidelines
When personal data is not involved, the TTDSG should be used as the main act. The updated TTDSG incorporates Article 5(3) of the e-Privacy Directive into national law and sets requirements for data controllers, including telecommunications service providers and telemedia service providers.
The TTDPA requires implementing secure data processing systems and practices, regularly updating these systems, and ensuring that employees are trained in data protection practices.
When personal data is also involved in the company’s activities, both the TTDSG and the GDPR should be used. The TTDSG regulates the collection and storage of the data in more detail, while the GDPR is more concerned with further data processing.
The DSK has clarified the need for the end user’s prior cookie consent and the storage of cookies and other tracking technologies in the user’s browsing devices.
This article combines the requirements mandated by both the above-mentioned regulatory laws and the GDPR.
Who do the German Cookie Rules Apply To?
The German cookie regulations apply to any entity operating a website accessible by German users. If you are using cookies other than strictly necessary cookies on your website, the German cookie rules apply to you.
You must comply with the GDPR, TTDSG, and DSK requirements.
Cookie Consent Requirements in Germany
Obtaining Cookie Consent
Valid Cookie Consent must satisfy the following criteria. It must be:
- Informed. Users must be informed clearly about the types of cookies used, their purposes, the duration of cookie storage, and any third-party involvement.
- Freely given. Users should have a real and free choice for accepting or rejecting cookies, without facing any negative consequences if they refuse cookies. Websites should not use techniques like dark patterns or cookie walls to pressure users into accepting cookies.
- Specific. Consent must be specific to the purpose for which cookies are used. If there are multiple purposes, each of them should have separate consent requests. For example, separate consent is needed for analytics cookies, advertising cookies, functional cookies, etc.
- Granular. Users should have the ability to consent or refuse cookies on a granular level. They should be able to accept some types of cookies while rejecting others.
- Easy to withdraw. Users must be able to withdraw their consent as easily as they gave it. Websites should provide clear instructions on how to do this.
- Prior cookie consent. Websites should ask for and obtain the user’s consent before placing any cookies on a device. Setting cookies without getting the user’s permission first is not allowed.
Cookie Banners
Websites in Germany, like in other countries covered by the GDPR, must use cookie banners to inform users about the use of cookies and request their consent. The banner should include clear and easily understandable information about the types of cookies used and their purposes. It must have a granular option for the selection of types of cookies and should not obscure the main content of the website.
With CookieScript, you can automatically scan your website for cookies and add them to your site’s list of cookies.
Pre-checked boxes
Pre-checked boxes for automatically accepting all cookie types are not allowed in Germany. Users must make an explicit selection of their cookie preferences, including the option to reject all cookies except for strictly necessary cookies.
Duration of consent
Consent for cookies in Germany has a limited duration. Users should be asked to renew their consent at reasonable intervals, like every 6 to 12 months.
Children's data
Special care should be taken when processing children’s personal data. When the child is below the age of 16 years, cookie consent is needed from parents or other authorized individuals.
Documentation of cookie consent
Websites should collect and store cookie consent records and be able to produce them as proof of compliance with data protection regulations. The information should include when and how users gave their consent and the types of cookies.
Clear accept and reject choices
Use simple and straightforward language for consent options, such as “Agree” or “Accept.” Terms like “Okay” do not constitute valid consent since they do not indicate an unambiguous action.
Present users with equal choices for giving or rejecting consent; otherwise, the consent will be considered invalid. Both options should be easily visible on the Cookie Banner, without pressing any additional buttons.
Valid consent requires an equally accessible way to explicitly opt out of consent. If there is an Accept button or link, there would have to be a Reject button or link equal in appearance and accessibility.
Layered approach requirements
Consent banners can have multiple layers of information. The first layer must have basic information for accepting or rejecting cookies, while the second layer could provide detailed information. The second layer could be accessed by clicking on a button or link in the first layer of the banner.
If the first layer has a consent button, it must provide specific details about cookies and the reasons for data collection. The consent wouldn’t be considered valid if detailed cookie information and separate consent choices were provided only in the second layer.
The first layer should allow both accepting and rejecting cookies easily.
If an Accept option is present on the first layer, then the banner must also state all data collection and processing purposes in the first layer. However, providing the option to make a granular decision in the first layer is unnecessary.
Cookie consent by scrolling or by continued browsing
Under German law, consent by scrolling does not provide a valid indication of affirmative cookie consent. As with consent on scroll, continuing to browse a webpage is also not recognized as valid consent.
Use of Third-Party Cookies
The German guidelines do not set requirements for identifying third parties. However, if third parties have the ability to access users’ personal data, this information must be disclosed. In addition, if users have configured their devices to protect their personal data, for example by using the “Do Not Track” feature, websites should respect that choice. Using any technical settings to bypass it is not allowed.
Freedom to withdraw consent
Users have the freedom to withdraw their consent at any time and without any need to provide a reason for it. Websites must provide an easy way to withdraw consent. For example, websites could place a link in the website’s footer or Privacy Policy that directs users to a page where they can easily review their granted consent.
Cookie walls
The use of cookie walls is commonly not allowed. Consent earned in this way is not freely given. However, it’s acceptable if the Cookie Banner provides a “Reject cookies” option that closes the Cookie Banner and allows users to continue navigating the website.
So-called “paywalls”, which grant access to the website without requiring cookie consent but for a fee, are allowed. Nevertheless, users should be provided with clear information about the cookies and the collection of their Personal Information.
Cross-border data transfers
Special care must be taken when using any cookies or other tracking technologies that provide information for international data transfers. Entities using cross-border data transfers should inform users about it, get consent for it, and use adequate data protection techniques while transferring data.
Privacy or Cookie Policy
To provide users with the necessary information about cookies, your website needs to have a Cookie Policy. This can be a section in your Privacy Policy, or it could be a standalone Cookie Policy. Either way, you must provide users with the following data: what cookies are, the purposes for which you use cookies, the types of cookies you use, the duration of cookies, any third parties with which you share users’ personal data, how users can manage or revoke their cookie consent, etc.
CookieScript cookie consent provides a detailed Cookie Banner, so users can provide informed, freely given, specific, and granular cookie consent.
CookieScript Cookie Consent Solution helps companies and organizations to create a Privacy Policy and comply with applicable cookie consent legal requirements.
Consequences of Non-Compliance
Compliance with the TTDSG is supervised by the Federal Commissioner for Data Protection and Freedom of Information (BfDI) and the Federal Network Agency. Failure to comply with cookie consent requirements in Germany can result in significant fines.
Under the TTDSG, fines of up to €300,000 can be imposed for not obtaining consent or insufficiently obtaining consent.
The exact amount of money depends on the severity of the violation, but under the GDPR, fines can reach up to €20 million or 4% of the company's global annual revenue, whichever is higher.
How to Comply with the German Cookie Consent Rules?
Follow these tips to comply with the German cookie rules:
- Inform users about the use of cookies. Provide a clear cookie notice to users at or before the point of data collection. The easiest way to inform users is through a cookie banner. The banner should include clear and easily understandable information about the types of cookies used and their purposes. It must have a granular option for the selection of types of cookies and should not obscure the main content of the website.
- Publish a Cookie Policy or a Privacy Policy for your business or website. The Privacy Policy must contain information about the types of cookies used and their purposes, about third parties with which the data is shared, the duration of cookies, cross-border data transfers, how users can manage or revoke their cookie consent, and other data related to the management of personal data.
- Do not use pre-checked boxes to automatically accept all cookie types. Users must make an explicit selection of their cookie preferences, including the option to reject all cookies except for strictly necessary cookies.
- Inform users about the use of Third-Party Cookies.
- Get cookie consent from users. According to TTDSG and DSK, the valid cookie consent must be informed, freely given, specific, granular, easy to withdraw, and obtained before placing any cookies on a device.
- In the case of minors under 18, obtain consent from a parent or guardian. Also, take additional steps to safeguard children’s data and ensure that consent is appropriately obtained.
- Cookie consent must be valid. A cookie banner must have clear Accept and Reject choices and an equally accessible way to explicitly opt out of consent. If there is an Accept button or link, there would have to be a Reject button or link that is equal in appearance and accessibility.
- Don’t use dark patterns or cookie walls to obtain user consent. Under German law, consent obtained by dark patterns, cookie walls, scrolling, or continued browsing does not provide a valid indication of affirmative cookie consent.
- Store cookie consent for proof of compliance. The information should include when and how users gave their consent and the types of cookies.
- Respect the “Do Not Track” feature. If users have configured their devices to protect their personal data, for example by using the “Do Not Track” feature, respect their choice.
- Provide an easy way to withdraw consent. The process of withdrawing consent should be as easy as giving it.
How to Get Cookie Consent for German Cookie Laws?
The most common approach to obtaining cookie consent is to use a cookie banner: a pop-up notification providing information about cookies and asking the user whether they consent to them.
CookieScript Consent Management Platform is an optimal solution for creating a valid cookie banner and being compliant with the GDPR, TTDSG, and DSK guidelines.
CookieScript CMP Privacy Policy Generator helps you to create a Privacy Policy for your company or website that complies with German privacy laws.
Our Cookie Scanner scans your website for cookies and other tracking technologies and provides a detailed scan report including details about your website’s cookies with their provider, duration, and third parties if any.
CookieScript CMP allows you to create a fully customizable and configurable cookie banner. You can personalize colors, fonts, text, and style, and adjust the banner to your website's design.
It also can help you comply with the EU – US Data Privacy Framework for international data transfers.
Frequently Asked Questions
Is cookie consent by scrolling allowed under German law?
No. Under German law, consent by scrolling does not provide a valid indication of affirmative cookie consent. As with consent on scroll, continuing to browse a webpage is also not recognized as valid consent. Use CookieScript to create a valid, fully customizable, and configurable cookie banner.
Are pre-checked boxes on a cookie banner allowed under German law?
No, pre-checked boxes for automatically accepting all cookie types are not allowed in Germany. Users must make an explicit selection of their cookie preferences, including the option to reject all cookies except for strictly necessary cookies. Use CookieScript to create a valid cookie banner that complies with German privacy laws.
What are the requirements for user consent in Germany?
According to the TTDSG and DSK, valid cookie consent must be informed, freely given, specific, granular, easy to withdraw, and obtained prior to placing any cookies on a device. With CookieScript, you can easily create a cookie banner to obtain valid cookie consent that complies with German privacy laws.
What are cookie banner requirements under German law?
A valid cookie banner should include clear and easily understandable information about the types of cookies used and their purposes. It must have a granular option for the selection of types of cookies and should not obscure the main content of the website. With CookieScript, you can easily create a valid, fully customizable, and configurable cookie banner that complies with German privacy laws.
Are cookie walls allowed under German law?
The use of cookie walls is commonly not allowed in Germany. Consent earned in this way is not freely given. However, it’s acceptable if the cookie banner provides a “Reject cookies” option that closes the cookie banner and allows users to continue navigating the website. Use CookieScript CMP to comply with German privacy laws.
How to get valid cookie consent in Germany?
The most common approach to obtaining cookie consent is to use a cookie banner: a pop-up notification providing information about cookies and asking the user whether they consent to them. CookieScript Consent Management Platform is an optimal solution for creating a valid cookie banner and being compliant with the GDPR, TTDSG, and DSK guidelines.