Under the GDPR, informing website users about their personal data collection and obtaining user consent for cookies is a fundamental requirement. Germany, like many other European countries, also has specific requirements for obtaining user consent.
In Germany, besides the GDPR, Cookie Consent is regulated by:
Telecommunications Telemedia Data Protection Act (TTDSG), published on 30 November 2022.
Data Protection Authority, Datenschutzkonferenz (DSK) guidelines, addressing Section 25 of the TTDSG, an updated version was published on 24 November 2022.
In this article, we will explore the Cookie Consent requirements in Germany and how to ensure compliance. It includes the usage of cookies, and similar trackers that can collect user information or track user activity, for example, spyware, web bugs, or hidden identifiers, except for strictly necessary cookies.
Scope of the Guidelines
When personal data is not involved, TTDSG should be used as the main act. The updated TTDSG act incorporates Article 5(3) of the e-Privacy Directive into the national law and sets requirements for data controllers, including telecommunications service providers and Telemedia services providers.
When personal data is also involved in the company’s activities, both TTDSG and GDPR should be used. TTDSG regulates in more detail the collection and storage of the data, while GDPR is more concerned about further data processing.
The DSK has clarified the need for the end user’s prior cookie consent and the storage of cookies and other tracking technologies in the user’s browsing devices.
This article combines the requirements mandated by both the above-mentioned regulatory laws and the GDPR.
Cookie Consent Requirements in Germany
The valid Cookie Consent must satisfy the following criteria and must be:
- Informed. Users must be informed clearly about the types of cookies used, their purposes, the duration of cookie storage, and any third-party involvement.
- Freely given. Users should have a real and free choice for accepting or rejecting cookies, without facing any negative consequences if they refuse cookies. Websites should not use techniques like dark patterns or cookie walls to pressure users into accepting cookies.
- Specific. Consent must be specific to the purpose for which cookies are used. If there are multiple purposes, each of them should have separate consent requests. For example, separate consent is needed for analytics cookies, advertising cookies, functional cookies, etc.
- Granular. Users should have the ability to consent or refuse cookies on a granular level. They should be able to accept some types of cookies while rejecting others.
- Easy to withdraw. Users must be able to withdraw their consent as easily as they gave it. Websites should provide clear instructions on how to do this.
- Prior Cookie Consent. Websites should ask for the user’s consent and get consent prior to placing any cookies on a device. It’s not allowed to set cookies without getting their permission first.
CookieScript Cookie Consent provides a detailed Cookie Banner, so users can provide informed, freely given, specific, and granular Cookie Consent.
Other Requirements for Cookie Consent and Cookies in Germany
Cookie Banners
Websites in Germany, like in other countries covered by the GDPR, must use cookie banners to inform users about the use of cookies and request their consent. The banner should include clear and easily understandable information about the types of cookies used and their purposes, it must have a granular option for the selection of types of cookies and should not obscure the main content of the website.
With CookieScript, you can automatically scan your website for cookies and add them to your site’s list of cookies.
Pre-checked boxes
Pre-checked boxes for automatically accepting all cookie types are not allowed in Germany. Users must make an explicit selection of their cookie preferences, including the option to reject all cookies except for strictly necessary cookies.
Duration of consent
Consent for cookies in Germany has a limited duration. Users should be asked to renew their consent at reasonable intervals, like every 6 to 12 months.
Children's data
Special care should be taken when processing children’s personal data. When the child is below the age of 16 years, cookie consent is needed from parents or other authorized individuals.
Documentation of cookie consent
Websites should collect and store cookie consent and be able to deliver them for proof of compliance with data protection regulations. The information should include when and how users gave their consent and the types of cookies.
Clear accept and reject choices
Use simple and straightforward language for consent options, such as “Agree” or “Accept.” Terms like “Okay” are not valid consent since it does not provide unambiguous action.
Present users with equal choices for giving or rejecting consent, otherwise it will be considered invalid. Both options should be easily visible on the Cookie Banner, without pressing any additional buttons.
Layered approach requirements
Consent banners can have multiple layers of information. The first layer must have basic information for accepting or rejecting of cookies, while the second layer could provide detailed information. The second layer could be accessed by clicking on a button or link in the first layer of the banner.
If the first layer has a consent button, it must provide specific details about cookies and the reasons for data collection. The consent wouldn’t be considered valid if detailed cookie information and separate consent choices were provided only in the second layer.
The first layer should allow both accepting and rejecting cookies easily.
Cookie consent by scrolling or by continued browsing
Under German law, consent by scrolling does not provide a valid indication of affirmative cookie consent. As with consent on scroll, continuing scrolling a webpage also does not recognize consent to be valid.
Use of Third-Party Cookies
The German guidelines do not set requirements for identifying third parties. However, if third parties have the ability to access user’s personal data, this information must be disclosed. In addition, if users have activated their devices to protect their personal data like using the “Do Not Track” feature, websites should respect such choice, it is not allowed to use any technical settings to bypass it.
Freedom to withdraw consent
Users have the freedom to withdraw their consent at any time and without any need to provide a reason for it. Websites must provide an easy way to withdraw consent. For example, websites could place a link in the website’s footer or Privacy Policy that directs users to a page where they can easily review their granted consent.
Cookies walls
The use of cookie walls is commonly not allowed. Consent earned in this way is not freely given. However, it’s acceptable if the Cookie Banner provides a “Reject cookies” option that closes the Cookie Banner and allows users to continue navigating the website.
So-called “paywalls” are allowed, which are granting access to the website without requiring cookie consent, but for a fee. Nevertheless, users should be provided with clear information about the cookies and the collection of their personal information.
Cross-border data transfers
Special care must be taken while using any cookies or other tracking technologies that provide information for international data transfers. Entities, using cross-border data transfers, should inform users about it and get consent for it, and use adequate data protection techniques while transferring data.
Privacy or Cookie Policy
To provide users with the necessary information about cookies, your website needs to have a Cookie Policy. This can be a section in your Privacy Policy, or it could be a standalone Cookies Policy. Either way, you must provide users with the following data: what cookies are, the purposes for which you use cookies, the types of cookies you use, the duration of cookies, any third parties that you share users’ personal data, how users can manage or revoke their cookie consent, etc.
CookieScript Cookie Consent Solution helps companies and organizations to create a Privacy Policy and comply with applicable cookie consent legal requirements.
Consequences of Non-Compliance
Failure to comply with cookie consent requirements in Germany can result in significant fines. The exact amount of money depends on the severity of the violation, but under the GDPR, fines can reach up to €20 million or 4% of the company's global annual revenue, whichever is higher.
How to Get Cookie Consent?
The most common approach to obtaining cookie consent is to use a cookie banner: a pop-up notification providing information about cookies and asking the user whether they consent to them.
CookieScript Consent Management Platform is an optimal solution for creating a valid Cookie Banner and being compliant with the GDPR, TTDSG, and DSK guidelines.
CookieScript CMP Privacy Policy Generator helps you to create the German privacy laws-compliant Privacy Policy for your company or website.
Our Cookie Scanner scans your website for cookies and other tracking technologies and provides a detailed scan report including details about your website’s cookies with their provider, duration, and third parties if any.
CookieScript CMP allows you to create a fully customizable and configurable Cookie Banner. You can personalize colors, fonts, text, and style, and adjust the banner to your website's design.
It also can help you comply with the EU – US Data Privacy Framework for international data transfers.
Frequently Asked Questions
Is cookie consent by scrolling allowed under German law?
No. Under German law, consent by scrolling does not provide a valid indication of affirmative cookie consent. As with consent on scroll, continuing scrolling a webpage also does not recognize consent to be valid. Use CookieScript to create a valid, fully customizable, and configurable Cookie Banner.
Are pre-checked boxes on a Cookie Banner allowed under German law?
No, pre-checked boxes for automatically accepting all cookie types are not allowed in Germany. Users must make an explicit selection of their cookie preferences, including the option to reject all cookies except for strictly necessary cookies. Use CookieScript to create a valid cookie banner that complies with German privacy laws.
What are the requirements for user consent in Germany?
According to the TTDSG and DSK, the valid cookie consent be informed, freely given, specific, granular, easy to withdraw, and obtained prior to placing any cookies on a device. With CookieScript, you can easily create a cookie banner to obtain valid cookie consent, that complies with German privacy laws.
What are cookie banner requirements under German law?
The valid cookie banner should include clear and easily understandable information about the types of cookies used and their purposes, it must have a granular option for the selection of types of cookies and should not obscure the main content of the website. With CookieScript, you can easily create a valid, fully customizable, and configurable cookie banner, that complies with German privacy laws.
Are cookie walls allowed under German law?
The use of cookie walls is commonly not allowed in Germany. Consent earned in this way is not freely given. However, it’s acceptable if the cookie banner provides a “Reject cookies” option that closes the cookie banner and allows users to continue navigating the website. Use CookieScript CMP to comply with German privacy laws.
How to get valid cookie consent in Germany?
The most common approach to obtaining cookie consent is to use a cookie banner: a pop-up notification providing information about cookies and asking the user whether they consent to them. CookieScript Consent Management Platform is an optimal solution for creating a valid cookie banner and being compliant with the GDPR, TTDSG, and DSK guidelines.