
Cookie Consent in Germany: What Startup Founders Need to Know

Cookie consent in Germany needs two layers: TDDDG for device storage, GDPR for the processing afterwards. What banners must show and what auditors flag.

Rechtsanwalt · 8 min read

Key Summary

Cookie consent in Germany is a two-layer rule. § 25 (1) TDDDG (in force since 14 May 2024) governs storing or reading anything on a user's device. The DSGVO governs the processing of any personal data afterwards. Both layers must be satisfied for every non-essential cookie or pixel, and the reject button must be as prominent as accept on the first banner level.

If your website uses analytics, advertising pixels, A/B-testing, or any third-party tag, two laws apply, not one. The TDDDG governs whether you may put anything on the user's device. The DSGVO governs what you may do with the data afterwards. A banner that satisfies one law and ignores the other is non-compliant. The Bavarian DPA flagged that pattern on more than 350 websites in a single February 2024 sweep, and the cleanup is still running.

Endeinrichtung
Any device the user controls (phone, laptop, tablet, smart TV) onto which a website might write or from which it might read data. This is the trigger condition for § 25 TDDDG.

The two-layer rule

§ 25 (1) TDDDG (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz, in force as the renamed successor to the TTDSG since 14 May 2024 via BGBl. 2024 I Nr. 149) reads: storing or reading information on the user's device is only permitted with the user's consent, given on the basis of clear and comprehensive information. The same provision says the consent itself must follow the DSGVO standard (Art. 4 (11), Art. 6 (1)(a), Art. 7).

That pulls two separate legal bases into every cookie banner.

The TDDDG layer asks whether you may even touch the device. The DSGVO layer asks whether you may then process the personal data the cookie generates. Both must be cleared. § 25 (2) lists the only two exceptions: cookies whose sole purpose is transmitting a message over a public network, and cookies that are strictly necessary for the digital service the user has explicitly requested. Session cookies on a checkout, the language toggle on a multilingual site, and the load-balancer cookie qualify. Analytics, marketing pixels, fingerprinters, A/B-test tooling, and "improvement" cookies do not. The EDPB Guidelines 2/2023 on the technical scope of Art. 5 (3) ePrivacy Directive confirm that the rule covers pixels and IP-derived identifiers, not just classic HTTP cookies.

A banner that survives a regulator audit must clear four conditions at once.

Informed. The user knows which providers, which purposes, and which third countries are involved before clicking accept. The EuGH, in its decision of 1 October 2019 (C-673/17, "Planet49"), specified storage duration and third-party access as mandatory disclosures.

Active opt-in. Pre-ticked boxes are out. The same Planet49 ruling, confirmed by the BGH on 28 May 2020 (I ZR 7/16, "Cookie-Einwilligung II"), killed the practice in German law. Auditors still find pre-ticks in 2026.

Reject equally prominent on the first layer. This is the German specificity. The Datenschutzkonferenz (DSK) Orientierungshilfe für Anbieter von digitalen Diensten, version 1.2 of 20 November 2024, requires an equally accessible reject option on the first banner level, with the same colour weight and the same single click as accept. Anything not on the first layer fails. One extra click is already too many under DSK v1.2.

Granular and withdrawable. Each non-essential purpose needs its own toggle, and withdrawal must be at least as easy as the original grant under Art. 7 (3) DSGVO.

Common founder traps

Four banner patterns repeatedly fail in the audits I see.

The dark-pattern textbook is "Accept all" highlighted in colour with "Reject" greyed out or hidden under a settings sub-page. The BayLDA flagged this as the most common defect in its February 2024 batch.

A close second is pre-ticked toggles inside the settings panel: a reader who clicks "settings" finds analytics already on. That is the same Planet49 problem with a different button.

"By continuing to use this site you agree" cookie walls fail the active-action requirement. Both EDPB Guidelines 5/2020 on consent and DSK guidance treat scroll-as-consent as no consent at all.

A pure "consent or leave" wall without a free alternative also fails the freely-given test (Art. 4 (11), Art. 7 (4) DSGVO) for ordinary publishers. A documented Pur-Abo (pay-or-consent) remains permitted under the DSK position of 22 March 2023, but the controlling pan-EU source is now EDPB Opinion 08/2024 of 17 April 2024 on consent-or-pay models for large online platforms, which tightens the equivalence test: the paid alternative must be genuinely tracking-free, functionally equivalent, and reasonably priced, and the EDPB recommends an additional non-paying alternative without behavioural advertising. For a startup SaaS, this model rarely fits. It works for media, not for product pages.
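The four conditions above and the pre-tick and scroll-as-consent traps can be enforced in the consent logic itself rather than left to banner styling. The following is an added example, not code from the original article or from any consent-management vendor it names; the purpose names, the sample vendors and the loader callbacks are constructed placeholders.

```javascript
// Added example: a minimal consent gate modelling the two-layer rule.
// Purposes are declared with the vendors the first banner layer must
// disclose; only "necessary" (§ 25 (2) TDDDG exception) runs without consent.
const PURPOSES = {
  necessary: { essential: true, vendors: [] },
  analytics: { essential: false, vendors: ['Example Analytics (US)'] }, // constructed
  marketing: { essential: false, vendors: ['Example Ads (US)'] },       // constructed
};

function createConsentGate(purposes = PURPOSES) {
  // No pre-ticks: every non-essential purpose starts as "not granted".
  const state = Object.fromEntries(
    Object.entries(purposes).map(([id, p]) => [id, p.essential])
  );
  const pending = new Map(); // purpose -> loaders held back until consent

  // Only an explicit click calls grant(); scrolling or a timeout never does.
  function grant(ids) {
    for (const id of ids) {
      if (!(id in state)) throw new Error(`unknown purpose ${id}`);
      state[id] = true;
    }
    flush();
  }
  const nonEssential = () => Object.keys(purposes).filter(id => !purposes[id].essential);
  function acceptAll() { grant(nonEssential()); }
  // Reject must be reachable with the same single action as accept.
  function rejectAll() { withdrawAll(); }
  // Withdrawal as easy as grant (Art. 7 (3) DSGVO): one call, no conditions.
  // It stops further loads; deleting cookies a tag already wrote is the tag owner's job.
  function withdrawAll() {
    for (const id of Object.keys(state)) state[id] = purposes[id].essential;
  }
  function isAllowed(id) { return state[id] === true; }

  // Tags register here; non-essential ones are queued until their purpose is granted,
  // so nothing touches the device (TDDDG layer) before the user acts.
  function loadTag(purposeId, loader) {
    if (isAllowed(purposeId)) { loader(); return true; }
    if (!pending.has(purposeId)) pending.set(purposeId, []);
    pending.get(purposeId).push(loader);
    return false;
  }
  function flush() {
    for (const [id, loaders] of pending) {
      if (!isAllowed(id)) continue;
      loaders.forEach(fn => fn());
      pending.delete(id); // safe during Map iteration
    }
  }
  // What the first layer must list per purpose: the vendors (and their countries).
  function disclosure() {
    return nonEssential().map(id => ({ id, vendors: purposes[id].vendors }));
  }
  return { grant, acceptAll, rejectAll, withdrawAll, isAllowed, loadTag, disclosure };
}
```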

Enforcement reality

Three data points should change how seriously a founder treats this.

The Bayerisches Landesamt für Datenschutzaufsicht (BayLDA) ran an automated audit without a specific trigger (an anlasslose Prüfung) in early 2024 and announced in its press release of 9 February 2024 that 350+ Bavarian-operator websites and 15 apps had been flagged as non-compliant. Operators were given the chance to remediate before formal fine proceedings (Bußgeldverfahren). The tool is open-source, the methodology is public, and similar sweeps have since started in other states.

The maximum direct fine under § 28 TDDDG for a § 25 violation is EUR 300,000 per case (Nr. 13 of the catalogue, the top general TDDDG ceiling under § 28 (2)). The DSGVO sits behind it: any unlawful subsequent processing of personal data through an invalid cookie can independently trigger Art. 83 fines up to EUR 20 million or 4 percent of the undertaking's worldwide annual turnover, whichever is higher (Art. 83 (5) DSGVO; on group-level turnover for parents, see EuGH 5.12.2023, C-807/21, "Deutsche Wohnen").

Then there is the activist layer. noyb (the privacy NGO led by Max Schrems) launched its largest cookie-banner complaint wave at the end of May 2025, with more than 500 draft complaints across 33 countries (noyb.eu press release, 31 May 2025). Several reached German operators. Most lead to a corrective order rather than a fine. The cleanup work and the legal-fee bill are still real.

Among the founders I work with, the cookie banner is usually where a quietly-running compliance gap surfaces. The standard pattern is a launch-day Cookiebot or Usercentrics integration on default settings, then nobody touches it for two years. By the time a regulator letter arrives, or a competitor's cease-and-desist letter (Mitbewerber-Abmahnung) under § 8 UWG, the site has accumulated three rounds of new tools, none of which are listed in the banner. I budget for an annual banner review the same way I budget for an annual privacy policy (Datenschutzerklärung) review. It takes an hour, and it neutralises most of the risk.

The Einwilligungsverwaltungsverordnung (EinwV) entered into force on 1 April 2025 under § 26 TDDDG. It creates a voluntary framework for recognised (anerkannte) Personal Information Management Services (PIMS): a recognised consent service stores the user's preferences once, websites read them automatically, and the banner can disappear. Adoption is voluntary on both sides. As of late April 2026 no fully recognised PIMS provider has reached market saturation. Plan as if cookie banners stay until at least 2027.

Pur-Abo (pay-or-consent) remains the other partial alternative for content publishers. Several German news publishers run it. Most startups have no pure content offering, so the model rarely applies.

Use this when you review the banner. Ten items, every quarter. If a single item fails, the banner fails.

Checkliste: Cookie-banner audit (Germany)

Bottom line

Two laws, one banner. The cookie layer is § 25 TDDDG, the data layer is the DSGVO, and a startup needs both to clear at the same time. The four hard requirements are informed, active opt-in, equally prominent reject on the first layer, granular per purpose with easy withdrawal. Skip any one and the banner fails an audit. The headline number is EUR 300,000 per § 25 violation under § 28 TDDDG, but the harder cost is the cleanup, the Abmahnung exposure, and the regulator letter that names your specific tools by category and date. Run the audit quarterly. Document the result. Update the banner whenever you add or remove a third-party tag. If you also handle B2B SaaS, pair this review with the GDPR seven-rules check and the DPO threshold review.

Legal Sources

  • § 25 (1) TDDDG: Storing or reading information on the user device requires informed consent on the GDPR standard.
  • § 25 (2) TDDDG: Two narrow exceptions: pure transmission, and strictly necessary for the requested digital service.
  • § 26 TDDDG: Authorisation for the Einwilligungsverwaltungsverordnung (PIMS framework).
  • § 28 TDDDG: Bußgeld up to EUR 300,000 for § 25 (1) violations (Nr. 13).
  • Art. 6 (1) DSGVO: Legal basis for any processing triggered by storage/access.
  • Art. 7 DSGVO: Validity requirements for consent and the Art. 7 (3) withdrawal-as-easy-as-grant rule.
  • Art. 83 DSGVO: Administrative fines up to EUR 20m or 4 percent of global annual turnover.
  • EuGH, 1.10.2019, C-673/17 (Planet49): Pre-ticked consent boxes are not valid consent under Art. 5 (3) ePrivacy Directive and the GDPR; storage duration and third-party access must be disclosed.
  • BGH, 28.05.2020, I ZR 7/16 (Cookie-Einwilligung II): § 15 (3) TMG (now § 25 TDDDG) must be interpreted in line with Art. 5 (3) ePrivacy; opt-out via pre-checked box is invalid.
  • DSK Orientierungshilfe für Anbieter von digitalen Diensten, Version 1.2 (20.11.2024): Reject must be equally prominent as accept on the first banner layer; granular consent per purpose; withdrawal as easy as grant.
  • DSK-Beschluss zu Pur-Abo-Modellen (22.03.2023): Pay-or-consent permissible if the paid alternative is genuinely tracking-free, equally functional, and reasonably priced.
  • EDPB Opinion 08/2024 on Valid Consent in Consent or Pay Models for Large Online Platforms (adopted 17.04.2024): EDPB tightens the equivalence test: paid alternatives must be functionally equivalent and reasonably priced, and platforms should consider an additional free non-tracking alternative.
  • EDPB Guidelines 2/2023 on the Technical Scope of Article 5(3) ePrivacy Directive: Pixels, browser fingerprinting, and IP-derived identifiers fall under § 25 TDDDG.
  • BayLDA Pressemitteilung vom 9.02.2024 (Apps und 'Cookie'-Banner auf dem Prüfstand): Automated audit of 350+ Bavarian-operator websites and 15 apps; non-compliant operators given the chance to remediate before formal Bußgeldverfahren.
  • noyb.eu press release of 31.05.2025 ('Cookie banner terror, second wave'): noyb launched 500+ draft complaints across 33 countries against unlawful cookie banners, several reaching German operators.
  • Einwilligungsverwaltungsverordnung (EinwV): Voluntary PIMS framework under § 26 TDDDG, in force since 1.4.2025.

Frequently Asked Questions

Which law governs cookie consent in Germany?
Two laws apply in parallel. § 25 (1) TDDDG (the renamed TTDSG, in force as TDDDG since 14 May 2024) requires consent before storing or reading any non-essential information on the user's device. The DSGVO governs the legal basis for any personal data processing that follows.
Do I need a cookie banner if I only use Google Analytics?
Yes. Analytics cookies and pixels are not strictly necessary under § 25 (2) TDDDG, so they need active opt-in consent before they load. The same applies to A/B-testing tools, marketing pixels, and most session-replay tools.
Must the reject button be as prominent as the accept button?
Yes, on the first banner layer. The DSK Orientierungshilfe für Anbieter von digitalen Diensten (version 1.2, 20 November 2024) requires equally accessible accept and reject options, with no extra clicks or visual de-emphasis on the reject side.
What is the maximum fine for a faulty cookie banner?
Under § 28 TDDDG, up to EUR 300,000 per case for a § 25 violation. The DSGVO sits behind it: any unlawful subsequent processing can trigger Art. 83 fines up to EUR 20 million or 4 percent of global annual turnover, whichever is higher.
Does the Einwilligungsverwaltungsverordnung (EinwV) replace cookie banners?
Not yet. The EinwV took effect on 1 April 2025 and creates a voluntary framework for recognised PIMS providers. Adoption is still early. Cookie banners remain the default through at least 2027.
