
Germany's TDDDG: Cookie Consent Rules for 2026

Germany renamed its cookie law in May 2024, and §25 TDDDG still governs every read or write to a visitor's device. Here's how the two-layer German model works, what the new consent-management ordinance changes, and which of the 16 regulators actually enforces it.

If you last checked German cookie law under the name TTDSG, that name is gone. Since 14 May 2024, the statute is called the Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TDDDG). The rename came in with Germany's Digital Services Act implementation, which swapped the old term "Telemedien" for "digitale Dienste" throughout German law. The substance barely moved: the cookie rule that used to sit in §25 TTDSG now sits in §25 TDDDG, word for word.

That matters because a lot of guidance still circulating online references the TTDSG. It's the same law. This guide covers how Germany actually regulates cookies in 2026: the two legal layers you have to satisfy, what §25 demands, the new consent-management ordinance that took effect in April 2025, who enforces all of this, and how to configure a compliant setup for German traffic.

Two Laws, Not One

German cookie compliance is a stack of two regimes, and you need both.

Layer one is the TDDDG. §25(1) transposes Article 5(3) of the EU ePrivacy Directive. It says that storing information on a user's terminal equipment, or gaining access to information already stored there, requires the user's prior consent after clear and complete information. This is about the technical act of reading or writing to the device. It applies to cookies, but also to localStorage, device fingerprinting, pixel tags, and SDK identifiers. It doesn't matter whether the data is "personal" in the GDPR sense. If your script touches the device, §25 is engaged.

Layer two is the GDPR. Once a cookie has been set and starts processing personal data (an analytics ID, an advertising profile), the GDPR governs that processing: your legal basis, transparency, retention, data-subject rights, international transfers. The two layers stack. §25 controls getting the cookie onto the device; the GDPR controls what you then do with the data it collects.

The practical upshot: a consent that satisfies §25 for placing the cookie usually doubles as your GDPR Article 6(1)(a) consent for the processing, so one well-built opt-in flow covers both. But you can't skip either analysis.

What §25 Actually Requires

§25(1) sets the default: prior, informed consent for anything non-essential. §25(2) carves out two narrow exceptions where no consent is needed:

  • Storage or access whose sole purpose is carrying out the transmission of a communication over a network.
  • Storage or access that is strictly necessary for the provider to supply a telemedia service the user has explicitly requested.

"Strictly necessary" is read narrowly. A shopping-cart cookie, a load-balancing cookie, or a session token for a logged-in area fits. Analytics, A/B testing, advertising, and social-media widgets do not. Those need opt-in every time.

The consent itself has to meet the GDPR standard: freely given, specific, informed, and unambiguous. Germany's Federal Court of Justice settled the pre-ticked-box question in its Cookie-Einwilligung II ruling (28 May 2020), following the CJEU's Planet49 decision. Pre-checked boxes are not valid consent. Silence or continued browsing is not consent. And the German data protection authorities have been consistent that rejecting must be as easy as accepting, which in practice means a "Reject all" button with the same prominence as "Accept all", on the first layer of the banner.

Who Enforces It: 16 Regulators, One Coordinating Body

Germany has no single national data protection authority for the private sector. It has 16 state-level supervisory authorities (Landesdatenschutzbehörden), one per Bundesland, plus the Federal Commissioner for public bodies and telecoms. The authority with jurisdiction over your business is generally the one for the state where you're established.

To keep 16 regulators aligned, they coordinate through the Datenschutzkonferenz (DSK). The DSK's guidance for telemedia providers (the Orientierungshilfe für Anbieter von Telemedien, last substantially updated in December 2021 and still the reference document in 2026) is the closest thing Germany has to a national cookie-banner rulebook. It's where the equal-prominence expectation, the ban on nudging dark patterns, and the granularity requirements are spelled out. You can find the DSK's resolutions and guidance at the DSK's official site, and the full statute at the German Federal law portal, gesetze-im-internet.de/tdddg.

German regulators are among the more active in Europe on banner design. Several state authorities have run automated sweeps of cookie banners, sent warning letters over missing reject buttons, and scrutinised Google Analytics deployments. Treat German traffic as high-attention.

The New Piece: §26 and the Consent-Management Ordinance

Here's what's genuinely new. §26 TDDDG created a framework for recognised consent-management services, sometimes called PIMS (personal information management systems). The idea is that a user sets their cookie preferences once, in a browser setting or a dedicated service, and websites read and honour those preferences instead of showing a banner every time. It's Germany's attempt to fix banner fatigue.

§26 was just an enabling clause until the implementing ordinance landed. The Einwilligungsverwaltungsverordnung (EinwV) was approved by the Bundesrat on 20 December 2024 and came into force on 1 April 2025. It sets the technical and organisational criteria a consent-management service must meet to get recognised by an independent certification body: it has to be user-friendly, competition-neutral, and free of a self-interest in any particular consent outcome.

Two things to keep straight. First, using a recognised service is voluntary. Nothing forces you to adopt it, and nothing forces users to use one. Second, legal commentators have flagged real doubts about whether it works in practice, because the recognised service can only manage the §25 TDDDG consent, while the parallel GDPR consent for the downstream processing may still need to be captured the traditional way. Early uptake has been cautious. For now, treat the EinwV as an option to watch rather than a reason to tear out your banner. A law-firm analysis of the mechanics is available from ADVANT Beiten.

Fines and Enforcement Exposure

Cookie violations in Germany are punished mainly through the GDPR's fining regime, since invalid consent means the downstream processing has no lawful basis. That exposes you to administrative fines of up to €20 million or 4% of global annual turnover, whichever is higher. The TDDDG also carries its own administrative-fine provisions for breaches of the device-access rules, layered on top.

In reality, most German enforcement starts softer: a supervisory authority sends a formal complaint or an order to fix the banner within a deadline. Ignoring that escalates fast. The bigger day-to-day risk for many businesses isn't the headline fine, it's the German market's unusually active competitor-warning system (Abmahnungen), where competitors and consumer associations can challenge non-compliant tracking directly.

A Practical Setup for German Traffic

You don't need a Germany-only banner. Germany sits inside the EU/EEA, so a solid GDPR-grade opt-in flow already covers most of the ground. The German-specific discipline is about rigour:

  1. Block first, consent second. No non-essential cookie, pixel, or SDK fires before opt-in. §25 is about the technical act of writing to the device, so pre-consent script blocking is the whole game.
  2. Give reject equal prominence. "Reject all" on the first layer, same visual weight as "Accept all". This is the single most-cited failure German regulators pick up.
  3. Be granular. Purpose-level toggles (analytics, marketing, functional), not one lump switch.
  4. Write in German. Notices and controls should be available in German for a German audience, in clear language, not legalese.
  5. Log every decision. Keep a timestamped, exportable record of who consented to what and when, so you can demonstrate valid consent if a state authority asks. Our guide on consent logging and audit requirements covers what to retain.
  6. Re-ask on a sensible cadence. German guidance leans toward refreshing consent rather than treating it as permanent.
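
Steps 1, 3, 5 and 6 above, expressed as a default-deny tag gate (an added example, not CookieBeam's code or API; the tag inventory, function names and the 180-day refresh window are assumptions):

```javascript
// Added example with constructed data; none of these names come from a real CMP.
const PURPOSES = ["analytics", "marketing", "functional"];
// Assumed refresh cadence for illustration; the page gives no statutory figure.
const CONSENT_MAX_AGE_MS = 180 * 24 * 60 * 60 * 1000;

// Constructed inventory: every tag that reads or writes the device declares a purpose.
const TAGS = [
  { id: "session", purpose: "necessary" },
  { id: "cart", purpose: "necessary" },
  { id: "web-analytics", purpose: "analytics" },
  { id: "ad-pixel", purpose: "marketing" },
  { id: "chat-widget", purpose: "functional" },
  { id: "legacy-sdk" }, // no declared purpose: never treated as necessary
];

// Build the audit record from an explicit user action ("accept_all",
// "reject_all" or "save"). On "save" only a literal `true` per purpose counts,
// so a missing, pre-filled or merely truthy value is stored as false.
function recordDecision(choices, action, now = Date.now()) {
  const purposes = {};
  for (const p of PURPOSES) {
    purposes[p] = action === "accept_all" || (action === "save" && choices[p] === true);
  }
  return { timestamp: new Date(now).toISOString(), action, purposes };
}

// A record older than the refresh window no longer unlocks anything,
// which forces the banner to ask again.
function isCurrent(record, now = Date.now()) {
  return Boolean(record) && now - Date.parse(record.timestamp) < CONSENT_MAX_AGE_MS;
}

// Default-deny gate: with no record, an expired record, or an undeclared
// purpose, only strictly necessary tags may touch the device.
function allowedTags(tags, record, now = Date.now()) {
  const valid = isCurrent(record, now);
  return tags
    .filter((t) => t.purpose === "necessary" || (valid && record.purposes[t.purpose] === true))
    .map((t) => t.id);
}

console.log(allowedTags(TAGS, null)); // first visit, before any banner interaction
```

In a browser, the loader would inject only the tags this gate returns, and the record from `recordDecision` is what gets appended to the exportable consent log.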

How CookieBeam Handles Germany

Germany doesn't get its own preset in CookieBeam, and it doesn't need one. Because it's part of the EU/EEA, German visitors are covered by CookieBeam's GDPR framework preset, which sets the banner to opt-in, blocks non-essential scripts until consent, and applies the equal-prominence reject button that §25 and the DSK expect. The regional consent engine serves that behaviour to German traffic from the same banner you use everywhere else, with German-language text, while a US visitor sees an opt-out flow and a Swiss visitor sees the Swiss model.

Every consent decision is logged with a timestamp and purpose-level detail, which is the record you'd hand a German supervisory authority. To be clear about scope: CookieBeam is the consent tool you deploy on your own site. It isn't a §26-recognised consent-management service under the EinwV, and it doesn't need to be for you to comply. If recognised PIMS gain traction in Germany, honouring a user's stored preference is a natural extension of the same consent signal the banner already produces.

Before you finalise, check the current DSK guidance and your own state authority's position. German banner expectations have tightened year on year, and this guide reflects the position as of mid-2026.

Related Guides

For the EU baseline German rules build on, see the GDPR cookie compliance checklist and EDPB cookie guidance. For the reject-button rule in depth, read one-click reject and dark-pattern laws. For how a single banner adapts per country, see regional consent for global sites. Comparing across Europe? Our guides on France's CNIL guidelines and Switzerland's revised FADP sit alongside this one.
