Cookies and Tracking Under the TDDDG
What § 25 TDDDG prescribes for the use of cookies and tracking technologies on websites, when consent is required, and which exceptions apply to technically necessary services.
The German Telecommunications Digital Services Data Protection Act (TDDDG, formerly TTDSG) governs in § 25 the use of cookies and comparable tracking technologies on websites and apps. This provision implements the ePrivacy Directive (2002/58/EC) into German law and supplements the GDPR.
Consent Requirement Under TDDDG
Under § 25(1) TDDDG, storing information in a user's end device or accessing information already stored there is as a general rule only permissible with the user's consent. This applies to cookies, tracking pixels, local storage (localStorage, sessionStorage), fingerprinting, and comparable techniques.
Consent must meet GDPR requirements: it must be obtained before cookies are set, and must be freely given, informed, specific, and expressed through an active positive action. A pre-ticked checkbox or the mere continued use of a website is insufficient. At the same time, access to a website may not generally be made conditional on consent to non-essential cookies (pay-or-consent models remain regulatory contentious).
Exceptions for Essential Cookies
Section 25(2) TDDDG provides an important exception: cookies that serve solely to carry out the transmission of a communication over an electronic communications network, or that are strictly necessary to provide an information society service explicitly requested by the user, do not require consent. This covers session cookies for shopping baskets, login cookies, and technical preference cookies.
The relationship between the TDDDG and the GDPR operates in two stages: § 25 TDDDG governs access to the device (whether a cookie may be set), while the GDPR governs the subsequent processing of data (how the data collected may be used). For analytics cookies (e.g. Google Analytics), both consent under § 25 TDDDG and a legal basis under Article 6 GDPR are therefore required.
Cookie Banner Requirements
Cookie banners must be technically implemented so that rejecting cookies is as easy as accepting them. Misleading dark patterns — such as highlighting the accept button or hiding the reject option — are impermissible and have already attracted fines from supervisory authorities.