Cookie banners annoy many businesses - a nuisance for visitors, unclear for operators and a legal minefield. In 2026 the topic is back in focus: with the Telecommunications Digital Services Data Protection Act (TDDDG), Germany has a clear rule for when a website needs active consent - and the supervisory authorities are enforcing it more firmly (DSK). For small and medium-sized businesses in and around Hildesheim, this means a banner alone is not enough - it has to be built correctly. This article explains, factually, what Section 25 TDDDG requires, when you actually need a banner, what a compliant banner looks like in practice and which mistakes get you warned or fined. As a web agency from the Hildesheim region, we help local businesses handle data protection and cookie consent calmly and correctly - without panic, but with the seriousness it deserves.
Why Cookie Banners Are Back in 2026
Since May 2024 the legal basis for cookies is no longer called TTDSG but the Telecommunications Digital Services Data Protection Act, TDDDG for short (TDDDG). In substance the core is unchanged: the central Section 25 governs when a website may store information on or read it from an end device. What is new is the tone of enforcement. Faulty banners were tolerated for a long time, but the supervisory authorities now check more consistently whether consent is really obtained freely and on an informed basis (DSK).
That this is no trifle is shown by recent proceedings abroad: France's supervisory authority CNIL imposed fines of 150 million euros and 325 million euros on two corporations in September 2025 because their cookie and consent design steered users towards accepting (CNIL). Such sums concern large enterprises - for the German mid-market the national ceiling is more relevant: breaches of Section 25 TDDDG can be punished with up to 300,000 euros (Section 28 TDDDG). On top of that comes the practical risk of competition-law warning letters from competitors.
Two Laws, Two Layers
What Section 25 TDDDG Actually Requires
The rule is short and far-reaching at once: any storage of information on a user's end device and any access to already stored information is only permitted with prior consent based on clear and comprehensive information (Section 25 TDDDG). This applies not only to classic cookies but to any comparable technique - such as local storage, tracking pixels or device fingerprinting. What matters is the access to the device, not the label of the technology.
The core rule: ask first, set second
For consent to be valid it must meet the requirements of the GDPR: freely given, specific, informed and unambiguous (Art. 4(11) GDPR). And it must be as easy to withdraw as it was to give - the user must be able to change their decision at any time (Art. 7(3) GDPR). A banner that appears only once on the first visit and leaves no way back does not meet this requirement.
When You Actually Need a Banner
A common misconception is that every website needs a cookie banner. That is not true. The law clearly distinguishes between technically necessary cookies that make the site work in the first place and everything beyond that. Technically necessary storage is expressly exempt from the consent requirement (Section 25(2) TDDDG). Analytics and marketing techniques, by contrast, are almost never necessary in this narrow sense - they require consent.
Shopping cart and checkout
A cart that keeps your selection across pages, and the session cookies of a checkout or login flow, are technically necessary. Without them the core of the site does not work - so no banner is needed (Section 25(2) TDDDG).
Security and basic function
Cookies for load balancing, fraud protection or storing the selected language usually count as necessary. The cookie that remembers your cookie decision itself is also permitted without consent.
Reach and analytics tools
Tools that measure which pages are visited how often are not a necessary part of the offering. They process usage data for evaluation purposes and therefore require active consent.
Marketing, retargeting and embeds
Marketing and retargeting pixels, embedded maps or videos from external providers and A/B testing tools almost always set cookies or load third-party content. They fall under the consent requirement.
| Purpose of the cookie | Consent needed? | Reasoning |
|---|---|---|
| Shopping cart and login session | not included | Technically necessary for operation |
| Remembered language or cookie choice | not included | Basic function, expressly exempt |
| Reach measurement and analytics | included | Serves evaluation, not operation |
| Marketing and retargeting pixels | included | Processing for advertising purposes |
| Embedded map or video | included | Loads third-party content and sets cookies |
How to check your needs
What a Compliant Banner Must Look Like
When a banner is needed, its design decides legal certainty. The Conference of Independent Data Protection Supervisory Authorities of the Federation and the States has published guidance for providers of digital services (as of November 2024) that sets the benchmark (DSK). Its core idea: the user must have a genuine, free choice - and rejecting must not be harder than accepting.
- No pre-ticked boxes: all consent-requiring categories are off at the start. Consent arises only through an active action by the user.
- Reject as easy as accept: on the first layer of the banner, an equivalent reject button sits next to the accept button - equally visible, on the same level, not hidden in text (DSK).
- Granular information: the user learns which services from which providers are used, for what purpose and how long the cookies are stored.
- Third-country notice: if data is transferred to countries outside the EU, this must be disclosed transparently.
- Withdraw at any time: a permanently accessible route - such as a footer link - lets the user change a decision later (Art. 7(3) GDPR).
- No coercion: colour tricks that hide the reject button, or an interface that effectively leaves only the path to consent, are not permitted.
Reject as easy as accept
These requirements can be implemented cleanly without cluttering the site. The key is that the banner genuinely waits for active consent before any consent-requiring service loads - and that it shows the same care on every device. On the phone in particular, banners quickly become too large or cover the content; how usability and banners get along on small screens is part of a well-considered mobile-first web design.
Common Mistakes That Get Warned or Fined
Where banners fail, the patterns are similar. The European Data Protection Board, through its Cookie Banner Taskforce - a group made up of the Board and 18 national supervisory authorities - published a catalogue of typical violations in January 2023 that still shapes the review benchmark today (EDPB). The most common mistakes are not grey areas but clearly named.
- No reject on the first layer: a banner shows only accept and pushes rejection into a submenu. The majority of authorities treat this as a violation (EDPB).
- Misleading colours and contrasts: the accept button glows while the reject button blends into the background - a design that steers the user instead of letting them choose freely (EDPB).
- Rejection hidden in body text: the way to continue without consenting is buried in a block of text and hard to find (EDPB).
- Miscategorised cookies: analytics or marketing cookies are declared necessary in order to bypass consent (EDPB).
- Pre-selected consent: boxes are already ticked - not permitted, even on the second layer of the settings (EDPB).
- Cookies before the decision: probably the most common technical error is that tracking loads before the user has even reacted (EDPB).
Consent that leaves no real choice is not consent. Anyone who makes rejection harder risks the entire consent being deemed invalid - and with it any data processing built upon it.
EinwV and Tougher Enforcement
One building block is meant to ease the banner flood in the long run: the Consent Management Ordinance (EinwV), in force since 1 April 2025 (EinwV). It rests on Section 26 TDDDG and creates the framework for central consent services - the idea that users store their cookie preferences centrally once instead of setting them on every website. The first such service was officially recognised on 17 October 2025 (BfDI). In practice this changes little for website operators for now: as long as barely any recognised services are available and there is no obligation to honour central consents, your own banner remains the decisive solution.
More important day to day is enforcement. Violations can take two routes: official market surveillance, which identifies defects, sets deadlines and can impose fines of up to 300,000 euros (Section 28 TDDDG), and the data protection layer of the GDPR. Failures in the principles of consent fall there into the highest fine category of up to 20 million euros or 4 percent of worldwide annual turnover (Art. 83 GDPR). For local businesses the real danger is rarely the maximum fine, but rather a competition-law warning letter from a competitor - annoying, but avoidable.
Warning-letter and fine risk
Ongoing Maintenance: Consent Is a Permanent Task
A compliant banner is not a one-off task you tick off. The reality of a website is in motion: a new tool is added, an embedded video is inserted, a service provider changes vendor - and suddenly the cookie list stored in the banner no longer matches what the site actually loads. The legal assessment also evolves, for instance when the authorities update their guidance (DSK). A banner that was correct two years ago may be incomplete today.
Keep the consent tool current
The consent tool in use is maintained and adapted to new requirements, so that reject button, layers and withdrawal continue to meet the rules.
Maintain cookie list and texts
New services are added to the cookie list, discontinued ones removed and the privacy policy updated accordingly - so that banner and reality match.
Watch the legal situation
When laws or the authorities' guidance change, the banner is adjusted in good time, rather than only reacting after a complaint.
This is exactly where ongoing website maintenance from Hildesheim comes in: it keeps the consent tool, cookie list and privacy texts current when tools or the legal situation change. This is deliberately different from technical protection against attacks - what protection from hackers and outages involves we described in the article on website maintenance and security. Cookie consent is about data protection alone: the right consent, documented and permanently maintained.
For local businesses a clean implementation pays off twice. A correct banner creates legal certainty, and consent that fairly offers rejection feels more trustworthy than an intrusive layout. Data protection thus joins the same care with which we build websites, make them visible in search and construct them to be accessible under the BFSG. Anyone already thinking about the build and cost of a new website, or weighing whether the budget is better spent on Google Ads or SEO, should plan correct consent in from the start - it is far easier to maintain in a cleanly built web presence than in a grown legacy structure.