Zum Inhalt springen
Personal, from the Hildesheim region
Recht und Datenschutz

Cookie Banners 2026: Getting GDPR Right Online

What does Section 25 TDDDG require? When you need a cookie banner, how to build it GDPR-compliant and which mistakes get you fined - a practical guide.

13 min read DSGVOTDDDGCookie-ConsentWebsite-Recht

Cookie banners annoy many businesses - a nuisance for visitors, unclear for operators and a legal minefield. In 2026 the topic is back in focus: with the Telecommunications Digital Services Data Protection Act (TDDDG), Germany has a clear rule for when a website needs active consent - and the supervisory authorities are enforcing it more firmly (DSK). For small and medium-sized businesses in and around Hildesheim, this means a banner alone is not enough - it has to be built correctly. This article explains, factually, what Section 25 TDDDG requires, when you actually need a banner, what a compliant banner looks like in practice and which mistakes get you warned or fined. As a web agency from the Hildesheim region, we help local businesses handle data protection and cookie consent calmly and correctly - without panic, but with the seriousness it deserves.

Day-Care Website: fill vacant places fasterOccupancy plan for day care todayoccupiedfree - bookable now6 free places - visible on the website at onceFrom the website to a booking request1Relatives search onlinemostly mobile and evenings (Bitkom)2Website shows free placescurrent occupancy visible3Daily routine and transportclearly explained4Booking request submitteda visit becomes contact70.5%day-care occupancy, Oct. 2023 (pflegemarkt.com)86%of people in need of care live at home (Fed. Stat. Office)89.7%residential care occupancy, 2023 (Statista)Show free places | Explain the daily routine | Show transport | Build trust | Booking request

Why Cookie Banners Are Back in 2026

Since May 2024 the legal basis for cookies is no longer called TTDSG but the Telecommunications Digital Services Data Protection Act, TDDDG for short (TDDDG). In substance the core is unchanged: the central Section 25 governs when a website may store information on or read it from an end device. What is new is the tone of enforcement. Faulty banners were tolerated for a long time, but the supervisory authorities now check more consistently whether consent is really obtained freely and on an informed basis (DSK).

That this is no trifle is shown by recent proceedings abroad: France's supervisory authority CNIL imposed fines of 150 million euros and 325 million euros on two corporations in September 2025 because their cookie and consent design steered users towards accepting (CNIL). Such sums concern large enterprises - for the German mid-market the national ceiling is more relevant: breaches of Section 25 TDDDG can be punished with up to 300,000 euros (Section 28 TDDDG). On top of that comes the practical risk of competition-law warning letters from competitors.

Two Laws, Two Layers

Cookie consent touches two sets of rules at once. In Section 25 the TDDDG governs the purely technical act - storing or reading information on the end device, regardless of whether personal data is involved (TDDDG). If personal data is then processed, the General Data Protection Regulation applies as well, with its requirements for valid consent (GDPR). Both layers must be satisfied - one does not replace the other.

What Section 25 TDDDG Actually Requires

The rule is short and far-reaching at once: any storage of information on a user's end device and any access to already stored information is only permitted with prior consent based on clear and comprehensive information (Section 25 TDDDG). This applies not only to classic cookies but to any comparable technique - such as local storage, tracking pixels or device fingerprinting. What matters is the access to the device, not the label of the technology.

The core rule: ask first, set second

Non-essential cookies may only be set after the user has actively agreed - not before and not on suspicion. Mere prior information without consent is not enough, and neither are pre-ticked boxes: the Court of Justice of the European Union has already ruled that consent via an already-ticked box is invalid (CJEU, Planet49). The German Federal Court of Justice has confirmed this line for Germany and made active consent mandatory (BGH).

For consent to be valid it must meet the requirements of the GDPR: freely given, specific, informed and unambiguous (Art. 4(11) GDPR). And it must be as easy to withdraw as it was to give - the user must be able to change their decision at any time (Art. 7(3) GDPR). A banner that appears only once on the first visit and leaves no way back does not meet this requirement.

When You Actually Need a Banner

A common misconception is that every website needs a cookie banner. That is not true. The law clearly distinguishes between technically necessary cookies that make the site work in the first place and everything beyond that. Technically necessary storage is expressly exempt from the consent requirement (Section 25(2) TDDDG). Analytics and marketing techniques, by contrast, are almost never necessary in this narrow sense - they require consent.

Shopping cart and checkout

A cart that keeps your selection across pages, and the session cookies of a checkout or login flow, are technically necessary. Without them the core of the site does not work - so no banner is needed (Section 25(2) TDDDG).

Security and basic function

Cookies for load balancing, fraud protection or storing the selected language usually count as necessary. The cookie that remembers your cookie decision itself is also permitted without consent.

Reach and analytics tools

Tools that measure which pages are visited how often are not a necessary part of the offering. They process usage data for evaluation purposes and therefore require active consent.

Marketing, retargeting and embeds

Marketing and retargeting pixels, embedded maps or videos from external providers and A/B testing tools almost always set cookies or load third-party content. They fall under the consent requirement.

Purpose of the cookieConsent needed?Reasoning
Shopping cart and login sessionnot included Technically necessary for operation
Remembered language or cookie choicenot included Basic function, expressly exempt
Reach measurement and analyticsincluded Serves evaluation, not operation
Marketing and retargeting pixelsincluded Processing for advertising purposes
Embedded map or videoincluded Loads third-party content and sets cookies

How to check your needs

First get an overview of which cookies and external services your site actually loads. If only technically necessary cookies are used - for example on a pure information site with a contact form - you usually need no banner. But as soon as an analytics tool, a marketing pixel or an embedded map is added, proper consent becomes mandatory. If in doubt, we clarify your specific range of features together before any effort arises.

When a banner is needed, its design decides legal certainty. The Conference of Independent Data Protection Supervisory Authorities of the Federation and the States has published guidance for providers of digital services (as of November 2024) that sets the benchmark (DSK). Its core idea: the user must have a genuine, free choice - and rejecting must not be harder than accepting.

  • No pre-ticked boxes: all consent-requiring categories are off at the start. Consent arises only through an active action by the user.
  • Reject as easy as accept: on the first layer of the banner, an equivalent reject button sits next to the accept button - equally visible, on the same level, not hidden in text (DSK).
  • Granular information: the user learns which services from which providers are used, for what purpose and how long the cookies are stored.
  • Third-country notice: if data is transferred to countries outside the EU, this must be disclosed transparently.
  • Withdraw at any time: a permanently accessible route - such as a footer link - lets the user change a decision later (Art. 7(3) GDPR).
  • No coercion: colour tricks that hide the reject button, or an interface that effectively leaves only the path to consent, are not permitted.

Reject as easy as accept

Probably the single most important requirement: the authorities demand that rejection is offered as an equivalent alternative to acceptance. Equivalence here means not only the design but also the position - an identical-looking button is not enough if it is not on the same level and equally reachable as the accept button (DSK). A banner with only an accept button does not meet the requirements.

These requirements can be implemented cleanly without cluttering the site. The key is that the banner genuinely waits for active consent before any consent-requiring service loads - and that it shows the same care on every device. On the phone in particular, banners quickly become too large or cover the content; how usability and banners get along on small screens is part of a well-considered mobile-first web design.

Common Mistakes That Get Warned or Fined

Where banners fail, the patterns are similar. The European Data Protection Board, through its Cookie Banner Taskforce - a group made up of the Board and 18 national supervisory authorities - published a catalogue of typical violations in January 2023 that still shapes the review benchmark today (EDPB). The most common mistakes are not grey areas but clearly named.

  • No reject on the first layer: a banner shows only accept and pushes rejection into a submenu. The majority of authorities treat this as a violation (EDPB).
  • Misleading colours and contrasts: the accept button glows while the reject button blends into the background - a design that steers the user instead of letting them choose freely (EDPB).
  • Rejection hidden in body text: the way to continue without consenting is buried in a block of text and hard to find (EDPB).
  • Miscategorised cookies: analytics or marketing cookies are declared necessary in order to bypass consent (EDPB).
  • Pre-selected consent: boxes are already ticked - not permitted, even on the second layer of the settings (EDPB).
  • Cookies before the decision: probably the most common technical error is that tracking loads before the user has even reacted (EDPB).

Consent that leaves no real choice is not consent. Anyone who makes rejection harder risks the entire consent being deemed invalid - and with it any data processing built upon it.

The authorities' core principle on freely given consent

EinwV and Tougher Enforcement

One building block is meant to ease the banner flood in the long run: the Consent Management Ordinance (EinwV), in force since 1 April 2025 (EinwV). It rests on Section 26 TDDDG and creates the framework for central consent services - the idea that users store their cookie preferences centrally once instead of setting them on every website. The first such service was officially recognised on 17 October 2025 (BfDI). In practice this changes little for website operators for now: as long as barely any recognised services are available and there is no obligation to honour central consents, your own banner remains the decisive solution.

More important day to day is enforcement. Violations can take two routes: official market surveillance, which identifies defects, sets deadlines and can impose fines of up to 300,000 euros (Section 28 TDDDG), and the data protection layer of the GDPR. Failures in the principles of consent fall there into the highest fine category of up to 20 million euros or 4 percent of worldwide annual turnover (Art. 83 GDPR). For local businesses the real danger is rarely the maximum fine, but rather a competition-law warning letter from a competitor - annoying, but avoidable.

Warning-letter and fine risk

That authorities mean business on consent design is shown by the multi-million fines against large platforms (CNIL). For small and medium-sized businesses the likelihood of such proceedings is low - the real nuisance is warning letters and the legal uncertainty of a faulty banner. Both can be defused from the outset with a clean implementation. This article does not replace legal advice; the amounts named are statutory ceilings, not automatic sanctions.

A compliant banner is not a one-off task you tick off. The reality of a website is in motion: a new tool is added, an embedded video is inserted, a service provider changes vendor - and suddenly the cookie list stored in the banner no longer matches what the site actually loads. The legal assessment also evolves, for instance when the authorities update their guidance (DSK). A banner that was correct two years ago may be incomplete today.

Keep the consent tool current

The consent tool in use is maintained and adapted to new requirements, so that reject button, layers and withdrawal continue to meet the rules.

Maintain cookie list and texts

New services are added to the cookie list, discontinued ones removed and the privacy policy updated accordingly - so that banner and reality match.

Watch the legal situation

When laws or the authorities' guidance change, the banner is adjusted in good time, rather than only reacting after a complaint.

This is exactly where ongoing website maintenance from Hildesheim comes in: it keeps the consent tool, cookie list and privacy texts current when tools or the legal situation change. This is deliberately different from technical protection against attacks - what protection from hackers and outages involves we described in the article on website maintenance and security. Cookie consent is about data protection alone: the right consent, documented and permanently maintained.

For local businesses a clean implementation pays off twice. A correct banner creates legal certainty, and consent that fairly offers rejection feels more trustworthy than an intrusive layout. Data protection thus joins the same care with which we build websites, make them visible in search and construct them to be accessible under the BFSG. Anyone already thinking about the build and cost of a new website, or weighing whether the budget is better spent on Google Ads or SEO, should plan correct consent in from the start - it is far easier to maintain in a cleanly built web presence than in a grown legacy structure.

This article is based on data from: the Telecommunications Digital Services Data Protection Act (TDDDG, in particular Sections 25, 26 and 28) on the consent requirement, necessary cookies and the fine framework, the General Data Protection Regulation (GDPR, Art. 4(11), Art. 7 and Art. 83) on valid consent and sanctions, the Conference of Independent Data Protection Supervisory Authorities of the Federation and the States (DSK) with its guidance for providers of digital services, the Consent Management Ordinance (EinwV) and the Federal Commissioner for Data Protection and Freedom of Information (BfDI) on central consent management, the European Data Protection Board (EDPB) with the report of the Cookie Banner Taskforce, the Court of Justice of the European Union (CJEU, Planet49) and the German Federal Court of Justice (BGH) on active consent, and the Commission nationale de l'informatique et des libertes (CNIL) on recent fines. This article does not replace legal advice; the amounts named are statutory ceilings and not automatic sanctions.