Cookie Banner 2026: Implementing Section 25 TDDDG + Art. 6 GDPR correctly

Practitioner note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information, please consult a licensed attorney.

TL;DR

  • Section 25 TDDDG (formerly TTDSG, Telecommunications Telemedia Data Protection Act) governs storing/reading on end devices — stricter than the GDPR
  • Art. 6 GDPR governs the subsequent data processing — both apply in parallel
  • Equal-Choice principle: "Accept" and "Reject" must be equally prominent
  • Pre-activation is prohibited (CJEU Planet49, C-673/17)
  • Fine range: EUR 5,000-1,300,000 (DSK 2024)

1. Section 25 TDDDG vs. Art. 6 GDPR — what applies when?

Since 14 May 2024 the statute is no longer called TTDSG but TDDDG (German Telecommunications Digital Services Data Protection Act). The substantive content of Section 25 is unchanged.

Two-step test:

  1. Step 1 — Section 25 TDDDG: Am I allowed to store/read anything at all on the user's end device?
  2. Step 2 — Art. 6 GDPR: If yes, may I subsequently process the data?

Both steps must have separate legal bases. Section 25 only allows two routes: technical necessity or consent. Legitimate interest (Art. 6(1)(f)) is NOT sufficient for Section 25.

2. CJEU + BGH: what has been decided

Short answer: Five landmark rulings shape banner practice: CJEU C-673/17 Planet49 (pre-activated checkbox invalid), BGH I ZR 7/16 Cookie-II (opt-in mandatorily transposed into German law), CJEU C-252/21 Meta-Bundeskartellamt (personalised advertising not "contract-necessary"), OVG Lüneburg 14 LA 1/24 (visually highlighted "Accept" button qualifies as a dark pattern) and CJEU C-446/21 Schrems-Werbung (targeting restrictions for sensitive data).

| Ruling | Statement | Practice |
|---|---|---|
| CJEU C-673/17 Planet49 (2019) | Pre-activated checkbox = no consent | Default-off obligation |
| BGH I ZR 7/16 Cookie-II (2020) | Transposition of CJEU ruling into German law | Opt-in mandatory |
| CJEU C-252/21 Meta-Bundeskartellamt (2023) | "Necessary for contract performance" to be interpreted narrowly | Personalised advertising is NOT contract-necessary |
| OVG Lüneburg 14 LA 1/24 (2025) | "Accept" button visually highlighted = dark pattern | Equal Choice |
| CJEU C-446/21 Schrems-Werbung (2024) | Sensitive data must not be inferred from advertising profiles | Restrictions on targeting |

3. 7 banner obligations for 2026

Short answer: A legally compliant cookie banner must fulfil seven obligations in 2026: display the banner before any non-essential tag, equal choice (Accept/Reject equally sized and prominent), granular category selection, transparent display of purpose/provider/third-country transfer/storage duration per cookie, withdrawal as easy as consent (Art. 7(3) GDPR), consent logging for 3 years and re-consent after 6-12 months or upon tag change.

  1. Display the banner before any non-essential tag — do not load a "walking cookie"
  2. Equal Choice: Accept/Reject equally sized, equally coloured, equally contrasted
  3. Granular: Categories (statistics / marketing / external media) individually selectable
  4. Transparency: Purpose, provider, third-country transfer, storage duration visible per cookie
  5. Withdrawal as easy as consent (Art. 7(3) GDPR) — re-open link in the footer is mandatory
  6. Consent logging: who/when/which status — retain for 3 years (burden of proof)
  7. Re-consent after 6-12 months or upon tag change
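
A sketch of how obligations 1, 3, 5, 6 and 7 can be enforced in one consent-state module. This is an added example, not code from any of the tools named in this article; the category names, the record layout, the `tagVersion` identifier and all function names are assumptions.

```javascript
// Added example: category names and the record layout are assumptions, not a CMP's API.
const CATEGORIES = ["statistics", "marketing", "externalMedia"];
const DAY_MS = 24 * 60 * 60 * 1000;
const RECONSENT_AFTER_MS = 365 * DAY_MS;   // upper end of the 6-12 month window
const LOG_RETENTION_MS = 3 * 365 * DAY_MS; // 3-year retention for proof

// Obligation 3 and Planet49: every non-essential category starts switched off.
function defaultChoices() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, false]));
}

// Obligation 6: log who / when / which status, plus the tag set the banner described.
// Only an explicit `true` counts as consent; unknown keys are ignored.
function recordConsent(log, subjectId, choices, tagVersion, now) {
  const clean = Object.fromEntries(CATEGORIES.map((c) => [c, choices[c] === true]));
  const entry = Object.freeze({ subjectId, at: now, tagVersion, choices: clean });
  log.push(entry);
  return entry;
}

// Obligation 5: withdrawal is a single call that logs an all-off state.
function withdraw(log, subjectId, tagVersion, now) {
  return recordConsent(log, subjectId, defaultChoices(), tagVersion, now);
}

// Obligation 7: ask again if there is no record, it is too old, or the tag set changed.
function needsReconsent(entry, currentTagVersion, now) {
  if (!entry) return true;
  return now - entry.at >= RECONSENT_AFTER_MS || entry.tagVersion !== currentTagVersion;
}

// Obligation 1: a non-essential tag loads only under a current record granting its category.
function mayLoad(entry, category, currentTagVersion, now) {
  if (category === "essential") return true;
  return !needsReconsent(entry, currentTagVersion, now) && entry.choices[category] === true;
}

// Keep entries for the retention period; deleting them afterwards is this example's assumption.
function pruneLog(log, now) {
  return log.filter((e) => now - e.at < LOG_RETENTION_MS);
}
```

Passing `now` explicitly keeps the expiry and retention logic testable without waiting a year; in a browser it would be `Date.now()`.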

4. Dark patterns that get expensive

Short answer: Supervisory authorities and courts sanction five typical dark patterns: a colourful "OK" button paired with a grey "More options" link (VG Berlin 2024), cookie walls without a pay alternative (EDPB opinion 08/2024), hidden reject behind multiple clicks (DSK fines up to EUR 50,000), "legitimate interest" as a tracking legal basis (Section 25 TDDDG requires consent) and scrolling treated as acceptance (no active action, invalid).

5. Tools comparison (DACH market)

Short answer: Five banner tools dominate the DACH market: Borlabs Cookie (from EUR 39/year, WordPress, self-hosting in Germany), Cookiebot (from EUR 14/month, EU servers, TCF 2.2), Usercentrics (from EUR 39, enterprise/multi-brand, TCF 2.2), Iubenda (from EUR 9, small businesses and sole traders) and Real Cookie Banner (from EUR 49/year, WordPress with DACH focus, self-hosting in Germany).

| Tool | Price (per month unless noted) | GDPR servers | TCF 2.2 | Recommendation |
|---|---|---|---|---|
| Borlabs Cookie | from EUR 39/year | DE (self-hosting) | no | WordPress, small sites |
| Cookiebot (Cybot) | from EUR 14 | DK (EU) | yes | Mid-sized companies with GDPR audit needs |
| Usercentrics | from EUR 39 | DE | yes | Enterprise / multi-brand |
| Iubenda | from EUR 9 | IT | no | Small businesses and sole traders |
| Real Cookie Banner | from EUR 49/year | DE (self-hosting) | no | WordPress + DACH focus |

6. 12-point banner audit

Short answer: A complete banner audit reviews twelve points: Does the banner appear before any marketing tag, is "Reject" as prominent as "Accept", are at least three granular categories selectable, are provider/purpose/storage duration visible per cookie, is third-country transfer (US, UK) explicitly disclosed, is there a re-open link in the footer, is consent stored in the CMP for 3 years, does re-consent run after 12 months, does equal choice work on mobile, is the tag manager default set to denied, is Google Consent Mode v2 implemented, and is the privacy policy linked?

  1. Does the banner appear BEFORE any marketing tag?
  2. Is "Reject" as prominent as "Accept"?
  3. Are granular categories (at least 3) selectable?
  4. Per cookie: are provider, purpose, storage duration visible?
  5. Is third-country transfer (US, UK) explicitly disclosed?
  6. Re-open link in the footer ("Cookie settings")?
  7. Consent stored in the CMP (3 years)?
  8. Re-consent logic after 12 months?
  9. Banner testable on mobile (Equal Choice in portrait)?
  10. Tag manager integration: default = denied?
  11. Google Consent Mode v2 implemented?
  12. Privacy policy linked and visible?
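
Audit points 1, 10 and 11 can be checked mechanically against an ordered record of what a page did while loading. The checker below is an added example, not part of any audit tool mentioned here; the trace format, the tag names and the category-to-signal mapping are assumptions, and both traces are constructed. The four signal names are those of Google Consent Mode v2.

```javascript
// Added example: the trace format and tag names are assumptions (constructed events).
const V2_SIGNALS = ["ad_storage", "ad_user_data", "ad_personalization", "analytics_storage"];
// Assumed mapping from a tag's category to the signal it depends on.
const REQUIRED_SIGNAL = { marketing: "ad_storage", statistics: "analytics_storage" };

function auditTrace(events) {
  const findings = [];
  let state = null; // consent state so far; null until a default or update is seen
  for (const ev of events) { // event types other than "consent" and "tag" are ignored
    if (ev.type === "consent" && ev.action === "default") {
      const missing = V2_SIGNALS.filter((s) => !(s in ev.state));
      if (missing.length) findings.push(`check 11: default lacks ${missing.join(", ")}`);
      const granted = V2_SIGNALS.filter((s) => ev.state[s] === "granted");
      if (granted.length) findings.push(`check 10: default grants ${granted.join(", ")}`);
      state = { ...ev.state };
    } else if (ev.type === "consent" && ev.action === "update") {
      state = { ...(state || {}), ...ev.state };
    } else if (ev.type === "tag" && ev.category !== "essential") {
      const signal = REQUIRED_SIGNAL[ev.category];
      const ok = state !== null && signal !== undefined && state[signal] === "granted";
      if (!ok) findings.push(`check 1: ${ev.name} fired without ${signal || "a mapped signal"}`);
    }
  }
  if (!events.some((e) => e.type === "consent" && e.action === "default"))
    findings.push("check 11: no consent default was set");
  return findings;
}

const ALL_DENIED = Object.fromEntries(V2_SIGNALS.map((s) => [s, "denied"]));
const GOOD_TRACE = [ // constructed: default denied, statistics tag only after opt-in
  { type: "consent", action: "default", state: ALL_DENIED },
  { type: "tag", category: "essential", name: "session-cookie" },
  { type: "banner_shown" },
  { type: "consent", action: "update", state: { analytics_storage: "granted" } },
  { type: "tag", category: "statistics", name: "analytics-tag" },
];
const BAD_TRACE = [ // constructed: tag fires first, default is incomplete and pre-granted
  { type: "tag", category: "marketing", name: "ads-pixel" },
  { type: "consent", action: "default", state: { ad_storage: "granted", analytics_storage: "denied" } },
  { type: "banner_shown" },
];
```

`auditTrace(GOOD_TRACE)` returns an empty list, while `auditTrace(BAD_TRACE)` returns one finding each for checks 1, 11 and 10.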
