Suche
Mein Konto
Cookies in sight: data protection authorities threaten high penalties!
Find out how the TDDDG regulates the handling of cookies in Germany and what effects this has on data protection.
Cookies in sight: data protection authorities threaten high penalties!
On March 9, 2025, a current article on the website sheds light on the Friedrich Alexander University Erlangen-Nuremberg the complex legal framework surrounding cookies and their legal classification as personal data. The focus is on the question of what significance the General Data Protection Regulation (GDPR) and the Telemedia and Data Protection Act (TTDSG) have for the storage and processing of these small data stores.
To put it simply, cookies are small text files that store information about users and their interactions with websites. The classification of cookies as personal data has been undisputed since the groundbreaking Planet49 ruling by the Federal Court of Justice (BGH) in 2020. In this ruling, the court noted that cookies often contain personal data, which requires the express consent of users for their use. This means that website operators are only allowed to store or access cookies with the consent of the user, but technically necessary cookies are excluded.
The TTDSG in the context of the GDPR
The TTDSG came into force on December 1, 2021 and supplemented the GDPR by establishing specific regulations for access to data on end devices. It implements the ePrivacy Directive, which was previously only inadequately translated into German law. While the EU prescribes an opt-in principle, before the TTDSG came into force in Germany an opt-out principle applied, which brought with it considerable legal uncertainty for website operators.
With the TTDSG, website operators must ensure that cookies that are not technically necessary are only used with the clear and informed consent of the user. This consent must be obtained through a cookie banner that provides users with all the necessary information, an opt-in function and the opportunity to object. Techniques such as “nudging” and “dark patterns” that force users to consent are not permitted.
Legal consequences and enforcement
Enforcement of the new regulations is the responsibility of the state data protection authorities, which can impose severe fines for violations - up to 300,000 euros. Initial judgments in this area have already shown that illegal cookie banners can lead to sanctions. The federal legal framework for cookies remains critical as there are still uncertainties regarding its practical application.
In summary, in the flood of digital data streams, cookies should not only be viewed as technical elements, but also as personal data that is legally protected. The development of the legal framework in Germany closely follows the requirements of European data protection regulations. Current debates and supervisory measures show that protecting privacy in the digital space is essential and will be pursued vigorously.