DPDPA is now in force in India. Run a free privacy scan on your site. Scan now

🇩🇪 European Union

Cookie consent in Deutschland

Consent and privacy law in Deutschland

In short
Germany layers the GDPR with the federal BDSG and 16 separate state data protection laws, so the supervisory authority depends on where the controller is established. For cookies and similar technologies the TDDDG (formerly TTDSG) transposes the ePrivacy storage rule, meaning any access to or storage on a device that is not strictly necessary needs prior opt-in consent. German regulators reject pre-ticked boxes and treat continued browsing as invalid consent. They also scrutinise consent banners that make rejecting harder than accepting. Public bodies fall under the BfDI, while most private companies answer to the relevant state authority such as the Berlin or Bavarian DPA.
Authority
Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI)
Status

GDPR applies since 25 May 2018, with the federal BDSG and 16 state laws

Primary law
GDPR
Languages

de

Who must comply

Any organization that offers goods or services to people in the EU or monitors their behavior, wherever the organization is based.

Penalties

Up to 20 million euros or 4 percent of global annual turnover, whichever is higher

Key obligations

  • Obtain prior, opt-in consent before non-essential cookies
  • Make refusing as easy as accepting
  • Keep records that prove consent
  • Honor withdrawal at any time
  • Respect data subject rights (access, erasure, portability)

Local guidance

  • Map your establishment to the correct state DPA, as Germany has 16 state authorities plus the federal BfDI
  • Follow the TDDDG (formerly TTDSG) for cookies, which requires prior opt-in for all non-essential storage and access
  • Give Reject the same prominence as Accept on the first banner layer
  • Keep auditable consent logs, as German authorities frequently request proof of consent

How ConsentX helps

  • Prior-script blocking for true opt-in
  • Equal-weight Allow and Reject controls
  • Tamper-evident consent receipts and evidence
  • One-click withdrawal trigger
  • Built-in DSAR workflow with 30-day SLA
Get started free
yoursite.com
🇩🇪 Germany

We value your privacy

We ask for your consent before any non-essential cookie, with the rules that apply in your region.

Allow allReject non-essentialManage preferences

This page is a plain-English summary for general information and is not legal advice. Confirm your obligations with qualified local counsel.

How to comply with Germany using ConsentX

  1. 1

    Scan your website

    Run a free scan to find every cookie and tracker on your site, so you know exactly what needs consent under Germany.

  2. 2

    Show a geo-aware consent banner

    Add the ConsentX banner. It detects each visitor region and shows the consent experience that Germany requires, automatically.

  3. 3

    Block trackers until consent

    Keep non-essential cookies and trackers blocked until the visitor agrees, so nothing fires before consent.

  4. 4

    Record tamper-evident proof

    Every choice is stored as a tamper-evident consent receipt you can produce in a Germany audit.

  5. 5

    Handle data requests on time

    Use the built-in DSAR workflow with SLA timers to answer access, deletion and opt-out requests within the legal deadline.

Frequently asked questions

Do I need a cookie consent banner in Germany?+

Yes. Under the TDDDG any storage of or access to information on a user device that is not strictly necessary requires prior opt-in consent, so non-essential cookies and trackers must be blocked until the user agrees.

Which authority enforces data protection in Germany?+

Enforcement is split. The federal BfDI covers federal public bodies and telecoms, while each of the 16 states has its own DPA that supervises most private companies based in that state.

Are reject buttons required on German cookie banners?+

German regulators expect rejecting to be as easy as accepting. A banner that only offers Accept on the first layer while hiding the reject option is treated as failing to obtain valid consent.

Governing law

🇪🇺 GDPR

Other countries in European Union

🇫🇷 France🇪🇸 España🇮🇹 Italia🇳🇱 Nederland🇧🇪 België / Belgique🇵🇱 Polska🇵🇹 Portugal🇸🇪 Sverige🇦🇹 Österreich🇮🇪 Éire / Ireland🇩🇰 Danmark🇫🇮 Suomi