Whoever uses web tracking in 2026 will be working at the interface of two sets of regulations that are constantly confused: the TDDDG (the law you knew as TTDSG until May 2024) and the GDPR. The first determines whether you are allowed to store or read anything at all on your visitors' end devices. The other determines what you are allowed to do with the data afterwards. This is exactly where the expensive mistakes occur: an incorrectly constructed cookie banner can be penalised with up to 300,000 euros in accordance with Section 28 TDDDG, and on the GDPR side, the range of fines is even higher.
This article shows what legally compliant tracking actually requires: when you need consent in accordance with Section 25 TDDDG, what a banner that stands up to scrutiny must look like, and how Google Consent Mode v2, the "pure subscription" model and the new consent services (PIMS) are to be classified. This is about the tracking part, not the entire GDPR documentation. And it is a technical orientation, not legal advice in individual cases.
TTDSG, TDDDG, GDPR: who regulates what?
First the question of names, because it confuses many people. The TTDSG (Telecommunications Telemedia Data Protection Act) was renamed TDDDG on 14 May 2024, which stands for Telecommunications Digital Services Data Protection Act. This was done as part of the new Digital Services Act (DDG), which transposes the EU Digital Services Act into German law. Nothing has changed in terms of content: The decisive provision for cookies is still called § 25, only now § 25 TDDDG. If you still have "TTDSG" in your head, you mean the right law under the old name.
More important than the name is the division of labour. Section 25 TDDDG regulates access to the end device: as soon as you store information on a user's device (e.g. set a cookie) or read out information stored there, this provision applies, regardless of whether personal data is involved. The GDPR only applies afterwards, to the processing of the data obtained in this way. An example makes the separation tangible: the setting of an analytics cookie falls under the TDDDG. The subsequent analysis of the resulting user profile falls under the GDPR. You need both sides clean, and both have their own range of fines. Violations of Section 25 TDDDG cost up to 300,000 euros according to Section 28 TDDDG; on the GDPR side, Art. 83 goes up to 20 million euros or 4 per cent of annual global turnover. Both can affect the same process at the same time.
§ 25 TDDDG: when you need consent and when you don't
The principle of § 25 para. 1 TDDDG is strict: every storage or reading process on the end device requires consent. The exceptions in paragraph 2 are narrow. Access is only exempt from consent if it serves the sole purpose of transmitting a message or is "absolutely necessary" for a service expressly requested by the user to function at all.
A central, often overlooked point: Section 25 TDDDG does not recognise any legitimate interest as a legal basis. In contrast to pure data processing in accordance with Art. 6 GDPR, you cannot rely on a balancing of interests to access the end device. Either the exception applies or you need consent. This also includes pure reach measurement. The exception for statistics cookies that was temporarily planned in the ePrivacy draft never became law.
Consent-free vs. consent-based - an orientation:
| Consent-free (technically necessary) | Consent required (opt-in necessary) |
|---|---|
| Session cookie, Login status | Google Analytics, any reach measurement |
| Cart in the online shop | Marketing and retargeting pixel (e.g. Meta, Google Ads) |
| Load balancing, security token | Google Tag Manager, if it loads tracking |
| Saving the consent decision itself | Browser fingerprinting, Device IDs |
| Language setting actively chosen by the user | A/B testing and personalisation tools |
In case of doubt: Anything that is not absolutely necessary for the expressly requested service is subject to consent. The Hanover Administrative Court shows how far this goes. In its judgement of 19 March 2025 (case no. 10 A 5385/22), it confirmed that the use of Google Tag Manager alone requires prior consent because the retrieval of the gtm.js script already accesses the end device and transfers data to Google. The Tag Manager is not data protection-neutral.
What constitutes effective consent
The standards have been clarified by the highest courts. In 2019, the ECJ ruled in the Planet49 case (C-673/17) that a pre-ticked box does not constitute effective consent. The Federal Court of Justice adopted this for Germany on 28 May 2020 ("Cookie Consent II" ruling, I ZR 7/16). Since then, the rule has been unequivocal: an active opt-in is required. "Continue surfing is deemed to be consent" is not permitted, nor are pre-set checkmarks.
Consent is only valid if it fulfils four characteristics, each of which has a typical counterexample. It must be informed: Anyone who asks for consent across the board "for a better experience" without specifying tools and purposes has missed the mark. It must be voluntary: A banner that blocks the page until you accept is coercive. It must be granular: A single "Accept all" button without a separate choice by purpose is not a real yes. And it must be as easily revocable as it was given: If accepting is a click, but cancelling is an email to support, the relationship is not right. The German Data Protection Conference (DSK) specifies these requirements in its guidance for providers of digital services, the successor to the former "OH Telemedien".
Configuring the cookie banner correctly
These requirements result in manageable, concrete levers. The most important concerns the first level of the banner: a "Reject" button must be placed on an equal footing with "Accept", with the same click distance and the same visual weighting. The classic pattern that falls down in court is the large green "Accept all" button next to a pale, lower-case "Settings" link. This is considered a dark pattern and makes consent vulnerable. The Hanover Administrative Court also expressly required an equivalent "Reject all" option in the aforementioned judgement.
The technical behaviour behind this is just as crucial. Tracking scripts may only be loaded after consent has been given. If you start Google Analytics, the Meta pixel or the Tag Manager when the page is accessed and only show the banner afterwards, the data has already been collected. Consent then comes too late. In addition, there are granular switches according to purpose, a revocation that is just as easily accessible as the granting of consent (for example via a permanent "cookie settings" link in the footer), and the documentation of each consent as proof of accountability. This last point is often forgotten and is the one that counts in the event of a dispute. If you want to merge tracking and compliance properly, it is best to plan this as part of the technical security and compliance concept and not as an afterthought.
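The loading order described above can be enforced in one place. The following is an added example, not code from the original article: a purpose-based consent gate in which the tag registry, the function names and the example.* URLs are hypothetical, and the script loader is injected so the logic can be checked outside a browser.

```javascript
// Added example. TAGS, createConsentGate and the example.* URLs are hypothetical.
const TAGS = [ // constructed registry: one entry per third-party script and its purpose
  { id: "analytics-tag", purpose: "analytics", src: "https://analytics.example/tag.js" },
  { id: "ads-pixel", purpose: "marketing", src: "https://ads.example/pixel.js" },
];

function createConsentGate(tags, loadScript, now = () => new Date().toISOString()) {
  const purposes = new Set(tags.map((t) => t.purpose));
  const granted = new Set(); // empty until the user actively opts in
  const loaded = new Set();  // tag ids already requested in this page view
  const records = [];        // append-only consent log for accountability

  function record(bannerVersion) {
    records.push({ at: now(), bannerVersion, granted: [...granted].sort() });
  }

  return {
    // choices come from the banner's per-purpose switches, e.g. { analytics: true }
    decide(choices, bannerVersion) {
      granted.clear();
      for (const purpose of purposes) {
        // only an explicit boolean true is an opt-in; missing keys, 1 or "yes" are not
        if (choices[purpose] === true) granted.add(purpose);
      }
      record(bannerVersion);
      for (const tag of tags) {
        if (granted.has(tag.purpose) && !loaded.has(tag.id)) {
          loaded.add(tag.id);
          loadScript(tag.src); // the only place a tracking script is requested
        }
      }
    },
    // withdrawal is a single call, like granting; returns true when scripts that
    // already ran in this page view have to be dropped by reloading the page
    withdraw(bannerVersion) {
      granted.clear();
      record(bannerVersion);
      return loaded.size > 0;
    },
    loadedTags: () => [...loaded],
    records: () => records.map((r) => ({ ...r, granted: [...r.granted] })),
  };
}

// In a browser, the injected loader would append a <script> element:
// const gate = createConsentGate(TAGS, (src) => {
//   const s = document.createElement("script"); s.src = src; s.async = true;
//   document.head.appendChild(s);
// });
```

Because no tag is listed in the page markup, a page view without a decision requests nothing, and every decision or withdrawal leaves a timestamped record tied to the banner version shown.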
Google Consent Mode v2: technology, not a free pass
Since 6 March 2024, Google Consent Mode v2 has been a de facto requirement for using Google Ads and Google Analytics in the EEA with full functionality. This was triggered by the Digital Markets Act, not the TDDDG. It is important to classify it correctly: Consent Mode is a signalling layer between your consent tool (CMP) and Google. It does not replace consent and is not itself a legal basis.
The distinction between the two variants is of practical relevance. In Basic Mode, Google tags are only loaded and fired after the user has given their consent. Nothing happens without consent. In Advanced Mode, the tag loads as soon as the page is accessed and sends anonymised, cookie-free pings to Google even without consent. Basic mode is the less risky choice in terms of data protection, as no access to the end device takes place without consent. Advanced mode provides more modelled conversion data, but is legally trickier and should be checked under data protection law before use.
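What the signalling layer looks like in Basic Mode, as an added example that is not part of the original article: CMP purposes are mapped to the four Consent Mode v2 signals, the all-denied default is queued first, and the Google tag is only fetched once a purpose has been granted. The purpose names, `PURPOSE_TO_SIGNALS`, `createBasicConsentMode` and the injected `loadGoogleTag` callback are assumptions; the signal names and the `gtag('consent', ...)` commands are those of Consent Mode v2.

```javascript
// Added example. The purpose names and function names are assumptions for illustration.
const PURPOSE_TO_SIGNALS = {
  analytics: ["analytics_storage"],
  marketing: ["ad_storage", "ad_user_data", "ad_personalization"],
};

// Translate per-purpose CMP choices into Consent Mode v2 signal states.
function toSignals(choices) {
  const signals = {};
  for (const [purpose, names] of Object.entries(PURPOSE_TO_SIGNALS)) {
    // anything other than an explicit true stays "denied"
    const state = choices[purpose] === true ? "granted" : "denied";
    for (const name of names) signals[name] = state;
  }
  return signals;
}

function createBasicConsentMode(dataLayer, loadGoogleTag) {
  let tagLoaded = false;
  // same shape as the usual gtag() stub: queue the arguments object on the dataLayer
  function gtag() { dataLayer.push(arguments); }

  // the default is queued before anything else and denies all four signals
  gtag("consent", "default", toSignals({}));

  return {
    onCmpDecision(choices) {
      const signals = toSignals(choices);
      gtag("consent", "update", signals);
      // Basic Mode: the Google tag is not fetched until at least one signal is granted,
      // so a visitor who rejects everything causes no request to Google at all
      if (Object.values(signals).includes("granted") && !tagLoaded) {
        tagLoaded = true;
        loadGoogleTag();
      }
      return signals;
    },
    tagLoaded: () => tagLoaded,
  };
}
```

In Advanced Mode the tag would be loaded immediately after the default command instead of inside `onCmpDecision`, which is exactly the difference the paragraph above describes.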
Pure subscription and "Consent or Pay": possible, but subject to conditions
Many media offerings have introduced the "pay or okay" model (pure subscription, "Pur-Abo") in recent years. The legal situation is nuanced. In its Opinion 08/2024, the European Data Protection Board (EDPB) stated that for large platforms, a mere binary choice between payment and consent does not generally result in free consent. The German supervisory authorities do not reject pure models across the board, but do tie their admissibility to clear conditions, first and foremost that users can consent to or reject individual processing purposes on a granular basis.
A decision by the Austrian Federal Administrative Court on 13 August 2025 shows just how strict this standard is: it declared the specific banner of the newspaper Der Standard inadmissible because the blanket consent did not allow for a granular choice between advertising, profiling and analysis. In practice, this means that a pure model may be permissible, but it is not a licence. It requires an appropriate fee as a genuine alternative and granular consent. A single yes/no hurdle is not enough.
EinwV and PIMS: the end of cookie banners?
The Consent Management Ordinance (EinwV) came into force on 1 April 2025. It is based on Section 26 TDDDG and aims to relieve users of the flood of banners. The idea: recognised consent management services (PIMS) manage cookie preferences centrally, for example via a browser plugin, so that not every website has to ask individually.
In practice, this is still in its infancy. The first recognised service "Consenter", developed by Berlin-based Law & Innovation Technology GmbH, was recognised by the BfDI on 17 October 2025 and entered in the public register; the associated browser plugin has been available since the end of 2025. Until mid-2026, the actual distribution is low and use is voluntary for website operators and users. The sober categorisation: PIMS is a topic to watch, but no reason to do without a clean banner today.
Legally compliant tracking: the short checklist
The most important points can be summarised for implementation:
- Load tracking scripts only after consent, no pre-start on page view.
- "Reject" is equivalent to "Accept" at the first banner level.
- Consent granular by purpose, no blanket collective yes.
- Withdrawal as easy as granting (permanent footer link).
- Document each consent as proof of accountability.
- Correctly connect Google Consent Mode v2, in case of doubt Basic Mode.
- Pure model only with appropriate fee and granular choice.
Legally compliant tracking does not require special technology, but it does not tolerate shortcuts. The sequence of first consent, then data collection must be technically and organisationally correct, and this is precisely the pattern behind all three current special topics: Consent Mode v2 is not a free pass, the pure subscription is not a carte blanche, and PIMS does not yet abolish the banner. If you are waiting for the cookie banner to be abolished, you are still waiting. Until then, it's better to build the banner correctly, preferably together with the marketing and analytics side, so that "legally clean" and "still provides usable data" don't fall apart. The legally compliant evaluation of your specific setup ultimately belongs in the hands of data protection and legal experts.