Cookies under German data protection law

The Data Protection Conference of the German supervisory authorities has published an orientation guide for telemedia providers (in German)

Accordingly, the supervisory authorities do not consider the provisions of the German Telemedia Act (Section 4; §§ 11 et seq. TMG) to be applicable, as the provisions of the Telemedia Act do not implement the ePrivacy Directive 2002/58/.

For this reason, the lawfulness of processing is governed by the provisions of the GDPR.

In summary, the following rules apply:

  1.  The informed consent of the user is required before cookies are set. The conditions of consent are set out in Art. 4 No. 11 and Art. 7 DSGVO. Consent must be given explicitly, i.e. not simply by an already set “OK” in the content banner.
  2. Website operators must inform users in a clear, precise and easily understood language that cookies are set on the website, e.g. by a banner or active textboxes. The information must be given before the cookies are placed. 
  3. The information must also contain details of the purpose of storing of, or access to, information in the end-user’s terminal equipment. It is not enough merely to advise that this is done. Therefore, stating that “we use cookies to improve your experience on the website” without further clarification is not considered to be compliant with the rules. 
  4. The information must further contain detail about who is setting cookies. Where third parties set, store or gain access to information in a user’s terminal equipment via the provider’s service, exact identificationindication of the third parties must be given. 
  5. Website users must be able to withdraw a consent already given. At the moment it seems to be sufficient to simply inform users about this right in the privacy policy. 


If the use of cookies and the storage of data on the user’s terminal equipment is a technical prerequisite for the provision of a service expressly requested by the user, such cookies are generally excluded from the rules, as their processing may be based on a legitimate interest in accordance with Art. 6 para. 1 lit. f) GDPR.

Such exceptions are shown in the following examples of this are: provision of Internet access, booking systems, web forms, and electronic shopping carts.

Contact us!

Secure the knowledge of our experts!

Subscribe to our free newsletter: