Germany TTDSG Cookie Consent: The 2026 Publisher and Advertiser Guide to the Telecommunications and Telemedia Data Protection Act
Germany is the largest advertising market in continental Europe, and it is also one of the strictest when it comes to cookies. Since December 2021, German law has layered a dedicated cookie consent regime — the Telekommunikation-Telemedien-Datenschutz-Gesetz (TTDSG) — on top of the GDPR. In 2024 the law was renamed TDDDG (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz) to align with the EU Digital Services Act, but the substance and its practical obligations have not changed. If you run digital advertising, analytics, or any third-party tracking into the German market in 2026, you are subject to TTDSG/TDDDG in addition to GDPR, and the German DPAs are far from shy about enforcement. This guide explains what the law covers, how it differs from GDPR alone, and what your CMP and ad stack need to do to stay compliant in Germany.
What the TTDSG and TDDDG Actually Regulate
TTDSG transposes the EU ePrivacy Directive into German law with unusual precision. Where GDPR regulates the processing of personal data, TTDSG regulates any storage of information in, or access to information already stored on, a user's terminal equipment — regardless of whether that information is personal data. In plain terms: every cookie, every pixel, every local storage write, every fingerprinting script is in scope, even if it collects zero personal data.
Section 25 — The Core Consent Rule
The pivotal provision is Section 25 of TTDSG (now Section 25 TDDDG). It prohibits storing or accessing any information on a user's terminal equipment unless one of two conditions is met:
- The user has given informed, voluntary, specific, and active consent after being informed in a clear and comprehensive way, or
- The storage or access is strictly necessary for providing a telemedia service the user has expressly requested.
There is no legitimate interest basis. There is no soft opt-in. The German interpretation of strictly necessary is narrower than many other European jurisdictions — it covers session cookies, load balancing, and payment processing, but not analytics, not advertising, and not most personalization.
Interaction with GDPR
TTDSG does not replace GDPR. It sits on top of it. Even if you clear the TTDSG hurdle for the act of setting a cookie, you still need a GDPR lawful basis for any personal data processing that follows. A clean German compliance posture requires passing both gates. A common mistake is to collect consent under GDPR's Article 6(1)(a) and assume that covers TTDSG as well — it does, provided the consent also meets the TTDSG specificity requirements, which are stricter than GDPR's in several respects.
How Germany Differs from the Rest of the EU
Regulators across the EU interpret ePrivacy in slightly different ways. Germany is at the strict end of the spectrum on several counts.
Explicit Consent Required for Analytics
German DPAs have consistently held that Google Analytics, Matomo (cloud), Adobe Analytics, Mixpanel, and similar tools require opt-in consent. Self-hosted, anonymized analytics with short retention can sometimes qualify as strictly necessary, but the bar is high and varies by DPA. Bavaria, Baden-Württemberg, Berlin, and Hamburg each publish detailed technical guidance, and they are not identical.
Schrems II and US Transfers
German DPAs have been among the most aggressive in Europe on Schrems II transfer issues. Running a US-hosted tracker — even with a Data Privacy Framework certification — attracts scrutiny if the tracking is pervasive or involves special category data. The Datenschutzkonferenz (DSK), the joint body of German federal and state DPAs, has issued repeated guidance that telemetry sent to US processors without a valid transfer mechanism violates both GDPR and TTDSG simultaneously.
Dark Patterns Explicitly Prohibited
Several German DPAs have issued enforcement guidance that confirmation shaming, preselected checkboxes, unequal button prominence, and forced-disclosure patterns are incompatible with valid TTDSG consent. A banner where "Accept all" is visually dominant and "Reject all" is buried behind a second click will fail a German audit in 2026.
Practical CMP Requirements for the German Market
To satisfy TTDSG/TDDDG in a production environment, your consent management platform and tag manager need to enforce several specific behaviors.
Equal Prominence for Accept and Reject
The first-layer banner must show a Reject All button with visual parity to Accept All. Color, size, position, and interaction cost must be balanced. Many CMPs ship a default template that does not meet this bar in their German locale.
Per-Vendor Granularity
German regulators expect users to be able to consent on a per-vendor or per-purpose basis, not just a single global toggle. IAB TCF v2.2 meets this expectation, but only if your vendor list is current and the purposes are plainly explained.
Blocking Before Consent
No third-party script may load, no cookie may be written, and no pixel may fire before affirmative consent is recorded. This applies to Google Analytics, Meta Pixel, LinkedIn Insight Tag, Hotjar, Criteo, TikTok, and every ad server. The use of tag management consent-aware modes — such as Google Tag Manager's consent initialization — is the expected pattern.
Withdrawable with One Click
German DPAs require that withdrawing consent is as easy as granting it. A persistent, visible mechanism — a floating re-open button, a footer link, or an equivalent UI affordance — must be available on every page of the site.
Consent Records and Audit Trail
TTDSG inherits GDPR Article 7(1): the controller must be able to demonstrate that consent was given. Retain records of when, how, and for what purposes consent was granted, ideally for at least 36 months given German civil statute of limitations. Most Google-certified CMPs handle this by default.
Mobile Apps and SDK Tracking
TTDSG applies to mobile apps with equal force. The identifier-for-advertising on Android, the idfa on iOS, any SDK-level fingerprinting, and any cross-app cookie behavior are all subject to the consent rule.
Android and iOS Parity
In practice, publishers who rely on the iOS App Tracking Transparency prompt cannot assume it satisfies TTDSG — Apple's prompt is a platform-level control and not a valid TTDSG consent in itself. You need an in-app CMP layer that collects TTDSG-compliant consent before any non-strictly-necessary SDK initializes.
In-App Consent Strings
For mobile app advertising, the IAB TCF string or IAB GPP string must be generated and propagated to every SDK that participates in the bid pipeline. Without a valid consent string, every bid is legally exposed regardless of how the SDK configures its own behavior.
Enforcement Landscape in 2026
German DPAs have become significantly more active on TTDSG enforcement in 2024 and 2025. The Landesdatenschutzbeauftragte of Bavaria alone has opened hundreds of investigations per year, and the Berlin DPA has issued fines specifically citing cookie-banner violations.
Fines Seen So Far
TTDSG itself sets a maximum administrative fine of EUR 300,000 per violation. But because any TTDSG violation is typically also a GDPR violation, DPAs have often stacked the higher GDPR penalty — up to EUR 20 million or 4 percent of global annual turnover. Publishers and e-commerce operators in the German market should plan for stacked liability when scoping exposure.
Civil Liability
Germany is one of the few EU jurisdictions where individual users have sued successfully for non-material damages under Article 82 GDPR in relation to cookie violations. Expect mass consumer claims, often organized through Verbraucherzentralen and plaintiff law firms, to continue in 2026.
Audit Checklist for German Traffic
- CMP presents Accept All and Reject All with equal visual prominence on the first layer
- No cookies, pixels, or third-party scripts load before consent, including analytics and A/B testing
- Per-purpose and per-vendor granularity is offered, with plain-language purpose descriptions in German
- Withdraw-consent mechanism is persistent and reachable from every page
- Consent records are retained with timestamp, consent version, and granted purposes
- Mobile apps enforce TTDSG consent before initializing any non-strictly-necessary SDK, independently of the iOS ATT prompt
- Data Processing Addendums and Schrems II transfer assessments are documented for every US-based vendor
- Dark pattern review is completed against the latest DSK guidance
- Privacy policy names all processors, identifies lawful basis under GDPR and consent basis under TTDSG separately, and is available in German
- Vendor list is synchronized with IAB TCF v2.2 and updated when new partners are added
The 2026 Outlook
The rebranding to TDDDG in 2024 did not soften German enforcement. If anything, DPAs are better resourced and more coordinated through the DSK than they were two years ago. The trajectory is clear: consent bars will get higher, dark-pattern scrutiny will intensify, and Schrems II transfer assessments will become a standard audit focus. Publishers and advertisers operating in Germany who invested in a proper consent stack in 2024-2025 are broadly in good shape. Those who left German compliance for later are entering 2026 with known gaps and rising regulatory interest. The right move is to close those gaps now — before a Landesdatenschutzbeauftragte investigation forces the question on a timeline you do not control.