Zum Inhalt springen
Website, shop & visibility from one source
Datenschutz

Cookie Banners and Consent Done Right

Cookie banners done right: what the GDPR and the German TTDSG require, when you even need a banner, common mistakes and data-minimising alternatives.

12 min read DatenschutzCookie-BannerConsentDSGVOTTDSG

Few elements on the web are as widespread and as often implemented badly as the cookie banner. Almost every site today greets visitors with a consent dialog, yet many of them neither meet the legal requirements nor respect the people in front of them. A widely cited study found that only 11.8 percent (Nouwens et al., CHI 2020) of the banners examined met the minimal legal requirements. At the same time, a poorly built banner annoys users, slows down the site and can even damage a brand. Yet the basic idea is simple: anyone processing personal data beyond what is technically necessary usually needs genuine, freely given consent for it. This article explains soberly what the GDPR and the German TTDSG require, when a site even needs a banner, which mistakes keep happening and which data-minimising alternatives exist. It does not replace legal advice but describes the technical and design implementation from a web agency's perspective.

Cookie Banners and Consent: when needed, when notAllowed without consentstrictly necessary cookiesLogin and sessionShopping cart in the storeRemembering the languageSecurity and load balancingNo banner requiredessential to run the siteConsent requiredload only after an active clickAnalytics and statisticsMarketing pixelsEmbedded videosMaps and external fontsBanner with a real choicedeclining as easy as acceptingWhat a fair consent dialog looks likeDeclining just as easy as acceptingNo pre-ticked boxes, no nudgingExternal services load only after the clickDecline allAccept allequal size, equal weight

When a Website Even Needs a Banner

A common misunderstanding is that every website absolutely needs a cookie banner. That is not quite true. What matters is not whether a site sets cookies but what for. Cookies and similar techniques that are strictly necessary to run the site may be used without prior consent. These include storing a login, the contents of a shopping cart, the chosen language or measures for security and load balancing. Only when data is processed beyond that, for reach measurement, marketing or embedding external services, does a consent requirement come into play.

A lean information site with no statistics tools, no marketing pixels and no embedded third-party content can therefore work entirely without a consent banner. But as soon as analytics tools, advertising networks, embedded videos, map services or externally loaded fonts come into play, the rules apply. The first step towards clean data protection is therefore not banner software but an honest inventory: which cookies and services actually run, who sets them, and are they really needed. This inventory is also the basis for the GDPR checklist we describe in a separate article.

No banner is a solution too

The most data-minimising route is often to make the banner unnecessary. Anyone who avoids tracking-heavy services, embeds external content locally and uses only strictly necessary cookies needs no consent dialog. Fewer third-party services also mean faster load times and a smaller attack surface. The banner is the answer to a problem that in many places can also be avoided.

What GDPR and TTDSG Actually Require

Two sets of rules interlock. The General Data Protection Regulation (GDPR) governs how personal data may be processed and defines what makes consent valid: it must be freely given, informed, granted for the specific purpose and just as easy to withdraw. The German TTDSG, the Telecommunications Telemedia Data Protection Act, specifically governs access to information on the user's device in Section 25, that is, the setting and reading of cookies and similar identifiers. Only what is strictly necessary for the service the user has expressly requested is exempt from the consent requirement.

The timing matters: consent must be obtained before non-necessary cookies are set, not afterwards. A banner that already starts tracking in the background while the user is still deciding misses its purpose. The Court of Justice of the European Union has also made clear that pre-ticked boxes do not constitute valid consent (CJEU, Case C-673/17, Planet49). Consent arises only through an active, deliberate action. Anyone who knows these basics quickly sees why so many banners in practice do not deliver what they promise.

Briefly explained: TTDSG and the new name TDDDG

The German TTDSG governs the protection of the user's device in Section 25, that is, access to cookies and similar techniques. Since May 2024 the same law has carried the name TDDDG (Telecommunications Digital Services Data Protection Act). In substance the cookie rules have stayed the same; older texts still use the label TTDSG. Together with the GDPR it forms the framework that consent banners in Germany follow.

The four hallmarks of valid consent

Freely given, informed, purpose-bound and withdrawable. If any one of these is missing, the consent is open to challenge. Freely given means declining must bring no disadvantage and be just as easy as accepting. Informed means clearly stating who processes which data for what purpose. Purpose-bound means no blanket consent for everything. Withdrawable means the decision can be changed at any time without hurdles.

Common Mistakes with Cookie Banners

Many banners fail not out of bad intent but because of default templates and the desire to collect as many consents as possible. It is precisely this desire that leads to designs which undermine the freedom to choose. A large, colourful accept button next to a pale, hidden decline link is the classic. Such patterns are often called dark patterns and are a main reason why the study mentioned at the start rated so many banners as non-compliant. The following list sums up the most common problems we encounter in practice (Projekterfahrung).

  • Declining is harder than accepting: no equivalent decline button on the first layer
  • Pre-ticked boxes or a big accept button next to a pale decline link
  • Tracking starts before the user has even clicked
  • A hurry-up-and-accept banner with no genuine choice
  • A consent wall that blocks the whole page and makes declining effectively impossible
  • No easy way to withdraw or change consent later
  • Unclear or incomplete information on which services process which data

A particularly common technical mistake is that external services are already embedded in the source code and load immediately on page load, regardless of the banner. An embedded video, a map or a font import from a third-party server often already transmits the visitor's IP address before any consent is in place. The banner is then mere scenery. It is only clean when such services are loaded after active consent, for example via a preview with a placeholder that reveals the content only on click. Keeping an eye on such services is part of ongoing website care.

Handle consent walls with care

A banner that blocks the entire site and practically offers only an accept button puts users under pressure and undermines the freedom to choose. Supervisory authorities and courts view such forced consent critically. Anyone who wants to measure reach should check whether it can also be done in a data-minimising way and without coercion, instead of effectively forcing consent.

Data-Minimising Alternatives to Tracking

The most elegant way around an intrusive banner is to collect less data. Data minimisation is not a sacrifice but often the better solution: those who measure only what they truly need get cleaner numbers, faster pages and no conflict with data protection. For many small and medium-sized businesses, a rough orientation on visitor numbers and popular pages is entirely enough. There are approaches for this that either work entirely without cookies or anonymise data far enough that no personal reference arises, which often means no consent is needed. The precise assessment in each individual case remains a legal question, but the technical implementation can be designed to minimise data.

Server-Based Measurement

Derive reach from the server requests that occur anyway, without setting cookies in the browser. Rough trends instead of personal profiles.

Anonymous Statistics

Analytics approaches that shorten IP addresses and allow no cross-device recognition, so that often no personal reference arises.

Host External Locally

Serve fonts, scripts and maps from your own server instead of third parties. No data outflow on page load, faster load times.

Embedded content can also be handled in a data-minimising way. Instead of loading a video or a map directly, a preview first shows only a placeholder image and loads the actual content only when the user deliberately clicks it. That way the data outflow occurs only for those who really want to see the content. Fonts and icons belong on your own server, where they are served faster anyway. These measures not only reduce the number of consent-requiring services but also improve load time and security, as we show in our article on the basics of website security.

ApproachUsually needs a bannerCharacteristic
Strictly necessary cookiesNoLogin, cart, language, security
Server-based reach measurementUsually noNo browser cookie, rough trends
Anonymous statistics without recognitionOften noIP shortened, no personal reference intended
External fonts and maps (local)NoFrom your own server, no third-party call
Classic analytics with recognitionYesCookies and profiles, active consent
Marketing pixels and ad networksYesData passed to third parties, consent

The table shows the basic pattern: the less a service collects personal data and passes it to third parties, the more likely it can be used without a banner. Where consent remains necessary, the dialog should be designed fairly. The art is not to build the perfect banner but to keep the number of consent-requiring services as small as possible. Whether a particular service is consent-free in an individual case depends on the details and should be checked legally in case of doubt.

A Clean Consent Dialog: the Building Blocks

When a banner is necessary, the design decides fairness and acceptance. A good consent dialog gives a real, equivalent choice on the first layer: Accept all and Decline all as equally large, equally visible buttons, supplemented by a path to the settings. There are no pre-ticked boxes for non-necessary purposes, no hidden decline links and no colour-based nudging that visually favours consent. Before the click, no tracking runs. And the decision once made can be changed or withdrawn at any time via a permanently reachable link.

  • Decline and accept on the first layer, equally large and equally visible
  • No pre-ticked boxes for analytics, marketing or external media
  • No nudging through colour, size or placement in favour of consent
  • Non-necessary services load only after active consent
  • Clear information on which service processes which data for which purpose
  • Withdrawal possible at any time via a permanently reachable link
  • Link to the privacy policy with details on all services

Practical tip for withdrawal

An often-forgotten building block is easy withdrawal. A small, permanently visible link in the footer, for example Cookie settings, reopens the dialog and lets the choice be adjusted at any time. That not only meets the requirement for withdrawability but also builds trust: visibly putting control in the hands of users comes across as more credible than a site that collects consent once and then hides it.

Honesty includes noting that data protection is a moving field. Laws are amended, courts refine individual questions, and supervisory authorities continually publish new guidance. A banner is therefore never finished for good but part of the ongoing care of a website. Anyone who adds or replaces services must carry the consent dialog along. Secure, up-to-date operation, good hosting in Germany and regular checks of the embedded services belong together. This article is an overview from a technical perspective and, in case of doubt, does not replace the assessment of a legal adviser specialised in data protection.

This article is based on data from: Nouwens et al. (CHI 2020, cookie banner compliance), the Court of Justice of the European Union (Case C-673/17, Planet49), the German TTDSG or TDDDG Section 25 and the General Data Protection Regulation, as well as our own projects. Figures marked (Projekterfahrung) are based on our own website projects. The article is a technical orientation and not legal advice; the assessment in an individual case remains reserved for a qualified legal review.