Few elements on the web are as widespread and as often implemented badly as the cookie banner. Almost every site today greets visitors with a consent dialog, yet many of them neither meet the legal requirements nor respect the people in front of them. A widely cited study found that only 11.8 percent (Nouwens et al., CHI 2020) of the banners examined met the minimal legal requirements. At the same time, a poorly built banner annoys users, slows down the site and can even damage a brand. Yet the basic idea is simple: anyone processing personal data beyond what is technically necessary usually needs genuine, freely given consent for it. This article explains soberly what the GDPR and the German TTDSG require, when a site even needs a banner, which mistakes keep happening and which data-minimising alternatives exist. It does not replace legal advice but describes the technical and design implementation from a web agency's perspective.
When a Website Even Needs a Banner
A common misunderstanding is that every website absolutely needs a cookie banner. That is not quite true. What matters is not whether a site sets cookies but what for. Cookies and similar techniques that are strictly necessary to run the site may be used without prior consent. These include storing a login, the contents of a shopping cart, the chosen language or measures for security and load balancing. Only when data is processed beyond that, for reach measurement, marketing or embedding external services, does a consent requirement come into play.
A lean information site with no statistics tools, no marketing pixels and no embedded third-party content can therefore work entirely without a consent banner. But as soon as analytics tools, advertising networks, embedded videos, map services or externally loaded fonts come into play, the rules apply. The first step towards clean data protection is therefore not banner software but an honest inventory: which cookies and services actually run, who sets them, and are they really needed. This inventory is also the basis for the GDPR checklist we describe in a separate article.
No banner is a solution too
What GDPR and TTDSG Actually Require
Two sets of rules interlock. The General Data Protection Regulation (GDPR) governs how personal data may be processed and defines what makes consent valid: it must be freely given, informed, granted for the specific purpose and just as easy to withdraw. The German TTDSG, the Telecommunications Telemedia Data Protection Act, specifically governs access to information on the user's device in Section 25, that is, the setting and reading of cookies and similar identifiers. Only what is strictly necessary for the service the user has expressly requested is exempt from the consent requirement.
The timing matters: consent must be obtained before non-necessary cookies are set, not afterwards. A banner that already starts tracking in the background while the user is still deciding misses its purpose. The Court of Justice of the European Union has also made clear that pre-ticked boxes do not constitute valid consent (CJEU, Case C-673/17, Planet49). Consent arises only through an active, deliberate action. Anyone who knows these basics quickly sees why so many banners in practice do not deliver what they promise.
Briefly explained: TTDSG and the new name TDDDG
The four hallmarks of valid consent
Common Mistakes with Cookie Banners
Many banners fail not out of bad intent but because of default templates and the desire to collect as many consents as possible. It is precisely this desire that leads to designs which undermine the freedom to choose. A large, colourful accept button next to a pale, hidden decline link is the classic. Such patterns are often called dark patterns and are a main reason why the study mentioned at the start rated so many banners as non-compliant. The following list sums up the most common problems we encounter in practice (Projekterfahrung).
- Declining is harder than accepting: no equivalent decline button on the first layer
- Pre-ticked boxes or a big accept button next to a pale decline link
- Tracking starts before the user has even clicked
- A hurry-up-and-accept banner with no genuine choice
- A consent wall that blocks the whole page and makes declining effectively impossible
- No easy way to withdraw or change consent later
- Unclear or incomplete information on which services process which data
A particularly common technical mistake is that external services are already embedded in the source code and load immediately on page load, regardless of the banner. An embedded video, a map or a font import from a third-party server often already transmits the visitor's IP address before any consent is in place. The banner is then mere scenery. It is only clean when such services are loaded after active consent, for example via a preview with a placeholder that reveals the content only on click. Keeping an eye on such services is part of ongoing website care.
Handle consent walls with care
Data-Minimising Alternatives to Tracking
The most elegant way around an intrusive banner is to collect less data. Data minimisation is not a sacrifice but often the better solution: those who measure only what they truly need get cleaner numbers, faster pages and no conflict with data protection. For many small and medium-sized businesses, a rough orientation on visitor numbers and popular pages is entirely enough. There are approaches for this that either work entirely without cookies or anonymise data far enough that no personal reference arises, which often means no consent is needed. The precise assessment in each individual case remains a legal question, but the technical implementation can be designed to minimise data.
Server-Based Measurement
Derive reach from the server requests that occur anyway, without setting cookies in the browser. Rough trends instead of personal profiles.
Anonymous Statistics
Analytics approaches that shorten IP addresses and allow no cross-device recognition, so that often no personal reference arises.
Host External Locally
Serve fonts, scripts and maps from your own server instead of third parties. No data outflow on page load, faster load times.
Embedded content can also be handled in a data-minimising way. Instead of loading a video or a map directly, a preview first shows only a placeholder image and loads the actual content only when the user deliberately clicks it. That way the data outflow occurs only for those who really want to see the content. Fonts and icons belong on your own server, where they are served faster anyway. These measures not only reduce the number of consent-requiring services but also improve load time and security, as we show in our article on the basics of website security.
| Approach | Usually needs a banner | Characteristic |
|---|---|---|
| Strictly necessary cookies | No | Login, cart, language, security |
| Server-based reach measurement | Usually no | No browser cookie, rough trends |
| Anonymous statistics without recognition | Often no | IP shortened, no personal reference intended |
| External fonts and maps (local) | No | From your own server, no third-party call |
| Classic analytics with recognition | Yes | Cookies and profiles, active consent |
| Marketing pixels and ad networks | Yes | Data passed to third parties, consent |
The table shows the basic pattern: the less a service collects personal data and passes it to third parties, the more likely it can be used without a banner. Where consent remains necessary, the dialog should be designed fairly. The art is not to build the perfect banner but to keep the number of consent-requiring services as small as possible. Whether a particular service is consent-free in an individual case depends on the details and should be checked legally in case of doubt.
A Clean Consent Dialog: the Building Blocks
When a banner is necessary, the design decides fairness and acceptance. A good consent dialog gives a real, equivalent choice on the first layer: Accept all and Decline all as equally large, equally visible buttons, supplemented by a path to the settings. There are no pre-ticked boxes for non-necessary purposes, no hidden decline links and no colour-based nudging that visually favours consent. Before the click, no tracking runs. And the decision once made can be changed or withdrawn at any time via a permanently reachable link.
- Decline and accept on the first layer, equally large and equally visible
- No pre-ticked boxes for analytics, marketing or external media
- No nudging through colour, size or placement in favour of consent
- Non-necessary services load only after active consent
- Clear information on which service processes which data for which purpose
- Withdrawal possible at any time via a permanently reachable link
- Link to the privacy policy with details on all services
Practical tip for withdrawal
Honesty includes noting that data protection is a moving field. Laws are amended, courts refine individual questions, and supervisory authorities continually publish new guidance. A banner is therefore never finished for good but part of the ongoing care of a website. Anyone who adds or replaces services must carry the consent dialog along. Secure, up-to-date operation, good hosting in Germany and regular checks of the embedded services belong together. This article is an overview from a technical perspective and, in case of doubt, does not replace the assessment of a legal adviser specialised in data protection.