Skip to content
Biscotti CMP
FeaturesPricing🔍 Cookie Check♿ Accessibility📦 DownloadsDocumentationBlog
Login
Home›Blog

The TDDDG Explained: Germany's Strict Stance on Digital Services and Cookies

July 7, 2026 · 15 min read

The TDDDG Explained: Germany's Strict Stance on Digital Services and Cookies

Quick Answer: The TDDDG (Telecommunications Digital Services Data Protection Act) is Germany's national law governing how websites and digital services must handle cookie consent and device storage access. It goes beyond the GDPR by requiring prior, explicit consent before any non-essential cookie or tracking technology is activated, and it applies to every entity operating digitally within Germany, regardless of where they are headquartered.


Key Takeaways

  • The TDDDG was renamed from the TTDSG on May 14, 2024, to align with the EU Digital Services Act, though its core provisions remained unchanged [1]
  • Section 25 of the TDDDG requires prior consent before storing or accessing any information on a user's device, with narrow exemptions for technically necessary cookies [4]
  • Valid consent must be freely given, specific, informed, unambiguous, and revocable, pre-checked boxes and passive browsing do not qualify [3]
  • Non-compliance can trigger TDDDG fines up to €300,000 per infringement, plus GDPR penalties of up to €20 million or 4% of global annual turnover [2]
  • The law applies to businesses, public authorities, educational institutions, associations, and self-employed individuals with an online presence in Germany [1]
  • US companies and non-EU businesses targeting German users must comply with the TDDDG
  • The Consent Management Ordinance (EinwV), effective April 2025, introduced centralized consent management services to reduce user consent fatigue [3]
  • Cookie banners must offer a genuine "reject" option that is as prominent as the "accept" option [5]

What Is the TDDDG? Germany's National Digital Privacy Law Explained

The TDDDG (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz, or Telecommunications Digital Services Data Protection Act) is Germany's primary statute regulating the storage of and access to information on end-user devices. It sits alongside, and supplements, the GDPR, addressing a specific gap the GDPR does not cover directly: the moment a cookie or tracking script first touches a user's browser.

Originally enacted as the TTDSG in December 2021, the law was renamed the TDDDG on May 14, 2024, to reflect the terminology introduced by the EU Digital Services Act. The renaming was largely nominal; the substantive rules, particularly those in Section 25 governing cookie consent, remained unchanged [1].

The law is enforced by a multi-layered authority structure: the Federal Commissioner for Data Protection (BfDI), the Federal Network Agency (BNetzA), and the 16 state data protection authorities coordinated through the Data Protection Conference (DSK) [2]. This distributed enforcement model means there is no single bottleneck, violations can be pursued from multiple directions simultaneously.


How Does the TDDDG Differ from the GDPR?

The TDDDG and the GDPR are complementary, not competing. The GDPR governs what happens to personal data once it is collected and processed. The TDDDG governs the earlier moment: whether a website is even permitted to store or read data on a user's device in the first place [6].

Key distinctions:

Dimension GDPR TDDDG
Scope Processing of personal data Storage/access on user devices
Legal basis options Six lawful bases (consent, legitimate interest, etc.) Consent or technical necessity only
Applies to Data controllers and processors Any entity with a digital presence in Germany
Enforcement Data protection authorities BfDI, BNetzA, state DPAs
Trigger point Data processing activities Cookie/tracker activation

The critical practical difference: under the GDPR, "legitimate interest" can sometimes justify tracking without consent. Under the TDDDG, that option does not exist for device storage. Consent or strict technical necessity are the only two valid grounds [4].


TDDDG Cookie Requirements Explained

Section 25 of the TDDDG is the operational core of the law. It mandates that storing information on a user's terminal device, or accessing information already stored there, requires the user's prior consent, unless the action is strictly necessary to transmit a communication or to deliver a service the user has explicitly requested [4].

This provision covers far more than traditional HTTP cookies. It applies to:

  • Browser localStorage and sessionStorage
  • Tracking pixels and web beacons
  • Device fingerprinting scripts
  • Flash cookies and similar persistent identifiers
  • Any other mechanism that reads from or writes to a user's device

Exemptions are narrow. Shopping cart session cookies, login authentication tokens, and load-balancing cookies qualify as technically necessary. Analytics cookies, advertising trackers, A/B testing scripts, and social media plugins do not, they require prior consent regardless of how they are framed [5].


What Websites Need to Comply with the TDDDG?

The TDDDG applies to all entities that operate in Germany and store or access information on users' devices. This is not limited to German companies. Any business, institution, or individual with a website accessible to German users, and that uses non-essential cookies or tracking, falls within scope [1].

This includes:

  • E-commerce stores and SaaS platforms
  • Media publishers and news outlets
  • Public authorities and government portals
  • Educational institutions with online presences
  • Non-profit associations and NGOs
  • Freelancers and self-employed individuals running business websites

Do US companies need to follow the TDDDG? Yes. If a US-based company's website is accessible in Germany and uses cookies or tracking technologies on German visitors' devices, the TDDDG applies. The law's reach is determined by where the user is located, not where the operator is incorporated [2]. This mirrors the GDPR's territorial logic under Article 3.


TDDDG Consent Requirements for Tracking

Valid consent under the TDDDG must meet five cumulative criteria: it must be freely given, specific, informed, unambiguous, and revocable [3]. Each criterion carries real operational weight.

  • Freely given means the user faces no penalty for refusing. Blocking access to content unless cookies are accepted (a "cookie wall") is legally contested and generally considered non-compliant.
  • Specific means consent is obtained per purpose, analytics cannot be bundled with advertising.
  • Informed means the user knows exactly what they are consenting to before consent is recorded.
  • Unambiguous means an affirmative action is required. Pre-ticked checkboxes, scrolling, or continued browsing do not constitute consent [3].
  • Revocable means withdrawing consent must be as easy as giving it.

Browser-level settings (such as a browser's built-in "do not track" signal) are not accepted as valid consent under the TDDDG [2]. A properly configured consent management platform is the standard mechanism for capturing and documenting compliant consent.


TDDDG Fines and Penalties for Non-Compliance

Violations of the TDDDG can result in administrative fines of up to €300,000 per individual infringement [2]. Because each non-consented cookie placement on each user session could technically constitute a separate infringement, aggregate exposure for high-traffic websites is substantial.

Beyond TDDDG-specific fines, regulators can simultaneously pursue GDPR penalties for the downstream processing of data collected without valid consent. GDPR fines can reach €20 million or 4% of global annual turnover, whichever is higher [2].

What happens if you violate the TDDDG? Enforcement actions can include formal warnings, orders to cease non-compliant practices, and monetary fines. Given that enforcement is distributed across 17 authorities (BfDI plus 16 state DPAs), the probability of scrutiny is meaningfully higher than in jurisdictions with a single regulator.


Who Is Exempt from TDDDG Rules?

Exemptions under the TDDDG are limited to technically necessary cookies and storage operations. An operation qualifies as technically necessary only if it meets both conditions: it is required solely to transmit a communication over a network, or it is strictly necessary to provide a service that the user has explicitly requested [4].

Common exempt use cases:

  • Session cookies that maintain a logged-in state
  • Shopping cart persistence during a single browsing session
  • Load-balancing cookies that route traffic across servers
  • Security cookies that prevent cross-site request forgery (CSRF)

Analytics, personalization, retargeting, and social sharing functionalities are not exempt, even if the operator considers them operationally important. The test is whether the service could function for the requesting user without that specific storage operation, not whether the business would prefer to have the data.


How to Make Your Site TDDDG Compliant

TDDDG compliance is achievable with a structured approach. The following steps reflect the current regulatory standard as of 2026:

  1. Audit all cookies and trackers on your site. Categorize each as strictly necessary or non-essential.
  2. Block all non-essential scripts from loading until the user has given explicit consent.
  3. Implement a compliant consent banner that presents accept and reject options with equal visual prominence. The reject option must not be hidden behind secondary menus [5].
  4. Configure granular consent purposes so users can accept analytics separately from advertising, for example.
  5. Log consent records with timestamps, user identifiers (where applicable), and the specific consent version shown.
  6. Enable easy consent withdrawal, a persistent link to the consent settings must be accessible from every page.
  7. Review the EinwV framework (effective April 2025) if you want to integrate with recognized centralized consent management services, which allow users to store preferences across multiple sites [3].

A consent management platform such as Biscotti CMP is designed to handle the technical implementation of these requirements, including consent logging, banner configuration, and script blocking.


TDDDG Cookie Banner Best Practices

A compliant TDDDG cookie banner is not simply a notice, it is a functional consent mechanism. Regulators have made clear that banners designed to nudge users toward acceptance through dark patterns are non-compliant.

Best practices include:

  • Equal button prominence: The "Accept All" and "Reject All" buttons must be visually equivalent in size, color, and placement.
  • No pre-selected options: Every consent toggle must default to off.
  • No content obstruction: The banner should not prevent users from reading the page, though it may appear as an overlay.
  • Clear purpose descriptions: Each cookie category must be described in plain language, not legal jargon.
  • Accessible withdrawal mechanism: A "Cookie Settings" link in the footer, accessible at all times, satisfies this requirement.
  • No deceptive design: Using grey-out effects on the reject button, or requiring multiple clicks to decline while acceptance is one click, constitutes a dark pattern and is non-compliant.

Common TDDDG Compliance Mistakes to Avoid

Even well-intentioned operators frequently make errors that expose them to enforcement risk.

Mistake 1: Treating GDPR compliance as sufficient. The GDPR and TDDDG address different legal questions. A site can be GDPR-compliant in its data processing practices while still violating the TDDDG by loading trackers before consent is recorded.

Mistake 2: Relying on browser signals as consent. Browser-level privacy settings do not satisfy the TDDDG's consent standard [2].

Mistake 3: Bundling consent purposes. Asking users to accept "all cookies" as a single choice, without the ability to accept analytics but reject advertising, violates the specificity requirement.

Mistake 4: Failing to block third-party scripts. Many third-party tools (analytics platforms, tag managers, advertising pixels) load automatically on page render. Without technical blocking, they activate before consent is obtained, a direct TDDDG violation.

Mistake 5: Not updating consent records. If the purposes for which consent was obtained change, previously collected consent is no longer valid for the new purposes. Users must be re-prompted.


TDDDG vs. ePrivacy Directive: Key Differences

The TDDDG is Germany's national implementation of the ePrivacy Directive (2002/58/EC, as amended in 2009), but it goes further in several respects. The ePrivacy Directive set the EU-wide framework requiring member states to mandate cookie consent; Germany's TDDDG is the domestic statute that fulfills, and in some areas exceeds, that obligation [6].

The anticipated ePrivacy Regulation, which would replace the Directive across all EU member states with a directly applicable regulation, has been in legislative limbo for years. Until it is adopted, national laws like the TDDDG remain the operative standard in Germany. Operators cannot assume that compliance with another EU member state's ePrivacy implementation satisfies German requirements.


Conclusion: Practical Next Steps for TDDDG Compliance in 2026

The TDDDG represents Germany's deliberate choice to enforce digital privacy standards more rigorously than the EU minimum floor. For website owners, developers, and marketing teams operating in the German market, the law's requirements are specific, enforceable, and actively monitored by 17 separate authorities.

Actionable next steps:

  1. Conduct a full cookie audit using a scanning tool to identify every tracker on your site.
  2. Verify that all non-essential scripts are technically blocked prior to consent, not merely disclosed.
  3. Review your consent banner against the equal-prominence and no-pre-selection requirements.
  4. Ensure your consent records are logged with sufficient granularity to demonstrate compliance if audited.
  5. Assess whether the EinwV centralized consent framework is relevant to your user base and technical stack.
  6. Evaluate a purpose-built consent management platform such as Biscotti CMP to automate the technical and documentation requirements.

The cost of non-compliance, up to €300,000 per infringement under the TDDDG, with additional GDPR exposure, far exceeds the investment required to implement a compliant consent workflow. For any entity with meaningful German web traffic, compliance is not optional; it is a baseline operational requirement.


FAQ

What does TDDDG stand for? TDDDG stands for Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz, translated as the Telecommunications Digital Services Data Protection Act. It is Germany's national law governing cookie consent and device storage access.

When was the TTDSG renamed to the TDDDG? The renaming took effect on May 14, 2024. The change aligned the law's terminology with the EU Digital Services Act. The substantive cookie consent rules in Section 25 were not altered [1].

Does the TDDDG apply to small businesses? Yes. The TDDDG applies to all entities with an online presence in Germany that store or access information on users' devices, including small businesses, freelancers, and associations [1].

Can legitimate interest be used instead of consent under the TDDDG? No. Unlike the GDPR, the TDDDG does not permit legitimate interest as a legal basis for device storage or access. Only consent or technical necessity are valid grounds [4].

What is the EinwV and how does it relate to the TDDDG? The Einwilligungsverwaltungsverordnung (EinwV), effective April 2025, established a framework for recognized centralized consent management services. It allows users to store cookie preferences across multiple websites, reducing repetitive consent prompts [3].

Are analytics cookies exempt from TDDDG consent requirements? No. Analytics cookies are not technically necessary and require prior user consent under Section 25 of the TDDDG, regardless of whether they process personal data [5].

What makes a cookie banner non-compliant under the TDDDG? Common non-compliance indicators include: a reject option that is harder to find than the accept option, pre-selected consent toggles, banners that load tracking scripts before consent is recorded, and the absence of granular purpose-level controls [2].

Is the TDDDG only for German websites? No. The TDDDG applies based on where the user is located, not where the website operator is based. Any website accessible to users in Germany that uses non-essential cookies must comply [2].

What is the maximum fine for violating the TDDDG? The TDDDG itself provides for fines up to €300,000 per infringement. Separately, GDPR violations triggered by non-consented data collection can result in fines up to €20 million or 4% of global annual turnover [2].

How does the TDDDG relate to the ePrivacy Directive? The TDDDG is Germany's national implementation of the EU ePrivacy Directive. It fulfills and in some respects exceeds the Directive's requirements, and it remains the operative standard in Germany until the proposed ePrivacy Regulation is adopted at EU level [6].


References

[1] Tdddg - https://skill-sprinters.de/foerderungen/glossar/tdddg/?utm_source=openai [2] De Tdddg - https://www.consentstack.io/regulations/de-tdddg?utm_source=openai [3] Germany Gdpr Compliance Bdsg Dpo Rules And Penalties - https://legalclarity.org/germany-gdpr-compliance-bdsg-dpo-rules-and-penalties/?utm_source=openai [4] Cookies Einwilligung Tdddg - https://konfora.de/ratgeber/cookies-einwilligung-tdddg?utm_source=openai [5] Cookie Banner Pflicht - https://cookie-consent-tools.com/cookie-banner-pflicht.html?utm_source=openai [6] Ttdsg - https://www.preeco.de/en/glossary/data-protection/ttdsg?utm_source=openai


← Back to blog
Biscotti CMP

Consent Management and Legal Text Generator by Campcruisers GmbH (Falkensee). Can support your website compliance.

Product

🏢 About UsFeaturesPricingDocumentation🔍 Cookie Check📦 Downloads📚 Privacy & Consent Knowledge Base📝 Blog📖 Cookie Consent & Privacy Glossary🌍 Jurisdictions♿ WCAG 2.2 Accessible Consent Banner

Legal

ImprintPrivacy PolicyTerms of ServiceRight of WithdrawalDPACookie Policy

Contact

Contact
© 2026 Biscotti – A service of Campcruisers GmbH🍪 Change cookie settings