German consent management ordinance: All you need to know

Published April 1, 2025, by Peter Oladimeji

Summary

German public discourse has focused on the issue of 'cookie consent fatigue', a phenomenon caused by overexposure to consent banners, leading to the creation of the Consent Management Ordinance (Einwilligungsverwaltungsverordnung, EinwV) under the Telecommunications Digital Services Data Protection Act (TDDDG).

On October 17, 2024, the German Parliament (Bundestag) announced its approval. Later, on November 24, 2024, the Bundesrat also approved the ordinance, adding that it would enter into effect on April 1, 2025.

If you run a website, app, or platform in Germany, then you might want to know about these developments. Keep reading for all the details, and to learn whether you should take any action as our Chief Privacy Officer breaks down the actual consequences of the ordinance towards the end of the article.

What is the German Consent Management Ordinance?

The Consent Management Ordinance was introduced by the German Federal Ministry of Digital Affairs and Transport (BMDV) to fix the ‘cookie consent fatigue’ problem. 

Among other things, the law sets out user-friendly consent processes and guidelines for companies seeking to integrate standard consent management services in a user-friendly manner (including technical and organizational measures).

In addition, it protects data portability rights of users, and restricts consent management services from processing personal data beyond the purpose for which it was originally collected and stored. 

It is worth noting that the law does not make the integration of these recognized consent management services mandatory. However, it spells out user-friendly consent management procedures (for instance, transparent and understandable UI/UX) for companies that wish to adopt this approach.

Legal basis 

Section 26(2) of the Telecommunications Digital Services Data Protection Act (TDDDG) provides the legal basis for the creation of this ordinance. 

The provision authorizes the Federal Government to, through a statutory order jointly approved by the Bundesrat and the Bundestag, regulate the following:

  • The requirements for user-friendly and competition-compliant procedures that a consent management service must offer to be recognized;
  • The procedure for recognition; and
  • The technical and organizational measures so that software for retrieving and displaying information from the Internet and providers of digital services can take into account the end user's settings managed via an integrated recognized consent management service (in line with consent requirement obligations set out under Section 25 (1) TDDDG).

In exercise of this mandate, the BMDV on September 4, 2024 announced the Federal Government’s adoption of the Consent Management Ordinance. The same has now also been approved by the Bundesrat and the Bundestag.

Scope of application 

The ordinance regulates the activities of several players in the consent management service system. It covers the following: 

  • Obligations of a “recognized consent management service provider”; 
  • The process of recognizing a consent management service; and
  • Technical requirements expected of a provider of digital services (for instance, a website owner deploying cookies to track users in line with Section 25 of the TDDDG) and retrieval and display software providers.

Consent management services: an overview

For a web provider to use non-essential cookies on their website, an end-user must provide consent in line with Art. 5 para. 3 of the ePrivacy Directive. 

Cookie consent requirements also appear in Section 25 of the TTDSG, which requires the valid consent of an end user before using cookies or other technical tools not essential to the website’s functions. 

User consent within this context must also meet the threshold for valid consent per the GDPR: it must be freely given, specific, informed, unambiguous, explicit, revocable, and demonstrable.

To help service providers meet consent requirements in a user-friendly way, the ordinance provides the legal framework for companies looking to switch from traditional cookie banners to new consent management services.

How do consent management services work?

It begins with a user setting their consent preferences (i.e., choosing what cookies to consent to, withdraw consent from, or object to) with a consent management service, which is obliged to store such settings upon first use.

When this happens, a "recognized consent management service" is formed, essentially acting as a ‘data trustee’ (not a formal legal designation under German law) that stores consent preferences in trust on behalf of the user, the ‘data beneficiary’.

Once the user visits a website, the service provider (in this case, the website owner) requests the end user’s preference from the recognized consent management service. 

In turn, the recognized consent management service provides information about the user’s preference (provided the user has already logged their consent preferences with the service). The website owner may then rely on such settings to honor the user’s consent preferences.

This procedure allows users to centrally grant, object to, and freely manage their consent regarding the storage of and access to information on their devices, without much manual involvement that may disrupt their user experience (UX). 

Consent requirements under the ordinance 

The ordinance establishes rules for managing user consent. First and foremost, recognized consent management services must save the user's consent preferences made at the user’s first interaction with the telemedia service (e.g., website).

The same would apply where the telemedia service provider requests consent from the user under Section 25(1) of the TDDDG. 

Consent management services are obliged to only manage consent that is obtained after informing the user (informed consent). Accordingly, when obtaining consent, telemedia service providers must detail the following:

  • What service providers or third parties can store or access information on the user’s device;
  • Exactly what information will be stored or accessed;
  • The purpose for which this information is collected and how it will be used;
  • How long the information will remain stored; and
  • The user’s right to revoke consent at any time, and that revoking consent will not render actions taken before the withdrawal illegal.

According to the ordinance, a consent management procedure is user-friendly when: 

  • The user interface of the consent management service is designed to be so transparent that it does not impair or hinder the ability of end users to make a free and informed decision;
  • End users can view the consent they have declared or rejected, including the timestamp for declared consents and the information provided to the end user in the consent management service at any time;
  • Decisions to reject or grant consent can be changed at any time; and
  • End users are reminded of their consent settings and prompted to review them through the user interface of the consent management service when there are changes to the access and storage processes relevant under Section 25 of the TDDDG.

Meanwhile, a consent management service can only ask users to view their preferences after a period of one year unless it is changed. 

In recognizing users' portability rights, the consent management service must also allow people to export their preferences with any related information in a common file format. 

Users also retain the right to switch allegiances (i.e., bank their preferences with another recognized consent management service) without restrictions.

How to become a registered consent management service under the ordinance?

Key requirements are laid out for consent management services seeking ‘recognition’ status to be granted by the Federal Commissioner for Data Protection and Freedom of Information (BfDI). 

To qualify, providers must first apply to the BfDI. When applying, they must affirm that they will not use personal data collected through their services for reasons unrelated to the original purpose of managing user consent.

Upon submitting the request for approval, the applicant must include detailed security documentation that explains:

  • Where information relating to user preferences will be stored;
  • What Technical and Organizational Measures (TOMs) they will deploy to protect this information against unauthorized access; and
  • How they will maintain reliable access to the information while keeping it secured.

Our interpretation: What does the German consent ordinance mean for companies and for users?

From a compliance viewpoint, the ordinance does not impact companies that already have a mechanism to obtain valid cookie consent under the GDPR and Section 25 of the TDDDG in any new way.

Its success will largely depend on two factors: the emergence of new consent management services on the market and the willingness of telemedia providers to implement these new consent procedures.

While adoption of consent management services is voluntary, it's worth noting that companies that choose to implement them must fully comply with all technical requirements and honor user preferences.

We already identified major challenges with this approach almost two years ago, when our Chief Privacy Officer, Thomas Adhumeau, commented on similar initiatives looking to solve consent fatigue:

In essence, the idea is great: Users can set their preferences related to data collection once in their browser, and the technology does the rest, by communicating these preferences to every single website the person visits. That communication occurs in the backend, and users are thus less exposed to consent banners - while their choices are respected.

In practice, however, it’s not so simple.

The lack of standardization makes the idea very impractical. When user choices can reach a high level of complexity, how can we ensure that they are accurately respected and carried over without a clear framework to refer to?

From one website to another and one service to the next, the categories of purposes for data collection, third-party vendors, and the overall set of choices might be vastly different.

Then, how can the technology effectively and accurately enforce user choices? Is that consent still valid?

Take, for instance, the use of personal data for "analytics" purposes. While one website might label it as 'site performance', another could call it 'user behavior measurement,' and yet another might refer to it as 'visitor insights.'

This disparity in language makes it nearly impossible for technology to consistently and accurately communicate a user's preferences across different websites or apps, further complicating the validity of the consent provided.

- Thomas Adhumeau, Chief Privacy Officer at Didomi (source: Cookies, consent fatigue, and privacy standards: What's next for the AdTech industry?, 9/14/2023, Didomi Blog)


Our leadership team has discussed this need for standardization in various verticals and industries, including our CEO in his 2025 predictions. We will naturally follow future developments closely, including those regarding the German consent ordinance.

In the meantime, for companies looking to simplify compliance, a Consent Management Platform remains the go-to solution by providing structured, user-friendly consent interfaces that align with regulatory expectations. Get in touch with our team to discuss how we could help.

Frequently Asked Questions (FAQs)

Do I have to update my cookie policy to comply with the ordinance? 

No. You do not have to change your cookie policy to comply with the ordinance, even when you integrate consent management services.

Are we required to change our cookie management tools? 

No. If your existing tech stack helps you stay compliant with the requirements of Section 25 of the TDDDG and the GDPR, you don’t need to change them. 

Are there any consequences for not using consent management services?

The ordinance does not make using consent management services mandatory. Rather, it is purely voluntary. Companies have the sole discretion in choosing between sticking with their current tools or a recognized consent management service. 

 

What is the penalty for not implementing consent management services? 

Since the use of consent management services is not an obligation, there will be no penalties for companies that fail to integrate them. However, violating cookie consent requirements under Section 25 of the TTDSG will attract a maximum fine of EUR 300,000.

Additionally, if non-compliance leads to personal data breaches, companies could face GDPR fines of up to 4% of global annual revenue.

Can the BfDI revoke my recognition as a consent management service provider?

Yes. Consent management providers may have their recognition revoked if the BfDI is led to believe that the conditions for recognition are no longer complied with. The ordinance recommends annual checks against the requirements to avoid this.

The author
Peter Oladimeji
Freelance writer
Content writer and copywriter for Legal tech, IT Compliance, MarTech, and Digital Transformation.