LSM Agents


TDDDG: Make your cookie banner compliant — before the next Abmahnung lands.

The VG Hannover judgment of 19 March 2025 and the CNIL's €150M fine against SHEIN in September 2025 set the bar: 'Reject all' must be visually equivalent to 'Accept all'. Pre-checked boxes are illegal. Every dark pattern is now actionable. We audit, replace, and document in 7 days at a fixed price.

TL;DR

  • VG Hannover, 19 March 2025: 'Alle ablehnen' must be visually as prominent as 'Alle akzeptieren'. Hiding it behind 'Settings' is illegal.
  • CNIL fined SHEIN €150M (September 2025) for cookie-banner dark patterns. The supervisory authorities are coordinated; expect German actions to follow.
  • Cookie consent must be: freely given, specific, informed, unambiguous, opt-in (not opt-out), and revocable as easily as it was given.
  • Our delivery: 3-day audit (€1,800) → 7-day replacement with a banner that meets TDDDG, ePrivacy and DSGVO simultaneously.

Who has to comply

TDDDG (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz) applies to anyone storing information on, or reading information from, the user's device — which is essentially anyone using cookies, localStorage, sessionStorage, IndexedDB, or fingerprinting techniques. §25 TDDDG protects the terminal device itself, so it applies whether or not the information is personal data. Strictly necessary storage (session cookie, CSRF token, language preference) is exempt under §25(2) TDDDG. Everything else — analytics, A/B testing, retargeting, embedded media trackers — needs prior, granular, opt-in consent. The exemption is narrow: 'strictly necessary for the service the user explicitly requested' is the test, and analytics never qualifies.

What a compliant banner actually looks like

After VG Hannover and the SHEIN precedent, the technical requirements are unambiguous. Each defect below has been ruled unlawful, or flagged as non-compliant, by a court or supervisory authority in the EU.

  • 'Reject all' button missing from the first layer — only 'Settings' shown alongside 'Accept all'
  • 'Reject all' visually deprioritized: smaller, lower contrast, secondary styling
  • Pre-checked consent boxes for non-essential categories
  • Trackers fired on page view, before the user has made any choice (or a consent record written without a click)
  • Settings dialog requiring multiple clicks to reach the actual toggles
  • No 'Withdraw consent' control accessible after the initial choice
  • Consent expiration longer than 12 months without re-prompt
  • No granular per-category control (lumping analytics + ads + functional together)
  • Consent banner blocking content on first visit (cookie wall) without a paid alternative
  • No record of consent stored server-side for accountability under Art. 7(1) GDPR

What enforcement actually looks like

Enforcement comes in two layers. First: data-protection authorities. CNIL (France) fined SHEIN €150M in September 2025 for cookie dark patterns; the BfDI and the LfDIs in Germany have been signalling alignment. The German authorities issued joint guidance in October 2024 ('Orientierungshilfe') that mirrors the CNIL approach. Second: competitor and consumer-association Abmahnungen. Since the BGH ruling of March 2025, DSGVO violations can be pursued by competitors under the UWG; cookie-banner non-compliance is the easiest violation to document with a screenshot, and the Abmahnvereine know it. Typical cost per Abmahnung: €1,200–€3,800 plus mandatory remediation.

How we run a TDDDG project

  1. Audit (3 days): map every cookie, localStorage key, and tracker request. Categorize: strictly necessary, functional, analytics, marketing. Identify all dark patterns.

  2. Banner design: pick from our compliant templates (Klaro, Cookiebot config, or custom Next.js component) and tune for your site.

  3. Build (4–7 days): replace the banner; gate all non-essential trackers behind a server-side consent check, so that tracker tags are not even delivered to the browser until consent for their category exists (a JavaScript-only guard can be bypassed by a tag that loads before it runs); implement granular per-category controls; log consent server-side.

  4. Verification: third-party scan to confirm zero non-essential tracker fires before consent. Screenshots of the compliant flow saved as evidence.

  5. Documentation: privacy policy updated with a categorized cookie list and lawful bases; 'Withdraw consent' link added to the footer.

  6. Monitoring: the Care+ retainer or higher includes a quarterly cookie sweep plus a consent-log review.

TDDDG cookie banner — frequently asked questions

Can I keep using OneTrust / Usercentrics / Cookiebot?

Yes, if you configure them correctly. Out-of-the-box configurations often violate the equal-prominence rule. We audit the configuration during the 3-day audit and tune it. The CMP is the tool; the configuration is the obligation.

Do I really need a Reject button next to Accept on the first layer?

Yes. VG Hannover 19 March 2025 and the German supervisory authority joint guidance both require equal visual prominence. 'Reject all' must be the same size, contrast, and click depth as 'Accept all'.

What about cookie walls — block content until accepted?

Cookie walls are illegal under DSGVO (consent isn't 'freely given' if refusing means 'no service') unless you offer a paid alternative without tracking — the 'pay-or-okay' model. EDPB guidance is sceptical even of pay-or-okay; a lower-cost or free alternative without tracking is the safer option.

Can I just block all third-party scripts and skip the banner?

For some sites, yes. If you have no analytics, no embedded video, no third-party fonts, no payment widget that requires cookies, no remarketing — and only strictly-necessary cookies — you do not need a consent banner under §25 TDDDG. Most commercial sites do not meet this bar.

How long does the consent record need to be kept?

Recommended: 3 years. The record needs to demonstrate accountability under Art. 7(1) GDPR. Store: timestamp, banner version, consent state per category, a keyed hash of the IP address (an unkeyed hash of an IPv4 address can be reversed by brute force over the 4 billion possible values), and user agent. We log this server-side, not in localStorage (which the user can delete).

How much does it cost?

Audit only: €1,800 fixed. Audit + replacement: €3,200–€6,500 depending on integration complexity. Configure exact pricing in the calculator.