Cookies or personal data? The dispute over data protection remains!

Veröffentlicht:

Von:

Learn everything about cookies, your obligation to consent and the regulations of the TDDDG and the GDPR in data protection.
Learn everything about cookies, your obligation to consent and the regulations of the TDDDG and the GDPR in data protection. (Symbolbild/NAGW)

On April 24, 2025, the legal regulation of cookies and its status as personal data is the focus of the discussion. The current status is largely shaped by the General Data Protection Regulation (GDPR) and the telecommunications telemedia data protection law (TTDSG) that came into force on December 1, 2021. This law deals with the conditions under which cookies can be stored on end devices and accessed.

cookies are small data storage tanks that are managed on the end device of a user. They consist of a pair of data that consists of a name and value. When using websites, these cookies are saved by the browser and returned to the servers each time the website is accessed. The distinction between the first party cookies that come from the website visited and third-party cookies, which are set by third parties, is crucial here. According to dr-dsgvo.de , cookies can store data that can potentially be considered personal-related, such as clear identifiers or location data.

legal framework conditions

The GDPR itself regulates the handling of personal data, but not specifically with cookies. The Federal Court of Justice (BGH) decided in the so-called Planet49 judgment in 2020 that cookies should be classified as personal data. This vaccinates the discussion about the need for the user's consent when setting cookies. The TTDSG specifies these regulations and states that cookies may only be stored with the explicit consent of the user, unless they are technically necessary for the provision of a service.

The essential exceptions to this obligation to consent are, for example, for the transfer of messages or for absolutely necessary services, such as technically necessary cookies that are required for the meeting management. The law obliges website operators to provide their users clear information about the use of cookies and offer an opt-in function. Furthermore, so-called "nudging" techniques and "Dark Patterns", which are supposed to move users to consent, are inadmissible.

Current challenges

violations of the TTDSG can be punished with fines of up to 300,000 euros. The implementation is the responsibility of the data protection supervisory authorities of the federal states. There have already been the first convicts for illegal cookie banners. This development shows that digital data protection is also taken seriously in Germany and that progressive sensitization is to be expected in public.

The discussion about cookies and their legal status will continue to be intensively conducted in the coming months. dr datatenschutz.de emphasizes that the TTDSG essentially combines the provisions of the Telemedia Act (TMG) and the Telekommunikation Act (TKG) implemented, which was previously unclear in Germany. This ensures that the regulations are consistent in both national and European context.

Although the German legislator is often in order to meet the legal requirements of the EU, it can currently be seen that the complete implementation of the Eprivacy Directive and the corresponding protection of privacy when using cookies requires more attention. The developments in recent years make it clear that users are increasingly wanting to be deliberately informed about data storage and that corresponding measures are requested.

In summary, it can be said that cookies are considered personal data according to the latest legal definition and that the handling of strict regulations is subject. The protection of privacy and transparency towards users will continue to focus in the future in order to strengthen trust in digital services.

Further information can be found on worms.de .

Details
Quellen