Is your cookie banner actually GDPR-compliant?
By Philipp Kant 5 min read
A GDPR-compliant cookie banner loads no tracking until the visitor actively agrees, and makes refusing as easy as accepting. Under the GDPR and Germany’s Telecommunications Digital Services Data Protection Act (TDDDG), consent for non-essential cookies must be prior, informed, specific, and freely given. Most banners fail on the first word: prior.
Consent must come before the cookie, not after
§ 25 TDDDG is the rule that matters in Germany: storing or reading information on a visitor’s device needs prior consent, unless it is strictly necessary to deliver the service they asked for. Analytics, advertising pixels, maps, third-party fonts, and embedded video are not strictly necessary. They need consent before they run.
“Prior” is the word that does the work. The European Court of Justice settled it in Planet49 (C-673/17): consent must be a clear affirmative act, given before the technology runs. A pre-ticked box is not consent. A banner that sets analytics cookies while you are still reading it is not consent either. The German Federal Court of Justice confirmed the same standard for German law.
So the test is mechanical. Does anything non-essential load or get written before the visitor clicks? If yes, the banner is decoration.
What counts as valid consent under the GDPR
Article 7 of the GDPR sets four conditions. A compliant banner meets all of them, not three.
| Condition | What it means | What breaks it |
|---|---|---|
| Prior | Consent comes before any cookie or script runs | Trackers firing on page load |
| Informed | The visitor knows which tools run, and why | A vague “we use cookies” with no names |
| Specific | A separate choice per purpose, not one bundle | One “Accept” for analytics, ads, and video |
| Freely given | Refusing is as easy as accepting, with no penalty | ”Accept all” up front, reject buried two clicks deep |
Article 7(3) adds one more: withdrawing consent has to be as easy as giving it. If there is an “Accept all” button on the banner but turning tracking back off means digging through a settings page, the banner is not compliant.
A reject that does nothing is the same as no reject
This is the failure that surprises people. A site installs a consent tool, shows a proper banner with a reject option, and still tracks everyone who clicks reject. The banner records the choice; nothing in the code acts on it.
Under the GDPR there is no difference between a banner that ignores “reject” and a site with no banner at all. Both process personal data without a legal basis (Article 6). The reject button has to actually block the scripts, not just close the dialog.
The privacy policy is part of compliance, not a separate task
Article 13 of the GDPR requires you to tell visitors which third parties receive their data. In practice that means every tracking tool on the site is named in the privacy policy: the analytics provider, the tag manager, the ad pixel, the heatmap tool, the embedded video host.
This is the gap we find even on sites that gate consent correctly. The banner works, reject works, and then a tool runs that the privacy policy never mentions. Naming tools is cheap. Leaving one out is an Article 13 problem no matter how good the banner is.
What we found scanning nine German business sites
We ran our Cookie Scanner against nine live German business websites across medical practices, manufacturing, and B2B consulting, then cross-checked every result by hand with a separate script. The pattern was consistent:
- Three of the nine tracked visitors before any consent. Google Analytics and Tag Manager fired on page load, before the banner was touched.
- One had a consent tool that did nothing. Analytics kept running after the visitor clicked reject.
- One had no banner at all while analytics and eight tracking cookies were already active.
- One showed a banner that was decoration. The accept button worked, but the trackers had loaded before any choice was possible.
- Even on a site that gated perfectly, the scan surfaced two services running that the privacy policy never named.
Five of the nine gated correctly or had nothing to gate. The other four were processing personal data without a valid legal basis, and in every case the owner almost certainly believed the banner had it covered.
How to check your own banner
You can run a rough version of this check by hand:
- Open your site in a private browser window with developer tools open, on the Network and Application tabs.
- Load the page and do not touch the banner. Look for requests to analytics, ad, or font domains, and for cookies that are not strictly necessary. Anything there is loading before consent.
- Click reject, then reload. If the same trackers come back, your reject is not wired to anything.
- Open your privacy policy and confirm every tool you saw is named.
For the full version, our free Cookie Scanner drives a real headless browser through all three phases (before consent, after reject, after accept), names the trackers and cookies in each phase, checks the privacy policy for each tool, and produces a report you can hand to whoever maintains the site.
For the specific failures to look for, see 7 cookie consent mistakes that break GDPR, and for how the free tools compare, the best free cookie scanners, ranked. If cookie compliance turns out to be one symptom of a wider gap in how your digital systems are set up, that is the kind of work we pick up, and it comes up often with the German SMBs we work with.
FAQ
Do I need consent for Google Analytics? Yes. Analytics is not strictly necessary to deliver your website, so § 25 TDDDG requires prior consent before it runs. The same applies to Tag Manager whenever it loads tracking tags.
Is a cookie banner legally required? Consent is required for non-essential cookies and trackers. The banner is only how you collect it. A banner that does not actually block tracking until the visitor agrees does not make you compliant. It just looks like it does.
Does “legitimate interest” cover analytics cookies? No. Storing or reading information on a device is governed by § 25 TDDDG, which requires consent regardless of any legitimate-interest argument under GDPR Article 6. Legitimate interest does not replace cookie consent.
Is this legal advice? No. We are a technical partner, not a law firm. A scan gives you technical evidence: what loads, when, and where the data goes. A lawyer interprets what that means for your specific situation.
If you want to know where your site actually stands before someone else points it out, run the Cookie Scanner or talk to us.