What Is the German Consent Management Ordinance?
On December 20, 2024, the Bundestag (German Federal Council) approved the Ordinance on Consent Management Services under the Telecommunications Digital Services Data Protection Act (TDDDG). Officially, the update is called the “Verordnung über Dienste zur Einwilligungsverwaltung nach dem Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (Einwilligungsverwaltungsverordnung, or EinwV)”.
The new Consent Management Ordinance should come into force on April 1, 2025. However, experts are questioning its applicability and expect it to fail.
Read more about what the TDDDG and the Consent Management Ordinance are, how the Consent Management Ordinance is going to work, and what the challenges are.
What is the TDDDG?
The Telecommunications Digital Services Data Protection Act (TDDDG in German, TTDPA in English) is Germany's Data Protection Law, similar in scope to the General Data Protection Regulation (GDPR). The TDDDG aims to protect user data privacy and user rights while allowing advertising and digital business models for marketing agencies.
The TDDDG came into force in Germany on February 10, 2021.
The TDDDG shares the scope of the ePrivacy Directive: the regulation applies to any company offering goods or services for German citizens if the company accesses personal information and other data stored on a user’s device.
The regulation requires informed and explicit user consent for the collection and management of personal data in line with the GDPR’s consent requirements. A joint consent may be used to cover both regulations when providing users with a cookie notification, though in many cases two legal bases are required: one for the GDPR and one for the TDDDG.
Legal basis in the TDDDG for the new cookie banner regulation
The new regulation on service providers is based on Section 26 (2) TDDDG.
Section 26 (2) TDDDG sets the following requirements for user consent:
- Service providers must provide user-friendly and compliant procedures to get user consent.
- Service providers must provide the procedures to recognize user consent.
- Service providers must respect the end user's settings with regard to consent in accordance with Section 25 (1) TDDDG.
Section 26(1) of the TDDDG states that an independent body may certify services that offer user-friendly and competition-compliant procedures for managing end-user consent, as required under Section 25(1) of the TDDDG.
What Is the German Consent Management Ordinance?
Cookie consent banners and consent management platforms are used to obtain user consent to collect and store their personal data. When there are so many cookie banners, interacting with them can be annoying for users. Germany wants to counteract this by passing the Consent Management Ordinance (EinwV). This is not a new idea: for a long time, the idea was discussed as the “Personal Information Management System (PIMS)”.
The new German Consent Management Ordinance is based on Section 26 (2) TDDDG and is intended to enable the central management of consent across websites and devices.
The intention of the Consent Management Ordinance is to make individual Cookie Consent banners redundant with the help of “recognized consent management services”. Recognized consent management services are expected to provide a more efficient and user-friendly alternative to cookie banners.
Recognized consent management services should manage user consent choices once they have been documented and transmit them in bundled and automated form to all service providers called trustees. It would then not be necessary to obtain separate consent from each individual service provider. Consent management services should provide end users with an effective and comprehensible tool for managing their consent.
The Consent Management Ordinance sets the following requirements:
- Requirements for approved consent management services (Part 2 of the EinwV),
- The process of approving consent management services (Part 3 of the EinwV), and
- Technical and organizational measures to be taken by providers of digital services and manufacturers and providers of retrieval and display software (Part 4 of the EinwV).
The Consent Management Ordinance also regulates the content of user consent on two levels:
- The relationship between the end user and the CMP (level 1), and
- The relationship between the CMP and the digital service provider (level 2).
A legal framework for consent management services
The Consent Management Ordinance defines a “consent management service” as an application, software, or a digital service that enables end users to manage their personal data preferences. Preferences management means collecting, storing, transmitting, and revoking end users' preferences.
The Consent Management Ordinance establishes a legal framework for officially recognized consent management services and sets out the requirements for consent management services (CMS) if they want to be recognized. A “recognized consent management service” is one that is recognized by the Federal Commissioner for Data Protection and Freedom of Information (BfDI), the competent authority under the Ordinance. To become a “recognized” service, there is an annual certification process for the CMS.
The German Federal Data Protection Commissioner (BfDI) is responsible for certifying the CMS and providing the recognition. The “recognition” process requires showing compliance with current data protection laws, first of all, the GDPR, and passing security audits. The estimated annual certification costs are €79,000.
However, the ordinance’s requirements are voluntary, and this “recognition” does not have any direct legal effects. It only regulates the CMS providers.
The Challenges to the Implementation of the Consent Management Ordinance
The Consent Management Ordinance could be an alternative to cookie banners. Companies can switch from conventional cookie banners to consent management services. To do so, companies must implement certain technical and organizational measures, cooperate with consent management service providers, and provide specific information to end users.
However, experts don’t believe that the Consent Management Ordinance will achieve its purpose. These are the reasons:
- It’s a voluntary standard. The ordinance’s requirements are voluntary for both website operators and users. Website owners can decide whether to support these services or not. Why should they invest their time and money in integrating the Ordinance if they do not derive any benefit from it?
- Consent requests from the provider of digital services are not foreseen. There are requirements for the “blanket default settings for possible consent requests from the provider of digital services”, but such requests are not envisaged. Thus, users would still have to make a consent decision for each individual website. Users would only be prevented from interacting with different banner designs.
- Consent would still be required under the GDPR. The TDDDG sets out consent requirements that could be respected through the EinwV. However, websites or apps would still need consent under the GDPR for the processing of personal data. Consent management services would therefore only do part of the job. Users would instead have to interact with two separate consent dialogs per website, which makes it even more complicated.
- It does not guarantee valid consent. The Consent Management Ordinance per se does not mean that consents obtained via the CMS are valid. Consent is valid if it meets the GDPR requirements. As mentioned above, GDPR consent and consent obtained via the Ordinance are two separate consents.
- There are too many requirements for consent service providers. Strict certification requirements will prevent consent management providers from developing such a service. The required interoperability in particular makes it less attractive.
- Pop-ups would not disappear. Instead of many cookie banners, a single pop-up with comparable information would still have to be displayed to the end user. However, each time a digital service is modified, the pop-up will have to be displayed again, asking for agreement with the changes. Since there would be many websites and digital services combined into one pop-up, the changes of a digital service and thus the pop-up display could be frequent.
- Data protection concerns. For Cookie Consent to be valid broadly, the questions of transparency, purpose limitation, and data retention arise. The GDPR requires companies to use the purpose limitation and data minimization principles and to delete data when it is no longer needed. With deemed consent it could be difficult to execute these principles. Another question to be solved is the joint responsibility of the parties involved in data protection.
Who Will the German Consent Management Ordinance Affect?
The Cookie Consent ordinance applies to any organization offering goods or services in Germany if they access or store information on a user’s device. This includes all information, not just personal data.
- Internet users could benefit from a centralized cookie management system, which would result in fewer Cookie Consent banners and an improved user experience online.
- Website operators and digital service providers can decide to implement the new cookie-related ordinance. As mentioned above, the ordinance is a voluntary standard.
- Consent management service providers will have to develop Ordinance signal integration solutions to work with CMPs to pass the user consent selection and comply with the ordinance and other relevant data privacy regulations, such as the GDPR and ePrivacy Directive. Service providers will also have to pass the certification requirements each year.
How to Comply with the Cookie Control Ordinance?
Website operators and digital service providers in Germany and the EU already have to comply with existing privacy regulations like the GDPR and ePrivacy Directive. They must respect users’ privacy and are required to obtain explicit user consent for collecting and processing personal data.
It is necessary to use a Consent Management Platform (CMP) to comply with current privacy regulations like the GDPR. CMPs provide cookie banners and collect user consent, among other functions. Even though the Ordinance aims to switch from cookie banners to consent management services, CMPs will not be replaced by consent management services. A CMP will become an intermediary, and consent management services will need to cooperate with CMPs.
So, organizations already using a CMP will need to continue using it. If an organization does not use a CMP yet, it will need to start using one.
To comply with the Ordinance, website operators need to ensure their CMP can seamlessly accept and process consent information signals from users who have set them using a recognized consent management service.
When organizations implement a recognized consent management service, it will collect user consent choice once, store it centrally, and signal it to other websites and services to provide users with seamless consent management.
So, to comply with the German Consent Management Ordinance, website operators and digital service providers need to use a privacy-laws-compliant CMP and a recognized consent management service. The CMP collects, stores, and processes user consent, while the recognized consent management service signals user consent to the CMP that a website operator has implemented.
However, some ambiguity remains regarding standards and requirements for recognized consent management services and the interaction between recognized consent management services and CMPs. The ordinance also does not specify for how long a user’s consent information remains valid.
How CookieScript CMP Can Help You Manage User Consent and Meet Ordinance Requirements?
As of February 2025, no consent management services have been certified yet.
If a recognized consent management service wants to get certified, it must integrate well with CMPs to ensure legally compliant processing of users’ consent choices. It also needs to maintain good user experience with seamless consent management functionality.
CookieScript CMP allows companies to collect, store, and signal user consent. It also enables a full set of integrations, including integrations with Google Consent Mode v2, IAB TCF v2.2, Global Privacy Control, Google Tag Manager, and CMS like Joomla, WordPress, Shopify, etc.
In 2024, users on G2 ranked CookieScript CMP as the best CMP for small and medium-sized companies.
Frequently Asked Questions
What Is the German Consent Management Ordinance?
The Consent Management Ordinance, or EinwV, is the new German cookie control regulation that aims to limit the number of consent banners. Recognized consent management services should manage user consent choices once they have been documented and transmit them in bundled and automated form to all service providers called trustees. It would then not be necessary to obtain separate consent from each service provider.
Who does the Cookie Consent ordinance in the TDDDG apply to?
The Cookie Consent ordinance applies to any company offering goods or services in Germany if they access or store information (not just personal data) on a user’s device. However, the requirements of the Ordinance are voluntary for companies. The Ordinance only regulates consent management services.
When will the German Consent Management Ordinance come into effect?
The new Cookie Consent control ordinance comes into effect on April 1, 2025, and will give companies three months to implement a recognized consent management service for compliance. However, it’s a voluntary requirement, so companies can choose whether to implement it or not. In any case, companies will need a CMP like CookieScript to collect and store user consent.
How to comply with the German Cookie Control Ordinance?
When organizations implement a recognized consent management service, it will collect user consent choice once, store it centrally, and signal it to other websites and services to provide users with seamless consent management. To comply with the German Consent Management Ordinance, website operators and digital service providers need to use a privacy-laws-compliant CMP such as CookieScript to collect, store, and process user consent and a recognized consent management service to signal user consent to the CMP.
Will consent management services replace consent management providers?
No, Consent Management Providers (CMPs) will not be replaced by consent management services. A CMP will become an intermediary, and consent management services will need to cooperate with CMPs. The CMP is needed to collect, store, and process user consent, while the recognized consent management service is needed to signal user consent to the CMP that a website operator has implemented. In 2024, users on G2 ranked CookieScript CMP as the best CMP.
Do companies have to implement a recognized consent management service?
No, the Cookie Control Ordinance’s requirements are voluntary, so companies do not have to implement a recognized consent management service. They can continue using a privacy-laws-compliant CMP such as CookieScript to collect, store, and manage user consent to comply with privacy laws.