The Hanover Administrative Court in Germany delivered a landmark ruling that strengthens digital privacy protections, as Germany continues to take a strong stance against cookie consent banners that rely on dark patterns. This decision, led by Lower Saxony Data Protection Officer Denis Lehmkemper, mandates that websites must provide users with a clear, easy, and genuine choice to reject cookies, specifically requiring a visible “reject all” button alongside any “accept all” option. This ruling addresses the pervasive issue of “cookie fatigue” and manipulative consent designs, aligning with the European Union’s General Data Protection Regulation (GDPR) and Germany’s Telecommunications Digital Services Data Protection Act (TDDDG). Below, we explore the details of the ruling, its implications, and related developments in cookie consent regulations.
Background on Cookie Banners
Cookie banners, or consent banners, have become a ubiquitous feature when you first land on a website. A good consent management platform (CMP) prompts users with options, while other sites only show a notification asking whether you consent to data tracking when visiting the website. However, many banners employ manipulative design, often referred to as “dark patterns”, that makes it difficult for users to opt out of non-essential cookies. These designs may hide the “reject” option, require multiple clicks to decline, or use misleading language to nudge users toward accepting cookies. Such practices undermine the GDPR’s requirement for informed, voluntary, and unambiguous consent, leading to widespread frustration among users and prompting regulatory action across Europe. Across the pond in California, Honda Motors was fined $632,500 by the CPPA for not having symmetry on their banner.
The Hanover Court Ruling
The Hanover Administrative Court’s decision stemmed from a case involving NOZ, a media company whose cookie banner was found to violate GDPR and TDDDG standards. The court ruled that NOZ’s banner failed to provide a straightforward way to reject cookies, rendering the consent obtained invalid. Key points of the ruling include:
- Mandatory “Reject All” Button: Websites offering an “accept all” button must include an equally prominent “reject all” option to ensure users can easily decline non-essential cookies. This addresses the imbalance where accepting cookies is often a one-click process, while rejecting them requires navigating complex menus.
- Compliance with GDPR and TDDDG: The ruling reinforces that consent must be freely given, specific, informed, and unambiguous. Manipulative designs that pressure users into consenting violate these principles.
- Impact on Digital Privacy: By curbing manipulative practices, the decision aims to empower users with greater control over their personal data, aligning with Germany
Dark patterns are deceptive design practices used on websites and apps to trick users into doing things they might not want to do, but which benefit the business or website owner. In the context of cookie banners, dark patterns might include making the “accept all” button more prominent than the “reject” option, using confusing language, or requiring multiple clicks to opt out of non-essential cookies. These tactics undermine user choice and often lead to unintended consent for data collection.
Examples of Dark Patterns in Cookie Banners
- Visual Prominence: The “accept all” button is brightly colored and centrally placed, while the “reject” or “customize” option is in small, low-contrast text or hidden in a submenu.
- Confusing Language: Using terms like “decline” instead of “reject” or phrasing that implies rejecting cookies will limit website functionality.
- Excessive Clicks: Requiring users to navigate multiple screens or toggle numerous settings to opt out, while accepting all cookies is a single-click process.
By addressing these manipulative tactics, the German court’s ruling seeks to restore user autonomy, ensure compliance with privacy laws, and make clear to business owners that they will not get away with deceiving visitors.
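The visual prominence and excessive clicks patterns listed above can be checked mechanically before a banner ships. The following is an added example, not code from the ruling or from any consent tool; the field names (`role`, `fontPx`, `clicksToReach`) and the thresholds are assumptions, and it does not assess banner wording.

```javascript
// Added example: audits a banner description for asymmetry between
// "accept all" and "reject all". Thresholds are illustrative assumptions.
const MIN_CONTRAST = 4.5;   // assumed floor (WCAG AA for normal text)
const SIZE_TOLERANCE = 0.9; // assumed: reject text may be at most 10% smaller

// WCAG relative luminance of an sRGB colour given as "#rrggbb".
function luminance(hex) {
  const [r, g, b] = [1, 3, 5].map((i) => {
    const c = parseInt(hex.slice(i, i + 2), 16) / 255;
    return c <= 0.03928 ? c / 12.92 : Math.pow((c + 0.055) / 1.055, 2.4);
  });
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// WCAG contrast ratio between two colours, from 1 (identical) to 21.
function contrast(fg, bg) {
  const [hi, lo] = [luminance(fg), luminance(bg)].sort((a, b) => b - a);
  return (hi + 0.05) / (lo + 0.05);
}

// Returns finding codes; an empty list means the two choices are balanced.
function auditBanner(buttons) {
  const accept = buttons.find((b) => b.role === "accept_all");
  const reject = buttons.find((b) => b.role === "reject_all");
  if (!accept) return [];                 // no one-click accept to balance against
  if (!reject) return ["no-reject-all"];  // accept offered without a reject
  const findings = [];
  if (reject.clicksToReach > accept.clicksToReach) findings.push("excessive-clicks");
  if (reject.fontPx < accept.fontPx * SIZE_TOLERANCE) findings.push("smaller-text");
  const rejectContrast = contrast(reject.fg, reject.bg);
  if (rejectContrast < MIN_CONTRAST && rejectContrast < contrast(accept.fg, accept.bg)) {
    findings.push("low-contrast-reject");
  }
  return findings;
}

// Constructed sample banners (not taken from any real site).
const darkPatternBanner = [
  { role: "accept_all", fg: "#ffffff", bg: "#0b5fff", fontPx: 16, clicksToReach: 1 },
  { role: "reject_all", fg: "#bbbbbb", bg: "#ffffff", fontPx: 11, clicksToReach: 2 },
];
const balancedBanner = [
  { role: "accept_all", fg: "#ffffff", bg: "#0b5fff", fontPx: 16, clicksToReach: 1 },
  { role: "reject_all", fg: "#ffffff", bg: "#0b5fff", fontPx: 16, clicksToReach: 1 },
];
console.log(auditBanner(darkPatternBanner), auditBanner(balancedBanner));
```

In a browser, the same descriptor can be filled from `getComputedStyle` on the two buttons and a count of the clicks needed to reach each one.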
Broader Context and Related Developments
This ruling is part of a broader push in Germany and the EU to enhance digital privacy and reduce “cookie fatigue”, the frustration caused by repetitive cookie banners. Germany’s Einwilligungsverwaltungsverordnung (EinwV) Ordinance, introduced in early 2025, aims to streamline consent management by promoting centralized consent systems, potentially reducing the need for repetitive banners. The ordinance, grounded in Section 26(2) of the TDDDG, encourages a more user-friendly approach to data protection, though it does not mandate that digital service providers honor universal opt-out signals, leaving room for businesses to continue using banners if they choose.
Other European regulators have also taken action against manipulative cookie practices. For instance, in 2021, France’s CNIL fined Google €90 million for making it harder for YouTube users to refuse cookies than to accept them, highlighting a similar issue with consent design. The EU Commission has expressed intentions to address the broader issue of cookie banner fatigue, signaling a growing regulatory focus on user-friendly privacy protections.
However, some posts on X have suggested that the Hanover ruling does not explicitly mandate a “reject all” button in all cases, indicating potential nuances in how the ruling is interpreted or implemented. Despite this, the ruling’s core message is clear: websites must prioritize user choice and transparency in their consent mechanisms.
Implications for Businesses and Users
For businesses, the ruling necessitates a review of cookie banner designs to ensure compliance with GDPR and TDDDG. This applies not just to businesses based in Germany but to those all over the world, as long as the website accepts visitors and traffic from Germany. Non-compliance will eventually lead to fines or legal challenges, as seen in the NOZ case and prior GDPR enforcement actions. For users, the ruling offers hope for a more seamless and empowering online experience, where rejecting cookies is as straightforward as accepting them. This could reduce cookie fatigue and enhance trust in digital services, especially when it’s at an all-time low.
The ruling also sets a precedent for other jurisdictions. As privacy concerns grow globally, other countries may adopt similar measures to combat manipulative consent practices. For example, regulations like the UK’s Data Protection Act and California’s CCPA/CPRA also emphasize transparent consent mechanisms, suggesting a global trend toward stronger data protection standards.
How To Place a Cookie Banner on a German Website?
The Hanover Administrative Court’s ruling on March 19, 2025, marks a significant step toward fairer digital privacy practices in Germany and potentially beyond. By requiring websites to offer a clear “reject all” button and condemning manipulative cookie banner designs, the decision upholds the principles of informed and voluntary consent under GDPR and TDDDG. As Germany leads the way with initiatives like the EinwV Ordinance, the fight against cookie fatigue and deceptive design practices is gaining momentum, promising a more user-centric internet. Businesses must adapt to these changes to avoid penalties, while users can look forward to greater control over their personal data. If you have a website and need help getting compliant, look no further than Captain Compliance, the leading data privacy software solution.