Sign in Subscribe
Data

German court holds third-party cookie providers liable without consent

Frankfurt Higher Regional Court rules technology companies placing third-party cookies face direct liability even when website operators fail to obtain user consent, awarding €100 damages in December 2025 decision.

Luis Rijo

21 min read
Official coat of arms of Hessen state representing Frankfurt Higher Regional Court jurisdiction.
Official coat of arms of Hessen state representing Frankfurt Higher Regional Court jurisdiction.

The Frankfurt Higher Regional Court issued a ruling on December 11, 2025, that significantly expands legal liability for third-party cookie providers operating across European Union member states. The court determined that technology companies storing cookies on user devices bear direct responsibility as perpetrators under German privacy law, regardless of contractual arrangements with website operators requiring consent collection. According to the judgment in case 6 U 81/23, the prohibition under Section 25 of Germany's Telecommunications and Digital Services Act applies to "everyone," not merely website operators or primary service providers.

The decision emerged from proceedings initiated in March 2022 when a plaintiff visited multiple websites and subsequently discovered cookies belonging to a technology analytics company stored on personal devices without explicit authorization. The plaintiff commissioned a private expert to document network traffic and cookie placement activities, then issued a cease-and-desist letter on April 22, 2022, demanding the defendant submit a legally binding declaration to refrain from such conduct and provide information about personal data collection.

The Frankfurt court's ruling clarifies that Section 25 of the TDDDG (later renamed TTDSG as of May 14, 2024) creates obligations extending beyond traditional definitions of service providers. According to the judgment, "The prohibition of cookie storage under Section 25 of the German Telemedia Act (TDDDG) is not limited to 'providers' within the meaning of Section 2 Paragraph 2 No. 1 TDDDG; rather, it applies to everyone." This interpretation significantly broadens the scope of entities subject to German privacy enforcement compared to previous assumptions within the advertising technology industry.

The defendant in the case operates as a technology and analysis company with headquarters in an unnamed city and maintains a branch office in Germany. The company provides audience measurement tools enabling website operators to determine reach based on aggregated data. Throughout proceedings, the defendant maintained that services offered in Germany served only visitor counting purposes without individual user attribution. The defendant further argued that technologies deployed were not used for advertising purposes within German markets.

However, the court rejected these distinctions as legally irrelevant for determining liability. The judicial analysis emphasized that anyone who "participates in the provision of telemedia services by a website operator by setting (third-party) cookies is to be considered a provider." This functional interpretation means that technical participation in cookie deployment creates provider status regardless of business model or stated purposes. The court noted that Section 25 TDDDG uses purely behavior-based definitions through the terms "storage" and "access," addressing "any natural or legal person who causally initiates the execution of the source code implementing the storage or access to the terminal equipment."

Follow PPC Land

Follow PPC Land on your socials: LinkedIn, Google, Google News, X, Mastodon, Bluesky, Reddit, Threads or via RSS

Technical evidence and burden of proof considerations

The plaintiff's case relied substantially on technical documentation captured through HTTP Archive (HAR) files recording network traffic during website visits. The Regional Court initially accepted the plaintiff's private expert opinion detailing which websites were visited and demonstrating that defendant's cookies were stored without consent. The appellate proceedings included disputes over whether submitted HAR files adequately proved the plaintiff's claims and whether the defendant bore responsibility for verifying consent before cookie placement.

According to the court record, "The Senate must assume that, when the plaintiff visited several websites, cookies belonging to the defendant were stored on his terminal equipment without his consent." The defendant attempted to challenge the evidentiary value of submitted materials, arguing that HAR files showed no connection to the plaintiff's specific IP address and merely documented "isolated network requests to servers without the outgoing IP address." The Senate addressed these concerns through an informal hearing with the plaintiff conducted under Section 141 of the German Code of Civil Procedure.

The plaintiff testified that the HAR file submitted in proceedings was created personally on a computer with the plaintiff's lawyer virtually present during the process. According to testimony, the lawyer explained proper HAR file creation procedures, the plaintiff then transmitted the file to legal counsel, and a subsequent expert opinion was obtained regarding file contents. The Senate stated it had "no doubt that the HAR file in question was recorded on the plaintiff's computer" based on hearing outcomes, personal impressions, and expert opinion contents.

This evidentiary standard establishes significant precedent for future cookie consent litigation across German courts. The defendant bore the burden of proving valid consent existed before cookie placement, rather than plaintiffs needing to prove consent absence. According to the ruling, "The defendant bears the burden of proof and the burden of production regarding consent, which is a fact favorable to her case." This allocation mirrors the burden of proof structure established in Article 7 Paragraph 1 of the General Data Protection Regulation, which places responsibility on data controllers to demonstrate consent validity.

Advertise on ppc land

Buy ads on PPC Land. PPC Land has standard and native ad formats via major DSPs and ad platforms like Google Ads. Via an auction CPM, you can reach industry professionals.

Learn more

Contractual arrangements provide no liability shield

The defendant's defense strategy emphasized contractual terms with website operators stipulating that automated cookie requests should occur only after obtaining website visitor consent. These contractual provisions, according to the defendant, established website operators as the responsible parties for consent collection failures. The court firmly rejected this argument, determining that contractual risk allocation between business partners cannot shield cookie providers from direct liability under privacy protection statutes.

"If a cookie is set without the website visitor's consent, the cookie setter is liable as a perpetrator even if they have contractually agreed with the website operator that the automated request for the cookie should only occur with the website visitor's consent," the court declared in the judgment's second principle. This determination means that third-party technology providers cannot delegate compliance obligations through service agreements or terms of service requiring partner organizations to handle consent management.

The judicial reasoning emphasized that consent absence constitutes a negative element of the legal offense under Section 25 Paragraph 1 TDDDG. The violation is fulfilled "solely by the defendant's failure to obtain consent and its reliance on the respective website operators having duly obtained it." Within the framework of normative causal attribution, the court examined whether properly acting conduct would have prevented the legally protected interest infringement. The analysis concluded that the defendant's failure to ensure website operators transmitted end user consent before storing cookies on devices caused the TDDDG violation.

The court rejected adequacy defense arguments. The defendant contended that cookie placement without end user consent on third-party websites represented a "particularly peculiar, highly improbable" circumstance under normal event sequences. According to the ruling, this characterization misrepresents industry realities. "On the contrary, it even represents a natural and typical risk when the defendant provides website operators with its source code, which they can then use to initiate data protection-relevant processes involving the defendant, without the defendant being able to verify in any way whether consent has actually been given," the judgment stated.

Damages awarded despite deliberate test scenario

The court awarded the plaintiff €100 in damages under Article 82 Paragraph 1 of the General Data Protection Regulation, significantly reducing the €1,500 initially sought and granted by the Regional Court. This reduction reflected judicial assessment that the plaintiff deliberately created a situation comparable to a consumer test purchase, initiating cookie placement with heightened technical awareness uncommon among ordinary internet users. According to the ruling, "Setting a cookie without consent can give rise to a claim for damages. If the website visitor deliberately caused the cookie to be set without consent for evidentiary purposes, they were aware that they could prevent any further tracking by the defendant simply by deleting the cookies."

The damages calculation under Section 287 of the German Code of Civil Procedure considered that stored data included only anonymized IP addresses and pseudonymized cookie identifiers rather than directly identifiable personal information such as email addresses or telephone numbers. However, the court recognized that "the feeling of being monitored associated with the storage of this data justifies a sum of €100." This monetary threshold establishes a baseline for non-material damages in German cookie consent cases where plaintiffs document violations for enforcement purposes.

The judgment explicitly rejected general preventive considerations when assessing damages amounts, citing the Court of Justice of the European Union's May 4, 2023 ruling in Case C-300/21. This precedent limits damages calculations to actual harms suffered by individual plaintiffs rather than amounts designed to deter broader industry misconduct. The €100 award reflects judicial views that the plaintiff's impairment remained "very minor" given the deliberate nature of website visits and immediate ability to delete problematic cookies, preventing further tracking attribution.

The ruling addressed whether cookie placement for advertising purposes versus audience measurement purposes should influence damages amounts. The court determined this distinction held no legal relevance, stating that Section 25 TDDDG prohibits storage "not only for advertising purposes, but in principle." The plaintiff's decision to limit injunctive relief claims by specifying "for evaluation for the purpose of targeted advertising" potentially demanded less than full legal entitlement, but the court found this limitation "harmless" to case resolution.

International jurisdiction and territorial scope

The appellate court affirmed international jurisdiction under Article 79 Paragraph 2 of the General Data Protection Regulation, which permits claims against data controllers in either the controller's establishment country or the data subject's habitual residence country. While the plaintiff's claim directly invoked TDDDG violations rather than GDPR breaches, Recital 146 of the regulation states that GDPR infringement encompasses "delegated acts, implementing acts, and Member State legislation specifying provisions of the GDPR."

According to the judgment, "'Specifications' in this sense encompass all regulations that implement the regulatory mandates of the General Data Protection Regulation (GDPR) or fill or supplement regulatory gaps." The court classified TDDDG as such a specification, bringing cookie consent violations within Article 79's jurisdictional framework. Alternatively, the court noted that Section 7 Number 2 of the Brussels I Regulation (Recast) would establish jurisdiction for tortious acts at the location where harmful events occurred—in this case, the plaintiff's German residence where Section 25 TDDDG violations materialized through unwanted cookie storage on personal devices.

The defendant's German branch office provided an additional jurisdictional anchor. Section 1 Paragraph 3 of TDDDG alternatively links territorial application to branch existence, service provision participation, or goods market availability within German jurisdiction. According to the legislative history cited in the judgment, "the second and third alternatives of the provision are intended to ensure the application of the market location principle, modeled on the GDPR." This principle targets organizations offering services on German markets regardless of headquarters location or primary operational base.

The market location approach carries significant implications for international technology companies serving European users. Organizations headquartered outside the European Union but operating German branch offices or deploying cookies through websites visited by German residents face direct liability exposure under Section 25 TTDSG. The court emphasized that "the defendant offers services on the German market is undisputed and is also evident from the fact that it has a branch in Germany."

The defendant challenged whether German civil law remedies remained available given the General Data Protection Regulation's comprehensive harmonization objectives. This argument suggested that Article 79 GDPR's judicial remedy provisions occupied the entire field of privacy enforcement, precluding Member States from maintaining parallel civil liability frameworks. The court rejected this interpretation, noting that Section 25 TDDDG implements Article 5 Paragraph 3 of the ePrivacy Directive regardless of broader GDPR harmonization questions.

According to the ruling, the ePrivacy Directive "requires effective, proportionate, and dissuasive sanctions, including criminal sanctions, for its implementation." The directive further mandates that "competent national authorities and other national bodies be equipped with sufficient powers to prosecute violations." These requirements leave Member States discretion in establishing enforcement mechanisms beyond administrative penalties. The court cited the Court of Justice's recent jurisprudence confirming that "a claim for injunctive relief existing under national law is compatible with Article 79 GDPR," referencing the CJEU's 2025 decision published at NJW 2025, 3137.

The judgment emphasized that Part 4 of TDDDG contains criminal and administrative fine provisions while regulating data protection commissioner responsibilities and Federal Network Agency powers. These public enforcement mechanisms coexist with private civil remedies under Sections 1004 and 823 Paragraph 2 of the German Civil Code, which provide injunctive relief and damages for protective statute violations. The court classified Section 25 TDDDG as a protective norm "according to its wording and purpose, serves to protect the end-user's privacy and ultimately the fundamental right to informational self-determination."

This multi-layered enforcement structure enables both regulatory authorities and individual users to address cookie consent violations through separate proceedings. Data protection supervisory authorities can impose administrative fines reaching substantial amounts under GDPR Article 83, while simultaneously affected individuals pursue injunctive relief and compensatory damages through civil courts. The Frankfurt ruling confirms that these parallel tracks remain legally viable despite arguments that GDPR harmonization should preclude fragmented national approaches.

The ruling creates compliance challenges for consent management platform providers and tag management system operators throughout European digital advertising ecosystems. Technology companies providing infrastructure enabling third-party cookie deployment must now verify that valid consent exists before allowing cookie placement, rather than relying on website operator attestations or contractual assurances. According to the judgment, "Section 26 of the German Telemedia Act (TDDDG) assumes that services for managing consent are technically and legally feasible."

The defendant argued throughout proceedings that technical limitations prevented verification of individual user consent before cookie activation. The court dismissed these arguments as insufficient to avoid liability, noting that "it is incomprehensible why the defendant should not be able to store its cookies on users' end devices only after receiving their consent." This technical feasibility assumption places affirmative obligations on third-party providers to implement consent verification mechanisms rather than defaulting to cookie placement pending partner compliance representations.

The decision impacts major consent management frameworks including the Transparency and Consent Framework administered by industry associations. These standardized approaches enable publishers to signal user consent preferences to advertising technology vendors through technical specifications embedded in page code. However, the Frankfurt court's requirement that cookie providers directly verify consent before placement may necessitate architectural modifications ensuring consent signals reach third-party vendors before any storage or access operations occur on end user devices.

Tag management systems face similar scrutiny following a separate March 19, 2025 Hannover administrative court ruling determining that Google Tag Manager requires explicit user consent before activation. That decision found that tag management platforms process personal data including IP addresses and device information without valid legal basis under Article 6 GDPR when automatic data transmission to external servers occurs before users provide consent. Combined with the Frankfurt ruling on third-party cookie liability, these judgments establish that marketing technology infrastructure providers cannot escape direct privacy compliance obligations through contractual arrangements allocating consent responsibilities to website operators.

Enforcement landscape across European jurisdictions

The Frankfurt decision emerges within intensifying regulatory enforcement targeting cookie consent violations throughout European Union member states. France's Commission Nationale de l'Informatique et des Libertés fined SHEIN's subsidiary €150 million on September 28, 2025, for systematic cookie deployment without proper consent, including placement of third-party advertising cookies after users withdrew authorization. That investigation documented continued reading of advertising cookies despite withdrawal requests through consent management platforms, with 10 additional cookies deposited on user terminals after consent withdrawal.

French enforcement precedent established that website publishers authorizing third-party cookie deployment must ensure partner compliance with withdrawal requests. CNIL referenced Conseil d'État jurisprudence requiring publishers to "implement the measures necessary to ensure that new requests to third-party domains were stopped from being made" following consent withdrawal. The authority determined that consent collection mechanisms failed to meet informed consent standards when second-level information did not identify third-party controllers placing advertising cookies on user terminals.

Dutch Data Protection Authority enforcement actions have similarly targeted tracking cookie violations, with AS Watson (Kruidvat's parent company) ultimately fined €50,000 on May 27, 2025, after successfully appealing an earlier enforcement action. The Dutch authority's investigation found that the company processed personal data through tracking cookies without obtaining proper consent from website visitors, violating Articles 5 and 6 of GDPR. In December 2024, the Dutch authority fined Coolblue €40,000 for similar tracking cookie violations involving pre-selected checkboxes for cookie consent.

Belgian Data Protection Authority proceedings against Mediahuis in September 2024 imposed potentially severe penalties including €25,000 per day per website up to €10 million maximum if required changes were not implemented within 45 days. The Belgian authority cited lack of clear "reject all" options on first-layer cookie banners, misleading button colors encouraging acceptance, and improper reliance on legitimate interest for non-essential cookies. These enforcement patterns demonstrate coordinated European regulatory attention to cookie consent mechanism design and third-party tracking accountability.

Technical compliance requirements and practical implications

The Frankfurt judgment establishes that cookie providers must implement technical architectures preventing storage or access operations until receiving affirmative consent signals from individual users. This requirement extends beyond existing consent management framework specifications, which typically enable publishers to block third-party requests after consent denial rather than requiring pre-placement consent verification. According to the ruling, the defendant's provision of source code to website operators enabling cookie placement "without the defendant being able to verify in any way whether consent has actually been given" created impermissible compliance risks.

Consent verification mechanisms must operate independently of website operator implementations to satisfy the court's liability standards. Third-party technology providers cannot rely on Content Management Platform integrations where publishers control consent signal transmission timing and accuracy. The judgment suggests that cookie providers should either implement direct consent collection interfaces or require cryptographically signed consent tokens from verified consent management platforms before initiating any storage operations on end user devices.

The ruling's impact extends to analytics platforms including Microsoft Clarity, which began enforcing cookie consent requirements for European Economic Area, United Kingdom, and Swiss traffic on October 31, 2025. Microsoft mandated implementation of consent signals using Google Consent Mode integration, direct CookieYes integration, or Clarity's Consent API. The company emphasized that requirements apply to traffic originating from specified regions regardless of website operational locations, determining user location through IP address-based geolocation.

Audience measurement providers operating in France face distinct regulatory frameworks following CNIL's July 4, 2025 updated guidelines allowing measurement cookies to operate without consent under strict conditions. The exemption applies when trackers serve strictly limited purposes including performance measurement and technical optimization while meeting data minimization requirements, anonymization standards, first-party cookie restrictions, and cross-site tracking prohibitions. However, these exemptions do not extend to advertising or behavioral profiling purposes, requiring consent mechanisms for most commercial cookie deployments.

Strategic considerations for advertising technology vendors

Technology companies providing cookie-based services throughout European markets must reevaluate operational architectures and contractual relationships following the Frankfurt ruling. Reliance on website operator compliance representations no longer provides adequate liability protection when companies directly implement cookie storage mechanisms. Organizations should consider implementing the following technical and operational modifications to align with emerging judicial interpretations of third-party provider responsibilities.

First, cookie deployment architectures should incorporate mandatory consent verification checkpoints preventing storage or access operations until receiving validated consent signals from individual users. These mechanisms must operate independently of website operator implementations to eliminate reliance on partner compliance. Technical implementations might include requiring cryptographically signed consent tokens, implementing server-side consent validation before responding to cookie placement requests, or deploying client-side JavaScript that queries consent management platforms before executing storage operations.

Second, service agreements with website operators should explicitly allocate consent collection responsibilities while acknowledging that contractual provisions do not eliminate statutory compliance obligations. According to the Frankfurt court, contractual arrangements "cannot shield cookie providers from direct liability under privacy protection statutes" because consent absence constitutes a negative element of legal offenses that cookie providers fulfill through their own actions regardless of partner representations. Nevertheless, indemnification provisions and compliance warranties may provide contractual remedies when website operator consent management failures cause third-party provider liability exposure.

Third, organizations should implement monitoring and audit capabilities verifying that consent mechanisms operate correctly across partner websites and applications. The Frankfurt judgment emphasized that defendants must "ensure that the website operator transmits the end user's consent before storing its cookies on the end user's device." This obligation requires ongoing verification that consent signals reach cookie providers accurately and that storage operations occur only after affirmative authorization. Automated compliance monitoring systems detecting websites deploying cookies without proper consent transmission could provide evidence of reasonable care if subsequent enforcement actions arise.

Fourth, technology providers should evaluate whether business models requiring third-party cookie deployments remain economically viable given liability exposures and technical compliance costs. The Frankfurt ruling establishes that companies placing cookies without verified consent face potential damages awards for each affected individual, injunctive relief preventing future deployments, and associated litigation costs. Organizations with significant European user bases may determine that transitioning to cookieless measurement methodologies or first-party data collection approaches reduces legal risks compared to continued third-party cookie reliance.

Privacy advocacy organization enforcement strategies

The case demonstrates systematic enforcement approaches employed by privacy advocacy organizations identifying websites with alleged cookie consent violations. According to the judgment, the plaintiff "deliberately created a situation comparable to a test purchase, in which he initiated the setting of cookies" with technical awareness enabling documentation of network traffic and cookie placement activities. The plaintiff "commissioned a private expert, Mr. Z, to assess the access of his device by advertising platforms" and documented violations across multiple websites before issuing cease-and-desist demands.

The defendant argued this methodology constituted abuse of rights, noting that "the plaintiff had proceeded against at least three other companies using the same method" implying "that he was systematically searching the internet for websites with alleged legal violations and logging network traffic." The court rejected this characterization, stating that "the deliberate generation of violations, like test purchases, is generally not objectionable." According to the ruling, "The plaintiff is not an 'agent provocateur,' but merely documents how the defendant, who was generally willing to act, behaved."

This judicial validation of systematic compliance testing enables privacy advocacy organizations to identify cookie consent violations at scale across commercial websites. None of Your Business (NOYB) reported filing 210 complaintsleading to over €2 billion in GDPR fines during 2023, contributing to enforcement escalation across multiple European markets. The organization's methodological approach involves identifying consent violations through automated scanning, documenting technical evidence, filing regulatory complaints, and in some jurisdictions pursuing civil litigation seeking damages and injunctive relief.

The Frankfurt court explicitly stated that "the fact that the plaintiff has sued four other companies for a similar infringement does not lead to the conclusion that he is pursuing extraneous motives." This determination means that plaintiffs establishing patterns of cookie consent enforcement across multiple defendants face no procedural disadvantages or abuse of process sanctions despite systematic approaches. Organizations deploying third-party cookies without robust consent verification mechanisms therefore face exposure to parallel enforcement actions from privacy advocacy groups, regulatory authorities, and individual complainants.

The Frankfurt Higher Regional Court granted the defendant permission to appeal to the Federal Court of Justice (Bundesgerichtshof), Germany's highest civil court, based on fundamental legal questions regarding third-party provider liability scope under Section 25 TTDSG. According to the judgment, "The question of the scope of liability under Section 25 of the German Telemedia Act (TDDG) is of fundamental importance for providers of cookie services." However, appellate permission was granted only to the defendant, as "no grounds for appeal are apparent" regarding the plaintiff's claims.

The court declined to refer interpretive questions to the Court of Justice of the European Union despite involving implementation of Article 5 Paragraph 3 of the ePrivacy Directive. According to the ruling, "The Senate does not consider the question of interpretation of Article 5(3) of the Cookie Directive to be problematic under EU law, as it is of the opinion that there are no concerns under EU law and therefore the matter is clear." This determination invokes the acte clair doctrine, which permits national courts to refrain from preliminary references when European law interpretation presents no reasonable doubt.

The Federal Court of Justice appeal may provide definitive guidance on whether third-party cookie providers face direct perpetrator liability or whether website operators bear primary responsibility with technology vendors potentially liable only as accessories or interferers. The Frankfurt court's broad interpretation that Section 25 TDDDG "applies to everyone" rather than being "limited to 'providers' within the meaning of Section 2 Paragraph 2 No. 1 TDDDG" represents an expansive reading that Federal Court review could potentially narrow or confirm as authoritative across German jurisdiction.

Parallel developments at the European Court of Justice may influence ultimate resolution of third-party cookie liability questions. Germany's Federal Court of Justice referred questions about IP address classification to the CJEU on August 28, 2025, in Case C-654/25 addressing whether dynamic IP addresses transferred through Google Fonts integration constitute personal data when recipients cannot reasonably identify users. That preliminary ruling request examines GDPR personal data definitions when controllers transfer information to third parties with varying identification capabilities, potentially affecting cookie provider liability analyses.

Industry response and compliance trajectories

The decision arrives during significant transitions in digital advertising infrastructure following Google's April 22, 2025 announcement maintaining third-party cookie usage in Chrome after five years of Privacy Sandbox development. That reversal came five days after Google was found to be a monopoly in the Department of Justice's AdTech case, creating uncertainty about whether privacy-preserving advertising alternatives would gain widespread adoption. The Frankfurt ruling demonstrates that regardless of browser manufacturer policies regarding cookie support, legal compliance obligations under European privacy laws continue requiring verified user consent before third-party tracking deployments.

Advertising technology vendors have invested substantial resources developing Privacy Sandbox implementations, consent management platform integrations, and cookieless measurement methodologies during Chrome's extended deprecation timeline. The Frankfurt judgment confirms that these investments remain necessary for European market operations regardless of third-party cookie technical availability in major browsers. Companies relying on third-party cookies must implement robust consent verification architectures or face exposure to enforcement actions from regulatory authorities, privacy advocacy organizations, and individual litigants seeking damages.

The €100 damages award, while relatively modest compared to potential GDPR administrative fines reaching €20 million or 4% of global annual turnover, creates scalable liability exposure for technology companies serving millions of European users. Organizations deploying cookies without verified consent across thousands of websites could theoretically face damages claims from each affected individual, generating aggregate liability substantially exceeding single regulatory fine amounts. This distributed enforcement risk incentivizes proactive compliance investments rather than reactive responses to regulatory proceedings.

Consent management platform providers are adapting to heightened compliance requirements through enhanced technical capabilities verifying that cookie placement occurs only after affirmative authorization. These developments include Consent API implementations requiring active verification calls before enabling tracking features, compatibility modes facilitating transitions between different platforms, and integrations with major analytics and advertising technology vendors ensuring consent signals reach third-party providers before storage operations occur.

PPC Land Newsletter

Subscribe PPC Land newsletter ✉️ for similar stories like this one

Subscribe

Timeline

PPC Land Newsletter

Subscribe PPC Land newsletter ✉️ for similar stories like this one

Subscribe

Summary

Who: Frankfurt Higher Regional Court issued judgment in case 6 U 81/23 involving a plaintiff who documented cookie placement violations and a defendant technology analytics company providing audience measurement tools through third-party cookie deployment on German websites.

What: The court established that third-party cookie providers bear direct perpetrator liability under Section 25 of Germany's Telecommunications and Digital Services Act when cookies are placed without user consent, regardless of contractual arrangements with website operators requiring consent collection, awarding €100 in damages to plaintiff for privacy violations.

When: The December 11, 2025 appellate ruling addressed violations occurring on March 22, 2022, when plaintiff visited multiple websites and discovered unauthorized cookies, followed by April 27, 2023 Regional Court decision that defendant appealed, with Higher Regional Court affirming modified judgment after October 2, 2025 informal plaintiff hearing.

Where: Frankfurt Higher Regional Court issued the judgment establishing precedent across German jurisdiction with implications for third-party cookie providers serving European Union markets, while defendant operated as technology analytics company with headquarters outside Germany and branch office within German territory enabling jurisdictional application.

Why: The ruling clarifies that Section 25 TDDDG's cookie storage prohibition applies to "everyone" rather than being limited to primary service providers, determining that contractual arrangements between technology companies and website operators cannot shield cookie providers from direct liability when consent verification obligations are not fulfilled before third-party tracking deployment.

Stories like this, in your inbox

Enter your email
Subscribe