German court ruling on cookie consent could impact tag management practices

A German administrative court has ruled that Google Tag Manager requires user consent before activation, potentially affecting how websites implement digital marketing technologies across Europe.

The Verwaltungsgericht Hannover delivered its judgment on March 19, 2025, determining that Google Tag Manager cannot operate without explicit user consent under both German privacy law and the General Data Protection Regulation.

According to the court documents, the case involved a publishing company operating the noz.de website and Lower Saxony's data protection authority. The proceedings emerged after the authority issued orders in November 2022 requiring implementation of effective consent mechanisms and removal of Google Tag Manager services without proper user authorization.

Technical testing conducted by the data protection authority's IT laboratory revealed critical compliance failures. "Upon initial access to the plaintiff's website without prior consent, the US service Google Tag Manager was contacted," the court documentation states, indicating that Google Tag Manager was contacted upon initial website access without prior user consent.

The testing showed that Google Tag Manager transmitted user device data including IP addresses to US servers before any consent interaction occurred. "Data from the end user's device, particularly the IP address, device configuration, country, and referrer URL were also transmitted," according to the court's technical findings.

Additionally, Google stored a JavaScript file named gtm.js on user devices, which was individually customized for each user. "Subsequently, Google stored a JavaScript named gtm.js on the user's end device, which was individually adapted for each user," the court documented.

Legal framework analysis under TTDSG

The court examined Google Tag Manager under the German Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TTDSG), which implements the EU's ePrivacy Directive. Under Section 25 TTDSG, storing information on user devices or accessing already stored information requires explicit user consent unless the activity is strictly necessary for service provision.

The court determined that Google Tag Manager's functions do not qualify for the technical necessity exception under Section 25(2) TTDSG. "Google Tag Manager is neither expressly desired by the user nor absolutely necessary for the provision of a legal obligation of the telemedia service," the ruling states.

The court emphasized that Google Tag Manager serves website operators' interests in facilitating third-party service integration rather than providing direct user benefits. "Google Tag Manager has the function of integrating various services into the website, in particular inserting any tracking codes on websites," according to the judicial analysis.

The decision rejected arguments that Google Tag Manager was necessary for consent management implementation. The court noted that the publishing company used a separate Consent Management Platform from Sourcepoint for consent collection, making Google Tag Manager's consent-related functions redundant.

GDPR violations through personal data processing

Under GDPR analysis, the court found that Google Tag Manager processes personal data including IP addresses and device information without valid legal basis under Article 6. The automatic data transmission to Google's servers occurred before users could provide consent under Article 6(1)(a) GDPR.

The court rejected legitimate interest justification under Article 6(1)(f) GDPR after applying the required three-stage test. While acknowledging the publisher's economic interest in advertising revenue, the analysis concluded that user privacy rights outweighed commercial considerations.

"The transmission of personal data, particularly to Google as one of the most widespread actors on the internet, whose business model includes collecting data for commercial use, cannot be justified with regard to the affected fundamental rights merely for reasons of convenience," the court stated, emphasizing that convenience cannot justify personal data transmission to major data collectors.

Technical alternatives and compliance requirements

The court explicitly addressed claims about Google Tag Manager's technical necessity, finding that alternative solutions exist for website code management. "Google Tag Manager is neither expressly desired by the user nor absolutely necessary for the provision of a legal obligation of the telemedia service," according to the ruling.

The decision noted that other tag management systems and custom solutions can achieve similar functionality without requiring Google's infrastructure. "The control and management of the sequence and use of program code can also be done with other tools, for example by means of an in-house development, open software or another consent management tool," the court documented.

For compliance, the court ordered the publishing company to either obtain valid consent for Google Tag Manager or remove the service entirely. This dual approach recognizes that organizations can choose between implementing proper consent mechanisms or adopting alternative technical solutions.

Broader implications for tag management

The Hannover decision extends beyond Google Tag Manager specifically to address fundamental questions about tag management consent requirements. The court's reasoning about non-essential services requiring user authorization applies to similar technical implementations across the marketing technology ecosystem.

Most commercial tag management platforms operate through comparable mechanisms of loading third-party code and storing information on user devices. The judicial framework emphasizing user choice over technical convenience suggests similar consent requirements for competing services including Adobe Launch, Tealium IQ, and other major platforms.

The ruling also impacts consent management platform configurations that integrate with tag managers. Organizations must ensure that consent collection occurs before any tag manager activation rather than using tag managers to load consent interfaces, which creates circular dependency issues.

Industry adaptation strategies

Following the judicial decision, digital marketing professionals have begun reassessing tag management implementations to ensure compliance with consent requirements. Best practices now emphasize loading consent management platforms independently from tag managers to maintain proper sequencing.

Some organizations are exploring server-side tag management solutions that minimize client-side processing until after consent collection. This architectural approach addresses the court's concerns about automatic data transmission while preserving marketing technology functionality.

The decision has prompted enhanced documentation of technical necessity claims for various marketing technologies. Organizations must now evaluate whether their implementations truly require specific tag management services or whether alternative solutions could achieve similar objectives with reduced privacy impact.

Timeline

• November 2022: Lower Saxony data protection authority issues orders requiring effective consent mechanisms and Google Tag Manager compliance for noz.de website
• March 19, 2025: Verwaltungsgericht Hannover delivers ruling determining Google Tag Manager requires explicit user consent under TTDSG and GDPR
• July 2021: Google introduces Consent Initialization trigger in Tag Manager for improved consent management
• August 2024: Google Tag Manager introduces Consent Mode Override Setting for enhanced privacy controls
• October 2024: Google introduces new Tag Diagnostics features for data gaps and tag placement
• March 2025: Google tag begins leveraging service workers to enhance data collection capabilities
• June 2025: Google adds Tag Diagnostics to Analytics consent settings hub for streamlined compliance verification

Key Terms Explained

Google Tag Manager

Google Tag Manager represents a widely-used web analytics and marketing tool that enables website owners to deploy tracking codes and third-party services without directly modifying website code. The Hannover court's analysis revealed that Google Tag Manager automatically activates during page loading, storing JavaScript files on user devices and establishing connections to external servers before any consent interaction occurs. According to the court documentation, "upon initial access to the plaintiff's website without prior consent, the US service Google Tag Manager was contacted." This technical behavior formed the foundation for the court's determination that the service requires explicit user authorization under both German privacy law and GDPR frameworks.

TTDSG (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz)

The German Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz implements the European Union's ePrivacy Directive within German national law, establishing specific requirements for accessing and storing information on user devices. Under TTDSG Section 25, any non-essential storage or access requires explicit user consent before implementation. The Hannover court applied this framework to determine that Google Tag Manager constitutes a non-essential service requiring authorization. The court stated that "Google Tag Manager is neither expressly desired by the user nor absolutely necessary for the provision of a legal obligation of the telemedia service."

GDPR (General Data Protection Regulation)

The General Data Protection Regulation provides the overarching European framework for personal data protection, establishing requirements for lawful processing, user consent, and individual rights. The Hannover court's GDPR analysis focused on whether Google Tag Manager's data processing activities met legal basis requirements under Article 6. The decision emphasized that personal data processing for commercial purposes requires either explicit consent or compelling legitimate interests that do not override user privacy rights. The court found that Google Tag Manager processes personal data without valid legal basis under any Article 6 provision.

Personal Data Processing

Personal data processing encompasses any operation performed on information that can identify or relate to specific individuals, including collection, storage, transmission, and analysis activities. The court found that Google Tag Manager processes personal data including IP addresses, device identifiers, and behavioral information through various technical mechanisms. According to the ruling, "data from the end user's device, particularly the IP address, device configuration, country, and referrer URL were also transmitted." This processing occurred without valid legal basis under GDPR Article 6, as the publisher failed to demonstrate either adequate consent or legitimate interests justification.

IP Addresses

Internet Protocol addresses serve as unique identifiers for devices accessing online services and constitute personal data under European privacy frameworks when processors can reasonably identify specific individuals. The Hannover court's technical analysis revealed that Google Tag Manager automatically transmits user IP addresses to external servers during initial page loading without prior consent. These transmissions occurred alongside device configuration data and referrer information, enabling detailed user profiling and tracking across multiple websites. The decision reinforces that IP address processing requires explicit legal basis under GDPR requirements.

JavaScript Storage

JavaScript storage refers to the placement of executable code files on user devices to enable dynamic website functionality and data collection capabilities. The court's technical testing revealed that Google Tag Manager stores customized JavaScript files on user devices without prior consent. "Subsequently, Google stored a JavaScript named gtm.js on the user's end device, which was individually adapted for each user," according to the court documentation. This storage mechanism enables persistent tracking and data collection across website visits, requiring explicit user authorization under TTDSG and GDPR frameworks.

Data Protection Authority

Data protection authorities serve as regulatory enforcement agencies responsible for monitoring compliance with privacy laws and investigating violations within their jurisdictions. Lower Saxony's data protection authority initiated the proceedings against the publishing company after receiving complaints about consent practices and conducting technical testing of the website implementation. The authority's IT laboratory analysis provided crucial evidence about Google Tag Manager's automatic activation and data transmission patterns. These regulatory bodies possess significant enforcement powers including financial penalties and operational restrictions for non-compliant organizations.

Legitimate Interest Assessment

Legitimate interest represents one of six legal bases for personal data processing under GDPR Article 6, requiring organizations to demonstrate compelling business needs that do not override individual privacy rights. The Hannover court applied a three-stage test examining whether legitimate interests existed, whether data processing was necessary for those interests, and whether user rights took precedence. The analysis concluded that advertising revenue generation did not justify extensive personal data collection without consent. The court emphasized that "the transmission of personal data, particularly to Google as one of the most widespread actors on the internet" cannot be justified merely for convenience reasons.

Technical Necessity Exception

Technical necessity exceptions under privacy law allow certain data processing activities without explicit consent when they are essential for providing user-requested services. The court examined whether Google Tag Manager qualified for the technical necessity exception under TTDSG Section 25(2). The analysis determined that Google Tag Manager primarily serves website operators' commercial interests rather than essential technical functions. "Google Tag Manager has the function of integrating various services into the website, in particular inserting any tracking codes on websites," the court noted, emphasizing that these functions benefit publishers rather than users directly.

Consent Management Platform

A Consent Management Platform serves as the technical infrastructure for collecting, storing, and managing user consent preferences across websites and digital services. The court noted that the publishing company used a separate Consent Management Platform from Sourcepoint for consent collection, making Google Tag Manager's consent-related functions redundant. The ruling established that proper consent management must occur before any tag manager activation rather than using tag managers to load consent interfaces. This separation ensures that consent collection happens independently of the services requiring authorization, preventing circular dependency issues in technical implementation.

Summary

Who: The Verwaltungsgericht Hannover (Administrative Court of Hannover) ruled against a German publishing company operating noz.de in a case brought by Lower Saxony's data protection authority.

What: The court determined that Google Tag Manager requires explicit user consent before activation under both German privacy law (TTDSG) and the General Data Protection Regulation, finding that the service automatically processes personal data and stores information on user devices without authorization.

When: The judicial decision was delivered on March 19, 2025, addressing orders originally issued by the data protection authority in November 2022.

Where: The ruling occurred in Germany but establishes precedent that could influence similar cases across the European Union, particularly regarding ePrivacy Directive implementation and GDPR enforcement for tag management services.

Why: The court emphasized that Google Tag Manager serves commercial interests rather than essential technical functions, automatically transmits personal data to external servers, and stores customized JavaScript files on user devices before consent collection, violating both TTDSG requirements for device access and GDPR provisions for personal data processing.