Thuringian Higher Regional Court sentences Meta Group to pay €3,000 in GDPR damages for large-scale tracking of internet use without valid consent, including sensitive health data.
Germany's wave of court rulings against Meta's data collection practices reached a new appellate level on March 2, 2026, as the 3rd Civil Senate of the Jena Higher Regional Court - the appeal court for Thuringia - sentenced the Meta Group to pay €3,000 in damages to a single consumer for systematic data protection violations. The judgment, issued under case reference Az. 3 U 31/25, marks the fourth Higher Regional Court ruling in Germany to find in favour of a claimant in such proceedings, and the highest damages amount awarded at that level of German appellate jurisdiction so far.
The Thuringian court published its press release on March 2, 2026, authored by Dr. Gunther Biewald, Deputy Chairman of the Board of Directors and Media Spokesperson. The ruling is not yet final. According to the court, the Senate has allowed an appeal to the Federal Court of Justice - Germany's supreme civil court.
The core of the judgment centres on Meta's Business Tools - a suite of technologies the company distributes to website and app operators. According to the Senate's findings, these tools enable Meta to track internet use by members of its social networks on a large scale. The court identified a particularly sensitive dimension to this tracking. The Business Tools also generate sensitive personal data, including information on health issues - for example, when a user researches mental disorders, searches for therapeutic help via doctor portals, or orders medication from an online pharmacy.
Crucially, the Senate found that this data collection occurs even when the individuals concerned are not logged in to the social network and have not given effective consent to the data transmission. This element - tracking without any active authenticated session and without valid consent - sits at the heart of the legal dispute.
The Senate reached a clear conclusion: the data processing by Meta is not justified. According to the court, it "represents a system of data collection without cause that contradicts basic principles of European data protection law such as transparency, purpose limitation and data minimization." That language references three of the foundational principles established in Article 5 of the General Data Protection Regulation.
The Senate awarded the plaintiff consumer €3,000. The court justified this amount with reference to "a long-lasting and far-reaching record of a considerable part of his private life" - language that anchors the monetary award in the duration and breadth of the privacy intrusion rather than in any specific financial loss suffered by the claimant.
Beyond damages, the Meta Group has also been ordered to provide comprehensive information about the plaintiff's personal data collected by it, and to delete it. This combination - monetary compensation, information access, and deletion - follows a pattern visible in other German court proceedings against Meta.
The Jena ruling does not exist in isolation. It forms part of a broader pattern of German appellate courts issuing judgments against Meta's Business Tools infrastructure. As Thomas Bindl, founder of EuGD.org and a commentator on privacy and marketing strategy, noted in a LinkedIn post following the announcement: out of 24 Higher Regional Court districts in Germany, four have so far ruled, and all four have found in favour of claimants, with damages ranging between €250 and €3,000.
That geographic spread - from Saxony to Thuringia - and the consistent direction of the rulings creates a picture that is significant for any legal assessment of where the Federal Court of Justice might ultimately land.
The Dresden Higher Regional Court delivered what were described as the first legally binding final rulings of their kind in Germany on February 3, 2026, less than four weeks before the Jena judgment. In those proceedings, the 4th Civil Senate ordered Meta to pay €1,500 per plaintiff to four Saxon Instagram and Facebook users, and critically, excluded Meta's right to appeal to the Federal Court of Justice - a particularly severe procedural outcome. The Dresden panel determined the legal situation to be so clear that no further appellate review was warranted.
That contrasts with the Jena approach. In Thuringia, the Senate has allowed revision to the Federal Court, which means the case will likely produce a supreme court ruling at some point. That is a significant difference: whereas the Dresden judgments are final and binding, the Jena ruling opens a path to the highest civil court, where the trajectory of individual claims against Meta's tracking infrastructure will be decided at the national level.
Earlier, on July 4, 2025, the Leipzig District Court awarded €5,000 to a Facebook user for data protection violations involving the same Business Tools framework - the highest individual award in German proceedings to date. That ruling relied exclusively on Article 82 of the GDPR, rather than national personality rights law, distinguishing it methodologically from rulings in other courts.
The Munich Higher Regional Court granted €750 in a December 2025 ruling that did permit revision to the Federal Court. The spread of amounts - €750, €1,500, €3,000, €5,000 - across different courts and different legal bases reflects the absence, so far, of a unified federal standard. The Jena decision now sits toward the top of that range.
Understanding why these rulings matter requires understanding what Meta's Business Tools actually do. The infrastructure operates through technologies including Meta Pixel, Conversions API, App Events via Facebook SDK, Offline Conversions, and App Events API. These tools are embedded by website and app operators across millions of online properties, transmitting user data to Meta's servers where it undergoes processing for purposes that include - but are not limited to - personalised advertising.
The Thuringia court's findings on health-related data deserve particular attention. When a person visits a website that deals with mental health disorders, fertility clinics, addiction treatment, or online pharmacies, the presence of Meta's Business Tools on that site can result in that visit being logged and associated with that user's profile. The court found this occurs regardless of whether the person is logged in to Facebook or Instagram at the time. This is the mechanism that makes the tracking particularly sensitive under Article 9 GDPR, which sets stricter conditions for processing special categories of personal data including health information.
For website operators, this creates a compliance exposure that goes beyond Meta itself. German courts have confirmed that third-party cookie providers bear direct liability without consent under a December 11, 2025 Frankfurt Higher Regional Court ruling in case 6 U 81/23. Under that ruling, website operators implementing Meta's tracking tools may share liability for GDPR violations alongside the platform.
The Jena judgment invokes three core GDPR principles. Transparency requires that individuals know how their data is being used. Purpose limitation requires that data collected for one stated purpose not be repurposed without a fresh legal basis. Data minimisation requires that only the data necessary for the stated purpose be collected. According to the court, Meta's Business Tools system fails on all three counts.
That framing connects to a broader European enforcement trajectory. German data protection authorities established unified fine procedures in June 2025 through model guidelines known as MRiDaVG, designed to create consistent enforcement across federal and state jurisdictions. Total GDPR fines have reached €4.2 billion across the EU since 2018 implementation.
The German Federal Court of Justice issued its own GDPR compensation ruling on January 28, 2025, clarifying that a violation alone does not automatically establish a compensation claim - the plaintiff must separately prove actual damage. The Jena court navigated that requirement by pointing to the long-lasting and far-reaching record of private life data being captured. That formulation - duration and scope - may prove to be the template that successor cases build on.
The Jena ruling is one data point in a much larger map of litigation and regulatory action against Meta across Europe. In November 2025, a Madrid court ordered Meta to pay €479 million to Spanish digital publishers for competitive advantages gained through GDPR violations between 2018 and 2023. That case applied unfair competition law to calculate damages based on advertising revenues derived from unlawful data processing - a different legal mechanism but the same underlying factual findings about how Meta's advertising system operates.
In December 2025, the Austrian Supreme Court issued its final judgment in a case brought by privacy advocate Max Schrems, ordering Meta to provide complete access to all personal data collected about him and awarding €500 in damages. That ruling addressed the right of access under Article 15 GDPR and the prohibition on processing sensitive data without proper legal basis.
Germany itself has emerged as a testing ground for platform accountability across multiple legal frameworks. A November 2025 research paper by EU DisinfoLab mapped how German courts and regulators deploy the Digital Services Act, GDPR, AI Act, and competition law to expose how platform architectures shape visibility and influence user behaviour. The researchers identified Meta's Business Tools specifically as the data infrastructure underlying algorithmic targeting systems.
Meanwhile, Meta's shareholder lawsuit settled for $190 million in November 2025 in a Delaware court filing, resolving seven years of litigation stemming from the Cambridge Analytica scandal. The settlement reflects the cumulative financial weight of years of privacy enforcement across jurisdictions.
The Senate's decision to allow revision to the Federal Court of Justice sets the Jena case apart from Dresden's final rulings. At the Federal Court, the question will shift from whether Meta's practices violate German law to how those violations should be assessed consistently across all German courts. Approximately 10,000 claims from German internet users against Meta Platforms are currently pending in German courts for data protection violations, according to information cited in earlier Dresden proceedings. A Federal Court ruling would set binding precedent for all of those.
The Dott. Chiara Rustici, Chief Privacy Officer and AI governance specialist, asked in comments on the LinkedIn post whether the €3,000 figure represents a single individual's award or a class action amount. The clarification followed quickly: the €3,000 is awarded to a single individual. That matters for the mathematics of potential total exposure. If a Federal Court ruling were to endorse similar compensation amounts for large numbers of claimants, the aggregate figures could become substantial.
Berlin law firm BK Baumeister & Kollegen, which represented the plaintiffs in the Dresden proceedings, reportedly represents more than 7,000 plaintiffs with legal expense insurance coverage in proceedings before German courts. Cases are filing continuously.
For the marketing community, the significance of this ruling - and the broader pattern it represents - lies in what the Business Tools infrastructure actually is to advertisers. Meta Pixel, Conversions API, and related technologies are the measurement and optimisation backbone of countless advertising campaigns. Website operators embed these tools to measure whether ad clicks lead to purchases, to build custom audiences, and to train Meta's automated bidding systems.
The courts are finding that this infrastructure, as currently implemented, violates European data protection law. Every Higher Regional Court in Germany that has examined the question has reached the same conclusion. That is a signal that carries operational weight for marketing teams running campaigns that rely on these tools to track conversions on websites serving European users.
The Frankfurt court's December 2025 ruling extended that liability further: not just to Meta as the tool provider, but to technology companies placing third-party cookies, and potentially to website operators themselves. The ruling in case 6 U 81/23 found that Section 25 of Germany's Telecommunications and Digital Services Act applies to "everyone" involved in cookie placement, not merely website operators.
For advertisers, the core practical question raised by this string of rulings is whether their current consent management implementations - the cookie banners and preference centres that appear on European websites - actually generate the kind of effective consent that courts are requiring. The Jena court found that Meta's data collection continues even when "the data subjects are not logged in to the social network and have not given effective consent to the data transmission." That is the legal standard being applied: not merely that a user clicked accept somewhere, but that the specific data transmission in question was covered by an effective and informed consent.
Who: The 3rd Civil Senate of the Jena Higher Regional Court (the Thuringian appellate court), ruling in case Az. 3 U 31/25, sentenced the Meta Group following a case brought by a private consumer, with the press release authored by Dr. Gunther Biewald, Deputy Chairman of the Board of Directors and Media Spokesperson.
What: The court found Meta's Business Tools - the tracking infrastructure it distributes to website and app operators, including Meta Pixel and related technologies - constitutes a system of data collection without legal justification that violates the GDPR principles of transparency, purpose limitation, and data minimisation. The court awarded €3,000 in damages to a single individual, and ordered Meta to provide full information about and delete the plaintiff's personal data. Sensitive health-related data, gathered even when users were not logged in and had not given effective consent, was central to the findings.
When: The judgment was announced on March 2, 2026, with the Thuringian Higher Regional Court publishing its press release on that date. The verdict is not yet final, with an appeal to the Federal Court of Justice permitted.
Where: The ruling was issued by the Jena Higher Regional Court in Thuringia, Germany. The case has broader implications across the European Union, where Meta's Business Tools infrastructure operates identically across member states under GDPR jurisdiction.
Why: German courts have consistently found that Meta's Business Tools collect personal data - including sensitive health data - from users who are not logged in and have not given effective consent, violating foundational European data protection law. Out of four Higher Regional Court districts in Germany that have ruled on similar cases, all four found in favour of claimants, with damages between €250 and €3,000. The case is part of an ongoing wave of litigation in German courts, where approximately 10,000 claims are pending against Meta for data protection violations.
