VG Hannover - 10 A 5385/22: Difference between revisions

VG Hannover - 10 A 5385/22
Court:	VG Hannover (Germany)
Jurisdiction:	Germany
Relevant Law:	Article 4(11) GDPR Article 6(1) GDPR Article 6(1)(a) GDPR Article 7 GDPR Article 58(2)(d) GDPR NDSG TTDSG
Decided:	19.03.2025
Published:
Parties:
National Case Number/Name:	10 A 5385/22
European Case Law Identifier:
Appeal from:
Appeal to:	Unknown
Original Language(s):	German
Original Source:	VG Hannover (in German)
Initial Contributor:	le

A court ruled on the requirements for the design of a cookie banner.

English Summary

Facts

The controller is a publishing house that publishes newspapers and content on the Internet at www.noz.de. The controller uses a consent banner (so-called cookie wall) on its website.The defendant is the DPA of Lower Saxony (LfDI).

Following a complaint in December 2018 against the use of numerous cookies, in November 2019 the DPA ordered the controller to stop integrating cookies and third-party services on their website without consent.

In November 2019, the company filed case with the Administrative Court of Hanover against the DPA. The proceedings where discontinued and the DPA’s order became final.

The controller then redesigned the consent banner on its website several times.

In 15 November 2022, the DPA carried out a technical test on the controller’s website and found that when it was first accessed, without prior consent, the US service Google Tag Manager was contacted meaning that user data were transmitted to Google’s US server and data were stored on the user's device. Also, a consent banner titled "optimal user experience" appeared with the options to "Accept all" or "Accept & close x". In order to refuse consent users had to scroll down, select the "Settings" button and at the window opened on a second level, the user must check whether the opt-in controls are switched off in order to then select the "Save selection" button.

On 23 November 2022, the DPA issued a decision ordering the controller;

a. To implement the requirements for effective consent in accordance with Article 4(11) and Article 7 GDPR, insofar as this is necessary for the lawfulness of the use of local storage objects, tracking technologies and third-party services;

b. To obtain effective consent for the Google Tag Manager service integrated in the website in accordance with Section 25 (1) of the german Telecommunications-Digital Services Data Protection Act (TTDSG) and Art. 6(1) (a) GDPR or to remove the service; and

c. To comply with the orders within 1 month.

The DPA argued that the consent was not fully informed and voluntary in accordance with Article 4(11) GDPR. At the first level of the banner there was no literal mention that the buttons "Accept all" and "Accept & close x" provide two options for granting consent and also there was no option to refuse consent.

On December 2022, the controller filed a case before Administrative Court of Hanover (Verwaltungsgericht Hannover - VG Hannover) requesting the annulment of the DPA’s order. They argued that the DPA is not responsible for issuing such order, that the controller does not process any personal data, that user’s consent was obtained lawfully and that they process the data to fulfill a legal obligation pursuant to Article 6(1)(c) GDPR.

The DPA responded that the legal basis for the order can be found in Article 58(2)(d) GDPR and § 20 para. 1 of the Lower Saxony Data Protection Act (NDSG).

Holding

First, the court held that the controller processes personal data within the meaning of Article 4(1) GDPR. Cookies stored on end devices that contain IP addresses and individual user’s IDs, as online identifiers, are considered personal data.

Second, the court found that the order under point (a) is materially lawful. The use of cookies and other technologies on the controller's website violates Section 25(1) TTDSG and Article 6(1) GDPR. The setting of these cookies to user’s devices requires effective consent that meets the requirements of Article 4(11) GDPR. The controller’s cookie banner does not meet these requirements because;

1. At the first level the number of the third-party service providers is missing.

2. At the first level the user must scroll down in order to reach the Settings button that gives the possibility to withdraw consent.

3. The overall view of the design of the various levels of the consent banner shows that users are to be specifically directed towards a declaration of consent and their right to choose is to be influenced.

4. The "Accept & close x" button at the top right, is considered non-transparent and surprising design and cannot be assumed that a legally relevant, conscious consent is given.

5. The concept of “consent” was completely absent.

Furthermore, the processing of personal data by the controller is not carried out to fulfill a legal obligation.

Third, it held that the order under point (b) is also lawful. The controller is in breach of Section 25 (1) TTDSG and Article 6(1) GDPR for using the Google Tag Manager service itself without obtaining prior consent from users and that this data processing is also not justified under any legal basis Article 6(1) GDPR.

c. Fourth, the order under point (c) is also lawful under Article 58(2)(d) GDPR.

Lastly, the court decided that the case is unfounded.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

The Lower Saxony judiciary database documents a large portion of the decisions of the administrative courts of Braunschweig, Göttingen, Hanover, Lüneburg, Oldenburg, Osnabrück, and Stade, as well as the Higher Administrative Court. more