VG Hannover - 10 A 5385/22: Difference between revisions
Revision as of 07:37, 4 June 2025
VG Hannover - 10 A 5385/22 | |
---|---|
Court: | VG Hannover (Germany) |
Jurisdiction: | Germany |
Relevant Law: | Article 4(11) GDPR; Article 6(1) GDPR; Article 6(1)(a) GDPR; Article 7 GDPR; Article 58(2)(d) GDPR; NDSG; TTDSG |
Decided: | 19.03.2025 |
Published: | |
Parties: | |
National Case Number/Name: | 10 A 5385/22 |
European Case Law Identifier: | |
Appeal from: | |
Appeal to: | Unknown |
Original Language(s): | German |
Original Source: | Wolters Kluwer (in German) |
Initial Contributor: | le |
A court ruled that a controller did not collect effective consent in order to set cookies on users' devices and that its website cookie banner design was deceptive.
English Summary
Facts
The controller is a publishing house that publishes newspapers and content on the Internet at www.noz.de. The controller uses a consent banner (so-called cookie wall) on its website. The defendant is the DPA of Lower Saxony (LfDI).
On 15 November 2022, the DPA carried out a technical test on the controller’s website and found that when it was first accessed, without prior consent, the US service Google Tag Manager was contacted, meaning that user data were transmitted to Google’s US server and data were stored on the user's device. Also, a consent banner titled "optimal user experience" appeared with the options to "Accept all", in the middle of the banner, or "Accept & close x", at the top right (the x referring to the symbol used to close a window). In order to refuse consent, users had to scroll down, select the "Settings" button and, in the window that opened on a second level, check whether the opt-in controls were switched off before selecting the "Save selection" button.
On 23 November 2022, the DPA issued a decision ordering the controller:
a. To implement the requirements for effective consent in accordance with Article 4(11) and Article 7 GDPR, insofar as this is necessary for the lawfulness of the use of local storage objects, tracking technologies and third-party services;
b. To obtain effective consent for the Google Tag Manager service integrated in the website in accordance with Section 25 (1) of the German Telecommunications-Digital Services Data Protection Act (TTDSG) and Art. 6(1) (a) GDPR or to remove the service; and
c. To comply with the orders within 1 month.
The DPA argued that the consent was not fully informed and voluntary in accordance with Article 4(11) GDPR. At the first level of the banner there was no literal mention that the buttons "Accept all" and "Accept & close x" provide two options for granting consent and also there was no option to refuse consent.
In December 2022, the controller filed a case before the Administrative Court of Hanover (Verwaltungsgericht Hannover - VG Hannover) requesting the annulment of the DPA’s order. They argued that the DPA is not responsible for issuing such an order, that the controller does not process any personal data, that users' consent was obtained lawfully and that they process the data to fulfill a legal obligation pursuant to Article 6(1)(c) GDPR.
The DPA responded that the legal basis for the order can be found in Article 58(2)(d) GDPR and § 20 para. 1 of the Lower Saxony Data Protection Act (NDSG).
Holding
First, the court held that the controller processes personal data within the meaning of Article 4(1) GDPR. Cookies stored on end devices that contain IP addresses and individual user IDs, as online identifiers, are considered personal data.
Second, the court found that the order under point (a) is materially lawful. The use of cookies and other technologies on the controller's website violates Section 25(1) TTDSG and Article 6(1) GDPR. Setting these cookies on users' devices requires effective consent that meets the requirements of Article 4(11) GDPR. The controller’s cookie banner does not meet these requirements because:
1. At the first level the number of the third-party service providers is missing.
2. At the first level the user must scroll down in order to reach the Settings button that gives the possibility to withdraw consent.
3. The overall view of the design of the various levels of the consent banner shows that users are to be specifically directed towards a declaration of consent and their right to choose is to be influenced.
4. The "Accept & close x" button at the top right is considered a non-transparent and surprising design, and it cannot be assumed that a legally relevant, conscious consent is given.
5. There was no literal mention of “consent”.
Furthermore, the processing of personal data by the controller is not carried out to fulfill a legal obligation.
Third, it held that the order under point (b) is also lawful.
The controller is in breach of Section 25 (1) TTDSG and Article 6(1) GDPR for using the Google Tag Manager service itself without obtaining prior consent from users, and this data processing is also not justified under any legal basis in Article 6(1) GDPR.
Fourth, the order under point (c) is also lawful under Article 58(2)(d) GDPR.
Lastly, the court decided that the case is unfounded.
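The check the DPA's lab test performed (which third-party hosts are contacted, and which identifier-style cookies are set, before any consent action) can be automated over a recorded first page load. The following Python is an added example, not part of the decision or of this summary; the event format, the `.example` hosts, the GTM container ID and the `allowed_before_consent` allowlist are constructed assumptions, and the cookie-name heuristic follows the names the decision cites (UID, user-id, subscriber-id, consentUUID, sp_v1_uid).

```python
import re
from urllib.parse import urlsplit

FIRST_PARTY = "noz.de"  # site named in the decision

# Split cookie names on separators and camelCase: "consentUUID" -> consent, UUID
TOKEN = re.compile(r"[A-Z]+(?![a-z])|[A-Z]?[a-z]+|\d+")


def looks_like_identifier(cookie_name):
    """Heuristic: the name carries a uid / uuid / user-id / subscriber-id token."""
    tokens = [t.lower() for t in TOKEN.findall(cookie_name)]
    pairs = {a + b for a, b in zip(tokens, tokens[1:])}  # "user","id" -> "userid"
    return bool((set(tokens) | pairs) & {"uid", "uuid", "userid", "subscriberid"})


def is_third_party(host, first_party=FIRST_PARTY):
    return not (host == first_party or host.endswith("." + first_party))


def audit(events, allowed_before_consent=frozenset(), first_party=FIRST_PARTY):
    """Return findings for everything that happened before the first consent event.

    allowed_before_consent: hosts the operator has assessed and documented as
    strictly necessary (hypothetical parameter, an assumption of this example).
    If the recording contains no consent event, every request counts as pre-consent.
    """
    ordered = sorted(events, key=lambda e: e["t"])
    consent_at = next((e["t"] for e in ordered if e["kind"] == "consent"), None)
    findings = []
    for e in ordered:
        if e["kind"] != "request":
            continue
        if consent_at is not None and e["t"] >= consent_at:
            continue  # after the user acted on the banner
        host = (urlsplit(e["url"]).hostname or "").lower()
        if is_third_party(host, first_party) and host not in allowed_before_consent:
            findings.append(("third-party-request-before-consent", host))
        # Identifier cookies are reported even for allowlisted hosts, for review.
        for name in e.get("set_cookies", []):
            if looks_like_identifier(name):
                findings.append(("identifier-cookie-before-consent", name))
    return findings


# Constructed sample recording (t = milliseconds since navigation start).
SAMPLE_EVENTS = [
    {"t": 0, "kind": "request", "url": "https://www.noz.de/", "set_cookies": []},
    {"t": 120, "kind": "request",
     "url": "https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX",  # placeholder ID
     "set_cookies": []},
    {"t": 300, "kind": "request", "url": "https://cmp.example/banner.js",
     "set_cookies": ["consentUUID"]},
    {"t": 5000, "kind": "consent", "action": "accept_all"},
    {"t": 5100, "kind": "request", "url": "https://ads.example/sync",
     "set_cookies": ["user-id"]},
]

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_EVENTS, allowed_before_consent={"cmp.example"}):
        print(f"{kind}: {detail}")
```

Run it against a fresh browser profile's recording, so that earlier consent decisions stored on the device do not mask first-visit behaviour.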
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Hanover Administrative Court
Judgement of 19.03.2025, Ref.: 10 A 5385/22

Official guiding principle

1. The State Commissioner for Data Protection is authorized under Section 20 (1) NDSG in conjunction with Art. 58 GDPR to monitor compliance with Section 25 TTDSG as an "other provision of data protection law".
2. The design of a cookie consent banner with two levels, in which the first level only contains the options "Accept all", "Accept & close x" and "Settings", the second level contains the options "Accept all" and "Save selection" in addition to various drop-down menus and which always reappears when the "Save selection" button is selected when the website is called up, directs the users of the website in the overall view specifically to the submission of consent. Consent is therefore not voluntary within the meaning of Section 25 (1) TTDSG, Art. 4 No. 11 GDPR.
3. The design of a cookie consent banner with the button "Accept & close x" in the upper right corner leads to the ineffectiveness of the consent, because it is neither an unambiguously given nor a voluntary declaration within the meaning of Section 25 (1) TTDSG, Art. 4 No. 11 GDPR.
4. The use of the Google Tag Manager service requires consent in accordance with Section 25(1) TTDSG and Art. 6(1)(a) GDPR.

In the administrative law case

Company A., limited liability company, this legally , A-Straße, A-Stadt
- Plaintiff -
Attorney of record: Attorney B., B-Straße, B-Stadt

against

State Commissioner for Data Protection in Lower Saxony, Prinzenstraße 5, 30159 Hanover
- Defendant -

concerning orders for measures pursuant to Art. 58(2) GDPR

the Hanover Administrative Court - 10th Chamber - ruled at the trial on 19 March 2025 by the Vice-President of the Administrative Court, Ms Reccius, Judge Dr Haake, Judge at the Administrative Court, Ms Gogolin, and the honorary judges Mr Fahlbusch and Mr Plate:

Tenor:

The action is dismissed. The applicant is ordered to pay the costs. The decision is provisionally enforceable on account of the costs. The enforcement debtor may avert enforcement by providing security amounting to 110% of the enforceable amount, unless the enforcement creditor provides security amounting to 110% of the amount to be enforced prior to enforcement.

Facts of the case

The plaintiff seeks the annulment of an order by which the defendant instructed the plaintiff to obtain and implement effective consent for the use of cookies on its website.

The plaintiff is a publishing house that publishes newspapers and also publishes journalistic-editorial content on the internet. This also takes place on the plaintiff's website, which can be accessed on the internet at www.noz.de. The plaintiff makes the content on the site available to users partly free of charge and partly for paying subscribers to the "NOZ+" service. It finances the online offering through advertising, among other things.

Following a complaint on December 4, 2018 against the use of numerous cookies from the services and service providers "Google Analytics", "Google Double Click", Facebook Inc, OpenX Software Ltd, Outbrain UK Limited and Teads SA on the plaintiff's website, the defendant issued an order on November 21, 2019 to no longer integrate cookies and third-party services on the website without consent. On November 28, 2019, the plaintiff brought an action against this order before the administrative court in Hanover. The proceedings under case no. 10 A 5580/19 were discontinued by order of January 28, 2021 after the action was withdrawn, meaning that the decision of November 21, 2019 became final.

The plaintiff then redesigned the consent banner on its website several times. In February 2021, at the defendant's request, it completed a questionnaire and supplementary Excel tables on the use of cookies, other tracking mechanisms and third-party services on its website.
By letter dated July 27, 2022, the defendant informed the plaintiff of its legal assessment of the redesigned website and invited it to comment. On August 25, 2022, the plaintiff informed the defendant that it had made its desired adjustments to its website to ensure data protection compliance. Furthermore, it was of the opinion that various requirements asserted by the defendant in the consent banner were not necessary.

On November 15, 2022, the defendant conducted a technical test in its IT laboratory on the plaintiff's website. As part of the test, the defendant found that when the plaintiff's website was first accessed without prior consent, the US service Google Tag Manager was contacted, which facilitates the integration of other code fragments and thus other services into a website. This was done by transmitting an ID to Google and establishing a connection to the US server www.googletagmanager.com. Data from the user's end user device, in particular the IP address, device configuration, country and referrer URL, was also transmitted. Google then stored a JavaScript file called gtm.js on the user's end user device, which was customized for each user.

When the website was first accessed, a consent banner appeared in the middle of the website as an overlay window. At the same time, the main page underneath darkened and, apart from scrolling on the website, no action in the form of opening posts or clicking on links was possible (so-called cookie wall):

[Image in the original decision]

When scrolling, there were references to the right to revoke the selection made and to the use of technically necessary cookies as well as the information that the consent also authorizes the processing of data in third countries, in particular the USA, in accordance with Art. 49 para. 1 lit. a GDPR. When clicking on "Accept all" or "Accept & close x", the banner disappeared and the content of the website could be read.
When the "Settings" button was selected, a window opened on the second level of the consent banner:

[Image in the original decision]

When clicking on the drop-down menu, the first three menu items listed different types of cookies, the use of which could be switched on or off using the slider. There was no such button next to the menu items "Special categories" and "Functions". When clicking on the drop-down menu, further purposes of the processing of personal data were listed and active. When expanding further submenus and selecting the "Show all" function, a list of up to fifty vendors and third-party service providers was displayed, whereby tracking by these was not shown as deselectable. When selecting the "Save selection" button instead of "Accept all" on the first or second level, the consent banner reappeared each time the website was opened. When clicking on the "Accept all" button on the first or second level or on "Accept & close x" in the consent banner, further cookies were set, third-party service providers were contacted and objects were stored in local storage on the end user devices.

The plaintiff used a so-called Consent Management Platform, or CMP for short, to manage the user preferences set as part of the interaction with the consent banner. This complied with the requirements of an industry standard called "IAB Europe Transparency and Consent Framework (TCF 2.0)". The TCF provides the technical infrastructure for requesting and transmitting user consent between publishers, advertisers, marketers, agencies and the respective technology partners. Once user consent has been requested, the TC string, a coded character string, is stored on the user's device by the CMP. The TC-String contains the relevant information with regard to the user consent and serves as a means of communication.

In a decision dated November 23, 2022, the defendant ordered the plaintiff to pay the costs of the following within one month

1.a. to implement on the website www.noz.de the requirements for effective - in particular informed and voluntary - consent in accordance with Art. 4 No. 11 and Art. 7 GDPR, insofar as this is necessary for the lawfulness of the use of local storage objects, tracking technologies and third-party services,
1.b. to obtain effective consent for the Google Tag Manager service integrated on the website in accordance with Section 25 (1) TTDSG and Art. 6 (1) (a) GDPR or to remove the service from the website www.noz.de (...).

The defendant justified the order under point 1.a. by stating that the consent banner used on the plaintiff's website violated Section 25 (1) TTDSG and Art. 6 (1) GDPR. User data is obtained and processed through the use of local storage objects and tracking technologies such as cookies and third-party services on the plaintiff's website. Consent is required in accordance with both Section 25 TTDSG and Art. 6 para. 1 GDPR: The storage of information on users' end user devices and the reading and forwarding of information already stored in users' end user devices requires consent pursuant to Section 25 (1) TTDSG, which must comply with the requirements of the GDPR pursuant to Section 25 (1) sentence 2. Consent is also not dispensable pursuant to Section 25 (2) TTDSG. There is no exception to the consent requirement for the storage and reading of information pursuant to Section 25 (2) No. 2 TTDSG, in particular for the 122 integrated third-party services. The storage and sharing of information on or from the end user devices of the website users also leads to the processing of personal data, namely the IP address and individual user IDs, so that consent is also required in accordance with Art. 6 para. 1 lit. a GDPR.

The user consents obtained on the website by means of the banner are not effective, as the banner does not comply with the requirements of Art. 4 No. 11 and Art. 7 GDPR.
In particular, the consent was not fully informed and voluntary in accordance with Art. 4 No. 11 GDPR. On the one hand, the consent would not be fully informed. The design of the consent banner on several levels is permissible for reasons of practicability. However, before giving consent, the user must be provided with all information that enables them to assess the impact of their consent on them and their personal data. However, since most users only read the first level of a consent banner, it is necessary to provide the relevant information there. At the first level of the banner, the title is already misleading when it talks about an "optimal user experience". However, there is no literal mention of the fact that clicking on "Accept all" or "Accept & close x" constitutes consent. In this respect, many users may not understand that a legally relevant declaration is being made. In order to see information about the reservation of revocation and the transfer to third countries such as the USA, the user would also have to scroll down within the banner. However, experience shows that users do not scroll to the end of the banner before selecting a button at the end of the banner. The scope of the consent given by clicking on the "Accept all" button is also intransparent: it is not clear that several legally binding consents are given in relation to three different legal bases (Section 25 (1) TTDSG, Art. 6 (1) lit. a, Art. 49 (1) lit. a GDPR). In particular, a separate consent pursuant to Art. 49 GDPR is necessary and it is not possible to bundle this with the consents pursuant to Section 25 TTDSG and Art. 6 para. 1 lit. a GDPR. The specific number of third-party service providers involved as recipients of data is also missing. The number is decisive, as this is relevant information for the user's decision as to whether they click on the second level ("Settings") or on the linked list of partners for further information. On the other hand, consent is not voluntary. 
On the first level of the consent banner, a rejection button or another clearly recognizable option not to give consent is required due to the specific design through the use of the cookie wall. In the analog world, a data subject does not usually have to declare that he or she does not wish to consent to data processing, but can simply remain inactive. If the design of the consent banner forces a decision for or against consent in order to be able to use the website, a user must at least be able to express their refusal without additional effort compared to giving consent. For consent to be voluntary, the decision not to give consent must be equally possible. If there is only the alternative of leaving the website, this is not sufficient for consent to be given voluntarily, especially as the plaintiff is a daily newspaper with a strong regional presence. On the plaintiff's website, the design of the consent banner artificially constructs a considerable additional effort. This is also not only marginal, but in the overall view a noticeable disadvantage for the persons concerned: If a user wanted to deny their consent as far as possible, they would first have to click on the "Settings" button on the first level and then open all the drop-down menus on the second level to check whether there are still setting and selection options on the other levels and how these are preset before clicking on "Save selection". Since the list of third-party services and vendors for the purposes set to "OFF" and the five other purposes listed under "Special categories" and "Functions", which are shown as not deselectable, is almost identical in terms of the number and the specific third-party services, the user has the impression that he can at best only slightly influence the processing of his personal data even at the second level. 
Using the "Save selection" button at the second level leads to an additional effort of one click plus the very time-consuming unfolding of menu items and scrolling in order to fully grasp the content. Even if the user takes the trouble to open all the submenus, they must ultimately come to the conclusion that even if consent is refused as far as possible, around fifty third-party service providers will remain active on the website and process their user data. Moreover, users could not know at the first level of the consent banner how many further steps would be necessary to finally refuse consent. In this respect, even a slightly higher complexity of the refusal process compared to the granting of consent would be sufficient to tempt users to prefer the "Accept all" button at the first level. If the user refuses consent, they will be confronted with the consent banner every time they open the website and only when they select the "Accept all" button will the decision be accepted in the long term. By the second time at the latest, a user will therefore no longer make the effort to click through due to the non-transparent effects. The color design of the "Accept all" button on the first and second level also encourages users to click on these buttons. This is because this button alone is blue with white lettering, while the "Settings" button on the first level and the "Save selection" button on the second level are only partially recognizable as buttons with black lettering on the overall white background of the consent banner and without a border. On the first level, the buttons "Accept all" and "Accept & close x" provided two options for granting comprehensive consent, but no option to refuse consent. 
It is easily implementable to provide the user with a clear option on the first level of the consent banner to close the consent banner without consenting to the use of local storage objects, tracking techniques and third-party services as well as downstream processing of personal data. Failure to give comprehensive consent is clearly made difficult for users. Under these circumstances, the consents given by users cannot be considered voluntary, as the design of the consent banner means that it cannot be ruled out that they clicked on the "Accept all" button on the first level by mistake or simply for the sole reason of avoiding additional work. Moreover, the plaintiff also had content that was only made available to paying subscribers to the "NOZ+" service. Even if consent is granted, the user may therefore not be able to read the desired website without taking out a paid subscription. The defendant justified the order under point 1.b. by stating that the use of Google Tag Manager also requires consent in accordance with Section 25 (1) TTDSG and Art. 6 (1) GDPR, which the plaintiff does not obtain. The use of Google Tag Manager means that information from Google is stored on the user's end user device and the data stored on the device is accessed when the website is called up again. The test in the IT laboratory had shown, among other things, that user information was transmitted to the Google Tag Manager's US server and that a script was stored on the user's end device, which led to the third-party service provider actively requesting more information from the user's end devices than would be the case with a standard http request. Contrary to the plaintiff's opinion, there is also no exception to the consent requirement pursuant to Section 25 (2) No. 2 TTDSG for the Google Tag Manager. The service was neither expressly requested by the user nor absolutely necessary for the provision of a legal obligation of the telemedia service. 
The Google Tag Manager has the function of integrating various services into the website, in particular inserting any tracking codes on websites. This concerns, for example, the tags for Google Analytics and Google AdWords, the tracking codes for numerous online marketing tools and web analytics tools as well as codes for content management tools. The Google Tag Manager is therefore a service that makes it easier for the website operator to integrate other third-party services. It does not offer users any additional function and does not affect the functionality of the website in any other way, meaning that there is no user interest in the integration of Google Tag Manager. Furthermore, it is not necessary for the Google Tag Manager to store information on the end user device of the website www.noz.de and retrieve it at a later point in time in order to display the website.

The plaintiff filed an action on December 22, 2022.

It is of the opinion that the defendant is already not responsible for the order. As it does not process any personal data, the scope of the GDPR does not apply. The storage and forwarding of IP addresses or individual user IDs is not related to a person. The plaintiff does not establish a personal reference from the stored user ID or the IP addresses of the users. If such a reference is created by third-party service providers through the creation and completion of user profiles, the plaintiff is not responsible for this data processing.

However, the defendant is not responsible for monitoring compliance with Section 25 TTDSG. Section 19 (1) NDSG assigns tasks to the defendant as the supervisory authority for monitoring compliance with the GDPR, the NDSG and "other data protection provisions". However, the provision of Section 25 TTDSG is not a "data protection provision" within the meaning of Section 19 (1) NDSG. According to the explanatory memorandum to the law (BR-Drs. 163/21, p. 37 f.), Section 25 TTDSG serves to implement the requirements of Art. 5 (3) of the EU ePrivacy Directive 2002/58/EC (as amended by Directive 2009/136/EC). The ePrivacy Directive is only partly based on the right to the protection of personal data within the meaning of Art. 8 of the EU Charter of Fundamental Rights (CFREU), while other parts are based on the protection of privacy under Art. 7 CFREU. Art. 5 para. 3 of the ePrivacy Directive (and thus Section 25 TTDSG as a national implementing provision) does not deal with the processing of personal data, but the provision would apply to all information stored in or read from end user devices, regardless of any personal reference. By setting and reading cookies, a lot of information would be stored without a personal reference. In this respect, Section 25 TTDSG has nothing to do with data protection law and protects a different legal interest. The legal interests of personal data and privacy are decidedly different protected entities and must be viewed in a differentiated manner.

Since § 25 TTDSG is not a data protection regulation and § 29 TTDSG does not provide for any other specific responsibility, the federal states are responsible for implementing the TTDSG as federal law. For the defendant to be responsible, however, a separate assignment by the state legislature is necessary, which does not exist in Lower Saxony. The data protection supervisory authorities of the federal states do not have jurisdiction per se. The reference in Section 1 No. 8 TTDSG also does not lead to a competence of the supervisory authorities of the federal states. Since an explicit definition has not yet been made in Lower Saxony, in contrast to Hamburg, Bremen, Berlin and Baden-Württemberg, for example, the defendant is not responsible for monitoring § 25 TTDSG. In particular, a high standard of authority standards must be applied in the administration of interference.
In addition, the order was also materially unlawful, as there was no violation of § 25 TTDSG. The user consents obtained via the CMP by means of the consent banner were effective. As far as the consent banner was concerned, the option of a "decline all" button or a comparable option for not granting consent at the first level of the banner was not necessary. This could also not be derived from the characteristic of voluntariness in Art. 4 No. 7 GDPR and Art. 7 GDPR. Finally, visitors to the website are free not to use it if they do not wish to give their consent. The plaintiff is not legally obliged to provide an Internet offer and does not have a dominant position from which a corresponding requirement could be derived. The setting of cookies, in particular for the placement of personalized advertising, is necessary to finance the free online offer. Publishers must have the opportunity to offer journalistic content on their website to cover their costs. This is currently only possible via the so-called real-time bidding system, in which personalized advertising space is auctioned off to one of around 150 participating advertising partners within a fraction of a second in real time when the website is accessed using information about the user such as their place of residence, gender or age. The use of Google Tag Manager also does not require consent in accordance with Art. 6 para. 1 lit. a GDPR or Section 25 para. 1 TTDSG. This serves to implement the requirements of Section 25 (1) TTDSG. The Google Tag Manager is used to control the scripts and applications that are required to obtain consent in accordance with Section 25 (1) TTDSG. The GDPR expressly states that the use of a service provider for the implementation of legal requirements and technical services is permitted. Insofar as personal data is also processed via these technologies, this can be based on both Art. 6 para. 1 lit. c and Art. 6 para. 1 lit. f GDPR. 
The plaintiff requested,

to annul the defendant's order of 23.11.2022, ref.

The defendant applies,

to dismiss the action.

He argues that he is responsible for the order. The federal states would implement the TTDSG as a federal law in their own affairs in accordance with Art. 83 GG. The respective data protection supervisory authorities were also indisputably responsible for the supervision of the German predecessor regulation of Section 15 (3) TMG. When the TTDSG was introduced as a combination of provisions of telecommunications and telemedia law in conformity with European law, Section 29 TTDSG was introduced for the Federal Data Protection Commissioner; otherwise, the TTDSG was not intended by the federal legislator to change jurisdiction. The legislature had obviously assumed that the supervision of compliance with Section 25 TTDSG was the responsibility of the respective state data protection authorities, unless it was assigned to the Federal Data Protection Commissioner by Section 29 TTDSG. Section 1 (1) no. 8 TTDSG therefore clarifies that the TTDSG does not affect the supervisory responsibility for telemedia as regulated in Section 40 BDSG and the respective state law. The competence of the state data protection authorities should therefore not be curtailed by the new law.

The responsibility under state law for the supervision of telemedia is also derived from Section 113 sentence 1 of the Interstate Media Treaty (MStV), according to which the supervisory authorities responsible under the general data protection laws of the federal and state governments would monitor compliance with the general data protection provisions and Section 23 MStV for their area. Section 29(2) TTDSG reflects the legislative intention that access to terminal equipment pursuant to Section 25 TTDSG and the subsequent processing of personal data should also be supervised uniformly, i.e. by the same authority, as a uniform factual situation.
Pursuant to Section 19 (1) NDSG, it is the competent supervisory authority with regard to the GDPR, the provisions of the first part of the NDSG and other data protection regulations. The TTDSG (Act on Data Protection and the Protection of Privacy in Telecommunications and Digital Services - Telecommunications Digital Services Data Protection Act) is, according to its name, a data protection law. Section 25 TTDSG is also to be classified as a precautionary provision under data protection law. Section 4 (1) BDSG - indisputably a data protection provision - similarly places the use of a technology under certain conditions because it is also a precondition for the processing of personal data. The setting of cookies is also such a technical measure that is taken in order to process users' personal data. The function of cookies is to be able to recognize a person on the internet. As a rule, devices on which cookies are stored contain personal data that is read out using cookies.

In addition, Section 25 TTDSG serves to implement Article 5(3) of the ePrivacy Directive. The European legislature assumes that the provisions of the Directive are data protection law. This is already evident from the full title of the Directive ("Directive concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications")). Accordingly, the European legislature has also included a conflict-of-law provision in Art. 95 GDPR, which addresses the relationship between the GDPR and the ePrivacy Directive for certain areas.

Contrary to the plaintiff's opinion, the legally protected entities of Art. 7 and Art. 8 GDPR are not mutually exclusive. This is also shown by the fact that, at national level, both the right to privacy and the right to the protection of personal data are manifestations of the general right of publicity under Article 2(1) in conjunction with Article 1(1) of the Basic Law.
The legal interests are therefore not unrelated to each other, but are concretizations of a fundamental right. Furthermore, there is no legal provision in Lower Saxony that assigns responsibility for the supervision of Section 25 TTDSG to an authority other than the defendant. It is clear from the provision in § 29 para. 2 TTDSG that compliance with § 25 TTDSG is to be monitored by a supervisory authority. Furthermore, the defendant is also responsible because the scope of application of the GDPR is open. Contrary to the plaintiff's view, it processes personal data within the meaning of Art. 4 No. 1 GDPR. The personal reference of the user data is given either by the IP address or individual user IDs, which are stored by cookies on the end user devices and then read out and queried by JavaScript. Of the cookies used on the website, a value is stored in 40 cookies that represents a user ID and therefore a unique identifier. This is derived from the name of the cookie, for example as UID, user-id or subscriber-id, and the parameters stored in the cookies. The information provided by the third-party services would also confirm the use of cookies for identification purposes: for example, the cookies "consentUUID" and "sp_v1_uid" of CMP are described with the information "Represents user's unique ID". For each of the detected connections to servers of third-party service providers, at least the IP addresses of the users who opened the website were transmitted. Even the IP addresses and IDs as online identifiers are to be classified as personal data. Using the unique user IDs and IP addresses, third-party service providers to whom the plaintiff passes on the data, for example in the context of real-time bidding, create user profiles or supplement existing profiles. This is essential for personalized advertising.
It should also be noted that the third-party service providers collect such user data from a large number of websites and thus create a comprehensive, individual user profile. The user data can therefore also be clearly assigned to an individual by the third-party service providers. As part of the use of CMP and TCF, the TC string is stored as a cookie on the user's end user device after interaction with the consent banner. The TC string contains at least the relevant information with regard to user consent and also serves to track users across domains for analysis and marketing purposes. It serves as a means of communication with all third-party service providers integrated as vendors on the plaintiff's website, which are able to access the TC string, read it out and thus obtain information as to whether and to what extent the respective user has given consent. This is also personal data. It is already clear from this specification of the purpose of the processing of personal data that the decision of the respective user to give or refuse consent is assigned to an individual. The logical prerequisite for this is that the respective user can be identified. Even if the TC string itself is not to be assessed as personal data, the personal reference is derived from the user's IP address, which is inevitably also transmitted. With regard to the substantive lawfulness of its decision, the defendant essentially repeats the arguments put forward in the decision and adds that the Google Tag Manager is not used to obtain consent in accordance with Section 25 (1) TTDSG. The plaintiff itself states that it uses the CMP of the company Sourcepoint for this purpose. Instead, its function is to make it easier for website operators to integrate various services into the website and to manage their data communication.
Furthermore, no general obligation to obtain consent arises from Section 25 (1) TTDSG, but only in the event that information is to be stored in the end user's terminal equipment or information that is already stored in the terminal equipment is to be read out. For further details of the facts of the case, reference is made to the contents of the court file.

Reasons for the decision

The action is unsuccessful: it is admissible (I.) but unfounded (II.).

I. The action is admissible. Pursuant to Section 20 (1) sentence 1 BDSG, legal claims arising from the GDPR pursuant to Art. 78 (1) and (2) GDPR are subject to administrative law. The administrative court in Hanover has local jurisdiction pursuant to Section 20 (3) BDSG, as the defendant has its registered office in Hanover. The action against the defendant's orders from the decision of November 23, 2022 is admissible as an action for annulment.

II. However, the action is unfounded. The defendant's decision of November 23, 2022 is lawful and does not violate the plaintiff's rights (Section 113 (1) sentence 1 VwGO).

1. The NDSG and the TTDSG in their versions at the time the order of November 23, 2022 was issued are decisive for the assessment of the legality of the orders. Later changes, such as the renaming of the TTDSG to the TDDDG and the insertion of § 20a NDSG, are not to be taken into account. This is because when assessing the prospects of success of an action, the relevant date for the decision depends on the substantive legal situation. In the case of actions for annulment that concern the assessment of the unlawfulness of an administrative action, the factual and legal situation at the time of the official decision must generally be taken as a basis (Kopp/Schenke, VwGO, 30th edition 2024, Section 113 para. 41). Administrative actions with permanent effect are an exception: These must be permanently unlawful for them to be unlawful, i.e.
they must still be unlawful at the time of the court decision (Kopp/Schenke, VwGO, 30th ed. 2024, Section 113 para. 43 et seq.). The defendant's order to obtain legally effective consent is merely a one-off requirement, but not a permanent administrative act. Although the order lasts until the time of its fulfillment, it is not structurally comparable to a permanent administrative act such as a trade prohibition.

2. The order issued under point 1.a. is lawful.

a. The legal basis for the order can be found in Art. 58 para. 2 lit. d GDPR, insofar as the defendant complains about compliance with the provisions of the GDPR. According to this provision, the supervisory authority has all powers that allow it to order the controller to bring processing operations into compliance with the GDPR in a specific manner and within a specific period of time, if necessary. If, on the other hand, the defendant complains about compliance with the provisions of the TTDSG, the legal basis for the order results from § 20 para. 1 NDSG in conjunction with Art. 58 para. 2 lit. d GDPR. Art. 58 GDPR does not apply directly or mutatis mutandis to compliance with the provisions of the TTDSG; instead, in order for the powers under Art. 58 GDPR to apply, the federal states would have to create their own power standards or references to the powers under Art. 58 GDPR (see Benedikt, in Gierschmann/Baumgartner, TTDSG, 1st ed. 2023, Section 29 para. 27, 31-33; Engeler, in Assion, TTDSG, 1st ed. 2022, Section 29 para. 56; Hadidi, in Geppert/Schütz, Beck'scher TKG-Kommentar, 5th ed. 2023, Section 29 TTDSG para. 5; Golland, NJW 2021, p. 2238 (2242)). Section 29 para. 3 TTDSG creates a reference to the powers of Art. 58 GDPR only for the Federal Data Protection Commissioner; the federal states would have to create such a reference standard for their state data protection commissioners themselves, as in the new Section 20a para.
2 NDSG (Burkhardt/Reif/Schwartmann, in Schwartmann/Jaspers/Eckhardt, TTDSG, 1st ed. 2022, Section 25 para. 159; Engeler, in Assion, TTDSG, 1st ed. 2022, Section 29 para. 54; Piltz, CR 2021, p. 555 (564)). Section 20(1) NDSG assigns the powers under Art. 58(1) to (3) GDPR to the authority headed by the State Commissioner for Data Protection, also with regard to the provisions of the NDSG and "other provisions of data protection law". This also includes Section 25 TTDSG. Section 25 TTDSG does not constitute a data protection provision in the narrower sense, which is specifically intended to protect personal data within the meaning of Art. 8 GDPR, as Section 25 TTDSG protects information regardless of its personal reference. According to recitals 24, 25, 65 and 66 of the amending Directive 2009/136/EC, the provision, which implements Art. 5 (3) of the ePrivacy Directive, serves to protect the privacy of users as guaranteed in Art. 7 CFREU. However, with regard to its protective purpose, the provision can also be understood as a data protection provision, as the scope of application is broader than that of Art. 6 para. 1 GDPR, but personal data is also covered by the scope of application of the TTDSG (LG Munich I, judgment of November 29, 2022 - 33 O 14776/19 -, juris para. 117; Benedikt in Gierschmann/Baumgartner, TTDSG, 1st ed. 2023, Section 29 para. 21). Both the legal interests of privacy and personal data are also closely related (ECJ, judgment of November 9, 2010 - C-92/09 and C-93/09 -, juris para. 47). In German Basic Law, both the right to privacy and the right to the protection of personal data would be understood as manifestations of the general right of personality. There are therefore often overlaps between the two fundamental rights, which are resolved either by giving priority to the more specific right to the protection of personal data (see Jarass, in ders., Charta der Grundrechte der EU, 4th ed. 2021, Art. 8 para. 4) or by applying Art. 7 and Art.
8 CFREU in parallel as a uniform right to "respect for private life with regard to the processing of personal data" (ECJ, judgment of 9 November 2010 - C-92/09 and C-93/09 -, juris para. 47, 52). The European legislature also seems to assume such a relationship between the two legal interests when it forms a lex specialis principle between the GDPR and the ePrivacy Directive for certain areas of application in Art. 95 GDPR. According to Art. 1 (2) ePrivacy Directive, the Directive also aims to "detail and supplement" the provisions of the GDPR in the area of electronic communications. Whether the TTDSG is an "other provision of data protection law" is also a question of the interpretation of Section 20 NDSG, not just the TTDSG. If "data protection provisions" are understood, as the plaintiff does, solely as the right to protect personal data and thus as a "data protection law in the narrower sense", the TTDSG would not fall under Section 20 (1) NDSG. However, § 20 para. 1 NDSG expressly does not refer to "provisions for the protection of personal data", but merely to "data protection provisions". In this respect, the plaintiff's interpretation that this could only include provisions that are solely intended to protect the legal interest of Art. 8 CFREU is not inherent in the wording of the provision. In particular, the wording "other provisions of data protection law" rather suggests that it is intended to be a catch-all provision for other provisions applicable in addition to the GDPR and the NDSG that are related to the processing of data and the protection of the rights of this data controller, such as Section 25 TTDSG.
The fact that Section 20 (1) NDSG is intended to be a catch-all provision aimed at preventing the divergence of responsibilities in connection with data processing is shown by the example of the supervision of compliance with Section 25 TTDSG: If this provision were not to fall under Section 20 (1) NDSG in the context of a narrow interpretation, this would possibly lead to a nonsensical division of competences for the supervision of a uniform life situation. This is because the storage and reading of cookies and other information in users' end user devices typically also involves the reading and processing of personal data. A sharp distinction between the processing of personal data and the storage and readout of information such as cookies is often impossible, as the process of real-time bidding described by the plaintiff in particular shows: processes that take place within a few fractions of a second must be distinguished from one another. When information such as cookies is stored and read out, personal data is regularly processed anyway if the cookies are used to create an individual user profile (similar to DSK, Orientierungshilfe der Aufsichtsbehörden für Anbieter:innen von digitalen Diensten, Version 1.2, as of November 2024, para. 14). If the same supervisory authority were not responsible for this, this would lead to the unnecessary splitting of a single process. On the one hand, this would create additional work for two different supervisory authorities, which would, for example, have the same inspection program when checking the lawfulness of consent to data processing under Art. 6 para. 1 GDPR and to the storage and retrieval of information under Section 25 TTDSG, since Section 25 para. 1 sentence 2 TTDSG expressly refers to the GDPR for consent. The state data protection officers already have the personnel and technical resources to comprehensively investigate the facts.
On the other hand, two different supervisory authorities could make divergent, even contradictory decisions. This would be non-transparent for both the data subjects and the data controllers and could lead to absurd results. The creation of a catch-all provision in order to prevent such an ultimately legally uncertain separation in the area of the processing of data - personal, but also other - can therefore be understood as the objective of the assignment of powers in Section 20 (1) NDSG uniformly to the defendant. The legislature of the TTDSG has also assessed access to terminal equipment pursuant to Section 25 TTDSG and the subsequent processing of personal data as a uniform life situation that is to be supervised by the same authority. This legislative intention is made clear in Section 29 TTDSG, which assigns the responsibility and powers for monitoring compliance with Section 25 TTDSG at federal level to the Federal Data Protection Commissioner, who is also responsible for the GDPR at federal level. Since the state legislature - until the creation of Section 20a NDSG for the purpose of clarification for reasons of legal certainty (Nds. LT-Drs. 19/3433, p. 7) - did not create a special power standard for monitoring compliance with the TTDSG and a supervisory-free area would contradict Art. 15a ePrivacy Directive, it can be assumed that the latter also assumed that the defendant had the power to monitor compliance with Section 25 TTDSG as the data protection supervisory authority of Lower Saxony. "Other data protection provisions" within the meaning of Section 20 (1) NDSG is therefore to be understood as a catch-all provision that also includes Section 25 TTDSG. In particular, this corresponds to the meaning and purpose of assigning powers and responsibilities to a single authority for everything related to the handling of an end user's data.
This reading of Section 20 (1) NDSG can also be reconciled with Section 113 sentence 1 MStV, which is entitled "Data protection supervision of telemedia" and assigns "compliance with general data protection provisions" to the "supervisory authorities responsible under the general data protection laws of the federal and state governments". The provision is also understood to mean that the general data protection supervisory authorities are to be uniformly responsible in the area of data processing by telemedia (for the predecessor provision of Section 59 (1) RStV with the same content, Volkmann, in Spindler/Schuster, Recht der elektronischen Medien, 4th ed. 2019, Section 59 RStV para. 21). In addition to the requirements of the GDPR, BDSG and the former TMG, "general data protection provisions" within the meaning of Section 113 sentence 1 MStV are also understood to include the TTDSG (Cornils, in Binder/Vesting, Beck'scher Kommentar zum Rundfunkrecht, 5th edition 2024, Section 113 MStV para. 2; Fiedler, in Gersdorf/Paal, BeckOK Informations- und Medienrecht, 47th edition, Section 113 MStV para. 5; Hanloser, ZD 2021, p. 399). The aim of this regulation is also to avoid a fragmentation of competences and responsibilities in the area of supervision of the handling of user data by telemedia and instead to place this under the uniform supervision of one authority.

b. The decision is formally lawful.

aa. The defendant is responsible for issuing the decision. This follows from Section 40 (1) BDSG, Section 22 sentence 1 no. 1 NDSG and Art. 55 et seq. GDPR. With its order, the defendant complains that the plaintiff is processing personal data of its users without legally valid consent within the meaning of Art. 6 para. 1 lit. a GDPR. In this respect, the defendant is responsible as a supervisory authority for monitoring compliance with the GDPR. With regard to monitoring compliance with the TTDSG, the responsibility of the defendant arises from Section 1 (1) No.
8 TTDSG in conjunction with Section 19 (1) NDSG. Pursuant to Section 1 (1) No. 8 TTDSG, the responsibility for monitoring compliance with the TTDSG is determined by the respective state law if the addressees of Section 25 TTDSG are public bodies of a state or a private body that is not a provider of a telecommunications service. Pursuant to Section 19 (1) NDSG, the defendant also performs its task as a supervisory authority under the GDPR with regard to the NDSG and other data protection provisions.

bb. The plaintiff was heard on July 27, 2022 before the challenged decision was issued and commented on the violations of the law complained of by the defendant on August 25, 2022.

c. The order under point 1.a. is substantively lawful. According to Art. 58 para. 2 lit. d GDPR in conjunction with § 20 para. 1 NDSG, the supervisory authority may instruct the controller to bring processing operations into compliance with the GDPR, the NDSG or other data protection provisions in a specific manner and within a specific period of time, if necessary. The prerequisite for an instruction is that the processing operations deviate from the GDPR or other data protection regulations and that the instructions eliminate this deviation.

aa. The use of cookies and other technologies on the plaintiff's website violates Section 25 (1) TTDSG and Art. 6 (1) GDPR.

(1) According to Section 25 TTDSG, the storage of information in the end user's terminal equipment or access to information already stored in the terminal equipment is only permitted if the end user has consented on the basis of clear and comprehensive information, unless the sole purpose is to carry out the transmission of a communication over a public telecommunications network or the storage or access is strictly necessary to enable the provider of a telemedia service to provide a telemedia service expressly requested by the user.
(a) It is undisputed that so-called cookies are stored in the memory of the end user devices of the respective users of the plaintiff's website. Cookies are text files that the provider of a website stores on the user's computer and can retrieve when the website is called up again in order to facilitate navigation on the Internet or transactions or to retrieve information about user behavior (BGH, judgment of 28 May 2020 - I ZR 7/16 -, juris para. 49). The defendant's tests have shown that after clicking on the "Accept all" or "Accept & close x" button in the plaintiff's consent banner, various first and third-party cookies as well as objects in local storage are stored on the user's end devices. Only the number of cookies set is partially disputed by the plaintiff. However, this is not relevant in the present case. The setting and reading of cookies clearly constitutes the storage of information in the terminal equipment and access to information already stored there within the meaning of Section 25 (1) TTDSG, regardless of whether first or third-party cookies are set and read.

(b) It is neither submitted nor apparent that the cookies set after clicking on "Accept all" or "Accept & close x" in the consent banner are technically necessary cookies for which there is no requirement for consent pursuant to Section 25 (2) No. 2 TTDSG.

(c) According to Section 25 (1) TTDSG, the setting of these cookies requires the effective consent of the user, which meets the requirements of the GDPR. Consent within the meaning of Art. 4 No. 11 GDPR is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. With regard to the time at which consent is granted, a corresponding declaration must already have been made before the access to the terminal equipment requiring consent takes place.
(aa) Neither Section 25 (1) TTDSG nor Art. 4 No. 11, 7 GDPR regulate the requirements for consent to be given "in an informed manner". The ECJ requires as minimum information an indication of the duration of the function as well as details of any recipients of the information contained in the cookies (ECJ, judgment of October 1, 2019 - C-673/17 -, juris para. 75-81). The clear and comprehensive information to be provided must enable the user to easily determine the consequences of any consent given by him and ensure that the consent is given in full knowledge of the facts. It must be clear and detailed enough to enable the user to understand how the cookies used work (ECJ, ibid., para. 74). According to the German Federal Court of Justice, the decisive factor in this respect is what information the user will "regularly" take note of due to the design of the declaration of consent (German Federal Court of Justice, judgment of May 28, 2020 - I ZR 7/16 -, juris para. 33). Measured against this, it is doubtful whether the characteristic of being informed exists for the user consent given by means of the plaintiff's consent banner. On the one hand, the number of over one hundred third-party service providers of the plaintiff is missing at the first level of the consent banner. This number is information that may not decide whether or not to grant consent, but may prompt the user not to click on the "Accept all" button at the first level, but to look at the list of partners beforehand, to refuse consent at the second level or to try to reduce the number of partners. On the other hand, at the first level of the consent banner, it is necessary to scroll down in order to reach the reference to data processing by providers in third countries such as the USA and the possibility of withdrawing consent. 
However, a user who wants to read an article on the plaintiff's website will usually only skim the first level of the consent banner, as it appears when the website is first accessed, without scrolling to the end. His main interest will be to be able to call up the website behind it. Both the integration of over one hundred third-party service providers and the data processing in third countries such as the USA are information that the average user of the plaintiff's website may not be aware of. However, they are relevant for an informed decision in order to gain an overview of the extent of the consent given.

(bb) In any case, the consents obtained by the plaintiff are not based on a voluntary decision of the users. Consent is only considered voluntary if the data subject actually has a choice, i.e. can waive the granting of consent without disadvantages (Klabunde/Horváth, in Ehmann/Selmayr, GDPR, 3rd ed. 2024, Art. 4 para. 53). Consent must be informed. In any case, the data subject must be informed that they can refuse their consent (Schild, in Wolff/Brink/von Ungern-Sternberg, BeckOK Datenschutzrecht, 51st edition, Art. 4 GDPR para. 128). The data subject must have the opportunity to take note of the content of the declaration expected of them in a reasonable manner. This applies in any case to pre-formulated consents. Hidden references, technical text formats that are not accessible to every user or unclear fonts can hinder this reasonableness just as much as overlong texts (Ernst, in Paal/Pauly, GDPR, 3rd ed. 2021, Art. 4 para. 79, 80). Whether it can be inferred from these provisions that the option to reject cookies must be designed in the same way as consent to the setting of cookies has not yet been conclusively clarified by case law (see Sesing, MMR 2021, p. 544 (547) with further references; OLG Cologne, judgment of November 3, 2023 - I-6 U 58/23 -, juris para. 50).
In any case, however, the cookie banner must not be designed in such a way that it specifically directs the user to give consent and prevents them from rejecting the cookies (Regional Court of Cologne, judgment of May 4, 2023 - 33 O 311/22; similarly BGH, judgment of May 28, 2020 - I ZR 7/16 -, juris para. 32). However, it is clear from the overall view of the design of the various levels of the consent banner that users are to be specifically directed towards a declaration of consent and their right to choose is to be influenced. As clearly described by the defendant, there is a considerable additional effort for users if they do not wish to give their consent. While comprehensive consent can be given at the first level by clicking on two buttons ("Accept all" and "Accept & close x"), the "Settings" button must first be selected at the first level in order to refuse consent. On the second level of the banner, five different drop-down menus with further sub-items follow, where the user must check whether the opt-in controls are switched off in order to then select the "Save selection" button. In this case, the user is confronted with the consent banner each time they visit the website, whereas the comprehensive consent is saved and the banner does not reappear each time the website is accessed. Particularly in view of the fact that users may not be aware of the scope of the consent given, as the references to data processing in third countries or the number of third-party service providers involved are not perceived, they will regularly try to make the banner disappear by interacting with it at first level and being able to read the website behind it. They will therefore make a selection at the first level that makes this possible - in the context of the plaintiff's banner design, therefore, the granting of comprehensive consent, as there is no option to refuse at the first level. 
Furthermore, there is no indication at the first level of the banner that consent can be refused by clicking on "Settings". Users are therefore not aware at the first level that they have several options. Only when scrolling within the banner at the first level does the wording "there is no obligation to consent to the processing of your data in order to use this offer" appear. However, even this information does not indicate that there is an option to refuse at the next level. In this respect, the design of the consent banner is misleading. The various options at the first level ("Accept all", "Accept & close x", "Settings") may give the impression that there is no option to refuse consent. In addition, the function of the "Accept all" button on the second level of the consent banner is unclear: this can be used to give comprehensive consent to the storage of cookies and the processing of data. However, users can also understand the button to mean that the settings made are accepted, especially as the button is highlighted in blue in contrast to the "Save selection" button. Also, "wearing down" users by constantly confronting them with the consent banner when they return to the website until they give their full consent is not technically necessary and is sometimes regarded as an inadmissible manipulation tactic (see Loy/Baumgartner, ZD 2021, p. 404 (406)). In addition, the button at the top right, otherwise regularly referred to as "x", is designed as "Accept & close x". This design violates the principles of transparency and the voluntary nature of consent (see OLG Cologne, judgment of January 19, 2024 - 6 U 80/23 -, juris para. 47). The "x" symbol is usually understood by users as a button to close a window, as such cross buttons do in most operating systems. Consent to the use of cookies and other technologies by clicking on an "x" button at the top right, on the other hand, is surprising and unusual.
The average user will therefore not be aware that this constitutes consent. It is true that "Accept & close" is located directly next to the "x" symbol. However, the linking of these two functions is misleading and non-transparent for users. It is also not readily apparent to users that "Accept & close" and the "x" symbol are one and the same button, as the latter is in black lettering on a white background and therefore in the same color scheme as the rest of the banner, i.e. it does not stand out from the banner as a single button. In view of the above, the design of the consent banner clearly aims to influence users to give their full consent to the use of cookies and other technologies and to distract them from the possibility of rejecting them. The plaintiff's argument that the granting of consent is essential in particular for real-time bidding and thus the financing of the plaintiff's website also speaks in favor of a targeted steering of users towards granting comprehensive consent. This indicates that, due to the economic interests of the plaintiff, deliberate measures are taken to influence user decisions. The plaintiff's arguments that users do not have to visit the website if they do not wish to give their consent, on the other hand, are misguided. This is because the possibility of leaving the website and reading another one instead does not change the fact that those users who actually give consent do not do so on the basis of a transparent and free decision, but because the design of the consent banner directs them to do so. The argument is only aimed at the question of whether an option not to give consent in the sense of a "decline all" button is required at the first level of the banner, but not whether this influences users to give comprehensive consent through a targeted design.

(cc) Furthermore, it is not an unequivocal expression of consent within the meaning of Art. 4 No. 11 GDPR.
The binding granting of consent, like any binding expression of will in legal transactions, presupposes in its subjective facts a corresponding awareness of declaring something relevant to legal transactions. Art. 4 No. 11 GDPR expressly stipulates the awareness of consent already required by general legal principles (Buchner/Kühling, in Kühling/Buchner, DS-GVO BDSG, 4th ed. 2024, Art. 7 GDPR para. 56). According to recital 32 of the GDPR, unambiguous is, for example, the clicking of a box when visiting a website, the selection of appropriate technical settings or any other statement or conduct "by which the data subject unambiguously indicates his or her consent to the intended processing of personal data in the particular context". The plaintiff's consent banner has an overall ambiguous wording, as at no time is the granting of consent expressly stated, but rather, according to the headline, the aim of the banner is the "optimal user experience". Only when scrolling further within the banner on the first level is there any mention of "consent". However, it must be taken into account that average users of the plaintiff's website will be used to comparable banners, such as those found on almost every website on the Internet, and are therefore aware that they are giving a declaration of consent when they click on the "Accept all" button. However, the situation is different for those users who click on "Accept & close x" at the top right. Due to the non-transparent and surprising design, it can no longer be assumed that a legally relevant, conscious consent is given (see OLG Cologne, judgment of January 19, 2024 - 6 U 80/23 -, juris para. 47). Instead, the average user is likely to assume that clicking on the "x" symbol at the top right merely closes the consent banner without making a legal declaration.

(2) The use of cookies and other technologies on the plaintiff's website also violates Art. 6 para. 1 GDPR.
The storage and readout of cookies and other information by the plaintiff and its third-party service providers results in the processing of personal data of the website's users without there being a criterion for the permissible processing of personal data pursuant to Art. 6 (1) GDPR. (a) According to Art. 4 No. 1 GDPR, personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier. According to Art. 4 No. 2 GDPR, processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. According to the information provided by the plaintiff itself within its consent banner, personal data such as recognition features or profile data are processed in order to enable the identification of end user devices as well as personalized advertising, the measurement of advertising performance and the performance of content, target group research and the improvement of offers. According to its own information, the plaintiff uses the TCF of IAB Europe when auctioning advertising space by means of real-time bidding, which stores the TC string on the user's device as a cookie after the CMP has requested the user's consent. This coded string contains the user's preferences with regard to their consent to the processing of personal data concerning them by website or application providers, data brokers and advertising platforms, along with the user's IP address and an advertising profile of the user. 
The more informative the content of the TC-String is about the user, the higher the fees that can be obtained (Steidle/Skistims, in Jandt/Steidle, Datenschutz im Internet, 2nd ed. 2024, ch. V para. 233). According to the case law of the European Court of Justice, the process of storing and reading the TC string constitutes a transfer of personal data (ECJ, judgment of March 7, 2024 - C-604/22 -, juris para. 42 et seq.). Insofar as the plaintiff states that it is not responsible for the storage and reading of the TC-String, as the responsibility lies instead with the third-party service providers, it does not prevail. Persons who, for reasons of their own interest, influence the processing of personal data and thus participate in the decision on the purposes and means of such processing can be regarded as controllers pursuant to Art. 4 No. 7 GDPR (ECJ, judgment of July 10, 2018 - C 25/17 -, Celex No. 62017CJ0025 para. 68). Through the integration of the CMP and the TCF on its website and the resulting transmission of the TC string and the content contained therein, it is precisely the plaintiff that initiates and enables the processing of personal data by the third-party service providers. Without the plaintiff's website and its mediation, the processing by advertising third parties would not be possible; after all, users visit the plaintiff's website to read its content and not to be shown personalized advertising. Since the plaintiff finances its website by, among other things, using personal data to place third-party advertisements, there is also a self-interest in the processing. The European Court of Justice also assumes that the providers of websites and the industry association IAB Europe share responsibility (ECJ, judgment of March 7, 2024 - C-604/22 -, juris para. 74). 
Each time the plaintiff's website is visited, it also processes the full IP address of the user, regardless of the transmission to third-party service providers in the context of real-time bidding (see the plaintiff's privacy statement, available online at https://www.noz.de/datenschutz, last accessed on April 24, 2025). IP addresses stored by a provider of online services such as the plaintiff constitute individual information about factual circumstances, as the data provides information about the fact that certain pages or files were accessed via the internet at certain times. They may therefore constitute personal data if the data processing body has the legal or factual means to determine the identity of the user (BGH, judgment of May 16, 2017 - VI ZR 135/13 -, juris para. 17 et seq.; ECJ, judgment of October 19, 2016 - C-582/14 -, juris para. 49). As the operator of the website, the plaintiff has the legal means that can reasonably be used to have third parties identify the person concerned on the basis of the stored IP addresses. According to the decision of the German Federal Court of Justice, this follows from the fact that these operators could contact the competent authority, in particular in the event of cyberattacks, so that the latter could take the necessary steps to obtain the information in question from the internet access provider and initiate criminal prosecution (German Federal Court of Justice, judgment of May 16, 2017 - VI ZR 135/13 -, juris para. 25). The plaintiff's third-party service providers are therefore also able to carry out such a merger. It is therefore irrelevant that the plaintiff assures that it will not merge the personal data collected, as it would at least be technically and legally possible for it to do so. 
Whether individual identifiers (user IDs) are stored in the cookies set by the plaintiff or its service providers, which at least enable the plaintiff and its third-party service providers to identify the user, is ultimately irrelevant. Such an individual identifier could then, in combination with the IP address, also enable a personal reference. (b) The processing of personal data by the plaintiff is not carried out to fulfill a legal obligation pursuant to Art. 6 para. 1 lit. c GDPR. The prerequisite for this permission is an obligation by law or by order based on a law to process data, i.e. to collect, record, store or pass on data (Frenzel, in Paal/Pauly, DSGVO BDSG, 3rd ed. 2021, Art. 6 para. 16). It is necessary that the obligation standardized in a provision relates directly to the data processing. Typically, the controller is in breach of a legal obligation if it does not carry out the processing in question (Buchner/Petri, in Kühling/Buchner, DS-GVO BDSG, 4th ed. 2024, Art. 6 para. 76). Contrary to the plaintiff's view, Section 25 (1) TTDSG does not create a direct legal obligation to process personal data. The standard merely stipulates that user consent is required for the use of cookies. However, it does not directly impose an obligation to collect, store or share personal data. The provision does not directly oblige the setting of cookies or the reading of users' IP addresses and IDs. In contrast, the mere fact that a data processing controller must also process personal data in order to fulfill any legal obligation is not sufficient (Buchner/Petri, in Kühling/Buchner, DS-GVO BDSG, 4th ed. 2024, Art. 6 para. 76). (c) The processing is also not justified under Art. 6 para. 1 lit. f GDPR.
According to this provision, data processing is lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. As part of a three-stage examination, it must be determined whether there is a legitimate interest of the controller or a third party to whom the data is transferred at the time of processing, whether the data processing is necessary to achieve this interest and whether the fundamental rights and freedoms of the data subjects affected by the data processing do not override the legitimate interest pursued (ECJ, judgment of 11 December 2019 - C-708/18 -, juris para. 40). It follows from the accountability principle of the controller for compliance with the data protection principles pursuant to Art. 5 para. 2 GDPR that the controller must carry out this balancing on the basis of the specific circumstances of the individual case before processing begins and is obliged to provide evidence of this (Heberlein, in Ehmann/Selmayr, GDPR, 3rd ed. 2024, Art. 6 para. 46). The controller must therefore carry out a balancing of interests themselves, which can be verified by the supervisory authorities and courts (DSK, Orientierungshilfe der Aufsichtsbehörden für Anbieter:innen von digitalen Diensten, Version 1.2, Status: November 2024, para. 110). The plaintiff does not carry out such a three-stage balancing of interests either in the context of its privacy statements on its website or in the legal proceedings, but instead makes a blanket reference to the permission requirement. The creation of editorial content is only possible by financing its offer through advertising and other marketing measures (see the plaintiff's privacy statement, available online at https://www.noz.de/datenschutz, last accessed on April 24, 2025). 
Furthermore, there is no justification in the context of the balancing of interests. (aa) Any legal, factual, economic or ideal interest of the controller may be regarded as legitimate, provided that it is not disapproved of by the legal system. The legitimate interest must be directed towards a specific purpose of processing or use. It must arise and exist at the time of data processing and must not be hypothetical at that time (ECJ, judgment of December 11, 2019 - C-708/18 -, juris para. 44). The controller must substantiate and prove its legitimate interest (see Art. 5 para. 2 GDPR; Taeger in Taeger/Gabel, DSGVO-BDSG-TTDSG, 4th ed. 2022, Art. 6 para. 135; see also ECJ, judgment of February 24, 2022 - C-175/20 -, juris para. 77; BVerwG, judgment of March 2, 2022 - 6 C 7.20 -, juris para. 50). The financing of the plaintiff's journalistic website through advertising, in particular by auctioning personalized advertising space to third-party service providers, is an economic interest that the plaintiff has substantiated in the legal proceedings. In principle, it corresponds to its entrepreneurial freedom to decide to make journalistic content available free of charge and to finance it through advertising. (bb) However, the data processing is not necessary to protect the interests of the plaintiff. The personal data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; they should only be processed if the purpose of the processing cannot reasonably be achieved by other means (see recital 39 of the GDPR). The prerequisite for necessity is therefore that no milder, equally effective means are available to achieve the interests of the controller (Buchner/Petri, in Kühling/Buchner, DS-GVO BDSG, 4th ed. 2024, Art. 6 GDPR para. 147c). The mere expediency of the data processing is not sufficient and the desire for "best possible efficiency" does not make the data processing necessary. 
Accordingly, necessity cannot be justified solely by the fact that the intended data processing is the most economically viable alternative from the perspective of the controller (Buchner/Petri, in Kühling/Buchner, DS-GVO BDSG, 4th ed. 2024, Art. 6 GDPR para. 147c with further references). Based on this, the necessity of the processing of personal data to finance the plaintiff's website is already doubtful. The plaintiff also has other options at its disposal to cover its economic interests. The plaintiff already uses these by generating revenues with its print edition, which, according to the plaintiff's own submission, are also used to finance the online offer. On the other hand, the plaintiff offers paid content on its website under the online service NOZ+. Although it may therefore be true that there are no other advertising alternatives for the plaintiff than the auctioning of advertising space in the form of real-time bidding, there are nevertheless alternative forms of financing for advertising, which the plaintiff already uses. The plaintiff's situation is therefore not comparable to that of providers of web services whose sole source of income is the placement of personalized advertising. (cc) In any case, the interests of the users concerned outweigh the plaintiff's interest in data processing. The starting point for the balancing of interests is, on the one hand, the effects that data processing has on the data subject and, on the other hand, the interests of the controller or third parties. In this context, the type, content and significance of the data concerned must be measured against the purpose of the processing of personal data (Buchner/Petri, in Kühling/Buchner, DSGVO BDSG, 4th ed. 2024, Art. 6 GDPR para. 149). When weighing up the interests, the reasonable expectations of the data subjects or the foreseeability of the processing must also be taken into account, as stated in recital 47 of the GDPR. 
For the users affected by the data processing, their right to the protection of personal data under Art. 8 GDPR and their right to respect for private and family life under Art. 7 GDPR and Art. 8 ECHR are in dispute. These must be weighed against the economic interests of the plaintiff in the financing of its website through personalized advertising. It must be taken into account that when using a free web service, users must reasonably assume that their data will be used for advertising and cannot simply assume that the internet service will be offered to them without consideration. However, the plaintiff is a publishing house that also earns money with print editions and subscriptions and also offers paid content on its website. In contrast to the offer of social networks, for example, the provision of journalistic content by the plaintiff is therefore not a completely free service. Instead, users could just as well assume that the content published on the plaintiff's website also appears in the plaintiff's paid print edition, which is published daily from Monday to Saturday, and is therefore financed by the revenues from the print edition and online subscriptions. Even for social networks offered completely free of charge, the European Court of Justice has also ruled that the mere fact that a particular service is free of charge does not mean that the data subjects must expect unlimited processing of their data for advertising purposes and that the interests and fundamental rights of a user outweigh the operator's interest in personalizing the advertising with which it finances its activities (ECJ, judgment of 4 July 2023 - C-252/21 -, juris para. 117). 
As part of the balancing process, it must be taken into account that the placement of third-party cookies by large, globally active companies in particular can be used to create and complete as detailed a user profile as possible in order to predict individual user behaviour and create advertising that is as personalized as possible. For users, this often creates a feeling of being monitored on the internet as a "transparent person" and therefore of an information imbalance, for example when advertising is placed specifically for products that they have previously viewed on another website. In addition, users on the plaintiff's website are not informed in detail and transparently about which information can be used to create profiles, but only general information on recognition features and profile data for the purposes of personalized advertising is provided in the consent banner. The lack of clarity about which data is used for profiling increases users' sense of insecurity and surveillance. Their interests in freedom from surveillance and control over their own data outweigh the financial interest of the plaintiff in the use of personal data for advertising purposes. The real-time bidding operated by the plaintiff is also not direct marketing within the meaning of Art. 21 para. 2 GDPR, in the context of which the European legislature considers data processing, including profiling, to be permissible in principle until the data subject objects. (d) The plaintiff does not obtain legally effective consent from users pursuant to Art. 6 para. 1 lit. a GDPR for the processing of personal data by means of the consent banner. For the assessment of the effectiveness of the consent pursuant to Art. 6 para. 1 lit. a GDPR, essentially the same assessment standards must be applied as for consent pursuant to Section 25 para. 1 sentence 1 TTDSG, as Section 25 para. 1 sentence 2 TTDSG refers to the GDPR for the effectiveness of the consent.
(3) By instructing the defendant to implement effective, in particular informed and voluntary consent on its website, the infringements of Section 25 (1) TTDSG and Art. 6 (1) GDPR are eliminated. bb. Finally, the defendant has also exercised its discretionary powers of decision and selection under Art. 58 (2) GDPR without error. According to Art. 58 (2) GDPR, the supervisory authority has all remedial powers that allow it to instruct the controller to bring processing operations into compliance with this Regulation in a specific manner and within a specific period of time, if necessary (lit. d). The supervisory authority may make use of its remedial powers if it has identified a breach of data protection provisions. When exercising the discretion granted to it, it must observe the principle of proportionality. If violations are identified, the supervisory authority is generally required to take action with the aim of remedying the violation. With regard to the discretionary power to decide, it can therefore be assumed that the supervisory authority has an intended discretion if - as here - it has found a violation of the law. There is also no evidence of any error in the exercise of the discretionary power. When selecting the appropriate remedial measure pursuant to Art. 58 para. 2 GDPR, the supervisory authority must observe the principle of proportionality and, in this respect, also take into account the intensity of the interference (see VGH Baden-Württemberg, decision of January 22, 2020 - VGH 1 S 3001/19 -, juris para. 61; VG Mainz, judgment of September 24, 2020 - 1 K 584/19.MZ -, juris para. 51). The instruction issued here is suitable for eliminating the violations of the TTDSG and the GDPR. It is also necessary, as there were no milder means of eliminating the infringements. The defendant informed the plaintiff in advance of its legal assessment of the consent banner. 
Although the plaintiff subsequently made some adjustments, it refused to make any further adjustments, so that the infringements could not be expected to be remedied. In view of the fundamental rights of users under Art. 7 and 8 GrCh and Art. 8 ECHR affected by the unlawful processing of their data by the plaintiff and its more than one hundred third-party service providers for commercial purposes, the instruction is also appropriate. 3. The order issued under point 1.b. is also lawful. a. The legal basis for the order is Art. 58 para. 2 lit. d GDPR in conjunction with § 20 para. 1 NDSG. b. The order is formally lawful. c. The order is also substantively lawful. Pursuant to Art. 58(2)(d) GDPR in conjunction with Section 20(1) NDSG, the defendant was entitled to instruct the plaintiff to bring the use of Google Tag Manager into compliance with the GDPR, the NDSG or other data protection provisions. aa. By using the Google Tag Manager service without obtaining prior consent from users, the plaintiff is in breach of Section 25 (1) TTDSG and Art. 6 (1) GDPR. (1) Since the Google Tag Manager program stores information in the end user's terminal equipment or accesses information that is already stored in the terminal equipment, prior user consent is required pursuant to Section 25 (1) TTDSG. The use of the program is also not subject to an exception under Section 25 (2) TTDSG. (a) The court is convinced that the Google Tag Manager itself sets and reads cookies as a result of the tests carried out by the defendant in its IT laboratory. Google Tag Manager is a tool that helps website creators to load and manage additional website components, such as program code or services, as required (Sächsische Datenschutzbeauftragte, Tätigkeitsbericht Datenschutz 2023, p. 152 f.).
It decides when and under what conditions certain program codes or services (tags) are loaded and is used in particular to execute tracking codes and scripts after consent has been granted as part of the interaction with the consent banner. The plaintiff uses the service for these purposes and claims that the Google Tag Manager itself does not set and read cookies, but only the services managed by the tool. However, tests in the defendant's test laboratory have shown that when the website is accessed before interaction with the consent banner, the end device user's data - namely the IP address and device data - is transmitted to the US server www.googletagmanager.com and a JavaScript file called gtm.js is stored on the user's end device, which contains the plaintiff's Google Tag Manager ID and reads user information. This means that the Google Tag Manager service both stores and reads information on users' end user devices. (b) Since the information is stored or transmitted before interaction with the consent banner, this is done without the user's consent required under Section 25 (1) TTDSG. (c) There is also no exception to the consent requirement under Section 25 (2) No. 2 TTDSG for the storage and access to information by Google Tag Manager. Accordingly, consent is not required if the storage of information in the end user's terminal equipment or access to information already stored in the end user's terminal equipment is absolutely necessary so that the provider of a telemedia service can provide a telemedia service expressly requested by the user. The necessity is recognized, for example, for authentication cookies or cookies to implement a shopping cart in an online store (Schmitz, in Geppert/Schütz, Beck'scher TKG-Kommentar, 5th ed. 2023, Section 25 TTDSG para. 73 with further references).
The function provided by Google Tag Manager to load tracking codes and scripts, in particular from advertising service providers, is neither a service that is expressly requested by users of the plaintiff's website, nor does it offer any added value or function for the use of the website. Rather, the loading of scripts from advertising service providers serves the interests of the plaintiff in financing the website through the sale of advertising space, not those of the users. Contrary to what the plaintiff claims, the Google Tag Manager is also not required to obtain the consent of users in accordance with Section 25 (1) TTDSG. According to its own submission, the plaintiff uses Sourcepoint's CMP for this purpose. The Google Tag Manager is only used to load tools and codes requiring consent after consent has been granted. However, the Google Tag Manager service is not technically required for this either. Rather, the loading process of these marketing tools and cookies can also be accomplished without the Google Tag Manager, for example by programming a separate script. The defendant presented this at the trial to convince the court. Various alternatives are also proposed on the Internet (see e.g. https://european-alternatives.eu/de/alternativen-zu/google-tag-manager; https://omr.com/de/reviews/product/google-tag-manager/alternatives, both last accessed on April 24, 2025). The use of the already existing and functional Google Tag Manager service merely proves to be easier for website operators. (2) The Google Tag Manager service also processes users' personal data without there being a justification under Art. 6 (1) GDPR.
(a) As the defendant's tests have shown, after accessing the website without requesting consent, the IP addresses of the users and device data are transmitted to Google's US servers (www.googletagmanager.com) and a JavaScript file is stored on the user's device, which requests individual browser data that is generally used for so-called browser fingerprinting, which enables the creation of individual user profiles. Regardless of whether these cookies are personal data, the unencrypted IP address is a datum that can be used to establish a personal reference. This means that Google Tag Manager itself, and not just the third-party service providers loaded by the service, also processes users' personal data (similar to Saxon Data Protection Commissioner, Activity Report Data Protection 2023, p. 152 f.). (b) Processing is not necessary for compliance with a legal obligation within the meaning of Art. 6 para. 1 lit. c GDPR. Section 25 (1) TTDSG does not give rise to a direct legal obligation to process data. (c) The data processing is also not justified to safeguard the legitimate interests of the plaintiff within the meaning of Art. 6 para. 1 lit. f GDPR. The Google Tag Manager is used to load scripts from third-party service providers, in particular for advertising and marketing purposes, after users have given their consent in the consent banner. Even if this data processing is therefore necessary for economic reasons to enable the integration of third-party service providers in the context of real-time bidding while maintaining the functionality of the applicant's website, this does not outweigh the fundamental rights of the users affected by the data processing to the protection of their personal data under Art. 8 CFREU and their right to respect for private and family life under Art. 7 CFREU and Art. 8 ECHR.
As part of the balancing process, it must be taken into account that there is no alternative to the Google Tag Manager service, but that the control and management of the sequence and use of program code can also be carried out with other tools, for example by means of in-house development, open software or another consent management tool (Saxon Data Protection Commissioner, Activity Report Data Protection 2023, p. 152 f.). Using the Google Tag Manager service is merely the easiest option, as the tool is free and works well. The transfer of personal data, in particular to Google as one of the most widespread players on the Internet, whose business model is, among other things, to collect data for its own commercial use, cannot be justified solely on the grounds of simplicity with regard to the fundamental rights concerned. (d) The plaintiff does not obtain the consent of users within the meaning of Art. 6 para. 1 lit. a GDPR. (3) By instructing the defendant to obtain effective consent for the Google Tag Manager service or to remove it, the violations of Section 25 (1) TTDSG and Art. 6 (1) GDPR are eliminated. bb. With the instruction under point 1.b., the defendant has also properly exercised the discretionary power of selection and decision assigned to it. In particular, the instruction issued here is suitable, necessary and appropriate to eliminate the violations of the TTDSG and the GDPR by using Google Tag Manager without consent. 4. The order under point 1.c. to provide evidence of the implementation of the ordered measures within one month is also lawful. It is also based on Art. 58 para. 2 lit. d GDPR and is formally and materially lawful. According to Art. 5 para. 2 GDPR, data processing controllers have the obligation to demonstrate compliance with the principles relating to processing of personal data pursuant to Art. 5 para. 1 GDPR.
With regard to the obligation to provide evidence, the instruction is the appropriate, necessary and proportionate means of demonstrating to the defendant as the supervisory authority that the identified breaches in data processing on the website have been remedied. 5. Finally, the order under point 2, which imposes the costs of the proceedings on the defendant on the plaintiff, is also lawful. The plaintiff's obligation to bear the costs follows from Sections 1, 3, 5 of the Lower Saxony Administrative Costs Act (NVwKostG) in conjunction with No. 23.1.10 of the cost tariff for Section 1 of the Ordinance on Fees and Expenses for Official Acts and Services (General Fee Schedule (AllGO)). 6. The decision on costs follows from Section 154 (1) VwGO. The decision on provisional enforceability is based on section 167 VwGO in conjunction with section 708 no. 11 and section 711 sentences 1 and 2 ZPO. Reccius Dr. Haake Gogolin