Home Web Design Online Marketing Print Design Blog Contact Get a Free Consultation →

Cookie Banners Without a Lawyer: The Legally Sound Minimum

What a cookie banner actually has to do to hold up under Germany's TTDSG and the GDPR. And where pricey consent tools are just selling you fear.

A cafe owner from the western edge of Munich called us last year because he wanted his cookie banner "finally done right." He'd been paying a good 15 euros a month for a well-known consent tool, and had been for over a year. We took a look at his site. It loaded exactly one external service: Google Fonts. Nothing else. No analytics, no Facebook pixel, no embedded map. The banner he'd spent more than 180 euros on was there for one single thing you can solve differently in ten minutes. I keep retelling this story because it's so typical.

There's an enormous amount of fear floating around cookie banners. Fear sells subscriptions. So let's sort out what's actually required and what's pure marketing from the consent vendors.

Do you even need a cookie banner?

Short answer: not always. You need a banner as soon as your site stores or reads things in a visitor's browser that aren't strictly technically necessary. In Germany this has been governed since December 2021 by the TTDSG, specifically Section 25. Plain shopping-cart cookies, login sessions, a language preference: all allowed without consent. But the moment tracking, marketing, or embedded third-party content enters the picture, you need a clear yes up front.

The part almost everyone misses: it's not about the word "cookie." It's about loading content from external servers. Google Fonts from Google's CDN, a YouTube video, Google Maps, an Instagram feed. All of that transmits your visitor's IP address to a third party, often over to the US. And that's the real trigger.

With the cafe it was exactly that. Google Fonts from a Google server. We simply downloaded the two typefaces and placed them locally on his own web space (self-hosted). From that moment on, no IP address was traveling to Google anymore. The banner could go entirely. No subscription, no click-hassle for the guests, no cost. Incidentally, the Munich Regional Court I ruled back in 2022 that dynamically embedding Google Fonts without consent is a data-protection violation (a German court decision). Self-hosting solves the problem at the root.

The legally sound minimum: three things, no more

If you do run services that require consent and you genuinely need a banner, then it has to do exactly these three things. Anything beyond that is convenience, not obligation.

1. Rejecting as easy as accepting

The "Accept all" button and the "Reject all" button have to sit on the same level. Same size, same reachability, same visibility. You're not allowed to hide the reject option behind a "Settings" link while the accept button glows green and huge. German data-protection authorities call tricks like that "dark patterns," and the 2023 EDPB guidelines are unambiguous on this. A two-step banner (accept first, then reject somewhere small) is the most common mistake I see.

2. No pre-ticked boxes

Every checkbox for marketing, statistics, or personalized advertising has to start empty. The user actively ticks the box, or nothing happens. A pre-ticked box is not consent. The European Court of Justice established this back in 2019 in the Planet49 ruling, long before the TTDSG arrived. And yet I still find it on sites, sometimes even with the expensive tools when they've been configured wrong.

3. Scripts only after the yes

This is the part where most banners fail technically. A pretty banner does nothing at all if Google Analytics has already loaded and fired while the visitor is still deciding. The tracking scripts are only allowed to start after the user has agreed. Technically that means the scripts hang off the consent, not off the page load. Sounds simple, but it's constantly built wrong. We always check this with the browser's developer tools, the Network tab, and watch what's already going out before the click. At a dentist's office in Germering, the Facebook pixel was happily firing before any consent. The banner sitting above it was pure decoration.

What consent vendors sell you that you don't need

The big consent management platforms aren't evil. For a large online shop with 40 integrated marketing tools, they make sense. They keep consent logs, update the vendor list, cover TCF frameworks. But here's the thing: the vast majority of small-business sites in Fuerstenfeldbruck, Olching, or Puchheim don't have 40 tools. They have zero to three.

What tends to get sold here as "lawsuit-proof" and is usually pointless for a small company site:

  • Automatic scanning of your site for cookies. If you know your own site (and you should), you don't need a scanner that costs money every month.
  • Giant vendor databases with hundreds of services. Useful for ad networks. Irrelevant for a tradesperson's or a medical practice's site.
  • The IAB TCF framework. That's built for programmatic advertising. If you're not serving ads, you simply don't need it.

A cleanly built, lightweight banner that only asks about your actual services and stores the consent properly meets exactly the same legal requirements. Without a monthly subscription. On client projects we often build something like this straight into the code when we're doing the web design anyway.

The honest minimal checklist

Walk through this once before you pay for any tool:

  • Which external services does my site really load? (Open the Network tab in your browser and read along.)
  • Can I self-host any of them? Google Fonts almost always, yes.
  • After that, is there anything consent-requiring left at all? If not, you don't need a banner.
  • If there is: rejecting equal to accepting, no pre-selection, scripts only after the click.
  • Does nothing really fire before consent? Check it yourself.

That's it. No law degree needed.

And when do you actually need a lawyer?

I don't want to sugarcoat anything here. There are situations where a specialist IT lawyer is worth the money, and in those cases I'll say so plainly. For example, if you work with especially sensitive data (health, finances), if you merge user profiles across several channels, if you serve advertising at scale, or if you transfer data to third countries. And if you've already received a warning letter (an Abmahnung under German law): straight to a lawyer, don't tinker with it yourself. We're a web design agency, not a law firm. What we deliver is the technically correct implementation and an honest look at what services your site is actually loading.

The point stands: most small company sites are far simpler than the fear-based messaging from the tool vendors suggests. Often the legally sound minimum is closer than you think. Sometimes it isn't a banner at all.

Not sure what your site loads, or whether your banner even works correctly? We'll take a look as part of a free 30-minute check, tell you honestly whether your consent setup holds up, and whether you can save yourself the subscription. Just reach out through our contact form. Straight from here in Fuerstenfeldbruck.

Ready for more?

bytebrise supports businesses in Fürstenfeldbruck with web design, online marketing and print design.

Free Initial Consultation