The design of cookie banners is legally significant. Data protection law stipulates certain requirements for effective consent. Nevertheless, many cookie banners are designed manipulatively and steer users towards consent, criticizes the State Commissioner for Data Protection. Data protection Lower Saxony. In a recent case, the supervisory authority has enforced this: Anyone who offers a clearly visible "Accept all" button must also provide an equivalent button for "Reject all".
Dispute over cookie banner ends up in administrative court
The case in question concerned the cookie banner of a large media company in Lower Saxony. The data protection supervisory authority of Lower Saxony (the State Commissioner for Data Protection of Lower Saxony, LfD) had ordered the company to redesign its banner. The reason was that the existing banner did not offer users a real choice between using cookies or not. The authority criticized the fact that no informed and voluntary consent was obtained from users before unnecessary cookies were set.
The media company countered that their cookie consents were effectively obtained. Furthermore, the company denied processing any personal data at all. It also questioned the competence of the data protection authority for cookie issues.
The company resisted this order and took the matter to court. The administrative court (case no. 10 A 5385/22) therefore had to decide on the legality of the official intervention.
Legal assessment of the VG Hannover
The Hanover Administrative Court dismissed the complaint and thus confirmed the official order. The judges found that the design of the cookie banner in its present form violated applicable law in several respects. In particular, the user consents obtained in this way were invalid. This constituted a violation of Section 25 TTDSG and the General Data Protection Regulation (GDPR).
The Chamber came to the conclusion that the users had not given informed, voluntary and unambiguous consent within the meaning of the GDPR. Accordingly, the use of non-essential cookies took place without a lawful basis. The objection that the data protection authority lacked jurisdiction did not prevail either.
Source: Judgment of the Hanover Administrative Court dated 19.03.2025 (10 A 5385/22)
Requirements for effective consent for cookie banners
The ruling underlines the general legal requirements for effective consent. According to the GDPR, consent must be voluntary, informed, specific and unambiguous.
The most important criteria can be summarized as follows:
- Voluntary: Consent must be given without coercion. The user must have genuine freedom of choice to reject or accept cookies. "Reject" must be just as easy as "Accept".
- Informed: The user must be clearly and fully informed about data processing. This includes information on the cookies used and their purpose. Information must also be provided about all integrated third-party providers, possible data transfers to third countries and the right to withdraw consent.
- Specific: Consent must relate to specific processing purposes. Ideally, users should have the option of consenting to individual cookie categories or purposes separately.
- Unambiguous: Consent must be given by a clear, unambiguous action on the part of the user. An active click on a clearly labeled consent button is required. Pre-ticked boxes or simply navigating further are not sufficient.
Reading tip: Acceptance or rejection of cookies must be equally possible
Users are pressured into giving their consent
In the specific case, the court objected to the following points in particular:
- Difficult rejection: Rejecting cookies was much more complicated than accepting them.
- Pressure to give consent: Users were pressured into giving their consent by constantly being shown new banners.
- Misleading labels: The headline "optimal user experience" and the button text "accept and close" were misleading.
- No reference to consent: The term "consent" was completely missing from the banner.
- Non-transparent partner list: The number of integrated partners and third-party providers was not recognizable.
- Hidden information: References to the right of withdrawal and to data processing in third countries were only visible after scrolling.
All these deficiencies meant that the consents obtained were to be regarded as invalid.
"Reject" button belongs in cookie banner
In practice, many banners currently contain a clearly visible "Accept all" button, but no equivalent offer to decline. This tends to steer users towards consent, which is known as "nudging".
The Administrative Court clarifies: A consent banner must not be specifically aimed at obtaining consent. It must also not prevent users from rejecting cookies.
This requirement is in line with the principles of the supervisory authorities. As early as 2021, the Data Protection Conference clarified that a banner with only the options "Accept all" and "Settings" is not legally compliant. The Higher Regional Court of Cologne also ruled in 2024 that the "Reject" option must be just as easily accessible as "Accept".
Reference to GDPR, § 25 TTDSG and Google Tag Manager
The VG Hannover also confirmed the legal opinion of the LfD Lower Saxony that the use of the Google Tag Manager requires consent in accordance with Art. 25 Para. 1 TDDSG and Art. 6 Para. 1 lit. a GDPR.
The Google Tag Manager is used to integrate tracking codes and scripts, particularly from advertising service providers, into the website.
This is neither a service that is expressly requested by the user of the website, nor does it offer any added value for the user of the website, explains the LfD Niedersachsen.
A common mistake is that GTM scripts are already loaded when the page is accessed - i.e. before consent has been given. As a result, data can flow to Google or other third-party providers even before consent is given. Correct configuration is therefore crucial: all tracking tags must be blocked until consent is given. The sole use of a Consent Management Platform (CMP) does not automatically lead to legally effective consent.
Implications for website operators
For website operators, the ruling provides clear guidance on the design of content banners. Anyone who uses a cookie banner on their website should now critically review its legal compliance and improve it if necessary.
The following principles can be derived from the decision:
- Add a clearly visible "Reject all" button on the first banner level.
- Make rejecting just as easy as accepting.
- No constant banner repetitions if the user does not consent.
- Clear, truthful wording: no misleading headlines or button texts.
- Full transparency on partners, third country transfers and right of withdrawal.
- No tracking tags or cookies without prior consent - not even via GTM.
Conclusion: Website users must have a real choice when giving consent
The judgment of the VG Hannover sends a clear signal for data protection-compliant cookie banners. Operators must give users a real choice. Manipulative consent dialogs must be avoided.
Would you like to make your cookie banners legally compliant?
The ruling by the VG Hannover increases the pressure on website operators to obtain consent in compliance with data protection regulations. Our specialized team at 2B Advice supports you in the legally compliant implementation of your consent management - efficiently, pragmatically and tailored to your business model.
✔ Legally compliant banner design
✔ Implementation of current GDPR and TTDSG requirements
Integration into your existing website infrastructure
✔ Optional: Certification with the CookieProof® seal
Get non-binding advice now:
www.2b-advice.com/de/cookieproof
Protect your website - we help you to avoid warnings and fines.
German 
English 
Italian 
French