The withdrawal button is coming – German draft law is ready

Starting in June 2026, online retailers will have to offer an electronic withdrawal function, known as the withdrawal button. The aim is to strengthen consumer rights. But what does this mean for businesses?

Withdrawal button: consumer-friendly innovation or new risk for businesses?

With the implementation of the amended EU Consumer Rights Directive 2023/2673, German lawmakers plan to introduce an electronic withdrawal function, according to a current draft bill. The draft was debated in the Bundestag on October 17 in its first reading and is now making its way through the parliamentary process.

In the future, consumers will be able to withdraw from contracts just as easily as they concluded them online – by clicking on a so-called withdrawal button.

What is being heralded as progress in digital consumer protection turns out, on closer inspection, to be a complex undertaking with numerous legal uncertainties for businesses.

The requirements for the design, placement, and technical implementation of the button are high – and the consequences of non-compliance are significant.

New obligation for all online providers

According to the draft law, a new Section 356a BGB is to be introduced.

Entrepreneurs who conclude distance contracts via an online user interface must provide an electronic withdrawal function. This must be easily legible, continuously available throughout the withdrawal period, easily accessible, and prominently displayed on the online interface.

But what exactly do these requirements mean? Is a text link in the footer sufficient? Does it have to be a button? Does the function have to be displayed even if the withdrawal period has long since expired? Or would this even constitute misleading advertising that could result in a warning letter?

The legislator remains vague on this point – with considerable risks for business practice and competition.

If the withdrawal function is implemented incorrectly or inadequately, there is a risk of warnings from competitors and associations, fines and, under certain circumstances, an extension of the withdrawal period by up to twelve months and 14 days.

Technical implementation with legal pitfalls

The requirements go far beyond a simple “button.” Companies must also ensure, for example, that a confirmation of receipt is sent immediately and that the communication of the withdrawal can be documented in a traceable manner.

The distribution of the burden of proof is particularly problematic: the consumer must prove that they sent the withdrawal in good time – which can be difficult if the technical confirmation is delayed or does not take place at all.

More bureaucracy instead of real added value?

The aim of the reform is to offer consumers low-threshold access to withdrawal. However, it is doubtful whether this is really necessary. Consumers can already declare their withdrawal informally, for example by email, and the high return rates of online retailers show that consumers are well aware of how to declare their withdrawal.

Instead of a real simplification, this creates a considerable bureaucratic and technical burden for companies – especially since many providers have long since established customer-friendly return processes via their online shops.

The German government’s cost assumptions, according to which implementation will only cost around €240 per company, are therefore hardly realistic. In addition to technical implementation, there are legal reviews, legal advice, and adjustments to all information requirements.

Adjustment of the withdrawal policy

The introduction of the electronic withdrawal function will (of course) also result in an adjustment of the withdrawal policy. Once again, legal texts must be adapted and the changes closely monitored to ensure that no errors occur. This means that companies have a lot of work to do in the area of the right of withdrawal.

Need for action and outlook

The national regulations must come into force by December 19, 2025, and will apply from June 19, 2026, provided that implementation is completed on time. Companies should use the remaining time to adapt their systems in good time and examine the legal implications.

That’s still a long way off…

June 19, 2026 sounds like a long way off. However, since new functions will have to be established on the website and possibly even linked to customer accounts, the implementation is likely to involve a great deal of IT work. Adapting the legal texts is likely to be the least of the challenges.

The adjustments should therefore be planned into existing or new projects at an early stage.

Essay on details

Martin Rätze has described in detail in the journal Wettbewerb in Recht und Praxis WRP (Competition in Law and Practice) what effects the law introducing the withdrawal button will have in practice and which questions are still open.

You can download the essay here (in German only)

Conclusion

The electronic withdrawal function is coming, that much is certain. The draft law is now available. In terms of content, little to nothing is likely to change during the parliamentary process, so this can be used as a basis for fundamental preparation. However, the final details will only be known once the Bundestag has passed the law.

We would be happy to assist you in implementing the new legal requirements in your shop. Please feel free to contact us.

Damages for Google Fonts? Now the ECJ must decide

Remember? Some time ago, a wave of warning letters swept across Germany because website operators were using Google Fonts. The amounts to be paid were low. One person who paid is now suing for a refund. One of the key questions is: Are damages also payable in cases of abusive behavior?

Background to the proceedings

The starting point for the legal dispute is the mass mailing of warning letters due to the dynamic integration of Google Fonts. The defendant had used a web crawler to automatically visit websites that loaded fonts via Google servers. This type of integration of Google Fonts resulted in the respective IP address being transmitted to Google in the USA.

The defendant then sent standardized letters via his lawyer to the operators of the affected sites, demanding €170 in “compensation for pain and suffering.”

One website operator paid the amount but demanded a refund after learning about the mass warning letters (over 100,000 (!) such warning letters were sent).

The lower courts ruled differently: The Hanover Local Court awarded the plaintiff €70, while the Hanover Regional Court ultimately awarded the full amount. The Regional Court considered the action to be intentional immoral compensation. Interestingly, the defendant was not only the person who used the web crawler, but also his lawyer, who ultimately sent the warnings.

The Regional Court ruled that there was a claim for damages because

  1. the disclosure of the defendant’s dynamic IP address to Google USA did not involve any personal data;
  2. no damage had been caused; and
  3. – even if there had been damage – the claim for compensation would be excluded due to abuse of rights.

The defendants appealed against the decision of the Regional Court, so that the case ended up at the Federal Court of Justice (decision of August 28, 2025 – VI ZR 258/24).

The latter found that the case raised questions of EU law interpretation of the GDPR that went beyond national law. It therefore referred three complex questions to the ECJ for a preliminary ruling.

Is the IP address personal data?

The first question concerns whether dynamic IP addresses are personal data.

Specifically, the Federal Court of Justice wants to know whether personal data already exists if any third party – such as the internet access provider – has additional knowledge that allows identification.

Or whether it depends on whether the controller (in this case, the website operator) or the recipient (in this case, Google) itself has the legal and factual means to determine the identity of the person whose IP address was transmitted.

The BGH thus questions the relative approach that has prevailed to date and suggests a possible objective interpretation.

Damage despite deliberate provocation?

The second question referred for a preliminary ruling concerns the interpretation of Article 82(1) GDPR, according to which any person who has suffered material or non-material damage as a result of an infringement of the GDPR is entitled to compensation. The ECJ is to clarify whether non-material damage can also exist if the data subject deliberately and exclusively provokes the infringement in order to be able to claim compensation.

The BGH refers to recent ECJ case law, according to which even a well-founded fear of misuse of personal data can constitute non-material damage. However, it remains unclear whether this approach also applies if the data subject intentionally causes the data transfer – as in the present case, in which over 100,000 websites were visited automatically.

The Regional Court of Hanover had denied damages because the defendant had voluntarily disclosed his IP address and there was no actual impairment.

Not all damage is the same

However, from the perspective of the Federal Court of Justice, it must be clarified what constitutes damage. In German law, lawyers understand this to mean “any involuntary loss of material and immaterial goods as a result of a specific event.” This understanding excludes compensation for damages if the loss is voluntary.

However, the GDPR does not refer to the respective national law for the concept of immaterial damage, so that a so-called autonomous interpretation under EU law must be made. And only the ECJ is allowed to do this.

In the past, the ECJ has had frequent opportunities to comment on the concept of damage. For example, a mere violation of the GDPR is not sufficient; rather, damage must have occurred as a result of this violation. However, a loss of control may be sufficient. And—very importantly—the burden of proof for the occurrence of damage lies with the data subject.

In principle, according to the BGH, such a loss of control could have occurred as a result of the (unlawful) transfer of data to Google – and thus a compensable damage.

However, this consideration may be countered by the fact that the defendant deliberately intended to transfer the data to the US.

Such provocation to violate the law has not yet been the subject of ECJ case law, which is why the BGH is referring this question to the ECJ.

Abuse of rights and limits under EU law

Finally, the BGH would like to know from the ECJ whether, in cases of this kind, a claim for compensation for non-material damage can be ruled out on the grounds of abuse of rights. According to established case law of the ECJ, abusive reliance on EU law is inadmissible, even in relations between private individuals.

The BGH is seeking clarification as to whether the deliberate creation of the conditions for a data protection violation – combined with the aim of obtaining financial advantages from it – already qualifies as abusive conduct within the meaning of EU law. It also remains unclear whether such conduct is only considered an abuse of rights if the financial motivation was the sole determining factor, or whether “mixed” motives – such as an alleged interest in data protection – are also sufficient.

Significance for practice and data protection law – not only when using Google Fonts

The preliminary ruling is of considerable relevance in practice. On the one hand, it touches on the fundamental question of when technical identifiers such as dynamic IP addresses constitute personal data.

This question is particularly relevant for website operators, e.g. also for the use of Google Tag Manager and the need to obtain consent.

On the other hand, the proceedings concern the increasing trend toward “warning letters and claims for damages” in data protection law. If the ECJ also affirms a claim for damages in the case of provoked data protection violations, this could lead to a new wave of warning letters as a source of income for those affected.

If, on the other hand, the ECJ denies the eligibility for compensation or recognizes an abuse, this would prevent attempts to derive financial benefits from targeted GDPR violations.

Outlook

Until the ECJ’s decision, it remains unclear whether a transmitted dynamic IP address is in itself personal data and whether deliberately provoked data protection violations can constitute compensable immaterial damage. The decision of the Federal Court of Justice (BGH) shows that the relationship between data protection and abuse of rights under the GDPR is still unsettled. The ECJ once again has the opportunity to answer fundamental questions of European data protection law.

We are happy to assist you with any questions you may have about data protection.

German Court: Google Tag Manager only permissible with consent

Cookie banners are a recurring topic for supervisory authorities and courts. The Hanover Administrative Court has now once again highlighted formal aspects. It has also ruled that Google Tag Manager may only be used if the user has given their express consent.

The Administrative Court of Hanover (judgment of March 19, 2025, 10 A 5385/22) has issued a ruling on the data protection assessment of the use of Google Tag Manager (GTM). Another subject of the decision was the design of cookie banners.

The subject of the proceedings was the question of whether the operation of a journalistic online portal is designed in compliance with data protection regulations. It specifically concerned the issue of obtaining consent for cookies, third-party tracking, and the use of GTM.

The decision deals with the requirements for voluntary and informed consent within the meaning of Section 25 TTDSG and Art. 6 (1) (a) GDPR.

Note: The TTDSG is now called TDDDG.

Google Tag Manager on website

The plaintiff, a regional publishing house, operates an online journalism service via its website, which is financed by subscriptions and advertising. It used a variety of cookies and third-party services on its website, including the Google Tag Manager.

After a technical review, the State Data Protection Commissioner of Lower Saxony (LfD) prohibited it from using certain services without the effective consent of users.

In particular, the LfD criticized the fact that Google Tag Manager was already active when the page was first loaded. It transmitted data to Google servers in the US without users having given their express consent beforehand. The LfD ordered the plaintiff to obtain or implement effective consent for the use of cookies on its website.

The plaintiff appealed against this order before the administrative court.

The plaintiff defended itself by arguing that Google Tag Manager merely served as a technical aid for reloading additional scripts and that, in this respect, no data processing relevant to data protection law took place.

It also disputed that the LfD had any jurisdiction at all, as the TDDDG was not a data protection regulation.

Court decision: LfD has jurisdiction

The Administrative Court of Hanover dismissed the publishing house’s lawsuit.

It first clarified that the State Data Protection Commissioner was indeed responsible for monitoring compliance with Section 25 TTDSG.

Section 25 TTDSG is an “other data protection provision” within the meaning of Section 20 (1) of the Lower Saxony Data Protection Act. Even though the TTDSG protects communication secrecy in addition to data protection objectives, there is a close connection to the GDPR in terms of content. Access to end devices and the associated processing of personal data are generally inseparable. A separation of supervisory responsibilities would therefore be contrary to the system and practically unmanageable.

The question of responsibility for compliance with the TTDSG is very important. This law did not come into force until long after the GDPR. If a state data protection authority takes action against a company on the basis of this law, it must first be examined within the state data protection laws whether the authority is even authorized to monitor the TTDSG.

The Administrative Court of Hanover has now clarified this for Lower Saxony. However, the decision on this issue has no significance for other federal states.

Design of the cookie banner

The decision focused on the legal classification of the cookie banner used and the treatment of Google Tag Manager.

In the court’s opinion, the design of the banner did not meet the requirements for informed and voluntary consent.

When the website was accessed, the “first level” of the banner was initially displayed. Here, users could choose between “accept all cookies” or changing the settings. There was no direct rejection option at this level.

Those who chose to change the settings were confronted with sub-levels, complex drop-down menus, and default settings.

In the court’s view, users were thus effectively pressured into giving their consent. In addition, the various sub-levels and categories gave the impression that users could not significantly influence the type of data processing.

To make matters worse, if consent was refused, the banner reappeared every time the page was accessed, whereas if consent was given, surfing was possible without hindrance.

The court assessed this design as a so-called “dark pattern,” i.e., manipulative user guidance. This design, in conjunction with the different color schemes of the options, led the court to deny the voluntary nature of the consent given. This meant that the consent was not effective—neither within the meaning of Section 25 TTDSG nor within the meaning of the GDPR.

Google Tag Manager only with consent?

The ruling pays particular attention to the use of Google Tag Manager. The court clarifies that this is not merely a technical infrastructure that, as a neutral platform, simply reloads other scripts.

Rather, the integration of GTM itself already accesses the user’s end device, and data is transferred to the US – namely by retrieving the gtm.js script from Google servers. Among other things, IP addresses and device properties are transmitted in the process.

The fact that GTM itself does not perform any specific analysis services is irrelevant. The processing of personal data begins as soon as the Google script is called up for the first time. However, this requires consent in accordance with Section 25 TTDSG.

The plaintiff’s attempt to invoke the exemption under Section 25 (2) TTDSG was also unsuccessful. According to this provision, consent is not required if the storage of information in the end user’s terminal equipment or access to information already stored in the end user’s terminal equipment is strictly necessary for the provider of a digital service to provide a digital service expressly requested by the user.

The GTM is neither technically necessary nor expressly requested by the user. The court emphasized that the integration of the GTM is in no way necessary to enable the basic functionality of the website. Rather, the GTM serves exclusively for the flexible reloading of marketing and tracking services. It is therefore typically associated with processing that is relevant under data protection law.

Consequences for practice

The ruling of the Administrative Court of Hanover sends a clear signal to operators of websites and online platforms: in the court’s opinion, the use of Google Tag Manager – even without directly reloaded tracking scripts – constitutes a measure requiring consent within the meaning of the TTDSG.

Other authorities, such as the LfDI NRW, share this view.

Website operators should therefore ensure that GTM is only loaded once the user has given their consent. This requires a technical implementation that controls the reloading of GTM depending on the user’s consent.

It is equally important that the consent banner is designed in accordance with data protection regulations. The decision makes it clear that users must not be pressured into giving their consent through design, color, placement, or technical hurdles. A simple, equivalent option for refusing consent should already be available on the first level of the banner.

Information about the purposes, scope, and recipients of data processing must also be provided in a clear and understandable manner.

Solution and recommended action

Website operators who use Google Tag Manager should check at short notice whether it is triggered before consent is given. If this is the case, regulatory measures may be imposed.

Technically, this can be achieved by conditional script execution via a consent management platform (CMP). In this case, the GTM script is only loaded once the user has consented to the use of corresponding cookies and third-party technologies.

At the same time, the consent banner should be adjusted: a “Decline” button should be offered on the same level. It must be presented with the same visual weighting as the approval options.

The repeated appearance of the banner in the event of rejection should also be avoided.
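The steps above (load GTM only after consent, offer "Decline" on the first level with the same weighting, do not re-show the banner after a refusal) can be sketched as follows. This is an added example, not code from the ruling or from any CMP vendor; the storage key, element id, CSS class and the `GTM-XXXXXXX` container id are hypothetical placeholders.

```javascript
// Added example: consent-gated loading of Google Tag Manager.
// CONSENT_KEY, GTM_SCRIPT_ID and GTM_CONTAINER_ID are hypothetical placeholders.
const CONSENT_KEY = "consent.marketing";
const GTM_SCRIPT_ID = "gtm-loader";
const GTM_CONTAINER_ID = "GTM-XXXXXXX"; // placeholder, not a real container

// Returns "granted", "denied", or null when the user has not decided yet.
function readDecision(storage) {
  const value = storage.getItem(CONSENT_KEY);
  return value === "granted" || value === "denied" ? value : null;
}

// Persists either choice. Remembering "denied" as well is what keeps the
// banner from reappearing on every page view after a refusal.
function recordDecision(storage, decision) {
  if (decision !== "granted" && decision !== "denied") {
    throw new Error("decision must be 'granted' or 'denied'");
  }
  storage.setItem(CONSENT_KEY, decision);
}

// Injects gtm.js at most once. No request goes to Google before this runs,
// so the page must not contain a static GTM snippet in its HTML.
function loadGtm(doc, containerId) {
  if (!/^GTM-[A-Z0-9]+$/.test(containerId)) {
    throw new Error("unexpected container id format");
  }
  if (doc.getElementById(GTM_SCRIPT_ID)) return false; // already injected
  const script = doc.createElement("script");
  script.id = GTM_SCRIPT_ID;
  script.async = true;
  script.src =
    "https://www.googletagmanager.com/gtm.js?id=" + encodeURIComponent(containerId);
  doc.head.appendChild(script);
  return true;
}

// Page-load entry point: GTM is loaded only for a stored "granted" decision;
// the banner is shown only while no decision exists.
function applyConsent(doc, storage, containerId) {
  const decision = readDecision(storage);
  const gtmLoaded = decision === "granted" ? loadGtm(doc, containerId) : false;
  return { decision, showBanner: decision === null, gtmLoaded };
}

// First banner level: both options side by side with the same style class,
// so neither is visually favoured.
function firstLevelButtons() {
  return [
    { action: "granted", label: "Accept", cssClass: "consent-btn" },
    { action: "denied", label: "Decline", cssClass: "consent-btn" },
  ];
}

// Click handler for either button.
function onBannerChoice(doc, storage, containerId, action) {
  recordDecision(storage, action);
  return applyConsent(doc, storage, containerId);
}

// Browser wiring (skipped outside a browser).
if (typeof document !== "undefined" && typeof window !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => {
    const state = applyConsent(document, window.localStorage, GTM_CONTAINER_ID);
    if (!state.showBanner) return;
    const banner = document.createElement("div");
    banner.setAttribute("role", "dialog");
    for (const b of firstLevelButtons()) {
      const btn = document.createElement("button");
      btn.className = b.cssClass;
      btn.textContent = b.label;
      btn.addEventListener("click", () => {
        onBannerChoice(document, window.localStorage, GTM_CONTAINER_ID, b.action);
        banner.remove();
      });
      banner.appendChild(btn);
    }
    document.body.appendChild(banner);
  });
}
```

To verify the result, load the page with empty storage and confirm in the browser's network panel that no request to `www.googletagmanager.com` appears until "Accept" is clicked.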

Conclusion

The ruling of the court confirms the opinion of many supervisory authorities with regard to the reject function at the first level. The decision also shows that even seemingly neutral services are relevant under data protection law. Operators of digital services should therefore review not only their consent banner but also the entire technical architecture of their website in terms of data protection law.

We have also compiled an overview of the consent requirements under the TTDSG for you here (in German).

Accessibility statement according to BFSG – What should be included and what should not?

Update: List of currently responsible state authorities added

The Accessibility Enhancement Act (BFSG) will come into force on June 28, 2025. From this date onwards, various products and websites must be made accessible. There is currently a great deal of misunderstanding regarding the content of the “accessibility statement” that companies are required to provide. We explain the details.

Accessibility Enhancement Act – New obligations for companies

In our detailed article on the Accessibility Enhancement Act (BFSG), you can learn the basics, in particular who the law applies to.

We have also created a guide entitled “FAQ – Accessible Websites”, in which we explain the implementation of the BFSG from a technical perspective.

Accessibility statement in accordance with the BFSG

In addition to technical implementation, the BFSG also requires the provision of information in accordance with Annex 3 to the law. In recent weeks, the term “accessibility statement” has become established for this purpose.

This is somewhat unfortunate, as this term is actually already “reserved” for another statement, which leads to many misunderstandings in connection with the BFSG.

The BFSG requires service providers to

“have prepared the information in accordance with Annex 3, Number 1, and have made this information accessible to the general public in an accessible form; the provisions of the statutory order to be issued in accordance with Section 3, Paragraph 2, are decisive for making the information accessible.”

Annex to the BFSG: The accessibility statement

The law therefore refers exclusively to Annex 3, No. 1, which reads as follows:

The service provider shall indicate in its general terms and conditions or in another clearly perceptible manner how its service within the meaning of Section 1 (3) meets the accessibility requirements of the statutory order to be issued pursuant to Section 3 (2). The relevant information shall include a description of the applicable requirements and, insofar as relevant for the assessment, cover the design and implementation of the service.

In addition to the consumer information requirements under Article 246 of the Introductory Act to the Civil Code, the information shall, where applicable, include at least the following elements:

(a) a general description of the service in an accessible format;

(b) descriptions and explanations necessary for understanding the implementation of the service;

(c) a description of how the service meets the relevant accessibility requirements listed in the statutory order to be issued pursuant to Section 3 (2);

(d) the name of the competent market surveillance authority.

This requirement, which is relevant for the private sector, must be distinguished from the accessibility statement pursuant to Section 12b of the Disability Equality Act (BGG).

Accessibility statement in accordance with the Disability Equality Act

The BGG is a somewhat older law from 2002 that regulates the accessibility requirements that must be met by public authorities. These include, for example, federal administration offices.

The BGG does not apply to private companies.

Section 12b (1) BGG requires federal public authorities to publish an accessibility statement on their website.

The content of this statement is specified in Section 12b (2) BGG:

1. In the event that, in exceptional cases, the design is not completely accessible,

  • the designation of the parts of the content that are not completely accessible,
  • the reasons for the non-accessible design, and
  • if applicable, a reference to accessible alternatives,

2. an immediately accessible, barrier-free option for contacting the agency electronically to report any remaining barriers and to request information on the implementation of accessibility,

3. a reference to the conciliation procedure pursuant to Section 16, which

  • explains the possibility of conducting such a conciliation procedure and
  • contains a link to the conciliation body.

Federal public authorities are therefore expressly obliged to identify non-accessible parts of the website content.

No listing of non-accessible parts according to BFSG

The information obligation under the BFSG does not include any obligation to list the non-accessible parts of the services (e.g., the website).

The explanatory memorandum to the BFSG expressly states:

This information to be provided by the service provider largely corresponds to the accessibility statement as provided for in Section 12b BGG. However, Directive (EU) 2019/882 does not require the service provider to also indicate in its information which parts of its service are not accessible and how the non-conformity is justified. This is not necessary because the service provider is fundamentally obliged to ensure complete accessibility.

Anyone who lists the non-accessible parts of their website in the declaration provides competitors, consumer centers, and qualified trade associations with a basis for warnings.

In addition, this publicly documents that one is violating the law and thus acting intentionally. This is likely to play a decisive role in the imposition of a possible fine.

Consequences of a non-accessible website

The law provides for several (simultaneous) obligations if the service does not comply with the requirements of the BFSG and the associated BFSGV:

  1. Prohibition of offering and providing the service (Section 14 (1) No. 1 BFSG)
  2. Taking the necessary corrective measures to ensure the conformity of the service (Section 14 (4) sentence 1 BFSG)
  3. Informing the market surveillance authority(ies) that the service does not meet the requirements of the BFSGV (Section 14 (4) sentence 2 BFSG)

The authority can then initiate a multi-stage procedure which, in the worst case, can lead to a ban on the provision of the service. In the case of websites, this means that the non-accessible parts of the website must be shut down.

In addition, fines may be imposed.

Who can help with the creation of the accessibility statement?

If you have your website managed by an agency, their support is essential for creating the accessibility statement in accordance with the BFSG. This does not mean that the agency provides legal advice, but rather that it clearly states the technical means by which accessibility has been achieved.

In addition, legal advice should always be sought when creating the statement. This is because, in addition to the technical requirements, the legal requirements for the information must also be met.

Since the statement must be created on a very individual basis, particularly with regard to the description of the service offered, the description that aids understanding of the service, and the specific technical implementation of the accessibility requirements, there are unlikely to be any suitable standard templates that can be used.

Ultimately, Annex 3 to the BFSG is the “template” that must be completed by the company.

Where should the accessibility statement be placed?

Annex 3 to the BFSG stipulates that the information must be provided either in the general terms and conditions or “in another clearly noticeable manner.”

In our opinion, the specific information relating to the BFSG does not belong in the general terms and conditions. Instead, a separate page should be provided for this purpose and linked in the footer of the website.

Update: Competent market surveillance authorities under the BFSG

The federal states have concluded a state treaty to create a central market surveillance authority in Saxony-Anhalt. However, this state treaty has not yet been ratified by all federal states, so this authority has not yet been established.

Nevertheless, some federal states have appointed their own market surveillance authorities, which are responsible for the transitional period until the central authority for surveillance under the BFSG is established.

The following overview lists the market surveillance authorities of the federal states that we were able to identify based on publications in the respective law gazettes.

Overview

State | Competent authority | Legal basis
Baden-Württemberg | No competent authority found |
Bavaria | For the administrative districts of Lower Franconia, Upper Franconia, Middle Franconia, and Upper Palatinate, the Trade Supervisory Office at the Government of Upper Franconia in Coburg is responsible. Authority name: Government of Upper Franconia – Trade Supervisory Office. For the administrative districts of Swabia, Upper Bavaria, and Lower Bavaria, the Trade Supervisory Office at the Government of Lower Bavaria in Landshut is responsible. Authority name: Government of Lower Bavaria – Trade Supervisory Office | https://www.gewerbeaufsicht.bayern.de/marktueberwachung/bfsg.htm
Berlin | No competent authority found |
Brandenburg | No competent authority found |
Bremen | No competent authority found |
Hamburg | No competent authority found |
Hessen | Giessen Regional Council | Regulation on responsibilities under the Barrier-Free Accessibility Act (BFSGZV)
Mecklenburg-Western Pomerania | No responsible authority found |
Lower Saxony | No responsible authority found |
North Rhine-Westphalia | No responsible authority found |
Rhineland-Palatinate | Ministry responsible for social affairs | State ordinance on responsibilities under the Accessibility Enhancement Act
Saarland | Ministry of Labor, Social Affairs, Women, and Health | Ordinance on responsibilities for reviewing conformity of products and services under the Accessibility Enhancement Act
Saxony | Saxony State Directorate | Accessibility Enhancement Competence Regulation
Saxony-Anhalt | Saxony-Anhalt State Office for Consumer Protection | Regulation on competences under the Accessibility Enhancement Act
Schleswig-Holstein | Ministry responsible for social affairs | State regulation on the determination of the market surveillance authority under the Accessibility Enhancement Act (MübBFSGVO)
Thuringia | No competent authority found |

Name of the competent authority

Until the state treaty on the joint market surveillance authority enters into force, the market surveillance authority responsible for the respective federal state must be named in the accessibility statement.

Conclusion

From June 28, 2025, companies must not only comply with the basic accessibility requirements. They must also provide the information specified in Annex 3, for which the term “accessibility statement” has already become established.

It is important to ensure that this statement does not put you in the “pillory” by publicly declaring that you are not complying with the law.

We are happy to assist you in preparing your accessibility statement.

In an article in the trade journal WRP, we have dealt in detail with the requirements for accessible websites. You can read the full text of the article here:

Accessible websites – An overview of the effects of the BFSG (in German)

Two months to go – websites must become accessible

On June 28, 2025, the Accessibility Enhancement Act (BFSG) will come into force, bringing with it numerous changes, particularly for website operators. The aim of the BFSG is to improve participation for people with disabilities and to implement EU Directive 2019/882.

Who does the law affect?

The BFSG is primarily aimed at companies in the B2C sector, in particular service providers in electronic commerce – which includes not only traditional online shops but also numerous other offerings on websites.

However, such service providers are exempt if they are micro-enterprises. This means that they have fewer than ten employees and an annual turnover or balance sheet total of no more than € 2 million.

Important: Even companies that are not directly covered by the BFSG – such as agencies or IT service providers that develop websites and other digital solutions for providers of B2C services – should be aware of the requirements of the BFSG and implement them in their services.

Their customers are obliged to offer accessible solutions. In order for these “suppliers” to remain competitive and meet the requirements of their clients, they too must design their products and services to be accessible.

Why accessibility is important

Accessible websites and services enable companies to tap into new target groups. It is not exclusively about people with disabilities, but also about older people or people with temporary limitations.

In addition, accessibility increases user-friendliness (UX) and strengthens a company’s image in the long term.

What are the requirements?

Websites must be clearly structured and should be compatible with screen readers and fully operable via keyboard. High contrast, alternative text for images, and accessible forms are also essential.

In addition, an accessibility statement must be published on the website—in an accessible format, of course.

Consequences of non-compliance

Companies that do not implement the requirements face fines of up to 100,000 euros. The new market surveillance authority of the federal states for the accessibility of products and services will be based in Magdeburg. It will be responsible for monitoring compliance.

In addition, warnings under competition law may be issued.

Our guide

In collaboration with Ria Weyprecht, owner and founder of the agency stolperfrei.digital, we have created a guide. In it you will find advice on how to make your website accessible.

You can download the guide as a PDF (only in German) here.

When is a termination under labor law deemed to have been received?

A recent ruling by the Federal Labor Court (BAG) clarifies one of the most common issues in labor law: How can proof of delivery of the termination be provided? This question is particularly relevant because receipt is not only crucial for compliance with notice periods and the start of the period for bringing legal action, but also for determining whether the termination is effective at all.

This decision is also extremely relevant for employers who are not based in Germany but employ workers in Germany.

Facts of the case: The dispute over receipt of the termination

In the underlying case, an employer had terminated an employee’s employment. However, the question arose as to whether the employee had actually received the termination.

Because one thing is certain: if the employee to be terminated does not receive the termination, then it is not effective and the employment relationship is therefore not terminated.

The employer claimed that two employees had put the letter of termination in an envelope together. Then one of them had taken the envelope to the post office. There, she is said to have arranged for it to be sent as registered mail.

The decision of the Federal Labor Court

The Federal Labor Court (judgment of January 30, 2025, 2 AZR 68/24) clarifies that a written termination is deemed to have been received at the moment it enters the recipient’s sphere of control and the recipient can, under normal circumstances, be expected to take note of it.

However, the employer bears the burden of proof for the receipt of a letter of termination. This means that the employer must provide concrete evidence that the termination was actually placed in the employee’s mailbox. Or, even better, that the termination was handed over in person.

Registered mail is not proof

Sending the termination by registered mail is not sufficient to provide this proof.

A printout of the shipment tracking did not help the employer either, because essential information was missing.

The ruling states:

“The printout of the shipment status, which shows the same shipment number as on the proof of posting and the delivery date, also does not provide sufficient guarantee of receipt.

In this case, it is not possible to determine who delivered the shipment, nor is there sufficient evidence that the procedure described by the Federal Court of Justice or the currently valid procedure of Deutsche Post AG for the delivery of mailed items was actually followed.

The shipment status is not a substitute for the delivery receipt.

It does not indicate whether the delivery person actually paid special attention to the specific delivery, which would justify the conclusion that the delivered item was placed in the recipient’s mailbox.”

Furthermore, the shipment status did not indicate to whom the letter was actually delivered. To the recipient personally, to another person living in the household, or simply by being placed in the mailbox? Not even the delivery address was noted. The time of the alleged delivery was also missing. In addition, the shipment status did not contain any information about the person who delivered the letter.

No proof – no termination

Since the employer could not prove that the termination had been delivered, the termination was deemed invalid.

Practical implications for companies

The ruling has far-reaching consequences for employers.

Employers who wish to terminate an employee’s contract must ensure that the termination is delivered within the notice period.

Registered mail is not suitable for this purpose.

Practical tip: Avoid mistakes when delivering termination notices

To ensure that a termination notice is delivered in a legally compliant manner, employers should note the following points:

  • Proof of delivery: Ideally, delivery should be documented by witnesses or a courier.
  • No electronic means: Termination by email or fax is not sufficient under labor law, as it does not meet the legal requirement for written form. Even “advance transmission” of the termination by email does not help, as this also does not constitute proof that the termination was delivered correctly.
  • Time of delivery: Ideally, the letter should be posted in the mailbox in the morning to ensure that the recipient can take note of it on the same day. If the termination is not posted until 11 p.m., it can generally no longer be assumed that it will be received on the same day. This can have consequences for the notice period.

Conclusion

The delivery of a termination notice should ideally be carried out by courier. The courier collects the letter from the employer and takes note of it before putting it in the envelope. The courier then goes to the delivery address and documents the correct delivery of the item, and afterwards sends this documentation to the employer.

This not only provides the employer with sufficient documentation. It also allows them to name the courier as a witness for the delivery in court.

We are happy to answer any questions you may have about termination and unfair dismissal claims.

Competitors may issue warnings for violations of the GDPR

Since the GDPR came into force in 2018, there has been debate in Germany as to whether competitors and consumer associations can issue warnings for violations of the GDPR. Now, the Federal Court of Justice (BGH) has finally clarified this issue.

The BGH (judgment of March 27, 2025, I ZR 186/17, I ZR 222/19, and ZR 223/19) has ruled that both consumer protection associations (such as consumer centers) and competitors can issue warnings for violations of the GDPR. This increases the risk for companies that (consciously or unconsciously) do not comply with data protection regulations.

Consumer center against Facebook

In one case, the Federation of German Consumer Organisations (vzbv) sued Meta Platforms Ireland Limited, which operates the social network Facebook. The case concerned Facebook’s failure to adequately inform its users about the scope and purpose of the collection and use of their personal data.

After the ECJ had already ruled that consumer protection associations can also pursue GDPR violations by means of injunctions, the BGH has now followed this assessment.

The BGH press release states:

“Art. 80 (2) GDPR provides a suitable basis for associations to pursue violations of the General Data Protection Regulation under the Law Against Unfair Competition and the Injunction Act.

The aforementioned consumer associations are therefore authorized under Section 8 (3) No. 3 UWG and Section 3 (1) Sentence 1 No. 1 UKlaG to take action against violations of information obligations pursuant to Art. 12 (1) Sentence 1 GDPR in conjunction with Art. 13(1)(c) and (e) GDPR for violations of the Unfair Competition Act and a consumer protection law within the meaning of Section 2(1) and (2) sentence 1 No. 13 UKlaG, as well as the use of an invalid general term and condition pursuant to Section 1 UKlaG by way of an action before the civil courts.

In this respect, it is irrelevant that the plaintiff brought his action independently of the specific violation of data protection rights of a data subject and without a mandate from such a person. Since an institution within the meaning of Art. 80 (2) GDPR cannot be required to identify in advance the individual person who is specifically affected by the processing of data that is presumed to violate the provisions of the General Data Protection Regulation, the designation of a category or group of identifiable natural persons is sufficient for the filing of such a class action.

It is also sufficient for the entity to invoke that the violation of the rights of that person occurs in connection with the processing of personal data and is based on a breach of the obligation incumbent on the controller pursuant to Art. 12(1) sentence 1 and Art. 13(1)(c) and (e) of the GDPR, because in the case in dispute it cannot be assumed that the plaintiff is asserting purely hypothetical violations with his action.”

If the information is not communicated to the user in accordance with Art. 13 GDPR, this constitutes a violation of § 5a (1) UWG, as essential information is withheld.

Shipment of medicinal products via Amazon

In the two other proceedings, competing pharmacies disputed the admissibility of distributing medicinal products via the Amazon platform.

On the one hand, this concerned the question of whether competitors can issue warnings to each other for GDPR violations. The other issue was whether the data entered by a customer when ordering medicines from Amazon constitutes health data within the meaning of Art. 9 GDPR.

The BGH answered both questions in the affirmative in its ruling. From the press release:

The processing and use of data entered by customers of the defendant when ordering a medicine online via a pharmacist’s account on the Amazon Marketplace, such as the customer’s name, delivery address, and information necessary for the individualization of the ordered medicine, violates Art. 9 (1) GDPR if, as in the case in dispute, it is carried out without the express consent of the customers. The order data constitutes health data within the meaning of this provision, even if the medicine does not require a doctor’s prescription.

Article 9(1) GDPR is a market conduct regulation within the meaning of Section 3a UWG, so that a violation of this provision can be prosecuted by a competitor pursuant to Section 8(3)(1) UWG by way of a competition law action before the civil courts. The provisions on the requirement of consent to the processing of personal data serve to protect the personal rights interests of consumers, particularly in connection with their participation in the market. Consumers should be free to decide whether and to what extent they disclose their data in order to participate in the market and conclude contracts.

In these proceedings, too, the Federal Court of Justice had previously referred the matter to the ECJ.

Conclusion

So far, only the press release of the Federal Court of Justice is available; the full text of the decisions with detailed reasoning is expected to be published in the next few days.

However, it can already be said that the issue of data protection is becoming even more important. The risk of being held liable for violations of the GDPR is increasing as a result of these decisions by the Federal Court of Justice.

And there is a danger that the risk will increase even further.

The Advocate General at the ECJ (C-655/23) expressed the view that data subjects are also entitled to injunctive relief against a company if it has violated the GDPR.

We are happy to assist you with any questions you may have regarding data protection and data security.

Planned amendment to the UWG: These advertising measures will soon be banned!

The legal framework for advertising and corporate communications is set to be tightened once again. Advertising claims relating to environmental protection and sustainability—known as green claims—as well as product quality are to be more strictly regulated, according to a draft from the Ministry of Justice.

Why is the UWG being amended?

The Federal Ministry of Justice has published a draft for discussion on amending the UWG (Act against Unfair Competition).

The proposed amendments are intended to implement Directive (EU) 2024/825 on empowering consumers for the green transition through better protection against unfair practices and better information.

Particular attention is being paid to greenwashing and environmental advertising claims. The new regulations are intended to ensure greater transparency and enable consumers to make informed purchasing decisions.

Which advertising measures will be prohibited in the future?

  1. Vague or unsubstantiated environmental claims

General terms such as “climate neutral,” “sustainable,” or “environmentally friendly” will only be permitted in the future if they are clearly defined and substantiated with clear specifications. Companies must either refer to scientifically based environmental standards or publish detailed implementation plans.

  2. Misleading sustainability labels

Only government-recognized or independently certified environmental and sustainability labels may continue to be used. Proprietary, unverifiable labels will no longer be permitted. In addition, the evaluation criteria must be accessible.

  3. Compensation for greenhouse gas emissions

Advertising with statements based on the compensation of greenhouse gas emissions will be prohibited. In the future, it will no longer be permitted to advertise with claims such as “climate neutral” if this climate neutrality is only achieved through compensation payments.

  4. False statements about durability and reparability

Companies may not make exaggerated promises about the longevity or reparability of products. It is also prohibited to advertise goods with deliberately shortened durability or to misrepresent their reparability.

  5. Environmental claims that refer to the entire product or company will be prohibited if the environmental claim only refers to a part of it.

Advertising with irrelevant information

A new form of misleading advertising is also to be introduced: advertising with a benefit for the consumer that is irrelevant and does not result from a feature of the product or business activity will be prohibited in future.

When exactly a benefit is irrelevant must be determined on a case-by-case basis. Recital 5 of the Directive gives the following two examples:

  • Advertising bottled water as “gluten-free”
  • Advertising paper sheets as “plastic-free”

What are the consequences of the UWG amendment for companies?

Companies should review their marketing materials (website, flyers, social media presence, etc.) and revise them if necessary. Advertising claims relating to the environment can already be misleading today, but the rules will be further tightened in the future.

The risks of non-compliance are high: warnings and reputational damage are possible.

Industries that advertise heavily with environmental and sustainability promises, such as the food, furniture, fashion, and electronics industries, are particularly affected.

How can companies prepare?

  • Review advertising measures: Check existing marketing campaigns and product labels for legally compliant statements.
  • Secure evidence: Back up environmental and sustainability claims with reliable studies, certifications, and publicly available reports. Anyone who wants to advertise with environmental claims after the amendment to the UWG should prepare early, as the relevant certifications take time.
  • Use certified seals: If you use your own labels, these should be replaced by seals from recognized certification systems. Your own labels will no longer be permitted!
  • Provide clear and accurate product information: Communicate information on durability, reparability, and software updates correctly and transparently.
  • Seek legal advice: Early review can help avoid costly violations.

When do the new requirements come into effect?

There is still enough time to prepare for the changes. The EU directive must be implemented by March 27, 2026. The new regulations must then be applied from September 27, 2026.

Due to the early federal elections, the discussion paper from the Ministry of Justice will not find its way into the Bundestag until after the elections. However, as this is the implementation of an EU directive, the current paper can already be used as a guide. We do not expect there to be any significant changes to the content.

If, however, implementation does not take place (in time), the courts would be obliged to interpret existing national law in accordance with European law. This does not pose a major challenge, particularly with regard to the misleading use of green claims. For example, the Federal Court of Justice (judgment of June 27, 2024, I ZR 98/23) has already ruled under current law that advertising with the word “climate neutral” is misleading if no further explanations are provided.

The directive does not apply directly. However, as it clarifies existing unfair practices, national courts can in principle also interpret the provisions of the directive as general misleading practices.

Conclusion: Prepare now to avoid future warnings!

The planned amendment to the UWG will bring about far-reaching changes for advertising and corporate communications. Anyone who wants to continue advertising with environmental and sustainability promises will have to meet stricter documentation requirements in the future. Companies should adapt early on to minimize legal risks and maintain consumer confidence.

The ODR platform is being abolished – What does this mean for companies?

In 2016, the EU Commission’s ODR platform for out-of-court dispute resolution was created. Since then, online companies have been required to provide a link to this platform on their websites. This resulted in a massive wave of warning letters. Now the good news: the platform – and with it the obligation to link to it – is being abolished. What does this mean for you?

Background

The ODR platform and the underlying ODR Regulation (Regulation 524/2013) are one of the pillars of an out-of-court dispute resolution system. The second pillar is the ADR Directive (Directive 2013/11/EU), which was promulgated on the same day.

The directive lays the groundwork for EU member states to establish national arbitration bodies that consumers can turn to when they have problems with a company.

These arbitration bodies are supposed to resolve disputes quickly, efficiently and cost-effectively (for the consumer), thus making court proceedings unnecessary. This directive remains in place.

The ODR platform is intended to offer consumers the opportunity to turn to an arbitration board in the event of cross-border problems. The ODR platform itself did not carry out any arbitration. It merely forwarded incoming complaints to the respective company or the respective competent national arbitration board.

Only 2% of all complaints submitted via the platform were even forwarded to a national conciliation body – which means 200 complaints per year.

The usefulness of this platform has been criticized from the outset.

Abolition of the ODR platform on July 20, 2025

Now the ODR platform will be abolished on July 20, 2025, as regulated by Regulation 2024/3228, published on December 30, 2024. In connection with this, the obligation for online businesses to link to this platform will also be eliminated.

Complaints will no longer be accepted after March 20, 2025

Article 2 (2) of Regulation 2024/3228 stipulates that complaints will no longer be accepted on the ODR platform after March 20, 2025.

From that date onwards, consumers will no longer be able to submit complaints.

The information requirement regarding the ODR platform will remain in place until July 20, 2025

Online businesses will nevertheless still be required to provide information regarding the ODR platform until July 20, 2025. This information requirement will, however, no longer provide any added value after March 20, as consumers will no longer be able to use the platform after that date.

Depending on how companies currently fulfill their information obligation, this notice would have to be adapted. If the notice explicitly states that consumers can use the ODR platform to file a complaint, this information would be incorrect as of March 20.

As of July 20, 2025, the reference to the ODR platform should be removed from the website and from the terms and conditions (and all other places).

Note on participation in conciliation proceedings must continue to be given!

The information on the ODR platform is to be distinguished from the information on whether the company is willing or obliged to participate in out-of-court dispute resolution in Germany. This information requirement arises from Section 36 of the German Consumer Dispute Resolution Act (Verbraucherstreitbeilegungsgesetz, VSBG) and the ADR Directive mentioned above and remains in force!

Currently, the imprint and terms and conditions on German websites often contain texts like this:

“EU platform for out-of-court online dispute resolution: http://ec.europa.eu/consumers/odr/

We are not willing or obliged to participate in dispute resolution proceedings before a consumer arbitration board.”

The first sentence must therefore be removed from July 20, 2025, while the second sentence must remain! Changes are also pending here, however. The Federal Ministry of Justice has had a draft bill [only in German] since October 2024, according to which this second information requirement is also to be largely abolished. Due to the early parliamentary elections, though, it is questionable whether this change will still come about.

Consider terminating cease-and-desist declarations

In the early years of the ODR platform, there were numerous written warnings on this topic, for example because the platform was not referred to at all or the link was not clickable. As a result of these written warnings, many companies issued a cease-and-desist declaration. This obliges them – to put it simply – to link to the platform for all time.

Despite the abolition of the platform, the obligation under the cease-and-desist declaration continues to apply, as this is a contract.

Companies that have issued a cease-and-desist declaration on the subject should have checked whether it can be terminated.

Conclusion

It is to be welcomed that the ODR platform is finally being abolished. This results in the following to-do list for online companies:

  • Adjusting the imprint and terms and conditions
  • Checking cease-and-desist declarations

If you have issued a cease-and-desist declaration, it is essential to check whether it can be terminated. We would be happy to support you in implementing these tasks.

Violations of the GDPR are also competition violations

Since 2018, the question in Germany has been whether competitors can issue warnings to each other for violations of the GDPR. Now the ECJ has ruled: they can. In this article, we explain why we do not expect a new wave of warnings despite this ruling.

The ECJ (judgment of October 4, 2024, C-21/23) had to clarify the question of whether competitors can issue warnings to each other for violations of the GDPR.

Sale of medication via Amazon

At issue was a dispute between two pharmacists. One of them was selling prescription-only medicines via Amazon. The other was of the opinion that this distribution via Amazon was unlawful because customers did not consent to the processing of their health data.

The Regional Court of Dessau-Roßlau (in Germany) agreed and ruled that selling prescription-only medicines via Amazon constituted unfair commercial practices.

Ultimately, the case ended up before the German Federal Court of Justice (“BGH”).

Questions referred by the BGH

The BGH suspended the proceedings and referred two questions to the ECJ for a preliminary ruling:

  1. Do the provisions of Chapter VIII of the GDPR preclude national provisions which, in addition to the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the regulation and the possibilities for legal protection of the data subjects, grant competitors the power to take action against the infringer before the civil courts for violations of the GDPR on the grounds of the prohibition of unfair commercial practices?
  2. Are the data that customers of a pharmacist who is a seller on an online sales platform enter when ordering medicines that are pharmacy-only but not prescription-only on that platform (customer name, delivery address and information necessary for the individualization of the ordered pharmacy-only medication), health data within the meaning of Art. 9 para. 1 GDPR and data concerning health within the meaning of Art. 8 para. 1 of the Data Protection Directive?

Decision of the ECJ

The ECJ first notes that the wording of the GDPR does not preclude a competitor’s right to injunctive relief.

A violation of the GDPR may not only affect the interests of the data subject, but also those of third parties, such as competitors. Article 82(1) of the GDPR clarifies that “any person who has suffered material or non-material damage as a result of an infringement of this Regulation” has the right to receive compensation.

The Court has also already ruled in previous decisions that a violation of the GDPR may constitute a violation of consumer protection rules or an unfair commercial practice.

“In this context, it should be noted that access to personal data and its use in the digital economy are of considerable importance. Access to personal data and the possibility of processing it have become an important parameter of competition between companies in the digital economy. In order to take account of actual economic developments and to maintain fair competition, it may therefore be necessary to take into account the rules on the protection of personal data when enforcing competition law and the rules on unfair commercial practices.”

In the past, the ECJ had already ruled that consumer protection agencies can issue warnings for violations of the GDPR.

The ECJ sees the possibility for competitors to take action against GDPR violations as a way to strengthen the practical effectiveness of the GDPR. It also believes that this could improve the desired high level of protection of the data subjects with regard to the processing of their personal data.

No restriction of other legal remedies in the GDPR

The ECJ also states that the possibility of injunctive relief does not affect the other legal remedies under the GDPR. For example, a data subject can still lodge a complaint with the supervisory authority.

Fines imposed by the authorities also remain a possibility.

Efficient law enforcement

The ECJ emphasizes that injunctive relief from competitors can help prevent numerous violations of the rights of data subjects.

Cease-and-desist letters are possible

In summary, the ECJ answers that competitors can issue cease-and-desist letters for violations of the GDPR and can also assert their claims for injunctive relief in court.

Health data in the GDPR

In response to the second question, the ECJ ruled that in a case in which a pharmacy operator sells pharmacy-only medicines via an online platform, data that its customers have to enter when ordering these medicines online (such as name, delivery address and information necessary for the individualization of the medicines) constitute health data within the meaning of these provisions, even if the sale of these medicines does not require a medical prescription.

This means that the strict rules of Art. 9 GDPR apply.

No GDPR warning letters to fear

Despite this clarification by the ECJ, new waves of warning letters are not to be expected.

This is partly due to Section 13 (4) no. 2 of the German Unfair Competition Act (UWG). According to this provision, the person issuing the warning will not be reimbursed for their costs if the person being warned has fewer than 250 employees.

In addition, the party issuing the warning would, under certain circumstances, have to expect a counter-warning. Particularly in the area of data protection, many companies are likely to still have areas that need improvement, since the implementation of the GDPR in practice is associated with numerous challenges.

In this case, the motto “What I can’t do right myself, I won’t criticize in another” should apply.

Conclusion

The ECJ ruling clarifies the legal situation. It does not come as a surprise. Especially in the recent past, there were hardly any voices left that doubted that competitors could also issue warnings for violations of the GDPR.

Despite this possibility, it is not to be expected that waves of warnings will now roll across the country.