German Court: Google Tag Manager only permissible with consent
Cookie banners are a recurring topic for supervisory authorities and courts. The Hanover Administrative Court has now once again highlighted formal aspects. It has also ruled that Google Tag Manager may only be used if the user has given their express consent.
The Administrative Court of Hanover (judgment of March 19, 2025, 10 A 5385/22) has issued a ruling on the data protection assessment of the use of Google Tag Manager (GTM). Another subject of the decision was the design of cookie banners.
The subject of the proceedings was the question of whether the operation of a journalistic online portal is designed in compliance with data protection regulations. It specifically concerned the issue of obtaining consent for cookies, third-party tracking, and the use of GTM.
The decision deals with the requirements for voluntary and informed consent within the meaning of Section 25 TTDSG and Art. 6 (1) (a) GDPR.
Note: The TTDSG is now called TDDDG.
Google Tag Manager on website
The plaintiff, a regional publishing house, operates an online journalism service via its website, which is financed by subscriptions and advertising. It used a variety of cookies and third-party services on its website, including the Google Tag Manager.
After a technical review, the State Data Protection Commissioner of Lower Saxony (LfD) prohibited it from using certain services without the effective consent of users.
In particular, the LfD criticized the fact that Google Tag Manager was already active when the page was first loaded. It transmitted data to Google servers in the US without users having given their express consent beforehand. LfD ordered the plaintiff to obtain or implement effective consent for the use of cookies on its website.
The plaintiff appealed against this order before the administrative court.
The plaintiff defended itself by arguing that Google Tag Manager merely served as a technical aid for reloading additional scripts and that, in this respect, no data processing relevant to data protection law took place.
It also disputed that the LfD had any jurisdiction at all, as the TDDDG was not a data protection regulation.
Court decision: LfD has jurisdiction
The Administrative Court of Hanover dismissed the publishing house’s lawsuit.
It first clarified that the State Data Protection Commissioner was indeed responsible for monitoring compliance with Section 25 TTDSGG.
Section 25 TTDSGG is an “other data protection provision” within the meaning of Section 20 (1) of the Lower Saxony Data Protection Act. Even though the TTDSG protects communication secrecy in addition to data protection objectives, there is a close connection to the GDPR in terms of content. Access to end devices and the associated processing of personal data are generally inseparable. A separation of supervisory responsibilities would therefore be contrary to the system and practically unmanageable.
The question of responsibility for compliance with the TTDSG is very important. This law did not come into force until long after the GDPR. If a state data protection authority takes action against a company on the basis of this law, it must first be examined within the state data protection laws whether the authority is even authorized to monitor the TTDSG.
The Administrative Court of Hanover has now clarified this for Lower Saxony. However, the decision on this issue has no significance for other federal states.
Design of the cookie banner
The decision focused on the legal classification of the cookie banner used and the treatment of Google Tag Manager.
In the court’s opinion, the design of the banner did not meet the requirements for informed and voluntary consent.
When the website was accessed, the “first level” of the banner was initially displayed. Here, users could choose between “accept all cookies” or changing the settings. There was no direct rejection option at this level.
Those who chose to change the settings were confronted with sub-levels, complex drop-down menus, and default settings.
In the court’s view, users were thus effectively pressured into giving their consent. In addition, the various sub-levels and categories gave the impression that users could not significantly influence the type of data processing.
To make matters worse, if consent was refused, the banner reappeared every time the page was accessed, whereas if consent was given, surfing was possible without hindrance.
The court assessed this design as a so-called “dark pattern,” i.e., manipulative user guidance. This design, in conjunction with the different color schemes of the options, led the court to deny the voluntary nature of the consent given. This meant that the consent was not effective—neither within the meaning of Section 25 TTDSG nor within the meaning of the GDPR.
Google Tag Manager only with consent?
The ruling pays particular attention to the use of Google Tag Manager. The court clarifies that this is not merely a technical infrastructure that, as a neutral platform, simply reloads other scripts.
Rather, the integration of GTM itself already accesses the user’s end device, and data is transferred to the US – namely by retrieving the gtm.js script from Google servers. Among other things, IP addresses and device properties are transmitted in the process.
The fact that GTM itself does not perform any specific analysis services is irrelevant. The processing of personal data begins as soon as the Google script is called up for the first time. However, this requires consent in accordance with Section 25 TTDSG.
The plaintiff’s attempt to invoke the exemption under Section 25 (2) TTDSG was also unsuccessful. According to this provision, consent is not required if the storage of information in the end user’s terminal equipment or access to information already stored in the end user’s terminal equipment is strictly necessary for the provider of a digital service to provide a digital service expressly requested by the user.
The GTM is neither technically necessary nor expressly requested by the user. The court emphasized that the integration of the GTM is in no way necessary to enable the basic functionality of the website. Rather, the GTM serves exclusively for the flexible reloading of marketing and tracking services. Therefore it is typically associated with processing that is relevant under data protection law.
Consequences for practice
The ruling of the Administrative Court of Hanover sends a clear signal to operators of websites and online platforms: in the court’s opinion, the use of Google Tag Manager – even without directly reloaded tracking scripts – constitutes a measure requiring consent within the meaning of the TTDSG.
Other authorities, such as the LfDI NRW, share this view.
Website operators should therefore ensure that GTM is only loaded once the user has given their consent. This requires a technical implementation that controls the reloading of GTM depending on the user’s consent.
It is equally important that the consent banner is designed in accordance with data protection regulations. The decision makes it clear that users must not be pressured into giving their consent through design, color, placement, or technical hurdles. A simple, equivalent option for refusing consent should already be available on the first level of the banner.
Information about the purposes, scope, and recipients of data processing must also be provided in a clear and understandable manner.
Solution and recommended action
Website operators who use Google Tag Manager should check at short notice whether it is triggered before consent is given. If this is the case, regulatory measures may be imposed.
Technically, this can be achieved by conditional script execution via a consent management platform (CMP). In this case, the GTM script is only loaded once the user has consented to the use of corresponding cookies and third-party technologies.
At the same time, the consent banner should be adjusted: a “Decline” button should be offered on the same level. It must be presented with the same visual weighting as the approval options.
The repeated appearance of the banner in the event of rejection should also be avoided.
Conclusion
The ruling of the court confirms the opinion of many supervisory authorities with regard to the reject function at the first level. The decision also shows that even seemingly neutral services are relevant under data protection law. Operators of digital services should therefore review not only their consent banner but also the entire technical architecture of their website in terms of data protection law.
Author
Verknüpfte Anwälte
Partner, certified specialist for information technology law
