Legal Context
What is a cookie banner and when is it required?
A cookie banner is a user interface that enables end users to actively provide consent to the processing of their personal data. It should clearly explain which types of data are collected, for which purposes, with whom the data is shared, where it is stored, and any other relevant information.
For consent to serve as a valid legal basis, it must be obtained before any personal data is collected or processed (“opt-in”).
Contextual consent
For certain purposes, it is advisable to complement the cookie banner with contextual consent. Unlike a cookie banner, contextual consent is not shown when users first visit a website, but only when they interact with specific content. A common example is the activation of “additional features” such as maps, videos, or social media content.
Because such services often involve the processing of personal data, users may only access them after giving consent. Contextual consent helps users better understand the specific purpose of the processing and allows risks to be communicated in a more intuitive and situation-specific way.
Opt-out instead of opt-in
For some purposes, it may be sufficient to offer users the option to object to the processing of their data (“opt-out”). In this case, personal data may be processed unless and until the user objects. This differs from the opt-in model, where processing is only permitted after consent has been given.
Whether an opt-in or opt-out mechanism is appropriate depends on the level of risk associated with the processing and the applicable legal requirements.
Key legal provisions
The following legal provisions are particularly relevant when implementing a cookie banner:
- General Data Protection Regulation (GDPR), in particular:
  - Article 5 (principles such as lawfulness, fairness, transparency, purpose limitation, data minimisation, integrity and confidentiality, accountability)
  - Article 6 (lawfulness of processing)
  - Article 7 (conditions for consent)
  - Articles 12–14 (information obligations)
  - Article 21 (right to object)
  - Articles 25 and 32 (data protection by design and by default; security of processing)
- ePrivacy requirements (in Germany, in particular the TDDDG), which regulate the storage of and access to information on end-user devices:
  - Section 25 (protection of privacy in relation to end devices)
  - Section 26 (recognised consent management services and end-user settings)
While the GDPR governs the processing of personal data, ePrivacy rules specifically address access to end-user devices (e.g. via cookies or similar technologies). Together, these provisions form the legal framework for configuring your cookie banner and designing consent processes.
Requirements for valid consent
For consent to be legally valid, it must be freely given, informed, specific, unambiguous, and data subjects must be able to withdraw it at any time. In practice, the main challenge lies in ensuring that consent is truly informed.
Empirical studies show that conventional cookie banners often fail to provide users with sufficient understanding of what they are consenting to. As a result, the validity of such consent is questionable.
“Informed” means that users must be able to understand—before making their decision—which data is processed, for what purposes, which third parties are involved, and what impact this may have for them.
The Consenter Risk Assessment supports you in systematically capturing these information requirements and presenting them in a transparent and comprehensible way.
Transparency obligations for informed consent
Before obtaining consent, website operators must provide clear, comprehensive, and easily accessible information. This includes, in particular:
- The specific purposes of processing.
- The technologies used (including third-party technologies, where applicable).
- The benefits and data protection risks for website visitors.
- How these technologies are configured, including:
  - The role of third-party providers (e.g. processor, joint controller, or independent controller).
  - Whether tracking is used and, if so, which type (e.g. first-party or third-party tracking).
  - Whether personalisation or profiling is applied (e.g. group-based or individual profiling).
- The categories of personal data processed.
- The storage period.
- Whether data is transferred outside the EU and, if so, to which countries and under which safeguards for ensuring an equivalent level of protection.
This information must be presented in a clear, understandable, and accessible manner. Consenter supports this by providing a structured, visual, and technical framework for communicating these details effectively.
Within the Consenter Manager, you will be prompted to provide this information as part of the configuration process. These inputs are not optional—they are essential for obtaining valid, informed consent.
State of the art (Articles 25 and 32 GDPR)
According to Articles 25 and 32 GDPR, you are required to implement appropriate technical and organisational measures to ensure data protection by design and the security of processing.
This includes designing consent mechanisms in a way that effectively protects users from risks to their fundamental rights. In doing so, you must take into account the “state of the art,” meaning the most effective and advanced methods currently available for implementing informed consent.
Demonstration of effectiveness (Article 25(1) GDPR)
In its Guidelines 4/2019 on Article 25 (Data Protection by Design and by Default), the European Data Protection Board (EDPB) emphasises that demonstrating effectiveness is a central requirement for complying with Article 25 GDPR and thus for implementing GDPR obligations in general.
To demonstrate effectiveness, you must define performance indicators that allow you to measure whether and how effectively informed consent is implemented. These indicators may be quantitative or qualitative. Based on more than ten years of research, the Consenter research group has developed a range of such methods.
In practice, most existing cookie banners neither demonstrate effectiveness nor reflect the state of the art. Instead, they typically apply best practice implementations. However, such best practices differ from the “state of the art” required under Articles 25 and 32 GDPR: while widely used, their effectiveness is often unproven and they do not necessarily represent the most effective available solutions.
Moreover, substantial empirical evidence shows that conventional cookie banners fail to provide users with sufficient information. As a result, valid consent in accordance with Article 6(1)(a), in conjunction with Articles 25 and 32 GDPR, is often not obtained.
Consenter not only provides templates and evidence for the effective implementation of informed consent in accordance with Articles 25 and 32 of the GDPR, but also, for the first time, significantly advances the state of the art.
As a website operator, you can adopt these directly or indirectly. Direct adoption means that you integrate the Consenter cookie banner into your website. This automatically ensures you meet the current state of the art. An indirect implementation means that you develop your own cookie banner by simply adopting Consenter’s templates and specifications. This also allows you to comply with the current state of the art.
Incidentally, you can also further develop the state of the art yourself. To do so, you can apply the methods we have summarised in our freely accessible User Experience Design Toolkit.
Informed consent (Articles 5, 6, 7 in conjunction with Article 25 GDPR)
The following design principles enable significantly more informative and effective consent mechanisms compared to conventional approaches:
- Specification of purposes: Processing purposes must be defined in a way that allows users to understand the associated benefits and risks to their fundamental rights. Users typically base their decisions on such a balancing of benefits and risks.
- Configuration of technologies: The specific configuration of third-party services directly affects the level of risk. These implications must be transparently communicated to users.
- Information distribution, layout, and visualisation: Information should be structured across multiple layers according to relevance, in order to avoid overwhelming users. Key information—particularly purposes, benefits, and risks—should be presented at the first level of the cookie banner. Visual elements, such as privacy icons, should be used to enhance clarity.
- Integration of consent agents: Website operators should integrate signals from consent agents, as these significantly improve the level of informed consent. Consent supported by such agents is generally more informed and therefore more effective.
Side note: The integration of consent agents is foreseen in Section 26 TDDDG and is currently being discussed at EU level. Given that agent-supported consent mechanisms are already available and provide a higher level of informed consent, they represent the emerging state of the art. Accordingly, their consideration may already be required under Article 25 GDPR.
Data minimisation (Article 5 in conjunction with Article 25 GDPR)
Website operators may only process as much personal data as they genuinely require. This is particularly important when they use third-party technologies. They must therefore check what the technology actually does and whether the processing can be restricted (“Know Your Tools”).
- Adjusting the configuration: When website operators use third-party technologies, they should not adopt the default configuration but should adjust the settings to their actual needs. The default configuration is often very broad and processes more data than is usually required.
- Advertising purposes of the technology provider: Some third-party providers also process the data for their own advertising purposes. In this case, website operators must inform their visitors of this and obtain consent for this purpose. A blanket reference to the third-party provider’s privacy policy, without specifying their processing purposes, is not sufficient.
- Alternative technologies: Website operators must assess whether they can use a technology that poses fewer risks to their visitors, provided that the technology posing greater privacy risks is not necessary. The fact that a technology posing greater privacy risks is the most widely used technology does not constitute a necessity.
Apart from the effective implementation of the data minimisation principle, website operators can achieve not only greater trust but also higher consent rates among their visitors by choosing a more privacy-friendly technology and configuring it appropriately.
Control options (Articles 5, 6, 7 in conjunction with Article 25 GDPR)
Website operators must also integrate consent agents because this enables them to provide visitors to their website with significantly more effective control options:
- Informed decisions: With the help of a consent agent, website visitors can make significantly more informed decisions about the disclosure of their data. Website operators can thereby achieve not only greater trust but also higher consent rates.
- Adaptation to system changes: Once website visitors have made a decision, this must be respected on subsequent visits; their ability to make informed decisions must not be disrupted by the repeated display of a banner, as this increases consent fatigue and thus leads to less informed decisions.
- The use of consent agents is superior to the use of cookies because the former are persistent and ‘remember’ the decisions made by website visitors for as long as they use the agent. Cookies that store users’ decisions, on the other hand, are regularly deleted, with the result that the cookie banner appears on a return visit even though the user has already made a decision.
- Returning visitors must be informed of changes to the website operator’s system that alter the data protection risk, and only of such changes. As the basis for decision-making has thus changed, the control mechanisms must be adapted accordingly:
  - If consent has already been given and the risk to the same fundamental rights subsequently increases, at least a notice of the increased risk is required, combined with the immediate option to withdraw consent.
  - If the user did not grant consent for a specific purpose during the last visit and the website operator has since been able to reduce the risk, they may, conversely, ask for consent again for this purpose during a subsequent visit, as there is now a new basis for decision-making in this case as well.
- Proof of consent: Website operators must provide visitors with proof of whether and for what purposes they have obtained consent. The integration of a consent agent is a suitable solution for this, as it provides the agent’s users with an automated overview of to whom they have granted which consents. Equally effective alternatives are also permissible (see, for example, ISO/IEC TS 27560:2023 – Consent Records and Receipts).
Side note: Using these techniques, website operators can achieve greater trust – and thus higher consent rates – not only in the short term but also in the long term across multiple repeat visits.
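The rules above for returning visitors (respect the prior decision, notify and offer withdrawal when the risk of a granted purpose has increased, ask again only when the risk of a declined purpose has decreased, and ask before processing for any purpose not yet decided) can be expressed as a small decision function. This is an added illustration, not Consenter’s own code; the numeric risk scale and the purpose names are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    GRANTED = "granted"
    DENIED = "denied"


class Action(Enum):
    RESPECT_PRIOR_DECISION = "respect_prior_decision"      # no banner, no notice
    NOTIFY_AND_OFFER_WITHDRAWAL = "notify_and_offer_withdrawal"
    MAY_ASK_AGAIN = "may_ask_again"
    ASK_CONSENT = "ask_consent"                            # opt-in required before processing


@dataclass(frozen=True)
class StoredDecision:
    purpose: str
    decision: Decision
    risk_level: int  # assumed 1 (low) .. 5 (high) risk score at the time of the decision


def action_for_purpose(stored: StoredDecision, current_risk: int) -> Action:
    """Decide what a returning visitor must see for one purpose."""
    if stored.decision is Decision.GRANTED and current_risk > stored.risk_level:
        # Risk to the same rights went up: notice plus immediate withdrawal option.
        return Action.NOTIFY_AND_OFFER_WITHDRAWAL
    if stored.decision is Decision.DENIED and current_risk < stored.risk_level:
        # Operator reduced the risk: a new basis for decision-making, may ask again.
        return Action.MAY_ASK_AGAIN
    # Unchanged basis (or a change that does not call for interaction): do not re-prompt.
    return Action.RESPECT_PRIOR_DECISION


def actions_on_return(stored: list, current_risks: dict) -> dict:
    """Map every currently configured purpose to the required action.

    `current_risks` is the operator's present purpose -> risk configuration;
    purposes with no stored decision need fresh opt-in consent.
    """
    by_purpose = {s.purpose: s for s in stored}
    result = {}
    for purpose, risk in current_risks.items():
        if purpose not in by_purpose:
            result[purpose] = Action.ASK_CONSENT
        else:
            result[purpose] = action_for_purpose(by_purpose[purpose], risk)
    return result
```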
Documentation requirements and signal integrity (Articles 5, 6, 7 in conjunction with Article 32 GDPR)
Website operators must be able to demonstrate that consent has been validly obtained and that legal requirements have been met.
This includes, in particular, the traceability of the chosen configuration, the transparency of the information provided and the documented granting of consent. Here too, Consenter is significantly advancing the state of the art.
In particular, website operators must store consents in such a way that they can demonstrably no longer be altered – usually via a signature procedure.
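One way to make stored consents demonstrably unalterable is to keep them as a hash-chained log in which every record is authenticated with a signature or MAC. The example below is added here and is not Consenter’s implementation; it uses an HMAC with a constructed key (a real deployment would hold the key in an HSM or KMS and could use an asymmetric signature instead), and the record fields are assumptions.

```python
import hashlib
import hmac
import json
import time

# Constructed key for this example only; never embed a real signing key in code.
SIGNING_KEY = b"example-consent-log-key-do-not-use"
GENESIS = "0" * 64  # chain anchor for the first record


def canonical(record: dict) -> bytes:
    """Deterministic serialization so an identical record always authenticates identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_consent(log: list, subject_id: str, purpose: str, granted: bool, ts=None) -> dict:
    """Append one consent decision; each record commits to the tag of the previous one."""
    body = {
        "subject": subject_id,
        "purpose": purpose,
        "granted": granted,
        "timestamp": int(time.time()) if ts is None else ts,
        "prev": log[-1]["tag"] if log else GENESIS,
    }
    tag = hmac.new(SIGNING_KEY, canonical(body), hashlib.sha256).hexdigest()
    record = dict(body, tag=tag)
    log.append(record)
    return record


def verify_log(log: list) -> bool:
    """Return True only if every record is untampered and the chain is unbroken.

    Detects edited fields, re-ordered, inserted or removed records in the middle.
    Removal of the newest records is NOT detectable from the log alone: publish or
    escrow the latest tag (e.g. hand it to the data subject as a receipt) to close that gap.
    """
    prev = GENESIS
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "tag"}
        if body.get("prev") != prev:
            return False
        expected = hmac.new(SIGNING_KEY, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["tag"]):
            return False
        prev = rec["tag"]
    return True
```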
Involvement of consent agents (Sections 25 and 26 TDDDG)
The obligation to accept signals from recognised consent agents arises from Sections 25 and 26 TDDDG. This is a German federal regulatory requirement that applies to all websites targeting or operating in Germany. Pursuant to Section 25 TDDDG, a website operator must obtain consent from its visitors if it wishes to store information on their device or access it. To address the issue of consent fatigue, Section 26 TDDDG builds on this provision and obliges operators to take into account signals from consent management services (hereinafter: consent agents), insofar as these have been recognised on the basis of a statutory instrument. The Federal Government has established this statutory instrument in the form of the so-called Einwilligungsverordnung (EinwV) (official text at gesetze-im-internet.de). Consenter was recognised as a consent management service pursuant to Section 10 EinwV on 17 October 2025 (BfDI recognition decision), meaning that websites must take its signals into account.
Responsibility of the website operator
As the operator of your website, you are generally the controller within the meaning of the GDPR and the TDDDG. You determine the purposes and means of data processing and are responsible for compliance with the relevant requirements.
This also applies if you use third-party technologies. The use of external services does not relieve you of your legal responsibility.