Jurisdiction · COUNTRY · DE
🇩🇪 Germany
EU member state. National implementation: TTDSG (cookies, terminal device access) + BDSG (general). Strictest interpretation among EU on cookie consent and Schrems II safeguards.
What a typical site must do
| Requirement | Value | Confidence | Reviewed |
|---|---|---|---|
| analytics_exempt_cookieless | yes | high | 2026-05-04 |
| banner_required | yes | high | 2026-05-04 |
| breach_notification_hours | 72 | high | 2026-05-04 |
| consent_mode_v2_relevant | yes | high | 2026-05-04 |
| consent_model | opt_in | high | 2026-05-04 |
| cookie_policy_required | yes | high | 2026-05-04 |
| dpf_transfers_acceptable | conditional | medium | 2026-05-04 |
| dpo_required | yes_large_scale | high | 2026-05-04 |
| dsr_response_days | 30 | high | 2026-05-04 |
| enforcement_strictness | aggressive | high | 2026-05-04 |
| iab_tcf_required | recommended | medium | 2026-05-04 |
| language_required | german | high | 2026-05-04 |
| pre_consent_pings_allowed | no | high | 2026-05-04 |
| privacy_policy_required | yes | high | 2026-05-04 |
| reject_layer1 | yes_required | high | 2026-05-04 |
| ropa_required | yes_250+ | high | 2026-05-04 |
Editorial notes
Germany layers TTDSG (Telecommunications-Telemedia Data Protection Act, in force 2021-12-01) on top of GDPR + ePrivacy. TTDSG §25 is stricter than EU-level ePrivacy on cookie consent: any storage or read of terminal device requires prior consent regardless of personal-data status.
Federal regulator (BfDI) coordinates with 16 Land-level supervisors. LfDI Baden-Württemberg and BlnBDI Berlin historically issue the most aggressive enforcement actions in the analytics space.
Tool compliance matrix
Default-config verdict per analytics/CMP tool against this jurisdiction.
| Vendor | Status | Rationale |
|---|---|---|
| Addingwell | green | EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic. |
| Cookiebot | green | Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent — verify your manual scripts also gate. |
| Fathom | green | Cookieless by design. EU-routed via Cloudflare. No DPA required for Lite tier (no PII). |
| Iubenda | green | Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan. |
| Klaro | green | Open-source, self-hosted. No managed updates — site owner maintains vendor list. |
| Matomo (self-hosted) | green | Self-hosted on your infrastructure. Full data control, configurable IP anon. Meets every jurisdiction with cookieless config. |
| Matomo Cloud | green | EU-hosted with cookieless mode available. With cookies disabled qualifies for §25(2) exception in Germany. |
| OneTrust | green | GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch — verify per-region defaults. |
| Pirsch | green | German-hosted, cookieless, GDPR-aligned by design. |
| Plausible | green | EU-hosted, no cookies, no PII processed. ePrivacy-exempt for cookieless tracking. No banner required. |
| Stape | green | EU server containers handle the routing — but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings. |
| Umami | green | Open-source, cookieless, fully self-hostable. Default-green when self-hosted. |
| Usercentrics | green | German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites. |
| Adobe Analytics | yellow | Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation. |
| Amplitude | yellow | EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain. |
| Google Analytics 4 | yellow | Default config sends data to US infrastructure. Needs Consent Mode v2 + IP anonymization + DPF active + signed DPA + reject-all banner. Server-side EU proxy moves to green. |
| Google Tag Manager | yellow | Container only — verdict depends on which tags fire and when. Block until consent. Server-side GTM in EU recommended. |
| Mixpanel | yellow | EU residency available on paid plans; default cloud is US. Identifies users by default — needs config. |
| PostHog | yellow | EU cloud helps but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green. |
| Server-side GTM (Google Cloud) | yellow | "EU server" ≠ EU data — clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party-routing. |
| FullStory | red | Full session capture — highest-risk category. Explicit consent + DPIA + strict retention. |
| Heap | red | Auto-capture grabs every click and form value — broad PII risk under GDPR Art 5(1)(c) data minimization. |
| Hotjar | red | Session replay — high-risk processing per EDPB Guidelines 3/2019. DPIA + explicit consent required. Cannot run pre-consent. |
| LinkedIn Insight Tag | red | Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set. |
| Meta Pixel | red | Schrems II concerns persist; advanced matching hashes PII but does not fix EU→US transfer problem. |
| Microsoft Clarity | red | Session replay + Microsoft tracking. DPIA + explicit consent required. |
| TikTok Pixel | red | PRC-parent ownership flagged by Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required. |
Recent enforcement
- 2019-12-09 1&1 Telecom GmbH · Insufficient technical/organizational measures (TOMs) for identity verification on customer service hotline. First major BfDI fine. €9.6M