SealMetrics
Country — Germany · DSK · BfDI

Analytics in Germany. Without an Einwilligungsbanner (consent banner).

§25 TTDSG governs cookie consent in Germany. The DSK orientation paper and BfDI guidance carve out anonymous audience measurement. This is what the carve-out requires and where the limits are.

The 4 conditions of the §25 TTDSG exemption

§25 TTDSG sets the rule; the DSK paper and BfDI guidance set the exemption boundary. Four conditions, each architectural rather than procedural — they describe how the tool is built, not what notice is shown.

01

No terminal-device storage

German requirement

§25 TTDSG requires consent before storing or accessing information on the user's terminal device — cookies, localStorage, fingerprinting.

SealMetrics

No cookie is set, no localStorage is written, no fingerprint is generated. The terminal-device trigger never engages.

02

No personal-data processing

German requirement

DSK orientation paper: if no personal data is processed, GDPR's material scope does not apply.

SealMetrics

Aggregate channel counts only. No IP address collected, no identifier created, no per-visitor profile. Nothing relating to an identifiable person.

03

No cross-site tracking or fingerprinting

German requirement

BfDI guidance: tools that enable cross-site tracking or device fingerprinting cannot rely on the exemption.

SealMetrics

First-party server-side. Pixel runs on a CNAME under the customer's own domain. No third-party identifier, no fingerprint of IP + User-Agent stored.

04

EU-only processing

German requirement

DSK and BfDI positions emphasise EU residency to avoid Schrems II transfer concerns layered on top of TTDSG questions.

SealMetrics

Processing exclusively in Dublin, Ireland — within the GDPR adequacy zone. No transfer impact assessment required because no transfer occurs.

Why this matters more in Germany

Germany consistently posts the highest cookie-rejection rates in Europe. The cultural baseline of privacy consciousness, the early hardening of §25 TTDSG (December 2021, ahead of most other EU implementations), and assertive state-level enforcement combine to produce a measurement landscape where banner-dependent analytics is structurally weaker than elsewhere.

Rejection rate

60–70%

Consumer B2C average for standard banners. B2B and privacy-aware audiences push higher. Cookie-based analytics measure the consenting minority only.

Enforcement intensity

16 DPAs

Federal BfDI plus 16 state DPAs. Each has Art. 5(3) / §25 TTDSG jurisdiction. LfD Bayern and LDI NRW are historically the most active enforcers.

Common DPO questions

Does the §25 TTDSG exemption apply to all analytics?
No. The exemption requires that the analytics is strictly necessary for the operation of the service, or meets the conditions for anonymous audience measurement — no terminal-device storage, no cross-site tracking, no personal data, EU processing. Cookie-based analytics with a visitor ID does not qualify; SealMetrics' aggregate cookieless architecture does.

What is the DSK orientation paper?
The Datenschutzkonferenz — the conference of all German federal and state data protection authorities — publishes joint guidance. The 2022 orientation paper on telemedia consent specifies when §25 TTDSG requires consent and when it does not. The conditions for the exemption align with the EDPB Opinion 5/2019 and the CNIL guidance: aggregate, anonymous, EU-hosted, no identifier on the device.

Does the BfDI agree with the state authorities?
Generally yes, on the exemption itself. The BfDI handles federal-level matters; state DPAs (LDI NRW, LfD Bayern, etc.) handle most enforcement. The 2024 BfDI activity report reaffirmed the analytics exemption framing consistent with the DSK position. State authorities can take stronger positions on individual cases — the LfD Bayern is historically the most assertive — but the underlying legal frame is harmonised.

What about Google Analytics on a German site?
Google Analytics still requires consent under §25 TTDSG because it sets cookies and processes personal data through Google infrastructure (transfer to the US). The Italian Garante's ban on GA4 in 2022 was followed by similar concerns from German authorities. Consent Mode v2 reduces the cookie load but does not change the fundamental processing nature. SealMetrics operates outside that framework entirely.

Do I still need a Datenschutzerklärung?
Yes. The privacy policy (Datenschutzerklärung) is required under GDPR Art. 13/14 regardless of consent mechanism. It must mention the analytics tool, its purpose, data categories (channel-level aggregates only), retention period (25 months by default for SealMetrics), and the lawful basis (Art. 6(1)(f) legitimate interest, paired with the §25 TTDSG exemption). A template ships with the TPSR package.

What's the position on the new Digital Omnibus 2026?
The Digital Omnibus tightened banner-design enforcement at the EU level and gave authorities sharper Art. 5(3) (and equivalent §25 TTDSG) tools. The analytics exemption itself survived intact. German authorities have welcomed the harmonisation — Germany historically had stricter banner rules than the EU average, and the new floor brings other markets closer to the German position rather than weakening it.

One DSK review. Done.

Book with the founder. Bring your DPO. We walk through the §25 TTDSG criteria live and ship the DPA + TPSR on the call.

Built by a founder · supported by a founder · EU-hosted by design