Third-party cookie
provider are now
directly.
Third-party cookie
provider are now
directly.
from
Can cookie providers hide behind website operators? Are contractual agreements sufficient to avoid liability? And what is an excuse if technical implementation becomes difficult? The Frankfurt Higher Regional Court provides clear answers – with far-reaching consequences for the entire tracking industry.
Liability of third-party cookie providers: What is the judgment about?
In March 2022, an internet user visited several websites and discovered that a technology and analytics company was storing cookies on his devices – without his consent. The user had the setting of cookies documented by an expert, issued a cease and desist letter to the company and sued for injunctive relief and damages.
The Frankfurt Regional Court ruled in favor of the plaintiff and ordered the company to cease and desist and to pay EUR 1,500 in damages. The defendant company appealed against this ruling to the Frankfurt Higher Regional Court.
OLG Frankfurt: Cookie consent must be obtained by third-party providers themselves
The Frankfurt Higher Regional Court essentially confirmed the first-instance ruling, but reduced the compensation for pain and suffering to 100 euros. The Decision of 11.12.2025 -Az. 6 U 81/23 contains several groundbreaking statements on the liability of third-party cookie providers under the Telecommunications Telemedia Data Protection Act (TDDDG).
Who sets cookies, who is liable? The cookie ban applies to everyone
The court first clarified that the legal ban on storing cookies without consent is not limited to website operators. The ban applies to anyone who sets cookies – regardless of whether it is the website operator itself or a third-party provider such as an analytics company.
In other words: If a third-party provider technically ensures that cookies end up on a user’s device, it must itself ensure that consent has been obtained. This case law on cookie liability applies in particular to tracking providers, analysis tools and advertising platforms.
Cookie liability: Contracts with website operators do not protect against damages
The court’s finding on personal liability for cookie violations is particularly controversial in practice. The analysis company had argued that it had contractually agreed with the website operators that cookies could only be set if consent had been given. However, this contractual safeguard did not protect the company from liability.
The court justified this by stating that the company itself stores the cookies on users’ devices. The company could not rely on the fact that website operators do not adhere to the contractual agreements.
By failing to act in accordance with its duties, the company commits the breach adequately and causally.
In other words: Anyone who sets cookies must ensure themselves that consent has been given – regardless of what is written in any contracts. This case law on cookie consent significantly tightens the requirements for third-party providers.
Technical impossibility with cookie consent: not a recognized excuse
The defendant company had argued that it was not technically possible to ensure that effective consent had been given. The court did not accept this argument regarding the technical feasibility of cookie consent either. The question of whether something is technically possible could at best play a role in another form of liability, but not in direct perpetrator liability.
The court sees no reason why the company should not be able to store cookies on users’ devices only after consent has been demonstrably given. This requirement for cookie management poses new technical challenges for third-party providers.
Burden of proof for cookie consent lies with the third-party provider
Another important aspect of the decision concerns the burden of proof for cookie violations. The court made it clear that the company must prove that consent was given. In practical terms, this means that anyone who sets cookies must be able to prove that consent has been given in cases of doubt.
This reversal of the burden of proof in the case of cookie consent is in line with the General Data Protection Regulation (GDPR) and further increases the liability risk for third-party providers.
Compensation for cookie violations: Only 100 euros for test purchase
The Frankfurt Higher Regional Court reduced the compensation for the cookie infringement from 1,500 euros to 100 euros. The reasoning is remarkable: the plaintiff had deliberately caused the infringement for evidence purposes, comparable to a test purchase. He was aware that he could have prevented any further tracking by simply deleting the cookies.
In this situation, the plaintiff was aware that he could prevent any further traceability for the defendant by simply deleting the cookies.
Under these special circumstances, the court considered the impairment to be very low. This decision on the amount of damages for cookie violations could have a signal effect for future cases.
No abuse of rights in the case of systematic action against cookie infringements
The company had argued that the plaintiff was systematically persecuting companies for cookie violations and was acting abusively. The court did not follow this argument. The targeted detection of cookie infringements, just like the test purchase, was not objectionable in principle. The plaintiff was only documenting how the company that was willing to act had behaved.
The fact that the plaintiff had taken parallel action against four other companies for cookie infringements was also not considered an abuse of rights. This case law may encourage further lawsuits against third-party cookie providers.
Practical consequences for third-party cookie providers and tracking services
The decision of the Higher Regional Court of Frankfurt on cookie liability has significant practical implications for third-party cookie providers, tracking services and analysis tools:
- Direct liability for cookie violations unavoidable
Third-party providers can no longer rely on website operators to properly obtain cookie consent. They are personally and directly liable for any violation of the TDDDG. This direct liability for cookie infringements affects all third-party services equally. - Technical solutions for cookie consent required
The argument that it is not technically possible to check cookie consent is not accepted by the Higher Regional Court of Frankfurt. Third-party providers must develop mechanisms for cookie consent management with which they ensure that consent is verifiably transmitted to them before cookies are set. - Consent management platforms are not enough
The mere provision of cookie consent tools or participation in industry frameworks such as the Transparency & Consent Framework is not enough to exclude liability for cookie violations. Third-party cookie providers must actively verify consent. - No differentiation according to cookie purpose
Whether cookies are set for advertising purposes or “only” for reach measurement is irrelevant for liability in the event of cookie infringements. The TDDDG makes no such differentiation in cookie consent. - Burden of proof for cookie consent increases risk
As third-party providers bear the burden of proof for the existence of cookie consent, they must document this and be able to present it in the event of a dispute. This documentation requirement for cookie consent significantly increases the administrative burden.
Conclusion
The Frankfurt Higher Regional Court has allowed an appeal to the Federal Court of Justice. The court justified this with the fundamental importance of the question of the scope of liability for providers of cookie services under the TDDDG.
It remains to be seen whether and how the Federal Court of Justice will rule on the legal issue of third-party cookie liability. If the Federal Court of Justice confirms the decision on cookie consent, this is likely to have far-reaching consequences for the entire cookie and tracking industry.
Pending the decision of the Federal Court of Justice, third-party cookie providers should review their compliance processes and ensure that they can verify cookie consent themselves.
We are happy to
advise you about
Data protection!
