What just happened? The Hanover Administrative Court has issued a ruling that sharpens digital privacy protections in Germany. The decision requires websites to offer users a clear, easy, and genuine choice on cookie consent. Manipulative consent banners that push users toward accepting cookies are not just unfair – they violate German and European data protection laws.
Lower Saxony Data Protection Officer Denis Lehmkemper has won a legal battle in his push for fairer digital privacy practices in Germany. The Hanover Administrative Court ruled that websites must display a clearly visible "reject all" button on cookie banners if they offer an "accept all" option.
The recently unsealed March 19 decision aims to curb manipulative designs that pressure users into consenting to cookies and reinforces the principle that users deserve a clear, genuine choice.
The case that led to this landmark decision centered on NOZ (Neue Osnabrücker Zeitung), a major media company in Lower Saxony. Lehmkemper's office ordered NOZ to redesign its cookie banner, arguing it failed to obtain valid, informed, and voluntary user consent before placing cookies and processing personal data.
NOZ challenged the order, insisting its consent process was effective, did not involve personal data processing, and that cookie compliance was outside the data protection authority's jurisdiction.
After reviewing the case, the court sided with the data protection authority. Judges ruled that NOZ's cookie banner made rejecting cookies significantly harder than accepting them. Users faced repeated consent prompts, and the banner's language – such as the headline "optimal user experience" and the "accept and close" button – misled users. It omitted any mention of the word "consent," and buried information about third-party partners and cross-border data transfers behind scrolling.
The court concluded that NOZ failed to obtain the informed, voluntary, and unambiguous consent required under the General Data Protection Regulation (GDPR). It ruled that consent secured through manipulative design is invalid, violating both the Telecommunications Digital Services Data Protection Act and the GDPR.
The judgment reinforces that websites must not nudge users into agreeing to cookies or make refusal unnecessarily difficult. Instead, the option to reject all must be as prominent and accessible as "accept all."
Lehmkemper welcomed the court's ruling, hoping it would set a precedent for other website operators. He acknowledged that many find cookie banners frustrating but emphasized their importance in safeguarding online privacy. The decision should prompt more providers to adopt consent solutions that comply with data protection standards.
Recent audits by data protection authorities, such as the Bavarian State Office for Data Protection Supervision, found many websites still use cookie banners that fall short of legal standards, often making it easier to accept cookies than to reject them. The Hanover court's ruling should push website operators to improve consent mechanisms and uphold online privacy rights.
German court rules cookie banners must offer "reject all" button
