The Administrative Court of Hanover (VG Hannover, Urteil vom 19.03.2025 – 10 A 5385/22) has ruled that the use of Google Tag Manager (GTM) is not lawful without valid consent. In addition, the court specifies the requirements for the design of cookie banners - in particular with regard to the possibility of declining consent.

What has happened?

The case dealt with the question of whether a website operator may use the GTM without the user's prior consent. The court clarified that the mere use of the GTM - even if no cookies are set - can affect personal data, as third-party providers such as Google Analytics can be integrated via the Tag Manager. Section 25 para. 1 TTDSG (in the version valid until 13.05.2024) and Art. 6 para. 1 lit. a GDPR therefore apply - prior, informed and voluntary consent is mandatory.

The statements on the design of consent banners are of particular importance: According to the court, valid consent only exists if users have the option of rejecting as easily as agreeing. The VG Hannover requires that a “decline” function is designed in the same way as an “agree” function - i.e. in terms of visibility, accessibility and positioning. A decline may not be made via hidden or multi-level menus. Design elements that make rejection more difficult or unattractive (so-called “dark patterns”) are not permitted.

Implications for practice

Website operators must ensure that Google Tag Manager and similar services are only activated with the valid consent of the user. Consent management platforms (CMP) must therefore be technically configured in such a way that such tools are only loaded after explicit consent has been given.

The court's clarification on the design of consent banners is particularly relevant - although not surprising. Cookie banners that only display a highlighted “Agree” button, while the decline option is hidden or difficult to find, do not meet the requirements for effective consent. Such designs do not constitute an informed and voluntary decision within the meaning of the GDPR.

Companies should therefore carefully review existing consent solutions and adapt them if necessary. Those who continue to rely on UX patterns that deliberately make declining more difficult - for example by using smaller fonts, weaker contrasts or additional click levels - risk not only regulatory complaints, but also warnings under competition law.

The court's clarifications are in line with the previously published guidance of the German Data Protection Conference (DSK) for providers of digital services. This clarifies in para. 134 that the opt-out option must be clearly recognizable, easily perceptible and unambiguous as an equivalent alternative. Paragraph 135 states: "The option not to give consent must be clearly presented as an equivalent alternative to the ‘give consent’ option. This can be assumed if, for example, a ‘Continue without consent’ button comparable in size, color, contrast and typeface can be found next to a ‘Give consent’ button."

However, the guidance also emphasizes (para. 124/125) that the rejection function does not necessarily have to be displayed on the first level of the banner in every case. This is permissible if the website can be used without restriction even without consent - for example, because the banner is not displayed as an overlay and does not block any content. In such cases, a rejection option on the second level is sufficient, provided the user is not put under pressure to make a decision.

Recommendations

Enable equal rejection

Website operators should ensure that consent banners always make it just as easy and visible to opt out as to opt in. The “Reject all” option must be integrated at the same level and with a comparable visual design as “Accept all”. A hidden or technically disadvantaged opt-out option does not meet the requirements of the court.

Only load Google Tag Manager after consent

Google Tag Manager may only be used after users have actively given their consent. The container must not be preset or already active in the background. Lawful processing requires an upstream opt-in.

Consistently avoid dark patterns

The design of the cookie banner must be free of manipulative design elements. Unobtrusive or weakened opt-out buttons, misleading wording or hiding the opt-out in submenus are violations of the requirement of voluntariness.

Ensuring proof and documentation

Consent should be documented in an audit-proof manner. This is the only way to provide proof of valid consent in the event of a data protection audit by supervisory authorities. The technical control of the consent logic must also be comprehensibly documented.

Check and adapt systems regularly

Consent management platforms should be reviewed at regular intervals, both technically and legally. Changes in jurisdiction or in the tracking technologies used require ongoing adaptation in order to ensure legal compliance in the long term.

Summary

The ruling by the Administrative Court of Hanover provides important clarity: the integration of tracking tools such as GTM without prior, informed and voluntary consent is not legally permissible. The requirement for the design of cookie banners is just as clear - users must be able to refuse just as easily as to consent. Companies are now obliged to check their websites and consent systems for compliance - otherwise they could face fines and legal risks.