German website legal requirements: practical checklist for imprint, privacy, and cookies

Running a website from Germany comes with specific legal obligations. This article walks through the core requirements for a business site: imprint (Impressum) under the DDG, privacy notice under the GDPR, and cookie/consent rules under the TDDDG.

Vladimir Siedykh

This article is informational only and does not constitute legal advice. It reflects a general understanding of German and EU law as of late 2025 and may not cover every detail or your specific situation. For concrete decisions, talk to a qualified lawyer in Germany.

Why German website rules matter even for small businesses

Germany has a reputation for taking website compliance seriously. That reputation is earned.

Missing or incomplete legal pages have led to competitors and consumer organisations sending formal warning letters and, in some cases, fines. The amounts can be painful even for small businesses. An incorrect or missing imprint can lead to administrative fines of up to €50,000 under Section 5 of the German Digital Services Act (DDG) and warnings under competition law.

At the same time, tracking tools and marketing pixels that run without proper consent can trigger enforcement under the Telecommunications Digital Services Data Protection Act (TDDDG, formerly TTDSG) and the GDPR, with fines that can reach €300,000 under the TDDDG and up to €20 million or 4% of global annual turnover under the GDPR.

The goal of this article is not to scare you, but to give you a practical overview of what most business websites operated from Germany need:

  • A legally compliant imprint (Impressum)
  • A GDPR-compliant privacy notice (Datenschutzerklärung)
  • A consent setup for cookies and tracking that reflects the TDDDG and GDPR

We will keep things in plain language and point to the relevant laws so you can go deeper with your own counsel if needed.

1. Imprint (Impressum) under the DDG

Until May 2024, the imprint obligation for websites was set out in Section 5 of the Telemedia Act (Telemediengesetz, TMG). With the German Digital Services Act (Digitale-Dienste-Gesetz, DDG), the TMG has been repealed and the imprint rules moved almost unchanged to Section 5 DDG.

Section 5 DDG requires providers of commercial digital services to make certain information easily recognisable, directly accessible, and permanently available. The rule applies to:

  • Companies and freelancers (including solo studios) who use a website in a business context
  • Websites and web apps that are more than purely private projects
  • Typically also professional presences on platforms and social media profiles used for business

Purely private websites with no commercial intent are generally exempt, but the threshold is low. Regular content related to professional services, advertising, affiliate links, or lead generation normally counts as “commercial”.

What needs to be in the imprint?

The exact details depend on your legal form, but common elements for a business website include:

  • Name and address of the provider – Your full name or company name including legal form, plus a physical address where official documents can be served (no PO box).
  • Contact details – At least an email address and another fast way to contact you (usually a phone number).
  • Legal form and authorised representatives – For companies and partnerships, list the legal form (e.g. GmbH) and the person(s) authorised to represent the company (managing director, board).
  • Register information – If you are entered in a trade, association, or partnership register, name the register and include the registration number.
  • VAT ID or tax ID – If you have a VAT identification number or business ID, include it.
  • Regulated professions – If you work in a regulated profession (for example lawyers, tax advisors, doctors), add information on the relevant chamber, the professional title, the state in which it was awarded, and a reference to the professional rules.
  • Editorial responsibility – If you operate journalistic or editorial content (e.g. an online magazine), Section 18 of the Interstate Media Treaty (Medienstaatsvertrag, MStV) may require naming a person responsible for the content.

In practice, many German sites add a short line like “Provider identification according to § 5 DDG” above this block of information. This reference is not strictly required, but it is common. Since the TMG no longer applies, any text that still says “§ 5 TMG” should be updated.

Placement and accessibility

The law also requires that the imprint be easy to find. Courts and regulators generally expect:

  • A clearly labelled link such as “Imprint” or “Impressum” in the footer of every page
  • Access in at most two clicks from any page
  • Continuous availability (no login requirement, no PDF that might disappear)

For bilingual sites, it is fine to provide both German and English versions. If you only have one, German is safest for local users, but a clear English imprint is better than none.

2. Privacy notice (Datenschutzerklärung) under the GDPR

The imprint explains who is responsible for the site. The privacy notice explains how that person or company handles personal data.

GDPR requirements in short

Under Articles 12–14 GDPR, controllers must provide data subjects with information that is: concise, transparent, intelligible, easily accessible, and written in clear language.

For a typical website, that usually includes:

  • Who is responsible (controller) and how to contact them
  • Contact details of the data protection officer, if you have one
  • Which categories of personal data are processed (for example log files, contact form fields, analytics identifiers)
  • For each processing activity: the purposes (why) and legal basis (on what grounds)
  • Recipients or categories of recipients (hosting provider, analytics providers, newsletter service, etc.)
  • Whether data is transferred outside the EU/EEA and, if so, on what safeguards (for example standard contractual clauses)
  • How long data is stored or the criteria used to determine retention periods
  • The rights of users (access, rectification, erasure, restriction, objection, data portability) and how to exercise them
  • The right to withdraw consent at any time where processing is based on consent
  • The right to lodge a complaint with a supervisory authority
  • Whether providing the data is required by law or contract and what happens if someone refuses
  • Whether there is automated decision-making or profiling and what it means in practice

If you obtain personal data indirectly (for example through third-party tools or imports), Article 14 GDPR adds a few extra information points, including the categories of personal data and when the information must be provided.

Practical expectations for websites

In practice, regulators and guidance suggest that:

  • The privacy policy should live on its own dedicated page, usually linked as “Privacy Policy” or “Datenschutzerklärung” in the footer.
  • Every page and every form that collects data should link to it.
  • The notice should be updated when you add new tools (for example analytics, A/B testing, chat widgets) or change providers.

For a German site, it is common to have the privacy notice in German, often with an English version alongside it if you target international clients.

3. Cookies and tracking under the TDDDG and GDPR

Website cookies and similar tracking technologies in Germany are governed by Section 25 of the Telecommunications Digital Services Data Protection Act (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz, TDDDG), which was previously known as the TTDSG. The law came into force in December 2021 and was renamed in May 2024 to align terminology with the EU Digital Services Act.

Section 25 TDDDG says, in simplified terms:

  • Storing information on, or accessing information from, a user’s device generally requires prior consent.
  • Consent is not required only if the storage or access is strictly necessary to provide a digital service explicitly requested by the user or to transmit a communication.

German data protection authorities interpret “strictly necessary” narrowly. In their guidance, they treat things like shopping cart cookies or login sessions as necessary, but analytics, marketing, and user tracking almost always require consent.

Because consent under the TDDDG must meet the GDPR standard, the same rules apply: consent must be freely given, specific, informed, unambiguous, and revocable at any time (Article 4(11) and Article 7 GDPR).

Key implications for cookie banners include:

  • No pre-ticked boxes or implied consent. The Planet49 judgment by the Court of Justice of the EU confirmed that pre-checked boxes do not constitute valid consent for cookies.
  • The banner should offer a real choice, typically with equally prominent “Accept” and “Reject” options at the first level. Designs that make rejection significantly harder or hide it behind multiple clicks have been criticised by German courts and regulators.
  • Cookies and similar technologies that require consent must not be set until consent is given.
  • Users must be able to withdraw consent later in an easy way, for example via a persistent icon or link to cookie settings.

Violations of Section 25 TDDDG can lead to fines of up to €300,000. If personal data is processed without a valid legal basis, GDPR fines (up to €20 million or 4% of global annual turnover) can also apply.

Practical options for analytics

Some German guidance and tools explore consent-free analytics approaches—for example, using server log analysis or cookie-less analytics configured under a legitimate interest basis. However, supervisory authorities have taken a strict view, and details matter a lot.

The safest default for most business sites in 2025 remains:

  • Use a consent banner for any analytics or marketing tools that store or read identifiers on user devices.
  • Make sure the privacy policy clearly describes those tools and their purposes.
  • If you want to explore consent-free analytics, do so with specialised legal advice and vendor documentation that explicitly addresses German supervisory guidance.

4. A note on the EU ODR platform and other legacy obligations

For several years, EU law required online traders to link to the European Online Dispute Resolution (ODR) platform. That platform has now been shut down. Regulation (EU) 2024/3228 repealed the ODR Regulation and the ODR platform was officially closed on 20 July 2025.

The practical implication is simple: if your imprint, terms, or email footers still mention the ODR platform or link to it, you should remove those references. Keeping an outdated link can itself become misleading information.

Other information duties under consumer law and the Alternative Dispute Resolution (ADR) framework continue to apply, but they depend on your role and sector. Again, specialised advice is helpful here if you sell directly to consumers online.

Putting it all together for your own site

German website law can feel heavy, especially if you are a solo design studio or a small team. The good news is that the core building blocks are stable and predictable:

  • Make sure your imprint (Impressum) meets Section 5 DDG requirements and is easy to find from every page.
  • Publish a GDPR-compliant privacy notice that explains your data processing in clear language and keep it updated when your tools change.
  • Treat cookies and tracking as opt-in by default unless they are truly technically necessary. Design your banner the way you would want to see it as a user.
  • Remove outdated ODR platform references and keep an eye on evolving guidance from German regulators.

From there, maintenance is mostly about discipline: review your legal pages when you add new tools, launch campaigns, or significantly change your services. If you want a structured way to think about ongoing support beyond the legal minimum, the article on maintenance costs pairs well with this one.

Frequently asked questions on German website legal requirements

In Germany, most business-related websites need an imprint. Section 5 of the German Digital Services Act (DDG) requires providers of commercial digital services to make certain information easily recognisable, directly accessible, and permanently available. Purely private websites with no commercial intent are generally exempt, but the threshold for “commercial” is low—regular professional content, advertising, or lead generation usually counts as business use.

A typical imprint under Section 5 DDG includes the full name or company name, a postal address that can receive legal documents (no PO box), contact details including at least an email address and another fast contact method, the legal form and authorised representatives for companies, trade register and registration number if applicable, VAT ID if available, and—for regulated professions—details on the relevant chamber, professional title, and professional regulations. Journalistic-editorial services may also need to name a responsible editor.

Yes. The imprint identifies who operates the website, while the privacy notice explains how personal data is processed. Under the GDPR, controllers must provide transparent information under Articles 12–14, typically in a dedicated privacy policy page linked from every page and every form where data is collected.

Under Section 25 of the Telecommunications Digital Services Data Protection Act (TDDDG, formerly TTDSG), storing or accessing information on a user’s device generally requires prior consent unless the technology is strictly necessary for providing the service requested. Analytics, marketing, and tracking tools typically require opt-in consent that also satisfies GDPR standards: active, informed, freely given, and withdrawable. Technically necessary cookies, such as those for a shopping cart or login session, can usually be set without consent.

No. This article summarises public information about German and EU law as of late 2025 and is not legal advice. Specific situations can differ, and legal requirements change over time. For binding guidance on your situation, always consult a qualified lawyer admitted in Germany.