Shopify cookie consent in Germany
Germany applies GDPR with the strictest enforcement in the EU, plus its own TTDSG — Section 25 explicitly requires opt-in consent before any non-essential cookie or local-storage write.
Governing law: GDPR + TTDSG (Telekommunikation-Telemedien-Datenschutz-Gesetz)
Enforcement reality
Germany has 16 state-level Data Protection Authorities (one per Bundesland) plus a federal regulator (BfDI). The Bavarian DPA (BayLDA) and the Berlin DPA (BlnBDI) have been the most active against ecommerce. Enforcement is complaint-driven — once a complaint is filed (often by NOYB or vzbv), DPAs respond within weeks. Double opt-in is the de-facto standard for marketing consent and the cleanest defence against UWG (unfair-competition) lawsuits.
Regulator: Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI)
Recent enforcement actions
- Notebooksbilliger.de · 2021 · €10.4M: Non-compliant employee surveillance + cookie consent issues
- Vodafone DE · 2021 · €9.5M: Inadequate verification for customer data access
What Shopify merchants must do in Germany
- Opt-in consent before any non-essential cookie or storage write — TTDSG Section 25 explicit
- Granular per-category consent (essential / functional / analytics / marketing)
- Imprint (Impressum) on every page including privacy contact details
- Double opt-in for email marketing (de-facto standard, defends against UWG claims)
- Privacy policy in German, listing every processor and the lawful basis
- Honour Art. 22 GDPR — no fully-automated decision-making (e.g., dynamic pricing) without explicit consent
How Consentico handles Germany
Consentico's geo-targeting detects visitors from Germany at the edge and applies the right banner: an opt-in posture for EU/UK rules, with Google Consent Mode v2 signals and a per-decision audit log. The banner survives Shopify theme switches and uninstalls cleanly.
Related concepts
- GDPR: EU regulation governing how organisations process personal data of EU/EEA residents. Applies to any Shopify store with EU visitors.
- ePrivacy Directive: EU directive (2002/58/EC, amended 2009) requiring opt-in consent for cookies and similar storage. Enforced together with GDPR.
- Consent (GDPR): Freely given, specific, informed, and unambiguous indication of agreement. No pre-checked boxes, no implied consent from continued browsing.
- Lawful basis: Under GDPR, you must have one of six legal grounds to process personal data. For ecommerce: contract, legitimate interest, or consent.
Compliant in Germany — in five minutes.
Free for stores under 5,000 banner views per month. No code, no theme edits.