One-Click Cookie Consent in Germany: EinwV Compliance Guide for Shopify Stores
GDPR
6 mins
Mariya Petrova
August 14, 2025
Germany’s EinwV: A New Era for Cookie Consent
If you sell online in Germany, you know the drill: A customer lands on your store, and before they can begin to explore your products, they’re met with a cookie banner.
It’s an extra step for customers, and a blocker for tracking tools if they hit “Reject”. It’s all because of the way current cookie consent rules work.
To tackle this, Germany has introduced a new regulation: the Consent Management Services Ordinance (or EinwV). It promises a simpler, more user-friendly way for users to set their cookie preferences (and for websites to respect them) without showing a banner over and over again.
This new law was introduced on April 1, 2025, and it could signal a big shift in how consent is handled across Germany (and possibly the EU later on).
TL;DR – Quick Facts for Merchants
Law: Einwilligungsverwaltungsverordnung (EinwV)
In force: April 1, 2025 (Germany only)
What it does: Lets users set cookie consent once via a recognized Consent Management Platform (CMP)
How it works: Consent applies automatically to all sites using the same recognized CMP — no repeated banners
Status: No CMPs recognized yet; current GDPR/TTDSG rules still apply
Merchant must-do’s: Maintain a compliant banner, avoid dark patterns, store consent logs, use Google Consent Mode, and respond to DSARs
One-Click Consent: How Germany Plans to Introduce It
The EinwV introduces something brand new for Germany: a way for users to choose their consent options once (Accept, Reject, or partial acceptance) and then that choice gets transferred to any other site they visit.
This means they see a cookie banner only once and make the choice there. The consent signal then gets transferred to all websites which use the same CMP.
Here’s how it could look in practice:
A customer visits a website that uses CMP A.
They click “Accept” on the cookie banner.
Your online store also uses CMP A.
Because CMP A is officially registered under the EinwV, it shares the consent decision with your store.
When that same customer visits your store, their acceptance is already recorded.
No banner appears — your tracking and marketing scripts run right away, fully in line with their consent.
No repeated pop-ups. No guessing if you’re allowed to track. Just a smooth, compliant experience.
From One Website to Another: How Consent Signals Travel
Shared consent only works when a CMP has been officially recognized by Germany’s data protection authority. Right now, there are no recognized services, because no consent service has applied to join the register yet. Not every consent tool will be able to join this new “one-click consent” system.
To take part, a Consent Management Platform (CMP) must be officially recognized by Germany’s data protection authority - the BfDI (Federal Commissioner for Data Protection and Freedom of Information).
Providers have to apply and prove they meet strict rules for transparency, user-friendliness, data security, and neutrality. They must submit a detailed security concept, show that they have no financial interest in whether users accept or reject cookies, and demonstrate full compliance with GDPR consent standards.
Once approved, a CMP is added to a public register on the BfDI’s website. Merchants can check this list at any time to see which services are officially recognized.
No CMPs have made it onto the list yet, but once the first approvals happen, this register will be the go-to place for finding trusted, compliant providers.
Why Merchants Should Pay Attention Now - Even Before EinwV Goes Live
The EinwV system is completely optional. You’re not required to use a recognized CMP, and your existing cookie banner setup is still valid, as long as it meets GDPR and TTDSG requirements.
But when recognized CMPs do start appearing, they could offer some real advantages. By integrating with one, you’d be able to skip showing the cookie banner to returning visitors who have already made their choice elsewhere, creating a smoother, faster shopping experience.
This can help reduce friction at checkout, improve trust, and even improve conversion rates by removing one of the first obstacles customers face when landing on your site.
It’s also worth noting that adopting a recognized CMP could be a way to stand out as an early mover in compliance. Customers who value privacy will see that you’re not just ticking legal boxes — you’re making their experience easier.
While this is a Germany-specific law, it’s possible that similar systems could spread to other EU countries in the future, so getting familiar with how it works now could put you ahead of the curve.
7 Key Compliance Actions for Selling Online in Germany
The EinwV may shape the future of consent in Germany, but until recognized CMPs exist and adoption spreads, merchants must stick to current GDPR and TTDSG rules.
This means your cookie and tracking setup needs to be airtight — both to protect your customers and to avoid penalties.
Here’s what that should look like today:
1. Have a compliant cookie banner in place
This is the first step. When setting up your banner, keep these requirements in mind:
Clearly present Accept, Reject, and (if offered) Preferences options.
Make sure rejecting is as easy and visible as accepting (requirement for equal choice).
Useful tip: Select a visible placement for your banner and match it with your brand for better opt-in rates.
With the Consentmo app, you have a multitude of design & placement options for your cookie banner.
2. Avoid dark patterns
It may seem tempting to urge users to click the Accept button, but regulators are on the lookout for these so-called dark patterns (misleading practices).
We advise staying on the safe side and avoiding practices like:
Confusing wording, pre-ticked boxes, or design tricks that push users to “Accept.”
Cookie walls, meaning website content is blocked until users make a choice on the banner (even if it is Reject).
The user’s choice must be freely given, informed, and unambiguous.
It is not all talk. Just recently, GDPR regulators in Sweden issued multiple warnings to websites for engaging in dark patterns.
3. Don’t track before consent!
This is the essence of GDPR. Having a cookie banner does not automatically mean no tracking is present - you are still responsible for making sure everything is set up correctly.
No marketing pixels, analytics scripts, or ad tracking should run until the user has actively opted in.
Audit your store after making changes and installing new tracking pixels to make sure all is running compliantly.
Not sure how to check if your current setup is compliant? Consentmo offers a FREE compliance check - just install the app and an expert support agent will make sure all your tracking tools run correctly.
4. Keep proper consent records
Under GDPR, it’s not enough to simply collect consent - you also need to prove it if a regulator asks. That’s where consent records come in. At a minimum, you should log:
The user’s choice (Accept, Reject, or specific preferences).
The date and time of that choice.
The version of your cookie banner or privacy policy the user saw at the time.
These records act as your evidence during audits, showing exactly when and how consent was given. Without them, it’s your word against the regulator’s - and that can lead to fines even if you were otherwise compliant.
With Consentmo, all user interactions are logged automatically in your Consent Records, along with a timestamp, so no need to worry about additional efforts in covering this requirement.
5. Enable Google Consent Mode (v2)
Most likely, you are using at least one Google service on your store which requires prior consent (Google Analytics, Google Ads, Google Tag Manager, etc.). In Germany and the entire EU, you are required to have Consent Mode if you want to send user data to Google.
Google now requires proper consent signaling to run ads and tracking in the EU.
There are a few ways to integrate Consent Mode: manually, with theme edits and inserted code, or automatically, by using a compliance app.
With Consentmo, you just have to set your Google IDs inside the app, and data starts being sent compliantly!
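For merchants taking the manual route, the sketch below shows how steps 3 to 5 fit together in code: a default-denied Consent Mode v2 state set before any tag loads, an update sent when the visitor chooses, and a consent record holding the choice, timestamp and banner version. It is an added example, not Consentmo's or Google's own code; BANNER_VERSION, the category mapping and the function names are assumptions, while the four signal names and the gtag consent commands are the standard Consent Mode v2 ones.

```javascript
// Added example. BANNER_VERSION, CATEGORY_SIGNALS and the function names are assumptions.
const dataLayer = (globalThis.dataLayer = globalThis.dataLayer || []);
function gtag() { dataLayer.push(arguments); } // standard gtag shim

const BANNER_VERSION = "banner-2025-08-constructed"; // constructed placeholder

// Banner categories mapped to the four Consent Mode v2 signals.
const CATEGORY_SIGNALS = {
  marketing: ["ad_storage", "ad_user_data", "ad_personalization"],
  analytics: ["analytics_storage"],
};

// choice is "accept", "reject", or a preferences object such as { analytics: true }.
// Anything not explicitly granted, including unknown input, resolves to "denied".
function toConsentModeState(choice) {
  const isPrefs = choice !== null && typeof choice === "object";
  const state = {};
  for (const [category, signals] of Object.entries(CATEGORY_SIGNALS)) {
    const granted = choice === "accept" || (isPrefs && choice[category] === true);
    for (const signal of signals) state[signal] = granted ? "granted" : "denied";
  }
  return state;
}

// Call before any Google tag loads, so nothing is sent ahead of an opt-in.
function setDefaultDenied() {
  const state = toConsentModeState("reject");
  gtag("consent", "default", state);
  return state;
}

// Signal the visitor's choice and return the record to persist server-side:
// the choice, when it was made, and the banner version shown.
function recordChoice(choice, now = new Date()) {
  const isPrefs = choice !== null && typeof choice === "object";
  const state = toConsentModeState(choice);
  gtag("consent", "update", state);
  return {
    choice: isPrefs ? "preferences" : String(choice),
    preferences: isPrefs ? { ...choice } : null,
    timestamp: now.toISOString(),
    bannerVersion: BANNER_VERSION,
    signals: state,
  };
}
```

Store the returned record on your own backend rather than only in the browser, so it is still available if a regulator asks for proof.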
6. Respond promptly to Data Subject Access Requests (DSARs)
Under the GDPR, every customer has specific rights over their personal data. When it comes to Data Subject Access Requests (DSARs), these are your main requirements:
GDPR gives individuals the right to request access to their data, delete it, or update it.
Have a clear process for handling these requests within the legal time limits (usually 1 month).
Failing to respond properly or on time can lead to complaints, investigations, and even fines from data protection authorities.
With Consentmo, you get an automated way to do this. Via the app itself, you can generate a page which your customers can use to reach out to you regarding which action they want to take (like edit or delete their account). You then automatically get an email regarding the request, and a record of all requests is kept in the app admin for audits. Zero additional effort on your side.
7. Keep your privacy policy up to date
Your privacy policy isn’t just a legal checkbox - it’s your public statement of trust. It must clearly explain:
What data you collect (e.g., names, emails, browsing behavior, purchase history).
Why you collect it (e.g., to process orders, improve your store, personalize marketing).
How you store and protect it.
Who you share it with (e.g., payment processors, shipping companies, analytics tools).
How customers can manage or withdraw their consent — including links to cookie preference settings or instructions on contacting you.
Importantly, this document must stay accurate. Every time you add a new analytics tool, change your marketing platform, or start collecting new types of data, your privacy policy should be updated to reflect it.
Closing Thoughts
Germany’s EinwV could mark a turning point in how online consent is handled - replacing the constant “Accept cookies” dance with a smoother, one-time decision that follows the customer wherever they shop. But for now, it’s a future-looking system.
Until recognized CMPs appear and adoption spreads, your compliance still depends on getting the fundamentals right: a clear and fair cookie banner, no tracking before consent, solid consent records, Google Consent Mode for ad safety, and a process for handling privacy requests.
We’ll be watching the BfDI’s updates closely. When the first recognized CMPs are approved, we’ll share exactly what that means for your store - and how to take advantage of it.
With over 7 years of experience in advertising across agencies, Amazon, and e-commerce, Mariya has made marketing her core element. Today, she supports Consentmo users by guiding them through the realms of compliance, Shopify, and all things marketing.