Yes, under certain conditions: shops that only use technically necessary cookies and rely on analytics that do not access the visitor's device generally need no consent under § 25 of the German TDDDG – and therefore no cookie banner. Consent-dependent services such as Google Analytics or advertising pixels must be replaced or removed for this to work.
The legal basis in Germany is § 25 TDDDG (formerly TTDSG), which transposes Article 5(3) of the ePrivacy Directive into national law. The principle: any access to information on the user's device – setting cookies or using local storage – requires prior consent. The key exemption: no consent is needed if the access is strictly necessary to provide a service explicitly requested by the user. A shop that only sets such technically necessary cookies generally does not need a banner.
There are two routes to a banner-free shop: dropping all consent-dependent services, or replacing them with privacy-friendly alternatives. Cookieless web analytics tools such as Matomo (configured cookieless) or Plausible have become established options: they count visitors via a pseudonymised hash that is reset daily instead of using cookies, and they do not access the user's device. Important to know: even "cookieless" Google Analytics generally remains subject to consent, because it still accesses the user's device.
What is allowed without consent
- Session cookies for the cart and checkout process
- Authentication cookies for login areas and customer accounts
- Language preference cookies in multilingual shops
- Payment and CSRF cookies for secure payment processing
- Cookieless analytics that do not access the device – for example tools that count visitors via a pseudonymised hash reset daily
Google Analytics (including GA4), advertising pixels, A/B testing tools, heatmap services and social media plugins, on the other hand, generally remain subject to consent. Switching is still worthwhile: 68.9% of users close or ignore cookie banners without making a choice (Advance Metrics), and consent-dependent tools typically lose around 60% of visitor data (etracker). Cookieless analytics therefore often provides the more complete data basis for SEO and shop optimisation – without consent bias, i.e. without the systematic distortion that arises when only a subset of visitors agrees to tracking.
What a banner-free setup requires
A consent-free shop requires a consistently cleaned-up frontend: anonymise IP addresses, avoid cross-session user IDs and audit every third-party service. A frequently overlooked issue is Google Fonts: if fonts are loaded directly from Google's servers, the visitor's IP address is transmitted – a GDPR violation according to a ruling by the Regional Court of Munich I (case no. 3 O 17493/20). The solution is self-hosted fonts, which also improve loading times. Google Maps and YouTube embeds should likewise be replaced with privacy-friendly alternatives – for example a static map image with a link, or a preview thumbnail that only loads the video after a click.
The transparency obligation applies even without a banner: your privacy policy must state which technically necessary cookies the shop sets, why they are required and which analytics setup is in use. The guidelines of the German data protection conference (DSK) also make clear: if you only use technically necessary cookies, you should not display a consent banner at all – without a genuine choice, a banner would be misleading. A practical way to verify your setup: inspect the shop's network requests in the browser dev tools – every request to a third-party domain is a potential consent trigger.
German data protection authorities interpret "technically necessary" narrowly (DSK guidelines). A cookieless setup is a significantly better legal position, but it must be implemented carefully and documented transparently. With a shop check we identify which services in your shop actually trigger consent requirements. This article does not constitute legal advice.