As of: May 28, 2026

1. Legal Background

Since the Telecommunications Digital Services Data Protection Act (TDDDG, formerly TTDSG) entered into force on May 14, 2024, the following applies: § 25 TDDDG governs storing information on, or reading it from, the user's terminal device; any subsequent processing of personal data additionally needs a legal basis under Art. 6 Para. 1 GDPR.

  • § 25 Para. 1 TDDDG: The storage of information on the user's terminal device and access to it is only permitted with consent.
  • § 25 Para. 2 No. 2 TDDDG: Only cookies and technologies that are strictly necessary to provide the digital service expressly requested by the user are exempt from consent.

The currently used simple "Accept" banner on iqbid.ai is not legally compliant. It lacks an equivalent reject option, granular selection, and a revocation mechanism.

2. Requirements for a Legally Compliant Cookie Banner

The banner must meet the following requirements:

  1. Active Consent: No pre-checked boxes for non-essential cookies.
  2. Equal-Priority Buttons: "Accept All" and "Reject All" must be visually equivalent (color, size, position) and available on the first level of the banner.
  3. Granular Selection: Users must be able to select individual categories (e.g., "Statistics", "Marketing").
  4. Transparent Information: Prior to consent, the purpose, recipients (including in third countries), storage duration, and revocation option must be disclosed.
  5. Revocation Option: Revocation must be as easy as granting consent at any time (footer link "Cookie Settings" or "Privacy Settings").
  6. No Cookie Walls: Access to mandatory content (e.g., legal notice, privacy policy) must not be made conditional on consent.
  7. Blocking Prior to Consent: Tracking and marketing scripts (analytics, pixels, and external resources such as Google Fonts when loaded from Google's servers instead of self-hosted) may only be loaded after consent has been granted for their category.
  8. Logging: Consents must be documented in an audit-proof manner (consent logs, ID, timestamp, banner version).

3. Recommended Technical Implementation

There are essentially two options:

Option A: Use a Consent Management Platform (CMP)

A professional CMP handles all requirements and is the legally safest solution. Recommended providers with German or EU headquarters:

  • Usercentrics CMP (Munich, Germany) – market leader, GDPR-compliant, IAB TCF v2.2
  • CCM19 (Germany) – cost-effective solution with German hosting
  • Cookiebot (Cybot A/S, Denmark) – Caution: partially uses Akamai Cloud (USA)
  • Klaro! (Open Source, used by kicker.de and the German Federal Government) – Self-Hosted

Option B: Custom Implementation

Viable if the number of third-party scripts stays small. All requirements from Section 2 apply; in particular, scripts must be blocked centrally (one gate, not a per-script check) until consent for their category has been recorded, and every consent decision must be logged with ID, timestamp, and banner version.
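The following is an added example of such a central gate for Option B, illustrating requirements 7 (blocking prior to consent) and 8 (logging) from Section 2; it is not code from iqbid.ai or from any CMP. Scripts that need consent are embedded inert as `<script type="text/plain" data-consent-category="statistics" data-src="https://...">` and are only turned into live script elements once a consent record for that category exists. The cookie name `iqbid_consent`, the banner version string, the category names, and the `/api/consent` logging endpoint are assumptions for the example.

```javascript
// Added example (not iqbid.ai's own code): central consent gate for a custom banner.
// Assumed names: cookie "iqbid_consent", categories below, endpoint /api/consent.
const CATEGORIES = ["necessary", "statistics", "marketing", "comfort"];
const BANNER_VERSION = "2026-05-28";   // bump whenever texts or categories change
const CONSENT_COOKIE = "iqbid_consent"; // itself a "necessary" cookie (Section 4)

// Normalise a user choice into an explicit per-category decision.
// "necessary" is always on; anything not explicitly true is rejected
// (no pre-checked or implicit consent, requirement 1).
function normalizeChoices(choices) {
  const out = {};
  for (const c of CATEGORIES) out[c] = c === "necessary" ? true : choices[c] === true;
  return out;
}

// Audit record to log server-side and mirror in the consent cookie (requirement 8).
function makeConsentRecord(choices, { id, now, bannerVersion = BANNER_VERSION }) {
  return {
    id,                                    // random consent id, e.g. crypto.randomUUID()
    timestamp: new Date(now).toISOString(),
    bannerVersion,
    choices: normalizeChoices(choices),
  };
}

// Which inert scripts may run. With no record, only "necessary" ones (requirement 7).
function scriptsToActivate(scripts, record) {
  const choices = record ? record.choices : normalizeChoices({});
  return scripts.filter((s) => choices[s.category] === true);
}

// Cookie holds only the consent record (no personal data beyond the random id).
function serializeConsentCookie(record) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Max-Age=31536000; Path=/; SameSite=Lax; Secure`;
}

// Returns null when there is no usable consent: missing, unparsable, or recorded
// under an older banner version (consent must then be requested again).
function parseConsentCookie(cookieHeader, expectedVersion = BANNER_VERSION) {
  const m = cookieHeader.match(new RegExp(`(?:^|;\\s*)${CONSENT_COOKIE}=([^;]*)`));
  if (!m) return null;
  try {
    const rec = JSON.parse(decodeURIComponent(m[1]));
    if (rec.bannerVersion !== expectedVersion) return null;
    return { ...rec, choices: normalizeChoices(rec.choices || {}) };
  } catch {
    return null;
  }
}

// Browser part: replace permitted inert scripts with live ones. Returns the count.
function activateInertScripts(record) {
  if (typeof document === "undefined") return 0; // not in a browser (e.g. under Node)
  const inert = Array.from(
    document.querySelectorAll('script[type="text/plain"][data-consent-category]')
  );
  const descriptors = inert.map((el) => ({ el, category: el.dataset.consentCategory }));
  let n = 0;
  for (const { el } of scriptsToActivate(descriptors, record)) {
    const live = document.createElement("script");
    if (el.dataset.src) live.src = el.dataset.src; else live.textContent = el.textContent;
    el.replaceWith(live);
    n++;
  }
  return n;
}

// Page load: activate only what was consented to earlier; otherwise show the banner.
if (typeof document !== "undefined") {
  const existing = parseConsentCookie(document.cookie);
  if (existing) activateInertScripts(existing);
  // On "Accept All" / "Reject All" / "Save selection" the banner would call:
  //   const rec = makeConsentRecord(choices, { id: crypto.randomUUID(), now: Date.now() });
  //   document.cookie = serializeConsentCookie(rec);
  //   fetch("/api/consent", { method: "POST", body: JSON.stringify(rec) }); // server-side log
  //   activateInertScripts(rec);
}
```

The version check in `parseConsentCookie` is what makes a text or category change force a fresh consent; the server-side log keyed by the record's `id` is what later lets you prove which banner version a user saw. The footer "Cookie Settings" link simply reopens the banner pre-filled from the stored record, so revocation is one click away (requirement 5).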

4. Recommended Categorization for IQBID AI

Category                  | Name / Provider                                                            | Purpose                                 | Storage Duration
Necessary (always active) | PHPSESSID (own server), login token, CSRF token, consent-status cookie     | Login, session, security                | Session / max. 12 months
Necessary (always active) | Stripe (m, __stripe_*)                                                     | Fraud prevention for payment processes  | max. 12 months
Statistics (consent)      | Google Analytics 4 (_ga, _ga_*) – if used                                  | Reach measurement, usage analysis       | max. 14 months
Marketing (consent)       | Meta Pixel, Google Ads, LinkedIn Insight – if used                         | Conversion tracking, advertising        | max. 13 months
Comfort (consent)         | YouTube/Vimeo (embeds), external fonts                                     | Embedding of external content           | Depending on provider

5. Cookie Banner: Text and Design Template

Headline

"We Respect Your Privacy"

Introductory Text (Suggestion)

"We use cookies and similar technologies to ensure the operation of our platform and – with your consent – to statistically analyze usage and improve our offerings. Your data may be transferred to service providers, including in third countries (e.g., USA), where the level of protection may be lower than in the EU. You can change your selection at any time via 'Cookie Settings' in the footer."

First-Level Buttons (all designed equally)

  • "Reject All"
  • "Settings"
  • "Accept All"

In the Detail Section per Category

A toggle with the following information:

  • Category name
  • Purpose (short, understandable)
  • List of providers / cookies with storage duration
  • For third-country transfers: explicit notice

6. Special Case: AI Models (Transparency Obligation)

Independent of the cookie banner, the EU AI Regulation (Regulation (EU) 2024/1689, "AI Act") prescribes additional transparency obligations; those in Art. 50 apply from August 2, 2026:

  • Users must be clearly informed that they are interacting with an AI system (Art. 50 Para. 1 AI Act).
  • Providers must mark AI-generated image, audio, video, and text output as artificially generated in a machine-readable way (Art. 50 Para. 2 AI Act); AI-generated content that could falsely appear authentic (deepfakes) must additionally be disclosed as such by the deployer (Art. 50 Para. 4 AI Act).
  • Recommendation: Notice banner in the AI chat (e.g., "You are chatting with an AI system.") as well as automatic watermark/metadata labeling for image outputs.

7. Special Case: Third Countries: DeepSeek (China)

DeepSeek is operated in China, for which no adequacy decision within the meaning of the GDPR exists. Data transfers to it may only occur if:

  • explicit, informed consent pursuant to Art. 49 Para. 1 lit. a GDPR is given, after the user has been informed of the possible risks of the transfer; and
  • that consent is collected actively, i.e., via a separate checkbox before first use or an opt-in in the account settings, never as a default.

Recommendation: Disable DeepSeek by default and display a separate risk notice and consent dialog before first use, logged separately from the cookie consent.

8. Checklist Before Going Live

  • Legal notice complete (see separate document)
  • Privacy policy linked and updated
  • Cookie banner with equal-priority buttons live
  • Tracking scripts actually blocked prior to consent (browser test with DevTools / Network tab)
  • Consent logs stored in database (GDPR proof)
  • Footer link "Cookie Settings" accessible at any time
  • In payment process: "order with obligation to pay" button
  • In payment process for digital content: checkbox confirming that performance begins before the withdrawal period ends and that the right of withdrawal is thereby lost
  • Cancellation button (§ 312k BGB) for subscriptions, permanently available and reachable directly from the website, not only after login
  • AI notice banner in chat ("You are interacting with an AI system")
  • DeepSeek special consent implemented
  • Data processing agreements (DPA) concluded with all processors (AWS, Stripe, CMP if applicable, AI providers)
  • Record of processing activities (Art. 30 GDPR) created

9. Recommended Next Steps

  1. Selection and integration of a CMP (suggestion: Usercentrics or CCM19).
  2. Audit actual tracker list on iqbid.ai with DevTools and transfer to CMP.
  3. Review DPA contracts: AWS, Stripe, all AI providers (available via their self-service portals).
  4. Create record of processing activities (Art. 30 GDPR).
  5. Review Data Protection Impact Assessment (DPIA) – likely required for AI services with extensive data processing (Art. 35 GDPR).
  6. Have a lawyer specializing in IT/e-commerce law conduct a final review before going live in Germany.