Since the ECJ’s “Fashion ID” ruling in 2019, it has been clear that a website operator is a joint data controller with the third-party providers whose plugins or tracking tools it integrates for the correct collection of user data under the GDPR. Both parties decide on the means and purposes of the processing and must therefore both be accountable for its legality. For third-party providers, this means that before deploying (‘firing’) their tracking tools, they must ensure that the user’s effective consent has been obtained. For this reason, correspondingly strict clauses can be found in the respective terms and conditions.
The Higher Regional Court of Frankfurt am Main took up this principle in December 2025 in a much-discussed ruling – with an outcome that was ultimately not surprising. After a user noticed that cookies were stored on his computer without his consent when he visited a website, he sued the third-party provider whose tracking tool was integrated into the website. The court then awarded him compensation for immaterial damages. In its ruling, the Higher Regional Court of Frankfurt clarified that the prohibition on storing or reading cookies without the user’s prior consent applies to all Joint Controllers, regardless of the identity of the website ‘publisher’. Therefore, all businesses that provide tracking tools, integrate them, or initiate their execution are responsible to ensure valid consent. This means that, in addition to the website operator itself, the integrated service providers are also liable.
This responsibility of third-party providers has significant consequences because, unlike in many other areas of law, data protection law does not require a de minimis threshold to be exceeded in order for the data subject to be entitled to compensation for immaterial damages: According to the Frankfurt Higher Regional Court, even the feeling of being monitored is sufficient to justify a claim for compensation for immaterial damages in the amount of €100.
Overall, this once again makes it clear that website operators (so-called publishers) and tracking providers (so-called vendors) must clearly and unambiguously regulate their shared responsibilities in a clear contractual agreement. For third-party providers, it is particularly important and also common practice to reserve the right of recourse against their website provider customers, as they will generally have no direct means of ensuring the legality of the consent themselves. Otherwise, offering a tracking tool would quickly lead to an unmanageable liability risk.
(Dr. Lukas Mezger, UNVERZAGT Rechtsanwälte)