Why the Latest German Ruling Should Alarm Every Website Owner

Jul 09, 2025 · 7 minute read

€5,000 for a Pixel Tracker: Why the Latest German Ruling Should Alarm Every Website Owner


The Leipzig Court's Groundbreaking Decision and What It Means for Digital Privacy Compliance Across the EU

Last week, the Regional Court of Leipzig in Germany issued a landmark ruling (05 O 2351/23, dated July 4, 2025), awarding €5,000 in damages to a user for the unauthorized use of tracking pixels embedded across third-party websites and mobile apps. This judgment is among the clearest signals yet that European courts are prepared to enforce data privacy laws with significant financial consequences - not just for data breaches or security lapses, but for how digital tracking tools are deployed before user consent is properly obtained.

A Wake-Up Call for the Digital Industry

The defendant in the Leipzig case, a major platform operator, was held liable for processing extensive personal data via embedded tracking tools, including:

  • Hashed identifiers such as email, phone number, and subscription / lead ID
  • IP address, user agent, referrer URLs, internal click and browser IDs
  • URL visits, timestamps, and on-page user interactions
  • Events tracked via app SDKs and server-side APIs (Conversions API)

The court found that these data points, collected through pixels and SDKs placed on high-traffic third-party sites and apps, constituted unlawful surveillance - especially since the user had never consented to such tracking and was not logged into the platform during those visits.

Key Legal Takeaways

  • Explicit Consent Is Mandatory: The court emphasized that even hashed personal identifiers and telemetry data fall under the definition of personal data and require valid, informed consent under both GDPR and the ePrivacy Directive.
  • Server-Side Tracking Isn't Exempt: Technologies like the Conversions API and App Events API - often framed as alternatives to cookie-based tracking - were deemed equally invasive, especially when users cannot detect or block their activity.
  • Fingerprinting is Under Scrutiny: The ruling described how the combination of browser headers, device information, and behavioral signals enabled effective user fingerprinting - a clear violation of user rights when done without consent.

What Happens on Most Websites Today?

In practice, most websites still load third-party trackers (like Google Analytics, Google Tag Manager, Facebook Pixel, or LinkedIn Insight Tag) the moment a visitor lands on a page - long before any consent is collected. Even so-called compliant setups using Google Consent Mode 2.0 or similar mechanisms often activate scripts or transmit telemetry data prematurely.

This approach is now legally risky. As the Leipzig ruling shows, even technically "hashed" data is not exempt if it's processed prior to consent, particularly when it's combined and identifiable.

Practical Steps for Website Operators

If your site uses third-party business tools for advertising, analytics, or user tracking, here’s what you need to do immediately:

  • Audit and Inventory: Identify all scripts and trackers embedded on your site, especially those loaded via tag managers or SDKs.
  • Defer Loading Until Consent: Configure your site to delay the execution of any non-essential tracking scripts until after valid, informed consent has been recorded.
  • Replace Third-Party Tools with First-Party Alternatives: Adopt solutions like AesirX Analytics or first-party hosted consent management systems to retain control over user data and reduce dependency on external vendors.
  • Log and Prove Consent: Maintain robust logs of every consent interaction to demonstrate compliance in the event of audits or legal challenges.
  • Use Compliance Tools: Leverage platforms like the AesirX Privacy Scanner to simulate what loads before and after consent is given - and identify any hidden risks.

Why Google Tag Manager Isn’t a Free Pass - Client-Side, Server-Side, or GTM Gateway

To understand how these risks play out in real-world tech stacks, we need to examine one of the most widely used (and misunderstood) platforms: Google Tag Manager.

The Leipzig ruling, together with the recent decision from the Administrative Court of Hanover (VG Hannover, 10 A 5385/22, March 2025), should raise immediate red flags for organizations relying on Google Tag Manager (GTM), Server-Side GTM, GTM Gateway, and Google's Consent Mode 2.0. While these tools offer significant operational flexibility, each carries substantial compliance risks, particularly if strict consent enforcement is not in place before any tags are activated or data transfers initiated.

Client-Side GTM:
On most websites, GTM loads among the very first scripts - often even before users are presented with a consent modal. According to the Hanover court’s decision, even if configured to delay certain third-party scripts, GTM itself initiates early connections with external domains such as googletagmanager.com. Any pre-consent transmission of telemetry data or personally identifiable information (such as IP addresses, device information, or referrer URLs) explicitly violates both GDPR and Germany's updated telecommunications and telemedia data protection law (§ 25 TDDDG), which implements Article 5(3) of the ePrivacy Directive.

Server-Side GTM & GTM Gateway:
These distinct Google solutions relocate data collection from the user's browser to servers managed by the website operator or by hosted service providers such as Google Cloud. Although marketed as privacy-enhancing, server-side methods create compliance risks comparable to - and often less visible than - their client-side counterparts, unless explicit consent is consistently enforced before any data is collected or transmitted. The Leipzig court specifically criticized similar server-side technologies (notably Facebook's Conversions API) for circumventing browser-based consent controls. This critique applies equally to Server-Side GTM and GTM Gateway implementations that track user identifiers, interactions, or sessions without valid, informed consent. Even data considered hashed or anonymized can still constitute unlawful processing if it can be linked or aggregated back to individual users without explicit consent.

Google Consent Mode 2.0:
As explicitly confirmed by the Hanover ruling (VG Hannover, 10 A 5385/22), Google's Consent Mode 2.0 - which permits GTM and associated scripts to load prior to consent - is also non-compliant with GDPR, § 25 TDDDG, and the ePrivacy Directive. Despite industry positioning, Consent Mode 2.0 does not adequately prevent premature tracking. This legal clarification reinforces that GTM and related scripts must remain inactive until valid, explicit user consent has been actively granted.

Key Compliance Risks Across GTM Variants:

  • Lack of Built-in Consent Enforcement:
    GTM and Google Consent Mode 2.0 do not inherently enforce strict consent requirements, making complex custom configurations necessary and prone to misconfiguration or oversight.
  • False Sense of Compliance:
    Server-side setups and Consent Mode 2.0 reduce transparency for users and regulatory auditors, potentially masking underlying compliance violations.
  • Legal Exposure from Indirect Tracking:
    Both Leipzig and Hanover rulings emphasize clearly: no matter how or where data is collected, processing identifiable information without explicit consent remains unlawful.

For organizations committed to data privacy compliance, Google Tag Manager - in any form - must be treated as a significant compliance risk. Implementing a robust consent management system that explicitly prevents GTM and related scripts from firing until user consent is obtained is no longer merely recommended - it is a clear legal requirement supported by these recent landmark German court decisions.
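The "Defer Loading Until Consent" and "Log and Prove Consent" steps above, applied to the GTM case discussed in this section, as an added example that is not code from the original post or from AesirX: a small consent gate that keeps every tag script, including the GTM container itself, out of the page until an explicit consent record exists, and keeps an append-only log of each consent decision. The `inject` callback, the `createConsentGate` and `injectScript` names, and the GTM container id are assumptions made for the example.

```javascript
// Added example, not code from the page or from AesirX: a consent gate that keeps
// every tag (including the GTM container script) un-injected until an explicit
// consent record exists, and logs each consent interaction for later audit.
// The `inject` callback is an assumed hook so the gate also runs outside a browser.
function createConsentGate(inject) {
  const pending = [];     // tags registered before their category was consented
  const consentLog = [];  // append-only record of every consent decision
  let granted = new Set();

  // Register a tag: inject now only if its category is already consented,
  // otherwise hold it back. Nothing touches the network until then.
  function registerTag(tag) {
    if (granted.has(tag.category)) { inject(tag); return 'loaded'; }
    pending.push(tag);
    return 'deferred';
  }

  // Record an explicit decision ({categories: {analytics: true, ...}, method})
  // and release only the held tags that the decision now allows.
  function recordConsent(decision) {
    consentLog.push({ ...decision, ts: new Date().toISOString() });
    granted = new Set(Object.keys(decision.categories)
      .filter((c) => decision.categories[c] === true));
    const released = [];
    for (let i = pending.length - 1; i >= 0; i--) {
      if (granted.has(pending[i].category)) released.push(pending.splice(i, 1)[0]);
    }
    released.reverse().forEach(inject);
    // Scripts already injected cannot be unloaded: a withdrawal should
    // trigger a page reload so nothing keeps running without consent.
    return released.length;
  }

  return { registerTag, recordConsent,
           pendingCount: () => pending.length,
           consentLog: () => consentLog.slice() };
}

// Browser wiring (assumed): the <script> element is created only when the
// gate decides the tag may load. The GTM container id is a placeholder.
function injectScript(tag) {
  const s = document.createElement('script');
  s.async = true;
  s.src = tag.src;
  document.head.appendChild(s);
}

if (typeof document !== 'undefined') {
  const gate = createConsentGate(injectScript);
  gate.registerTag({ category: 'analytics',
    src: 'https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER' });
  // Call gate.recordConsent(...) from the consent banner's accept handler.
}
```

The gate only controls what your own page injects; tags added by other means (for instance inside a container you do not control) still need to be inventoried and moved behind the same check.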

“This ruling sends a clear message: The court awarded €5,000 in damages not for a data breach, but for standard digital tracking practices that happen on millions of websites every day.” - Ronni Gothard Christiansen, AesirX.io

Start With Compliance, Stay for the Trust

The Leipzig and Hanover rulings mark a pivotal shift in European enforcement. Pixel trackers like the Meta Pixel, LinkedIn Insight Tag, and similar SDKs are no longer tolerated when embedded on third-party websites without proper consent. The courts made it clear: transmitting even hashed personal data - whether via client-side JavaScript or server-side APIs - before consent is a direct violation of the GDPR and the ePrivacy Directive.

For most websites today, this is a wake-up call. If a single user can be awarded €5,000 in damages, what happens when a site has 10,000 users? Or 1 million?

Even conservative estimates put the potential exposure in the tens or hundreds of millions of euros. And this is not theoretical - it’s enforceable precedent.

This ruling affects:

  • Publishers embedding third-party pixels
  • Platforms offering server-side APIs
  • Agencies configuring tracking in Tag Managers
  • Consent setups relying on Google Consent Mode 2.0, which has now also been ruled non-compliant

The message is simple: any processing of identifiable data must wait until informed, explicit consent is granted - regardless of the technology used.

The good news? Privacy-first infrastructure isn’t just about legal risk mitigation - it builds real trust. First-party analytics, locally hosted consent management, and transparent user experiences aren’t limitations. They’re your competitive edge in a data-conscious world.

If you're ready to transition away from pixel-based surveillance models, start with a Privacy Review - and ensure your technology stack respects user rights from the very first byte.

Ronni K. Gothard Christiansen
Technical Compliance Engineer & CEO, AesirX.io
