THREAT BRIEFING · 03.07.2026


GDPR cease-and-desist letters from competitors: what matters after the BGH ruling

By Benedikt Langer · 14 June 2026

8 min read

Since the Federal Court of Justice (BGH) ruled in March 2025 that competitors can pursue certain data-protection violations under the conditions of competition law, the risk landscape for companies has shifted noticeably. A faulty cookie banner or an embedded third-party service without a legal basis is no longer a matter for the supervisory authority alone; it can now trigger a costly cease-and-desist demand from a competitor. Knowing your website’s technical defaults and documenting them meticulously takes the edge off that risk.

Key takeaways

  • New standing to sue: In March 2025 (cases I ZR 222/19 and I ZR 223/19), Germany’s highest civil court confirmed that competitors may pursue specific GDPR breaches under the Unfair Competition Act (UWG) when its conditions are met, opening a second enforcement channel alongside the supervisory authority.
  • Damages threshold: An infringement alone is not enough for a claim under Art. 82 GDPR; actual damage and a causal link between breach and damage are also required. Courts may nevertheless treat the mere loss of control over data as compensable non-material harm.
  • Get the technical defaults right: The typical, highly visible risks sit in cookie banners, tracking and embedded third-party services. Clean consent handling and traceable documentation cut the risk sharply.


What the BGH ruling has changed

What is a GDPR cease-and-desist demand? It is an out-of-court notice demanding that allegedly unlawful conduct cease, usually accompanied by a cease-and-desist declaration and a cost note. In data-protection matters, such demands traditionally came from supervisory authorities or affected individuals; the path via competition law had long been contested.

Two judgments handed down on 27 March 2025 have settled the issue: certain GDPR violations can now be pursued by competitors as unfair commercial practices under the Unfair-Competition Act (UWG), provided its conditions are satisfied. In practice, a rival can call out a competitor’s faulty data-protection practice even without being personally affected.

For companies, it is less the substantive law that has changed than the likelihood of being pursued. A supervisory authority allocates its resources selectively, whereas a competitor or an industry association often has a direct incentive to flag a formal flaw. That is why small, highly visible details of the default configuration, such as the cookie banner, suddenly move into the spotlight.

When a Violation Becomes Eligible for Compensation

At the same time, the standards for compensation have become more precise. In late 2024, Germany’s Federal Court of Justice (BGH) made it clear that the mere loss of control over personal data can constitute non-material damage under Article 82 of the GDPR. This lowers the threshold compared to the previous assumption that a claim required a tangible, quantifiable disadvantage.

Yet the bar remains real. According to the case law of the European Court of Justice (ECJ) and the BGH, the violation alone is not enough: a concrete harm and a direct link between the violation and that harm must be demonstrated. A purely hypothetical risk that data could fall into the wrong hands does not, in the courts’ view, justify a claim. This distinction matters in practice because it curbs exaggerated mass claims.

For security and legal teams, the takeaway is clear: costly scenarios arise primarily where documented data leakage occurs and affected individuals can concretely prove the loss of control. Knowing and securing your data flows directly mitigates this risk.

The Most Common Cost Traps in Day-to-Day Operations

Most complaints revolve around recurring technical defaults, not exotic edge cases. Cookie banners that start tracking before consent top the list. Also common are embedded third-party services (fonts, maps, analytics scripts) that transmit data to external servers, as well as incomplete information in privacy policies.

A second driver of costs is the response itself. Many follow-up expenses don’t stem from the original error but from hastily signing an overly broad cease-and-desist declaration or from an unchecked reply to a warning letter. A cease-and-desist declaration has long-term consequences and carries contractual penalties, so it must be legally vetted before signature.

What protects

  • Load tracking only after active consent
  • Host third-party services locally or secure them with a legal basis and contract
  • Log consents in a tamper-evident, auditable way
  • Have warning letters reviewed before any response

What creates risk

  • Pre-ticked or default-enabled checkboxes
  • External scripts without documented legal basis
  • Privacy policy that doesn’t reflect the actual state
  • Unreviewed signature on cease-and-desist declarations

The Cookie Banner as the Most Visible Vulnerability

No website element is as easy to audit externally as the cookie banner. It can be inspected without insider knowledge, and its flaws are often visible directly in browser developer tools: open the site in a fresh browser profile and watch the Network and Application (cookies) panels before touching the banner, because every third-party request and every non-essential cookie that appears there is exactly what a competitor’s reviewer will see as well. Courts require active, informed consent before non-essential cookies are set, and rejection must be just as easy to reach as acceptance.

In practice, this means an equally prominent reject button on the first layer, no pre-selected options, and a clear separation between technically necessary services and those that require consent. So-called “pay-or-consent” models, where users choose between consenting and paying for an ad-free, tracking-free experience, are also under scrutiny by courts and regulators, including whether users can select processing purposes granularly. Clean defaults here remove the foundation for the most common complaints.

Checklist: Five Steps to a Robust Setup

Current legal requirements allow for a practical routine that can be implemented without specialist legal knowledge and strengthens your evidentiary position in the event of a dispute.

First, take stock: record all active scripts, trackers and third-party services on your website and assign each a legal basis. Second, check your banner to ensure that rejecting cookies is as easy as accepting them and that nothing loads before consent is given. Third, log consents in a tamper-proof way so you can prove who consented to what and when in case of a dispute.

Fourth, align your privacy policy with the actual technical setup instead of using a generic template. Fifth, establish a response plan for cease-and-desist letters: designate clear points of contact, monitor deadlines closely and make it a rule never to sign any statement without prior legal review. This last step prevents the costliest mistakes by curbing impulsive reactions.

Frequently Asked Questions

Can competitors really issue warnings for data-protection violations?

Yes, in certain constellations. On 27 March 2025, the Federal Court of Justice confirmed in rulings I ZR 222/19 and I ZR 223/19 that GDPR breaches can be pursued as unfair commercial practices under competition law by rivals, provided the conditions of the German Unfair Competition Act (UWG) are met. This creates an additional enforcement channel alongside supervisory authorities.

Does every breach automatically lead to damages?

No. According to the case law of the Court of Justice of the European Union and the Federal Court of Justice, a claim under Article 82 GDPR requires a breach, a concrete damage and a causal link between the two. While a court may recognise loss of control over data as non-material damage, a purely hypothetical risk is insufficient.

Which website element is most frequently criticised?

The cookie banner. It is easily verifiable from the outside, and flaws such as pre-ticked boxes or tracking before consent are quickly spotted. Closely related are embedded third-party services that transmit data to external servers without a clear legal basis.

How should a company react to a cease-and-desist letter?

Calmly and with scrutiny. Note the deadlines, document the facts and never sign a cease-and-desist declaration without prior legal review. Such a declaration has long-term effects and is tied to a contractual penalty, so a lawyer must evaluate it before signature.

What is the most effective preventive measure?

Clean technical defaults and robust documentation. Knowing all data flows, assigning a legal basis to each processing activity, logging consents and regularly auditing your banner reduce both the risk of warnings and the likelihood of provable damage.


Cover image: AI-generated (June 2026)


A magazine of Evernine Media GmbH