German data protection law (DSGVO/GDPR) has teeth. Since 2018, tens of thousands of websites have been hit with costly warning letters (Abmahnungen) — many for simple, fixable mistakes.
If you run a website in Germany (or targeting German users), here are the 5 most common issues I see as a web developer — and how to fix them.
Mistake 1: Google Fonts Loaded from Google's Servers
The problem: When your website loads Google Fonts directly from fonts.googleapis.com, visitors' IP addresses are transmitted to Google's US servers without consent. German courts have repeatedly ruled this illegal without explicit opt-in.
The fix: Download the fonts and serve them from your own server.
```html
<!-- Instead of this: -->
<link href="https://fonts.googleapis.com/css2?family=Roboto" rel="stylesheet">

<!-- Do this: host the fonts locally -->
<link href="/fonts/roboto.css" rel="stylesheet">
```
Use google-webfonts-helper.herokuapp.com to download fonts easily.
Mistake 2: Missing or Broken Cookie Consent Banner
The problem: Using cookies (analytics, marketing, functional) without explicit consent is illegal. A simple "We use cookies" notice without an opt-in/opt-out mechanism isn't enough.
The fix: Implement a proper Consent Management Platform (CMP):
- Cookiebot — free up to 100 pages
- Borlabs Cookie — great for WordPress
- Usercentrics — enterprise option
The banner must:
- Offer genuine "Accept" and "Reject" options
- Allow granular category selection
- Remember the user's choice
Mistake 3: Contact Form Without Privacy Notice
The problem: Every contact form that collects personal data (name, email) needs an associated privacy notice and explicit consent checkbox.
The fix: Add this text near every contact form:
"Ich stimme zu, dass meine Angaben aus dem Kontaktformular zur Beantwortung meiner Anfrage erhoben und verarbeitet werden. Die Daten werden nach abgeschlossener Bearbeitung gelöscht. Hinweis: Sie können Ihre Einwilligung jederzeit für die Zukunft per E-Mail an [email] widerrufen." (In English: "I agree that my details from the contact form will be collected and processed to answer my enquiry. The data will be deleted once the request has been dealt with. Note: you can revoke your consent at any time with effect for the future by e-mail to [email].")
Plus a mandatory checkbox before submission.
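As an added example (not code from the original post), this renders the checkbox with the notice above and, more importantly, enforces the checkbox on the server, because the browser-side `required` attribute is only a hint that a crafted request can skip. The field name `privacy_consent`, the checkbox value `yes` and the `CONSENT_TEXT_VERSION` identifier are assumptions chosen for the demo; the revocation e-mail address is passed in as a parameter rather than filled in.

```javascript
// Added example (not from the original post): render the consent checkbox and
// enforce it server-side. Field name, checkbox value and the text-version
// identifier are assumptions for this demo.

const CONSENT_FIELD = "privacy_consent";
const CONSENT_VALUE = "yes"; // explicit value, so "on"/"true"/"1" from a crafted request is rejected
const CONSENT_TEXT_VERSION = "kontakt-v1"; // placeholder: bump whenever the wording changes

// Escapes a value for safe use inside an HTML attribute or text node.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Builds the checkbox plus the notice from the post, with the revocation address filled in.
function renderConsentCheckbox(revocationEmail) {
  const addr = escapeHtml(revocationEmail);
  return (
    `<label><input type="checkbox" name="${CONSENT_FIELD}" value="${CONSENT_VALUE}" required> ` +
    "Ich stimme zu, dass meine Angaben aus dem Kontaktformular zur Beantwortung meiner Anfrage " +
    "erhoben und verarbeitet werden. Die Daten werden nach abgeschlossener Bearbeitung gelöscht. " +
    `Hinweis: Sie können Ihre Einwilligung jederzeit für die Zukunft per E-Mail an ${addr} widerrufen.</label>`
  );
}

// Validates a parsed POST body. `nowMs` is injected so the result is deterministic.
function validateContactSubmission(body, nowMs = Date.now()) {
  const field = (k) => (typeof body[k] === "string" ? body[k].trim() : "");
  const name = field("name");
  const email = field("email");
  const message = field("message");
  const errors = [];
  if (!name) errors.push("name_required");
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) errors.push("email_invalid");
  if (!message) errors.push("message_required");
  // `required` on the checkbox is only a browser hint; a crafted request can omit
  // or spoof it, so the exact value the rendered checkbox sends is checked here.
  if (body[CONSENT_FIELD] !== CONSENT_VALUE) errors.push("consent_missing");
  if (errors.length > 0) return { ok: false, errors };
  return {
    ok: true,
    record: {
      name,
      email,
      message,
      // Stored with the submission so you can later show which wording was agreed to, and when.
      consent: { textVersion: CONSENT_TEXT_VERSION, givenAt: new Date(nowMs).toISOString() },
    },
  };
}
```

Store the consent record together with the enquiry and delete both once the request is closed, which is what the notice promises.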
Mistake 4: Google Analytics Without Consent (or IP Anonymization)
The problem: Standard Google Analytics 4 tracks users and sends data to US servers. Without consent, this violates DSGVO.
The fix, with two options:
- Gate behind cookie consent — only load GA after explicit consent
- Switch to a DSGVO-compliant alternative:
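The banner requirements from Mistake 2 (real accept and reject, per-category selection, a remembered choice) and the consent gating from Mistake 4 come down to the same piece of logic. As an added example that is not part of the original post or of any of the CMPs named above, this is a minimal consent store: everything except the "necessary" category defaults to off, a stored choice from an older policy version does not count, and the analytics script is only injected after the analytics category has been granted. The storage backend and the script loader are injected (`memoryStorage` and `browserLoadScript` are assumed helper names) so the same logic runs in Node for testing and in the browser with `window.localStorage`.

```javascript
// Added example (not from the original post): a minimal consent store that gates
// third-party scripts on the user's per-category choice. Storage and script
// loader are injected; helper names here are assumptions for the demo.

const CATEGORIES = ["necessary", "analytics", "marketing"];
const CONSENT_KEY = "dsgvo_consent";
const CONSENT_VERSION = 1; // bump when the privacy policy or category set changes

function createConsentManager({ storage, loadScript, now = () => Date.now() }) {
  function read() {
    const raw = storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    try {
      const saved = JSON.parse(raw);
      // A choice recorded under an older policy version is not valid consent: ask again.
      return saved.version === CONSENT_VERSION ? saved : null;
    } catch {
      return null;
    }
  }

  function save(choices) {
    // "necessary" cannot be refused; every other category is opt-in and defaults to false.
    const normalised = { necessary: true };
    for (const c of CATEGORIES) {
      if (c !== "necessary") normalised[c] = choices[c] === true;
    }
    const record = { version: CONSENT_VERSION, timestamp: now(), choices: normalised };
    storage.setItem(CONSENT_KEY, JSON.stringify(record));
    return record;
  }

  return {
    hasDecision: () => read() !== null,
    acceptAll: () => save(Object.fromEntries(CATEGORIES.map((c) => [c, true]))),
    rejectAll: () => save({}),
    saveSelection: (choices) => save(choices),
    isAllowed(category) {
      const rec = read();
      return category === "necessary" || (rec !== null && rec.choices[category] === true);
    },
    // Injects the tracker only when "analytics" was granted; returns whether it did.
    loadAnalytics(measurementId) {
      if (!this.isAllowed("analytics")) return false;
      loadScript(`https://www.googletagmanager.com/gtag/js?id=${encodeURIComponent(measurementId)}`);
      return true;
    },
  };
}

// In-memory stand-in for window.localStorage (constructed for the demo and tests).
function memoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => map.set(k, String(v)),
  };
}

// Browser wiring: pass window.localStorage and this loader, then call
// loadAnalytics() once the banner has been answered.
function browserLoadScript(src) {
  const s = document.createElement("script");
  s.async = true;
  s.src = src;
  document.head.appendChild(s);
}
```

The point of the version check is that a banner shown once in 2018 does not keep a "yes" alive after you add a new category or tool; the version bump forces a fresh decision.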
Mistake 5: Outdated or Incomplete Privacy Policy (Datenschutzerklärung)
The problem: Your privacy policy must list every service that processes personal data — including Google Maps embeds, YouTube videos, social media buttons, and every form tool you use.
The fix: Use a generator that stays up to date:
- Datenschutz-Generator.de (free for simple sites)
- eRecht24
Update your policy whenever you add new tools or services.
Quick Audit Checklist
Run through this in 15 minutes:
- [ ] Google Fonts: Locally hosted?
- [ ] Cookie banner: Real opt-in/opt-out?
- [ ] Contact forms: Privacy notice + checkbox?
- [ ] Analytics: Consent-gated or DSGVO-compliant tool?
- [ ] Privacy policy: Lists all data processors?
- [ ] Impressum: Complete and legally compliant?
- [ ] SSL: HTTPS everywhere?
Score 7/7? You're in good shape.
Less than 7? Fix the gaps before someone else finds them.
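Several of the checklist items, and the Google Fonts check from Mistake 1, can be found mechanically in a page's HTML. As an added example (not from the original post and not the audit the author sells), this scans an HTML string for fonts loaded from Google, analytics scripts placed statically in the markup (which run before any consent decision), YouTube and Google Maps embeds that must be listed in the privacy policy, forms without a consent checkbox, and plain-http resources. It is regex-based and heuristic; the rule names and the sample page are constructed for the demo, and "G-PLACEHOLDER" stands in for a real measurement ID.

```javascript
// Added example (not from the original post): a static, regex-based scan of
// page HTML for the checklist items that can be found mechanically.
// Rule names and the sample page are constructed for this demo.

function auditHtml(html) {
  const findings = [];
  let m;

  // Mistake 1: any reference to Google's font servers (link, @import, preconnect).
  const fontUrls = html.match(/https?:\/\/fonts\.(?:googleapis|gstatic)\.com[^"'\s)]*/gi) || [];
  for (const url of new Set(fontUrls)) findings.push({ rule: "google-fonts", detail: url });

  // Mistake 4: a tracker <script src> written into the markup loads regardless of consent.
  const scriptSrc = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  while ((m = scriptSrc.exec(html)) !== null) {
    if (/googletagmanager\.com|google-analytics\.com/i.test(m[1])) {
      findings.push({ rule: "analytics-ungated", detail: m[1] });
    }
  }

  // Mistake 5: embeds that transfer data to third parties and belong in the policy.
  const iframeSrc = /<iframe\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  while ((m = iframeSrc.exec(html)) !== null) {
    if (/youtube\.com|youtube-nocookie\.com|google\.com\/maps/i.test(m[1])) {
      findings.push({ rule: "third-party-embed", detail: m[1] });
    }
  }

  // Mistake 3: every form needs a consent checkbox (matched by name, heuristically).
  const forms = html.match(/<form\b[\s\S]*?<\/form>/gi) || [];
  forms.forEach((form, index) => {
    const inputs = form.match(/<input\b[^>]*>/gi) || [];
    const hasConsentBox = inputs.some(
      (tag) =>
        /\btype\s*=\s*["']checkbox["']/i.test(tag) &&
        /\bname\s*=\s*["'][^"']*(?:consent|einwilligung|datenschutz|privacy)[^"']*["']/i.test(tag)
    );
    if (!hasConsentBox) {
      const action = (form.match(/\baction\s*=\s*["']([^"']*)["']/i) || [])[1] || `#${index}`;
      findings.push({ rule: "form-without-consent", detail: action });
    }
  });

  // Checklist "SSL": resources still pulled over plain http break "HTTPS everywhere".
  const insecure = /\b(?:src|href)\s*=\s*["'](http:\/\/[^"']+)["']/gi;
  while ((m = insecure.exec(html)) !== null) {
    findings.push({ rule: "insecure-resource", detail: m[1] });
  }

  return findings;
}

// Tallies findings per rule for a quick summary.
function countByRule(findings) {
  const counts = {};
  for (const f of findings) counts[f.rule] = (counts[f.rule] || 0) + 1;
  return counts;
}

// Constructed sample page that fails one check of each kind; the second form passes.
const SAMPLE_HTML = `<!doctype html><html><head>
<link href="https://fonts.googleapis.com/css2?family=Roboto" rel="stylesheet">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<link rel="stylesheet" href="http://cdn.example.org/site.css">
</head><body>
<iframe src="https://www.youtube.com/embed/placeholder"></iframe>
<form action="/kontakt" method="post">
  <input type="text" name="name"><input type="email" name="email">
  <button>Senden</button>
</form>
<form action="/newsletter" method="post">
  <input type="email" name="email">
  <input type="checkbox" name="privacy_consent" value="yes" required>
</form>
</body></html>`;
```

Run it over the saved HTML of each template (not just the homepage) and treat an empty result as a starting point, not a pass: the scan cannot tell whether a consent-gated tracker is gated correctly, or whether the privacy policy actually lists what it found.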
Need Help?
I offer a professional DSGVO Website Audit starting at €149 — I check your site against 47 criteria and fix the critical issues.
👉 Book a DSGVO Audit at nevki.de or download the free DSGVO Audit Checklist.
Questions? Drop them in the comments — happy to help.