Building for German clients means GDPR (DSGVO) compliance isn't optional. Supervisory authorities fine for it and courts award damages for it; for a small site the amounts at stake are routinely in the €5,000–50,000 range. Here's what you actually need.
1. Cookie Consent That Actually Works
German courts are strict: no non-essential cookies, and no third-party script that would set them, before explicit consent. Showing a banner while the tracker already fires does not count.
```js
// ❌ ILLEGAL in Germany: runs on page load, so GA is configured before consent
gtag('config', 'GA-XXXXXXXX');

// ✅ Legal: the GA loader runs only inside the accept handler.
// loadGoogleAnalytics() and setCookie() are the site's own helpers; the
// 'consent' cookie is first-party and strictly necessary, so it may be set here.
document.getElementById('accept-all').addEventListener('click', () => {
  loadGoogleAnalytics('GA-XXXXXXXX');
  setCookie('consent', 'granted', 365);
});
```
Your banner needs a real "Reject All" button on the first layer, as prominent as "Accept All", per-category control, and a consent log with a timestamp so you can show what was agreed to and when.
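Here is a small consent gate that does what the paragraph above asks for. It is an added example, not code from the original post: nothing in a non-essential category runs until the visitor grants that category, "reject all" is one call and is logged exactly like "accept all", and a consent cookie read back from the browser is validated before it is trusted. The class name, the category names, the cookie format, the element ids and the `G-XXXXXXXX` measurement id placeholder are all assumptions of this example.

```javascript
// Added example, not code from the original post: a minimal consent gate.
// Class, method, category and cookie-format names are this example's own.

const CONSENT_VERSION = 1;                      // bump when banner text or categories change
const CATEGORIES = ['analytics', 'marketing'];  // assumed non-essential categories

class ConsentManager {
  // loaders: { analytics: () => void, marketing: () => void }; each runs at most
  // once and only after its category has been granted.
  // now: injectable clock so the logged timestamp is testable.
  constructor(loaders, now = () => new Date()) {
    this.loaders = loaders;
    this.now = now;
    this.loaded = new Set();
    this.record = null;   // no record means no consent: default deny
  }

  // Store the record, then run loaders for granted categories (once each).
  apply(record) {
    this.record = record;
    for (const cat of CATEGORIES) {
      if (record.granted[cat] && !this.loaded.has(cat) && this.loaders[cat]) {
        this.loaded.add(cat);
        this.loaders[cat]();
      }
    }
    return record;
  }

  // Log a fresh decision. Unmentioned categories are denied, never assumed.
  decide(choices) {
    const granted = {};
    for (const cat of CATEGORIES) granted[cat] = choices[cat] === true;
    return this.apply({ version: CONSENT_VERSION, ts: this.now().toISOString(), granted });
  }

  acceptAll() {
    const all = {};
    for (const cat of CATEGORIES) all[cat] = true;
    return this.decide(all);
  }

  rejectAll() { return this.decide({}); }

  isGranted(cat) { return this.record !== null && this.record.granted[cat] === true; }

  // Cookie value. The consent cookie itself is first-party and strictly
  // necessary, so storing it needs no consent.
  serialize() { return JSON.stringify(this.record); }

  // Re-apply a stored decision. Malformed data or a record from an older
  // banner version is treated as "no decision", so the banner shows again.
  restore(raw) {
    let p;
    try { p = JSON.parse(raw); } catch { return false; }
    if (!p || p.version !== CONSENT_VERSION || typeof p.ts !== 'string' ||
        Number.isNaN(Date.parse(p.ts)) || typeof p.granted !== 'object' || p.granted === null) {
      return false;
    }
    const granted = {};
    for (const cat of CATEGORIES) granted[cat] = p.granted[cat] === true;
    this.apply({ version: p.version, ts: p.ts, granted });   // keep the original timestamp
    return true;
  }
}

// Browser-only helper called from a loader, so it can never run before consent.
function loadScript(src) {
  if (typeof document === 'undefined') return null;   // no DOM under Node
  const s = document.createElement('script');
  s.async = true;
  s.src = src;
  document.head.appendChild(s);
  return s;
}

// Banner wiring (assumed element ids, placeholder measurement id). Browser only.
if (typeof document !== 'undefined') {
  const manager = new ConsentManager({
    analytics: () => loadScript('https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXX'),
  });
  const persist = (record) => {
    document.cookie = 'consent=' + encodeURIComponent(JSON.stringify(record)) +
      '; Max-Age=' + 365 * 24 * 3600 + '; Path=/; SameSite=Lax; Secure';
  };
  const stored = document.cookie.split('; ').find((c) => c.startsWith('consent='));
  const restored = stored && manager.restore(decodeURIComponent(stored.slice('consent='.length)));
  if (!restored) {
    document.getElementById('accept-all').addEventListener('click', () => persist(manager.acceptAll()));
    document.getElementById('reject-all').addEventListener('click', () => persist(manager.rejectAll()));
  }
}
```

The two design points worth copying even if you use a vendor CMP: a missing or unparseable cookie means no consent, never "accept", and the loader for a category is the only code path that can inject that third-party script, so there is no way to load it first and ask later.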
2. Self-Host Google Fonts
The Munich Regional Court (LG München I, January 2022) awarded a visitor €100 in damages because the site loaded Google Fonts directly from Google's servers. The violation was transmitting the visitor's IP address to Google without consent, and every visitor has the same claim.
```css
/* ❌ Don't: the browser contacts fonts.googleapis.com (and then fonts.gstatic.com)
   on every page view, before any banner can be answered */
@import url('https://fonts.googleapis.com/css2?family=Inter');

/* ✅ Self-host: the font file is served from your own origin */
@font-face {
  font-family: 'Inter';
  src: url('/fonts/inter-regular.woff2') format('woff2');
  font-display: swap;
}
```
Use google-webfonts-helper to download any font in seconds, then check the built site (HTML and CSS, including any theme or plugin CSS) for remaining references to fonts.googleapis.com and fonts.gstatic.com.
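The check is easy to script. The following is an added example, not part of the original post: it pulls every absolute or protocol-relative URL out of `src`/`href` attributes, CSS `@import` rules and `url(...)` values, and reports each third-party origin with what to do about it. It goes beyond fonts and also flags the other pre-consent loads named on this page (Analytics, Tag Manager, YouTube, Maps). The host list, the advice strings, the function name and the sample HTML are this example's own constructions.

```javascript
// Added example, not code from the original post: find resources a page pulls
// from third-party origins before any consent can be given. The host list and
// the sample markup below are constructed for this example.

const KNOWN_HOSTS = {
  'fonts.googleapis.com': 'Google Fonts CSS: self-host',
  'fonts.gstatic.com': 'Google Fonts files: self-host',
  'www.google-analytics.com': 'Google Analytics: load only after consent',
  'www.googletagmanager.com': 'Tag Manager / gtag: load only after consent',
  'www.youtube.com': 'YouTube embed: use youtube-nocookie.com and gate behind consent',
  'www.youtube-nocookie.com': 'YouTube embed: still loads from Google, gate behind consent',
  'maps.googleapis.com': 'Google Maps: gate behind consent',
};

// src="..."/href="...", @import ..., and url(...) with an absolute or
// protocol-relative (//host/...) URL. Relative paths never match.
const URL_PATTERN = /(?:src|href)\s*=\s*["']?\s*((?:https?:)?\/\/[^"'\s>]+)|@import\s+(?:url\()?\s*["']?((?:https?:)?\/\/[^"')\s;]+)|url\(\s*["']?((?:https?:)?\/\/[^"')\s]+)/gi;

// Returns one finding per distinct third-party URL, in document order.
function findThirdPartyLoads(markup, ownHost) {
  const findings = [];
  const seen = new Set();
  for (const match of markup.matchAll(URL_PATTERN)) {
    const raw = match[1] || match[2] || match[3];
    let url;
    try { url = new URL(raw.startsWith('//') ? 'https:' + raw : raw); } catch { continue; }
    const host = url.hostname.toLowerCase();
    if (host === ownHost || seen.has(url.href)) continue;
    seen.add(url.href);
    findings.push({
      host,
      url: url.href,
      advice: KNOWN_HOSTS[host] || 'third-party origin: check DPA and consent',
    });
  }
  return findings;
}

// Constructed sample page: two font loads, a gtag script, a YouTube embed,
// an unknown CDN, plus first-party and relative references that must not fire.
const SAMPLE_HTML = `
<link href="https://fonts.googleapis.com/css2?family=Inter" rel="stylesheet">
<style>@import url('https://fonts.googleapis.com/css2?family=Roboto');
@font-face { src: url('/fonts/inter-regular.woff2') format('woff2'); }</style>
<script src="/js/app.js"></script>
<script src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXX"></script>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<img src="//cdn.example-partner.net/logo.png">
<a href="https://www.example.de/impressum">Impressum</a>
`;

for (const f of findThirdPartyLoads(SAMPLE_HTML, 'www.example.de')) {
  console.log(`${f.host}\t${f.url}\n\t${f.advice}`);
}
```

Run it against the rendered HTML of each page template (after any build step, since bundlers and CMS themes inject their own font links). Anything it reports is loading before your banner has been answered; either self-host it or move it behind a consent-gated loader.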
3. Privacy Policy (Datenschutzerklärung)
Required on every commercial site (the information duties come from Art. 13 GDPR). It must list every service that processes personal data, for example:
- Google Analytics / Tag Manager
- YouTube embeds
- Google Maps
- Contact form tools
- CDN providers
- Email platforms
Include: legal basis, retention periods, user rights (access, deletion, portability).
4. Impressum (Legal Notice)
Required by §5 TMG (since May 2024 the same duty lives in §5 DDG, the Digitale-Dienste-Gesetz that replaced the TMG):
- Full legal name (not just brand)
- Physical address (no PO boxes)
- Email address
- Phone number
- VAT number (if applicable)
- Trade register number (if applicable)
- Responsible person for content
5. Contact Forms
Every form collecting personal data needs:
```html
<label>
  <input type="checkbox" name="consent" required>
  <!-- "I consent to the processing of my data to handle my enquiry." -->
  Ich stimme der Verarbeitung meiner Daten zur Bearbeitung meiner Anfrage zu.
  <a href="/datenschutz">Datenschutzerklärung</a>
</label>
```
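The `required` attribute is enforced only by the browser; a submission crafted with curl skips it, and so does a form on a cached or modified page. The server has to re-check the box and should record what was consented to, so that the consent can be shown later. This is an added example, not code from the original post: it uses the `consent` field name from the snippet above, and the other field names, the policy version scheme and the error messages are assumptions of this example.

```javascript
// Added example, not code from the original post: server-side half of the
// contact form. Field name "consent" matches the snippet; name/email/message,
// POLICY_VERSION and the error strings are this example's own assumptions.

const POLICY_VERSION = '2024-05';   // bump whenever /datenschutz changes
const CONSENT_TEXT = 'Ich stimme der Verarbeitung meiner Daten zur Bearbeitung meiner Anfrage zu.';

// fields: the parsed form body (e.g. req.body from a form parser).
// Returns { ok: false, errors } or { ok: true, enquiry, consent }.
function validateContactSubmission(fields, now = () => new Date()) {
  const errors = [];
  const name = String(fields.name || '').trim();
  const email = String(fields.email || '').trim();
  const message = String(fields.message || '').trim();

  if (!name) errors.push('name is required');
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) errors.push('email is invalid');
  if (!message) errors.push('message is required');

  // A ticked checkbox without a value attribute is sent as "on". Anything
  // else, including a missing field, is treated as "not consented".
  if (fields.consent !== 'on') errors.push('consent checkbox not ticked');

  if (errors.length) return { ok: false, errors };

  return {
    ok: true,
    enquiry: { name, email, message },
    // Store this next to the enquiry: what was agreed to, under which policy
    // version, and when. This is the record you show if the consent is questioned.
    consent: { text: CONSENT_TEXT, policyVersion: POLICY_VERSION, ts: now().toISOString() },
  };
}
```

Keep the consent record for as long as you keep the enquiry, and delete both together when the retention period from your privacy policy runs out.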
6. Data Processing Agreements
For every service processing personal data on your behalf (Google, Mailchimp, hosting): sign a DPA (Art. 28 GDPR, in German an Auftragsverarbeitungsvertrag or AVV). Most major providers have self-service DPAs in their dashboards; keep a copy of each signed one.
Quick Checklist
□ Cookie banner with real reject option
□ Google Fonts self-hosted
□ Analytics behind consent gate
□ YouTube → nocookie domain, and still behind the consent gate (the embed itself still loads from Google)
□ Privacy policy complete
□ Impressum complete and accurate
□ Contact forms with consent checkbox
□ DPAs signed
□ TLS (HTTPS) active everywhere, with HTTP redirected
Most Common Violations I See
- Google Fonts from Google (50% of audited sites)
- GA without consent gate (40%)
- Contact forms missing privacy notice (60%)
- Cookie banners that don't actually block scripts (70%)
- Outdated privacy policy that doesn't list current tools (80%)
I offer professional DSGVO Website Audits from €149 — 47-point checklist, issues fixed, certificate of compliance.
Free audit checklist (47 points): Download on Gumroad