Nevik Schmidt

How I Scan Websites for GDPR Violations (Free Tool Inside)

After setting up dozens of client websites, I kept seeing the same DSGVO (German GDPR) violations over and over: missing imprint pages, external Google Fonts, no cookie consent banner, Google Analytics without a legal basis.

So I built an automated scanner. Here's what it checks and what I've learned from scanning hundreds of German websites.

The 6 Most Common GDPR Violations I Find

1. External Google Fonts (Critical)

This one is an Abmahnung magnet in Germany. The LG München ruling made it clear: loading fonts from Google's servers without consent is a GDPR violation because it transfers the user's IP address to Google.

Fix: Self-host your fonts. Download from Google Fonts and serve them from your own server.

2. Google Analytics Without Legal Basis (Critical)

Most small German websites still use Google Analytics without:

  • A cookie consent banner
  • A data processing agreement (AVV) with Google
  • Anonymized IPs

Fix: Switch to self-hosted Matomo or use a privacy-friendly alternative like Plausible.

3. Missing Impressum (Critical)

§ 5 TMG requires every German commercial website to have an Impressum. Yet ~30% of sites I scan are missing one.

4. No Cookie Consent Banner (High)

If you use any cookies that aren't strictly necessary, you need a consent banner. This includes analytics cookies, marketing pixels, and even some session cookies.

5. Missing Privacy Policy (Critical)

Not just any privacy policy: it needs to list ALL services that process user data, including CDN providers, font services, analytics tools, and payment processors.

6. Insecure Connections on Subpages

While the homepage might redirect to HTTPS, subpages often remain accessible via HTTP. This leaks session cookies and form data.

The Scanner I Built

I built a free scanner that checks all of these automatically:

🔗 Free DSGVO Website Scanner: no signup required, results in 30 seconds.

It checks:

  • SSL/HTTPS configuration
  • External resource loading (fonts, scripts, analytics)
  • Cookie consent detection
  • Impressum and privacy policy presence
  • Security headers
  • Third-party data transfers
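As an added illustration (this is not the code behind nevik.de/check, which the post does not show), the Python sketch below runs the static part of those checks over an already fetched page: external font and analytics hosts, Impressum and privacy-policy links, and the HSTS and CSP response headers. The HTML and headers are a constructed sample standing in for a live fetch; the HTTP-on-subpages check from point 6 needs a request per page and is left out.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: HTML and response headers of a fictional page (normally fetched live).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
</head><body>
<a href="/impressum">Impressum</a> <a href="/kontakt">Kontakt</a>
</body></html>"""
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8", "X-Frame-Options": "DENY"}


class _Refs(HTMLParser):
    """Collect URLs of loaded resources and the targets of <a> links."""
    def __init__(self):
        super().__init__()
        self.resources, self.links = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") or a.get("href")
        if tag in ("link", "script", "img", "iframe") and url:
            self.resources.append(url)
        elif tag == "a" and url:
            self.links.append(url.lower())


def scan(html, headers):
    """Return [(check, passed, severity)] for the static checks the post lists."""
    p = _Refs()
    p.feed(html)
    hosts = [h for h in (urlparse(r).hostname for r in p.resources) if h]
    hdr = {k.lower() for k in headers}

    def loads_from(*domains):  # host equals the domain or is a subdomain of it
        return any(h == d or h.endswith("." + d) for h in hosts for d in domains)

    def links_to(*words):  # any <a href> mentioning one of the words
        return any(w in link for link in p.links for w in words)

    return [
        ("Fonts self-hosted", not loads_from("fonts.googleapis.com", "fonts.gstatic.com"), "Critical"),
        ("No Google Analytics", not loads_from("google-analytics.com", "googletagmanager.com"), "Critical"),
        ("Impressum linked", links_to("impressum"), "Critical"),
        ("Privacy policy linked", links_to("datenschutz", "privacy"), "Critical"),
        ("HSTS header set", "strict-transport-security" in hdr, "High"),
        ("CSP header set", "content-security-policy" in hdr, "High"),
    ]


def failures(results):
    """Names of failed checks, Critical ones first (stable sort keeps check order)."""
    return [name for name, ok, sev in sorted(results, key=lambda r: r[2] != "Critical") if not ok]
```

Run `failures(scan(SAMPLE_HTML, SAMPLE_HEADERS))` to get the list of findings; for the sample page it flags the Google Fonts and Google Tag Manager loads, the missing privacy-policy link, and both missing headers.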

What a Typical Scan Reveals

I scanned a random German small business website and got a score of 67/100:

Check                  Status      Severity
SSL Encryption         ✅ Pass     Critical
Google Fonts           ✅ Pass     Critical
Google Analytics       ✅ Pass     Critical
Cookie Consent Banner  ⚠️ Warning  High
Impressum              ⚠️ Warning  High
Privacy Policy         ❌ Fail     Critical

This site is okay but has two critical issues that could lead to Abmahnungen costing €500-5,000+.

Why This Matters for Developers

If you build websites for German clients, you could be liable for GDPR violations. The developer who implements Google Fonts without consent can be named in the Abmahnung.

Building GDPR compliance into your workflow isn't just good practice; it's professional self-protection.

Quick Checklist for Your Next Project

  1. Self-host all fonts (no external CDNs)
  2. Use privacy-friendly analytics (Matomo, Plausible, or nothing)
  3. Implement a proper cookie consent tool
  4. Generate a comprehensive privacy policy
  5. Add an Impressum
  6. Force HTTPS everywhere (HSTS header)
  7. Add security headers (X-Frame-Options, CSP, etc.)
  8. Review all third-party scripts and services

Try the free scanner: nevik.de/check. It takes 30 seconds and could save your clients thousands in Abmahnungen.


☁️ Need a Server for Self-Hosting?

I run all my services on Hetzner Cloud: EU-based, from €3.29/mo. Use my link and we both get €20 in credits.

πŸ›‘οΈ Is Your Website GDPR Compliant?

Check in 60 seconds: nevik.de/check, the free DSGVO scanner.

💡 Tools I Built: bewertung.nevik.de (Google Reviews) · cv.nevik.de (Free CV Builder)

Follow me on Dev.to for weekly guides on self-hosting, AI tools, and growing your business.
