I audit websites for GDPR compliance. In the last month, I found that 87% of small business websites in Germany have at least one critical GDPR violation.
Here are the most common ones — and they're shockingly easy to fix.
1. Google Fonts Loaded Externally
The problem: Every time a visitor loads your page, their IP is sent to Google servers in the US. Since Schrems II, this requires explicit consent.
The fine: €100 per visitor (yes, there's precedent — LG München, Jan 2022).
The fix: Self-host your fonts. 5 minutes of work.
2. Cookie Banner That Doesn't Actually Block Cookies
Most cookie banners are decorative: they show a popup but load Google Analytics, Facebook Pixel and Hotjar before the user consents.
The fix: Use a consent manager that actually blocks scripts until consent. I recommend Cookiebot or a self-hosted solution.
3. Missing or Incomplete Privacy Policy
Your privacy policy needs to list:
- Every third-party service you use
- What data each collects
- Legal basis for each
- Data retention periods
- How users can request deletion
Most privacy policies I see are templates from 2018 that haven't been updated.
4. Contact Forms Without SSL
I still see this in 2026. Personal data transmitted over plain HTTP is a violation.
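The three checks above (external Google Fonts, trackers that execute before consent, forms submitting over HTTP) can all be spotted statically in a page's HTML. The Python script below is an added example, not part of this post or of the checklist it sells: it parses one page, reports the three problems, and is run against a constructed "before" page and the same page after the fixes. The tracker host list, the `data-consent` attribute and the example pages are constructed for illustration; the `type="text/plain"` trick is the standard way a blocking consent manager keeps a script inert until the user opts in.

```python
"""Static GDPR spot checks over one page's HTML (added example, not the
post's checklist): external Google Fonts, tracker scripts that run before
consent, and contact forms that submit over plain HTTP."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Any reference to these hosts sends the visitor's IP to Google on page load.
GOOGLE_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
# Constructed, deliberately short list of tracker hosts for the three tools
# named in the post; a real audit would carry a much longer one.
TRACKER_HOSTS = {
    "www.googletagmanager.com", "www.google-analytics.com",
    "connect.facebook.net", "static.hotjar.com", "script.hotjar.com",
}
_CSS_IMPORT = re.compile(r"@import\s+(?:url\()?['\"]?([^'\")\s;]+)")


class _Collector(HTMLParser):
    """Collects stylesheet URLs, <script> attributes and <form> attributes."""

    def __init__(self):
        super().__init__()
        self.styles, self.scripts, self.forms = [], [], []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href"):
            self.styles.append(a["href"])
        elif tag == "script":
            self.scripts.append(a)
        elif tag == "form":
            self.forms.append(a)
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # @import inside an inline <style> fetches the font CSS just like <link>.
        if self._in_style:
            self.styles.extend(_CSS_IMPORT.findall(data))


def _host(url):
    """Lower-cased hostname of a URL; '' for a relative URL."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()


def audit_html(html, page_url):
    """Return a list of (check, detail) findings for one page."""
    c = _Collector()
    c.feed(html)
    findings = []

    # 1. Fonts pulled from Google's servers instead of being self-hosted.
    for url in c.styles:
        if _host(url) in GOOGLE_FONT_HOSTS:
            findings.append(("external-google-fonts", url))

    # 2. Tracker scripts the browser will execute before any consent. A
    #    blocking consent manager ships them as type="text/plain" (inert)
    #    and only rewrites them to executable scripts after opt-in.
    for s in c.scripts:
        src = s.get("src") or ""
        if _host(src) in TRACKER_HOSTS and (s.get("type") or "").lower() != "text/plain":
            findings.append(("tracker-before-consent", src))

    # 4. Forms whose submission travels over plain HTTP. A relative action
    #    inherits the page's own scheme.
    for f in c.forms:
        action = f.get("action") or ""
        scheme = urlparse(action).scheme or urlparse(page_url).scheme
        if scheme == "http":
            findings.append(("form-over-http", action or page_url))
    return findings


# Constructed sample: the "before" page with all three problems.
BROKEN_PAGE = """<!doctype html><html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<style>@import url('https://fonts.googleapis.com/css?family=Roboto');</style>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
</head><body>
<form action="http://example.test/contact" method="post"><input name="email"></form>
</body></html>"""

# Constructed sample: the same page after the fixes from the post.
FIXED_PAGE = """<!doctype html><html><head>
<link rel="stylesheet" href="/assets/fonts.css">
<style>@font-face{font-family:Inter;src:url('/assets/inter.woff2') format('woff2')}</style>
<script type="text/plain" data-consent="statistics"
        src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
</head><body>
<form action="https://example.test/contact" method="post"><input name="email"></form>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("broken", BROKEN_PAGE), ("fixed", FIXED_PAGE)):
        print(name, audit_html(page, "https://example.test/"))
```

Feed it the HTML of each page you serve (fetched over the same URL a visitor would use, so relative form actions resolve against the right scheme); the fixed page produces no findings, which is the state you want a weekly scan to confirm.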
5. No Data Processing Agreement (Auftragsverarbeitungsvertrag)
Using Mailchimp? Google Workspace? AWS? You need a signed DPA with each provider.
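Sections 3 and 5 both come down to the same artefact: a register of every third-party service the site hands data to, with the facts the privacy policy must state and whether a DPA is on file. The Python below is an added example, not the post's template: a minimal register, a check for gaps in it, and a cross-check against the hostnames a page scan actually observed the site contacting, so that a tracker nobody wrote down shows up. Service names, hostnames and field values are constructed sample data.

```python
"""Processor register (added example, not the post's template): one entry per
third-party service, carrying the facts the privacy policy must state and
whether a DPA (Auftragsverarbeitungsvertrag) is on file, plus a cross-check
against the hosts an audit actually saw the site contact."""
from dataclasses import dataclass

# Art. 6(1) GDPR bases a small site will realistically rely on.
LEGAL_BASES = {"consent", "contract", "legal obligation", "legitimate interest"}
# Per-service items the privacy policy has to spell out.
POLICY_FIELDS = ("data", "legal_basis", "retention")


@dataclass(frozen=True)
class Processor:
    name: str
    hosts: tuple          # hostnames this service makes the site contact
    data: str             # what the service receives
    legal_basis: str      # Art. 6(1) basis, from LEGAL_BASES
    retention: str        # how long the service keeps it
    dpa_signed: bool      # Art. 28 contract on file


def register_problems(register):
    """Gaps in the register itself: missing policy facts, bad basis, no DPA."""
    problems = []
    for p in register:
        for field in POLICY_FIELDS:
            if not getattr(p, field):
                problems.append((p.name, f"missing {field}"))
        if p.legal_basis and p.legal_basis not in LEGAL_BASES:
            problems.append((p.name, f"unknown legal basis: {p.legal_basis}"))
        if not p.dpa_signed:
            problems.append((p.name, "no DPA"))
    return problems


def undocumented_hosts(observed_hosts, register):
    """Hosts the site contacts that no register entry (so no policy line) covers."""
    known = {h.lower() for p in register for h in p.hosts}
    return sorted({h.lower() for h in observed_hosts} - known)


# Constructed sample register; hosts and values are illustrative only.
SAMPLE_REGISTER = (
    Processor("Mailchimp", ("list-manage.com",), "e-mail address, opt-in time",
              "consent", "until unsubscribe", dpa_signed=True),
    Processor("Google Analytics", ("www.googletagmanager.com", "www.google-analytics.com"),
              "pseudonymous usage data", "consent", "14 months", dpa_signed=True),
    Processor("Hotjar", ("static.hotjar.com", "script.hotjar.com"),
              "session recordings, clicks", "consent", "", dpa_signed=False),
)
# Constructed: hostnames a page scan reported as contacted by the site.
OBSERVED_HOSTS = ["www.googletagmanager.com", "static.hotjar.com", "connect.facebook.net"]

if __name__ == "__main__":
    for name, issue in register_problems(SAMPLE_REGISTER):
        print(f"{name}: {issue}")
    print("not in register:", undocumented_hosts(OBSERVED_HOSTS, SAMPLE_REGISTER))
```

Run with the sample data it reports Hotjar twice (no retention period, no DPA) and flags connect.facebook.net as a host the site talks to that the register, and therefore the privacy policy, never mentions. Keeping the register as data rather than prose is what makes the weekly re-check cheap: the scanner's host list goes in, the diff comes out.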
How to Check Your Site
I built a comprehensive GDPR Website Audit Checklist (€19) that covers:
- 47 specific checkpoints
- German legal requirements (TTDSG, BDSG, DSGVO)
- Impressum requirements
- Cookie consent validation
- Third-party service audit
- Data flow mapping
- Template for privacy policy updates
For automated monitoring, my AI Automation Starter Kit (€29) includes a weekly GDPR compliance scanner that runs automatically via n8n.
Disclaimer: I'm a developer, not a lawyer. This is technical guidance based on current enforcement patterns.