
Nevik Schmidt

Why Your German Website Gets You Sued (DSGVO for Developers)


Germany has some of the strictest data protection laws in the world. If you're running a website targeting German users, ignorance isn't a defense — it's a liability waiting to happen.

Here's what every developer needs to know about DSGVO (GDPR in German) compliance.

The Abmahnung Industry

In Germany, lawyers specialize in sending Abmahnungen (cease-and-desist letters) for GDPR violations. These aren't empty threats — they come with:

  • Fines up to €20 million or 4% of global revenue
  • Legal fees starting at €500-2000 per violation
  • Reputation damage
  • Potential class-action lawsuits

Common trigger points that get you flagged:

1. Google Fonts Without Consent

The Problem: Loading Google Fonts from Google's servers leaks user IP addresses.

The Fix:

```bash
# Self-host your fonts
npm install google-fonts-helper
```

```css
/* Or use system fonts */
font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;
```

2. Google Analytics Without Proper Setup

The Problem: Default GA tracks everything, including IP addresses.

The Fix:

```javascript
gtag('config', 'GA_MEASUREMENT_ID', {
  'anonymize_ip': true,
  'cookie_flags': 'SameSite=None;Secure'
});
```

Better yet, use privacy-focused alternatives:

  • Matomo (self-hosted)
  • Plausible (open source)
  • Umami (self-hosted, free)

3. Missing or Inadequate Privacy Policy

The Problem: Vague or English-only privacy policies don't cut it.

Requirements:

  • German language version mandatory
  • Specific data processing details
  • User rights explanation (Art. 13 GDPR)
  • Contact information for DPO

4. Cookie Banners That Don't Comply

The Problem: Banners that pre-check tracking cookies or make rejection difficult.

Compliant Banner Requirements:

  • No pre-checked consent boxes
  • Equal prominence for Accept/Reject
  • Granular category control
  • Easy withdrawal of consent
  • No cookie loading before consent

```html
<!-- WRONG: load everything, then ask -->
<script src="analytics.js"></script>
<div class="cookie-banner">Accept cookies?</div>

<!-- RIGHT: wait for consent before loading anything optional -->
<script>
if (hasConsent('analytics')) {
  loadScript('analytics.js');
}
</script>
```
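To make the five banner rules concrete, here is an added example (my own illustration, not code from the original post or from any consent-management product) of a small consent manager: optional categories start undecided and unchecked, a script registered for a category is queued until that category is granted, withdrawal is recorded, and the decision round-trips through a cookie value. The `loadScript` callback, the category names and the cookie format are assumptions of this example.

```javascript
// Added example, not from the original post. Categories and the cookie
// format ("analytics=1;marketing=0") are this example's own conventions.
const CATEGORIES = ['necessary', 'analytics', 'marketing'];
const OPTIONAL = CATEGORIES.filter((c) => c !== 'necessary');

function createConsentManager(loadScript) {
  const decisions = new Map(); // category -> true/false; absent = not decided yet
  const pending = new Map();   // category -> script URLs queued until consent
  const loaded = [];

  function hasConsent(category) {
    if (category === 'necessary') return true; // strictly necessary: no consent needed
    return decisions.get(category) === true;   // "undecided" counts as no
  }

  // What the banner renders: every optional box unchecked, nothing pre-selected.
  function initialChoices() {
    return OPTIONAL.map((category) => ({ category, checked: false }));
  }

  // Register a script for a category; it loads now only if consent already exists.
  function register(category, src) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (hasConsent(category)) {
      loaded.push(src);
      loadScript(src);
      return true;
    }
    if (!pending.has(category)) pending.set(category, []);
    pending.get(category).push(src);
    return false;
  }

  // Granular opt-in: only the named categories flip to "yes" and flush their queue.
  function grant(categories) {
    for (const category of categories) {
      if (!OPTIONAL.includes(category)) continue;
      decisions.set(category, true);
      for (const src of pending.get(category) || []) {
        loaded.push(src);
        loadScript(src);
      }
      pending.delete(category);
    }
  }

  function rejectAll() {
    for (const category of OPTIONAL) decisions.set(category, false);
  }

  // Withdrawal must be as easy as consent. A script already running cannot be
  // unloaded from the page, so the server must also stop once the cookie changes.
  function withdraw(category) {
    if (OPTIONAL.includes(category)) decisions.set(category, false);
  }

  // Persist only decided categories, e.g. "analytics=1;marketing=0".
  function toCookieValue() {
    return OPTIONAL.filter((c) => decisions.has(c))
      .map((c) => `${c}=${decisions.get(c) ? 1 : 0}`)
      .join(';');
  }

  // Restore an earlier decision; granted categories flush their queued scripts.
  function restore(cookieValue) {
    const granted = [];
    for (const part of (cookieValue || '').split(';')) {
      const [category, flag] = part.split('=');
      if (!OPTIONAL.includes(category)) continue;
      if (flag === '1') granted.push(category);
      else decisions.set(category, false);
    }
    grant(granted);
  }

  return {
    hasConsent, initialChoices, register, grant, rejectAll, withdraw,
    toCookieValue, restore, loadedScripts: () => loaded.slice(),
  };
}
```

In a page you would call `register('analytics', 'analytics.js')` at load time instead of writing the `<script>` tag, wire the banner's buttons to `grant` and `rejectAll`, and put the result of `toCookieValue()` into a first-party cookie; the same cookie is passed to `restore` on the next visit so the banner is not shown again.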

Technical Implementation Checklist

SSL/TLS

✓ HTTPS everywhere (no mixed content)
✓ TLS 1.2+ minimum
✓ HSTS header enabled
✓ Certificate valid and not expiring

Data Minimization

```javascript
// WRONG: Collect everything
const userData = {
  ip: req.ip,
  userAgent: req.headers['user-agent'],
  referrer: req.headers.referer,
  // ...everything else
};

// RIGHT: Collect only what's needed
const userData = {
  email: validatedEmail,
  // Only what's necessary for the function
};
```
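Where you do have to process an IP address (access logs, rate limiting), minimization means truncating it before storage and not keeping the entries for months. The following is an added example of my own, not code from the original post: IPv4 addresses keep their first three octets (the same idea as GA's `anonymize_ip`), IPv6 addresses keep their first 48 bits, and IPv4-mapped IPv6 addresses (the `::ffff:…` form Node's `req.ip` often returns) are handled as IPv4. The retention helper and the sample log lines are constructed for this example; the function names are assumptions.

```javascript
// Added example, not from the original post. All names are this example's own.

function anonymizeIpv4(ip) {
  const octets = ip.split('.');
  const valid = octets.length === 4 &&
    octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) throw new Error(`invalid IPv4 address: ${ip}`);
  return `${octets.slice(0, 3).join('.')}.0`; // drop the host octet
}

function anonymizeIpv6(ip) {
  const halves = ip.split('::');
  if (halves.length > 2) throw new Error(`invalid IPv6 address: ${ip}`);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const groups = head.concat(tail);
  const valid = groups.length <= 8 &&
    (halves.length === 2 || groups.length === 8) &&
    groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g));
  if (!valid) throw new Error(`invalid IPv6 address: ${ip}`);
  // Expand "::" into the missing zero groups, then keep only the /48 prefix.
  const zeros = new Array(8 - groups.length).fill('0');
  const full = head.concat(zeros, tail).map((g) => parseInt(g, 16));
  return `${full.slice(0, 3).map((n) => n.toString(16)).join(':')}::`;
}

function anonymizeIp(ip) {
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(ip);
  if (mapped) return `::ffff:${anonymizeIpv4(mapped[1])}`; // IPv4-mapped IPv6
  if (ip.includes(':')) return anonymizeIpv6(ip);
  return anonymizeIpv4(ip);
}

// Keep only entries inside the retention window and store them with a
// truncated IP. `now` is injectable so the behaviour can be tested.
function retainAndAnonymize(entries, retentionDays, now = Date.now()) {
  const cutoff = now - retentionDays * 24 * 60 * 60 * 1000;
  return entries
    .filter((e) => Date.parse(e.ts) >= cutoff)
    .map((e) => ({ ...e, ip: anonymizeIp(e.ip) }));
}

// Constructed sample access-log entries (documentation-range addresses only).
const SAMPLE_LOG = [
  { ts: '2024-05-01T10:00:00Z', ip: '203.0.113.42', path: '/' },
  { ts: '2024-05-06T09:30:00Z', ip: '2001:db8:85a3::8a2e:370:7334', path: '/contact' },
  { ts: '2024-05-07T12:00:00Z', ip: '::ffff:198.51.100.7', path: '/impressum' },
];
const SAMPLE_NOW = Date.parse('2024-05-08T00:00:00Z');
```

Run `retainAndAnonymize` as a scheduled job over yesterday's log (or call `anonymizeIp` in the logging middleware itself, which is better because the full address then never touches disk). Invalid input throws rather than being written through unchanged, so a malformed `X-Forwarded-For` value cannot sneak a raw string into storage.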

User Rights Implementation

Right to Access (Art. 15)

```javascript
// Endpoint: GET /api/user/data-export
app.get('/api/user/data-export', authenticate, async (req, res) => {
  const userData = await aggregateUserData(req.user.id);
  res.json(formatForExport(userData));
});
```

Right to Erasure (Art. 17)

```javascript
// Endpoint: DELETE /api/user/account
app.delete('/api/user/account', authenticate, async (req, res) => {
  // Records you are legally required to keep lose their link to the person
  await anonymizeUserData(req.user.id);
  // Everything else is deleted outright
  await deleteUserData(req.user.id);
  res.json({ deleted: true });
});
```
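The two routes above lean on helpers the post does not show. Here is an added example (my own, not the post's code) of what `aggregateUserData`, `formatForExport` and the erasure step can look like on a constructed in-memory store: one rule per collection decides whether erasure deletes the records or, where the record itself must be kept (invoices under retention duties), strips the personal fields and breaks the link to the person. The collection names, the `passwordHash` field, the `ERASED` marker and the audit entries are assumptions of this example.

```javascript
// Added example, not from the original post. Collection layout, field names
// and the audit-log shape are this example's own assumptions.
const COLLECTIONS = {
  users:      { key: (r) => r.id,     onErasure: 'delete',    exportOmit: ['passwordHash'] },
  sessions:   { key: (r) => r.userId, onErasure: 'delete',    exportOmit: [] },
  newsletter: { key: (r) => r.userId, onErasure: 'delete',    exportOmit: [] },
  invoices:   { key: (r) => r.userId, onErasure: 'anonymize', exportOmit: [],
                piiFields: ['customerName', 'customerEmail'] },
};

// Constructed sample data; a real app reads this through its ORM.
function sampleDb() {
  return {
    users: [
      { id: 7, email: 'anna@example.com', name: 'Anna', passwordHash: 'argon2id$placeholder' },
      { id: 8, email: 'ben@example.com', name: 'Ben', passwordHash: 'argon2id$placeholder' },
    ],
    sessions: [{ id: 's1', userId: 7 }, { id: 's2', userId: 8 }],
    newsletter: [{ userId: 7, email: 'anna@example.com', confirmedAt: '2024-01-10T09:00:00Z' }],
    invoices: [{ id: 'INV-1001', userId: 7, customerName: 'Anna', customerEmail: 'anna@example.com',
                 total: 49.9, issuedAt: '2024-03-01' }],
    auditLog: [],
  };
}

// Art. 15: everything stored about one person, across all collections.
function aggregateUserData(db, userId) {
  const data = {};
  for (const [name, spec] of Object.entries(COLLECTIONS)) {
    data[name] = db[name].filter((r) => spec.key(r) === userId);
  }
  return data;
}

// The export copy drops fields that are secrets rather than the user's data.
function formatForExport(data) {
  const out = {};
  for (const [name, records] of Object.entries(data)) {
    const omit = COLLECTIONS[name].exportOmit;
    out[name] = records.map((r) =>
      Object.fromEntries(Object.entries(r).filter(([k]) => !omit.includes(k))));
  }
  return out;
}

function exportUserData(db, userId, now = new Date().toISOString()) {
  db.auditLog.push({ action: 'EXPORT', userId, at: now }); // the access itself is logged
  return formatForExport(aggregateUserData(db, userId));
}

// Art. 17: delete what can be deleted, anonymize what must be retained.
function eraseUser(db, userId, now = new Date().toISOString()) {
  const summary = { deleted: {}, anonymized: {} };
  for (const [name, spec] of Object.entries(COLLECTIONS)) {
    if (spec.onErasure === 'delete') {
      const before = db[name].length;
      db[name] = db[name].filter((r) => spec.key(r) !== userId);
      summary.deleted[name] = before - db[name].length;
      continue;
    }
    let count = 0;
    for (const r of db[name]) {
      if (spec.key(r) !== userId) continue;
      for (const field of spec.piiFields) r[field] = 'ERASED';
      r.userId = null; // break the link to the person; number, total and date stay
      count += 1;
    }
    summary.anonymized[name] = count;
  }
  db.auditLog.push({ action: 'ERASURE', userId, at: now }); // proof the request was honoured
  return summary;
}
```

The export route would return `exportUserData(db, req.user.id)` and the delete route would call `eraseUser(db, req.user.id)` in place of the two helpers. Keeping the per-collection rule in one table is the point: when someone adds a new collection holding personal data, they have to decide up front what export and erasure do with it, instead of that collection being silently left out of both.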

Session Storage

```javascript
// WRONG: 2 year cookie expiration
res.cookie('session', token, { maxAge: 2 * 365 * 24 * 60 * 60 * 1000 });

// RIGHT: Reasonable duration with clear purpose
res.cookie('session', token, {
  maxAge: 24 * 60 * 60 * 1000, // 24 hours
  httpOnly: true,
  secure: true,
  sameSite: 'strict'
});
```

Database Considerations

Encryption at Rest

```sql
-- Encrypt sensitive fields
CREATE EXTENSION pgcrypto;
-- $encryption_key stands for a key the application supplies at query time,
-- not a value stored in the database alongside the data
INSERT INTO users (email)
VALUES (pgp_sym_encrypt('user@example.com', $encryption_key));
```

Audit Logging

```javascript
// Log all data access
const auditLog = {
  userId: user.id,
  action: 'READ',
  dataType: 'personal_data',
  timestamp: new Date(),
  ip: req.ip
};
await AuditLog.create(auditLog);
```

Third-Party Service Checklist

Before integrating any service:

| Check | Why |
|---|---|
| DPA signed | Legal requirement |
| Data processing location | EU/EEA preferred |
| Subprocessors listed | Transparency |
| Data deletion on request | Art. 17 compliance |
| Breach notification SLA | 72-hour requirement |

Common Violations I See Weekly

  1. Contact forms without consent checkbox
  2. Newsletter subscriptions without double opt-in
  3. Log files retaining IPs for months
  4. Third-party embeds (YouTube, Maps) without consent
  5. No imprint (Impressum) page — required in Germany!

The Impressum Requirement

In Germany, every commercial website must have an Impressum:

Required Information:
- Name and legal form
- Address (no PO boxes)
- Contact information (email AND phone)
- Commercial register number (if applicable)
- VAT number
- Responsible person's name

Quick Win Checklist

□ Self-host fonts or use system fonts
□ Anonymize or remove Google Analytics
□ Implement proper consent management
□ Add German privacy policy
□ Add Impressum page
□ Enable HTTPS everywhere
□ Implement user data export
□ Implement user data deletion
□ Review third-party integrations
□ Set up audit logging

Tools I Recommend

  • Cookiebot or Usercentrics for consent management
  • Dr. Schwenke's generator for privacy policies
  • Matomo for privacy-first analytics
  • SSL Labs for TLS configuration testing

The Bottom Line

GDPR compliance isn't optional. In Germany, it's actively enforced by private lawyers who make money finding violations.

The good news? Most fixes are technical and straightforward. The bad news? Ignoring them can cost you thousands.


Need a professional DSGVO audit? I help developers and businesses achieve compliance without killing their analytics.

🔒 DSGVO Audit → https://nevki.de

Top comments (1)

Rick Cogley

Good to know even if you don’t have a German audience