Web development | 2026-01-29 | 8 min read

GDPR-Compliant Website 2026: Checklist & Common Mistakes

TL;DR

A GDPR-compliant website is not optional in 2026. The most common mistakes: a cookie banner without genuine opt-in, Google Fonts loaded from Google's servers, and a missing or outdated privacy policy. Our 15-point checklist shows what SMEs must implement now, without needing a lawyer for every step.

Why GDPR Compliance Matters More Than Ever in 2026

Data protection authorities in Germany and across the EU are increasingly fining SMEs, not only large corporations. In 2023, over 1,200 fines were issued in Germany alone, many against small businesses for easily avoidable mistakes. The most common causes: defective cookie banners and third-party services loaded without consent.

The 15-Point GDPR Checklist for Websites

Legal Foundations

  • ✅ Legal notice (imprint): complete information per § 5 DDG (the former § 5 TMG): name, address, contact details, trade register number and VAT ID where applicable
  • ✅ Privacy policy: current and complete, with every service and third-party provider you actually use listed
  • ✅ Data protection officer: required once at least 20 people are regularly engaged in automated processing of personal data (§ 38 BDSG)
  • ✅ Data processing agreements (DPA, Art. 28 GDPR) signed with every provider that processes personal data on your behalf (hosting, email, analytics, CRM)

Cookie Management

  • ✅ Cookie consent banner with genuine opt-in: no pre-ticked boxes, and 'Accept all' is not the only prominent button
  • ✅ Non-essential cookies and similar storage (localStorage, tracking pixels, third-party scripts) are only set or loaded after consent, never before; technically necessary cookies (session, shopping cart) are exempt
  • ✅ Rejecting must be just as easy as accepting: a 'Reject all' button on the first layer, not hidden behind 'Settings'
  • ✅ Consent logging: who (a pseudonymous ID, not the IP address) consented to what (categories and policy version) and when, so you can prove it later
  • ✅ Consent withdrawal possible at any time (link in the footer), with no more effort than giving it

Third-Party Services

  • ✅ Google Fonts: host the font files locally instead of loading them from fonts.googleapis.com / fonts.gstatic.com, and remove any preconnect or dns-prefetch hints to those hosts (the connection alone discloses the visitor's IP address)
  • ✅ Google Analytics: load only after opt-in. GA4 does not log or store IP addresses by default; the old anonymize_ip setting only applied to Universal Analytics, which Google shut down in 2023
  • ✅ Google Maps: only after opt-in or via a 2-click solution (static placeholder, the map loads on click)
  • ✅ YouTube videos: youtube-nocookie.com ('privacy-enhanced mode') only avoids cookies before playback; the embed still connects to Google and transmits the visitor's IP address, so place it behind a 2-click placeholder or load it after opt-in
  • ✅ Social media buttons: no share or like buttons that contact the network on page load; use the Shariff approach (a plain link that only contacts the network after the click)
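A quick way to check the five points above is to look at what a page loads before anyone has made a choice. The following static audit is an added example, not a tool from this page: it pulls URLs out of an HTML document's `src`/`href`/`url()` values, ignores scripts already blocked with `type="text/plain"`, and flags hosts from a small list of known third parties. The host list and the sample page are constructed for this example. It is only a static approximation: scripts that fire further requests at runtime show up only in the browser's network panel or a headless-browser crawl.

```javascript
// Static pre-consent audit of a page: which third-party hosts does it contact before
// anyone clicks the banner? Added example; host list and sample page are constructed.

const THIRD_PARTY_PATTERNS = [
  { host: /(^|\.)fonts\.googleapis\.com$/, issue: "Google Fonts CSS loaded from Google" },
  { host: /(^|\.)fonts\.gstatic\.com$/,    issue: "Google Fonts files (or preconnect) loaded from Google" },
  { host: /(^|\.)googletagmanager\.com$/,  issue: "Google Tag Manager / GA4 loaded before consent" },
  { host: /(^|\.)google-analytics\.com$/,  issue: "Google Analytics loaded before consent" },
  { host: /(^|\.)maps\.googleapis\.com$/,  issue: "Google Maps loaded before consent" },
  { host: /(^|\.)youtube\.com$/,           issue: "YouTube embed with cookies (use youtube-nocookie.com behind a 2-click placeholder)" },
  { host: /(^|\.)youtube-nocookie\.com$/,  issue: "YouTube privacy mode still sends the visitor's IP to Google; gate it behind a click" },
  { host: /(^|\.)facebook\.(com|net)$/,    issue: "Facebook SDK/pixel loaded before consent" },
];

// URL-bearing attributes and CSS url() calls. Regex on purpose: enough for static markup,
// not an HTML parser (srcset is not handled).
const ATTR_URL_RE = /\b(?:src|href|data-src|poster|action)\s*=\s*["']([^"']+)["']/gi;
const CSS_URL_RE = /url\(\s*["']?([^"')\s]+)["']?\s*\)/gi;
// Scripts blocked until opt-in do not load, so they are dropped before scanning.
const GATED_SCRIPT_RE = /<script\b[^>]*\btype\s*=\s*["']text\/plain["'][^>]*>[\s\S]*?<\/script>/gi;

function extractUrls(html) {
  const visible = html.replace(GATED_SCRIPT_RE, "");
  const urls = [];
  for (const re of [ATTR_URL_RE, CSS_URL_RE]) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(visible)) !== null) urls.push(m[1].trim());
  }
  return urls;
}

// First party = the page's own host or a subdomain of it (cdn.example.org for example.org).
function isFirstParty(host, pageHost) {
  return host === pageHost || host.endsWith("." + pageHost);
}

function classify(host) {
  for (const p of THIRD_PARTY_PATTERNS) if (p.host.test(host)) return p.issue;
  return "external host: check for a DPA and whether it needs consent";
}

// Returns one finding per distinct external URL: { url, host, issue }.
function auditPreConsentLoads(html, pageUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const seen = new Set();
  const findings = [];
  for (const raw of extractUrls(html)) {
    let u;
    try { u = new URL(raw, pageUrl); } catch { continue; }       // skip unparsable values
    if (!/^https?:$/.test(u.protocol) || !u.hostname) continue;  // data:, mailto:, javascript:
    if (isFirstParty(u.hostname, pageHost)) continue;
    if (seen.has(u.href)) continue;
    seen.add(u.href);
    findings.push({ url: u.href, host: u.hostname, issue: classify(u.hostname) });
  }
  return findings;
}

// Constructed sample page: a typical SME site with a half-finished consent setup.
const SAMPLE_PAGE_URL = "https://example.org/";
const SAMPLE_HTML = `
<link rel="preconnect" href="https://fonts.gstatic.com">
<link href="https://fonts.googleapis.com/css2?family=Inter" rel="stylesheet">
<link href="/assets/fonts.css" rel="stylesheet">
<style>@font-face{font-family:Inter;src:url(/fonts/inter.woff2) format("woff2")}</style>
<script src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script type="text/plain" data-consent="analytics" src="https://www.googletagmanager.com/gtag/js?id=G-YYYY"></script>
<iframe src="https://www.youtube-nocookie.com/embed/abc123"></iframe>
<img src="//cdn.example.org/logo.png" alt="">
<a href="mailto:info@example.org">Mail</a>
`;

for (const f of auditPreConsentLoads(SAMPLE_HTML, SAMPLE_PAGE_URL)) {
  console.log(`${f.host.padEnd(28)} ${f.issue}\n    ${f.url}`);
}
```

On the sample page the audit reports four hosts: the preconnect to fonts.gstatic.com counts even though no font file is requested yet, the consent-gated GA4 tag is correctly ignored while the ungated one is flagged, and the nocookie embed is listed because it still transfers the visitor's IP address. Run it over your own HTML, then confirm the result in the browser's network panel with all consent choices cleared.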

Forms & Contact

  • ✅ Contact forms: link to the privacy policy, collect only the fields you actually need, no newsletter opt-in bundled into the request
  • ✅ HTTPS on all pages: valid TLS certificate, HTTP redirected to HTTPS, so form data never travels in the clear (Art. 32 GDPR requires appropriate security; HTTPS is also an SEO ranking factor)

The 5 Most Common GDPR Mistakes on Websites

| Mistake | Risk | Solution |
| --- | --- | --- |
| Loading Google Fonts from Google servers | Warning letter; the Munich Regional Court awarded €100 in damages per affected visitor | Host fonts locally |
| Cookie banner with pre-ticked boxes | Fine (statutory maximum €20 million or 4 % of annual turnover) | Genuine opt-in without pre-selection |
| Google Analytics without consent | Fine, warning letter | Activate only after opt-in |
| Outdated privacy policy | Warning letter | Review at least annually and whenever a service changes |
| No DPA with hosting provider | Fine | Sign the host's DPA (Art. 28 GDPR) |

Google Fonts: in its ruling of 20 January 2022 (3 O 17493/20), the Munich Regional Court (LG München I) held that loading Google Fonts from Google's servers without consent transmits the visitor's IP address to Google without a legal basis, and awarded the visitor €100 in damages. Since then, embedding fonts from Google's servers without consent is treated as unlawful in Germany. Solution: download the font files and host them yourself. This takes about 15 minutes.

Cookie Consent Tools Compared

| Tool | Price | Strength | Ideal for |
| --- | --- | --- | --- |
| Cookiebot | From €14/month | Automatic scanning of your site for cookies and trackers | SMEs, e-commerce |
| Usercentrics | From €60/month | Enterprise features, A/B testing | Larger companies |
| Borlabs Cookie (WP) | From €39/year | Tight WordPress integration, annual licence | WordPress sites |
| Klaro (open source) | Free | Self-hosted, full control over data and markup | Technical teams |
| Real Cookie Banner (WP) | From €39/year | Strong GDPR focus, easy to use | WordPress SMEs |

GDPR-Compliant Alternatives to US Services

| US service | GDPR alternative | Advantage |
| --- | --- | --- |
| Google Analytics | Matomo (self-hosted) / Plausible | Data stays on your own server or in the EU; both can run without cookies |
| Google Fonts | Bunny Fonts / host locally | No data transfer to Google or the US |
| Mailchimp | Brevo (formerly Sendinblue) / CleverReach | EU servers, DPA available |
| Typeform | Tally / Typeform EU | EU data storage |
| Zoom | Whereby / Jitsi (self-hosted) | EU servers or fully under your own control |

Our Conclusion

GDPR compliance is not a one-time project – it requires regular review as the legal landscape and the services you use change. The good news: most mistakes are easy to fix. Start with the three most important measures: host Google Fonts locally, implement a cookie banner with genuine opt-in, update your privacy policy.

Last updated: 2026-03-16

Frequently asked questions

Does my small website also need a cookie banner?

Yes, if you set cookies that are not technically necessary (analytics, marketing, social media). Technically necessary cookies (session cookies, shopping cart) do not require consent. Note that the consent requirement in § 25 TDDDG (formerly TTDSG) covers any storage on or access to the visitor's device, not just cookies: localStorage, tracking pixels and fingerprinting scripts count too. If you use only technically necessary cookies and no analytics or other tracking, you can do without a banner.

How much does a GDPR warning letter cost?

Warning letters from competitors typically cost €500–2,000. Fines from data protection authorities range from a few hundred euros (minor violations) to €20 million or 4% of global annual turnover, whichever is higher (serious violations, Art. 83 GDPR). For SMEs, fines of €1,000–50,000 are realistic for mid-level violations.

How often do I need to update my privacy policy?

Whenever something changes: a new service is integrated, an existing service is modified, or the legal situation changes. Review at least once a year. Use a generator (e.g. from law firm Dr. Schwenke) and update it when changes occur.

Is Google Analytics GDPR-compliant?

With a correct opt-in cookie banner, Google Analytics can be used in a way that is defensible under the GDPR; in GA4, IP addresses are not stored by default, so the old IP anonymization setting no longer applies. Data transfers to the US remain legally contested: Google relies on the EU-US Data Privacy Framework adequacy decision of July 2023, and that framework is itself under legal challenge. For maximum legal certainty, we recommend Matomo (self-hosted) or Plausible Analytics.

What is a data processing agreement (DPA)?

A DPA (Art. 28 GDPR) is a contract between you and every service provider that processes personal data on your behalf (hosting, email marketing, CRM, analytics). It governs what the provider may do with the data, its security obligations and what happens to the data when the contract ends. Processing without a DPA is unlawful. Most providers offer a standard DPA that you accept online in your account settings.

Questions about this?

Message me directly – I'll get back to you personally and without any fuss.

Contact: +49 1590 42 33 200