Is Your Website GDPR Compliant? (30-Point 2026 Checklist for Germany)


If you operate a German business website in 2026 and are looking for a GDPR compliant website checklist, the bar has risen significantly since 2018. TTDSG cookie rules, the Google Fonts court ruling, BFSG accessibility for consumer-facing sites, and an active Abmahnung industry mean that “we installed a cookie banner once” is no longer enough. This guide gives you a 30-point checklist covering everything a German site must address in 2026, plus the realistic fines for getting it wrong.

Written for GmbH owners, Mittelstand operations leads, and marketing managers who want to be Abmahnung-safe without learning the entire BDSG by heart.

What does GDPR compliant mean for a website in 2026?

Five regulations interact for any German business website:

  • GDPR / DSGVO — the EU-wide data protection framework
  • BDSG — the German federal data protection law
  • TTDSG — German telemedia & telecommunications privacy act (cookies)
  • BFSG — Barrierefreiheitsstärkungsgesetz (accessibility, effective June 2025)
  • EU AI Act — relevant if you operate AI systems on the site

A “GDPR compliant website” in Germany in 2026 means meeting the requirements of all five where they apply. Most checklists from 2020 cover only GDPR; that’s no longer enough.

What are the real fines for a non-compliant German website?

The numbers most owners underestimate:

  • GDPR fines up to €20 million or 4% of global annual revenue (whichever is higher)
  • BFSG accessibility fines up to €100,000 per violation
  • TTDSG cookie violations: typically €5,000–€50,000 in practice
  • Abmahnung (cease and desist letter) costs: €500–€5,000 in initial fees + remediation
  • Reputation damage and lost B2B contracts (often the largest real cost)

For German SMEs, the Abmahnung industry is the more immediate concern. Law firms actively scan websites for known violations (missing cookie consent, Google Fonts loaded from the Google CDN, a weak Impressum) and send paid demand letters to the operators.

The 30-point GDPR compliant website checklist

Work through these by category. Each is either yes (compliant) or needs fixing.

1: Cookie consent (TTDSG)

  1. Cookie banner uses opt-in, not opt-out, and not pre-ticked checkboxes
  2. Equal-prominence Accept and Reject buttons (no dark patterns)
  3. Granular consent: separate categories (essential, statistics, marketing)
  4. Tracking cookies do not fire until user consent is given
  5. Cookie banner re-asks after consent expiry (typically 6 months)
  6. Consent records stored with timestamp and choices made
  7. Cookie policy page lists every cookie set, its purpose, and duration

2: Privacy policy (Datenschutzerklärung)

  1. Datenschutzerklärung covers every data processing activity
  2. Each third-party service is named (Google Analytics, Stripe, Cloudflare, etc.)
  3. Legal basis for each processing is identified (Art. 6 GDPR)
  4. Data retention periods stated for each data type
  5. Data subject rights explained (access, deletion, portability, objection)
  6. Contact information for data protection inquiries published
  7. Datenschutzerklärung in the language of the audience served

3: Imprint (Impressum)

  1. Impressum is reachable within 2 clicks from any page
  2. Contains full company info: name, address, USt-IdNr., Handelsregister
  3. Contains contact: email, phone number
  4. Names the Geschäftsführer / Inhaber
  5. Includes professional regulation details if applicable (e.g., Rechtsanwalt, Arzt)

4: Third-party services (AVV)

  1. Auftragsverarbeitungsvertrag (AVV/DPA) signed with hosting provider
  2. AVV signed with email marketing tool, CRM, analytics provider
  3. AVV signed with any other service processing personal data
  4. AVV documents stored and retrievable for audit

5: Technical requirements

  1. Google Fonts self-hosted, not loaded from Google CDN
  2. SSL/TLS active across the entire site (HTTPS only)
  3. IP addresses anonymised in analytics where supported
  4. Server-side tracking or cookieless analytics where possible

6: BFSG accessibility (consumer-facing sites)

  1. WCAG 2.1 Level AA compliance verified
  2. Keyboard navigation works throughout
  3. Accessibility statement published on the site

A site scoring 28+ out of 30 is well-positioned. Sites scoring under 25 face active Abmahnung risk in 2026.

What does the Google Fonts ruling mean for German websites?

In January 2022, a Munich court ruled that loading Google Fonts from Google’s CDN transmits the visitor’s IP address to Google in the US, and that this is processing of personal data that requires consent under the GDPR. After that ruling, an Abmahnung wave targeted thousands of German sites.

The fix is simple:

  • Download the Google Fonts you use
  • Host them on your own server (/wp-content/themes/yourtheme/fonts/)
  • Update CSS to reference local files only
  • Remove any fonts.googleapis.com or fonts.gstatic.com calls

For WordPress, plugins like OMGF (Optimize My Google Fonts) automate this. For headless or custom sites, manual setup is straightforward.
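To verify the last step of that fix, here is an added audit script (not from this article or from OMGF) that scans page HTML and CSS text for references to fonts.googleapis.com or fonts.gstatic.com; the sample sources and the file labels are constructed for the demo.

```javascript
// Added example, not from the article: audit HTML and CSS text for references to
// Google's font CDN. The sample sources below are constructed; in practice feed it
// the fetched page source and every stylesheet the page loads.
const GOOGLE_FONT_HOSTS = ["fonts.googleapis.com", "fonts.gstatic.com"];

// The three usual ways a page pulls remote fonts: <link> tags (stylesheet and
// preconnect), @import rules, and url() inside @font-face.
const REF_PATTERNS = [
  { kind: "link", re: /<link\b[^>]*\bhref\s*=\s*["']([^"']+)["'][^>]*>/gi },
  { kind: "import", re: /@import\s+(?:url\()?\s*["']?([^"')\s;]+)/gi },
  { kind: "url", re: /url\(\s*["']?([^"')\s]+)["']?\s*\)/gi },
];

// Returns one finding per distinct Google-font URL found in `source`.
function findGoogleFontReferences(source, label) {
  const findings = [];
  const seen = new Set(); // @import url(...) matches two patterns; report it once
  for (const { kind, re } of REF_PATTERNS) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(source)) !== null) {
      const target = m[1].replace(/^\/\//, "https://"); // protocol-relative URLs
      let host;
      // Relative URLs resolve against a placeholder origin, i.e. they are self-hosted.
      try { host = new URL(target, "https://example.invalid/").hostname; } catch (e) { continue; }
      if (GOOGLE_FONT_HOSTS.includes(host) && !seen.has(target)) {
        seen.add(target);
        findings.push({ file: label, kind, url: target });
      }
    }
  }
  return findings;
}

// Constructed samples: a theme header still loading Inter from Google, and a
// stylesheet that imports Roboto remotely but already self-hosts Inter.
const SAMPLE_HTML = `<head>
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link href="https://fonts.googleapis.com/css2?family=Inter&display=swap" rel="stylesheet">
<link rel="stylesheet" href="/wp-content/themes/yourtheme/style.css">
</head>`;
const SAMPLE_CSS = `@import url("https://fonts.googleapis.com/css?family=Roboto");
@font-face { font-family: "Inter"; src: url("/wp-content/themes/yourtheme/fonts/inter.woff2"); }`;

// Audit both sources; an empty result means no remote Google Fonts call remains.
function auditSources(html, css) {
  return [...findGoogleFontReferences(html, "header.php"),
          ...findGoogleFontReferences(css, "style.css")];
}
```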

Most German Datenschutz lawyers in 2026 consider self-hosted fonts non-negotiable.

Which cookie consent platform is best for German sites?

Three serious options for 2026:

  • Borlabs Cookie — German-built, €39/year, deepest TTDSG awareness
  • Real Cookie Banner — German-built, free + paid tiers, very polished
  • Usercentrics — enterprise CMP, €40+/month, used by larger DACH companies

For most German SMEs: Borlabs or Real Cookie Banner. Both are designed by German developers for German Datenschutz requirements and ship with templates pre-configured for common patterns (Google Analytics, Meta Pixel, Stripe, YouTube embeds, etc.).

Avoid: Cookiebot’s free tier (cookie scanning quality is uneven), DIY banner code without proper consent management.

What does TTDSG actually require for cookies?

The Telekommunikation-Telemedien-Datenschutz-Gesetz came into force in late 2021 and tightened cookie rules compared to GDPR alone:

  • Consent is required before any non-essential cookie is set
  • Pre-ticked checkboxes are explicitly illegal
  • Cookie banners must give equal prominence to Accept and Reject
  • No “legitimate interest” basis for tracking cookies — opt-in only
  • Consent records must be maintained for audit

The practical implication: most “old” cookie banners (one big Accept button, small “Settings” link) are not TTDSG-compliant. They need redesign.

Do you need an AVV with every third-party service?

If the service processes personal data on your behalf, yes. Common services requiring an Auftragsverarbeitungsvertrag:

  • Web hosting (Hetzner, IONOS, AWS) — yes
  • Email marketing (Brevo, Mailchimp, CleverReach) — yes
  • Analytics (Google Analytics, Plausible, Matomo if hosted) — yes
  • Payment processors (Stripe, PayPal, Klarna) — usually yes
  • Live chat (Userlike, Intercom, Crisp) — yes
  • CRM (HubSpot, Pipedrive, Salesforce) — yes
  • File storage (Dropbox, Google Drive, S3) — yes

Reputable providers offer a standard AVV via their account settings or by request. If a provider can’t produce one, that’s a sign they’re not built for the EU market.

What changed with BFSG accessibility in 2025?

The Barrierefreiheitsstärkungsgesetz came into force on June 28, 2025. It requires most consumer-facing digital services to meet WCAG 2.1 Level AA standards.

Who must comply:

  • E-commerce shops selling to consumers
  • Banking and financial services
  • Telecommunications providers
  • E-books and reading apps
  • Transport ticketing
  • Consumer-facing service businesses

Who is exempt:

  • B2B-only websites (in most cases)
  • Microenterprises (under 10 employees AND under €2M revenue) for certain services

For affected sites, BFSG compliance typically adds €2,000–€8,000 to a build/redesign and requires an accessibility statement on the site.

For deeper accessibility coverage, our Web Development Trends in Germany 2026 post explains BFSG implications.

How do you handle Datenschutzerklärung translations for a multilingual site?

If you serve English-speaking customers, your Datenschutzerklärung must also be available in English (or in whatever other language(s) your audience speaks). Three options:

  • Lawyer-translated full version (€500–€2,000) — safest legally
  • Professional translator review of a lawyer-template translation (€200–€800) — middle ground
  • DeepL Pro draft + native English-speaking lawyer review (€300–€1,000) — modern hybrid

Pure machine translation of legal text is risky. Datenschutzerklärung translations should be reviewed by someone who understands both languages and German law.

For broader multilingual context, see our GDPR compliant website checklist 2026 guide.

What is server-side tracking and do you need it?

Server-side tracking sends analytics events from your server to the analytics provider (Google Analytics, Meta Pixel), instead of from the visitor’s browser. Benefits for German Datenschutz:

  • Better control over what data is sent (you choose what to forward)
  • Avoids ad-blocker interference (cleaner data)
  • Easier consent enforcement (server checks consent before forwarding)
  • Reduces direct contact between visitor and US analytics services

Common setups: Google Tag Manager Server Container, Stape, Elevar.

Server-side tracking adds €1,500–€5,000 in setup cost. For sites running €5,000+/month in advertising, ROI is typically strong. For smaller sites, cookieless analytics (Plausible, Matomo) is the cleaner alternative.

How long does it take to make a website GDPR compliant?

For a typical German SME WordPress site that’s been operating without serious compliance:

  • Quick fixes (cookie banner, Google Fonts, basic Impressum/Datenschutzerklärung): 1–2 days
  • Full compliance audit and remediation: 1–2 weeks
  • Major rebuild with privacy-by-design architecture: 4–8 weeks

Total cost: €1,500–€8,000 for a typical SME compliance project. Compared to a single Abmahnung (€2,000–€5,000) plus the rework, the proactive approach pays back fast.

When should you hire a Datenschutzbeauftragter (DPO)?

German law requires appointing a Datenschutzbeauftragter when:

  • You employ 20+ people regularly processing personal data
  • You process special categories of personal data (health, religious, racial) at scale
  • Your core activity involves regular and systematic monitoring of data subjects

Below those thresholds, a DPO is optional but often valuable for any e-commerce shop or B2C service handling significant customer data.

External DPO services typically cost €100–€500/month for an SME. For sites running €1M+ in revenue with personal data processing, this is usually money well spent.

Frequently Asked Questions About the GDPR Compliant Website Checklist 2026

Is my website GDPR compliant if I have a cookie banner?

Not by itself. You also need opt-in consent, equal-prominence Accept and Reject buttons, a Datenschutzerklärung, an Impressum, AVVs, and TTDSG adherence.

What is the difference between GDPR and DSGVO?

Same regulation — DSGVO is the German name, GDPR is the English term.

How much does GDPR compliance cost for a German website?

€1,500–€8,000 one-time; €500–€2,000/year maintenance.

Can I use Google Analytics on a German website?

Yes with IP anonymisation, opt-in consent, AVV, and disclosure; cookieless alternatives are lower-risk.

What is an Abmahnung and how worried should I be?

A paid cease-and-desist letter; settlement typically costs €500–€5,000. Take it seriously.

Do I need a Datenschutzerklärung if my site only has a contact form?

Yes — any site collecting personal data needs one (email addresses count).

Are AGB / Terms required by GDPR?

Not by GDPR, but by German Verbraucherrecht for e-commerce and consumer services.

Final thoughts on GDPR compliance for German websites in 2026

The 30-point checklist above represents what a Datenschutz-aware German lawyer would expect to see on any serious 2026 website. Most SMEs can reach full compliance in 1–2 weeks with proper tooling (Borlabs or Real Cookie Banner, OMGF for fonts, lawyer-reviewed Datenschutzerklärung template) and modest investment.

If you’d like a free 30-minute compliance audit of your current site with prioritised fixes, our team offers a written report covering all 30 checklist points. You can book a meeting or browse our website development services for the broader compliance + maintenance offer.
