GDPR Website Checklist 2026 — What Businesses Need to Review
Privacy & Law

GDPR Website Checklist 2026: Cookie consent, privacy policy, SSL, local Google Fonts, analytics, contact forms, and more. Practical tips for a privacy-compliant website.

11 min read Lindwurm Digital

Many companies underestimate the privacy law requirements for their website — until the first warning letter arrives. The good news: With a structured approach, GDPR compliance can be systematically implemented.

Important Notice: This article does not constitute legal advice. The information presented is based on publicly available sources regarding GDPR. For legally binding statements, please consult a specialized privacy law attorney.

The General Data Protection Regulation (GDPR) has been in effect since May 2018 — and yet many websites in Germany are still not fully compliant. The consequences range from expensive warning letters to severe fines.

In this article we give you a practical GDPR website checklist for 2026. Point by point you will learn what to check, from cookie consent and Google Fonts to newsletter subscriptions, so that your website does not become a target for warning letters.

If you’re wondering how much a legally sound and professional website costs, take a look at our cost overview for websites. And if you’re planning a complete fresh start, our website relaunch checklist helps.

GDPR and TTDSG: What’s the Difference?

Before we dive into the checklist, an important distinction: The GDPR (General Data Protection Regulation) governs the protection of personal data at the European level. It concerns everything related to processing user data — from collection through storage to deletion.

The TTDSG (Telecommunications-Telemedia Data Protection Act) is a German law that has applied since December 2021. Since May 2024 its official name is TDDDG (Telecommunications-Digital-Services Data Protection Act), but the cookie rule in § 25 is unchanged and the old name is still in common use. It specifically regulates access to users' devices: storing and reading cookies and similar technologies such as local storage or fingerprinting scripts. While the GDPR asks "May you process this personal data?", the TTDSG asks "May you access the user's device at all?"

In practice this means: even if a cookie contains no personal data, you need consent under the TTDSG unless the cookie is strictly necessary to provide a service the user has explicitly requested (a shopping cart or the stored consent choice itself, for example). Both laws interlock and must be considered together.

The Complete GDPR Website Checklist 2026

1. SSL Encryption

  • The entire website is delivered via HTTPS
  • HTTP requests are automatically redirected to HTTPS, and an HSTS header (Strict-Transport-Security) tells browsers to use HTTPS from then on
  • The TLS certificate is valid, current, and renewed automatically
  • Mixed content (HTTP resources on HTTPS pages) is eliminated, including images and scripts inside CMS content and stylesheets

Transport encryption ("SSL" colloquially, TLS in practice) is not only a Google ranking factor: Article 32 GDPR requires technical measures appropriate to the risk and names encryption explicitly, so any website with contact forms, logins, or other input fields must be served over HTTPS. Free certificates are available through Let's Encrypt, and most hosters renew them automatically, so there is no excuse anymore. Note that the padlock only covers the transport; what happens to the data once it reaches your server (mail forwarding, storage, backups) is covered by the form and DPA items further down this list.

2. Cookie Consent (TTDSG-Compliant)

  • A cookie consent banner is displayed before any cookie that is not technically necessary is set
  • Cookies are only set after active consent (opt-in, not opt-out)
  • The “Reject” button is as prominent as the “Accept” button
  • Users can withdraw their consent at any time
  • Consent is documented and stored
  • Technically necessary cookies are correctly categorized
  • Pre-selected checkboxes are not used
  • The banner actually blocks all tracking scripts until consent

Cookie consent is one of the most common stumbling blocks. According to a BVDW study, over 40% of cookie banners on German websites are not legally compliant. Many websites set tracking cookies as soon as the page loads, before users can make any choice at all; that is a clear violation of the TTDSG. Check this yourself: open the site in a private browser window, do not touch the banner, and look at the cookies and network requests in the developer tools. Recommended consent management platforms include Cookiebot, Borlabs Cookie (for WordPress), and Real Cookie Banner; keep in mind that a CMP only helps if every third-party script on the page is actually routed through it.

Common mistake: dark patterns in cookie banners, such as a large green "Accept all" button and a tiny gray "Reject" link. Supervisory authorities increasingly insist that rejecting must be as easy as accepting: same level of the banner, same number of clicks, comparable design.

3. Privacy Policy

  • A complete privacy policy is present
  • It is reachable from every page with at most one click
  • All used services and tools are listed
  • Legal bases for each data processing are named
  • Data subject rights (access, deletion, objection) are explained
  • Controller contact details are provided
  • Data protection officer information (if required) is present
  • The policy is regularly updated

The privacy policy must cover every form of data processing on your website. Using Google Analytics? It’s listed. Embedding YouTube videos? It’s listed. Using a contact form? It’s listed. Generators like those from Dr. Schwenke law firm or eRecht24 can serve as starting points but should always be individually adapted.

4. Legal Notice

  • A complete legal notice according to § 5 DDG (Digital Services Act, which replaced § 5 TMG in May 2024) is present
  • It is reachable from every page with at most one click
  • Name, address, email, and telephone number are provided
  • Commercial register number and VAT ID are listed (if applicable)
  • For regulated professions: responsible chamber and professional regulations

The legal notice (Impressum) is not strictly a GDPR requirement; it comes from the Digital Services Act (DDG), formerly the Telemedia Act (TMG). Nevertheless, it belongs to the basic equipment of every legally compliant website. If it is missing or incomplete, warning letters follow; it is often the first weak point that warning-letter lawyers check.

5. Google Fonts Local Hosting

  • Google Fonts are hosted locally instead of loaded from Google servers
  • No connection to fonts.googleapis.com or fonts.gstatic.com
  • All external font requests are checked and eliminated

Since the Munich Regional Court ruling (Landgericht München I, January 2022) it has been clear: embedding Google Fonts from Google's servers without consent violates the GDPR, because the user's IP address is transmitted to Google in the USA. A wave of warning letters followed that caught many website operators off guard. The solution is simple: download the fonts and serve them from your own server. Tools like google-webfonts-helper make this easy. Do check the result afterwards, though: themes, page builders, and plugins often pull in Google Fonts a second time through their own stylesheets or @import rules, and even a preconnect or dns-prefetch link to fonts.gstatic.com still opens a connection to Google.
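The two checks from sections 1 and 5 (mixed content and requests to Google's font servers) can be run against the page source before deploying. The following is an added example written for this article, not code from the original or from any tool mentioned above: a static audit of an HTML document including its inline styles. The sample page is constructed for the example. Static scanning cannot see requests that scripts add at runtime, so confirm the result in the browser's network tab with an empty cache.

```javascript
// Added example (editor's code, not from the article): static audit of an HTML page
// for (a) explicit http:// resources that become mixed content on an HTTPS page and
// (b) any reference to Google's font servers, including preconnect/dns-prefetch hints.

const FONT_HOSTS = ['fonts.googleapis.com', 'fonts.gstatic.com'];

// Every URL that makes the browser open a connection: src= on any element,
// href= on <link> (stylesheets, preconnect, dns-prefetch), CSS url() and @import.
// href= on <a> is a navigation, not a resource load, so it is deliberately not collected.
const URL_PATTERNS = [
  /(?<![\w-])src\s*=\s*["']([^"']+)["']/gi,          // src="...", but not data-src="..."
  /<link\b[^>]*?\bhref\s*=\s*["']([^"']+)["']/gi,     // <link ... href="...">
  /url\(\s*["']?([^"')]+)["']?\s*\)/gi,               // CSS url(...)
  /@import\s+["']([^"']+)["']/gi,                     // CSS @import "..."
];

function extractUrls(text) {
  const urls = [];
  for (const pattern of URL_PATTERNS) {
    pattern.lastIndex = 0;
    let match;
    while ((match = pattern.exec(text)) !== null) urls.push(match[1].trim());
  }
  return urls;
}

// Resolve relative and protocol-relative URLs against a dummy HTTPS origin so that
// only absolute third-party hosts are reported; data: URLs have no host at all.
function hostOf(url) {
  try { return new URL(url, 'https://example.invalid/').hostname; } catch { return null; }
}

function auditPage(html, pageIsHttps = true) {
  const findings = [];
  for (const url of extractUrls(html)) {
    // Protocol-relative (//host/...) inherits the page scheme; only explicit http:// is mixed content.
    if (pageIsHttps && /^http:\/\//i.test(url)) findings.push({ type: 'mixed-content', url });
    const host = hostOf(url);
    if (host && FONT_HOSTS.includes(host)) findings.push({ type: 'google-fonts', url });
  }
  return findings;
}

// Count findings per type: { 'mixed-content': n, 'google-fonts': m }
function summary(findings) {
  return findings.reduce((acc, f) => { acc[f.type] = (acc[f.type] || 0) + 1; return acc; }, {});
}

// Constructed sample: a typical theme that loads Roboto from Google, preconnects to
// gstatic, imports a second family inside a <style> block, hotlinks one http:// image,
// and already serves one font locally (which must not be reported).
const SAMPLE_HTML = `
<link rel="preconnect" href="https://fonts.gstatic.com">
<link href="https://fonts.googleapis.com/css2?family=Roboto:wght@400;700&display=swap" rel="stylesheet">
<link rel="stylesheet" href="/assets/site.css">
<style>
  @import "https://fonts.googleapis.com/css?family=Open+Sans";
  @font-face { font-family: "Roboto"; src: url("/fonts/roboto-v30-latin-regular.woff2") format("woff2"); }
</style>
<img src="http://cdn.example.com/hero.jpg" alt="">
<script src="//cdn.example.com/app.js"></script>
<a href="http://partner.example.net/">Partner</a>
`;

console.log(summary(auditPage(SAMPLE_HTML)));   // mixed-content: 1, google-fonts: 3
```

Run it over the rendered HTML of each template (not just the raw theme files, since plugins inject their own `<link>` tags), and treat every `google-fonts` finding as a request to eliminate, including the preconnect hint.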

6. Analytics: Matomo vs. Google Analytics 4

  • The analytics tool used is listed in the privacy policy
  • Consent is obtained before tracking (mandatory for GA4)
  • IP anonymization is activated where the tool offers the setting (Matomo; GA4 truncates IP addresses by default and no longer has a switch for it)
  • A data processing agreement (DPA) is in place
  • Alternatively: cookieless or privacy-friendly tracking checked

Google Analytics 4 (GA4) requires consent as data is transmitted to Google servers (including to the USA). Despite the EU-US Data Privacy Framework, the situation remains complex.

Matomo offers a privacy-friendly alternative: self-hosted on your own server, all data stays with you. With the right configuration (IP anonymization enabled in the privacy settings and cookieless tracking via the tracker's disableCookies option, so that no cookies or only session cookies are used), Matomo can even be used without consent, which means you also capture visitors who reject the cookie banner. Even then the truncated IP address and the user agent are still processed, so Matomo belongs in the privacy policy with a stated legal basis like any other tool.

Our recommendation: If you depend on detailed Google Ads analytics, you can’t avoid GA4. For all other cases, Matomo is the cleaner solution.

7. Contact Forms

  • Only necessary fields are defined as required fields
  • A reference to the privacy policy is present on the form
  • Data transmission is encrypted (HTTPS)
  • Form data is not forwarded to third parties
  • A deletion period for inquiries is defined and documented
  • No pre-selected checkbox for marketing consent

For contact forms, the principle of data minimization applies: Only ask for what you actually need. For simple contact inquiries, name, email, and message suffice. Additional fields like telephone number or company should be optional.

8. Newsletter and Double Opt-in

  • Newsletter registration occurs via double opt-in
  • Consent is logged (timestamp, IP address)
  • Every newsletter contains an unsubscribe link
  • The newsletter service is listed in the privacy policy
  • A DPA with the newsletter provider is concluded
  • No automatic registration with contact inquiries or orders

Double opt-in is the established standard for newsletter registrations in Germany. Users enter their email address, receive a confirmation email, and must click the link in it. Only then are they added to the list. Without double opt-in you cannot prove consent in a dispute, and under Article 7(1) GDPR the burden of proof is on you. Providers like Brevo (formerly Sendinblue), CleverReach, or Mailchimp offer this by default.

9. Social Media Embeds and External Content

  • YouTube videos are embedded in enhanced privacy mode (youtube-nocookie.com)
  • Social media plugins load only after consent (two-click solution or consent)
  • Google Maps loads only after consent
  • External content (Instagram, Twitter/X, etc.) is shown only after consent
  • Placeholders with notice text exist for all embeds

Every embedding of external content is a potential privacy violation, since user data (at least the IP address) is transmitted to the third party, often in the USA, the moment the embed loads. The solution: initially show only a placeholder with a notice and load the real content only after users actively consent. For YouTube, youtube-nocookie.com is generally recommended; it stops YouTube from setting cookies before playback, but the iframe still connects to Google's servers, so it supplements the consent placeholder rather than replacing it.
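Sections 2 and 9 describe the same mechanism from two sides: scripts that must not run and embeds that must not load until consent exists. The following is an added example written for this article, not code from the original or from any of the consent tools named above, showing a minimal consent gate that handles both. Assumed markup: deferred scripts are written as `<script type="text/plain" data-consent="analytics" src="...">` and deferred embeds as `<iframe data-consent="marketing" data-src="https://www.youtube-nocookie.com/embed/...">` next to a visible placeholder. Browsers never execute a `type="text/plain"` script and never load an iframe without `src`, so nothing reaches a third party until `activate()` swaps them in. The record format, the category names, `localStorage` as the store, and the `renderBanner` function (your own banner UI) are assumptions of the example.

```javascript
// Added example (editor's code, not from the article or any CMP): opt-in consent gate.
// Logic is kept free of the DOM so it can be tested; browser wiring is at the bottom.

const CONSENT_VERSION = 3;               // raise whenever services or categories change
const CATEGORIES = ['necessary', 'analytics', 'marketing'];
// Storing the user's own choice is strictly necessary and needs no consent itself.
const STORAGE_KEY = 'consent-v' + CONSENT_VERSION;

function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false };
}

// Opt-in semantics: only categories the user explicitly set to true are granted.
// Unknown keys are ignored, 'necessary' is always true, and the record carries a
// timestamp and version so it can serve as evidence of consent later.
function makeConsentRecord(choices, now = new Date()) {
  const granted = defaultConsent();
  for (const cat of CATEGORIES) {
    if (cat !== 'necessary' && choices && choices[cat] === true) granted[cat] = true;
  }
  return { version: CONSENT_VERSION, timestamp: now.toISOString(), granted };
}

// A record given for an older banner version does not count: the user must be asked again.
// Anything missing or malformed in the record counts as denied.
function effectiveConsent(record) {
  if (!record || record.version !== CONSENT_VERSION || !record.granted) return defaultConsent();
  const granted = defaultConsent();
  for (const cat of CATEGORIES) if (cat !== 'necessary' && record.granted[cat] === true) granted[cat] = true;
  return granted;
}

// Which deferred resources may be activated. Each item is { id, category }.
function allowedIds(items, record) {
  const granted = effectiveConsent(record);
  return items.filter(item => granted[item.category] === true).map(item => item.id);
}

// Withdrawal is a fresh record with every optional category denied. Scripts already
// running cannot be un-run, so the caller should also delete the cookies those
// categories set and reload the page.
function withdrawConsent(now = new Date()) {
  return makeConsentRecord({}, now);
}

// ---- browser wiring; skipped under Node so the logic above stays testable ----

// Two-click variant: the placeholder's click handler can call this for one embed only.
function loadFrame(frame) {
  frame.src = frame.dataset.src;
  frame.removeAttribute('data-src');
}

function activate(doc, record) {
  const granted = effectiveConsent(record);
  doc.querySelectorAll('script[type="text/plain"][data-consent]').forEach(old => {
    if (granted[old.dataset.consent] !== true) return;
    const script = doc.createElement('script');
    const src = old.getAttribute('src');
    if (src) script.src = src; else script.textContent = old.textContent;
    old.replaceWith(script);             // inserting a real script element executes it
  });
  doc.querySelectorAll('iframe[data-src][data-consent]').forEach(frame => {
    if (granted[frame.dataset.consent] === true) loadFrame(frame);
  });
}

function loadRecord(storage) {
  try { return JSON.parse(storage.getItem(STORAGE_KEY)); } catch { return null; }
}

function saveRecord(storage, record) {
  storage.setItem(STORAGE_KEY, JSON.stringify(record));
}

if (typeof document !== 'undefined') {
  // renderBanner is hypothetical: your own banner with equally prominent "Accept all"
  // and "Reject all" buttons that calls onChoice with the categories the user ticked.
  const onChoice = choices => {
    const record = makeConsentRecord(choices);
    saveRecord(localStorage, record);
    activate(document, record);
  };
  const stored = loadRecord(localStorage);
  if (stored && stored.version === CONSENT_VERSION) activate(document, stored);
  else if (typeof renderBanner === 'function') renderBanner(onChoice);
}
```

Whether a stored record is shown to the banner again is decided solely by its version, so adding a new tool to the page is a matter of raising `CONSENT_VERSION`; every visitor is then asked afresh and nothing loads on the strength of the old choice.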

10. Data Processing Agreements (DPA)

  • A DPA exists with every service provider processing personal data
  • Hosting provider: DPA concluded
  • Email marketing service: DPA concluded
  • Analytics provider: DPA concluded
  • CRM and project management tools: DPA checked
  • Cloud storage and backup services: DPA concluded
  • All DPAs are documented and retrievably filed

According to Article 28 GDPR, you’re obligated to conclude a data processing agreement with every service provider processing personal data on your behalf. This affects your host, newsletter service, analytics tool, and many other services. Most reputable providers offer prefabricated DPAs — but you must actively conclude and archive them.

Common GDPR Violations and Their Consequences

Fines under Article 83 GDPR are severe: up to €20 million or 4% of global annual revenue, whichever is higher. Penalties are imposed on small and medium enterprises as well. Here are some typical violations:

Violation                              | Possible consequence
Missing or inadequate cookie consent   | Fine from €5,000 upward, warning-letter costs
Google Fonts via external servers      | Damages of approx. €100–150 per affected person, wave of warning letters
Missing privacy policy                 | Fine up to €50,000, warning letter
Newsletter without double opt-in       | Warning letter, damage claims
No DPA with service providers          | Fine up to €10 million or 2% of revenue
Missing SSL encryption                 | Fine, especially for forms with sensitive data

Particularly tricky: warnings often do not come from supervisory authorities but from specialized lawyers or competitors, and the costs add up quickly even if the individual amounts seem small. Inadequate privacy protection is just one of many avoidable errors; more on this in our article about the most common mistakes on business websites.

Bonus Checklist: Quick Test for Your Website

Take the quick test — if you answer any of the following questions with “No,” action is needed:

  • Is your website delivered completely via HTTPS?
  • Does a cookie banner appear before tracking cookies are set?
  • Can users reject cookies as easily as accept them?
  • Is your privacy policy reachable from every page and current?
  • Are Google Fonts hosted locally?
  • Have you concluded DPAs with all service providers?
  • Does your newsletter system use double opt-in?
  • Is external content loaded only after consent?

Privacy is Not a One-time Project

GDPR compliance of your website is not a task you complete once and then check off. New tools are integrated, services change, laws are updated. Plan a privacy check of your website at least annually — better quarterly. Check particularly:

  • Whether new cookies or tracking scripts have been added
  • Whether all services are listed in the privacy policy
  • Whether DPAs are still current and complete
  • Whether your consent tool functions correctly

Your Website Under Review: GDPR Audit by Lindwurm Digital

Are you unsure whether your website meets all requirements? Do you want to take no risks and avoid warnings?

Request GDPR Website Check — We systematically review your website for all relevant privacy requirements — from technical implementation through cookie consent and external services to your privacy policy. You receive a detailed report with concrete action recommendations and, if desired, we implement the necessary adjustments directly for you.

Contact us for a non-binding initial consultation. We support companies in making their web presences legally secure and future-proof.


Lindwurm Digital GmbH — Web development and digital solutions.