Website Compliance in Germany

German websites must comply with the DSGVO (GDPR), the Telemediengesetz (TMG), the Impressumspflicht (mandatory imprint), the European Accessibility Act, and strict cookie consent requirements. The Bundesdatenschutzbeauftragte (BfDI) and the 16 Landesdatenschutzbehörden actively enforce data protection rules. Germany also has a uniquely strict Abmahn culture: third parties, including competitors, can sue over Impressum violations, privacy-policy deficiencies, and unlicensed images.

Data protection authority: Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)

Requirements: 5 country-specific rules

Guides: 12 guides available

Specific requirements for Germany

Impressumspflicht (mandatory imprint)

Every German commercial website must have an Impressum listing the full name and address of the responsible person or company, contact email, phone number, and where applicable the Handelsregisternummer and USt-IdNr. Violations are aggressively pursued via Abmahnungen (cease-and-desist letters) by competitors.

Datenschutzerklärung (privacy policy)

German websites must have a comprehensive Datenschutzerklärung under the DSGVO and BDSG. It must name every service that processes personal data (Google Analytics, fonts, CDN, contact forms), the legal basis for each, and contact details of the responsible controller.

Cookie consent (TTDSG)

The Telekommunikation-Telemedien-Datenschutz-Gesetz (TTDSG) requires prior informed consent for non-essential cookies. German courts have ruled that nudging users (e.g. pre-ticked boxes, hard-to-find reject buttons) violates consent requirements.

Google Fonts self-hosting

In January 2022 a Munich court (LG München I) ruled that embedding Google Fonts via Google servers without consent violates the DSGVO by leaking visitor IP addresses to the US. German websites should self-host fonts or use privacy-compliant CDN configurations.
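
A static check for the pattern described above, as an added example that is not part of the original page: it scans a page's HTML and embedded CSS for resources loaded from the Google Fonts hosts `fonts.googleapis.com` and `fonts.gstatic.com`. The function names and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

GOOGLE_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
# url(...) or @import "..." targets in CSS; @import url(...) is caught by url(.
CSS_REF = re.compile(r"""(?:url\(\s*|@import\s+(?!url\())['"]?([^'")\s;]+)""", re.I)

def is_google_font_url(url):
    """True when an absolute or protocol-relative URL points at a Google Fonts host."""
    try:
        host = urlsplit(url.strip()).hostname
    except ValueError:
        return False
    return host in GOOGLE_FONT_HOSTS

class FontRefScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False   # findings: (line, where, url)

    def handle_starttag(self, tag, attrs):
        line, a = self.getpos()[0], dict(attrs)
        self._in_style = self._in_style or tag == "style"
        if tag in ("link", "script"):   # elements that fetch on page load
            for attr in ("href", "src"):
                if is_google_font_url(a.get(attr) or ""):
                    self.findings.append((line, f"<{tag} {attr}>", a[attr]))

    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"

    def handle_data(self, data):
        if self._in_style:              # CSS inside a <style> block
            for url in CSS_REF.findall(data):
                if is_google_font_url(url):
                    self.findings.append((self.getpos()[0], "<style>", url))

def scan_html(html):
    scanner = FontRefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page: three remote references beside self-hosted fonts.
SAMPLE = """<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="/assets/fonts/roboto.css">
<style>@import url("//fonts.googleapis.com/css?family=Lato");
@font-face { font-family: Inter; src: url(/assets/fonts/inter.woff2); }</style>"""
```

`scan_html(SAMPLE)` returns the three remote references and none of the self-hosted ones; externally linked stylesheets are not fetched, so their contents need the same CSS check separately.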

European Accessibility Act (EAA) from June 2025

From 28 June 2025 the EAA requires e-commerce and financial-services websites in Germany to meet WCAG 2.1 AA accessibility standards. Violations can be reported to Marktüberwachungsbehörden.

Enforcement in Germany

The Hamburg DPA fined a company €105,000 for embedding Google Fonts without consent. The LG München I ordered a website to cease embedding Google Fonts via Google servers and pay €100 in damages to an individual complainant. Abmahnwellen (mass cease-and-desist campaigns) for missing Impressum or cookie-consent non-compliance are common, with typical Abmahnung costs of €500–€1,500.

Guides for Germany

AI-Built Website Liability Under EU Law

Cursor, Lovable and ChatGPT helped build your site. The GDPR controller is still you. What the AI Act, EDPB and 9 Dec 2026 actually change.

AI-Generated Code and Open-Source Licences

Copilot or Cursor wrote GPL code into your site. The site operator distributes it, not the AI. What Doe v. GitHub decided and what you can actually do.

AI-Generated Images on Your Business Website (EU 2026)

Article 50(4) of the AI Act applies 2 Aug 2026. The four risk layers an EU SMB should check before publishing AI-generated images on a website.

Contact Form GDPR Requirements: Article 13 Compliance

What a GDPR-compliant contact form needs: Article 13 information, the right legal basis (legitimate interest vs precontractual), unchecked boxes, retention.

Google Analytics and GDPR: Is GA4 Legal in the EU? (2026)

Can you use Google Analytics 4 in the EU? The consent requirement, the EU-US DPF transfer mechanism, Consent Mode v2 limits and cookieless alternatives.

Product Liability Directive 2024/2853: 9 Dec 2026

Directive (EU) 2024/2853 makes software and AI 'products' for strict liability on 9 Dec 2026. What it means for SMBs, and what it does not change.

The EU AI Act for Website Owners (2026)

Article 50 applies 2 Aug 2026. For most SMB sites it creates almost no new obligations. Here's the honest checklist before the deadline.

Data Breach Reporting Under GDPR: 72-Hour Notification

Report a personal data breach under GDPR Article 33: the 72-hour clock, when notification is required, what to file and when to tell affected individuals.

Data Processing Agreement (DPA): Article 28 GDPR Guide

When a third-party service needs a Data Processing Agreement under GDPR Article 28: required clauses, common processors and how to handle DPA refusal.

GDPR Data Retention Periods: Article 5(1)(e) Guide

How long can you keep personal data under GDPR? The Article 5(1)(e) storage limitation principle and retention periods by data category for EU businesses.

GDPR Records of Processing: Article 30 Template

Build the Article 30 GDPR record of processing activities. Who is exempt, what to include, controller vs processor versions and a ready-to-fill template.

Free Stock Photo Sources for Business Websites

Find free stock photo sources that are safe for commercial use on your business website. Unsplash, Pexels, Pixabay and more, with license details.

Check your website for Germany requirements

Our scanner checks for Germany-specific requirements automatically.
