The €50K GDPR Fine Your Client Doesn't Know They're Getting

via Dev.to Webdev, by Nevik Schmidt

I audit websites for GDPR compliance. In the last month, I found that 87% of small business websites in Germany have at least one critical GDPR violation. Here are the most common ones, and they're shockingly easy to fix.

1. Google Fonts Loaded Externally

The problem: Every time a visitor loads your page, their IP address is sent to Google servers in the US. Since Schrems II (CJEU, July 2020) struck down Privacy Shield, that transfer needs the visitor's explicit consent.

The precedent: LG München I, January 2022, awarded a visitor €100 in damages for exactly this. That was a civil damages claim, not a supervisory-authority fine, but it is €100 per visitor who brings one.

The fix: Self-host your fonts. Download the font files, serve them from your own domain with @font-face, and remove every fonts.googleapis.com and fonts.gstatic.com reference, including <link rel="preconnect"> tags and CSS @import rules. 5 minutes of work.

2. Cookie Banner That Doesn't Actually Block Cookies

Most cookie banners are decorative. They show a popup but load Google Analytics, Facebook Pixel, and Hotjar before the user consents. Check it yourself: open the network tab in a fresh private window and look at which third-party hosts are contacted before you click anything in the banner.

The fix: Use a consent manager that actually blocks scripts until consent. I recommend Cookiebot or a self-hosted solution.

3. Missing or Incomplete Privacy Policy

Your privacy policy needs to list:
- Every third-party service you use
- What data each collects
- Legal basis for each
- Data
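As an added example (not code from the article or from any consent manager it mentions), here is a small JavaScript scanner that performs the checks from items 1 and 2 over a page's raw HTML, together with the consent-gating pattern that a script-blocking consent manager implements: trackers ship as type="text/plain" tags, which the browser ignores, and only become executable after the visitor's choice is recorded. The host lists are the well-known Google Fonts and tracker endpoints; the data-consent attribute, the category names and the sample page are constructed for this example.

```javascript
// Added example, not code from the original article. Audits raw HTML for
// two of the findings above (fonts fetched from Google, tracker scripts that
// load before consent) and shows the consent-gating pattern that fixes the
// second. Host lists are the well-known endpoints; the data-consent
// attribute, category names and SAMPLE_HTML are constructed for this example.

const EXTERNAL_FONT_HOSTS = new Set(["fonts.googleapis.com", "fonts.gstatic.com"]);
const TRACKER_HOSTS = new Map([
  ["www.googletagmanager.com", "analytics"],
  ["www.google-analytics.com", "analytics"],
  ["connect.facebook.net", "marketing"],
  ["static.hotjar.com", "analytics"],
]);

// Resolve a src/href to its hostname; relative paths resolve to the page's own host.
function hostOf(ref, pageOrigin = "https://example.invalid/") {
  try { return new URL(ref.trim(), pageOrigin).hostname; } catch { return ""; }
}

// Read one quoted attribute value out of a tag's attribute string.
function attr(attrs, name) {
  const m = new RegExp(`(?:^|\\s)${name}\\s*=\\s*["']([^"']*)["']`, "i").exec(attrs);
  return m ? m[1] : null;
}

// Findings 1 and 2: external font hosts (any <script>/<link>, plus CSS
// @import/url()) and tracker scripts that are live on first load. A script with
// type="text/plain" is ignored by the browser until a consent manager rewrites
// it, so it is not counted as a pre-consent load.
function auditHtml(html) {
  const findings = [];
  const tagRe = /<(script|link)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, tag, attrs] = m;
    const ref = attr(attrs, tag === "script" ? "src" : "href");
    if (!ref) continue;
    const host = hostOf(ref);
    if (EXTERNAL_FONT_HOSTS.has(host)) {
      findings.push({ kind: "external-font", host, ref });
    } else if (tag === "script" && TRACKER_HOSTS.has(host)) {
      const inert = (attr(attrs, "type") || "").toLowerCase() === "text/plain";
      if (!inert) findings.push({ kind: "tracker-before-consent", host, ref });
    }
  }
  const cssRe = /(?:@import\s+(?:url\()?|url\()\s*["']?([^"')\s]+)/gi;
  while ((m = cssRe.exec(html)) !== null) {
    const host = hostOf(m[1]);
    if (EXTERNAL_FONT_HOSTS.has(host)) findings.push({ kind: "external-font", host, ref: m[1] });
  }
  return findings;
}

// The fix for finding 2: ship each tracker as an inert tag, e.g.
//   <script type="text/plain" data-consent="analytics" src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
// and let the banner activate only the categories the visitor accepted.
function gatedScripts(html) {
  const out = [];
  const re = /<script\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = m[1];
    if ((attr(attrs, "type") || "").toLowerCase() !== "text/plain") continue;
    const category = attr(attrs, "data-consent");
    const src = attr(attrs, "src");
    if (category && src) out.push({ category, src });
  }
  return out;
}

// Pure decision step: which gated scripts may load for the recorded consent.
function scriptsToActivate(gated, consented) {
  const allowed = new Set(consented);
  return gated.filter((s) => allowed.has(s.category)).map((s) => s.src);
}

// Browser side, called after the visitor's choice is stored. A fresh <script>
// element is required: changing `type` on the existing one does not run it.
function activateConsented(consented) {
  if (typeof document === "undefined") return 0; // no DOM under Node
  const allowed = new Set(consented);
  let activated = 0;
  for (const el of document.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!allowed.has(el.dataset.consent)) continue;
    const live = document.createElement("script");
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);
    activated += 1;
  }
  return activated;
}

// Constructed sample page: fonts from Google, GA4 loaded live, Facebook Pixel gated.
const SAMPLE_HTML = `
<head>
  <link rel="preconnect" href="https://fonts.gstatic.com">
  <link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
  <style>@import url("https://fonts.googleapis.com/css?family=Roboto");</style>
  <script src="/static/app.js"></script>
  <script src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
  <script type="text/plain" data-consent="marketing" src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head>`;

console.log(auditHtml(SAMPLE_HTML));
console.log(scriptsToActivate(gatedScripts(SAMPLE_HTML), ["analytics"]));
console.log(scriptsToActivate(gatedScripts(SAMPLE_HTML), ["marketing"]));
```

Run it with Node to see three external-font findings and one live tracker for the sample page, while the gated Facebook Pixel only appears once "marketing" is in the consent list. A static scan like this misses scripts that a tag manager injects at runtime, so treat it as a first pass and confirm the result in the browser's network tab before consent is given.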
