LEGAL & GDPR

10 points your website must cover.

Most cease-and-desist letters don't target corporations — they hit small businesses with avoidable, standard mistakes. This checklist covers the most common problem areas, no legal jargon included.

Important: This article is a practical technical guide, not legal advice. For binding statements on your specific situation, consult a lawyer specializing in IT law.

The 10-Point Checklist

SSL encryption (https): Required as soon as a form transmits data. Without the padlock icon, the browser shows a warning — costing you trust and inquiries.
Legal Notice: Complete and reachable from every page in one click: name, address, contact details, and additional mandatory information depending on your legal structure.
Privacy Policy: Must describe what your site ACTUALLY does — every tool belongs in it. A generic copy-paste template is a risk in itself.
Cookie consent done right: Ask first, then load. Many banners are just decoration while tracking is already running in the background.
Host fonts locally: Google Fonts served from Google's servers triggered waves of cease-and-desist letters (IP transmission to the US). Solution: self-host your fonts.
Build forms cleanly: Only collect what you need, state the purpose, include a consent checkbox with a Privacy Policy link, and use encrypted transmission.
DPA with service providers: With every party that processes personal data on your behalf (hosting, newsletter, CRM), you need a Data Processing Agreement.
Know your hosting location: EU hosting keeps things straightforward. US-based services rely on framework agreements that keep getting challenged in court.
Tracking only with consent: Analytics and similar tools belong behind the consent gate. Modern setups (Consent Mode v2) clearly regulate what happens when.
Be able to provide access & deletion: "What data do you hold on me — delete it" must be answerable. Knowing where requests land is half the battle.

How serious is the risk really?

No honest estimate of probability can be given. In practice, problems arise more often from cease-and-desist letters than from regulators — and they tend to target easily spotted standard mistakes like externally loaded fonts or missing privacy policies. These are exactly the easiest mistakes to fix.

Pro tip: Most of these points aren't rocket science — they just need to be set up correctly once and then kept up to date. That's precisely why we build sites GDPR-compliant from the ground up: German servers, local fonts, real consent management, and DPA documentation included.

Frequently Asked Questions

Do I need a cookie banner if I don't use any tracking?

If your site only sets technically necessary cookies, or none at all, you don't need a consent banner. However, many sites have tracking on board without realizing it — for example through embedded videos or maps. Check first, then decide.
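The "ask first, then load" rule from the checklist and the "check first, then decide" advice in this answer, as an added static check (example code, not from the original article): it lists the third-party hosts referenced in tags the browser fetches while parsing the page, which is exactly what a consent banner cannot gate after the fact. The own domain, the host classification table and the sample page are assumptions constructed for the example.

```javascript
// Added example, not code from the original article: a static "ask first, then
// load" check listing third-party resources the browser fetches while parsing
// the HTML, before any consent banner can act. Domain, host table and sample
// page are constructed for illustration.
const FIRST_PARTY = 'example-shop.de'; // assumed own domain

// Hosts the checklist mentions; assumed classification, not exhaustive.
const KNOWN_HOSTS = {
  'fonts.googleapis.com': 'external font stylesheet (self-host instead)',
  'fonts.gstatic.com': 'external font files / preconnect (self-host instead)',
  'www.googletagmanager.com': 'tracking (load only after consent)',
  'www.youtube.com': 'embedded video (load only after consent)',
};

// Pull href/src from tags the browser fetches eagerly; inline tags are skipped.
function eagerResourceUrls(html) {
  const urls = [];
  const tagRe = /<(link|script|iframe)\b([^>]*)>/gi;
  const attrRe = /\b(?:href|src)\s*=\s*["']([^"']+)["']/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = attrRe.exec(m[2]);
    if (a) urls.push({ tag: m[1].toLowerCase(), url: a[1] });
  }
  return urls;
}

// Report every eagerly loaded resource whose host is not the site's own.
function preConsentThirdParties(html, firstParty = FIRST_PARTY) {
  const findings = [];
  for (const { tag, url } of eagerResourceUrls(html)) {
    let host;
    try { host = new URL(url, `https://${firstParty}/`).hostname; } catch { continue; }
    if (host === firstParty || host.endsWith('.' + firstParty)) continue;
    findings.push({ tag, host, note: KNOWN_HOSTS[host] || 'third party (review)' });
  }
  return findings;
}

// Constructed sample page: two font leaks, a tag manager and a video embed
// load unconditionally; the local font CSS and own script are fine.
const SAMPLE_HTML = `<!doctype html><html><head>
<link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<link rel="stylesheet" href="/css/fonts.css">
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"></script>
<script src="/js/app.js"></script>
</head><body><iframe src="https://www.youtube.com/embed/PLACEHOLDER"></iframe>
</body></html>`;
for (const f of preConsentThirdParties(SAMPLE_HTML)) console.log(`${f.tag}: ${f.host} -> ${f.note}`);
```

A preconnect hint is flagged on purpose: the browser opens the connection, and thereby transmits the visitor's IP address, even when no font is ever downloaded.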

Is a free Privacy Policy generator enough?

A better starting point than nothing — but only if the details match exactly what your site actually does technically. The most common mistake: the policy lists tools that aren't running and omits ones that are.

What about AI chatbots on the website?

Those belong in the Privacy Policy too: which provider, what happens to inputs, where processing takes place. With EU-based processing and clear labeling, this can be handled cleanly.

Who is liable if my agency introduces errors?

Responsibility toward visitors ultimately stays with the site operator — that's you. All the more reason to make sure your service provider treats GDPR not as a paid add-on, but as standard.

Is your site properly set up?

Our free website audit checks visible basics alongside technical and SEO factors — in 30 seconds.
