GDPR Checklist for Online Retailers: What Your Website Truly Needs

Many online retailers believe that the issue is resolved with a privacy policy and a cookie banner. In reality, the biggest risks lie where technology, tracking, and legal texts do not align.
Figure: GDPR Checklist for Online Retailers – audit overview covering privacy policy, cookie consent, third-party providers, data processing, dispute resolution, and accessibility

You operate an online shop. The imprint is in place, the privacy policy is linked, and a cookie banner pops up. Is everything settled? Unfortunately, no. What appears to be compliant at first glance often fails to withstand serious scrutiny.

The problem is rarely a missing link. It lies in the interplay: tracking services that load before consent is given. Privacy policies that describe a state that has not existed since two shop relaunches ago. Consent banners that hide the “Reject” option so cleverly that finding it almost requires a detective course. None of this is theory – these are the cases that end up with authorities and courts.


1 | The Privacy Policy Must Match Reality

Your privacy policy is not a historical document. It must reflect what your website actually does: what data is collected, for what purpose, on what legal basis (Art. 6 para. 1 GDPR), how long it is stored, and whether data flows to third parties or third countries (Art. 13, 14 GDPR).

This is precisely where the parade of errors begins. An analytics tool was removed but is still mentioned in the text. A newsletter service was changed, but the old description remained. Legal bases are routinely covered with “legitimate interest” without the balancing of interests that Art. 6 (1) (f) GDPR requires ever having been carried out. And the actual data flow, as is well known, does not care whether the generator text looked quite neat.

By the way: According to evaluations of publicly reported fine cases, German data protection supervisory authorities imposed a total of 249 fines amounting to approximately EUR 46.9 million for 2025. Insufficient information obligations are among the perennial issues.


2 | The Cookie Banner Does Not Solve a Technical Problem

Many shop operators confuse the banner with the solution. It is merely the user interface. What happens before consent is crucial: If tracking or marketing services are already loaded before effective consent is given, this violates Section 25 (1) TDDDG – and renders the consent worthless in case of doubt.

The Administrative Court of Hanover unequivocally clarified this again in March 2025 (Judgment of March 19, 2025, Az. 10 A 5385/22): A cookie banner that prominently offers “Accept All” but relegates the rejection option to a second level violates the requirements for voluntary consent under Art. 4 No. 11 GDPR. The court called the repeated display of the banner upon non-consent a “targeted influence on the freedom of decision” – in plain terms: nudging.

Furthermore, in its published grounds for decision, the Administrative Court of Hanover objected to the use of the Google Tag Manager before consent. According to the court’s findings, information was already stored or read from the end device and personal data processed before interaction with the banner. The exception for technically essential services under Section 25 (2) No. 2 TDDDG did not apply, in the court’s opinion. As is often the case: It is not the label of the tool that matters, but its specific integration.

The message is clear: What matters is not whether a banner exists, but whether consent, revocation, and actual integration are technically and legally consistent.
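The consent-gated integration this section describes, as an added example in JavaScript that is neither the article's code nor that of any shop system or consent tool: non-essential services are registered with a category and only injected after an affirmative grant, and a revocation stops every further load. Service names, categories and URLs used with it are constructed placeholders, and `browserInject` is the assumed injector for use in a real page.

```javascript
// Added example (not the article's code): a consent gate that keeps
// non-essential third-party scripts out of the page until the visitor has
// actively consented, and stops further loads once consent is revoked.
const DEFAULT_CONSENT = Object.freeze({ essential: true, analytics: false, marketing: false });

class ConsentGate {
  // injectScript(src) performs the actual load (browserInject below);
  // a stub can be passed to observe what would have been loaded.
  constructor(injectScript) {
    this.consent = { ...DEFAULT_CONSENT };
    this.pending = [];   // services still waiting for consent
    this.loaded = [];    // names of services actually injected
    this.injectScript = injectScript;
  }
  // Only technically essential services load at registration time;
  // everything else waits for an explicit grant.
  register(name, category, src) {
    const entry = { name, category, src };
    if (this.consent[category] === true) this.inject(entry);
    else this.pending.push(entry);
  }
  // Call only from an affirmative banner action for the chosen categories,
  // never on page load, scrolling or closing the banner.
  grant(categories) {
    for (const c of categories) if (c in this.consent) this.consent[c] = true;
    const stillPending = [];
    for (const e of this.pending) {
      if (this.consent[e.category] === true) this.inject(e);
      else stillPending.push(e);
    }
    this.pending = stillPending;
  }
  // Revocation must be as easy as consent: nothing in these categories loads from
  // now on; already-running scripts need a reload or the vendor's opt-out as well.
  revoke(categories) {
    for (const c of categories) if (c !== 'essential') this.consent[c] = false;
  }
  inject(entry) {
    this.injectScript(entry.src);
    this.loaded.push(entry.name);
  }
}

// Browser wiring: append a <script> tag. This is only ever reached via
// register/grant, so no tag can fire before the matching consent exists.
function browserInject(src) {
  const s = Object.assign(document.createElement('script'), { src, async: true });
  document.head.appendChild(s);
}
```

The same gate also gives you the self-check the article asks for: anything that shows up in `loaded` before the first `grant` call is a service firing before consent.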


3 | The Real Problem Areas Are Third-Party Providers

External fonts, embedded videos, map services, analytics tools, chat widgets, social media plugins – these are the points where data protection violations occur. Not spectacular, but reliably.

The French data protection authority CNIL imposed a fine of EUR 150 million on the fast-fashion provider Shein in 2025. The reason: Cookies were set without consent when visiting the website. An objection neither prevented further reading nor the storage of new cookies. You don’t have to be Shein to have the same problem – just on a smaller scale.

It is precisely here that it becomes clear whether a website has been individually reviewed or is merely held together by standard modules. Because what matters is not the claim “GDPR compliant” on the provider’s side, but the specific technical integration in your shop.


4 | Processor Agreements Are Not a Blind Flight

With many service providers, you need a data processing agreement under Art. 28 GDPR – for example, often in hosting, cloud, or newsletter services. For other services, the classification is more nuanced: whether a provider acts as a processor, joint controller, or independent controller depends on the actual division of roles, not on the contract title.

Anyone who generally classifies everything as data processing creates a false sense of security instead of compliance. And those who do not audit processors risk severe consequences: The BfDI imposed a fine of EUR 15 million on Vodafone in 2025 – partly because processors were not adequately controlled, and their employees were consequently able to issue forged contracts.

The legal classification must match the specific service. A checklist can raise awareness for this. It does not replace a thorough review.


5 | Data Protection Is Only One Part of Website Compliance

Online retailers must keep more in mind than just the GDPR. Imprint obligations, consent management, consumer information in distance selling according to § 312d BGB, dispute resolution according to § 36 VSBG, the Accessibility Strengthening Act (BFSG), and the ongoing requirements of the TDDDG – all of these intertwine. One caveat for the BFSG: micro-enterprises with fewer than ten employees and an annual turnover of no more than EUR 2 million are exempt for services. Online shops generally fall within its scope as electronic commerce services – but not every retailer is equally affected.

At the EU level, there are also further reform considerations, for example, to simplify digital legal requirements in the so-called Digital Omnibus. However, for current website compliance, the applicable law is decisive – not the next Brussels weather report.


6 | Where Most Self-Audits Fail

This checklist can provide initial guidance. However, whether your shop is truly legally sound is only decided by the specific interplay of technology, tracking, third-party providers, shop system, and business model.

And it is precisely there that, based on experience, points are overlooked in self-audits. Not due to negligence – but because the truly expensive errors are rarely large and obvious. They are usually small, technical, and surprisingly persistent. A script that fires before consent. A contract that has been sitting in a drawer for three years. A legal basis that will no longer hold up during the next audit.


Key takeaway: GDPR compliance is not a text problem. It is a technical problem with a legal price tag. Those who only check the facade overlook the areas where it gets expensive.


If you want to know whether your website can withstand serious scrutiny – not just the texts, but the actual setup of tracking, integrations, and consent – contact me before the supervisory authority does.