Or: Why 90% was unnecessary panic (and which 10% will really save your skin)
Do you remember May 2018? The great GDPR apocalypse was imminent. Lawyers predicted waves of warnings, consultants sold expensive emergency packages, and it felt like every other newsletter was announcing the end of the internet.
Now, almost seven years later, it's time for an honest reality check. What really happened? Spoiler alert: the internet still exists, most of you are still alive, and the millions in fines? Well, we'll get to that in a moment.

The big panic balance sheet: surprising figures
Can you imagine that almost nothing remains of the feared mass warnings? According to Bitkom surveys, around 20% of companies report at least one data protection breach within a year – but only a tiny fraction of these actually result in a fine.
An analysis of published German GDPR fines for 2018 shows an average fine of around €8,500 – a far cry from the millions often cited.
For comparison:
- Feared penalties in 2018: up to 20 million euros (panic!!!)
- Actual average penalty for SMEs: 8,500 euros
- Most common punishment: Warning without a fine
If you look at all the fines imposed in recent years, the total in Germany comes to around 1,600 to 1,700 known cases.
And even if the number of unreported cases is a bit higher:
We are talking about a tiny number.
With over 3.5 million companies, that's practically nothing. You have a higher chance of being struck by lightning.
📊 Table: GDPR fines in Germany 2018–2023
| Year | Number of fines | Total fines (in € million) | Reported data breaches |
|---|---|---|---|
| 2018 | around 40 | — | — |
| 2019 | 187 | > 25 | — |
| 2020 | 284 | 48.15 | 26,057 |
| 2021 | 373 | 2.11 | 13,890 |
| 2022 | 453 | 5.81 | 21,170 |
| 2023 | 357 | 4.94 | 24,749 |
Notes on the table:
- Figures published by the state authorities or compiled at the GDPR portal (dsgvo-portal.de).
- Totals are only the amounts reported as the „lower limit“ – some authorities did not provide complete information (2020: €48.15 million).
- Reported data breaches are notifications, not fines.
- Around 40 cases in 2018 according to Wikipedia („41 cases by the end of 2018...“).
- 2019: 187 fines, over €25 million, according to the GDPR portal's review of 2020.
- 2020: 26,057 reports, 284 fines, €48.15 million (GDPR portal).
- 2021: 373 fines, €2.11 million as the lower limit (GDPR portal).
- 2022: 453 fines, €5.81 million (GDPR portal).
- 2023: 357 fines, €4.94 million (GDPR portal).
Note: no reliable overall figures or complete data are yet available for 2024.
The data shows that although the GDPR has been in force since 2018, fewer than 1,700 fines were imposed in Germany between 2018 and 2023 (see table). With around 3.5 million companies, this means that only about one in 2,000 companies has ever been fined.
What the authorities are REALLY interested in (and what they are not)
After seven years of GDPR, we know pretty much where data protection authorities are looking and where they are turning a blind eye. Surprise: it's not what we were told in 2018.
What really interests them:
1. Data leaks and hacker attacks without notification – Anyone who has a reportable data breach and fails to report it within 72 hours has a real problem.
This point regularly appears in the activity reports of the authorities as one of the most common reasons for fines – especially in the case of larger leaks or completely missing reports.
2. No response to requests for information – If someone requests their data and you simply do not respond, things get really unpleasant.
German courts now regularly award damages — ranging from a few hundred to five figures.
Would you like an example?
10,000 euros for providing information to a former employee 20 months late (Oldenburg Labour Court).
And even small online shops are now being hit with four-figure sums if they simply do not respond.
3. Newsletters without consent – The perennial favourite for 20 years.
This issue keeps cropping up in warning letter practice — as reliably as an annual statement.
Sending without consent in 2025 is about as brilliant as using Password123 as your password.
(Almost) nobody is interested in this:
- Cookie banner details: Whether your banner is on the left or right, whether the „Accept all“ button is blue or green – it doesn't matter. The main thing is that it's there (when you need it).
- Lack of data processing agreements (Auftragsverarbeitung): Theoretically mandatory, but in practice no one asks about it. Unless something else happens and they take a closer look.
- Outdated privacy policies: As long as there is one at all, hardly anyone cares whether it is from 2019 or 2024.
The 3 real risks that could hit you hard in 2025
Risk 1: Google Fonts – The warning trap that no one saw coming
2022 was a really turbulent year: a ruling by the Munich Regional Court I made it clear that loading Google Fonts from US servers without consent is a violation of the GDPR. Bang – one user was awarded €100 in damages, and suddenly a few particularly creative warning letter writers sensed the next business model. Result: at least a hundred thousand letters were sent across the country. Demand: around €170 in „compensation for pain and suffering“ – so low that many simply paid up to keep the peace.
The solution is still ridiculously simple:
- Host fonts locally (plugin, 2 clicks, done)
- Or just use system fonts
- Proxy solutions are also available, but that's more of a nerd thing.
And now for the big news: in 2023, 2024 and even 2025, Google Fonts cases are still being dealt with by the courts. Some judgments now describe this warning-letter practice as „abusive“, but until everything has been finally settled, the wheels of justice will continue to turn. Slowly but surely.
Risk 2: Google Analytics without a legal basis
This is where it gets exciting. Austria's data protection authority led the way, with France and Italy following suit: Google Analytics is not GDPR-compliant in its standard configuration. Germany? Still keeping a low profile, but the signs point to stormy weather ahead.
What actually happens:
- No mass warnings to date
- BUT: in the event of complaints, the authorities take a very close look.
Google Analytics without a legal basis is not a trivial offence: there have already been several cases in the EU with four- to five-figure fines, depending on severity and configuration.
What you can do:
- Google Analytics with Consent Mode V2 and a data processing agreement (complicated)
- Switch to EU alternatives (Matomo, Plausible, or... well, you know)
- Doing without analytics altogether (seriously, it is possible)
Risk 3: Contact forms without SSL
Yes, in 2025 we're still talking about it. Can you imagine that there are still websites without HTTPS? Neither can I, but they exist. And that's going to be expensive.
Real case from 2024: Craft business fined €3,500 for unencrypted contact form. The reason: „Negligent endangerment of personal data.“
The solution:
- Let’s Encrypt = free SSL certificate
- Installation: 5 minutes
- Excuses: Zero
The elephant in the room: Why cookie banners are still everywhere

Although hardly anyone is penalised for incorrect cookie banners, everyone still has them. Why?
The truth:
😧 70 % of all cookie banners are technically incorrect
🤔 The consent rate is a measly 3–8 per cent.
🙄 And warnings? They practically never happen.
Nevertheless, everyone has one of these things on their site.
Why? FOMO? Fear? Or because some agency decided in 2018 that „that's just how it's done“?
And now comes the really exciting part:
You only need a banner if you use non-essential services – i.e. things that send data to third parties or track users.
These include, for example:
- Tracking tools with cookies or fingerprinting
- Marketing/advertising scripts (Meta Pixel, Google Ads, etc.)
- External resources that transfer personal data
- Embedded content that tracks itself (YouTube, Maps, social feeds)
If you omit all of this or integrate it in a data protection-friendly manner, you will often no longer need the banner.
No external tracking = no consent = no banner = no fuss.
With modern cookie-free analytics solutions you still get all the important insights – just without the need for consent and without conversion losses.
What has really changed in 2025
AI and data protection: the new minefield
ChatGPT, Claude, Midjourney – the question is no longer whether, but how you use AI. And this is where it gets tricky:
Can I enter customer data into ChatGPT? Short answer: No. Long answer: No, unless you have the Enterprise version with a data processing agreement.
What about AI-generated text on my website? No GDPR issue, as long as no personal data was included in the prompt.
The next wave: Digital Services Act (DSA)
While everyone is focused on the GDPR, the DSA has been in force since February 2024. It primarily affects platforms and marketplaces, but also:
- Large online shops (45 million users or more in the EU)
- Social media pages
- Forums and communities
The good news: Nothing changes for normal websites.
The 5-point reality check for your website
Enough with the theory. Here's what you REALLY need to know:
- SSL certificate active? → If not, change IMMEDIATELY
- Is there a privacy policy? → Use generator, done
- Legal notice (Impressum) accessible? → A maximum of 2 clicks away
- Newsletter with double opt-in? → If not, change
- Google Fonts locally? → If not, install the plugin.
All done? Congratulations, you are more secure than 90% of all German websites.
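Three of these checks (Google Fonts loaded from Google's servers, third-party trackers and embeds that require a banner, and contact forms submitting over plain HTTP) can be run mechanically against a page's HTML. This is an added example, not a tool from the article; the host list and the sample page are constructed for illustration.

```python
"""Audit a page's HTML for the three website risks discussed in the article."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Third-party hosts contacted as soon as the page loads (constructed, non-exhaustive list).
FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
TRACKER_HOSTS = {
    "www.googletagmanager.com", "www.google-analytics.com",  # Google Analytics / Tag Manager
    "connect.facebook.net",                                   # Meta Pixel
    "www.googleadservices.com",                               # Google Ads
    "www.youtube.com", "maps.googleapis.com",                 # embeds that track on their own
}

class ResourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls, self.form_actions = [], []   # external references, form targets

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("href") or a.get("src")
        if tag in ("link", "script", "iframe", "img") and url:
            self.urls.append(url)   # includes <link rel="preconnect">, which also connects
        if tag == "form":
            self.form_actions.append(a.get("action") or "")

def audit_html(html, page_url):
    """Return {risk: [urls]} for the risks found; an empty dict means none were seen."""
    p = ResourceCollector()
    p.feed(html)
    found = {"google_fonts": [], "needs_consent_banner": [], "insecure_forms": []}
    for url in p.urls:
        host = urlparse(url).hostname or ""   # relative paths (own host) give "" and are skipped
        if host in FONT_HOSTS:
            found["google_fonts"].append(url)
        elif host in TRACKER_HOSTS:
            found["needs_consent_banner"].append(url)
    for action in p.form_actions:
        # A relative action inherits the page's scheme, so a plain-http page makes it insecure too.
        if urlparse(urljoin(page_url, action)).scheme == "http":
            found["insecure_forms"].append(urljoin(page_url, action))
    return {k: v for k, v in found.items() if v}

# Constructed sample page: remote Google Fonts, Tag Manager, a YouTube embed, a relative form action.
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<link rel="stylesheet" href="/css/site.css">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
</head><body><iframe src="https://www.youtube.com/embed/VIDEO_PLACEHOLDER"></iframe>
<form action="/kontakt" method="post"><input name="email"></form></body></html>"""
```

Run `audit_html(SAMPLE_HTML, "http://example.invalid/")` to see all three findings; the same page served over https drops only the insecure-form finding, since the fonts and trackers still load from third parties.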

The conclusion that should reassure you
After seven years of GDPR, we know that the world has not ended. The feared wave of warnings did not materialise. The multi-million fines only affected the very big players (looking at you, Meta).
What really matters:
- Get the basics right (SSL, privacy policy, legal notice)
- Avoid the three real risks (fonts, analytics, SSL)
- Don't let every new „GDPR expert“ drive you crazy
And the next time you read an article predicting the end of the world, remember: we were all supposed to perish in 2018. That didn't happen.
In the next part of the series: Why cookie banners are the most ridiculous invention since pop-up blockers – and how you can legally get rid of them. Spoiler alert: it has to do with cookie-free tracking, and yes, it really works.