Many data protection problems on websites are avoidable. Popular tools are often used unlawfully, although there are good ways to avoid this. This article shows common data protection problems and possible solutions.
If you're unsure about your website's data protection compliance, I recommend starting with an online data protection check:
Below you will find solutions for common data protection problems. This article is regularly updated with new solutions. If a solution is missing, please contact me and mention the data protection problem in question.
Common Data Protection Issues and Solutions
Quick Overview
| Tool/Issue | Solution proposal |
|---|---|
| Google Analytics | Matomo (local), WP Statistics (WordPress) or Trackboxx (German provider) |
| Conversion Tracking | Custom Conversion Tracking Script. Ask me if you need it! |
| Google Tag Manager | Stop using it or only use it with consent, alternatively use a JavaScript solution |
| Google Maps | Map by Dr. GDPR, thumbnail, button for route planning or omit map (Usefulness?) |
| OpenStreetMap | Map from Dr. GDPR, thumbnail, remove route planning button or map (usefulness?) |
| External Google Fonts | Local Google Fonts |
| External image files | Local image files |
| External JavaScript libraries | Local JavaScript libraries |
| External helper files (CSS…) | Local auxiliary files |
| YouTube Videos | Store locally (play with the video tag) or use a thumbnail with a link to the video platform or omit the video altogether (usefulness?) |
| Vimeo Videos | Store locally (play with the video tag) or use a thumbnail with a link to the video platform or omit the video altogether (usefulness?) |
| SoundCloud Audio Player | Store audio file locally and play it back using the audio tag |
| Google reCAPTCHA | Removing or replacing Contact Form 7 Image Captcha (WordPress) with a PHP solution or waiting for a solution from Dr. GDPR |
| Cookies | Unimportant, since cookies are generated via tools. Technically necessary cookies are permitted anyway |
| Cookie Banner | Remove purely informational pop-ups ("This site uses cookies. OK") completely. Aim to avoid consent requests as much as possible and do not use any of the popular solutions without being fully aware of the risks |
| Cloudflare | Compliance with the GDPR is not possible |
| Email Newsletter | Avoid using American providers! With just a few thousand subscribers, email marketing is possible via your own mail server! |
| VG Wort | Is permissible, no action required |
Cookies
Cookies are often used as a pretext to request consent. This is incorrect or too simplistic. Cookies do not simply exist, but are set by tools like Google Analytics. In reality, therefore, consent should be requested for tools that ultimately are responsible for the existence of cookies.
For cookies that are technically necessary, no consent is required. These cookies can simply be used. Technically necessary and therefore non-critical are, for example, the following cookies:
- VG Wort: Tracking pixels for author remuneration (that's just how it is)
- Session Management: Which user is logged in? Example: WordPress session management
- Purely functional configuration of the website, for example, role of a web shop visitor (private person vs company)
- Cookies for billing with partners (precise examination required)
All other cookies, meaning those that are not technically necessary, may only be set or read after the website visitor has given their consent.
Examples of services that use critical cookies:
- Google (Universal) Analytics (Standard configuration): This refers to the Google Analytics variant that almost every website uses today
- Google reCAPTCHA
- Google Maps
- YouTube Videos (without enhanced privacy settings)
- Vimeo Videos
Solution
- Technically necessary cookies can be used without restriction
- Other cookies should be avoided as much as possible by avoiding tools that implement these cookies. See below for alternatives for critical tools
- Consent requests must comply with numerous legal regulations. Checklist
Tools without real added value
Before the introduction of the GDPR, many websites used tools like Google Maps because
- everyone used them
- they were considered stylish
- no one questioned the actual benefit.
Since the GDPR came into effect, the benefits of the tools used should be honestly questioned. Examples:
- Google Analytics: I claim that most people don't need this tool. Do you belong to that group? Alternatives: Matomo, Trackboxx (German provider)
- Google Maps: I claim that a standard map makes no sense on most websites:
  - Route planning: Use a button "Your way to us" with jump to the Google Maps website
  - Location display: Do you really think a standard map, preferably with maximum bird's-eye view, adequately represents your location?
  - Alternative: Use my data protection friendly interactive map
- Google reCAPTCHA: It's actually a good idea for some websites. Are you using Google reCAPTCHA because someone told you that you need it? Or did you previously receive too much spam? I will soon provide a data protection-friendly solution
- Google Tag Manager: Many tools are simply loaded directly. You don't need a tag manager for that.
- YouTube and Vimeo Videos: I claim that embedded videos make little sense on many websites, especially when displayed in a mini-window. Alternatives: Thumbnail with link to video platform; Video stored locally and played with HTML tag video; No video
Use of Consent Tools
Many websites use so-called consent tools to supposedly ensure that critical tools like Google Analytics are only loaded after the user has agreed.
Other names for consent tools are:
- Cookie Blocker
- Cookie Popup
- Cookie Consent
- Cookie Tool
- Consent Management Platform (CMP)
- Consent inquiry
Unfortunately, many use these consent tools incorrectly. Many believe that the cookie tool can magically ensure that tools are correctly blocked until user consent is obtained. That is false.
Ensure that the code for loading consent-required tools is only present after consent has been given. Do not ship code that is already active and then rely on a cookie tool to somehow deactivate it.
It's best to completely avoid so-called consent solutions, because they are not solutions in the first place. See my comprehensive practice test, which demonstrates the failure of consent tools from well-known providers.
If you absolutely need to implement a consent request: Use your own solution or wait until I provide a free solution (find out when it's ready through the newsletter).
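The rule above, that loading code for a consent-required tool must not exist in the page until consent has been given, can be implemented as follows. This is an added example, not code from this article or its author; `CONSENT_KEY`, `createConsentGate` and the service URLs the caller passes in are hypothetical, and it assumes the consent decision itself is kept in `localStorage` (or any object with `getItem`/`setItem`).

```javascript
// Added example: third-party scripts are created only after an explicit grant.
const CONSENT_KEY = 'site.consent'; // hypothetical storage key

// Read stored decisions; anything unreadable counts as "no consent".
function readConsent(storage) {
  try {
    const parsed = JSON.parse(storage.getItem(CONSENT_KEY) || '{}');
    return parsed !== null && typeof parsed === 'object' ? parsed : {};
  } catch {
    return {};
  }
}

function createConsentGate(doc, storage, services) {
  const injected = new Set();
  const known = (n) => Object.prototype.hasOwnProperty.call(services, n);

  // The only place a third-party <script> element is ever created.
  function inject(name) {
    if (injected.has(name) || !known(name)) return false;
    const el = doc.createElement('script');
    el.src = services[name];
    el.async = true;
    doc.head.appendChild(el);
    injected.add(name);
    return true;
  }
  function save(name, value) {
    const consent = readConsent(storage);
    consent[name] = value;
    storage.setItem(CONSENT_KEY, JSON.stringify(consent));
  }
  return {
    // On page load: inject only services the visitor agreed to earlier.
    restore() {
      const consent = readConsent(storage);
      return Object.keys(services).filter((n) => consent[n] === true && inject(n));
    },
    // Call from the click handler of the visitor's explicit "agree" action.
    grant(name) {
      if (!known(name)) return false;
      save(name, true);
      return inject(name);
    },
    // An executed script cannot be unloaded; report that a reload is needed.
    revoke(name) {
      save(name, false);
      return { reloadRequired: injected.has(name) };
    },
  };
}
```

In a browser, call `createConsentGate(document, localStorage, {...})` and keep the page markup itself free of any `<script>` or `<iframe>` tag for the gated services.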
Tools loaded without consent
A service may only be loaded after consent if at least one of the following reasons applies:
- The service uses technically unnecessary cookies (it does not matter whether they are so-called first-party or third-party cookies). See Section 15(3) TMG, the BGH ruling on Planet 49, and Art. 5(3) of the ePrivacy Directive
- The service retrieves files from an insecure third country (example: USA). See Art. 44 GDPR
- The service performs unnecessary data transfers. See Art. 5(1)(c) GDPR (data minimisation)
The following services may only be loaded after consent (excerpt with indication of the principle):
- Google Analytics (standard configuration, i.e., with cookies): Reason 1, probably also Reason 2 ([1])
- External Google Fonts: Reason 3, probably also reason 2 ([1])
- YouTube videos without extended data protection settings (i.e., with cookies): Reasons 1 to 3 ([1])
- YouTube videos with extended privacy settings (i.e., without cookies): reasons 2 and 3 ([1])
- Vimeo Videos: Reasons 1 to 3 ([1])
- SoundCloud Audio Player: Reasons 1 to 3 ([1])
- Google reCAPTCHA: Reasons 1 to 3 ([1])
- OpenStreetMap: Potentially reason 2 ([1])
- Google Maps: Reasons 1 to 3 ([1])
- CloudFlare: Reason 2, possibly also Reason 1 (depending on the specific case)
- Google Tag Manager: Reason 2 ([1])
For more detailed explanations, please refer to articles on this website.
In general, tools from Google and social media platform providers (Facebook, Twitter, Instagram, TikTok etc.) are considered privacy unfriendly. For example, Google's data protection notices are so opaque that as a user of Google tools, you cannot fulfill your obligation to inform visitors to your website about the data collection resulting from the use of Google tools in a transparent manner. In such cases, you as the responsible person for the website are liable, not Google (unless there is an explicitly concluded contract that could give rise to joint liability).
Solution
- Remove services without replacement if their benefit cannot be determined (Example: Does your sales revenue or, even better, your profit increase if you integrate a specific service?)
- Replace the service with an alternative: See information in this article
- Loading services only after consent: Mostly only possible with legal residual risk
- Remove Google Tag Manager entirely or load it only after consent, or load it with a small JavaScript code
External Google Fonts
Google Fonts may not be loaded from Google's server without consent: Reason. Those who need an official reason will find it in the judgment of the LG Munich from 20.01.2022 (Az.: 3 O 17493/20).
Embed the font files locally. This is legally permissible and poses no data protection issues. It may also allow you to omit privacy policy text that would otherwise be potentially incorrect.
Solution
- Use Google Webfonts Helper to locally install fonts ([1])
- WordPress: Adjust theme settings so that Google Fonts are not loaded externally (not possible for all themes); use a theme that is data protection friendly
- Manual Installation: See What is the Solution in my article on Google Fonts
Unnecessary third-party file requests
Many websites load files from a third-party server, although these files could easily be stored locally.
Solution
- Download and locally embed images
- Download and locally embed JavaScript libraries like jQuery
- Download layout files (CSS files) and embed them locally. Note: Also consider referenced resources within the files
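To find the files that still need to be moved, including the resources referenced inside CSS files that the note above mentions, a page or stylesheet can be scanned for references to other hosts. This is an added example, not the article's code; the function names and the sample markup are constructed, and the regex scan is a heuristic that does not see URLs built by scripts at runtime.

```javascript
// Added example: list third-party hosts referenced by HTML or CSS text.
const TAG_RE = /<(script|img|iframe|link|source|video|audio|embed)\b([^>]*)>/gi;
const ATTR_RE = /\b(?:src|href)\s*=\s*["']([^"']+)["']/i;
const REL_RE = /\brel\s*=\s*["']([^"']+)["']/i;
const NON_LOADING_REL = /\b(canonical|alternate|author)\b/i; // <link> kinds that fetch nothing
const CSS_URL_RE = /url\(\s*["']?([^"')\s]+)["']?\s*\)/gi;
const CSS_IMPORT_RE = /@import\s+["']([^"']+)["']/gi;

// Collect raw reference strings from resource-loading tags and CSS rules.
function collectRefs(text) {
  const refs = [];
  for (const m of text.matchAll(TAG_RE)) {
    const attr = ATTR_RE.exec(m[2]);
    if (!attr) continue;
    const rel = REL_RE.exec(m[2]);
    if (m[1].toLowerCase() === 'link' && rel && NON_LOADING_REL.test(rel[1])) continue;
    refs.push(attr[1]);
  }
  for (const m of text.matchAll(CSS_URL_RE)) refs.push(m[1]);
  for (const m of text.matchAll(CSS_IMPORT_RE)) refs.push(m[1]);
  return refs;
}

// Resolve each reference against the page URL and keep foreign hosts only.
function thirdPartyHosts(text, pageUrl) {
  const own = new URL(pageUrl).hostname;
  const hosts = new Set();
  for (const ref of collectRefs(text)) {
    let u;
    try { u = new URL(ref, pageUrl); } catch { continue; }
    if (!/^https?:$/.test(u.protocol)) continue; // data: URIs etc. load nothing remote
    if (u.hostname !== own) hosts.add(u.hostname);
  }
  return [...hosts].sort();
}

// Constructed sample input.
const SAMPLE_HTML = `
<link rel="canonical" href="https://other.example/page">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script src="//code.jquery.com/jquery-3.6.0.min.js"></script>
<img src="/img/logo.png">
<style>@import "https://cdn.example.net/base.css";
body{background:url(data:image/png;base64,AAAA)}</style>`;
const SAMPLE_CSS = `@font-face{src:url('https://fonts.gstatic.com/s/x.woff2')}`;
```

Run `thirdPartyHosts` over each HTML page and over every downloaded CSS file; an empty result for all of them means no file request leaves your own host.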
Conclusion
Especially smaller websites or websites with few visitors often get by without critical tools and can therefore spare themselves and website visitors a bothersome consent request.
Carefully evaluate the usefulness of tools currently in use and do not solely rely on the opinions of others.
Is your website GDPR-compliant? Start here: Online Website-Check
Key takeaways of this article
Many website privacy issues can be avoided by using alternative solutions instead of questionable tools.
Websites should only use cookies that are absolutely necessary and set other cookies only after the user has given their consent.
Many common cookie tools do not function correctly and do not adequately protect your visitors. It is better to not use them at all or develop your own solution.
To minimize annoying consent requests and enhance data protection, use as few external services and tools as possible on your website.




My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
