"It won't happen to me."
That's what most business owners think about website compliance enforcement. And statistically, they might be right — for now. Not every website gets audited. Not every violation gets caught.
But when it does happen, the consequences are severe. And enforcement is accelerating.
Here are 9 real cases where companies were fined for website-related compliance violations. Every one of these is a documented enforcement action.
⚠️ Disclaimer: This article is for informational purposes only and does not constitute legal advice. Fine amounts and enforcement decisions are based on publicly available information at time of writing and may not reflect the most recent developments. Consult a qualified lawyer for advice specific to your situation.
Case 1: Criteo (CNIL, France)
Violation: CNIL found that Criteo, the French advertising technology company, was collecting personal data from website visitors without valid consent. The company was processing data from partner websites where the cookie consent mechanisms did not meet GDPR requirements.
What went wrong: Insufficient consent collection, failure to demonstrate valid consent, inadequate information provided to data subjects, and failure to honor the right of withdrawal.
Lesson: Even if your consent mechanism seems fine, if your technology partners are collecting data through your website without proper consent, you can be held responsible.
Case 2: Doctissimo (France)
Violation: Doctissimo, a popular French health information website, had multiple compliance failures: cookies deposited without prior consent; a banner that didn't allow users to refuse cookies as easily as accepting; data shared with advertising partners without valid consent; and an incomplete privacy policy.
Lesson: This case is particularly relevant because Doctissimo is a content website — not an e-commerce platform. If you run a content site that uses advertising or analytics, you face the same requirements as any other business.
Case 3: German online retailer using Google Analytics
Violation: A medium-sized German online retailer was using Google Analytics without proper consent. The tracking script loaded before the user interacted with the cookie banner. The privacy policy didn't adequately disclose the use of Google Analytics or the data transferred to the United States.
Total cost: €25,000 DPA fine, plus approximately €3,500 in Abmahnung costs from a competitor who reported the same issues.
Lesson: Google Analytics must not load before consent is given. Your privacy policy must specifically address it. This is one of the most commonly enforced violations in Germany.
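The fix for Case 3 in working form, as an added example that is not code from the article or from any consent-management product: tracker loaders are queued behind a consent gate, so the gtag script is injected only after the "analytics" category has been granted, and withdrawal blocks later loads. The cookie name `cookie_consent`, the category names and the placeholder measurement ID are assumptions.

```javascript
// Added example, not code from the article: a minimal consent gate. Trackers are
// registered as loader functions and run only after the visitor grants the matching
// category. The cookie name and the category names are assumptions made here.
const CONSENT_COOKIE = "cookie_consent"; // assumed cookie name
// "a=1; cookie_consent=analytics%2Cmarketing" -> Set {analytics, marketing};
// no cookie at all means nothing is granted, which is the pre-consent state.
function parseConsent(cookieString) {
  const granted = new Set();
  for (const part of (cookieString || "").split(";")) {
    const [name, value] = part.trim().split("=");
    if (name !== CONSENT_COOKIE || !value) continue;
    decodeURIComponent(value).split(",").forEach((c) => c.trim() && granted.add(c.trim()));
  }
  return granted;
}
class ConsentGate {
  constructor(granted = new Set()) {
    this.granted = new Set(granted);
    this.entries = []; // { category, load, loaded }
  }
  // Register a tracker; it loads immediately only if consent already exists.
  register(category, load) {
    const entry = { category, load, loaded: false };
    this.entries.push(entry);
    this.flush();
    return entry;
  }
  // Banner "accept" for some categories: release matching loaders exactly once.
  grant(categories) {
    categories.forEach((c) => this.granted.add(c));
    this.flush();
  }
  // Right of withdrawal: blocks later loads. An already injected script cannot be unloaded, so the page must also stop sending events to it.
  revoke(categories) { categories.forEach((c) => this.granted.delete(c)); }
  flush() {
    for (const e of this.entries) {
      if (!e.loaded && this.granted.has(e.category)) { e.loaded = true; e.load(); }
    }
  }
}
// The retailer's mistake was an unconditional <script async src=".../gtag/js?id=...">
// in every page. Gated version: the tag is injected only from inside the loader.
function gtagLoader(measurementId) { // measurementId: placeholder such as "G-PLACEHOLDER"
  return () => {
    if (typeof document === "undefined") return; // not running in a browser
    document.head.appendChild(Object.assign(document.createElement("script"), {
      async: true, src: "https://www.googletagmanager.com/gtag/js?id=" + encodeURIComponent(measurementId) }));
  };
}
```

In a page, build the gate from `document.cookie` on load and call `grant`/`revoke` from the banner's buttons; the loader never runs for a first-time visitor until they accept.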
Case 4: TTPCG
Violation: TTPCG processed sensitive personal data (including health data and sexual orientation) through its website without obtaining explicit consent as required for special categories of data under GDPR Art. 9.
Lesson: If your website collects any sensitive data — health information, religious views, political opinions, sexual orientation — the consent bar is significantly higher than for standard personal data.
Case 5: NS Cards
Violation: NS Cards was retaining customer identity documents (uploaded for verification) for excessive periods and without adequate security measures. Violations: excessive data retention, insufficient data security, inadequate privacy policy.
Lesson: If your website allows file uploads — identity documents, personal documents of any kind — you must have clear retention periods, secure storage, and automatic deletion mechanisms.
Case 6: Impressum Abmahnung wave (Germany)
Violation: A consumer protection association systematically audited hundreds of German small business websites and sent Abmahnung letters for Impressum violations. Common issues: missing phone numbers, using a P.O. box instead of a physical address, missing commercial register information, missing VAT ID numbers.
Lesson: You don't need to be investigated by a regulator to face financial consequences. In Germany, competitors and consumer groups can enforce website compliance directly — and they do, routinely.
Case 7: Google Fonts ruling (LG München, Germany)
Violation: A German court ruled that a website loading Google Fonts from Google's servers (rather than self-hosting) violated GDPR because each page load transmitted the visitor's IP address to Google in the United States without consent. Subsequent enforcement attempts sought to scale this to thousands of visitors.
Lesson: Third-party resources loaded from external servers — Google Fonts, JavaScript libraries from CDNs, social media widgets — all potentially transmit visitor data to third parties. The safest approach: self-host everything you can.
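The check a site owner would want for Cases 3 and 7, as an added example that is not code from the article: a static audit of a page's HTML that lists every resource fetched from a host other than your own (the Google Fonts pattern) and flags a known tracker tag that is not gated behind a consent manager. The short tracker host list, the `type="text/plain"` gating convention used by several consent managers, the first-party host `www.example.com` and the sample HTML are assumptions and constructed input.

```javascript
// Added example, not code from the article: a static audit of a page's HTML for
// resources fetched from hosts other than your own (fonts, CDN scripts, widgets),
// the pattern the Google Fonts ruling turned on. The tracker host list, the
// type="text/plain" gating convention and the sample HTML are assumptions.
const TRACKER_HOSTS = ["googletagmanager.com", "google-analytics.com"]; // assumed, incomplete
// Every URL referenced by src=/href= on resource tags, or by CSS url()/@import.
// A tag whose type is "text/plain" is treated as gated by a consent manager.
function extractResources(html) {
  const out = [];
  const tag = /<(?:script|link|img|iframe)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const css = /(?:url\(\s*|@import\s+)["']?((?:https?:)?\/\/[^"')\s]+)/gi;
  let m;
  while ((m = tag.exec(html))) out.push({ url: m[1], gated: /\stype\s*=\s*["']text\/plain["']/i.test(m[0]) });
  while ((m = css.exec(html))) out.push({ url: m[1], gated: false });
  return out;
}
// Hostname of absolute or protocol-relative URLs; null for relative (first-party) paths.
function hostOf(url) {
  try { return new URL(url.startsWith("//") ? "https:" + url : url).hostname.toLowerCase(); }
  catch { return null; }
}
// Each resource on another host is a finding: a plain third-party fetch leaks the
// visitor's IP address; an ungated known tracker additionally needs prior consent.
function auditThirdParty(html, firstPartyHost) {
  const findings = [];
  for (const { url, gated } of extractResources(html)) {
    const host = hostOf(url);
    if (!host || host === firstPartyHost.toLowerCase()) continue;
    const tracker = TRACKER_HOSTS.some((t) => host === t || host.endsWith("." + t));
    const issue = tracker && !gated ? "tracker loads before consent" : "third-party resource";
    findings.push({ url, host, issue });
  }
  return findings;
}
// Constructed sample: one self-hosted stylesheet and script, Google Fonts via
// preconnect plus stylesheet, an @import from a CDN, and an unconditional gtag tag.
const SAMPLE_HTML = `
<link rel="stylesheet" href="/assets/site.css">
<link rel="preconnect" href="https://fonts.gstatic.com">
<link href="https://fonts.googleapis.com/css2?family=Roboto" rel="stylesheet">
<style>@import "https://cdn.example.net/normalize.css";</style>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="/js/app.js"></script>`;
```

`auditThirdParty(SAMPLE_HTML, "www.example.com")` reports four findings: the two Google Fonts hosts, the CDN import, and the gtag tag marked as loading before consent. Because a preconnect or font fetch contacts the third party even with no cookies involved, every finding is a candidate for self-hosting rather than for a banner.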
Case 8: SAF Logistics
Violation: SAF Logistics' website and online systems collected excessive personal data from employees and job applicants, retained data beyond necessary periods, and had an inadequate privacy policy.
Lesson: Your website isn't just your customer-facing pages. Career pages, application forms, employee portals — all are subject to the same compliance requirements.
Case 9: Widerrufsbelehrung Abmahnung letters (Germany)
Violation: Multiple German e-commerce websites received Abmahnung letters for incorrect or missing Widerrufsbelehrung (cancellation/withdrawal information). Common issues: using outdated templates, not providing the withdrawal form, placing the information only in the AGB rather than prominently.
Lesson: Consumer protection requirements for e-commerce are strictly enforced in Germany through private legal action. The withdrawal information must use the official template.
Most of the violations in these cases were detectable and fixable before enforcement. The pattern is consistent: the business didn't know they had a problem until someone else found it first.
Many of these German cases began as an Abmahnung. See our Abmahnung response guide and Why Small Businesses Are the #1 Target for the economics behind why German SME websites get systematically targeted.
Are these fines just for large companies?
No. Cases 6 and 9 above specifically involved small businesses targeted through Germany's Abmahnung system. The Criteo and Doctissimo cases involved well-known companies, but the violations themselves — cookie consent failures, incomplete legal notices — are just as common on small-business websites.
What is the most commonly enforced compliance area?
Cookie consent. Regulators use automated scanning tools that can check thousands of websites. CNIL has been doing this since 2021.
Can a competitor really report my website and cause legal problems?
Yes — in Germany specifically. The Abmahnung system allows competitors and qualified consumer protection organizations to send cease-and-desist letters directly, without involving a regulator. This is legal, common, and can result in costs of €1,000–€5,000 even if the underlying issue was minor.
Is Google Fonts really a compliance issue?
In Germany, yes — if you load them from Google's CDN. Each page load transmits the visitor's IP address to Google's servers. LG München ruled this violates GDPR (2022). The fix is straightforward: self-host your fonts.
Sources: CNIL enforcement decisions (publicly available at cnil.fr), BfDI annual reports, LG München I Az. 3 O 17493/20, DSK press releases, public Abmahnung documentation