It's one of the greatest ironies in law firm marketing: lawyers advise clients on data protection law – and themselves operate a website that violates the GDPR. Not out of malice, but because the technical details are often hidden: a Google Font that silently transmits data to US servers; an analytics script that runs before the visitor has given their consent; a contact form without a data processing agreement.
The consequences range from cease-and-desist letters from competitors to GDPR fines. For law firms, there is also reputational damage that extends far beyond the legal harm: those who ignore data protection themselves lose the trust of clients who seek advice precisely in this area.
This article outlines the ten most common GDPR errors on law firm websites, with specific solutions for WordPress. For everything beyond the technical implementation, see our resource section Data protection and compliance for lawyers.
How often should I check my website's GDPR compliance?
At least every six months and after every plugin update, theme change, or newly embedded service. The GDPR text itself rarely changes, but its interpretation does: new rulings by the European Court of Justice and decisions by the German Data Protection Conference (DSK) keep raising the bar, so what was sufficient in 2023 may no longer be compliant in 2025. Automated GDPR scanners, such as those from eRecht24 or Datenschutz.org, catch the most common technical patterns (external fonts, scripts firing before consent), but they cannot judge legal bases or the completeness of your privacy policy. For a legally sound assessment, a periodic review by a data protection expert is also recommended.
As a lawyer, am I required to appoint a data protection officer?
In most cases not, but there are exceptions. Under Section 38 of the German Federal Data Protection Act (BDSG), a data protection officer becomes mandatory once at least 20 people are regularly engaged in the automated processing of personal data, so smaller law firms are generally exempt. Independently of headcount, Article 37 GDPR requires one if the firm's core activities involve large-scale processing of special categories of data (e.g., health data) or of data relating to criminal convictions and offences, or large-scale systematic monitoring. In case of doubt, consult a data protection lawyer.
What happens if I have misconfigured my cookie banner?
Risk of legal warnings from competitors and potential fines from the data protection authority. Competitors and law firms specializing in cease-and-desist letters systematically scan for GDPR violations. A cookie banner without a genuine opt-out option or an analytics script that loads before consent is given is a common violation that leads to legal action. Fines from the data protection authority are less frequent for smaller law firms, but not impossible. Act preventively – the correction usually only takes a few hours.
Error 1: Google Fonts embedded externally
Google Fonts is one of the most widespread GDPR pitfalls on law firm websites. When fonts are embedded via fonts.googleapis.com, the visitor's browser fetches the stylesheet from fonts.googleapis.com and the font files from fonts.gstatic.com, and in doing so transmits the visitor's IP address to Google servers in the USA, without consent. The Munich Regional Court (LG München I) classified this as a GDPR violation in January 2022.
Solution for WordPress: Host Google Fonts locally. Download the required font files (the google-webfonts-helper tool at google-webfonts-helper.herokuapp.com generates the @font-face CSS and the woff2 files for you), store them on your own server, and reference them from your own stylesheet. Alternatively, use a plugin like OMGF (Optimize My Google Fonts), which automates this process. Afterwards, verify the result: open the site in a private browser window, watch the network tab, and confirm that no request goes to fonts.googleapis.com or fonts.gstatic.com. Themes and page builders often re-add the external link through their own stylesheets, so repeat this check after updates.
Error 2: Google Analytics without consent
Google Analytics may only run after the visitor has given explicit consent. An analytics script that fires on the first page view processes personal data (IP address, client identifiers) without a legal basis under Article 6 GDPR, and sets cookies without the consent that Section 25 of the German TDDDG (formerly TTDSG) requires. Loading Analytics through Google Tag Manager changes nothing: the Analytics tag must be gated on the consent signal, and the Tag Manager container itself should not load before consent either.
Solution: Integrate Analytics via a consent management plugin that keeps the script parked until consent is given (typically as a script tag with a non-JavaScript type such as text/plain, which the browser does not execute) and only then enables it. Recommended tools for WordPress: Borlabs Cookie, Complianz, or Cookiebot. Alternatively: a self-hosted Matomo configured cookieless with IP anonymisation, which can usually be operated without a consent banner on the basis of legitimate interest; document that assessment rather than assuming it.
Error 3: Cookie banner without a real choice
A cookie notice that only shows an OK button without a Decline option does not produce valid consent. The same applies to pre-ticked checkboxes and to banners that treat scrolling or continued browsing as consent. The European Court of Justice clarified in Planet49 (C-673/17, 2019) that consent requires an active, unambiguous act; a pre-ticked box is not one.
Solution: Your cookie banner must offer at least two equally prominent options on its first layer: Accept all and Only necessary cookies. The decline button must not be smaller, greyed out, or harder to find than the accept button. Technically necessary cookies (session, login, and the cookie that stores the consent decision itself) do not require consent. Record what was granted and when, so that you can demonstrate consent later.
Error 4: Contact form without minimum requirements
Contact forms on law firm websites have several common GDPR errors:
- Too many mandatory fields: email and phone number must not both be required. One contact method is enough to handle the request (data minimisation); mark the other as optional.
- No transport encryption: the form page and the endpoint it submits to must both use HTTPS. A form on an HTTP page, or one whose action points to an http:// URL, sends the message in the clear.
- Hidden newsletter opt-in: a pre-ticked checkbox for newsletter registration inside the contact form is invalid consent and an easy target for a cease-and-desist letter. Keep it unticked and clearly separate from the submit action.
- Missing data processing agreement with the provider: if a third-party provider (e.g., WPForms, Gravity Forms) processes form data, you need a data processing agreement with it.
Error 5: Loading external services without consent
Google Maps, YouTube embeds, and reCAPTCHA load scripts and transmit the visitor's IP address to Google as soon as the page is opened, without consent. The same applies to social media buttons that load tracking code.
Solution: Load external services only after consent. For Google Maps: use a two-click solution (show a static placeholder first, load the map after a click). For YouTube: use privacy-enhanced mode (youtube-nocookie.com) or a two-click embed. Note that even a youtube-nocookie.com iframe contacts Google when it renders; it merely defers cookies until playback, so a two-click embed is the safer choice. Your consent management plugin should block these services automatically and enable them only after consent.
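As an added illustration (not code from the article, from OMmatic, or from any consent plugin), the following JavaScript shows the mechanism that Errors 2 and 5 require: no third-party script in the registry is injected on the first page view, and each one is injected once, only for the categories the visitor has opted into. The service list, the G-EXAMPLE measurement ID and the Maps key are placeholders; the script injector is passed in as a parameter so the gate can be exercised in Node.js as well as in a page.

```javascript
// Added example (not from the article or any plugin): the mechanism a consent
// manager implements for "load only after consent". On the first page view
// nothing in SERVICES is injected; grant() injects each service's script at
// most once, and only for the categories the visitor has actively opted into.
// The service list, IDs and keys below are placeholders, not a real site's config.
const SERVICES = [
  { id: 'ga4', category: 'statistics', src: 'https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE' },
  { id: 'maps', category: 'external-media', src: 'https://maps.googleapis.com/maps/api/js?key=EXAMPLE' },
  { id: 'recaptcha', category: 'functional', src: 'https://www.google.com/recaptcha/api.js' },
];

// injectScript is passed in so the gate can be exercised outside a browser
// (e.g. in a test); in the page, pass browserInjectScript below.
function createConsentGate(services, injectScript) {
  const loaded = new Set();   // services whose script has already been injected
  let consented = new Set();  // empty until the visitor actively clicks "Accept"
  return {
    grant(categories) {
      consented = new Set(categories);
      const injectedNow = [];
      for (const s of services) {
        if (consented.has(s.category) && !loaded.has(s.id)) {
          injectScript(s.src);
          loaded.add(s.id);
          injectedNow.push(s.id);
        }
      }
      return injectedNow;
    },
    // Withdrawing consent cannot un-run a script that already executed. Stop
    // further loads and return what already ran so the caller can reload the
    // page, after which nothing in those categories executes again.
    revoke() {
      consented = new Set();
      return [...loaded];
    },
    blocked() {
      return services.filter((s) => !loaded.has(s.id)).map((s) => s.id);
    },
  };
}

// Browser-side injector: appends the <script> to <head> only when called.
function browserInjectScript(src) {
  const el = document.createElement('script');
  el.src = src;
  el.async = true;
  document.head.appendChild(el);
}

// Two-click embed helper: the placeholder is static markup; only a click builds
// the privacy-enhanced URL. YouTube video IDs are 11 URL-safe characters.
function youtubeEmbedUrl(videoId) {
  if (!/^[A-Za-z0-9_-]{11}$/.test(videoId)) throw new Error('unexpected YouTube video id');
  return 'https://www.youtube-nocookie.com/embed/' + videoId;
}

function wireTwoClickEmbed(placeholder, videoId) {
  placeholder.addEventListener('click', () => {
    const frame = document.createElement('iframe');
    frame.src = youtubeEmbedUrl(videoId);
    frame.setAttribute('allowfullscreen', '');
    placeholder.replaceWith(frame);
  }, { once: true });
}

// Record the decision so the banner is not re-shown on every page. The entry
// storing the choice is itself technically necessary and needs no consent.
function serializeConsent(categories, now = new Date()) {
  return JSON.stringify({
    version: 1,
    categories: [...new Set(categories)].sort(),
    grantedAt: now.toISOString(),
  });
}
```

In the page, create the gate with browserInjectScript, call grant() from the banner's Accept handler (and on later page views from the stored decision), and attach wireTwoClickEmbed to each YouTube placeholder. Commercial plugins do the same job with more polish; the point to take away is that the default state is "nothing loaded".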
Warning: law firms are particularly targeted. Competitors and law firms specializing in cease-and-desist letters systematically scan for GDPR violations. The risk is particularly high for law firms, as a data protection breach directly damages their reputation as legal advisors.
The complete GDPR checklist for law firm websites
The following checklist covers all essential points. It is not a substitute for a case-by-case legal review, but a solid starting point:
| Status | Checkpoint | What to do |
|---|---|---|
| ☐ | HTTPS active | Valid TLS certificate; all pages served only via https://; http:// requests redirect to https://; no mixed content (scripts, images or form actions still loaded over http://). |
| ☐ | Privacy policy complete | All third-party services listed (Analytics, Fonts, Maps, Forms); legal basis specified for each processing activity. |
| ☐ | Cookie banner with a real choice | Technically necessary cookies set without consent; everything else requires active opt-in; no pre-ticked checkboxes; decline as prominent as accept. |
| ☐ | Google Fonts hosted locally | Fonts served from your own server, no requests to fonts.googleapis.com or fonts.gstatic.com; in WordPress via plugin or manually. |
| ☐ | Google Analytics only with consent | The Analytics tag runs only after cookie consent; alternatively self-hosted Matomo configured cookieless with IP anonymisation. |
| ☐ | Contact form: minimal required fields | Only one contact method required (email or phone, not both); no hidden newsletter opt-in. |
| ☐ | Contact form: DPA with every provider that handles submissions | A data processing agreement with whoever processes form data: a SaaS form service if one is used, and the hosting provider that stores submissions (e.g., Contact Form 7 entries or the emails it sends via your host). |
| ☐ | External services only with consent | Google Maps, YouTube and reCAPTCHA load only after consent; consent management plugin set up and tested. |
| ☐ | Legal notice (Impressum) complete | Full name, address, telephone number, email address, professional association, professional title, professional regulations, as required by Section 5 of the German Digital Services Act (DDG, which replaced the TMG). |
| ☐ | DPA with hosting provider | Data processing agreement (DPA) with the web host and all third-party providers that process personal data. |
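As an added example (not from the article or from any scanner vendor), the following Node.js script runs the technical rows of the checklist above against a saved copy of a page (browser View Source or curl output). It relies on one browser fact: a script tag whose type is not a JavaScript MIME type is never executed, which is how consent plugins park blocked scripts until opt-in. The sample page at the bottom is constructed to exhibit several of the errors; the rule list, messages and function names are this example's own.

```javascript
// Added example (not from the article or any scanner vendor): a static
// pre-check that runs the technical rows of the checklist against a saved
// page. It only finds the patterns named in this article and is no
// substitute for a legal review.

// Browsers do not execute <script> tags whose type is not a JavaScript MIME
// type. Consent plugins rely on this and park scripts with e.g.
// type="text/plain" until the visitor opts in, so such a tag is not a finding.
function isExecutableScript(attrs) {
  const type = (attrs.type || '').trim().toLowerCase();
  return type === '' || type === 'module' || type === 'text/javascript' || type === 'application/javascript';
}

// Attribute extraction for one start tag. Sufficient for rendered markup;
// not a full HTML parser.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<\s*[\w-]+/, '').replace(/\/?>$/, '');
  const re = /([\w:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// URL-based rules, keyed to the errors in the article.
const URL_RULES = [
  { id: 'fonts-external', tag: 'link', attr: 'href', pattern: /fonts\.(?:googleapis|gstatic)\.com/i,
    message: 'Google Fonts loaded from Google servers (Error 1): host the files locally' },
  { id: 'analytics-unblocked', tag: 'script', attr: 'src', pattern: /googletagmanager\.com|google-analytics\.com/i,
    message: 'Analytics or Tag Manager executes before consent (Error 2)' },
  { id: 'maps-unblocked', tag: 'script', attr: 'src', pattern: /maps\.googleapis\.com/i,
    message: 'Google Maps executes before consent (Error 5)' },
  { id: 'recaptcha-unblocked', tag: 'script', attr: 'src', pattern: /google\.com\/recaptcha/i,
    message: 'reCAPTCHA executes before consent (Error 5)' },
  { id: 'youtube-tracking', tag: 'iframe', attr: 'src', pattern: /youtube\.com\//i,
    message: 'YouTube embed without privacy-enhanced mode (Error 5): use youtube-nocookie.com or a two-click embed' },
];

function scanHtml(html) {
  const findings = [];
  const requiredContacts = new Set();
  const tagRe = /<(link|script|iframe|form|input)\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const name = m[1].toLowerCase();
    const attrs = parseAttrs(m[0]);
    if (name === 'script' && !isExecutableScript(attrs)) continue; // parked by the consent plugin
    for (const r of URL_RULES) {
      if (r.tag === name && r.pattern.test(attrs[r.attr] || '')) {
        findings.push({ rule: r.id, detail: attrs[r.attr], message: r.message });
      }
    }
    if (name === 'form' && /^http:\/\//i.test(attrs.action || '')) {
      findings.push({ rule: 'form-over-http', detail: attrs.action, message: 'Form submits over plain HTTP (Error 4)' });
    }
    if (name === 'input') {
      const type = (attrs.type || 'text').toLowerCase();
      if ((type === 'email' || type === 'tel') && 'required' in attrs) requiredContacts.add(type);
      if (type === 'checkbox' && 'checked' in attrs) {
        findings.push({ rule: 'preselected-checkbox', detail: attrs.name || '', message: 'Pre-ticked checkbox is not valid consent (Errors 3 and 4)' });
      }
    }
  }
  if (requiredContacts.has('email') && requiredContacts.has('tel')) {
    findings.push({ rule: 'both-contacts-required', detail: 'email+tel', message: 'Email and phone are both mandatory (Error 4): require only one' });
  }
  return findings;
}

// Constructed sample page exhibiting several of the errors (not a real site).
const SAMPLE_HTML = `
<head>
  <link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto&display=swap">
  <script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
  <script type="text/plain" data-service="google-maps" src="https://maps.googleapis.com/maps/api/js?key=EXAMPLE"></script>
</head>
<body>
  <iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ"></iframe>
  <form action="http://kanzlei.example/kontakt" method="post">
    <input type="email" name="email" required>
    <input type="tel" name="phone" required>
    <input type="checkbox" name="newsletter" checked> Newsletter
  </form>
</body>`;

// Command-line use: node gdpr-check.js page.html (no argument: scan the sample).
if (typeof require === 'function' && require.main === module) {
  const fs = require('fs');
  const html = process.argv[2] ? fs.readFileSync(process.argv[2], 'utf8') : SAMPLE_HTML;
  for (const f of scanHtml(html)) console.log(`[${f.rule}] ${f.message} (${f.detail})`);
}
```

Saved as, say, gdpr-check.js, it is run with node gdpr-check.js page.html; without an argument it scans the built-in sample. It cannot see redirects, response headers or what a script does after it runs, so treat its output as a to-do list for the browser's network tab, not as a compliance verdict.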
GDPR check for your law firm website
OMmatic checks your law firm website for the most common GDPR errors and implements the technical corrections in WordPress.
Recommended tools for WordPress law firms
Consent Management
Borlabs Cookie (paid, approx. €39/year) or Complianz (freemium) are the most reliable options. Both support the IAB TCF framework and can be combined with Google Tag Manager. Important: keep the plugin updated, as GDPR interpretations change, and re-test the banner in a private browser window after every update: nothing in the statistics or marketing categories may fire before you click Accept.
Google Fonts locally
OMGF (Optimize My Google Fonts) automates local hosting of Google Fonts in WordPress. It downloads the font files, rewrites the stylesheet references to point at your own server, removes the external Google requests, and can be re-run after theme or plugin updates. The basic version is free; paid extensions cover more complex setups.
Analytics without consent
Matomo (formerly Piwik) can be self-hosted and configured so that no personal data leaves your server and, in the common assessment, no consent banner is needed. Requirements: IP anonymisation enabled (at least the last two bytes masked), cookieless tracking, no cross-site or user-ID tracking, data stored only on your own server, no sharing with third parties. There is an official Matomo plugin for WordPress.
Frequently Asked Questions
Do I need a lawyer to have my website GDPR compliant?
Not for the technical fundamentals, but yes for a sound legal assessment. The measures described in this article are technical in nature and can be implemented by your web developer or a law firm marketing service provider. We also recommend an individual legal review of your entire data processing activities.
What is the biggest risk for law firms in the event of GDPR violations?
Warnings from competitors and reputational damage. Fines from data protection authorities are rarely the biggest risk for minor violations. A warning letter from a competitor or a client complaint that exposes your data protection practices is far more dangerous.
Is a privacy notice in the footer sufficient instead of a cookie banner?
No, not for cookies that require consent. A privacy notice in the footer provides information about data processing, but does not replace active consent for non-essential cookies and tracking tools. Both are required.
Conclusion
A GDPR-compliant law firm website is not a one-off project but an ongoing process: new tools are added, requirements change, and court rulings clarify the legal situation. The best approach is a solid technical foundation, managed with the right plugins, combined with regular audits. You can find all further information on data protection and legally compliant law firm marketing at [website address] under Data protection and compliance for lawyers.
Making a law firm's website technically and legally secure
OMmatic implements GDPR-compliant consent management, optimizes Google Fonts and ensures that your WordPress website meets current requirements.