GDPR Without the Panic: A Privacy-Correct Website for Small Businesses
- gdpr
- privacy
- dsgvo
- web
Most small business websites in South Tyrol are quietly breaking EU privacy law — not through bad intentions, but through three or four default choices that looked harmless. Here is how to fix them before the Garante or a data-protection authority knocks.
A hotel owner in Bolzano once told me his web developer had assured him: 'You have a cookie banner, you are fine.' He was not fine. His site was loading Google Fonts directly from Google's servers, embedding a YouTube video without any consent step, and his cookie banner's 'Reject' button was buried three clicks deep. Each of those three issues, on its own, has been the basis for a damages award or a regulatory fine in Germany or Italy. Fixing all of them took me four hours of work. Setting them up correctly from the beginning would have taken the same four hours, and saved the anxiety.
Why Small Businesses Are Disproportionately at Risk
Large companies have legal teams that read every Garante opinion and adjust accordingly. A Hofladen, a three-star hotel, a local Handwerker: they do not. They rely on whoever built their website, and whoever built their website often copy-pasted a template from 2019. Privacy law has moved a long way since then. The Italian Garante per la protezione dei dati personali has issued guidance and fines specifically around cookie banners and third-party scripts. In Germany, the Landgericht München I ruled in January 2022 that loading Google Fonts from Google's CDN transfers personal data (the visitor's IP address) to the United States without a legal basis, and awarded the visitor damages; the reasoning applies anywhere the GDPR does. These are not edge cases. They are the default configuration of millions of websites.

The Four Most Common Mistakes
- Google Fonts loaded from fonts.googleapis.com and fonts.gstatic.com: every page load sends the visitor's IP address to Google's servers before the page has rendered, without consent.
- Google Maps or YouTube embeds that initialize on page load: the iframe sets third-party cookies and sends the visitor's IP address and the page URL to Google before the user has agreed to anything.
- Analytics (Google Analytics, Facebook Pixel) running without prior consent: this is the most common violation and the one Garante enforcement focuses on most.
- A cookie banner with a pre-ticked 'Accept all' checkbox, or a 'Reject' option that requires navigating through a settings panel: a pre-ticked box does not produce valid consent (CJEU, Planet49, C-673/17), and the Garante's cookie guidelines require that rejecting be as easy as accepting.
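The first three mistakes can be found by reading the HTML your server sends. The following audit function is an added example, not code from the original post: it scans a page for external font references, Google Maps and YouTube embeds, and Google Analytics or Meta Pixel tags, including the inline `gtag(` and `fbq(` snippets that load the tag without naming the origin in a `src` attribute. The origin list and the sample page are constructed for illustration; extend the list with the chat widgets and share buttons your own pages use. The banner itself cannot be judged statically and has to be clicked through by hand.

```typescript
// Added example: static audit of a page for third-party fonts, embeds and tags.
// Rules and sample HTML are constructed here; extend RULES for your own widgets.

export type Finding = {kind: 'font' | 'embed' | 'analytics'; url: string; fix: string};

// Hosts that mean a data leak. `path` narrows hosts that also serve harmless content.
const RULES: Array<{kind: Finding['kind']; host: RegExp; path?: RegExp; fix: string}> = [
  {kind: 'font', host: /^fonts\.(googleapis|gstatic)\.com$/i, fix: 'self-host the font files'},
  {kind: 'embed', host: /(^|\.)youtube(-nocookie)?\.com$/i, path: /^\/embed\//, fix: 'click-to-load placeholder behind consent'},
  {kind: 'embed', host: /(^|\.)google\.com$/i, path: /^\/maps\//, fix: 'static map image behind consent'},
  {kind: 'analytics', host: /(^|\.)(google-analytics|googletagmanager|doubleclick)\.(com|net)$/i, fix: 'gate behind consent or switch to cookieless analytics'},
  {kind: 'analytics', host: /(^|\.)(connect\.facebook\.net|facebook\.com)$/i, fix: 'gate the pixel behind consent'},
];

// Inline snippets that load a tag at runtime even when no <script src> names the origin.
const INLINE_TAGS: Array<{re: RegExp; fix: string}> = [
  {re: /\bgtag\s*\(|\bga\s*\(\s*['"]create/, fix: 'Google Analytics inline tag: gate behind consent'},
  {re: /\bfbq\s*\(\s*['"]init/, fix: 'Meta Pixel inline tag: gate behind consent'},
];

function classify(rawUrl: string): Finding | null {
  let u: URL;
  try {
    // Relative and protocol-relative (//fonts.gstatic.com/...) URLs both resolve against this base.
    u = new URL(rawUrl, 'https://example.invalid/');
  } catch {
    return null;
  }
  if (u.hostname === 'example.invalid') return null; // same-origin reference: fine
  for (const r of RULES) {
    if (r.host.test(u.hostname) && (!r.path || r.path.test(u.pathname))) {
      return {kind: r.kind, url: rawUrl, fix: r.fix};
    }
  }
  return null;
}

export function auditHtml(html: string): Finding[] {
  const findings: Finding[] = [];
  // Every src/href on link, script, iframe and img tags.
  const attr = /<(?:link|script|iframe|img)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  let m: RegExpExecArray | null;
  while ((m = attr.exec(html)) !== null) {
    const f = classify(m[1]);
    if (f) findings.push(f);
  }
  // Bodies of inline <script> elements (those without a src attribute).
  const inline = /<script\b(?![^>]*\bsrc=)[^>]*>([\s\S]*?)<\/script>/gi;
  while ((m = inline.exec(html)) !== null) {
    for (const t of INLINE_TAGS) {
      if (t.re.test(m[1])) findings.push({kind: 'analytics', url: '(inline script)', fix: t.fix});
    }
  }
  return findings;
}

// Constructed sample page: three violations, two harmless same-origin references.
export const SAMPLE_HTML = `<!doctype html><html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter&display=swap">
<link rel="stylesheet" href="/styles.css">
<script>window.dataLayer=[];function gtag(){dataLayer.push(arguments)}gtag('js',new Date());gtag('config','G-EXAMPLE');</script>
</head><body>
<iframe src="https://www.youtube-nocookie.com/embed/abc123"></iframe>
<img src="/img/hotel.jpg" alt="">
<script src="/stats/script.js" defer></script>
</body></html>`;
```

Run it over the HTML of each page template (`curl -s https://your-site | ...` piped into `auditHtml`). A clean result is necessary but not sufficient: scripts added by a tag manager or a consent tool at runtime only show up in the browser's network tab, so check that too after the static pass.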
Self-Hosting Fonts: One Line of Config
If you use Next.js, which I use for almost every site I build in Südtirol, the fix for Google Fonts is a single import. The next/font/google module downloads the font files once, at build time, and serves them from your own domain under /_next/static/media/. Zero requests to Google at runtime: the only machine that ever talks to Google is your build server, and your visitors' IP addresses never leave your origin. Here is what that looks like:
```ts
// next.config.ts – nothing to configure: next/font self-hosts automatically.
// The real work is making sure NO Google Fonts <link> tag is left anywhere in
// the project; search the code base for fonts.googleapis.com and remove it.
import type {NextConfig} from 'next';

const nextConfig: NextConfig = {};

export default nextConfig;
```

```tsx
// app/layout.tsx – serve fonts from YOUR domain, not Google's CDN.
import type {ReactNode} from 'react';
import {Inter} from 'next/font/google';

// next/font downloads the font at BUILD TIME and serves it from
// /_next/static/media/ on your own origin. Zero runtime requests to
// fonts.googleapis.com or fonts.gstatic.com from the visitor's browser.
const inter = Inter({
  subsets: ['latin'],
  display: 'swap',
  // Optional: restrict to only the weights you actually use.
  weight: ['400', '600', '700'],
});

export default function RootLayout({children}: {children: ReactNode}) {
  return (
    <html lang="en" className={inter.className}>
      <body>{children}</body>
    </html>
  );
}
```

If you are on a different stack, the answer is the same in principle: download the font files, put them on your server, and reference them from your own domain with @font-face. Google Fonts itself offers a download option. Bunny Fonts is a GDPR-friendly CDN alternative hosted in Europe, but any CDN, European or not, still receives every visitor's IP address; only self-hosting removes the third party entirely. Either way, you stop the invisible data leak.
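Removing the link is the fix; what keeps it fixed is a Content-Security-Policy that makes the rule fail closed. The block below is an added example, not code from the original post: `font-src 'self'` means that if a theme update or plugin ever re-adds a fonts.googleapis.com link, the browser refuses the request instead of silently sending the visitor's IP, and reports the violation. The only third-party frame origins allowed are the two a consent gate injects after the visitor accepts. The `/api/csp-report` endpoint is an assumed path you would implement to log violations; `headers()` is Next.js' own config API, the policy string is ours.

```typescript
// Added example: a CSP that enforces self-hosted fonts and gated embeds.
// /api/csp-report is an assumed endpoint; everything else is standard CSP syntax.

const SELF = "'self'";

// Frame origins allowed ONLY because the consent gate injects them after the
// visitor accepts. Every other external origin is blocked by the browser.
const GATED_FRAME_ORIGINS = ['https://www.youtube-nocookie.com', 'https://www.google.com'];

export function buildCsp(opts: {scriptNonce?: string; extraFrameOrigins?: string[]} = {}): string {
  const directives: Array<[string, string[]]> = [
    ['default-src', [SELF]],
    // Next.js emits inline scripts for hydration: pass a per-request nonce from
    // middleware to drop 'unsafe-inline' (see the Next.js CSP guide).
    ['script-src', opts.scriptNonce ? [SELF, `'nonce-${opts.scriptNonce}'`] : [SELF, "'unsafe-inline'"]],
    ['style-src', [SELF, "'unsafe-inline'"]],
    ['font-src', [SELF]], // the line that enforces "no fonts from Google"
    ['img-src', [SELF, 'data:']],
    ['connect-src', [SELF]], // self-hosted analytics posts to your own origin
    ['frame-src', GATED_FRAME_ORIGINS.concat(opts.extraFrameOrigins || [])],
    ['frame-ancestors', ["'none'"]],
    ['base-uri', [SELF]],
    ['form-action', [SELF]],
    ['report-uri', ['/api/csp-report']], // assumed endpoint that logs violations
  ];
  return directives.map(([name, values]) => `${name} ${values.join(' ')}`).join('; ');
}

// Drop-in for next.config.ts: `headers()` is the Next.js API, the policy is ours.
export async function headers() {
  return [
    {
      source: '/(.*)',
      headers: [
        {key: 'Content-Security-Policy', value: buildCsp()},
        {key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin'},
      ],
    },
  ];
}

// Minimal evaluator for the policy above, so you can check a URL before the
// browser does. It understands 'self' and exact origins only (no wildcards,
// scheme sources, hashes or nonces), which is all this policy uses for fetches.
export function allowedByCsp(directive: string, url: string, siteOrigin: string, csp: string = buildCsp()): boolean {
  const parsed: Record<string, string[]> = {};
  for (const part of csp.split('; ')) {
    const tokens = part.split(' ');
    parsed[tokens[0]] = tokens.slice(1);
  }
  // Fetch directives that are absent fall back to default-src.
  const sources = parsed[directive] || parsed['default-src'] || [];
  const origin = new URL(url).origin;
  return sources.indexOf(origin) !== -1 || (sources.indexOf(SELF) !== -1 && origin === siteOrigin);
}
```

Deploy it first as `Content-Security-Policy-Report-Only` for a week: the reports tell you exactly which forgotten widget still phones home, without breaking the site while you fix it.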
The Consent Gate: Load Nothing Until the User Decides
The core rule of the GDPR and the ePrivacy Directive is simple: you cannot drop tracking cookies or send data to third parties before you have the user's freely given, specific, informed and unambiguous consent, and you must be able to show afterwards that you had it (Art. 7 GDPR). That means Google Maps, YouTube embeds and analytics scripts must not load on page load. They must wait behind a gate: a static placeholder (a map image, a video thumbnail) with a short note on what loading the embed will send to whom. When the user accepts, the gate opens. When the user rejects, nothing loads. Withdrawing consent later must be as easy as giving it. Here is a minimal consent-gate pattern:

```ts
// lib/consent-gate.ts – never load third-party scripts until the user says yes.
// This pattern satisfies GDPR/ePrivacy: no cookies or tracking before consent.
// Client-only: it touches localStorage and the DOM, so import it from a
// 'use client' component (the banner) and call loadSavedConsent() in an effect.
export type ConsentState = {analytics: boolean; maps: boolean; youtube: boolean};

const STORAGE_KEY = 'gdpr_consent';
// Bump this whenever the purposes or the privacy policy change: older records
// are then ignored and the banner asks again.
const CONSENT_VERSION = 1;

let consent: ConsentState = {analytics: false, maps: false, youtube: false};
// A script injected twice would double-count visitors; remember what is loaded.
let analyticsLoaded = false;

export function getConsent(): ConsentState {
  return {...consent};
}

export function setConsent(update: Partial<ConsentState>) {
  consent = {...consent, ...update};
  // Persist the choice with timestamp and policy version: the banner does not
  // re-appear on every page, and you can demonstrate consent (GDPR Art. 7(1)).
  localStorage.setItem(
    STORAGE_KEY,
    JSON.stringify({version: CONSENT_VERSION, ts: new Date().toISOString(), ...consent}),
  );
  applyConsent();
}

// Withdrawal must be as easy as consenting (Art. 7(3)). Third-party code that
// has already run cannot be un-run, so clear the record and reload the page.
export function withdrawConsent() {
  localStorage.removeItem(STORAGE_KEY);
  location.reload();
}

// Returns true if a valid saved decision exists, i.e. the banner can stay hidden.
export function loadSavedConsent(): boolean {
  try {
    const raw = localStorage.getItem(STORAGE_KEY);
    if (!raw) return false;
    const saved = JSON.parse(raw);
    if (!saved || saved.version !== CONSENT_VERSION) return false;
    consent = {analytics: !!saved.analytics, maps: !!saved.maps, youtube: !!saved.youtube};
    applyConsent();
    return true;
  } catch {
    return false; // corrupt storage: treat as "no decision yet"
  }
}

// Also call this after client-side navigations (e.g. in a usePathname effect):
// embeds are idempotent, so placeholders rendered by the new page get picked up.
export function applyConsent() {
  if (consent.analytics && !analyticsLoaded) {
    analyticsLoaded = true;
    loadAnalytics();
  }
  if (consent.maps) loadMaps();
  if (consent.youtube) loadYouTube();
}

function loadAnalytics() {
  // Example: inject a self-hosted Umami or Plausible snippet.
  const s = document.createElement('script');
  s.src = '/stats/script.js'; // served from YOUR server, not a third-party CDN
  s.defer = true;
  document.head.appendChild(s);
}

// Swap each static placeholder for a live iframe only after consent.
function replacePlaceholders(selector: string, srcFor: (el: HTMLElement) => string) {
  document.querySelectorAll<HTMLElement>(selector).forEach(el => {
    const iframe = document.createElement('iframe');
    iframe.src = srcFor(el);
    iframe.loading = 'lazy';
    iframe.referrerPolicy = 'strict-origin-when-cross-origin';
    el.replaceWith(iframe);
  });
}

function loadMaps() {
  replacePlaceholders('[data-maps-placeholder]', el => `https://www.google.com/maps/embed?pb=${el.dataset.mapsId}`);
}

function loadYouTube() {
  // youtube-nocookie.com sets no cookie before playback but still sends the
  // visitor's IP address to Google, so it stays behind the gate like everything else.
  replacePlaceholders('[data-yt-placeholder]', el => `https://www.youtube-nocookie.com/embed/${el.dataset.ytId}`);
}
```

Analytics That Do Not Require Consent
Here is a practical shortcut many small businesses do not know about: you can run website analytics with no cookie banner at all, if you use a cookieless, privacy-friendly analytics tool. Plausible Analytics (hosted in the EU), self-hosted Umami, and Fathom are the three I recommend most. They collect aggregate data (page views, referrers, country) without setting any cookies, without fingerprinting visitors and, if you pick EU hosting or run the tool yourself, without sending data outside Europe. The Garante's cookie guidelines of June 2021, in force since January 2022, treat analytics as exempt from consent when the tool does not identify individuals, truncates at least the last octet of the IP address before storing anything, and does not combine the data with other processing or share it across sites. You still have to describe the tool in your privacy policy. Simpler banner, simpler codebase, cleaner data.
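What "cookieless" means in practice is easiest to see from what such a tool is allowed to write to disk. The block below is an added example, not code from the original post and not the code of any analytics product: it takes raw hits, truncates the IP address as the Garante requires for IPv4 (last octet zeroed), reduces the referrer to its hostname so that no search terms or session tokens end up in your statistics, and aggregates per page without ever storing a cookie id, user agent or full IP. Keeping only the first 48 bits of an IPv6 address mirrors common analytics practice and is our assumption; the sample hits are constructed.

```typescript
// Added example: the storage side of cookieless analytics. Sample hits are
// constructed; IPv6 /48 truncation is an assumption modelled on common practice.

export type RawHit = {ip: string; path: string; referrer: string; country: string; userAgent: string};
// What is written to disk: no cookie id, no user agent, no full IP address.
export type StoredEvent = {path: string; referrerHost: string; country: string; network: string};
export type PageStats = {
  views: number;
  networks: number; // distinct truncated networks: a coarse stand-in for "unique visitors"
  referrers: Record<string, number>;
  countries: Record<string, number>;
};

// Expand "::" shorthand into eight groups and normalise leading zeros.
function expandIpv6(addr: string): string[] {
  const halves = addr.split('::');
  if (halves.length > 2) throw new Error(`invalid IPv6 address: ${addr}`);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) throw new Error(`invalid IPv6 address: ${addr}`);
  const groups: string[] = [];
  head.forEach(g => groups.push(g));
  for (let i = 0; i < missing; i++) groups.push('0');
  tail.forEach(g => groups.push(g));
  return groups.map(g => {
    if (!/^[0-9a-f]{1,4}$/i.test(g)) throw new Error(`invalid IPv6 address: ${addr}`);
    return g.replace(/^0+(?=.)/, '').toLowerCase();
  });
}

// IPv4: zero the last octet (the Garante's minimum). IPv6: keep the /48 prefix.
export function maskIp(ip: string): string {
  if (ip.indexOf(':') !== -1) {
    const groups = expandIpv6(ip.split('%')[0]); // drop any zone id such as %eth0
    return groups.slice(0, 3).join(':') + '::';
  }
  const parts = ip.split('.');
  if (parts.length !== 4 || parts.some(p => !/^\d{1,3}$/.test(p) || Number(p) > 255)) {
    throw new Error(`not an IP address: ${ip}`);
  }
  parts[3] = '0';
  return parts.join('.');
}

// Hostname only: referrer paths and query strings carry search terms and tokens.
export function referrerHost(referrer: string): string {
  try {
    return new URL(referrer).hostname;
  } catch {
    return '';
  }
}

export function toStoredEvent(hit: RawHit): StoredEvent {
  // The raw IP and the user agent are used here, in memory, and then dropped.
  return {
    path: hit.path.split('?')[0], // no UTM parameters or tokens in stored paths
    referrerHost: referrerHost(hit.referrer),
    country: hit.country,
    network: maskIp(hit.ip),
  };
}

export function aggregate(hits: RawHit[]): Record<string, PageStats> {
  const stats: Record<string, PageStats> = {};
  const seen: Record<string, Record<string, true>> = {};
  for (const hit of hits) {
    const e = toStoredEvent(hit);
    if (!stats[e.path]) {
      stats[e.path] = {views: 0, networks: 0, referrers: {}, countries: {}};
      seen[e.path] = {};
    }
    const s = stats[e.path];
    s.views += 1;
    seen[e.path][e.network] = true;
    s.networks = Object.keys(seen[e.path]).length;
    if (e.referrerHost) s.referrers[e.referrerHost] = (s.referrers[e.referrerHost] || 0) + 1;
    s.countries[e.country] = (s.countries[e.country] || 0) + 1;
  }
  return stats;
}

// Constructed sample: two hits from the same /24, one IPv6 visitor, one bad referrer.
export const SAMPLE_HITS: RawHit[] = [
  {ip: '192.0.2.10', path: '/zimmer?utm_source=newsletter', referrer: 'https://www.google.com/search?q=hotel+bozen', country: 'IT', userAgent: 'A'},
  {ip: '192.0.2.77', path: '/zimmer', referrer: '', country: 'IT', userAgent: 'B'},
  {ip: '2001:db8:85a3:8d3:1319:8a2e:370:7348', path: '/zimmer', referrer: 'https://booking.example/hotel', country: 'DE', userAgent: 'C'},
  {ip: '198.51.100.5', path: '/', referrer: 'not a url', country: 'AT', userAgent: 'D'},
];
```

Real tools replace the `networks` counter with a salted daily hash of IP and user agent that is never stored, which is how they count unique visitors without a cookie; the point here is what never reaches disk, and that masking happens before anything else does.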
EU Hosting: Keeping Data in Europe
A recurring theme in GDPR enforcement is data transfers to third countries, primarily the US. If your website is hosted on a US cloud provider's European data center, you are in a grey zone: the parent company is US-based and subject to US law that can compel access to the data. The safest path is a hosting provider incorporated and operating in Europe. For the sites I build, I use Hetzner (Germany) or Exoscale (headquartered in Switzerland, which holds an EU adequacy decision, with zones in Austria and Germany). Both offer excellent performance at reasonable prices, and both mean that your visitors' data never crosses an ocean. Hosting alone does not make a site compliant, though: a Google Fonts link or an ungated YouTube embed sends data to the US from a German server just the same. For a small Alto Adige business, European hosting also makes a good story: 'Your data stays in Europe, on German servers.' Guests notice.
The Privacy Policy and Impressum: Non-Negotiable
Italy requires every commercial website to publish a privacy policy (informativa sul trattamento dei dati) and the business identifiers that German speakers know as an Impressum: the Codice fiscale or Partita IVA, a physical address and a contact email. The Garante has fined small operators specifically for missing or incomplete privacy policies. This is not paperwork for its own sake: a clear privacy policy tells your visitors exactly what data you collect, why, and which third parties receive it, and that is the foundation of the trust relationship that good business runs on. I generate these with a lawyer-reviewed template I have adapted for the Italian and South Tyrolean context, then tailor it to each client's actual data practices. It takes about an hour and costs a fraction of what even a single Garante investigation would.
1. Self-host your fonts: remove the Google Fonts CDN link entirely.
2. Audit every third-party embed: Maps, YouTube, analytics, chat widgets, social share buttons.
3. Implement a consent gate that blocks all third-party scripts until the user actively accepts.
4. Build your cookie banner with equal-weight Accept and Reject buttons, no pre-ticked boxes.
5. Switch to cookieless analytics or self-host your analytics on EU infrastructure.
6. Move your hosting to a provider incorporated and operating inside the EU.
7. Have a lawyer-reviewed Privacy Policy and a complete Impressum/legal notice live on your site.
Privacy is not a legal checkbox. It is an architectural decision. Build it into the foundation and it costs almost nothing. Bolt it on after the fact and it will crack every time something changes.
If you run a hotel, a restaurant, a Hofladen, or any small business in Südtirol and you are not sure whether your website is compliant, I offer a one-hour privacy audit: I walk through your site, identify the specific issues, and give you a prioritized fix list. No jargon, no alarm, just a clear picture of where you stand and what it takes to stand on solid ground. Reach out at gabriel@jumpinotech.com.