Avoid GDPR Warnings 2026: BGH Rulings, Cost Traps & Checklist
Since March 2025, competitors have been able to issue warning letters for GDPR violations under UWG – the BGH opened the door. At the same time, a second BGH ruling confirms: the mere loss of control over personal data establishes a claim for damages – benchmark of 100 euros per affected person. For companies, this means: flawed cookie banners, outdated privacy policies or Google Fonts without local hosting are no longer just a fine risk, but an invitation to competitors.
Key Takeaways
- BGH ruling March 27, 2025 (I ZR 186/17): GDPR violations are now actionable via UWG warning letters. Competitors and consumer protection associations can sue without an assignment from an affected person (BGH).
- BGH ruling November 18, 2024 (VI ZR 10/24): loss of control over data = non-material damage. No minimum amount, benchmark around 100 euros per affected person (BGH).
- 266 GDPR fines in Germany in 2024, total amount 2.5 million euros. Highest single penalty: 900,000 euros for excessive retention periods (dsgvo-portal.de).
- Google Fonts warning letter wave 2022/2023: thousands of website operators affected. LG Munich stopped the wave as an abuse of rights (LG Munich I, 2023).
- AI Act labelling obligation from August 2026: violations of the labelling rules for AI-generated content could become subject to UWG warning letters under the same logic. Fines up to 35 million euros or 7% of annual turnover.
BGH March 2025: the turning point for GDPR warning letters
Until March 27, 2025, it was contested whether GDPR violations could be addressed via competition law warning letters at all. The BGH has now answered this definitively in the affirmative (I ZR 186/17, I ZR 222/19, I ZR 223/19): data protection breaches are deemed violations of market conduct rules under Section 3a UWG.
The reasoning: personal data is economically valuable. Anyone processing it unlawfully gains an unfair competitive advantage. Competitors and consumer protection associations can now pursue these violations under civil law – without an individual mandate from an affected person.
For companies, this means: in addition to fines from data protection authorities, a second front now opens up. A competitor that complies with the GDPR more rigorously can issue a warning letter – and make the rival pay the costs.
Loss of control = damage: the second BGH ruling
On November 18, 2024, the BGH ruled (VI ZR 10/24) in the context of the Facebook scraping data leak: mere loss of control over personal data establishes a claim for non-material damages under Art. 82 GDPR. There is no need to prove that the data was actually misused.
Important: a GDPR violation alone is not enough. A concrete damage must have occurred and be demonstrated. But the threshold is low – an uncontrolled data outflow is sufficient. The BGH benchmark: around 100 euros per affected person. In a data breach with 10,000 affected, that is a million euros of damages exposure.
“Data protection breaches qualify as violations of market conduct rules because personal data is economically valuable and failures in information duties obstruct informed consumer decisions.”
– BGH, ruling of March 27, 2025 (I ZR 186/17), translated
The five most common grounds for warning letters in 2025/2026
1. Flawed or missing privacy policy: the most frequent trigger. The policy must be complete, name all tools and service providers in use and be easy to find (footer link on every page). Missing details on hosting, tracking or embedded services are already enough for a warning letter.
2. Cookie banners without genuine opt-in: Section 25 TDDDG (since May 2024, previously TTDSG) requires active opt-in for cookies that are not technically necessary. Pre-ticked checkboxes have been illegal since the Planet49 ruling (ECJ 2019, BGH 2020). “Continued surfing = consent” is unlawful. Technical defects – cookies being set despite rejection – are particularly risky.
3. Google Fonts without local hosting: LG Munich (2022) ruled that the dynamic inclusion of Google Fonts transfers the user’s IP address to Google servers without consent. The subsequent mass warning letter wave was stopped as an abuse of rights, but the underlying legal view remains. Solution: host Google Fonts locally.
4. Newsletters without double opt-in: unsolicited email marketing without a demonstrable opt-in can be addressed under both Section 7 para. 2 UWG and GDPR. The burden of proof that consent exists lies with the company.
5. Tracking without consent: Google Analytics, Meta Pixel and comparable tools require informed, active consent before the first data transfer. If a tracking tool is not correctly named in the privacy policy, that is a separate violation in its own right.
Google Fonts: the warning letter wave and its lessons
In August 2022, a mass warning letter wave began: a Berlin lawyer sent thousands of claim letters on behalf of Martin Ismail and the “IG Datenschutz” – each with low three-digit amounts and short deadlines. The legal basis was the LG Munich ruling of January 2022 (Az. 3 O 17493/20), which had awarded 100 euros in damages for unauthorized IP transfer to Google.
The same court stopped the wave in March 2023 (Az. 4 O 13063/22): the mass warning letters were classified as abuse of rights because the sender had deployed an automated crawler. The right to damages for unauthorized Google Fonts embedding remains – only the systematic abuse was blocked.
What does a warning letter cost?
| Cost item | Amount | Basis |
|---|---|---|
| Lawyer fees (amount in dispute 5,000 euros) | approx. 808 euros | 1.3 business fee RVG + flat rate + VAT |
| Damages (loss of control) | approx. 100 euros/person | BGH VI ZR 10/24 (benchmark) |
| Fine from data protection authority | up to 20 million euros / 4% of turnover | Art. 83 GDPR |
Cost privilege for SMEs: for competition law warning letters from rivals, Section 13 para. 4 UWG waives cost reimbursement claims for companies with fewer than 250 employees. Below 100 employees, a first-time violation cannot trigger a demand for a cease-and-desist declaration with a penalty clause.
AI Act: the next warning letter field from August 2026
The EU AI Act (Art. 50) requires the labelling of AI-generated content from August 2026. Deepfakes – AI-generated or manipulated image, audio or video content that appears real – must be marked as such. The definition is deliberately broad: it covers not just people but also products, places and situations.
The warning letter risk: following the logic of the BGH’s March 2025 ruling, AI Act violations could also be treated as breaches of market conduct rules and pursued under UWG. The fines in the AI Act are severe: up to 35 million euros or 7 percent of global annual turnover. There is no case law yet – but the legal assessment is unambiguous.
Practical checklist: avoiding GDPR warning letters
- Review privacy policy: are all tools, hosting providers and third-party services named? Current date? Easy to find (footer link)? Data processing agreements signed with all providers?
- Test cookie banner: are cookies really only set after active opt-in? Is the “Reject” button as visible as “Accept”? No pre-ticked checkboxes? Verify technically – not just the UI.
- Host Google Fonts locally: download the fonts and serve them from your own server. No dynamic loading from fonts.googleapis.com. Also check Google Maps embeds and YouTube embeds.
- Document newsletter consents: keep double opt-in records. Every email must contain a working opt-out link. When in doubt: have a lawyer review it.
- Verify tracking consents: load Google Analytics, Meta Pixel and comparable tools only after active consent. Name them correctly in the privacy policy. Activate IP anonymization.
- Label AI content: AI Act obligation from August 2026. Already good practice now: transparently flag AI-generated texts, images or videos.
- Regular checks: run a GDPR scanner on your own site every quarter (Cookiebot, OneTrust or similar). Update the privacy policy completely once a year.
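The technical checks in the list above (remote Google Fonts, tracking scripts loaded before any consent, pre-ticked consent boxes) can be partly automated as a static scan of a page's HTML. The following is an added example, not code from the article or from any scanner it names; the hostname lists, the `type="text/plain"` convention for consent-gated scripts and the sample page are assumptions constructed for the demonstration.

```python
"""Static pre-check of one HTML page for the warning-letter triggers named in the article."""
from html.parser import HTMLParser

# Hosts whose presence in a live <link>/<script> means a third-party transfer at page load
GOOGLE_FONT_HOSTS = ("fonts.googleapis.com", "fonts.gstatic.com")
TRACKER_HOSTS = ("googletagmanager.com", "google-analytics.com", "connect.facebook.net")


class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (finding_kind, evidence)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # valueless attributes such as `checked` map to None
        if tag == "link":
            href = a.get("href") or ""
            if any(h in href for h in GOOGLE_FONT_HOSTS):
                self.findings.append(("google_fonts_remote", href))
        elif tag == "script":
            src = a.get("src") or ""
            # A script with a plain src executes while parsing, i.e. before any consent click.
            # Consent managers commonly park gated scripts as type="text/plain" and re-enable
            # them after opt-in (assumed convention); only ungated trackers are flagged.
            gated = (a.get("type") or "").lower() == "text/plain"
            if any(h in src for h in TRACKER_HOSTS) and not gated:
                self.findings.append(("tracker_before_consent", src))
        elif tag == "input" and a.get("type") == "checkbox" and "checked" in a:
            self.findings.append(("preticked_checkbox", a.get("name") or ""))


def scan_html(html: str) -> list:
    """Return the findings for one page, in document order."""
    p = _Collector()
    p.feed(html)
    return p.findings


# Constructed sample page: one remote font, one ungated GA tag, one gated Meta Pixel,
# one pre-ticked marketing box. The measurement id is a placeholder.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script type="text/plain" data-consent="marketing" src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head><body>
<input type="checkbox" name="marketing" checked> Marketing cookies
<input type="checkbox" name="newsletter"> Newsletter
</body></html>"""

if __name__ == "__main__":
    for kind, evidence in scan_html(SAMPLE_HTML):
        print(f"{kind}: {evidence}")
```

A static scan cannot see cookies written by JavaScript after load, so it complements, but does not replace, the browser-level cookie test the checklist calls for.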
Conclusion: compliance is no longer optional, it is competitive protection
The BGH ruling of March 2025 has changed the rules. GDPR compliance is no longer just an issue between companies and data protection authorities – it is a competitive factor. Anyone who doesn’t have their website under control hands competitors a free weapon.
The first step costs little: host Google Fonts locally (one hour of work), technically test the cookie banner (one afternoon) and have the privacy policy updated (one appointment with a lawyer). These three measures close the most common attack vectors – before a competitor finds them.
Frequently Asked Questions
Can competitors issue warning letters against me for GDPR violations?
Yes, since the BGH ruling of March 27, 2025 (I ZR 186/17). The BGH classified GDPR violations as breaches of market conduct rules under Section 3a UWG. Competitors and consumer protection associations can sue without an individual mandate from an affected person.
How much damages does a GDPR violation trigger?
In November 2024, the BGH set around 100 euros per affected person as the benchmark for loss of control over personal data. There is no de minimis threshold. In a data breach with many affected users, the amount adds up quickly. Individual courts have awarded up to 5,000 euros per person.
Do I have to host Google Fonts locally?
If you don’t obtain effective consent for the data transfer to Google: yes. LG Munich ruled in 2022 that dynamic inclusion without consent is a GDPR violation. The simplest solution: download the fonts and serve them from your own server. The same applies by analogy to Google Maps embeds and other externally embedded resources.
What does a GDPR warning letter cost?
Lawyer fees come to around 808 euros at an amount in dispute of 5,000 euros. On top of that is potential damages (about 100 euros per affected person). SMEs below 250 employees benefit from a cost privilege (Section 13 para. 4 UWG): cost reimbursement is waived for competition law warning letters. Below 100 employees, a first-time violation cannot trigger a demand for a cease-and-desist declaration with a penalty clause.
What role does the AI Act play for warning letters?
From August 2026, AI-generated content must be labelled (Art. 50 AI Act). Under the BGH logic, AI Act violations could also be pursued as market conduct breaches under UWG. The fines are high: up to 35 million euros or 7 percent of annual turnover. There is no case law yet, but the risk is real.