Is Your Law Firm Website GDPR-Compliant? 15 Common Mistakes

Analysis of the 15 most common GDPR violations found on law firm websites, with an explanation and a fix for each.

Introduction: Law Firms Under the Scrutiny of Data Protection Authorities

Law firms are, paradoxically, among the entities most often scrutinised for GDPR compliance, partly because, as legal experts, they are expected to know better. UODO (Poland's supervisory authority) and its counterparts elsewhere in the EU (CNIL, BfDI, AEPD) have fined law firms for violations that could easily have been detected and fixed. Here are the 15 most common mistakes.

1. No cookie consent or pre-ticked boxes

Pre-ticked consent boxes do not meet the definition of consent in Art. 4(11) GDPR, which requires an unambiguous indication of the data subject's wishes by a statement or a clear affirmative action. Recital 32 GDPR states that pre-ticked boxes do not constitute consent, the CJEU confirmed this in Planet49 (C-673/17), and EDPB Guidelines 05/2020 on consent restate it.

Fix: implement a banner with unchecked boxes by default and an equally visible reject button.

2. Privacy policy missing lawful basis

Art. 13(1)(c) GDPR requires stating the legal basis for each processing operation. A general statement "we process your data for marketing purposes" without citing Art. 6(1) GDPR is insufficient.

Fix: for each processing purpose, specify the legal basis (Art. 6(1)(a)-(f) GDPR), purpose, and data categories.

3. No reject button equal to the accept button

EDPB Guidelines 03/2022 on deceptive design patterns, the report of the EDPB Cookie Banner Taskforce (2023) and decisions of national authorities (CNIL, UODO) agree: refusing must be as easy as accepting, so a reject option must appear on the first layer of the banner and be as prominent and accessible as the accept button. Hiding it in a second-layer menu, or making it smaller or less contrasting, is non-compliant.

Fix: place "Reject All" next to "Accept All" with the same visual styling.

4. Contact form with no GDPR information notice

A contact form collecting personal data (name, email, message content) is a processing operation requiring information under Art. 13 GDPR at the time of data collection. Missing an information clause under the form is a direct violation.

Fix: add a brief information clause directly below the form with a link to the full privacy policy.

5. Analytics loaded before consent

Google Analytics, Hotjar and similar tools are usually embedded as ordinary script tags, so they set tracking cookies and transmit data the moment the page loads, before the visitor has made any choice. Storing or reading such cookies requires prior consent under Art. 5(3) of the ePrivacy Directive (as transposed into national law), and the processing that follows has no lawful basis under Art. 6(1) GDPR, because the consent the firm relies on has not yet been given.

Fix: implement conditional script loading — analytics can only fire after the user grants consent.

6. Google Fonts loaded from Google CDN (US data transfer)

Loading Google Fonts directly from fonts.googleapis.com transmits the visitor's IP address to Google, a transfer of personal data to the US, without the visitor's knowledge. LG München I treated exactly this as unlawful in its judgment of 20 January 2022 (3 O 17493/20) and awarded the visitor damages. A transfer to the US needs an appropriate mechanism (e.g., the recipient's certification under the EU-US Data Privacy Framework adequacy decision, or SCCs plus a transfer impact assessment), and the visitor must be informed of it.

Fix: self-host fonts locally or use system fonts.

7. WhatsApp button with no data processing notice

A "Message us on WhatsApp" button, whether a plain wa.me link or an embedded chat widget, initiates a data transfer to WhatsApp (Meta), including to servers in the US, and the visitor is usually not told. An embedded widget additionally loads Meta's script before the visitor has done anything. The button needs an information notice, and a widget needs the visitor's consent before it is activated.

Fix: before clicking, show information about data transfer to WhatsApp/Meta and require confirmation.

8. Missing DPO contact details (when required)

Art. 37(1) GDPR specifies when appointing a DPO is mandatory; under Art. 37(1)(c) this is the case when the core activities consist of large-scale processing of special categories of data (Art. 9) or of data relating to criminal convictions and offences (Art. 10). Law firms handling client medical records or criminal matters at scale may therefore be obliged to appoint one. Once a DPO is appointed, whether mandatorily or voluntarily, Art. 37(7) requires the firm to publish the DPO's contact details and communicate them to the supervisory authority.

Fix: verify whether the firm meets the Art. 37(1) thresholds. If it does, or if a DPO has been appointed voluntarily, publish the DPO's contact details on the website and notify the supervisory authority.

9. Privacy policy not updated for the EU AI Act

Art. 50 of the EU AI Act (applicable from 2 August 2026) requires that people interacting with an AI system such as a chatbot be told they are dealing with AI, unless this is obvious from the context. Independently of the AI Act, where a tool such as automated document analysis produces decisions falling under Art. 22 GDPR, Art. 13(2)(f) GDPR already requires the privacy policy to disclose the existence of that automated decision-making and meaningful information about the logic involved. Many firms use AI tools without reflecting this anywhere in their documentation.

Fix: update the privacy policy with a section on AI systems in use.

10. No retention periods stated

Art. 13(2)(a) GDPR requires stating the data retention period or criteria for determining it. The general formula "we retain data for as long as necessary" is insufficient — UODO has flagged this repeatedly.

Fix: state a specific period, or the criterion used to determine it, for each data category (for example: client file data, 10 years after case closure; marketing data, 3 years). The figures are illustrative and must follow from the professional rules and limitation periods that actually apply to the firm.

11. No mention of data subject rights

Art. 13(2)(b)-(d) GDPR requires information on the right of access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with the DPA. Many privacy policies list these rights in one sentence without practical instructions on how to exercise them.

Fix: provide an email address or form for submitting requests, and commit to responding without undue delay and in any event within one month (Art. 12(3) GDPR), extendable by two further months where requests are complex or numerous.

12. Third-party widgets (chat, maps) without consent

Google Maps, Calendly, Tidio Chat and similar widgets load third-party scripts, often from US providers, as soon as the page opens and without the visitor's knowledge. Like analytics, they need prior consent before anything is loaded, and the banner must describe their purpose under a category the visitor can decline (typically "external media" or "functional"), separately from analytics and marketing.

Fix: use lazy embed loading — the widget only loads after the user clicks it, with a data transfer notice shown first.
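Items 5, 7 and 12 come down to one mechanism: a third-party script must not execute until consent for its category exists. The code below is an added example written for this article, not code from the original page or from any vendor named in it. It assumes a convention, common in consent-management setups but not a standard, of writing each non-essential script as an inert `type="text/plain"` tag with `data-consent` and `data-src` attributes; the category names, script URLs and the shape of the stored consent object are illustrative.

```javascript
// Consent-gated activation of third-party scripts (browser code; the decision
// logic is pure so it can also be exercised outside a browser).
//
// Assumed page convention (not a standard): every non-essential third-party
// script is written as an inert tag. A browser neither executes nor fetches a
// script whose type is not a JavaScript MIME type, so nothing happens on load:
//
//   <script type="text/plain" data-consent="analytics"
//           data-src="https://www.googletagmanager.com/gtag/js"></script>
//   <script type="text/plain" data-consent="external_media"
//           data-src="https://assets.calendly.com/assets/external/widget.js"></script>
//
// No cookie is set until activateConsented() runs with the categories the
// visitor actually accepted in the banner.

const KNOWN_CATEGORIES = ['analytics', 'marketing', 'external_media']; // illustrative names

// Read the inert tags from a DOM (anything exposing querySelectorAll) into
// plain descriptors that the decision logic can work on.
function collectPending(doc) {
  return Array.from(
    doc.querySelectorAll('script[type="text/plain"][data-consent][data-src]'),
  ).map((el) => ({
    src: el.getAttribute('data-src'),
    category: el.getAttribute('data-consent'),
    element: el,
  }));
}

// Decide which pending scripts may run now. Only an explicit `true` for a known
// category counts; a missing or unknown category means "no consent", never a
// default yes.
function selectActivatable(pending, consent) {
  return pending.filter(
    (s) => KNOWN_CATEGORIES.includes(s.category) && consent[s.category] === true,
  );
}

// Swap one inert tag for a real script element, which the browser then loads.
function injectScript(descriptor, doc) {
  const live = doc.createElement('script');
  live.src = descriptor.src;
  live.async = true;
  // Keep the category on the live element so a later withdrawal can find it.
  live.setAttribute('data-consent', descriptor.category);
  descriptor.element.replaceWith(live);
  return live;
}

// Called from the banner's "Accept all" / "Save choices" handler, or from a
// click-to-load placeholder's confirm button with just that widget's category.
// Returns the activated URLs, which is useful for logging and tests.
function activateConsented(consent, doc = globalThis.document) {
  if (!doc) return []; // not in a browser: nothing to activate
  const activated = selectActivatable(collectPending(doc), consent);
  activated.forEach((d) => injectScript(d, doc));
  return activated.map((d) => d.src);
}

// Constructed consent states, shaped as the banner would persist them.
const REJECT_ALL = { analytics: false, marketing: false, external_media: false };
const ANALYTICS_ONLY = { analytics: true, marketing: false, external_media: false };

// Constructed descriptors shaped like collectPending()'s output (URLs illustrative).
const SAMPLE_PENDING = [
  { src: 'https://www.googletagmanager.com/gtag/js', category: 'analytics', element: null },
  { src: 'https://static.hotjar.com/c/hotjar.js', category: 'analytics', element: null },
  { src: 'https://assets.calendly.com/assets/external/widget.js', category: 'external_media', element: null },
  { src: 'https://example.invalid/tracker.js', category: 'tracking', element: null }, // unknown category
];

console.log('reject all ->', selectActivatable(SAMPLE_PENDING, REJECT_ALL).map((d) => d.src));
console.log('analytics only ->', selectActivatable(SAMPLE_PENDING, ANALYTICS_ONLY).map((d) => d.src));
```

The "Reject all" path is the important one to test: with every category false, or with a category the banner never offered, nothing is activated. Withdrawal of consent is not handled here; the scripts already running have to be stopped and their cookies deleted, which is the reason the live element keeps its `data-consent` marker.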

13. Newsletter signup missing unsubscribe information

A newsletter signup form must inform users of their right to withdraw consent and how to unsubscribe (Art. 7(3) GDPR). Missing unsubscribe instructions or hiding them is non-compliant with GDPR.

Fix: add next to the form: "You can withdraw consent at any time by clicking 'Unsubscribe' in the footer of any email."

14. Cookie wall: access denied without consent

Conditioning access to the website on accepting cookies is incompatible with consent being freely given (Art. 4(11) GDPR; Recital 42 adds that consent is not free if the data subject cannot refuse it without detriment). EDPB Guidelines 05/2020 state that a cookie wall does not produce valid consent, and national authorities, CNIL and UODO among them, have taken the same line in their guidance and decisions.

Fix: provide access to the website without requiring cookie acceptance. A "consent or pay" model is not ruled out, but the EDPB (Opinion 08/2024) and national authorities accept it only under strict conditions, including a genuinely equivalent alternative.

15. No record of processing activities (Article 30)

A record of processing activities (RoPA) is mandatory for organisations with 250 or more employees and, regardless of size, for those whose processing is not occasional, is likely to result in a risk to data subjects, or includes special categories of data or data relating to criminal convictions (Art. 30(5) GDPR). A law firm's handling of client files meets at least the first of these conditions, so in practice every firm must keep one. The RoPA is not published on the website, but it must be produced to the supervisory authority on request.

Fix: create and regularly update the RoPA. Include all categories of client, employee, and subcontractor data.

How to Automate Detection of These Mistakes

Manually checking 15 points on every law firm website is time-consuming. Tools such as Juralex Audit scan websites automatically for missing elements (GDPR clauses, cookie banner configuration, presence and quality of the privacy policy) and generate prioritised reports. This is particularly valuable for firms that manage the websites of several affiliated entities. Items that live outside the website, such as the RoPA (point 15) or whether the DPO threshold is met (point 8), still need a human review.
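Several of the 15 points can be found in the served HTML alone: third-party scripts that are not consent-gated (5, 12), fonts pulled from fonts.googleapis.com (6), a pre-ticked consent checkbox (1) and the absence of any privacy policy link (2, 4). The scanner below is an added example for this article, not Juralex Audit's code or that of any other product. It treats a script as gated when its type is not a JavaScript MIME type and it carries a `data-consent` attribute (an assumed convention, not a standard); the vendor host list, the rule names and the two sample pages are constructed for illustration.

```javascript
// Static scan of served HTML for the mechanically checkable mistakes on this
// list. Heuristic regex checks only: tags injected at runtime by a tag manager
// or consent platform are invisible here.

// Hosts whose scripts set tracking cookies or ship visitor data to a third
// party. Illustrative list; extend it for the vendors your sites actually use.
const THIRD_PARTY_HOSTS = [
  'googletagmanager.com', 'google-analytics.com', 'static.hotjar.com',
  'connect.facebook.net', 'assets.calendly.com', 'code.tidio.co', 'maps.googleapis.com',
];

// Common JavaScript MIME types; anything else makes the browser ignore the tag.
const JS_TYPES = /^(?:module|(?:text|application)\/(?:x-)?(?:java|ecma)script)$/;

// One attribute value (double-, single-quoted or bare) from a tag's attribute
// string; null when absent. The leading (^|\s) stops `type` matching `data-type`.
function attr(attrs, name) {
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = attrs.match(re);
  return m ? (m[1] ?? m[2] ?? m[3] ?? '') : null;
}

// Boolean attribute present in any form: `checked`, `checked=""`, `checked/`.
function hasFlag(attrs, name) {
  return new RegExp(`(?:^|\\s)${name}(?=\\s|=|/|$)`, 'i').test(attrs);
}

// Hostname of a URL; relative and protocol-relative URLs resolve against a
// dummy base so same-origin assets never look third-party.
function hostOf(url) {
  try { return new URL(url, 'https://placeholder.invalid/').hostname.toLowerCase(); } catch { return ''; }
}

// Gated (assumed convention): non-JavaScript type plus a data-consent category.
function isGatedScript(attrs) {
  const type = (attr(attrs, 'type') || 'text/javascript').toLowerCase();
  return !JS_TYPES.test(type) && attr(attrs, 'data-consent') !== null;
}

function scanHtml(html) {
  const findings = [];

  // (5)(12) Third-party scripts that would execute before any consent.
  for (const m of html.matchAll(/<script\b([^>]*)>/gi)) {
    const src = attr(m[1], 'src');
    if (!src) continue;
    const host = hostOf(src);
    const thirdParty = THIRD_PARTY_HOSTS.some((h) => host === h || host.endsWith('.' + h));
    if (thirdParty && !isGatedScript(m[1])) findings.push({ rule: 'ungated-third-party-script', detail: src });
  }

  // (6) Google Fonts pulled from Google's CDN.
  for (const m of html.matchAll(/<link\b([^>]*)>/gi)) {
    const href = attr(m[1], 'href') || '';
    if (['fonts.googleapis.com', 'fonts.gstatic.com'].includes(hostOf(href))) {
      findings.push({ rule: 'google-fonts-cdn', detail: href });
    }
  }

  // (1) Consent-type checkboxes already ticked before the visitor acts.
  for (const m of html.matchAll(/<input\b([^>]*)>/gi)) {
    if ((attr(m[1], 'type') || '').toLowerCase() !== 'checkbox') continue;
    const label = `${attr(m[1], 'name') || ''} ${attr(m[1], 'id') || ''}`.trim();
    if (/consent|cookie|newsletter|marketing|zgod/i.test(label) && hasFlag(m[1], 'checked')) {
      findings.push({ rule: 'pre-ticked-consent', detail: label });
    }
  }

  // (2)(4) No link to a privacy policy anywhere on the page.
  if (!/<a\b[^>]*href\s*=\s*["'][^"']*(?:privacy|polityka-prywatnosci)[^"']*["']/i.test(html)) {
    findings.push({ rule: 'no-privacy-policy-link', detail: 'no <a href> pointing at a privacy policy' });
  }
  return findings;
}

// Constructed sample of a non-compliant page (not a real site).
const BAD_PAGE = `<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Lato&display=swap">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-TEST"></script>
</head><body>
<form><input type="checkbox" name="newsletter_consent" checked> Subscribe</form>
<script src="https://assets.calendly.com/assets/external/widget.js"></script>
<script src="/js/site.js"></script>
</body></html>`;

// The same page after applying the fixes from items 1, 2, 5, 6 and 12.
const GOOD_PAGE = `<html><head>
<link rel="stylesheet" href="/fonts/lato.css">
<script type="text/plain" data-consent="analytics" data-src="https://www.googletagmanager.com/gtag/js?id=G-TEST"></script>
</head><body>
<a href="/privacy-policy">Privacy policy</a>
<form><input type="checkbox" name="newsletter_consent"> Subscribe</form>
<script type="text/plain" data-consent="external_media" data-src="https://assets.calendly.com/assets/external/widget.js"></script>
<script src="/js/site.js"></script>
</body></html>`;

console.log('bad page  ->', scanHtml(BAD_PAGE).map((f) => f.rule));
console.log('good page ->', scanHtml(GOOD_PAGE).map((f) => f.rule));
```

Regex over static HTML is deliberately crude: tags added later by a tag manager, and cookies set by scripts the banner activates incorrectly, never appear in the markup, so a clean result means "nothing obviously wrong in the HTML", not compliance. Loading the page in a headless browser and comparing the cookies and network requests made before and after clicking "Reject all" is the check that catches the rest.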