> Problem as always is, it's all talk and (almost) zero enforcement in Germany.
I have the exact opposite impression. Even in a small start-up, every new external supplier will be judged on whether there is any customer data processing in the US. People are super afraid of Google Analytics. If you use Google Fonts on your website you will get a cease and desist letter in no time from scummy lawyers. You practically need an external company to manage your cookie banner because it is a legal risk.
The first example isn't enforcement, it is due diligence and compliance in companies. That does happen, of course, sometimes in a useful way, sometimes to just have some fig leaf to point at in case of a complaint.
Google Analytics and Google Fonts are regularly enforced, but not by data protection officials. "Enforcement" of those is, as you've said, done by scummy private lawyers, scanning websites and sending expensive letters ("Abmahnungen") en masse. Basically, due to a weird precedent, those lawyers are allowed to give you unasked advice on your wrongdoing and bill you for it. But that is, afaik, a specialty of German law, and mostly limited to stuff that can be fully automated. So while you can scan for a website using Google Fonts, you cannot as easily scan for someone using Office365. Although you might, maybe, get a hint by looking at the DNS MX records.
What needs to be true about me and my website to possibly be subject to Abmahnungen? Does my website need to be hosted in Germany? Do I need to reside in Germany?
Just any address. Their point is, it needs to be a physical address - so in case someone wants to sue the website, they have somewhere to send the physical letters to.
In other words, many people got expensive physical letters, to make it in general easier for other people to send them expensive physical letters.
But yes, as far as I know, this only affects Germans. But once we control the EU, who knows.
But if I have no imprint, which is a common cause of the Abmahnungen? I am curious because I am a German citizen, but haven't lived there in a long time. Right now I just ignore all of that legal German stuff. What would need to change for me to worry? Moving residence to Germany? The server being there?
Not really feasible in a lot of cases without giving up things the business absolutely wants. I work on an e-commerce site for a large company. Marketing wants to track all clicks and user inputs and get heat maps to improve the conversion based on their findings. They want to know where their users come from, where they go to see if their campaigns work. They also want Google Maps integration to find retail stores. They want users who come back 2 days later to retain their shopping cart and their preferences even without a login in case they checkout without an account. They want dynamic A/B testing based on user behaviour and they don’t want to/can’t reinvent all these solutions so they go buy them and the devs get to integrate them - whether they like it or not and some things simply make it so that you need to store some data on the client and communicate it on the client in some way while not being completely anonymous.
So cookie banner it is and to be sure you don’t get sued you buy that elsewhere.
> Marketing wants to track all clicks and user inputs and get heat maps to improve the conversion based on their findings. They want to know where their users come from, where they go to see if their campaigns work. They also want Google Maps integration to find retail stores. They want users who come back 2 days later to retain their shopping cart and their preferences even without a login in case they checkout without an account. They want dynamic A/B testing based on user behaviour and they don’t want to/can’t reinvent all these solutions so they go buy them and the devs get to integrate them - whether they like it or not and some things simply make it so that you need to store some data on the client and communicate it on the client in some way while not being completely anonymous.
Speaking as a user, I don't want your company to know or do any of those things. I'm very glad these practices are getting outlawed and I'd like your marketing team to know they can get hit by a bus for all I care, the world would be a better place without their cancerous doings. Psychological warfare against the general public is despicable.
I’m with you. In fact I have had more meetings with these people arguing against these practices than I can count. However every single customer-facing project I have worked on so far that tries to sell something uses practices like these. Sometimes even worse. I guess it’s a result of being profit oriented before anything else and it works apparently, otherwise it would not be done. So the change you advocate for is one I would like to see too but it challenges structures which are so pervasive I’m not sure they can be easily reversed. If this company got fined for using Google Analytics their answer would not be to re-evaluate tracking, they would make their legal department lay out just how far they can stretch it while still getting away with it and then do that.
You don't need notifications for purely functional cookies. If you have a Nextcloud instance that only uses a cookie to remember your user identity throughout a login session, no notifications are required. If you also feed the value of the Nextcloud cookie into a tracking system, that's when a notification is required. And only then.