The General Data Protection Regulation applies to every website with EU visitors — regardless of where your business is based. With €7.1 billion in fines issued and enforcement accelerating, the grace period is over. Here is what your website must do.
Updated June 2026
Includes 2026 enforcement data
GDPR enforcement — 2026
Total fines issued since May 2018: €7.1B
Fines issued in 2025 alone: €1.2B
Recorded enforcement actions: 2,685
Breach notifications received by DPAs: 443/day
Largest recent fines:
€1.2B: Meta Platforms, unlawful EU-US data transfers (2023, Irish DPC)
€530M: TikTok, unlawful EU-China data transfers (May 2025, Irish DPC)
€325M: Google, Gmail ads and signup consent (Sep 2025, CNIL)
The General Data Protection Regulation (GDPR) is a European Union regulation that came into force on 25 May 2018. It sets out rules for how personal data — any information relating to an identified or identifiable person — must be collected, stored, processed, and protected.
GDPR replaced the 1995 EU Data Protection Directive. It introduced much stricter requirements, substantial fines for non-compliance, and — critically — an extraterritorial reach that made it apply to organisations worldwide, not just those based in Europe.
GDPR applies to your website even if you are not in the EU
Under Article 3(2), GDPR applies to any organisation that offers goods or services to EU residents, or monitors the behaviour of EU residents — including through website analytics, advertising pixels, or session recording. If your website has visitors from EU member states and you use Google Analytics, Meta Pixel, Hotjar, or similar tools, GDPR applies to you.
GDPR and the ePrivacy Directive — both apply to websites
GDPR works alongside the ePrivacy Directive (the "Cookie Law") for websites. GDPR sets the standard for what valid consent looks like — freely given, specific, informed, and unambiguous. The ePrivacy Directive requires that consent be obtained before non-essential cookies are placed on a visitor's device. In practice, a compliant cookie consent banner must satisfy both.
Core requirement
GDPR cookie consent — what valid consent requires
GDPR Article 4(11) defines consent as "any freely given, specific, informed and unambiguous indication of the data subject's wishes." For cookies and tracking technologies, this translates into four non-negotiable requirements.
1. Freely given
No coercion, no cookie walls blocking access to the site. Pre-ticked boxes do not count. Consent must be a genuine choice.
2. Specific
Granular consent required — separate opt-in for analytics, advertising, and functional cookies. One "Accept All" button alone is not sufficient.
3. Informed
Visitors must know which cookies fire, what each category does, which third parties receive data, and how to withdraw consent.
4. Unambiguous
Requires a clear affirmative action — clicking a button, ticking a box. "By continuing to browse" implied consent is explicitly prohibited.
Trackers must not fire before consent is given
This is the most commonly violated GDPR rule — and one of the most commonly cited issues in DPA investigations. If Google Analytics, Meta Pixel, or any other tracking technology loads on page load while a consent banner is still displayed, that is a violation. The banner is irrelevant if the tracking has already started. Trackers must be technically blocked until the visitor has actively accepted.
What a compliant banner must and must not do
✕ Non-compliant
✕ Trackers load on page load before consent is given
✕ "Accept All" prominent, "Decline" hidden or in a sub-menu
✕ Single consent for all cookie categories bundled together
✕ Pre-ticked boxes for analytics or advertising categories
✕ Withdrawing consent requires more steps than giving it
✕ "By continuing to browse, you accept cookies" notices
✕ No log or record of consent decisions kept
✓ Compliant
✓ All non-essential trackers blocked until consent is actively given
✓ Accept and Decline presented with equal visual prominence
✓ Separate toggles for analytics, advertising, and functional cookies
✓ All categories unchecked by default — visitor must opt in
✓ Consent can be withdrawn at any time from a persistent link
✓ Clear affirmative action required — click a button
✓ Consent log with timestamp stored for audit
Full requirements
All GDPR requirements for website operators
GDPR compliance goes beyond the consent banner. Here are all the areas your website must address.
Privacy policy (Articles 13–14)
Must disclose: what personal data you collect, why, the legal basis for processing, how long it is retained, which third parties receive it, and how individuals can exercise their rights. Must be written in clear, plain language.
Legal basis for processing (Article 6)
Every data processing activity must have a documented legal basis: consent, contract, legal obligation, vital interest, public task, or legitimate interest. Article 6 violations account for one-third of all GDPR enforcement actions. Documentation must precede data collection.
Cookie consent mechanism
Non-essential cookies (analytics, advertising, session recording) require prior, granular consent. Essential cookies do not require consent but must be disclosed. Consent must be logged with timestamp.
Data subject rights (Articles 15–22)
Must respond to requests for access, deletion, correction, restriction, portability, and objection within one month. Requires a designated process — typically a DSAR form or email. Extension to three months allowed with notice.
Data security (Article 32)
Appropriate technical and organisational measures must be in place. Data breaches affecting individuals' rights must be reported to the supervisory authority within 72 hours and, where there is high risk, to the individuals directly.
International data transfers (Chapter V)
Transferring personal data outside the EU/EEA requires an adequacy decision, Standard Contractual Clauses (SCCs), or another approved transfer mechanism. The TikTok (€530M) and Meta (€1.2B) fines were both for unlawful international transfers.
Data Processing Agreements (Article 28)
If you share personal data with third-party processors (cloud providers, analytics platforms, email tools), you must have a Data Processing Agreement (DPA) in place. Most major tools provide standard DPAs.
Records of processing (Article 30)
Organisations with 250+ employees must maintain a Record of Processing Activities (RoPA). Smaller organisations are strongly advised to maintain one regardless — it is the foundation of demonstrating accountability.
Enforcement
GDPR penalties and enforcement in 2026
GDPR enforcement has entered a sustained high-volume phase. Between January 2023 and March 2026, regulators issued more fines than in the preceding five years combined. European supervisory authorities issued approximately €1.2 billion in fines during 2025, broadly matching the 2024 total.
Tier 1 — Less severe violations: up to €10M or 2% of global annual turnover, whichever is higher.
Applies to: failure to maintain records, insufficient data security measures, failure to notify a breach, violations related to processors, children's data, and DPO obligations.
Tier 2 — Most serious violations: up to €20M or 4% of global annual turnover, whichever is higher.
Applies to: violations of basic data processing principles, consent requirements, data subject rights, and unlawful international data transfers.
Notable enforcement actions 2024–2026
| Company | Fine | Year | Violation |
|---|---|---|---|
| Meta Platforms | €1.2B | 2023 | Unlawful EU-US data transfers (largest GDPR fine on record) |
| TikTok | €530M | 2025 | Unlawful EU-China data transfers — no adequate safeguards |
| Google (CNIL) | €325M | 2025 | Gmail ad personalisation and signup consent violations |
| LinkedIn | €310M | 2024 | Behavioural analysis and targeted advertising without valid legal basis |
| Uber | €290M | 2024 | EU-US data transfer violations for driver data |
| SHEIN (CNIL) | €150M | 2025 | Cookie placement before consent — CNIL found cookies firing on every page load |
The European Data Protection Board has confirmed transparency obligations (Articles 12–14) as the coordinated enforcement focus for 2026. This means privacy notices, consent documentation, and disclosure clarity are under active review across all EU jurisdictions. If your privacy policy is vague, outdated, or hard to find, you are in the crosshairs.
Free tool
Scan your site for GDPR compliance issues
Our free scanner checks your homepage for the most common GDPR violations — trackers firing before consent, missing consent banners, and pre-consent data collection. Results in 30 seconds, no account needed.
Action plan
How to make your website GDPR compliant
GDPR compliance is not a one-time task — it is ongoing operational infrastructure. These are the steps to get compliant, ordered by impact and urgency.
1. Install a compliant consent management platform (CMP)
This is the foundation. A CMP technically blocks all non-essential trackers until consent is given, presents the banner with granular category options, logs every consent decision with a timestamp, and provides a way for visitors to withdraw consent later. ConsentPixel installs with one script tag — the banner, blocking, and consent log are all handled automatically.
2. Write or update your privacy policy
Your privacy policy must cover all required disclosures under Articles 13 and 14. It should identify every tool and third party that processes visitor data, the legal basis for each, retention periods, and how users can exercise their rights. It must be written in clear, plain language — not legal boilerplate. ConsentPixel auto-generates a GDPR-compliant privacy policy as part of setup.
3. Audit and document your data processing activities
List every service on your website that processes personal data — analytics, advertising, support tools, CRM integrations, email platforms. For each one: what data is collected, why, the legal basis, and which third parties receive it. This is your Record of Processing Activities (RoPA) — the document that proves your compliance to a regulator. Do this before data collection starts, not retrospectively.
4. Set up a data subject request process
You need a mechanism for visitors to submit access, deletion, correction, restriction, and portability requests. A form or designated email address is the minimum. You have one month to respond. ConsentPixel includes an embeddable DSAR form that handles submission logging and tracks response deadlines.
5. Check your international data transfers
If you use US-based tools like Google Analytics, Salesforce, HubSpot, or Mailchimp and have EU visitors, personal data is being transferred to the US. Standard Contractual Clauses (SCCs) are required for these transfers. Most major vendors have updated their DPAs to include SCCs — check that you have signed the DPA and the SCCs are in place. The Meta (€1.2B) and TikTok (€530M) fines were for failing this exact requirement.
6. Configure Google Consent Mode v2
If you use any Google product (GA4, Google Ads, YouTube), Google Consent Mode v2 is required to maintain measurement while respecting consent. It must be configured before your Google tags load so that Google's tags receive the correct consent signals. ConsentPixel handles Consent Mode v2 configuration automatically.
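The "trackers must not fire before consent" rule, the compliant-banner list and steps 1 and 6 above all come down to the same client-side logic. This added example (not ConsentPixel's or Google's code) shows it in one place: a Consent Mode v2 default with every non-essential signal denied is pushed before any Google tag loads, trackers are released only per opted-in category, every decision is logged with a timestamp, and withdrawal is a single call. Only the gtag consent signal names are Google's; the category names, helper names and the dataLayer stub are constructed for this example.

```javascript
// Added example (not ConsentPixel's or Google's code). Only the Consent Mode v2
// signal names (analytics_storage, ad_storage, ...) are real; everything else is
// constructed for illustration.

const NON_ESSENTIAL = ["analytics", "advertising", "functional"];

// Which Consent Mode v2 signals each cookie category controls.
const SIGNALS = {
  analytics: ["analytics_storage"],
  advertising: ["ad_storage", "ad_user_data", "ad_personalization"],
  functional: ["functionality_storage", "personalization_storage"],
};

function createConsentGate(dataLayer, now = () => new Date().toISOString()) {
  // All categories unchecked by default: nothing is granted until the visitor opts in.
  const state = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
  const log = [];
  function gtag() { dataLayer.push(arguments); } // same shape gtag.js reads

  // The "default" must be the first consent command on the dataLayer, pushed
  // before the gtag.js <script> tag, so Google's tags start in the denied state.
  const denied = {};
  for (const c of NON_ESSENTIAL) for (const s of SIGNALS[c]) denied[s] = "denied";
  gtag("consent", "default", { ...denied, security_storage: "granted", wait_for_update: 500 });

  function decide(choices, action = "update") {
    for (const c of Object.keys(choices)) {
      if (!NON_ESSENTIAL.includes(c)) throw new Error(`unknown category: ${c}`);
    }
    // A category not explicitly set to true stays denied: no implied consent.
    for (const c of NON_ESSENTIAL) state[c] = choices[c] === true;
    const update = {};
    for (const c of NON_ESSENTIAL) for (const s of SIGNALS[c]) update[s] = state[c] ? "granted" : "denied";
    gtag("consent", "update", update);
    log.push({ ts: now(), action, categories: { ...state } }); // audit trail with timestamp
    return { ...state };
  }

  // Withdrawal is one call, no harder than accepting.
  const withdraw = () => decide({}, "withdraw");

  // True only for strictly necessary scripts or categories the visitor opted into.
  const allowed = (category) => category === "essential" || state[category] === true;

  // Which queued trackers may be activated now; everything else stays blocked.
  const releasable = (queue) => queue.filter((t) => allowed(t.category));

  return { decide, withdraw, allowed, releasable, log };
}
```

On a real page, call `createConsentGate(window.dataLayer = window.dataLayer || [])` in an inline script placed above the gtag.js script tag, and only inject the `releasable` trackers after `decide` has run.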
Compliance checklist
GDPR compliance checklist for websites 2026
Use this checklist to assess your current compliance posture.
Consent management platform installed — all non-essential trackers blocked until consent is given
Cookie banner presents accept and decline with equal visual prominence (no dark patterns)
Granular consent by category — analytics, advertising, and functional cookies have separate toggles
All cookie categories unchecked by default — user must actively opt in
Consent withdrawal available at any time via a persistent link (e.g. in the footer)
Consent decisions logged with timestamp for audit trail
Privacy policy published and up to date — covers all required GDPR disclosures
Legal basis documented for every data processing activity
All third-party tools identified in privacy policy and cookie policy
Data Processing Agreements (DPAs) signed with all processors (Google, Meta, etc.)
Standard Contractual Clauses in place for any US-based tools processing EU data
Data subject request process in place — DSAR form or designated email
Google Consent Mode v2 configured for all Google tags
Data breach response procedure in place — 72-hour reporting obligation understood
Common questions
GDPR frequently asked questions
Yes. GDPR applies to any organisation worldwide that offers goods or services to EU residents, or monitors the behaviour of EU residents. If your website has visitors from EU countries and you use analytics, advertising tools, or session recording software, GDPR applies to you regardless of where your business is based.
Yes, if your website uses any non-essential cookies — including analytics (Google Analytics), advertising pixels (Meta Pixel), or session recording tools (Hotjar, FullStory). You must obtain valid consent before these load. Essential cookies strictly necessary for the website to function do not require consent but must be disclosed in your cookie policy.
A compliant banner must: block all non-essential trackers until consent is actively given; present accept and decline with equal visual prominence; allow granular consent by category; keep all non-essential categories unchecked by default; provide a way to withdraw consent as easily as it was given; and log consent decisions with timestamps. Pre-ticked boxes, implied consent, and "accept" more prominent than "decline" are all non-compliant.
GDPR fines come in two tiers. Tier 1 is up to €10 million or 2% of global annual turnover for less severe violations. Tier 2 is up to €20 million or 4% of global annual turnover for the most serious violations including consent and data transfer failures. Cumulative fines have exceeded €7.1 billion since 2018, with €1.2 billion in 2025 alone.
GDPR is the broader regulation covering all personal data processing. The ePrivacy Directive (the Cookie Law) specifically governs cookies and tracking technologies. For cookie consent on websites, both apply together. GDPR provides the consent standard; the ePrivacy Directive requires consent before non-essential cookies are placed. A compliant cookie banner must satisfy both.
A DPO is mandatory for: public authorities, organisations that carry out large-scale systematic monitoring of individuals, and organisations that process special category data at scale. Most small and medium-sized businesses — including eCommerce sites and SaaS companies — do not need a formal DPO. However, you must designate a contact point for data protection matters and disclose it in your privacy policy.
Get GDPR compliant in 5 minutes
ConsentPixel handles your consent banner, cookie blocking, DSAR process, privacy policy, consent audit log, and Google Consent Mode v2 — all from one script tag.