TrustYourWebsite

GDPR & Privacy

Cookie consent, privacy policies, data processing, and GDPR requirements.

The General Data Protection Regulation affects every website that has European visitors. It covers how you collect personal data through forms, what cookies and tracking scripts load, whether your privacy policy meets the legal requirements, and how you handle data subject rights. Since 2018, European data protection authorities have issued over €4.5 billion in fines — and increasingly, small businesses are being targeted alongside the large corporations.

Key facts

  • The Dutch Autoriteit Persoonsgegevens fined a small company €525,000 for fingerprinting visitors without consent
  • Spain's AEPD issued over 600 fines in 2024, many under €10,000 to small businesses
  • A missing or inadequate privacy policy can result in fines of up to €20 million or 4% of annual turnover
  • Google Fonts loaded from Google servers was ruled a GDPR violation by a Munich court in January 2022
  • Cookie banners that use dark patterns (pre-checked boxes, hidden reject buttons) violate GDPR consent requirements

What we check

  • Cookie consent banner presence and configuration
  • Third-party tracking scripts loading before consent
  • Privacy policy completeness and required elements
  • Contact form data handling and legal basis
  • Google Fonts and other third-party resource loading

Cookie consent and privacy: good vs. bad examples

Needs fixing

Cookie wall with no reject option

A full-screen banner that says "We use cookies to improve your experience" with only an "Accept all" button. No reject button, no settings link. GDPR requires freely given consent, which means refusing must be as easy as accepting.

Tracking scripts loaded before consent

Google Analytics, Facebook Pixel or other tracking scripts fire immediately on page load, before the visitor interacts with the cookie banner. This is the most common GDPR issue found by European DPAs.

Privacy policy with generic template text

A privacy policy that still contains placeholder text like "[Company Name]" or refers to data processing activities your business does not actually perform. A privacy policy must accurately describe your specific data processing.

Dark pattern consent design

An "Accept all" button in bright green and a "Manage preferences" link in tiny grey text. Or a cookie settings panel where all categories are pre-toggled to "on". These design patterns manipulate users into consenting and violate EDPB guidelines.

Compliant

Equal accept and reject buttons

A cookie banner with equally sized and styled "Accept all" and "Reject all" buttons. A third "Manage preferences" option lets users choose specific categories. No tracking fires until the visitor makes a choice.

No scripts until consent is given

Analytics and marketing scripts are only loaded after the visitor clicks "Accept." Essential cookies (session, cart, security) work without consent. The consent management platform blocks all non-essential scripts by default.

Accurate, specific privacy policy

A privacy policy that lists the exact data you collect (names, emails from the contact form), your legal basis for each, which third-party processors you use (e.g. Mailchimp, Stripe), retention periods and how visitors can exercise their rights.

Honest, neutral consent design

Accept and reject buttons with the same size, colour weight and placement. Cookie categories explained in plain language. Settings saved and respected across visits. A persistent link in the footer to change preferences at any time.
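The check described under "Tracking scripts loaded before consent" and "No scripts until consent is given" can be expressed as an audit of a page's request log against the visitor's consent decision. This is an added example, not TrustYourWebsite's scanner code; the host-to-category map, the log shape, the function name and the sample data are assumptions constructed for illustration.

```javascript
// Added example: flag non-essential third-party requests made without valid consent.
// The host-to-category map is an assumption; matching is by exact hostname only.
const NON_ESSENTIAL_HOSTS = new Map([
  ['www.google-analytics.com', 'analytics'],
  ['www.googletagmanager.com', 'analytics'],
  ['connect.facebook.net', 'marketing'],
  ['fonts.googleapis.com', 'external-fonts'],
  ['fonts.gstatic.com', 'external-fonts'],
]);

// consent: null (visitor has not chosen yet) or { at: ms, accepted: [categories] }
function findConsentViolations(requests, consent, firstPartyHost) {
  const violations = [];
  for (const req of requests) {
    let host;
    try {
      host = new URL(req.url).hostname.toLowerCase();
    } catch {
      continue; // skip malformed log entries instead of aborting the audit
    }
    if (host === firstPartyHost) continue; // first-party requests are out of scope
    const category = NON_ESSENTIAL_HOSTS.get(host);
    if (!category) continue; // host not classified as non-essential
    const decided = consent !== null && req.at >= consent.at;
    if (!decided) {
      violations.push({ url: req.url, category, reason: 'before-consent' });
    } else if (!consent.accepted.includes(category)) {
      violations.push({ url: req.url, category, reason: 'category-rejected' });
    }
  }
  return violations;
}

// Constructed sample log: `at` is milliseconds since navigation start.
const SAMPLE_REQUESTS = [
  { at: 12, url: 'https://shop.example/app.js' },
  { at: 40, url: 'https://www.google-analytics.com/analytics.js' },
  { at: 55, url: 'https://fonts.googleapis.com/css?family=Roboto' },
  { at: 3100, url: 'https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE' },
  { at: 3150, url: 'https://connect.facebook.net/en_US/fbevents.js' },
];
const SAMPLE_CONSENT = { at: 3000, accepted: ['analytics'] }; // constructed

console.log(findConsentViolations(SAMPLE_REQUESTS, SAMPLE_CONSENT, 'shop.example'));
```

A `null` consent models a visitor who never interacts with the banner, in which case every classified request is reported as `before-consent`.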

Cookie consent in Ireland: DPC rules your website must follow

Cookie consent rules for Irish websites. SI 336/2011 requirements, DPC dark pattern guidance, what 'strictly necessary' means, and how to test your banner.

GDPR compliance for Irish businesses: website checklist 2026

What Irish SMBs must do to comply with GDPR on their websites. Privacy policy, cookie consent, CRO number, DPC enforcement cases, and a free website check.

Is your website GDPR compliant? Free website check for Irish businesses

Free GDPR website check for Irish businesses. Our scanner tests cookie consent, privacy policy, company registration details, security, and more. Results in 60 seconds.

GDPR for dental practices in Ireland

GDPR and data protection for Irish dental practices. Patient data as special category, Dental Council registration, record retention, online booking, and breach notification.

GDPR for estate agents in Ireland: PSRA compliance

GDPR for Irish estate agents. PSRA licence display requirements, client and tenant data, viewing records, anti-money laundering, photography, and website compliance.

GDPR for restaurants and hospitality in Ireland

GDPR for Irish restaurants, hotels, and hospitality businesses. Reservation systems, WiFi, loyalty programmes, CCTV, staff data, and free website check.

GDPR for solicitors in Ireland: Law Society requirements

GDPR for Irish solicitors. Law Society of Ireland requirements, client confidentiality and GDPR overlap, anti-money laundering data retention, and website compliance.
