
GDPR & Privacy
Cookie consent, privacy policies, data processing, and GDPR requirements.
The General Data Protection Regulation applies to any website that offers goods or services to people in the EU/EEA or monitors their behaviour, which in practice covers most sites with European visitors. It governs how you collect personal data through forms, which cookies and tracking scripts load, whether your privacy policy contains the information Articles 13 and 14 require, and how you handle data subject rights. Since 2018, European data protection authorities have issued over €4.5 billion in fines, and small businesses are increasingly targeted alongside the large corporations.
Key facts
- The Dutch Autoriteit Persoonsgegevens fined a small company €525,000 for fingerprinting visitors without consent
- Spain's AEPD issued over 600 fines in 2024, many under €10,000 to small businesses
- A missing or inadequate privacy policy falls in the upper fine tier of Article 83(5): up to €20 million or 4% of worldwide annual turnover, whichever is higher
- Google Fonts loaded from Google's servers was ruled a GDPR violation by the Regional Court of Munich in January 2022, because the request sends the visitor's IP address to Google without consent
- Cookie banners that use dark patterns (pre-checked boxes, hidden reject buttons) do not obtain valid consent under GDPR
What we check
- ✓ Cookie consent banner presence and configuration
- ✓ Third-party tracking scripts loading before consent
- ✓ Privacy policy completeness and required elements
- ✓ Contact form data handling and legal basis
- ✓ Google Fonts and other third-party resource loading
Cookie consent and privacy: good vs. bad examples
Cookie wall with no reject option
A full-screen banner that says "We use cookies to improve your experience" with only an "Accept all" button. No reject button, no settings link. GDPR requires freely given consent, which means refusing must be as easy as accepting.
Equal accept and reject buttons
A cookie banner with equally sized and styled "Accept all" and "Reject all" buttons. A third "Manage preferences" option lets users choose specific categories. No tracking fires until the visitor makes a choice.
Tracking scripts loaded before consent
Google Analytics, Facebook Pixel or other tracking scripts fire immediately on page load, before the visitor has interacted with the cookie banner, so the consent choice is meaningless: the data has already left. This is one of the issues European DPAs cite most often in website sweeps.
No scripts until consent is given
Analytics and marketing scripts are only loaded after the visitor clicks "Accept" for their category. Strictly necessary cookies (session, cart, security, and the cookie that stores the consent choice itself) work without consent. The consent management platform is default-deny: every non-essential script stays blocked until an explicit choice is recorded, and a "Reject all" click keeps it that way.
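The "scripts before consent" and "Google Fonts and other third-party resource loading" checks can be approximated statically. The script below is an added example written for this page, not the scanner's own code: it parses raw HTML and reports every `<script>`, `<link>` and `<iframe>` that points at a host other than the page's own, unless the script is held back with `type="text/plain"`, the convention several consent management platforms use to keep a script inert until the visitor opts in. The host list, the `data-category` attribute name and the sample page are assumptions constructed for the example.

```python
# Added example: static pre-consent resource check. Not the scanner's code.
# Assumptions: a consent-gated script carries type="text/plain" (a common CMP
# convention); the tracker host list below is illustrative, not exhaustive.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts commonly seen in pre-consent findings (assumed list, extend as needed).
KNOWN_TRACKERS = {
    "www.googletagmanager.com": "analytics",
    "www.google-analytics.com": "analytics",
    "connect.facebook.net": "marketing",
    "fonts.googleapis.com": "google-fonts",
    "fonts.gstatic.com": "google-fonts",
    "www.youtube.com": "embed",
    "maps.google.com": "embed",
}

# Inline snippets that initialise a tracker without any external src.
INLINE_MARKERS = ("gtag(", "fbq(", "dataLayer.push(", "_paq.push(")

# Script types the browser will not execute; CMPs swap them to JS after consent.
GATED_TYPES = {"text/plain", "text/template"}


class ResourceCollector(HTMLParser):
    """Collects external resource references and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.resources = []        # (tag, url, gated) in document order
        self.inline_scripts = []   # (body, gated)
        self._open_script = None   # gated flag while inside a <script> element

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        gated = (a.get("type") or "").strip().lower() in GATED_TYPES
        if tag == "script":
            self._open_script = gated
            if a.get("src"):
                self.resources.append(("script", a["src"], gated))
        elif tag == "link" and a.get("href"):
            self.resources.append(("link", a["href"], False))
        elif tag == "iframe" and a.get("src"):
            # A real src on an embed loads immediately; gated embeds use a
            # placeholder src and keep the real URL in data-src.
            self.resources.append(("iframe", a["src"], False))

    def handle_data(self, data):
        if self._open_script is not None and data.strip():
            self.inline_scripts.append((data, self._open_script))

    def handle_endtag(self, tag):
        if tag == "script":
            self._open_script = None


def host_of(url):
    """Host of an absolute or protocol-relative URL; '' for relative URLs."""
    if url.startswith("//"):
        url = "https:" + url
    return urlparse(url).hostname or ""


def find_pre_consent_loads(html, page_host):
    """Return findings for resources that would load before any consent choice.

    Each finding is a dict with tag, url, host and category. Gated scripts
    (type="text/plain") and first-party or relative URLs are not reported."""
    p = ResourceCollector()
    p.feed(html)
    findings = []
    for tag, url, gated in p.resources:
        host = host_of(url)
        if not host or host == page_host or gated:
            continue
        findings.append({"tag": tag, "url": url, "host": host,
                         "category": KNOWN_TRACKERS.get(host, "third-party")})
    for body, gated in p.inline_scripts:
        if not gated and any(m in body for m in INLINE_MARKERS):
            findings.append({"tag": "inline-script", "url": body.strip()[:60],
                             "host": page_host, "category": "analytics-or-marketing"})
    return findings


def summarize(findings):
    """Group finding hosts by category for a short report."""
    report = {}
    for f in findings:
        report.setdefault(f["category"], []).append(f["host"])
    return report


# Constructed sample page: ungated tag manager and inline gtag() call, a Google
# Fonts stylesheet, a YouTube embed, one correctly gated script, first-party assets.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<link rel="stylesheet" href="/static/site.css">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script>window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date());</script>
<script type="text/plain" data-category="marketing" src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="/static/app.js"></script>
</head><body>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_pre_consent_loads(SAMPLE_HTML, "example.com"):
        print(f"{f['tag']:14} {f['category']:24} {f['host']}  {f['url']}")
    print(summarize(find_pre_consent_loads(SAMPLE_HTML, "example.com")))
```

On the sample page this reports the Google Fonts stylesheet, the tag manager script, the YouTube iframe and the inline gtag() call, and stays silent on the gated Facebook script and the first-party assets. A static check like this is a first pass only: tags that a tag manager injects at runtime, or scripts that set cookies only after a JavaScript event, are invisible to it, which is why a real scan also has to load the page in a browser and record the network requests made before any banner interaction.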
Privacy policy with generic template text
A privacy policy that still contains placeholder text like "[Company Name]" or refers to data processing activities your business does not actually perform. A privacy policy must accurately describe your specific data processing.
Accurate, specific privacy policy
A privacy policy that lists the exact data you collect (names, emails from the contact form), your legal basis for each, which third-party processors you use (e.g. Mailchimp, Stripe), retention periods and how visitors can exercise their rights.
Dark pattern consent design
An "Accept all" button in bright green and a "Manage preferences" link in tiny grey text. Or a cookie settings panel where all categories are pre-toggled to "on". These design patterns manipulate users into consenting and violate EDPB guidelines.
Honest, neutral consent design
Accept and reject buttons with the same size, colour weight and placement. Cookie categories explained in plain language. Settings saved and respected across visits. A persistent link in the footer to change preferences at any time.
Related guides
Best Cookiebot Alternatives in 2026 (Cheaper + More Checks)
Cookiebot doubled its prices. Looking for an alternative? Compare cookie consent tools and multi-category website scanners. Free scan available.
Complete GDPR Website Audit: Step-by-Step Checklist
A step-by-step GDPR audit checklist for your website. Check cookies, tracking, privacy policy, forms, third-party services, and security in one pass.
Do I Need a Cookie Banner? A Simple Decision Guide
Not sure if your website needs a cookie banner? This simple guide helps you decide based on what your website actually does.
Dutch AP Cookie Warnings: What They Mean for Your Website
The Dutch Autoriteit Persoonsgegevens is warning websites about cookie issues. Here is what they check and how to fix your cookie setup.
GDPR Compliance Checklist for Your Website (2026)
A practical GDPR checklist for small business websites. Check cookies, privacy policy, consent forms, and tracking scripts.
GDPR for Restaurant Websites: What You Actually Need
Your restaurant website collects more personal data than you think. Reservations, Google Maps, analytics. Here is what GDPR requires.
Google Fonts and GDPR: Why Your Website Might Be Leaking Data
Loading Google Fonts from Google's servers sends visitor IP addresses to the US. A German court ordered a website owner to pay damages for this. Here is how to fix it.
How to Check If a Website Is Trustworthy (2026 Guide)
How to check if a website is trustworthy. 10 things to look for: SSL, privacy policy, business details, cookie consent, and more.
How to Create a Privacy Policy (Free Generator + Guide)
Create a GDPR-compliant privacy policy for your website. Use our free generator or follow this guide to write one yourself.
Cookie Banner Requirements 2026: What Actually Counts
Most cookie banners fail basic GDPR requirements. Here is what yours actually needs: reject buttons, no dark patterns, real consent.
Cookie-Script Alternative: Why You Might Need More Than a Cookie Banner
Cookie-Script handles cookies well, but what about accessibility, security and image copyright? Compare CMP-only tools vs full website scanners.
GDPR Fines for Small Businesses: Real Cases and Amounts
Real GDPR fines for small businesses: actual cases from 1,000 to 50,000 EUR. What triggers enforcement and how to avoid it.
GDPR for Salons and Dentists: Client Data on Your Website
Salons and dental practices handle sensitive client data. Here is what GDPR requires for your website, booking forms and client photos.
Google Maps on Your Website: The GDPR Problem
Embedding Google Maps sends visitor IP addresses and browsing data to Google without consent. Here are GDPR-compliant alternatives.
Privacy Policy: What Must Be in It and What Is Optional
GDPR Articles 13 and 14 require 12 specific elements in your privacy policy. Here is exactly what must be there and what you can skip.
YouTube Embeds and GDPR: Why Your Video Sends Data to Google
Embedding a YouTube video on your site sends visitor data to Google before they press play. Here is what happens and how to fix it.
Your Website Tracks Visitors Without You Knowing It
Third-party scripts on your website send visitor data to companies you never heard of. Here is how to find and fix hidden tracking.
Related from other areas
Does the European Accessibility Act Apply to Your Business?
The EAA became enforceable in June 2025. Find out if it applies to your business, what it requires and what happens if you don't comply.
Website Security Checklist: 10 Things to Check Today
A practical security checklist for small business websites. 10 things you can check and fix today without technical expertise.
Check your website now
Scan your website for GDPR & Privacy issues and 30+ other checks.
Scan your site free