What Is a Website GDPR Compliance Checklist and Do You Need One?

GDPR affects any website with European visitors — and the fines for non-compliance are real. This guide explains what GDPR requires for websites, who it applies to, and exactly what you need to implement.

The Privacy Law That Affects Websites Globally

When the European Union's General Data Protection Regulation (GDPR) came into force in May 2018, many non-European businesses assumed it didn't apply to them. They were wrong. GDPR applies to any organization that processes personal data of EU residents — regardless of where that organization is based. A website in Miami that has a single visitor from Germany is technically subject to GDPR if it collects that visitor's personal data.

The fines are real: the GDPR allows regulators to issue fines up to €20 million or 4% of global annual turnover, whichever is higher, for serious violations. Major companies have paid billions: Meta was fined €1.2 billion in 2023. Google was fined €50 million by France's data protection authority. Amazon was fined €746 million. These aren't theoretical penalties for theoretical violations.

This doesn't mean every small business with a few European visitors faces imminent enforcement action — regulatory resources are concentrated on large organizations and serious violations. But GDPR compliance is increasingly expected, increasingly enforced at smaller scales, and increasingly important for building trust with all visitors regardless of geography. Many of the practices GDPR requires are simply good privacy practices that users everywhere appreciate.

What GDPR Is

The General Data Protection Regulation is EU legislation that establishes rights for individuals regarding their personal data and obligations for organizations that collect and process that data. It replaces the 1995 EU Data Protection Directive and represents a significant strengthening and harmonization of privacy law across EU member states.

Core GDPR principles:

  • Lawfulness, fairness, and transparency: Personal data must be processed lawfully and transparently. People must know their data is being collected and why.
  • Purpose limitation: Data must be collected for specified, explicit, and legitimate purposes and not processed beyond those purposes.
  • Data minimization: Only data that is necessary for the stated purpose should be collected.
  • Accuracy: Data must be accurate and kept up to date.
  • Storage limitation: Data should be kept for no longer than necessary.
  • Integrity and confidentiality: Data must be processed securely.
  • Accountability: Organizations are responsible for demonstrating GDPR compliance.

What Counts as Personal Data

GDPR's definition of personal data is broad: any information relating to an identified or identifiable natural person. This includes:

  • Names and email addresses (contact form data)
  • IP addresses (analytics data)
  • Cookie identifiers (tracking cookies)
  • Location data
  • Purchase history linked to individuals
  • Behavioral tracking data linked to individuals

This means that Google Analytics 4, Facebook Pixel, advertising cookies, contact form submissions, and email subscription lists all involve personal data subject to GDPR requirements when EU residents are involved.

Does GDPR Apply to Your Website?

GDPR applies to your website if:

  • You actively target EU residents (running EU-targeted ads, offering services in EU languages, showing EU prices, etc.)
  • You regularly have EU visitors who provide personal data (form submissions, newsletter signups, purchases)
  • You have an EU establishment (office, employees, or operations in the EU)

GDPR may apply if you have incidental EU traffic that results in personal data collection. Regulatory enforcement priority is on intentional targeting and large-scale processing, but the letter of the law applies broadly.

California CCPA note: For US businesses, the California Consumer Privacy Act (CCPA) and its amendment, the CPRA, create similar obligations for California residents. If you have California customers, you likely need to address both GDPR (for EU visitors) and CCPA (for California residents) — which have different requirements but significant overlap in best practices.

Website GDPR Compliance Checklist

Privacy Policy

  • □ Privacy Policy exists and is accessible from every page (typically in the footer)
  • □ Policy explains what personal data you collect
  • □ Policy explains why you collect it (legal basis for processing)
  • □ Policy explains how long you retain data
  • □ Policy explains who you share data with (third-party services, processors)
  • □ Policy explains users' rights (access, correction, deletion, portability)
  • □ Policy provides contact information for privacy inquiries
  • □ Policy is written in plain language (not just legal jargon)
  • □ Policy is kept up to date as your data practices change

Cookie Consent

GDPR (combined with the EU ePrivacy Directive) requires informed, specific consent before placing non-essential cookies on EU visitors' devices. This is the cookie banner/popup that has become ubiquitous on websites.

  • □ Cookie consent mechanism implemented that blocks non-essential cookies until consent is given
  • □ Consent is collected before analytics, advertising, or tracking cookies are set
  • □ Consent is granular — visitors can accept/reject different categories (analytics, marketing, functionality)
  • □ Consent is as easy to decline as to accept (no dark patterns forcing acceptance)
  • □ Visitors can withdraw consent after giving it (accessible cookie settings)
  • □ Consent is documented and proof is stored
  • □ Essential cookies (session cookies, security cookies, shopping cart) are excluded from the consent requirement

Cookie consent tools: Cookiebot, CookieYes, Osano, and OneTrust all provide GDPR-compliant consent management platforms that handle the technical implementation of consent collection, blocking, and documentation.

Contact Forms and Data Collection

  • □ Contact forms include a link to your Privacy Policy
  • □ Email newsletter subscription forms include consent language and Privacy Policy link
  • □ Form fields only collect data that is necessary for the stated purpose (data minimization)
  • □ Clear information about what happens to submitted data (who receives it, how it's stored)
  • □ No pre-ticked consent checkboxes — consent must be actively given

Email Marketing

  • □ Email marketing lists are permission-based (opt-in, not pre-ticked or assumed)
  • □ Clear record of when and how consent was given for each subscriber
  • □ Every marketing email includes an unsubscribe link
  • □ Unsubscribe requests are honored promptly
  • □ Consent records retained even after unsubscription (to document previous permission)

Analytics and Tracking

Google Analytics 4 collects IP addresses (even if they're partially anonymized) and uses cookies — both activities that require consent under GDPR for EU visitors.

  • □ Google Analytics configured with IP anonymization enabled (GA4 does this by default)
  • □ Analytics cookies only loaded after consent is given (via cookie consent tool)
  • □ Google Ads / Facebook Pixel tracking cookies only loaded after consent
  • □ Data Processing Agreement (DPA) signed with Google Analytics (available in GA4 account settings)
  • □ Analytics data retention settings configured in GA4 (Admin → Data Settings → Data Retention)

Third-Party Services

  • □ List of all third-party services that receive or process personal data documented (analytics, CRM, email platform, payment processor, chat tools, etc.)
  • □ Data Processing Agreements (DPAs) signed with all data processors that process EU personal data
  • □ Privacy policies of third-party services reviewed for GDPR compliance
  • □ EU-US data transfer mechanisms in place if data is transferred to US-based services (standard contractual clauses or adequacy decisions)

User Rights Implementation

GDPR gives individuals specific rights regarding their personal data. Your processes must support these rights:

  • □ Process established for handling data access requests (individuals can request all data you hold on them)
  • □ Process established for handling data correction requests
  • □ Process established for handling data deletion requests ("right to be forgotten")
  • □ Process established for handling data portability requests (providing data in machine-readable format)
  • □ Response timeframe: 30 days to respond to rights requests
  • □ Contact method for rights requests published in Privacy Policy

Data Breach Procedures

  • □ Data breach notification procedure documented
  • □ Under GDPR, data breaches must be reported to supervisory authority within 72 hours if they're likely to result in risk to individuals' rights and freedoms
  • □ Affected individuals must be notified if the breach is high-risk to their rights

Common GDPR Mistakes on Websites

Showing a cookie banner but loading Google Analytics before consent anyway: Many websites have a cookie banner but load analytics before consent is given. GA4 cookies are non-essential and require consent. If GA4 is loading on page load regardless of consent status, the implementation is non-compliant regardless of the presence of a banner.
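The Cookie Consent checklist above and this mistake come down to the same mechanism: non-essential tags must not be injected until the visitor has opted in to their category, withdrawal must be possible, and each choice must be recorded. The following is an added example of such a gate, not Scalify's code or any vendor's consent platform; the tag URLs, the `G-PLACEHOLDER` measurement ID, and the `loader` callback are assumptions.

```javascript
// Added example (not Scalify's code): a consent gate that keeps non-essential
// tags unloaded until the visitor opts in per category and logs each choice.
// Tag URLs and the GA4 measurement ID are placeholders.
const CATEGORIES = ['analytics', 'marketing', 'functionality'];
// Non-essential tags and the consent category each one depends on.
const TAGS = {
  ga4: { category: 'analytics', src: 'https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER' },
  metaPixel: { category: 'marketing', src: 'https://connect.facebook.net/en_US/fbevents.js' },
};
// Every category starts rejected: nothing is pre-ticked or assumed.
const rejectedAll = () => Object.fromEntries(CATEGORIES.map((c) => [c, false]));
// Browser loader: injects a tag's script. Called only once consent exists.
function browserLoader(src) {
  const s = document.createElement('script');
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}
function createConsentManager(loader = browserLoader, now = () => new Date().toISOString()) {
  let choices = rejectedAll();
  const consentLog = []; // proof of consent: when, how, and what was chosen
  const loaded = new Set();
  function applyChoices() {
    for (const [name, tag] of Object.entries(TAGS)) {
      if (choices[tag.category] && !loaded.has(name)) {
        loader(tag.src);
        loaded.add(name);
      }
    }
  }
  function record(update, how) {
    // Unknown categories are ignored; only an explicit true grants consent.
    const next = { ...choices };
    for (const c of CATEGORIES) if (c in update) next[c] = update[c] === true;
    choices = next;
    consentLog.push({ at: now(), how, choices: { ...choices } });
    applyChoices();
  }
  return {
    record,
    acceptAll: (how = 'banner-accept') => record(Object.fromEntries(CATEGORIES.map((c) => [c, true])), how),
    rejectAll: (how = 'banner-reject') => record(rejectedAll(), how),
    // Withdrawal flips the category off; an already injected script also needs a reload and cookie deletion.
    withdraw: (category, how = 'cookie-settings') => record({ [category]: false }, how),
    isAllowed: (category) => choices[category] === true,
    getLog: () => consentLog.slice(),
    loadedTags: () => [...loaded],
  };
}
```

Wire the banner's accept, reject and per-category controls to `acceptAll`, `rejectAll` and `record`, and the cookie-settings page to `withdraw`; the entries in `getLog()` are the consent proof the checklist asks you to store.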

Pre-ticked consent checkboxes: "Subscribe to our newsletter" with a checkbox that's pre-ticked doesn't constitute valid GDPR consent. Consent must be actively given — the box must be unchecked by default.

Cookie banners that make refusal harder than acceptance: If accepting all cookies requires one click but declining requires navigating through multiple menus and adjusting settings, this is a "dark pattern" that coerces consent. GDPR requires that consent be as easy to decline as to accept. Regulators are increasingly enforcing against dark patterns.

Not having a Data Processing Agreement with Google: If you use Google Analytics and process EU personal data, you need a DPA with Google. It's available to sign in the GA4 account settings under Admin → Account Settings → Data Processing Amendment.

Outdated or generic Privacy Policy: A Privacy Policy copied from a template that doesn't reflect your actual data practices (which third parties you use, what data you collect, why you collect it) isn't compliant even if it looks like a legitimate Privacy Policy. It must accurately describe your actual practices.

GDPR vs. CCPA: Key Differences for US Businesses

If you serve both EU and California visitors, you're likely subject to both GDPR and CCPA. Key differences:

GDPR requires opt-in consent for non-essential data processing; CCPA is primarily opt-out — consumers have the right to opt out of the sale of their personal information, but data collection can proceed unless they opt out.

GDPR covers all residents of EU member states; CCPA protects California residents but applies only to businesses with annual gross revenues over $25 million, or that buy/sell/share personal information of 100,000+ consumers annually, or that derive 50%+ of annual revenues from selling personal information.

Rights are similar but not identical: both provide access, deletion, and portability rights. CCPA adds the specific right to opt out of the "sale" of personal information.

Implementing GDPR-level consent controls and privacy practices generally satisfies CCPA requirements as well — GDPR is the more demanding standard in most respects.

The Bottom Line

GDPR compliance for websites involves: a current, accurate Privacy Policy; a consent management platform that properly blocks tracking cookies until consent is given; data collection forms with clear consent language; email marketing with documented opt-in consent; signed Data Processing Agreements with third-party processors; and operational processes for handling data rights requests.

Full legal compliance requires working with a privacy attorney familiar with GDPR and your specific situation. This guide provides a practical starting point for website-level implementation, not legal advice. But the basics — honest privacy policy, proper cookie consent, permission-based email marketing — are achievable for any business and represent both legal responsibility and good user experience practice.

At Scalify, we build websites with privacy foundations in place — proper consent mechanisms, privacy policy linking, and data collection forms that meet baseline requirements — while recommending appropriate legal counsel for businesses with significant EU user bases or complex data processing activities.