Is Your Website GDPR Compliant? Here's How to Check
GDPR isn't just a European problem — it applies to you too
If your website is accessible to visitors from the European Union — and unless you're actively geo-blocking EU traffic, it is — then the General Data Protection Regulation (GDPR) applies to you. It doesn't matter where your company is headquartered. A small business in Texas, a freelancer in Tokyo, or a startup in Sydney all fall under GDPR's reach if they process data from EU residents.
The consequences of non-compliance are not theoretical. Since GDPR took effect in 2018, regulators have issued over 2,000 fines totaling more than €4.5 billion. And it's not just tech giants getting hit — small and medium businesses have been fined tens of thousands of euros for violations as simple as missing cookie consent or an incomplete privacy policy.
The core GDPR requirements for websites
GDPR is a comprehensive regulation, but for website owners, the requirements boil down to several key areas:
Lawful basis for data processing
You must have a valid legal reason for every piece of personal data you collect. The most common bases for websites are:
- Consent — The user explicitly agrees (e.g., checking a box for marketing emails)
- Legitimate interest — You have a reasonable business need that doesn't override the user's rights (e.g., basic analytics)
- Contractual necessity — You need the data to fulfill a service the user requested (e.g., shipping address for an order)
You cannot rely on pre-checked boxes, bundled consent, or implied agreement. Consent must be freely given, specific, informed, and unambiguous.
Cookie consent
This is where most websites fail. GDPR (combined with the ePrivacy Directive) requires that:
- Non-essential cookies must be blocked until the user gives explicit consent
- Users must be able to accept or reject cookie categories individually — not just "Accept All"
- The consent banner must clearly explain what cookies are used and why
- Rejecting cookies must be as easy as accepting them — no dark patterns, no hidden "reject" buttons
- Cookie preferences must be easily changeable after the initial choice
A banner that says "By continuing to use this site, you agree to cookies" is not GDPR-compliant. Neither is a banner with only an "Accept" button.
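One way to implement the gating this section describes, as an added example in JavaScript that is not PrivacyChecker's code: non-essential scripts are grouped by consent category, nothing loads until the visitor has explicitly switched a category on, and the choice is stored in a first-party cookie. The category names, the script URLs with their PLACEHOLDER ids and the cookie_consent format are assumptions made for this example.

```javascript
// Added example, not PrivacyChecker's code. Non-essential scripts are grouped
// by consent category and only categories the visitor explicitly enabled are
// loaded. Category names, script URLs and PLACEHOLDER ids are assumptions.
const SCRIPT_REGISTRY = {
  analytics: ["https://www.googletagmanager.com/gtag/js?id=GA-PLACEHOLDER"],
  marketing: ["https://connect.facebook.net/en_US/fbevents.js"],
  functional: ["https://widget.intercom.io/widget/APP-PLACEHOLDER"],
};
const CATEGORIES = Object.keys(SCRIPT_REGISTRY);

// Every category defaults to rejected: a missing, malformed or merely truthy
// value never becomes implied consent.
function normalizeConsent(raw) {
  const out = {};
  for (const c of CATEGORIES) out[c] = Boolean(raw) && raw[c] === true;
  return out;
}

// Script URLs allowed for this consent record (none before any choice).
function planScriptLoads(consent) {
  const c = normalizeConsent(consent);
  return CATEGORIES.filter((k) => c[k]).flatMap((k) => SCRIPT_REGISTRY[k]);
}

// Serialize the choice into a first-party cookie. Recording the visitor's
// choice is itself essential, so this one cookie may be set without consent.
function consentCookie(consent, days = 180) {
  const record = { v: 1, ts: Date.now(), c: normalizeConsent(consent) };
  const value = encodeURIComponent(JSON.stringify(record));
  return `cookie_consent=${value}; Max-Age=${days * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Read the choice back from a Cookie header or document.cookie string.
function parseConsentCookie(cookieHeader) {
  const m = /(?:^|;\s*)cookie_consent=([^;]*)/.exec(cookieHeader || "");
  if (!m) return null;
  try { return normalizeConsent(JSON.parse(decodeURIComponent(m[1])).c); } catch { return null; }
}

// Browser entry point: inject only approved scripts, returning their URLs
// (empty outside a browser, where there is no document).
function injectApproved(consent, doc = globalThis.document) {
  if (!doc) return [];
  const urls = planScriptLoads(consent);
  for (const src of urls) {
    doc.head.appendChild(Object.assign(doc.createElement("script"), { src, async: true }));
  }
  return urls;
}
```

On a real page the banner's "Accept selected" handler would call consentCookie with the categories the visitor ticked and then injectApproved with the same object; a "Reject all" handler calls them with an empty object, which is just as short a path.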
Privacy policy
Every website that collects personal data needs a clear, comprehensive privacy policy that includes:
- What data you collect and why
- The legal basis for each type of processing
- Who you share data with (including third-party services like Google Analytics, payment processors, and ad networks)
- How long you retain data
- Users' rights — access, rectification, erasure, data portability, and the right to object
- Contact information for your Data Protection Officer (or whoever handles privacy requests)
- International transfer details if data leaves the EU
The policy must be written in plain, understandable language — not dense legalese.
User rights mechanisms
GDPR grants EU residents specific rights over their data, and your website needs mechanisms to support them:
- Right of access — Users can request a copy of all data you hold about them
- Right to erasure — Users can request deletion of their data ("right to be forgotten")
- Right to rectification — Users can correct inaccurate data
- Right to data portability — Users can request their data in a machine-readable format
- Right to object — Users can opt out of certain types of processing
You must respond to these requests within 30 days.
What to scan your website for
A thorough GDPR compliance check should examine the following areas:
Third-party scripts and trackers
Many website owners don't realize how many third-party services are loading on their pages. Each one potentially processes visitor data and needs to be accounted for in your privacy policy and consent mechanism. Common culprits include:
- Google Analytics, Google Tag Manager, Google Fonts
- Facebook Pixel, Meta tracking scripts
- Hotjar, Mixpanel, Amplitude (session recording and analytics)
- Intercom, Drift, Zendesk (chat widgets)
- Embedded YouTube videos, social media widgets
Use PrivacyChecker's website scanner to detect all third-party scripts and trackers on your site and identify potential compliance gaps.
Cookies set before consent
One of the most common violations is setting tracking cookies before the user has given consent. Your site should not place any non-essential cookies until the visitor explicitly opts in. This includes analytics cookies, advertising cookies, and social media cookies.
Form data handling
Every form on your website — contact forms, newsletter signups, account registrations — must clearly state how the submitted data will be used. Newsletter signups need an explicit opt-in (no pre-checked boxes), and you must keep records of when and how consent was given.
Data encryption
Personal data must be transmitted securely. At minimum, your entire website should use HTTPS (TLS/SSL). Form submissions, login pages, and any page that handles personal data absolutely must be encrypted in transit.
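The three checks from the passages above (third-party trackers, cookies set before consent, missing HTTPS) as an added example in JavaScript written for this page, not PrivacyChecker's scanner: it audits one already-fetched page from its URL, its HTML and the Set-Cookie headers of the first, pre-consent response. The tracker-host table, the essential-cookie names and the sample response are constructed assumptions.

```javascript
// Added example, not PrivacyChecker's scanner: audits one already-fetched
// page from its URL, HTML and the Set-Cookie headers of the pre-consent
// response. Tracker table, essential-cookie names and sample are assumptions.
const KNOWN_TRACKERS = {
  "google-analytics.com": "Google Analytics",
  "googletagmanager.com": "Google Tag Manager",
  "fonts.googleapis.com": "Google Fonts",
  "connect.facebook.net": "Facebook Pixel",
  "youtube.com": "YouTube embed",
};
const ESSENTIAL_COOKIES = new Set(["session_id", "csrf_token", "cookie_consent"]);
// Every script, iframe or link loaded from a host other than the page's own.
function thirdPartyResources(html, pageUrl) {
  const own = new URL(pageUrl).hostname;
  const re = /<(?:script|iframe|link)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  const found = [];
  for (let m; (m = re.exec(html)); ) {
    let host;
    try { host = new URL(m[1], pageUrl).hostname; } catch { continue; }
    if (host === own) continue;
    const key = Object.keys(KNOWN_TRACKERS).find((h) => host === h || host.endsWith("." + h));
    found.push({ url: m[1], host, service: key ? KNOWN_TRACKERS[key] : "unknown third party" });
  }
  return found;
}
// Non-essential cookie names set before the visitor has made any choice.
function cookiesBeforeConsent(setCookieHeaders) {
  return setCookieHeaders
    .map((h) => h.split(";")[0].split("=")[0].trim())
    .filter((name) => name && !ESSENTIAL_COOKIES.has(name));
}
function auditPage({ url, html, setCookie }) {
  const findings = [];
  if (new URL(url).protocol !== "https:") findings.push({ check: "transport", detail: "page not served over HTTPS" });
  for (const r of thirdPartyResources(html, url)) findings.push({ check: "third-party", detail: `${r.service}: ${r.host}` });
  for (const c of cookiesBeforeConsent(setCookie)) findings.push({ check: "cookie-before-consent", detail: c });
  return findings;
}
// Constructed sample (not a real site): plain HTTP, three third-party loads,
// one essential cookie and two tracking cookies set before any consent.
const SAMPLE = {
  url: "http://shop.example/",
  html: '<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">' +
    '<script src="/static/app.js"></script>' +
    '<script async src="https://www.googletagmanager.com/gtag/js?id=GA-PLACEHOLDER"></script>' +
    '<iframe src="https://www.youtube.com/embed/VIDEO-PLACEHOLDER"></iframe>',
  setCookie: ["session_id=abc; Path=/; HttpOnly", "_ga=GA1.2.123; Path=/", "_fbp=fb.1.1; Path=/"],
};
```

For a real audit, fetch the page with a fresh, cookie-less client so the Set-Cookie headers reflect what a first-time visitor receives before any consent choice; every "unknown third party" hit still needs to be traced to a named service in the privacy policy.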
Data storage and retention
Where is your data stored? If you use hosting providers, CRMs, email marketing platforms, or analytics tools, each one is a "data processor" under GDPR, and you need a Data Processing Agreement (DPA) with each of them. You also need a defined retention period — you can't keep personal data indefinitely "just in case."
A practical GDPR compliance checklist
Use this checklist to audit your website:
- SSL/HTTPS is active on all pages
- Cookie consent banner blocks non-essential cookies until consent is given
- Cookie banner offers granular category controls (analytics, marketing, functional)
- Rejecting cookies is as easy as accepting them
- Privacy policy is up-to-date, comprehensive, and written in plain language
- Privacy policy lists all third-party services that process visitor data
- Contact forms include a privacy notice and link to the privacy policy
- Newsletter signups use explicit opt-in (not pre-checked boxes)
- A process exists for handling data subject access requests within 30 days
- Data Processing Agreements are in place with all third-party processors
- Data retention periods are defined and documented
- No Google Fonts loaded from Google's servers without consent (a common fine trigger — host them locally instead)
How PrivacyChecker helps
Manually auditing every page of your website for compliance issues is time-consuming and error-prone. PrivacyChecker automates the process by scanning your website to identify:
- Third-party trackers and scripts loading on your pages
- Cookies being set before consent is obtained
- Missing or incomplete privacy policy elements
- Insecure data transmission (missing HTTPS)
- Exposed personal data and potential breach indicators
A scan takes seconds and gives you a clear picture of where your website stands — and what you need to fix.
Scan your website for GDPR compliance issues →
The cost of getting it wrong
GDPR fines can reach up to €20 million or 4% of annual global turnover — whichever is higher. But even without a massive fine, non-compliance carries real costs: loss of customer trust, negative publicity, and the operational disruption of responding to a regulatory investigation.
The good news is that most compliance issues are straightforward to fix once you know they exist. The first step is understanding where you stand.