
GDPR compliance for websites — a simple guide

The General Data Protection Regulation has applied since 25 May 2018, yet most website owners still find it confusing. That is understandable. The regulation is 99 articles long, written in dense legal language, and accompanied by thousands of pages of guidance from data protection authorities across Europe.

But for the average website owner — someone running a small business site, a SaaS product, an e-commerce store, or a personal blog — GDPR compliance is not as complicated as it seems. Most of the complexity applies to large enterprises processing sensitive data at scale. For a typical website, a handful of principles and practical steps cover the vast majority of what you need to do.

This guide covers what GDPR requires from website owners in plain language. It is not legal advice — every situation is different, and you should consult a qualified lawyer for specific questions. But it will give you a solid understanding of what the regulation means for your site and what you need to do about it.

What GDPR is and who it applies to

GDPR is a European Union regulation that governs how organizations collect, store, use, and share personal data of individuals in the EU and EEA (European Economic Area). It replaced the older Data Protection Directive 95/46/EC and became enforceable on May 25, 2018.

A common misconception is that GDPR only applies to companies based in the EU. It does not. GDPR applies to any organization that processes personal data of people in the EU, regardless of where the organization is located. If you run a website in the United States, Canada, Australia, or anywhere else and people in France, Germany, or Spain visit it — GDPR applies to you.

Article 3(2) is explicit: the regulation applies to the processing of personal data of individuals in the EU by a controller or processor not established in the EU, where the processing relates to offering goods or services to those individuals or monitoring their behavior within the EU.

Using analytics to monitor the behavior of EU visitors counts. Running an online store that ships to EU countries counts. Displaying ads targeted at EU visitors counts. Mere accessibility from the EU is not, by itself, enough (Recital 23 says so explicitly for the "offering goods or services" limb), but the threshold is low: if you have a public website with analytics, advertising, or a sign-up form, GDPR almost certainly applies to you in some form.

The key principles

GDPR is built on seven principles (Article 5). Understanding them makes the rest of the regulation much easier to navigate.

Lawfulness, fairness, and transparency. You must have a valid legal reason to process personal data, you must not use data in ways people would not expect, and you must be open about what you do with it.

Purpose limitation. You must collect data for a specific, stated purpose and not use it for something else. If you collect email addresses for order confirmations, you cannot start sending marketing emails without a separate legal basis.

Data minimization. Collect only the data you actually need. If you do not need a visitor's full name to provide your service, do not ask for it. If your analytics do not need to identify individual users, do not collect identifiers.

Accuracy. Personal data must be accurate and kept up to date. Where it is inaccurate, it should be corrected or deleted without delay.

Storage limitation. Do not keep personal data longer than necessary for its stated purpose. If someone cancels their account, you should delete their personal data within a reasonable timeframe (unless you have a legal obligation to retain it, such as financial records).

Integrity and confidentiality. You must protect personal data against unauthorized access, loss, or damage through appropriate technical and organizational measures. This means encryption, access controls, secure infrastructure, and sensible security practices.

Accountability. You must be able to demonstrate compliance. It is not enough to be compliant — you must be able to prove it. This means documenting your data processing activities, maintaining records, and being able to show regulators what you do and why.

What counts as personal data

GDPR defines personal data broadly. It is any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, by reference to an identifier.

For website owners, this includes obvious things like names, email addresses, phone numbers, and physical addresses. But it also includes data you might not think of as personal:

IP addresses are personal data under GDPR. The Court of Justice of the European Union confirmed this in the Breyer case (C-582/14). Even dynamic IP addresses can be personal data if the website operator has the means to identify the individual.

Cookies that contain unique identifiers are personal data. A cookie that assigns a visitor a random ID and tracks them across sessions creates a profile tied to an identifiable individual.

Device fingerprints — combinations of browser version, screen resolution, installed fonts, and other attributes that uniquely identify a device — are personal data when they can be used to single out an individual.

Online identifiers such as user IDs, advertising IDs, and session tokens are personal data. Recital 30 names internet protocol addresses and cookie identifiers, alongside other identifiers such as RFID tags, as examples of online identifiers that can be combined to create profiles of individuals.

The practical implication is clear: almost every analytics tool processes some form of personal data. The question is not whether GDPR applies to your analytics — it almost certainly does — but what legal basis you use and how you handle the data.

Consent: when you need it and what valid consent looks like

Consent is one of six legal bases for processing personal data under GDPR (Article 6). The others are: contract performance, legal obligation, vital interests, public task, and legitimate interest. Consent is not always required — but when it is, the requirements are strict.

Under GDPR, valid consent must be:

Freely given. The person must have a genuine choice. Consent is not free if refusing it prevents the person from using your service (unless the data is genuinely necessary for the service). Bundling consent with terms of service is generally not valid.

Specific. Consent must be given for each distinct purpose. A blanket "I agree to data processing" checkbox does not meet the standard. If you want consent for analytics and marketing emails, those must be separate consent requests.

Informed. The person must know exactly what they are consenting to — what data is collected, who processes it, for what purpose, and for how long.

Unambiguous. Consent requires a clear affirmative action. Pre-ticked checkboxes do not count. Continuing to browse a website does not count. Scrolling does not count. The Planet49 ruling (C-673/17) from the Court of Justice of the EU confirmed that pre-checked boxes are not valid consent.

Consent must also be as easy to withdraw as it was to give. If a visitor consented with one click, they should be able to withdraw with one click.

Cookie banners: when required and when not

Cookie consent is governed primarily by the ePrivacy Directive (2002/58/EC), not GDPR itself. The ePrivacy Directive requires consent before storing or accessing information on a user's device — which includes cookies, localStorage, and other client-side storage.

Essential cookies are exempt from consent. These are cookies strictly necessary for a service the user has explicitly requested — session cookies for login, shopping cart cookies, load balancer cookies. They do not require a banner.

Analytics cookies are not considered essential. If your analytics tool sets cookies (as Google Analytics does with its _ga and _ga_* cookies), you need consent before those cookies are set. That means a cookie banner with a genuine accept/reject choice. A few authorities, notably France's CNIL, exempt first-party audience-measurement cookies from consent under narrow conditions (no cross-site tracking, no data shared with a third party for its own purposes, limited retention); Google Analytics in its default configuration does not meet them.

Marketing cookies (Meta Pixel, Google Ads tags, retargeting pixels) always require consent. No exceptions.

Cookieless analytics do not trigger the ePrivacy Directive's consent requirement because they do not store or access information on the user's device. If your analytics tool works without cookies or client-side storage — as tools like sourcebeam do — no cookie banner is needed for analytics purposes.

This is an important distinction. Many site owners add cookie banners solely because of their analytics tool. If you switch to cookieless analytics and have no other non-essential cookies, you can remove the banner entirely.

Privacy policy: what it must contain

Every website that processes personal data needs a privacy policy. GDPR Articles 13 and 14 specify what information you must provide to individuals. At a minimum, your privacy policy should include:

Identity and contact details of the data controller — who is responsible for the data processing. For a small business, this is typically the company name and a contact email address.

What data you collect and why. Be specific: "We collect your email address when you subscribe to our newsletter in order to send you weekly updates." Not: "We may collect personal information for various purposes."

The legal basis for each type of processing. Is it consent, legitimate interest, contract performance, or legal obligation? You must state this explicitly.

Who you share data with — third-party processors, analytics providers, payment processors, email services. Name categories or specific providers.

International data transfers — if data is transferred outside the EU/EEA (for example, to US-based services), explain the safeguards in place (Standard Contractual Clauses, adequacy decisions, etc.).

Data retention periods — how long you keep each type of data, or the criteria for determining retention.

Data subject rights — inform individuals of their rights under GDPR (more on this below).

Right to lodge a complaint with a supervisory authority.

GDPR also requires that privacy policies be written in clear, plain language. The days of impenetrable legal jargon are over — at least in theory. Regulators have fined companies for privacy policies that were too complex for an average person to understand.

Data subject rights

GDPR gives individuals a set of rights over their personal data. As a website owner, you must be able to respond to these requests:

Right of access (Article 15). Individuals can request a copy of all personal data you hold about them. You must respond without undue delay and within one month; Article 12(3) lets you extend that by a further two months for complex or numerous requests, but you have to tell the person about the extension within the first month.

Right to rectification (Article 16). Individuals can ask you to correct inaccurate personal data.

Right to erasure ("right to be forgotten") (Article 17). Individuals can ask you to delete their personal data in certain circumstances — for example, when the data is no longer necessary for the purpose it was collected, or when they withdraw consent.

Right to data portability (Article 20). Individuals can request their data in a structured, commonly used, machine-readable format so they can transfer it to another service.

Right to object (Article 21). Individuals can object to processing based on legitimate interest. If someone objects to your analytics processing their data, you must stop unless you can demonstrate compelling legitimate grounds.

Right to restriction of processing (Article 18). In certain cases, individuals can ask you to limit how you use their data while a dispute is resolved.

For most small websites, these requests will be rare. But you need a process for handling them — even if that process is simply an email address where people can send requests and a documented procedure for responding within the required timeframe.

Data processing agreements

If you use any third-party tool that processes personal data on your behalf — and you almost certainly do — GDPR requires a Data Processing Agreement (DPA) between you (the data controller) and the third party (the data processor).

This applies to analytics providers, email marketing services, hosting companies, payment processors, CRM systems, customer support tools, and basically every SaaS product that touches your users' data.

A DPA must specify what data the processor handles, for what purpose, for how long, what security measures are in place, and what happens to the data when the contract ends. It must also include provisions about sub-processors (third parties your processor uses), data breach notification, and assistance with data subject requests.

Most reputable SaaS providers have a DPA available on their website or will provide one on request. If a tool you use cannot or will not provide a DPA, that is a compliance risk you should address — either by getting one in place or finding an alternative provider.

Analytics and GDPR

Analytics is where GDPR becomes most relevant for typical website owners. The compliance picture depends entirely on what your analytics tool does technically.

Cookie-based analytics need consent. If your analytics tool sets cookies or uses client-side storage to identify visitors, you need consent under the ePrivacy Directive before those cookies are set. Without consent, you lose that visitor's data entirely — which typically means losing 30-70% of your analytics data, depending on your audience and how your consent banner is designed.

Cookieless analytics may not need consent. Analytics tools that do not use cookies or client-side storage do not trigger the ePrivacy Directive's consent requirement. They still process some personal data (the IP address is read server-side to derive a visitor identifier, then discarded or hashed), but that processing can usually rely on legitimate interest rather than consent, meaning no popup, no data loss, and a much simpler compliance position. Two caveats: the exemption is lost if the tool reads device characteristics (installed fonts, canvas output, screen size and the like) to fingerprint the browser, because that is also accessing information on the device; and an identifier derived from the IP address stays personal data for as long as the key or salt used to derive it exists, so how the tool rotates and discards that secret matters.

The difference is not just legal — it is practical. With consent-based analytics, you see only the visitors who clicked "accept." With cookieless analytics, you see all of them.

Google Analytics and GDPR — the ongoing issues

Google Analytics deserves its own section because it has been the subject of extensive regulatory action across Europe.

The core issue stems from the Schrems II ruling (C-311/18), in which the Court of Justice of the EU invalidated the EU-US Privacy Shield in July 2020. This ruling found that US surveillance laws (particularly FISA Section 702 and Executive Order 12333) do not provide adequate protection for EU personal data transferred to the United States.

Google Analytics transfers visitor data to Google's servers in the United States. Following Schrems II, data protection authorities in Austria (DSB), France (CNIL), Italy (Garante), and Denmark (Datatilsynet) all ruled that using Google Analytics violates GDPR because the data transfers to the US lack adequate safeguards.

The EU-US Data Privacy Framework, adopted in July 2023, was intended to resolve this issue by providing a new legal basis for transatlantic data transfers. Google has self-certified under this framework. However, the framework faces legal challenges — privacy activist Max Schrems has indicated that a "Schrems III" challenge is likely, and many experts question whether the framework will survive judicial review given that the underlying US surveillance laws have not materially changed.

Beyond the transfer issue, Google Analytics raises other GDPR concerns. Google uses GA data for its own purposes (improving Google products and services), which complicates the purpose limitation principle. Google's data processing is complex and involves numerous sub-processors, making transparency difficult. And the volume of data collected by GA4 — detailed behavioral tracking, device information, demographic signals — goes well beyond what most website owners actually need.

None of this means you cannot use Google Analytics. Many websites still do, with consent banners and updated privacy policies. But the compliance burden is significant, the legal landscape is unstable, and the practical cost (lost data from consent rejection) is real.

Practical steps for a small website

If you run a small website and want to get GDPR compliant without hiring a law firm, here is what to do:

1. Audit your third-party tools. Make a list of every tool that processes visitor data: analytics, email marketing, payment processing, live chat, advertising pixels, embedded content (YouTube, social media widgets). For each one, note whether it sets cookies and whether it transfers data outside the EU.

2. Choose compliant analytics. If your analytics tool sets cookies and transfers data to the US, consider switching to a cookieless, privacy-focused alternative. Our guide on how to choose the right analytics tool can help you evaluate your options. This single change can eliminate your need for a cookie consent banner and dramatically simplify your compliance position.

3. Write or update your privacy policy. Cover every type of personal data you collect, why you collect it, what legal basis you rely on, who you share it with, how long you keep it, and how individuals can exercise their rights. Write it in plain language. Use a template if needed, but customize it to reflect what you actually do — a generic privacy policy that does not match your actual data practices is worse than no policy.

4. Add consent mechanisms where needed. If you still use tools that set non-essential cookies, implement a consent banner that blocks those cookies until the visitor consents. Make sure the banner has a clear accept and reject option — not just an "accept" button. Consent must be as easy to withdraw as it is to give.

5. Secure your DPAs. Check that you have a Data Processing Agreement in place with every third-party processor. Most will have one available on their website. Download it, review it, and keep it on file.

6. Set up a process for data subject requests. Publish a contact email for privacy requests. Document your internal process for handling access, deletion, and portability requests within the one-month deadline.

7. Review and repeat. GDPR compliance is not a one-time task. Review your data practices whenever you add a new tool, change how you collect data, or expand into new markets.
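As an added illustration of step 4, the following is example code written for this guide, not code from the original page or from any consent-management product. It shows the gating pattern most consent banners implement: non-essential tags ship as inert `<script type="text/plain" data-consent="analytics">` elements and are only switched on once the stored decision allows their category, and withdrawing consent expires the cookies those tags set. The cookie name `site_consent`, the category names, the `data-consent` attribute, the button ids `consent-accept` and `consent-reject`, and the per-category cookie lists are assumptions for the example.

```javascript
// Added example: consent gating for non-essential tags plus one-click
// withdrawal. Not from the original page; all names below are assumptions.
const CONSENT_COOKIE = 'site_consent';          // hypothetical cookie name
const CATEGORIES = ['analytics', 'marketing'];  // non-essential categories

// Cookies known to be set by each category (trailing '_' = prefix match,
// e.g. _ga_<container-id>). Assumed list for the example.
const CATEGORY_COOKIES = {
  analytics: ['_ga', '_ga_', '_gid'],
  marketing: ['_fbp', '_gcl_au'],
};

// Parse the stored decision from a Cookie header / document.cookie string.
// No cookie, or a malformed one, means "no consent": never default to yes.
function parseConsent(cookieString) {
  const consent = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  const m = new RegExp(`(?:^|;\\s*)${CONSENT_COOKIE}=([^;]*)`).exec(cookieString || '');
  if (!m) return consent;
  let value;
  try { value = decodeURIComponent(m[1]); } catch { return consent; }
  for (const c of value.split(',')) {
    if (CATEGORIES.includes(c)) consent[c] = true;
  }
  return consent;
}

// Serialize a decision into the consent cookie value. The consent cookie
// itself records the user's choice and is strictly necessary, so it needs
// no consent of its own.
function serializeConsent(consent) {
  return CATEGORIES.filter((c) => consent[c]).join(',');
}

// Given inert tag descriptors [{ category, type }], decide which may run:
// only tags still inert (type text/plain) in a consented category.
function tagsToActivate(tags, consent) {
  return tags.filter((t) => t.type === 'text/plain' && consent[t.category] === true);
}

// Names of existing cookies that must be expired because their category
// is not (or no longer) consented to.
function cookiesToExpire(existingNames, consent) {
  const matches = (name, pattern) =>
    pattern.endsWith('_') ? name.startsWith(pattern) : name === pattern;
  return existingNames.filter((name) =>
    Object.entries(CATEGORY_COOKIES).some(
      ([cat, patterns]) => !consent[cat] && patterns.some((p) => matches(name, p))
    )
  );
}

// Browser glue; skipped when this file runs under Node.
if (typeof document !== 'undefined') {
  // Activate gated tags by replacing each inert <script> with a live copy;
  // merely changing the type attribute in place does not execute it.
  const activateTags = (consent) => {
    const inert = [...document.querySelectorAll('script[type="text/plain"][data-consent]')]
      .map((el) => ({ el, category: el.dataset.consent, type: el.type }));
    for (const { el } of tagsToActivate(inert, consent)) {
      const live = document.createElement('script');
      for (const { name, value } of el.attributes) if (name !== 'type') live.setAttribute(name, value);
      live.type = 'text/javascript';
      live.text = el.text;
      el.replaceWith(live);
    }
  };
  // Expire cookies of withdrawn categories. A cookie set with a parent
  // Domain (e.g. _ga on .example.org) is only removed when the same Domain
  // is given, so try both the host-only and the parent-domain form.
  const expireCookies = (consent) => {
    const existing = document.cookie.split('; ').map((kv) => kv.split('=')[0]).filter(Boolean);
    for (const name of cookiesToExpire(existing, consent)) {
      document.cookie = `${name}=; Max-Age=0; Path=/`;
      document.cookie = `${name}=; Max-Age=0; Path=/; Domain=${location.hostname.replace(/^www\./, '')}`;
    }
  };
  const decide = (consent) => {
    document.cookie = `${CONSENT_COOKIE}=${encodeURIComponent(serializeConsent(consent))}; Max-Age=15552000; Path=/; SameSite=Lax; Secure`;
    activateTags(consent);
    expireCookies(consent);
  };
  // Accept-all and reject-all must be equally easy: one click each.
  document.getElementById('consent-accept')?.addEventListener('click', () =>
    decide(Object.fromEntries(CATEGORIES.map((c) => [c, true]))));
  document.getElementById('consent-reject')?.addEventListener('click', () =>
    decide(Object.fromEntries(CATEGORIES.map((c) => [c, false]))));
  // On each page load, honour the stored decision; with no decision stored,
  // nothing non-essential runs.
  activateTags(parseConsent(document.cookie));
}
```

The two properties to verify in any banner you deploy are the ones this code makes explicit: the default with no stored decision is "off", and the reject path is a single click that both stops the tags and removes what they already set. A banner that loads the analytics tag before the visitor answers, or hides "reject" behind a settings dialog, fails the consent test regardless of how it looks.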

Common GDPR myths debunked

"GDPR only applies to EU companies." False. GDPR applies to any organization that processes personal data of people in the EU, regardless of where the organization is based. A website run from Chicago that has visitors from Berlin is subject to GDPR.

"My site is too small to worry about GDPR." False. GDPR has no general size exemption. The one explicit concession, Article 30(5), relaxes the duty to keep records of processing activities for organizations with fewer than 250 employees, and even that falls away when the processing is more than occasional, involves special categories of data, or is likely to pose a risk to individuals' rights. A one-person blog that collects email addresses for a newsletter has the same obligations (proportionally applied) as a Fortune 500 company. The scale of your compliance efforts can be simpler, but the legal requirements apply equally.

"A cookie banner means I'm GDPR compliant." False. A cookie banner addresses cookie consent under the ePrivacy Directive. GDPR compliance is much broader: privacy policy, legal basis for processing, data subject rights, data processing agreements, data security, retention policies, and more. A cookie banner is one piece of a larger puzzle.

"Consent is always required." False. GDPR provides six legal bases for processing personal data. Consent is one. Legitimate interest is another, and it is often more appropriate for activities like basic website analytics, fraud prevention, and network security.

"If I anonymize data, GDPR does not apply." Partially true. Truly anonymized data — where re-identification is not possible — falls outside GDPR's scope. But pseudonymized data (like hashed identifiers that could theoretically be re-identified) is still personal data under GDPR. The bar for true anonymization is high.

"GDPR fines are only for big companies." False. While headline fines target large corporations, small businesses and even individuals have been fined. The amounts are proportionate — a small business will not face a EUR 50 million fine — but fines in the thousands or tens of thousands of euros are not uncommon.

Penalties: what actually happens

GDPR has a tiered penalty structure:

Lower tier — up to EUR 10 million or 2% of annual global turnover (whichever is higher). This applies to violations of obligations like data processing agreements, record keeping, data protection impact assessments, and breach notification.

Upper tier — up to EUR 20 million or 4% of annual global turnover (whichever is higher). This applies to violations of core principles, lawfulness of processing, consent requirements, data subject rights, and international transfer rules.

In practice, most enforcement actions against small websites result in warnings, orders to change practices, or modest fines. Data protection authorities generally focus their resources on organizations that cause the most harm — large-scale data processing, systematic violations, or refusal to cooperate.

That said, enforcement is increasing. The total value of GDPR fines has grown every year since 2018. Authorities are also becoming more active in pursuing complaints from individuals — a single complaint from one visitor can trigger an investigation.

Beyond regulatory fines, GDPR grants individuals the right to seek compensation for material or non-material damage resulting from GDPR violations (Article 82). Class-action-style litigation is growing in several EU member states.

The cost of non-compliance is not just fines. It includes legal fees, remediation costs, reputational damage, and the operational disruption of dealing with a regulatory investigation. For most small websites, the cost of getting compliant is far lower than the cost of getting caught.

A GDPR compliance checklist for small sites

Use this as a starting point. Not every item will apply to every site, but most will:

Privacy policy. You have a clear, plain-language privacy policy that covers all required information under Articles 13 and 14. It is easily accessible from every page (typically in the footer).

Legal basis documented. For each type of personal data processing, you have identified and documented the legal basis (consent, legitimate interest, contract, etc.).

Cookie consent (if applicable). If you use non-essential cookies, you have a consent mechanism that blocks those cookies until the visitor opts in. The banner offers a genuine choice (accept and reject). Pre-ticked boxes are not used.

Analytics compliance. Your analytics tool either operates with consent or does not require it (cookieless). If you use cookie-based analytics, they are blocked until consent is given.

Data processing agreements. You have a DPA in place with every third-party service that processes personal data on your behalf.

Data subject rights. You have a published contact method for privacy requests and a documented process for responding within one month.

Data security. You use HTTPS everywhere, keep software and dependencies updated, use strong unique passwords with multi-factor authentication on administrative accounts, limit access to personal data to those who need it, and keep backups that are themselves access-controlled.

International transfers. If you use US-based or other non-EU services, you have verified that appropriate safeguards are in place (Data Privacy Framework certification, Standard Contractual Clauses, etc.).

Data retention. You do not keep personal data longer than necessary. You have defined retention periods for each type of data.

Breach notification. You have a basic plan for what to do if a data breach occurs: notify your supervisory authority within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals), and notify affected individuals without undue delay if the breach poses a high risk to their rights. Keep an internal record of every breach, including those you decide not to report, and of why.

Regular review. You review your compliance posture when you add new tools, change data practices, or at least once a year.

Keeping it simple

GDPR compliance does not have to be overwhelming. The regulation is designed around a straightforward principle: be honest and careful with people's data. Collect only what you need, tell people what you do with it, keep it secure, and respect their rights. For most small websites, that translates to a decent privacy policy, sensible tool choices, and a handful of documented processes.

The single most impactful change you can make is choosing tools that minimize your compliance burden. Cookieless analytics like sourcebeam eliminate the need for consent banners, reduce the personal data you process, and simplify your privacy policy. EU-hosted services reduce your international transfer obligations. Privacy-focused email tools reduce the data you share with third parties.

GDPR rewards simplicity. The less data you collect, the fewer tools you use, and the more transparent you are — the easier compliance becomes. Start with the checklist above, address the gaps, and revisit it periodically. That is a solid foundation for any small website.

sourcebeam is cookieless analytics that works without consent banners — simpler GDPR compliance from day one. 10,000 events/month free. Try it free