
GDPR & Privacy
Cookie consent, privacy policies, data processing, and GDPR requirements.
The General Data Protection Regulation applies to any website that offers goods or services to, or monitors the behaviour of, visitors in the EU/EEA, wherever the site is hosted. It covers how you collect personal data through forms, which cookies and tracking scripts load and when, whether your privacy policy contains the information Articles 13 and 14 require, and how you handle data subject rights. Since 2018, European data protection authorities have issued over €4.5 billion in fines, and increasingly, small businesses are being targeted alongside the large corporations.
Key facts
- The Dutch Autoriteit Persoonsgegevens fined a small company €525,000 for fingerprinting visitors without consent
- Spain's AEPD issued over 600 fines in 2024, many under €10,000 to small businesses
- Breaches of the transparency obligations, including a missing or inadequate privacy policy, can result in fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher
- Loading Google Fonts from Google's servers was ruled a GDPR violation by the Munich Regional Court (Landgericht München I) in January 2022; the visitor was awarded €100 in damages for the transfer of their IP address to Google
- Cookie banners that use dark patterns (pre-checked boxes, hidden reject buttons) do not obtain valid consent under GDPR
What we check
- ✓ Cookie consent banner presence and configuration
- ✓ Third-party tracking scripts loading before consent
- ✓ Privacy policy completeness and required elements
- ✓ Contact form data handling and legal basis
- ✓ Google Fonts and other third-party resource loading
Cookie consent and privacy: good vs. bad examples
Cookie wall with no reject option
A full-screen banner that says "We use cookies to improve your experience" with only an "Accept all" button. No reject button, no settings link. GDPR requires consent to be freely given (Art. 4(11) and Art. 7), and European DPAs read that as: refusing must be as easy as accepting, on the same layer of the banner. A wall that only lets the visitor continue by accepting does not produce valid consent.
Equal accept and reject buttons
A cookie banner with equally sized and styled "Accept all" and "Reject all" buttons. A third "Manage preferences" option lets users choose specific categories. No tracking fires until the visitor makes a choice.
Tracking scripts loaded before consent
Google Analytics, Facebook Pixel or other tracking scripts fire immediately on page load, before the visitor interacts with the cookie banner. Because the request to the tracker already carries the visitor's IP address and identifiers, the data transfer has happened before any choice is made; a banner that appears afterwards changes nothing. This is one of the most common issues European DPAs cite in cookie enforcement.
No scripts until consent is given
Analytics and marketing scripts are only loaded after the visitor clicks "Accept all" or enables that category. Essential cookies (session, cart, security) work without consent. The consent management platform blocks all non-essential scripts by default, and records the visitor's choice so the site can demonstrate that consent was given (Art. 7(1)).
Privacy policy with generic template text
A privacy policy that still contains placeholder text like "[Company Name]" or refers to data processing activities your business does not actually perform. A privacy policy must accurately describe your specific data processing.
Accurate, specific privacy policy
A privacy policy that lists the exact data you collect (names, emails from the contact form), your legal basis for each, which third-party processors you use (e.g. Mailchimp, Stripe), retention periods and how visitors can exercise their rights.
Dark pattern consent design
An "Accept all" button in bright green and a "Manage preferences" link in tiny grey text. Or a cookie settings panel where all categories are pre-toggled to "on". These patterns manipulate users into consenting; they contradict the EDPB's guidelines on consent (05/2020) and on deceptive design patterns (03/2022), and DPAs treat the resulting consent as invalid.
Honest, neutral consent design
Accept and reject buttons with the same size, colour weight and placement. Cookie categories explained in plain language. Settings saved and respected across visits, including a "Reject all" choice, so the visitor is not asked again on every page. A persistent link in the footer to change preferences at any time, because withdrawing consent must be as easy as giving it (Art. 7(3)).
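The two behaviours described above, blocking non-essential scripts by default until consent is given and saving the choice across visits, are easy to state and easy to get wrong. The following is an added example (not code from this page or from any consent management product) of the minimal gate behind them. Non-essential scripts are written as inert `<script type="text/plain" data-consent="analytics" src="https://example.com/analytics.js">` tags, which the browser neither fetches nor executes, and are swapped for live scripts only once a valid, current consent record grants their category. The cookie name, categories, version number and six-month lifetime are assumptions for this example.

```javascript
// Consent gate: default deny, versioned consent record, inert scripts activated per category.
// All names and values below are assumptions for this example, not a product's API.

const CATEGORIES = ["analytics", "marketing"];  // non-essential categories (assumed)
const CONSENT_COOKIE = "site_consent";           // assumed cookie name
const CONSENT_VERSION = 2;                       // bump when purposes or vendors change
const CONSENT_MAX_AGE = 180 * 24 * 3600;         // re-ask after 6 months (assumed policy)

// Read the consent record from a document.cookie-style string.
// Returns { granted: [...] } or null. Null means "no valid consent": the cookie is
// absent, malformed, tampered with, or written under an older consent version.
function parseConsent(cookieString) {
  for (const pair of String(cookieString || "").split(";")) {
    const eq = pair.indexOf("=");
    if (eq < 0) continue;
    if (pair.slice(0, eq).trim() !== CONSENT_COOKIE) continue;
    let record;
    try {
      record = JSON.parse(decodeURIComponent(pair.slice(eq + 1).trim()));
    } catch (e) {
      return null; // malformed or tampered: treat as no consent
    }
    if (!record || record.v !== CONSENT_VERSION || !Array.isArray(record.granted)) {
      return null; // stale version or wrong shape: ask again, never assume
    }
    // Keep only known categories so a crafted cookie cannot unlock anything new.
    return { granted: record.granted.filter((c) => CATEGORIES.includes(c)) };
  }
  return null;
}

// Serialise a choice as a Set-Cookie style string. "Reject all" is stored as an
// explicit empty list, so the banner is not shown again on every page.
function serializeConsent(granted) {
  const clean = CATEGORIES.filter((c) => granted.includes(c));
  const value = encodeURIComponent(JSON.stringify({ v: CONSENT_VERSION, granted: clean }));
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=${CONSENT_MAX_AGE}; SameSite=Lax; Secure`;
}

// The gate itself: essential always runs; anything else only with a stored, valid grant.
function isAllowed(consent, category) {
  if (category === "essential") return true;
  return consent !== null && consent.granted.includes(category);
}

// Browser side: replace each inert script whose category is allowed with a live one.
// Inert scripts are never fetched or run, which is what "blocked by default" means.
function activateScripts(doc, consent) {
  let activated = 0;
  for (const inert of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!isAllowed(consent, inert.dataset.consent)) continue;
    const live = doc.createElement("script");
    if (inert.src) live.src = inert.src;          // external tag
    else live.textContent = inert.textContent;     // inline snippet
    inert.replaceWith(live);
    activated++;
  }
  return activated;
}

// Called by the banner's buttons: "Accept all" -> recordChoice(document, CATEGORIES),
// "Reject all" -> recordChoice(document, []), preferences panel -> the ticked categories.
function recordChoice(doc, granted) {
  doc.cookie = serializeConsent(granted);
  return activateScripts(doc, parseConsent(doc.cookie));
}

// On every page load: activate only what a previous, still-valid choice permits.
if (typeof document !== "undefined") {
  activateScripts(document, parseConsent(document.cookie));
}
```

Two design points worth noting. The version number is what makes "settings saved and respected across visits" safe: when you add a vendor or purpose, bumping `CONSENT_VERSION` invalidates every old record and the banner reappears, instead of an old "accept" silently covering new processing. And the cookie is only the browser-side copy of the choice; to demonstrate consent under Art. 7(1) the server should also log what was shown and what was chosen, which this example does not do.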
Related guides
Belgian GBA Cookie Enforcement: What They Check on Your Website
The Belgian Gegevensbeschermingsautoriteit (GBA) enforces cookie rules under the Wet van 13 juni 2005. Here is what they check and how to fix your cookie setup.
Cookie Banner Requirements for Belgium: What English-Speaking Businesses Need to Know
What your cookie banner must do in Belgium. GBA enforcement, equal reject button, no dark patterns, language requirements, and a step-by-step compliance checklist.
Do I Need a Cookie Banner? A Simple Decision Guide
Not sure if your website needs a cookie banner? This simple guide helps you decide based on what your website actually does.
GDPR Compliance Checklist for Belgian Businesses (2026)
A practical GDPR compliance checklist for Belgian business websites. Covers cookies, privacy policy, KBO number, legal notices, contact forms, and data processor agreements.
GDPR Compliance Checklist for Belgian Businesses (2026)
35-point GDPR checklist for Belgian businesses. APD/GBA enforcement, Wet 30 juli 2018, KBO/BCE number, cookie consent rules, Brussels bilingual obligations.
GDPR Website Audit for Belgian Businesses: Step-by-Step
Step-by-step GDPR website audit for Belgian businesses. APD/GBA inspection approach, cookie testing, Belgian 10-year retention, Brussels bilingual privacy notices.
Google Fonts and GDPR: Why Your Website Might Be Leaking Data
Loading Google Fonts from Google's servers sends visitor IP addresses to the US. A Munich court ordered a website operator to pay damages for this. Here is how to fix it.
How to Create a Privacy Policy (Free Generator + Guide)
Create a GDPR-compliant privacy policy for your website. Use our free generator or follow this guide to write one yourself.
YouTube Embeds and GDPR: What Irish and Belgian Businesses Need to Know
YouTube embeds collect data before play. Irish DPC and Belgian GBA both require prior consent. Three compliant approaches and a full checklist for Belgian businesses.
Cookie Banner Requirements 2026: What Actually Counts
Most cookie banners fail basic GDPR requirements. Here is what yours actually needs: reject buttons, no dark patterns, real consent.
GDPR Fines for Small Businesses: Real Cases and Amounts
Real GDPR fines for small businesses: actual cases from 1,000 to 50,000 EUR. What triggers enforcement and how to avoid it.
Google Maps on Your Website: The GDPR Problem
Embedding Google Maps sends visitor IP addresses and browsing data to Google without consent. Here are GDPR-compliant alternatives.
Privacy Policy: What Must Be in It and What Is Optional
GDPR Articles 13 and 14 require 12 specific elements in your privacy policy. Here is exactly what must be there and what you can skip.
Related from other areas
EAA for Belgian Small Businesses: What Your Website Must Do Since 28 June 2025
Practical EAA guide for Belgian SMBs. Microenterprise exemption, KBO/BCE number, accessibility statement, Brussels bilingual obligations, WCAG 2.1 AA: all explained.
Website Security Checklist: 10 Things to Check Today
A practical security checklist for small business websites. 10 things you can check and fix today without technical expertise.
Check your website now
Scan your website for GDPR & Privacy issues and 30+ other checks.