TrustYourWebsite

GDPR & Privacy

Cookie consent, privacy policies, data processing, and GDPR requirements.

The General Data Protection Regulation affects every website that has European visitors. It covers how you collect personal data through forms, what cookies and tracking scripts load, whether your privacy policy meets the legal requirements, and how you handle data subject rights. Since 2018, European data protection authorities have issued over €4.5 billion in fines, and small businesses are increasingly being targeted alongside large corporations.

Key facts

  • The Dutch Autoriteit Persoonsgegevens fined a small company €525,000 for fingerprinting visitors without consent
  • Spain's AEPD issued over 600 fines in 2024, many under €10,000 to small businesses
  • A missing or inadequate privacy policy can result in fines of up to €20 million or 4% of annual turnover
  • Loading Google Fonts from Google's servers was ruled a GDPR violation by a Munich court in January 2022
  • Cookie banners that use dark patterns (pre-checked boxes, hidden reject buttons) violate GDPR consent requirements

What we check

  • Cookie consent banner presence and configuration
  • Third-party tracking scripts loading before consent
  • Privacy policy completeness and required elements
  • Contact form data handling and legal basis
  • Google Fonts and other third-party resource loading

Cookie consent and privacy: good vs. bad examples

Needs fixing

Cookie wall with no reject option

A full-screen banner that says "We use cookies to improve your experience" with only an "Accept all" button. No reject button, no settings link. GDPR requires freely given consent, which means refusing must be as easy as accepting.

Tracking scripts loaded before consent

Google Analytics, Facebook Pixel or other tracking scripts fire immediately on page load, before the visitor interacts with the cookie banner. This is the most common GDPR issue found by European DPAs.

Privacy policy with generic template text

A privacy policy that still contains placeholder text like "[Company Name]" or refers to data processing activities your business does not actually perform. A privacy policy must accurately describe your specific data processing.

Dark pattern consent design

An "Accept all" button in bright green and a "Manage preferences" link in tiny grey text. Or a cookie settings panel where all categories are pre-toggled to "on". These design patterns manipulate users into consenting and violate EDPB guidelines.

Compliant

Equal accept and reject buttons

A cookie banner with equally sized and styled "Accept all" and "Reject all" buttons. A third "Manage preferences" option lets users choose specific categories. No tracking fires until the visitor makes a choice.

No scripts until consent is given

Analytics and marketing scripts are only loaded after the visitor clicks "Accept." Essential cookies (session, cart, security) work without consent. The consent management platform blocks all non-essential scripts by default.

Accurate, specific privacy policy

A privacy policy that lists the exact data you collect (names, emails from the contact form), your legal basis for each, which third-party processors you use (e.g. Mailchimp, Stripe), retention periods and how visitors can exercise their rights.

Honest, neutral consent design

Accept and reject buttons with the same size, colour weight and placement. Cookie categories explained in plain language. Settings saved and respected across visits. A persistent link in the footer to change preferences at any time.
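
The "No scripts until consent is given" behaviour above can be implemented as a gate that holds every non-essential script until the visitor has chosen. This is an added example, not TrustYourWebsite's code or any consent platform's API; the class name, category names, URLs and the injected loader callback are assumptions for illustration.

```javascript
// Added example: a minimal consent gate. Category names, URLs and the
// loader callback are assumptions for illustration, not a real CMP API.
const ESSENTIAL = "essential";

class ConsentGate {
  // loader(src) performs the actual load; in a browser it would append a
  // <script> element. It is injected so the gate also runs offline.
  constructor(loader) {
    this.loader = loader;
    this.granted = new Set([ESSENTIAL]); // essential needs no consent
    this.pending = [];                   // scripts held back, in order
    this.loaded = [];
  }

  // Register a script. Non-essential scripts are blocked by default.
  register(src, category) {
    if (this.granted.has(category)) this.load(src);
    else this.pending.push({ src, category });
  }

  // Record the visitor's choice. An empty list means "Reject all".
  setConsent(categories) {
    this.granted = new Set([ESSENTIAL, ...categories]);
    const held = this.pending;
    this.pending = [];
    for (const s of held) {
      if (this.granted.has(s.category)) this.load(s.src);
      else this.pending.push(s); // still blocked
    }
  }

  load(src) {
    if (this.loaded.includes(src)) return; // never load the same script twice
    this.loaded.push(src);
    this.loader(src);
  }
}

// Constructed sample run with placeholder URLs.
function demo() {
  const fired = [];
  const gate = new ConsentGate((src) => fired.push(src));
  gate.register("/js/cart.js", "essential");
  gate.register("https://analytics.example/a.js", "analytics");
  gate.register("https://ads.example/pixel.js", "marketing");
  const beforeChoice = [...fired];
  gate.setConsent(["analytics"]); // visitor accepts analytics only
  return { beforeChoice, afterChoice: [...fired], stillBlocked: gate.pending.map((s) => s.src) };
}
```

In this sketch a later change of preferences only affects scripts that have not loaded yet; one that already ran stays in the page until it is reloaded.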

Related guides

Complete GDPR Website Audit: Step-by-Step Checklist

A step-by-step GDPR audit checklist for your website. Check cookies, tracking, privacy policy, forms, third-party services, and security in one pass.

Cookie banner dark patterns in Ireland: what the DPC expects in 2026

The 12 cookie banner dark patterns per EDPB taxonomy. DPC guidance, IAB Europe ruling and what the scanner detects after clicking reject all.

Cookie consent in Ireland: DPC rules your website must follow

Cookie consent rules for Irish websites. SI 336/2011 requirements, DPC dark pattern guidance, what 'strictly necessary' means, and how to test your banner.

Do I Need a Cookie Banner? A Simple Decision Guide

Not sure if your website needs a cookie banner? This simple guide helps you decide based on what your website actually does.

GDPR Compliance Checklist for Your Website (2026)

A practical GDPR checklist for small business websites. Check cookies, privacy policy, consent forms, and tracking scripts.

GDPR compliance for Irish businesses: website checklist 2026

What Irish SMBs must do to comply with GDPR on their websites. Privacy policy, cookie consent, CRO number, DPC enforcement cases, and a free website check.

Google Fonts and GDPR: Why Your Website Might Be Leaking Data

Loading Google Fonts from Google's servers sends visitor IP addresses to the US. A German court fined a website owner for this. Here is how to fix it.

How to Create a Privacy Policy (Free Generator + Guide)

Create a GDPR-compliant privacy policy for your website. Use our free generator or follow this guide to write one yourself.

Is your website GDPR compliant? Free website check for Irish businesses

Free GDPR website check for Irish businesses. Our scanner tests cookie consent, privacy policy, company registration details, security, and more. Results in 60 seconds.

Website privacy policy requirements in Ireland: what the DPC expects in 2026

The 14 mandatory elements of a GDPR privacy policy for Irish websites. DPC guidance, LinkedIn EUR 310M transparency case and practical checklist for SMEs.

Cookie Banner Requirements 2026: What Actually Counts

Most cookie banners fail basic GDPR requirements. Here is what yours actually needs: reject buttons, no dark patterns, real consent.

GDPR Fines for Small Businesses: Real Cases and Amounts

Real GDPR fines for small businesses: actual cases from 1,000 to 50,000 EUR. What triggers enforcement and how to avoid it.

GDPR for dental practices in Ireland

GDPR and data protection for Irish dental practices. Patient data as special category, Dental Council registration, record retention, online booking, and breach notification.

GDPR for estate agents in Ireland: PSRA compliance

GDPR for Irish estate agents. PSRA licence display requirements, client and tenant data, viewing records, anti-money laundering, photography, and website compliance.

GDPR for restaurants and hospitality in Ireland

GDPR for Irish restaurants, hotels, and hospitality businesses. Reservation systems, WiFi, loyalty programmes, CCTV, staff data, and free website check.

GDPR for solicitors in Ireland: Law Society requirements

GDPR for Irish solicitors. Law Society of Ireland requirements, client confidentiality and GDPR overlap, anti-money laundering data retention, and website compliance.

Google Maps on Your Website: The GDPR Problem

Embedding Google Maps sends visitor IP addresses and browsing data to Google without consent. Here are GDPR-compliant alternatives.

Privacy Policy: What Must Be in It and What Is Optional

GDPR Articles 13 and 14 require 12 specific elements in your privacy policy. Here is exactly what must be there and what you can skip.

YouTube Embeds and GDPR: Why Your Video Sends Data to Google

Embedding a YouTube video on your site sends visitor data to Google before they press play. Here is what happens and how to fix it.

Check your website now

Scan your website for GDPR & Privacy issues and 30+ other checks.
