
GDPR & Privacy

Cookie consent, privacy policies, data processing, and GDPR requirements.

The General Data Protection Regulation affects every website that has European visitors. It covers how you collect personal data through forms, what cookies and tracking scripts load, whether your privacy policy meets the legal requirements, and how you handle data subject rights. Since 2018, European data protection authorities have issued over €4.5 billion in fines, and increasingly, small businesses are being targeted alongside the large corporations.

Key facts

  • The Dutch Autoriteit Persoonsgegevens fined a small company €525,000 for fingerprinting visitors without consent
  • Spain's AEPD issued over 600 fines in 2024, many under €10,000 to small businesses
  • A missing or inadequate privacy policy can result in fines of up to €20 million or 4% of annual turnover
  • Google Fonts loaded from Google servers was ruled a GDPR violation by a Munich court in January 2022
  • Cookie banners that use dark patterns (pre-checked boxes, hidden reject buttons) violate GDPR consent requirements

What we check

  • Cookie consent banner presence and configuration
  • Third-party tracking scripts loading before consent
  • Privacy policy completeness and required elements
  • Contact form data handling and legal basis
  • Google Fonts and other third-party resource loading

Cookie consent and privacy: good vs. bad examples

Needs fixing

Cookie wall with no reject option

A full-screen banner that says "We use cookies to improve your experience" with only an "Accept all" button. No reject button, no settings link. GDPR requires freely given consent, which means refusing must be as easy as accepting.

Tracking scripts loaded before consent

Google Analytics, Facebook Pixel or other tracking scripts fire immediately on page load, before the visitor interacts with the cookie banner. This is the most common GDPR issue found by European DPAs.

Privacy policy with generic template text

A privacy policy that still contains placeholder text like "[Company Name]" or refers to data processing activities your business does not actually perform. A privacy policy must accurately describe your specific data processing.

Dark pattern consent design

An "Accept all" button in bright green and a "Manage preferences" link in tiny grey text. Or a cookie settings panel where all categories are pre-toggled to "on". These design patterns manipulate users into consenting and violate EDPB guidelines.

Compliant

Equal accept and reject buttons

A cookie banner with equally sized and styled "Accept all" and "Reject all" buttons. A third "Manage preferences" option lets users choose specific categories. No tracking fires until the visitor makes a choice.

No scripts until consent is given

Analytics and marketing scripts are only loaded after the visitor clicks "Accept." Essential cookies (session, cart, security) work without consent. The consent management platform blocks all non-essential scripts by default.
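The "blocked by default, released on consent" behaviour described above, as an added example that is not the page's own code nor any particular CMP's. The storage key, category names and script URLs are assumptions, and the sample tag declarations are constructed.

```javascript
// Declared-inert tag pattern: <script type="text/plain" data-category="analytics" src="...">
// stays unexecuted until this loader swaps it for a live <script>. With no stored
// decision, or a malformed one, only essential scripts ever run.
const CONSENT_KEY = "cookie_consent_v1"; // assumed storage key
const NON_ESSENTIAL = ["analytics", "marketing"]; // assumed category names

// Constructed sample of the inert declarations a page would carry (not real URLs).
const SAMPLE_SCRIPTS = [
  { category: "essential", src: "/js/session.js" },
  { category: "analytics", src: "https://analytics.example/tag.js" },
  { category: "marketing", src: "https://ads.example/pixel.js" },
];
// Parse a stored decision; anything missing or malformed counts as "no consent".
function parseConsent(raw) {
  if (typeof raw !== "string") return null;
  try {
    const c = JSON.parse(raw);
    return c && typeof c.categories === "object" && c.categories !== null ? c : null;
  } catch (_err) {
    return null;
  }
}

// Record for an "Accept all" or "Reject all" click: both produce an explicit
// decision, so refusing is one click, exactly like accepting.
function decide(acceptAll) {
  const categories = {};
  for (const cat of NON_ESSENTIAL) categories[cat] = acceptAll === true;
  return { version: 1, decidedAt: new Date().toISOString(), categories };
}

// Essential scripts are always permitted; others only when their category is
// explicitly boolean true (a pre-toggled default or a "yes" string never counts).
function allowedScripts(scripts, consent) {
  return scripts.filter((s) => s.category === "essential" ||
    (consent !== null && consent.categories[s.category] === true));
}

// Browser side: replace each permitted inert tag with a live <script>.
function applyConsent(doc, consent) {
  const inert = Array.from(doc.querySelectorAll('script[type="text/plain"][data-category]'))
    .map((el) => ({ category: el.dataset.category, src: el.getAttribute("src"), el }));
  for (const s of allowedScripts(inert, consent)) {
    const live = doc.createElement("script");
    live.src = s.src;
    s.el.replaceWith(live);
  }
}
if (typeof document !== "undefined") applyConsent(document, parseConsent(localStorage.getItem(CONSENT_KEY)));
```

A "Manage preferences" panel would write the same record shape with a per-category boolean, and the footer link simply reopens it and re-runs applyConsent.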

Accurate, specific privacy policy

A privacy policy that lists the exact data you collect (names, emails from the contact form), your legal basis for each, which third-party processors you use (e.g. Mailchimp, Stripe), retention periods and how visitors can exercise their rights.

Honest, neutral consent design

Accept and reject buttons with the same size, colour weight and placement. Cookie categories explained in plain language. Settings saved and respected across visits. A persistent link in the footer to change preferences at any time.

Related guides

Can You Run Analytics Without Consent in the UK? The ICO's Position

The ICO's position on running analytics without consent in the UK. Why Google Analytics requires prior consent, what server-side and privacy-preserving alternatives qualify as exempt, and how to decide.

Complete GDPR Website Audit: Step-by-Step Checklist

A step-by-step GDPR audit checklist for your website. Check cookies, tracking, privacy policy, forms, third-party services, and security in one pass.

Cookie banner dark patterns in the UK: ICO enforcement in 2026

The 12 cookie banner dark patterns per EDPB taxonomy. ICO top-100 letter campaign, PECR enforcement and what the scanner detects after clicking reject all.

Cookie Banner Rules in the UK: What the ICO Requires in 2026

ICO requirements for UK cookie banners in 2026. PECR Regulation 6, accept/reject parity, no pre-ticked boxes, no cookie walls, and what the ICO's 2024-2025 enforcement found.

Cookie consent in the UK: ICO rules your website must follow

Cookie consent rules for UK websites. PECR Regulation 6 requirements, ICO guidance, what 'strictly necessary' means, and how to test your banner.

DMCCA 2024: How the CMA Enforces Dark Patterns on UK Websites

How the CMA enforces dark patterns under the Digital Markets, Competition and Consumers Act 2024. Drip pricing, fake reviews, subscription traps, and the CMA's new direct-fining powers.

Do I Need a Cookie Banner on My UK Website?

Do UK websites need a cookie banner? Yes, if you use any tracking — Google Analytics, Facebook Pixel, or similar. Here's what PECR and the ICO require, and what to do.

GDPR Compliance Checklist for Your Website (2026)

A practical GDPR checklist for small business websites. Check cookies, privacy policy, consent forms, and tracking scripts.

GDPR compliance for UK businesses: website checklist 2026

What UK SMEs must do to comply with UK GDPR and PECR on their websites. Privacy notice, cookie consent, Companies House details, ICO enforcement cases, and a free check.

GDPR Compliance for UK Restaurant Websites: Data, Bookings, and Consent

Essential GDPR and PECR requirements for restaurant websites collecting booking data, email signups, cookies, and payment information. UK-specific guidance with examples.

Google Fonts and GDPR: Why Your Website Might Be Leaking Data

Loading Google Fonts from Google's servers sends visitor IP addresses to the US. A German court fined a website owner for this. Here's how to fix it.

How to Check If a Website Is Trustworthy: 10 Essential Signals in 2026

Practical checks for consumers and businesses to verify a website's legitimacy: HTTPS, privacy policy, business registration, contact details, certificate validation, and more.

How to Create a Privacy Policy (Free Generator + Guide)

Create a GDPR-compliant privacy policy for your website. Use our free generator or follow this guide to write one yourself.

ICO Investigation Process: What to Expect When the ICO Contacts Your Business

What happens when the ICO investigates your business. Information notices, 30-day response deadlines, formal investigations, fine decisions and appeal routes explained.

PECR Cookie Rules in the UK: What the ICO Actually Enforces

PECR Regulation 6 cookie requirements for UK websites. How PECR differs from UK GDPR, the ICO's enforcement record, and what the 2025 guidance changed.

UK GDPR Fines Under the ICO: What Penalties Look Like in 2026

ICO fine bands under UK GDPR: up to £17.5M or 4% of global turnover. Marriott, BA and TikTok cases explained. What SMBs realistically face.

UK GDPR vs EU GDPR after Brexit: what actually changed for British businesses

UK GDPR vs EU GDPR for British SMEs in 2026. The Data (Use and Access) Act 2025, PECR cookie rules, ICO enforcement, the UK-US Data Bridge, and when you still need an EU representative.

UK GDPR vs EU GDPR: What Actually Differs Post-Brexit and After the DUAA 2025

Side-by-side comparison of UK GDPR and EU GDPR in 2026. When each applies, what the DUAA 2025 changed, adequacy status, and dual compliance for UK businesses selling into the EU.

UK website privacy notice requirements after DUAA (2026)

The 14 mandatory elements of a UK GDPR privacy notice. DUAA 2025 changes, new complaint mechanism, recognised legitimate interests and ICO checklist for SMEs.

Cookie-Script Alone May Not Be Enough: What a Scan Reveals Beyond the Banner

Cookie-Script is an excellent CMP for consent and cookie management. But it handles only PECR compliance. A website audit catches what it misses: data leaks, image copyright, accessibility, SSL issues.

GDPR Fines for Small Businesses: Real Cases and Amounts

Real GDPR fines for small businesses: actual cases from 1,000 to 50,000 EUR. What triggers enforcement and how to avoid it.

GDPR for dental practices in the UK

UK GDPR and data protection for dental practices. Patient data as special category, GDC registration, NHS Digital obligations, record retention, online booking, and breach notification.

GDPR for solicitors in the UK: SRA, Law Society, and ICO requirements

UK GDPR for solicitors. SRA Standards and Regulations, Law Society guidance, legal professional privilege and GDPR overlap, MLR 2017 retention, and website compliance.

Google Maps on Your Website: The GDPR Problem

Embedding Google Maps sends visitor IP addresses and browsing data to Google without consent. Here are GDPR-compliant alternatives.

Third-Party Tracking on Your Website: Find Hidden Cookies and Obtain Consent

Identify third-party trackers embedded in your website (Google Analytics, Facebook Pixel, YouTube, Maps). UK PECR Regulation 6 and GDPR Article 6 consent requirements.

Check your website now

Scan your website for GDPR & Privacy issues and 30+ other checks.
