GDPR Compliance Checklist for Websites in 2026
GDPR enforcement is intensifying across Europe. In 2025 alone, European data protection authorities issued over €2 billion in fines — and SMBs are increasingly in the crosshairs. The days of ignoring GDPR because "we're too small to get noticed" are over. National authorities in France (CNIL), the Netherlands (AP), Belgium (APD/GBA), and Germany (BfDI) are actively auditing websites and responding to consumer complaints.
This checklist covers every GDPR requirement your website must meet in 2026, with practical implementation guidance for each item.
Cookie Consent — The Most Visible Requirement
Cookie consent is where most websites fail their GDPR compliance. A simple "We use cookies" banner with an "OK" button hasn't been compliant since 2019. Here's what you actually need:
Consent Management Platform (CMP)
- Prior consent required: No tracking cookies, analytics scripts, or advertising pixels may fire until the user gives explicit consent. This means your Google Analytics, Facebook Pixel, and other tracking must be blocked by default
- Granular choices: Users must be able to accept or reject categories separately (necessary, analytics, marketing, preferences). An "accept all" or "reject all" toggle is not sufficient alone
- No dark patterns: The "reject" option must be as prominent as "accept." No hiding it behind "manage preferences" with extra clicks. CNIL has specifically fined companies for making rejection harder than acceptance
- Consent record: Store proof of consent (what was consented to, when, and the version of your privacy policy at that time)
- Easy withdrawal: Users must be able to change their cookie preferences at any time. A persistent link in the footer (e.g., "Cookie Settings") is the standard approach
- Consent expiry: Re-ask for consent periodically (typically every 6-13 months, depending on the authority)
Technical Implementation
- Script blocking: Your CMP must actually block scripts, not just show a banner while tracking runs in the background. Test by checking network requests before consent is given
- Tag manager integration: If using Google Tag Manager, configure consent mode to respect CMP decisions
- Server-side tracking: Be aware that server-side analytics (e.g., Plausible, Umami) may not require consent if they don't use cookies and anonymize IPs — but verify with your DPA's guidance
Privacy Policy Requirements
Your privacy policy must be comprehensive, clear, and accessible. Required elements:
Identity and Contact
- Full legal name and registration number of your company
- Physical address
- Data Protection Officer (DPO) contact details (if applicable)
- Email or form for data subject requests
Data Processing Details
- What data you collect: Be specific — name, email, IP address, browser data, cookies, form submissions
- Why you collect it (legal basis): For each type of data, state the legal basis — consent, legitimate interest, contractual necessity, or legal obligation
- How long you keep it: Specific retention periods for each data category. "As long as necessary" is not specific enough
- Who you share it with: List all third parties that receive data — hosting provider, analytics tools, email service, payment processor. Include their location (especially if outside the EU)
- International transfers: If data leaves the EU (e.g., to US-based services), explain the legal basis (Standard Contractual Clauses, adequacy decision, etc.)
User Rights Section
Your privacy policy must clearly explain how users can exercise their GDPR rights:
- Right of access: Users can request a copy of all data you hold about them
- Right to rectification: Users can request correction of inaccurate data
- Right to erasure ("right to be forgotten"): Users can request deletion of their data
- Right to restrict processing: Users can ask you to stop processing while they dispute accuracy
- Right to data portability: Users can request their data in a machine-readable format
- Right to object: Users can object to processing based on legitimate interest
- Right to complain: Users can file complaints with the relevant supervisory authority
Forms and Data Collection
Contact Forms
- Minimize data collection: Only ask for what you genuinely need. If you don't need a phone number, don't ask for it
- Clear purpose statement: Tell users why you're collecting each piece of information before they submit
- Consent checkbox: For marketing communications, include an unchecked checkbox with clear language: "I agree to receive marketing emails from [Company]. I can unsubscribe at any time."
- Link to privacy policy: Always link to your privacy policy near the submit button
- No pre-checked boxes: GDPR explicitly prohibits pre-checked consent checkboxes
Newsletter Signup
- Double opt-in: Send a confirmation email before adding anyone to your mailing list. This is legally required in Germany and recommended everywhere in Europe
- Easy unsubscribe: Every email must include a one-click unsubscribe link
- Separate consent: Newsletter consent must be separate from other consents (e.g., terms of service)
Third-Party Services Audit
Every third-party service your website uses that processes personal data must be GDPR-compliant. Audit these common integrations:
Analytics
- Google Analytics 4: Requires cookie consent, IP anonymization, data processing agreement, and proper GA4 configuration for EU compliance
- Alternatives: Privacy-focused analytics like Plausible, Fathom, or Umami can operate without cookies and may not require consent — but still document them in your privacy policy
Fonts and CDNs
- Google Fonts: Loading from Google's CDN transmits the user's IP address to Google — a German court ruled this violates GDPR in 2022. Self-host your fonts to avoid this issue entirely
- Other CDNs: Any CDN that logs user data (IP addresses) should be covered in your privacy policy
Embedded Content
- YouTube videos: Use the youtube-nocookie.com embed domain and load the embed behind consent
- Google Maps: Transmits user data to Google — load behind consent or use a static map image with a link
- Social media embeds: Twitter, Facebook, Instagram embeds all track users — use facade patterns (static previews that load the real embed only after consent)
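As an added example (not code from the original article or from any CMP vendor), the following JavaScript implements the script blocking described under Technical Implementation and the facade pattern from this section: tracking scripts and embeds are declared inert in the HTML (`type="text/plain"` for scripts, no `src` on iframes) and are only activated for categories the user accepted, while the consent record keeps the choices, timestamp and policy version needed for proof and expiry checks. The 180-day maximum age, the `data-category`/`data-src` attribute names and the policy version strings are assumptions chosen for this example.

```javascript
// Added example (not from the article): a consent gate for tracking scripts
// and third-party embeds. Assumed markup: elements carry data-category and
// data-src; scripts use type="text/plain" so the browser never runs them.
const CATEGORIES = ['necessary', 'analytics', 'marketing', 'preferences'];
const CONSENT_MAX_AGE_DAYS = 180; // assumed; the article cites 6-13 months
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Proof-of-consent record: per-category choices (anything not explicitly
// true counts as refused), timestamp, and the policy version the user saw.
// 'necessary' needs no consent and is always granted.
function recordConsent(choices, policyVersion, now = Date.now()) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = c === 'necessary' || choices[c] === true;
  return { granted, policyVersion, timestamp: now };
}

// Valid only if present, given for the current policy version, and not older
// than maxAgeDays; otherwise the banner must be shown again.
function consentIsValid(record, policyVersion, now = Date.now(),
                        maxAgeDays = CONSENT_MAX_AGE_DAYS) {
  if (!record || record.policyVersion !== policyVersion) return false;
  return now - record.timestamp <= maxAgeDays * MS_PER_DAY;
}

// Default-deny filter: without a record only 'necessary' resources may load.
function allowedResources(declared, record) {
  const granted = record ? record.granted : { necessary: true };
  return declared.filter(r => granted[r.category] === true);
}

// Browser side: turn inert declarations into live ones for accepted categories.
//   <script type="text/plain" data-category="analytics" data-src="..."></script>
//   <iframe data-category="marketing" data-src="https://www.youtube-nocookie.com/embed/..."></iframe>
// Returns the number of activated elements (0 when there is no DOM).
function activateResources(record, doc = globalThis.document) {
  if (!doc) return 0;
  const declared = [...doc.querySelectorAll('[data-category][data-src]')]
    .map(el => ({ el, category: el.dataset.category }));
  let n = 0;
  for (const { el } of allowedResources(declared, record)) {
    if (el.tagName === 'SCRIPT') {
      const live = doc.createElement('script'); // fresh element, so it executes
      live.src = el.dataset.src;
      el.replaceWith(live);
    } else {
      el.src = el.dataset.src; // iframe facade: setting src loads the embed
    }
    n++;
  }
  return n;
}
```

To verify the gate, open the browser's network panel before interacting with the banner: nothing outside the 'necessary' category should be requested until `activateResources` runs with a record that grants it.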
Country-Specific Requirements
While GDPR is EU-wide, national data protection authorities add their own interpretations:
France (CNIL)
- Requires "continue without accepting" to be as prominent as "accept all"
- Maximum cookie consent duration: 13 months
- Specific guidance on cookie wall compliance
- Active enforcement with significant fines even for SMBs
Germany (BfDI + State DPAs)
- Strictest interpretation in Europe
- Double opt-in mandatory for email marketing
- Google Fonts must be self-hosted (court ruling)
- Detailed Impressum (legal notice) required on every website
Netherlands (Autoriteit Persoonsgegevens)
- Cookie walls generally not permitted
- Specific guidance on cookie consent for government and public sector sites
- Active enforcement on major websites
Belgium (APD/GBA)
- IAB Europe's TCF consent framework partially invalidated by Belgian DPA
- Focus on transparency and genuine consent
- Bilingual requirements (FR/NL) for privacy notices depending on region
United Kingdom (ICO — Post-Brexit)
- UK GDPR mirrors EU GDPR with minor differences
- PECR (Privacy and Electronic Communications Regulations) governs cookies
- ICO has its own enforcement priorities and fine structure
- If you serve both EU and UK markets, you may need to comply with both frameworks
Data Processing Agreement (DPA)
If you use any third-party service that processes personal data on your behalf, you need a DPA in place. This includes:
- Your hosting provider
- Email service provider (Mailchimp, SendGrid, etc.)
- Analytics tools
- CRM systems
- Payment processors
- Cloud storage providers
Most reputable services offer a DPA as part of their terms. Ensure you've signed or accepted it, and keep copies accessible.
Data Breach Response Plan
GDPR requires you to:
- Report breaches to your DPA within 72 hours of becoming aware (if the breach is likely to result in a risk to individuals)
- Notify affected individuals "without undue delay" if the breach is likely to result in high risk
- Document all breaches — even those you don't need to report — including facts, effects, and remedial action
Have a documented breach response plan before you need one. Know whom to contact at your DPA, have template notification letters ready, and make sure your team understands the 72-hour clock.
Website Accessibility and GDPR
While not strictly a GDPR requirement, the European Accessibility Act (EAA) comes into full effect in June 2025, requiring websites that sell products or services to be accessible. Ensure your WCAG 2.1 AA compliance extends to privacy-related elements:
- Cookie consent banners must be keyboard-accessible and screen-reader compatible
- Privacy policy must be readable (plain language, proper heading structure)
- Data subject request forms must be accessible
GDPR Compliance Checklist Summary
- Cookie consent management platform installed and properly blocking scripts
- Privacy policy comprehensive, current, and accessible
- Legal notice / Impressum page (required in Germany, recommended everywhere)
- Contact forms with minimal data collection and proper consent
- Newsletter with double opt-in and easy unsubscribe
- Google Fonts self-hosted (not loaded from Google CDN)
- Third-party services audited and DPAs in place
- Data retention periods defined and enforced
- Data subject request process documented and tested
- Data breach response plan in place
- Cookie consent re-collected every 6-13 months
- All embedded content (YouTube, Maps, social) behind consent
Building a GDPR-compliant website from the ground up is far easier than retrofitting compliance onto an existing site. We build every website with GDPR compliance as a core requirement, not an afterthought. Contact us to discuss how we can help your business meet its obligations while delivering an excellent user experience.
Full-stack developer serving European businesses with premium web solutions. React, Next.js, and TypeScript specialist with 33+ international projects delivered.