What GDPR compliance actually requires for websites
The General Data Protection Regulation (GDPR) rests on a handful of core provisions that directly affect how websites operate: the processing principles in Article 5, the lawful bases in Article 6, and the conditions for consent in Article 7. Cookies and similar tracking technologies are governed separately by Article 5(3) of the ePrivacy Directive (2002/58/EC), which requires prior consent before storing or accessing information on a user's device unless it is strictly necessary for a service the user asked for; the GDPR supplies the definition of what valid consent is. For most website owners the practical requirements boil down to those three areas: a lawful basis for processing, consent that meets the GDPR standard, and the ePrivacy cookie rule.
Article 5 establishes the principles: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability. For websites this means you need a clear legal basis before collecting personal data (for non-essential cookies that basis is consent, because the ePrivacy rule leaves no alternative), you must tell users exactly what you collect and why, and you must not collect more than you need or keep it longer than you need.
Article 4(11) defines consent as freely given, specific, informed and unambiguous, and Article 7 sets the conditions for relying on it: the controller must be able to demonstrate consent (7(1)), the request must be clearly distinguishable and in plain language (7(2)), and withdrawing consent must be as easy as giving it (7(3)). In practice that rules out pre-ticked boxes, bundled all-or-nothing consent, and "consent" inferred from scrolling or continued browsing, and it means your cookie banner needs a visible reject option at the same level as the accept button, not just an accept button with the alternative buried in a settings menu.
7-step GDPR compliance checklist for websites
Walk through each of these checks. For every step, we explain what to look for, how to verify it, and what a pass or fail looks like.
Step 1: Cookie consent banner exists and is functional
What to check: Load your site in an incognito browser. A consent banner should appear before any non-essential cookies are set. The banner must have clear Accept and Reject options - not just an X button or a "Continue browsing" link that implies consent.
How to check it: Open DevTools > Application > Cookies before interacting with the banner. The banner should be visible and blocking interaction if it uses a modal pattern, or at minimum clearly visible without scrolling.
Pass: Banner appears with clear Accept All and Reject All buttons of equal prominence. Fail: No banner, banner appears after page interaction, reject option is hidden behind a settings menu, or reject is visually de-emphasised (a dark pattern).
Step 2: No non-essential cookies set before consent
What to check: Before clicking Accept or Reject, look at the cookies set by your domain. Analytics cookies (like _ga, _gid), advertising cookies (like _fbp, _gcl_au), and third-party tracking pixels should not be present.
How to check it: In DevTools, check both first-party and third-party cookies in the Application tab. Also check the Network tab for requests to analytics or ad platforms: a collect or pixel request transmits identifiers to the platform and can set its cookie through the response's Set-Cookie header, so a request to these services before consent is itself a violation even when no cookie has appeared in the cookie jar yet.
Pass: Only strictly necessary cookies (session, CSRF, load balancer) are present before consent. Fail: Google Analytics, Facebook Pixel, or any advertising cookies appear before user interaction. Use our Pre-Consent Tracking Checker to automate this test.
Step 3: Reject option works correctly
What to check: Click Reject All (or equivalent). After rejection, no analytics or advertising cookies should be set. The website should remain fully functional - rejecting cookies should not break navigation, forms, or content.
How to check it: After clicking Reject, check cookies again. Navigate to 2-3 other pages and verify no new tracking cookies appear. Check the Network tab for requests to analytics/ad platforms.
Pass: No tracking cookies after rejection, site works normally. Fail: Cookies set anyway after rejection, or site functionality degrades as punishment for rejecting.
Step 4: Consent records are stored
What to check: GDPR Article 7(1) requires you to demonstrate that consent was given. Your CMP (Consent Management Platform) should store a consent record with timestamp, consent choices, and the version of the consent text shown to the user.
How to check it: Log into your CMP dashboard (OneTrust, Cookiebot, CookieYes, etc.) and look for the consent log. Each entry should show date, user identifier (anonymised), and what was consented to.
Pass: CMP dashboard shows consent records with timestamps and choices. Fail: No consent storage, or records only stored in a first-party cookie without server-side backup.
Step 5: Google Consent Mode v2 is configured
What to check: Since March 2024, Google requires Consent Mode v2 for any site running Google Ads measurement or audience features for EU/EEA users. The four signals - ad_storage, analytics_storage, ad_user_data, and ad_personalization - must default to denied and update to granted only after consent, and the default command must run before the Google tag or GTM container loads, otherwise tags fire against no consent state at all.
How to check it: Open the browser console and type dataLayer.filter(e => e[0] === 'consent') to see consent commands. Use GTM Preview mode for a detailed view. Our Google Consent Mode Checker automates this verification.
Pass: All 4 signals set to denied by default, update to granted after accept. Fail: Missing v2 signals, signals not updating, or default state is granted.
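As an added, offline illustration of what the technical checks in Steps 2 and 5 look like once scripted (this is example code written for this article, not the Cookie Compliance Checker's own logic and not from any CMP vendor): it parses a captured cookie string, a list of request hosts and a dataLayer snapshot, classifies cookies by name, flags tracking hosts, and checks that the first gtag consent command is a default with all four v2 signals set to denied. The cookie names, hostnames and the two snapshots are assumptions constructed for illustration, not an exhaustive catalogue, and you would replace them with your own framework's cookie names and a real capture taken before touching the banner.

```javascript
// Added example (not from the page or any CMP): offline audit of a pre-consent
// page snapshot. Name/host patterns are assumptions drawn from the checklist.

const CONSENT_MODE_V2_SIGNALS = [
  'ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization',
];

// Cookies exempt from prior consent (session, CSRF, load balancer). Assumed
// names; extend with whatever your own stack sets.
const STRICTLY_NECESSARY = /^(PHPSESSID|JSESSIONID|csrftoken|XSRF-TOKEN|AWSALB|AWSALBCORS|__cf_bm)$/i;

// Well-known tracking cookies and the platform that sets them.
const TRACKING_COOKIES = [
  { pattern: /^_ga(_[A-Z0-9]+)?$/, vendor: 'Google Analytics', category: 'analytics' },
  { pattern: /^_gid$/,             vendor: 'Google Analytics', category: 'analytics' },
  { pattern: /^_gat(_.+)?$/,       vendor: 'Google Analytics', category: 'analytics' },
  { pattern: /^_fbp$/,             vendor: 'Meta Pixel',       category: 'advertising' },
  { pattern: /^_gcl_au$/,          vendor: 'Google Ads',       category: 'advertising' },
];

// Hosts that indicate an analytics/advertising call (assumed, partial list).
const TRACKING_HOSTS = new Set([
  'www.google-analytics.com', 'region1.google-analytics.com', 'analytics.google.com',
  'stats.g.doubleclick.net', 'googleads.g.doubleclick.net',
  'connect.facebook.net', 'www.facebook.com',
]);

// Parse a document.cookie style string ("a=1; b=2") into {name, value} pairs.
function parseCookies(cookieString) {
  return cookieString.split(';').map((p) => p.trim()).filter(Boolean).map((p) => {
    const eq = p.indexOf('=');
    return eq === -1 ? { name: p, value: '' } : { name: p.slice(0, eq), value: p.slice(eq + 1) };
  });
}

function classifyCookie(name) {
  if (STRICTLY_NECESSARY.test(name)) return { category: 'necessary', vendor: null };
  const hit = TRACKING_COOKIES.find((t) => t.pattern.test(name));
  return hit ? { category: hit.category, vendor: hit.vendor } : { category: 'unknown', vendor: null };
}

// Same selection as the console one-liner in Step 5: gtag() pushes its
// arguments object onto dataLayer, so e[0] is the command name.
function consentCommands(dataLayer) {
  return Array.from(dataLayer).filter((e) => e && e[0] === 'consent');
}

// Step 5: the first consent command must be 'default' with every v2 signal
// set to 'denied'; a later 'update' is what flips them to 'granted'.
function auditConsentMode(dataLayer) {
  const findings = [];
  const first = consentCommands(dataLayer)[0];
  if (!first || first[1] !== 'default') {
    return { pass: false, findings: ['no consent default command before other consent commands'] };
  }
  const defaults = first[2] || {};
  for (const signal of CONSENT_MODE_V2_SIGNALS) {
    if (!(signal in defaults)) findings.push(`missing v2 signal in default: ${signal}`);
    else if (defaults[signal] !== 'denied') findings.push(`${signal} defaults to ${defaults[signal]}`);
  }
  return { pass: findings.length === 0, findings };
}

// Steps 2 and 5 together, run over a snapshot taken before the banner is touched.
function auditPreConsent(snapshot) {
  const findings = [];
  for (const c of parseCookies(snapshot.cookies)) {
    const cls = classifyCookie(c.name);
    if (cls.category === 'analytics' || cls.category === 'advertising') {
      findings.push(`${cls.category} cookie ${c.name} (${cls.vendor}) set before consent`);
    }
  }
  for (const host of snapshot.requestHosts) {
    if (TRACKING_HOSTS.has(host)) findings.push(`request to ${host} before consent`);
  }
  findings.push(...auditConsentMode(snapshot.dataLayer).findings);
  return { pass: findings.length === 0, findings };
}

// Constructed snapshots (not captured from any real site).
const FAILING_SNAPSHOT = {
  cookies: 'PHPSESSID=abc123; _ga=GA1.1.111.222; _fbp=fb.1.1700000000.1',
  requestHosts: ['example.com', 'www.google-analytics.com'],
  dataLayer: [['js', new Date(0)], ['config', 'G-EXAMPLE']],  // no consent default at all
};
const PASSING_SNAPSHOT = {
  cookies: 'PHPSESSID=abc123; csrftoken=deadbeef',
  requestHosts: ['example.com', 'cdn.example.com'],
  dataLayer: [
    ['consent', 'default', { ad_storage: 'denied', analytics_storage: 'denied',
                             ad_user_data: 'denied', ad_personalization: 'denied' }],
    ['js', new Date(0)], ['config', 'G-EXAMPLE'],
  ],
};

console.log(JSON.stringify(auditPreConsent(FAILING_SNAPSHOT), null, 2));
console.log(JSON.stringify(auditPreConsent(PASSING_SNAPSHOT), null, 2));
```

To use it against a real page, capture document.cookie, the hostnames from the Network tab and window.dataLayer in the incognito session before clicking anything, paste them into a snapshot object, and run auditPreConsent on it; run it again after Reject All to cover Step 3, where the same cookie and host findings must stay empty.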
Step 6: Privacy policy is complete and current
What to check: Your privacy policy must list all categories of personal data collected, the legal basis for each, data retention periods, third-party processors, and how users can exercise their rights (access, erasure, portability). It should be written in plain language, not legal jargon.
How to check it: Review your privacy policy against the GDPR Article 13 checklist. Does it name your DPO or contact? Does it list all third-party services that receive data? Is the last-updated date recent?
Pass: Policy covers all required items, is written clearly, and has been updated within the last 12 months. Fail: Generic template policy, missing data categories, no contact details, or last updated 3+ years ago.
Step 7: Data processor agreements are in place
What to check: Every third-party service that processes personal data on your behalf (Google Analytics, your CMP, email marketing tools, hosting providers) must have a Data Processing Agreement (DPA) signed. GDPR Article 28 requires this.
How to check it: Create a list of every service that receives visitor data from your site. For each one, check if you have a signed DPA. Most major platforms (Google, Meta, HubSpot) have DPAs available in their admin settings.
Pass: DPA signed or accepted for every data processor. Fail: Using services without a DPA, or DPA not updated to reflect current data flows.
Can an automated tool check GDPR compliance?
Automated tools can verify the technical aspects of GDPR compliance - and that is a lot. A scanner can detect pre-consent cookies, check whether your consent banner has a working reject option, verify Google Consent Mode v2 signals, test GPC (Global Privacy Control) signal handling, and validate IAB TCF compliance. These are the areas where most violations occur, and they are the hardest to check manually because they require precise timing and multiple browser states.
What automated tools cannot check: the quality of your privacy policy text, whether your DPAs are signed, whether your internal data handling procedures comply with the accountability principle, or whether your legitimate interest assessments are valid. These require human review.
The practical approach is to use an automated scanner for the technical layer (steps 1-5 above) and manual review for the legal and organisational layer (steps 6-7). The Cookie Compliance Checker covers all five technical checks in a single scan - pre-consent tracking, banner behaviour, Consent Mode v2, GPC handling, and cookie classification.
Frequently asked questions
Is my website GDPR compliant?
To determine GDPR compliance, check whether your site has a valid cookie consent banner with a clear reject option, does not set non-essential cookies before consent, stores consent records, has an up-to-date privacy policy, and has data processor agreements in place. Automated tools like Cookie Compliance Checker can scan for the most common technical violations in minutes.
How do I test cookie consent on my website?
Open your site in an incognito window, clear all cookies, and reload the page. Before interacting with the consent banner, open DevTools and check the Application tab for cookies. If any non-essential cookies are already set, your site fails the pre-consent test. Then click Reject All and verify that those cookies are not set afterward.
What happens if my site is not GDPR compliant?
Non-compliance can result in fines up to 20 million euros or 4% of global annual turnover, whichever is higher. Data Protection Authorities have been actively enforcing cookie consent violations, with fines issued to major companies for pre-consent tracking, missing reject options, and dark patterns in consent banners.
Do I need a cookie consent banner?
Yes, if your website sets non-essential cookies and has visitors from the EU/EEA. The ePrivacy Directive requires prior informed consent before placing analytics, advertising, or functional cookies. Strictly necessary cookies like session IDs and security tokens are exempt.
What is the GDPR cookie rule?
The GDPR cookie rule comes from the interaction of the GDPR (which defines consent requirements) and the ePrivacy Directive (which specifically covers cookies). Together they require that websites obtain freely given, specific, informed, and unambiguous consent before setting non-essential cookies. Consent must be as easy to withdraw as it is to give.
Check your GDPR compliance in minutes
Cookie Compliance Checker scans your site for pre-consent tracking, banner dark patterns, Consent Mode v2 issues, and cookie classification errors - all in one automated report.