GDPR compliance is not just an “EU problem.” If your website markets to people in the European Union, sells to EU customers, or tracks EU visitors for analytics or advertising, the GDPR can apply even if your business is based in Jamaica. And because websites are where most data collection begins (cookies, pixels, contact forms, chat widgets), your web stack is often the first place regulators and complainants look.
This GDPR website checklist focuses on what typically matters most in practice: the right pages, a compliant cookie banner and consent flow, and tracking that actually respects user choices. It is written for business owners, marketing teams, and product teams who need a practical map of what “good” looks like. (It is not legal advice, and specific implementations should be reviewed against your actual data flows.)
1) First: does GDPR apply to your website?
The GDPR has extraterritorial reach. In simple terms, it can apply where you:
Offer goods or services to individuals in the EU (even if free), for example pricing in euros, EU delivery options, EU-targeted ads, or EU language targeting.
Monitor behaviour of individuals in the EU, for example tracking for analytics, profiling, remarketing, or cross-site advertising.
These concepts come from GDPR Article 3 (territorial scope). If you are unsure, start by reading the Regulation’s scope rules and examples in official guidance, then validate against your facts: GDPR, Article 3.
Also note the stakes: administrative fines can reach up to €20 million or 4% of annual worldwide turnover, depending on the infringement (GDPR Article 83): GDPR, Article 83.
2) Pages your GDPR website should have (and what each must say)
A strong GDPR website setup usually includes a small set of core pages, plus “just in time” disclosures at collection points. The point is not to create more paperwork, it is to make your processing transparent and documentable.
Here is a practical baseline.
Page (or on-page module) | Who should see it | What it must cover (at a minimum) | Key GDPR references |
Privacy Notice / Privacy Policy | Everyone whose personal data you collect | Controller identity and contact details, purposes and lawful bases, recipients, international transfers, retention, rights, complaint route, whether provision is mandatory, automated decision-making if any | Articles 12 to 14 |
Cookie Policy (or Cookies Notice) | Visitors, especially in the EU | What cookies and similar tech you use, purposes, lifespans, who sets them (first/third party), how to change preferences, how consent is managed | GDPR (transparency) plus ePrivacy expectations |
Cookie Preferences Center (consent management panel) | Visitors before non-essential cookies load | Granular controls (by category and ideally by vendor), ability to withdraw consent, proof of choice | Articles 7 and 5(2) (accountability) |
Contact Form Notice (inline, next to the form) | People submitting forms | Purpose, lawful basis, key recipients (like CRM provider), retention summary, link to full privacy notice | Articles 12 to 14 |
Marketing / Newsletter Sign-up Notice (inline) | Subscribers | How often, what content, consent mechanics (if used), right to withdraw, tracking in emails (if any) | Articles 6, 7, 21 |
Data Subject Rights page or instructions | EU data subjects (and often all users) | How to request access, deletion, correction, objection, portability, withdrawal of consent, and verification steps | Articles 12, 15 to 22 |
Privacy notice essentials that get missed
Even mature sites often fail on the same points:
Lawful basis per purpose, not a generic statement. Analytics, customer support, account creation, billing, and marketing often require different bases.
International transfers disclosures. If your website uses US-based tools, you need to address GDPR Chapter V transfer rules in your documentation and contracts.
Retention that is specific enough to be meaningful (even if expressed as criteria, like “for the duration of the contract plus X years for legal and tax obligations”).
For a detailed, regulator-oriented view of transparency requirements, see the UK Information Commissioner’s Office explanation of privacy information: ICO, Right to be informed.
3) Cookie banners: what “compliant” looks like in real life
For many organisations, the cookie banner is where GDPR website compliance fails first, because it is visible, testable, and directly linked to tracking.
The short version: non-essential cookies and similar technologies should not be placed until the user gives valid consent, where consent is the chosen lawful basis.
Regulators expect consent to be:
Freely given (no coercion, avoid cookie walls unless you have a defensible exception)
Specific and granular (separate purposes, and ideally separate vendors)
Informed (clear language, no hidden surprises)
Unambiguous (a clear affirmative action)
These principles are reflected in the GDPR’s consent standard and the European Data Protection Board’s consent guidance: EDPB Guidelines on consent.
A practical cookie banner checklist
A strong banner and preference center typically includes:
A short first layer explaining categories (necessary, analytics, marketing) in plain English.
An “Accept all” and “Reject all” option at the same level, with comparable prominence.
A “Manage preferences” option leading to granular toggles.
No pre-ticked boxes for non-essential categories.
A clear route to withdraw consent later, for example a persistent “Cookie preferences” link in the footer.
Consent records (what was chosen, when, and from what region or policy version), aligned with accountability.
Common banner mistakes that create GDPR risk
These issues come up repeatedly in enforcement and complaints:
Loading analytics or ad tags before consent (including via Tag Manager).
Using confusing button labels (for example “OK” instead of “Accept”).
Making “Reject” harder to find than “Accept,” or burying it behind multiple clicks.
Claiming “legitimate interests” for cookies that clearly require consent in many EU contexts.
If you want a simple benchmark for what EU regulators commonly expect for cookies, France’s CNIL provides clear operational guidance and examples (useful even outside France): CNIL guidance on cookies.
4) Tracking and analytics: make sure your site actually follows user choices
The most important technical test of a GDPR website is not what your policy says, it is what your browser does.
Step 1: build a tracking inventory
List every tracking technology that can load on your site:
Analytics (for example Google Analytics, Matomo)
Advertising pixels (Meta Pixel, LinkedIn Insight Tag, TikTok Pixel)
A/B testing tools
Session replay / heatmaps
Chat widgets
Embedded media that sets cookies
Then capture, for each item: vendor, purpose, data collected, cookie lifespan, whether it involves cross-site tracking, and where data is processed.
Step 2: map each tracker to a lawful basis and a consent category
In many setups, analytics and marketing are controlled via consent categories. Your goal is that:
Nothing in the “marketing” category loads before opt-in.
Analytics does not load before opt-in if you are using consent for analytics.
Essential tools (security, load balancing, fraud prevention) are genuinely necessary and documented as such.
Step 3: test your implementation (not your intentions)
Do three quick checks:
Fresh visit test: open an incognito window, load the homepage, do not click accept, and verify whether any non-essential cookies appear.
Reject test: click reject, navigate multiple pages, and confirm no marketing tags fire.
Withdraw test: accept, then withdraw later, and confirm tags stop and cookies are handled according to your policy.
A practical way to do this is with browser developer tools (Application tab for cookies, Network tab for requests). If you see requests to ad platforms before consent, the implementation is not aligned.
Typical web tools and the compliance questions they raise
Tool type | Common risk | What to verify |
Analytics | Visitor identifiers and cross-site measurement | Whether it loads before consent, IP handling, retention settings, transfer mechanism if data leaves the EEA |
Advertising pixels | Profiling and remarketing | Consent gating, vendor disclosure, ability to honour opt-out/withdrawal |
Session replay / heatmaps | Capturing form fields or sensitive data | Masking settings, consent gating, vendor contract terms |
Embedded video/maps | Third-party cookies on load | Click-to-activate approach, consent gating, alternative content |
Chat widgets | Collection of contact details and conversation logs | Inline notice, retention, access controls, processor terms |
If your site uses international vendors, remember that tracking is not only a consent question. It is also a transfer and contracting question, covered below.
5) Forms, sign-ups, and lead capture: do not rely on your footer link alone
Many GDPR website issues happen at the moment data is collected.
If you have a contact form, quote request, consultation request, or newsletter sign-up, add a short notice right next to the form that:
tells the user the main purpose (for example responding to an enquiry)
links to the privacy notice
identifies any key third parties (for example your CRM or email platform, if appropriate to disclose at that layer)
addresses marketing separately (do not bundle it into “contact me back”)
For marketing, if you use consent, make it separate and clear. If you rely on legitimate interests for some communications, you still need to provide an easy opt-out and properly document your balancing assessment.
6) Vendor contracts and international transfers (often the hidden blocker)
Even if your pages and banners are perfect, GDPR compliance can fail if your vendor relationships are not structured correctly.
Data Processing Agreements (DPAs)
If a vendor processes personal data on your behalf (for example hosting, analytics provider, CRM, customer support platform), GDPR Article 28 expects a written contract with specific mandatory clauses.
Practically, you should maintain a list of:
processors and sub-processors
the services they provide
what data they handle
the DPA link or executed agreement
Transfers outside the EEA
If personal data is transferred outside the EEA, you need an appropriate mechanism. For many organisations, that means Standard Contractual Clauses (SCCs), plus a transfer risk assessment where needed, following the post-Schrems II enforcement landscape.
An authoritative starting point for transfer tools is the European Commission’s SCC information: European Commission, SCCs.
7) Data subject rights: add a workflow, not just a statement
A GDPR website should make it realistic for people to exercise their rights, and for you to respond on time.
Key operational expectations include:
A clear method to submit a request (email address or web form).
Identity verification that is proportionate.
Internal routing (who receives requests, who approves, who extracts data).
A response timeline aligned with GDPR rules (commonly one month, subject to extensions in permitted cases).
Your website is often the front door for these requests, but the back office process is what proves compliance.
8) Security and breach readiness: your website is part of your security perimeter
GDPR Article 32 requires appropriate technical and organisational measures. For websites, that typically touches:
HTTPS everywhere (including on subdomains)
least-privilege access to CMS and hosting
MFA for admin accounts
patching and plugin hygiene
secure backups and restore testing
logging and monitoring
If a breach occurs, GDPR imposes strict notification obligations in certain cases, including a 72-hour regulator notification requirement in many scenarios (GDPR Article 33). Your incident response plan should account for website compromises, credential leaks, and third-party incidents.
9) Quick “go-live” checklist for a GDPR website
Use this as a final readiness review before you ship a redesign, add new tags, or launch a campaign targeting EU audiences.
Area | Pass criteria |
Privacy notice | Accurate purposes, lawful bases, transfers, retention, rights, and contact details |
Cookie banner | Reject option present, equal prominence, no pre-consent marketing or analytics where consent is required |
Preferences center | Granular controls, easy withdrawal, records of consent |
Tag management | Tags are blocked by default until the right consent signal exists |
Forms | Inline disclosures, separate marketing choices, records captured where needed |
Vendors | DPAs in place, SCCs or other transfer mechanisms documented |
Rights | Clear submission path and internal workflow to respond |
Security | MFA, patching, backups, monitoring, documented breach response |
Where legal advice becomes important
This checklist helps you spot the usual gaps, but GDPR compliance is fact-specific. The correct lawful basis, what counts as “necessary,” whether a particular cookie requires consent, and how to structure international transfers depend on what your website actually does, who it targets, and which vendors you use.
If your organisation is aligning a GDPR website to regulatory expectations, especially where EU targeting, profiling, marketing pixels, or cross-border transfers are involved, it is often worth getting advice that connects the legal rules to the technical implementation.
Henlin Gibson Henlin advises on data privacy, compliance, and risk. If you want help reviewing your website’s privacy notices, cookie consent approach, or third-party tracking and contracting from a risk-management perspective, you can explore the firm’s work via the Henlin Gibson Henlin website.