GDPR for Websites: A Practical Compliance Guide

18 June 2025 AAM Services

GDPR has been in effect since 2018, yet many websites still fall short of compliance. The regulation can seem complex, but for most websites, compliance involves straightforward steps. This guide covers what you actually need to do.

What GDPR Requires

The General Data Protection Regulation governs how organisations collect, process, and store personal data of EU citizens. Key principles include:

  • Lawful basis: You need a legitimate reason to process personal data
  • Transparency: Tell people what data you collect and why
  • Purpose limitation: Only use data for stated purposes
  • Data minimisation: Collect only what you need
  • Accuracy: Keep data accurate and up to date
  • Storage limitation: Don't keep data longer than necessary
  • Security: Protect data appropriately
  • Accountability: Be able to demonstrate compliance

For websites, this translates into specific requirements.

Cookie Consent

Cookies that identify users or track behaviour require consent before being set. This means:

What Needs Consent

  • Analytics cookies (Google Analytics, etc.)
  • Advertising and remarketing cookies
  • Social media tracking cookies
  • Any third-party cookies that track users

What Doesn't Need Consent

  • Essential cookies for site functionality (shopping cart, login sessions)
  • Cookies that don't track across sites or identify individuals
  • Preference cookies that only affect user experience on your site

Valid Consent Requirements

Consent must be:

  • Freely given: Users must have a genuine choice. "Accept all or leave" isn't valid consent.
  • Specific: Separate consent for different purposes (analytics vs. marketing)
  • Informed: Clear explanation of what cookies do
  • Unambiguous: Requires affirmative action (clicking "accept," not continuing to browse)

Pre-ticked boxes don't constitute consent. Neither does implied consent from continued browsing. Users must actively choose to accept.

Cookie Banner Implementation

A compliant cookie banner should:

  • Appear before any non-essential cookies are set
  • Explain what cookies you use and why
  • Offer equal prominence to "accept" and "reject" options
  • Allow granular control (accept analytics but not marketing)
  • Not use dark patterns to manipulate choices
  • Remember choices and not repeatedly ask
  • Allow users to change their mind later
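As an added example (not code from this article or from AAM Services), here is the gating logic a banner like the one described above needs behind it: non-essential scripts register with a category and load only after an affirmative per-category decision, the decision is stored so the banner is not shown again, and withdrawal is a single call. The storage object and the script loader are assumed to be injected, so the block also runs outside a browser.

```javascript
// Added example, not the article's code. Storage and script injection are
// passed in so it runs outside a browser (on a page: cookie helpers + <script> injector).
const CATEGORIES = ["analytics", "marketing"]; // one purpose per category

class ConsentManager {
  constructor(storage, loadScript) {
    this.storage = storage;       // { get(): string|null, set(value: string) }
    this.loadScript = loadScript; // (src) => void, invoked once per granted src
    this.deferred = [];           // scripts registered but not yet allowed
    this.loaded = new Set();
    const saved = this.storage.get();
    // No stored decision means no consent: nothing non-essential may run.
    this.choices = saved ? JSON.parse(saved) : null;
  }
  needsBanner() { return this.choices === null; }
  isAllowed(category) { return this.choices !== null && this.choices[category] === true; }
  // Register a script that may only load once its category is granted.
  register(category, src) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category " + category);
    this.deferred.push({ category, src });
    this.flush();
  }
  // Record an affirmative decision; any category not granted is denied.
  decide(granted) {
    this.choices = {};
    for (const c of CATEGORIES) this.choices[c] = granted.includes(c);
    this.storage.set(JSON.stringify(this.choices));
    this.flush();
  }
  rejectAll() { this.decide([]); }
  // Withdrawing must be as easy as consenting. Already-loaded scripts cannot be
  // unloaded, so their URLs are returned: the caller clears their cookies and reloads.
  withdraw(category) {
    if (this.choices === null) return [];
    this.choices[category] = false;
    this.storage.set(JSON.stringify(this.choices));
    return this.deferred
      .filter((s) => s.category === category && this.loaded.has(s.src))
      .map((s) => s.src);
  }
  flush() {
    for (const s of this.deferred) {
      if (this.loaded.has(s.src) || !this.isAllowed(s.category)) continue;
      this.loaded.add(s.src);
      this.loadScript(s.src);
    }
  }
}
```

The essential point for the "No cookie management" mistake below is that `register` never calls `loadScript` on its own; only a stored or freshly made decision does.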

Privacy Policy

Every website collecting personal data needs a privacy policy explaining:

  • What data you collect
  • Why you collect it (purposes and legal basis)
  • Who you share it with
  • How long you keep it
  • User rights (access, deletion, correction)
  • How to exercise those rights
  • Contact information for data protection queries

The privacy policy must be written in clear, understandable language—not dense legalese. It should be easy to find, typically linked from every page.

Forms and Data Collection

When collecting data through forms:

  • Collect only necessary information (do you really need date of birth?)
  • Explain what you'll do with the data
  • If you'll use data for marketing, get explicit separate consent (not buried in terms)
  • If sharing data with third parties, disclose this
  • Provide a clear link to your privacy policy

Data Subject Rights

Users have rights you must accommodate:

Right of access: Users can request copies of their personal data.

Right to rectification: Users can request correction of inaccurate data.

Right to erasure: Users can request deletion of their data (with some exceptions).

Right to portability: Users can request their data in a machine-readable format.

You need processes to handle these requests within one month.

Third-Party Services

Your website likely uses third-party services that process personal data:

  • Analytics (Google Analytics)
  • Marketing tools (Mailchimp, HubSpot)
  • Payment processors (Stripe, PayPal)
  • Hosting providers
  • CDNs and performance services

You're responsible for ensuring these services are GDPR-compliant. Many require data processing agreements. Verify they comply before using them.

International Data Transfers

Transferring data outside the EU/UK requires additional safeguards. Many US services have mechanisms for compliant transfers (Standard Contractual Clauses), but you should verify.

Google Analytics, in particular, has faced scrutiny. Consider privacy-focused alternatives if this concerns you.

Practical Implementation Steps

  1. Audit your data: What personal data does your website collect? Where does it go? How long is it kept?
  2. Review third-party services: List every service processing user data. Verify their compliance and sign data processing agreements where needed.
  3. Implement proper cookie consent: Use a compliant consent management platform that blocks cookies until consent is given.
  4. Write a clear privacy policy: Cover all required information in plain language. Update it when practices change.
  5. Review form data collection: Minimise what you collect. Add appropriate consent checkboxes for marketing.
  6. Establish request handling processes: How will you respond to access or deletion requests?
  7. Ensure data security: SSL encryption, secure hosting, access controls, regular updates.
  8. Document everything: Keep records of your compliance measures. If challenged, you need to demonstrate accountability.

Common Mistakes

Cookie walls: Blocking access until users accept cookies isn't valid consent.

Pre-ticked boxes: Consent must be actively given.

Hidden "reject" options: Accept and reject must be equally prominent.

No cookie management: Loading tracking cookies before consent is given violates GDPR regardless of what your banner says.

Outdated privacy policies: Policies must reflect current practices.

No unsubscribe process: Users must be able to withdraw consent easily.

Enforcement and Penalties

GDPR violations can result in fines up to €20 million or 4% of global annual turnover. In practice, most enforcement targets egregious violations or large companies, but smaller businesses have been fined.

Beyond fines, non-compliance risks reputational damage, especially as privacy awareness grows.

Our Approach

We build websites with GDPR compliance in mind: proper cookie consent implementation, privacy policy guidance, minimal data collection, and secure architecture.

If your website needs a compliance review or updates to meet current requirements, contact us. We'll help you understand what's needed and implement practical solutions.