GDPR and cookies for Estonian websites: a simple guide
GDPR sounds intimidating, but for a small business website the practical requirements are limited and manageable. Here is what your Estonian site actually needs, without the legal jargon.
The cookie banner is not optional theatre
If your site loads anything that tracks visitors, such as Google Analytics, you need real consent before it runs.
A banner that just says "we use cookies" with an OK button is not compliance. The visitor must be able to decline, and tracking must not run until they accept. The banner has to actually control what loads.
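One way to make the banner control what loads, shown as an added example that is not code from this guide: the tracking script is injected only after the visitor's stored choice is an explicit "granted". The storage key, script URL and element ids are assumptions for illustration.

```javascript
// Added example; the key, URL and element ids below are assumptions.
const CONSENT_KEY = "analytics_consent";                 // hypothetical storage key
const TRACKER_SRC = "https://analytics.example/tag.js";  // placeholder URL
function createConsentGate(storage, loadScript) {
  let loaded = false;
  function maybeLoad() {
    // Only an explicit "granted" loads tracking; a missing or unknown value does not.
    if (!loaded && storage.getItem(CONSENT_KEY) === "granted") {
      loadScript(TRACKER_SRC);
      loaded = true;
    }
    return loaded;
  }

  return {
    // Run on every page load. Returns true when the banner must be shown.
    init() {
      maybeLoad();
      return storage.getItem(CONSENT_KEY) === null;
    },
    accept() {
      storage.setItem(CONSENT_KEY, "granted");
      return maybeLoad();
    },
    // Declining is stored so the banner stops asking; nothing is loaded.
    decline() {
      storage.setItem(CONSENT_KEY, "denied");
    },
    isLoaded: () => loaded,
  };
}

// Browser wiring; skipped when there is no DOM (for example under Node).
if (typeof document !== "undefined") {
  const gate = createConsentGate(window.localStorage, (src) => {
    const tag = document.createElement("script");
    tag.src = src;
    tag.async = true;
    document.head.appendChild(tag);
  });
  const needBanner = gate.init();
  const banner = document.getElementById("cookie-banner");
  if (banner) {
    banner.hidden = !needBanner;
    const close = (choice) => () => { choice(); banner.hidden = true; };
    document.getElementById("cookie-accept").addEventListener("click", close(gate.accept));
    document.getElementById("cookie-decline").addEventListener("click", close(gate.decline));
  }
}
```

The tracking snippet must not also sit in the page's HTML, otherwise it runs regardless of what the gate decides.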
The easy path: cookieless analytics
The simplest way to reduce GDPR friction is to use analytics that does not set cookies, such as Plausible.
Cookieless analytics needs no consent banner for itself and still gives you the numbers that matter: visitors, sources, popular pages. Many small sites do not need anything heavier than this.
A real privacy policy
Your site needs a privacy policy that reflects what it actually does: what data you collect, why, how long you keep it, and how someone can request deletion.
A copied template that does not match your site is worse than useless. If you collect form submissions, say so. If you use analytics, name it. Honesty is the standard.
Form data and consent
When a visitor sends a contact form, they give you their name and email. Add a clear consent checkbox so they agree to that data being processed.
Keep form data only as long as you need it to handle the inquiry. Do not add people to a mailing list just because they sent a form. That is a separate consent.
FAQ
Do I need a cookie banner if I have no analytics?
If your site sets no tracking cookies at all, you may not need a consent banner. But the moment you add analytics or ads that track, you do.
Is Google Analytics allowed under GDPR?
It can be used with proper consent and configuration, but it adds complexity. Cookieless analytics like Plausible is the simpler compliant choice for most small sites.
Can I be fined for a small business site?
Enforcement focuses on real violations and complaints, not tiny sites by default. Still, a proper banner and honest privacy policy are simple to do and remove the risk.
