
GDPR for websites: a practical checklist for 2026

Eduard Ignatjev · Founder of STUDIO 1 · 7 min read

GDPR is often presented as a wall of legal text, but for most websites the real obligations are short and concrete. This is the practical version: what every site needs, what is optional, and what the common mistakes are in 2026.

02. Privacy policy

A privacy policy is required for any site that collects personal data, which is almost every site (forms, analytics, IP logs all count).

It must say: what data you collect, why, on what legal basis, who else gets it (e.g. Google, your CRM, your hosting), how long you keep it, and what rights the visitor has.

Plain language is allowed and encouraged. A page no one reads is not the goal. A page a reader can actually understand is.

03. Forms and lead capture

Every form that collects personal data needs a clear purpose and a link to the privacy policy. "Send us a message" with no context is not enough.

Pre-ticked consent boxes are not allowed. The user must actively tick to consent, and you must store the fact and the time of that consent.

If you send marketing emails, you need separate consent for that, not a bundle with the contact form.

04. Analytics and tracking

Google Analytics 4 can be used in the EU, but only after consent and ideally with IP anonymisation and reduced data sharing.

Plausible, Fathom, and Simple Analytics are EU-friendly alternatives that work without cookies and without consent banners. For many small sites, they are simpler and just as useful.

Whatever you use, list it in your cookie and privacy policy. Hidden tracking is the fastest path to a complaint.
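The consent rules from the forms section and the analytics section, as an added example that is not from the article: plain JavaScript that records an explicitly ticked consent together with its time, keeps marketing consent separate from the contact form, and only produces the GA4 tag once analytics consent exists. The policy version string is a placeholder, and a real site would pass `recordConsent` the checkbox states from its own form.

```javascript
// Added example, not from the article: consent handling written as plain
// functions so it runs in Node without a DOM; a real site would call these
// from its form handler and cookie banner. POLICY_VERSION is a placeholder.
const POLICY_VERSION = "2026-01";

// Each purpose defaults to false: there are no pre-ticked boxes, and the
// contact form and marketing emails are separate purposes, never bundled.
const PURPOSES = Object.freeze(["contact", "marketing", "analytics"]);

// Build the record to store alongside the submission: which purposes were
// actively ticked (a map of purpose -> checkbox.checked), when, and which
// version of the policy text the visitor saw.
function recordConsent(ticked, now = new Date()) {
  const record = { recordedAt: now.toISOString(), policyVersion: POLICY_VERSION };
  for (const purpose of PURPOSES) {
    record[purpose] = ticked[purpose] === true; // only an explicit true counts
  }
  return record;
}

// Validate a contact-form submission: personal data may only be processed
// when the purpose was ticked and the form linked to the privacy policy.
// Returns a list of problems; an empty list means the submission may proceed.
function validateSubmission(form) {
  const errors = [];
  if (!form.privacyPolicyUrl) errors.push("form must link to the privacy policy");
  if (form.consent.contact !== true) errors.push("contact consent not given");
  if (form.wantsNewsletter && form.consent.marketing !== true) {
    errors.push("newsletter needs its own marketing consent");
  }
  return errors;
}

// Decide whether the GA4 tag may be injected: only after analytics consent.
// Returns the <script> attributes to set, or null when nothing may load.
// (In the browser: create a script element from these and append it to head.)
function analyticsScriptFor(consent, measurementId) {
  if (!consent || consent.analytics !== true) return null;
  return {
    src: "https://www.googletagmanager.com/gtag/js?id=" + encodeURIComponent(measurementId),
    async: true,
  };
}
```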

05. Data processors and contracts

Your hosting provider, email provider, CRM, and analytics tool are processors of your visitor data. GDPR requires a Data Processing Agreement (DPA) with each.

Reputable providers (Hetzner, Cloudflare, Google, Stripe) publish a DPA you can accept online. Keep a record of these acceptances.

If a tool is based outside the EU, check what transfer mechanism it relies on. The 2023 EU-US Data Privacy Framework covers most US providers, but smaller tools may not be certified.

06. What you do not need

You do not need a DPO (Data Protection Officer) for a typical small business website. The role is required only for large-scale or high-risk processing.

You do not need to register with the Estonian Data Protection Inspectorate just for running a website.

You do not need a cookie banner if your site truly uses zero tracking or non-essential cookies. A static site with no analytics is fully compliant by default.

FAQ

Are the fines really that big?

Maximum fines under GDPR are large (up to 4 percent of global turnover or 20 million EUR), but in practice small businesses are far more likely to get a complaint and a request to fix it than a fine straight away.

Do I need a cookie banner if I only use Google Analytics?

Yes. Google Analytics counts as a non-essential tracking tool and requires consent before it loads.

Can I copy a privacy policy from another site?

No. The text must reflect what your site actually does. Copy-pasting a generic policy that does not match reality is a compliance risk.
