GDPR Auditor GDPR Guide

The most common GDPR failures on business websites

1. Analytics firing before consent

The most common failure by far. Google Analytics, Facebook Pixel and other tracking scripts must not fire until the user has actively accepted cookies. If your analytics loads on page load before any cookie banner interaction, you are non-compliant. Fix this in Google Tag Manager by triggering analytics tags only after a consent_update event.

2. Cookie banner with no reject option

A banner that only has an Accept button is non-compliant. The ICO requires that rejecting cookies is as easy as accepting them. Add a clear "Reject all" option at the same level as "Accept all" — not buried in a settings menu.

3. Missing cookies policy

A privacy policy is not sufficient — you need a separate cookies policy that lists every cookie used, its name, purpose, provider and retention period. Your consent banner must link to this policy.

4. No record of consent

You must be able to prove consent was given if challenged. Your consent management platform should log when consent was given, what version of the policy was shown, and what the user consented to.
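As an added example (not the GDPR Auditor's own code), the gating pattern from item 1 and the consent record from item 4 in plain JavaScript: tracker loaders are registered at page load but only run once the banner pushes a consent_update event, every consent decision is logged with the policy version shown, and a small check flags tracker requests timestamped before consent. The dataLayer array, the loader functions, TRACKER_HOSTS and the request log are constructed stand-ins, not real Google Tag Manager or Google Analytics code.

```javascript
// Added example, not the GDPR Auditor's own code. dataLayer, the loaders,
// TRACKER_HOSTS and the request log are constructed stand-ins, not real
// GTM or Google Analytics code. Shows: trackers held until consent_update
// (item 1), a consent record (item 4), and a "loaded before consent" check.
function createConsentGate(dataLayer) {
  const pending = [];     // loaders registered before consent was given
  const consentLog = [];  // proof of consent: when, which policy, what for
  let granted = new Set();
  return {
    // Trackers are registered, never run, at page load.
    register(category, loader) {
      if (granted.has(category)) loader();
      else pending.push({ category, loader });
    },
    // Wired to the banner buttons; "Reject all" is update([], version).
    update(categories, policyVersion, at = Date.now()) {
      granted = new Set(categories);
      consentLog.push({ at, policyVersion, categories: [...categories] });
      dataLayer.push({ event: 'consent_update', categories: [...categories] });
      for (let i = pending.length - 1; i >= 0; i--) {
        if (granted.has(pending[i].category)) pending.splice(i, 1)[0].loader();
      }
    },
    pendingCount: () => pending.length,
    log: () => consentLog.slice(),
  };
}
// Requests to known tracker hosts timestamped before consent_update.
const TRACKER_HOSTS = ['www.google-analytics.com', 'connect.facebook.net'];
function trackersBeforeConsent(requests, consentAt) {
  return requests
    .filter(r => r.at < consentAt && TRACKER_HOSTS.includes(new URL(r.url).hostname))
    .map(r => r.url);
}
function demo() {
  const dataLayer = [], loaded = [];
  const gate = createConsentGate(dataLayer);
  gate.register('analytics', () => loaded.push('ga'));
  gate.register('marketing', () => loaded.push('pixel'));
  const beforeAccept = loaded.length;  // 0: nothing fired at page load
  gate.update(['analytics'], 'cookies-policy-v3', 1700000000000);
  const requests = [  // constructed: the pixel script was fetched before consent
    { url: 'https://connect.facebook.net/en_US/fbevents.js', at: 1699999999000 },
    { url: 'https://www.google-analytics.com/g/collect', at: 1700000000500 },
  ];
  return { beforeAccept, loaded, pending: gate.pendingCount(), dataLayer,
           log: gate.log(), early: trackersBeforeConsent(requests, 1700000000000) };
}
```

In demo(), only the analytics loader runs after consent, the marketing loader stays pending, and the pre-consent pixel request is the one the check reports.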

How to audit your GDPR compliance

Run the GDPR Auditor — it checks for a cookie banner, analyses which trackers load before consent, checks that a privacy policy is present and inspects your security headers. The audit is free and takes under a minute.

Quick fix: Use the GDPR Kit tool to generate a compliant privacy policy, cookies policy and consent banner HTML for your specific site. It scans your trackers and creates documentation tailored to what your site actually uses.
