GDPR Compliance

Is your website GDPR compliant?

The General Data Protection Regulation applies to any website that collects data from EU residents. Most sites fail on trackers, consent, or privacy policies. Here's what to check.

Max fine: 4% of global turnover
Max fine: EUR 20M (whichever is higher)
Fines issued since 2018: 2,086
Total fines: EUR 4.5B

Website compliance checklist

01 Cookie consent banner. Must appear before any non-essential cookies are set. Must offer granular choices. "Accept All" cannot be more prominent than "Reject All." [ePrivacy Directive Art. 5(3)]
02 Reject option. Withdrawing consent must be as easy as giving it. A visible "Reject All" or "Only Necessary" button is required at the same prominence level. [GDPR Art. 7(3)]
03 No pre-checked boxes. Non-essential cookie categories must be unchecked by default. The CJEU Planet49 ruling explicitly prohibits pre-ticked consent boxes. [CJEU C-673/17]
04 No cookie walls. Blocking access to content until cookies are accepted undermines freely given consent. Users must be able to access content without consenting to non-essential cookies. [EDPB Guidelines 05/2020]
05 Scripts blocked until consent. Analytics, advertising, and social media scripts must not load until the user actively consents. Defer all non-essential scripts. [ePrivacy Directive Art. 5(3)]
06 Privacy policy. Must be clearly accessible from every page. Must disclose what data you collect, why, the legal basis, who receives it, retention periods, and user rights. [GDPR Art. 13]
07 Data subject rights. Your policy must inform users of their rights: access, rectification, erasure, restriction, portability, and objection. Provide a contact method. [GDPR Art. 15-22]
08 Third-party disclosures. List the categories of recipients or the specific third parties that receive personal data. This includes analytics providers, ad networks, and CDNs. [GDPR Art. 13(1)(e)]
09 Data retention periods. Specify how long each category of personal data is retained and the criteria used to determine retention. [GDPR Art. 13(2)(a)]
10 DPO contact. If you have a Data Protection Officer, provide their contact details. If a DPO is not required, provide a privacy contact email. [GDPR Art. 13(1)(b)]
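Items 01, 02, 03 and 05 above describe a consent gate, and the following is an added example of one (it is not code from the Gridwork project): non-essential scripts are shipped as inert `<script type="text/plain" data-consent="...">` tags and only switched to live scripts for categories the user has opted into. The category names, the `data-consent` attribute and the sample script list are this example's own assumptions.

```javascript
// Consent categories; "necessary" is the only one that never needs consent.
const CATEGORIES = ['necessary', 'analytics', 'advertising', 'social'];
// Constructed sample of deferred scripts, as the page would declare them:
// <script type="text/plain" data-consent="analytics" src="/ga.js"></script>
const SAMPLE_SCRIPTS = [
  { src: '/app.js', category: 'necessary' },
  { src: '/ga.js', category: 'analytics' },
  { src: '/pixel.js', category: 'advertising' },
];

// Item 03: the initial state has every non-essential category unchecked.
function defaultConsent() {
  return Object.fromEntries(CATEGORIES.map(c => [c, c === 'necessary']));
}
// Items 01/02: accepting and rejecting are single-step actions of equal weight.
function acceptAll() {
  return Object.fromEntries(CATEGORIES.map(c => [c, true]));
}
function rejectAll() {
  return defaultConsent();
}
// Granular choice: set one category; "necessary" and unknown names are ignored.
function setCategory(consent, category, granted) {
  if (!CATEGORIES.includes(category) || category === 'necessary') return { ...consent };
  return { ...consent, [category]: granted === true };
}
// Item 05: only scripts whose category was actively consented to may run.
function scriptsAllowed(scripts, consent) {
  return scripts.filter(s => consent[s.category] === true);
}

// Browser side: replace allowed <script type="text/plain" data-consent="..."> tags
// with live script elements so they execute. Returns the number activated;
// outside a DOM (e.g. under Node) it does nothing.
function activateDeferredScripts(consent) {
  if (typeof document === 'undefined') return 0;
  let activated = 0;
  const tags = document.querySelectorAll('script[type="text/plain"][data-consent]');
  for (const tag of tags) {
    if (consent[tag.dataset.consent] !== true) continue; // no consent: stays inert
    const live = document.createElement('script');
    const src = tag.getAttribute('src');
    if (src) live.src = src; else live.textContent = tag.textContent;
    tag.replaceWith(live);
    activated++;
  }
  return activated;
}
```

Persist the consent object (for example in a first-party cookie or localStorage) and call `activateDeferredScripts` both after the banner choice and on later page loads; a "Reject All" button simply stores `rejectAll()`.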

Common trackers and their GDPR risk

Tracker            | Concern                                                   | Risk
-------------------|-----------------------------------------------------------|-------
Google Analytics   | US data transfer; multiple EU DPA enforcement actions.    | High
Facebook Pixel     | Cross-site tracking for ad targeting; multiple fines.     | High
TikTok Pixel       | Data transfer to China; high regulatory scrutiny.         | High
Hotjar             | Session recording captures user behavior data.            | Medium
Google Tag Manager | Container loads third-party scripts; each needs consent.  | Medium
Intercom           | Chat widget tracks user behavior beyond chat.             | Medium
Plausible          | No cookies, no personal data; privacy-friendly.           | Low
Fathom             | No cookies; generally GDPR-compliant without consent.     | Low

Scan your site for GDPR compliance

Gridwork Privacy Scanner detects 30+ trackers, analyzes your consent banner, checks your privacy policy, and reviews data collection forms. One command.

npx gridwork-privacy

View source on GitHub