Skip to content
Back to Blog
GDPR BasicsMay 1, 20268 min read

Does My Website Need to Be GDPR Compliant?

If your website is accessible to people in the EU, GDPR applies — regardless of where your business is based. Here's exactly who needs to comply and what that means in practice.

The Short Answer

Yes — if your website can be accessed by people in the European Union or you process personal data of EU residents, GDPR applies to you. This is true even if your business, server, or legal entity is based outside the EU.

The regulation has extraterritorial scope. A US startup, an Australian e-commerce store, a Brazilian SaaS company — all must comply if they have EU users.

Who Is Covered by GDPR?

GDPR applies to any organisation that:

  • Is established in the EU — whether or not the actual processing takes place in the EU
  • Targets EU residents — offering goods or services to people in the EU (even for free)
  • Monitors the behaviour of EU residents — using analytics, tracking pixels, or behavioural advertising

The "Targeting" Test

You are targeting EU residents if your website:

  • Accepts customers from EU countries
  • Displays prices in Euros
  • Mentions EU cities, regions, or countries in its content
  • Uses EU-specific languages (French, German, Spanish, etc.)
  • Has a .eu, .de, .fr or other EU country domain

There is no threshold — even a small side project with occasional EU visitors triggers GDPR obligations once any personal data is involved.

What Counts as "Personal Data"?

Personal data is any information that can directly or indirectly identify a person. For websites, this includes:

  • IP addresses — considered personal data by the Court of Justice of the EU
  • Cookies with persistent identifiers_ga, _fbp, session tokens
  • Email addresses — from contact forms, newsletter sign-ups, account registrations
  • Behavioural data — page views, click patterns, scroll depth tied to an identifier
  • Device fingerprints — browser type, screen resolution, installed fonts used together
  • Names, phone numbers, payment details — anything collected in forms or checkouts

If your website uses Google Analytics, a Facebook Pixel, a contact form, or even just user login — you are processing personal data and GDPR applies.

What GDPR Requires of Your Website

1. Lawful Basis for Processing

Every type of data processing needs a lawful basis. For websites, the relevant ones are:

  • Consent — required for analytics cookies, marketing pixels, and behavioural tracking
  • Legitimate interest — may apply to fraud prevention or basic security logging
  • Contract performance — covers data collected to fulfil an order or provide a service
  • Legal obligation — for records required by law

Relying on "legitimate interest" for analytics is not valid. Analytics is for your benefit, not the user's — you need consent.

2. Cookie Consent

Any cookie that is not strictly necessary to operate the website requires prior, freely given, explicit consent. This means:

  • A consent banner on first visit before non-essential cookies are set
  • A genuine "Reject All" option as easy to reach as "Accept All"
  • No pre-checked boxes for analytics or marketing categories
  • Scripts actually blocked until consent is given — not just asked about

Non-essential cookies set before consent is registered is one of the most commonly fined violations.

3. Privacy Policy

Your website must have a privacy policy that explains:

  • What personal data you collect and why
  • The legal basis for each type of processing
  • Who you share data with (third-party processors, advertising networks)
  • How long you retain data
  • The six rights users have under GDPR (access, erasure, portability, etc.)
  • How to contact you (and your DPO, if applicable)

A generic template you downloaded five years ago does not count. The policy must reflect your actual data practices.

4. Cookie Policy

Separate from your privacy policy, you need a dedicated cookie policy listing every cookie your site sets — by name, purpose, provider, category, and retention period. "We use analytics cookies" is not compliant. "We use Google Analytics cookies _ga (2 years) and _gid (24 hours) to measure website traffic" is.

5. Data Processing Agreements

If you use any third-party tool that processes EU user data on your behalf — Google Analytics, Mailchimp, Stripe, a hosting provider — you need a signed Data Processing Agreement (DPA) in place. Google, Stripe, and most major vendors provide these; you just need to accept them in your account settings.

6. Data Subject Rights

You must be able to respond to requests from EU residents to:

  • Access their data (Subject Access Request, within 30 days)
  • Erase their data (right to be forgotten)
  • Export their data in a portable format
  • Correct inaccurate data
  • Withdraw consent at any time

For most websites, this means having a contact email for privacy requests and being able to delete a user's account and data upon request.

Common Misconceptions

"I'm a small business — GDPR doesn't apply to me"

GDPR has no small business exemption for cookies or website analytics. The only meaningful exception is that companies with fewer than 250 employees have reduced record-keeping obligations under Article 30 — but cookie consent, privacy policy, and data subject rights all still apply regardless of company size.

"I'm not based in Europe"

Where your business is registered is irrelevant. Where your users are located is what matters. If EU residents visit your site, GDPR applies.

"My website doesn't collect data — I have nothing to worry about"

Almost no website is data-free. If you have:

  • Google Analytics → you collect data
  • A contact form → you collect data
  • A cookie consent banner → the banner itself stores a cookie
  • User logins → you collect data
  • Embedded YouTube videos → YouTube collects data on your behalf

The only truly data-free website is a completely static page with no analytics, no external scripts, and no forms. Virtually nothing in production qualifies.

"I have a cookie banner, so I'm compliant"

A cookie banner that doesn't actually block cookies is worse than useless — it creates a paper trail showing you acknowledged the requirement and didn't implement it correctly. Regulators check whether the technical implementation matches the consent collected.

What Happens If You Don't Comply?

GDPR gives supervisory authorities the power to impose fines of:

  • Up to €10 million or 2% of global annual turnover for less serious violations
  • Up to €20 million or 4% of global annual turnover for the most serious infringements

For small businesses, the fines are typically much lower — enforcement decisions against SMEs often result in fines of €5,000–€50,000 — but the reputational damage and cost of remediation can be significant.

Enforcement routes include:

  • Regulator-initiated audits — automated scanning tools used by the French CNIL and others to identify non-compliant sites at scale
  • User complaints — any visitor can file a complaint with their national data protection authority
  • Privacy advocacy groups — organisations like noyb (Max Schrems) file hundreds of complaints annually against websites with cookie consent violations

How to Check If Your Site Is Compliant

The fastest way to assess your current GDPR compliance:

  1. Run an automated scan — GDPR Fix scans your site with a real browser, detects every cookie, checks your consent implementation, and analyses your privacy policy. Free scan, results in 2 minutes.
  2. Test your consent flow manually — Open your site in an incognito window and check what cookies are set before clicking anything. Then click "Reject All" and check again.
  3. Review your privacy and cookie policies — Are all your actual cookies listed? Are DPAs in place for your third-party tools?
  4. Verify data subject request handling — Do you have a way to respond to access and deletion requests within 30 days?

GDPR compliance is not a one-time task. Every time you install a new plugin, add an analytics tool, or change your sign-up flow, your compliance status can change. Regular automated scans are the most practical way to stay on top of it.

Free scan

Check your website now

Find out if your site has the issues described in this article. Free scan, results in minutes.

Scan Your Site — Free