GDPR Compliance Checklist for Website Owners (2026)
A practical, actionable GDPR compliance checklist covering every requirement your website must meet — cookies, consent, privacy policy, data rights, and more.
How to Use This Checklist
Work through each section. Items marked CRITICAL are the most commonly enforced and most likely to result in fines. Items marked IMPORTANT are required under GDPR but are enforced less frequently. Items marked BEST PRACTICE improve your compliance posture but aren't strictly required.
---
1. Cookie Consent
- [ ] CRITICAL — Consent banner visible on first visit before any non-essential cookies are set
- [ ] CRITICAL — "Reject All" or "Only Necessary" option is on the first layer (same screen as "Accept All")
- [ ] CRITICAL — No non-essential cookies set before consent is given (verify in incognito)
- [ ] CRITICAL — Pre-checked boxes are NOT used for analytics or marketing categories
- [ ] IMPORTANT — Users can change their consent preferences at any time (footer link or floating button)
- [ ] IMPORTANT — Consent is renewed periodically (typically every 12 months)
- [ ] BEST PRACTICE — Separate consent options for analytics, marketing, and functional categories
2. Cookie Policy
- [ ] CRITICAL — Dedicated cookie policy page exists (or detailed section in privacy policy)
- [ ] CRITICAL — All cookies listed with name, purpose, provider, category, and retention period
- [ ] IMPORTANT — Third-party services named explicitly (not just "analytics partners")
- [ ] IMPORTANT — Links to each third party's own privacy policy
- [ ] IMPORTANT — Information on how to change preferences and delete cookies via browser
- [ ] BEST PRACTICE — Cookie policy updated whenever new scripts or plugins are added
3. Privacy Policy
- [ ] CRITICAL — Privacy policy exists and is accessible from every page (footer)
- [ ] CRITICAL — Legal basis for each type of data processing is stated
- [ ] CRITICAL — Data retention periods specified for each category of data
- [ ] IMPORTANT — Data transfers to third countries disclosed (e.g., US via Data Privacy Framework)
- [ ] IMPORTANT — Contact details for Data Controller and DPO (if applicable) included
- [ ] IMPORTANT — All six GDPR user rights described with how to exercise them
4. Technical Implementation
- [ ] CRITICAL — Consent Management Platform (CMP) or custom solution actually blocks scripts pre-consent
- [ ] CRITICAL — Google Analytics Consent Mode v2 implemented (if using GA)
- [ ] CRITICAL — No
document.cookiewrites for non-essential cookies on page load - [ ] IMPORTANT — HTTPS enforced site-wide
- [ ] IMPORTANT — Cookie SameSite and Secure flags set appropriately
- [ ] BEST PRACTICE — Regular automated scans to catch new cookies added by CMS plugins or updates
5. Data Subject Rights
- [ ] CRITICAL — Process exists to respond to Subject Access Requests (SARs) within 30 days
- [ ] CRITICAL — Ability to delete a user's data upon request
- [ ] IMPORTANT — Ability to export user data in portable format
- [ ] IMPORTANT — Process for handling data rectification requests
- [ ] BEST PRACTICE — Self-service data export and deletion available in account settings
6. Data Processor Agreements
- [ ] CRITICAL — Data Processing Agreement (DPA) signed with Google (Analytics, Ads)
- [ ] CRITICAL — DPAs signed with all processors who handle EU user data
- [ ] IMPORTANT — Review DPAs when vendors update their terms
- [ ] BEST PRACTICE — Maintain a data processing register listing all processors
7. Forms and Data Collection
- [ ] CRITICAL — No pre-checked consent boxes for marketing communications
- [ ] CRITICAL — Purpose of data collection stated at point of collection
- [ ] IMPORTANT — Only data necessary for the stated purpose is collected (data minimization)
- [ ] IMPORTANT — Separate consent for each distinct purpose (don't bundle)
8. If You Have a Newsletter or Email Marketing
- [ ] CRITICAL — Double opt-in implemented (user confirms email address)
- [ ] CRITICAL — Unsubscribe mechanism in every email
- [ ] IMPORTANT — Consent records stored (who opted in, when, what they agreed to)
- [ ] BEST PRACTICE — Separate lists for different content types
---
How to Audit Your Compliance
The fastest way to check how many of these boxes you tick:
- Run a scan with GDPR Fix — it automatically checks cookies, consent implementation, and policy gaps
- Review your privacy and cookie policies against this checklist
- Test your consent flow in an incognito window
- Verify DPAs are in place with your key vendors
A compliance audit once a quarter is sufficient for most websites. If you regularly add new scripts, plugins, or integrations, scan after every significant change.
Check your website now
Find out if your site has the issues described in this article. Free scan, results in minutes.
Scan Your Site — Free