GDPR Compliance for Websites: EU Privacy Requirements

Navigate GDPR regulations to protect user privacy and avoid massive fines

The General Data Protection Regulation (GDPR) is the European Union's comprehensive privacy law that affects any website serving EU users. Even if your business is based in the United States or elsewhere, GDPR applies if you process personal data of people in the EU. Penalties for non-compliance reach €20 million or 4% of global annual revenue, whichever is higher. Beyond avoiding fines, GDPR compliance builds user trust and establishes good data practices that benefit everyone.

Who Must Comply with GDPR

GDPR has extraterritorial reach—location of your business doesn't determine applicability:

If you target EU users: Offering goods or services to people in the EU means GDPR applies, regardless of where your servers or company are located. Having a .eu domain, accepting euros, or providing EU-specific content indicates targeting.

If you monitor EU users: Tracking behavior of people in the EU triggers GDPR, even if you're not directly targeting them. Analytics, behavioral advertising, or profiling of EU users all count as monitoring.

Exceptions are narrow: Simply having EU visitors doesn't automatically trigger GDPR if you're clearly not targeting that market. But the safe approach is to assume GDPR applies unless you actively block EU users.

Key GDPR Principles

GDPR is built on fundamental principles that should guide all data processing decisions:

Lawfulness, fairness, and transparency: Process data legally with clear communication. Users should understand what data you collect, why, and how it's used. No hidden data collection or deceptive practices.

Purpose limitation: Only collect data for specified, legitimate purposes. You can't collect email for newsletter signup then use it for unrelated marketing. Each use requires separate legal basis.

Data minimization: Collect only what's necessary. If you don't need phone numbers, don't ask for them. If you don't need detailed browsing history, don't track it. Less data means less liability.

Accuracy: Keep data correct and up to date. Provide ways for users to update their information. Delete outdated data that's no longer needed.

Storage limitation: Don't keep data longer than necessary. Define retention periods and automatically delete data when that period expires. "Forever" isn't an acceptable retention policy.

Integrity and confidentiality: Protect data with appropriate security measures. Use encryption, access controls, and secure systems. Have incident response plans for breaches.

Legal Basis for Processing

Every data processing activity requires one of the six legal bases set out in GDPR Article 6. The four below are the ones websites typically rely on (the remaining two, vital interests and public task, rarely apply to commercial sites). Choose the appropriate one for each purpose:

Consent: User gives clear, affirmative agreement. Must be freely given, specific, informed, and unambiguous. Pre-checked boxes don't count. Silence isn't consent. Users can withdraw consent easily at any time. Use consent for optional processing like marketing emails.

Contract: Processing is necessary to fulfill a contract with the user. If someone places an order, you can collect shipping address because it's necessary for delivery. This doesn't extend to optional activities—you can't use "contract" as basis for marketing emails.

Legal obligation: The law requires you to process the data; tax records are the classic example. This basis is narrow, and most businesses can't rely on it for many of their activities.

Legitimate interest: Processing is necessary for your legitimate business interests, balanced against user rights. Fraud prevention, security, and some analytics may qualify. You must perform a balancing test and document it. This basis is flexible but requires careful analysis.

Consent Requirements

If using consent as legal basis, GDPR sets strict requirements that most websites fail to meet:

Granular and specific: You can't bundle consent. Users must be able to consent to analytics separately from marketing, separately from third-party cookies. One checkbox for "I agree to privacy policy" doesn't work.

Clear and plain language: No legalese. Explain in simple terms what data you collect and why. "We use cookies to improve your experience" isn't specific enough. "We use Google Analytics to count visitors and understand which pages are popular" is better.

Easy to withdraw: Withdrawing consent must be as easy as giving it. If users can consent with one click, they must be able to withdraw with one click. Requiring email to support team doesn't qualify.

Separate from other terms: Don't bury consent in terms and conditions. Use clear affirmative action like clicking "I accept" or checking an unchecked box. Scrolling or continuing to use the site isn't valid consent.

Not conditional: Can't require consent for non-essential processing as condition of service. If someone can use your site without marketing cookies, you can't force them to accept marketing cookies to access the site.

Cookie Consent Banners

Cookie banners are ubiquitous because GDPR and the ePrivacy Directive require consent for most cookies:

Strictly necessary cookies exempt: Authentication, shopping cart, load balancing, and security cookies don't need consent. They're essential for the site to function. But analytics, advertising, and social media cookies do need consent.

Before cookies are set: Ask for consent before setting non-essential cookies. Many sites set cookies then ask for consent after—that's backwards and non-compliant. No cookies should be set until user agrees.

"Reject All" must be as easy as "Accept All": You can't make rejecting cookies harder than accepting them. Both options should be equally prominent. If accepting takes one click but rejecting requires clicking through multiple screens, that violates GDPR.

No cookie walls (usually): Blocking access to content unless users accept cookies is generally prohibited unless you can prove the cookies are absolutely necessary. Offering paid alternative without tracking may be acceptable but is legally uncertain.

User Rights

GDPR grants users extensive rights over their personal data. You must facilitate these:

  • Right to access — Users can request copies of all personal data you hold about them. Provide it within one month, in machine-readable format.
  • Right to rectification — Users can correct inaccurate data. Provide easy ways to update their information.
  • Right to erasure ("right to be forgotten") — Users can request deletion of their data. You must comply unless you have compelling reason to retain it (legal obligations, etc.).
  • Right to restrict processing — Users can ask you to store but not use their data while disputing accuracy or processing legality.
  • Right to data portability — Users can get their data in structured, commonly used format and transfer it to another service.
  • Right to object — Users can object to processing based on legitimate interests or for direct marketing. You must stop unless you have overriding legitimate grounds.

Data Processing Agreements

Third-party services that process user data on your behalf require Data Processing Agreements (DPAs):

Processors vs Controllers: You're typically a controller—you determine why and how data is processed. Third-party services (analytics, CRM, email providers) are processors—they process data on your instructions. Controllers are responsible for processors' compliance.

DPA requirements: Formal written agreement specifying what data is processed, how it's protected, retention periods, and what happens when the relationship ends. Major services provide standard DPAs you can sign.

Sub-processors: If your processor uses sub-processors (e.g., cloud hosting), you must approve them. Most DPAs include lists of sub-processors and require notification of changes.

International Data Transfers

Sending personal data outside the EU requires additional safeguards:

Adequacy decisions: The EU has deemed some countries to have adequate protection (including the UK, Switzerland, and some others). Transfers to these countries don't need extra measures.

Standard Contractual Clauses (SCCs): For transfers to countries without adequacy decisions (including the US), use SCCs—standard contracts approved by EU. Most US cloud providers offer SCCs.

Privacy Shield is dead: The EU-US Privacy Shield framework was invalidated in 2020. Don't rely on it. Use SCCs instead.

Privacy Policy Requirements

Your privacy policy must be comprehensive, accessible, and clear:

What to include: Identity and contact details of your organization, purposes of processing, legal basis for each purpose, recipients of data, retention periods, user rights, right to lodge complaint with supervisory authority, whether data is transferred internationally.

Accessibility: Link to privacy policy in footer of every page. Reference it in consent banners and forms. Make it easy to find—burying it doesn't reduce legal obligation.

Keep it updated: Review and update privacy policy when you add new services, change data practices, or laws change. Notify users of material changes.

Technical Implementation

Compliance requires technical measures, not just legal documents:

Consent management platforms: Tools like OneTrust, Cookiebot, or open-source alternatives manage consent collection, store proof of consent, and block cookies until consent is given.

Data subject request automation: Build or use tools to handle access requests, deletion requests, and data portability. Manual processes don't scale.

Encryption: Encrypt personal data at rest and in transit. Use HTTPS everywhere. Encrypt database fields containing sensitive data.

Access logging: Log who accesses personal data and when. Helps detect breaches and prove compliance.
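The "before cookies are set", "reject as easy as accept" and "easy to withdraw" rules from the cookie consent section, and the consent-blocking job a consent management platform does, reduce to a small amount of browser logic. Below is an added JavaScript example written for this article (not code from the article, OneTrust or Cookiebot); the storage key, the policy version string, the three category names and the `data-consent`/`data-src` attributes are assumptions, and any storage object with `getItem`/`setItem`/`removeItem` (such as `window.localStorage`) can be passed in.

```javascript
// Added example: a minimal granular consent store plus a script gate of the kind a consent
// management platform provides. CONSENT_KEY, POLICY_VERSION, the category names and the
// data-consent/data-src attributes are assumed names for this illustration.
const CONSENT_KEY = "cookie_consent_v1";
const POLICY_VERSION = "2024-01";                         // bump when purposes change; older records expire
const CATEGORIES = ["analytics", "marketing", "social"]; // strictly necessary cookies need no consent

// storage: anything with getItem/setItem/removeItem, e.g. window.localStorage in the browser.
function createConsentStore(storage, now = () => new Date().toISOString()) {
  function read() {
    try { return JSON.parse(storage.getItem(CONSENT_KEY)); } catch (e) { return null; }
  }
  return {
    // Current decision, or null if the user has not decided yet or decided under an older policy.
    current() {
      const rec = read();
      return rec && rec.version === POLICY_VERSION ? rec : null;
    },
    // Record a granular decision. Anything not explicitly true is false (no pre-checked boxes)
    // and unknown categories are dropped. The stored record is the proof of consent.
    decide(choices) {
      const granted = {};
      for (const c of CATEGORIES) granted[c] = choices[c] === true;
      const rec = { version: POLICY_VERSION, decidedAt: now(), granted };
      storage.setItem(CONSENT_KEY, JSON.stringify(rec));
      return rec;
    },
    // "Accept all" and "Reject all" are each a single call, so neither path is harder than the other.
    acceptAll() { return this.decide(Object.fromEntries(CATEGORIES.map((c) => [c, true]))); },
    rejectAll() { return this.decide({}); },
    // Withdrawing is as easy as giving: one call clears the record and nothing non-essential loads.
    withdraw() { storage.removeItem(CONSENT_KEY); },
    // True only if a current record grants this category; undecided means blocked.
    allowed(category) {
      const rec = this.current();
      return !!(rec && rec.granted[category] === true);
    },
  };
}

// Browser wiring: tags such as <script type="text/plain" data-consent="analytics" data-src="...">
// are inert until this runs, so no non-essential script (or the cookies it sets) loads before consent.
function loadGatedScripts(store, doc) {
  const loaded = [];
  for (const el of doc.querySelectorAll("script[data-consent][data-src]")) {
    if (!store.allowed(el.dataset.consent)) continue;
    const s = doc.createElement("script");
    s.src = el.dataset.src;
    doc.head.appendChild(s);
    loaded.push(s.src);
  }
  return loaded;
}
```

The banner UI itself is not shown; it only needs to call `acceptAll()`, `rejectAll()`, `decide({...})` or `withdraw()` and then run `loadGatedScripts(store, document)`.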

Getting Started

GDPR compliance is a process, not a one-time checklist. Start with these priorities:

  • Audit what data you collect and why.
  • Map all data flows: where it comes from, where it goes, and who processes it.
  • Identify the legal basis for each processing activity.
  • Implement proper cookie consent.
  • Update your privacy policy to meet GDPR requirements.
  • Establish processes for handling user rights requests.

Consider consulting a privacy lawyer, especially if you process sensitive data or large volumes of personal data. This article provides overview but doesn't constitute legal advice. GDPR is complex and interpretations evolve through enforcement actions and court cases.
