GDPR Compliance Checklist for Websites (2024)
GDPR fines reached €4.2 billion by 2024. Most violations are preventable with simple technical measures. This checklist covers the 7 areas regulators check first.
1. SSL / HTTPS enabled
CRITICAL: All pages must be served over HTTPS. GDPR Article 32 requires "appropriate technical measures" — transmitting user data over unencrypted HTTP fails this test. Google also penalises HTTP sites in search rankings.
Fix: Install a free Let's Encrypt certificate via your hosting panel. Most modern hosts (Cloudflare, Vercel, Netlify) provide this automatically.
2. Privacy Policy page
CRITICAL: GDPR Article 13 requires you to inform users about what data you collect, why, how long you keep it, and their rights. A missing privacy policy is one of the most-fined violations.
Fix: Create a /privacy-policy page. Use our free Privacy Policy Generator to build a compliant one in minutes.
3. Cookie consent banner
CRITICAL: If you use cookies that are not strictly necessary (analytics, marketing, tracking), you must obtain explicit consent before setting them. The ePrivacy Directive and GDPR both apply.
Fix: Implement a CMP (Consent Management Platform) like CookieYes, Cookiebot, or Axeptio. The banner must have a visible "Reject" option — dark patterns are increasingly fined.
4. Forms with consent checkboxes
HIGH: Any form collecting email addresses or personal data needs clear disclosure of how that data will be used. Pre-ticked consent boxes are not valid under GDPR.
Fix: Add an unchecked checkbox near your form: "I agree to the processing of my data as described in the Privacy Policy." Link to your policy.
5. Terms of Service page
MEDIUM: While not strictly required by GDPR, a ToS page limits your liability and sets clear expectations. It's also required by many payment processors and app stores.
Fix: Create a /terms page covering acceptable use, payment terms (if applicable), dispute resolution, and disclaimers.
6. Third-party scripts disclosed
INFO: Google Analytics, Facebook Pixel, Hotjar — every third-party script that processes user data must be listed in your privacy policy as a data processor.
Fix: Audit your site's scripts. List each service in your privacy policy under "Third-party processors." Only load scripts after consent is given.
7. Contact information visible
MEDIUM: GDPR Article 13 requires you to identify the data controller. This means a real contact email (not a no-reply address) or physical address must be findable on the site.
Fix: Add a contact email to your footer or create a /contact page. If you're an EU business, include your registered address.
Check your site automatically
Paste your URL and get this entire checklist run against your site in 60 seconds. Free, no account required.
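An offline version of the static checks behind items 1, 2, 4, 5, 6 and 7, added here as an example and not the page's own scanner. It assumes a `data-consent` attribute marks scripts that a CMP holds back until consent, runs on a constructed sample page, and uses only the Python standard library.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ChecklistParser(HTMLParser):
    """Collects checklist findings while walking one HTML document."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []   # (severity, message) tuples
        self.hrefs = []      # every <a href> seen, lower-cased

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)      # bare attributes such as "checked" map to None
        src = a.get("src") or ""
        if src.startswith("http://"):                      # item 1: plain-HTTP resource
            self.findings.append(("CRITICAL", "insecure http:// resource: " + src))
        if tag == "input" and a.get("type") == "checkbox" and "checked" in a:
            self.findings.append(("HIGH", "pre-ticked consent checkbox: " + a.get("name", "?")))
        if tag == "script" and src:                        # item 6: third-party script
            host = urlparse(src).hostname or ""
            # data-consent is the assumed CMP marker for "do not run until consent"
            if host and host != self.site_host and "data-consent" not in a:
                self.findings.append(("INFO", "third-party script loaded before consent: " + host))
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"].lower())


def audit_html(html, site_host):
    """Run the static checks over one page; returns a list of (severity, message)."""
    p = _ChecklistParser(site_host)
    p.feed(html)
    required_links = {"privacy": ("CRITICAL", "no privacy policy link"),   # item 2
                      "terms": ("MEDIUM", "no terms of service link"),     # item 5
                      "mailto:": ("MEDIUM", "no contact email link")}      # item 7
    for needle, finding in required_links.items():
        if not any(needle in h for h in p.hrefs):
            p.findings.append(finding)
    return p.findings


# Constructed sample page: privacy link present, but a pre-ticked box, one ungated
# tracker, one plain-HTTP image, no terms page and no contact email.
SAMPLE_HTML = """<html><body>
<a href="/privacy-policy">Privacy</a>
<img src="http://cdn.example.com/logo.png">
<script src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script data-consent="analytics" type="text/plain" src="https://static.hotjar.com/c/hotjar.js"></script>
<form><input type="checkbox" name="consent" checked> I agree</form>
</body></html>"""

if __name__ == "__main__":
    for severity, message in audit_html(SAMPLE_HTML, "example.com"):
        print(severity, message)
```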
This article is for informational purposes only and does not constitute legal advice. Consult a qualified lawyer for your specific situation.