Website Privacy Compliance Guide
GDPR compliant in 2026: Cookies, consent management, tracking scripts, and third-party services done right. The complete privacy guide for websites.
Why Is Privacy Compliance Important for Websites?
Since the introduction of the GDPR (General Data Protection Regulation) in May 2018, strict rules apply to the processing of personal data in Europe. Violations can result in fines of up to 20 million euros or 4% of global annual revenue.
But privacy is not just a legal obligation — it is also a trust signal for your users and can positively impact conversion rates. Websites that handle data transparently enjoy more trust.
Cookies and Consent Management
The most important principle: technically non-essential cookies may only be set after the user has given explicit consent. This means:
- Cookie banner is mandatory: Every website using non-essential cookies needs a consent dialog.
- Opt-in, not opt-out: Checkboxes must not be pre-selected. Users must actively agree.
- Rejection must be equally accessible: The "Reject" button must be as easy to reach as "Accept." No hiding it in submenus or making it smaller.
- Granular control: Users must be able to reject individual cookie categories (e.g., marketing, statistics, functional).
- Document consent: Consent must be provably stored (timestamp, scope, version of privacy policy).
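The following is an added example, not code from PageScore or from any of the CMPs named below. It shows the two halves of the principle above in plain browser JavaScript: a consent record that can be stored as evidence (timestamp, per-category choices, version of the privacy policy) and a gate that activates a tracking script only for categories the user explicitly opted into. The category names, the cookie name site_consent and the POLICY_VERSION tag are assumptions of this example.

```javascript
// Added example, not PageScore's code: a consent record that can be stored
// as evidence (timestamp, categories, policy version) and a gate that only
// activates scripts for categories the user opted into. Category names,
// the cookie name "site_consent" and POLICY_VERSION are assumptions.

const CATEGORIES = ['essential', 'functional', 'statistics', 'marketing'];
const POLICY_VERSION = '2026-01'; // assumed version tag of the current privacy policy

// Build the record. Nothing is pre-selected: a category counts as consented
// only if the user explicitly chose it (choices[category] === true).
function createConsentRecord(choices, policyVersion = POLICY_VERSION, now = new Date()) {
  const categories = {};
  for (const c of CATEGORIES) {
    categories[c] = c === 'essential' ? true : choices[c] === true;
  }
  return { timestamp: now.toISOString(), policyVersion, categories };
}

// Consent given for an older policy version does not carry over; the
// banner has to be shown again. Essential cookies never need consent.
function isCategoryAllowed(record, category, policyVersion = POLICY_VERSION) {
  if (category === 'essential') return true;
  if (!record || record.policyVersion !== policyVersion) return false;
  return record.categories[category] === true;
}

// The record itself is stored in one first-party cookie (an essential one).
function serializeConsentCookie(record, maxAgeDays = 180) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `site_consent=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

function parseConsentCookie(cookieHeader) {
  const m = /(?:^|;\s*)site_consent=([^;]*)/.exec(cookieHeader || '');
  if (!m) return null;
  try {
    return JSON.parse(decodeURIComponent(m[1]));
  } catch {
    return null;
  }
}

// Pure decision step: which of the gated scripts ({ category, src, ... }) may run.
function selectScriptsToLoad(record, scripts) {
  return scripts.filter(s => isCategoryAllowed(record, s.category));
}

// Browser glue. Non-essential scripts are written into the page as inert
//   <script type="text/plain" data-consent="statistics" data-src="https://..."></script>
// and are replaced by real <script src> tags only for consented categories.
function activateGatedScripts(record, doc) {
  const tags = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  const entries = tags.map(tag => ({ category: tag.dataset.consent, src: tag.dataset.src, tag }));
  for (const entry of selectScriptsToLoad(record, entries)) {
    const real = doc.createElement('script');
    real.src = entry.src;
    entry.tag.replaceWith(real);
  }
}

// Typical flow when the user clicks "Save selection" in the banner:
//   const record = createConsentRecord({ statistics: true });
//   document.cookie = serializeConsentCookie(record);
//   activateGatedScripts(record, document);
// On every later page load: activateGatedScripts(parseConsentCookie(document.cookie), document).
```

Because the record carries the policy version, a changed privacy policy automatically invalidates old consent, which is what "version of privacy policy" in the list above is for. Keeping the decision (selectScriptsToLoad) separate from the DOM manipulation makes the gating logic easy to test without a browser.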
Recommended Consent Management Platforms
There are several CMP providers that are TCF 2.2 compatible and simplify implementation:
- Cookiebot: Widely used, automatic cookie scanning, EU servers.
- Usercentrics: German company, very GDPR-focused.
- Klaro: Open-source alternative, self-hosted, full control.
- Cookie Notice (WordPress): Simple solution for WordPress websites.
Tracking Scripts and Analytics
Google Analytics, Facebook Pixel, Hotjar, and similar tracking tools set cookies and transfer personal data. This requires special attention:
Google Analytics 4
- GA4 requires consent before it is loaded.
- IP anonymization is active by default in GA4, but data transfer to the US remains problematic.
- Use Google Consent Mode v2 to enable basic measurements without cookies.
- Alternative: Matomo (self-hosted) or Plausible — privacy-friendly analytics without cookies.
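As an added example (not code from PageScore or Google), the snippet below wires Google Consent Mode v2 into a consent banner: all storage signals default to denied before the GA4 tag is loaded, and they are updated once the user has made a choice. The four consent signal names and the gtag()/dataLayer pattern are Google's documented ones; the category names (statistics, marketing) and the mapConsent() helper are assumptions of this example.

```javascript
// Added example, not PageScore's or Google's code: Google Consent Mode v2
// wiring. The consent signal names (ad_storage, ad_user_data,
// ad_personalization, analytics_storage) are Google's; the CMP category
// names and mapConsent() are assumptions of this example.

const dataLayer = [];                        // the real page uses window.dataLayer
function gtag() { dataLayer.push(arguments); }

// 1. Defaults: deny everything. This must run at the top of <head>,
//    before the GA4 / Tag Manager snippet is loaded.
function setConsentDefaults() {
  gtag('consent', 'default', {
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    analytics_storage: 'denied',
    wait_for_update: 500,   // ms to wait for the CMP's update before any hit is sent
  });
}

// 2. Translate the CMP's category choices into Google's consent signals.
//    Statistics only unlocks analytics cookies; advertising signals follow
//    the marketing category and stay denied otherwise.
function mapConsent(categories) {
  const g = v => (v === true ? 'granted' : 'denied');
  return {
    analytics_storage: g(categories.statistics),
    ad_storage: g(categories.marketing),
    ad_user_data: g(categories.marketing),
    ad_personalization: g(categories.marketing),
  };
}

// 3. Push the update after the user decides, and again on every page load
//    from the stored consent record, so the defaults are overridden early.
function applyConsent(categories) {
  const update = mapConsent(categories);
  gtag('consent', 'update', update);
  return update;
}

// Reads back the effective consent state from everything pushed so far
// (later 'update' calls override the 'default' call). Used for auditing.
function currentConsentState() {
  const state = {};
  for (const args of dataLayer) {
    if (args[0] === 'consent') Object.assign(state, args[2]);
  }
  return state;
}

// Order in the page: setConsentDefaults(); load gtag.js; then
// applyConsent(storedRecord.categories) as soon as the CMP knows the answer.
```

The important detail is ordering: if the default call runs after the tag has loaded, the first hits go out with storage granted. A quick check during an audit is to inspect window.dataLayer in the console and confirm that a consent/default entry precedes everything else.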
Audit Third-Party Services
Many services that websites embed transfer data to third parties. Check critically:
- Google Fonts: Loading Google Fonts transmits the user's IP address to Google. Solution: Host fonts locally.
- YouTube embeds: Set cookies even without playing. Use the enhanced privacy mode: youtube-nocookie.com.
- Google Maps: Transfers user data to Google. Solution: Load only after consent or use a static map with a link to Google Maps.
- Social media buttons: Facebook Like button, Twitter Share, etc. transfer data to their respective networks. Use the Shariff solution or simple links.
- CDN services: Check whether your CDN provider processes data within the EU.
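The helpers below are an added example, not PageScore's audit code. They rewrite YouTube URLs to the youtube-nocookie.com enhanced privacy host and classify a list of request URLs (as copied from the DevTools Network tab) into the third-party findings listed above. youtube-nocookie.com is YouTube's documented privacy host; the classification table, the sample URLs and the video id AbCdEfGhIjK are constructed for this example.

```javascript
// Added example, not PageScore's code: rewrite YouTube embed URLs to the
// enhanced privacy host and classify third-party requests. The sample URLs
// and the video id are constructed placeholders.

// Convert youtube.com/embed, youtube.com/watch and youtu.be URLs to
// https://www.youtube-nocookie.com/embed/<id>. Anything else is returned unchanged.
function toNoCookieEmbed(src) {
  let u;
  try { u = new URL(src); } catch { return src; }
  const host = u.hostname.replace(/^www\./, '');
  let id = null;
  if (host === 'youtube-nocookie.com') return src;           // already the privacy host
  if (host === 'youtube.com' && u.pathname.startsWith('/embed/')) {
    id = u.pathname.slice('/embed/'.length);
  } else if (host === 'youtube.com' && u.pathname === '/watch') {
    id = u.searchParams.get('v');
  } else if (host === 'youtu.be') {
    id = u.pathname.slice(1);
  }
  if (!id || !/^[\w-]{11}$/.test(id)) return src;            // not a YouTube video URL
  return `https://www.youtube-nocookie.com/embed/${id}`;
}

// Map a third-party URL to the remediation from the checklist above.
function classifyThirdParty(url) {
  const u = new URL(url);
  const h = u.hostname;
  if (h === 'fonts.googleapis.com' || h === 'fonts.gstatic.com')
    return 'Google Fonts loaded remotely: host the font files locally';
  if (h.endsWith('youtube.com'))
    return 'YouTube embed sets cookies before playback: switch to youtube-nocookie.com';
  if ((h === 'www.google.com' || h === 'maps.googleapis.com') && u.pathname.startsWith('/maps'))
    return 'Google Maps: load after consent or use a static map with a link';
  if (h.endsWith('facebook.com') || h.endsWith('facebook.net'))
    return 'Facebook script: replace Like/Share widget with a plain link or Shariff';
  return 'Other third party: confirm where the provider processes data';
}

// Walk a list of request URLs, skip first-party ones, report the rest.
function auditEmbeds(urls, firstPartyHost) {
  const findings = [];
  for (const url of urls) {
    let u;
    try { u = new URL(url); } catch { continue; }
    const host = u.hostname;
    if (host === firstPartyHost || host.endsWith('.' + firstPartyHost)) continue;
    findings.push({ url, host, finding: classifyThirdParty(url) });
  }
  return findings;
}

// Constructed sample, in the shape of URLs copied from DevTools -> Network.
const SAMPLE_URLS = [
  'https://www.example.org/assets/app.js',
  'https://fonts.googleapis.com/css2?family=Inter',
  'https://www.youtube.com/embed/AbCdEfGhIjK',
  'https://www.google.com/maps/embed?pb=placeholder',
  'https://connect.facebook.net/en_US/sdk.js',
  'https://cdn.example-cdn.test/lib.js',
];

// Usage: auditEmbeds(SAMPLE_URLS, 'example.org').forEach(f => console.log(f.host, '->', f.finding));
```

The classification is deliberately conservative: any host that is not first-party and not recognised still produces a finding, because the question for an unknown CDN or widget host is the same as for a known one (where is the data processed, and is there a processing agreement).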
Privacy Policy
Every website needs a complete and up-to-date privacy policy. It must include:
- Data controller: Name, address, and contact details of the person responsible for data protection.
- Processed data: What data is collected (IP addresses, cookies, form data, etc.)?
- Purpose of processing: Why is the data collected?
- Legal basis: On what basis is the processing carried out (consent, legitimate interest, contract fulfillment)?
- Third parties: Which external services are integrated and what data is transmitted?
- Storage duration: How long is the data stored?
- Data subject rights: Right to access, rectification, erasure, data portability, and objection.
The privacy policy must be accessible from every subpage with a maximum of two clicks — ideally via a link in the footer.
Technical Measures
SSL/HTTPS
Encrypting data transmission is not optional. Every website that processes personal data (and effectively every website that stores log files does) must use HTTPS.
Set security headers like HSTS, CSP, and Referrer-Policy to increase security and control data transmission to third parties. The Referrer-Policy in particular can prevent URLs with sensitive parameters from being shared with external services.
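As an added example (not PageScore's code), here is a header set for a site that hosts its fonts locally and loads analytics only after consent, built for Node's standard http module. The Content-Security-Policy allow-lists restrict which third-party hosts a page may even contact, which complements the consent gate; Referrer-Policy: strict-origin-when-cross-origin keeps the full URL (including query parameters) within the site's own origin. The host names passed in are assumptions; the headers themselves are standard.

```javascript
// Added example, not PageScore's code: security headers for a privacy-
// conscious site, as a function usable in any Node http/Express handler.
// The third-party hosts passed to securityHeaders() are assumptions.

function securityHeaders({ scriptHosts = [], frameHosts = [], connectHosts = [] } = {}) {
  const list = hosts => ["'self'", ...hosts].join(' ');
  const csp = [
    "default-src 'self'",
    `script-src ${list(scriptHosts)}`,     // e.g. the tag manager host, nothing else
    `connect-src ${list(connectHosts)}`,   // hosts analytics may send hits to
    `frame-src ${list(frameHosts)}`,       // e.g. https://www.youtube-nocookie.com
    "img-src 'self' data:",
    "font-src 'self'",                     // fonts are hosted locally, so no font CDN here
    "object-src 'none'",
    "base-uri 'self'",
    "form-action 'self'",                  // form data never leaves the site
  ].join('; ');
  return {
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'Content-Security-Policy': csp,
    // Cross-origin requests get only the origin, never the path or query string.
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    'X-Content-Type-Options': 'nosniff',
  };
}

// Apply to a Node http.ServerResponse (or Express res); returns res for chaining.
function applySecurityHeaders(res, headers = securityHeaders()) {
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  return res;
}

// Audit helper: does a CSP string allow `source` for `directive`?
// Falls back to default-src when the directive is absent, as browsers do.
function cspAllows(csp, directive, source) {
  const directives = new Map(
    csp.split(';').map(s => s.trim()).filter(Boolean).map(s => {
      const [name, ...sources] = s.split(/\s+/);
      return [name, sources];
    })
  );
  const sources = directives.get(directive) ?? directives.get('default-src') ?? [];
  return sources.includes(source);
}

// Usage in a plain Node server:
//   http.createServer((req, res) => {
//     applySecurityHeaders(res, securityHeaders({ frameHosts: ['https://www.youtube-nocookie.com'] }));
//     res.end('<!doctype html>...');
//   }).listen(8443);
```

cspAllows() is handy when checking a live site: fetch the headers, then ask whether script-src still permits a host you thought you had removed.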
Contact Forms and Inputs
- Use HTTPS for all form submissions.
- Store only the data you truly need (data minimization).
- Inform users about data processing directly at the form with a link to the privacy policy.
- Automatically delete inquiries after a reasonable period.
Regular Auditing
Privacy is not a one-time project. Regularly check:
- What cookies does your website actually set? (DevTools → Application → Cookies)
- What external requests does your website make? (DevTools → Network)
- Is the privacy policy still up to date?
- Does the consent management work correctly?
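The first and last of these checks can be automated. The following is an added example, not PageScore's audit tooling: it parses the document.cookie string as shown in DevTools, compares every cookie against a declared inventory, and reports cookies that were set without consent for their category or that are not declared at all. The inventory is constructed for this example; _ga and _ga_* are the cookie names GA4 uses and _fbp is the Facebook Pixel cookie, the rest are placeholders.

```javascript
// Added example, not PageScore's code: compare the cookies a page actually
// sets against the declared inventory and the user's consent state.
// The inventory is constructed; _ga/_ga_* (GA4) and _fbp (Facebook Pixel)
// are real cookie names, session_id and site_consent are placeholders.

const COOKIE_INVENTORY = {
  session_id:   'essential',
  site_consent: 'essential',
  _ga:          'statistics',
  '_ga_*':      'statistics',   // GA4 property cookie, e.g. _ga_ABC123; '*' = prefix match
  _fbp:         'marketing',
};

// Parse the document.cookie string ("a=1; b=2") into a name -> value map.
function parseCookieString(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    const name = part.slice(0, i).trim();
    if (name) out[name] = part.slice(i + 1).trim();
  }
  return out;
}

// Exact name first, then any inventory entry ending in '*' as a prefix.
function lookupCategory(name, inventory) {
  if (inventory[name]) return inventory[name];
  for (const [pattern, category] of Object.entries(inventory)) {
    if (pattern.endsWith('*') && name.startsWith(pattern.slice(0, -1))) return category;
  }
  return null;
}

// Findings: non-essential cookies present without consent for their
// category, and cookies the inventory (and thus the policy) does not know.
function auditCookies(cookieString, consentedCategories, inventory = COOKIE_INVENTORY) {
  const findings = [];
  for (const name of Object.keys(parseCookieString(cookieString))) {
    const category = lookupCategory(name, inventory);
    if (!category) {
      findings.push({ cookie: name, problem: 'undeclared' });
    } else if (category !== 'essential' && !consentedCategories.includes(category)) {
      findings.push({ cookie: name, problem: `set without consent for "${category}"` });
    }
  }
  return findings;
}

// In the browser console, with the banner rejected (no categories consented):
//   auditCookies(document.cookie, [])
// should return an empty array; anything else is a gap in the consent gate.
```

Run it twice during an audit: once right after rejecting everything (any non-essential finding means a script fires before consent) and once after accepting only statistics (any marketing finding means the categories are not actually separated).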
Check your website's privacy compliance now with PageScore — we automatically audit cookies, tracking, and third-party services.