GDPR-Compliant Website: What to Get Right on Privacy, Cookies and Forms
The GDPR sounds like red tape, but at its core it's a manageable list of obligations. Most breaches on small-business websites don't come from bad intentions but from three classic mistakes: a cookie banner that blocks nothing, tools that send data to the US without anyone realising it, and an off-the-shelf privacy policy that doesn't match the actual site. Here's an honest overview of what you really need and what's just well-meaning half-knowledge.
One thing up front: we build websites and tools, we're not a law firm. This text is technical and practical guidance, not legal advice. For tricky cases it pays to get a specialist lawyer or data protection officer to take a look. We know where the pitfalls are because we run seven of our own brands live in production and had to make every single one privacy-compliant.
Privacy policy: it has to match the real tech
A privacy policy is mandatory the moment your website processes any personal data, and practically every site does, if only through server logs containing IP addresses. The key point: the policy has to describe what your site actually does, not what a generic generator assumes.
- Every tool has to be listed: hosting, fonts, analytics tools, maps, video embeds, newsletter service, chat widget. Whatever you integrate belongs in there.
- Legal basis and purpose: every type of processing needs a justification (e.g. legitimate interest or consent).
- Data subject rights: access, deletion, objection. Good generators supply these standard paragraphs for you.
- Accessibility: linked from every page, no menu clicking required, ideally in the footer.
A free generator from a reputable legal platform is a good starting point. The real work is keeping it up to date: the moment you add a new tool, the text has to follow. This is exactly where most policies fall apart over time.
Cookies and consent: the most common mistake
The big misconception: slap a banner on it and you're done. Wrong. What matters is that tracking tools only load after consent is given, not before. A banner that merely asks while already sending data in the background is worse than none at all, because it documents the violation.
- Technically necessary cookies (login session, shopping cart, language setting) don't require consent.
- Analytics, marketing and convenience tools may only start after an active click on "Accept".
- Declining has to be just as easy as agreeing. No hidden link, no pre-ticked boxes. "Only necessary" belongs right next to "Accept all", on equal footing.
And the good news: if your website is built lean, you often don't need an annoying banner at all. Many of our sites get by without marketing cookies because we host fonts locally, rely on privacy-friendly analytics and avoid external embeds. No banner is the best banner solution.
Google Fonts, Maps and the US transfer
An underrated point: external services often load data from US servers before the user has consented. Fonts loaded directly from a third-party server transmit the visitor's IP address, and there have already been waves of legal warnings over exactly this. The fix is simple:
- Embed fonts locally instead of loading them from an external server.
- Maps and videos should only load after a click (two-click solution) or be left out entirely.
- For US tools, check whether a European alternative exists. Often it does.
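As an added example for the two sections above (consent-gated tools and click-to-load embeds), not code from the original article: a small consent gate in JavaScript. Tool names, script URLs and categories are constructed placeholders, and `inject` stands in for the code that would create the `<script>` or `<iframe>` element in the browser, so nothing leaves the page until a decision has been recorded.

```javascript
// Added example (not from the original article): a consent gate for
// third-party tools. Tool names and URLs are constructed placeholders.
// Decision logic is kept free of DOM calls so it can be tested headlessly;
// in the browser, `inject` would create the <script>/<iframe> element.

const TOOLS = [
  { name: "session-cookie", category: "necessary" },                       // no consent needed
  { name: "analytics",      category: "analytics", src: "https://stats.example/a.js" },
  { name: "ads-pixel",      category: "marketing", src: "https://ads.example/p.js" },
  { name: "map-embed",      category: "embed",     src: "https://maps.example/embed.js" },
];

// Before the visitor has clicked anything there is no decision at all.
const NO_DECISION = { decided: false, categories: [] };

// Which tools may run for a given consent state? "necessary" always; every
// other category only after an explicit, recorded decision that includes it.
function permittedTools(tools, consent) {
  return tools.filter(
    (t) => t.category === "necessary" || (consent.decided && consent.categories.includes(t.category))
  );
}

// The two equal-footing banner buttons. Both record *when* the visitor decided
// so that consent, or its refusal, is documented.
function acceptAll(tools, now = () => new Date().toISOString()) {
  const cats = [...new Set(tools.map((t) => t.category).filter((c) => c !== "necessary"))];
  return { decided: true, categories: cats, decidedAt: now() };
}
function onlyNecessary(now = () => new Date().toISOString()) {
  return { decided: true, categories: [], decidedAt: now() };
}

// Two-click embed: clicking one placeholder (e.g. the map) grants that
// category only, leaving analytics and marketing untouched.
function grantCategory(consent, category, now = () => new Date().toISOString()) {
  const cats = consent.categories.includes(category) ? consent.categories : [...consent.categories, category];
  return { decided: true, categories: cats, decidedAt: now() };
}

// Load exactly the permitted tools; returns their names for logging/tests.
function applyConsent(tools, consent, inject) {
  const loaded = [];
  for (const t of permittedTools(tools, consent)) {
    if (t.src) inject(t.src); // only here does a request leave the page
    loaded.push(t.name);
  }
  return loaded;
}
```

The point to check in your own banner is the `NO_DECISION` case: with no click yet, only the necessary tool is permitted and `inject` is never called.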
Forms: where data is actually created
Contact, booking and newsletter forms are where you actively collect personal data. A few solid rules apply here:
- Data minimisation: only ask for what you genuinely need. A phone number as a required field for a simple email enquiry is too much.
- Consent notice: a short sentence with a link to the privacy policy right next to the submit button. A pre-ticked checkbox is not permitted.
- Encryption: the site absolutely needs HTTPS (TLS, still commonly called SSL); otherwise form entries travel across the network in plain text.
- Double opt-in for newsletters: first click the confirmation email, then the entry is created. Without this step the sign-up is open to abuse.
- Privacy-friendly spam protection: if an external CAPTCHA service sends user data to the US, you need alternatives or proper consent.
Data processing agreements and hosting
As soon as a service provider processes data on your behalf, that is, your host, your newsletter tool, your form backend, you need a data processing agreement (DPA). Reputable providers have these ready, usually as a PDF download or with a click in your customer account. EU hosting also saves you the whole discussion about third-country transfers. We deliberately host our projects on European servers, which makes the entire data protection side far simpler.
What you do NOT need
To be honest: not every obligation applies to every site. A data protection officer is usually not required for small companies; it depends on headcount and the type of data processing. A cookie banner is only needed if you set cookies that require consent; without tracking it isn't necessary. And expensive consent management platforms with a monthly fee only pay off once you really do run a lot of marketing tools. For most small-business sites, a lean, data-minimising build is enough, one that avoids the problem at the root instead of managing it with banners.