A practical GDPR compliance checklist for 2025. Check whether your website has everything required, from cookie consent to privacy policy, user rights and security measures.
GDPR (General Data Protection Regulation) has been in effect since 2018, but enforcement is stronger than ever in 2025. Data protection authorities across Europe issued over €1.6 billion in fines last year alone. Here's a practical checklist to make sure your website is compliant.
Your cookie consent must be explicit, informed, and granular. Pre-ticked categories, consent inferred from scrolling, or an 'Accept all' button with no equally prominent 'Reject all' are not valid consent under GDPR (Articles 4(11) and 7). Users must be able to accept or reject each category of non-essential cookies (analytics, marketing, preferences) separately. Consent must be as easy to withdraw as it is to give: if accepting takes one click, rejecting and later withdrawing must not take more.
You must have a clear, accessible privacy policy that explains: who the controller is and how to contact them, what data you collect, why you collect it and on which legal basis, how long you keep it, who you share it with, how users can exercise their rights, and that they can complain to a supervisory authority (Article 13). It must be written in plain language, not legalese.
For every processing purpose, you must have a valid legal basis under Article 6: consent, contract performance, legal obligation, vital interests, public task, or legitimate interests. If you rely on legitimate interests, document the balancing test you performed. Record each purpose and its basis in your Records of Processing Activities (ROPA, Article 30); the exemption for organisations under 250 employees does not apply if the processing is more than occasional.
You must give users a way to exercise their GDPR rights: access their data, correct it, delete it (the 'right to be forgotten'), restrict its processing, port it to another service, and object to processing. This typically means a dedicated email address or form. Requests are free of charge and must be answered without undue delay and at the latest within one month of receipt; that period can be extended by two further months for complex or numerous requests, provided you tell the user within the first month (Article 12). Verify the requester's identity before releasing or deleting anything, but don't demand more identification than the request warrants.
Pre-ticked checkboxes for marketing emails or non-essential cookies are explicitly prohibited under GDPR. Consent must be an affirmative action: the user must actively opt in, and silence or inactivity never counts as consent.
All data transmitted between users and your website must be encrypted with HTTPS (TLS). GDPR does not name HTTPS, but Article 32 requires 'appropriate technical and organisational measures' and explicitly lists encryption, and a form submitted over plain HTTP is an easy finding for any regulator. Mixed content (HTTP resources loaded on HTTPS pages) is also a problem, because the browser may block the resource or leak data over the unencrypted channel. Redirect all HTTP requests to HTTPS and send an HSTS header so browsers never fall back.
If you suffer a personal data breach, you must notify your supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33). You must also inform affected users without undue delay if the breach poses a high risk to them (Article 34). Every breach, reported or not, goes into an internal breach register with the facts, effects and remedial action taken. You need a documented procedure, including who decides and who contacts the authority, before a breach happens.
If you use third-party services that process personal data on your behalf (email providers, analytics, hosting, CRM), you must have a Data Processing Agreement (DPA) with each (Article 28). Most major providers (Google, AWS, Mailchimp) publish standard DPAs that you accept in the account console or as part of their terms; check that you have actually done so, and review their sub-processor list, since you remain accountable for what those sub-processors do with your users' data.
Many websites set cookies they're not even aware of, from embedded fonts, analytics scripts, support widgets, and social media buttons. Run a cookie scan on a fresh browser profile, before any consent is given, to discover all cookies your site sets, then classify each one correctly in your consent banner. Anything non-essential that appears on that first, pre-consent load is already a problem.
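As an added illustration of what a cookie scan actually does (this is example code written for this article, not Scanlei's scanner), the block below takes the Set-Cookie headers captured on a first page load, classifies each cookie by name against a small pattern list, and flags the typical findings: a non-essential cookie set before consent, an unknown cookie that is missing from the banner, a lifetime beyond a 13-month ceiling, and a missing Secure attribute. The name patterns, the vendor labels, the 13-month threshold (CNIL's recommendation for analytics cookies) and the sample headers are all assumptions for illustration; a real scanner maintains a far larger pattern list.

```javascript
// Added example, not Scanlei's scanner: inventory and classify cookies from
// Set-Cookie headers captured on a pre-consent page load.
// Patterns, vendor labels and the retention ceiling are illustrative assumptions.

const COOKIE_PATTERNS = [
  { re: /^_ga(_[A-Z0-9]+)?$/,    category: "analytics",   vendor: "Google Analytics" },
  { re: /^_gid$/,                category: "analytics",   vendor: "Google Analytics" },
  { re: /^_fb[pc]$/,             category: "marketing",   vendor: "Meta Pixel" },
  { re: /^li_fat_id$/,           category: "marketing",   vendor: "LinkedIn Insight Tag" },
  { re: /^(lang|locale|theme)$/, category: "preferences", vendor: "first-party" },
  { re: /^(PHPSESSID|JSESSIONID|csrftoken|__Host-session)$/, category: "necessary", vendor: "first-party" },
];

// 13 months: CNIL's recommended ceiling for analytics cookies (assumed threshold).
const MAX_RETENTION_SECONDS = 13 * 30 * 24 * 3600;

// Parse one Set-Cookie header into the name plus the attributes an audit cares about.
// `now` (epoch ms) is injectable so Expires-based lifetimes are deterministic.
function parseSetCookie(header, now = Date.now()) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    maxAgeSeconds: null, // null = session cookie
    secure: false,
    httpOnly: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1).trim();
    if (key === "max-age") cookie.maxAgeSeconds = parseInt(val, 10); // Max-Age wins over Expires (RFC 6265)
    else if (key === "expires" && cookie.maxAgeSeconds === null) {
      const ms = Date.parse(val) - now;
      if (!Number.isNaN(ms)) cookie.maxAgeSeconds = Math.round(ms / 1000);
    } else if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "samesite") cookie.sameSite = val;
  }
  return cookie;
}

function classifyCookie(name) {
  const hit = COOKIE_PATTERNS.find((p) => p.re.test(name));
  return hit ? { category: hit.category, vendor: hit.vendor }
             : { category: "unclassified", vendor: "unknown" };
}

// consentGiven=false models the first, pre-consent page load: only strictly
// necessary cookies may be present. Unknown cookies are treated as non-essential.
function auditCookies(setCookieHeaders, { consentGiven = false, now = Date.now() } = {}) {
  const inventory = [];
  const findings = [];
  for (const header of setCookieHeaders) {
    const c = parseSetCookie(header, now);
    const { category, vendor } = classifyCookie(c.name);
    inventory.push({ ...c, category, vendor });
    if (category === "unclassified")
      findings.push(`${c.name}: unknown cookie, classify it before it appears in the banner`);
    if (category !== "necessary" && !consentGiven)
      findings.push(`${c.name} (${category}, ${vendor}): set before consent`);
    if (c.maxAgeSeconds !== null && c.maxAgeSeconds > MAX_RETENTION_SECONDS)
      findings.push(`${c.name}: lifetime ${Math.round(c.maxAgeSeconds / 86400)} days exceeds the 13-month ceiling`);
    if (!c.secure) findings.push(`${c.name}: missing Secure attribute`);
  }
  return { inventory, findings };
}

// Constructed sample headers (not captured from a real site).
const SAMPLE_SET_COOKIE = [
  "PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
  "_ga=GA1.2.1234567890.1700000000; Max-Age=63072000; Path=/; Secure; SameSite=Lax",
  "_fbp=fb.1.1700000000000.123456789; Max-Age=7776000; Path=/; SameSite=Lax",
  "theme=dark; Max-Age=31536000; Path=/; Secure",
  "zd_support_widget=1; Max-Age=2592000; Path=/; Secure",
];

// Stand-alone run: print the audit of a pre-consent page load.
for (const f of auditCookies(SAMPLE_SET_COOKIE).findings) console.log(f);
```

Run it with `node` and you get seven findings for the sample: the session cookie is clean, the Google Analytics cookie is both pre-consent and kept for two years, the Meta cookie lacks Secure, the theme cookie is a preference set without consent, and the support widget's cookie is unknown and therefore cannot be correctly described in the banner. Re-running with `consentGiven: true` leaves the three findings that consent does not cure.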
Meta Pixel, Google Analytics, LinkedIn Insight Tag, and similar trackers collect personal data. Loading them before obtaining consent violates both GDPR and the ePrivacy rules on storing or reading information on a user's device. Ensure your tag manager respects consent categories and doesn't fire without permission: tags must default to denied, not to granted-until-rejected, and a withdrawal must stop further firing immediately.
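To show what 'respects consent categories' means in code, here is an added example of a minimal consent manager (written for this article, not Scanlei's or any vendor's code). Nothing is loaded until the user decides, accepting and rejecting everything each take one call, withdrawal is the same single call, every decision is recorded with a timestamp and policy version, and the granted categories are translated into the Google Consent Mode signal names that a tag manager can consume. The tracker registry, script URLs, category names and policy version are assumptions; the `loadScript` callback is injected so the logic runs outside a browser.

```javascript
// Added example, not the article's or any vendor's code: consent-gated tracker
// loading with per-category choices and a default of "nothing granted".
// Tracker ids and URLs are illustrative assumptions.

const CONSENT_CATEGORIES = ["analytics", "marketing", "preferences"];

// Illustrative registry: which category each tracker needs before it may load.
const TRACKER_REGISTRY = [
  { id: "ga4",              category: "analytics", src: "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX" },
  { id: "meta-pixel",       category: "marketing", src: "https://connect.facebook.net/en_US/fbevents.js" },
  { id: "linkedin-insight", category: "marketing", src: "https://snap.licdn.com/li.lms-analytics/insight.min.js" },
];

// Map granted categories onto Google Consent Mode v2 parameter names.
// Everything not granted is explicitly "denied", never left unset.
function toConsentModeSignals(granted) {
  const g = (cat) => (granted.has(cat) ? "granted" : "denied");
  return {
    analytics_storage: g("analytics"),
    ad_storage: g("marketing"),
    ad_user_data: g("marketing"),
    ad_personalization: g("marketing"),
    functionality_storage: g("preferences"),
  };
}

function createConsentManager({ loadScript, emitConsentSignals = () => {}, now = () => Date.now(), policyVersion = "2025-01" }) {
  let granted = new Set();  // default deny: no non-essential tracker loads before a decision
  let decidedAt = null;
  const loaded = new Set();
  const records = [];       // who consented to what, when, under which policy (Art. 7(1) accountability)

  function apply(categories, action) {
    const unknown = categories.filter((c) => !CONSENT_CATEGORIES.includes(c));
    if (unknown.length) throw new Error(`unknown consent category: ${unknown.join(", ")}`);
    granted = new Set(categories);
    decidedAt = now();
    records.push({ action, categories: [...granted], policyVersion, at: decidedAt });
    emitConsentSignals(toConsentModeSignals(granted));
    for (const t of TRACKER_REGISTRY) {
      if (granted.has(t.category) && !loaded.has(t.id)) {
        loadScript(t.src);
        loaded.add(t.id);
      }
    }
    // A script already in the page cannot be unloaded; after a withdrawal the
    // site must stop firing its events (see canFire) and clear that vendor's cookies.
  }

  return {
    acceptAll: () => apply([...CONSENT_CATEGORIES], "accept_all"),
    rejectAll: () => apply([], "reject_all"),                       // same effort as acceptAll
    save: (categories) => apply(categories, "save"),                // granular choice
    withdraw: (category) => apply([...granted].filter((c) => c !== category), "withdraw"),
    isGranted: (category) => granted.has(category),
    hasDecided: () => decidedAt !== null,
    // The check a tag manager runs before every event: is this tracker's category granted now?
    canFire: (trackerId) => {
      const t = TRACKER_REGISTRY.find((x) => x.id === trackerId);
      return Boolean(t) && granted.has(t.category);
    },
    loadedTrackers: () => [...loaded],
    records: () => records.slice(),
  };
}

// Stand-alone run with a fake loader that records what would have been injected.
const demoLoads = [];
const demo = createConsentManager({ loadScript: (src) => demoLoads.push(src) });
demo.save(["analytics"]);
demo.withdraw("analytics");
console.log("loaded:", demoLoads, "ga4 may fire:", demo.canFire("ga4"));
```

In a real page `loadScript` would append a `<script>` tag and `emitConsentSignals` would call `gtag('consent', 'update', signals)` after an initial `gtag('consent', 'default', ...)` with everything denied; the logic above is the part that regulators actually test by loading the page and clicking 'Reject all'.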
Scanlei scans your website for cookies, trackers, privacy policy presence, HTTPS, and more. Get a free GDPR compliance report in 60 seconds, no signup required.
Your website must have a visible way for users to contact you about their data. You must appoint a Data Protection Officer (DPO) if you are a public authority, if your core activities involve regular and systematic monitoring of individuals on a large scale, or if you process special categories of data or criminal-offence data on a large scale (Article 37). If your company is outside the EU but offers goods or services to people in the EU or monitors their behaviour, you must also designate a representative in the EU (Article 27).
If you offer an online service directly to children and rely on consent, you need consent from a parent or guardian for users under 16 (member states may set a lower threshold, down to 13), and you must make reasonable efforts to verify that the parent actually gave it (Article 8). Consent interfaces aimed at children must not use dark patterns, and information addressed to them must be written so a child can understand it.
Transferring personal data outside the EU requires adequate protection: an adequacy decision, Standard Contractual Clauses (SCCs), or Binding Corporate Rules. US-based providers are covered only if they are certified under the EU-US Data Privacy Framework (which the Commission's 2023 adequacy decision covers) or if you have SCCs in place together with a transfer impact assessment. Using US-based services with neither is a common GDPR violation.
Forms should only ask for data you actually need (data minimisation, Article 5(1)(c)). If you're collecting an email for a newsletter, don't also require a phone number. Each field must have a clear purpose, and 'we might use it later' is not one.
GDPR compliance isn't a one-time task. Websites change: new trackers get added, consent banners break, policies go out of date. Set up automated monitoring to catch issues before regulators do.
If you're starting from scratch, focus on: cookie consent banner, HTTPS, and privacy policy. These are the most commonly cited violations in enforcement actions and the quickest to fix.