Disclaimer
This page summarizes common GDPR requirements relevant to websites. It is not legal advice.
Key Requirements
Lawful basis
Identify a lawful basis for each processing activity (e.g., consent for non-essential cookies, legitimate interests where appropriate)
Consent
Obtain informed, freely given, specific, and unambiguous consent before setting non-essential cookies. Provide equal "accept" and "reject/manage" choices
Transparency
Provide a clear privacy policy describing what you collect, why, and how long you keep it. Disclose third-party recipients and transfers
User rights
Implement processes for access, rectification, deletion, restriction, portability, and objection
Data Processing Agreements (DPAs)
Have DPAs with processors who handle personal data on your behalf
Security
Apply appropriate technical and organizational measures to protect data
Breach notification
Notify authorities and affected users as required in the event of a personal data breach
International transfers
Use valid transfer mechanisms where data moves outside the EU/EEA
Record-keeping
Maintain records of processing activities and consents as applicable
How CookieBeam Helps
CookieBeam helps with consent collection and logging. You are responsible for configuring your banner and tags to match your policies and for meeting obligations beyond consent.
Lawful Basis and Consent in Practice
Under GDPR, every act of personal data processing must rest on one of six lawful bases. For non-essential cookies — analytics, marketing, and personalisation — consent is almost always the only appropriate basis. Legitimate interests, the alternative most often cited by marketers, is rarely available for advertising cookies because the intrusive nature of tracking tips the balancing test against the controller.
Freely given means the user has a genuine choice. Regulators have been unambiguous: a consent banner must give Reject All and Accept All equal visual prominence. Pre-ticked boxes, dark patterns that bury the reject option, and cookie walls that block access to content unless the user accepts cookies all violate the freely-given requirement.
Specific consent means granularity. Bundling all non-essential cookies into a single “I agree” click is not sufficient. Users must be able to consent category-by-category — for example, accepting analytics while refusing marketing — or vendor-by-vendor if your CMP supports it.
Informed consent requires that each category comes with a plain-language explanation: what the cookies do, which third parties receive data, and how long data is retained. Vague labels like “Performance Cookies” without further detail do not meet the standard.
Revocable consent means withdrawing must be as easy as giving. A persistent floating icon that reopens the preference centre at any time satisfies this requirement. Burying the opt-out in a multi-step account settings page does not.
Transparency: What Your Privacy and Cookie Policies Must Include
GDPR Articles 13 and 14 set out transparency obligations that apply at the point of data collection. Every website that processes visitor data must disclose: the identity and contact details of the data controller; the purposes and legal basis for each processing activity; data retention periods; categories of recipients (including named third-party vendors); and the full list of data subject rights, including the right to withdraw consent and the right to lodge a complaint with a supervisory authority.
Your Cookie Policy must go further than a generic privacy notice. It must enumerate every cookie category, list individual cookies by name, identify the provider, state the purpose in plain language, and specify the cookie duration. A table format works well for this: one row per cookie, columns for name, provider, purpose, type (session/persistent), and expiry.
Some websites fold cookie disclosures into their main Privacy Policy under a dedicated “Cookies” section; others maintain a standalone Cookie Policy linked directly from the consent banner. Both approaches are acceptable under GDPR, but the policy must be reachable from the banner itself — a footer-only link is insufficient if users are being asked to consent before they scroll down.
Policies must be kept current. Adding a new analytics vendor or changing how you use existing data constitutes a change in processing purposes, which triggers an obligation to update your policy and, in most cases, re-present the consent banner to existing visitors.
Cookie Policy Must Include
- List of all cookie categories (Strictly Necessary, Analytics, Marketing, Preferences), with a plain-language description of each category's purpose
- Individual cookie names and providers, e.g. _ga (Google Analytics), _fbp (Meta Pixel)
- Cookie duration / expiry for each cookie: session cookies vs persistent cookies, with the retention period in plain terms
- Third-party controllers and links to their privacy policies (Google, Meta, HubSpot, etc.)
- How users can withdraw consent: a link to the preference centre or cookie settings
- Date the policy was last updated (regulators check whether policies are kept current)
- Link to your full Privacy Policy, accessible from the cookie policy itself
User Rights Under GDPR: What Websites Must Provide
GDPR grants individuals eight distinct rights with respect to their personal data. Websites that process visitor data must be able to honour all of them:
- Right of access (Art. 15) — users can request a copy of all personal data you hold about them.
- Right to rectification (Art. 16) — users can require you to correct inaccurate data.
- Right to erasure (Art. 17) — the “right to be forgotten”; users can request deletion of their data.
- Right to restriction of processing (Art. 18) — users can ask you to pause processing while a dispute is resolved.
- Right to data portability (Art. 20) — users can request their data in a machine-readable format.
- Right to object (Art. 21) — users can object to processing based on legitimate interests, including direct marketing.
- Rights related to automated decision-making (Art. 22) — users can object to purely automated decisions that significantly affect them.
- Right to withdraw consent (Art. 7(3)) — withdrawal must be as easy as giving consent in the first place.
In the cookie context, the most frequently exercised rights are erasure (delete my consent record and any associated data), access (show me what tracking data you hold), and objection (stop processing my data for marketing purposes).
Practically, you must provide a named contact or email address for Data Subject Access Requests (DSARs) in your privacy policy and respond within one calendar month. If you use a CMP like CookieBeam, consent records are timestamped and exportable, making DSAR responses significantly easier.
Data Processing Agreements with Vendors
GDPR Article 28 requires that whenever you share personal data with a third party that processes it on your behalf, you must have a written Data Processing Agreement (DPA) in place. This applies to any vendor whose script or SDK receives personal data collected from your visitors.
Common processors that require a DPA include: Google Analytics and Google Tag Manager, Meta (Facebook) Pixel, HubSpot, Hotjar, Intercom, Mailchimp, Zendesk, and any other SaaS tool that ingests behavioural, demographic, or contact data from your site.
Most major vendors publish standard DPAs that you accept through their admin console rather than by signing a separate document. However, acceptance is not automatic — you must actively navigate to the relevant settings screen and confirm. Simply using the vendor's service does not constitute signing a DPA.
Keep a record of which DPAs you have accepted, the version you accepted, and the date. If a vendor updates their DPA, you may need to re-accept. This record will be important if you are ever audited by a supervisory authority or respond to a DSAR.
Where to Find Major Vendor DPAs
Most major analytics and marketing vendors make their DPAs available through their admin interfaces or legal portals:
- Google Analytics / Google Ads: Accept via your Google Account → Admin → Data Collection → Data Processing Amendment.
- Meta (Facebook Pixel): Data Processing Terms available in Meta Business Settings → Business Info → Data Processing.
- HubSpot: Data Processing Agreement in HubSpot Account Settings → Legal.
- Hotjar: Data Processing Agreement available at hotjar.com/legal/.
- Most SaaS vendors: Search for “Data Processing Agreement”, “DPA”, or “Data Processing Addendum” in the vendor’s legal or privacy pages, or in their help centre.
Security and Breach Notification
GDPR Article 32 requires data controllers to implement appropriate technical and organisational measures to protect personal data. In practice, this means ensuring all data is transmitted over HTTPS (TLS), enforcing strict access controls on any systems that store consent records or behavioural data, conducting regular security assessments, and reviewing the security posture of your third-party vendors.
If a personal data breach occurs — for example, unauthorised access to your consent logs, exposure of user preference data, or a third-party analytics SDK leaking session data — you must notify your supervisory authority (your national Data Protection Authority) within 72 hours of becoming aware of the breach (Art. 33). If the breach is likely to result in a high risk to the rights and freedoms of individuals, you must also notify those individuals directly without undue delay (Art. 34).
A breach notification to a DPA must include: a description of the nature of the breach; the categories and approximate number of individuals and records affected; the name and contact details of your Data Protection Officer (if you have one); the likely consequences of the breach; and the measures you have taken or propose to take to address it.
Cookie Compliance Audit: 6 Steps
Inventory All Cookies Your Site Sets
Use a cookie scanner (CookieBeam includes one) or your browser's DevTools (Application → Cookies) to list every cookie your site sets, along with its provider, purpose, and duration. Make sure to capture cookies set by third-party scripts such as Google Analytics, Meta Pixel, and Hotjar, which are often added indirectly via Google Tag Manager and may not be immediately obvious.
Categorise by Purpose
Sort every cookie into one of four standard categories: Strictly Necessary (login sessions, CSRF tokens, load balancer cookies), Analytics (GA4, Hotjar, Plausible), Marketing (Meta Pixel, Google Ads, LinkedIn Insight Tag), and Preferences (language selection, UI theme). Strictly Necessary cookies do not require consent; all others do. If a cookie's purpose is ambiguous, err on the side of requiring consent.
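The inventory and categorisation steps above are easy to do by hand for a handful of cookies and error-prone for dozens. The following is an added example, not CookieBeam's scanner or any code from this page: it parses Set-Cookie headers captured from responses, derives session-vs-persistent and expiry in days, and sorts each cookie into the four categories. The sample headers and the KNOWN_COOKIES lookup table are constructed for illustration; unknown names are deliberately left as "consent required" and flagged for review, following the rule in the text.

```javascript
// Added example, not CookieBeam's code: turn Set-Cookie response headers
// into one inventory row per cookie and sort each into one of the four
// categories above. The sample headers and the KNOWN_COOKIES table are
// constructed for illustration; a real site needs its own table.

// Name (or prefix ending in '_') -> category/provider. Anything not listed
// is treated as requiring consent and flagged for manual review.
const KNOWN_COOKIES = {
  sessionid:   { category: 'Strictly Necessary', provider: 'First party' },
  csrftoken:   { category: 'Strictly Necessary', provider: 'First party' },
  _ga:         { category: 'Analytics', provider: 'Google Analytics' },
  _ga_:        { category: 'Analytics', provider: 'Google Analytics' }, // _ga_<stream id>
  _hjSession_: { category: 'Analytics', provider: 'Hotjar' },
  _fbp:        { category: 'Marketing', provider: 'Meta Pixel' },
  lang:        { category: 'Preferences', provider: 'First party' },
};

// Constructed sample of what a scanner or the DevTools Network tab captures.
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  '_ga=GA1.1.123456789.1700000000; Max-Age=63072000; Path=/; Domain=.example.com',
  '_fbp=fb.1.1700000000000.1234567890; Expires=Thu, 01 Jan 2026 00:00:00 GMT; Path=/',
  'theme_v2=dark; Max-Age=2592000; Path=/',
];

// Parse one Set-Cookie header into { name, value, attrs }. Attribute keys
// are lower-cased; flag attributes such as Secure become true.
function parseSetCookie(header) {
  const [pair, ...parts] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const part of parts) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Session vs persistent and the lifetime in days. Max-Age takes precedence
// over Expires, as browsers do; neither present means a session cookie.
function lifetime(attrs, now = new Date()) {
  let days = null;
  if ('max-age' in attrs) days = Number(attrs['max-age']) / 86400;
  else if ('expires' in attrs) days = (new Date(attrs.expires) - now) / 86400000;
  if (days === null) return { type: 'session', expiryDays: 0 };
  return { type: 'persistent', expiryDays: Math.round(days * 100) / 100 };
}

// Exact name first, then prefix entries (table keys ending in '_').
function classify(name) {
  if (KNOWN_COOKIES[name]) return { ...KNOWN_COOKIES[name], needsReview: false };
  for (const [prefix, info] of Object.entries(KNOWN_COOKIES)) {
    if (prefix.endsWith('_') && name.startsWith(prefix)) return { ...info, needsReview: false };
  }
  return { category: 'Unclassified', provider: 'Unknown', needsReview: true };
}

// One inventory row per header: the columns the cookie policy table needs.
function inventory(headers, now = new Date()) {
  return headers.map((h) => {
    const { name, attrs } = parseSetCookie(h);
    const { category, provider, needsReview } = classify(name);
    return {
      name, provider, category,
      requiresConsent: category !== 'Strictly Necessary',
      ...lifetime(attrs, now),
      needsReview,
    };
  });
}

console.table(inventory(SAMPLE_HEADERS));
```

Rows with needsReview set are the ones to resolve before configuring the banner; until a purpose is confirmed they count as consent-required, which matches the "err on the side of requiring consent" rule.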
Update Your Consent Banner
Configure CookieBeam with your finalised cookie categories and vendor list. Verify that Reject All and Accept All buttons have equal visual weight — same size, same colour contrast, same position. Check in your browser's network tab or tag manager preview mode that no non-essential cookies or tracking pixels fire before the user has made a choice.
Verify Consent Signals
Use GTM Preview mode or append ?gcm_debug=1 to a URL to verify that Google Consent Mode v2 signals — ad_storage, analytics_storage, ad_user_data, and ad_personalization — update correctly when a user accepts or rejects cookies. Confirm that denied states default correctly on page load before any user action.
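To make the checks in the two steps above concrete, here is an added example (not CookieBeam's code and not Google's library) of the browser-side logic they verify: a Consent Mode v2 default that sets all four signals to denied before any tag loads, an update that maps the user's category choices onto those signals, and a gate that refuses to run a non-essential tag loader until its signal is granted. The gtag() shim follows the standard snippet shape; the category names 'analytics' and 'marketing', the 500 ms wait_for_update value, and the mapping of all three advertising signals to the Marketing category are assumptions for illustration.

```javascript
// Added example, not CookieBeam's or Google's code: a default-deny Consent
// Mode v2 setup, a mapper from banner categories to the four v2 signals,
// and a gate that refuses to run a tag loader until the matching signal is
// granted. The gtag() shim is the standard snippet shape; the category
// names ('analytics', 'marketing') and the 500 ms wait are assumptions.

const dataLayer = (globalThis.dataLayer = globalThis.dataLayer || []);
function gtag() { dataLayer.push(arguments); }

const SIGNALS = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];

// Must run before any Google tag loads: every signal starts 'denied'.
// wait_for_update tells tags to hold for a stored choice before firing.
function consentDefault() {
  const defaults = Object.fromEntries(SIGNALS.map((s) => [s, 'denied']));
  defaults.wait_for_update = 500;
  gtag('consent', 'default', defaults);
  return defaults;
}

// Banner categories -> signals. Analytics drives analytics_storage; the
// three advertising signals follow the Marketing category. A category that
// is absent or false stays denied, so "Reject All" is simply {}.
function signalsFor(choices) {
  const g = (c) => (choices[c] === true ? 'granted' : 'denied');
  return {
    analytics_storage: g('analytics'),
    ad_storage: g('marketing'),
    ad_user_data: g('marketing'),
    ad_personalization: g('marketing'),
  };
}

function consentUpdate(choices) {
  const update = signalsFor(choices);
  gtag('consent', 'update', update);
  return update;
}

// Replay the dataLayer to get the effective state: defaults overlaid by
// each later update, in order. This is what a debugging pass inspects.
function effectiveConsent() {
  const state = {};
  for (const entry of dataLayer) {
    if (entry[0] !== 'consent' || (entry[1] !== 'default' && entry[1] !== 'update')) continue;
    for (const s of SIGNALS) if (s in entry[2]) state[s] = entry[2][s];
  }
  return state;
}

// Gate a non-essential tag behind its signal. Returns whether it ran.
function loadTagIfAllowed(signal, loader) {
  if (effectiveConsent()[signal] !== 'granted') return false;
  loader();
  return true;
}

// Clear the layer (used when re-running the sequence in tests or a REPL).
function resetDataLayer() { dataLayer.length = 0; }

// Walk-through: defaults first, then a choice accepting analytics only.
consentDefault();
console.log('before choice:', effectiveConsent());
consentUpdate({ analytics: true, marketing: false });
console.log('after choice: ', effectiveConsent());
```

The gate is the part worth keeping in production: a loader for a marketing pixel that is only ever invoked through loadTagIfAllowed('ad_storage', ...) cannot fire on first paint, which is exactly the condition the network-tab check in step 3 is looking for.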
Update Privacy Policy and Cookie Policy
Revise your Privacy Policy to reflect your current processing activities and legal bases. Add or update a Cookie Policy section that lists every cookie category with individual cookie names, providers, purposes, and durations. Link to this policy directly from the consent banner. Set a calendar reminder to review the policy whenever you add a new vendor or change how you use existing data.
Sign Data Processing Agreements with Vendors
Check each analytics and marketing vendor's admin console for a DPA or Data Processing Amendment. Accept or sign each one and note the acceptance date and version. Keep a record — a simple spreadsheet listing vendor name, DPA version, and date accepted is sufficient for most organisations and will be invaluable if you are ever audited.
Related Guides
What Is GDPR?
Understand the EU data protection law, its scope, and the six lawful bases for processing personal data.
What Is a CMP?
How a Consent Management Platform automates consent collection and audit logging.
Google Consent Mode v2
How Consent Mode signals work and why they matter for GDPR-compliant Google Ads.
What Is TCF?
The IAB Transparency & Consent Framework — who needs it and how it relates to GDPR.
Frequently Asked Questions
Do I need a separate cookie policy or can it be part of my privacy policy?
Both approaches are legally acceptable under GDPR, provided the disclosures are complete and easily accessible. Many websites include a dedicated “Cookies” section within their main Privacy Policy. Alternatively, a standalone Cookie Policy linked directly from the consent banner is common and often cleaner for users. Whatever format you choose, the policy must be reachable from the consent banner itself — a footer-only link is insufficient when users are being asked to consent before they have scrolled to the bottom of the page.
What counts as a “strictly necessary” cookie that doesn’t need consent?
Strictly necessary (or “essential”) cookies are those without which the website cannot function as explicitly requested by the user. This includes session cookies that keep users logged in, shopping cart cookies, CSRF tokens that protect form submissions, and load balancer cookies that route requests to the correct server. It does not include analytics cookies — even first-party, cookieless analytics — or cookies that improve performance in ways that go beyond a function the user has specifically requested. When in doubt, treat a cookie as requiring consent.
Do I need a Data Processing Agreement with Google Analytics?
Yes. Google Analytics acts as a data processor when it processes personal data — including IP addresses, device identifiers, and behavioural event data — on your behalf. Google’s DPA for Google Analytics is embedded in the Google Ads Data Processing Terms and must be explicitly accepted through your Google account. Navigate to your Google Analytics Admin → Data Collection → Data Processing Amendment to review and accept the terms. Simply using Google Analytics without accepting the DPA puts you in breach of GDPR Article 28.
How often should I renew user consent?
GDPR does not specify a mandatory re-consent interval. However, consent should be renewed when your cookie purposes change materially, when you add significant new vendors, or when you update your privacy policy in a way that affects how you process cookie data. Many organisations adopt a 12-month re-consent cycle as a conservative default. CookieBeam allows you to configure a consent expiry period in the dashboard — once that period elapses, returning visitors are shown the banner again and must make a fresh choice.
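The expiry behaviour described in this answer, together with the timestamped, exportable consent records mentioned under User Rights and the re-presentation of the banner after a policy change under Transparency, all come down to the same small piece of record-keeping logic. The following is an added example of that logic, not CookieBeam's implementation: an append-only consent log that records each choice with a timestamp and the policy version it was given under, decides whether a returning visitor must be shown the banner again (never asked, consent older than the expiry period, or given under a superseded policy), and supports the access and erasure requests most often received in the cookie context. The record shape, the policy version scheme and the 365-day default are assumptions for illustration.

```javascript
// Added example, not CookieBeam's code: an append-only consent log with the
// fields a DSAR response and a re-consent check need. The record shape,
// the policy version scheme and the 365-day default are assumptions; the
// requirements they implement (timestamped, exportable records; re-prompt
// when consent expires or the policy changes) come from the text above.

const DEFAULT_EXPIRY_DAYS = 365;

class ConsentLog {
  constructor() { this.records = []; this.seq = 0; }

  // One immutable record per consent event. `choices` is category ->
  // boolean; a withdrawal is simply a new record with every category false.
  record({ subjectId, choices, policyVersion, at = new Date() }) {
    const rec = Object.freeze({
      id: `${subjectId}-${++this.seq}`,
      subjectId,
      choices: Object.freeze({ ...choices }),
      policyVersion,
      timestamp: at.toISOString(),
    });
    this.records.push(rec);
    return rec;
  }

  // Most recent record for a subject, or null if never asked.
  latest(subjectId) {
    for (let i = this.records.length - 1; i >= 0; i--) {
      if (this.records[i].subjectId === subjectId) return this.records[i];
    }
    return null;
  }

  // 'none'   -> never asked;
  // 'expired'-> older than the expiry period (the dashboard setting above);
  // 'stale'  -> given under an older policy version (purposes changed);
  // 'valid'  -> the stored choice still stands.
  status(subjectId, { currentPolicyVersion, now = new Date(), expiryDays = DEFAULT_EXPIRY_DAYS }) {
    const rec = this.latest(subjectId);
    if (!rec) return 'none';
    const ageDays = (now - new Date(rec.timestamp)) / 86400000;
    if (ageDays > expiryDays) return 'expired';
    if (rec.policyVersion !== currentPolicyVersion) return 'stale';
    return 'valid';
  }

  mustShowBanner(subjectId, opts) { return this.status(subjectId, opts) !== 'valid'; }

  // Art. 15 / Art. 20: every record for one subject, machine-readable.
  exportFor(subjectId) {
    return JSON.stringify(this.records.filter((r) => r.subjectId === subjectId), null, 2);
  }

  // Art. 17: remove the subject's records; returns how many were removed.
  erase(subjectId) {
    const before = this.records.length;
    this.records = this.records.filter((r) => r.subjectId !== subjectId);
    return before - this.records.length;
  }
}

// Walk-through with constructed data: a visitor consents under policy
// 2025-01, the policy is later bumped to 2025-03, so the banner returns.
const log = new ConsentLog();
log.record({ subjectId: 'visitor-42', choices: { analytics: true, marketing: false },
             policyVersion: '2025-01', at: new Date('2025-01-10T12:00:00Z') });
console.log(log.status('visitor-42', { currentPolicyVersion: '2025-03', now: new Date('2025-06-01T00:00:00Z') }));
console.log(log.exportFor('visitor-42'));
```

Storing the policy version alongside the timestamp is what lets the same check serve both the calendar expiry and the "re-present the banner when processing purposes change" obligation, without a separate flag per vendor change.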