
GDPR Compliance for Websites

GDPR is not just a legal checkbox — it shapes every consent flow, form, and cookie banner on your site. Poor compliance exposes you to multi-million euro fines and erodes user trust. This page explains what the regulation requires, how it intersects with UX design, and how to audit your website systematically.

  • EU Regulation 2016/679
  • Effective May 2018
  • €4.5 B+ in fines issued
  • Applies globally to EU users

What is GDPR?

GDPR (General Data Protection Regulation) is EU Regulation 2016/679, effective May 25, 2018. It establishes data protection and privacy rights for individuals in the European Union and European Economic Area. GDPR applies to any website or service that collects or processes personal data of EU residents, regardless of where the operator is based.

When to use

Relevant whenever your website collects personal data (email addresses, IP logs, cookies, analytics) from visitors who may be EU residents.

How it works

  1. Defines six lawful bases for data processing: consent, contract, legal obligation, vital interests, public task, and legitimate interests.
  2. Grants data subjects eight rights: access, rectification, erasure, restriction, portability, object, automated-decision opt-out, and the right to complain.
  3. Requires Data Protection Officers (DPOs) for public authorities and organisations processing data at scale or processing sensitive categories.
  4. Enforced by national Data Protection Authorities (DPAs) in each EU member state, coordinated via the European Data Protection Board (EDPB).

Evidence

  • GDPR fines have totalled over €4.5 billion since enforcement began in 2018 (GDPR Enforcement Tracker, 2024)
  • 92% of websites use at least one third-party tracker, making GDPR scope nearly universal (W3Techs, 2024)

What does GDPR require for websites?

Websites must obtain freely given, specific, informed, and unambiguous consent before setting non-essential cookies. They must publish a clear privacy policy, maintain records of data processing activities, honour data subject rights (access, erasure, portability), report breaches within 72 hours, and appoint a Data Protection Officer where required.

When to use

Applies to every website that processes personal data of EU residents, including analytics, contact forms, e-commerce checkouts, and third-party advertising pixels.

How it works

  1. Cookie consent: non-essential cookies (analytics, advertising, social) require opt-in consent before firing. Pre-ticked boxes are invalid.
  2. Privacy policy: must state what data is collected, why, how long it is retained, who it is shared with, and how users can exercise their rights.
  3. Records of processing activities (RoPA): organisations with 250+ employees (or processing sensitive data) must maintain a written RoPA.
  4. Right to erasure (Article 17): users can request deletion of their personal data; sites must honour requests within 30 days.
  5. Breach notification: data breaches likely to risk rights and freedoms must be reported to the DPA within 72 hours of becoming aware.

How does GDPR affect UX design?

GDPR mandates privacy-by-design and bans dark patterns in consent flows. Pre-ticked consent checkboxes, confusing opt-out UI, and consent walls are non-compliant. Forms must minimise data collection, cookie banners must make rejection as easy as acceptance, and privacy information must be written in plain language.

When to use

Critical for designers and product teams building cookie banners, account registration flows, checkout forms, email sign-up modals, and any data-collection UI.

How it works

  1. Consent banners: accept and reject must be presented with equal visual prominence. A prominent 'Accept All' next to a buried settings link fails this test.
  2. Privacy-by-design: data minimisation, purpose limitation, and storage limitation must be built into features from the start, not bolted on afterwards.
  3. Form design: collect only fields strictly necessary for the stated purpose. Optional fields must be clearly labelled as optional.
  4. Legitimate interest assessments (LIAs): when relying on legitimate interest as a lawful basis, document a three-part balancing test.
  5. Children's data: special protections apply to users under 16, or under a lower age between 13 and 16 where a member state has set one. Age verification and parental consent may be required.

What are GDPR fines and penalties?

GDPR penalties reach up to 4% of global annual turnover or €20 million, whichever is higher. Meta received a record €1.2 billion fine in 2023 for unlawful EU–US data transfers. Amazon was fined €746 million in 2021. Total GDPR enforcement has surpassed €4.5 billion since the regulation took effect.

When to use

Relevant for any organisation assessing the business risk of non-compliance, including legal, compliance, and engineering teams.

How it works

  1. Article 83(4): lower-tier fines up to €10 M / 2% of annual global turnover for obligations like processor contracts, data breach notification, and DPO duties.
  2. Article 83(5): higher-tier fines up to €20 M / 4% of annual global turnover for core principles, lawful basis, data subject rights, and international transfers.
  3. Additional remedies: DPAs can order a temporary or permanent processing ban, require data deletion, and mandate corrective action.
  4. Private right of action: individuals can claim compensation for material or non-material damage caused by GDPR violations.

How do I audit GDPR compliance on my website?

A GDPR website audit checks for: valid cookie consent banners, absence of dark-pattern consent UI, third-party tracker inventory, privacy policy completeness, data minimisation in forms, and right-to-erasure workflows. VertaaUX automates detection of dark patterns and non-compliant consent flows as part of its UX audit engine.

When to use

Run a GDPR audit before product launches, after major UI changes involving forms or consent flows, annually as part of a compliance calendar, or when entering new EU markets.

How it works

  1. Scan all pages for cookie-setting scripts and classify them (strictly necessary vs. non-essential).
  2. Test the consent banner: attempt to reject all, verify non-essential cookies do not fire before consent, check that accept and reject have equal visual weight.
  3. Audit third-party integrations: analytics (GA4), ad pixels (Meta, Google Ads), live-chat tools, and A/B testing platforms all typically require consent.
  4. Review forms for data minimisation: remove optional fields that are pre-filled or unlabelled.
  5. Verify privacy policy covers all required GDPR disclosures: data controller identity, lawful bases, retention periods, third-party recipients, and rights.
  6. Test right-to-erasure: can a user locate and submit a deletion request within one click from their account or privacy policy?
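One way to implement audit steps 1 and 2 (classify cookie-setting behaviour, then verify that nothing non-essential fires before consent), as an added JavaScript example that is not VertaaUX's code or the page's own. The COOKIE_RULES table and the captured Set-Cookie headers are constructed assumptions for illustration.

```javascript
// Added example (not VertaaUX's or the page's code): classify cookies captured on a page
// load *before* any consent interaction and flag non-essential ones that fired early.
// COOKIE_RULES is an assumed starter list for illustration, not an authoritative registry.
const COOKIE_RULES = [
  { pattern: /^(_ga|_gid|_gat)/, category: "analytics", essential: false },
  { pattern: /^(_fbp|_gcl_au)$/, category: "advertising", essential: false },
  { pattern: /^(PHPSESSID|JSESSIONID|csrftoken)$/, category: "session", essential: true },
  { pattern: /^cookie_consent$/, category: "consent-state", essential: true },
];

// Parse one Set-Cookie header value into its name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const part of attrParts) {
    const [k, v = true] = part.split("=");
    attrs[k.toLowerCase()] = v;
  }
  return { name, value, attrs };
}

// Classify by name. Unknown cookies count as non-essential so they surface for review.
function classifyCookie(name) {
  const rule = COOKIE_RULES.find((r) => r.pattern.test(name));
  return rule ? { category: rule.category, essential: rule.essential }
              : { category: "unknown", essential: false };
}

// Audit step: every non-essential cookie present before consent is a finding.
function auditPreConsentCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .map((c) => ({ ...c, ...classifyCookie(c.name) }))
    .filter((c) => !c.essential)
    .map((c) => ({ name: c.name, category: c.category, domain: c.attrs.domain || "(host-only)" }));
}

// Constructed sample: Set-Cookie headers observed on first load, before any banner click.
const PRE_CONSENT_HEADERS = [
  "PHPSESSID=abc123; Path=/; HttpOnly; Secure",
  "_ga=GA1.2.111; Domain=.example.test; Path=/; Max-Age=63072000",
  "_fbp=fb.1.222; Domain=.example.test; Path=/",
  "cookie_consent=pending; Path=/",
];
console.log(auditPreConsentCookies(PRE_CONSENT_HEADERS)); // two findings: _ga and _fbp
```

In a real audit the headers would come from a headless-browser or proxy capture of the first page load, taken before any interaction with the banner.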

What is the difference between GDPR and other privacy laws?

GDPR covers all EU/EEA residents and requires opt-in consent for most data processing. CCPA (California) uses an opt-out model and applies to for-profit businesses above a threshold. Brazil's LGPD mirrors GDPR closely. South Korea's PIPA predates GDPR but has similar principles. Multinational sites typically align with GDPR as the strictest standard.

When to use

Relevant for product and legal teams building for multiple jurisdictions. Understanding which law applies — and where they overlap or conflict — determines your consent architecture.

How it works

  1. GDPR (EU/EEA): opt-in consent required for most processing; applies to any site serving EU users; fines up to 4% of global turnover.
  2. CCPA / CPRA (California): opt-out model for personal information sales; applies to for-profit businesses meeting revenue or data-volume thresholds; fines up to $7,500 per intentional violation.
  3. LGPD (Brazil): closely mirrors GDPR structure and principles; enforced by the ANPD; applies to processing data of Brazil residents.
  4. PIPA (South Korea): comprehensive personal data law with consent-based approach; enforced by the PIPC; requires local representative for foreign businesses.
  5. Practical approach: implement GDPR-compliant consent and data subject rights globally to cover the strictest requirements, then layer jurisdiction-specific notices where needed.

Evidence

  • GDPR fines have totalled over €4.5 billion since 2018, making it the most actively enforced privacy regulation globally (GDPR Enforcement Tracker, 2024)