GDPR and Websites: The Complete 2026 Compliance Checklist

TL;DR: The French CNIL has issued over €500 million in fines since GDPR came into force, including against SMBs. Critical points to check on your site: cookie banner with a “Reject” button as visible as “Accept”, complete privacy policy, forms with data minimisation, EU hosting, and replacing Google Analytics with a compliant alternative (Plausible, Matomo).

GDPR (General Data Protection Regulation) has been in force since 2018, but in 2026, many websites remain non-compliant. The consequences are real: the French CNIL has issued over €500 million in fines since the regulation came into force, some against SMBs and micro-businesses. This guide gives you the complete checklist to bring your site into compliance.

Why GDPR compliance is essential

Beyond financial risk (fines up to 4% of annual worldwide revenue or €20 million), GDPR compliance is a matter of:

• Customer trust: 87% of European consumers say they’re concerned about the use of their personal data
• Reputation: a regulator sanction is public and covered by media
• Competitiveness: more and more tenders require GDPR compliance as a prerequisite
• Ethics: respecting your users’ privacy is simply the right thing to do

The complete checklist

1. Cookie consent banner

This is often the first thing regulators check. Your cookie banner must respect these rules:

Required:

• The banner appears before any non-essential cookie is dropped
• The user can accept, reject or customise their choices
• The “Reject” button is as visible and accessible as the “Accept” button (same size, same colour, same access level)
• No non-essential cookie is dropped before explicit consent
• Consent is recorded and can be proved in case of audit
• The user can change their choice at any time (link accessible in the footer, for example)
• Consent expires and is requested again after 13 months maximum

Common errors to fix:

• The “Reject” button hidden behind a “Settings” link (non-compliant since 2020 CNIL guidelines)
• Pre-checked boxes (forbidden)
• The “cookie wall” blocking site access without acceptance (forbidden except in very specific cases)
• Google Analytics cookies dropped before consent

2. Privacy policy

Your site must include a complete and up-to-date privacy policy. It must mention:

• Data controller identity: name, address, contact
• Data collected: precise list (name, email, IP, browsing data, etc.)
• Purposes of each processing: why you collect this data
• Legal basis for each processing: consent, legitimate interest, contract performance, legal obligation
• Data recipients: who has access (subcontractors, partners)
• Retention period of each data type
• User rights: access, rectification, deletion, portability, opposition, limitation
• How to exercise rights: email, form, postal address
• Non-EU transfers: if data is sent outside Europe (Google Analytics, Mailchimp, etc.), specify the safeguards (standard contractual clauses, adequacy decision)
• DPO contact details (if applicable) or of the person in charge of data protection

3. Data collection forms

Every form on your site (contact, newsletter, registration, quote) must respect these principles:

• Data minimisation: only ask for strictly necessary data. A contact form doesn’t need the date of birth.
• Information at collection: a link to the privacy policy must be visible near the form
• Separate consent for each purpose: if you also subscribe the person to your newsletter, that requires a separate (non pre-checked) checkbox
• No pre-checked box: consent must result from a clear positive act
• Acknowledgement: inform the user their request was received and remind them of their rights

4. Legal notices

Mandatory for any professional French website, legal notices must include:

• Company name, legal form, share capital
• Registered office address
• Phone number and contact email
• SIRET/SIREN number and intra-community VAT number
• Name of the publication director
• Host details (name, address, phone)
• CNIL declaration number (if applicable)

5. Hosting and subcontractors

Your host and tool choices directly impact compliance:

• EU hosting: prefer a European host. US hosting requires additional safeguards (standard contractual clauses) following Privacy Shield invalidation.
• Subcontracting agreement (DPA) with every provider processing personal data on your behalf
• Subcontractor register: list all tools and services that access your users’ data

Common tools and their compliance:

Tool	Hosting	GDPR compliance
Google Analytics (GA4)	United States	Problematic (US transfers)
Plausible Analytics	EU	Compliant (no cookies)
Matomo (self-hosted)	Your server	Compliant
Mailchimp	United States	DPA available, US transfers
Brevo (ex-Sendinblue)	France	Compliant
Google Fonts (CDN)	United States	Problematic (IP leak)
Google Fonts (local)	Your server	Compliant

6. Data security

GDPR requires implementing appropriate security measures:

• HTTPS mandatory: SSL/TLS certificate across the entire site
• Hashed passwords: never stored in clear text in the database
• Regular updates: CMS, plugins, dependencies
• Encrypted backups: regular and tested
• Limited access: only authorised people access personal data
• Access logging: traceability of who accesses what

7. User rights

You must be able to respond to rights exercise requests within one month:

• Right of access: provide a copy of all data held on a person
• Right to rectification: correct inaccurate data
• Right to erasure (right to be forgotten): delete data on request (except legal retention obligations)
• Right to portability: provide data in a structured, machine-readable format
• Right to object: allow opposition to processing based on legitimate interest
• Right to restriction: freeze processing in certain circumstances

Practical tip: create a dedicated email address (e.g. gdpr@yourcompany.com) and document your request handling procedure.

The processing register

If your company has over 250 employees, or if you regularly process sensitive data, you must maintain a processing activity register. In practice, the CNIL recommends any company maintain it. It must contain:

• The data controller’s name and contact details
• The purposes of each processing
• Categories of data and people concerned
• Data recipients
• Retention periods
• Security measures

The CNIL provides a free template on its website.

The DPO: is it mandatory?

Appointing a Data Protection Officer (DPO) is mandatory if:

• You’re a public body
• Your main activity involves regular and systematic large-scale monitoring of individuals
• You process sensitive data on a large scale

For SMBs, a DPO is generally not mandatory, but it’s strongly recommended to appoint an internal GDPR compliance referent.

Recent CNIL sanction examples

The CNIL doesn’t only sanction tech giants. Some telling examples:

• Doctissimo: €380,000 for excessive retention periods and non-compliant transfers
• A private doctor: €10,000 for transmitting patient data to a provider without sufficient safeguards
• An e-commerce SMB: €15,000 for lacking a compliant cookie banner and excessive customer data retention
• CRITEO: €40 million for lack of consent in ad targeting

Fine amounts are proportional to revenue and breach severity. Even a small fine comes with a public formal notice that harms reputation.

5-step action plan

1. Audit your site: use Cookiebot Scanner or a CNIL report to identify active cookies and trackers.
2. Set up a compliant cookie banner: Tarteaucitron.js (open source, French) or Axeptio are good options.
3. Write/update your legal notices and privacy policy.
4. Audit your forms: check data minimisation and information notices.
5. Document: create your processing register and rights management procedure.

The Amana approach: native compliance

At Amana Web Agency, GDPR compliance is integrated from the design of every project:

• Sovereign hosting in France: your data and your users’ data stays on French soil
• No US tools by default: no CDN Google Fonts, no Google Analytics, no uncontrolled third-party trackers
• Compliant cookie banner integrated and configured according to the latest regulator requirements
• Privacy policy and legal notices written and adapted to your business
• Respectful analytics: we use compliant solutions that don’t require consent (no cookies, no personal data)

Digital sovereignty and privacy respect aren’t options at Amana — they’re our DNA.

Conclusion

GDPR compliance isn’t a one-time project, it’s a continuous process. But the foundations can be put in place quickly with this checklist. Don’t let the apparent complexity of the regulation paralyse you: start with the most critical points (cookies, privacy policy, forms) and progress gradually.

Your site isn’t compliant and you don’t know where to start? Contact us for a free GDPR audit of your site. We’ll identify non-compliances and propose a clear, prioritised action plan.