GDPR at a Glance
The General Data Protection Regulation (GDPR) is Regulation (EU) 2016/679 of the European Parliament and of the Council. It took effect on 25 May 2018, replacing the 1995 Data Protection Directive, and it applies directly in all EU member states without requiring separate national legislation. The regulation also extends to the European Economic Area (EEA), which includes Iceland, Liechtenstein, and Norway. The United Kingdom adopted its own near-identical version, the UK GDPR, after Brexit.
At its core, the GDPR gives individuals stronger control over their personal data. For website owners, it dictates how you collect, store, process, and share information about your visitors - from names and email addresses to IP addresses and cookie identifiers.
Enforcement is real, and the numbers are large. By early 2025, data protection authorities across Europe had issued over 2,200 fines totalling approximately EUR 5.88 billion. The single largest penalty remains the EUR 1.2 billion fine imposed on Meta Platforms by the Irish Data Protection Commission (DPC) in 2023, for transferring EU user data to the United States without adequate safeguards. That figure alone accounts for roughly a fifth of all GDPR fines ever levied.
Does the GDPR Apply to Your Website?
This is the question most site owners outside Europe ask first. The answer usually comes down to Article 3 of the GDPR, which defines the regulation's territorial scope through two tests.
The first test is establishment. If your organisation has any presence in the EU or EEA - an office, a subsidiary, even a single employee - the GDPR applies to all personal data processing carried out in the context of that establishment's activities, regardless of where the actual processing takes place.
The second test catches everyone else. If you are not established in the EU but your website offers goods or services to people in the EU, or monitors the behaviour of people in the EU, the GDPR still applies. Monitoring behaviour includes tracking visitors with cookies, running analytics tools, or building user profiles. An online shop based in Texas that ships to Germany, a SaaS platform with EU subscribers, a blog running Google Analytics on visitors from France - all of these fall within scope.
The EDPB has clarified that the regulation protects individuals who are physically in the EU at the time of processing, regardless of their citizenship. A Brazilian tourist browsing your site while visiting Rome is protected. An EU citizen living permanently in the United States is not.
Practical Indicators of Targeting
Regulators look at specific signals to decide whether a non-EU website is targeting EU users. Accepting payments in euros, offering content in EU languages beyond English, referencing EU delivery regions, or mentioning EU-specific legal terms - these all suggest intent. Running a .de or .fr domain is an obvious flag.
Even without these signals, if your site sets cookies that track behaviour or loads third-party scripts such as the Meta Pixel or Google Analytics tags that collect data from EU visitors, you may be caught by the monitoring criterion.
The Seven Principles Behind the GDPR
Article 5 of the GDPR sets out seven principles that govern all personal data processing. Every decision you make about cookies, forms, analytics, and data storage should trace back to at least one of these.
| Principle | What It Means for Your Website |
|---|---|
| Lawfulness, fairness, and transparency | You need a valid legal basis (usually consent) for processing, and you must explain what you do with data in plain language. |
| Purpose limitation | Collect data only for specified purposes. If you ask for an email to send a receipt, you cannot later use it for marketing without separate consent. |
| Data minimisation | Only collect what you actually need. A newsletter signup does not need a date of birth. |
| Accuracy | Keep personal data up to date and give users a way to correct inaccurate information. |
| Storage limitation | Do not hold data longer than necessary. Define retention periods and stick to them. |
| Integrity and confidentiality | Use appropriate technical measures - encryption, access controls, secure hosting - to protect data. |
| Accountability | You must be able to demonstrate compliance, not just claim it. This means records, policies, and audits. |
The accountability principle is often overlooked by smaller sites. Article 5(2) makes the controller responsible for demonstrating that the other six principles are being followed. In practice, this means maintaining a written record of processing activities (Article 30), keeping logs of consent, and being able to show a regulator exactly what data you hold and why.
Consent, Cookies, and the ePrivacy Directive
The GDPR does not mention cookies by name. Cookie rules come from the ePrivacy Directive (2002/58/EC), specifically Article 5(3), which requires consent before storing or accessing information on a user's device - unless the cookie is strictly necessary to provide a service the user has explicitly requested.
The GDPR steps in to define what valid consent looks like. Under Article 4(11), consent must be freely given, specific, informed, and unambiguous. Article 7 adds further conditions: the controller must be able to prove consent was given, the request must be clearly distinguishable from other matters, and withdrawing consent must be as easy as giving it.
Pre-ticked boxes do not count. Implied consent through continued browsing does not count. The Court of Justice of the EU confirmed both of these points in its 2019 Planet49 ruling (Case C-673/17).
What Counts as a Strictly Necessary Cookie?
Only a narrow set of cookies qualifies for the strictly necessary exemption. Session cookies that keep a user logged in, shopping cart cookies on an e-commerce site, load-balancing cookies, and cookies that remember a user's consent choice itself - these are typically exempt. Analytics cookies like _ga or _gid, advertising cookies like _fbp, and social media widgets are not exempt. They require prior opt-in consent.
Regulators have been explicit about this. The French CNIL published a definitive list of exempt cookie categories following its 2020 guidelines, and enforcement since then has been unrelenting. Between December 2022 and December 2024, the CNIL alone issued combined fines exceeding EUR 139 million specifically for breaches of cookie consent rules. In September 2025, the CNIL imposed its largest cookie-related penalties ever: EUR 325 million against Google and EUR 150 million against Shein, both for setting tracking cookies before obtaining user consent and for deploying misleading consent interfaces.
Rights Your Visitors Have Under the GDPR
The GDPR grants data subjects a set of rights that your website must be prepared to honour. These are not theoretical - regulators expect you to have processes in place, and individuals are increasingly aware of their entitlements.
Right of access (Article 15): A visitor can request a copy of all personal data you hold about them. You have one month to respond.
Right to rectification (Article 16): If data is inaccurate, the individual can ask you to correct it.
Right to erasure (Article 17): Often called the "right to be forgotten." Under certain conditions, a person can demand you delete their data entirely.
Right to data portability (Article 20): Users can request their data in a structured, machine-readable format so they can transfer it to another service.
Right to object (Article 21): Individuals can object to processing based on legitimate interest or for direct marketing purposes. If someone objects to marketing, you must stop immediately - no exceptions, no balancing test.
For most websites, the practical implication is that you need a clear privacy policy explaining these rights, a working contact mechanism (typically an email address or form), and internal procedures to respond within the one-month deadline. If you process large volumes of personal data, appointing a Data Protection Officer (DPO) under Article 37 may be mandatory.
Penalties: What Non-Compliance Actually Costs
The GDPR operates on a two-tier fine structure defined in Article 83. Less severe infringements - such as failing to maintain proper records or not notifying a data breach in time - can result in fines of up to EUR 10 million or 2% of worldwide annual turnover, whichever is higher. More serious violations - unlawful processing, breaching consent rules, ignoring data subject rights - carry fines of up to EUR 20 million or 4% of worldwide annual turnover.
Those headline figures apply to the largest companies, but small and medium businesses are not immune. Spain's data protection authority (AEPD) is the most active enforcer in Europe by volume, having issued over 930 fines since 2018, many of them against small businesses for infractions like sending marketing emails without consent or failing to respond to deletion requests.
Enforcement Is Accelerating
The pace of enforcement has picked up significantly since 2022. According to DLA Piper's annual GDPR survey, regulators across Europe issued an aggregate of EUR 1.2 billion in fines during 2024 alone. The average number of data breach notifications rose to 363 per day. Ireland's DPC has emerged as the dominant enforcer by fine value, having imposed over EUR 3.5 billion since 2018 - more than four times the amount levied by the second-placed Luxembourg authority.
A particularly notable trend is the push towards personal accountability. In 2024, the Dutch DPA announced it was investigating whether it could hold the directors of Clearview AI personally liable for repeated GDPR breaches, following a EUR 30.5 million fine against the company. If this approach gains traction, the consequences of non-compliance could extend beyond the corporate balance sheet.
GDPR and Cookie Banners: Getting It Right
Your cookie banner is not a formality. Regulators in 2025 treat it as a direct, testable measure of your compliance. A banner that sets cookies before the user clicks anything, or one that makes "Reject" harder to find than "Accept," is a violation waiting to be discovered.
The CNIL has been particularly aggressive on dark patterns in consent interfaces. In December 2024, it issued formal notices to multiple website publishers whose banners used manipulative design - oversized accept buttons, hidden reject options, confusing toggle arrangements. In November 2025, it fined Les Publications Conde Nast EUR 750,000 for cookies that continued to be set on the Vanity Fair France website even after users clicked "Refuse all."
What a Compliant Cookie Banner Looks Like
A GDPR-compliant cookie banner needs to meet several requirements simultaneously. It must appear before any non-essential cookies are set. It must present "Accept" and "Reject" options with equal visual weight - same size, same colour emphasis, same number of clicks. It must explain, in plain language, what categories of cookies the site uses and for what purposes. And it must allow users to withdraw consent at any time, with immediate effect.
Behind the banner, a consent management platform (CMP) handles the technical work: blocking scripts until consent is given, recording the user's choice with a timestamp, and re-surfacing the banner when consent expires (typically after 6-12 months). Kukie.io's CMP handles this by scanning your site for cookies, categorising them automatically, and blocking non-essential scripts until the visitor makes an active choice. You can start a free scan to see exactly what your site sets before you make any changes.
Google Consent Mode v2 and GDPR
If your site uses Google Analytics 4 or Google Ads, you have likely encountered Google Consent Mode v2. Introduced in late 2023 and enforced from March 2024 under Google's EU User Consent Policy, it adds two new consent parameters - ad_user_data and ad_personalization - alongside the existing analytics_storage and ad_storage signals.
Consent Mode is not a cookie banner. It is an API layer that sits between your CMP and your Google tags. When a user declines consent, Consent Mode adjusts Google tag behaviour accordingly - either blocking data collection entirely (Basic mode) or sending cookieless, anonymised pings for conversion modelling (Advanced mode).
The Advanced mode remains controversial from a privacy perspective. Even without the user's consent, it transmits data such as timestamps, user agent strings, referrer URLs, and ad-click identifiers (GCLID) to Google. Several privacy experts and data protection consultants have raised concerns that this may not align with the ePrivacy Directive's requirement for consent before accessing or storing information on a user's device. If your CMP supports Google Consent Mode v2, the safer approach is to use Basic mode and accept the resulting data gap, unless your DPO or legal counsel advises otherwise.
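As an added example (not code from the article or from Kukie.io), this is the Basic-mode wiring described above: every Consent Mode v2 signal starts denied before any Google tag runs, the CMP's category choice is translated into a consent update, and tag loading is gated on the result. The `dataLayer`/`gtag` shim is Google's standard snippet; `CATEGORY_TO_SIGNALS` and the helper names are assumptions made for this example.

```javascript
// Added example: Google Consent Mode v2 in Basic mode, driven by a CMP's
// category choice. The CATEGORY_TO_SIGNALS mapping and helper names are
// assumptions for this example, not part of any product's API.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// The four Consent Mode v2 signals: the two added in v2 plus the older pair.
const SIGNALS = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

// Which CMP category grants which signals (assumed mapping).
const CATEGORY_TO_SIGNALS = {
  analytics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

// Must run before any Google tag is loaded: every signal starts denied.
function setConsentDefaults() {
  const defaults = Object.fromEntries(SIGNALS.map((s) => [s, 'denied']));
  gtag('consent', 'default', { ...defaults, wait_for_update: 500 });
  return defaults;
}

// Translate the visitor's granted categories into a consent update.
// Anything not explicitly granted stays denied.
function buildConsentUpdate(grantedCategories) {
  const update = Object.fromEntries(SIGNALS.map((s) => [s, 'denied']));
  for (const cat of grantedCategories) {
    for (const s of CATEGORY_TO_SIGNALS[cat] || []) update[s] = 'granted';
  }
  gtag('consent', 'update', update);
  return update;
}

// Basic mode: only inject gtag.js once a storage signal is granted, so no
// cookieless pings leave the browser for visitors who refused.
function shouldLoadGoogleTags(consentState) {
  return consentState.analytics_storage === 'granted' || consentState.ad_storage === 'granted';
}

// Withdrawal (Article 7: as easy as giving consent): deny everything again.
function withdrawConsent() {
  return buildConsentUpdate([]);
}
```

In a real page `setConsentDefaults()` sits in the document head ahead of the tag snippet, and `shouldLoadGoogleTags()` decides whether the CMP injects the gtag.js script at all.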
Beyond Europe: GDPR's Ripple Effect
The GDPR has directly influenced privacy legislation worldwide. Brazil's LGPD, South Africa's POPIA, and Canada's proposed updates to PIPEDA all borrow heavily from the GDPR's structure. In the United States, state-level laws such as the California Consumer Privacy Act (CCPA) and its successor, the CPRA, share core concepts - the right to know, the right to delete, the right to opt out of data sales - though they differ in significant ways, particularly around the opt-in versus opt-out model.
For website owners operating across multiple jurisdictions, this patchwork of regulations means that GDPR compliance is often a practical floor, not a ceiling. A site that meets GDPR requirements for consent, transparency, and data subject rights will typically need only minor adjustments to satisfy CCPA/CPRA, LGPD, or POPIA.
Geo-targeted consent banners help here. Rather than showing the same banner to every visitor, your CMP can detect the user's location and display the appropriate consent mechanism - opt-in for EU visitors, opt-out for California, simplified notice for jurisdictions with less strict requirements. Kukie.io's geo-detection feature handles this automatically, adjusting the banner's behaviour and language based on where the visitor connects from.
A Practical GDPR Compliance Checklist for Website Owners
Compliance does not require a legal department or a six-figure budget. Most websites can reach a reasonable baseline by working through the following steps.
Audit your cookies and trackers. Before you can manage consent, you need to know what your site sets. Run a cookie scan to identify every first-party and third-party cookie, its purpose, its expiry, and which domain sets it. Many sites discover they set 20-40 cookies they did not know about, courtesy of embedded scripts, social widgets, or tag manager configurations inherited from previous developers.
Categorise and document. Group cookies into standard categories: strictly necessary, functional, analytics, and marketing/advertising. Record this information in a cookie policy that is linked from your consent banner.
Implement a CMP. A consent management platform ensures that non-essential cookies are blocked until the visitor opts in. It also records consent with a timestamp and makes it straightforward to prove, during an audit, that your site respects user choices.
Write a clear privacy policy. Your privacy notice must state who you are, what data you collect, your legal basis for processing, how long you retain data, who you share it with, and how individuals can exercise their rights. Article 13 of the GDPR provides a full list of required disclosures.
Set up data subject request handling. You need a process - even if it is just a dedicated email address - for responding to access, deletion, and portability requests within 30 d
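As an added example (not the article's or Kukie.io's code), the audit and categorise steps above combined with the strictly necessary distinction from the cookie section: a first, click-free page load's cookie jar is classified and every non-essential cookie already present is reported as a pre-consent violation. The cookie names, domains and rule tables are constructed for this example; only the `_ga`, `_gid` and `_fbp` classifications come from the article.

```javascript
// Added example: pre-consent cookie audit. Rule tables and sample cookies are
// constructed; only the _ga/_gid/_fbp classifications are from the article.

// Exact names first, then prefixes. Unknown names are flagged for human review
// rather than silently treated as harmless.
const EXACT = {
  sessionid: 'strictly-necessary',      // keeps the user logged in
  cart: 'strictly-necessary',           // shopping cart contents
  cookie_consent: 'strictly-necessary', // remembers the consent choice itself
  _fbp: 'marketing',                    // Meta Pixel browser identifier
};
const PREFIXES = [
  ['_ga', 'analytics'],  // Google Analytics client id (_ga, _ga_<stream>)
  ['_gid', 'analytics'],
];

function categorise(name) {
  if (Object.prototype.hasOwnProperty.call(EXACT, name)) return EXACT[name];
  const hit = PREFIXES.find(([prefix]) => name.startsWith(prefix));
  return hit ? hit[1] : 'unclassified';
}

// cookies: what a crawler saw in the jar on first load, before any click.
// Each entry: { name, domain, maxAgeDays }.
function auditPreConsent(cookies, siteDomain) {
  const report = { ok: [], violations: [], review: [] };
  for (const c of cookies) {
    const category = categorise(c.name);
    const entry = { ...c, category, thirdParty: !c.domain.endsWith(siteDomain) };
    if (category === 'strictly-necessary') report.ok.push(entry);
    else if (category === 'unclassified') report.review.push(entry);
    else report.violations.push(entry); // set before opt-in: ePrivacy Art. 5(3)
  }
  return report;
}

// Constructed sample of a first page load with no interaction.
const SAMPLE = [
  { name: 'sessionid', domain: 'shop.example', maxAgeDays: 0 },
  { name: 'cookie_consent', domain: 'shop.example', maxAgeDays: 180 },
  { name: '_ga', domain: '.shop.example', maxAgeDays: 730 },
  { name: '_ga_ABC123', domain: '.shop.example', maxAgeDays: 730 },
  { name: '_fbp', domain: '.shop.example', maxAgeDays: 90 },
  { name: 'embed_widget_id', domain: 'widget.example', maxAgeDays: 365 },
];
```

Running `auditPreConsent(SAMPLE, 'shop.example')` lists the two exempt cookies as ok, the three Google and Meta cookies as violations, and the unknown third-party widget cookie for review.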