10 Steps to GDPR Compliant Web Design

25 June 2021
If you are marketing to countries in the European Union (EU), your website must be GDPR compliant. Now, everyone has heard of GDPR (General Data Protection Regulation). But do you understand what it means for your website?

What is GDPR?

GDPR is a set of data privacy laws that apply to the collection of personal data of people who live in the EU. GDPR mandates that visitors to a site must give explicit consent to their personal data being collected. However, the scope of GDPR is broader than most people realize. GDPR is not limited to information like IP address and location. The law also applies to things like racial or ethnic data, political opinions, and sexual orientation.

Does GDPR Apply to Sites Outside the EU?

Any website that collects the personal data of European Union citizens is required to comply with GDPR. So, in theory, even a personal blog maintained in the US must explicitly ask visitors’ permission before collecting any personal data. Indeed, the first company fined under GDPR was a Canadian company. And the Washington Post also received a warning about cookie consent.

What Are the Penalties for Non-Compliance?

The penalties for failing to comply with GDPR can be considerable. Indeed, the size of the fines has led some big US-based websites to prohibit EU visitors from using their sites. The fines levied for non-compliance can be 20 million euros or 4% of a company’s total annual turnover.

How Do You Make a Website GDPR Compliant?

Full GDPR compliance means more than adding a cookie consent pop-up to a website. To be 100% sure that a site complies with the regulations, several steps must be taken. Here’s a rundown of the steps to take to ensure that a site does not fall foul of GDPR.

1. Develop and Publish a Transparent Privacy Policy

The first step to GDPR compliance is to identify the relevant data you will be collecting. Then, you need to develop and publish a privacy statement that lists that data. The privacy statement needs to be clear about what information is stored and how long it will be held. It must also clarify who can view the data, and explain how people can ask for information about them to be removed.

2. Active Opt-Ins Only

Any forms that invite users to share information must actively require opt-in. In other words, users must tick the boxes; the options must not be preselected. This active opt-in rule applies to cookie consent and subscriptions to mailing lists or notifications.

3. Unbundled Opt-Ins

Consent to store personal information must not be bundled with other options. So, you cannot bundle together a user’s acceptance of your terms and conditions with their consent for you to hold their data. This provision relates to the need for a user’s freedom to consent: if a user cannot accept your terms without agreeing to their data being held, they are not free to choose.

4. Granular Opt-Ins

Separate tick boxes must be provided for different types of consent as well. So, suppose you want permission to contact a user by phone and/or email. In that case, each communication method requires a separate confirmation. And, if you will be passing data to third parties, each of those parties must be listed for separate consent.

5. Easy to Opt-Out

It must be as easy for a user to withdraw permission as it was to agree to something. So, for example, there should be an opt-out option at the bottom of all marketing emails. And there should be a link for the same purpose on the website, usually on the privacy policy page.

6. Cookie Consent

Cookie consent cannot be implied or gained by a failure to opt-out. Instead, the user must be specifically asked for their permission to store cookies on their computer. How a website uses cookies should also be detailed in the privacy policy. And even cookies used by anonymous tracking software, like Google Analytics, should be mentioned in the privacy policy.
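The following is an added example, not code from the original post, showing how steps 2 to 6 above translate into a consent form check and a submission handler. The field definitions, purpose names and the "on" checkbox convention are assumptions made for the example.

```javascript
// Added example (not from the original post): a lint pass over a consent form
// definition (rules 2-4) plus a submission handler (rules 5-6). Purpose names
// and the form fields below are constructed for illustration.
// Each consent checkbox should carry exactly one purpose; "terms" is not consent.
const FORM = [
  { name: "terms",            kind: "terms",   checked: false },
  { name: "consent_email",    kind: "consent", purposes: ["email"],  checked: false },
  { name: "consent_phone",    kind: "consent", purposes: ["phone"],  checked: true },  // breaks rule 2
  { name: "consent_partners", kind: "consent", purposes: ["affiliate_a", "affiliate_b"], checked: false }, // breaks rule 4
  { name: "consent_cookies",  kind: "consent", purposes: ["analytics_cookies"], checked: false },
];

// Rules 2-4: nothing preselected, one purpose per box, terms never grant consent.
function lintConsentForm(fields) {
  const problems = [];
  for (const f of fields) {
    if (f.kind === "consent" && f.checked) problems.push(`${f.name}: preselected (rule 2)`);
    if (f.kind === "consent" && f.purposes.length !== 1) problems.push(`${f.name}: bundles ${f.purposes.length} purposes (rule 4)`);
    if (f.kind === "terms" && f.purposes) problems.push(`${f.name}: terms box also grants consent (rule 3)`);
  }
  return problems;
}

// Build a consent record from a submitted form body. Browsers omit unticked
// checkboxes entirely, so a missing field means "not consented", never "yes".
function buildConsentRecord(fields, body, now = Date.now()) {
  const record = { termsAccepted: body.terms === "on", consents: {} };
  for (const f of fields) {
    if (f.kind !== "consent") continue;
    for (const p of f.purposes) record.consents[p] = { granted: body[f.name] === "on", at: now };
  }
  return record;
}

// Rule 5: withdrawing consent is a single call with the same shape as granting it.
function withdrawConsent(record, purpose, now = Date.now()) {
  return { ...record, consents: { ...record.consents, [purpose]: { granted: false, at: now } } };
}

// Rule 6: a cookie tied to a purpose is only set once that purpose was explicitly
// granted; accepting the terms, or not answering, never counts as cookie consent.
function mayUseCookiesFor(record, purpose) {
  const c = record.consents[purpose];
  return Boolean(c && c.granted);
}
```

Run `lintConsentForm(FORM)` at build time to catch preselected or bundled boxes before the form ships, and gate every analytics script load behind `mayUseCookiesFor`.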

7. IP Tracking

The IP (Internet Protocol) address of a computer is personal information under GDPR. So, if a site collects and stores IP addresses, this must be stated in the privacy policy. Some third-party plugins and apps that you have installed on your website may collect IP addresses. For example, some affiliate programs log the IP address of visitors, as do some blog commenting apps, all of which will need to be disclosed in the privacy policy.

8. SSL Certificate

GDPR does not explicitly require an SSL (Secure Sockets Layer) certificate. However, GDPR does state that websites should take appropriate technical measures to ensure the security of personal data. So, serving the site over HTTPS with an SSL certificate helps meet the broader security requirements of the legislation.

9. Data Recorded for Online Payments

Some customer payment details may be stored in your website’s database even if you use a payment gateway. If that is the case, this must be stated in the privacy policy. And the data may only be held for a reasonable amount of time. What is “reasonable” is not defined in GDPR. However, it can be reasonably assumed that data not required for ongoing subscriptions should be deleted after 60-90 days.

10. Named Parties

Every party to whom you pass personal data must be specifically named to be compliant with GDPR. So, it is not sufficient to state that data might be collected by affiliate programs with whom you partner. Each of the affiliate companies must be named in the privacy policy, along with what data they collect.

Conclusion

To sum up, GDPR is all about transparency, security, and choice. Users must know what personal data of theirs is being stored, what it is used for, and how long the information will be held. And they must be allowed to explicitly allow or deny the collection and use of that data. These steps might sound like a big ask for a relatively small site that may or may not be visited by EU citizens. But GDPR compliance is not as onerous as it may first appear if it is designed into the website from the outset. And GDPR compliance is a good practice that will help to inspire trust in a site.