Quick answer: Use this 30-point checklist to verify your website's privacy compliance in 2026. It covers GDPR, ePrivacy, cookies, consent banners, security headers, third-party scripts, and the latest EU AI Act requirements. Run a free scan with PrivacyChecker to automate most of these checks.
Cookie & Consent Compliance
| # | Check | Why It Matters | Status |
|---|---|---|---|
| 1 | Cookie consent banner is present | Required under ePrivacy Directive for EU visitors | |
| 2 | No cookies are set before consent | Pre-consent cookies violate GDPR — fines up to €20M | |
| 3 | Banner has a clear "Reject All" button | Required by CNIL, EDPB, and most EU DPAs | |
| 4 | Reject is as easy as Accept (no dark patterns) | Dark patterns are explicitly illegal under DSA | |
| 5 | Cookies are categorized (essential, analytics, marketing) | Users must be able to accept specific categories | |
| 6 | Consent Mode V2 is implemented | Required for Google Ads in EEA since March 2024 — setup guide | |
| 7 | Cookie policy lists all cookies with purposes and durations | Transparency requirement under GDPR Art. 13 | |
Privacy Policy
| # | Check | Why It Matters |
|---|---|---|
| 8 | Privacy policy is accessible from every page | GDPR Art. 12 requires easy access |
| 9 | Policy lists all data processing purposes | GDPR Art. 13(1)(c) |
| 10 | Legal basis stated for each processing activity | GDPR Art. 13(1)(c) |
| 11 | Third-party processors are disclosed | GDPR Art. 13(1)(e-f) |
| 12 | Data retention periods are specified | GDPR Art. 13(2)(a) |
| 13 | Data subject rights are listed (access, erasure, portability) | GDPR Art. 13(2)(b-d) |
| 14 | Contact information for DPO or privacy contact | GDPR Art. 13(1)(a-b) |
| 15 | Cross-border transfers are disclosed with safeguards | GDPR Art. 13(1)(f), Chapter V |
Security
| # | Check | Why It Matters |
|---|---|---|
| 16 | HTTPS enabled with valid SSL certificate | Basic requirement — insecure sites get browser warnings |
| 17 | Security headers configured (CSP, X-Frame-Options, HSTS) | Prevents XSS, clickjacking, and data injection |
| 18 | SPF, DKIM & DMARC configured for email | Prevents email spoofing and phishing |
| 19 | Domain not on any blacklists | Blacklisted domains trigger spam filters and lose trust |
| 20 | SSL certificate is not expiring soon | Expired certs cause trust warnings and service disruptions |
Third-Party Scripts & Trackers
| # | Check | Why It Matters |
|---|---|---|
| 21 | All third-party scripts are inventoried | Hidden trackers are a major GDPR compliance risk |
| 22 | Analytics scripts load only after consent | GA4, Meta Pixel must wait for opt-in |
| 23 | Google Analytics configured with IP anonymization | Required by most EU DPAs |
| 24 | No unknown or suspicious external connections | Malicious scripts can exfiltrate user data |
| 25 | External scripts use SRI (Subresource Integrity) | Prevents supply chain attacks via tampered CDN files |
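Items 17 and 25 can be checked mechanically. The following is an added example written for this page, not PrivacyChecker's own scanner: it parses a constructed sample of a page's HTML and response headers, lists third-party scripts that lack an `integrity` plus `crossorigin` attribute, and reports which of the three headers named in item 17 are missing. The sample HTML, the hostnames and the header values are constructed for illustration.

```python
"""Audit response headers (item 17) and third-party script SRI (item 25)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Headers the checklist names in item 17, compared case-insensitively
REQUIRED_HEADERS = ("content-security-policy", "strict-transport-security", "x-frame-options")


class _ScriptCollector(HTMLParser):
    """Collect the attributes of every <script src=...> tag in the page."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)          # valueless attributes (e.g. bare crossorigin) map to None
            if a.get("src"):
                self.scripts.append(a)


def external_scripts_missing_sri(html, site_host):
    """Return src URLs of cross-origin scripts that cannot be integrity-checked by the browser.
    A script is external when its host differs from site_host; it passes only with a
    non-empty integrity attribute and a crossorigin attribute (required for SRI on cross-origin loads)."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        host = urlparse(attrs["src"]).hostname
        if host is None or host == site_host:
            continue                 # relative or same-origin script: SRI is optional here
        if not attrs.get("integrity") or "crossorigin" not in attrs:
            findings.append(attrs["src"])
    return findings


def missing_security_headers(headers):
    """Return the item-17 headers absent from a response-header dict."""
    present = {name.lower() for name in headers}
    return [h for h in REQUIRED_HEADERS if h not in present]


# Constructed sample input (hostnames use .invalid; the integrity value is a placeholder)
SAMPLE_HTML = """<html><head>
<script src="https://cdn.analytics.invalid/tag.js"></script>
<script src="https://cdn.library.invalid/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>
</head><body></body></html>"""
SAMPLE_HEADERS = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=31536000"}

if __name__ == "__main__":
    print("scripts without SRI:", external_scripts_missing_sri(SAMPLE_HTML, "www.example.com"))
    print("missing headers:", missing_security_headers(SAMPLE_HEADERS))
```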
AI & Emerging Requirements
| # | Check | Why It Matters |
|---|---|---|
| 26 | AI usage disclosed in privacy policy | EU AI Act transparency obligation (effective Aug 2025) |
| 27 | AI-generated content is labelled | Required under EU AI Act Art. 50 |
| 28 | Accessibility meets WCAG 2.1 AA | European Accessibility Act applies from June 2025 |
| 29 | Core Web Vitals pass (LCP, FID, CLS) | Google ranking factor + third-party scripts impact |
| 30 | Automated compliance monitoring is active | Compliance drifts — a one-time audit is not enough |
How to Use This Checklist
- Scan first: Run a free PrivacyChecker scan to automatically check items 1-25
- Fix critical issues: No-consent cookies and missing privacy policies are the highest-risk violations
- Document compliance: Keep evidence of your checks for accountability (GDPR Art. 5(2))
- Re-scan monthly: Websites change — new plugins, scripts, and updates can introduce new compliance gaps
Frequently Asked Questions
How often should I check my website's privacy compliance?
At minimum, monthly. Every time you add a new plugin, script, or third-party integration, your compliance posture changes. Automated monitoring tools like PrivacyChecker can alert you to new issues as they appear.
What's the fastest way to check all 30 items?
A PrivacyChecker scan automatically verifies most technical checks (cookies, headers, scripts, SSL) in under 60 seconds. The remaining items (privacy policy content, AI disclosure) require manual review against the checklist above.
My website passed all checks. Am I fully GDPR compliant?
This checklist covers website-side compliance. Full GDPR compliance also includes organizational measures: staff training, data processing records, DPAs with vendors, DSAR procedures, and breach response plans.