Website GDPR Audit: The Complete Guide to Checking Your Site’s Compliance
Your website collects personal data. Contact forms, audience measurement cookies, third-party scripts, tracking pixels: every page is a potential inspection point for CNIL (the French data protection authority). In 2025, 83 sanctions were issued for a cumulative amount of 486.8 million euros, of which 21 specifically concerned cookies and trackers (source: CNIL, 2025 report). A website GDPR audit is the only way to know exactly where you stand before CNIL finds out for you.
This guide details what a website GDPR audit covers, the precise points to check, the applicable legal obligations, and how to automate it with Complio for a fraction of a consulting firm’s cost.
Why Conduct a GDPR Audit of Your Website
CNIL Actively Inspects Websites
CNIL no longer waits for complaints. Since 2021, it uses automated tools to scan websites and detect the most common violations: cookies deposited without consent, missing compliant banner, “Refuse” button less visible than “Accept” (source: CNIL).
In 2025, more than 60% of sanctions targeted SMEs. The simplified procedure, established in 2022, allows CNIL to impose fines up to 20,000 euros without a formal hearing (source: vie-publique.fr). In short: even a small business with a showcase site can be sanctioned quickly.
Fine Amounts Are Dissuasive
The two record sanctions of 2025 concern cookies: 325 million euros for Google and 150 million euros for Shein. For French businesses, cookie-related fines reached 750,000 euros in 2025.
Beyond cookies, the general GDPR framework provides for sanctions up to 4% of annual global turnover or 20 million euros (Article 83 of the GDPR).
An Audit Protects Your Business and Your Customers
A website GDPR audit is not an administrative formality. It allows you to:
- Identify vulnerabilities before a CNIL inspection reveals them
- Protect the trust of your users by respecting their data
- Avoid financial penalties that can endanger an SME
- Document your compliance efforts (GDPR accountability principle)
What a Website GDPR Audit Checks
A website GDPR audit focuses on the technical and legal elements visible on the site. Here are the eight essential areas.
1. Cookie Banner and CMP
The first checkpoint is the presence and compliance of the cookie consent banner (CMP, Consent Management Platform). CNIL requires that consent be collected before any non-essential cookie deposit, that the user can refuse as easily as accept (same level, same visibility), that purposes be presented clearly and specifically, and that consent withdrawal be possible at any time.
2. Cookies Deposited Before and After Consent
Having a banner is not enough. You must verify that no non-essential cookies are actually deposited before the user has given consent. Many sites display a banner but deposit Google Analytics, Facebook Pixel, or other trackers upon page load, before any interaction.
A technical audit must scan cookies deposited at two moments: before any interaction with the banner, and after acceptance of consent.
3. Third-Party Scripts and Data Transfers Outside the EU
Each third-party script loaded on your site (analytics, advertising, chat, fonts, CDN) can transfer personal data to servers located outside the European Union. The GDPR strictly governs these transfers (Chapter V, Articles 44 to 49).
4. Forms and Personal Data Collection
Each form on your site (contact, newsletter, quote, registration) collects personal data. Article 13 of the GDPR requires informing the user at the time of collection: purpose, legal basis, retention period, individual rights, data recipients.
5. Mandatory Legal Pages
Three documents must be accessible on any professional website:
- Legal notice (publisher identity, host, publication director)
- Privacy policy (9 mandatory mentions under Articles 13 and 14 of the GDPR)
- Cookie policy (detail of cookies used, purposes, retention periods, means of refusal)
6. Security Headers
CNIL recommends securing websites by implementing HTTP security headers and transport protections: mandatory HTTPS via TLS 1.2 or 1.3, the HttpOnly and Secure attributes on cookies, and protection headers against clickjacking and injections.
7. HTTPS Protocol
Using the HTTPS protocol is not optional. CNIL recommends making TLS mandatory on all pages of the site. A site that transmits form data in plain HTTP exposes users’ personal data.
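The checks in points 6 and 7 can be scripted against the response a crawler records for each page. The following is an added example, not Complio's code: it takes a constructed sample response (URL plus headers, including two Set-Cookie headers) and lists the gaps an auditor would report. The list of expected headers and the sample values are assumptions for the demonstration; a real audit would also record the negotiated TLS version, which a headers-only check cannot see.

```python
"""Audit one captured HTTP response for transport and header protections.

Added example; not the tool's own code. SAMPLE_RESPONSE is constructed to
resemble what a crawler would record for a page. Checks follow the points in
the text: HTTPS on every page, HttpOnly + Secure on cookies, and headers
against clickjacking and injection.
"""
from urllib.parse import urlparse

# Constructed sample: final URL and response headers as a crawler would log them.
SAMPLE_RESPONSE = {
    "url": "https://www.example.test/contact",
    "headers": [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("X-Frame-Options", "DENY"),
        ("Set-Cookie", "PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
        ("Set-Cookie", "remember_me=token456; Path=/; Max-Age=2592000"),
    ],
}

# Headers the audit expects (assumed list), with the threat each one mitigates.
EXPECTED_HEADERS = {
    "strict-transport-security": "keeps later visits on HTTPS",
    "content-security-policy": "limits script injection (XSS)",
    "x-frame-options": "prevents clickjacking",
    "x-content-type-options": "prevents MIME sniffing",
}


def parse_set_cookie(value):
    """Split one Set-Cookie header into (cookie name, {lowercase attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_response(response):
    """Return a list of human-readable findings for one page response."""
    findings = []

    # Point 7: the page itself must be served over HTTPS.
    if urlparse(response["url"]).scheme != "https":
        findings.append("page served over plain HTTP")

    # Point 6: protection headers present?
    present = {name.lower() for name, _ in response["headers"]}
    for header, why in EXPECTED_HEADERS.items():
        if header not in present:
            findings.append(f"missing header {header} ({why})")

    # Point 6: every server-set cookie carries HttpOnly and Secure.
    for name, value in response["headers"]:
        if name.lower() != "set-cookie":
            continue
        cookie_name, attrs = parse_set_cookie(value)
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append(f"cookie {cookie_name} lacks {flag}")
    return findings


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE):
        print("-", finding)
```

Running the sample reports the two missing headers and the two missing attributes on the remember_me cookie; the session cookie passes. Cookies set by JavaScript (typical for analytics tags) never appear in Set-Cookie, so this check complements, and does not replace, the browser-side cookie snapshot taken before and after consent.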
8. Cookie Classification and Identification
All cookies deposited on a site must be identified, classified by purpose (essential, analytical, marketing, functional), and documented.
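Points 2 and 8 together amount to one procedure: take a cookie snapshot before any interaction with the banner, take another after acceptance, classify every cookie by purpose, and flag anything non-essential that was already present in the first snapshot. The following is an added example, not Complio's code. The two snapshots are constructed to look like what a headless browser returns from its cookie store, and the name patterns used for classification are an assumption (a production audit would use a maintained cookie database and mark unmatched cookies for manual documentation).

```python
"""Flag non-essential cookies deposited before consent and build a cookie inventory.

Added example; not the tool's own code. BEFORE and AFTER are constructed
snapshots of the browser cookie store: the first before any click on the
banner, the second after "Accept". Classification patterns are assumptions.
"""
import re

# Assumed classification rules: (regex on cookie name, purpose), first match wins.
RULES = [
    (re.compile(r"^(_ga|_gid|_gat)"), "analytical"),            # Google Analytics
    (re.compile(r"^_fbp$"), "marketing"),                       # Facebook Pixel
    (re.compile(r"^(PHPSESSID|csrftoken|session)$", re.I), "essential"),
    (re.compile(r"consent", re.I), "essential"),                # CMP's own choice record
    (re.compile(r"^(lang|theme)$"), "functional"),
]

# Constructed snapshots: dicts as a browser context would report them.
BEFORE = [
    {"name": "PHPSESSID", "domain": "www.example.test"},
    {"name": "_ga", "domain": ".example.test"},
    {"name": "_gid", "domain": ".example.test"},
]
AFTER = BEFORE + [
    {"name": "cmp_consent", "domain": "www.example.test"},
    {"name": "_fbp", "domain": ".example.test"},
    {"name": "xyz_tracker", "domain": ".thirdparty.test"},
]


def classify(name):
    """Return the purpose of a cookie from its name, or 'unknown' if no rule matches."""
    for pattern, purpose in RULES:
        if pattern.search(name):
            return purpose
    return "unknown"


def audit_consent(before, after):
    """Compare the two snapshots and return violations plus a documented inventory."""
    before_names = {c["name"] for c in before}
    inventory = {}
    for cookie in before + after:
        name = cookie["name"]
        if name in inventory:
            continue  # same cookie seen in both snapshots
        inventory[name] = {
            "purpose": classify(name),
            "domain": cookie["domain"],
            "set_before_consent": name in before_names,
        }
    # Any non-essential cookie present before the user interacted with the banner.
    violations = sorted(
        name for name, info in inventory.items()
        if info["set_before_consent"] and info["purpose"] != "essential"
    )
    # Cookies no rule recognises must be documented by hand in the cookie policy.
    undocumented = sorted(
        name for name, info in inventory.items() if info["purpose"] == "unknown"
    )
    return {
        "before_consent_violations": violations,
        "undocumented": undocumented,
        "inventory": inventory,
    }


if __name__ == "__main__":
    result = audit_consent(BEFORE, AFTER)
    print("deposited before consent:", result["before_consent_violations"])
    print("needs manual documentation:", result["undocumented"])
    for name, info in result["inventory"].items():
        print(f"  {name:12} {info['purpose']:11} {info['domain']}")
```

On the sample, _ga and _gid are reported as violations because they are analytical cookies already present before any interaction, while _fbp only appears after acceptance and passes this check; xyz_tracker matches no rule and goes to the manual documentation list. The same two-snapshot logic is what a headless-browser run feeds: dump the cookie store, click the banner, dump it again.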
Three Approaches to Conducting a Website GDPR Audit
Manual Audit by a Consulting Firm
A specialized firm (outsourced DPO, GDPR lawyer, consulting firm) conducts a comprehensive audit covering both the website and the company’s organizational processes. Cost: between 3,000 and 7,000 euros for an SME, up to 15,000 euros and more for a larger company. Timeline: 3 to 6 working days, i.e., 3 to 6 calendar weeks with back and forth.
Free and Basic Tools
Several online tools offer partial checks: Cookiebot compliance test (free scan limited to cookies), rgpdkit.fr (basic self-checklist), MonAuditRGPD.fr (declarative self-assessment questionnaire). These tools exist but do not actually crawl your site, do not detect third-party scripts, do not check forms, and do not produce an actionable report.
Automated Audit with Complio
Complio is an automated website GDPR audit tool developed by DPLIANCE. Powered by Mistral AI, it crawls up to 15 pages of your site (depth 2) with a headless Playwright browser, so it sees the site exactly as a real user would.
What Complio detects:
- Cookies deposited before and after consent
- CMP presence and compliance (via visual analysis by Pixtral LLM)
- Third-party scripts loaded on each page
- Forms and personal data fields collected
- Presence of legal pages
- HTTP security headers
- Data transfers outside the European Union
What you receive: A structured PDF report including an executive summary, detail for each analyzed page, a compliance score out of 100, and concrete recommendations generated by Mistral AI.
Terms: 89 euros excl. tax per audit (106.80 euros incl. tax). Results in approximately 10 minutes. No account needed: secure payment via Mollie, report sent by email.
What Complio Does Not Do
Transparency matters, so here is what Complio does not do:
- Application security tests (OWASP, pentest)
- Mobile compatibility or accessibility tests
- Verification that internal practices are actually applied (it checks that documents are present, not that they are effectively applied)
- Organizational audit (processing records, internal procedures, subcontractor contracts)
For a complete organizational audit, a consulting firm remains necessary. Complio covers the technical web portion visible on the site, the one that CNIL can inspect online at any time.
FAQ: Website GDPR Audit
Is a website GDPR audit mandatory?
The GDPR does not explicitly require an “audit” as such. However, Article 24 requires the data controller to implement appropriate measures to demonstrate that processing is compliant (accountability principle). Article 32 requires ensuring data security. In practice, regular auditing is the only way to fulfill these obligations and document your compliance.
How often should a site be audited?
CNIL recommends regular verification, especially after each significant site modification (form addition, CMP change, new script integration). In practice, a quarterly or semi-annual audit is a reasonable rhythm for an active site. At 89 euros per audit with Complio, cost is no longer a barrier.
Is my showcase site without e-commerce affected?
Yes. A simple contact form collects personal data (name, email, message). An audience measurement tool deposits cookies. Legal notices are mandatory for any professional site. Site size or absence of online sales does not exempt from any GDPR obligation.
What are the concrete risks of non-compliance?
CNIL’s simplified procedure allows fines up to 20,000 euros quickly, without a lengthy procedure. The restricted panel can go up to 20 million euros or 4% of global turnover. In 2025, 67 of 83 sanctions were issued via the simplified procedure: CNIL also targets small structures.
Does Complio replace a DPO or a consulting firm?
No. Complio audits the technical and visible aspects of your website. A DPO or firm covers all organizational compliance: processing records, impact analysis, subcontractor contracts, team training. The two approaches are complementary. Complio allows you to quickly secure your site while you structure your overall compliance.
Better to Know Before CNIL Does
CNIL is intensifying its automated inspections and now targets SMEs with the simplified procedure. Every day your site is not compliant is a risk. An automated GDPR audit with Complio takes 10 minutes and costs 89 euros excl. tax. A CNIL inspection can cost a minimum of 20,000 euros, not counting reputational damage.