GDPR Website Checklist: 15 Essential Points
Is your website GDPR-compliant? The question seems simple. The answer is less so. Between cookies, third-party scripts, forms, legal pages and security headers, the checkpoints are numerous and technical. In 2025, the CNIL (French DPA) issued 83 sanctions totalling 486.8 million euros, including 21 for cookie-related violations (source: CNIL, 2025 review). Over 60% of these sanctions targeted SMEs.
This GDPR website checklist details the 15 concrete points you need to verify. Each of these points is automatically checked by Complio, the GDPR website audit tool developed by DPLIANCE.
Cookie banner and consent (points 1 to 5)
Cookies were the leading cause of CNIL sanctions in 2025. The CNIL has published guidelines and a consolidated recommendation setting out the rules (source: CNIL, cookie guidelines). Here are the five points to check.
1. Presence of a consent banner (CMP)
Obligation: any website that deposits non-essential cookies must obtain prior consent from the user via a consent banner, also called a CMP (Consent Management Platform).
What the CNIL checks: the effective presence of a banner on first page load, before any navigation.
What Complio does: the Pixtral multimodal LLM visually analyses each crawled page to detect the presence of a consent banner, exactly as a CNIL inspector would when visiting your site.
2. “Reject” button as visible as “Accept”
Obligation: the CNIL requires that users can refuse cookies as easily as they accept them. A “Reject” button in light grey text when “Accept” is in bright green constitutes a violation (source: CNIL).
What the CNIL checks: the visual and functional equivalence of the acceptance and refusal options. A “Reject” button leading to a complex settings page is not compliant.
What Complio does: the visual analysis by Pixtral evaluates banner compliance, including the relative visibility of accept and reject buttons.
3. No non-essential cookies before consent
Obligation: no cookies with non-essential purposes (analytics, advertising, marketing, social media) may be deposited before the user has given explicit consent. This is the fundamental principle of the CNIL guidelines.
What the CNIL checks: the CNIL uses robots that load pages and record the cookies deposited before any interaction with the banner.
What Complio does: Complio records cookies deposited immediately on page load, before any CMP interaction. Non-essential cookies detected at this stage are flagged as non-compliant.
4. Effective enforcement of refusal
Obligation: when a user clicks “Reject” or closes the banner without interacting, no non-essential cookies should be deposited. Refusal must be technically respected, not merely displayed.
What the CNIL checks: in 2025, 21 organisations were sanctioned for violations including “failure to effectively enforce user refusal or withdrawal of consent” (source: CNIL, 2025 review).
What Complio does: Complio measures cookies after initial load (without consent) and after acceptance, enabling detection of cookies deposited without consent.
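To make the before/after comparison behind points 3 and 4 concrete, here is an added example (not Complio's code) of the audit logic. It assumes a headless browser has already returned the cookie names present at three moments: first load with no banner interaction, after clicking “Reject”, and after clicking “Accept”. The three captures and the purpose map are constructed sample data; the map stands in for a real cookie database.

```python
"""Before/after consent cookie audit (checklist points 3 and 4).

Added example, not Complio's code.  The three captures below are constructed
sample data standing in for the cookie jar a headless browser would return at
three moments: first load with no banner interaction, after clicking
"Reject", and after clicking "Accept".  The purpose map is a constructed
stand-in for a cookie database.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed purpose lookup (hypothetical values, not a real database).
PURPOSES = {
    "PHPSESSID": "essential",       # server session
    "csrftoken": "essential",       # anti-CSRF token
    "cookie_consent": "essential",  # the CMP storing the user's choice
    "_ga": "analytics",
    "_gid": "analytics",
    "_fbp": "marketing",
}


@dataclass(frozen=True)
class Finding:
    point: int      # checklist point the finding relates to (3 or 4)
    cookie: str
    purpose: str    # "analytics", "marketing", ... or "unknown"
    phase: str      # "pre_consent" or "after_reject"


def classify(name: str) -> str:
    """Map a cookie name to a purpose.  Unknown names are not assumed to be
    essential: they come back as "unknown" so a human reviews them."""
    for known, purpose in PURPOSES.items():
        # Some vendors suffix the base name (e.g. "_ga_<id>"); match the prefix.
        if name == known or name.startswith(known + "_"):
            return purpose
    return "unknown"


def audit_consent(pre_consent: set[str], after_reject: set[str]) -> list[Finding]:
    """Point 3: anything non-essential present before any interaction.
    Point 4: anything non-essential still present after an explicit refusal."""
    findings: list[Finding] = []
    for phase, point, names in (("pre_consent", 3, pre_consent),
                                ("after_reject", 4, after_reject)):
        for name in sorted(names):
            purpose = classify(name)
            if purpose != "essential":
                findings.append(Finding(point, name, purpose, phase))
    return findings


def consent_gated(pre_consent: set[str], after_reject: set[str],
                  after_accept: set[str]) -> list[str]:
    """Cookies that appear only once the user has accepted: the behaviour the
    guidelines expect for non-essential cookies."""
    return sorted(after_accept - pre_consent - after_reject)


# Constructed captures from the three crawl moments.
PRE_CONSENT = {"PHPSESSID", "_ga", "_ga_ABC123"}
AFTER_REJECT = {"PHPSESSID", "cookie_consent", "_fbp"}
AFTER_ACCEPT = {"PHPSESSID", "cookie_consent", "_ga", "_ga_ABC123", "_gid", "_fbp"}

if __name__ == "__main__":
    for f in audit_consent(PRE_CONSENT, AFTER_REJECT):
        print(f"point {f.point}: {f.cookie} ({f.purpose}) set during {f.phase}")
    print("gated behind consent:", consent_gated(PRE_CONSENT, AFTER_REJECT, AFTER_ACCEPT))
```

On the constructed captures, the two Google Analytics cookies present on first load are point 3 findings and the Facebook pixel cookie that survives a refusal is a point 4 finding; only `_gid` behaves as the guidelines expect. Unknown cookie names are deliberately reported rather than silently treated as essential.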
5. Clear information about purposes
Obligation: the banner must clearly present cookie purposes: audience measurement, targeted advertising, personalisation, social media sharing. Users must be able to give consent purpose by purpose (source: CNIL, consolidated cookie recommendation).
What the CNIL checks: the clarity and completeness of the information presented in the banner.
What Complio does: the AI-powered CMP analysis evaluates the presence of purpose information in the consent banner.
Third-party scripts and data transfers (points 6 to 8)
Each third-party script loaded on your site is a potential data transfer to a remote server, sometimes located outside the European Union.
6. Third-party script inventory
Obligation: the data controller must know and document all processors that handle personal data on their behalf (Article 28 GDPR). Each third-party script loaded on your site (Google Analytics, Facebook Pixel, Hotjar, Intercom, Google Fonts, etc.) potentially constitutes such processing.
What the CNIL checks: consistency between the scripts loaded, the cookies deposited and the information declared in the cookie policy.
What Complio does: Complio identifies each third-party script loaded on crawled pages, with its source domain and publisher when identifiable.
7. No data transfer outside the EU without legal basis
Obligation: any transfer of personal data to a third country must be covered by an appropriate legal basis: adequacy decision, standard contractual clauses, or explicit consent (Articles 44 to 49 GDPR). The CNIL has issued formal notices to several site operators for using Google Analytics because of unlawful transfers to the United States (source: CNIL).
What Complio does: for each detected third-party script, Complio flags domains whose servers are located outside the European Union, so that transfers needing a legal framework can be identified.
8. Classification of detected cookies
Obligation: each cookie must be documented: name, publisher, purpose, retention period. This information must appear in the cookie policy and be accessible from the consent banner.
What Complio does: detected cookies are automatically classified using the Open Cookie Database: name, publisher, purpose (essential, analytics, marketing, functional), retention period. Unrecognised cookies are flagged for manual investigation.
Forms and data collection (points 9 and 10)
Each form is a personal data collection point subject to GDPR obligations.
9. Information notice on each form
Obligation: Article 13 of the GDPR requires informing individuals at the time their data is collected. For each form (contact, newsletter, quote, registration, comment), a notice must indicate: the identity of the data controller, the purpose, the legal basis, the recipients, the retention period and the individual’s rights (source: CNIL).
What the CNIL checks: the presence of an accessible information notice near each form, or a link to the privacy policy.
What Complio does: Complio detects forms on each crawled page, identifies personal data fields collected (name, email, phone, address, message) and checks for the presence of an information notice or a link to the privacy policy.
10. Data minimisation
Obligation: Article 5 of the GDPR imposes the minimisation principle: collect only data strictly necessary for the declared purpose. A contact form does not need date of birth, postal address or phone number if responses are sent by email.
What Complio does: by listing personal data fields on each form, the report enables visual identification of potentially excessive fields relative to the form’s purpose.
Mandatory legal pages (points 11 to 13)
Three pages are mandatory on any professional website. Their absence is a direct and easily verifiable violation.
11. Legal notices
Obligation: Article 6 of the LCEN law (French law for trust in the digital economy) requires every professional website publisher to display legal notices identifying: the name or company name, registered office address, phone number or email, registration number (RCS, SIRET), the name and contact details of the hosting provider, the name of the publication director.
Penalty for absence: up to 75,000 euros for sole traders, 375,000 euros for companies (source: francenum.gouv.fr).
What Complio does: Complio checks for the presence of a legal notices page accessible from the site, typically via a footer link.
12. Privacy policy
Obligation: Articles 13 and 14 of the GDPR require providing data subjects with comprehensive information about data processing. This generally takes the form of a privacy policy containing 9 mandatory mentions: identity of the data controller, types of data collected, purposes, legal basis, retention period, user rights, security measures, recipients, and the right to lodge a complaint with the CNIL (source: leto.legal).
What the CNIL recommends: the privacy policy must be separate from the terms and conditions and accessible from every page via a clearly labelled link (“Personal Data”, “Privacy” or “Privacy Policy”).
What Complio does: Complio detects the presence of a privacy policy page accessible from the navigation or site footer.
13. Cookie policy
Obligation: in addition to the consent banner, a page detailing the cookies used, their purposes, retention period and means of refusing or withdrawing consent must be accessible.
What Complio does: Complio checks for the presence of a page or section dedicated to cookies, separate from the general privacy policy.
Technical security (points 14 and 15)
Article 32 of the GDPR requires the data controller to implement appropriate technical and organisational measures to ensure data security. The CNIL has published specific recommendations for website security (source: CNIL).
14. HTTPS on all pages
Obligation: the CNIL recommends making TLS (version 1.2 or 1.3) mandatory on all site pages (source: CNIL). A form submitted over plain HTTP exposes personal data in transit.
What Complio does: Complio verifies that crawled pages are served over HTTPS and flags any mixed content or insecure redirects.
15. HTTP security headers
Obligation: the CNIL recommends implementing HTTP security headers to protect users and their data:
- Strict-Transport-Security (HSTS): forces HTTPS connections
- X-Content-Type-Options: prevents incorrect MIME type interpretation
- X-Frame-Options or Content-Security-Policy frame-ancestors: protects against clickjacking
- Cookie attributes HttpOnly, Secure, SameSite: protects session cookies
What Complio does: the report analyses HTTP headers returned by the server and flags missing security headers, with recommendations for implementation.
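The four bullets above can be checked statically against a captured response. The following is an added example, not Complio's code: it parses two constructed responses (one weak, one hardened) and reports one finding per missing or ineffective protection. Details such as requiring a non-zero HSTS `max-age` and checking every `Set-Cookie` header, not only the session cookie, are choices made for this example rather than figures from the page.

```python
"""Static check of the HTTP security headers listed in point 15.

Added example, not Complio's code.  The two responses below are constructed
samples.  The checks implement the four bullets (HSTS, nosniff, framing
protection, cookie attributes); thresholds such as requiring a non-zero HSTS
max-age are an assumption of this example, not a figure from the page.
"""
from __future__ import annotations

import re

# Constructed sample: a server that sets none of the recommended protections.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: ALLOWALL
Set-Cookie: PHPSESSID=abc123; Path=/
Set-Cookie: lang=fr; Path=/; Secure; SameSite=Lax
"""

# Constructed sample: the same response with the headers in place.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
Set-Cookie: PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
"""


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw response into (lower-cased name, value) pairs, keeping
    repeats so that every Set-Cookie header is seen."""
    pairs: list[tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue  # status line and blank lines carry no header
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_security_headers(raw: str) -> list[str]:
    """Return one human-readable finding per missing or ineffective protection."""
    headers = parse_headers(raw)

    def first(name: str) -> str | None:
        return next((v for k, v in headers if k == name), None)

    def every(name: str) -> list[str]:
        return [v for k, v in headers if k == name]

    findings: list[str] = []

    # HSTS: present, and with a max-age that actually pins HTTPS.
    hsts = first("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: Strict-Transport-Security header missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m or int(m.group(1)) == 0:
            findings.append("HSTS: max-age missing or zero, header has no effect")

    # MIME sniffing: the only meaningful value is "nosniff".
    if (first("x-content-type-options") or "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: should be 'nosniff'")

    # Clickjacking: either X-Frame-Options or an enforced CSP frame-ancestors.
    # Only the enforcing CSP header is consulted; a Report-Only policy blocks nothing.
    xfo = (first("x-frame-options") or "").upper()
    csp = (first("content-security-policy") or "").lower()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("Clickjacking: no X-Frame-Options DENY/SAMEORIGIN and no CSP frame-ancestors")

    # Cookie attributes: inspect every Set-Cookie, not just the first one.
    for cookie in every("set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {part.strip().split("=", 1)[0].lower() for part in cookie.split(";")[1:]}
        missing = [a for a in ("Secure", "HttpOnly", "SameSite") if a.lower() not in attrs]
        if missing:
            findings.append(f"Set-Cookie {name}: missing {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_security_headers(raw) or ["no findings"])
```

Run against a live site, the same function would take the headers of each crawled page in turn; a missing HttpOnly on a cookie that client-side script legitimately reads is the kind of finding that then goes to human review rather than being an automatic failure.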
Checklist summary
| # | Checkpoint | Obligation | Complio |
|---|---|---|---|
| 1 | Consent banner (CMP) present | CNIL guidelines | Pixtral visual analysis |
| 2 | “Reject” button as visible as “Accept” | CNIL recommendation | Pixtral visual analysis |
| 3 | No non-essential cookies before consent | ePrivacy Directive / CNIL | Pre-interaction cookie scan |
| 4 | Effective enforcement of refusal | CNIL guidelines | Before/after cookie comparison |
| 5 | Clear information about purposes | CNIL recommendation | AI-powered CMP analysis |
| 6 | Third-party script inventory | Article 28 GDPR | Automatic detection |
| 7 | EU transfers properly framed | Articles 44-49 GDPR | Non-EU domain flagging |
| 8 | Cookies classified and documented | GDPR transparency | Open Cookie Database |
| 9 | Information notice on forms | Article 13 GDPR | Form + notice detection |
| 10 | Data minimisation | Article 5 GDPR | Field inventory |
| 11 | Legal notices present | LCEN law, Article 6 | Legal notices page detection |
| 12 | Complete privacy policy | Articles 13-14 GDPR | Privacy page detection |
| 13 | Cookie policy accessible | CNIL guidelines | Cookie page detection |
| 14 | HTTPS on all pages | Article 32 GDPR / CNIL | Protocol verification |
| 15 | HTTP security headers | Article 32 GDPR / CNIL | Server header analysis |
Manually checking these 15 points takes hours
For each point in this checklist, manual verification involves: opening browser developer tools, navigating page by page, examining cookies deposited at different times, reading source code to identify scripts, checking HTTP headers, reading legal pages.
For a 10-page site, expect half a day’s work for an experienced professional. For a consultancy, this is billed between 500 and 1,500 euros minimum, integrated into a broader engagement of 3,000 to 7,000 euros.
Complio checks these 15 points in 10 minutes for 89 euros
Complio crawls up to 15 pages of your site with a Playwright headless browser, analyses each page with Mistral AI, and produces a structured PDF report with a compliance score out of 100 and concrete recommendations.
- 89 euros excl. VAT (106.80 euros incl. VAT)
- 10 minutes processing time
- No account required: payment via Mollie, report by email
- Score 0-100 calculated on the ratio of compliant items / applicable items
What Complio does not do: application security testing (OWASP), mobile testing, accessibility, and verification that internal practices are actually applied. Complio checks the presence of compliance elements on your site, not their organisational application.
FAQ: GDPR website checklist
Is this checklist exhaustive?
This checklist covers the 15 essential technical and legal points that a GDPR website audit should verify. It does not cover the organisation’s overall compliance (records of processing activities, processor contracts, rights management procedures, DPIAs). For full GDPR compliance, guidance from a DPO or specialist consultancy remains necessary as a complement.
My site has no cookies. Am I still concerned?
Yes. Even without cookies, your site is subject to GDPR obligations as soon as it collects personal data via a form. Legal notices are mandatory for any professional website (LCEN law). A privacy policy is required as soon as personal data is processed. Security headers remain CNIL recommendations under Article 32.
How many points must I pass to be compliant?
There is no official threshold. Each point corresponds to a legal obligation or a CNIL recommendation. A single violation can be enough to trigger a sanction. The CNIL primarily targets cookies (points 1 to 5), but missing legal notices (point 11) and absent privacy policies (point 12) are also frequently sanctioned.
How often should this verification be repeated?
After each significant site modification (form addition, CMP change, new third-party tool integration, visual redesign). As routine, a quarterly audit is a reasonable frequency. At 89 euros per audit with Complio, the annual cost (356 euros) is less than the hourly rate of a GDPR consultant.
Does Complio really check all 15 points?
Complio covers all 15 points listed in this checklist via its Playwright crawl, Mistral/Pixtral AI analysis, and Open Cookie Database. The PDF report details results for each category: cookies, CMP, third-party scripts, forms, legal pages and security headers. Points where human review is recommended (data minimisation, legal page content) are noted in the recommendations.
Move from checklist to action
You have the list. You can spend half a day checking each point manually. Or you can let Complio do it in 10 minutes for 89 euros, with a structured PDF report and a compliance score.
Better to know before the CNIL does.