Back to articles
GDPR Website Checklist: 15 Essential Points
GDPR Checklist Cookies Compliance Complio

GDPR Website Checklist: 15 Essential Points

DPLIANCESovereign Data & AI solutions provider
11 min read

GDPR website checklist: the 15 points to verify for compliance

Is your website GDPR-compliant? The question seems simple. The answer is less so. Between cookies, third-party scripts, forms, legal pages and security headers, the checkpoints are numerous and technical. In 2024, EU-wide GDPR fines totalled 1.2 billion euros (DLA Piper study). Data protection authorities across Europe are increasingly active, and SMEs are increasingly targeted by DPAs across all EU member states.

This GDPR website checklist details the 15 concrete points you need to verify. Each of these points is automatically checked by Complio, the GDPR website audit tool developed by DPLIANCE.

Cookies are the leading cause of GDPR sanctions. Data protection authorities across Europe have published detailed guidelines setting the rules (see for example the CNIL cookie guidelines or the EDPB’s guidance on consent). Here are the five points to check.

Obligation: any website that deposits non-essential cookies must obtain prior consent from the user via a consent banner, also called a CMP (Consent Management Platform).

What DPAs check: the effective presence of a banner on first page load, before any navigation.

What Complio does: the Pixtral multimodal LLM visually analyses each crawled page to detect the presence of a consent banner, exactly as a data protection authority inspector would when visiting your site.

2. “Reject” button as visible as “Accept”

Obligation: data protection authorities require that users can refuse cookies as easily as they accept them. A “Reject” button in light grey text when “Accept” is in bright green constitutes a violation (source: CNIL).

What DPAs check: the visual and functional equivalence of acceptance and refusal options. A “Reject” button leading to a complex settings page is not compliant.

What Complio does: the visual analysis by Pixtral evaluates banner compliance, including the relative visibility of accept and reject buttons.

Obligation: no cookies with non-essential purposes (analytics, advertising, marketing, social media) may be deposited before the user has given explicit consent. This is a fundamental principle of the ePrivacy Directive and GDPR.

What DPAs check: authorities like the CNIL (France) and AEPD (Spain) use automated tools that load pages and record cookies deposited before any interaction with the banner.

What Complio does: Complio records cookies deposited immediately on page load, before any CMP interaction. Non-essential cookies detected at this stage are flagged as non-compliant.

4. Effective enforcement of refusal

Obligation: when a user clicks “Reject” or closes the banner without interacting, no non-essential cookies should be deposited. Refusal must be technically respected, not merely displayed.

What DPAs check: in 2025, the CNIL (France) sanctioned 21 organisations for violations including “failure to effectively enforce user refusal or withdrawal of consent” (source: CNIL, 2025 review). Other European DPAs enforce the same principle.

What Complio does: Complio measures cookies after initial load (without consent) and after acceptance, enabling detection of cookies deposited without consent.

5. Clear information about purposes

Obligation: the banner must clearly present cookie purposes: audience measurement, targeted advertising, personalisation, social media sharing. Users must be able to give consent by purpose (source: CNIL, consolidated cookie recommendation).

What DPAs check: the clarity and completeness of information presented in the banner.

What Complio does: the AI-powered CMP analysis evaluates the presence of purpose information in the consent banner.

Third-party scripts and data transfers (points 6 to 8)

Each third-party script loaded on your site is a potential data transfer to a remote server, sometimes located outside the European Union.

6. Third-party script inventory

Obligation: the data controller must know and document all processors that handle personal data on their behalf (Article 28 GDPR). Each third-party script loaded on your site (Google Analytics, Facebook Pixel, Hotjar, Intercom, Google Fonts, etc.) potentially constitutes such processing.

What DPAs check: consistency between loaded scripts, deposited cookies, and information declared in the cookie policy.

What Complio does: Complio identifies each third-party script loaded on crawled pages, with its source domain and publisher when identifiable.

Obligation: any transfer of personal data to a third country must be covered by an appropriate legal basis: adequacy decision, standard contractual clauses, or explicit consent (Articles 44 to 49 GDPR). Several European DPAs, including the CNIL, issued formal notices to site operators for using Google Analytics due to unlawful transfers to the United States (source: CNIL).

What Complio does: for each detected third-party script, Complio flags domains whose servers are located outside the European Union, enabling identification of transfers that need legal framework.

8. Classification of detected cookies

Obligation: each cookie must be documented: name, publisher, purpose, retention period. This information must appear in the cookie policy and be accessible from the consent banner.

What Complio does: detected cookies are automatically classified using the Open Cookie Database: name, publisher, purpose (essential, analytics, marketing, functional), retention period. Unrecognised cookies are flagged for manual investigation.

Forms and data collection (points 9 and 10)

Each form is a personal data collection point subject to GDPR obligations.

9. Information notice on each form

Obligation: Article 13 of the GDPR requires informing individuals at the time their data is collected. For each form (contact, newsletter, quote, registration, comment), a notice must indicate: the identity of the data controller, the purpose, legal basis, recipients, retention period and the individual’s rights (source: CNIL).

What DPAs check: the presence of an accessible information notice near each form, or a link to the privacy policy.

What Complio does: Complio detects forms on each crawled page, identifies personal data fields collected (name, email, phone, address, message) and checks for the presence of an information notice or a link to the privacy policy.

10. Data minimisation

Obligation: Article 5 of the GDPR imposes the minimisation principle: collect only data strictly necessary for the declared purpose. A contact form does not need date of birth, postal address or phone number if responses are sent by email.

What Complio does: by listing personal data fields on each form, the report enables visual identification of potentially excessive fields relative to the form’s purpose.

Three pages are mandatory on any professional website. Their absence is a direct and easily verifiable violation.

Obligation: Article 6 of the LCEN law (French law for trust in the digital economy) requires every professional website publisher to display legal notices identifying: the name or company name, registered office address, phone number or email, registration number (RCS, SIRET), the name and contact details of the hosting provider, the name of the publication director.

Penalty for absence: up to 75,000 euros for sole traders, 375,000 euros for companies (source: francenum.gouv.fr).

What Complio does: Complio checks for the presence of a legal notices page accessible from the site, typically via a footer link.

12. Privacy policy

Obligation: Articles 13 and 14 of the GDPR require providing data subjects with comprehensive information about data processing. This generally takes the form of a privacy policy containing 9 mandatory mentions: identity of the data controller, types of data collected, purposes, legal basis, retention period, user rights, security measures, recipients, right to lodge a complaint with your data protection authority (source: leto.legal).

Best practice: the privacy policy must be separate from terms and conditions, accessible from every page via a clearly labelled link (“Personal Data”, “Privacy” or “Privacy Policy”).

What Complio does: Complio detects the presence of a privacy policy page accessible from the navigation or site footer.

Obligation: in addition to the consent banner, a page detailing the cookies used, their purposes, retention period and means of refusing or withdrawing consent must be accessible.

What Complio does: Complio checks for the presence of a page or section dedicated to cookies, separate from the general privacy policy.

Technical security (points 14 and 15)

Article 32 of the GDPR requires the data controller to implement appropriate technical and organisational measures to ensure data security. Data protection authorities such as the CNIL have published specific recommendations for website security (source: CNIL).

14. HTTPS on all pages

Obligation: data protection authorities recommend making TLS (version 1.2 or 1.3) mandatory on all site pages (source: CNIL). A form submitted over plain HTTP exposes personal data in transit.

What Complio does: Complio verifies that crawled pages are served over HTTPS and flags any mixed content or insecure redirects.

15. HTTP security headers

Obligation: data protection authorities recommend implementing HTTP security headers to protect users and their data:

  • Strict-Transport-Security (HSTS): forces HTTPS connections
  • X-Content-Type-Options: prevents incorrect MIME type interpretation
  • X-Frame-Options or Content-Security-Policy frame-ancestors: protects against clickjacking
  • Cookie attributes HttpOnly, Secure, SameSite: protects session cookies

What Complio does: the report analyses HTTP headers returned by the server and flags missing security headers, with recommendations for implementation.

Checklist summary

#CheckpointObligationComplio
1Consent banner (CMP) presentePrivacy Directive / GDPRPixtral visual analysis
2”Reject” button as visible as “Accept”GDPR (free consent)Pixtral visual analysis
3No non-essential cookies before consentePrivacy Directive / GDPRPre-interaction cookie scan
4Effective enforcement of refusalGDPR (Article 7)Before/after cookie comparison
5Clear information about purposesGDPR (informed consent)AI-powered CMP analysis
6Third-party script inventoryArticle 28 GDPRAutomatic detection
7EU transfers properly framedArticles 44-49 GDPRNon-EU domain flagging
8Cookies classified and documentedGDPR transparencyOpen Cookie Database
9Information notice on formsArticle 13 GDPRForm + notice detection
10Data minimisationArticle 5 GDPRField inventory
11Legal notices presentLCEN law, Article 6Legal notices page detection
12Complete privacy policyArticles 13-14 GDPRPrivacy page detection
13Cookie policy accessibleePrivacy Directive / GDPRCookie page detection
14HTTPS on all pagesArticle 32 GDPRProtocol verification
15HTTP security headersArticle 32 GDPRServer header analysis

Manually checking these 15 points takes hours

For each point in this checklist, manual verification involves: opening browser developer tools, navigating page by page, examining cookies deposited at different times, reading source code to identify scripts, checking HTTP headers, reading legal pages.

For a 10-page site, expect half a day’s work for an experienced professional. For a consultancy, this is billed between 500 and 1,500 euros minimum, integrated into a broader engagement of 3,000 to 7,000 euros.

Complio checks these 15 points in 10 minutes for 89 euros

Complio crawls up to 15 pages of your site with a Playwright headless browser, analyses each page with Mistral AI, and produces a structured PDF report with a compliance score out of 100 and concrete recommendations.

  • 89 euros excl. VAT (106.80 euros incl. VAT)
  • 10 minutes processing time
  • No account required: payment via Mollie, report by email
  • Score 0-100 calculated on the ratio of compliant items / applicable items

What Complio does not do: application security testing (OWASP), mobile testing, accessibility, and verification that internal practices are actually applied. Complio checks the presence of compliance elements on your site, not their organisational application.

FAQ: GDPR website checklist

Is this checklist exhaustive?

This checklist covers the 15 essential technical and legal points that a GDPR website audit should verify. It does not cover the organisation’s overall compliance (records of processing activities, processor contracts, rights management procedures, DPIAs). For full GDPR compliance, guidance from a DPO or specialist consultancy remains necessary as a complement.

My site has no cookies. Am I still concerned?

Yes. Even without cookies, your site is subject to GDPR obligations as soon as it collects personal data via a form. Legal notices are mandatory for any professional website (LCEN law). A privacy policy is required as soon as personal data is processed. Security headers remain a best practice under Article 32 of the GDPR.

How many points must I pass to be compliant?

There is no official threshold. Each point corresponds to a legal obligation or regulatory recommendation. A single violation can be enough to trigger a sanction. Data protection authorities primarily target cookies (points 1 to 5), but missing legal notices (point 11) and absent privacy policies (point 12) are also frequently sanctioned.

How often should this verification be repeated?

After each significant site modification (form addition, CMP change, new third-party tool integration, visual redesign). As routine, a quarterly audit is a reasonable frequency. At 89 euros per audit with Complio, the annual cost (356 euros) is less than the hourly rate of a GDPR consultant.

Does Complio really check all 15 points?

Complio covers all 15 points listed in this checklist via its Playwright crawl, Mistral/Pixtral AI analysis, and Open Cookie Database. The PDF report details results for each category: cookies, CMP, third-party scripts, forms, legal pages and security headers. Points where human review is recommended (data minimisation, legal page content) are noted in the recommendations.

Move from checklist to action

You have the list. You can spend half a day checking each point manually. Or you can let Complio do it in 10 minutes for 89 euros, with a structured PDF report and a compliance score.

Better to know before your data protection authority does.

Launch my GDPR audit with Complio