Stanislav Horváth, Full Stack Developer
February 26, 2026 • 10 min • Level: Beginner
Tags: GDPR, Legal, Web, Cookies

GDPR on Your Website - What You Must Comply With in 2026

Introduction

GDPR has been around since 2018 and plenty of websites still don't have it right. You don't need to be a lawyer to understand what your website needs. This article is a practical guide for website owners - no legal jargon, just concrete steps you need to take.

If you run a website that collects any data from visitors (and that's nearly every website), this concerns you. Fines for GDPR violations can reach up to 20 million euros or 4% of annual turnover. In practice, fines in the Czech Republic range from tens of thousands to millions of CZK, but inspections from the data protection authority are increasing.


📋 GDPR in a Nutshell - What It Means for Your Website

GDPR (General Data Protection Regulation) is a European regulation on personal data protection. Personal data is anything that can identify a specific person - name, email, IP address, cookies, phone number. If you collect any of these on your website, you must follow GDPR rules.

For you as a website owner, it boils down to three things in practice:

⚖️ Legal Basis

You must have a legal basis for processing each piece of personal data. This can be consent (actively checking a checkbox), contract fulfillment (an e-shop order), legitimate interest (security logs), or legal obligation (accounting records).

💬 Transparency

You must inform visitors about what you do with their data. Clearly and accessibly.

🔧 Data Subject Rights

You must allow visitors to manage their data - view, delete, export.

Most data on a regular website falls under consent or legitimate interest.


🍪 Cookie Banner

The cookie banner is the first thing a visitor sees on your website. And unfortunately, it's also where most websites make mistakes. The basic rule is: you can only run analytics and marketing cookies after active consent from the visitor. Technically necessary cookies (login, shopping cart, language preferences) don't need consent.

What does this look like in practice? A proper cookie banner must include:

  • "Accept" button and "Reject" button - both must be equally prominent. No hiding the reject option in gray text.
  • Option to select cookie categories (necessary, analytics, marketing).
  • Link to cookie policy with a detailed description of each cookie.
  • Consent must be easy to withdraw - typically via an icon in the corner of the page.

⚠️ What You Absolutely Must Not Do

  • Pre-checked checkboxes for analytics and marketing cookies.
  • Running Google Analytics or Facebook Pixel before consent is given.
  • Cookie walls - blocking access to content until the person consents.
  • Hiding the "Reject" button somewhere in settings while "Accept All" glows green across the entire screen.

If you want to dive deeper into cookie banners, I have a dedicated article on that.
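The banner rules above (nothing optional on by default, two equal buttons, a category picker, easy withdrawal, no tag firing before consent) as a small consent-gating module. This is an added example, not code from the article or from any banner library; the tag registry, the `load()` stubs and the cookie names `_ga`, `_gid` and `_fbp` are assumptions for illustration.

```javascript
// Consent categories used by the banner described above: "necessary" needs no consent,
// the others are off until the visitor actively grants them (no pre-checked boxes).
const OPTIONAL = ["analytics", "marketing"];

function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false, decidedAt: null };
}

// Turn a banner action into a consent record. "acceptAll" and "rejectAll" are the two
// equally prominent buttons; an object such as { analytics: true } is the category picker.
function recordChoice(choice, now = new Date()) {
  const consent = defaultConsent();
  if (choice === "acceptAll") OPTIONAL.forEach((k) => { consent[k] = true; });
  else if (choice !== "rejectAll") OPTIONAL.forEach((k) => { consent[k] = choice[k] === true; });
  consent.decidedAt = now.toISOString();
  return consent;
}

// Load only the tags whose category is granted. Each tag's load() is injected so the
// logic runs outside a browser; in production it would insert the GA or pixel <script>.
function applyConsent(consent, tags) {
  const loaded = [];
  for (const [name, tag] of Object.entries(tags)) {
    if (tag.category === "necessary" || consent[tag.category] === true) {
      tag.load();
      loaded.push(name);
    }
  }
  return loaded;
}

// Withdrawal via the corner icon: back to the default record, plus the cookies that now
// have to be expired (set with a past Expires date in a real page).
function withdrawConsent(tags) {
  const cookiesToDelete = [];
  for (const tag of Object.values(tags)) {
    if (tag.category !== "necessary") cookiesToDelete.push(...tag.cookies);
  }
  return { consent: defaultConsent(), cookiesToDelete };
}

// Tag registry constructed for this example. Cookie names are assumptions for
// illustration (_ga/_gid are typical Google Analytics names, _fbp a typical pixel name).
const tags = {
  session:   { category: "necessary", cookies: ["sid"], load: () => {} },
  analytics: { category: "analytics", cookies: ["_ga", "_gid"], load: () => {} },
  pixel:     { category: "marketing", cookies: ["_fbp"], load: () => {} },
};
```

Persist the record returned by `recordChoice` (for example in a first-party cookie or `localStorage`) and call `applyConsent` on every page load; on the withdrawal icon, call `withdrawConsent` and expire the listed cookies.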

How to set up a cookie bar correctly?


📝 Contact Form

The contact form is one of the most common ways you collect personal data on a website. Name, email, phone, message content - all of these are personal data. And you need a legal basis to process them.

With a contact form, you have two options. Either use legitimate interest (the visitor contacts you voluntarily, expects a response), or request explicit consent via a checkbox. In practice, using a consent checkbox is safer because legitimate interest is harder to defend if you use the data for other purposes too.

A properly set up contact form should include:

  • Consent checkbox (must not be pre-checked): "I agree to the processing of personal data for the purpose of handling my inquiry. More information in the Privacy Policy."
  • Link to the privacy policy directly next to the form.
  • Information about data retention - e.g., "Your data will be deleted within 6 months of handling your inquiry."

⚠️ Watch Out for Third Parties

If you use services like Formspree, Netlify Forms, or other third parties, you must disclose this in your privacy policy. And if the service is based outside the EU, you also need to address data transfers to third countries.


📄 Privacy Policy - What It Must Include

Every website that processes personal data must have an accessible privacy policy page. You can't just paste in a generic template from the internet - it must reflect what you actually do on your website.

What must the privacy policy include:

  • Who you are - identification of the data controller (name, company ID, contact, and optionally a data protection officer contact).
  • What data you collect - specific list (name, email, IP address, cookies...).
  • Why you collect it - purpose of processing for each data type (handling inquiries, traffic analysis, marketing...).
  • Legal basis - consent, legitimate interest, contract fulfillment.
  • Who you share data with - list of processors (Google, hosting provider, email service...).
  • How long you retain data - specific time periods, not "for as long as necessary."
  • Visitor rights - right to access, rectification, erasure, portability, objection.
  • How to file a complaint - link to the data protection authority.

The privacy policy must be easily accessible - typically a link in the website footer. I recommend writing it in plain language and paying attention to web accessibility. Legal text full of paragraph references helps no one, and GDPR specifically requires that information be presented clearly and comprehensibly.

💡 Tip

Review your privacy policy once a year and update it. Added a new analytics tool to your site? Started using a different emailing service? All of that must be in the policy.


📧 Newsletter and Email Marketing - Rules for Collecting Emails

Collecting emails for a newsletter is an area where mistakes happen very often. The basic rule: to send marketing emails, you need freely given, specific, informed, and unambiguous consent. In practice, this means:

  • Double opt-in - after entering their email, the person receives a confirmation email with a link. Only after clicking it are they subscribed. This isn't strictly required by law, but it's the best way to prove that consent was actually given.
  • Separate consent - newsletter consent must not be bundled with terms of service consent. It must be a separate checkbox.
  • Easy unsubscribe - every email must include an unsubscribe link. And unsubscribing must work immediately, not "within 30 days."

⚠️ What You Absolutely Must Not Do

  • Add everyone who sends an inquiry through your contact form to the newsletter.
  • Buy email databases and send to them.
  • Pre-check the "I want to subscribe to the newsletter" checkbox in an order form.
  • Hide newsletter unsubscribe behind account login or a complicated process.

Remember that you must be able to prove when and how a person gave consent. Save the date, time, IP address, the exact wording of the consent, and how it was given. If the data protection authority comes knocking, they'll want to see evidence.


📊 Google Analytics and GDPR - How to Handle It


Google Analytics is probably the most widely used analytics tool and also one of the most problematic from a GDPR perspective. While Google Analytics 4 added IP anonymization and shorter data retention options, there's still a fundamental problem - data is transferred to Google's servers in the USA.

What this means for you in practice:

  • Google Analytics requires consent from the visitor. You must not run it before consent is given via the cookie banner.
  • You must have a Data Processing Agreement with Google. You set this up in Google Analytics admin.
  • Your privacy policy must state that you use Google Analytics, what data you collect, and that it's transferred to the USA.
  • I recommend setting data retention to the minimum (2 months) and enabling IP anonymization.

If you want the path of least resistance, consider GDPR-friendlier alternatives. Plausible, Fathom, or Umami are analytics tools that don't use cookies, don't collect personal data, and store data in the EU. With these tools, you don't even need cookie consent because they don't fall under cookie regulations.

Other popular tools - Hotjar or Microsoft Clarity (session recording, heatmaps) - also require consent. Recording visitor behavior is personal data processing and you can't do it without consent.


🚨 Most Common Mistakes Websites Make

Over years of working with websites, I've seen plenty of recurring mistakes. Here are the most common ones:

🔴 Analytics Cookies Before Consent

Open your website in an incognito window and check DevTools (Application tab - Cookies). If you see cookies from Google Analytics or Facebook before clicking "Accept," you have a problem.
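The same DevTools check, automated: read `document.cookie` before any consent and flag tracker cookies whose category was never granted. Added example, not from the article; the cookie-name patterns for Google Analytics and the Facebook Pixel are assumptions to adjust to what you actually observe, and the sample cookie string is constructed.

```javascript
// Cookie names the trackers named above typically set (assumption for illustration;
// replace with the names you actually observe in DevTools).
const TRACKER_PATTERNS = {
  analytics: [/^_ga$/, /^_ga_/, /^_gid$/],
  marketing: [/^_fbp$/, /^_fbc$/],
};

// Parse a document.cookie string ("a=1; b=2") into the cookie names it contains.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((part) => part.trim().split("=")[0])
    .filter((name) => name.length > 0);
}

// Return every tracker cookie that is present although its category was not consented to.
// An empty result before the visitor clicks "Accept" is what you want to see.
function auditCookies(cookieString, consent) {
  const findings = [];
  for (const name of cookieNames(cookieString)) {
    for (const [category, patterns] of Object.entries(TRACKER_PATTERNS)) {
      if (consent[category] !== true && patterns.some((re) => re.test(name))) {
        findings.push({ name, category });
      }
    }
  }
  return findings;
}

// Constructed sample: what document.cookie might read before any consent was given.
const SAMPLE_BEFORE_CONSENT = "sid=abc123; _ga=GA1.1.111; _gid=GA1.1.222; _fbp=fb.1.333";
```

In a browser console, `auditCookies(document.cookie, { analytics: false, marketing: false })` run in an incognito window before touching the banner should return an empty array; HttpOnly cookies are invisible to `document.cookie`, so still glance at the DevTools list.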

🔴 Missing Privacy Policy

Some websites don't have a privacy policy at all, others have an outdated version that doesn't match reality. Check it at least once a year.

🔴 Contact Form Without Consent

A form that submits data without any consent or processing information is a GDPR violation.

🔴 Newsletter Without Double Opt-in

Technically not mandatory, but without double opt-in you'll struggle to prove consent was actually given. If someone reports spam, you'll be in a tough spot.

🔴 Third Parties Not Listed in Privacy Policy

Using live chat? A CRM system? An email marketing platform? All these services process your visitors' personal data and must be listed in the policy.

🔴 Missing SSL Certificate

HTTPS isn't a direct GDPR requirement, but the regulation requires "appropriate technical measures" to protect data. A website without HTTPS transmits form data unencrypted. You can get a free SSL certificate via Let's Encrypt and set it up when configuring your domain properly.

🔴 Storing Data Without Time Limits

GDPR requires you to retain data only for as long as necessary. "Forever" is not a valid answer. Set specific time limits and stick to them.



✅ Practical Compliance Checklist

Here's a checklist you can go through to verify your website meets basic GDPR requirements:

🍪 Cookies

  • ⏹️ Cookie banner appears on first visit
  • ⏹️ Analytics and marketing cookies don't fire before consent
  • ⏹️ "Accept" and "Reject" buttons are equally prominent
  • ⏹️ Individual cookie categories can be selected
  • ⏹️ Consent can be easily withdrawn (icon in the corner)
  • ⏹️ Cookie banner includes a link to detailed cookie information

📝 Forms

  • ⏹️ Contact form includes a consent checkbox (not pre-checked)
  • ⏹️ Link to privacy policy is near the form
  • ⏹️ Newsletter form uses double opt-in
  • ⏹️ Newsletter consent is separate from other consents
  • ⏹️ Every newsletter includes an unsubscribe link

📄 Privacy Policy

  • ⏹️ Privacy policy page exists and is accessible from the footer
  • ⏹️ Includes data controller identification (name, company ID, contact)
  • ⏹️ Lists specific types of collected data
  • ⏹️ States processing purposes and legal bases
  • ⏹️ Includes a list of processors (third parties)
  • ⏹️ States specific data retention periods
  • ⏹️ Informs about visitor rights
  • ⏹️ Written in plain language
  • ⏹️ Is up to date (reviewed in the last 12 months)

🔒 Technical Measures

  • ⏹️ Website runs on HTTPS
  • ⏹️ Form data is transmitted encrypted
  • ⏹️ Access to personal data is restricted to authorized persons
  • ⏹️ A procedure exists for data breaches

Conclusion

GDPR isn't a bogeyman - it's a set of rules that protect people's personal data on the internet. For most regular websites, compliance is a matter of a few hours of work - a properly configured cookie banner, up-to-date privacy policy, secured forms, and order in your analytics tools.

The data protection authority is checking more and more, and fines are growing. Plus - properly implemented GDPR builds trust with your customers. People notice whether you handle their data responsibly.

If you're unsure, start with the checklist above. Go through your website point by point and fix what you find. And if you're dealing with more complex cases (e-shop with international customers, processing sensitive data), I recommend consulting a lawyer who specializes in GDPR.


Standa Horváth, Copyright © 2001-2026. Natural person registered in the Trade Licensing Register since 6 March 2015, registered by the Liberec City Authority. IČO: 03866068