You've surely noticed that for a few years now, pop-up windows have been appearing every time you land on a website. The message is almost always the same: «We use cookies to improve your experience and offer you personalised advertising. Please confirm that you accept our privacy policy.»
Behind these banners lies a regulation that came into effect on 25 May 2018: the General Data Protection Regulation, better known as the GDPR. Eight years later, in 2026, many websites are still not compliant. And this is a real problem, as the sanctions have never been so severe.
What exactly is GDPR?
The GDPR governs how website owners collect and use the personal data of their visitors. It has two main objectives: to make the collection of user consent mandatory, and to guarantee users protection and control over their data.
Personal data is any information that allows an individual to be identified, directly or indirectly: their name, IP address, email address, phone number, geographical data, but also actions carried out on your site (clicks, visits, etc.).
A simple rule to remember: all websites established in European territory or targeting a European audience must comply, without exception. Whether you are a multinational corporation or a sole trader with a brochure website, the rule is the same.
Why you really shouldn't delay in 2026
For a long time, many bet that the CNIL would never check their small website. This is an increasingly risky bet. In 2025, the CNIL imposed 83 sanctions totalling a record €487 million, compared to €55 million in 2024. This explosion is partly explained by two historic sanctions related to cookies: €325 million for Google and €150 million for Shein, penalised notably for cookies placed before any consent.
The most important thing to understand is that it's not just the giants who are being targeted. Thanks to its streamlined procedure, the CNIL is now sanctioning many more companies, including SMEs, much more quickly, for infringements as common as a poorly designed cookie banner. The problem of poorly managed consent is exactly what the majority of French websites are encountering.
The good news is that bringing things into compliance isn't insurmountable. Here are the four pillars to follow.
Test your site's compliance in 2 minutes
Before going any further, take stock. This 10-question quiz assesses the key compliance points of your site and gives you a score with areas to correct.
1. Guarantee complete transparency for your users
It is mandatory to display a clear message regarding cookie usage on your website. You must accurately inform your users about the use of their data on every page where you collect it. This involves up-to-date «Privacy Policy» and «Legal Notice» pages, and a correctly configured cookie management tool.
2. Obtain consent, and be able to prove it
Compliance requires explicit user consent. Your visitors must also have a link to a page detailing exactly how their data is collected and used. Specifically, if your site uses an external service such as Google Analytics, you are obliged to inform users and ask for their agreement.
Above all, it is imperative to keep proof of this consent. As a guideline, consent for cookies is valid for a maximum of 13 months, while no duration is imposed for personal data. But don't get too excited about this lack of a time limit:
Let's imagine one of your users, Thomas, signs up today. You collect his data, but without keeping proof of his consent. Some time later, Thomas complains to the CNIL, who asks you to provide this proof. That would be inconvenient, wouldn't it?
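As an added example (not code from the original article), here is a small consent ledger in JavaScript that applies the two points above: every decision is stored with a timestamp so it can be produced as proof, cookie consent is treated as expired after 13 months, and an analytics tag is only loaded once valid consent for that purpose exists. The in-memory Map, the purpose names and the tracker name are assumptions; a real site would persist the records server-side.

```javascript
// Added example, not from the original article. In-memory storage and the
// purpose names ("analytics", "ads") are assumptions for illustration.
const CONSENT_VALIDITY_MONTHS = 13; // CNIL guideline quoted in the article

class ConsentLedger {
  constructor() {
    this.records = new Map(); // visitorId -> array of consent events
  }

  // Record a decision. `purposes` maps a purpose name to true (given) or false (refused).
  record(visitorId, purposes, at = new Date()) {
    const event = { at: at.toISOString(), purposes: { ...purposes } };
    const list = this.records.get(visitorId) || [];
    list.push(event);
    this.records.set(visitorId, list);
    return event;
  }

  // Most recent decision for this visitor, or null if nothing was ever recorded.
  latest(visitorId) {
    const list = this.records.get(visitorId);
    return list && list.length ? list[list.length - 1] : null;
  }

  // Valid only if consent was explicitly given for this purpose and is younger
  // than 13 months. Day overflow (e.g. 31 Jan + 13 months) is clamped to month end.
  hasValidConsent(visitorId, purpose, now = new Date()) {
    const ev = this.latest(visitorId);
    if (!ev || ev.purposes[purpose] !== true) return false;
    const expiry = new Date(ev.at);
    const day = expiry.getUTCDate();
    expiry.setUTCMonth(expiry.getUTCMonth() + CONSENT_VALIDITY_MONTHS);
    if (expiry.getUTCDate() !== day) expiry.setUTCDate(0);
    return now < expiry;
  }

  // Proof to hand over on request: the complete, timestamped history for one visitor.
  proof(visitorId) {
    return JSON.stringify(this.records.get(visitorId) || []);
  }
}

// Gate a third-party tag: return the tag to load, or null if consent is missing
// or expired, so that no tracking cookie is placed before consent.
function trackerToLoad(ledger, visitorId, now = new Date()) {
  return ledger.hasValidConsent(visitorId, "analytics", now) ? "google-analytics" : null;
}
```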
3. Respect all your users' rights
The GDPR is very clear: the user has rights over their personal data, and woe betide anyone who does not respect them. Your visitors must be able to easily access their data, modify it, delete it, and limit its use. The ideal solution is to implement a system that allows them to request the deletion or export of their data without you having to intervene manually.
4. Ensure total data security
The security of your users' data is non-negotiable. The bare minimum is to switch your site to «https» using an SSL/TLS certificate, which encrypts information in transit between the visitor and your server. This is a standard nowadays, and a site still using «http» sends a very bad signal, both to your visitors and to Google.
Frequently Asked Questions about the GDPR
Is my small showcase website really affected?
Yes. As soon as you collect any personal data (a contact form is enough), you are concerned. The size of your website does not exempt you in any way.
How much does compliance cost?
Far less than a fine. The cost depends on the complexity of your site and the tools to be implemented, but it is a reasonable investment considering the risk incurred and the trust it inspires in your visitors.
Is a simple cookie banner enough?
No. The banner is only one part of compliance. It must be correctly configured (no cookies placed before consent), accompanied by up-to-date legal pages, a consent proof system, and security measures.
I'm not in compliance, where should I start?
The simplest approach is to have your website audited to identify any shortcomings, and then correct them one by one. This is precisely the type of support I offer.
Don't take risks, get compliant.
GDPR compliance is not just a legal obligation: it is also a mark of professionalism that reassures your visitors and protects your business. I can audit your site, identify areas for improvement, and implement the necessary tools (cookie management, consent collection and storage, legal pages, SSL certificate) to give you peace of mind.
Do you want to know if your site is compliant? Let's talk about it together, the first exchange is free and without obligation.
Sources: CNIL, 2025 sanctions report. Figures recorded early 2026.