Back to DigiConsent

GDPR Complete Compliance Checklist – Step-by-Step Setup Guide

The General Data Protection Regulation (GDPR) is the European Union’s comprehensive data protection law that fundamentally changed how websites must handle user consent and personal data. Achieving GDPR compliance isn’t optional for websites serving EU visitors—it’s a legal requirement with significant penalties for non-compliance. This comprehensive checklist guides you through every step of configuring DigiConsent to meet GDPR requirements, ensuring your website respects user privacy rights while maintaining necessary functionality.

GDPR compliance goes beyond just showing a cookie banner. It requires explicit consent before tracking, comprehensive consent records, clear communication about data usage, and respect for user rights to withdraw consent. This guide covers all aspects of GDPR-compliant consent management using DigiConsent.

Understanding GDPR Requirements

Before configuring DigiConsent, understanding what GDPR requires helps you make informed decisions.

Core GDPR Principles for Cookies

  • Consent Before Tracking: No non-essential cookies can be set before obtaining explicit consent
  • Opt-in Required: Pre-checked boxes or implied consent don’t meet GDPR standards
  • Granular Choice: Users must be able to accept some cookies while rejecting others
  • Easy Withdrawal: Withdrawing consent must be as easy as giving it
  • Clear Information: Users must understand what they’re consenting to
  • Consent Records: You must maintain proof of consent with timestamps

What Requires Consent

Requires Consent (Non-Essential):

  • Analytics cookies (Google Analytics, Hotjar, Matomo)
  • Marketing and advertising cookies (Facebook Pixel, Google Ads)
  • Social media tracking (Twitter embeds, Facebook widgets)
  • Preference cookies (language selection, UI customization)
  • Any third-party tracking services

Does NOT Require Consent (Essential):

  • Session cookies for logged-in users
  • Shopping cart cookies for e-commerce
  • Security and authentication cookies
  • Load balancing cookies
  • User interface state (dark mode preference without tracking)

If in doubt, require consent. It’s safer to over-protect privacy than risk non-compliance.

GDPR Compliance Checklist

Step 1: Enable Opt-In Consent Mode

GDPR requires explicit opt-in consent. Cookies must NOT load before consent is given.

  1. Navigate to DigiConsent → Settings → General
  2. Find Consent Behavior setting
  3. Select Opt-in (Block cookies until consent)
  4. Save settings

Verification: Clear cookies, visit your site, open DevTools → Application → Cookies. Verify NO analytics or marketing cookies appear before accepting the banner.

GDPR Requirement Met: Article 6(1)(a) – Consent before processing

Step 2: Configure Cookie Categories

Organize all tracking into proper categories to provide granular consent control.

  1. Go to DigiConsent → Settings → Cookie Categories
  2. Necessary Cookies:
    • Keep enabled but users cannot disable (these are essential)
    • Only include truly necessary cookies (session, security, shopping cart)
    • Add clear description explaining why they’re necessary
  3. Analytics Cookies:
    • Enable this category
    • Set Default State: Unchecked (requires opt-in)
    • Add Google Analytics, Hotjar, or other analytics scripts here
    • Write clear description: “Help us understand how visitors use our site to improve user experience”
  4. Marketing Cookies:
    • Enable this category
    • Set Default State: Unchecked
    • Add Facebook Pixel, Google Ads, LinkedIn tags here
    • Description: “Used to show you relevant advertisements based on your interests”
  5. Functional Cookies:
    • Enable if you use chat widgets, embedded videos, maps
    • Set Default State: Unchecked
    • Description: “Enable enhanced features like live chat and embedded content”
  6. Save all category configurations

GDPR Requirement Met: Article 7(2) – Granular consent options

Step 3: Write Clear Banner Text

GDPR requires clear, plain language explaining what users are consenting to.

  1. Go to Settings → General → Banner Text
  2. Pre-Heading: Keep brief (“Cookie Notice” or “Privacy Settings”)
  3. Heading: Clear and direct (“We Value Your Privacy”)
  4. Description: Must explain:
    • That the site uses cookies
    • What types of cookies (analytics, marketing)
    • Why (improving site, showing relevant ads)
    • That they can choose which to accept

Example GDPR-Compliant Description:

“We use cookies to enhance your browsing experience, analyze site traffic, and show personalized advertisements. You can choose which types of cookies to accept. Click ‘Cookie Settings’ to customize your preferences, or ‘Accept All’ to allow all cookies. See our Privacy Policy for details.”

GDPR Requirement Met: Article 12(1) – Clear and plain language

Step 4: Link Privacy Policy

GDPR requires a comprehensive privacy policy accessible from the consent banner.

  1. Ensure you have a privacy policy page that includes:
    • What data you collect
    • Why you collect it (legal basis)
    • How long you retain it
    • Who you share it with (third parties)
    • User rights (access, deletion, portability)
    • How to exercise rights
  2. In DigiConsent → Settings → General
  3. Find Privacy Policy Page dropdown
  4. Select your privacy policy page
  5. Set Privacy Policy Link Text (e.g., “Privacy Policy” or “Learn More”)
  6. Save settings

GDPR Requirement Met: Article 13 – Right to information

Step 5: Configure Button Settings

All three buttons (Accept, Reject, Settings) must be equally prominent under GDPR.

  1. Go to Settings → General → Button Configuration
  2. Show Accept Button: Enable
  3. Show Reject Button: Enable (REQUIRED for GDPR)
  4. Show Settings Button: Enable (allows granular choice)
  5. Configure button text:
    • Accept: “Accept All Cookies”
    • Reject: “Reject All” or “Essential Only”
    • Settings: “Cookie Settings” or “Customize”
  6. Button Styling: Make reject and settings buttons equally visible as accept (no dark patterns)

GDPR Compliance Note: The reject button must be as easy to click as accept. Don’t make it smaller, hidden, or harder to find. This is explicitly required.

GDPR Requirement Met: Article 7(3) – Withdrawal as easy as giving consent

Step 6: Enable Consent Logging

You must maintain records proving you obtained valid consent.

  1. Navigate to Settings → General → Consent Logging
  2. Enable Log Consent Decisions
  3. Set Log Retention Period: GDPR doesn’t specify but 2+ years recommended
  4. Logs should include:
    • Timestamp of consent
    • Which categories were accepted/rejected
    • IP address (optional, but useful for proof)
    • User agent (browser/device info)
  5. Save settings

Verification: After accepting cookies, go to DigiConsent → Consent Logs and verify your consent was recorded with all necessary details.

GDPR Requirement Met: Article 7(1) – Demonstrate consent was obtained

Step 7: Set Appropriate Consent Expiration

Consent shouldn’t last forever. GDPR best practice is 6-12 months.

  1. Go to Settings → General
  2. Find Consent Expiry setting
  3. Set to 180-365 days (6-12 months)
  4. Default is 365 days (acceptable but consider shorter for higher compliance)
  5. Save settings

After expiry, users will see the banner again and must re-consent. This ensures ongoing, fresh consent.

GDPR Best Practice: Reconsideration Opinion 15/2011 – Periodic consent renewal

Step 8: Configure Google Consent Mode v2

If using Google Analytics or Google Ads, Consent Mode is required for EEA/UK as of March 2024.

  1. Navigate to Settings → Google Consent Mode
  2. Enable Google Consent Mode
  3. Select Consent Mode v2
  4. Set Default Consent State to Denied for all parameters:
    • analytics_storage: Denied
    • ad_storage: Denied
    • ad_user_data: Denied
    • ad_personalization: Denied
  5. Implementation: Advanced (recommended for better data coverage)
  6. Save settings

This ensures Google tags respect consent choices and operate in privacy-preserving mode before consent.

GDPR Requirement Met: Google Consent Mode ensures Google services respect GDPR consent

Step 9: Add Scripts to Correct Categories

All tracking scripts must be properly categorized and blocked until consent.

  1. Go to Settings → Cookie Categories
  2. For each tracking service you use:
    • Google Analytics → Analytics category
    • Facebook Pixel → Marketing category
    • Hotjar → Analytics category
    • Google Ads → Marketing category
    • Intercom/chat widgets → Functional category
    • YouTube embeds → Marketing or Functional
  3. Paste complete script code (including <script> tags)
  4. Save each script

Critical: Do NOT add tracking scripts to Necessary category unless they’re truly essential for site function (they almost never are).

GDPR Requirement Met: Article 5(1)(a) – Lawful, fair, and transparent processing

Step 10: Enable Iframe Blocking (Pro)

If you have DigiConsent Pro, enable iframe blocking to prevent YouTube, Vimeo, Maps from tracking before consent.

  1. Navigate to Settings → Iframe Blocker
  2. Enable Block YouTube Embeds → Assign to Marketing
  3. Enable Block Vimeo Embeds → Assign to Marketing
  4. Enable Block Google Maps → Assign to Functional or Marketing
  5. Configure placeholder messages
  6. Save settings

Without iframe blocking, embedded content loads immediately and sets tracking cookies before consent banner appears—a GDPR violation.

GDPR Requirement Met: Prevents third-party tracking before consent

Step 11: Test Complete Consent Flow

Thorough testing ensures compliance isn’t just configured but actually working.

Testing Checklist:

  1. Clear all cookies and cache
  2. Visit site in private/incognito window
  3. Before accepting anything:
    • Open DevTools → Application → Cookies
    • Verify ONLY necessary cookies present
    • Check Network tab: no requests to google-analytics.com, facebook.com, etc.
    • Verify consent banner appears immediately
  4. Click Reject All:
    • Banner should close
    • No analytics/marketing cookies should appear
    • Site should function normally (shopping cart, login work)
  5. Click Cookie Settings:
    • Modal opens showing all categories
    • Each category has clear description
    • Can select individual categories
  6. Accept only Analytics:
    • Analytics cookies appear (Google Analytics)
    • Marketing cookies do NOT appear (Facebook Pixel)
    • Scripts in Analytics category execute
  7. Open preferences again:
    • Can change choices
    • Can withdraw consent by unchecking categories
  8. Reload page after withdrawal:
    • Previously set cookies should be removed or blocked
  9. Check consent logs:
    • All decisions recorded with timestamps

GDPR Requirement Met: Article 7 – Valid consent mechanism

Step 12: Configure for EU Visitors Only (Pro)

If using DigiConsent Pro with geolocation, apply strict GDPR settings only to EU visitors.

  1. Go to Settings → Geolocation → Location Rules
  2. Create EU/EEA Rule:
    • Target Type: European Union
    • Consent Behavior: Opt-in
    • All settings above apply to this rule
  3. Create Default/Fallback Rule for non-EU:
    • Target Type: Fallback (All Others)
    • Consent Behavior: Your choice (opt-out or notice-only)
    • Less strict settings acceptable for non-GDPR regions
  4. Save rules

This applies GDPR compliance only where legally required while using simpler consent for other regions.

GDPR Requirement Met: Applies to EU data subjects (Article 3)

Automated Multi-Region Compliance with DigiConsent Pro Geolocation

DigiConsent Pro includes a powerful geolocation feature that automatically detects visitor location and applies region-specific consent rules. This allows you to implement strict GDPR compliance for EU visitors while using more flexible consent approaches for other regions—all automatically without manual intervention.

Why Use Geolocation for Compliance

Different regions have different privacy laws. GDPR requires opt-in consent in the EU, but many other countries have no such requirements or allow opt-out models. Geolocation enables you to:

  • Automatic GDPR Compliance: EU visitors automatically see GDPR-compliant opt-in banners
  • Optimize for Other Regions: Non-EU visitors can see simpler notices or opt-out models
  • State-Level Compliance: Apply California CPRA rules only to California visitors
  • No Over-Restriction: Don’t apply strict EU rules globally where not legally required
  • Better User Experience: Tailor consent approach to visitor’s legal expectations

Setting Up GDPR Geolocation Rules

To automatically apply all GDPR settings above to EU visitors only:

  1. Navigate to DigiConsent Pro → Settings → Geolocation
  2. Enable Geolocation Targeting
  3. Click Add Location Rule
  4. Configure EU Rule:
    • Rule Name: “EU/EEA GDPR Compliance”
    • Target Type: European Union (automatically includes all 27 EU countries plus EEA)
    • Consent Behavior: Opt-in (Block cookies until consent)
    • Banner Text: GDPR-compliant explanation (as configured in steps above)
    • Cookie Categories: All non-essential categories unchecked by default
    • Show Reject Button: Yes (required)
    • Show Settings Button: Yes (for granular choice)
    • Google Consent Mode: Enabled with all denied by default
    • Consent Expiry: 365 days or less
  5. Configure Fallback/Default Rule for non-EU visitors:
    • Target Type: Fallback (All Others)
    • Consent Behavior: Your choice (opt-out, notice-only, or even no banner)
    • Settings: Can be less restrictive than EU rule
  6. Save all rules

Additional Region-Specific Rules

Beyond EU GDPR compliance, you can create rules for other privacy jurisdictions:

UK GDPR (Post-Brexit):

  • Target Type: Specific Countries → GB
  • Same settings as EU rule (UK GDPR virtually identical to EU GDPR)

California CPRA:

  • Target Type: US States → CA
  • Consent Behavior: Opt-out (CPRA allows this)
  • Include “Do Not Sell My Personal Information” notice

Brazil LGPD:

  • Target Type: Specific Countries → BR
  • Consent Behavior: Opt-in (LGPD requires explicit consent)

Canada PIPEDA:

  • Target Type: Specific Countries → CA
  • Consent Behavior: Opt-out (PIPEDA allows implied consent in many cases)

Testing Geolocation Rules

To verify your geolocation-based GDPR compliance works correctly:

  1. Test from Different Locations:
    • Use VPN to connect from EU country (Germany, France)
    • Clear cookies and visit site
    • Verify GDPR-compliant opt-in banner appears
    • Switch VPN to US location
    • Verify different banner appears (if configured)
  2. Developer Testing:
    • DigiConsent Pro may include location override for testing
    • Check settings for test/debug mode to simulate locations
  3. Verify in Logs:
    • Check consent logs for location data
    • Confirm correct rules applied to different geographic visitors

Benefits of Geolocation-Based Compliance

  • Full Automation: No manual detection or separate site versions needed
  • Always Current: EU country list updates automatically as membership changes
  • Granular Control: Different settings for different regions all from one installation
  • Better Analytics: Less restrictive consent outside EU = better data coverage globally
  • Legal Protection: Demonstrate you applied appropriate compliance per jurisdiction
  • Performance: Lightweight geolocation adds minimal overhead (<50ms typically)

Using DigiConsent Pro’s geolocation feature transforms GDPR compliance from a global burden into a targeted, efficient system that applies the right level of privacy protection to each visitor based on their legal jurisdiction.

Privacy Policy Requirements

DigiConsent handles consent management, but you still need a comprehensive privacy policy covering:

Required Privacy Policy Content

  • Data Controller Identity: Your company name, address, contact
  • Data Protection Officer: Contact if you have one (required for large-scale processing)
  • What Data: List all personal data collected (including via cookies)
  • Legal Basis: Why you’re allowed to process (consent, legitimate interest, contract, legal obligation)
  • Purpose: Specific purposes for each type of data
  • Retention: How long you keep data
  • Third Parties: All companies you share data with (Google, Facebook, etc.)
  • International Transfers: If data goes outside EU (US companies)
  • User Rights:
    • Right to access their data
    • Right to rectification (correction)
    • Right to erasure (deletion)
    • Right to restrict processing
    • Right to data portability
    • Right to object
    • Right to withdraw consent
  • How to Exercise Rights: Email address or contact form
  • Right to Complain: Information about supervisory authority

Consider using privacy policy generators designed for GDPR or consulting legal counsel for your specific situation.

Common GDPR Mistakes to Avoid

  • Pre-checked boxes: All cookie categories (except Necessary) must be unchecked by default
  • Consent walls: Can’t force users to accept cookies to access content (with exceptions for paywalls)
  • Hiding reject button: Must be equally prominent as accept
  • Implied consent: “By continuing to use this site” isn’t valid consent
  • Bundled consent: Can’t require accepting all or nothing (granular choice required)
  • Missing logs: Must maintain proof of consent
  • No way to withdraw: Users must be able to change preferences easily
  • Vague information: Must clearly state what cookies do, not just “we use cookies”
  • Loading scripts before consent: All non-essential scripts must wait for consent
  • Forgetting iframes: YouTube, Maps, etc. track before consent unless blocked

GDPR Penalties

Understanding the risks of non-compliance:

  • Tier 1 Violations: Up to €10 million or 2% of global annual revenue (whichever is higher)
  • Tier 2 Violations: Up to €20 million or 4% of global annual revenue
  • Real Examples:
    • Google: €50 million fine for invalid consent (France, 2019)
    • Amazon: €746 million fine for various violations (Luxembourg, 2021)
    • Meta: €390 million for invalid consent legal basis (Ireland, 2023)

Even small websites can be fined. Compliance isn’t just for large companies.

Ongoing Compliance

GDPR compliance is ongoing, not one-time:

  • Regular audits: Quarterly review of tracking scripts and consent implementation
  • Update privacy policy: When you add new tracking services or change data practices
  • Monitor consent logs: Regularly review to ensure logging works correctly
  • Stay informed: GDPR interpretations evolve; follow updates from supervisory authorities
  • Respond to requests: Handle data access, deletion requests within 30 days
  • Maintain documentation: Keep records of compliance measures and decisions

Final Verification Checklist

  • ✅ Consent behavior set to Opt-in
  • ✅ All non-essential categories unchecked by default
  • ✅ Clear, plain-language banner text
  • ✅ Privacy policy linked and comprehensive
  • ✅ Accept, Reject, and Settings buttons all visible and equal
  • ✅ Consent logging enabled with appropriate retention
  • ✅ Consent expires within 6-12 months
  • ✅ Google Consent Mode v2 configured (if using Google services)
  • ✅ All scripts properly categorized
  • ✅ Iframe blocking enabled (if Pro)
  • ✅ Complete flow tested (accept, reject, granular choice, withdrawal)
  • ✅ No cookies load before consent
  • ✅ Users can easily withdraw consent
  • ✅ Privacy policy covers all GDPR requirements

Following this checklist ensures DigiConsent is configured for full GDPR compliance. While this guide covers technical implementation, consider consulting legal counsel for your specific situation, especially for complex websites or businesses handling sensitive personal data. GDPR compliance combines technical measures (proper consent management) with legal measures (privacy policies, data processing agreements, handling user rights requests), and both aspects must work together for complete compliance.

Similar Articles

Back to DigiConsent