GDPR

Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data

Key Facts

Effective Date: May 25, 2018
Enacted: April 14, 2016
Enforcing Authority: National Data Protection Authorities per member state, coordinated by the European Data Protection Board (EDPB)
Consent Model: Opt-in
Fulfillment Time: 30 days
Consent Recollection: 365 days
Applies To: Any organization processing personal data of EU/EEA individuals, regardless of where the organization is based

Overview

The GDPR is the world's most influential data protection regulation, setting the baseline standard that most other countries' privacy laws follow. Enacted by the European Union in 2016 and enforceable since May 2018, it governs how any organization worldwide must handle personal data of people in the EU and EEA.

What This Means for Your Website

  • You must show a consent banner to EU/EEA visitors before loading any non-essential cookies or tracking scripts
  • Consent must be freely given, specific, informed, and unambiguous — pre-ticked boxes do not count
  • Visitors must be able to withdraw consent as easily as they gave it
  • You need granular consent categories (analytics, marketing, functional) — a single "Accept all" is insufficient
  • A visible "Reject all" option must be as prominent as "Accept all"
  • You must keep auditable records of when and how each visitor consented
  • Privacy by design requires data protection to be built into your systems from the start

Key Requirements

The GDPR applies extraterritorially to any website processing personal data of EU/EEA residents. Penalties reach EUR 20 million or 4% of global annual turnover, whichever is higher. Each EU member state has a national Data Protection Authority (DPA) that enforces the regulation locally, coordinated by the European Data Protection Board (EDPB). Data subject access requests must be fulfilled within one month. Data Protection Impact Assessments are required for high-risk processing activities.

How ConsentStack Handles This

ConsentStack automatically detects EU/EEA visitors via geo-location and presents a GDPR-compliant opt-in consent banner. All non-essential scripts are blocked until the visitor actively consents through granular category toggles. Consent records are stored with timestamps and preference details for audit compliance, and consent is automatically re-collected after 12 months per regulatory guidance.
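The behaviours listed under "What This Means for Your Website" and summarised in the paragraph above (default-deny for non-essential scripts, granular per-category opt-in, withdrawal that is as easy as granting, timestamped consent records, and re-collection after 365 days) can be modelled as a small, testable consent-state module. The following is an added example written for this page; it is not ConsentStack's code or any library's API. The category names, the `recordDecision`/`gateScripts` functions, and the sample script list are assumptions for illustration. It runs in Node without a DOM so the gating logic can be unit-tested before it is wired to real `<script>` tags.

```javascript
// Added example (not ConsentStack's code): consent state with default-deny
// gating, granular categories, withdrawal, audit history and 365-day expiry.
// Category names and function names are assumptions for illustration.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const CONSENT_TTL_MS = 365 * 24 * 60 * 60 * 1000; // 365-day re-collection window

// Empty state: no decision yet, only strictly necessary is allowed.
function createConsentState() {
  return { decidedAt: null, granted: { necessary: true }, history: [] };
}

// Record a decision. `choices` maps category -> boolean. Unknown categories
// throw so a misspelled banner toggle cannot silently unlock a script.
function recordDecision(state, choices, now = Date.now(), source = "banner") {
  const granted = { necessary: true }; // strictly necessary needs no consent
  for (const [cat, value] of Object.entries(choices)) {
    if (!CATEGORIES.includes(cat)) throw new Error(`unknown category: ${cat}`);
    if (cat === "necessary") continue;
    granted[cat] = value === true; // anything but an explicit true is a refusal
  }
  for (const cat of CATEGORIES) if (!(cat in granted)) granted[cat] = false;
  // Audit entry: ISO timestamp, how consent was obtained, and the exact choices.
  const entry = { at: new Date(now).toISOString(), source, granted: { ...granted } };
  return { decidedAt: now, granted, history: [...state.history, entry] };
}

// Withdrawal: one call, no arguments, everything but necessary is refused.
function withdrawAll(state, now = Date.now()) {
  return recordDecision(state, {}, now, "withdraw");
}

// Consent is current only if a decision exists and the 365-day window has not elapsed.
function isConsentCurrent(state, now = Date.now()) {
  return state.decidedAt !== null && now - state.decidedAt < CONSENT_TTL_MS;
}

// Default-deny gate: a category may load only with a current, explicit grant.
function mayLoad(state, category, now = Date.now()) {
  if (category === "necessary") return true;
  if (!isConsentCurrent(state, now)) return false;
  return state.granted[category] === true;
}

// Split tag descriptors ({ category, src }) into those that may load and those held back.
function gateScripts(state, scripts, now = Date.now()) {
  const allowed = [];
  const blocked = [];
  for (const s of scripts) {
    if (mayLoad(state, s.category, now)) allowed.push(s.src);
    else blocked.push(s.src);
  }
  return { allowed, blocked };
}

// Constructed sample inputs (hypothetical URLs).
const SAMPLE_SCRIPTS = [
  { category: "necessary", src: "/js/session.js" },
  { category: "analytics", src: "https://analytics.example/tag.js" },
  { category: "marketing", src: "https://ads.example/pixel.js" },
];

// Walk through the lifecycle on a fixed clock so results are deterministic.
function demo() {
  const t0 = Date.UTC(2025, 0, 1);
  let state = createConsentState();
  const before = gateScripts(state, SAMPLE_SCRIPTS, t0);           // banner not yet answered
  state = recordDecision(state, { analytics: true, marketing: false }, t0);
  const after = gateScripts(state, SAMPLE_SCRIPTS, t0);            // analytics granted
  const expired = gateScripts(state, SAMPLE_SCRIPTS, t0 + CONSENT_TTL_MS); // 365 days later
  state = withdrawAll(state, t0 + 1000);
  const withdrawn = gateScripts(state, SAMPLE_SCRIPTS, t0 + 1000);
  return { before, after, expired, withdrawn, audit: state.history };
}

console.log(JSON.stringify(demo(), null, 2));
```

The design point is that the gate reads only from recorded state: a script with no matching grant, an expired decision, or a typo'd category all fall through to "blocked", which is the failure mode a regulator cares about. In a real page the `allowed` list would be turned into `<script>` elements after the decision, and `state.history` would be persisted server-side as the audit record.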

Penalties

Up to EUR 20 million or 4% of global annual turnover, whichever is higher

Maximum Fine: €20,000,000 aggregate
Revenue-based: 4% of annual revenue

Key Requirements

  • Prior opt-in consent required for non-essential cookies
  • Granular consent by purpose category
  • Consent withdrawal must be as easy as giving consent
  • Records of consent must be maintained for audit
  • Privacy by design and by default
  • Data Protection Impact Assessments for high-risk processing

Notable Provisions

  • Extraterritorial scope applies to non-EU organizations targeting EU users
  • One-stop-shop mechanism for cross-border enforcement
  • Right to be forgotten under Article 17

Data Subject Rights

Access your data (30 days)

Right to obtain confirmation of whether personal data is being processed and access to that data

Correct your data (30 days)

Right to have inaccurate personal data rectified or completed

Delete your data (30 days)

Right to have personal data erased when no longer necessary or consent is withdrawn

Restrict processing (30 days)

Right to restrict processing of personal data in certain circumstances

Port your data (30 days)

Right to receive personal data in a structured, commonly used, machine-readable format

Object to processing (30 days)

Right to object to processing based on legitimate interests or for direct marketing purposes

Other Europe Regulations

ePrivacy Directive (European Union + EEA)
Article 5(3) of the ePrivacy Directive is the primary EU legal basis requiring cookie consent. It mandates prior informed consent before storing or accessing any information on a user's device, with narrow exceptions only for transmission necessity and explicitly requested services.
PECR (United Kingdom)
PECR is the UK's cookie-specific law, requiring consent before storing or accessing cookies. The DUAA 2025 significantly increased penalties from GBP 500,000 to GBP 17.5 million and introduced analytics exceptions on an opt-out basis. Only strictly necessary cookies are exempt.
UK GDPR (United Kingdom)
The UK GDPR is the retained EU GDPR post-Brexit, with consent standards identical to the EU version. The UK adequacy decision was renewed December 2025, valid until December 2031. Combined with PECR, it forms the legal framework for cookie consent in the UK.
FDPA (France)
France has the most actively enforced cookie regime in Europe. CNIL issued 259 corrective decisions in 2025, with cookie-specific fines totaling EUR 486.8 million including EUR 325M against Google. A "Refuse all" button or "Continue without accepting" option must appear on the first layer.
TDDDG (Germany)
Germany implements the ePrivacy Directive through Section 25 of TDDDG (renamed from TTDSG in May 2024). A Consent Management Ordinance (EinwV) became effective April 2025, establishing a voluntary framework for recognized consent management services. Cookie banners must not obscure website content.
SI 336/2011 (Ireland)
Ireland implements the ePrivacy Directive through SI 336/2011. The DPC is the lead supervisory authority for major tech companies headquartered in Ireland including Meta, Google, Apple, and Microsoft. Uniquely, cookie consent is limited to 6 months and must then be refreshed.

Frequently Asked Questions

Do I need a cookie banner for GDPR compliance?

Yes. The GDPR requires explicit opt-in consent before placing any non-essential cookies or tracking scripts on visitors from the EU/EEA. ConsentStack automatically shows a compliant consent banner to EU visitors.

What are the GDPR penalties for cookie non-compliance?

Fines can reach EUR 20 million or 4% of global annual turnover, whichever is higher. National data protection authorities in each EU member state enforce these penalties.

Does GDPR apply to websites outside the EU?

Yes. The GDPR applies to any website that processes personal data of EU/EEA residents, regardless of where the website operator is based. This extraterritorial scope means most global websites need GDPR-compliant consent.

How long is GDPR cookie consent valid?

The GDPR does not specify an exact duration, but supervisory authorities like the ICO and CNIL recommend re-collecting consent at least every 12 months. ConsentStack supports configurable consent expiry periods.

Stay compliant with GDPR

ConsentStack helps you implement opt-in consent for the European Union and EEA automatically.