We’ve analyzed more than 100,000 websites and always find the same errors when it comes to GDPR-compliance. More than 70% of the websites are not GDPR-compliant. Even most websites that use a “Cookie banner” are not GDPR-compliant. Here are the Top 10 reasons we see every day why your website is not GDPR compliant:
#10 – No data controller named
A Cookie Banner is only valid if the visitor can know who the controller is (that is, the “owner” of the data) before the visitor gives consent. If your Cookie Banner does not explicitly list your company as a controller, then your website is not GDPR compliant!
#9 – No access to imprint & privacy notice
While the consent layer should be displayed on every page (document), it is essential that you do NOT display it on your terms & conditions page, imprint / legal notice or your privacy notice page. These pages must be accessible without interacting with the consent banner.
#8 – Incorrect welcome text
We’ve seen them so often: one-liner cookie texts with very little information. That may be the dream of your marketing team, but it is simply not sufficient for GDPR compliance. The welcome text should at least tell the visitor a) that there is data processing, b) that there are third parties involved, c) for which purposes the processing happens and what kind of data will be processed.
#7 – Incorrect headline
Since the consent layer is asking the visitor for permission to process personal data – it is essential that the headline reflects this to your visitors. A headline like “We set cookies” is seen so many times but is not compliant. A better headline would be “Consent for Data processing & Cookies”.
#6 – No possibility to reject
Also very often seen: A consent layer without the possibility to reject. A visitor must have a possibility to say “No, I don’t want Cookies and I don’t want my personal data processed” – if your Cookie Banner does not offer this – then your website is not compliant. (Extra: “But, a visitor could simply leave the website instead of accepting”. Yes, but your website is still not compliant because leaving is not a valid choice under GDPR!)
#5 – Cookie details missing
This is a very simple and logical one, but so often wrong: if I’m asking my visitors for consent, they should know what they consent to. Hence a Cookie Banner must be able to tell which types of cookies are set, by which vendors and how long they are stored. Without this information: not compliant.
#4 – Incorrect button setup
This topic has become more prominent in recent months as new guidelines from Data Protection Authorities like the CNIL or ICO came in: in order to be GDPR-compliant, a Consent Layer must have two buttons of the same design for Accept and Reject (a third “Settings” button or link may be used in addition). It is not valid to have only an Accept and a “Customize” button.
#3 – Vendor details missing
We see it even with the most expensive GDPR tools: if you design your consent layer, you MUST name all the vendors that process personal data or set cookies on your website. This must include their names, address, legal basis, purpose and more. If your Cookie Banner doesn’t include this information, you are not compliant!
#2 – No Consent Layer
Although GDPR is now more than 3 years old, there are still many websites that do not yet have a consent layer to inform their visitors and ask for consent for tracking, marketing and other things that require consent. Our last study found that more than 40% of European websites still don’t have a consent layer or are still using a very old one-line “we set cookies” box that is not compliant.
#1 – Tracking without/before consent
This is definitely and by far the top reason why most websites are not GDPR-compliant: They are setting Cookies or processing personal data without consent. This is mind-blowing, especially since it is so easy to spot with tools like our crawler and so easy to prevent with tools like Auto-Blocking.
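To make #1 (tracking before consent) and #5 (cookie details) concrete, here is an added example of the consent-gating approach that “Auto-Blocking” tools implement; it is not code from the original article or from any particular product. Third-party tags are shipped inert and only switched on for consented categories, and a small audit helper lists cookies that exist without consent. The category names, the JSON consent-record format and the `data-consent` attribute are assumptions made for this example.

```javascript
// Added example, not code from the original article: a small consent gate in the
// style of the "Auto-Blocking" the article refers to. Third-party tags are shipped as
// <script type="text/plain" data-consent="marketing"> so the browser never executes
// them; they are switched on only for the categories the visitor actually accepted.
// Category names and the JSON consent-record format are assumptions for this example.

const CATEGORIES = ["necessary", "functional", "statistics", "marketing"];

// Turn the stored consent record into a {category: bool} map. Anything missing,
// malformed or not explicitly true counts as "no consent", the safe default.
function parseConsent(raw) {
  const consent = Object.fromEntries(CATEGORIES.map((c) => [c, c === "necessary"]));
  if (typeof raw !== "string") return consent;
  try {
    const record = JSON.parse(raw);
    for (const c of CATEGORIES) if (c !== "necessary") consent[c] = record[c] === true;
  } catch (_) { /* unreadable record: keep the all-false defaults */ }
  return consent;
}

// A gated tag may run only if it is still inert and every category it declares is consented.
function tagsToActivate(tags, consent) {
  return tags.filter((t) => t.type === "text/plain" && t.categories.length > 0 &&
    t.categories.every((c) => consent[c] === true));
}

// Audit helper for the "tracking before consent" problem: list cookies in a Cookie
// header whose category (from the banner's cookie table) was not consented to.
// Cookies missing from the table are reported too; the banner cannot have declared them.
function unconsentedCookies(cookieHeader, cookieTable, consent) {
  return cookieHeader.split(";").map((kv) => kv.trim().split("=")[0]).filter(Boolean)
    .filter((name) => consent[cookieTable[name]] !== true);
}

// Browser glue: swap each permitted inert tag for a real script element so it executes.
// Call this from the banner's "accept" handler and on page load once consent exists.
function activateGatedScripts(doc, consent) {
  const gated = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'))
    .map((el) => ({ el, type: el.type, categories: el.dataset.consent.split(",").map((s) => s.trim()) }));
  for (const { el } of tagsToActivate(gated, consent)) {
    const live = doc.createElement("script");
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);
  }
}
```

Running `unconsentedCookies` against a first-page-load crawl, before any interaction with the banner, is the check a crawler uses to spot #1: on a compliant site only cookies in the “necessary” category should appear.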