Security · 5 min read

GDPR: what 90% of websites get wrong (without knowing)

Ineffective cookie banners, non-compliant forms, data kept indefinitely: the 5 most common GDPR mistakes and how to fix them.

Rémi

Head of Engineering & Cryptography Expert

March 1, 2026

Good to know - According to CNIL (French Data Protection Authority), over 90% of French websites have at least one GDPR non-compliance issue, exposing their owners to fines of up to 4% of annual global turnover or 20 million euros, not counting reputational damage in case of publicized enforcement.

GDPR is not just about cookie banners

You installed a cookie consent banner. You think you're GDPR compliant. Bad news: it's probably not enough.

The General Data Protection Regulation goes well beyond cookies. It governs all collection, processing, and storage of personal data. And the mistakes we see on most websites are often the same.

The 5 most common GDPR mistakes

1. The cookie banner that blocks nothing

Your banner displays, the user hasn't clicked yet, but Google Analytics is already running. Facebook and LinkedIn pixels too. That's illegal.

The principle: no non-essential cookies may be placed before explicit user consent. Simply displaying a banner is not enough - scripts must be technically blocked until the user clicks "Accept".

How to check: open your browser's developer tools, "Application" tab > "Cookies". Reload the page without interacting with the banner. If cookies from analytics or advertising domains are already present, you're in violation.

2. Pre-checked or forced consent

Some banners display "marketing cookies" boxes already checked. Others make the "Accept all" button highly visible while "Refuse" is microscopic or non-existent. These practices constitute dark patterns sanctioned by CNIL.

The rule: refusal must be as easy as acceptance. One click to accept = one click to refuse.
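The two points above (nothing non-essential runs before an explicit choice, and refusing is as easy as accepting) come down to how third-party tags are loaded. The following consent manager is an added example, not code from this blog or from any consent-management product: tags are registered with a category and only injected after a decision, every category defaults to unchecked, and "refuse all" is the same single call as "accept all". The DOM and the storage are passed in as callbacks so the logic also runs outside a browser; the storage key name, the category names and the sample tag URLs are assumptions. Note that the "Application > Cookies" check in the article only catches cookies; a tag can also report a visit with a plain network request, so the "Network" tab is worth a look as well.

```javascript
// Consent-gated tag loading (added example). Third-party scripts are registered
// with a category and injected only once the visitor has made an explicit choice;
// no category is pre-checked, and refusing is one call, exactly like accepting.

const NON_ESSENTIAL = ['analytics', 'marketing']; // assumed category names
const STORAGE_KEY = 'gdpr_consent';               // assumed storage key

function createConsentManager({ storage, inject }) {
  // storage: { get(key) -> string|null, set(key, value) }, e.g. window.localStorage
  // inject(tag): the function that actually adds the script to the page
  const pending = []; // tags waiting for a decision
  const loaded = [];  // names of tags that were injected
  let consent = readStoredConsent(storage);

  function readStoredConsent(store) {
    const raw = store.get(STORAGE_KEY);
    if (!raw) return null; // no decision yet: everything non-essential stays blocked
    try {
      return JSON.parse(raw);
    } catch (e) {
      return null; // corrupt value: ask again rather than assume consent
    }
  }

  function allowed(category) {
    return consent !== null && consent.categories[category] === true;
  }

  function load(tag) {
    inject(tag);
    loaded.push(tag.name);
  }

  function registerTag(tag) {
    if (!NON_ESSENTIAL.includes(tag.category)) {
      throw new Error(`unknown category: ${tag.category}`);
    }
    if (allowed(tag.category)) load(tag); else pending.push(tag);
  }

  function decide(choices) {
    // Every non-essential category defaults to false: nothing is pre-checked.
    const categories = {};
    for (const c of NON_ESSENTIAL) categories[c] = choices[c] === true;
    consent = { decidedAt: new Date().toISOString(), categories };
    storage.set(STORAGE_KEY, JSON.stringify(consent));
    // Release only the tags whose category was accepted; the rest stay blocked.
    for (let i = pending.length - 1; i >= 0; i--) {
      if (allowed(pending[i].category)) load(pending.splice(i, 1)[0]);
    }
    return consent;
  }

  return {
    registerTag,
    decide,
    acceptAll: () => decide(Object.fromEntries(NON_ESSENTIAL.map(c => [c, true]))),
    refuseAll: () => decide({}), // one action, same as acceptAll
    getConsent: () => consent,
    loadedTags: () => loaded.slice(),
    pendingTags: () => pending.map(t => t.name),
  };
}

// Minimal in-memory storage standing in for localStorage.
function memoryStorage() {
  const map = new Map();
  return { get: k => (map.has(k) ? map.get(k) : null), set: (k, v) => map.set(k, v) };
}

// Browser wiring (assumed usage):
//   inject = tag => { const s = document.createElement('script'); s.src = tag.src;
//                     s.async = true; document.head.appendChild(s); };

// Scenario: two tags registered at page load, visitor accepts analytics only,
// then returns later and the stored decision is applied without re-asking.
function scenario() {
  const storage = memoryStorage();
  const injected = [];
  const inject = tag => injected.push(tag.name);

  const first = createConsentManager({ storage, inject });
  first.registerTag({ name: 'analytics-tag', category: 'analytics', src: 'https://example.invalid/analytics.js' });
  first.registerTag({ name: 'ad-pixel', category: 'marketing', src: 'https://example.invalid/pixel.js' });
  const firedBeforeChoice = injected.length;   // 0: nothing runs before a decision
  first.decide({ analytics: true });           // marketing left unchecked
  const firedAfterChoice = injected.slice();   // ['analytics-tag']
  const stillBlocked = first.pendingTags();    // ['ad-pixel']

  const second = createConsentManager({ storage, inject }); // return visit
  second.registerTag({ name: 'analytics-tag', category: 'analytics', src: 'https://example.invalid/analytics.js' });
  second.registerTag({ name: 'ad-pixel', category: 'marketing', src: 'https://example.invalid/pixel.js' });
  const firedOnReturn = second.loadedTags();   // ['analytics-tag']

  return { firedBeforeChoice, firedAfterChoice, stillBlocked, firedOnReturn };
}
```

The important property is that `registerTag` never calls `inject` on its own: the script tag for a tracker must not exist in the page until `decide` has run, which is exactly what the developer-tools check in the article verifies from the outside.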

3. Forms without legal notices

Your contact form collects name, email, phone number. But where do you inform users about how their data will be used? The retention period? Their access and deletion rights?

The requirement: each collection point must display or link to clear information about data processing. A simple link to your privacy policy can suffice, provided it's complete and up to date.

4. No processing register

GDPR requires companies to maintain a register documenting all personal data processing: what data, for what purposes, what legal basis, what retention period, what recipients.

Reality: most SMBs don't have this register. Yet in case of a CNIL audit, it's the first document requested.

5. Data kept indefinitely

You've been keeping prospect emails from 2015 "just in case"? CVs from rejected candidates three years ago? These practices violate GDPR's storage limitation principle.

Recommended durations: 3 years for inactive prospecting data, 2 years for rejected CVs, 5 years for customer data after the end of the business relationship.
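Storage limitation only holds if something actually enforces it. The script below is an added example (not the author's code) of a retention review that applies the durations given above to a constructed dataset and returns which records are due for deletion. The event each clock starts from (last contact for prospects, the rejection decision for candidates, the end of the business relationship for customers), the record fields and the sample data are assumptions made for this illustration; an active customer has no end date yet, so the clock has not started and the record is kept.

```javascript
// Storage-limitation review (added example). Retention lengths are the ones the
// article recommends; the clock-start fields and sample data are constructed.

const RETENTION_YEARS = {
  prospect: 3,            // counted from the last contact with the prospect
  rejected_candidate: 2,  // counted from the rejection decision
  customer: 5,            // counted from the end of the business relationship
};

// Field holding the date the retention clock starts from, per record kind.
const CLOCK_START = {
  prospect: 'lastContactAt',
  rejected_candidate: 'rejectedAt',
  customer: 'relationshipEndedAt', // null while the relationship is ongoing
};

function addYears(isoDate, years) {
  const d = new Date(isoDate);
  d.setUTCFullYear(d.getUTCFullYear() + years);
  return d;
}

// Returns the ISO date (YYYY-MM-DD) after which the record should be deleted,
// or null when the clock has not started (e.g. an active customer).
function deleteAfter(record) {
  const years = RETENTION_YEARS[record.kind];
  if (years === undefined) throw new Error(`no retention rule for ${record.kind}`);
  const start = record[CLOCK_START[record.kind]];
  if (!start) return null;
  return addYears(start, years).toISOString().slice(0, 10);
}

// Partition a dataset into record ids to purge and ids to keep, as of `now`.
function reviewRetention(records, now) {
  const nowDate = new Date(now);
  const purge = [];
  const keep = [];
  for (const r of records) {
    const limit = deleteAfter(r);
    if (limit !== null && new Date(limit) <= nowDate) purge.push(r.id);
    else keep.push(r.id);
  }
  return { purge, keep };
}

// Constructed sample data, reviewed as of the article's publication date.
const SAMPLE_RECORDS = [
  { id: 'p1', kind: 'prospect', lastContactAt: '2015-06-10' },          // the "just in case" list
  { id: 'p2', kind: 'prospect', lastContactAt: '2024-01-15' },
  { id: 'c1', kind: 'rejected_candidate', rejectedAt: '2023-02-01' },
  { id: 'k1', kind: 'customer', relationshipEndedAt: '2020-12-31' },
  { id: 'k2', kind: 'customer', relationshipEndedAt: '2022-05-01' },
  { id: 'k3', kind: 'customer', relationshipEndedAt: null },           // still a customer
];

function sampleReview() {
  // Expected: purge p1, c1, k1; keep p2, k2, k3.
  return reviewRetention(SAMPLE_RECORDS, '2026-03-01');
}
```

Run as a scheduled job, the `purge` list is what the deletion step consumes; keeping the durations and the clock-start rules in one table also gives you the retention column the processing register in point 4 has to document.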

What you really risk

CNIL fines are no longer theoretical. In 2023, French companies of all sizes were sanctioned: 180,000 euros for an SMB, several million for large retailers.

Beyond the fine, reputation suffers. A public CNIL formal notice generates press articles, social media comments, and a loss of trust that's hard to regain.


How to achieve real compliance

GDPR compliance isn't just a legal matter. It's also - and above all - a technical one. Your developers must properly implement script blocking, secure data storage, and deletion mechanisms.

We integrate GDPR compliance from the design phase of every project. Our security by design approach ensures that data protection is not a late addition but a foundation.

Is your website really compliant? Let's discuss your challenges. A quick audit can reveal flaws you're unaware of.

Tags: RGPD, GDPR, compliance, cookies, data protection, CNIL, privacy
