
GDPR and your website in 2026: compliance guide for European SMEs

TL;DR

An SME reaches GDPR compliance by ticking 8 boxes: Consent Mode v2 deployed, cookie banner without dark patterns, processing register up to date, EU hosting verified, DPO appointed if required, user rights operational (access/erasure), retention periods documented, and accessible privacy policy. Cumulative GDPR fines for Meta, TikTok and Uber crossed the one-billion-euro mark in 2024-2025.

By Julien Daniel, Founder & CTO, OptionWeb

GDPR turns 8 in 2026, yet 70% of European SME websites remain partially non-compliant according to the Cookiebot 2025 survey. Between mandatory Consent Mode v2 since March 2024, the DSA, the demise of Privacy Shield then its rebirth as the Data Privacy Framework, and the new CNIL decisions on dark patterns, the ground keeps shifting. Here is the checklist OptionWeb applies to every client site in 2026.

1. Consent Mode v2

Since 6 March 2024, Google requires Consent Mode v2 to use Google Ads and Google Analytics with European users. Without Consent Mode v2, your campaigns can no longer use EEA data for optimisation, and conversions are massively under-reported.

Concretely, you must transmit 7 consent parameters to Google: ad_storage, ad_user_data, ad_personalization, analytics_storage, functionality_storage, personalization_storage, security_storage. A Google-certified CMP (Consent Management Platform) handles this automatically.

| CMP | Monthly price | Pros | Cons |
|---|---|---|---|
| Cookiebot | 12-39 € / 100k views | Robust, Google-certified, automatic cookie scan | Expensive above 100k views, dated UI |
| Didomi | Quote-based (~80-300 €) | Enterprise reference, multi-country compliance | Expensive for SMEs |
| Axeptio | 9-49 € | Modern UX, friendly tone, EU-based | Less technical granularity |
| Iubenda | 5-30 € | Good value, multilingual | Less clear documentation |
| Open-source CMP (Klaro) | 0 € | Self-hosted, free, GDPR compatible | Manual maintenance, no auto scan |

OptionWeb recommendation: Axeptio for SMEs up to 100k views/month (UX, price, EU-based), Cookiebot above that if you need automatic multi-domain scanning.

2. Cookie banner without dark patterns

The CNIL and the UK ICO issued a growing number of cookie-banner sanctions in 2024-2025. Explicitly prohibited patterns: 'Reject all' button hidden or less visible than 'Accept', pre-ticked boxes for non-essential cookies, page scrolling treated as implicit consent, closing the banner without making a choice treated as acceptance.

Strict rule: 'Accept all' and 'Reject all' at the same visual level — same size, same colour, same position. Refusal must be as easy as acceptance. A French SME was fined 8,000 € in 2024 simply because its 'Reject' button was half the size of its 'Accept' button.
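The two sections above (the 7 Consent Mode v2 parameters and the "refusal as easy as acceptance" rule) in working code, as an added example that is not OptionWeb's or Google's code. `gtag` is stubbed with a `dataLayer` array so it runs outside a browser, and the banner category names (`analytics`, `marketing`, `preferences`) are assumed.

```javascript
// Added example (not OptionWeb's or Google's code): a CMP driving Google
// Consent Mode v2. gtag() is stubbed with a dataLayer array so this runs
// outside a browser; on a real page gtag is the Google tag function.
const dataLayer = [];
function gtag() { dataLayer.push(Array.from(arguments)); }

// The 7 Consent Mode v2 parameters, all 'denied' until the user decides.
// security_storage is strictly necessary, so it is granted by default.
const CONSENT_DEFAULT = {
  ad_storage: 'denied',
  ad_user_data: 'denied',
  ad_personalization: 'denied',
  analytics_storage: 'denied',
  functionality_storage: 'denied',
  personalization_storage: 'denied',
  security_storage: 'granted',
  wait_for_update: 500, // ms to wait for a stored choice before tags fire
};

// Must run in <head> before gtag.js loads, otherwise tags fire without consent.
function sendConsentDefault() {
  gtag('consent', 'default', CONSENT_DEFAULT);
  return CONSENT_DEFAULT;
}

// Map the banner's categories (assumed names) onto Google's parameters.
// choices: { analytics: bool, marketing: bool, preferences: bool }
function consentFromChoices(choices) {
  const g = (ok) => (ok ? 'granted' : 'denied');
  return {
    ad_storage: g(choices.marketing),
    ad_user_data: g(choices.marketing),
    ad_personalization: g(choices.marketing),
    analytics_storage: g(choices.analytics),
    functionality_storage: g(choices.preferences),
    personalization_storage: g(choices.preferences),
    security_storage: 'granted',
  };
}

function sendConsentUpdate(choices) {
  const update = consentFromChoices(choices);
  gtag('consent', 'update', update);
  return update;
}

// 'Accept all' and 'Reject all' are each a single call: refusing must be
// exactly as easy as accepting, with no extra step hidden behind 'Reject'.
const acceptAll = () => sendConsentUpdate({ analytics: true, marketing: true, preferences: true });
const rejectAll = () => sendConsentUpdate({ analytics: false, marketing: false, preferences: false });
```

Wire `acceptAll` and `rejectAll` to the two equally visible buttons and call `sendConsentUpdate` from the granular "customise" panel; the default call must already have run before any Google tag loads.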

3. Records of processing activities

The records of processing activities are mandatory for any organisation with more than 250 employees, and strongly recommended below. For an SME being audited, this is the first document the supervisory authority will ask for.

For each processing activity (newsletter, contact form, payment, recruitment, accounting), document:

  • Purpose: why you collect this data (e.g. send a monthly newsletter).
  • Legal basis: consent, contract, legal obligation, legitimate interest, public interest, or vital interests.
  • Data categories: email, name, IP, behaviour, payment data, etc.
  • Categories of subjects: prospects, customers, employees, sub-contractors, candidates.
  • Recipients: who receives the data: internal team, sub-processors (Mailchimp, Stripe), partners.
  • Non-EU transfers: if applicable, country and legal basis (SCCs, BCRs, adequacy decision).
  • Retention period: active + intermediate archive + legal archive.
  • Security measures: encryption, access control, backups, team training.

Practical format: Excel or Notion table, updated for every new processing activity. The CNIL provides a free template. Allow 1-2 days of work to compile it the first time.

4. Hosting and non-EU transfers

Since the Schrems II ruling (July 2020), hosting an EU-user website on AWS US, Google Cloud US or Azure US without Standard Contractual Clauses + impact assessment = clear non-compliance. The EU-US Data Privacy Framework of July 2023 stabilised the situation for DPF-certified US hosts, but residual risk persists (annulment proceedings pending).

Simple solution for SMEs: EU-based host (AWS Frankfurt, OVH, Hetzner, Scaleway, Verpex EU). No transfer outside the EU = no debate. That's our default choice at OptionWeb with Verpex (Netherlands datacentre).

For unavoidable US sub-processors (Stripe, Mailchimp, HubSpot, Google Workspace), you must:

  1. Verify the sub-processor's DPF certification on dataprivacyframework.gov
  2. Sign a DPA (Data Processing Agreement) with them (usually automatic via their ToS)
  3. Verify the SCCs (Standard Contractual Clauses) attached to the DPA
  4. Document the transfer and its legal basis in the records of processing
  5. Mention the transfer explicitly in the privacy policy

5. DPO: required or not?

The Data Protection Officer (DPO) is mandatory in 3 cases only: public authority, systematic large-scale monitoring of individuals, large-scale processing of sensitive data (health, opinions, religion, biometrics). For 95% of SMEs, it is not mandatory.

But it is strongly recommended for B2C SMEs and e-commerce: a shared external DPO costs 200-500 €/month and provides legal coverage in case of audit. Three options:

| Option | Cost | For whom |
|---|---|---|
| Internal DPO (founder or trained HR) | Training 800-2000 € | SMEs 10-50 staff, simple processing |
| Shared external DPO | 200-500 €/month | B2C or e-commerce SMEs with user data |
| Dedicated internal DPO | Salary 50-80k €/year | 100+ staff or sensitive processing |

6. User rights (access, erasure)

Every user has 6 enforceable rights: access, rectification, erasure (right to be forgotten), restriction, portability, objection. An SME must process a request within 1 month (extendable to 2 months for complex cases with justification).

Minimum setup: dedicated email address (privacy@yourdomain.eu), contact form labelled 'GDPR request', documented internal procedure to identify the request, retrieve the data, export or delete it, and notify the user.

7. Retention periods

Keeping data 'just in case' = GDPR violation. Each data category must have a justified retention period. SME template:

| Category | Active | Intermediate archive | Legal |
|---|---|---|---|
| Prospects (contact form) | 3 years after last contact | | |
| Customers | Relationship + 3 years | 5 years | 10 years (invoices) |
| Newsletter subscribers | While subscribed | 1 year after unsubscribe | |
| Rejected CVs | 2 years (unless erasure request) | | |
| Server logs (security) | 1 year max | | |
| Analytics cookies | 13 months max | | |
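A retention sweep that applies the single-period rows of the template above, as an added example that is not OptionWeb's code. The category names, the record shape and the sample records are constructed; an erasure request overrides the schedule, and a category with no documented period is rejected rather than kept "just in case".

```javascript
// Added example, not OptionWeb's code: apply the SME retention schedule.
// Periods are months after the record's last relevant event; category
// names and the record shape are assumed for this example.
const RETENTION_MONTHS = {
  prospect: 36,                 // 3 years after last contact
  newsletter_unsubscribed: 12,  // 1 year after unsubscribe
  rejected_cv: 24,              // 2 years, unless erasure is requested earlier
  server_log: 12,               // 1 year max
  analytics_cookie: 13,         // 13 months max
};

function addMonths(date, months) {
  const d = new Date(date.getTime());
  d.setUTCMonth(d.getUTCMonth() + months);
  return d;
}

// Returns the ids of records whose retention period has expired on `today`.
// An erasure request wins over the schedule; an undocumented category is an
// error, because no period means the data should not be held at all.
function recordsToErase(records, today) {
  return records
    .filter((r) => {
      if (r.erasureRequested) return true;
      const months = RETENTION_MONTHS[r.category];
      if (months === undefined) {
        throw new Error(`no retention period documented for '${r.category}'`);
      }
      return addMonths(new Date(r.lastEvent), months) <= today;
    })
    .map((r) => r.id);
}

// Constructed sample data; lastEvent is the last contact, unsubscribe or log date.
const SAMPLE_RECORDS = [
  { id: 'p1', category: 'prospect', lastEvent: '2022-12-01' },
  { id: 'p2', category: 'prospect', lastEvent: '2023-06-01' },
  { id: 'n1', category: 'newsletter_unsubscribed', lastEvent: '2024-11-30' },
  { id: 'cv1', category: 'rejected_cv', lastEvent: '2024-03-01' },
  { id: 'cv2', category: 'rejected_cv', lastEvent: '2025-10-01', erasureRequested: true },
  { id: 'log1', category: 'server_log', lastEvent: '2025-02-01' },
  { id: 'a1', category: 'analytics_cookie', lastEvent: '2024-12-01' },
];

console.log(recordsToErase(SAMPLE_RECORDS, new Date('2026-01-15')));
```

Run it nightly against the real tables, and log each erased id with its category and the rule applied so the sweep itself is auditable.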

8. Accessible privacy policy

Dedicated page, link in the footer of every page, written in plain language (not unreadable legalese). Must contain: identity of the data controller, purposes and legal bases, retention periods, user rights and how to exercise them, any non-EU transfers, list of third-party sub-processors (Google Analytics, Mailchimp, etc.), DPO if appointed, right to lodge a complaint with the supervisory authority (ICO in the UK, CNIL in France, APD in Belgium).

Update for every new sub-processor or new purpose. Last-update date visible at the top of the page.

Recent fines: key takeaways

GDPR fines crossed the one-billion-euro mark in 2024 for Meta (1.2 B€), TikTok (345 M€) and Uber (290 M€) alone. For SMEs, sanctions remain more modest but the recurring grounds are eye-opening:

  • Hidden or smaller 'Reject' button: repeated CNIL sanctions between 5,000 € and 100,000 € in 2024.
  • Newsletter without verified double opt-in: typical case, a 10,000 € fine for an SME that imported a list without proof of consent.
  • Excessive retention period: keeping CVs for 10 years 'just in case' = sanction. 2-year limit recommended.
  • Transfer to a US sub-processor without SCCs: 2025 CNIL sanction against an SME using a non-DPF US marketing tool: 25,000 €.
  • Missing or incomplete privacy policy: minimum 5,000 € fine, almost systematic in case of complaint.