
GDPR & ePrivacy Compliance: Scan Your Site and Fix It Fast

Most websites break GDPR and the ePrivacy (cookie) rules without realizing it — trackers firing before consent, no reject button, missing records. Learn what actually matters and how to scan your site for actionable fixes.

June 10, 2026
Tags: GDPR, ePrivacy, cookie consent, cookie compliance, privacy policy, consent banner, data protection, GDPR scan, cookie audit

You can have a cookie banner on every page and still be breaking the law. Compliance is not about having a banner — it is about what your site does in the half-second before anyone clicks it. And for most sites, the answer is: it already fired Google Analytics, a Meta Pixel, some fonts from a CDN, and three cookies you have never heard of.

This guide explains what GDPR and ePrivacy actually require, the gaps that catch out most sites, and how to scan yours for a concrete list of fixes.

GDPR vs ePrivacy: two rules, not one

People say "GDPR" when they usually mean both of these:

  • GDPR — the broad regulation covering personal data: how you collect it, your legal basis, how you store and secure it, and the rights you must honor (access, deletion, portability).
  • ePrivacy Directive (the "cookie law") — the specific rule about storing or reading information on a user's device: cookies, tracking pixels, localStorage, fingerprinting.

The order matters: ePrivacy decides whether you may set a cookie at all; GDPR governs what you do with the data once you have it. A tracker that fires before consent fails ePrivacy and GDPR at the same time.

The gaps that catch out most sites

In practice, the same handful of issues show up again and again.

1. Trackers that fire before consent

This is the big one. Analytics, ad pixels, embedded videos, A/B testing, chat widgets, and even some web-font loaders set cookies or read device data the moment the page loads — before the visitor has agreed to anything.

If a non-essential script runs before the user opts in, the consent banner is decoration. Consent must be prior: nothing non-essential loads until the user actively says yes.

2. No real "reject" option

Consent has to be as easy to refuse as to accept. Common failures:

  • An "Accept all" button with no equally prominent "Reject all".
  • Pre-ticked boxes (consent is never assumed).
  • "Reject" buried two clicks deep in a settings panel while "Accept" is one tap.
  • Cookie walls that deny access unless you accept tracking.

3. Vague or missing policies

  • No privacy policy, or one that does not name your actual processors (the third parties you share data with).
  • No cookie policy listing what each cookie does, who sets it, and how long it lasts.
  • Consent that is not logged — under GDPR you must be able to demonstrate that a user consented, when, and to what.

4. Invisible third parties

Every embed is a data flow. A YouTube embed, a Google Map, a hosted font, a social share button, a "powered by" widget — each can ship visitor data (including IP addresses) to a third party, sometimes outside the EU, before consent. You cannot fix what you cannot see.

What "good" looks like

A compliant setup generally does all of the following:

  1. Blocks non-essential scripts by default. Nothing but strictly necessary cookies loads until the visitor opts in.
  2. Offers a genuine choice. "Accept all" and "Reject all" are equally easy and equally visible, with granular categories (analytics, marketing, preferences) in between.
  3. Honors the choice everywhere. Refusal actually prevents the trackers from running — and the choice persists across pages and sessions.
  4. Documents everything. A clear privacy policy, a cookie policy that matches the cookies you actually set, and stored consent records.
  5. Makes withdrawal easy. Users can change or revoke consent at any time, as easily as they gave it.
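The five points above describe behaviour, not code. The following is an added example (not code from the article or from gdprfix.eu) of a minimal consent model that implements them: nothing but strictly necessary scripts runs until a decision exists, reject and accept are the same one-step operation, every decision is a timestamped record that can be shown later, withdrawal is just another record, and a record made under an older policy version counts as no consent. All names (CATEGORIES, decide, allowedScripts, applyConsent, POLICY_VERSION) are assumptions for the example; the DOM part is skipped when there is no document, so the decision logic also runs under Node.

```javascript
// Added example, not from the original article. Names are hypothetical.
const NECESSARY = "necessary";
const CATEGORIES = ["analytics", "marketing", "preferences"];
const POLICY_VERSION = "2026-06"; // assumed: change whenever the cookie policy changes

// No decision yet: every non-essential category is off. Nothing is assumed.
function defaultConsent() {
  return {
    version: POLICY_VERSION,
    decidedAt: null,
    choices: Object.fromEntries(CATEGORIES.map(c => [c, false])),
  };
}

// Record an explicit decision. Only a literal `true` counts as consent,
// so a missing or malformed value can never opt the user in.
function decide(choices, now = new Date()) {
  const record = defaultConsent();
  record.decidedAt = now.toISOString(); // the "when" you must be able to demonstrate
  for (const c of CATEGORIES) {
    if (c in choices) record.choices[c] = choices[c] === true;
  }
  return record;
}

// Accept-all and reject-all are both a single call: equally easy by construction.
function acceptAll(now) { return decide(Object.fromEntries(CATEGORIES.map(c => [c, true])), now); }
function rejectAll(now) { return decide({}, now); }

// Withdrawal is the same operation as granting: a fresh, timestamped record.
function withdrawConsent(record, category, now = new Date()) {
  return decide({ ...record.choices, [category]: false }, now);
}

// Loading a persisted record (e.g. from a first-party cookie or localStorage):
// a record from an older policy version, or without a timestamp, is treated
// as "no decision yet" rather than as consent.
function loadConsent(stored) {
  if (!stored || stored.version !== POLICY_VERSION || !stored.decidedAt) return defaultConsent();
  return stored;
}

// Which declared scripts may run under a record. Each script is { src, category }.
function allowedScripts(scripts, record) {
  return scripts.filter(s => s.category === NECESSARY || record.choices[s.category] === true);
}

// Browser side (no-op under Node): gated tags are shipped inert as
//   <script type="text/plain" data-category="analytics" data-src="/vendor/ga.js"></script>
// and only swapped for a real <script> once the record allows that category.
// Returns the number of scripts activated.
function applyConsent(record) {
  if (typeof document === "undefined") return 0;
  const pending = [...document.querySelectorAll('script[type="text/plain"][data-category]')];
  const declared = pending.map(el => ({ src: el.dataset.src, category: el.dataset.category, el }));
  let activated = 0;
  for (const s of allowedScripts(declared, record)) {
    const real = document.createElement("script");
    real.src = s.src;
    s.el.replaceWith(real);
    activated++;
  }
  return activated;
}
```

Because gated scripts are inert `text/plain` tags rather than ordinary `<script src>` tags, the browser never fetches them on its own; the only path to execution is `applyConsent`, which makes "blocked by default" a property of the markup rather than of banner timing.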

How to audit your own site

You can check the basics by hand:

  • Open your site in a fresh private window with DevTools on the Network and Application → Cookies tabs.
  • Load the page without touching the banner. Note every cookie set and every third-party request that fires. Those are your pre-consent trackers.
  • Click Reject and reload. If the same trackers still fire, your banner is not actually blocking anything.
  • Read your privacy and cookie policies against the list you just built. Do they match reality?

This works, but it is tedious, easy to get wrong, and it goes stale the moment you add a new embed or marketing tag.
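One way to make the manual procedure repeatable is to copy what you observed in the Network and Application → Cookies tabs into a small script and let it do the comparison. The following is an added example, not code from the article or from gdprfix.eu: it takes a list of requests and cookies tagged with the phase they were seen in (before any click, after Reject), separates first-party from third-party hosts, labels the well-known ones, flags what still fires after Reject, and diffs the cookie policy against the cookies actually set. The capture data, the site origin, the tracker host list and the cookie-name prefixes are all constructed assumptions for the example.

```javascript
// Added example, not from the original article. Sample data is constructed.
const SITE_ORIGIN = "https://example.org"; // constructed

// Hosts the example recognizes (assumed list; extend for your own stack).
const TRACKER_HOSTS = {
  "www.google-analytics.com": "analytics",
  "www.googletagmanager.com": "analytics",
  "connect.facebook.net": "marketing",
  "www.youtube.com": "marketing",
};

// Cookie-name prefixes the example treats as trackers (assumed).
const TRACKER_COOKIE_PREFIXES = [["_ga", "analytics"], ["_gid", "analytics"], ["_fbp", "marketing"]];

function hostOf(url) { return new URL(url).hostname; }

// First-party means the site host itself or one of its subdomains.
function isThirdParty(url, siteOrigin = SITE_ORIGIN) {
  const site = new URL(siteOrigin).hostname;
  const host = hostOf(url);
  return host !== site && !host.endsWith("." + site);
}

// Distinct third-party hosts seen in one phase of the audit.
// requests: [{ url, phase }] with phase "pre-consent" | "post-reject" | "post-accept"
function thirdPartiesInPhase(requests, phase, siteOrigin = SITE_ORIGIN) {
  const seen = new Map();
  for (const r of requests) {
    if (r.phase !== phase || !isThirdParty(r.url, siteOrigin)) continue;
    const host = hostOf(r.url);
    if (!seen.has(host)) seen.set(host, TRACKER_HOSTS[host] || "unknown");
  }
  return [...seen].map(([host, category]) => ({ host, category }));
}

function classifyCookie(name) {
  const hit = TRACKER_COOKIE_PREFIXES.find(([prefix]) => name.startsWith(prefix));
  return hit ? hit[1] : "unknown";
}

// Cookies still present in a phase that are not on your strictly-necessary list.
// cookies: [{ name, phase }]
function nonEssentialCookiesInPhase(cookies, phase, necessary) {
  const names = new Set(cookies.filter(c => c.phase === phase).map(c => c.name));
  return [...names].filter(n => !necessary.includes(n)).map(name => ({ name, category: classifyCookie(name) }));
}

// Compare the cookie policy with reality in both directions:
// cookies you set but never documented, and documented cookies you no longer set.
function diffCookiePolicy(declared, observedNames) {
  const declaredNames = new Set(declared.map(d => d.name));
  const observed = new Set(observedNames);
  return {
    undeclared: [...observed].filter(n => !declaredNames.has(n)),
    stale: [...declaredNames].filter(n => !observed.has(n)),
  };
}

// Constructed capture: what the DevTools tabs showed in each phase.
const SAMPLE_REQUESTS = [
  { url: "https://example.org/app.js", phase: "pre-consent" },
  { url: "https://cdn.example.org/fonts.css", phase: "pre-consent" },
  { url: "https://www.google-analytics.com/collect?v=1", phase: "pre-consent" },
  { url: "https://connect.facebook.net/en_US/fbevents.js", phase: "pre-consent" },
  { url: "https://www.google-analytics.com/collect?v=1", phase: "post-reject" },
];
const SAMPLE_COOKIES = [
  { name: "session", phase: "pre-consent" },
  { name: "_ga", phase: "pre-consent" },
  { name: "session", phase: "post-reject" },
  { name: "_ga", phase: "post-reject" },
];
const DECLARED_COOKIES = [{ name: "session" }, { name: "_gid" }]; // constructed cookie policy
const NECESSARY_COOKIES = ["session"];

function auditReport() {
  return {
    preConsentThirdParties: thirdPartiesInPhase(SAMPLE_REQUESTS, "pre-consent"),
    thirdPartiesAfterReject: thirdPartiesInPhase(SAMPLE_REQUESTS, "post-reject"),
    cookiesAfterReject: nonEssentialCookiesInPhase(SAMPLE_COOKIES, "post-reject", NECESSARY_COOKIES),
    policy: diffCookiePolicy(DECLARED_COOKIES, SAMPLE_COOKIES.map(c => c.name)),
  };
}

console.log(JSON.stringify(auditReport(), null, 2));
```

Anything under `thirdPartiesAfterReject` or `cookiesAfterReject` is the case the article calls out in step three: the banner is not blocking. Anything under `policy.undeclared` is a cookie your policy does not mention; `policy.stale` is a documented cookie you no longer set, which is the other half of the "do they match reality" check.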

Scan your site and get actionable fixes on gdprfix.eu

Instead of doing it by hand, point a scanner at your site. gdprfix.eu crawls your pages the way a browser does and reports exactly where you stand on GDPR and ePrivacy:

  • Pre-consent trackers — every cookie and third-party script that fires before the visitor opts in, named and categorized.
  • Consent banner checks — whether non-essential scripts are actually blocked, whether "reject" is as easy as "accept," and whether choices are respected and remembered.
  • Policy gaps — missing or mismatched privacy and cookie policies, and undocumented data flows.
  • Cross-border data transfers — third parties receiving visitor data, including where it goes.

Crucially, it does not just flag problems — it returns actionable fixes: the specific scripts to gate behind consent, the banner behavior to change, and the policy items to add, prioritized so you fix what matters first. Re-scan after each change to confirm you are clean.

A practical compliance checklist

  • No non-essential cookies or trackers fire before opt-in
  • "Reject all" is as prominent and easy as "Accept all"
  • No pre-ticked consent boxes or implied consent
  • Granular categories (analytics, marketing, preferences) offered
  • Rejecting tracking actually prevents the scripts from running
  • Consent is logged and can be demonstrated
  • Users can withdraw consent as easily as they gave it
  • Privacy policy names all processors and is accurate
  • Cookie policy matches the cookies actually set
  • Third-party embeds and cross-border transfers are accounted for

Key takeaways

  • GDPR and ePrivacy are two rules — you need to satisfy both, and a tracker firing before consent breaks both at once.
  • The most common (and most serious) failure is non-essential scripts loading before opt-in.
  • A banner is only compliant if refusal is as easy as acceptance and it actually blocks the trackers.
  • You cannot fix what you cannot see — scan your site to find the invisible third parties and pre-consent cookies.

Want the specific list of what to fix on your site? Scan your site on gdprfix.eu and get prioritized, actionable GDPR and ePrivacy fixes.
