Even if you don't sell anything online, your website almost certainly collects personal data: a contact form, a newsletter, visitor analytics or a simple tracking pixel all count. And the moment you handle people's data, you enter the territory of data protection law. Complying isn't red tape: it's a matter of trust, and of avoiding penalties that can be severe.
The GDPR (European Regulation 2016/679) has been in force since 2018 and yet many company websites still fail to cover the basics. At aatsoft, a web development studio in Manresa (Barcelona), we implement the technical side of legal compliance on the sites we build. This guide explains what your website needs and how to check it. (This is general guidance, not legal advice.)
Why it should matter, even for a small business
The rules don't distinguish by size: if you process data of people in the EU, they apply to you. And the consequences of ignoring them are real:
- Heavy penalties. The GDPR allows fines of up to 20 million euros or 4% of annual turnover, and cookie rules have their own penalty regime. You don't need to reach those figures for a fine to hurt.
- Loss of trust. A user who can't find your privacy policy or runs into a deceptive cookie banner becomes wary, and rightly so.
- Easy complaints. Any visitor can report a non-compliant website to the supervisory authority. It happens more often than you'd think.
The 4 legal essentials of a website
These are the elements that practically any company website needs to have in order.
1. Legal notice
It identifies who is behind the website: name or company name, tax ID, address and contact details. It's what lets a user know who they are dealing with.
2. Privacy policy
It explains what data you collect, for what purpose, for how long, on what legal basis and what rights the user has (access, rectification, erasure…). It's the central GDPR document and must be linked wherever you ask for data.
3. Cookie policy
It details which cookies your website uses (your own and third-party ones such as Google or social networks), what they are for and how to manage them. It goes hand in hand with the consent banner.
4. Consent in forms
Every form that collects data must inform clearly and obtain the person's consent, with no pre-ticked boxes. Asking for the data isn't enough: you also have to ask for permission.
The cookie banner: how to do it right
The cookie banner is where most websites fail. To comply, it must let people accept and reject just as easily (a giant «Accept» button and a hidden «reject» link won't do), it must not have boxes ticked by default and, above all, it must not load tracking cookies before the user accepts them. A pretty banner that fires Google Analytics the moment someone lands doesn't comply, however much it looks like it does.
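The gating rule above, as an added example written for this article (not aatsoft's code): trackers are registered by category and only injected once that category has been granted, rejecting is a single call like accepting, and nothing is granted by default. The category names, script URL and banner description are constructed assumptions.

```javascript
// Added example (not aatsoft's code): a consent gate that defers tracking
// scripts until the visitor grants their category. Names are assumptions.
const CATEGORIES = ["analytics", "marketing"];

// Nothing granted by default: a pre-ticked box would be consent nobody gave.
function noConsent() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, false]));
}

// Browser helper: inject the tag only when called, never at page load.
function injectScript(src) {
  const el = document.createElement("script");
  el.src = src;
  document.head.appendChild(el);
}

function createConsentGate(loadScript = injectScript) {
  const pending = [];           // registered, not yet loaded
  const loaded = new Set();
  let consent = noConsent();
  function flush() {
    for (const s of pending) {
      if (consent[s.category] && !loaded.has(s.src)) {
        loaded.add(s.src);
        loadScript(s.src);
      }
    }
  }
  return {
    // Register a tracker instead of loading it; it runs only after consent.
    register(src, category) { pending.push({ src, category }); flush(); },
    acceptAll() { for (const c of CATEGORIES) consent[c] = true; flush(); },
    rejectAll() { consent = noConsent(); },          // one click, like accept
    accept(categories) { for (const c of categories) consent[c] = true; flush(); },
    state() { return { ...consent }; },
    loaded() { return [...loaded]; },
  };
}

// The three banner rules from the text, checked on a banner description:
// reject as easy as accept, no pre-ticked categories, no tracker loaded early.
function bannerIsCompliant(banner, gate) {
  const acceptBtn = banner.buttons.find((b) => b.action === "accept");
  const rejectBtn = banner.buttons.find((b) => b.action === "reject");
  if (!acceptBtn || !rejectBtn || rejectBtn.layer !== acceptBtn.layer) return false;
  if (banner.categories.some((c) => c.preChecked)) return false;
  return gate.loaded().length === 0;
}
```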
Legal compliance checklist
Run through these points on your website. If you fail any of them, it's worth fixing as soon as possible.
- A legal notice accessible from any page.
- A clear privacy policy linked in your forms.
- A compliant cookie banner.
- Explicit consent when collecting data.
- A secure HTTPS connection.
- Data hosted on reliable servers.
These are the basics that separate a compliant website from an exposed one.
How we help at aatsoft
At aatsoft we take care of the technical side of compliance: we install and configure a compliant cookie banner, wire up analytics tools so they respect consent, secure your site with HTTPS and set up forms and hosting properly. The legal texts themselves are best reviewed with a specialist, and we point you to what you need.
Request a compliance review of your website and we'll tell you what's missing and how to put it in order. Discover our web development services too.
This article is general information and does not constitute legal advice. For your specific case, consult a legal professional.