The GDPR Toolkit: Every Tool You Need to Stop Breaking European Law
Cookie banners are just the beginning. Here's the complete stack for running a website that won't get you fined €20 million.
Let me guess: You added a cookie banner, called it a day, and hoped nobody would notice the Google Analytics script still firing before consent.
Bad news: The regulators noticed. 2024 had record GDPR fines. 2025 was worse. 2026 is shaping up to be brutal.
Good news: Compliance isn’t that hard once you know what tools to use.
The uncomfortable math: GDPR fines can reach €20 million or 4% of global revenue—whichever is higher. That’s not a typo. That “whichever is higher” clause has bankrupted companies.
This isn’t legal advice. This is a practical toolkit from someone who’s helped 30+ websites get compliant without losing their minds.
The GDPR Compliance Stack
Here’s everything you need, organized by function:
| Category | What It Does | Top Pick | Cost |
|---|---|---|---|
| Consent Management | Cookie banners, consent records | Cookiebot | €9-108/yr |
| Analytics | Track visitors legally | Plausible | €9-69/mo |
| Email Marketing | GDPR-compliant newsletters | Mailjet | Free-€15/mo |
| Forms & Data | Collect data properly | Tally | Free-€29/mo |
| Privacy Policy | Generate legal docs | iubenda | €27-99/yr |
| Data Requests | Handle DSAR | OneTrust | Free tier |
| Hosting | EU data residency | Hetzner | €4-20/mo |
| CDN | EU-compliant delivery | Bunny CDN | €0.01/GB |
Let’s break down each category.
Cookie Consent: The Visible Part of GDPR
This is what users see. It’s also what regulators check first.
What You Actually Need
The legal requirement: Get explicit, informed consent BEFORE setting non-essential cookies. Not "implied consent." Not "by using this site you agree." Actual, affirmative, reversible consent.
The Tools
Cookiebot — The Industry Standard
Cookiebot is what most compliance consultants recommend. It automatically scans your site, categorizes cookies, blocks scripts until consent, and keeps audit logs.
The magic: It actually blocks Google Analytics, Facebook Pixel, and other scripts before consent. Not with honor-system “please don’t track” requests—with actual JavaScript blocking.
Free tier: Works for sites under 50 pages. Beyond that, €108/year.
Consent Manager (Usercentrics) — For Larger Sites
More customizable than Cookiebot. Better for complex sites with multiple domains, custom integrations, or enterprise compliance requirements.
Price: Starts around €50/month. Enterprise gets expensive fast.
The DIY Option — Osano Open Source
If you’re technical and cheap, Osano’s open-source consent manager works. You host it. You maintain it. You accept that support is “read the GitHub issues.”
Price: Free forever. Your time is the cost.
Common mistake: Adding a cookie banner that does nothing. The banner must actually block tracking scripts until consent. A decorative “we use cookies” notification is worse than nothing—it’s evidence you knew the law and chose aesthetics over compliance.
Implementation Checklist
- Banner appears before any non-essential cookies load
- “Accept all” and “Reject all” are equally prominent
- Users can change preferences later
- Consent is logged with timestamp
- Scripts only fire after explicit consent
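The checklist above describes what a consent manager has to do mechanically. The following is an added example (not code from the post or from any vendor named in it) that models the common pattern of shipping tracking tags inert as `type="text/plain"` and switching them on only for granted categories, while keeping a timestamped record of every decision. The tag inventory, category names and the `ConsentGate` class are constructed for illustration.

```javascript
// Constructed sample: tracking tags as a consent manager renders them.
// type="text/plain" means the browser never executes the tag on load;
// dataset.consent is the category the tag needs. Essential tags ship as
// ordinary scripts and are not gated.
function sampleTags() {
  return [
    { id: "session-helper", type: "text/javascript", dataset: {} },
    { id: "google-analytics", type: "text/plain", dataset: { consent: "statistics" } },
    { id: "facebook-pixel", type: "text/plain", dataset: { consent: "marketing" } },
  ];
}

class ConsentGate {
  constructor(now = () => new Date()) {
    this.now = now;           // injectable clock so the audit log is testable
    this.granted = new Set(); // categories currently allowed by the user
    this.log = [];            // audit trail: every decision with a timestamp
  }
  record(action, categories) {
    this.granted = new Set(categories);
    this.log.push({ action, categories: [...categories], at: this.now().toISOString() });
    return this;
  }
  // "Accept all" and "Reject all" are single calls of equal weight.
  acceptAll() { return this.record("accept_all", ["statistics", "marketing"]); }
  rejectAll() { return this.record("reject_all", []); }
  update(categories) { return this.record("update", categories); } // change later
  withdraw() { return this.record("withdraw", []); }
  hasDecision() { return this.log.length > 0; }

  // Flip gated tags to executable only when their category is granted.
  // With no decision recorded nothing changes, so no tracking fires on
  // page load. Returns the ids of the tags activated by this call.
  apply(tags) {
    const activated = [];
    for (const tag of tags) {
      const needs = tag.dataset.consent;
      if (needs && tag.type === "text/plain" && this.granted.has(needs)) {
        // In a real page the node must be cloned and re-inserted after the
        // type change; browsers do not re-run a script already parsed.
        tag.type = "text/javascript";
        activated.push(tag.id);
      }
    }
    return activated;
  }
}
```

Withdrawal cannot unload a script that is already running, so a production consent manager also deletes the cookies it set and reloads the page; the gate only controls what is allowed to start.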
Google Analytics Alternatives: See Your Traffic Legally
Google Analytics is the biggest GDPR headache for most sites. Data goes to America. Google uses it for advertising. The legal basis is… questionable at best.
The EU-Compliant Options
Plausible — The Recommended Choice
No cookies. No consent banner needed for analytics. EU servers only. Open source. Shows you everything you actually need—pageviews, referrers, geography—without the privacy invasion.
Best for: 90% of websites that just need basic traffic data.
Matomo — The GA Replacement
Want Google Analytics features without Google? Matomo is feature-equivalent. Heatmaps, funnels, user flows—all there.
The trade-off: More complex. Can require cookies (configurable). Self-hosted option available.
Price: Cloud starts at €19/month. Self-hosted is free (you pay for hosting).
Fathom — The Simple Premium
Like Plausible but slightly pricier and more established. Canadian company with EU servers.
Price: Starts at $15/month.
Analytics Decision Tree
Need advanced features (funnels, heatmaps)? → Matomo
Just need traffic basics? → Plausible
Want maximum simplicity? → Fathom
Budget is zero? → Umami (self-hosted)
Newsletters That Won’t Get You Fined
Email marketing under GDPR requires:
- Explicit opt-in (no pre-checked boxes)
- Easy unsubscribe
- Records of consent
- Data stored in compliant locations
The EU-Safe Options
Mailjet — Best Free Tier
Owned by Sinch (Swedish company). EU data processing. Solid automation features. The free tier is actually usable.
Brevo (ex-Sendinblue) — All-in-One
French company. CRM, email, SMS, chat all in one platform. Good for businesses wanting unified customer communication.
Price: Free to €25/month depending on volume.
Mailchimp — With Caveats
Yes, it’s American. Yes, it can be GDPR-compliant. You need to:
- Enable EU data center
- Sign their DPA
- Use double opt-in
- Actually read their compliance documentation
For small lists, EU alternatives are easier. For established businesses already on Mailchimp, migration might not be worth it.
Double opt-in: User signs up → gets email → clicks confirmation link → only then added to list. Required in Germany, strongly recommended everywhere. Mailjet and Brevo make this easy.
Collect Data Without Collecting Lawsuits
Every form on your site is a data collection point. Every data collection point needs GDPR consideration.
The Compliant Form Builders
Tally — Simple, EU-Hosted
The Notion of form builders. Clean interface, powerful features, actually respects privacy. No external trackers. EU data residency.
The free tier is wild: Unlimited everything. They make money on premium features, not on selling your respondents’ data.
Typeform — With Configuration
Spanish company, but uses AWS (including US regions). Can be configured for EU-only processing. Beautiful forms, good UX, requires reading their privacy documentation.
Price: €25-83/month.
FormKeep — For Developers
Receives form submissions, stores them securely, forwards to your email/webhook. No fancy builder—just secure data handling.
Best for: Static sites that just need a form backend.
Form Compliance Checklist
- Privacy policy linked from every form
- Clear explanation of why you’re collecting data
- Separate checkbox for marketing consent (not bundled with submission)
- Data stored in EU jurisdiction
- Process for deleting data on request
Privacy Policies That Actually Work
“We respect your privacy” is not a privacy policy. You need specific, accurate documentation about what data you collect and why.
Privacy Policy Generators
iubenda — The Standard
Questionnaire-based generator. Answer questions about your site, get legally-reviewed documents. Updates automatically when laws change.
The value: Lawyer-written policies cost €500-2000. iubenda costs €27/year.
Termageddon — Auto-Updating
Similar concept, American company with GDPR compliance. Policies automatically update when regulations change.
Price: $99/year for all documents.
DIY Warning
Can you write your own privacy policy? Technically yes. Should you? Only if you’re a data protection lawyer or enjoy courtroom drama.
Handling “Delete My Data” Requests
GDPR gives users rights: access, deletion, portability. When they exercise those rights, you have 30 days to respond.
DSAR (Data Subject Access Request) Tools
OneTrust — Free Tier Available
Industry leader for enterprise privacy management. Their free tier handles basic DSAR intake and tracking.
Use case: You get occasional deletion requests and need to track them.
Mine — Consumer-Focused
Helps individuals request their data from companies. If you’re a company, you’ll receive requests through their platform.
What to do: Set up a process to handle requests from Mine and similar services.
The Manual Approach
For small sites:
- Create an email address: [email protected]
- Document your data inventory (what you collect, where it’s stored)
- Create a spreadsheet to track requests
- Respond within 30 days
Pro tip: Most small sites can handle DSAR manually. You only need automation tools when you’re getting more than a few requests per month.
Where Your Data Physically Lives Matters
Data residency isn’t just about where your hosting provider is incorporated—it’s about where the servers physically sit.
EU-Based Hosting
Hetzner — The Developer Favorite
Excellent value, German engineering, genuinely good infrastructure. Used by privacy-conscious projects across Europe.
Scaleway — The French Option
Paris and Amsterdam data centers. Good Kubernetes support. Competitive pricing.
Price: Starts at €7/month for compute.
OVHcloud — The European Giant
French company, data centers across Europe. More enterprise-focused but has affordable tiers.
CDN: Bunny vs Cloudflare
Bunny CDN: Slovenian company. You can choose EU-only edge locations. €0.01/GB pricing.
Cloudflare: American company. Has EU-only options but requires Enterprise plan for guaranteed EU-only processing. Free tier processes data globally.
For strict GDPR compliance: Bunny CDN with EU edge locations. For "good enough" with better features: Cloudflare with their EU data localization suite.
My Recommended GDPR Stack
For a typical business website:
| Layer | Tool | Cost/month |
|---|---|---|
| Hosting | Hetzner VPS | €5 |
| CDN | Bunny CDN | ~€2 |
| Analytics | Plausible | €9 |
| Consent | Cookiebot | €9 |
| Forms | Tally | Free |
| Email | Mailjet | Free-€15 |
| Legal docs | iubenda | ~€3 |
| Total | | ~€28-43/mo |
Compare to: One GDPR fine for a small business: €5,000-50,000.
The math is obvious.
The Implementation Order
If you’re starting from zero, do this in order:
Week 1: Foundation
- Move hosting to EU provider
- Replace Google Analytics with Plausible
- Add consent management (Cookiebot)
Week 2: Documentation
- Generate privacy policy (iubenda)
- Audit all forms—add privacy notices
- Set up [email protected]
Week 3: Refinement
- Test consent flow—verify scripts are actually blocked
- Configure EU data residency for email provider
- Document your data inventory
Ongoing
- Respond to data requests within 30 days
- Review tools quarterly for compliance updates
- Update privacy policy when you add new features
Quick Audit Checklist
Run through this for any existing site:
Consent
- Cookie banner appears before non-essential scripts
- Can reject all cookies in 1 click (not buried in settings)
- Consent is logged with timestamp
- Can withdraw consent later
Analytics & Tracking
- Analytics tool stores data in EU
- No tracking before consent (or using cookieless analytics)
- No Facebook Pixel without explicit consent
- No Google Analytics without consent (or using GA4 with consent mode)
Data Collection
- Privacy policy linked from all forms
- Email signup uses double opt-in
- Clear purpose stated for each form
- Marketing consent separate from transactional consent
Documentation
- Privacy policy exists and is accurate
- Cookie policy lists all cookies with purposes
- Contact method for data requests exists
- Records of processing activities documented
Infrastructure
- Hosting in EU jurisdiction
- CDN uses EU edge locations (or properly configured)
- Backups stored in EU
- Third-party tools have DPAs signed
Common Mistakes I See Constantly
“We’re too small to be fined” False. Small businesses get fined. The fines are smaller but still painful. A €10,000 fine hurts a small business more than a €10 million fine hurts a multinational.
“We added a cookie banner, we’re compliant” A banner that doesn’t block scripts is decoration, not compliance. Test it—disable JavaScript and see if tracking pixels still load.
“Our US tool says they’re GDPR compliant” Compliance isn’t binary. A US tool can be configured compliantly, but you need to verify EU data processing, sign their DPA, and often upgrade to paid tiers.
“We don’t collect personal data” IP addresses are personal data. Email addresses are personal data. That contact form you forgot about? Personal data.
Resources
- GDPR.eu — Plain-English guide to the regulation
- ICO (UK) — Best guidance documents even for EU
- CNIL (France) — Strictest interpretations, good for understanding limits
Last updated: January 2026. This is not legal advice—consult a data protection professional for your specific situation.