Tags: gdpr, compliance, privacy, small-business

GDPR and Cookies for Small Business Websites: A Plain-English Checklist

What GDPR actually requires from a small business website (privacy policy, cookie banner, lawful bases, data minimization) written in plain language with no scare tactics.

Brimky Team · 4 min read
Privacy shield and cookie illustration representing GDPR compliance for small business websites

If your business serves customers anywhere in the European Union, GDPR applies, and yes, that includes a one-person consultancy with a single contact form. The good news: it is far less complicated than the compliance industry wants you to believe.

This checklist is what a small business website actually needs to be GDPR-compliant in 2026. No scare tactics, no '€20 million fine' headlines, no 47-page privacy policies cribbed from a Fortune 500. Just the parts that matter.

What GDPR actually says (in two paragraphs)

GDPR says: if you collect personal data from someone in the EU, you must (a) have a legal reason to collect it, (b) tell them what you're doing with it, (c) keep it secure and only as long as needed, and (d) let them ask to see or delete it. That's the whole spirit.

Personal data is anything that can identify a person: name, email, phone, IP address, even a cookie ID. The moment a visitor lands on your site, you're already collecting some of it. That's why every modern site needs at minimum a privacy policy and (in most cases) a cookie banner.

The five things every small business site must have

  1. A privacy policy that says what data you collect, why, how long you keep it, and who you share it with. Linked from the footer of every page.
  2. A cookie banner if you set ANY non-essential cookies (analytics, marketing pixels, embedded YouTube videos). 'Essential' means strictly required to make the site work: session login, language preference, form CSRF tokens.
  3. A lawful basis for each kind of data you process. For most small business sites: 'consent' for marketing, 'contract' for orders, 'legitimate interest' for fraud prevention. Document which applies where.
  4. Reasonable security: HTTPS everywhere, strong admin passwords, backups, a host that doesn't leak data.
  5. A way for people to contact you about their data. Usually a dedicated address such as privacy@… that goes to a human.

Cookie banners: the part people get wrong most

A compliant cookie banner has four properties. If yours is missing any, fix it.

  • It loads before any non-essential cookies are set. If the analytics script fires before the user clicks 'accept', the banner is decorative, not compliant.
  • Reject is as easy as Accept. A giant green 'Accept all' button next to a tiny grey 'Manage' link is the textbook example of what regulators have started fining for.
  • Granular consent for different categories: analytics, marketing, personalisation. Users can accept some and reject others.
  • Consent is logged. If someone says yes to analytics on Monday, you should be able to show that record on Friday.

If your site uses Google Analytics, Facebook Pixel, Hotjar, embedded YouTube, or any third-party chat widget, you need a banner. If it uses none of those and just sets a session cookie for login, you don't.
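The first and fourth banner properties above (nothing non-essential runs until the visitor chooses, and every choice is recorded) are the ones a developer has to implement rather than design. The following is an added illustration, not Brimky's banner code: a small consent store plus a loader that only injects scripts whose category the visitor has allowed. The three category names come from the page; the script URLs are constructed placeholders, and POLICY_VERSION is an assumed field for tying each record to the policy text that was shown.

```javascript
// Added example (not Brimky's code): consent-gated loading of non-essential
// scripts with a decision log. Script URLs below are constructed placeholders.

const CATEGORIES = ["analytics", "marketing", "personalisation"];
const POLICY_VERSION = "2026-01"; // assumed: bump when the cookie policy text changes

// Non-essential scripts the site would like to load, each tagged with the
// consent category it belongs to. Constructed URLs, not real vendors.
const EXAMPLE_SCRIPTS = [
  { src: "https://example.com/analytics.js", category: "analytics" },
  { src: "https://example.com/remarketing-pixel.js", category: "marketing" },
  { src: "https://example.com/recommendations.js", category: "personalisation" },
];

// Holds the visitor's current decision and every decision made so far.
// `now` is injectable so the record can be tested with a fixed clock.
function createConsentStore(now = () => new Date().toISOString()) {
  const log = [];
  let current = null;

  return {
    // Every category is stored as an explicit true/false. Anything that is not
    // literally `true` counts as "no": there are no pre-ticked defaults.
    record(choices) {
      const decision = {};
      for (const c of CATEGORIES) decision[c] = choices[c] === true;
      const entry = { at: now(), policyVersion: POLICY_VERSION, decision };
      log.push(entry);
      current = entry;
      return entry;
    },
    acceptAll() {
      const all = {};
      for (const c of CATEGORIES) all[c] = true;
      return this.record(all);
    },
    rejectAll() {
      return this.record({});
    },
    // Before the visitor has chosen, nothing non-essential is allowed.
    allows(category) {
      return current !== null && current.decision[category] === true;
    },
    // The log the page talks about: what was agreed, when, under which policy.
    history() {
      return log.map((e) => ({ ...e, decision: { ...e.decision } }));
    },
  };
}

// Walk the script list and hand only the permitted ones to `inject`.
// Returns what was loaded and what was held back so the caller can verify it.
function gateScripts(store, scripts, inject) {
  const loaded = [];
  const blocked = [];
  for (const s of scripts) {
    if (store.allows(s.category)) {
      inject(s.src);
      loaded.push(s.src);
    } else {
      blocked.push(s.src);
    }
  }
  return { loaded, blocked };
}

// Browser injector: appends a <script> tag to the document head. Only used in
// the browser; the demo and tests pass a recording function instead.
function domInjector(doc) {
  return (src) => {
    const el = doc.createElement("script");
    el.src = src;
    el.async = true;
    doc.head.appendChild(el);
  };
}

// Stand-alone demonstration with a fixed clock and a recording injector.
(function demo() {
  const store = createConsentStore(() => "2026-01-05T09:00:00Z");
  const injected = [];
  const inject = (src) => injected.push(src);

  // Page load, before any click: everything non-essential stays blocked.
  console.log("before choice:", gateScripts(store, EXAMPLE_SCRIPTS, inject));

  // Visitor ticks analytics only ("yes" is not a tick, so marketing stays off).
  store.record({ analytics: true, marketing: "yes" });
  console.log("after choice:", gateScripts(store, EXAMPLE_SCRIPTS, inject));
  console.log("consent log:", JSON.stringify(store.history()));
})();
```

In a real site the banner's Accept and Reject buttons call `acceptAll()` / `rejectAll()` (or `record()` for the granular view), then `gateScripts(store, scripts, domInjector(document))` runs, and the entries from `history()` are persisted where they can be produced later. Because the loader is the only path that adds script tags, a vendor snippet pasted directly into the page template bypasses the gate; that is exactly the "decorative banner" failure the list above describes.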

Privacy policy: what to actually write

A small business privacy policy can be one page. Cover these six points in plain language.

  • Who you are (business name, address, contact email).
  • What data you collect (e.g. 'name and email when you fill out our contact form; IP address and browsing data when you visit, anonymised after 30 days').
  • Why you collect it (deliver our service, respond to enquiries, run analytics).
  • How long you keep it (e.g. 'contact form submissions: 12 months; account data: as long as you have an account').
  • Who you share it with (your hosting provider, your email provider, your analytics tool; name each one).
  • Their rights and how to use them (access, correction, deletion, contact privacy@…).

Copying a long template from a free generator and changing the business name produces a policy that technically passes but is unreadable. Your policy is also a trust signal. Customers who read it should come away thinking 'these people respect me', not 'I have no idea what they do with my data'.

The shortest GDPR-compliant privacy policy I've ever shipped was 600 words. It covered everything. The first draft was 3,800 words and said nothing useful.

Brimky compliance review notes

Data minimization: the cheap compliance trick

Half of GDPR compliance is just collecting less. Every form field is a potential liability. Ask yourself, for each field: do I actually use this data, or am I asking because the form library happened to include it?

  • Contact form: name, email, message. Maybe phone if call-back is your primary follow-up. That's it.
  • Booking form: only what's needed to run the appointment. Asking for date of birth on a haircut booking is not minimization.
  • Newsletter signup: email only. Adding 'first name' is fine; adding 'job title' is overreach.
  • Cookie tracking: only the categories you actually use. If you don't run remarketing campaigns, don't set the cookies for them.

Common mistakes that get small businesses fined

  • Setting analytics cookies before the user accepts. The fix is configuring your analytics to wait for consent, or using a cookie-less alternative.
  • Pre-ticked consent boxes. Always opt-in, never opt-out.
  • 'Accept all' with no equivalent reject button. Regulators have stopped being polite about this in 2025.
  • Vague legal basis. 'We process your data based on our legitimate interest' is not enough. Say WHICH interest, in WHICH situation.
  • No way to actually delete data when someone asks. The request has to result in deletion within 30 days, not a polite reply.

Where Brimky fits in

Every Brimky site ships with a cookie banner that respects 'reject', a starter privacy policy you fill in for your business, HTTPS, and a host that is a registered EU data processor. The technical half of compliance is done at launch. The policy and consent half you control, and we walk you through it during onboarding so you're not staring at a blank template.

Want a site like this for your clinic?

Brimky builds and hosts modern websites for dentists and small businesses. Pick a template, pay once, and we handle the rest.
