GDPR in 2026: What Your Website Must Absolutely Comply With

GDPR in 2026: What Your Website Must Absolutely Comply With

C

Camille Beaucher

Founder & Developer · NexIT Agency — Le Mans, France

GDPRLegalWebCompliance

Introduction: GDPR is No Longer Reserved for Large Companies

For a long time, GDPR was perceived as a constraint for large companies — GAFAs, banks, telecom operators. SMEs and VSEs could reasonably think they'd slip through the cracks.

That era is over.

In 2025, CNIL issued €478 million in fines — a historic record. And the 2026 trend is even clearer: 32% of audited companies are SMEs and VSEs under 250 employees. CNIL officially announced small structures are in its sights.

Furthermore, one figure should worry even the most confident: 92% of companies declare GDPR compliant. Only 34% actually are according to CNIL audits. The gap between perception and reality is massive.

If your site collects personal data — which is almost universal: contact form, analytics cookies, newsletter — you're concerned. Here's what you need to know.


Who's Concerned? (Spoiler: Probably You)

GDPR applies to any organization collecting or processing personal data of people located in the European Union, regardless of:

  • Its size: a sole proprietorship is as concerned as an international group
  • Its location: an American company targeting French customers is concerned
  • Its sector: e-commerce, B2B, associative, institutional — all without exception

Personal data is any information directly or indirectly identifying a person: first name + email, IP address, phone number, location, browsing behavior if linked to an identifier.

In practice: if your site has a contact form, analytics tool (Google Analytics, etc.), advertising pixel or newsletter, you collect personal data.


Sanctions That Marked 2025 (And What They Announce for 2026)

Before listing obligations, a tour of recent sanctions illustrates what's at stake.

Digital giants:

  • Google: €325 million (CNIL, September 2025)
  • TikTok: €530 million
  • Shein: €150 million
  • Meta: €251 million + €91 million additional in 2025

French players:

  • Free: €42 million (January 2026, massive data breach)
  • American Express: €1.5 million for non-compliance with tracker rules
  • Condé Nast: €750,000 for non-compliant cookies

In total since 2018, over €4.6 billion in fines have been issued across Europe. And in 2026, regulatory convergence — GDPR + AI Act + NIS 2 + DSA — makes the landscape even more complex and risks even higher.

2026 novelty: GDPR sanctions can now be combined with the AI Act, bringing theoretical maximum to €35 million or 7% of global turnover for AI-related infractions.


What Your Site Must Imperatively Comply With

1. Clear and Accessible Privacy Policy

It's the most visible and one of the most often botched obligations. Your privacy policy must explain in clear language (not incomprehensible legal jargon):

  • What data you collect and why (purpose)
  • Who processes it: you, your providers (host, CRM, analytics tool)
  • How long you keep it
  • People's rights: access, rectification, erasure, portability, objection
  • How to exercise these rights: contact email, response time

Privacy policy must be accessible from all site pages — usually in footer. If someone clicks "Privacy Policy" and lands on copy-pasted text not matching your actual activity, it's non-compliant.

Cookie banner is the most visible GDPR element user-side — and one of the worst implemented.

What's mandatory:

  • User must be able to refuse as easily as accept. An "Accept all" button without equivalent "Refuse" button is illegal. Condé Nast was fined €750,000 exactly for this.
  • Consent must be free, specific, informed and unambiguous. A pre-checked box isn't valid consent.
  • Non-essential cookies (analytics, advertising, social media) can't be placed before user agreement.
  • Refusal must have real effect: if cookies are placed even after refusal, you're in violation.

Cookies always allowed without consent: Cookies strictly necessary for site operation (login session, shopping cart, language preferences).

GDPR requires personal data protected by appropriate technical and organizational measures. This isn't optional — it's a legal obligation.

Minimum expected for a website:

  • Mandatory HTTPS: all communications between browser and your server must be encrypted
  • Strong and hashed passwords: passwords must never be stored in clear text
  • Regular updates: CMS (WordPress, etc.), plugins and server must be updated
  • Regular backups: to restore in case of incident
  • Restricted access: only people needing data should have access

A non-updated WordPress site with obsolete plugins that gets hacked, causing your contacts' emails to leak, is a data breach you must report to CNIL within 72 hours.

4. Managing People's Rights

If someone contacts you to exercise their GDPR rights — access their data, have it modified, have it deleted — you must be able to respond within a maximum one month.

Rights to respect:

  • Access right: person can ask what data you hold on them
  • Rectification right: correct erroneous information
  • Erasure right ("right to be forgotten"): delete their data
  • Portability right: provide their data in readable format
  • Objection right: oppose certain processing (commercial solicitation notably)

Many companies have no internal process managing these requests. If someone requests data deletion and you can't do it within legal timeframe, you're in violation.

5. Data Retention Period

You can't keep personal data indefinitely. Retention period must be proportionate to processing purpose.

CNIL recommended periods:

  • Prospect data: 3 years after last contact
  • Customer data: 5 years after contract end (accounting obligations)
  • Connection data / technical logs: 1 year maximum
  • Received CVs without follow-up: 2 years maximum

Keeping prospect data in your CRM since 2018 without ever cleaning it is a latent GDPR violation.

6. Collection Forms

Each form collecting personal data must be accompanied by:

  • Information notice: who processes data, why, how long, and how to exercise rights
  • Explicit consent checkbox for marketing communications (newsletter, etc.) — not pre-checked
  • Mention of mandatory or optional character of each field

A contact form without GDPR notice is non-compliant. And if this form is used to then send newsletters, consent must have been explicitly collected.


2026 Regulatory Convergence: GDPR + AI Act

2026 marks full entry into application of the European AI Act for high-risk systems (planned for August 2026). This regulation directly concerns sites using AI tools:

  • Chatbots and virtual assistants: transparency obligation (indicate to user they're interacting with AI)
  • Recommendation or personalization systems
  • Behavioral analysis tools
  • Forms with automatic scoring

If your site uses these technologies, obligations stack and potential sanctions too.


How to Assess Your Compliance Level

CNIL provides a self-assessment guide allowing initial diagnosis. Here are essential questions:

On your data:

  • Do you know exactly what personal data you collect?
  • Do you know where it's stored (server, CRM, email tool)?
  • Do you know how long it's kept?

On your providers:

  • Have you signed a DPA (Data Processing Agreement) with each of them?
  • Are your providers based outside EU? If yes, additional guarantees are necessary.

On your site:

  • Does your cookie banner allow refusal as easily as acceptance?
  • Is your privacy policy up to date and accessible?
  • Is your site in HTTPS?
  • Do your forms include GDPR notices?

Cost of Compliance vs Cost of Sanction

GDPR compliance represents an investment — in time, legal advice, tools. For an SME, count between €2,000 and €10,000 for serious compliance depending on your processing complexity.

Compared to a simplified procedure fine (up to €20,000), ordinary procedure fine (up to €20 million or 4% of global revenue), reputational damage, and cost of managing a data breach, compliance is an infinitely rational investment.

"The cost of compliance is infinitely lower than the cost of sanction." — Source: CNIL


Conclusion: GDPR Compliance is Digital Hygiene

In 2026, respecting GDPR is no longer an option or heroic approach: it's basic digital hygiene, like putting your site in HTTPS or making regular backups.

✅ A clear and updated privacy policy ✅ A cookie banner with refusal as accessible as acceptance ✅ Secured data (HTTPS, hashed passwords, updates) ✅ A process to manage people's rights in under a month ✅ Defined and respected retention periods ✅ Forms with GDPR notices and explicit consent

And with AI Act's arrival, vigilance must extend to all AI uses on your site.

Put Your Site in Compliance

At NexIT, we support companies in their GDPR compliance: audit of your processing, drafting of legal notices and privacy policy, cookie banner configuration, and rights management process.

Better to act before an audit than react after a sanction.


Camille Beaucher — Your partner for compliant and secure web presence.

Request a GDPR audit of your siteDiscover our custom software services


Sources

Share this article: