No website or tool is "GDPR compliant" on its own. A stack becomes compliant when every non-essential tool is configured correctly, gated behind valid user consent, and covered by a Data Processing Agreement. Most third-party tools, including analytics, advertising pixels, and chat widgets, need consent before they load.
This page answers whether your stack is GDPR compliant and shows which tools need consent using a category-by-category checklist. It explains what triggers consent and what does not, covers the DPA obligation, and links to a per-tool deep dive for every common tool category.
Is Your Tech Stack GDPR Compliant? The Short Answer
Your stack is GDPR compliant when four conditions are met. You have a lawful basis (usually consent) for every tool that processes personal data. Non-essential cookies and scripts are blocked until the visitor consents. You disclose data use in a privacy and cookie consent policy, and you hold a Data Processing Agreement with each vendor.
An automated compliance scanner can flag missing pieces: cookies set before consent, a missing banner, or an absent policy. But a scanner cannot certify legal compliance. It cannot assess your lawful basis, your DPAs, or your internal data handling, so the final steps are always manual. The scanner finds gaps; you fix them.
Why No Single Tool Is "GDPR Compliant" on Its Own
"GDPR compliant" describes how you USE a tool, not the tool itself.
Take the same Google Analytics installation on two sites. On one it is compliant: blocked until consent, DPA signed, privacy policy accurate. On the other it is not: loaded on every page before consent, no DPA, personal data sent by default. The tool has not changed. The configuration has.
Under the GDPR and related data privacy laws, your site is usually the "data controller." You decide why and how personal data is processed. Most third-party tools (Google Analytics, Meta Pixel, HubSpot, Mailchimp) are "data processors" that handle data on your behalf. You stay responsible for how those processors treat the data you send them. That responsibility does not transfer when you sign a DPA or install a tag.
Which Tools in Your Stack Need Consent? (The Stack Checklist)
Here are the tool categories most websites run, and what each one typically needs before loading.
| Tool category (example) | What it typically sets or does | Needs consent before loading? | Learn more |
|---|---|---|---|
| Analytics (Google Analytics) | Analytics cookies; sends user data to Google | Yes | Is Google Analytics GDPR compliant? |
| Tag managers (Google Tag Manager) | Fires other tags and scripts | Yes (gate the tags it loads) | Is Google Tag Manager GDPR compliant? |
| Advertising pixels (Meta Pixel) | Ad and tracking cookies; sends data to the network | Yes | Is the Meta Pixel legal? |
| CRM (HubSpot) | Tracking cookies and form data | Yes for tracking and forms | Is HubSpot GDPR compliant? |
| Email marketing (Mailchimp) | Signup forms and tracking pixels | Yes for tracking; forms need clear opt-in | Is Mailchimp GDPR compliant? |
| Forms and surveys (Typeform) | Embedded form cookies | Often (embedded tracking) | Is Typeform GDPR compliant? |
| Live chat (Intercom) | Chat and tracking cookies | Yes | Is Intercom GDPR compliant? |
| Video and embeds (YouTube) | Sets cookies when the embed loads | Yes (unless privacy-enhanced mode) | Are YouTube embeds GDPR compliant? |
| Ecommerce (Shopify) | Essential cart cookies plus marketing and analytics | Essential: no. Marketing and analytics: yes | Is Shopify GDPR compliant? |
| CMS (WordPress) | Depends on plugins and themes added | Yes for any non-essential plugin tracking | Is WordPress GDPR compliant? |
Strictly necessary cookies (login sessions, shopping carts, security tokens) do not need consent. Almost every tool in the marketing, analytics, and advertising categories does.
What Triggers Consent (and What Does Not)
Under the GDPR and the ePrivacy Directive, consent is required before any non-essential cookie or tracker loads. The official gdpr.eu guidance sets the rule. You need consent "before you use any cookies except strictly necessary cookies."
These tools need consent, so they load only after the visitor opts in.
- Analytics cookies and scripts, including Google Analytics and heatmap tools
- Advertising and retargeting pixels, including the Meta Pixel and LinkedIn Insight Tag
- Social media widgets and video embeds that set cookies when they load
- A/B testing tools that fingerprint or track users across sessions
- CRM and live chat tracking cookies
- Third-party fonts and CDN resources that set identifiers or log IP addresses as personal data
These cookies are strictly necessary, so they do not need consent.
- Session and login authentication cookies
- Shopping cart and checkout cookies
- Security and CSRF protection tokens
- Load-balancing cookies that route requests to servers
- Consent-state storage (the cookie recording what the visitor chose)
Two failures are the most common: loading a tracker before the banner appears, and using pre-checked opt-in boxes. The ICO is explicit that you "cannot set non-essential cookies" before the user has consented. Pre-ticked boxes also fail, because valid consent needs an "unambiguous positive action."
The Role of a Data Processing Agreement (DPA)
Consent and cookie blocking handle the cookie layer. GDPR also requires a written Data Processing Agreement with every tool that processes personal data on your behalf. Under GDPR Article 28, a DPA sets out what data is processed, for what purpose, and what each side must do to protect it. You, as the controller, remain responsible even after a vendor signs a DPA.
Most reputable SaaS tools publish a standard DPA you can accept through their settings or data-processing addendum page. International tools should also document transfer safeguards, such as Standard Contractual Clauses, covering personal data that flows outside the EU or UK.
A cookie banner does not replace a DPA. They address different obligations: the banner handles user consent for cookies, while the DPA governs the legal relationship between your site and the tool's servers. Both are required.
Is X GDPR Compliant? Check Each Tool in Your Stack
Want the verdict for a specific tool? The checklist table above links to each tool's spoke page, grouped here by category with the one thing to watch for each.
Analytics and tag management tools track behavior and fire other scripts.
- Google Analytics: blocked by default until consent, DPA with Google required
- Google Tag Manager: the container itself may not set cookies, but the tags it fires often do
Advertising pixels load tracking scripts on page load.
- Meta Pixel: high-risk for consent failures; loads pixel scripts on page load by default
Marketing and CRM tools combine tracking cookies with form data.
- HubSpot: tracking cookies and forms both require consent
- Mailchimp: tracking pixels in emails and embedded signup forms each have distinct requirements
Forms and chat widgets load cookies the moment a visitor arrives.
- Typeform: embedded forms often load tracking cookies
- Intercom: chat widget loads cookies and fingerprints sessions on arrival
Embeds and platforms vary by configuration and installed extensions.
- YouTube embeds: standard embed URL sets cookies; youtube-nocookie.com reduces but does not eliminate the obligation
- Shopify: core checkout cookies are essential; marketing apps and analytics are not
- WordPress: the CMS itself is minimal; installed plugins determine the consent footprint
For the full analysis of each tool, the consent configuration required, and whether a DPA is available, follow the spoke links in the checklist table.
How a Consent Management Platform Makes Your Stack Compliant-Ready
A consent management platform handles the hardest part of stack compliance: finding every third-party script in your stack and blocking it until the visitor consents.
Consently scans your site automatically to detect the cookies, trackers, scripts, and iframes each tool sets. It then auto-blocks those non-essential tools before consent, covering cookies, scripts, and iframes in one pass. It also shows the right banner template per region. EU and UK visitors see a GDPR opt-in template, and US visitors see an opt-out template where applicable.
Two additional features close the documentation gaps the GDPR requires. Consent logs record a timestamped entry for each visitor's choice, giving you an audit trail for compliance reviews. The policy generator produces cookie policies and privacy policies to satisfy the disclosure requirements. Consently also sends consent signals via Google Consent Mode v2, so GA4 and Google Ads receive consent status before firing.
Honesty matters here. A CMP handles the consent and blocking layer. It does not sign your Data Processing Agreements with your tool vendors. It does not change how a vendor processes data on its own servers or where it transfers that data. It does not by itself make your site "GDPR compliant." Policy generators are assistance in drafting disclosure language, not legal advice. If you are unsure whether your configuration meets the legal standard, consult a qualified privacy professional.
Try Consently free and run your first stack scan to see which tools are loading before consent.
FAQs
How do I know if my website is GDPR compliant?
Confirm four things. Every non-essential tool is blocked until consent. You publish a privacy and cookie policy and keep consent records. You hold a DPA with each vendor that processes personal data. An automated scanner flags gaps but cannot certify legal compliance.
Which tools on my website need cookie consent?
Consent is required before loading analytics tools (Google Analytics), advertising pixels (Meta Pixel), and tag managers (Google Tag Manager). It is also required for most CRM and email tracking scripts, live chat tools (Intercom), and cookie-setting embeds (YouTube). Strictly necessary cookies, including login sessions, shopping carts, and security tokens, do not need consent.
Is Google Analytics GDPR compliant?
Only with the right setup. You must block it until the visitor consents, configure it to minimize personal data, and hold a signed DPA with Google. By default, GA4 loads and collects data before any consent interaction, which is non-compliant. The checklist table above links to the full Google Analytics breakdown.
Do I need a DPA with every tool I use?
Yes, with every tool that processes personal data on your behalf as a data processor. Most reputable vendors publish a standard DPA you can accept in their settings. You, as the data controller, remain responsible for the processing that happens on their servers even after signing.
Does a cookie banner make my website GDPR compliant?
No. A banner handles user consent for cookies, which is one requirement. Compliance also requires a privacy policy that discloses your data practices. It needs valid opt-in checkboxes on forms with no pre-ticked boxes. It also needs a way for users to exercise their data rights, plus DPAs with your processors.
Are first-party tools exempt from consent?
Not automatically. Whether a cookie needs consent depends on whether it is strictly necessary, not on who set it. A first-party analytics cookie you set on your own domain still requires consent. A first-party login session cookie does not. The "first-party" label refers to the domain that sets the cookie, not whether the processing is optional.
What happens if a third-party tool loads before consent?
It sets cookies or transmits personal data without a lawful basis. Under the GDPR and ePrivacy Directive, that is a violation before any user has seen your banner. The technical fix is to auto-block the tool's script or iframe until the visitor gives consent. Retroactive consent does not cover data collected before the consent event.

