What Is GDPR? A Plain-English Guide for Website Owners

GDPR explained in plain English: what it stands for, who it applies to (including US businesses), the 7 principles, penalties, and cookie rules.


by Riad Us Salehin • 4 July 2026


GDPR is the European Union's data privacy law, enforceable since 25 May 2018. It governs how organizations worldwide collect, store, and process the personal data of people in the EU. Its reach is extraterritorial by design. A US business with no European office can owe compliance the moment an EU visitor lands on its site and gets tracked.

This guide covers what GDPR requires, who has to comply, the fines it carries, and what it changes about your cookie banner.

What Does GDPR Stand For and What Is It?

GDPR stands for General Data Protection Regulation, formally Regulation (EU) 2016/679. It is a European Union law that sets rules for how organizations handle personal data. Those rules cover collection, storage, use, and protection of data belonging to people in the EU and the European Economic Area. The EEA is the EU plus Iceland, Norway, and Liechtenstein.

Personal data is any information relating to an identified or identifiable person. It includes names, email addresses, IP addresses, and cookie identifiers. Data that has been irreversibly anonymized falls outside GDPR, because it can no longer be tied to a person.

The regulation exists to give individuals control over their own data. Before GDPR, EU data protection ran on a 1995 directive that predated smartphones, cloud storage, and behavioral advertising. GDPR replaced that directive with a single, directly enforceable regulation. It treats personal data as belonging to the person it describes, not the company that collects it.

When Did GDPR Take Effect?

GDPR entered into force on 24 May 2016 and became enforceable on 25 May 2018. The two-year gap gave organizations a transition period to update privacy policies, consent flows, and data-handling practices before regulators began issuing fines.

It replaced the EU's 1995 Data Protection Directive (95/46/EC), which set only minimum, inconsistently applied standards across member states. GDPR is a regulation, not a directive, so it applies directly and identically in every EU and EEA country.

Who Does GDPR Apply To? (Territorial Scope)

GDPR applies to any organization, anywhere in the world, that offers goods or services to people in the EU or EEA. It also applies to organizations that monitor EU residents' behavior, such as through analytics or ad tracking, and to any organization established in the EU.

The law defines two roles for organizations that touch personal data:

  • Data controller: decides why and how personal data is processed. For most website owners, this is you.
  • Data processor: processes data on the controller's behalf, following its instructions. A SaaS tool that stores your visitor data on your behalf is typically a processor.

Scope turns on where the person is, not their citizenship. An EU citizen living permanently in the US has no GDPR rights, while a US citizen living in the EU does. What matters is whether the person is located in the EU or EEA when their data is collected.

Does GDPR Apply to My US-Based Business?

Yes, if your US business offers goods or services to people in the EU, or monitors their online behavior. No European office or employee is required. Simply not blocking EU visitors from your site, or running analytics that track them, can be enough to bring you into scope.

A common misconception is that a US-only company is automatically exempt. It is not. Two conditions trigger GDPR for a non-EU business. The first is intentionally targeting EU customers, through localized pricing, EU-language ads, or shipping to EU addresses. The second is monitoring EU visitors' behavior, through cookies, IP tracking, or analytics. Even collecting an EU resident's email address for a marketing list counts as processing their personal data.

For example, a small web design firm in Denver serves mostly local clients. It still falls under GDPR the moment it runs analytics that track EU visitors to its site. No sale to Europe is required. Tracking alone is enough.

A genuinely US-only site, with no EU traffic and no EU targeting, generally falls outside GDPR. Once EU visitors start showing up in analytics or a prospect from the EU asks about compliance, that changes. The scope test tracks what an organization does, not where it is incorporated.

What Are the 7 Principles of GDPR?

GDPR sets seven principles for handling personal data, defined in Article 5:

  1. Lawfulness, fairness, and transparency: you need a valid legal basis to process data, and you must be clear with people about how you use it.
  2. Purpose limitation: collect data only for specified, legitimate purposes, and do not repurpose it without new permission.
  3. Data minimization: collect only the data you actually need for that purpose.
  4. Accuracy: keep personal data correct and up to date, and fix or delete inaccurate data.
  5. Storage limitation: do not keep identifiable data longer than necessary for its original purpose.
  6. Integrity and confidentiality: protect data with appropriate technical and organizational security measures.
  7. Accountability: you must be able to demonstrate compliance with all six principles above, not just follow them.

What Are the Lawful Bases for Processing Personal Data?

GDPR requires a lawful basis before you process anyone's personal data. Article 6 sets out six:

  • Consent: the person has given clear, affirmative agreement for a specific purpose.
  • Contract: processing is necessary to fulfill a contract with the person, or to take steps before entering one.
  • Legal obligation: processing is necessary to comply with a law.
  • Vital interests: processing is necessary to protect someone's life.
  • Public task: processing is necessary for an official function laid out by law.
  • Legitimate interests: processing serves your legitimate business interest, provided it does not override the person's rights.

Consent is the basis most websites rely on for non-essential cookies, marketing emails, and behavioral advertising. That is the basis your cookie banner exists to collect and document.

What Rights Does GDPR Give Individuals?

GDPR gives individuals eight specific rights over their own data. Articles 12 to 22 set out the full list.

  • Right to be informed: know what data is collected and why, in plain language.
  • Right of access: request a copy of the data an organization holds about them.
  • Right to rectification: correct inaccurate or incomplete data.
  • Right to erasure (right to be forgotten): ask for their data to be deleted.
  • Right to restrict processing: limit how their data is used without deleting it.
  • Right to data portability: receive their data in a structured, transferable format.
  • Right to object: object to processing based on legitimate interests or for direct marketing.
  • Rights related to automated decision-making: not be subject to a decision based solely on automated processing, including profiling, without human review.

The right to be forgotten is the right most website owners encounter directly, usually tied to an account deletion request or a marketing opt-out.

What Does GDPR Mean for Cookies and Your Website?

Under GDPR, working alongside the EU's ePrivacy Directive, websites must get freely given, informed, opt-in consent before setting non-essential cookies or trackers. Strictly necessary cookies, the ones required for the site to function, are exempt from consent but still need a plain-language explanation.

In practice, this means a website needs a consent banner that appears before non-essential cookies load. That banner must document each visitor's choice and let them withdraw consent as easily as they gave it. A site cannot block access to its content simply because a visitor declines optional cookies.

The principle is simple; the implementation is where sites trip up. The hard part is blocking every non-essential script until a visitor consents, without breaking analytics, embeds, or the page itself. That is why cookie banners have a reputation for being fiddly, and why most compliance gaps on small sites are technical, not legal. GDPR cookie consent requirements covers the banner mechanics in full, and GDPR is one of many international privacy laws websites must navigate worldwide.

What Are the Penalties for Breaking GDPR?

GDPR fines run up to EUR 20 million or 4% of a company's global annual turnover, whichever is higher, for the most serious violations. A lower tier caps at EUR 10 million or 2% of turnover.

TierMaximum fineExample violations
Lower (Art. 83(4))EUR 10 million or 2% of global annual turnover, whichever is higherMissing Data Protection Impact Assessments, poor record-keeping, no Data Protection Officer where required
Upper (Art. 83(5))EUR 20 million or 4% of global annual turnover, whichever is higherLack of valid consent, ignoring data subject rights, unlawful international data transfers

Regulators weigh factors including the violation's severity, whether it was intentional, and the company's cooperation before setting the actual fine. National data protection authorities enforce these penalties.

Who Enforces GDPR?

GDPR is enforced by independent national data protection authorities (DPAs) in each EU and EEA member state. The European Data Protection Board (EDPB) coordinates these DPAs to keep enforcement consistent across countries. France's CNIL and Spain's AEPD are two of the most active examples.

DPAs investigate complaints, audit organizations, and issue fines and corrective orders, including formal warnings, processing bans, and orders to delete unlawfully collected data.

How Is GDPR Different from the CCPA?

GDPR requires opt-in consent before processing personal data; the CCPA, California's privacy law, lets businesses collect data by default and requires an opt-out option instead.

GDPRCCPA
JurisdictionEU and EEA residents, anywhere in the worldCalifornia residents
Consent modelOpt-in before processingOpt-out ("Do Not Sell or Share")
Max penaltyEUR 20 million or 4% of global turnover2,500 to 7,500 USD per violation

California's CCPA is the closest US equivalent to GDPR. Its opt-out model means businesses can collect data first and let users decline later, the reverse of GDPR's consent-first approach.

How Consently Helps You Meet GDPR's Cookie Consent Requirements

Consently handles the cookie-consent slice of GDPR: an opt-in banner, automatic tracker scanning and blocking, and logs that prove what each visitor agreed to.

Getting GDPR's cookie rules right means covering three things at once. Ask before you track, block anything a visitor has not approved, and keep a record of that consent. Consently's GDPR cookie consent solution is built around that sequence.

The GDPR Opt-In cookie banner template ships with the ask-first flow GDPR requires. EU visitors see a genuine opt-in banner instead of an accept-by-default one, styled to match the site rather than looking bolted on. Automatic cookie scanning runs on install and finds every cookie and tracker on the site. It auto-blocks non-essential ones until a visitor consents, so nothing fires before permission is given. Consent logs then record each visitor's choice, timestamped, as audit evidence if compliance ever needs proving. No manual spreadsheet required.

This covers the cookie-consent piece of GDPR, not the entire regulation. Broader obligations, like handling data subject access requests and internal data mapping, sit outside what any cookie banner tool can do. Consently does not claim to replace legal advice on those fronts. Try Consently free and add a GDPR-ready cookie banner to your site in minutes.

FAQs

What is GDPR in simple terms?

GDPR is the EU's law requiring organizations to get permission before collecting people's personal data and to protect that data once they have it. It applies to any business with EU visitors or customers, not just companies based in Europe.

What does GDPR stand for?

GDPR stands for General Data Protection Regulation. It is the European Union's law governing how organizations collect, store, and process personal data belonging to people in the EU and EEA.

Does the US have a GDPR equivalent?

Not at the federal level. California's CCPA and CPRA are the closest US equivalents. They give state residents rights to access, delete, and opt out of the sale of their personal data. Unlike GDPR, they use an opt-out model instead of opt-in consent.

Do I need to follow GDPR if my business is outside the EU?

Yes, if you offer goods or services to people in the EU or monitor their online behavior. Physical presence in Europe is not required; targeting or tracking EU residents is what triggers GDPR.

What are the 7 main principles of GDPR?

Lawfulness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability. Every GDPR obligation traces back to one of these seven principles.

What is considered personal data under GDPR?

Any information relating to an identified or identifiable living person, including names, email addresses, IP addresses, and cookie identifiers. Data that has been irreversibly anonymized, so it can no longer be linked to a person, falls outside GDPR's scope.

What are the penalties for a GDPR violation?

Fines reach up to EUR 20 million or 4% of a company's global annual turnover, whichever is higher, for the most serious violations. A lower EUR 10 million or 2% tier applies to less severe breaches.

How do I know if my website is GDPR compliant?

At minimum, you need a lawful basis for every type of data you collect. You also need an opt-in cookie banner for non-essential cookies and a privacy policy explaining your data practices. Finally, visitors need a way to exercise their rights, including erasure and access requests. A step-by-step compliance guide walks through each requirement in order.

AUTHOR

Riad Us Salehin is the content lead at Dorik. He is a passionate content creator who lets the work speak for itself. Focused on taking brands and causes to the next level.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.