
GDPR for Developers: What You Actually Need to Implement (Not the Legal Theory)

Most GDPR guides explain the regulation. This one explains the code. Here's what developers need to implement to comply, practically.

8 min read · February 5, 2026 · By FreeToolKit Team

GDPR applies to any website with EU visitors — not just EU companies. It's been in force since 2018 and enforcement has been increasingly active. The fines are real (GDPR fines have exceeded €4 billion total across all cases). Here's the practical implementation guide.

What actually needs consent

Strictly necessary cookies — session cookies, authentication tokens, shopping cart contents — don't require consent. They're essential for the service to function. Analytics cookies (Google Analytics), advertising cookies (AdSense, Facebook Pixel), and preference cookies require explicit consent before being set.

Cookie consent must be opt-in, not opt-out

The pre-ticked checkbox is illegal under GDPR. Consent must be freely given, specific, informed, and unambiguous. A banner that says 'By continuing to use this site, you accept cookies' does not constitute valid consent. Users must take an affirmative action (clicking 'Accept' or choosing specific categories) before you set non-essential cookies.

Google Consent Mode v2

If you use Google Analytics or AdSense, Google requires a Consent Mode v2 implementation for EU users (effective March 2024). This means calling gtag with a default consent state of 'denied' for analytics and ad_storage before the cookie banner (and any Google tag) loads, then updating it to 'granted' only if the user consents. This lets Google model behaviour for users who declined without collecting their personal data.
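The default-then-update sequence described above, written out as an added example (this is not code from the article or from Google's documentation). It assumes the banner reports two categories, analytics and advertising, and a `win` shim stands in for `window` so the file also runs outside a browser:

```javascript
// Added example: Google Consent Mode v2 default/update sequence.
// `win` stands in for `window` (assumption) so this also runs under Node.
const win = typeof window !== 'undefined' ? window : {};
win.dataLayer = win.dataLayer || [];
function gtag() { win.dataLayer.push(arguments); } // the queue shim Google documents

// Consent Mode v2 signals. Everything non-essential starts 'denied'; this
// call must run BEFORE the gtag.js / AdSense script tag and before the banner.
const CONSENT_KEYS = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

function consentDefault() {
  const state = Object.fromEntries(CONSENT_KEYS.map(k => [k, 'denied']));
  // wait_for_update: give the banner up to 500 ms to replay a stored choice
  gtag('consent', 'default', { ...state, wait_for_update: 500 });
  return state;
}

// Map the banner's category checkboxes to Consent Mode signals.
// `categories` is { analytics: bool, advertising: bool } (shape assumed for this example).
function consentUpdateFromBanner(categories) {
  const ads = categories.advertising ? 'granted' : 'denied';
  const update = {
    analytics_storage: categories.analytics ? 'granted' : 'denied',
    ad_storage: ads,
    ad_user_data: ads,
    ad_personalization: ads,
  };
  gtag('consent', 'update', update);
  return update;
}

// Effective state after replaying the queue: the last default/update for each
// key wins, and any key never mentioned stays 'denied'.
function effectiveConsent() {
  const state = Object.fromEntries(CONSENT_KEYS.map(k => [k, 'denied']));
  for (const args of win.dataLayer) {
    if (args[0] !== 'consent') continue;
    for (const k of CONSENT_KEYS) if (k in args[2]) state[k] = args[2][k];
  }
  return state;
}

// Gate for any code that sets non-essential cookies (e.g. loading a pixel script).
function mayLoadAnalytics() { return effectiveConsent().analytics_storage === 'granted'; }
```

The self-audit later in this article should show no analytics or advertising cookies until `consentUpdateFromBanner` has run with the matching category set to true.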

The right to erasure (right to be forgotten)

Users can request deletion of their personal data. You need a process — even if it's manual — to handle these requests. This means knowing where all user data is stored: your database, your analytics platform, your email provider, your CRM. Map your data flows before you have to handle a deletion request.

Data minimization

Don't collect data you don't need. If your app works with just an email address, don't ask for a phone number and address too. GDPR's data minimization principle says you should collect only what's necessary for your stated purpose. This also reduces your liability if you have a data breach.

Privacy policy requirements

Your privacy policy must state: what data you collect, why you collect it, how long you keep it, who you share it with, and how users can exercise their rights. It must be written in plain language — not legal jargon. Update it whenever your data practices change.

Quick self-audit

Open your browser's developer tools, go to Application > Cookies, and load your site's homepage without accepting cookies. If you see any third-party analytics or advertising cookies before user consent, you have a GDPR violation.


Tags: gdpr, privacy, compliance, web development, cookies