Does Your Website Pass a GDPR Check? Here’s How to Find Out in 5 Minutes.

Five free checks you can run on your own website right now to find GDPR violations, email spoofing risks, and security gaps. No technical skills needed.

Nicholas Hartnell · 18 March 2026 · 7 min read

You don’t need to hire anyone to check this. You don’t need any special software. Everything below uses your web browser and a couple of free websites. Takes about five minutes.

I run these checks on every audit I do. They’re the same checks the ICO would run if someone complained about your site. Here’s how to do them yourself.

Check 1: Are you tracking visitors before they consent?

This is the most common issue I find. On every single audit I’ve done so far, tracking scripts fire before the cookie consent banner appears. Every one.

Here’s how to check:

  1. Open your website in Chrome or Firefox
  2. Right-click anywhere on the page
  3. Click “View Page Source”
  4. Press Ctrl+F to open the search bar
  5. Search for gtag or googletagmanager or fbq
  6. Write down the line number where you find it
  7. Now search for consent or cookie
  8. Write down that line number

If the tracking script is on a lower line number, the browser reaches it first. That means it runs before the consent banner’s code has even loaded, let alone before anyone has clicked accept. Under PECR, that’s not allowed. Non-essential cookies need explicit consent before they’re set.

I found one business where their Facebook Pixel was on line 15 and the cookie consent didn’t load until line 60. They’d been tracking every visitor without consent for over a year.
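To take the guesswork out of comparing line numbers by hand, here is an added Python example (not part of the original article) that parses a saved copy of a page’s source, lists every script tag in the order the browser reaches it, and reports any tracking script that appears before the first consent or cookie script. The search terms are the ones from this check; the sample page source and the IDs in it are constructed placeholders.

```python
from html.parser import HTMLParser

TRACKER_MARKERS = ("gtag", "googletagmanager", "fbq")  # search terms from Check 1
CONSENT_MARKERS = ("consent", "cookie")

class ScriptOrderParser(HTMLParser):
    """Collects every <script> in source order as (line number, src URL + inline body)."""
    def __init__(self):
        super().__init__()
        self.scripts, self._current = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":   # getpos() gives the line the tag starts on
            self._current = [self.getpos()[0], dict(attrs).get("src") or ""]
    def handle_data(self, data):
        if self._current is not None:   # inline script body arrives here
            self._current[1] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(tuple(self._current))
            self._current = None

def audit_script_order(html):
    """Return (line numbers of tracking scripts that precede the first consent/cookie
    script, line number of that consent script or None if the page has none)."""
    parser = ScriptOrderParser()
    parser.feed(html)
    parser.close()
    consent_line, early_trackers = None, []
    for line, text in parser.scripts:
        text = text.lower()
        if any(m in text for m in TRACKER_MARKERS):   # checked first: gtag snippets mention "consent" too
            if consent_line is None:   # nothing consent-related has loaded yet
                early_trackers.append(line)
        elif consent_line is None and any(m in text for m in CONSENT_MARKERS):
            consent_line = line
    return early_trackers, consent_line

# Constructed sample page source (not a real site): Pixel and gtag sit in <head>,
# the consent script is only added at the end of <body>. IDs are placeholders.
SAMPLE_SOURCE = """<!doctype html>
<html><head><title>Example shop</title>
<script>
  fbq('init', '000000000000000'); fbq('track', 'PageView');
</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
</head><body>
<p>Welcome.</p>
<script src="/js/cookie-consent.js"></script>
</body></html>
"""
```

Save your own page source to a file, read it in and pass the text to audit_script_order(); on SAMPLE_SOURCE it returns ([3, 6], 9), meaning two tracking scripts on lines 3 and 6 load before the consent code on line 9.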

Check 2: Do you have a privacy policy?

Go to your website and look for a link to your privacy policy. Click it. Does the page actually load?

You’d be surprised. I audited a school website where the privacy policy link returned a 404 error. Page not found. They were collecting data through analytics and cookies but had no privacy policy at all.

If you collect any personal data — and if you use Google Analytics, you do — you need a privacy policy that explains what you collect, why, how long you keep it, and who you share it with. It needs to be on your website, accessible from every page.

Check 3: Does your cookie banner actually work?

Load your site in a private/incognito window. Does a cookie banner appear? Good start.

Now look at what it says. Does it give you a genuine choice — accept, reject, or manage preferences? Or does it just say “we use cookies, continue browsing to accept”?

The second option isn’t valid consent under UK GDPR. Consent has to be a clear, affirmative action. Continuing to browse isn’t that. And there has to be an option to reject non-essential cookies that’s as easy to find as the accept button. No dark patterns, no hiding the reject option behind three clicks.

Also: does rejecting cookies actually stop the tracking? On most sites I audit, it doesn’t. The tracking already fired before the banner appeared, so clicking reject does nothing. The data has already been sent.

Check 4: Can someone spoof your emails?

Go to mxtoolbox.com. Type in your domain. Click “MX Lookup.”

Then check these:

I’ve audited businesses that send invoices and order confirmations from their domain with no email authentication at all. A scammer could send a fake invoice to their customers that looks completely legitimate. Most email providers wouldn’t flag it.

Check 5: What’s your security header score?

Go to securityheaders.com. Type in your website URL. Hit scan.

You’ll get a grade from A+ to F.

Most small business websites score F. Not because they’ve been configured badly, but because security headers haven’t been configured at all. Nobody thought about it during the build.

The important ones are:

If you’re missing all of these, your site is more vulnerable than it needs to be. Any decent web developer can add them in about 20 minutes.

What to do with the results

If you failed all five checks, you’re in the same boat as about 90% of small businesses. Don’t panic. None of this means you’ve been hacked or you’re about to be fined.

But it does mean there are gaps, and the longer they stay open, the higher the risk. Some of these fixes are free and take minutes. Others need a developer. The important thing is knowing they exist.

If you want someone to run through all of this properly and give you a full report with step-by-step fix instructions, that’s what we do. It’s free. No invoice, no catch.

Get a free, independent website audit

We’ll run all five of these checks and more, then send you a plain English report with step-by-step fix instructions. Free, no obligation.
