What this page covers
A practical introduction to GDPR, CCPA, COPPA, implementation basics, and code examples that connect policy to actual website behavior.
Privacy & Compliance
Privacy & Compliance
Understand global privacy laws and learn how to implement them correctly - with real examples anyone can follow.
Best way to use it
Start with the quick checklist, then read the law summaries, and finally use the implementation and code sections to connect theory to action.
Why it matters
Privacy is not just policy text. It shapes when tags can fire, what data can move, and what proof your team needs during implementation or audits.
+ 5-Minute Compliance Checklist
Start here if you need to get compliant quickly. These are the essential steps every website should take:
1
Add a Privacy Policy
Create a page explaining what data you collect and why. Link it in your footer.
Example: "We use Google Analytics to understand how visitors use our site"
2
Install a Cookie Banner
Use a Consent Management Platform (CMP) to ask users for permission before tracking them.
Popular options: Cookiebot, OneTrust, or Google's Consent Mode
3
Respect User Choices
Only load tracking scripts (Google Analytics, Facebook Pixel, etc.) AFTER users give consent.
Use Google Tag Manager to gate your tags based on consent
4
Provide User Rights
Add a way for users to request their data or ask for deletion (email address is fine to start).
Example: privacy@yourcompany.com
5
Minimize Data Collection
Only collect what you actually need. Don't ask for phone numbers if you'll never call.
Less data = less risk = easier compliance
EU
GDPR - Europe's Privacy Law
In Plain English: If you have visitors from Europe, you need their permission before tracking them. Be transparent about what you collect and why.
Who Does This Apply To?
Any website or business that:
- Has visitors from EU countries (even if your business is elsewhere)
- Collects any personal data (emails, names, IP addresses, cookies)
- Offers goods or services to EU residents
Real-World Example
Wrong Way:
Your website loads Google Analytics automatically when someone visits from Germany. You don't have a cookie banner.
Right Way:
When someone from Germany visits, they see a banner: "We use cookies to improve your experience. Accept or Reject?" Google Analytics only loads if they click Accept.
What You Must Do
Get Consent First
Ask permission BEFORE setting cookies or tracking users. Pre-checked boxes don't count.
Be Transparent
Your privacy policy must explain: what data you collect, why you need it, who you share it with, and how long you keep it.
Honor User Rights
Users can request: access to their data, corrections, deletion, or a copy to take elsewhere.
Report Data Breaches
If you get hacked and user data is exposed, you must report it to authorities within 72 hours.
Pro Tip: Use Google Consent Mode v2 to keep measuring website performance even when users decline cookies. It uses privacy-safe modeling instead of individual tracking.
CA
CCPA / CPRA - California Privacy Rights
In Plain English: California residents can see what data you have about them, ask you to delete it, and stop you from selling it to others.
Who Does This Apply To?
Businesses that meet ANY of these criteria:
- Annual revenue over $25 million
- Buy, sell, or share data of 100,000+ California residents
- Get 50%+ of revenue from selling personal data
Real-World Example
Scenario: You run an e-commerce site and share customer emails with Facebook for ad targeting.
Wrong Way:
No mention of data sharing. No way for users to opt out.
Right Way:
Your homepage has a "Do Not Sell My Personal Information" link. When clicked, you stop sharing that user's data with Facebook and other partners.
What You Must Do
Add "Do Not Sell" Link
Must be on your homepage or in your footer. When clicked, stop sharing their data with third parties.
Handle Data Requests
Users can request: what data you have, who you shared it with, and deletion. You have 45 days to respond.
Update Privacy Policy
List all categories of personal data you collect and all third parties you share it with.
13
COPPA - Protecting Children Online
In Plain English: If your website or app is for kids under 13, you need parental permission before collecting ANY personal information.
Real-World Example
Scenario: You create a kids' game app that lets children create accounts.
Wrong Way:
Kids can sign up with just an email. You show them personalized ads based on their gameplay.
Right Way:
Kids enter their parent's email. Parents get a verification email and must approve the account. No personalized ads or tracking. Only show age-appropriate, contextual ads.
What You Must Do
Get Parental Consent
Before collecting emails, names, photos, or location from kids under 13.
No Behavioral Tracking
Don't track kids across websites or build profiles for targeted advertising.
Keep Data Secure
Use encryption and limit who can access children's data.
Important: YouTube, TikTok, and most social media require users to be 13+ for this reason. If your service is for kids, disable all tracking by default.
Other Privacy Laws to Know
IN
DPDP - India
India's Digital Personal Data Protection Act is similar to GDPR but with some differences.
Get consent before processing data
Allow users to access and delete their data
Document how you transfer data outside India
BR
LGPD - Brazil
Brazil's General Data Protection Law (LGPD) is heavily inspired by GDPR.
Have a legal basis for data processing
Appoint a data protection officer
Report data breaches to authorities
01 How to Actually Implement This
Step 1: Add a Cookie Consent Banner
Use a Consent Management Platform (CMP) to show a banner and collect user choices.
Popular CMPs (pick one):
What this does: Shows a banner asking users to accept/reject cookies. Stores their choice and tells your tracking tools whether they consented.
Step 2: Only Load Tracking After Consent
Use Google Tag Manager to control when tags fire based on user consent.
In Google Tag Manager:
- Create a trigger that only fires when consent is granted
- Apply this trigger to your Google Analytics, Facebook Pixel, etc.
- Test in Preview mode to verify tags don't fire without consent
Pro Tip: Essential cookies (like shopping cart) don't need consent. Only marketing and analytics cookies do.
Step 3: Write a Clear Privacy Policy
Your privacy policy should explain in plain language:
- - What data you collect (emails, names, browsing behavior)
- - Why you collect it (to send newsletters, improve the site)
- - Who you share it with (Google Analytics, email provider)
- - How users can request deletion or access
Template generators: Use tools like TermsFeed or FreePrivacyPolicy to create a basic policy, then customize it.
Tips Code Examples You Can Use
Google Consent Mode v2 Setup
Add this to your website's <head> section BEFORE any tracking scripts:
<script>
// Set default consent state (denied until user accepts)
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('consent', 'default', {
'ad_storage': 'denied',
'ad_user_data': 'denied',
'ad_personalization': 'denied',
'analytics_storage': 'denied'
});
</script>
When user accepts cookies, update consent:
gtag('consent', 'update', {
'ad_storage': 'granted',
'ad_user_data': 'granted',
'ad_personalization': 'granted',
'analytics_storage': 'granted'
});
Check Consent in Google Tag Manager
Create a custom JavaScript variable in GTM to check if user gave consent:
function() {
// Check if analytics consent was granted
var consent = {{Consent State}}; // Your CMP variable
return consent && consent.analytics === true;
}
Use this variable as a trigger condition for your GA4 tag.
Basic Cookie Banner (HTML + JS)
A simple banner you can customize:
<div id="cookie-banner" style="position:fixed;bottom:0;left:0;right:0;background:#1e293b;padding:20px;display:none;">
<p style="color:white;margin:0 0 10px 0;">
We use cookies to improve your experience.
<a href="/pages/privacy.php" style="color:#a78bfa;">Learn more</a>
</p>
<button onclick="acceptCookies()" style="background:#8b5cf6;color:white;padding:8px 16px;border:none;border-radius:4px;cursor:pointer;">
Accept
</button>
<button onclick="rejectCookies()" style="background:#475569;color:white;padding:8px 16px;border:none;border-radius:4px;cursor:pointer;margin-left:10px;">
Reject
</button>
</div>
<script>
function acceptCookies() {
localStorage.setItem('cookieConsent', 'accepted');
document.getElementById('cookie-banner').style.display = 'none';
// Load your tracking scripts here
gtag('consent', 'update', {'analytics_storage': 'granted'});
}
function rejectCookies() {
localStorage.setItem('cookieConsent', 'rejected');
document.getElementById('cookie-banner').style.display = 'none';
}
// Show banner if no choice was made
if (!localStorage.getItem('cookieConsent')) {
document.getElementById('cookie-banner').style.display = 'block';
}
</script>
Resources Helpful Resources
Official Guides
Need Help?
Privacy compliance can be complex. If you're handling sensitive data or have a large user base, consider consulting with a privacy lawyer or data protection officer.
This guide provides general information and is not legal advice. Laws change frequently, so always verify current requirements.