
GDPR website compliance: what a technical audit really reveals

EDPB CEF 2026, cookies before consent, Google Fonts, HTTP headers, privacy policy: what an external scan detects, what it cannot detect, and how to turn these signals into a billable service.

Key takeaways
  • A technical audit detects signs of GDPR non-compliance, it does not replace a DPO or a legal analysis.
  • Third-party cookies, Google Fonts, Analytics before consent, and missing HTTP headers are the most frequent signals.
  • The EDPB 2026 coordinated action targets transparency and information, points that are largely observable from an external scan.

In April 2026, France's CNIL announced its participation in the European Coordinated Enforcement Framework (CEF) led by the European Data Protection Board, dedicated this year to transparency and information obligations. Twenty-five European authorities take part. For a website, this means possible scrutiny of the privacy policy, the clarity of information shown to visitors, and the actual compliance of cookie banners.

For a freelancer or agency auditing client sites, this changes the scale of the topic. It is no longer a theoretical paragraph dropped into legal notices, it is a vigilance point that surfaces concretely in an audit report and that can justify a compliance engagement.

This article explains what a technical audit actually detects regarding a website's GDPR compliance, what it cannot detect, and how to turn these observations into a clear action plan for a non-technical client. The scope stays deliberately technical, not legal — the latter belongs to a DPO or a lawyer.

Technical GDPR audit: the 4 pillars detected from the outside (cookies, external resources, HTTP headers, privacy policy)

What a technical GDPR audit covers, and what it does not

Before talking about cookies or HTTP headers, you need to set the exact scope of a technical GDPR audit. The boundary with legal work is what distinguishes an honest service from marketing talk.

The technical scope observable from the outside

An external technical GDPR audit, conducted without back-office access, relies on analyzing what a visitor sees and what the browser loads. The scope is clear and limited to observable technical signals.

Analyzable from the outside: cookies dropped before and after consent, third-party resources loaded (fonts, scripts, pixels, iframes), HTTP headers related to security and confidentiality, the presence and accessibility of a privacy policy, the consent banner and its actual configuration, and whether HTTPS is enforced.

These elements represent the most visible surface of compliance. They are also the ones that surface first during a CNIL online inspection, since the authority examines what every visitor sees from their browser.

What stays outside the technical scope

An external audit cannot evaluate the records of processing activities, the actual legal basis of each collection, the appointment of a DPO, processor contracts, retention durations configured at the database level, internal data breach procedures, or the impact assessment (DPIA) for high-risk processing.

These topics belong to legal and organizational work. A freelancer or agency auditing a client site must stay honest about this boundary: a technical report identifies weak or strong signals, it does not deliver a global compliance certificate.

In audits run with Orilyt, I systematically state this point in the client summary: "this report covers observable technical aspects, it does not replace a legal analysis by a DPO or specialized lawyer." It is a precaution that protects the provider and prevents the client from believing that a good technical score means "everything is fine on the GDPR side."

Cookies and consent

The cookie remains the most visible point of a website's GDPR compliance. Detection is simple, correction is fast, and the stakes are immediately understandable to the client.

The rule as it stands in 2026

The rule remains the one set by France's CNIL in 2020 and confirmed since: cookies that are not strictly necessary to the functioning of the site (exempted audience measurement, cart, authentication, language preference) must obtain prior, free, informed, specific, and unambiguous consent.

Concretely, no advertising cookie, no Facebook pixel, no Google Ads tag should be dropped before the visitor clicks "accept." Refusing must be as easy as accepting, with a button of equivalent visual importance. The site must also allow withdrawing consent at any time, as easily as it was given.

Recurring errors detected in audits

In GDPR audits run on WordPress sites, three errors come up constantly. The first is dropping cookies before consent: Google Analytics, Meta Pixel, Hotjar, or LinkedIn Insight Tag keep tracking while the banner displays "accept or refuse." This is technically detectable by loading the page with a neutral browser (no prior cookies, no interaction with the banner) and inspecting the cookies that are already present.

The second is the ornamental banner: a strip that informs but does not actually allow refusal, with a single "OK" button or a "refuse" link buried in a menu. This case has been explicitly sanctioned by France's CNIL since its March 2021 recommendations.

The third is asymmetry: a large green "accept all" button and a small grey "settings" link below. France's Conseil d'État, in its June 28, 2022 decision, confirmed that this visual imbalance could undermine the free nature of consent.

These three points are detectable by a technical audit tool that inspects the page before and after interaction with the banner. That is exactly what Orilyt does in its GDPR tests.

What to document for the client

For a freelancer auditing a site, the cookie remains the most concrete friction point to surface to the client, because it is visible, verifiable, and quickly fixable through a compliant Consent Management Platform. The commercial argument speaks for itself: a cookie dropped before consent on a client site is a CNIL sanction risk that lands on the client, and a compliance fix that gets billed.

External fonts and resources

Beyond cookies, third-party resources loaded by a site are a GDPR audit angle often ignored, even though they transmit the visitor's IP address to servers outside the EU.

Google Fonts and the German 2022 ruling

In January 2022, the regional court of Munich ordered a website publisher to pay 100 euros to a visitor for having loaded a Google Fonts font from Google's servers, thereby transmitting their IP address to the United States without legal basis. The ruling set a precedent in Germany and was widely echoed in the European legal community.

In France, the CNIL has not taken such a frontal position, but the principle of minimizing transfers outside the EU still applies. The European regulation requires that any transfer of personal data to a third country rest on a solid legal basis: adequacy decision, standard contractual clauses, or explicit consent.

Commonly problematic external resources

A technical scan easily detects third-party resources loaded by a site. The most problematic in practice are Google Fonts on direct CDN (fonts.googleapis.com), Google Maps scripts loaded on every page when only one needs them, YouTube iframes integrated without "youtube-nocookie" mode, Gravatars on a WordPress blog that surface every commenter's IP address, and advertising pixels loaded before consent.

For each, the technical correction exists and is accessible. Google Fonts can be self-hosted. YouTube offers a cookieless mode. Gravatar can be disabled in WordPress settings. Advertising pixels must be governed by the CMP.
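To make the scan concrete, here is an added example (not Orilyt's code) that walks a page's HTML and maps the third-party hosts discussed above to the fix the article suggests; the host table, the `audit_resources` function and the sample page are constructed for illustration:

```python
"""Map a page's third-party resources to the fix the article suggests.
Added example, not Orilyt's code: THIRD_PARTY, audit_resources() and SAMPLE_HTML are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host suffix -> (what the resource is, the remediation discussed above).
THIRD_PARTY = {
    "fonts.googleapis.com": ("Google Fonts stylesheet", "self-host the font files"),
    "fonts.gstatic.com": ("Google Fonts font file", "self-host the font files"),
    "youtube.com": ("YouTube embed with cookies", "switch to youtube-nocookie.com"),
    "gravatar.com": ("Gravatar avatar", "disable avatars in WordPress settings"),
    "connect.facebook.net": ("Meta Pixel", "load it through the CMP, after consent"),
}
ACCEPTABLE = {"youtube-nocookie.com"}  # the fixed form of a finding above

class _ResourceCollector(HTMLParser):
    """Collects the URL of every tag that makes the browser fetch something."""
    ATTRS = {"script": "src", "link": "href", "iframe": "src", "img": "src"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        for name, value in attrs:
            if wanted and name == wanted and value:
                self.urls.append(value)

def _under(host, suffix):
    return host == suffix or host.endswith("." + suffix)

def audit_resources(html, site_host):
    """Return (host, description, remediation) per external resource; relative and same-origin URLs are skipped."""
    collector = _ResourceCollector()
    collector.feed(html)
    findings = []
    for url in collector.urls:
        host = urlparse(url, scheme="https").hostname  # also handles //host/path
        if not host or _under(host, site_host):
            continue
        if any(_under(host, ok) for ok in ACCEPTABLE):
            continue
        for suffix, (what, fix) in THIRD_PARTY.items():
            if _under(host, suffix):
                findings.append((host, what, fix))
                break
        else:  # unknown third party: report it so a human can review the transfer
            findings.append((host, "unclassified third-party resource", "review manually"))
    return findings

# Constructed sample: a typical WordPress showcase page.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/wp-content/themes/site/style.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head><body><iframe src="https://www.youtube.com/embed/abc123"></iframe>
<iframe src="https://www.youtube-nocookie.com/embed/abc123"></iframe>
<img src="https://secure.gravatar.com/avatar/0123abcd?s=64">
<img src="https://www.example.com/logo.png"></body></html>"""
```

Running `audit_resources(SAMPLE_HTML, "www.example.com")` reports the Google Fonts stylesheet, the Meta Pixel, the cookie-bearing YouTube embed and the Gravatar image, and ignores the local stylesheet, the site's own logo and the nocookie embed.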

The signal this sends to the client

With Orilyt, I regularly see sites that invested in a paid cookie banner and remain non-compliant because Google Fonts loads on every page. The banner becomes a false sense of security. For a freelancer, this is a perfect commercial angle: "your cookie tool is not enough, here are the three other points no one looked at on your site."

HTTP headers related to confidentiality

HTTP headers are the least visible part of a GDPR audit, and paradoxically the one that most differentiates a serious technical service from a standard legal audit.

What headers reveal

HTTP headers are sent by the server with each response. Several headers play a role in data confidentiality and security, and their absence is a negligence signal that is easily detectable.

Strict-Transport-Security (HSTS) forces the browser to use HTTPS for all future connections to the domain. Its absence can let an attacker intercept a first HTTP request and inject content. Content-Security-Policy (CSP) limits the sources from which the browser can load scripts, images, and fonts. Without CSP, a script injected through an XSS flaw can exfiltrate personal data to a third-party server. X-Content-Type-Options and X-Frame-Options reduce other classic attack surfaces.

Referrer-Policy controls what the browser transmits as origin information when navigating to another site. A "no-referrer" or "strict-origin-when-cross-origin" policy prevents leaking the full URL, which can contain sensitive parameters.
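As an added example (not Orilyt's code), here is a small checker that applies the rules just described to a captured set of response headers; the one-year HSTS threshold, the SAFE_REFERRER set and both sample responses are my own assumptions:

```python
"""Check response headers against the confidentiality baseline described above.
Added example, not Orilyt's code: HSTS_MIN_AGE, SAFE_REFERRER and both samples are assumptions."""

HSTS_MIN_AGE = 31536000  # one year, an assumed minimum
# Referrer-Policy values that never send the full URL to another origin.
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}

def hsts_max_age(value):
    """Return max-age (seconds) from an HSTS header value, or None if absent."""
    for directive in value.split(";"):
        name, _, number = directive.partition("=")
        if name.strip().lower() == "max-age" and number.strip().isdigit():
            return int(number)
    return None

def audit_headers(headers, https=True):
    """Return (severity, header, problem) findings for one response.
    `headers` maps names (any case) to values; `https` says whether the
    page came over TLS, since browsers only honour HSTS there."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if not https:
        findings.append(("high", "Strict-Transport-Security", "page served over plain HTTP, so HSTS cannot apply"))
    elif hsts is None:
        findings.append(("high", "Strict-Transport-Security", "missing: the next visit may start over plain HTTP"))
    elif (hsts_max_age(hsts) or 0) < HSTS_MIN_AGE:
        findings.append(("medium", "Strict-Transport-Security", f"max-age below {HSTS_MIN_AGE} seconds"))
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append(("high", "Content-Security-Policy", "missing: an injected script may load from any origin"))
    # Framing can be restricted by either header; CSP frame-ancestors takes precedence.
    if "frame-ancestors" not in csp.lower() and "x-frame-options" not in h:
        findings.append(("low", "X-Frame-Options", "no framing restriction (X-Frame-Options or frame-ancestors)"))
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("low", "X-Content-Type-Options", "missing or not 'nosniff'"))
    policies = {p.strip().lower() for p in h.get("referrer-policy", "").split(",")}
    if not policies & SAFE_REFERRER:
        findings.append(("medium", "Referrer-Policy", "missing or lets the full URL leak to other sites"))
    return findings

# Constructed samples: a stock server response and a hardened one.
WEAK_RESPONSE = {"Server": "nginx", "Strict-Transport-Security": "max-age=300",
                 "X-Content-Type-Options": "nosniff", "Referrer-Policy": "unsafe-url"}
HARDENED_RESPONSE = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
```

`audit_headers(WEAK_RESPONSE)` flags the short HSTS max-age, the absent CSP, the missing framing restriction and the leaky Referrer-Policy, while `audit_headers(HARDENED_RESPONSE)` returns no findings.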

Why this is a neglected angle in most audits

Most GDPR audits run by lawyers or DPOs do not look at HTTP headers. It is not their craft and it is not in their toolkit. Yet these headers participate directly in the technical and organizational measures imposed by Article 32 of the GDPR.

For a freelancer who audits, this is a strong differentiation angle. A report that lists missing headers, explains their role in accessible language, and quantifies the correction effort brings value the client will not find at their lawyer's or external DPO's. Orilyt integrates these checks into its Security category, alongside the SSL certificate and HTTPS redirect.

The link with 2026 developments

2026 compliance guides remind that France's CNIL now requires more precise access logs, generalized strong authentication, and documented data destruction policies. These requirements exceed the scope of an external scan, but HTTP headers remain the first level of publicly observable proof that a site takes technical security seriously.

Privacy policy and visitor information

This is the heart of the EDPB CEF 2026 coordinated action: verifying that sites actually inform their visitors about what is collected, by whom, for what purpose, and how to exercise their rights.

What the CEF 2026 action will examine

The EDPB coordinated action for 2026 specifically targets Articles 12, 13, and 14 of the GDPR. Participating European authorities will send questionnaires and inquiries to data controllers across various sectors to verify how they meet their transparency and information obligations.

For a website, this translates into very concrete questions: is the privacy policy accessible in one click from every page, does it mention the legal basis for each processing, does it list the data recipients, does it specify retention durations, does it indicate the possibility to contact the DPO and refer the matter to the CNIL in case of disagreement.

What a technical audit can verify

A technical audit cannot judge the legal quality of a privacy policy. It can however verify several factual elements: does the page exist, is it indexable, is it linked from the footer of every page, was it recently updated, does it mention the minimum expected elements (cookies, purposes, data subject rights, contact).

These checks are automatable and surface in an Orilyt report as vigilance points, not legal validations. It is an important nuance to convey to the client to avoid any misunderstanding about the scope of the audit.

The copy-paste trap

In audits run on SME sites, I regularly come across privacy policies that are copy-pastes of a generic template found online, sometimes with another company's name still visible in the text. It is a clear sign that the topic was not seriously addressed and that other compliance points have a good chance of being equally neglected.

For a freelancer, this is a solid commercial angle: propose a technical GDPR audit that surfaces these points, then steer the client toward a lawyer or DPO for the editorial and organizational part. The two services are complementary and sell well together.

Turning a GDPR audit into a billable service

Detecting is good. Selling the correction and continuous monitoring is better. The method holds in three simple principles.

The golden rule: do not play the lawyer

A freelancer or agency auditing a client site technically should never position themselves as a GDPR expert in the legal sense. It is not their craft, it exposes their professional liability, and it muddles the message to the client.

The right positioning is "technical signal detector." The audit surfaces clues, ranks them by severity, proposes realistic technical corrections, and steers toward the right interlocutors for the rest. This honesty about scope is paradoxically reassuring for the client: they understand what they are buying and what they are not.

Structure the report so it triggers a decision

A technical GDPR report benefits from a simple logic: severity → impact → correction → effort. For each surfaced point, the client must clearly see what it is, why it is a risk, how to fix it, and how much it costs in time or euros. That is the principle of the FIA method to present results that I apply in every Orilyt report.

This structure turns a technical diagnosis into a commercial proposal. The client does not receive an unintelligible list of alerts, they receive a hierarchical action plan they can approve or break into batches. To go further, I detailed in a dedicated guide how to structure an audit report for the client.

Concrete commercial value

A freelancer who sells a technical GDPR audit at 350 euros often opens the door to a monthly maintenance contract: a compliant cookie banner needs reconfiguring, Google Fonts need to be repatriated locally, HTTP headers must be adjusted at the server level. These are all micro-interventions that justify a recurring fee.

Orilyt offers unlimited audits starting at 39 euros per month on paid plans, which makes the model profitable even for a freelancer auditing five to ten client sites per month. For details, see Orilyt pricing.

Concrete sanctions and the 2026 stakes

Before selling a compliance fix, you need to know the exact figures to convey to the client and the year's regulatory dynamic.

The numbers to know

The GDPR provides for two levels of sanctions. Violations considered light (no records, no DPO appointed, insufficient privacy policy) can reach 10 million euros or 2% of global annual turnover. Serious violations (unlawful processing, unsecured transfer, total absence of consent) can reach 20 million euros or 4% of global annual turnover, whichever amount is higher.

For an SME, effective sanctions are proportionate, but they exist. 2026 guides report fines from a few thousand to several hundred thousand euros depending on severity. Beyond the amount, the publicity of the sanction and the injunction to comply within a constrained deadline are often more damaging than the fine itself.

Why 2026 is a turning point

Three dynamics converge this year and justify freelancers and agencies seizing the topic. The EDPB CEF 2026 coordinated action on transparency mechanically increases the probability of inspection on the privacy policy and cookie banner. The NIS2 directive, which entered into application in January 2026, broadens the perimeter of entities subject to cybersecurity obligations to SMEs with more than fifty employees in critical sectors.

Finally, the GDPR/AI Act convergence imposes increased vigilance on AI uses on the site side, especially for chatbots, automatic personalization, and visitor scoring.

What field experience says

Orilyt audits that surface GDPR problems almost always fit into one of these three scenarios. Recognizing them allows calibrating the service from the very first client meeting.

The three typical scenarios

The first is the classic SME WordPress site: cookie banner installed with a poorly configured free plugin, Google Analytics running before consent, Google Fonts loaded via CDN, no HTTP security header. The client thinks they are compliant because they "put up a banner," technical reality says otherwise.

The second is the e-commerce site: multiplication of advertising pixels (Meta, TikTok, Pinterest, Google Ads), consent not always enforced for every one of them, YouTube iframes full of cookies on product pages, Gravatar enabled on reviews. Flow complexity makes the technical audit particularly useful because it surfaces an exhaustive map.

The third is the well-managed institutional site: correct privacy policy, functional banner, HTTPS enforced, but one or two scripts inherited from an old version of the site keep loading and causing problems. The technical audit surfaces what humans no longer see because they know the site "by heart."

The lesson to draw

None of these three scenarios is solved with a single tool. A site's GDPR compliance is a continuous process that combines regular technical audit, human vigilance, and occasional legal expertise. Orilyt covers the first pillar, the other two remain the responsibility of the client or their counsel. This clear role distribution distinguishes a good technical GDPR audit from a sales pitch: it reassures the client, protects the provider, and lays the foundation for a lasting relationship.


Your most frequent questions

Is an Orilyt audit enough to prove my site's GDPR compliance?

No, and I am clear on this point. An Orilyt audit covers the technical aspects observable from the outside (cookies, third-party resources, HTTP headers, banner, accessibility of the privacy policy). It does not replace legal work on records of processing, processor contracts, the legal basis of each collection, or the impact assessment. GDPR compliance is a global topic combining technical, legal, and organizational dimensions. An audit is one brick among others.

What to do after receiving a GDPR audit that surfaces critical points?

The right approach unfolds in three steps. First, fix the purely technical points: cookie drops before consent, Google Fonts to repatriate locally, HTTP headers to add. Then, document the corrections in a dated note, useful in case of CNIL inspection. Finally, have the privacy policy reviewed by a DPO or lawyer for the points that exceed the technical scope.

Do GDPR sanctions really hit small sites?

Yes, even though very small structures are less exposed than large accounts. 2026 guides report sanctions ranging from a few thousand to several hundred thousand euros on SMEs. The probability of an inspection grows with site visibility, the volume of data collected, and the receipt of a user complaint. The EDPB CEF 2026 coordinated action on transparency mechanically increases the inspection surface for this year.

Does Orilyt detect issues related to data storage on a server outside the EU?

Partially. A technical audit can identify third-party resources loaded from American (Google, Meta, US CDNs) or non-European domains, which constitutes an indication of data transfer outside the EU. It cannot analyze where the client's internal databases are hosted, nor what their cloud processor contracts are. For this aspect, a review of providers and their standard contractual clauses is needed, which falls under legal work.

How much does GDPR compliance for a website cost?

The cost depends heavily on the initial state. For an SME showcase site with little processing, a technical compliance fix (cookies, fonts, headers, revised privacy policy) ranges between 500 and 2,000 euros. For an e-commerce or high-traffic site, work can exceed 5,000 euros, not counting external DPO fees. Orilyt pricing is available on the dedicated page.

Sources and references

  • CNIL, CEF 2026 coordinated action on transparency — official announcement of the European 2026 action on Articles 12, 13, and 14 of the GDPR.
  • CNIL, GDPR where to start — 4-step action plan and official compliance resources.
  • CNIL, cookies and trackers — official framework on consent to cookies.
  • CNIL, transparency and information — obligations from Articles 12 to 14 of the GDPR.
  • EDPB, official site of the European Data Protection Board — European reference on GDPR enforcement.