A Practical Guide to the GDPR Requirements List for Privacy Policies

Flowsery Team
4 min read

TL;DR — Quick Answer


A website privacy policy should explain who controls the data, what is collected, why, legal basis, recipients, retention, rights, transfers, cookies, analytics, and how people can contact you.

This guide walks through the GDPR requirements list for a website privacy policy in practical terms, with a focus on the decisions a privacy-first analytics setup forces you to document.

A privacy policy is not a decorative legal page. It is where a website explains what personal data it collects, why it collects it, who receives it, how long it is kept, and what rights people have.

For analytics-heavy sites, the privacy policy must be specific enough to describe tracking, cookies, pixels, events, vendors, and advertising uses. Vague language such as "we may collect information to improve services" is rarely enough.

GDPR Privacy Notice Requirements

GDPR Articles 13 and 14 set the transparency requirements: Article 13 applies when personal data is collected directly from the person, Article 14 when it is obtained from another source (a data broker, a partner, a public register). Both lists overlap heavily, so a practical privacy policy should include:

  • The controller's identity and contact details.
  • Data protection officer contact details, if applicable.
  • Categories of personal data collected.
  • Purposes of processing.
  • Legal basis for each purpose.
  • Legitimate interests, if relied on.
  • Recipients or categories of recipients.
  • International transfers and safeguards.
  • Retention periods or criteria.
  • Data subject rights.
  • Right to withdraw consent.
  • Right to lodge a complaint with a supervisory authority.
  • Whether data provision is required and consequences of not providing it.
  • Whether automated decision-making or profiling occurs.

The GDPR text is the authoritative starting point (GDPR Article 13, GDPR Article 14).

Analytics Disclosures

For web analytics, disclose:

  • Which analytics tools you use.
  • What data they collect.
  • Whether cookies or similar technologies are used.
  • Whether identifiers are persistent.
  • Whether IP addresses are stored or truncated.
  • Whether data is shared with vendors or ad platforms.
  • Whether data is used for cross-site advertising.
  • How users can opt out or change consent.
  • Retention period for analytics data.

If you use Google Analytics, Google states that Analytics uses cookies such as _ga to distinguish visitors (Google Privacy and Terms). Your policy should not imply that no identifiers are used if your implementation uses them.

If you use cookieless privacy-first analytics, say that clearly, but do not overclaim. Explain what is still collected, such as page URL, referrer, browser, device type, and approximate location.

Many websites combine a privacy policy with a separate cookie policy. Either structure can work if users can understand the information.

Your cookie disclosure should include:

  • Cookie or technology name.
  • Provider.
  • Purpose.
  • Duration.
  • Whether it is essential or optional.
  • Whether third parties receive data.
  • How preferences can be changed.

Regulators often treat analytics cookies as non-essential unless a narrow exemption applies. The UK ICO says organisations need a consent mechanism that lets users control non-essential cookies and similar technologies (ICO).

CCPA/CPRA Additions

If the CCPA applies, your notice also needs California-specific disclosures. The California Attorney General summarises consumer rights including access, deletion, correction, opt-out of sale or sharing, and limits on sensitive personal information (California OAG).

Covered businesses should address:

  • Categories of personal information collected.
  • Sources of personal information.
  • Business or commercial purposes.
  • Categories of third parties disclosed to.
  • Sale or sharing disclosures.
  • Sensitive personal information use.
  • Rights request methods.
  • Non-discrimination.
  • "Do Not Sell or Share" mechanisms where required.

Common Privacy Policy Mistakes

  • Listing tools that are no longer used.
  • Omitting tag manager pixels added by marketing.
  • Saying data is anonymous when it is pseudonymous.
  • Failing to mention international transfers.
  • Hiding retention behind "as long as necessary."
  • Forgetting session replay, heatmaps, A/B testing, and chat widgets.
  • Sending personal data in URLs while claiming minimal collection.
  • Not explaining consent withdrawal.

Practical Maintenance Workflow

Review the privacy policy whenever:

  • A new analytics or advertising tool is added.
  • A tag manager container changes.
  • A new region is targeted.
  • A vendor changes subprocessors.
  • A cookie banner changes.
  • Data retention settings change.
  • New events collect account or form-related data.

Privacy policies drift because websites drift. Keep a simple register of data collection points and compare it to the published notice every quarter.


The best privacy policy is easy to write because the data practices are simple. A privacy-first analytics setup with no cookies, no advertising sharing, no full IP storage, and aggregate reporting is easier to explain, easier to defend, and easier for visitors to trust.

Analytics Wording Should Match Reality

Avoid absolute claims unless the implementation supports them. "Anonymous analytics" is only accurate if data cannot reasonably identify a person. Many analytics systems are pseudonymous, not anonymous, because they use identifiers or can link activity over time.

Better wording is specific: "We use cookieless analytics to count aggregate page visits, referrers, device type, and country-level location. We do not use analytics cookies or sell analytics data." Then verify the configuration regularly.
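The pseudonymous-versus-anonymous distinction above is easiest to see in code. The following is an added example, not Flowsery's collector or any vendor's implementation: it contrasts the common "cookieless" visitor key (a salted hash of IP address and user agent) with an aggregate-only count over truncated IP addresses. The daily salt, the hit records and the user-agent strings are constructed for the example. The point it makes is that the hashed key sets no cookie yet still links one visitor's pageviews for as long as the salt lives, so a notice describing it as "anonymous" would overclaim; the aggregate counter keeps no per-visitor key at all.

```python
import hashlib
import ipaddress
from collections import Counter

# Assumed: a secret salt that the analytics backend rotates once a day.
DAILY_SALT = "2024-05-01|rotating-secret"

# Constructed hits, as a cookieless collector might receive them. Two come
# from the same browser on the same address.
HITS = [
    {"ip": "203.0.113.77", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0", "path": "/pricing"},
    {"ip": "203.0.113.77", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0", "path": "/signup"},
    {"ip": "203.0.113.12", "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) Safari/605.1.15", "path": "/pricing"},
]


def visitor_id(ip: str, ua: str, salt: str = DAILY_SALT) -> str:
    """The usual 'cookieless' visitor key: a salted hash of IP and user agent.

    No cookie is written, but the same visitor yields the same key for the
    life of the salt, so their pageviews can be tied together. That makes
    the record pseudonymous, not anonymous.
    """
    digest = hashlib.sha256(f"{salt}|{ip}|{ua}".encode()).hexdigest()
    return digest[:16]


def truncate_ip(ip: str) -> str:
    """Keep only the network part: a /24 for IPv4, a /48 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)


def journeys(hits) -> dict[str, list[str]]:
    """Per-visitor page sequences keyed by visitor_id. Linkable over time."""
    out: dict[str, list[str]] = {}
    for h in hits:
        out.setdefault(visitor_id(h["ip"], h["ua"]), []).append(h["path"])
    return out


def is_linkable(hits) -> bool:
    """True if any key ties two or more hits to one visitor."""
    return any(len(paths) > 1 for paths in journeys(hits).values())


def aggregate_counts(hits) -> Counter:
    """Counts per (path, truncated network) only. No per-visitor key is kept,
    so two hits cannot be attributed to the same person afterwards. This is
    the shape 'aggregate page visits' wording can honestly describe."""
    return Counter((h["path"], truncate_ip(h["ip"])) for h in hits)


if __name__ == "__main__":
    print("linkable:", is_linkable(HITS))  # True
    print("journeys:", journeys(HITS))
    print("aggregate:", aggregate_counts(HITS))
```

Rotating the salt limits how long the linkage lasts but does not remove it, and a /24 truncation still leaves a home or office network identifiable in small populations. Neither design justifies the word "anonymous" on its own; the honest notice names the key, the truncation and the retention period.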

Match the Policy to the Tag Inventory

Before publishing, compare the policy against a live crawl of your site. List every script, iframe, cookie, local-storage key, tracking pixel, chat widget, font provider, form tool, and embedded media service. Then check whether each item appears in the privacy policy, cookie notice, or vendor register with the same purpose and retention story.

This catches common drift. Marketing may remove a pixel but leave it in the policy, making the notice look scarier than reality. Or a new A/B testing script may appear without any disclosure. A quarterly tag-to-policy review keeps the public notice aligned with what visitors actually experience.

Policy Review Checklist

Before publishing the policy, document every analytics event collected, the decision it supports, whether it uses storage or identifiers, which vendors receive it, and when raw records expire. Then test the live site in a clean browser profile.

The policy is ready only when the notice, vendor register, consent behavior, and browser evidence tell the same story. If the network panel shows a tracker the policy does not explain, fix the implementation or the wording before launch.
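The tag-to-policy reconciliation described in the two sections above, as an added example that is not Flowsery's code or any scanner's output. It parses a constructed page for third-party scripts, iframes, pixels and stylesheets, takes a constructed cookie list standing in for what a clean browser profile showed, and diffs both against a constructed vendor register in both directions: observed but undisclosed (a launch blocker) and listed but no longer observed (stale wording). The first-party host, every vendor host, the cookie names and the register entries are assumptions. A real run would feed it the fetched HTML of each crawled URL and the cookies the browser actually set.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed first-party host; anything else is a third party to reconcile.
FIRST_PARTY = "www.example.com"

# Constructed page standing in for a live crawl of one URL. The Facebook pixel
# and the YouTube embed were added by marketing and never reached the policy.
SAMPLE_HTML = """
<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-ABC123"></script>
<script async src="https://static.hotjar.com/c/hotjar-1.js"></script>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Inter">
<script src="/assets/app.js"></script>
</head><body>
<iframe src="https://www.youtube.com/embed/abc123"></iframe>
<img src="https://www.facebook.com/tr?id=123456&ev=PageView" width="1" height="1">
</body></html>
"""

# Constructed: cookies present in a clean browser profile after the page loaded.
OBSERVED_COOKIES = {"_ga", "_hjSessionUser_1", "session_id"}

# Constructed register: what the published privacy and cookie notices say.
REGISTER = {
    "hosts": {
        "www.googletagmanager.com": "tag manager",
        "static.hotjar.com": "session replay and heatmaps",
        "fonts.googleapis.com": "web fonts",
        "cdn.segment.com": "event routing (removed from the site last quarter)",
    },
    "cookies": {
        "_hjSessionUser_1": "Hotjar visitor id, 365 days",
        "session_id": "essential login session",
        "optimizely_visitor": "A/B testing (tool no longer used)",
    },
}


class TagCollector(HTMLParser):
    """Collect (tag, host) for every resource a page pulls from another host."""

    URL_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

    def __init__(self, first_party: str):
        super().__init__()
        self.first_party = first_party
        self.found: set[tuple[str, str]] = set()

    def handle_starttag(self, tag, attrs):
        attr = self.URL_ATTRS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr) or ""  # boolean attrs like async carry None
        host = urlsplit(url).hostname       # None for relative first-party paths
        if host and host != self.first_party:
            self.found.add((tag, host))


def observed_hosts(html: str, first_party: str = FIRST_PARTY) -> dict[str, set[str]]:
    """Map each third-party host to the tag types that load it."""
    parser = TagCollector(first_party)
    parser.feed(html)
    out: dict[str, set[str]] = {}
    for tag, host in parser.found:
        out.setdefault(host, set()).add(tag)
    return out


def reconcile(hosts: dict, cookies: set, register: dict) -> dict[str, list[str]]:
    """Diff the live inventory against the register in both directions."""
    seen_hosts, listed_hosts = set(hosts), set(register["hosts"])
    listed_cookies = set(register["cookies"])
    return {
        "undisclosed_hosts": sorted(seen_hosts - listed_hosts),
        "stale_hosts": sorted(listed_hosts - seen_hosts),
        "undisclosed_cookies": sorted(cookies - listed_cookies),
        "stale_cookies": sorted(listed_cookies - cookies),
    }


def launch_ready(diff: dict[str, list[str]]) -> bool:
    """Block publication on anything observed but undisclosed. Stale entries
    are cleanup work for the notice, not a blocker."""
    return not diff["undisclosed_hosts"] and not diff["undisclosed_cookies"]


if __name__ == "__main__":
    hosts = observed_hosts(SAMPLE_HTML)
    diff = reconcile(hosts, OBSERVED_COOKIES, REGISTER)
    for key, items in diff.items():
        print(f"{key}: {items}")
    print("launch ready:", launch_ready(diff))
```

Static HTML only catches what the server sends; tags injected later by a tag manager container, and the `_ga` cookie that appears here without any disclosed host, are exactly the drift the network panel and cookie store of a clean profile exist to catch, which is why the example takes the cookie list as a separate input rather than deriving it from the markup.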
