Lesson 5.3

Legal and Compliance: GDPR, Cookie Consent, Privacy Laws Without Tears

Meet core privacy obligations - GDPR, cookie consent and key US and Swiss laws - without legal overwhelm

26 min · Quality, Security and the Agent-First Business · Available

What you learn

  • The GDPR, UK GDPR, Swiss revFADP and CCPA/CPRA landscape in plain language
  • Lawful basis, real consent, cookie banners done right and Global Privacy Control
  • Privacy policy and imprint, data export and deletion rights, and when you need a DPA

Summary

Privacy law sounds terrifying and is mostly common sense written down. Collect only what you need, tell people what you collect and why, get real permission before you track them, and let them see and delete their data on request. GDPR, the UK GDPR, the Swiss revFADP and the US state laws all share that core. This lesson translates the landscape into a short list of things you actually build, with a plain-words note that none of it is legal advice - when in doubt, ask a lawyer.

What you will learn

You will learn the shared core of the major privacy laws, what "lawful basis" and "real consent" mean in practice, how to build a cookie banner that complies (including honouring Global Privacy Control), what your privacy policy and imprint must contain, how to handle data export and deletion requests, and the simple test for when you need a Data Processing Agreement.

Prerequisites

A product that collects any user data - an email signup, an account, analytics - from Course 3 or your own project, since compliance is about how you handle that data. No legal background needed. This lesson is practical guidance, not legal advice; for anything high-stakes, get a professional to review your specific situation.

The problem

Most small builders do one of two wrong things. They either ignore privacy law entirely until a user or a regulator asks an uncomfortable question, or they freeze, convinced compliance needs a legal department they cannot afford. The truth sits in between: a solo founder can be genuinely compliant by following a handful of principles and shipping a few standard pages and a working consent banner. The cost of getting it wrong - fines, takedowns, lost trust - is far higher than the afternoon it takes to get it right.

The landscape in plain words

You do not need to memorise every law. They rhyme. Build to the strictest common denominator - effectively GDPR plus US opt-out rights - and you are covered almost everywhere.

  • GDPR (EU) and UK GDPR: the strict baseline. You need a lawful basis to process personal data, must be transparent, must minimise what you collect, and must honour access and deletion rights. Applies whenever you have EU or UK users, wherever you are based.
  • Swiss revFADP: the revised Swiss Federal Act on Data Protection. Closely aligned with GDPR, so meeting GDPR largely covers it. Relevant if you serve Swiss users.
  • CCPA and CPRA (California) and the wave of other US state laws (Virginia, Colorado, and more): consumer-rights based. Built around the right to know, to delete, and to opt out of the sale or sharing of personal data.
  • Practical rule: design to GDPR, add a clear opt-out for US users, and you satisfy the strictest common denominator across all of them.

Policy, imprint, and user rights

A few standard pieces make you compliant and trustworthy. They are boring to write and you only do it once.

  • Privacy policy: in plain language, say what you collect, why, the lawful basis, who you share it with (your processors), how long you keep it, and how to contact you or complain. Link it in your footer.
  • Imprint / legal notice: required in places like Germany, Austria and Switzerland. State who is behind the site - name, address and contact - so visitors know who they are dealing with.
  • Right to access and delete: a user can ask for a copy of their data and ask you to delete it. Build a path to honour both. Even a manual process is fine at small scale, but you must actually do it within the legal window.
  • Data export: be able to hand a user their data in a portable format. If your database is clean (Course 3), this is a query, not a project.

When you need a DPA

A Data Processing Agreement is a contract between you and a company that handles personal data on your behalf - your hosting, your database, your email sender, your analytics provider. Under GDPR you need a DPA in place with every such processor. The good news: reputable providers publish a standard DPA you simply accept, often automatically in their terms. The practical test is "does this third party touch my users' personal data?" If yes, find and accept their DPA, and list them as a processor in your privacy policy. If you are the only one touching the data, you do not need one.

Typical mistakes

The frequent ones: loading Google Analytics or ad pixels before the user consents (the single most common violation); a cookie banner with a big "Accept" and a hidden or missing "Reject"; ignoring GPC and other browser signals; no privacy policy or a copied one that lies about what you actually collect; and forgetting DPAs with the providers you rely on. None are hard to fix, and all are easy for a regulator or a competitor to spot.

Business ROI

Compliance is both risk reduction and a trust signal. The downside of ignoring it is real - GDPR fines scale with revenue, and a botched data request can become a public complaint. The upside is quieter but real: a clear privacy policy and an honest consent flow tell customers you take their data seriously, which matters more every year. Build it in from the start and it costs an afternoon; retrofit it under pressure after you have users and it costs a painful migration. Do it early.

Checklist

Run through these for any product that collects user data before you promote it.

  • You can name the lawful basis for every category of data you collect.
  • No non-essential tracker loads before opt-in, and GPC is honoured automatically.
  • Your cookie banner offers Reject all as easily as Accept all and remembers the choice.
  • A real privacy policy and (where required) an imprint are linked in your footer.
  • You can export and delete a user's data on request, and you have a DPA with every processor.
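The checklist items about opt-in and GPC are the ones most often got wrong in code, so here is an added example of a small consent gate, not code from the lesson or from any consent-management product. It assumes a localStorage key `consent_v1`, two non-essential categories (`analytics`, `marketing`) and a six-month re-ask period; those are design choices for the example, not requirements from any law. It treats a Global Privacy Control signal (`navigator.globalPrivacyControl` in the browser, or the `Sec-GPC: 1` request header on the server) as an opt-out that overrides a stored "accept", and it loads nothing non-essential until a choice exists.

```javascript
// Added example: consent gate that decides which non-essential trackers may load.
// Storage key, category names and the re-ask period below are assumptions.
const CONSENT_KEY = "consent_v1";
const CATEGORIES = ["analytics", "marketing"];
const CONSENT_TTL_MS = 180 * 24 * 60 * 60 * 1000; // re-ask after ~6 months (assumed policy)

// Parse a stored consent record. Missing, malformed or expired input means "no choice yet",
// which the gate treats exactly like a rejection: nothing non-essential loads.
function parseStoredConsent(raw, now = Date.now()) {
  if (!raw) return null;
  let rec;
  try { rec = JSON.parse(raw); } catch (e) { return null; }
  if (!rec || typeof rec !== "object" || typeof rec.ts !== "number") return null;
  if (now - rec.ts > CONSENT_TTL_MS) return null;
  if (!rec.choices || typeof rec.choices !== "object") return null;
  const choices = {};
  for (const c of CATEGORIES) choices[c] = rec.choices[c] === true;
  return { ts: rec.ts, choices };
}

// "Accept all" and "Reject all" build records the same way, so both are one click.
function makeConsentRecord(acceptAll, now = Date.now()) {
  const choices = {};
  for (const c of CATEGORIES) choices[c] = acceptAll;
  return { ts: now, choices };
}

// Effective consent: a GPC signal is an opt-out that wins over a stored "accept".
// With GPC set the banner is not shown, because the browser has already answered.
function resolveConsent(stored, gpcSignal) {
  const choices = {};
  for (const c of CATEGORIES) {
    choices[c] = !gpcSignal && stored !== null && stored.choices[c] === true;
  }
  return { choices, needsBanner: stored === null && !gpcSignal };
}

function canLoad(category, resolved) {
  return resolved.choices[category] === true;
}

// Server side: GPC arrives as the "Sec-GPC: 1" request header. `headers` is a plain
// object with lower-cased keys, as most Node frameworks expose it.
function gpcFromRequestHeaders(headers) {
  return String(headers["sec-gpc"] || "").trim() === "1";
}

// Browser glue: read the signal and storage, then inject a tracker only after opt-in.
function initConsentGate(win) {
  const gpc = !!(win.navigator && win.navigator.globalPrivacyControl === true);
  const stored = parseStoredConsent(win.localStorage.getItem(CONSENT_KEY));
  const resolved = resolveConsent(stored, gpc);
  return {
    resolved,
    record(acceptAll) {
      win.localStorage.setItem(CONSENT_KEY, JSON.stringify(makeConsentRecord(acceptAll)));
    },
    loadTracker(category, src) {
      if (!canLoad(category, resolved)) return false; // the common violation, prevented
      const s = win.document.createElement("script");
      s.src = src;
      win.document.head.appendChild(s);
      return true;
    },
  };
}
```

Wire `initConsentGate(window)` up at page load, call `loadTracker("analytics", url)` from inside the gate rather than from a hard-coded `<script>` tag, and have the banner's two buttons call `record(true)` and `record(false)` with equal prominence. The pure functions carry all the logic, so the opt-in and GPC behaviour can be unit-tested without a browser.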

Resources

The official ICO (UK), EDPB (EU), Swiss FDPIC and California Privacy Protection Agency sites are the authoritative, timeless references, and they publish plain-language guides for small businesses. A reputable consent-management platform handles the banner and GPC for you if you would rather not build it. For anything high-stakes, a short consult with a privacy lawyer is money well spent. This lesson is guidance, not legal advice.

Your task

Audit one of your projects: list every piece of personal data it collects and the lawful basis for each. Then check your consent flow - does any tracker fire before opt-in, and does Reject all really work? Fix whatever fails. If you have no privacy policy yet, draft one in plain language and link it in your footer.

Next lesson

Compliant and secure, the next lesson gets you found: classic SEO plus GEO/AEO, llms.txt and structured data, the favicon-in-SERP trick, and the system-of-websites strategy so both Google and AI recommend you.
