GDPR — The Law That Changed the Web

Everything you actually need to know about the General Data Protection Regulation. No legal jargon. No fluff.

The General Data Protection Regulation (GDPR) is the reason every website you visit asks you to click “Accept cookies.” It’s the EU’s privacy law, and alongside the ePrivacy Directive it applies to anyone processing data from people inside the EU, regardless of where your servers live.

If you have a website and someone from France visits it, GDPR applies to you. Period.

What it actually says

The GDPR isn’t complicated. It boils down to seven core principles:

  1. Lawfulness. You need a legal reason to collect personal data. Consent is one. Contractual necessity is another. “Because we want to” isn’t.
  2. Purpose limitation. Collect data for a specific reason. Don’t use it for something else later.
  3. Data minimization. If you don’t need it, don’t collect it.
  4. Accuracy. Keep data correct. Let people fix it.
  5. Storage limitation. Delete data when you’re done with it.
  6. Integrity and confidentiality. Protect it. Encrypt it. Don’t leak it.
  7. Accountability. You’re responsible. Prove you comply.

Who must comply

  • Any organization processing personal data of people in the EU/EEA
  • Foreign companies with EU customers or website visitors
  • No revenue threshold. No size exemption. Everyone.

The UK has its own equivalent, UK GDPR, which works nearly identically for most sites.

What counts as personal data

Basically everything: names, emails, IP addresses, cookie IDs, device fingerprints, location data, behavioral data. If it can identify a person, directly or indirectly, it’s personal data.

Consent must be:

  • Freely given. No pre-ticked boxes. No “continue browsing = accept.”
  • Specific. One purpose per consent. No bundling.
  • Informed. Tell people what you’re collecting and why.
  • Unambiguous. A clear affirmative action, like clicking a button or flipping a toggle.

“Implied consent” doesn’t exist under GDPR. If someone scrolls past your banner, that’s not consent. If someone ignores your banner, that’s not consent.

Non-essential cookies (analytics, ads, tracking) require prior consent. You must block them until the user opts in. No, really. Block them. At the network level: the tracker script must not even be requested until the visitor has opted in, and hiding the banner or disabling cookies after the script has already loaded doesn’t count.

Essential cookies (session, shopping cart, load balancing) don’t need consent. But “essential” is a narrow category. Google Analytics isn’t essential.

Penalties

Fines up to €20 million or 4% of global annual turnover, whichever is higher. Enforcement has gotten aggressive since 2023. The fines are real and they’re not just going to Big Tech anymore. Outside the EU, California’s CCPA takes a different, opt-out approach. See our GDPR vs CCPA vs ePrivacy comparison for the side-by-side.

How Zest handles it

Zest blocks non-essential trackers by default until consent is given. It records consent with an auditable trail. It supports geography-based rules so you can serve different compliance modes depending on where your visitor is.
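To make the two requirements above concrete (block non-essential scripts until an explicit opt-in, and keep an auditable record of each choice), here is an added example in plain JavaScript. It is not Zest’s code and not code from this page; the purpose names, script URLs, the `policyVersion` value and the log format are constructed for the illustration. Non-essential scripts are assumed to be written into the page as `<script type="text/plain" data-purpose="..." data-src="...">` placeholders, which the browser never fetches, so nothing non-essential runs until the consent state says it may.

```javascript
// Added example, not Zest's own code: consent-gated activation of
// non-essential scripts plus an append-only consent audit trail.
// Purpose names, URLs and the log format are constructed for illustration.

const ESSENTIAL = "essential"; // session, cart, load balancing: no consent needed

// Every non-essential purpose starts as NOT granted. Nothing here ever
// defaults to true, so there is no pre-ticked box and no implied consent.
function newConsentState(purposes) {
  const state = {};
  for (const p of purposes) state[p] = false;
  return state;
}

// The affirmative actions that count as consent. Scrolling, closing or
// ignoring the banner are deliberately absent from this list.
const AFFIRMATIVE_ACTIONS = new Set(["click", "toggle"]);

// Record one explicit, per-purpose choice and append it to the audit log.
// Returns the record so the caller can persist it server-side.
function recordChoice(state, log, purpose, granted, action, now = Date.now()) {
  if (!(purpose in state)) throw new Error(`unknown purpose: ${purpose}`);
  if (!AFFIRMATIVE_ACTIONS.has(action)) {
    throw new Error(`'${action}' is not an affirmative action; consent not recorded`);
  }
  state[purpose] = granted === true; // anything but an explicit true is a refusal
  const record = {
    purpose,
    granted: state[purpose],
    action,
    at: new Date(now).toISOString(),
    policyVersion: "2024-01", // constructed: which notice text the visitor saw
  };
  log.push(Object.freeze(record));
  return record;
}

// Essential scripts always run; anything else only with a recorded true.
function mayRun(state, purpose) {
  return purpose === ESSENTIAL || state[purpose] === true;
}

// Gate a list of script descriptors ({src, purpose}) and return the sources
// that are allowed to load right now.
function gateScripts(state, scripts) {
  return scripts.filter((s) => mayRun(state, s.purpose)).map((s) => s.src);
}

// Browser-side activation (needs a DOM, so not exercised under Node):
// replace each allowed text/plain placeholder with a real script element,
// which is the moment the browser first requests the tracker.
function activateInDocument(state, doc) {
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-purpose]')) {
    if (!mayRun(state, el.dataset.purpose)) continue;
    const live = doc.createElement("script");
    live.src = el.dataset.src;
    el.replaceWith(live);
  }
}

// Constructed sample page: one essential script and two trackers.
const SAMPLE_SCRIPTS = [
  { src: "/static/app.js", purpose: ESSENTIAL },
  { src: "https://analytics.example/collect.js", purpose: "analytics" },
  { src: "https://ads.example/pixel.js", purpose: "ads" },
];

// Walk through a visit: nothing non-essential loads, the visitor clicks
// "allow analytics", and only the analytics script becomes loadable.
function demo() {
  const state = newConsentState(["analytics", "ads"]);
  const log = [];
  const before = gateScripts(state, SAMPLE_SCRIPTS); // only /static/app.js
  recordChoice(state, log, "analytics", true, "click", 0);
  const after = gateScripts(state, SAMPLE_SCRIPTS); // app.js + analytics, never ads
  return { before, after, log };
}

if (typeof module !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The check worth keeping from this is the shape of `recordChoice`: a choice is only stored when it came from an affirmative action, and each stored record carries the timestamp, the purpose and the notice version the visitor saw, which is what you need to show a regulator that the consent on file is the consent that was actually given.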

The bottom line

GDPR compliance is not optional if you have EU visitors. A consent banner that doesn’t actually block trackers is worse than no banner at all. It’s a paper trail of your non-compliance.

Own your cookie banner.

Zest is free and MIT-licensed, and it doesn’t phone home to anyone. Drop the script in and you’re done.