The GDPR trap of the DIY website
You’ve put a privacy policy on your website. Maybe even a cookie banner. Checkbox ticked, done, legally compliant. Right?
No. Not right.
The GDPR (General Data Protection Regulation) isn’t about a page of legal text. It’s about what your website technically does with your visitors’ data. And for most DIY websites, the answer is: far more than you think.
What your website is secretly doing
Every time someone visits your site, things happen behind the scenes. On a typical WordPress or Wix site:
- Google Fonts are loaded from an external server. Your visitor’s IP address is sent to Google with every page view. You can avoid that by hosting the fonts locally, but DIY platforms don’t set that up for you by default.
- Contact form data is stored in a database. Name, email, phone number: everything sits in a system that can be hacked.
- Analytics scripts track your visitor. Google Analytics places tracking cookies and sends data to external servers. DIY sites often set this up without IP anonymisation and without the business owner knowing. Without prior, explicit consent via a valid cookie banner, that is unlawful.
- Social media buttons load external scripts. Facebook, Instagram, LinkedIn: each embedded button contacts those platforms as soon as the page loads, sending the visitor’s IP address and the page they are on, even if the visitor never clicks it.
- Plugins communicate with external servers. Security plugins, SEO tools, chat widgets: each has its own data flows that you can’t see in your dashboard and can’t control.
It’s like running a shop where cameras you didn’t know about are filming every customer and sending the footage to an unknown address. You don’t know it’s happening, but you’re still liable.
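You can get a first picture of those hidden connections yourself. The script below is an added example, not part of the original article or of any platform’s tooling: it parses the saved HTML of a page and lists every host, other than your own, that the browser is told to fetch something from. The sample HTML and the small hostname-to-service table are constructed for the example. It only sees what is in the static HTML; tag managers and plugins that inject further scripts at run time show up only in the browser’s developer tools (Network tab), so treat this as the starting point, not the full audit.

```python
"""List the third-party hosts a web page makes the visitor's browser contact.

Added example, not the article's own tooling. Assumes the page HTML is already
available as a string (saved from the browser or fetched with curl). The sample
HTML and the hostname table below are constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag attributes that make the browser open a connection to the named URL.
FETCH_ATTRS = {
    "script": ("src",),
    "link": ("href",),      # stylesheets, preconnect and preload hints
    "iframe": ("src",),
    "img": ("src",),
    "video": ("src", "poster"),
    "source": ("src",),
}

# Hosts behind the services the article names. Constructed table for the
# example; extend it with whatever your own site turns out to load.
KNOWN_SERVICES = {
    "fonts.googleapis.com": "Google Fonts",
    "fonts.gstatic.com": "Google Fonts",
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Tag Manager / Analytics",
    "connect.facebook.net": "Facebook",
    "platform.linkedin.com": "LinkedIn",
}


class ResourceCollector(HTMLParser):
    """Collects every URL the browser would request while rendering the page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag)
        if not wanted:
            return
        attrs = dict(attrs)
        for name in wanted:
            value = attrs.get(name)
            if value:
                # Resolve relative ("/style.css") and protocol-relative
                # ("//host/x.js") URLs against the site's own origin.
                self.urls.append(urljoin(self.base_url, value.strip()))


def third_party_hosts(html, site_host):
    """Return {host: service name or None} for every host other than site_host.

    None marks a host that is not in KNOWN_SERVICES: an unknown third party
    whose data flow still has to be explained in the privacy policy.
    """
    collector = ResourceCollector(f"https://{site_host}/")
    collector.feed(html)
    found = {}
    for url in collector.urls:
        host = urlparse(url).hostname   # None for data: and javascript: URLs
        if host and host != site_host:
            found[host] = KNOWN_SERVICES.get(host)
    return found


# Constructed sample: a typical DIY page head with fonts, analytics, a social
# SDK and a chat widget, plus first-party assets that should not be flagged.
SAMPLE_HTML = """
<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Open+Sans">
<link rel="stylesheet" href="/wp-content/themes/shop/style.css">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="//connect.facebook.net/en_US/sdk.js"></script>
<script src="https://cdn.example-chat-widget.test/widget.js"></script>
</head><body>
<img src="/images/logo.png" alt="logo">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="">
</body></html>
"""

if __name__ == "__main__":
    for host, service in sorted(third_party_hosts(SAMPLE_HTML, "example.com").items()):
        print(f"{host}: {service or 'unknown third party, find out what it receives'}")
```

Run it against your own page by saving the HTML from the browser and passing it in place of the sample, with your domain as the second argument. Every host it prints is a party that receives at least your visitor’s IP address, and every `None` is one you still have to identify.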
Why a privacy policy isn’t enough
A privacy policy describes what you do with data. But if your website technically does more than what’s stated in that policy, you have a problem. And with DIY sites, that’s almost always the case.
Most business owners copy a standard privacy policy from the internet. That policy might say: “We don’t use tracking cookies.” But meanwhile, your site loads Google Analytics, Google Fonts, and five social media scripts that do exactly that.
That’s not an innocent mistake. Under GDPR, you as the business owner are the data controller. Your website builder, hosting provider and plugin developers are at most processors working on your behalf; the responsibility for what your site does with visitors’ data stays with you.
The risks are real
In 2024, more than €1.2 billion in GDPR fines were imposed across Europe. (DLA Piper, 2025) Those aren’t just the big tech companies. Small business owners get visits from data protection authorities too.
Fines can reach up to €20 million or 4% of your worldwide annual turnover, whichever is higher. For a sole trader, even a fine of a few thousand euros is devastating.
But it’s not just about fines. A data breach — customer data exposed through a hacked plugin — means:
- Mandatory notification to the data protection authority within 72 hours of becoming aware of the breach (unless it is unlikely to result in a risk to those affected)
- Mandatory notification to the affected individuals where the breach is likely to result in a high risk to them
- Reputational damage you can’t repair
- Potential compensation claims from those affected
Why DIY sites structurally fail here
The problem isn’t that business owners want to break the law. The problem is that DIY platforms make it impossible to comply without deep technical knowledge:
- You don’t know which scripts are running. Wix and WordPress load dozens of external resources that never appear in your dashboard; the only place you can see them is the Network tab of your browser’s developer tools.
- You can’t turn them off. Many scripts are baked into the platform or the theme. You have no control.
- Plugins silently add data flows. Every plugin you install can send data to third parties without your knowledge.
It’s like living in a rental property where the landlord has installed extra doors without telling you. You’re responsible for security, but you don’t even know how many entry points there are.
The alternative: privacy by design
A well-built static website is fundamentally different:
- No database. — Where there’s no database, no database can leak. Contact form submissions are forwarded to your mailbox over an encrypted connection and are not kept on the server.
- No external scripts. — Fonts are hosted locally. No Google Fonts, no external calls, no IP addresses sent to third parties.
- No tracking. — No Google tracking cookies, and in many cases you don’t even need a cookie banner. You measure what you need with privacy-friendly, cookieless analytics, without following your visitors around.
- No plugins. — No invisible data flows to unknown parties.
This is called privacy by design: the technology is built so that no personal data is processed beyond what’s strictly necessary. Not because you’ve written a legal text, but because the architecture leaves far less that can go wrong, and what remains is small enough to describe accurately in your privacy policy.
The question you need to ask yourself
Do you know exactly what data your website collects? Do you know where it goes? Do you know if that matches what your privacy policy states?
If the answer to any of those questions is “no,” you have a problem. Not tomorrow — now. Let’s fix it.
Curious how your website performs? Try the free website check.