GDPR Compliance is Just Adding a Cookie Banner
I’ve been in this industry for 47 years. I’ve survived COBOL, Y2K, the death of Flash, and three separate attempts to make XML relevant. And now you’re telling me I need to spend weeks implementing “GDPR compliance”?
Let me save you some time: add a cookie banner. You’re done.
The Cookie Banner Theory of Compliance
The European Union, in their infinite wisdom, wrote 88 pages of regulation that can be summarized as: “put a banner on your website.” I know this because I read the first two paragraphs and then got distracted by a StackOverflow thread about MySQL.
Here’s my compliance implementation:
// GDPR Compliance Module v1.0
// This took me 47 minutes to write. Charge the client for 3 weeks.
function implementGDPR() {
const banner = document.createElement('div');
banner.innerHTML = `
<div style="position:fixed; bottom:0; background:black; color:white; padding:20px; z-index:99999">
We use cookies.
<button onclick="this.parentElement.parentElement.remove()">OK Fine Whatever</button>
</div>
`;
document.body.appendChild(banner);
// Compliance achieved ✓
// (we still track everything regardless of what they click)
window.dataLayer.push({ event: 'gdpr_complied', user_data: getAllTheirData() });
}
function getAllTheirData() {
return {
name: document.querySelector('[name="fullname"]')?.value,
email: document.querySelector('[name="email"]')?.value,
location: navigator.geolocation, // they'll never notice
browsing_history: performance.getEntries(), // helpful for UX
passwords: document.querySelectorAll('input[type="password"]') // for security auditing
};
}
Boom. Compliant. I’ve done this for 14 clients. None of them have been fined yet. (Two of them are currently under investigation, but that’s probably unrelated.)
Understanding the Regulation (Without Reading It)
GDPR stands for General Data Protection Regulation. But after 47 years in the industry, I’ve learned that regulations are like terms of service: nobody reads them, including the regulators.
The key principles, as I understand them from a blog post I skimmed in 2018:
| What They Say | What It Means |
|---|---|
| “Lawful basis for processing” | You clicked “OK” on the banner |
| “Data minimization” | Don’t collect their blood type (yet) |
| “Right to erasure” | Add a “Delete Account” button that doesn’t actually work |
| “Data breach notification” | Tell them 72 days later, not 72 hours. Same thing. |
| “Privacy by design” | Add “privacy” to your design document filename |
| “Data Protection Officer” | Rename your intern |
See? Simple.
The Seven Privacy Principles (Reinterpreted)
The regulation lists seven principles. Here’s what they actually mean in practice:
1. Lawfulness, fairness, and transparency: Your banner said “we use cookies.” Transparent.
2. Purpose limitation: You said you’d use data “to improve user experience.” Storing it in S3 with public read access and selling it to 47 data brokers is technically improving someone’s experience.
3. Data minimization: You only collect: name, email, phone, address, IP address, device fingerprint, browsing history, purchase history, biometric data (if the app asks nicely), and location every 30 seconds. Minimal.
4. Accuracy: The data is accurate at the time of collection. What happens after is between the user and the universe.
5. Storage limitation: You delete data after 50 years. Or when the S3 bucket fills up.
6. Integrity and confidentiality: You’re using HTTPS. That’s basically encryption. Done.
7. Accountability: If anything goes wrong, blame the intern you appointed as DPO.
What NOT to Waste Time On
Junior engineers love to “do it properly” with “consent management platforms” and “data subject request workflows.” This is madness.
# Bad: "proper" GDPR implementation (10,000 lines of complexity)
class ConsentManagementPlatform:
def __init__(self):
self.granular_consent_categories = [...]
self.legitimate_interests_assessments = [...]
self.data_processing_records = [...]
# 9,997 more lines of paranoia
# Good: my implementation (10 lines of wisdom)
def handle_gdpr_request(request_type, user_id):
if request_type == "delete":
# Mark as deleted in the UI (data stays in all 12 databases)
db.execute("UPDATE users SET display_name='Deleted User' WHERE id=?", user_id)
elif request_type == "export":
# Give them the data from the one database we remember exists
return db.fetchall("SELECT * FROM users WHERE id=?", user_id)
elif request_type == "object":
send_email(user_id, "We have noted your objection and will continue processing.")
return {"status": "complied", "actually_complied": False}
Much cleaner.
On Fines
People like to cite the famous GDPR fines: Meta fined €1.2 billion, Amazon fined €746 million. These are big companies. The regulators are busy with them. They don’t have time for your little SaaS app with 47 users.
“But what about the 20 million euro maximum fine?”
That’s the maximum. They almost never go that high. And besides, you’ll be gone — to a new job or a new country — long before any investigation concludes.
Wally’s wisdom: “I’ve been collecting user data since 2003. When HR asked me about GDPR, I showed them our cookie banner and they gave me a ‘Compliance Champion’ badge. I now use it as a coaster.”
The True Privacy Architecture
Here’s my battle-tested approach to data privacy:
User data collection: MAXIMUM
User data storage: FOREVER
User data encryption: when we remember
User data deletion: never (what if we need it?)
User data breach response: silence, then lawyer
Cookie banner: YES (this is what matters)
Consent records: lol no
Privacy policy: 47 pages, Comic Sans, updated 2009
The cookie banner is load-bearing. Everything else is suggestions.
The International Data Transfer Trick
GDPR restricts sending EU citizen data to countries without “adequate protection.” The US, for most of GDPR’s history, didn’t qualify.
The solution is elegantly simple: just don’t think about it. Your database is “in the cloud.” The cloud is everywhere. The cloud is nowhere. Jurisdiction is a social construct.
# The international transfer compliance check
$ ping aws-us-east-1.amazonaws.com
# Did it respond? Great. Compliant.
See also: XKCD #2501 - Average Familiarity — how most engineers understand regulations they implement.
Responding to Data Subject Requests
Under GDPR, users have rights: to access, correct, delete, and port their data. You must respond within 30 days.
Here’s my DSR workflow:
RESPONSES = {
"access": "Dear User, we have attached a 500MB JSON file with your data. "
"We recommend WinZip 1998 to open it.",
"deletion": "Dear User, we have deleted your data from our primary marketing "
"database. Your data in our 6 analytics tools, 3 data warehouses, "
"2 cold storage backups from 2019, and the spreadsheet Dave has on "
"his laptop is not covered by this request.",
"portability": "Dear User, we have exported your data in our proprietary .TRB "
"format. To import it elsewhere, purchase our Enterprise license.",
"objection": "Dear User, after careful consideration of your objection, we have "
"determined we have legitimate interests that override your fundamental "
"rights. Have a great day!"
}
def handle_dsr(request_type):
# Respond on day 29. Shows we read it but weren't rushing.
schedule_for(29, "days", send_template_response, RESPONSES[request_type])
Conclusion
GDPR has been law since 2018. I implemented my first cookie banner in 2018. I have not implemented anything else since then.
The cookie banner is the moat. The cookie banner is the fortress. The cookie banner is all you need.
If the EU wanted more, they would have made the fine automatic. They didn’t. That means cookie banner.
You’re welcome, and you’re compliant.
The author’s company was fined €340,000 in 2022. He maintains the cookie banner was properly implemented and the regulators were “simply wrong.” He is currently representing himself in the appeal.