You think GDPR only concerns large companies. You think the CNIL does not bother with small businesses. You think that with your cookie banner and legal notices, you are "roughly compliant." Here is the reality: since 2024, CNIL audits have shifted massively toward smaller organisations precisely because the gaps there are systematic, easy to detect, and economically valuable — fines for small businesses now range from a few thousand to several tens of thousands of euros.
I see this at every website redesign I carry out in the Gironde region. The vast majority of small businesses are living with a false sense of compliance — installed in 2018 when the regulation came into force, never updated since. What was acceptable seven years ago has become a concrete risk in 2026. Here are the four blind spots I encounter almost systematically, and that the CNIL identifies in two minutes during an audit.
"GDPR does not penalise ignorance. It penalises detectable gaps. And for the majority of small businesses, detectable gaps are everywhere."
Your cookie banner lies — and it is the easiest gap to detect
The vast majority of cookie banners installed on small business websites present an appearance of compliance — an "accept" button, a "decline" button, a "cookie policy" link — but with a major technical flaw: they drop analytics, social media, or advertising cookies before the visitor has clicked anything. The banner appears on the surface while cookies load silently underneath. You believe you are compliant because the banner exists. The CNIL sees the opposite by checking network requests for two seconds.
This practice — pre-dropping cookies — has been explicitly prohibited by the CNIL since its 2020 guidelines. The automated audits the CNIL has been running at scale since 2023 detect the gap in seconds using publicly available technical tools. And it is precisely this gap that has triggered the majority of formal notices sent to small businesses in France over the past two years. You can check for yourself by opening your browser's network inspector on your own site — you will see exactly what the CNIL sees.
The trap is all the more insidious because non-compliant banners are often installed by free plugins or by the default configuration of well-known platforms. You trusted your developer, who trusted the plugin publisher, who trusted a configuration that is years out of date. Nobody in that chain has revisited the setting since, and you bear the final legal responsibility.
What I recommend: today, open your site in a private browsing window (so that a consent choice saved on an earlier visit cannot mask the problem), open the network inspector before the page loads, and note which requests go to third-party domains (Google, Facebook, tracking tools) before you touch the banner. Check the storage panel as well: a cookie such as _ga or _fbp already present while the banner is still on screen is the same finding. If you see requests firing, you have an active problem, and as long as it is not fixed you are in breach with every single visit to your site.
Your form collects data — without keeping any record of consent
Every time a visitor fills in your contact or quote request form, you collect personal data — name, email, phone number, sometimes an address, sometimes a description of a sensitive project. This collection is lawful, but it is subject to a strict GDPR requirement: you must be able to prove, months later, exactly what the visitor agreed to at the precise moment they clicked "submit". Date of the click, exact version of your privacy policy, exact wording of checkboxes, precise purposes stated. This traceability is mandatory, and it is almost always absent.
The typical scenario unfolds as follows. A prospect fills in your form in March. You do not follow up. Six months later, you send them a year-end promotion. They are annoyed, file a CNIL complaint. The CNIL asks you to prove on what legal basis you sent that promotion. If you cannot produce a trace of the initial consent — date, wording, version of the terms in force on that day — you are technically liable. And the majority of small business forms generate no trace of this kind. Data arrives in an inbox, with no legal context attached.
The technical solution is well known but rarely deployed: for each form submission, record a precise server-side timestamp, the exact version of the consent text shown (ideally a hash of that text, so that a later edit can never be confused with the wording in force that day), the state of each checkbox, and the IP address, and store these records in a queryable register. Bear in mind that the IP address is itself personal data: give it a retention period and list it in your processing register. This is trivial to code and almost free to maintain, but it requires someone to have thought about it upfront. That is precisely what is missing in virtually every small business site I redesign.
What I recommend: ask your web developer — or yourself if you manage your site — how consent is tracked for your current forms. If the answer is "we just receive an email", you are exposed. If the answer is "we store the date, the text, the IP", you are compliant on this specific point. The distinction is not trivial: it is exactly the piece of evidence you will need to produce in the event of an audit.
You send mailings without being able to say why you have the right to do so
Every commercial send — newsletter, promotion, follow-up, product communication — must rest on an identifiable legal basis under GDPR. Article 6 of the regulation lists six, but only two truly apply to commercial small businesses: explicit prior consent (the box voluntarily ticked by your recipient), or legitimate interest in the narrow case of an existing customer being re-engaged about a product similar to one they already purchased. Any other configuration exposes you. And that is precisely the configuration in which the majority of small businesses that send mailings find themselves.
The simple test is to ask yourself, before every send: "If this recipient asks me on what basis I am writing to them, can I answer in one precise, documented sentence?" If you cannot, you are taking a risk. If the answer is "they have been in my file for a long time", that is insufficient. If the answer is "we exchanged business cards two years ago", that is also insufficient. A single complaint from a disgruntled recipient is enough to trigger a CNIL investigation, and the investigation then extends to your entire contact base.
The unsubscribe rule adds another layer that few small businesses truly respect. Every commercial email must include an active, immediate unsubscribe link that effectively removes the recipient from your list — not a link that opens a page asking them to log in, nor a link that asks them to explain their reason for unsubscribing. One click must remove the person, full stop. And the removal must be instant. A single poorly handled request exposes you.
What I recommend: before your next commercial send, mentally divide your contact file into three categories. Those who have explicitly consented to receiving your communications (tracked ticked box), those who are recent active customers (legitimate interest applicable), and everyone else. This third category must not receive commercial sends — or must first receive an explicit consent request. It is strict, it is what the regulation says, and it is what the CNIL enforces during audits.
A small business in the Gironde region that I am aware of was subject to a CNIL audit triggered by a single complaint from a former prospect who was annoyed to receive a commercial follow-up two years after a single exchange. The investigation covered the entire contact file, revealing the absence of a documented legal basis for half the sends, the absence of a processing register, and a non-compliant cookie banner. Outcome: a formal notice, a mandatory compliance deadline of six months, and the threat of a fine in the event of non-execution. One initial complaint, lasting consequences for the business and its commercial operations.
The first document the CNIL requests — and the one you have probably never produced
The processing register has been required since May 2018. Article 30 of GDPR nominally exempts organisations with fewer than 250 employees, but only for processing that is occasional, presents no risk and involves no sensitive data; customer files, payroll and a newsletter are none of those, so in practice the exemption almost never applies to a trading small business. The register is an internal document that lists, for each personal data processing operation you carry out, its purpose, its legal basis, the categories of people concerned, the categories of data collected, the recipients, the retention period, and the associated security measures. Without this register, you are in structural breach of GDPR — meaning beyond a simple technical gap, it is the absence of a fundamental obligation.
The practical consequence: it is the first document the CNIL requests during an audit. Not the last, not one among many — the first. Before even looking at your website, your cookie banner, your forms. If you cannot produce a coherent and up-to-date register, the investigation immediately orients toward a presumption of structural non-compliance, and your overall GDPR posture is called into question. Conversely, presenting a clean register — even an imperfect one — demonstrates good faith, which radically changes the tone of the exchange.
The good news is that this register is relatively simple to establish for a small business. A typical small business has between four and eight processing activities to document — prospect and customer management, payroll if you have employees, the newsletter, invoicing, video surveillance if applicable. One well-structured working day is enough to build it. And once in place, it takes a few minutes per year to update. The effort-to-risk-avoided ratio is one of the most favourable in all of GDPR.
What I recommend: if you do not have a processing register today, this is your absolute priority. Not in six months, not next year — now. It is the document that transforms a CNIL audit from a potential nightmare into a structured administrative procedure. And it is precisely the document I systematically include in my GDPR compliance work for small businesses.
Four blind spots, one complaint is enough.
Cookies · Before click: if your cookies drop before the visitor's consent, you are in active breach.
Forms · Traceability: without a timestamp and an archived version of the consent text, you can prove nothing six months later.
Mailings · Legal basis: one clear sentence to justify each send. Otherwise, one complaint exposes you entirely.
Register · Mandatory: the first document requested by the CNIL. Establish it before anything else.
GDPR compliance is never a one-time fix. Every change to your site, every new form, every third-party tool added requires a review. This is why I integrate it systematically into the website redesigns I carry out — rather than treating it separately as an isolated administrative chore.
If you are planning a redesign or an update to your site, read CMS vs custom: why this debate became obsolete in 2026 — GDPR compliance is built in from the start, not bolted on afterwards.