SiteProof AI Blog
GDPR AI Compliance Checklist for Websites: 12 Things to Verify in 2026
GDPR applies to every AI tool on your website that collects or processes personal data from EU users — chatbots, AI analytics, recommendation engines, third-party AI APIs. The regulation doesn't distinguish between "AI" and "regular" data processing. If personal data is involved, GDPR applies. Here's what you need to verify before regulators do.
Why GDPR Applies to Every AI Tool on Your Website
Every AI feature on a typical website processes some form of personal data:
| AI Feature | Personal Data Processed | GDPR Applies? |
|---|---|---|
| Customer service chatbot | Names, email, conversation content | Yes |
| AI-powered search | Search queries, IP address, session data | Yes |
| Recommendation engine | Browsing history, purchase history | Yes |
| AI analytics tool | Behavioral data, device fingerprint | Yes |
| AI content generation (internal) | None, unless user data is included in prompts | Only if user data is used in prompts |
The 12-Point GDPR AI Compliance Checklist
1. Identify all AI tools that process personal data
List every AI system on your website — chatbots, analytics, recommendations, APIs. For each one, document what personal data it receives, where it's stored, and who processes it.
2. Establish a lawful basis for each AI processing activity
GDPR Article 6 requires a lawful basis. For most website AI tools: consent (cookie banner), legitimate interests (analytics), or contract (processing needed to deliver a service). Document this for each tool.
3. Update your privacy policy to disclose AI processing
Your privacy policy must explain which AI tools are used, what data they process, the lawful basis for processing, and how long data is retained. Generic privacy policies written before AI integration are non-compliant.
4. Implement cookie consent for AI-related cookies
If any AI tool drops cookies — analytics, session tracking, personalization — these require prior consent under the ePrivacy Directive. Analytics cookies are not strictly necessary and cannot be deployed before consent.
5. Sign Data Processing Agreements with all AI vendors
GDPR Article 28 requires a DPA with every third party that processes personal data on your behalf. This includes OpenAI, Anthropic, Google, and any other AI API you call with user data.
6. Verify international data transfer safeguards
Sending personal data to AI APIs based in the US triggers GDPR Chapter V transfer requirements. Standard Contractual Clauses (SCCs) are the most common mechanism. Verify your AI vendors have SCCs in place.
7. Check GDPR Article 22 for automated decision-making
If your AI system makes decisions with significant effects on users — pricing, content access, account status — GDPR Article 22 applies. Users must be informed, have a right to human review, and be able to contest decisions.
8. Conduct a DPIA for high-risk AI processing
GDPR Article 35 requires a Data Protection Impact Assessment for AI that involves large-scale processing, systematic monitoring, or decisions with significant effects. Document the risks and mitigations.
9. Implement data minimization in AI prompts
Only send the minimum personal data necessary to the AI for each task. Avoid sending full user profiles to AI APIs when only a name or ID is needed. This limits exposure in case of a breach.
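One way to implement the minimization step above, as an added example rather than code from the original post: a per-task allow-list decides which profile fields reach the model at all, and a redaction pass masks e-mail addresses and phone numbers the user typed into the chat before the prompt leaves your system. The task names, field names and sample profile are constructed for this example.

```python
import re

# Constructed sample profile: the kind of full CRM record a site might hold.
# This is example data, not a real user.
USER_PROFILE = {
    "user_id": "u-48213",
    "name": "Anna Schmidt",
    "email": "anna.schmidt@example.org",
    "phone": "+49 30 1234567",
    "date_of_birth": "1988-04-02",
    "address": "Musterstrasse 1, 10115 Berlin",
    "purchase_history": ["order-1001", "order-1002"],
    "support_tier": "premium",
}

# Allow-list per task: the only profile fields each AI task may see.
# Task and field names are assumptions made for this example.
TASK_FIELDS = {
    "support_reply": {"user_id", "support_tier"},
    "order_status": {"user_id", "purchase_history"},
}

# Simple patterns for PII that users commonly paste into a chat box.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+?\d[\d ()-]{6,}\d")


def minimize_profile(profile: dict, task: str) -> dict:
    """Return only the fields the task is allowed to use.

    An unknown task gets an empty context (deny by default) rather than
    the whole profile.
    """
    allowed = TASK_FIELDS.get(task, set())
    return {key: value for key, value in profile.items() if key in allowed}


def redact_free_text(text: str) -> str:
    """Mask e-mail addresses and phone numbers found in user-typed text."""
    text = EMAIL_RE.sub("[email redacted]", text)
    return PHONE_RE.sub("[phone redacted]", text)


def build_prompt(profile: dict, task: str, user_message: str) -> str:
    """Assemble the prompt that would be sent to the AI API."""
    context = minimize_profile(profile, task)
    return f"Task: {task}\nContext: {context}\nUser: {redact_free_text(user_message)}"
```

The same allow-list doubles as the record of what each tool receives, which item 1 of the checklist asks you to document.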
10. Establish data retention limits for AI-processed data
AI conversation logs, analytics data, and processed outputs must have documented retention periods. Data should not be kept longer than necessary for the stated purpose.
11. Ensure users can exercise GDPR rights over AI-processed data
Users have the right to access, correct, and delete data processed by AI systems. Your systems must support these requests — including data held by third-party AI vendors.
12. Publish an AI usage policy
A public AI policy page documenting your AI tools, their purposes, and data handling practices demonstrates transparency and reduces regulatory risk. It also satisfies emerging EU AI Act transparency obligations.
For an automated check of cookie consent, privacy policy gaps, and third-party AI data flows (items 3, 4, and 6 above), use our AI Privacy Scanner.
Item 12 (Publish an AI usage policy) takes minutes with our free AI policy generator.
Cookie Consent for AI Tools — What's Required
The ePrivacy Directive requires prior informed consent before any non-essential cookie is set. AI tools commonly deploy cookies without adequate consent:
Notable enforcement: the French CNIL fined Google €150 million and Facebook €60 million in 2022 for making it harder to reject cookies than to accept them. Cookie consent for AI tools is actively enforced.
Privacy Policy Requirements for AI-Using Websites
GDPR Articles 13 and 14 require specific disclosures when personal data is collected. For AI systems, your privacy policy must include:
International Data Transfers to AI Providers
Most major AI APIs are operated by US companies. Every API call that sends personal data from EU users to a US server is an international data transfer under GDPR Chapter V. The legal mechanism most commonly used:
| AI Provider | Transfer Mechanism | DPA Available? |
|---|---|---|
| OpenAI | Standard Contractual Clauses (SCCs) | Yes — in Terms of Service |
| Anthropic | Standard Contractual Clauses (SCCs) | Yes — via API Terms |
| Google (Gemini API) | SCCs + EU Data Processing Addendum | Yes |
| Microsoft Azure OpenAI | SCCs + EU Data Boundary | Yes |
| Custom/self-hosted models | Depends on hosting location | Configure your own |
When Your AI Processing Requires a DPIA
GDPR Article 35 triggers a mandatory Data Protection Impact Assessment when AI processing meets certain criteria. You need a DPIA if your AI system:
A DPIA is a documented assessment — not a public document. It identifies the risks, assesses their severity and likelihood, and documents the mitigations you've put in place. Most website AI tools used for customer service or analytics do not trigger a mandatory DPIA, but documenting your assessment either way is good practice.
For the full step-by-step process of checking your website across all regulations, see our guide to a full website AI compliance audit.
Also see: does the EU AI Act apply to US companies.
Frequently Asked Questions
Does GDPR apply if I use a third-party AI tool like ChatGPT on my website?
Yes. When you integrate a third-party AI API that processes personal data from your users, you become a data controller and the AI provider becomes a data processor. GDPR requires you to have a Data Processing Agreement (DPA) in place, disclose the processing in your privacy policy, and ensure the provider meets GDPR standards.
Does a chatbot that only answers FAQs trigger GDPR?
If the chatbot collects any personal data — including IP addresses, names, or email addresses typed into the chat — GDPR applies. Even a simple FAQ bot that logs conversations for analytics is in scope.
What is a Data Processing Agreement and do I need one?
A DPA is a contract between you (data controller) and any third-party service that processes personal data on your behalf (data processor). If you use any AI API — OpenAI, Anthropic, Google AI, or similar — that receives personal data from your users, GDPR Article 28 requires a DPA. Most major providers offer a standard DPA in their terms.
When is a Data Protection Impact Assessment (DPIA) required?
GDPR Article 35 requires a DPIA when processing is 'likely to result in a high risk' to individuals. For AI systems, this typically means: automated decision-making with significant effects, large-scale processing of sensitive data, or systematic monitoring of individuals. A DPIA is a documented assessment — not necessarily a formal audit.
Can I rely on legitimate interests instead of consent for AI data processing?
Legitimate interests can be a lawful basis for AI data processing, but it requires a balancing test: your interests must outweigh the rights and expectations of users. For analytics and service improvement, legitimate interests often apply. For AI systems that profile users or make decisions about them, consent or another specific basis is safer.