PrivacyProof · Small business
GDPR + the cookie rules require a clear privacy policy, lawful opt-in for non-essential cookies, and a way for people to exercise their data rights. Check yours in 60 seconds.
📐 The honest answer: GDPR has no small-business exemption — it applies regardless of size if you handle EU personal data. Businesses under 250 employees get limited relief from some record-keeping, but the core duties (lawful basis, a privacy notice, honouring data rights) still apply in full.
If it applies to you, here's what you need — these are the points small businesses most often miss:
⚠️ Exposure: up to €20M or 4% of global turnover (Art. 83) · Status: In force. Regulators and plaintiffs do go after small businesses — being small is not a defence.
If you serve EU/UK visitors and use any non-essential cookies (analytics, advertising), you need consent: those cookies must load only after the visitor opts in, with a Reject option as easy to use as Accept.
Your privacy notice must state what data you collect, why, the lawful basis, who you share it with, how long you keep it, any international transfers, and how people can exercise their data rights, all in plain language and available at the point of collection.
Up to €20 million or 4% of global annual turnover, whichever is higher — plus regulator orders and reputational damage.
RuleGoose checks this against the EU GDPR (Reg. (EU) 2016/679), UK GDPR + ePrivacy/cookie rules. Read it yourself: EUR-Lex — Regulation (EU) 2016/679 →
Informational only, not legal advice, and not affiliated with the EU. Thresholds can change and be fact-specific — confirm against the cited source. Last reviewed 2026-06-30.