Web Privacy Quick Start Guide
New to web privacy compliance? Start here.
This guide provides a concise overview of web privacy essentials—the critical concepts, best practices, and common mistakes you need to know. Think of this as your roadmap: read this first to get oriented, then dive into our detailed guides for specific topics.
Table of Contents
- What is Web Privacy?
- Key Regulations at a Glance
- The Privacy Landscape
- Critical Best Practices
- Common Pitfalls to Avoid
- Quick Reference Checklist
- Where to Go Next
What is Web Privacy?
Web privacy is about protecting user data and respecting user choices when they visit your website. It involves:
- Consent Management: Getting permission before tracking users
- Data Protection: Preventing sensitive information from leaking to third parties
- User Rights: Honoring opt-out requests and data deletion requests
- Transparency: Clearly explaining what data you collect and why
Why It Matters:
- Legal Requirements: Privacy regulations (GDPR, CCPA, etc.) require compliance
- User Trust: Privacy-respecting websites build stronger customer relationships
- Risk Reduction: Non-compliance can result in significant fines and legal action
- Business Continuity: Privacy violations can disrupt operations and damage reputation
Key Regulations at a Glance
| Regulation | Consent Model | Key Requirement | Penalties |
|---|---|---|---|
| GDPR (Europe) | Opt-in (users must actively agree) | No tracking before consent | Up to €20M or 4% of global turnover |
| CCPA/CPRA (California) | Opt-out (tracking allowed by default) | Must honor opt-out requests immediately | Up to $7,500 per intentional violation |
| Other US States | Mostly opt-out model | Varies by state | Varies by state |
Europe: GDPR (Opt-In Required)
General Data Protection Regulation - Requires explicit consent before tracking
What This Means: If you serve EU users, you cannot track them until they explicitly consent.
When It Applies: Any website serving EU residents
United States: CCPA/CPRA (Opt-Out Model)
California Consumer Privacy Act - Allows default tracking but requires opt-out mechanism
What This Means: You can track by default, but must provide and honor "Do Not Sell/Share" requests.
When It Applies: Businesses meeting revenue/data thresholds serving California residents
Other US State Laws
Fifteen US states have comprehensive privacy laws with varying requirements:
- Virginia, Colorado, Connecticut: Similar to CCPA (opt-out model)
- Each state has different thresholds and requirements
- Most require opt-out mechanisms
Bottom Line: Understand which regulations apply to your website based on where your users are located.
📖 Learn More: Web Privacy Regulations Guide
The Privacy Landscape
What Gets Tracked?
Tracking Technologies:
- Cookies: Small files stored in browsers
- Tracking Pixels: Invisible images that send data to third parties
- Session Replay: Tools that record user interactions
- Analytics: Tools that collect user behavior data
- Social Media Trackers: Facebook Pixel, Twitter Pixel, LinkedIn Insight Tag
Where Privacy Issues Occur
- Before Consent: Tracking starts before user makes a choice
- After Opt-Out: Tracking continues after user opts out
- Data Leakage: Sensitive data exposed through URLs, referrers, or forms
- Third-Party Sharing: Data sent to third parties without proper consent
The Consent Management Flow
User visits website
↓
Consent banner appears
↓
User makes choice (Accept/Reject)
↓
Page refreshes (critical!)
↓
Consent rules applied
↓
Tracking respects user choice
Critical Point: Page refresh after consent choice is essential—consent rules only apply on new page loads.
Critical Best Practices
1. Always Refresh After Consent Choice
| Why | How |
|---|---|
| Consent management platforms only enforce rules on new page loads. Without refresh, tracking scripts from before consent remain active. | Implement page refresh (window.location.reload()) immediately after user makes consent choice. |
📖 Learn More: Consent Banner Implementation Best Practices
2. Never Track Consent Interactions
| Why | What Not to Track |
|---|---|
| Tracking when users interact with consent banners violates privacy laws. | • Accept button clicks • Reject button clicks • Settings changes • Any consent banner interactions |
3. Categorize All Cookies and Trackers
| Why | How |
|---|---|
| Uncategorized cookies may load without consent, creating violations. | • Audit all cookies and tracking technologies • Categorize them (essential, functional, analytics, marketing) • Configure consent management platform to block non-essential until consent |
📖 Learn More: OneTrust Cookie Management
4. Test from the Frontend
| Why | How |
|---|---|
| Backend configuration doesn't guarantee frontend functionality. | Use browser DevTools to verify: • Scripts are blocked before consent • Opt-out actually prevents tracking • Consent rules are respected after refresh |
📖 Learn More: Testing Consent with Developer Tools
5. Protect Sensitive Data
| Why | How |
|---|---|
| Sensitive data in URLs, referrers, or forms can leak to third parties. | • Use POST (not GET) for forms with sensitive data • Implement rel="noopener noreferrer" on external links • Set referrer policies to prevent data leakage • Never put personal information in URL parameters |
📖 Learn More: Form Data Privacy Best Practices | Web Privacy Engineering Practices
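The checks below are an added example, not code from this guide or from any vendor: they take the four leakage paths listed under "Protect Sensitive Data" (and Pitfall 6) and turn them into pre-deploy audits. Links and forms are passed in as plain objects so the functions run in Node; in a browser you would build those objects from `document.querySelectorAll("a[href], form")`. The parameter-name list, the sample URLs and the form definitions are constructed for the demo and are assumptions to adapt to your own site.

```javascript
// Added example (not from the guide): audits for the leakage paths the guide lists:
// personal data in URL parameters, external links missing rel="noopener noreferrer",
// sensitive forms submitted with GET, and a referrer policy that still sends paths.

// Parameter names that commonly carry personal data or search queries (constructed
// starting list; extend it with the field names your own forms use).
const SENSITIVE_PARAM = /^(e-?mail|(first|last|full)?_?name|phone|tel|ssn|dob|birth\w*|address|zip|postal|patient\w*|account\w*|card\w*|password|q|query|search)$/i;
const EMAIL_VALUE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;
const SSN_VALUE = /^\d{3}-\d{2}-\d{4}$/;

// Return the query parameters of a URL that look like personal data, by name or by value.
// Anything returned here would be copied into browser history, server logs and referrers.
function findSensitiveUrlParams(urlString) {
  const hits = [];
  for (const [name, value] of new URL(urlString).searchParams) {
    if (SENSITIVE_PARAM.test(name)) hits.push({ name, reason: "sensitive parameter name" });
    else if (EMAIL_VALUE.test(value)) hits.push({ name, reason: "value looks like an email address" });
    else if (SSN_VALUE.test(value)) hits.push({ name, reason: "value looks like an SSN" });
  }
  return hits;
}

// A link is external when it resolves to an http(s) origin other than the site's own.
function isExternalLink(href, siteOrigin) {
  try {
    const target = new URL(href, siteOrigin);
    if (!/^https?:$/.test(target.protocol)) return false;
    return target.origin !== new URL(siteOrigin).origin;
  } catch {
    return false;
  }
}

// Add noopener and noreferrer to an existing rel value without dropping other tokens.
function hardenedRel(rel) {
  const tokens = new Set((rel || "").split(/\s+/).filter(Boolean));
  tokens.add("noopener");
  tokens.add("noreferrer");
  return [...tokens].join(" ");
}

// Report external links that lack either token, with the rel value they should carry.
// Each link is { href, rel } (in a browser: a.getAttribute("href"), a.getAttribute("rel")).
function auditLinks(links, siteOrigin) {
  return links
    .filter((l) => isExternalLink(l.href, siteOrigin))
    .filter((l) => !/\bnoopener\b/.test(l.rel || "") || !/\bnoreferrer\b/.test(l.rel || ""))
    .map((l) => ({ href: l.href, rel: hardenedRel(l.rel) }));
}

// Report forms that submit a sensitive field with anything other than POST.
// Each form is { id, method, fields: [field names] }; a missing method defaults to GET.
function auditForms(forms) {
  return forms
    .filter((f) => (f.method || "get").toLowerCase() !== "post")
    .filter((f) => f.fields.some((name) => SENSITIVE_PARAM.test(name)))
    .map((f) => f.id);
}

// Referrer policies that never send the path or query to another origin.
// An unset policy counts as "not configured" so it shows up in the audit.
const SAFE_REFERRER_POLICIES = new Set(["no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"]);
function referrerPolicyLeaksPath(policy) {
  return !SAFE_REFERRER_POLICIES.has((policy || "").trim().toLowerCase());
}

// Constructed sample inputs for a stand-alone run.
const SITE = "https://www.example.com";
const SAMPLE_LINKS = [
  { href: "/about", rel: "" },
  { href: "https://partner.example/", rel: "nofollow" },
  { href: "https://cdn.example/widget", rel: "noopener noreferrer" },
];
const SAMPLE_FORMS = [
  { id: "site-search", method: "GET", fields: ["q"] },
  { id: "contact", method: "post", fields: ["email", "message"] },
  { id: "newsletter", method: "", fields: ["email"] },
];
```

Run the link and form audits in CI against rendered pages, and run `findSensitiveUrlParams` on the URLs your analytics tool reports: a hit there means the data has already reached a third party.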
6. Honor Global Privacy Control (GPC)
| Why | How |
|---|---|
| GPC is a universal opt-out signal that must be honored in several states. | Configure your consent management platform to detect and honor GPC signals. |
📖 Learn More: OneTrust Privacy Signals
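How a site can read the GPC signal on both sides and fold it into the consent it actually enforces, as an added example that is not part of this guide and not OneTrust code. Browsers expose GPC as `navigator.globalPrivacyControl` and send it to servers as the request header `Sec-GPC: 1`. The `navigator` and header objects are passed in so the code runs in Node, and the mapping of GPC onto the `marketing` consent group is an assumption to align with your own CMP's categories.

```javascript
// Added example (not from the guide or OneTrust): detecting Global Privacy Control and
// applying it as a standing opt-out on top of whatever the consent banner stored.

// Client side: honor the signal only when the browser explicitly asserts it.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Server side: header names are case-insensitive and the only defined value is "1".
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Groups that amount to "sell/share" under the opt-out model.
// Assumption: adjust this to the category names your CMP uses.
const SALE_SHARE_GROUPS = ["marketing"];

// Fold the signal into stored consent: with GPC set, sale/share groups are forced off
// even if the banner was accepted earlier; everything else is left as the user chose.
function effectiveConsent(stored, gpcSignal) {
  const result = { ...stored, gpcApplied: gpcSignal === true };
  if (gpcSignal) {
    for (const group of SALE_SHARE_GROUPS) result[group] = false;
  }
  return result;
}

// Constructed inputs for a stand-alone run.
const STORED_CONSENT = { essential: true, functional: true, analytics: true, marketing: true };
const SAMPLE_HEADERS = { "Sec-GPC": "1", "user-agent": "constructed-sample" };
```

Record `gpcApplied` alongside the stored consent so the banner can show the user that the signal was honored, and log it on the server so an opt-out request can be traced back to the header that triggered it.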
7. Mask Sensitive Data in Session Replay
| Why | How |
|---|---|
| Session replay tools can capture sensitive information (passwords, SSNs, medical data). | Configure session replay tools to mask sensitive fields and data. |
📖 Learn More: Session Replay Privacy Best Practices
8. Integrate Tag Manager with Consent Platform
| Why | How |
|---|---|
| Tag managers and consent platforms must communicate for consent rules to work. | Configure integration so tag manager only fires tags based on consent groups. |
📖 Learn More: OneTrust GTM Integration
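The following is an added example, not code from this guide, OneTrust or Google Tag Manager: a minimal consent gate that puts practices 1, 2, 3 and 8 into one piece of logic. Tags fire only for consented groups, a tag with no category is blocked (Pitfall 4), the page reloads after every choice, and consent-banner interactions are never sent to analytics. Storage, the reload function and the tag registry are injected so the same code runs in a browser or stand-alone in Node; the storage key, the event-name prefix and the sample registry are assumptions for the demo.

```javascript
// Added example (not from the guide or any CMP vendor): consent gate for tag firing.

const CONSENT_GROUPS = ["essential", "functional", "analytics", "marketing"];
const CONSENT_KEY = "site_consent"; // hypothetical storage key

// Read stored consent. No record, or an unparseable one, means "no choice yet",
// which grants only the essential group.
function readConsent(storage) {
  const fallback = { essential: true, functional: false, analytics: false, marketing: false, chosen: false };
  let raw;
  try { raw = storage.getItem(CONSENT_KEY); } catch { return fallback; }
  if (!raw) return fallback;
  try {
    const parsed = JSON.parse(raw);
    const consent = { ...fallback, chosen: true };
    for (const group of CONSENT_GROUPS) {
      if (group !== "essential") consent[group] = parsed[group] === true;
    }
    return consent;
  } catch {
    return fallback;
  }
}

// Persist the choice, then reload: scripts injected before the choice cannot be
// unloaded, so the gate is re-evaluated on a clean page load.
function applyConsentChoice(choice, storage, reload) {
  const record = {};
  for (const group of CONSENT_GROUPS) {
    record[group] = group === "essential" ? true : choice[group] === true;
  }
  storage.setItem(CONSENT_KEY, JSON.stringify(record));
  reload();
  return record;
}

function acceptAll(storage, reload) {
  return applyConsentChoice({ functional: true, analytics: true, marketing: true }, storage, reload);
}
function rejectAll(storage, reload) {
  return applyConsentChoice({}, storage, reload);
}

// A tag may fire only if its group is a known category AND that group is consented.
// A tag with no group (never categorized) is always blocked.
function tagsAllowed(registry, consent) {
  return registry.filter((tag) => CONSENT_GROUPS.includes(tag.group) && consent[tag.group] === true);
}

// Analytics wrapper: nothing is sent without analytics consent, and banner
// interactions are dropped even when consent exists. Assumption: banner events
// are named with a "consent_" / "consent-" prefix.
function isConsentUiEvent(eventName) {
  return /^consent[_-]/i.test(eventName);
}
function trackEvent(eventName, consent, sink) {
  if (!consent.analytics) return false;
  if (isConsentUiEvent(eventName)) return false;
  sink.push(eventName);
  return true;
}

// In-memory stand-in for localStorage (constructed for the demo).
function memoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => data.set(k, String(v)),
  };
}

// Constructed registry: the groups are what the cookie audit would have assigned.
const SAMPLE_TAGS = [
  { id: "csrf-helper", group: "essential" },
  { id: "ga4", group: "analytics" },
  { id: "fb-pixel", group: "marketing" },
  { id: "new-chat-widget" }, // never categorized: must not fire
];

// Walk through the flow once: first visit, accept, re-evaluate after the reload.
function demo() {
  const storage = memoryStorage();
  let reloads = 0;
  const reload = () => { reloads += 1; };
  const before = tagsAllowed(SAMPLE_TAGS, readConsent(storage)).map((t) => t.id);
  acceptAll(storage, reload);
  const after = tagsAllowed(SAMPLE_TAGS, readConsent(storage)).map((t) => t.id);
  return { before, after, reloads };
}
```

In a real deployment `storage` is `window.localStorage` (or the CMP's consent cookie), `reload` is `() => window.location.reload()`, and the tag manager's triggers consult `tagsAllowed` rather than firing on page load; the frontend test from practice 4 is then simply checking that the blocked tags never appear in the DevTools network panel before consent.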
Common Pitfalls to Avoid
❌ Pitfall 1: Installed but Not Configured
| Problem | Why It Happens | How to Avoid |
|---|---|---|
| Consent banner appears, but scripts aren't actually blocked. | Installation is easy, but configuration requires additional setup. | Always test from the frontend—verify scripts are blocked before consent. |
📖 Learn More: Common Privacy Pitfalls
❌ Pitfall 2: No Page Refresh After Consent
| Problem | Why It Happens | How to Avoid |
|---|---|---|
| User opts out, but tracking continues because page doesn't refresh. | Developers assume consent rules apply immediately without refresh. | Always implement page refresh after consent choice. |
❌ Pitfall 3: Tracking Consent Interactions
| Problem | Why It Happens | How to Avoid |
|---|---|---|
| Analytics tracks when users click "Accept" or "Reject" buttons. | Analytics is enabled before the consent banner's pages and events have been excluded from it. | Exclude consent banner pages/events from all tracking. |
❌ Pitfall 4: Uncategorized Cookies
| Problem | Why It Happens | How to Avoid |
|---|---|---|
| New cookies added over time aren't added to consent tool. | Lack of ongoing maintenance and auditing. | Regular audits (quarterly minimum) and change management process. |
❌ Pitfall 5: Tag Manager Not Integrated
| Problem | Why It Happens | How to Avoid |
|---|---|---|
| Tags fire regardless of consent because GTM and CMP aren't connected. | Tag manager and consent platform configured separately. | Properly integrate tag manager with consent management platform. |
❌ Pitfall 6: Sensitive Data in URLs
| Problem | Why It Happens | How to Avoid |
|---|---|---|
| Form data (search queries, personal info) appears in URL parameters. | Using GET requests for forms or search functionality. | Use POST requests for sensitive data, sanitize search queries. |
❌ Pitfall 7: Social Media Pixels on Sensitive Sites
| Problem | Why It Happens | How to Avoid |
|---|---|---|
| Facebook Pixel, Twitter Pixel on healthcare or financial websites. | Marketing teams add social trackers without privacy review. | Prohibit social media trackers on sensitive pages (patient portals, financial forms). |
📖 Learn More: Social Media Integration Privacy Compliance
❌ Pitfall 8: Testing with Browser Extensions
| Problem | Why It Happens | How to Avoid |
|---|---|---|
| Privacy extensions (uBlock Origin) block tracking, giving false confidence. | Developers test with extensions installed. | Always test in Chrome Guest Profile (no extensions). |
Quick Reference Checklist
Consent Management
- Consent banner appears before any tracking
- Page refreshes after consent choice
- Scripts are blocked before consent (GDPR regions)
- Opt-out requests are honored immediately
- Consent interactions are NOT tracked
- Global Privacy Control (GPC) is supported
Cookie and Tracker Management
- All cookies are categorized in consent tool
- Regular audits conducted (quarterly minimum)
- New cookies added to consent tool when deployed
- Essential cookies properly categorized
- Marketing cookies require consent
Tag Manager Integration
- Tag manager integrated with consent platform
- Tags only fire based on consent groups
- Blocked tags don't fire after opt-out
- Integration tested and verified
Data Protection
- No sensitive data in URL parameters
- Forms use POST (not GET) for sensitive data
- Referrer policies implemented on external links
- Session replay masks sensitive fields
- No social media trackers on sensitive pages
Testing and Maintenance
- Frontend testing confirms consent functionality
- Regular audits scheduled
- Change management process for new tags/services
- Documentation kept up-to-date
- Test in Chrome Guest Profile (no extensions)
Where to Go Next
This quick start covers the essentials. For detailed guidance on specific topics, explore these guides:
📚 Understanding Privacy
- Web Privacy Terms Glossary - Definitions of key privacy concepts
- Web Privacy Regulations Guide - Comprehensive regulatory overview
🛠️ Implementation Guides
- Consent Banner Implementation Best Practices - How to properly implement consent banners
- Consent Management Platform Best Practices - CMP configuration and best practices
- Testing Consent with Developer Tools - How to test and verify consent implementations
⚠️ Common Issues
- Common Privacy Pitfalls - Detailed guide to avoiding mistakes
- OneTrust Common Issues - Troubleshooting OneTrust-specific problems
🔧 Technical Implementation
- Web Privacy Engineering Practices - HTML and technical privacy measures
- Form Data Privacy Best Practices - Protecting form data
- Session Replay Privacy Best Practices - Configuring session replay tools
🎯 Platform-Specific
- OneTrust Getting Started - OneTrust setup and configuration
- OneTrust Best Practices - OneTrust-specific guidance
- Google Analytics Consent Management - GA4 consent integration
👥 For Privacy Leaders
- Privacy Champion Guide - Building a privacy program
- Server-Side Tracking Accountability - Understanding tracking accountability
Key Takeaways
- Privacy is Required: Regulations require compliance—it's not optional
- Consent Must Be Real: Consent banners must actually block tracking, not just appear
- Page Refresh is Critical: Consent rules only apply after page refresh
- Test Everything: Always verify consent functionality from the frontend
- Maintain Regularly: Privacy compliance requires ongoing attention, not just initial setup
- Protect Sensitive Data: Prevent data leakage through URLs, referrers, and forms
- Honor User Choices: Opt-out requests must be respected immediately
- Know Your Regulations: Understand which regulations apply to your website
Need Help?
- New to privacy? Start with the Privacy Champion Guide
- Implementing consent? See Consent Banner Implementation Best Practices
- Using OneTrust? Check OneTrust Getting Started
- Testing issues? Review Testing Consent with Developer Tools
- Common problems? Read Common Privacy Pitfalls
Remember: Privacy compliance is an ongoing process, not a one-time setup. Regular testing, maintenance, and audits are essential to protect user privacy and maintain compliance.