The GDPR's requirements are continuously being made more precise through supervisory guidance and court practice, and enforcement is getting stricter. Data protection is now a natural part of the digital landscape, and in 2025 privacy is more in focus than ever.
Cookie consent management (the cookie banner) is a critical part of GDPR compliance. In Estonia, this aspect has gained significantly more attention in recent years.
Data protection as a sign of trustworthiness
Website owners often struggle to keep up with data protection regulations alongside their core responsibilities, which is perfectly understandable. Just like most of us don’t follow the latest developments in the metaverse over our morning coffee, a business owner isn’t expected to be a data privacy expert. However, this doesn’t remove the responsibility—it simply signals that it might be time to delegate this area to a reliable partner.
Unfortunately, we still come across websites, sometimes even newly launched ones, that don’t meet even the minimum GDPR standards. This highlights a knowledge gap within the sector itself.
It’s crucial to understand: GDPR is not just a legal requirement but also a marker of business responsibility and trustworthiness. A website that complies with data protection laws reflects a professional and considerate approach and sends a clear message—we respect our visitors’ privacy.
Real risks: the rise of cyber incidents
In 2024, Estonia's Information System Authority (RIA) reported 6,515 cyber incidents with impact, almost twice as many as the year before. The number of vulnerabilities is rising as well: most of CERT-EE's security alerts in 2024 concerned vulnerabilities in WordPress plugins (2,462) and the Magento platform (263).
This isn’t just a local issue—globally, vulnerabilities were more widespread in 2024 than ever before. According to Patchstack, WordPress vulnerabilities increased from 5,948 in 2023 to 7,966 in 2024. As of April 2025, over 4,000 have already been identified, putting this year on track to surpass the last.
RIA emphasizes that the simplest and most effective way to reduce cyber risks is by keeping your website software, plugins, and other components up to date. Through offering website maintenance, I’ve seen firsthand how much room for improvement there still is in Estonia—awareness of the need for ongoing maintenance and what it entails is low. Many still view website maintenance as a “nice-to-have,” when in fact, it’s a vital part of a company’s defense strategy. Too often, the assumption is that if a site looks polished, everything else must be fine. In reality, this mindset risks both data and reputation just to save on maintenance costs.
If no one is currently maintaining your site, or you’re unsure about your knowledge, Redwall’s maintenance service can help.

Website maintenance service and support
A website requires regular maintenance to remain up to date, secure, and trustworthy for your clients.
GDPR, on the other hand, primarily limits the damage: a site that collects no unnecessary personal data and lets visitors choose what they share simply has less to lose if something does go wrong, and the impact of an incident is significantly reduced.
GDPR means responsibility
When a customer entrusts their data to a company, be it during a purchase or an inquiry, they rightfully expect the company to handle that data securely and responsibly.
Data processing rules are governed not only by the GDPR but also by related regulations such as the ePrivacy Directive and Estonia’s Personal Data Protection Act. The most visible and routine aspect of this is the website’s cookie consent form, commonly known as the cookie banner.
Basic rules for managing cookies
- Non-essential cookies must not be set, and no data may be collected through them, before consent is given (strictly necessary cookies, such as a session or shopping-cart cookie, are exempt).
- Until the visitor has made a choice, the default must be "decline": no pre-ticked boxes, and closing or ignoring the banner must not count as acceptance.
- The banner must offer a real choice; a single "OK" button is not consent.
- The "accept" and "decline" buttons must be equally prominent in size, contrast, and wording.
- Options must be worded clearly.
- Every cookie in use and its purpose must be described.
- Visitors must be able to change or withdraw their choice later, as easily as they gave it.
- What is actually stored in the browser must match the visitor's choice: tracking scripts must not run and their cookies must not appear until "accept" is clicked. A well-designed banner that does not control the scripts behind it is insufficient.
Too often, we encounter websites where the banner looks good but does not work: tracking cookies are set even when the visitor declines, or before the banner has been answered at all. Such implementations violate the law. You can check this yourself: open the site in a private browser window, open the developer tools (the Application or Storage tab, under Cookies), note which cookies are present before you touch the banner, then click "decline" and look again. Anything beyond the session cookie and the consent cookie itself is a problem.
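To make the last rule in the list above concrete, here is an added example (not Redwall's code and not taken from any particular cookie plugin) of a minimal consent gate together with an audit helper that checks whether the cookies actually present in the browser match the visitor's choice. The cookie names, the category list, the consent-cookie format and the script paths are assumptions made for the example; a real site would take them from its own cookie inventory.

```javascript
// Added example (not Redwall's code or any specific plugin): a minimal consent
// gate plus an audit helper. Cookie names, categories, the consent-cookie
// format and the script paths below are assumptions for the example.
const CONSENT_COOKIE = "cookie_consent";
// Strictly necessary cookies that may be set without consent (assumed list).
const ESSENTIAL = new Set(["PHPSESSID", "wordpress_logged_in", CONSENT_COOKIE]);
// Cookie-name prefix -> consent category for the trackers we expect (assumed list).
const CATEGORY_BY_PREFIX = { _ga: "analytics", _gid: "analytics", _fbp: "marketing", _gcl: "marketing" };
// No recorded choice means every non-essential category is declined.
const DEFAULT_CONSENT = Object.freeze({ analytics: false, marketing: false });

// Parse a document.cookie / Cookie-header string into { name: value }.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) out[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return out;
}

// Read the stored choice; a missing or malformed consent cookie counts as "decline".
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return { ...DEFAULT_CONSENT };
  try {
    const c = JSON.parse(raw);
    return { analytics: c.analytics === true, marketing: c.marketing === true };
  } catch {
    return { ...DEFAULT_CONSENT };
  }
}

// Build the cookie string that records the visitor's choice (180 days by default).
function consentCookieValue(choices, maxAgeSeconds = 180 * 24 * 3600) {
  const value = JSON.stringify({ analytics: choices.analytics === true, marketing: choices.marketing === true });
  return `${CONSENT_COOKIE}=${encodeURIComponent(value)}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

// Run only the loaders whose category was accepted and return what was loaded.
// With DEFAULT_CONSENT nothing runs, so no tracker executes before a choice is made.
function loadTrackers(consent, loaders) {
  const loaded = [];
  for (const [category, loader] of Object.entries(loaders)) {
    if (consent[category] === true) {
      loader();
      loaded.push(category);
    }
  }
  return loaded;
}

// Map a cookie name to its consent category by prefix; anything unlisted is "unknown".
function categoryOf(name) {
  for (const [prefix, category] of Object.entries(CATEGORY_BY_PREFIX)) {
    if (name.startsWith(prefix)) return category;
  }
  return "unknown";
}

// The check itself: every cookie present must be essential or belong to a category
// the visitor accepted. Unknown cookies are reported too, because a cookie that is
// not in the inventory cannot have been described to the visitor.
function auditCookies(cookieString, consent) {
  const violations = [];
  for (const name of Object.keys(parseCookies(cookieString))) {
    if (ESSENTIAL.has(name)) continue;
    const category = categoryOf(name);
    if (category === "unknown" || consent[category] !== true) violations.push({ name, category });
  }
  return violations;
}

// Browser wiring (skipped when run under Node): gate the tracker scripts on the stored choice.
// The script paths are placeholders for this example.
if (typeof document !== "undefined") {
  const addScript = (src) => document.head.appendChild(Object.assign(document.createElement("script"), { src }));
  loadTrackers(readConsent(document.cookie), {
    analytics: () => addScript("/js/analytics.js"),
    marketing: () => addScript("/js/marketing.js"),
  });
}
```

The important design choice is that `readConsent` treats "no cookie" and "unreadable cookie" exactly like an explicit "decline", so the site behaves lawfully by default and only a positive action can switch a tracker on. `auditCookies` is the same check you would do by hand in the developer tools: feed it `document.cookie` after clicking "decline" and any non-empty result is a banner that looks right but does not work.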
If you’re unsure whether your website’s solution works as required, feel free to contact us. We’ll review it.
A proper solution may not be free
Free cookie banner plugins might seem appealing but are not always reliable. In our experience, cheap or free solutions do not always block scripts correctly before consent or keep up with changes in the rules. The more widely used and better-maintained solutions are usually paid, especially once website traffic grows.
Therefore, we recommend paid and reliable solutions like:
These tools also receive security updates and let you manage tracking pixels and web beacons, which are important for marketing activities and need the same consent gating as cookies.
Not just a recommendation
Compliance with GDPR requirements is not merely a recommended best practice or a matter of internal company ethics. It is a legal obligation enforced by relevant authorities. In Estonia, the Data Protection Inspectorate has the legal right to issue directives, initiate supervisory proceedings, and impose fines for violations.
This is not fearmongering but a reality that every website owner should consider. Penalties are not imposed only on large corporations—even small businesses with non-compliant websites or improper data collection practices can come under scrutiny.
Proper cookie management, transparent presentation of data protection terms, and a technically functioning consent system are not added values but the minimum expected from a website.
Recommendations for online stores that actually apply to all websites
GDPR and privacy policies are not limited to managing cookies and tracking pixels. They encompass broader data protection principles affecting the entire process of collecting, storing, and processing customer data. To understand precisely what your website must comply with, it’s worth reviewing the guidelines prepared by the Data Protection Inspectorate. Although aimed at Estonian online stores, they are also suitable for all Estonian website owners.
The material is clearly structured and provides a good overview of data security principles and practical requirements. Review the guidelines here (in Estonian):
Privacy policy must be present on the website and compliant
In addition to the cookie consent form, every website must have an easily accessible and understandable privacy policy. This document, typically linked from the website footer, clearly states who is responsible for the data (the controller), what personal data is collected and on what legal basis, how it is used, how long it is stored, who has access to it (including any processors), and what rights visitors have regarding their data.
We often encounter websites with privacy policies copied from elsewhere or outdated—referencing obsolete laws or lacking information about data processors. Such approaches offer no protection to either the business or the customer and may violate GDPR requirements.
When creating a reliable and compliant privacy policy page, it’s advisable to follow the Data Protection Inspectorate’s guidelines (see aki.ee) and seek assistance from a lawyer or competent partner.
Final word
GDPR is more than just a regulation—it’s part of a professional, secure, and trustworthy web presence. If you lack the necessary knowledge for website management, contact us—Redwall’s maintenance service and support will help ensure your website complies with data protection requirements, functions correctly, and includes a compliant and reliably working cookie consent form.
How to start?
👋 Write to us info@redwall.ee or call 776 9222.
Let’s arrange a meeting to get to know each other, think together and discuss how we can be of help with our services.
Used Materials
- Riigi Infosüsteemi Amet (RIA). Küberturvalisuse aastaraamat: mõjuga intsidentide arv kasvas aastaga kaks korda (Cybersecurity yearbook: the number of incidents with impact doubled in a year). https://www.ria.ee/uudised/kuberturvalisuse-aastaraamat-mojuga-intsidentide-arv-kasvas-aastaga-kaks-korda
- Riigi Infosüsteemi Amet (RIA). Küberturvalisuse aastaraamat 2025 (Cybersecurity Yearbook 2025). https://www.ria.ee/2024-toi-rekordarvu-turvanorkusi
- Patchstack. State of WordPress Security in 2025. https://patchstack.com/whitepaper/state-of-wordpress-security-in-2025/
- Patchstack. State of WordPress Security in 2024. https://patchstack.com/whitepaper/state-of-wordpress-security-in-2024/
- Patchstack. Latest in WordPress security (2025 statistics). https://patchstack.com/database/statistics/wordpress/2025
- Riigi Infosüsteemi Amet (RIA). 2024 tõi rekordarvu turvanõrkusi (2024 brought a record number of vulnerabilities). https://www.ria.ee/2024-toi-rekordarvu-turvanorkusi
- GDPR.eu. Cookies, the GDPR, and the ePrivacy Directive. https://gdpr.eu/cookies/
- CookieYes. Guide to a GDPR Compliant Cookie Banner. https://www.cookieyes.com/blog/cookie-banner/
- Andmekaitse Inspektsioon (Data Protection Inspectorate) yearbook 2021–2022. Veebiküpsiste kasutamine (Use of web cookies). https://aastaraamat.aki.ee/index.php/aastaraamat-2021-2022-meedia/veebikupsiste-kasutamine
- Andmekaitse Inspektsioon (Data Protection Inspectorate). Andmekaitse Inspektsioon avaldas uued andmeturbe soovitused e-poodidele (The Data Protection Inspectorate published new data security recommendations for online stores). https://www.aki.ee/uudised/andmekaitse-inspektsioon-avaldas-uued-andmeturbe-soovitused-e-poodidele
- Riigi Teataja. Isikuandmete kaitse seadus (Personal Data Protection Act). https://www.riigiteataja.ee/akt/104012019011
- EUR-Lex. Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). https://eur-lex.europa.eu/legal-content/ET/TXT/?uri=celex:32002L0058
- EUR-Lex. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng