GDPR Compliance Checklist for SaaS (2026)
If you're selling a SaaS — on Acquire.com, to an enterprise customer, or to an investor — GDPR due diligence will check the same 9 things. This is the checklist they run, and the one you should run first.
Why this matters
73% of SaaS businesses listed for sale have at least one GDPR issue that comes up in week 2 of due diligence. These issues don't kill deals outright, but buyers use them to renegotiate the price down, sometimes by 10-20%.
The 9 checks
1. Cookie consent banner (ePrivacy Art. 5(3))
Non-necessary cookies (analytics, marketing) must not be set before the user consents.
How to pass: Implement a consent banner that blocks non-essential cookies until the user opts in.
2. Privacy policy exists (Art. 13)
Your site must link to a privacy policy from every page.
3. Legal basis disclosed (Art. 6)
Your privacy policy must state the legal basis for processing (consent, contract, legitimate interest).
4. Data subject rights documented (Art. 13(2)(b))
The policy must tell users their rights: access, rectification, erasure, portability.
5. DPO / contact info (Art. 13(1)(b))
A contact email for privacy questions must be present.
6. Retention policy (Art. 5(1)(e))
How long you keep user data must be documented.
7. Signup consent checkboxes (Art. 4(11), Planet49)
Registration forms must not have pre-checked consent boxes. Consent must be active, not implied.
8. Third-party tracker disclosure (Art. 13(1)(e))
Analytics, marketing pixels, and chat widgets must be listed in the privacy policy.
9. SSL / no mixed content (Art. 32)
The site must be HTTPS with no insecure mixed content.
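Checks 2, 7 and 9 can be screened from a page's static HTML. The script below is an added example, not ComplyScan's code: the names `ChecklistScanner`, `scan` and the sample markup are constructed for illustration. It is a heuristic: it flags every pre-ticked checkbox (a reviewer decides which ones are consent boxes) and cannot see cookies or content injected by JavaScript.

```python
from html.parser import HTMLParser
# Subset of tags whose src attribute loads a subresource; <a href> is navigation,
# not mixed content, so it is deliberately absent.
SUBRESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "audio": "src",
                     "video": "src", "source": "src", "embed": "src"}

class ChecklistScanner(HTMLParser):
    """Collects findings for checks 2, 7 and 9 from one HTML document."""
    def __init__(self):
        super().__init__()
        self.prechecked = []       # check 7: names of pre-ticked checkboxes
        self.mixed_content = []    # check 9: http:// subresource URLs
        self.privacy_link = False  # check 2: a link whose href or text mentions "privacy"
        self._in_anchor = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "checkbox" and "checked" in a:
            self.prechecked.append(a.get("name") or a.get("id") or "(unnamed)")
        url = a.get(SUBRESOURCE_ATTRS.get(tag, ""), "")
        if url.lower().startswith("http://"):
            self.mixed_content.append(url)
        if tag == "a":
            self._in_anchor = True
            self.privacy_link |= "privacy" in a.get("href", "").lower()

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_anchor = False

    def handle_data(self, data):
        if self._in_anchor and "privacy" in data.lower():
            self.privacy_link = True

def scan(html):
    s = ChecklistScanner()
    s.feed(html)
    s.close()
    return {"prechecked": s.prechecked, "mixed_content": s.mixed_content,
            "privacy_link": s.privacy_link}

# Constructed sample page (not taken from any real site).
SAMPLE = """<head><script src="http://cdn.example/a.js"></script></head>
<form action="/signup"><input type="email" name="email">
<input type="checkbox" name="marketing_optin" checked>
<input type="checkbox" name="terms"></form>
<img src="https://cdn.example/logo.png"><a href="/legal">Privacy Policy</a>"""

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Run it against every template your site serves, not only the home page, since check 2 requires the privacy link on every page.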
How to check all 9 in 60 seconds
Run them through ComplyScan — enter your URL and get a grade (A-F) plus every finding cited to the exact GDPR article. The free scan shows your grade and top issues; the full report is $99.
ComplyScan is a screening tool, not legal advice. Always confirm with a qualified privacy lawyer before a transaction.
Run your free scan at exitcomply.com.