Skip to content
sudodudes_
[root@sudodudes ~]# blog

A GDPR-first website architecture (no cookie banner required)

#gdpr #privacy #architecture

Most websites treat GDPR as a banner problem. Bolt on a consent popup, dark-pattern the “accept” button, and carry on shipping every visitor’s data to a dozen ad-tech processors.

We built this site the other way around: if you never collect what you don’t need, most of the consent machinery becomes unnecessary. Here is the entire architecture, honestly.

No cookies. Actually none.

This site sets no cookies. Not “only essential cookies” - none. The pages are statically generated, there is no session, no analytics script, no tracking pixel, no A/B testing framework. You can verify this yourself: open your browser’s developer tools and look at the storage panel.

The ePrivacy rules that force cookie banners apply to storing or reading information on your device. We don’t, so there is no banner. That is not a loophole; it is the point of the law working as intended.

No third-party requests either

A subtler leak most sites miss: every external resource - fonts, CDN scripts, map tiles, avatars - transmits your IP address to that third party. A German court (LG München I, 3 O 17493/20) held that embedding Google Fonts this way violates the GDPR.

This site self-hosts everything: fonts, styles, scripts, and the data behind our threat dashboard. Your browser talks to sudodudes.com and nobody else.

When we DO collect data

Two forms on this site collect personal data, and they work differently on purpose:

The contact form collects your name, email, and message so we can reply. That’s Art. 6(1)(b) GDPR - taking steps at your request before entering a contract. It is never added to a marketing list. Ever.

The newsletter is separate, explicit, opt-in consent (Art. 6(1)(a)) with double opt-in: you get a confirmation email, and nothing is active until you click it. We store the consent timestamp and the exact policy version you agreed to. Every email carries an unsubscribe link that works without logging in, and withdrawal is as easy as subscribing - because Art. 7(3) says it has to be.

EU-only, self-hosted, minimal

All of it - the website, the lead store, the CRM behind it - runs on hardware we own, physically located in Austria. Our one external processor is our email delivery provider, an EU company under a data processing agreement. No data leaves the EU; no Schrems-II transfer gymnastics required.

Data minimization is applied literally: newsletter signups store an email address, a consent record, and nothing else. No IP logging on subscribers, no device fingerprints, no enrichment.

Why we’re writing this down

Because we sell compliance engineering, and the most credible evidence is our own infrastructure. The same principles - collect less, keep it local, make consent real - are what we build for clients. This site is the reference implementation.

[root@sudodudes ~]# subscribe

Get new posts by email

Security engineering, compliance without theatre, open-source threat intel. No tracking, no forwarding your address, unsubscribe in one click.

By subscribing you consent to receiving our newsletter at this address (GDPR Art. 6(1)(a)). We store your email, the consent timestamp, and this policy version - nothing else. Withdraw anytime via the unsubscribe link in every email. Details: privacy policy.