GDPR Articles 13 and 14 impose a positive obligation to inform users at the point of data collection — not just in a footer-buried privacy policy. A signup form that submits an email address with no indication of what happens to it, how long it is kept, or why it is needed violates Art. 13(1) on first contact. Cookie banners that present an 'Accept' button without describing which cookies fire or for how long similarly fail Art. 13 and the ePrivacy Directive Art. 5(3). Regulators treat missing point-of-collection notices as independently sanctionable from other violations, not merely as context for other failures.
Severity is high because omitting point-of-collection disclosure violates the transparency principle under Art. 5(1)(a) and the specific disclosure obligations of Art. 13, independently of any other GDPR breach.
Add a privacy notice near the submit button of every data-collecting form, linking to the full privacy policy within one click.
```jsx
<form onSubmit={handleSignup}>
  <input type="email" name="email" required />
  <input type="password" name="password" required />
  {/* Required by GDPR Art. 13 */}
  <p className="text-sm text-muted-foreground mt-3">
    By creating an account, you agree to our{' '}
    <a href="/terms" className="underline">Terms</a>. We collect your email
    to deliver the service (legal basis: contract, Art. 6(1)(b)). We retain
    account data until you delete your account.{' '}
    <a href="/privacy" className="underline">Privacy Policy</a>.
  </p>
  <button type="submit">Create account</button>
</form>
```
For cookie banners, ensure purpose and retention are visible or reachable in one click from the banner itself — not only in the full privacy policy. Minimum compliant banner text: "Essential cookies run the site. Analytics cookies (2-year retention) help us improve it. Accept all / Manage preferences / Reject non-essential."
ID: gdpr-readiness.lawful-basis.collection-transparency
Severity: high
What to look for: GDPR Articles 13 and 14 require that users be informed at the point of data collection about: what personal data is being collected, the purpose of processing, the legal basis, the retention period (or criteria for determining it), and who the data will be shared with. Check each major data collection point: signup form, contact form, newsletter opt-in, checkout, and cookie consent banner. Is there a notice or link to the privacy policy at each form? For the cookie banner: does it state which categories of cookies are used and for what purpose? Is the retention period mentioned (either in the banner or reachable via one click)? Check whether "privacy notice" text is visible at the point of form submission, not just buried in the footer. Count all instances found and enumerate each.
Pass criteria: At each significant data collection point, users can see (or reach within one click) information about what is collected, why, the retention period, and who it is shared with. The cookie consent banner clearly describes cookie categories and their purposes. Signup forms link to the privacy policy near the submit button. At least 1 implementation must be confirmed.
Fail criteria: No privacy notice at data collection points. Forms submit data with no indication of what is collected or why. Cookie banner appears but does not describe the purpose of each category. Retention periods nowhere communicated.
Skip (N/A) when: Application collects no personal data and has no user-facing forms or cookies.
Detail on fail: Example: "Signup form has no link to the privacy policy and no disclosure of what data is collected or why. Users have no notice at the point of collection." or "Cookie banner shows Accept/Reject with no description of cookie purposes or retention periods." or "Checkout form collects billing address with no disclosure that it is stored and for how long."
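A small auditor for the form part of the check above, added here as an example and not part of this rule set: it walks a page's HTML with the standard-library parser, records every `<form>`, and flags whether a privacy-policy link, a purpose statement and a retention statement appear inside it, so each collection point can be enumerated. The keyword lists and the sample HTML are constructed assumptions; they are a starting point for a manual review, not a definitive compliance test.

```python
from html.parser import HTMLParser

# Keyword heuristics (an assumption of this example) for the minimum a
# point-of-collection notice should mention: purpose and retention.
PURPOSE_WORDS = ("collect", "legal basis", "use your")
RETENTION_WORDS = ("retain", "retention", "until you delete", "kept for")


class FormNoticeAuditor(HTMLParser):
    """Record, for every <form>, whether a privacy link plus purpose and retention text sit inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []   # one record per <form> found on the page
        self._cur = None  # record for the form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            name = a.get("id") or a.get("action") or f"form#{len(self.forms) + 1}"
            self._cur = {"form": name, "privacy_link": False, "text": ""}
        elif tag == "a" and self._cur is not None and "privacy" in a.get("href", "").lower():
            self._cur["privacy_link"] = True  # link to the policy inside the form

    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += " " + data.lower()  # all visible text inside the form

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            text = self._cur.pop("text")
            self._cur["purpose"] = any(w in text for w in PURPOSE_WORDS)
            self._cur["retention"] = any(w in text for w in RETENTION_WORDS)
            self._cur["pass"] = all(self._cur[k] for k in ("privacy_link", "purpose", "retention"))
            self.forms.append(self._cur)
            self._cur = None


def audit_forms(html):
    """Return one record per form with privacy_link / purpose / retention flags and an overall pass."""
    parser = FormNoticeAuditor()
    parser.feed(html)
    parser.close()
    return parser.forms


# Constructed sample page: a signup form with a compliant notice and a bare newsletter form.
SAMPLE_HTML = """
<form id="signup" action="/signup">
  <input type="email" name="email" required>
  <p>By creating an account, you agree to our <a href="/terms">Terms</a>.
  We collect your email to deliver the service (legal basis: contract).
  We retain account data until you delete your account.
  <a href="/privacy">Privacy Policy</a>.</p>
  <button type="submit">Create account</button>
</form>
<form id="newsletter" action="/subscribe">
  <input type="email" name="email">
  <button type="submit">Subscribe</button>
</form>
"""

if __name__ == "__main__":
    for record in audit_forms(SAMPLE_HTML):
        print(record)
```

Each record names the form, so failing forms can be listed one by one in the finding detail.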
Remediation: Add point-of-collection transparency to each data-gathering form:
```jsx
// Signup form — add privacy notice near submit button
<form onSubmit={handleSignup}>
  <input type="email" name="email" required />
  <input type="password" name="password" required />
  {/* Transparency notice — required by GDPR Art. 13 */}
  <p className="text-sm text-muted-foreground mt-3">
    By creating an account, you agree to our{' '}
    <a href="/terms" className="underline">Terms of Service</a>. We collect your
    email address to deliver the service (legal basis: contract). We retain account
    data until you delete your account. See our{' '}
    <a href="/privacy" className="underline">Privacy Policy</a> for full details.
  </p>
  <button type="submit">Create account</button>
</form>
```
For cookie banners, the purpose and retention should be in the expanded view or reachable via a "Learn more" link. A compliant banner structure:
"We use cookies to make this site work and, with your permission, to understand
how you use it. Essential cookies are always on (session, security). Analytics
cookies help us improve the product (2-year retention). Accept all / Manage
preferences / Reject non-essential"