What evidence do I need for GDPR compliance?

GDPR Article 5(2) requires you to demonstrate compliance, and Art. 28 requires you to monitor processors. For your own website, your CMS and CMP provide version history. But for third-party websites — processors, vendors, sub-processors, clients — you have no record of what their pages showed on any date. ProofSnap captures any website with a cryptographic timestamp, creating forensic-grade proof of what a vendor's DPA, processor's privacy policy, or client's cookie banner showed at a specific point in time.

How do I prove my cookie banner was compliant on a specific date?

Open your website in Chrome, click ProofSnap. In 10 seconds you get a forensic evidence package: full-page screenshot, HTML source code, metadata, forensic log, chain of custody, and a cryptographic timestamp proving what your cookie banner looked like on that date. Repeat monthly or after every change. CNIL fined Google EUR 325M and SHEIN EUR 150M for cookie consent violations in 2025 alone.

What is the GDPR accountability principle (Article 5(2))?

Article 5(2) GDPR states: 'The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (accountability).' This shifts the burden of proof to you. If a data protection authority investigates, you must produce evidence of compliance. If you cannot, that failure itself is a violation. Meta was fined EUR 17M by the Irish DPC specifically because it could not demonstrate the security measures it had implemented.

Can I use the Wayback Machine as GDPR compliance evidence?

The Wayback Machine has significant limitations as legal evidence. In Weinhoffer v. Davie Shoring (5th Circuit, 2022), the court ruled that Wayback Machine archives are not self-authenticating and not appropriate for judicial notice, because 'a private internet archive falls short of being a source whose accuracy cannot reasonably be questioned.' The Internet Archive itself disclaims accuracy in its terms of use. It also does not capture dynamic content, JavaScript-rendered elements, or login-protected pages. ProofSnap provides cryptographically timestamped, forensic-grade evidence with chain of custody.

What happens if I fail a GDPR audit?

GDPR fines are tiered. Art. 83(5) covers the most serious violations (Arts. 5, 6, 7, 9 and Chapter V transfers) — up to EUR 20 million or 4% of annual global turnover, whichever is higher. Art. 83(4) covers less serious violations (including Arts. 8, 25–39, 42, 43) — up to EUR 10 million or 2% of annual global turnover, whichever is higher. Since 2018, over EUR 7.1 billion in fines have been issued. Cookie consent violations alone have generated hundreds of millions in fines. Without a clear audit trail, auditors assume the control is not in place.

How is ProofSnap different from CookieYes, Cookiebot or OneTrust?

Cookie consent tools manage consent on your own website and are valuable for that purpose. But they cannot capture what a third party's website showed — your processor's privacy policy, vendor's DPA, or client's cookie banner. ProofSnap captures any website with a cryptographic timestamp. For web agencies, it provides independent proof of what was delivered to the client, even after losing CMS access.

How much does GDPR compliance evidence cost?

Enterprise web archiving (Pagefreezer, MirrorWeb, Smarsh) costs $500-5,000+/month with multi-year contracts. A traditional notary costs EUR 200-500+ per session. ProofSnap starts at $4.99/month (Essential, 10 captures) or $8.99/month (Essential Annual). Enterprise with eIDAS qualified timestamps: $28.99/month. 5 captures per month covers your core compliance pages.

Does ProofSnap work for UK GDPR and CCPA/CPRA compliance?

Yes. ProofSnap captures website evidence regardless of jurisdiction. For UK GDPR (Data Protection Act 2018), it proves compliance with ICO requirements. For CCPA/CPRA (California), it proves opt-out mechanisms, Global Privacy Control signals, and privacy policy disclosures were in place. The same evidence package works for any privacy regulation that requires you to demonstrate what your website showed on a specific date.

What does the ProofSnap evidence package contain?

Up to 15 files in a ZIP: full-page screenshot (JPEG), capture video recording (WebM), evidence PDF, provenance certificate with 8 integrity checks, full HTML source code, DOM text content, metadata (JSON with URL, timestamp, TLS info, cookies), forensic log, chain of custody, manifest with SHA-256 hashes, digital signature (RSA-4096) + public key, blockchain timestamp (OpenTimestamps), and eIDAS qualified timestamp (RFC 3161, Enterprise/Company plans). Every file is cryptographically linked to the manifest.

How often should I capture my website for GDPR compliance?

At minimum: monthly captures of your cookie banner, privacy policy, and consent journey. Additional captures after every change to these pages. This creates an unbroken compliance archive. During a GDPR audit, you present 12 months of timestamped evidence proving what your website showed on any given date. 5 captures per month (Company plan) covers most organisations.

Can noyb or a DPA investigate my cookie banner?

Yes. noyb (Max Schrems' organisation) has filed more than 700 formal GDPR complaints against non-compliant cookie banners across multiple waves since 2021 — starting with 560 draft complaints in May 2021 that led to 422 formal filings, followed by 226 complaints targeting OneTrust-powered banners and further waves. Data protection authorities like CNIL, the Belgian DPA, and Sweden's IMY have actively investigated cookie banner compliance. If you receive a complaint, you need to prove what your cookie banner looked like at the time of the alleged violation, not what it looks like today.

What are the biggest GDPR cookie consent fines?

CNIL (France) has issued over EUR 935M in cookie-specific fines: Google EUR 325M (2025, Gmail ads without consent), Google EUR 150M (2022, no equal refuse button), SHEIN EUR 150M (2025, cookies before consent), Meta EUR 60M (2022, no refuse button), Microsoft EUR 60M (2022, 2-click refuse), Criteo EUR 40M (2023, no consent verification), Apple EUR 8M (2022), TikTok EUR 5M (2022, no reject on first layer), American Express EUR 1.5M (2025, cookies despite refusal).

Is an eIDAS qualified timestamp better than a blockchain timestamp for GDPR compliance?

An eIDAS qualified timestamp enjoys a legal presumption of accuracy under Art. 41(2) of the eIDAS Regulation, recognised in all 27 EU member states. A blockchain timestamp provides strong cryptographic proof but no legal presumption. For GDPR compliance within the EU, eIDAS qualified timestamps carry the highest evidential weight. ProofSnap offers both: blockchain timestamps from Professional ($16.99/month) and eIDAS qualified timestamps from Enterprise ($28.99/month).

How do I demonstrate GDPR compliance to a regulator?

When a DPA investigates, they look for: records of processing activities (Art. 30), documented consent mechanisms and consent logs, DPIAs, evidence of regular compliance audits, privacy policy adequacy, and technical measures documentation. ProofSnap adds the missing layer: independent, timestamped proof of what your website actually showed. Your CMS shows the current version. ProofSnap proves the historical version. Under Art. 83(2), the degree of accountability measures implemented directly affects the fine calculation.

What is GDPR Article 28 processor monitoring?

GDPR Article 28(1) requires data controllers to use only processors that provide sufficient guarantees to implement appropriate technical and organisational measures. This is an ongoing obligation — you must verify, not just trust. Article 28(2) requires processors to obtain prior written authorisation before engaging sub-processors. In practice, this means you need evidence of what each processor's DPA, privacy policy, and sub-processor list stated on the date of your engagement and at regular intervals thereafter. ProofSnap automates this with monthly timestamped captures.

Can a data processor use a sub-processor without consent?

No. Under GDPR Article 28(2), a processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of sub-processors, giving the controller the opportunity to object. If a processor silently adds a sub-processor, you need timestamped evidence of the old and new versions of their sub-processor list to demonstrate the change.

How do I know if I need to comply with GDPR?

GDPR applies to any organisation that processes personal data of individuals in the EU/EEA, regardless of where the organisation is located (Art. 3 territorial scope). US, UK, Canadian, and Australian companies are subject to GDPR if they offer goods or services to individuals in the EU or monitor their behaviour within the Union. Physical presence in the EU matters, not citizenship. If you have EU website visitors, collect data from users in the EU, or use analytics that track users within the Union, GDPR applies to you.

What happens if you are not GDPR compliant?

GDPR fines are tiered. For the most serious violations (Art. 83(5)), fines can reach up to EUR 20 million or 4% of annual global turnover, whichever is higher. For less serious violations (Art. 83(4)), the cap is EUR 10 million or 2% of annual global turnover. Over EUR 7.1 billion in fines have been issued since 2018, with approximately EUR 1.2 billion in 2025 alone. Beyond fines, non-compliance creates reputational damage, class action lawsuits, data subject complaints, and loss of business partnerships. Under Art. 83(2), the degree of accountability measures you implemented directly affects the fine amount.

What cookies require consent under GDPR?

Under the ePrivacy Directive and GDPR, all non-essential cookies require prior consent before being placed on a user's device. This includes: advertising cookies, analytics cookies (including Google Analytics), social media tracking cookies, marketing pixels, remarketing tags, and most third-party cookies. Only strictly necessary cookies (session management, shopping cart, security) can be placed without consent. The consent must be freely given, specific, informed, and unambiguous, with an equally easy way to refuse as to accept.

Does GDPR apply to US companies?

Yes, if a US company offers goods or services to individuals in the EU, monitors their behaviour within the Union, or processes their personal data — regardless of payment. GDPR Article 3(2) establishes extraterritorial scope based on the data subject's physical presence in the Union, not citizenship. Meta, Google, Amazon, TikTok and many other US companies have been fined billions under GDPR. For US companies, GDPR compliance typically runs in parallel with CCPA/CPRA compliance — both require documented accountability for data processing activities.

What is the EU Digital Omnibus?

The Digital Omnibus is a European Commission legislative package announced on 19 November 2025 that proposes amendments to GDPR, the AI Act, the Data Act, and ePrivacy rules. It is not yet law — it is a proposal moving through the EU legislative process. Key cookie-related proposals: integrating consent rules directly into GDPR, a single-click refusal requirement (as easy to reject as to accept), and machine-readable preference signals to combat consent fatigue.

What is the ICO cookie audit 2025?

In January 2025, the UK Information Commissioner's Office (ICO) launched a cookie compliance sweep of the top 1,000 UK websites. Under the Data (Use and Access) Act 2025, PECR penalties were increased 35-fold — from a maximum of GBP 500,000 to GBP 17.5 million or 4% of annual turnover, matching UK GDPR levels. The ICO is now actively enforcing cookie consent requirements on major UK websites.

What is a data processing agreement (DPA) under GDPR?

A Data Processing Agreement (DPA) is a legally binding contract required under GDPR Article 28(3) between a data controller and a data processor. It must specify: the subject matter and duration of processing, nature and purpose, type of personal data, categories of data subjects, and obligations and rights of the controller. It must also include processor obligations on confidentiality, security (Art. 32), sub-processor authorisation, assistance with data subject rights, breach notification, and audit cooperation. When vendors update their DPAs, you need timestamped evidence of both versions.

What is a Record of Processing Activities (RoPA)?

A Record of Processing Activities (RoPA) is a documented inventory required under GDPR Article 30 for most controllers and processors. It must list: the name and contact details of the controller/processor, purposes of processing, categories of data subjects and personal data, categories of recipients (including third countries), data transfers and safeguards, retention periods, and a general description of technical and organisational measures. During a DPA audit, your RoPA is the first document regulators request.

What is the GDPR 72-hour breach notification rule?

Under GDPR Article 33, a data controller must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, where feasible. Under Article 33(5), the controller must also document every breach — its facts, effects and remedial action — to enable the supervisory authority to verify compliance. ProofSnap captures the state of affected web pages and vendor notifications at the moment of discovery, creating a timestamped record that supports Article 33 documentation duties.

Do I need to do a DPIA?

A Data Protection Impact Assessment (DPIA) is required under GDPR Article 35 when processing is likely to result in a high risk to the rights and freedoms of natural persons. Mandatory triggers include: systematic and extensive profiling with significant effects; large-scale processing of special category data (health, biometric, political, religious); and systematic monitoring of public areas. Each supervisory authority publishes its own DPIA blacklist. When you rely on processors for any of these activities, your DPIA should reference evidence of the processor's stated security measures — captured and timestamped.

Does Google Analytics require GDPR cookie consent?

Yes. Google Analytics (including GA4) is not considered strictly necessary under the ePrivacy Directive and GDPR, and therefore requires prior consent before any tracking cookie or identifier is placed. Austrian, French, Italian, Danish and Finnish DPAs have issued decisions finding standard Google Analytics deployments non-compliant, particularly in light of the Schrems II judgment on EU-US transfers. The EU-US Data Privacy Framework (2023) has relaxed some of these concerns, but consent is still required before GA loads. Server-side analytics or consent-mode v2 with default denied is the current best practice.

How is a controller different from a processor under GDPR?

A controller (Art. 4(7) GDPR) determines the purposes and means of processing personal data. A processor (Art. 4(8)) processes personal data on behalf of the controller. The controller bears primary legal responsibility and must demonstrate compliance (Art. 5(2)). However, processors also have direct obligations under Art. 28 and can be fined independently. Examples: a SaaS company you engage is typically a processor; your cloud host is a processor; but a joint marketing campaign may make both parties joint controllers (Art. 26).

Is the Wayback Machine valid evidence for GDPR compliance?

With significant limitations. In Weinhoffer v. Davie Shoring (5th Cir. 2022, 23 F.4th 579), the US Court of Appeals ruled the Wayback Machine is not self-authenticating and not appropriate for judicial notice because 'a private internet archive falls short of being a source whose accuracy cannot reasonably be questioned.' The Internet Archive itself disclaims accuracy in its Terms of Use. Practical limits: it does not reliably capture JavaScript-rendered content, login-protected pages, or cookie banners; its crawl schedule is unpredictable; and images may be archived on different dates than HTML.

How long should I keep GDPR compliance evidence?

GDPR does not prescribe a fixed retention period for compliance evidence, but the practical answer is as long as the statute of limitations for enforcement runs. DPAs can investigate historical conduct for several years, and civil claims for data protection violations typically track national limitation periods (6 years in England and Wales, 3 years in Germany, 5 years in France). Most DPOs retain compliance evidence for at least 6 years, aligned with the longest EU statute of limitations.

How do I prove what a vendor or processor's website showed on a specific date?

GDPR Article 28 requires you to monitor your processors. Article 5(2) requires you to demonstrate compliance. But you don't control your vendors' CMS. ProofSnap captures any website with a cryptographic timestamp, creating forensic-grade proof of what a vendor's terms, processor's privacy policy, or client's cookie banner showed on any date. Over EUR 7.1 billion in GDPR fines have been issued since 2018. From $4.99/month.

GDPR Compliance Evidence — For What You Don’t Control

GDPR Compliance Evidence when your vendor changes their terms without telling you

You control your own CMS. You don’t control theirs. ProofSnap gives you the proof.

Your processor updated their privacy policy. Your SaaS vendor quietly changed their DPA. Your sub-processor added a new data transfer clause. A client’s cookie banner broke after your agency handed it over. You need proof of what their website showed before the change — but you have no access to their version history.

ProofSnap captures any website with a cryptographic timestamp — creating tamper-proof evidence of what a third party’s website showed on any date. The accountability layer for everything you don’t control.

Start monitoring — 7-day free trial See an evidence package (ZIP)

Also available for Microsoft Edge

7-day free trial, cancel anytime. From $4.99/month.

10 seconds per capture · Capture any website — yours or third-party · No IT department required

ProofSnap Chrome Extension — GDPR compliance evidence with timestamped website captures

Art. 28

processor monitoring required

Art. 5(2)

burden of proof is on you

10s

per capture

€7.1B+

GDPR fines since 2018

What is GDPR compliance evidence?

GDPR compliance evidence is tamper-proof documentation of what a website, privacy policy, cookie banner or data processing agreement showed on a specific date. Under GDPR Article 5(2) (accountability) and Article 28 (processor monitoring), data controllers must demonstrate compliance — including for third-party processors and sub-processors they cannot control. ProofSnap creates this evidence by capturing any web page with a cryptographic timestamp, SHA-256 hash, and chain of custody in 10 seconds.

You control your own website.
You don’t control theirs.

Your CMS has version history. Your CMP has consent logs. But when a vendor, processor, or client changes their website — you have no record of what it said before.

What you already have covered

For your own website, you have tools:

CMS version history (your privacy policy)
CMP consent logs (your cookie banner)
Git/deployment logs (your code changes)

What you have NO record of

For third-party websites, you have nothing:

Processor’s privacy policy — changed without notice
Vendor’s DPA / terms — quietly updated
Sub-processor list — new entity added silently
Client’s cookie banner — broke after you delivered it

ProofSnap fills the gap: evidence for what you don’t control

Capture any website

Open your processor’s privacy policy, vendor’s DPA, or client’s cookie banner. Click ProofSnap. 10 seconds — full-page screenshot, HTML source, metadata, forensic log, chain of custody, cryptographic timestamp.

Tamper-proof record

SHA-256 hash, RSA-4096 digital signature, blockchain timestamp (Professional) or eIDAS qualified timestamp with legal presumption (Enterprise). The third party cannot claim “we never said that.”

Monthly monitoring

5 captures/month covers your critical vendors. When something changes, you have proof of what it said before — and when it changed. Art. 28 processor monitoring, done.

What is the fine for GDPR cookie consent violations?

CNIL alone has issued over €935M in cookie-specific fines. GDPR penalties for the most serious violations (Art. 83(5)) reach up to €20M or 4% of annual global turnover, whichever is higher. UK PECR penalties now reach £17.5M under the Data (Use and Access) Act 2025.

€325M

Google (CNIL, Sep 2025)

Gmail ads inserted between emails without consent. Cookies placed during Google account creation without valid consent of millions of French users. Split €200M Google LLC + €125M Google Ireland.

€150M

SHEIN (CNIL, Sep 2025)

10 types of advertising cookies placed before consent. “Reject All” didn’t work. 12 million French visitors/month affected.

€150M

Google (CNIL, Jan 2022)

Accept = 1 click. Refuse = multiple screens. No equal “Refuse All” button on google.fr and youtube.com.

€60M

Meta/Facebook (CNIL, Jan 2022)

Same dark pattern as Google — accept was 1 click, refuse required navigating multiple pages on facebook.com.

€60M

Microsoft/Bing (CNIL, Dec 2022)

Accepting cookies = 1 click. Refusing = 2 clicks. Dark pattern in cookie consent on Bing search engine.

€40M

Criteo (CNIL, Jun 2023)

Failed to verify partner websites obtained valid consent before placing Criteo tracking cookies. 370M user identifiers across the EU.

Additional cookie fines: Apple €8M (2022) · TikTok €5M (2022, no reject button) · American Express €1.5M (2025, cookies despite refusal) · Condé Nast €750K (2025) · noyb has filed 700+ formal GDPR complaints across multiple waves against non-compliant cookie banners.

What changed in 2025–2026: the enforcement landscape just shifted

UK: £500K → £17.5M

PECR penalties jumped 35x

Under the Data (Use and Access) Act 2025, UK cookie consent penalties now match UK GDPR levels — up to £17.5M or 4% of global turnover. The ICO launched a cookie compliance sweep of the top 1,000 UK websites in January 2025.

EU: Digital Omnibus (proposal)

Cookie rules moving into GDPR

The EU Commission’s Digital Omnibus package (19 November 2025) proposes integrating cookie rules directly into GDPR, single-click refusal requirements and machine-readable preference signals. Moves through the EU legislative process during 2026.

Ireland: €530M TikTok

DPC doubled down in 2025

The Irish DPC fined TikTok €530M in May 2025 for transferring EEA user data to China (now under appeal — the Irish High Court stayed the decision in November 2025). CNIL’s average sanction grew sharply between 2024 and 2025. Cumulative GDPR fines now exceed €7.1B. DPAs are not slowing down.

Start monitoring — 7-day free trial

Who needs GDPR compliance evidence?

Four roles with one common problem: proving what a third party’s website showed on a specific date. Web agencies, DPOs, privacy lawyers, and anyone filing a DPA complaint.

Web Agencies & Developers

Your client gets fined: “You built our website. You set up the cookie banner. The DPA says it wasn’t compliant. This is your liability.” After handover, you lose access to their CMS. You can’t prove the banner was correctly configured when you delivered it — or that the client broke it afterwards.

With ProofSnap: capture every client website at deployment and after every cookie banner update. Timestamped proof that the consent mechanism was correctly configured when you delivered it. If the client breaks it later — that’s on them, and you have the evidence.

Handover proof Client liability shield Deployment evidence

DPOs & Compliance Officers

Your processor changed their terms: Art. 28 GDPR requires you to monitor processors. Your analytics provider quietly added a new sub-processor. Your cloud vendor updated their DPA to allow data transfers to a new jurisdiction. You received no notification — and now the DPA is asking about your oversight.

With ProofSnap: monthly captures of every processor’s privacy policy, DPA, and sub-processor list. When they change something, you have timestamped proof of what it said before — and when it changed. Art. 28 monitoring, done in 10 seconds per vendor.

Art. 28 processor monitoring Sub-processor tracking DPA versioning

Privacy Lawyers & Legal Departments

The vendor says “we never said that”: Your SaaS vendor promised GDPR-compliant data processing in their DPA. Now there’s a breach, and their current DPA has different terms. They claim the clause you relied on never existed. Without evidence, it’s your word against theirs.

With ProofSnap: forensic evidence package with chain of custody and cryptographic timestamp. Prove what their DPA stated on the date you relied on it. eIDAS qualified timestamp = legal presumption in 27 EU member states.

Vendor disputes eIDAS Art. 41(2) DPA evidence

Filing GDPR Complaints

You found a violation: A competitor’s cookie banner has no reject button. A website processes your data without consent. You want to file a complaint with the DPA — but by the time they investigate, the website will have changed. The violation will be gone.

With ProofSnap: capture the violation with a cryptographic timestamp before they fix it. Submit the evidence package with your DPA complaint. noyb’s model: capture first, complain second. More than 700 formal complaints filed across multiple waves.

DPA complaints Competitor violations Evidence before it disappears

“Our analytics processor changed their sub-processor list without notification. During the DPA inquiry, we showed 6 months of ProofSnap captures proving the original list and the exact date of the change. The DPA focused their investigation on the processor, not on us.”

DPO, fintech company — Typical scenario

“A client blamed us for their cookie banner fine. We pulled ProofSnap captures from the deployment date — the banner was correct. Then we showed captures from 3 months later — they had modified it themselves. Case closed.”

Web agency founder — Typical scenario

How to prove GDPR compliance in 5 steps

Under the GDPR Art. 5(2) accountability principle, you must demonstrate compliance — not just claim it. Here’s how to build an audit-ready evidence trail.

1

Identify your data processors and sub-processors

List every third party processing personal data on your behalf: cloud hosts, analytics, CRM, email providers, payment processors, marketing tools. Art. 28(1) GDPR requires you to use only processors providing sufficient guarantees.
2

Capture each processor’s privacy policy and DPA

Use ProofSnap to create a timestamped snapshot of each processor’s privacy policy, data processing agreement, and sub-processor list. This is your baseline evidence — what they promised on the date you engaged them.
3

Set up monthly monitoring captures

Repeat the captures monthly. When a processor silently changes their DPA or adds a sub-processor, you’ll have timestamped proof of both the old and new versions — exactly what Art. 28(2) sub-processor notification requires.
4

Document your own compliance artefacts

Capture your own cookie banner, privacy policy, and consent journey at deployment and after every change. For agencies: this is your handover proof. For DPOs: this complements your CMS version history with independent, cryptographically verified evidence.
5

Store evidence with chain of custody

Each ProofSnap capture includes a forensic log, SHA-256 hash, RSA-4096 digital signature, blockchain timestamp, and (on Enterprise) an eIDAS qualified timestamp with legal presumption in 27 EU member states. Store the ZIP packages in a secure archive. During a DPA audit, present 12–24 months of unbroken evidence.

Start step 1 — 7-day free trial

What is a GDPR processor monitoring checklist?

Under GDPR Article 28, data controllers must monitor processors and sub-processors. Capture these 5 pages per vendor every month — 10 seconds each — and you have 12 months of audit-ready Art. 28 compliance evidence.

Processor’s Privacy Policy

Their data handling practices, retention periods, legal basis

Vendor’s DPA / Terms

Data processing agreement, transfer clauses, SCC references

Sub-Processor List

Which entities process data on their behalf, jurisdictions

Client’s Cookie Banner

For agencies: post-handover monitoring

Competitor Violations

Non-compliant banners, dark patterns, missing policies

The legal foundation: why you must monitor

GDPR Art. 28(1)

“The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures.” You must verify — not just trust.

GDPR Art. 28(2)

The processor shall not engage another processor without prior specific or general written authorisation. Sub-processor changes require your awareness.

GDPR Art. 5(2)

“The controller shall be responsible for, and be able to demonstrate compliance.” The burden of proof is on you — including for processor oversight.

Monitor your processors for less than a coffee a month

5 captures per vendor, per month. Full forensic evidence package. 7-day free trial.

Essential

$4.99/month

or $49.99/year

10 captures/month

Full evidence package
SHA-256 hash + digital signature
Enough for 2 websites/month

7-day free trial

For: solo DPOs, freelancers, small websites

Professional

$16.99/month

or $169.99/year

200 captures/month + blockchain timestamps

Everything in Essential
Blockchain timestamp (OpenTimestamps)
200 captures = 40 websites/month

7-day free trial

For: agencies, multi-site compliance

Recommended for EU compliance

Enterprise

$28.99/month

or $280/year (20% savings)

Unlimited captures + eIDAS qualified timestamps

Everything in Professional
eIDAS qualified timestamp — legal presumption in 27 EU states
File certification — 50/month

Start monitoring — 7-day free trial

For: DPOs, legal departments, compliance teams

The alternatives cost 10–100x more

Pagefreezer $500+/mo

Enterprise web archiving. Multi-year contracts. Sales process required.

MirrorWeb (custom)

Banks and government only. Not published pricing. Requires implementation.

OneTrust $10K+/year

Enterprise CMP. Consent logs only — no website captures.

ProofSnap from $4.99/mo

Self-service. 10 seconds. Full evidence package with cryptographic timestamps.

Need team accounts? Company plan from $18.99/licence/month — centralised billing, admin dashboard, 2–10,000 licences.

Works for every major privacy regulation

One evidence package — GDPR, UK GDPR, CCPA, PIPEDA, Australian Privacy Act and more. Capture once, comply everywhere.

EU GDPR (27 member states)

€7.1B+ in cumulative fines. Art. 5(2) accountability, Art. 7 consent proof, Art. 24 controller responsibility, Art. 28 processor monitoring.

Top DPAs: Irish DPC (€4B+ total, TikTok €530M May 2025 — under appeal), CNIL (17,772 complaints/yr, €935M+ cookie fines), Spanish AEPD (932 fines)

UK GDPR / ICO

42,315 complaints in 2024/25. Average fine jumped from £150K to £2.8M. PECR penalties now £17.5M (35x increase). Data Protection Act 2018 + Data (Use and Access) Act 2025.

Notable: British Airways £20M, Marriott £18.4M, Capita £14M, Clearview AI £7.5M

USA: CCPA + 19 State Privacy Laws

20 states with active laws (CA CCPA, VA VCDPA, CO CPA, CT CTDPA, TX TDPSA). Up to $7,988/intentional violation (CA, 2025 inflation-adjusted). Texas TDPSA: up to $7,500/violation after 30-day cure. Must honour Global Privacy Control signals.

Notable: Meta’s $1.4B biometric settlement with Texas (2024), Google $1.375B Texas settlement (2025), Disney $2.75M CCPA settlement (largest to date), Tractor Supply $1.35M (largest CPPA administrative fine).

Australia (OAIC)

OAIC activity is increasing under the 2024 reform package. New statutory tort for serious privacy invasions. ADM (automated decision-making) disclosure requirements from December 2026. Shift from declarative to evidentiary compliance.

Privacy Act 1988 + Privacy and Other Legislation Amendment Act 2024. Max penalties for serious interferences: AUD 50M, 3x benefit obtained, or 30% of adjusted turnover during the breach period — whichever is highest.

Canada (PIPEDA)

1,200+ complaints/year to the Office of the Privacy Commissioner (OPC). PIPEDA remains in force after Bill C-27 lapsed when Parliament was prorogued in January 2025. Quebec’s Law 25 imposes stricter GDPR-style obligations with penalties up to CAD 25M or 4% of turnover; Alberta and BC PIPA add provincial layers.

Nordics & Netherlands

Dutch AP: €290M Uber fine (2024), 37,839 breach notifications, one of the most active EU regulators. Sweden IMY: reprimands for pre-selected cookie categories (April 2025). Denmark Datatilsynet: cookie enforcement priority for 2026.

How does ProofSnap capture GDPR compliance evidence?

No API, no IT department, no enterprise contract. Self-service Chrome extension. 10 seconds per capture. Full forensic evidence package.

Install ProofSnap

Add the Chrome extension. Start your 7-day free trial. No credit card for browsing — credit card required to start the trial.

Open your compliance page

Navigate to your cookie banner, privacy policy, consent preferences, or terms of service page.

Capture the evidence

Click ProofSnap. In 10 seconds: full-page screenshot, HTML, metadata, forensic log, chain of custody, SHA-256 hash, digital signature, and cryptographic timestamp.

Present during audit

12 months of timestamped captures. Unbroken compliance archive. The auditor has no further questions about accountability documentation.

Download a sample evidence package (ZIP)

Frequently Asked Questions

Official sources & legal framework

GDPR & Data Protection

Cookie Consent & Enforcement

US Privacy & eIDAS

Related ProofSnap landing pages

eIDAS Qualified Timestamps

EU legal presumption (Art. 41(2)) in 27 member states. Highest evidential weight for GDPR audits.

File Certification

Timestamp any file (DPA, policy, contract) with SHA-256 hash + blockchain. Complements website captures.

Recruitment Compliance (EU)

Archive job postings and recruitment pages for GDPR + anti-discrimination compliance.

Start monitoring vendors in 10 seconds

GDPR Art. 28 processor monitoring + Art. 5(2) accountability evidence — without waiting for IT, sales calls, or enterprise contracts. Capture any website with a cryptographic timestamp. From $4.99/month.

Start monitoring — 7-day free trial

From $4.99/month. eIDAS qualified timestamps from $28.99/month.

GDPR Compliance Evidence when your vendor changes their terms without telling you

What is GDPR compliance evidence?

You control your own website.You don’t control theirs.

What you already have covered

What you have NO record of

ProofSnap fills the gap: evidence for what you don’t control

What is the fine for GDPR cookie consent violations?

What changed in 2025–2026: the enforcement landscape just shifted

Who needs GDPR compliance evidence?

Web Agencies & Developers

DPOs & Compliance Officers

Privacy Lawyers & Legal Departments

Filing GDPR Complaints

How to prove GDPR compliance in 5 steps

Identify your data processors and sub-processors

Capture each processor’s privacy policy and DPA

Set up monthly monitoring captures

Document your own compliance artefacts

Store evidence with chain of custody

What is a GDPR processor monitoring checklist?

Processor’s Privacy Policy

Vendor’s DPA / Terms

Sub-Processor List

Client’s Cookie Banner

Competitor Violations

The legal foundation: why you must monitor

Monitor your processors for less than a coffee a month

Essential

Professional

Enterprise

The alternatives cost 10–100x more

Works for every major privacy regulation

EU GDPR (27 member states)

UK GDPR / ICO

USA: CCPA + 19 State Privacy Laws

Australia (OAIC)

Canada (PIPEDA)

Nordics & Netherlands

How does ProofSnap capture GDPR compliance evidence?

Install ProofSnap

Open your compliance page

Capture the evidence

Present during audit

Frequently Asked Questions

Official sources & legal framework

GDPR & Data Protection

Cookie Consent & Enforcement

US Privacy & eIDAS

Related ProofSnap landing pages

Further reading from the ProofSnap blog

Start monitoring vendors in 10 seconds

You control your own website.
You don’t control theirs.