Here are some things mentioned in our talk "Data protection for websites made simple" at FSCONS in Gothenburg, Sweden, on November 8 2015.
See also "Why data protection?" and "Recent reports" on the page about our earlier DrupalCamp Baltics talk.
Use HTTPS, always. Standard certificates are now < 10 EUR/year. Let's Encrypt will soon make them free.
Turn on HSTS (HTTP Strict Transport Security) after first making sure that everything works fine.
Note that HTTPS doesn't offer perfect privacy - it might still be possible to determine what page you're looking at through traffic analysis. But it's a whole lot better than using HTTP.
Use Qualys' SSL Server Test to check your setup.
rel="noreferrer" can be used on links to avoid leaking referrer information. Supported by Firefox since version 33 and by WebKit (Chrome, Safari) since November 2009, as well as by Microsoft Edge in Windows 10.
However, a far better option is Referrer Policy, which lets you apply one policy to all links, as well as to other requests generated by a page (e.g. external CSS, JS, images), in one fell swoop. Add this to your page head:
<meta name="referrer" content="never">
Still a W3C draft, but it is supported by the latest Firefox, Chrome and Safari, as well as Microsoft Edge. (no-referrer is the preferred keyword, but Edge only supports the legacy never keyword last time we checked.)
Google Analytics alternative: Piwik
Piwik is a free (GPLv3) analytics platform. PHP + MySQL.
Self-host Google Fonts - use one of the following to get fonts in all formats with proper CSS:
Social media buttons
Official like/share buttons let others track your visitors. Use locally hosted images/fonts, like Font Awesome.
If you need to show the number of shares, use a two-click solution (the user needs to click to activate it) - such as Social Share Privacy - or let your server fetch the data periodically. The same goes for e.g. embedded Tweets.
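An added example (not from the talk or from any project it mentions): a small Python audit that lists the third-party hosts a page loads without any click, and the external links that would still send a referrer, following the advice above. The sample HTML and the host social.example are constructed, and www.example.com stands in for your own site.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

AUTO_LOAD = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
STRICT = {"never", "no-referrer"}  # legacy and preferred keywords

class PrivacyAudit(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.policy = None        # content of <meta name="referrer">, if any
        self.third_party = []     # (tag, host) fetched without any click
        self.external_links = []  # (href, has rel=noreferrer)

    def _foreign(self, url):
        host = urlparse(url or "").hostname  # None for relative URLs
        return host if host and host != self.own_host else None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        if tag == "meta" and (a.get("name") or "").lower() == "referrer":
            self.policy = (a.get("content") or "").strip().lower()
        elif tag == "a" and self._foreign(a.get("href")):
            self.external_links.append((a["href"], "noreferrer" in rel))
        elif tag in AUTO_LOAD and (tag != "link" or "stylesheet" in rel):
            host = self._foreign(a.get(AUTO_LOAD[tag]))
            if host:
                self.third_party.append((tag, host))

def audit(html, own_host):
    p = PrivacyAudit(own_host)
    p.feed(html)
    covered = p.policy in STRICT
    leaking = [href for href, ok in p.external_links if not (ok or covered)]
    # A referrer policy does not stop the request itself: third-party hosts
    # still see each visitor's IP address, so they are reported regardless.
    return {"policy": p.policy, "third_party": p.third_party, "leaking_links": leaking}

# Constructed sample page; social.example is a made-up widget host.
SAMPLE = """<html><head>
<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Lato">
<link rel="stylesheet" href="/css/site.css">
</head><body>
<script src="https://social.example/sdk.js"></script>
<img src="/img/share.png">
<a href="https://example.org/report" rel="noreferrer">report</a>
<a href="https://example.net/other">other</a>
<a href="/about">about</a>
</body></html>"""

if __name__ == "__main__":
    print(audit(SAMPLE, "www.example.com"))
```

Adding the referrer meta tag clears the leaking links, but the third-party list stays until those resources are self-hosted.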
If you don't want to use the built-in comment system of your CMS (or if it has none), you can run self-hosted Disqus-like software: