Small Business Website Compliance Checklist 2026: 44 Checks Before Your Site Costs You


Most small business websites are built to look good, load fast, and bring in leads. Compliance gets treated like the paperwork drawer nobody wants to open. That is a mistake.

Your website collects names, emails, phone numbers, quote requests, appointment details, chat transcripts, analytics data, ad tracking data, payment information, and sometimes health, finance, employment, or location information. If that data is handled sloppily, the risk is not theoretical. The FTC says the Safeguards Rule requires covered businesses to develop, implement, and maintain an information security program to protect customer information. The FTC also says the CAN-SPAM Act sets rules for commercial email and gives recipients the right to make businesses stop emailing them. WebAIM’s 2026 Million report found 56,114,377 detectable accessibility errors across the top one million homepages, an average of 56.1 errors per page.

Use this checklist to find the weak spots before they get expensive.

The 2026 website compliance map

Think in three buckets:

  • Privacy and tracking: what you collect, why you collect it, who receives it, and whether visitors can opt out.
  • Accessibility and usability: whether people with disabilities can read, navigate, buy, book, and contact you.
  • Security and operations: whether customer information is protected, vendors are controlled, and problems get logged.

Part 1: Privacy policy and data collection checks

1) Inventory every place your website collects personal information

List contact forms, quote forms, newsletter boxes, checkout pages, booking tools, account logins, chat widgets, job applications, lead magnets, analytics tools, heatmaps, call tracking scripts, CRM forms, and ad pixels.

The FTC’s privacy and security guidance focuses on knowing what consumer information you have, keeping only what you need, protecting it, and disposing of what you no longer need. If you cannot list what your website collects, you cannot honestly explain it to customers.

2) Update the privacy policy so it matches the real site

A copied privacy policy is worse than a short honest one. If your site sends leads into HubSpot, runs Meta Pixel, records chat logs, uses Google Analytics, or embeds a scheduling tool, the policy should say so in plain English.

California’s privacy regulator explains that California consumers have rights to know, delete, correct, and opt out of certain uses of personal information under the CCPA. Even if your small business is below a law’s threshold, accurate disclosure builds trust and gives your team a cleaner standard.

3) Link the privacy policy from the footer, forms, checkout, and sign-up flows

Add the privacy policy to the footer, contact page, checkout flow, lead forms, and account sign-up areas. If users need to search for the policy, the policy is not doing its job.

The FTC’s mobile privacy guidance says disclosures should be clear and timely, especially when collecting sensitive information. That same plain-language principle applies to website forms.

4) Stop collecting data you do not need

If you only need a name, email, and project description to return a quote, do not require a home address, revenue range, birth date, or full customer file. Less data means less risk.

The FTC’s Start with Security guidance tells businesses not to collect personal information they do not need and not to hold information longer than they have a legitimate business need.

5) Add clear disclosures near sensitive forms

For normal contact forms, “We’ll use this information to respond to your request” may be enough. For appointment, finance, health, or employment forms, be more specific.

The FTC says the Health Breach Notification Rule applies to health apps and similar technologies not covered by HIPAA. If your website collects health-related information, do not treat it like a generic newsletter signup.

6) Set a data retention rule

Decide how long form submissions, chat transcripts, call recordings, analytics exports, abandoned-cart records, and uploaded files are kept. Then configure the tools to match.

The FTC’s data security guidance tells businesses to dispose of information they no longer need. A simple retention rule is better than years of forgotten leads sitting in five different tools.

Part 2: Scripts, cookies, and tracking checks

7) List every script running on the site

Open your tag manager, CMS plugins, theme settings, checkout scripts, chat widgets, ad accounts, analytics tools, and embedded code blocks. If nobody can explain why a script exists, remove it or pause it until someone can.

Google’s Tag Manager documentation explains that tags are snippets of code from Google or third parties. That convenience is useful, but it also makes forgotten tracking easy.

8) Classify scripts by purpose

Group scripts into necessary, analytics, advertising, personalization, chat, payments, and embedded media. This matters because visitors, regulators, and internal teams need to understand what happens before and after consent.

The UK’s ICO explains that consent is generally required for non-essential cookies and similar technologies. U.S. rules vary by state, but clear classification helps no matter where your visitors are.

9) Confirm whether cookie consent is required for your traffic and tracking setup

A local brochure site with no ad pixels may not need the same banner as an ecommerce brand running retargeting across states and countries. A site with analytics, remarketing, session recording, or cross-site ad tracking needs a closer look.

The IAPP reported that Indiana, Kentucky, and Rhode Island privacy laws come online as 2026 begins. MultiState’s 2026 tracker describes 20 state privacy laws in effect in 2026. If your website serves customers in multiple states, tracking rules are not a California-only issue.

10) Honor opt-out signals where required

If your site is covered by California privacy rules, Global Privacy Control needs a technical response, not just a sentence in a policy.

The California Attorney General announced a $1.2 million Sephora settlement in 2022 and said the company failed to process user requests to opt out of sale through Global Privacy Control. The California Privacy Protection Agency says businesses must provide methods for consumers to opt out of sale or sharing when the law applies.

11) Configure the banner so rejection actually blocks non-essential scripts

If your banner says users can reject advertising cookies, your site should not load those pixels first and ask later.

The ICO says consent for non-essential cookies must be obtained before cookies are set. Even when your business is U.S.-focused, the engineering principle is simple: the banner should control the scripts.
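One way to make the banner control the scripts, covering both the opt-out signal in item 10 and the blocking in item 11, as an added example that is not code from the original article: third-party tags are declared inert in the HTML (for instance `<script type="text/plain" data-category="advertising" src="..."></script>`) and only become live scripts once the visitor's stored choice allows that category. Treating Global Privacy Control as an opt-out of the advertising category is this example's assumption; which categories the signal covers is a policy decision for your site.

```javascript
// Added example, not from the original article: a minimal consent gate.
// The non-essential categories the article uses when classifying scripts (item 8).
const NON_ESSENTIAL = ['analytics', 'advertising', 'personalization', 'chat', 'payments', 'media'];

// Work out which categories may run. `consent` is the stored banner choice, e.g.
// {analytics: true, advertising: false}, or null if the visitor has not chosen yet, in which
// case only 'necessary' runs (consent is obtained before anything non-essential is set).
// `gpcEnabled` mirrors navigator.globalPrivacyControl; mapping it to 'advertising' is an assumption.
function allowedCategories(consent, gpcEnabled) {
  const allowed = new Set(['necessary']);
  if (consent) {
    for (const c of NON_ESSENTIAL) if (consent[c] === true) allowed.add(c);
  }
  if (gpcEnabled) allowed.delete('advertising');
  return allowed;
}

// Split the declared scripts into what may load now and what stays blocked.
// Each entry is {id, category}; an unknown category is never in the allow set, so it is blocked.
function planScripts(declared, consent, gpcEnabled) {
  const allowed = allowedCategories(consent, gpcEnabled);
  const load = [], block = [];
  for (const s of declared) (allowed.has(s.category) ? load : block).push(s.id);
  return { load, block };
}

// Browser side: swap the approved inert tags for real <script> elements. `doc` and `nav`
// are parameters so the decision logic above can be exercised outside a browser.
function activateScripts(doc, nav, consent) {
  const tags = Array.from(doc.querySelectorAll('script[type="text/plain"][data-category]'));
  const declared = tags.map((t, i) => ({ id: i, category: t.dataset.category }));
  const plan = planScripts(declared, consent, nav.globalPrivacyControl === true);
  for (const i of plan.load) {
    const live = doc.createElement('script');
    if (tags[i].src) live.src = tags[i].src; else live.textContent = tags[i].textContent;
    tags[i].replaceWith(live);
  }
  return plan;
}

// Constructed sample: three tags declared on a page.
const sampleScripts = [
  { id: 'ga4', category: 'analytics' },
  { id: 'meta-pixel', category: 'advertising' },
  { id: 'cart-session', category: 'necessary' },
];
```

In the browser you would call `activateScripts(document, navigator, storedChoice)` on page load and again after the banner is answered; until then only the necessary tag runs.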

12) Set analytics retention on purpose

Configure internal traffic filters, limit unnecessary user-level identifiers, and document what events are tracked.

Google Analytics 4 documentation explains data retention settings for user-level and event-level data. Do not accept old defaults nobody remembers.

Part 3: Accessibility checks

13) Test keyboard navigation on every core page

Unplug the mouse. Use Tab, Shift+Tab, Enter, Space, and Escape. You should be able to reach menus, forms, buttons, modals, chat widgets, checkout controls, and the main CTA.

W3C’s WCAG 2 overview describes WCAG as the standard for making web content more accessible to people with disabilities. Keyboard access is one of the first places broken websites show themselves.

14) Fix missing labels on forms

Every form field needs a real label, not just placeholder text. That includes search boxes, newsletter forms, quote forms, calendar widgets, and checkout fields.

WebAIM’s 2026 Million report lists missing form input labels among common detectable accessibility failures. A quote form that a screen reader cannot explain is not just a code issue. It is a lost lead.

15) Check color contrast before launch

Light gray text on white backgrounds looks clean in a design file and fails quickly on real phones, older monitors, and bright outdoor conditions.

WCAG 2.2 includes contrast requirements for text under Success Criterion 1.4.3. If your designer cannot show contrast values, the design is not ready for production.

16) Write useful alt text for meaningful images

Product photos, team photos, diagrams, before-and-after images, and service examples need useful alt text. Decorative images can be marked decorative.

W3C’s alt decision tree explains how to decide whether an image needs alternative text and what kind. Do not stuff keywords into alt text. Describe the useful information.

17) Make error messages specific

“Invalid input” does not help. “Enter a 10-digit phone number” does. Put error messages near the field and make sure they are announced to assistive technology.

WCAG 2.2 Success Criterion 3.3.1 requires input errors to be identified and described to users in text. This also improves conversion because people can finish the form.

18) Avoid accessibility overlays as your main fix

An overlay button is not a substitute for fixing the site. If the HTML, forms, contrast, keyboard access, and scripts are broken, a widget is not a cleanup crew.

The Overlay Fact Sheet, a statement signed by accessibility professionals, says overlays do not make websites accessible and can make access harder for assistive technology users. Use automated tools, but fix the source.

Part 4: Security and operations checks

Force HTTPS across every page, form, checkout step, login, and asset. Google Search Central says HTTPS helps prevent intruders from tampering with communications between websites and users’ browsers.

Turn on MFA for your CMS, hosting account, domain registrar, email provider, analytics account, CRM, tag manager, and payment processor. CISA says multi-factor authentication makes it harder for attackers to access accounts if they steal passwords.

Remove unused users, plugins, themes, apps, and integrations. WordPress.org’s hardening guide recommends keeping WordPress, themes, and plugins updated and removing unused themes and plugins. The same rule applies to Shopify apps, Webflow integrations, Wix apps, and custom portals.

Back up the site and test restore before you need it. CISA’s ransomware guidance recommends maintaining offline encrypted backups and regularly testing backups. Monitor forms too, not just uptime. Google’s Search Essentials says site owners should make sure Google can access important pages and resources. Customers need access too.

Limit who can publish code, tags, and tracking scripts. The FTC’s Start with Security guidance tells businesses to control access to data sensibly.

Part 5: Ecommerce, email, and lead form checks

Keep payment data inside trusted processors like Stripe, PayPal, Shopify Payments, Square, or another established payment tool instead of collecting card data directly. The PCI Security Standards Council says PCI DSS provides a baseline of technical and operational requirements designed to protect account data. If your checkout uses embedded fields, fraud tools, analytics, affiliate pixels, or chat widgets, review those scripts too. The Council’s PCI DSS v4.0.1 standard includes requirements for scripts on payment pages, including managing scripts loaded and executed in the consumer’s browser.

Make refund, cancellation, shipping, subscription, and auto-renewal terms easy to find before payment. The FTC’s negative option rule guidance focuses on clear disclosure and consent when sellers use recurring subscriptions or similar negative option features.

Do not treat a quote request as automatic permission to send weekly promotions forever. The FTC says CAN-SPAM requires commercial email to include a clear way to opt out and to honor opt-out requests promptly. Separate transactional follow-up from marketing consent in your CRM.

If users upload resumes, RFQs, photos, PDFs, drawings, medical documents, or insurance files, restrict file types, scan uploads, and keep files out of public directories. OWASP’s File Upload Cheat Sheet explains that unrestricted file uploads can create risks including malware, server-side execution, and public retrieval of sensitive files. If you use CAPTCHA, test it carefully. W3C’s inaccessibility of CAPTCHA note explains that traditional CAPTCHA can create barriers for people with disabilities.

Part 6: Claims, vendors, and maintenance checks

Compliance is not only privacy and security. It also includes the promises your website makes and the vendors your website depends on.

Remove fake urgency, fake scarcity, unsupported rankings, inflated savings claims, invented testimonials, and vague guarantees. The FTC says advertising claims must be truthful, not misleading, and substantiated. The FTC’s consumer review rule bans fake reviews and certain review manipulation practices.

Disclose affiliate, referral, and sponsored relationships near the recommendation. The FTC says endorsement disclosures should be clear, conspicuous, and hard to miss.

Assign an internal owner for compliance updates, keep a vendor list for tools that touch website data, and document changes to scripts, forms, privacy language, consent settings, and AI tools. The FTC’s Start with Security guidance says businesses should insist that service providers implement reasonable security measures. NIST’s AI Risk Management Framework says organizations should map, measure, manage, and govern AI risks.

Finally, scan for accessibility issues after major site changes, but do not rely on automated tools alone. WebAIM explains that WAVE can identify many accessibility and WCAG errors but human evaluation is still needed to determine true accessibility. W3C says WCAG 2.2 added 9 success criteria since WCAG 2.1, so your review process needs to keep moving too.

The 44-point website compliance checklist

Use this as a working QA sheet. Assign an owner and due date to each item.

  1. List every form, checkout, login, chat, tracking, and embedded tool that collects data.
  2. Match the privacy policy to the tools actually running on the site.
  3. Link the privacy policy from the footer, forms, checkout, and sign-up flows.
  4. Reduce required form fields to what the business truly needs.
  5. Add clear disclosures near sensitive forms.
  6. Set retention rules for leads, chat logs, uploads, recordings, and analytics data.
  7. List every script running through the CMS, tag manager, apps, and plugins.
  8. Classify scripts by necessary, analytics, advertising, personalization, chat, payment, or media.
  9. Confirm whether cookie consent is required for your traffic and tracking setup.
  10. Configure the banner so rejection actually blocks non-essential scripts where required.
  11. Honor opt-out preference signals where applicable.
  12. Document analytics events and data retention settings.
  13. Test keyboard navigation on core pages.
  14. Add real labels to every form field.
  15. Fix low-contrast text and buttons.
  16. Write useful alt text for meaningful images.
  17. Make form errors specific and visible.
  18. Fix source accessibility issues instead of relying on overlays.
  19. Force HTTPS across the site.
  20. Turn on MFA for admin accounts.
  21. Remove unused users, plugins, themes, apps, and integrations.
  22. Back up the site and test restore.
  23. Monitor uptime and test forms regularly.
  24. Limit who can publish code, tags, and tracking scripts.
  25. Keep payment data inside trusted payment processors.
  26. Review scripts that run on checkout pages.
  27. Make refund, shipping, cancellation, and subscription terms easy to find.
  28. Separate quote follow-up from marketing email consent.
  29. Protect file upload forms.
  30. Add spam protection that does not block real users.
  31. Remove fake urgency and fake scarcity.
  32. Save proof for numbers, awards, guarantees, and performance claims.
  33. Disclose affiliate, referral, and sponsored relationships.
  34. Use real testimonials with permission.
  35. Assign an internal owner for website compliance.
  36. Keep a vendor list for tools that touch website data.
  37. Review AI tools before sending them customer information.
  38. Keep a change log for scripts, forms, vendors, and policies.
  39. Run automated accessibility scans plus manual checks.
  40. Recheck compliance after redesigns and major plugin changes.
  41. Confirm email unsubscribe links work.
  42. Test mobile forms on real devices.
  43. Check that old staging, demo, and test pages are not public.
  44. Schedule a quarterly website compliance review.

What to fix first if the list feels too big

If you only have two hours, start with the risks most likely to hurt customers or block revenue:

  1. Forms and checkout: make sure they work, are secure, are accessible, and do not collect excess data.
  2. Privacy and tracking: make sure your policy, cookies, ad pixels, and analytics match reality.
  3. Admin access and backups: make sure the wrong person cannot break the site and the right person can restore it.

That will not make the site perfect. It will make the next step clearer.

Need help cleaning this up?

If your website has grown through years of plugins, quick fixes, landing pages, ad pixels, and vendor handoffs, compliance can feel messy fast. That is normal.

Your Web Team can review your site, identify the highest-risk issues, and turn the cleanup into a practical action plan instead of a scary legal project.

Get started here and we’ll help you make the site safer, clearer, and easier for customers to trust.

Richard Kastl

Founder & Lead Engineer

Richard Kastl has spent 14 years engineering websites that generate revenue. He combines expertise in web development, SEO, digital marketing, and conversion optimization to build sites that make the phone ring. His work has helped generate over $30M in pipeline for clients ranging from industrial manufacturers to SaaS companies.
