Website Compliance Checklist for Small Business: 2026 Privacy, Accessibility & Security Basics

Most small business websites aren’t trying to break rules. They just grew one plugin, one form, one tracking pixel, and one newsletter signup at a time.

That is how compliance gaps happen.

A contact form collects names and emails. Google Analytics watches visitor behavior. A Meta pixel retargets people after they leave. A checkout page hands payment data to Stripe or Shopify. A testimonial says a customer got results, but nobody saved the permission record. None of those things feel risky on their own. Together, they create a website that needs basic privacy, accessibility, security, advertising, and email controls.

This checklist is built for business owners, web designers, marketers, and developers who need a practical audit, not a law school lecture. It is not legal advice. It is the working checklist I would want before launching or rebuilding a revenue-producing website.

Quick Website Compliance Checklist for 2026

Use this first pass before you get into the details:

Area | Minimum website check | Primary source
Privacy | Explain what personal information you collect, why you collect it, who gets it, and how people can contact you | FTC privacy and security guidance
California privacy | Check whether your business meets CCPA thresholds and whether you need notices, request handling, and opt-out links | California Attorney General CCPA page
EU and UK visitors | Do not treat EU or UK cookie consent as a generic banner if you use analytics or advertising cookies | GDPR.eu cookie guidance
Google tags | Pass EEA user consent choices to Google if you measure behavior with Google tags | Google Tag Manager consent update
Accessibility | Audit against WCAG 2.2 for modern accessibility coverage, or WCAG 2.1 AA where a rule or contract requires it | W3C WCAG overview
Public sector work | Know that the DOJ’s Title II web rule uses WCAG 2.1 Level AA for state and local government web content | ADA.gov web rule fact sheet
Security | Map how personal information enters, moves through, and leaves the business before choosing controls | FTC personal information guide
Ecommerce | Confirm whether PCI DSS v4.x requirements apply to your checkout and payment scripts | PCI Security Standards Council
Email | Make commercial email headers, subject lines, opt-outs, and physical address details CAN-SPAM compliant | FTC CAN-SPAM guide
Reviews | Disclose material connections and avoid deceptive review practices | FTC endorsements and reviews guidance
Images | Confirm image licenses, permissions, and usage rights before publishing | U.S. Copyright Office fair use FAQ

1. Privacy Policy: Say What You Actually Collect

A privacy policy should describe the real data flows on your site, not copy whatever a template generator spit out three years ago.

The FTC says businesses should understand how personal information moves into, through, and out of the company because that map is what lets you assess security and privacy risk. For a normal small business website, that may include contact forms, quote requests, newsletter signups, chat tools, call tracking, analytics, CRM integrations, appointment scheduling, embedded maps, retargeting pixels, and payment processors.

Your privacy policy should answer six plain-English questions:

  1. What information do you collect directly, such as names, emails, phone numbers, quote details, uploaded files, or billing data?
  2. What information do you collect automatically, such as IP addresses, device data, analytics events, cookie IDs, or advertising identifiers?
  3. Why do you collect it, such as answering inquiries, processing orders, measuring performance, preventing fraud, or sending marketing?
  4. Who receives it, such as hosting providers, analytics tools, email platforms, CRMs, payment processors, ad platforms, or fulfillment partners?
  5. How can someone contact you about privacy questions or requests?
  6. How do you update the policy when tools or business practices change?

If your site serves California residents, do a CCPA threshold check. The California Privacy Protection Agency says the CCPA applies to for-profit businesses doing business in California that meet stated thresholds, including a gross annual revenue threshold of $26.625 million or more effective January 1, 2025. The California Attorney General also says covered businesses have responsibilities that include responding to consumer requests and giving consumers notices explaining privacy practices.

For smaller local businesses, the CCPA may not apply. That does not mean privacy can be ignored. The FTC’s privacy and security guidance still expects companies to avoid misleading privacy statements, protect customer data, and align public promises with actual practices.

2. Cookie Consent: Match the Banner to What Actually Fires

Cookie compliance depends on who visits your site, what cookies you set, and what those cookies do.

If you serve visitors in the European Union or United Kingdom, analytics and advertising cookies need special attention. GDPR.eu explains that cookies can qualify as personal data when they are used to identify users, which means they can fall under GDPR requirements. That matters for common business tools like Google Analytics, Meta Pixel, LinkedIn Insight Tag, Hotjar, Microsoft Clarity, and remarketing tags.

Google adds another operational wrinkle. Google says that if a user from the EEA uses your website or app and you measure user behavior with Google tags, you need to pass end-user consent choices to Google. Google also says publishers serving personalized ads in the EEA and UK have needed a certified CMP integrated with the TCF since January 16, 2024, with Switzerland added on July 31, 2024.

A working consent setup should block non-essential analytics and advertising tags until consent is handled where that legal standard applies. It should also let users change choices later. A banner that says “we use cookies” while every tracking script fires immediately may be worse than useless because it creates the appearance of control without real control.

For U.S.-only local service businesses, the right setup may be simpler. Still, document your cookies, update your privacy policy, and avoid claiming you do not track users if you are running third-party analytics, retargeting pixels, or session recording.
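One way to wire the consent setup described above, as an added example that is not part of the original post and not code from Your Web Team: a small JavaScript consent layer for Google Consent Mode v2 that starts with every signal denied, records the visitor's choice with a timestamp and policy version (the consent log entry the audit cadence table asks you to check), replays a valid stored choice on the next page load, and only loads gated third-party scripts once the matching signal is granted. The storage key, the policy version string, and the shape of the tag list are assumptions; gtag.js is assumed to load after this script so the default push is already in the dataLayer.

```javascript
const POLICY_VERSION = "2026-01"; // assumption: bump whenever the cookie policy changes
const STORAGE_KEY = "site_consent"; // assumption: any localStorage key name works

// Consent Mode v2 signals. Every signal starts "denied"; "granted" only ever
// comes from an explicit visitor choice.
const CONSENT_TYPES = ["analytics_storage", "ad_storage", "ad_user_data", "ad_personalization"];

// gtag() must push the arguments object itself (not an array) for gtag.js to read it.
// Outside a browser (as in a test run) the dataLayer is a plain local array.
const dataLayer = typeof window !== "undefined" ? (window.dataLayer = window.dataLayer || []) : [];
function gtag() { dataLayer.push(arguments); }

// Translate the two banner toggles into Consent Mode signals.
function consentState({ analytics = false, advertising = false } = {}) {
  return {
    analytics_storage: analytics ? "granted" : "denied",
    ad_storage: advertising ? "granted" : "denied",
    ad_user_data: advertising ? "granted" : "denied",
    ad_personalization: advertising ? "granted" : "denied",
  };
}

// In-memory stand-in for window.localStorage so the module runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => { m.set(k, String(v)); } };
}

// Read a stored decision; ignore it if it was given under an older policy version.
function storedConsent(storage) {
  try {
    const rec = JSON.parse(storage.getItem(STORAGE_KEY));
    return rec && rec.version === POLICY_VERSION ? rec : null;
  } catch (e) { return null; }
}

// Call before gtag("config", ...): push the denied defaults, then replay a valid
// stored choice. Returns that record, or null when the banner must be shown.
function initConsent(storage) {
  const defaults = Object.fromEntries(CONSENT_TYPES.map((t) => [t, "denied"]));
  gtag("consent", "default", { ...defaults, wait_for_update: 500 });
  const rec = storedConsent(storage);
  if (rec) gtag("consent", "update", rec.state);
  return rec;
}

// Record a choice (accept, reject, or a later change), persist it with a timestamp
// as the consent log entry, and push the update. `now` is injectable for tests.
function applyConsent(choices, storage, now = () => new Date().toISOString()) {
  const rec = { version: POLICY_VERSION, at: now(), state: consentState(choices) };
  storage.setItem(STORAGE_KEY, JSON.stringify(rec));
  gtag("consent", "update", rec.state);
  return rec;
}

// Scripts that must not load until their gating signal is granted (assumed list
// shape: { src, gate }). With no recorded choice, nothing gated loads.
function allowedTags(state, tags) {
  return tags.filter((t) => state && state[t.gate] === "granted").map((t) => t.src);
}

// Inject only the allowed scripts; a no-op outside a browser.
function loadGatedScripts(state, tags) {
  const srcs = allowedTags(state, tags);
  if (typeof document !== "undefined") {
    for (const src of srcs) {
      const s = document.createElement("script");
      s.async = true;
      s.src = src;
      document.head.appendChild(s);
    }
  }
  return srcs;
}
```

On the page, call `initConsent(window.localStorage)` first; if it returns null, show the banner, otherwise call `loadGatedScripts(record.state, GATED_TAGS)`. The banner's accept, reject, and settings buttons call `applyConsent(...)` followed by `loadGatedScripts`, and a "change cookie settings" link in the footer reopens the same banner so the choice can be withdrawn. Gating the script tags themselves, not only pushing the signal, is the stronger of the two: with the signal alone a Google tag still loads and sends cookieless pings while denied, whereas a gated pixel or session-recording script is never fetched.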

3. Accessibility: Build for People, Not Just Lawsuits

Accessibility is not only about avoiding complaints. It is about making sure real people can read, navigate, submit forms, book calls, buy products, and request quotes.

The W3C says WCAG 2.2 defines how to make web content more accessible to people with disabilities, including visual, auditory, physical, speech, cognitive, language, learning, and neurological disabilities. The W3C also says WCAG 2.2 adds nine success criteria compared with WCAG 2.1, with improvements for visual, physical, and cognitive accessibility.

For small business websites, the most common accessibility issues are not exotic. They are basic failures: low color contrast, missing alt text, unlabeled form fields, buttons that cannot be reached by keyboard, vague link text, popups that trap focus, videos without captions, headings used for styling instead of structure, and error messages that screen readers cannot identify.

If your website serves government work, education, healthcare, public agencies, or contractors, pay extra attention. The DOJ’s ADA Title II web rule says state and local government web content and mobile apps must meet WCAG 2.1 Level AA, and ADA.gov gives the example that a county web page must meet WCAG 2.1 Level AA even if a local web design company built and updates it.

Private business obligations can vary by facts, jurisdiction, and industry. The safer practical standard is simple: design and test toward WCAG AA, keep an accessibility remediation log, fix critical barriers first, and make sure your team can explain how new pages stay accessible after launch.

4. Website Security: Protect the Forms, Logins, and Admin Access

A brochure website still handles risk if it collects form submissions, logs analytics identifiers, stores customer messages, embeds third-party scripts, or has a CMS login.

The FTC’s personal information guide says you should understand how personal information flows through the business before choosing protections. NIST’s small business cybersecurity materials help small and midsized businesses start using the Cybersecurity Framework 2.0, especially those with little or no cybersecurity plan in place.

Start with boring controls. They work.

Website security control | Why it matters
HTTPS on every page | Encrypts logins, form submissions, and sessions in transit so they cannot be read or altered on the way; Google also announced HTTPS as a search ranking signal and described it as part of making the web safer
MFA for CMS, hosting, DNS, email, and payment accounts | A stolen password should not be enough to change your site or capture customer inquiries
Least-privilege admin access | Designers, freelancers, and past employees should not keep permanent full admin accounts
Plugin and dependency updates | Old website software is one of the easiest attack paths on CMS-driven sites
Backups tested by restore, not just created | A backup that has never been restored is a guess, not a recovery plan
Form spam and file upload controls | Public forms can be abused for spam, malware delivery, or CRM pollution
Security headers and script control | Modern sites load third-party scripts that can affect privacy, performance, and checkout safety

If your site uses WordPress, security is not only a hosting problem. The business still owns plugin choices, admin access, update discipline, form handling, and backup verification. If your site is built on Shopify, Webflow, Squarespace, or another managed platform, your platform reduces some infrastructure risk, but it does not remove risks created by third-party apps, weak passwords, exposed DNS accounts, bad privacy statements, or poorly managed collaborators.
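The "security headers and script control" row deserves a concrete check. The following is an added example, not code from the original page or from Your Web Team: it audits a captured set of response headers for HSTS, a Content-Security-Policy whose script-src actually restricts which hosts may run script, clickjacking protection, nosniff, and a Referrer-Policy, and it cross-checks every script host named in the CSP against the vendor list your privacy policy discloses. The two header samples and the approved host list are constructed for illustration; the approved list is an assumption you replace with your own documented vendors.

```javascript
const ONE_YEAR = 31536000; // seconds; the usual minimum for Strict-Transport-Security

// Parse a CSP header into { directive: [sources...] }.
function parseCsp(value) {
  const out = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

// Reduce a CSP host source (scheme, host, optional path) to the bare host so it
// can be compared with the vendor list.
function hostOf(source) {
  return source.replace(/^[a-z]+:\/\//i, "").split("/")[0].toLowerCase();
}

// Return a list of findings for one response's headers. Header names are matched
// case-insensitively; `approvedScriptHosts` is the documented third-party list.
function auditSecurityHeaders(headers, approvedScriptHosts) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const approved = new Set(approvedScriptHosts.map((x) => x.toLowerCase()));
  const findings = [];

  // HSTS: present and at least a year, so browsers stop trying plain HTTP.
  const hsts = h["strict-transport-security"];
  if (!hsts) findings.push("missing Strict-Transport-Security");
  else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < ONE_YEAR) findings.push("HSTS max-age below one year");
  }

  // CSP script-src is the allowlist that decides which third-party scripts can run.
  const csp = h["content-security-policy"];
  if (!csp) findings.push("missing Content-Security-Policy");
  else {
    const d = parseCsp(csp);
    const scriptSrc = d["script-src"] || d["default-src"];
    if (!scriptSrc) findings.push("CSP has no script-src or default-src");
    else {
      for (const src of scriptSrc) {
        const s = src.toLowerCase();
        if (s === "'unsafe-inline'" || s === "'unsafe-eval'") findings.push(`script-src allows ${s}`);
        else if (s === "*" || s === "https:" || s === "http:") findings.push(`script-src allows any host (${s})`);
        else if (s.startsWith("'")) continue; // 'self', 'nonce-...', 'sha256-...', 'strict-dynamic'
        else if (s.startsWith("http://")) findings.push(`script-src allows plaintext host ${s}`);
        else if (!approved.has(hostOf(s))) findings.push(`script host not on documented vendor list: ${hostOf(s)}`);
      }
    }
    if (!d["frame-ancestors"] && !h["x-frame-options"]) findings.push("no frame-ancestors or X-Frame-Options (clickjacking)");
  }

  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") findings.push("missing X-Content-Type-Options: nosniff");
  // Referrer-Policy keeps full URLs (which can carry quote or order details in the
  // query string) from being sent to every third party a page links or loads.
  if (!h["referrer-policy"]) findings.push("missing Referrer-Policy");
  return findings;
}

// Constructed samples: a typical "we have a banner" site versus a tightened configuration.
const WEAK_HEADERS = {
  "Content-Type": "text/html",
  "Content-Security-Policy": "script-src 'self' 'unsafe-inline' https: https://cdn.example-analytics.net",
};
const HARDENED_HEADERS = {
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
  "Content-Security-Policy": "default-src 'self'; script-src 'self' https://www.googletagmanager.com https://js.stripe.com; frame-ancestors 'none'",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
};
// Assumption: the vendors your privacy policy already names.
const APPROVED_SCRIPT_HOSTS = ["www.googletagmanager.com", "js.stripe.com"];
```

Feed it the headers from `curl -sI https://your-site/` or from your CDN's configuration. The weak sample fails seven ways, including a `https:` source that lets any HTTPS host run script, which makes the rest of the allowlist meaningless. A host flagged as "not on documented vendor list" is either an undisclosed vendor that belongs in the privacy policy or a leftover tag that belongs in the plugin cleanup.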

5. Ecommerce and Payment Compliance: Know Where Card Data Touches Your Site

If your website accepts payments, PCI scope matters.

The PCI Security Standards Council says the future-dated requirements in PCI DSS v4.x became mandatory on March 31, 2025. The Council’s podcast on ecommerce requirements says PCI DSS v4.0 added 64 new requirements, 51 of which were future-dated until that March 31, 2025 deadline.

Many small businesses use hosted checkout tools, such as Stripe Checkout, PayPal, Square, Shopify Payments, or embedded payment components. Those tools can reduce what your own server touches, but they do not make checkout compliance automatic. You still need to know whether payment scripts load on your pages, whether third-party apps can affect checkout, who can edit theme code, and whether your payment provider requires an annual questionnaire or specific security steps.

For ecommerce sites, add these checks before launch: confirm the payment flow, document who can edit checkout-related code, remove unused apps, verify HTTPS, keep admin access tight, test order notifications, and make sure refund, shipping, subscription, tax, and terms pages match what customers actually experience.

6. Email Marketing: CAN-SPAM Still Applies

Email compliance gets messy because websites feed lists. A newsletter form, gated download, abandoned cart flow, quote follow-up, review request, or CRM sequence can all become part of the email system.

The FTC says that if an email message contains only commercial content, its primary purpose is commercial and it must comply with CAN-SPAM. The FTC’s CAN-SPAM guide lays out requirements including accurate header information, non-deceptive subject lines, a clear opt-out method, prompt opt-out handling, and a valid physical postal address.

Do not hide the unsubscribe link. Do not use misleading subject lines. Do not keep emailing people who opted out because they are “good prospects.” If sales and marketing use different platforms, make sure opt-outs sync or at least get checked before campaigns go out.

Transactional messages, such as order receipts, appointment confirmations, or password resets, are treated differently than commercial messages under the FTC’s primary-purpose framework. The practical rule is to keep transactional emails focused on the transaction. If you turn a receipt into a promotional blast, you create avoidable risk.

7. Reviews, Testimonials, and Case Studies: Keep Proof Clean

Reviews and testimonials are conversion assets, but they need clean handling.

The FTC says its Endorsement Guides were revised in 2023 to keep pace with advertising through social media and reviews. The FTC also provides business guidance on endorsements, influencers, and reviews, including how companies should think about consumer reviews and testimonials.

If a customer gave you a testimonial, keep permission records. If the review came from Google, Yelp, Clutch, or another platform, follow that platform’s reuse rules. If you paid, discounted, gifted, or otherwise incentivized a review, disclose the connection clearly. If results are unusual, do not present them as typical without context.

This matters even for service businesses. A web agency showing a “300% more leads” case study should be able to show what period was measured, what counted as a lead, what else changed, and whether the client approved the claim. A contractor using before-and-after photos should have permission to use the images. A consultant quoting private Slack messages should get written approval before publishing them.

8. Advertising Claims, Pricing, and Industry-Specific Promises

Your website is advertising. That means claims need support.

The FTC says online advertising rules protect consumers and help maintain the credibility of the internet as a marketing medium. It also says businesses making “Made in USA” claims should know the FTC’s Made in USA Labeling Rule and Enforcement Policy Statement on U.S. origin claims.

That same principle applies beyond origin claims. If your site says “guaranteed results,” “HIPAA compliant,” “bank-level security,” “certified experts,” “lowest price,” “eco-friendly,” “AI-powered,” or “trusted by 10,000 businesses,” keep proof in a folder before the page goes live.

Pricing pages deserve the same discipline. If a plan starts at $99 but required setup, usage fees, minimum terms, or cancellation limits change the real cost, spell that out where buyers can see it. If a promotion expires, remove it. If a calculator estimates savings, explain the assumptions behind the math.

9. Images, Fonts, and Content Rights: Do Not Publish Mystery Assets

A lot of website risk comes from creative assets that nobody can trace.

The U.S. Copyright Office says responsibility for making an independent legal assessment and securing necessary permissions rests with the person who wants to use the item. That applies to images, icons, videos, fonts, diagrams, screenshots, PDFs, and copied text.

Build a simple asset record. For every paid stock photo, keep the license. For every client-supplied image, keep the approval. For every font, confirm the web license. For every screenshot, avoid exposing private customer data or internal systems. For every AI-generated image, confirm your generator’s commercial-use terms and avoid using recognizable people, brands, or copyrighted characters in a way that creates new risk.

This is not busywork. When a copyright demand letter arrives two years later, “the old designer found it somewhere” is not a useful defense.

10. Launch and Quarterly Audit Process

Website compliance is not a one-time checkbox. New plugins, new campaigns, new landing pages, new pixels, new laws, and new team members can change the risk profile.

Here is a simple cadence that works for most small businesses:

Timing | What to check
Before launch | Privacy policy, cookie behavior, accessibility basics, forms, checkout, terms, email signup language, tracking tags, image licenses, admin access
30 days after launch | Analytics accuracy, form delivery, broken pages, consent logs, unsubscribe flow, accessibility issues reported by users, plugin/app cleanup
Quarterly | Privacy policy updates, cookie scan, admin user audit, backup restore test, dependency updates, testimonial permissions, pricing claims, security settings
Before major campaigns | Landing page claims, tracking pixels, form disclosures, email consent, ad platform policy requirements, promotion terms
After tool changes | Vendor list, privacy policy, data flows, cookie banner, tag firing rules, user permissions

If you work with clients, this checklist also protects the relationship. A designer can build the site, but the business owner often controls the claims, tools, customer data, legal decisions, and follow-up systems. Put responsibilities in writing before launch.

What to Fix First

If your site has dozens of gaps, start with the highest-risk items:

  1. Forms collecting personal information with no accurate privacy policy.
  2. Advertising or analytics cookies firing before consent where consent is required.
  3. Checkout pages with unclear payment scope, weak admin access, or unreviewed third-party scripts.
  4. Critical accessibility blockers that stop users from navigating, reading, submitting forms, or buying.
  5. Email campaigns without working unsubscribe handling.
  6. Testimonials, case studies, or claims with no permission or proof.
  7. Old CMS accounts, unused plugins, missing MFA, or untested backups.

A clean compliance program does not need to be fancy. It needs to be honest, documented, and maintained.

Need a Website Compliance Cleanup?

If your website is collecting leads, taking payments, running ads, or supporting sales, it should not be held together by outdated policies and mystery plugins.

Your Web Team can audit the site, clean up the technical gaps, document the handoffs, and rebuild the pieces that are creating risk or killing conversions. Start here: /get-started/.

Richard Kastl

Founder & Lead Engineer

Richard Kastl has spent 14 years engineering websites that generate revenue. He combines expertise in web development, SEO, digital marketing, and conversion optimization to build sites that make the phone ring. His work has helped generate over $30M in pipeline for clients ranging from industrial manufacturers to SaaS companies.
