
A Client Asks: “Is My Website Compliant?” Here’s What to Do


Donata Stroink-Skillrud

Co-founder and President of Termageddon


It’s a question most web designers and agencies hear sooner or later:

“Is my website compliant?”

From your client’s point of view, it probably looks like a simple, straightforward question. One that deserves a simple, straightforward answer. Unfortunately, most web design agency owners know the truth: compliance is complicated.

“Compliance” can refer to many different things, from accessibility standards to cybersecurity practices to privacy laws. And unless you’re also a practicing attorney on the weekends for kicks and giggles, it’s not your role to certify that a website meets legal requirements.

But don’t leave yet, thinking the answer to the question is “Not my problem, so…”

As a web professional, you are often in the best position to identify common compliance issues, clean up unnecessary data collection, and guide your client towards the solution that is right for them. Plus, if a client of yours does get in legal trouble for their website, guess who they will be calling first?

So here are some practical steps you can follow when your client asks whether their website is compliant.

Step 1: Start with a disclaimer

Before diving into anything else, clarify your role.

Explain to the client that you are not an attorney and cannot certify or guarantee legal compliance. This protects both you and the client by setting realistic expectations from the start.

Check your contract with the client to ensure it doesn’t contain verbiage such as “we certify that the website will be compliant with all applicable laws.” If your current contract template has language like this, remove it to protect your agency. You may also want to have the client sign a Website Policies Waiver so that all of this is in writing.

Instead, position yourself as someone who can help review the website for common privacy and data collection practices and recommend improvements.

If they ultimately want a legal determination of compliance, they should consult an attorney.

Step 2: Ask what “compliance” means to them

When someone asks if their website is compliant, start by figuring out what they’re actually referring to.

Compliance can mean many different things, such as:

  • Accessibility compliance (for example, WCAG standards)
  • Security compliance
  • Privacy compliance
  • Industry-specific regulations

Clarifying this helps you determine whether the question falls within your scope or whether the client should speak to another professional. If they’re asking about privacy compliance, that’s where a website review can be helpful.

Step 3: Offer a website privacy review

Consider offering a 1–2 hour website privacy review as a paid service.

This isn’t a legal compliance audit. Instead, it’s a general review of common privacy issues that many websites have. Charging for your time also positions the service as a professional offering rather than a quick favor.

During the review, you can walk through several key areas of the website together:

Forms – review every form on the website (the list below covers the common ones) and determine together whether each one is actively being used. Any form that isn’t should be removed from the website to limit unnecessary data collection.

  • Contact us form 
  • Registration form
  • Newsletter subscription form
  • Job application form
  • Booking/scheduling form
  • Support ticket form

Tracking/analytics – review all tracking and analytics tools on the website and make sure they’re actively being used. For example, if a Meta Pixel is still on the website from a digital ad campaign that’s no longer running, it should be removed. Don’t rely on the page source alone: tags loaded through a tag manager only appear at runtime, so also check the tag manager’s container configuration and the browser’s Network tab while the site loads.

  • Google Analytics (or other analytics tools)
  • LinkedIn Pixel
  • Meta Pixel
  • Reddit Pixel
  • Third-party plugins that track users

Privacy-friendly alternatives – Are there any features on the website that are necessary, but could be replaced by a more privacy-friendly option? Example: if the website uses reCAPTCHA, it could be replaced with Friendly Captcha.

  • YouTube video embeds (alternative: self-host videos the client owns)
  • Google Maps embeds (alternative: a static image of the map that links out to the map)
  • Google Fonts (alternative: store fonts locally)
  • Google Analytics, where analytics are genuinely needed (alternative: Fathom Analytics)
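The inventory in the two lists above (tracking tools, and embeds that have privacy-friendly replacements) is easy to do by hand on a five-page brochure site and tedious on a fifty-page one. The following is an added example, not code from the original article or from Termageddon: a small standard-library Python script that scans saved HTML for known third-party script sources, pixels, iframes, font stylesheets and inline loader snippets, and groups what it finds per vendor so it can go straight into the client’s to-do list. The vendor table (`KNOWN_ENDPOINTS`, `INLINE_SIGNATURES`) is an assumed starter list, and `SAMPLE_HTML` is a constructed page with placeholder IDs; extend the table for the tools your clients actually use.

```python
# Added example (not the article's or Termageddon's code): a static inventory of
# third-party trackers and embeds in saved HTML, using only the standard library.
# The vendor table and the sample page below are assumptions/constructed data;
# extend the table for the tools your clients actually use.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# (host suffix, path prefix, vendor, category): assumed starter list, not exhaustive
KNOWN_ENDPOINTS = [
    ("googletagmanager.com", "", "Google Analytics / Tag Manager", "analytics"),
    ("connect.facebook.net", "", "Meta Pixel", "advertising"),
    ("facebook.com", "/tr", "Meta Pixel", "advertising"),
    ("snap.licdn.com", "", "LinkedIn Insight Tag", "advertising"),
    ("redditstatic.com", "", "Reddit Pixel", "advertising"),
    ("fonts.googleapis.com", "", "Google Fonts", "embed"),
    ("youtube.com", "/embed", "YouTube embed", "embed"),
    ("google.com", "/maps/embed", "Google Maps embed", "embed"),
    ("google.com", "/recaptcha", "reCAPTCHA", "embed"),
]
# Signatures for pixel snippets pasted inline into <script> blocks
INLINE_SIGNATURES = [
    (re.compile(r"\bfbq\(\s*['\"]init['\"]"), "Meta Pixel", "advertising"),
    (re.compile(r"\bgtag\(\s*['\"]config['\"]"), "Google Analytics / Tag Manager", "analytics"),
    (re.compile(r"_linkedin_partner_id"), "LinkedIn Insight Tag", "advertising"),
]
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")

def classify_url(url):
    """(vendor, category) for a known third-party URL, else None. Relative/first-party URLs never match."""
    if url.startswith("//"):                      # protocol-relative src="//host/path"
        url = "https:" + url
    parsed = urlparse(url)
    host = parsed.hostname or ""
    for suffix, path_prefix, vendor, category in KNOWN_ENDPOINTS:
        if (host == suffix or host.endswith("." + suffix)) and parsed.path.startswith(path_prefix):
            return vendor, category
    return None

class TrackerScanner(HTMLParser):
    """Records evidence from script/iframe/img src, link href and inline <script> text."""
    def __init__(self):
        super().__init__()
        self.findings = []      # dicts with keys vendor, category, evidence
        self._script = None     # text buffer while inside a <script> element

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._script = []
        url = attrs.get("href") if tag == "link" else attrs.get("src") if tag in ("script", "iframe", "img") else None
        hit = classify_url(url) if url else None
        if hit:
            self.findings.append({"vendor": hit[0], "category": hit[1], "evidence": f"<{tag}> loading {url}"})

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            text, self._script = "".join(self._script), None
            # Loader snippets embed the vendor URL as a string; init calls identify the pixel
            hits = [(classify_url(u), f"inline <script> referencing {u}") for u in URL_RE.findall(text)]
            hits += [((v, c), f"inline <script> matching /{p.pattern}/") for p, v, c in INLINE_SIGNATURES if p.search(text)]
            self.findings += [{"vendor": h[0], "category": h[1], "evidence": e} for h, e in hits if h]

def scan_html(html):
    """Parse a page and return every finding in document order."""
    scanner = TrackerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

def vendor_summary(findings):
    """Collapse findings to {vendor: {"category": ..., "evidence": [...]}} for the client's to-do list."""
    summary = {}
    for f in findings:
        summary.setdefault(f["vendor"], {"category": f["category"], "evidence": []})["evidence"].append(f["evidence"])
    return summary

# Constructed sample page with placeholder IDs: GA4, Meta Pixel, reCAPTCHA, Google Fonts,
# YouTube and Maps embeds, plus first-party assets that must not be flagged.
SAMPLE_HTML = """<!doctype html><html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','G-EXAMPLE');</script>
<script>!function(f,b,e,v,n,t,s){/* loader */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');fbq('init','000000000000000');fbq('track','PageView');</script>
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
<script src="/assets/site.js"></script>
</head><body>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView"></noscript>
<iframe src="https://www.youtube.com/embed/EXAMPLEID"></iframe>
<iframe src="https://www.google.com/maps/embed?pb=EXAMPLE"></iframe>
<img src="/img/logo.png"></body></html>"""

if __name__ == "__main__":
    for vendor, info in vendor_summary(scan_html(SAMPLE_HTML)).items():
        print(f"{info['category']:<12}{vendor}: {len(info['evidence'])} reference(s)")
```

Run it against HTML you have saved from each page of the client’s site (for example with `curl -o page.html`) and the per-vendor summary becomes the “remove unused tracking tools” and “switch to privacy-friendly alternatives” lines of the to-do list. Two caveats a reviewer should keep in mind: the scan is static, so anything a tag manager or another script injects at runtime is invisible to it and has to be confirmed in the browser’s Network tab, and a vendor that appears here is only evidence that the tool is installed, not that it is still wanted; that is the conversation to have with the client.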

Policy check – Check the website’s policies and ask the following questions:

  • How did you obtain this policy?
  • When was it last updated? 
  • Are the business practices and information listed still accurate?
  • Would you like to use an auto-updating solution (Termageddon) so that your policies are all generated correctly and are auto-updated as laws change?

Consent check – Look to see if the website has a cookie consent banner. If it does, make sure it does the following:

  • Has both an “accept” and a “deny” option given equal prominence (same color and size)
  • Blocks non-essential cookies by default
  • Lists all the cookies used by the website
  • Actually works: non-essential cookies and tracking scripts are not set until the visitor accepts. Verify this rather than trusting the banner’s settings page: open the site in a fresh private browsing window, leave the banner unanswered, and check the browser’s developer tools (the cookie list under Application/Storage and the Network tab) for analytics or advertising cookies and requests. If they are already there, the banner is decorative.

Check data retention – Check how long the business retains personal data collected through the website. If the information is retained indefinitely, data retention periods could be set up so that certain information (e.g. form submissions, backups) is automatically deleted after a defined period of time.

Step 4: Bring legal questions back to website features

Clients may ask about specific laws or regulations during the review. Try to avoid answering questions like: “Does my website need to comply with GDPR?”

This could be seen as legal advice. Instead, steer the conversation to the specific website features they are concerned about, such as: “Are you worried about tracking features in particular? You currently have Meta Pixel and Google Analytics installed on your website.”

Step 5: Create a to-do list

After the review, compile a list of the changes that you discussed with your client and that your client would like you to make. This might include tasks such as:

  • Removing unnecessary forms
  • Reducing the amount of data collected
  • Removing unused tracking tools
  • Switching to privacy-friendly alternatives
  • Implementing updated policies
  • Installing or configuring a consent banner

Provide the client with a clear to-do list and an estimate for the work involved. Once the client approves your list you can move forward with making the requested updates. Treat this like any other development task and track your time accordingly.

Step 6: Summarize changes

After you make the changes, send the client the list of changes that you have made and have the client review the website to make sure that everything is the way that they would like it to be. If they would like you to make any additional adjustments, make sure to charge for your time.

Step 7: Repeat after me… “NOT. LEGAL. ADVICE.”

Remind the client that you are not an attorney and therefore cannot certify or say that the website is now compliant. If they do want someone to certify that the website is compliant, recommend that they speak to an attorney.

If they can’t afford an attorney, they should use a tool like Termageddon. While Termageddon also can’t provide legal advice, our Privacy Policy Generator takes the time to find out what laws apply to a specific business, generates policies that contain the disclosures required by those laws, and automatically keeps policies up to date as new laws go into effect.

Voila, you’ve turned compliance questions into a valuable service

When handled properly, the question “Is my website compliant?” can become more than an uneasy conversation.

You don’t have to be an attorney to provide real value for your website clients. You just need a clear process, the right tools, and the willingness to help clients make smarter decisions about their websites.

About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.
