Free self-assessment
How compliant is your website, really?
25 yes/no questions across the four compliance pillars. Honest answers; nobody is grading you. At the end you get a score breakdown with the items that are most worth fixing first.
Accessibility
1. Does every meaningful image on your site have alt text?
Empty alt="" is fine for decorative images. Logos, charts, and illustrative images need descriptive alt.
2. Have you verified text-to-background contrast meets WCAG AA (4.5:1 for body, 3:1 for large)?
Most marketing-driven brand palettes fail on light grey body text or buttons over hero images.
3. Can a user complete every primary task using only a keyboard?
Try it: tab through your site without a mouse. If you can't reach the menu, the cart, or the form, you fail.
4. Does every form field have a visible label connected via <label> or aria-label?
Placeholder text alone is not a label — it disappears on input.
5. Does your site offer a "skip to main content" link for screen readers and keyboard users?
A 5-line addition that screen reader users will thank you for.
Cookies
1. Do you have a cookie consent banner that blocks non-essential cookies until the user opts in?
"Implied consent" is not legally sufficient under GDPR or ePrivacy.
2. Have you verified no analytics or marketing cookies fire BEFORE the user accepts?
If you load Google Analytics in <head> with no consent gate, you're failing this. Most sites do.
3. Does your banner allow granular opt-in (analytics vs marketing vs functional)?
A single "Accept all" + "Reject" toggle is not granular consent.
4. Are your cookies set to expire within 13 months?
Most DPAs treat 13 months as the de facto cap for tracking cookies.
5. Do you have a cookie policy page listing every cookie, its purpose, and lifetime?
Either a standalone /cookie-policy page or a clearly marked section in your privacy policy.
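The gating the cookie questions describe (no non-essential script before opt-in, granular categories, consent valid for at most 13 months) can be enforced client-side with a small loader. This is an added example, not code from the quiz or any vendor; the script URLs and the `site_consent` cookie name are placeholders.

```javascript
// Added example: a minimal consent gate for a static site. Third-party scripts are
// registered per category and injected only after the user has opted in to that
// category; the stored consent record is capped at 13 months.

const CATEGORIES = ["functional", "analytics", "marketing"];
const THIRTEEN_MONTHS_SECONDS = 13 * 30 * 24 * 60 * 60; // cap the quiz mentions

// Registry of non-essential scripts, each tagged with the consent category it needs.
// Placeholder URLs (assumed), substitute your real vendor tags.
const SCRIPT_REGISTRY = [
  { category: "analytics", src: "https://analytics.example/tag.js" },
  { category: "marketing", src: "https://ads.example/pixel.js" },
  { category: "functional", src: "https://chat.example/widget.js" },
];

// Build a consent record from the banner's granular choices. Unknown categories are
// ignored and anything not explicitly true is refused: there is no implied consent.
function buildConsent(choices, now = Date.now()) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = choices[c] === true;
  return { granted, issuedAt: now };
}

// Scripts that may be loaded under this record. A missing or expired record allows
// nothing, which is the safe default before the user has decided or must be re-asked.
function allowedScripts(consent, registry = SCRIPT_REGISTRY, now = Date.now()) {
  if (!consent || typeof consent.issuedAt !== "number") return [];
  const ageSeconds = (now - consent.issuedAt) / 1000;
  if (ageSeconds > THIRTEEN_MONTHS_SECONDS) return []; // stale consent, ask again
  return registry.filter((s) => consent.granted[s.category] === true);
}

// Serialise the record into a first-party cookie whose lifetime is capped at 13 months.
function consentCookieString(consent) {
  const value = encodeURIComponent(JSON.stringify(consent));
  return `site_consent=${value}; Max-Age=${THIRTEEN_MONTHS_SECONDS}; Path=/; SameSite=Lax; Secure`;
}

// Browser-only: persist the record and inject the permitted scripts. Guarded so the
// pure functions above can also be exercised outside a browser. Returns the count injected.
function applyConsent(consent) {
  const scripts = allowedScripts(consent);
  if (typeof document === "undefined") return scripts.length;
  document.cookie = consentCookieString(consent);
  for (const s of scripts) {
    const el = document.createElement("script");
    el.src = s.src;
    el.async = true;
    document.head.appendChild(el);
  }
  return scripts.length;
}
```

Call `applyConsent(buildConsent(choices))` from the banner's save handler and never reference the vendor tags anywhere else in the page, so nothing fires ahead of the opt-in.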
Trackers
1. Do you have a current inventory of every third-party script your site loads?
Tag managers hide a lot. If you can't list them off the top of your head, you don't have an inventory.
2. Do you have a Data Processing Agreement (DPA) with every third-party script you load?
Required under GDPR Article 28 for any vendor processing personal data on your behalf.
3. Have you verified none of your vendors perform browser fingerprinting?
Some session-replay and bot-detection vendors fingerprint by default. Disclosure is required.
4. For EU traffic, are all data transfers covered by adequacy decisions or SCCs?
US-based analytics and ad-tech still need a transfer mechanism, even after the Data Privacy Framework.
5. If you use session replay, do you mask sensitive form fields?
Hotjar, FullStory, and Clarity all support masking. Relying on the default, which leaves inputs unmasked, is not safe.
Privacy policy
1. Do you have a privacy policy linked from every page (typically the footer)?
A privacy policy on /privacy that you can only reach from the homepage is not sufficient.
2. Was your privacy policy reviewed in the last 12 months?
A 2019 policy citing the GDPR by name is a red flag for a regulator.
3. For California users, do you offer a "Do Not Sell or Share My Personal Information" link?
Required for any business meeting CCPA thresholds, regardless of whether you "sell" data.
4. Do you have a documented process for responding to data subject requests within 30 days?
GDPR Article 12. Even if you've never received one, you need the process.
5. Does your privacy policy disclose all sub-processors (vendors that touch user data)?
Either by name or by category, provided the categories are granular.
General compliance
1. Do you have a designated person responsible for privacy (DPO or equivalent)?
Not always legally required, but a regulator will ask who their point of contact is.
2. Do you have a documented data breach response plan?
72-hour notification clock under GDPR. You don't want to write the plan during the incident.
3. Has your team had privacy or accessibility training in the last 12 months?
Even a 1-hour Loom counts. The point is awareness across product, eng, and design.
4. Do you re-evaluate your major vendors at least annually for privacy and security posture?
SOC 2, GDPR Art. 28 compliance, breach history. A vendor that was clean two years ago may not be now.
5. Do you have any budget line for compliance work in the next 12 months?
A team with no budget cannot fix anything an audit surfaces.
A note about this quiz
This is a self-assessment: your answers are not verified, and the score is not a legal assessment. The point is to give you a quick, structured overview of where you should focus. For a real check against the live site, run an actual scan.