Reconvio
Back to blog
Compliance 4 min read

The 2026 website compliance checklist: GDPR, cookies & the European Accessibility Act

Security isn't the only thing that gets you fined. Here's what actually applies to your website if you sell to EU customers — and what a scan can and can't tell you about it.

Marek Křivan · July 18, 2026
The 2026 website compliance checklist: GDPR, cookies & the European Accessibility Act

Most website owners worry about getting hacked. Far fewer worry about the letter from a regulator — and yet compliance is the risk that arrives quietly, without an attacker, and still ends in a fine. The rules feel vague until the day they don't.

The good news: the essentials are concrete and checkable. This is the plain-language checklist for what a modern website has to get right — GDPR, cookies, accessibility and consumer-law basics — plus an honest note on what an automated scan can verify and what still needs a human.

One caveat up front: I'm a security specialist, not a lawyer, and nothing here is legal advice. Use it to find the obvious gaps, then have a lawyer confirm the specifics for your business.

Who this applies to (spoiler: probably you)

A common myth is that EU rules only bind EU companies. They don't. GDPR and EU consumer law reach any business that offers goods or services to people in the EU — wherever the business itself is based. If EU customers can buy from you or you track EU visitors, you're in scope. "We're a US company" is not a defence.

1. GDPR: the basics your website must get right

  • A real privacy policy, easy to find, that says what data you collect, why, on what legal basis, and who you share it with. A generic template with the placeholders still in it doesn't count.
  • A lawful basis for each kind of processing — consent, contract, legitimate interest. Analytics and marketing almost always need consent.
  • Data minimisation. Don't collect what you don't need. Every extra field is extra liability.
  • A way to reach you about data, and a route for people to exercise their rights (access, deletion).

You can see how we handle ours on the Reconvio privacy policy — leading by example is the point.

2. Cookies and consent (where most sites fail)

This is the single most common compliance gap I see, and AI-built sites almost always get it wrong.

The rule is straightforward: analytics and marketing scripts must not load until the visitor has said yes. Google Analytics, the Meta Pixel and friends firing on page load, before any choice, is the classic violation.

A compliant cookie banner:

  • Loads non-essential trackers only after explicit consent — not before.
  • Makes "reject" as easy as "accept" — no pre-ticked boxes, no reject button buried three clicks deep.
  • Lets people change or withdraw consent later.

Getting the banner to appear is easy. Getting it to actually gate the scripts is where sites fail — the banner shows, and the trackers fire anyway. Our own cookie notice shows the shape of it.

3. The European Accessibility Act

Since 28 June 2025, accessibility is not a nice-to-have — it's law for most businesses selling to EU consumers. Unlabelled buttons, missing alt text, poor colour contrast and a page a screen reader can't navigate are now compliance problems as well as usability ones.

I wrote a dedicated piece on what the European Accessibility Act actually requires — who's covered, what's in scope, and what a scan can and can't tell you. If you sell to EU consumers, read that one next.

4. Consumer-law disclosures for online stores

If you sell online, EU distance-selling rules expect a few things to be visibly present:

  • Business identification — who you are and a registered address, so customers know who they're buying from.
  • Clear terms of sale.
  • The 14-day right of withdrawal — the cooling-off period for distance purchases — stated plainly.
  • Out-of-court dispute resolution (ODR) information.

The exact wording and which rules bite depend on your country and what you sell — that's the part to confirm with a lawyer. But the presence of these elements is easy to check, and their absence is a red flag.

What a scan can — and can't — tell you

Here's where I'll be straight with you, because plenty of tools won't be.

An automated scan is very good at the objective, technical signals: is a tracker firing before consent? Is there a cookie banner at all? Is there a privacy policy, a terms link, an accessibility statement? Does the page have the accessibility basics — alt text, labels, contrast, a set language? These are real, measurable, and worth catching — most sites fail several.

What a scan cannot do is judge whether your privacy policy is legally sufficient, whether your lawful basis is correct, or whether your terms hold up in your jurisdiction. That's a lawyer's job. Anyone selling you a tool that promises "full legal compliance" from a URL scan is overselling.

So treat a scan as the smoke detector: it tells you fast and cheaply where to look. It doesn't replace the fire inspection.

Check your compliance signals in 30 seconds

Reconvio checks the technical compliance signals on this page — cookie-consent behaviour, GDPR markers, accessibility basics and the consumer-law disclosures — alongside its security and SEO checks, and explains each in plain language. It's free and needs no signup.

It won't make you a lawyer. It will make sure you're not failing the obvious, checkable things — which is where most sites are actually exposed.


Compliance and security are two sides of the same coin: both are about the gap between what you think your site is doing and what it's actually doing to every visitor. If you came here from the build-it-fast world, pair this with the security checklist for AI-built sites — together they cover the two ways a site quietly gets you in trouble.

See what your site exposes

Run a free audit and get concrete issues in half a minute — no signup.

Check my website