The 2026 Website Compliance Checklist You'll Actually Use
A compliance checklist so thorough your auditor might actually smile. Covers GDPR, CCPA, FINRA, SEC, and HIPAA — all in one place.
Why Another Checklist? Because the Rules Changed.
Compliance checklists are like gym memberships — everyone has one, nobody uses it, and the old one is probably outdated. But here's the thing: regulatory requirements for websites actually changed significantly in 2025-2026. The CPPA finalized new rulemaking. ESMA updated MiFID II guidance. FINRA increased examination focus on digital communications. If your checklist is from 2023, you're working with expired maps.
This checklist covers the five major regulatory frameworks that govern website content: GDPR, CCPA/CPRA, FINRA Rule 17a-4, SEC Rule 204-2, and HIPAA. Not every item applies to every business — a healthcare company doesn't need FINRA compliance, and a broker-dealer doesn't need HIPAA. Find your applicable regulations and work through those sections.
Fair warning: this is comprehensive. Bookmark it, share it with your compliance team, and work through it methodically. Your future self (the one sitting across from an auditor) will thank you.
Universal Requirements (Everyone Needs These)
Regardless of your industry or applicable regulations, every website needs these basics: a current privacy policy that accurately describes your data practices, a terms of service or terms of use page, proper SSL/TLS encryption (HTTPS — not HTTP), a contact mechanism for privacy inquiries, and an automated archiving system that captures your website with timestamps and integrity verification.
The archiving requirement isn't technically universal yet — not every regulation explicitly mandates website archiving. But every regulation requires you to produce evidence of what your website displayed during investigations. The practical effect is the same: if you can't produce records, you fail the audit.
Start with these five items. If you don't have all five, stop reading and fix them before moving to the regulation-specific sections. There's no point optimizing for FINRA if your site is still on HTTP.
GDPR Checklist
Privacy notice meets Article 13/14 requirements: legal basis for processing, data categories, retention periods, third-party recipients, data subject rights, DPO contact information, and right to lodge a complaint with a supervisory authority. Cookie consent banner complies with CJEU Planet49 — no pre-ticked boxes, reject option as prominent as accept, no cookie wall blocking access. 'Do Not Track' signals are respected or policy explicitly addresses them. Data Subject Access Request mechanism is accessible from the website. Privacy policy is available in the languages of your EU-based users. Cross-border transfer mechanisms (SCCs, adequacy decisions) are disclosed. Cookie consent records are maintained showing what visitors consented to and when.
Archiving requirement: capture your privacy policy, cookie banner, and consent mechanism daily. These are the pages DPAs examine most frequently during investigations. Keep archives indefinitely — GDPR's accountability principle has no expiry date.
CCPA/CPRA Checklist
Your privacy policy is updated at least annually and includes: categories of personal information collected, purposes of collection, categories of third parties with whom data is shared, consumer rights under CCPA/CPRA, and how to submit data requests. A 'Do Not Sell or Share My Personal Information' link is visible on every page (typically in the footer). A 'Limit the Use of My Sensitive Personal Information' link is present if you collect sensitive data. Your privacy policy discloses whether you sell or share personal information. Financial incentive programs (loyalty programs, discounts for data) are disclosed with their material terms.
The CPPA conducts enforcement sweeps targeting specific website requirements. They don't just check current compliance — they review historical compliance. Daily captures of your homepage, privacy policy, and footer (for the required links) are the minimum.
FINRA & SEC Checklist
BrokerCheck link is prominent on your website (FINRA Rule 2210). Form CRS is accessible from your homepage. Fee disclosures match your filed ADV/CRS. Performance claims include required disclosures. Testimonials and endorsements comply with the Marketing Rule (SEC 206(4)-1). No promissory statements or guarantees. Risk warnings are present for applicable products. All website content is treated as business communication and retained per Rule 17a-4 (6 years) or Rule 204-2 (5 years).
Archiving requirement: every page on the site is a business communication subject to the retention period above. Capture daily, store captures in WORM-compliant storage, and record a SHA-256 hash of each capture. Examiners will compare current website content against your archives during routine examinations.
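As an added illustration (not code from this page or from any archiving vendor), here is one way to keep the timestamped, hash-verified capture log that the universal requirements and the FINRA/SEC section call for: each daily capture is stored with its SHA-256 hash and chained to the previous log entry, so an examiner can check that neither the page content nor the capture log was altered after the fact. The URL, page bodies and dates are constructed samples.

```python
import hashlib
import json

# Constructed sample captures of one privacy-policy page on two consecutive days.
SAMPLE_URL = "https://example.com/privacy"  # placeholder, not a real site
CAPTURES = [
    (b"<h1>Privacy Policy</h1><p>Retention: 12 months</p>", "2026-01-05T00:00:00Z"),
    (b"<h1>Privacy Policy</h1><p>Retention: 24 months</p>", "2026-01-06T00:00:00Z"),
]
GENESIS = "0" * 64  # prev_entry_hash for the first log entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def append_capture(manifest: list, url: str, content: bytes, captured_at: str) -> dict:
    """Record one capture; the entry hash covers its metadata and the previous entry."""
    prev = manifest[-1]["entry_hash"] if manifest else GENESIS
    entry = {"url": url, "captured_at": captured_at,
             "content_sha256": sha256_hex(content), "prev_entry_hash": prev}
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    manifest.append(entry)
    return entry


def verify_manifest(manifest: list, blobs: dict) -> tuple:
    """Re-check the chain, each entry's metadata hash and each stored page body.
    blobs maps content_sha256 -> bytes. Returns (ok, reason)."""
    prev = GENESIS
    for i, entry in enumerate(manifest):
        if entry["prev_entry_hash"] != prev:
            return False, f"chain broken at entry {i}"
        fields = {k: v for k, v in entry.items() if k != "entry_hash"}
        if sha256_hex(json.dumps(fields, sort_keys=True).encode()) != entry["entry_hash"]:
            return False, f"entry {i} metadata altered"
        blob = blobs.get(entry["content_sha256"])
        if blob is None or sha256_hex(blob) != entry["content_sha256"]:
            return False, f"entry {i} content missing or altered"
        prev = entry["entry_hash"]
    return True, "ok"


def build_sample_archive() -> tuple:
    """Build a manifest and blob store from the constructed captures above."""
    manifest, blobs = [], {}
    for content, captured_at in CAPTURES:
        entry = append_capture(manifest, SAMPLE_URL, content, captured_at)
        blobs[entry["content_sha256"]] = content
    return manifest, blobs


if __name__ == "__main__":
    print(verify_manifest(*build_sample_archive()))
```

In production the manifest and blobs would live in the WORM store itself; the verification step is what you run (and keep the output of) before handing archives to an examiner.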
HIPAA Checklist
Notice of Privacy Practices is posted prominently on your website. NPP includes all required elements under 45 CFR §164.520. Patient rights are clearly described. Breach notification procedures are documented. Patient portal login pages use proper encryption. Online forms that collect PHI have appropriate security measures. Business associate agreements are in place for any third-party services handling PHI through your website (analytics, chatbots, scheduling tools).
Archiving requirement: retain every version of your NPP and patient-facing pages for 6 years from creation or last effective date. OCR investigators routinely request historical website content during breach investigations.
Ready to automate your website compliance?
Daily captures, SHA-256 hashing, PDF compliance certificates. Try the free snapshot — no account needed. Go Pro for $19/mo.