17 requirements across technical, documentation, process, and cookie categories. Check each one off — or use PrivacyAudit to automate the process.
Your site must have an accessible privacy policy explaining what data you collect, why, and how it's used.
Visitors must be able to accept or reject non-essential cookies before they are set.
All pages must be served over HTTPS to protect data in transit.
Every form that collects personal data (email signups, contact, checkout) must inform users what you'll do with their data.
Users who receive marketing communications must be able to unsubscribe easily.
You must document every type of personal data you collect, its source, how it's used, and how long you retain it.
Each data processing activity must have a documented legal basis: consent, contract, legitimate interest, legal obligation, vital interests, or public task.
Any third-party service that processes personal data on your behalf (email tools, hosting, analytics) must have a Data Processing Agreement (DPA) with you.
You must specify how long you keep personal data and have a process to delete it when no longer needed.
If you send personal data outside the UK/EU (e.g. using US-based SaaS tools), you need appropriate safeguards in place.
You must have a way for individuals to request access to, correction of, or deletion of their personal data — and respond within 30 days.
Where you rely on consent as your legal basis, you must be able to prove that consent was given, when, and for what purpose.
You must have a documented plan for detecting, containing, and reporting data breaches. Breaches affecting individual rights must be reported to the ICO/supervisory authority within 72 hours.
New products and features that involve personal data should consider privacy implications from the outset, not as an afterthought.
Your cookie notice must clearly distinguish between essential cookies (no consent needed) and non-essential cookies (analytics, marketing — require consent).
Google Analytics, Meta Pixel, and similar tools must not set cookies or collect data before the user has actively consented.
A detailed cookie policy (can be part of your privacy policy) must list every cookie, its purpose, and its expiry.
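As an added illustration (not part of the checklist above or of the PrivacyAudit product), the following DOM-free JavaScript check takes the cookies observed on a page together with the consent state recorded at that moment and reports any non-essential cookie that was set without consent, which is the condition the three cookie items describe. The essential cookie names are constructed assumptions; `_ga`/`_gid` (Google Analytics) and `_fbp` (Meta Pixel) are well-known prefixes, and anything unrecognised is reported so it can be documented in the cookie policy.

```javascript
// Added example: audit cookies present before (or after) consent.
// Essential names below are assumptions for illustration; the
// prefixes are the well-known Google Analytics / Meta Pixel ones.
const ESSENTIAL = new Set(['session_id', 'csrf_token', 'cookie_consent']);
const NON_ESSENTIAL_PREFIXES = [
  { prefix: '_ga',  category: 'analytics' },  // Google Analytics (_ga, _ga_*, _gat)
  { prefix: '_gid', category: 'analytics' },
  { prefix: '_fbp', category: 'marketing' },  // Meta Pixel
  { prefix: '_gcl', category: 'marketing' },  // Google Ads click identifier
];

// Parse a document.cookie / Cookie header string into a name -> value map.
function parseCookies(cookieString) {
  const out = new Map();
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) out.set(name, part.slice(eq + 1).trim());
  }
  return out;
}

// Classify a cookie: essential (no consent needed), a known non-essential
// category, or unknown (treated as needing consent until documented).
function classifyCookie(name) {
  if (ESSENTIAL.has(name)) return 'essential';
  const hit = NON_ESSENTIAL_PREFIXES.find(p => name.startsWith(p.prefix));
  return hit ? hit.category : 'unknown';
}

// consent is the state recorded when the cookies were observed, e.g.
// { analytics: false, marketing: false } before the visitor has chosen.
// Returns every cookie that was set without a matching consent.
function auditCookies(cookieString, consent) {
  const violations = [];
  for (const name of parseCookies(cookieString).keys()) {
    const category = classifyCookie(name);
    if (category === 'essential') continue;
    if (category === 'unknown' || !consent[category]) {
      violations.push({ name, category });
    }
  }
  return violations;
}
```

Running it against a constructed pre-consent cookie string such as `session_id=abc; _ga=GA1.2.1; _fbp=fb.1.x` with all consent flags false reports `_ga` and `_fbp`, which is exactly the finding a manual check of the three cookie items would record.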
Instead of checking manually, let PrivacyAudit scan your website and map every finding to items on this list — then guide you through fixing them.