The top 10 compliance issues Veracly finds on SMB sites — and how to fix them
Most SMB sites fail compliance on the same ten issues. We see them every scan — and they are all fixable in under a day with the right snippet.
Across the first thousand Veracly scans, the same ten issues fire on more than half of SMB sites. None require a rebuild; all are fixable in a single PR. Below is the list, the regulation each breaches, the typical Veracly severity, and the developer fix.
1. Tracking pixels firing before consent
What: Meta Pixel, Google Ads, GA4, LinkedIn Insight loading on first page view, before the cookie banner has been clicked.
Regulation: ePrivacy Article 5(3), GDPR Article 7. CNIL and the Italian Garante have issued seven-figure fines for this exact pattern.
Severity: Critical.
Fix: Move every non-essential script behind a consent gate. The simplest pattern: set type="text/plain" on the <script> tag at first load and flip it to text/javascript when the user accepts. Most CMP vendors ship a helper for this; if you do not use a CMP, a 20-line vanilla helper does the job.
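A minimal vanilla helper for the consent gate described above, added here as an example and not Veracly's or any CMP vendor's code; the data-consent attribute, the consent-categories storage key and the category names are assumptions. One caveat the helper handles: a browser does not execute a script whose type attribute is merely edited in place, so each gated node is replaced with a fresh copy when its category is granted.

```javascript
// Added example (not Veracly's or any CMP's code): a vanilla consent gate for scripts
// marked up as <script type="text/plain" data-consent="marketing" src="..."></script>.
// The data-consent attribute and the "consent-categories" storage key are assumptions.
// A script whose type attribute is changed in place is not executed, so we replace the node.

const CONSENT_KEY = "consent-categories";

// Read the categories the visitor granted on an earlier visit ([] if none or unparseable).
function getStoredConsent(storage) {
  try {
    const raw = storage.getItem(CONSENT_KEY);
    const parsed = raw ? JSON.parse(raw) : [];
    return Array.isArray(parsed) ? parsed : [];
  } catch (err) {
    return [];
  }
}

// Activate every gated script whose category has been granted; scripts in other
// categories stay inert. Returns the number of scripts activated.
function activateGatedScripts(grantedCategories, doc) {
  const granted = new Set(grantedCategories);
  const gated = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  let activated = 0;
  for (const old of gated) {
    if (!granted.has(old.getAttribute("data-consent"))) continue;
    const fresh = doc.createElement("script");
    for (const attr of Array.from(old.attributes)) {
      if (attr.name !== "type") fresh.setAttribute(attr.name, attr.value); // keep src, async, data-*
    }
    fresh.setAttribute("type", "text/javascript");
    if (!old.getAttribute("src")) fresh.textContent = old.textContent; // inline snippet
    old.parentNode.replaceChild(fresh, old); // insertion is what triggers execution
    activated += 1;
  }
  return activated;
}

// Persist the banner decision and apply it. "Reject all" passes [] so nothing loads
// now or on later visits; the page stays fully usable with every gated script inert.
function recordConsent(categories, storage, doc) {
  storage.setItem(CONSENT_KEY, JSON.stringify(categories));
  return activateGatedScripts(categories, doc);
}

// Browser wiring: replay the stored decision on each page load. Banner buttons call
// recordConsent(["marketing", "analytics"], localStorage, document) or recordConsent([], ...).
if (typeof document !== "undefined" && typeof localStorage !== "undefined") {
  activateGatedScripts(getStoredConsent(localStorage), document);
}
```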
2. Form inputs without labels
What: Inputs with placeholder text but no associated <label> or aria-label.
Regulation: WCAG 2.1 AA Success Criterion 1.3.1 (Info and Relationships) and 4.1.2 (Name, Role, Value). Caught by every accessibility scanner and every screen reader.
Severity: High.
Fix: <label for="email">Email</label> paired with <input id="email" ... />. If a visible label is not in the design, use aria-label="Email" on the input. Never rely on placeholder alone — it disappears the moment the user starts typing.
3. Insufficient color contrast on body text
What: Gray-on-white body text with a contrast ratio below 4.5:1.
Regulation: WCAG 2.1 AA Success Criterion 1.4.3 (Contrast — Minimum).
Severity: High.
Fix: Darken the gray. color: #6b7280 on #ffffff is 4.04:1 — fails. #475569 is 7.5:1 — passes. Pair this with a one-time pass through your design tokens; the issue usually lives in 3-4 CSS variables, not on individual elements.
4. Missing or stale accessibility statement
What: No accessibility statement page, or one last updated more than a year ago.
Regulation: European Accessibility Act Article 7; in the UK, public sector regulations and procurement law. The EAA explicitly requires a current statement disclosing the level of conformance and how to report issues.
Severity: Medium.
Fix: Publish /accessibility with: the conformance target (WCAG 2.1 AA), the known limitations, a contact path for accessibility reports, and a last-reviewed date. Re-review annually.
5. Cookie banner with no “reject all” option
What: A banner with “Accept all” on a prominent button but “reject all” buried two clicks deep, or missing entirely.
Regulation: GDPR Article 7(3), ePrivacy. CNIL, the Garante, AEPD and BfDI have all fined for asymmetric consent — the design choice is itself the violation.
Severity: High.
Fix: Reject and accept must be on the same surface, with the same visual weight. The standard CNIL test: a reasonable person presented with the banner could decline as easily as accept. Most CMPs ship a “banner parity” toggle that is off by default — turn it on.
6. Google Fonts loaded live from Google instead of self-hosted
What: The page loads fonts from fonts.googleapis.com or fonts.gstatic.com at runtime.
Regulation: LG München I 2022 ruling — live-loading Google Fonts transmits visitor IP addresses to Google without consent, violating GDPR Article 6. Class actions in Germany have followed.
Severity: Medium (in DE/AT); low elsewhere.
Fix: Self-host the font files. If you are on Next.js, the next/font/google API does this at build time automatically — drop the external <link> tags. For static sites, download the woff2 files and serve from your own origin.
7. Cookie inventory mismatch with policy
What: The site sets cookies the published cookie policy does not list, or lists cookies the site no longer sets.
Regulation: GDPR Article 13 (transparency); the UK equivalent under PECR. The most common cause of a regulator follow-up question.
Severity: Medium.
Fix: Run a fresh inventory (Veracly captures one on every scan; you can also use the browser DevTools Application tab). Update /cookies so every cookie set is listed with its purpose, lifetime, and category. Re-check on every third-party addition.
8. Missing alt text on meaningful images
What: Product photos, infographics, team headshots without an alt attribute.
Regulation: WCAG 2.1 AA SC 1.1.1 (Non-text Content).
Severity: Medium for meaningful images, low for decorative.
Fix: alt="descriptive text" on meaningful images, alt="" (empty string) on decorative ones. The empty alt is correct, not lazy — screen readers skip it. The bug is omitting the attribute entirely.
9. Heading hierarchy skipping levels
What: A page that goes from <h1> directly to <h3>, or has multiple <h1> elements.
Regulation: WCAG 2.1 AA SC 1.3.1.
Severity: Low to medium.
Fix: One <h1> per page; nested sections drop one level at a time. CSS handles visual size; do not pick a heading element for its font size.
10. Privacy policy missing required clauses
What: The published privacy policy omits one or more required sections — typically the international transfers clause, the data retention table, or the supervisory authority contact.
Regulation: GDPR Articles 13 and 14 enumerate the required disclosures.
Severity: Medium.
Fix: Run your policy against the Article 13/14 checklist. Common omissions: SCC reference for non-EU transfers, named supervisory authority for your country of establishment, retention periods (not just “as long as necessary”). A lawyer review every two years; a scanner check every week.
The pattern
Nine of these ten issues are fixable by a single developer in under a day. Issue #10 (privacy policy) is the only one that needs a lawyer review on the final language. That is the SMB compliance opportunity in 2026: the bar is low because most sites never check.
See also: Reading your first Veracly report · Cookie banner audit checklist
Common questions
How were these ten chosen?
Frequency across real scans, weighted by severity. Each appears in over half of first-time SMB scans, and each maps to a specific named regulation — not a vague "best practice." All ten are fixable in code; none require redesign.
Are these in priority order?
Roughly. We list the legal-exposure issues first (consent, missing legal pages, form labels) because those carry the largest fine surface. Severity in your own report depends on how many pages each issue affects on your site.
Does fixing all ten make my site compliant?
It puts you ahead of 80% of SMB sites, but no. Compliance is the long tail — accessibility statements, third-party widget review, ongoing monitoring as your site changes. The top ten are the floor, not the ceiling.
See where your site stands.
Run a free Veracly scan and get a multi-jurisdiction report — EAA, GDPR, ADA, UK Equality Act, AODA — with copy-paste developer fixes.