What is a website compliance audit? A practical guide for SMBs

A website compliance audit checks accessibility, privacy, and tracking practices against the laws that apply where your visitors live. Here is the practical version for small and medium businesses.

By Veracly Compliance Team. 8 min read.

If you run a small or medium business with a website, the rules you have to follow have multiplied in the last five years. Accessibility laws now reach private companies in the EU, UK, US, Canada, and Australia. Privacy regulators have shifted from warning letters to fines that scale with revenue. Cookie consent enforcement, once an EU-only headache, now appears in California, Colorado, Connecticut, Texas, and a growing list of states.

A website compliance audit is how you find out whether your site actually meets the laws that apply to it. This article walks through what the audit covers, how to run one without burning weeks of consultant time, and what an SMB should actually fix first.

What a compliance audit actually checks

There is no single global law called “website compliance.” The audit is a checklist drawn from the regulations that apply wherever your visitors live. For most SMBs operating in the EU, UK, or US, the four checklists below cover 90% of real-world risk.

1. Accessibility

The standard is WCAG 2.1 Level AA. It is referenced by the European Accessibility Act (in force from 28 June 2025), the UK Equality Act, the Americans with Disabilities Act (Title III), the Accessibility for Ontarians with Disabilities Act, and most other accessibility laws worldwide. A scanned audit catches roughly 30–40% of issues automatically — colour contrast, missing alt text, broken form labels, keyboard traps, ARIA misuse. The remaining 60–70% need manual testing, but a scan tells you whether you have the obvious problems first.

Read more: WCAG 2.1 AA accessibility audit explained.

2. Privacy & consent

For EU/UK visitors, consent for non-essential cookies and trackers is required before the script fires. A real consent audit captures network traffic on the very first page load, before the user clicks anything. Banners that say “by using this site you consent” or that drop trackers on page load are the most common failure mode — and the easiest for a regulator to spot.

Read more: What is a GDPR cookie audit?

3. Tracking and analytics

Auditors look for tracking pixels (Meta, TikTok, LinkedIn, Google Ads), session recorders (Hotjar, FullStory, Microsoft Clarity), advertising tags, and any tool that sends visitor behaviour to a third party. Each one has GDPR, ePrivacy, and increasingly US state-law implications. The fix is rarely to remove them — it is to load them only after consent and to disclose them honestly.

Read more: Tracking pixel audit: GDPR & ePrivacy.
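The first-page-load check described in the consent section and the tracker inventory above, as an added example that is not Veracly's own code: it takes a capture of the requests a page makes before any click and reports the ones a consent auditor would flag. The tracker host catalogue is an assumed illustrative list and the capture is constructed.

```javascript
// Added example (not Veracly's own code): classify the requests captured on
// the very first page load, before any click, and flag third-party trackers
// that fired without consent. Host list is assumed; the capture is constructed.

// Known tracker hosts mapped to the category an auditor would report.
const TRACKER_HOSTS = {
  "connect.facebook.net": "advertising pixel (Meta)",
  "analytics.tiktok.com": "advertising pixel (TikTok)",
  "snap.licdn.com": "advertising pixel (LinkedIn)",
  "googleads.g.doubleclick.net": "advertising tag (Google Ads)",
  "static.hotjar.com": "session recorder (Hotjar)",
  "www.clarity.ms": "session recorder (Microsoft Clarity)",
};

// Match a request host against the catalogue, including subdomains.
function classifyHost(host) {
  for (const [pattern, category] of Object.entries(TRACKER_HOSTS)) {
    if (host === pattern || host.endsWith("." + pattern)) return category;
  }
  return null;
}

// requests: [{ url, setCookie }] observed before any user interaction.
// Reports every request to a known tracker host, plus any other third party
// whose response set a cookie, since both happen before consent can exist.
function auditFirstLoad(requests, siteHost) {
  const violations = [];
  for (const req of requests) {
    const host = new URL(req.url).hostname;
    if (host === siteHost || host.endsWith("." + siteHost)) continue; // first-party
    const category = classifyHost(host);
    if (category) {
      violations.push({ host, category, reason: "tracker loaded before consent" });
    } else if (req.setCookie) {
      violations.push({ host, category: "unclassified third party", reason: "cookie set before consent" });
    }
  }
  return violations;
}

// Constructed first-load capture for a hypothetical shop site.
const SAMPLE_CAPTURE = [
  { url: "https://www.example-shop.test/", setCookie: true },
  { url: "https://cdn.example-shop.test/app.js", setCookie: false },
  { url: "https://connect.facebook.net/en_US/fbevents.js", setCookie: false },
  { url: "https://static.hotjar.com/c/hotjar-1.js", setCookie: false },
  { url: "https://cdn.somevendor.test/widget.js", setCookie: true },
];
```

Running `auditFirstLoad(SAMPLE_CAPTURE, "example-shop.test")` reports the Meta pixel, the Hotjar recorder, and the unknown vendor that set a cookie; the first-party requests are ignored.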

4. Required legal pages

Auditors check that you actually have, and link to, the documents the law requires:

  • Privacy policy that matches what your site actually does
  • Cookie policy with a current cookie inventory
  • Accessibility statement (mandatory under the EAA from June 2025)
  • Imprint / Impressum (mandatory in Germany, Austria, Switzerland)
  • Terms of service if you sell anything

Manual audit vs. continuous scanning

A manual audit by a consultancy typically takes 2–6 weeks and costs €5,000–€20,000 for a single SMB site. That is fine for a one-off snapshot, but most compliance regressions happen after the audit, during normal product work: a new third-party widget, a redesigned signup form, an analytics tool added by marketing without telling engineering. Continuous scanning catches these the day they ship instead of months later when the regulator’s letter arrives.

The pragmatic combination is one manual baseline (or a thorough scan) and then weekly automated scans that compare against the previous run. Most SMBs do not need a compliance team; they need a scanner that yells when something breaks.

What an SMB should actually fix first

If you are starting from zero, do these in order. Most teams can finish the list inside a sprint.

  1. Stop firing trackers before consent. This is the highest-risk and easiest-to-fix issue. Move every Meta/TikTok/LinkedIn pixel and any non-essential analytics behind a consent check.
  2. Replace the “by using this site you consent” banner with one that has equally weighted Accept and Reject buttons. The CNIL, ICO, and Garante have all fined for the alternative.
  3. Fix the top WCAG violations. Colour contrast, missing alt text, form labels, focus states, and keyboard traps. These are the 5 issues that account for the majority of accessibility complaints.
  4. Publish an accessibility statement. The EAA requires one from June 2025 for in-scope products. Even if you are out of scope, having one signals good-faith effort and helps in any subsequent dispute.
  5. Update your privacy policy to match what your site actually does. Most SMB privacy policies are a template that bears no relationship to the live site. Regulators check.
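Steps 1 and 2 in code, as an added example that is not Veracly's own: the implied-consent loader that fires every pixel on page load beside a gated loader that injects a tracker only for a purpose the visitor explicitly granted. The tracker list, the consent record shape and the injectScript hook are assumptions for illustration.

```javascript
// Added example (not Veracly's own code): the "fires on page load" pattern
// beside a consent-gated loader. The tracker list and the injectScript hook
// are assumed for illustration.

// Each non-essential tool is tagged with the consent purpose it needs.
const TRACKERS = [
  { name: "Meta Pixel", src: "https://connect.facebook.net/en_US/fbevents.js", purpose: "marketing" },
  { name: "Hotjar", src: "https://static.hotjar.com/c/hotjar-1.js", purpose: "analytics" },
  { name: "Google Analytics", src: "https://www.googletagmanager.com/gtag/js", purpose: "analytics" },
];

// BEFORE: the "by using this site you consent" model. Nothing is gated and a
// missing consent record counts as acceptance, so every tracker fires on the
// first page load, exactly what the first-load capture in an audit reveals.
function loadTrackersImplied(consent, injectScript) {
  const loaded = [];
  for (const t of TRACKERS) {
    if (!consent || consent[t.purpose] !== false) {
      injectScript(t.src);
      loaded.push(t.name);
    }
  }
  return loaded;
}

// AFTER: a tracker is injected only for a purpose the visitor explicitly
// granted. No decision yet (banner unanswered) or a rejection loads nothing,
// so the first page load carries no third-party tracking requests.
function loadTrackersGated(consent, injectScript) {
  const loaded = [];
  if (!consent || consent.decided !== true) return loaded;
  for (const t of TRACKERS) {
    if (consent[t.purpose] === true) {
      injectScript(t.src);
      loaded.push(t.name);
    }
  }
  return loaded;
}

// Browser wiring: the injector a real page would pass in, appending a
// <script> tag. The consent record would come from the banner's own storage.
function injectIntoDocument(src) {
  const s = document.createElement("script");
  s.async = true;
  s.src = src;
  document.head.appendChild(s);
}
```

In a page you would call `loadTrackersGated(storedConsent, injectIntoDocument)` once on load and again when the banner records a choice; the Reject button simply stores a record with every purpose set to false.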

Common mistakes to avoid

Trusting an accessibility overlay. The FTC fined accessiBe USD 1 million in January 2025 for misleading marketing about its overlay widget. Overlays do not create legal compliance. They mask issues at runtime; the underlying code still fails for many users and is still a basis for a lawsuit.

Treating compliance as a US-only or EU-only problem. Most SMB sites today serve visitors from multiple jurisdictions. A scan that only reports against one framework will miss issues that matter for the others.

Auditing once and never again. The most common pattern: a thorough audit, a clean report, six months of routine releases, and a regulator letter. Make the audit part of your release process.

How Veracly approaches this

Veracly was built specifically for the SMB version of this problem. One scan reports against EAA, GDPR, ADA, UK Equality Act, AODA, and US state privacy laws simultaneously, with AI-explained copy-paste developer fixes for the top priorities, a complete inventory of remaining issues, and continuous monitoring after the baseline. Run a free scan at veracly.app and see what your site looks like to a regulator before they look at it for you.

Common questions

What does a website compliance audit cover?

A full audit looks at four buckets: accessibility (WCAG 2.1 AA at minimum), privacy and consent (GDPR, ePrivacy, state laws like CCPA), tracking and analytics setup, and required legal pages (privacy policy, accessibility statement, imprint where required).

Is a website compliance audit legally required?

No regulator mandates the audit itself, but the underlying laws — GDPR, the European Accessibility Act, the ADA, the UK Equality Act — are enforceable today. An audit is the practical way to know whether you are exposed before someone files a complaint.

How often should we run an audit?

Run a baseline audit once, then continuous scans whenever the site changes. Most SMB compliance issues are introduced during routine releases — a new tracking script, a redesigned form, a third-party widget — not during the original build.

How long does an audit take?

A scanned audit covering accessibility, cookies, and trackers finishes in minutes. A full manual audit by a consultant typically runs 2–6 weeks for an SMB site and costs €5,000–€20,000.

See where your site stands.

Run a free Veracly scan and get a multi-jurisdiction report — EAA, GDPR, ADA, UK Equality Act, AODA — with copy-paste developer fixes.
