Legal · May 2026 · 8 min read

Website Legal Requirements Checklist (2026)

Every legal page and disclosure your website needs: privacy policy, terms, cookie consent, accessibility, and more.

Derek Giordano
Designer & Developer

Universal Requirements

Every website needs at minimum: a Privacy Policy (required by GDPR, CCPA, and virtually every privacy law if you collect any data), Terms of Service (limits liability and establishes rules), and a Cookie Consent mechanism (required by GDPR’s ePrivacy Directive in the EU). These three form the legal foundation. Depending on your business, audience, and jurisdiction, you may need several additional disclosures. Use the Privacy Policy Generator to create the foundation.

E-Commerce Specific

E-commerce sites need: Return and Refund Policy (required in EU and many US states), Shipping Policy (FTC Mail Order Rule requires delivery time estimates), Payment Terms, PCI DSS compliance disclosure, Sales Tax disclosure, Product Liability notices, and an Accessibility Statement (increasingly required by disability rights laws). These must be clearly displayed before purchase to be enforceable.

Content and Media Sites

Content sites need: Affiliate Disclosure if any content contains affiliate links (FTC requirement), Sponsored Content Disclosure for paid partnerships, DMCA Takedown Policy if hosting user content (safe harbor protection), Editorial Standards for E-E-A-T credibility, Comments/Community Guidelines, and Photo/Image Credits. Email newsletters need CAN-SPAM compliance: unsubscribe mechanism, physical address, accurate subject lines.

Regional Requirements

Regional specifics: The EU requires a GDPR privacy policy with a lawful basis, cookie consent with opt-in, and a right to erasure. California (CCPA/CPRA) requires a ‘Do Not Sell’ link. The UK has the post-Brexit UK GDPR. Canada has PIPEDA. Children’s sites need COPPA compliance globally. Accessibility: WCAG 2.1 AA is increasingly enforced via the ADA (US), the European Accessibility Act (EU 2025+), and the Accessibility Act (Canada).

Frequently Asked Questions

Do all websites need a privacy policy?
If your site uses cookies, analytics, contact forms, or collects any data (including IP addresses), you need one. In practice, virtually every website.

Can I write my own legal pages?
Generators create solid starting points. For basic sites, they may suffice. For businesses handling sensitive data or processing payments, have a lawyer review.

What’s the penalty for missing legal pages?
GDPR fines up to €20M or 4% of revenue. CCPA: $7,500 per intentional violation. ADA lawsuits have reached $75,000+ in settlements.
Derek Giordano
Written by the creator of Ultimate Design Tools. BA in Business Marketing.