Website Privacy Audit: A Free Checklist for Small Businesses
Free website privacy audit checklist. Check your privacy policy, cookies, forms, third-party scripts, and more in under an hour.
Last updated: 2026-02-07
Why Audit Your Website's Privacy?
Your website is probably the single biggest data collection point in your business. Every visitor leaves a trail — cookies, form submissions, analytics data, chat interactions, purchase records. And every piece of data you collect through your website comes with legal obligations.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The regulatory context discussed here is based on the GDPR (Regulation (EU) 2016/679), the CCPA (Cal. Civ. Code §§ 1798.100–1798.199.100), the ePrivacy Directive, and related regulations, as of the date of publication.
The problem is that most small business websites accumulate privacy issues over time without anyone noticing. A marketing person adds a Facebook Pixel. A developer installs a chat widget. Someone embeds a YouTube video. Each addition seems harmless, but each one introduces new data collection that may require disclosure, consent, or both.
A website privacy audit is a systematic check of everything your website does with personal data. It is not as daunting as it sounds. You can do the core audit in under an hour using the checklist below, and you do not need any special tools beyond a web browser.
Before You Start
What You Need
- Access to your website (front-end and admin panel)
- Access to your hosting control panel
- A list of any third-party services your website uses (analytics, ads, chat, email marketing, etc.)
- A web browser with developer tools (Chrome works well)
- About 45 to 90 minutes
How to Use This Checklist
Go through each section below. For each item, mark it as passing, failing, or not applicable. For anything that fails, note what needs to be fixed and who should fix it. Prioritize fixes by risk — items related to consent and data collection are higher priority than cosmetic issues.
Section 1: Privacy Policy
Your privacy policy is the foundational document for website privacy. It tells visitors what data you collect, why, and what you do with it. Most privacy regulations require one.
The Checklist
Does your website have a privacy policy? If not, this is your most urgent fix. Every website that collects personal data (and virtually all do, even through basic analytics) needs a privacy policy.
Is the privacy policy easy to find? Best practice is a link in the website footer on every page, plus links from any page that collects data (contact forms, checkout pages, account registration). If visitors have to hunt for your privacy policy, it is not accessible enough.
Is the privacy policy up to date? Check the "last updated" date. If it has not been updated in over 12 months, it is likely out of date. Privacy laws change, your data practices change, and your privacy policy needs to reflect reality.
Does the privacy policy accurately describe what data you collect? Read through it and compare it to what your website actually does. Common gaps:
- Analytics tools are not mentioned
- Advertising pixels are not disclosed
- Chat widgets that collect data are missing
- Cookies are not adequately described
- Third-party services are not listed
Does it explain why you collect each type of data? Under GDPR Article 5(1)(b), personal data must be collected for specified, explicit, and legitimate purposes ("purpose limitation"). Under CCPA (Cal. Civ. Code § 1798.130), your privacy policy must state the business or commercial purpose for collecting each category of personal information. Even without specific legal requirements, explaining "why" builds trust.
Does it list the third parties you share data with? If you use Google Analytics, Facebook Ads, Mailchimp, a payment processor, or any other third-party service that receives visitor data, it should be mentioned (at least by category, if not by name).
Does it explain data retention? How long do you keep personal data? GDPR Article 5(1)(e) requires that personal data be kept no longer than necessary for the purposes for which it is processed ("storage limitation"). If your privacy policy says "we retain data for as long as necessary" without any specifics, that is vague and may not satisfy GDPR requirements.
Does it explain user rights? Under GDPR, the CCPA (Cal. Civ. Code § 1798.130 requires the privacy policy to disclose consumer rights), and other laws, individuals have rights over their data (access, deletion, correction, etc.). Your privacy policy should explain these rights and how to exercise them.
Does it include contact information? Visitors need to know how to reach you about privacy matters. Include an email address (privacy@yourbusiness.com or similar) at minimum.
Does it mention cookies? If your site uses cookies (it almost certainly does), the privacy policy should explain what cookies you use, what they do, and how visitors can control them. Some businesses have a separate cookie policy, which is also fine.
Section 2: Cookie Compliance
Cookies are one of the most regulated aspects of website privacy, especially under GDPR and the ePrivacy Directive.
The Checklist
Do you know what cookies your website sets? Open your website in Chrome, press F12 to open Developer Tools, go to the Application tab, and click on Cookies in the left sidebar. This shows every cookie set by your site. If you see cookies you do not recognize, investigate them.
Does your website set non-essential cookies before consent? This is a critical check for GDPR compliance. Non-essential cookies (analytics, advertising, social media) should not be set until the visitor gives consent. To test: clear your cookies, visit your site, and check the cookies in Developer Tools before interacting with any consent banner. If you see Google Analytics cookies, Facebook cookies, or other tracking cookies already set, your cookie consent is broken.
Do you have a cookie consent banner? If your website uses non-essential cookies and you have visitors from the EU (or you want to be safe), you need a cookie consent banner that allows visitors to accept or reject different cookie categories.
Does the consent banner work correctly? Test it:
- Can visitors reject all non-essential cookies? (There should be a clear reject or "necessary only" option.)
- Does rejecting cookies actually prevent those cookies from being set? (Many banners are decorative — they ask for consent but set the cookies regardless.)
- Can visitors change their preferences after making a choice? (There should be a way to re-open the consent settings.)
- Are the cookie categories accurately described?
Does your site respect the Global Privacy Control (GPC) signal? GPC is a browser setting that communicates a visitor's opt-out preference. Several US state laws (including CCPA/CPRA) require you to honor it. To test: install a GPC-enabled browser or extension (like the DuckDuckGo browser or Privacy Badger) and visit your site. Check whether your cookie consent tool detects and respects the signal.
Do you have a separate cookie policy or cookie declaration? Not strictly required everywhere, but good practice. A cookie declaration lists every cookie on your site, its purpose, its duration, and whether it is first-party or third-party. Most cookie consent platforms generate this automatically.
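The two tests above (cookies present before consent, and whether the GPC signal is seen) can be scripted from the browser console. The following is an added example, not code from the original checklist: it parses a document.cookie-style string, sorts each cookie into a category by name, lists everything non-essential that is already set, and reads the Global Privacy Control flag that GPC-enabled browsers expose as navigator.globalPrivacyControl (they also send a Sec-GPC: 1 request header). The name table is a starting assumption built from widely used tracking cookie prefixes (Google Analytics _ga/_gid/_gat, Google Ads _gcl_*, Meta Pixel _fbp/_fbc, Hotjar _hj*, Microsoft Clarity _clck/_clsk); the "essential" names and the sample cookie string are constructed for the example.

```javascript
// Added example (not from the original checklist): classify cookies seen
// before any consent choice and detect the GPC signal. COOKIE_PATTERNS is a
// starting table of common tracking cookie prefixes; extend it for your site.
const COOKIE_PATTERNS = [
  { test: /^(_ga|_gid|_gat)/, category: "analytics", vendor: "Google Analytics" },
  { test: /^_gcl_/, category: "advertising", vendor: "Google Ads" },
  { test: /^_fb[pc]$/, category: "advertising", vendor: "Meta Pixel" },
  { test: /^_hj/, category: "session-recording", vendor: "Hotjar" },
  { test: /^_cl(ck|sk)$/, category: "session-recording", vendor: "Microsoft Clarity" },
];

// Cookies a site legitimately needs before consent. "cookie_consent" is a
// hypothetical name for the banner's own preference cookie.
const ESSENTIAL = new Set(["PHPSESSID", "csrftoken", "cookie_consent"]);

// Parse a document.cookie-style string ("a=1; b=2") into [name, value] pairs.
function parseCookies(cookieString) {
  return cookieString
    .split(";")
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const eq = part.indexOf("=");
      return eq === -1 ? [part, ""] : [part.slice(0, eq), part.slice(eq + 1)];
    });
}

function classifyCookie(name) {
  if (ESSENTIAL.has(name)) return { category: "essential", vendor: null };
  const hit = COOKIE_PATTERNS.find((p) => p.test.test(name));
  return hit ? { category: hit.category, vendor: hit.vendor } : { category: "unknown", vendor: null };
}

// Run this with cookies cleared and before touching the banner: anything
// non-essential returned here was set without consent.
function findPreConsentViolations(cookieString) {
  return parseCookies(cookieString)
    .map(([name]) => ({ name, ...classifyCookie(name) }))
    .filter((c) => c.category !== "essential");
}

// Global Privacy Control: navigator.globalPrivacyControl is true when the
// visitor has enabled it. A consent tool should treat that as an opt-out.
function gpcOptOut(nav) {
  return nav !== undefined && nav !== null && nav.globalPrivacyControl === true;
}

// Constructed sample: what document.cookie might contain on a site whose
// consent banner is decorative (Google Analytics and Meta cookies already set).
const SAMPLE_COOKIES =
  "PHPSESSID=abc123; cookie_consent=pending; _ga=GA1.2.111.222; _gid=GA1.2.333.444; _fbp=fb.1.555.666";

// In a browser, pass document.cookie and navigator instead of the samples.
console.log(findPreConsentViolations(SAMPLE_COOKIES));
console.log("GPC opt-out:", gpcOptOut(typeof navigator === "undefined" ? null : navigator));
```

document.cookie only exposes cookies without the HttpOnly flag, so the Application tab in Developer Tools remains the authoritative list; the script is for quickly spotting the well-known trackers. Anything it reports as "unknown" is exactly the cookie the checklist tells you to investigate.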
Section 3: Data Collection Forms
Every form on your website that collects personal data needs scrutiny.
The Checklist
Inventory all forms on your website. Common forms include:
- Contact forms
- Newsletter signup forms
- Account registration forms
- Checkout/payment forms
- Job application forms
- Survey or feedback forms
- Event registration forms
- Download forms (for gated content like lead magnets)
Does each form collect only the data it needs? This is the principle of data minimization, codified in GDPR Article 5(1)(c) — personal data must be "adequate, relevant and limited to what is necessary." If your contact form asks for name, email, phone number, physical address, company name, job title, and date of birth, ask yourself: do you actually need all of that to respond to a contact inquiry? Collect only what is necessary.
Do forms that require consent include a clear consent mechanism? For marketing-related forms (newsletter signups, lead magnets), you need clear, affirmative consent for marketing communications. This typically means an unchecked checkbox with clear language like "I agree to receive marketing emails from [Business Name]." Pre-checked boxes do not count as consent under GDPR.
Do forms link to your privacy policy? Best practice is to include a link to your privacy policy near the submit button of any form that collects personal data. Something like: "By submitting this form, you agree to our [Privacy Policy]."
Are contact form submissions stored securely? Where do form submissions go? If they are emailed to your inbox and also stored in a database or plugin (like Contact Form 7 or Gravity Forms in WordPress), know where the data lives and who has access to it.
Do you have a retention period for form submissions? Old contact form submissions sitting in your database for years are unnecessary data retention. Set up a process to regularly delete old submissions (or configure your form plugin to auto-delete after a set period).
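Data minimization and affirmative consent are easiest to enforce where the submission is received, not only in the form's markup. The following is an added example, not the article's own code: a server-side handler for a newsletter signup that keeps only the fields the form is allowed to collect, refuses anything but an explicitly ticked consent checkbox, and builds a consent record (time, wording shown, policy version, source page) that you can produce later if asked. The field names, the consent wording, the policy version string and the checkbox value "yes" are assumptions for this example; the HTML template is expected to render the box unchecked (for instance, input type="checkbox" name="marketing_consent" value="yes"), because a pre-checked box would submit the same value and the server cannot tell the difference.

```javascript
// Added example (not the article's code): a newsletter signup handler that
// enforces data minimization and requires affirmative consent. Field names,
// consent text and policy version are assumptions chosen for the example.

// Data minimization: the only fields this form may keep.
const ALLOWED_FIELDS = ["email", "first_name"];

// The exact wording shown beside the checkbox, stored with each record so
// you can later show what the subscriber agreed to.
const CONSENT_TEXT = "I agree to receive marketing emails from Example Co.";
const PRIVACY_POLICY_VERSION = "2026-02-07";

function isPlausibleEmail(value) {
  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value);
}

// `submission` is the parsed form body; `meta.now` is the request time and
// `meta.formUrl` the page the form was submitted from.
function processNewsletterSignup(submission, meta) {
  // An unticked checkbox is simply absent from the submitted body, so anything
  // other than our value means no consent was given.
  if (submission.marketing_consent !== "yes") {
    return { ok: false, error: "consent_not_given" };
  }
  const email = typeof submission.email === "string" ? submission.email.trim() : "";
  if (!isPlausibleEmail(email)) {
    return { ok: false, error: "invalid_email" };
  }
  // Keep only allowed fields; report what was dropped so you notice when a
  // template starts collecting more than it should.
  const data = {};
  const dropped = [];
  for (const [key, value] of Object.entries(submission)) {
    if (key === "marketing_consent") continue;
    if (ALLOWED_FIELDS.includes(key)) data[key] = String(value).trim();
    else dropped.push(key);
  }
  return {
    ok: true,
    data,
    dropped,
    consent: {
      given_at: meta.now.toISOString(),
      text: CONSENT_TEXT,
      policy_version: PRIVACY_POLICY_VERSION,
      source: meta.formUrl,
    },
  };
}

// Constructed sample submission containing a field this form has no need for.
const SAMPLE_SUBMISSION = {
  email: " ada@example.com ",
  first_name: "Ada",
  date_of_birth: "1990-01-01",
  marketing_consent: "yes",
};
const SAMPLE_META = { now: new Date("2026-02-07T10:00:00Z"), formUrl: "https://example.com/newsletter" };
console.log(processNewsletterSignup(SAMPLE_SUBMISSION, SAMPLE_META));
```

The `dropped` list is the useful part for an audit: if it is ever non-empty in production, someone has added a field to the form that the handler was never told to keep, which is exactly the "does each form collect only the data it needs?" check happening automatically.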
Section 4: Third-Party Scripts and Services
Third-party scripts are one of the biggest privacy risks on any website. Each script you add potentially sends visitor data to another company's servers.
The Checklist
Audit all third-party scripts on your website. Check your website's source code or tag manager for scripts from external services. Common ones include:
- Analytics: Google Analytics (GA4), Plausible, Fathom, Matomo, Adobe Analytics
- Advertising: Google Ads, Facebook/Meta Pixel, LinkedIn Insight Tag, Twitter Pixel, TikTok Pixel
- Chat widgets: Intercom, Drift, Crisp, LiveChat, tawk.to, Zendesk Chat
- Social media embeds: Facebook Like buttons, Twitter embeds, Instagram embeds, YouTube embeds
- Font services: Google Fonts (yes, this transfers IP addresses to Google)
- CDNs and hosting: Cloudflare, AWS CloudFront, Google Cloud CDN
- Customer reviews: Trustpilot, Yotpo, Bazaarvoice
- A/B testing: Optimizely, Google Optimize, VWO
- Heatmaps and session recording: Hotjar, FullStory, Microsoft Clarity, Crazy Egg
- Email marketing: Mailchimp tracking scripts, ConvertKit, ActiveCampaign
- Tag managers: Google Tag Manager (which itself may load dozens of other scripts)
Do you know what data each script collects? For every third-party script on your site, understand what data it collects from your visitors. At minimum, most scripts collect IP addresses, browser information, and page views. Advertising scripts and session recording tools collect much more.
Are all third-party scripts disclosed in your privacy policy? If a script collects personal data from your visitors, it should be mentioned in your privacy policy. This is a common gap — businesses add tracking scripts but forget to update the privacy policy.
Are marketing and analytics scripts blocked until consent is given? Under GDPR, scripts that are not strictly necessary should not load until the visitor consents. Your cookie consent platform should handle this, but verify that it actually works. Load your site, reject all cookies, and check Developer Tools (Network tab) to see if tracking scripts still fire.
Do you actually use all these scripts? It is common for businesses to have scripts from services they no longer use — an old chat widget, a discontinued A/B testing tool, an advertising platform from a past campaign. Each unused script is unnecessary data collection and a potential security risk. Remove any scripts you are not actively using.
Google Fonts check: If you use Google Fonts loaded from Google's servers (fonts.googleapis.com), visitor IP addresses are sent to Google. A German court ruled in 2022 that loading fonts this way without consent violates GDPR. The fix is to self-host your fonts (download them and serve them from your own server) or use a system font stack.
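The script inventory and the "reject, then watch the Network tab" test above can both be turned into something you run against captured data. The following is an added example, not the article's or any vendor's code: it takes the script URLs from a page (in a browser, `Array.from(document.scripts, s => s.src)`), splits them into first-party and third-party hosts, tags the hosts it recognizes, and separately reports which consent-requiring hosts are still being contacted in a list of request URLs captured after rejecting all cookies. The host table is a starting assumption covering a few of the services named in Section 4 (Google Analytics and Tag Manager, Meta Pixel, LinkedIn Insight Tag, Hotjar, Microsoft Clarity, Google Fonts); example.com and the sample script list are constructed.

```javascript
// Added example (not the article's code): group a page's script sources by
// host, tag known vendors, and flag tracking requests that still occur after
// a visitor rejects cookies. KNOWN_HOSTS is a starting table to extend.
const KNOWN_HOSTS = {
  "www.google-analytics.com": { category: "analytics", vendor: "Google Analytics", needsConsent: true },
  "www.googletagmanager.com": { category: "tag-manager", vendor: "Google Tag Manager", needsConsent: true },
  "connect.facebook.net": { category: "advertising", vendor: "Meta Pixel", needsConsent: true },
  "snap.licdn.com": { category: "advertising", vendor: "LinkedIn Insight Tag", needsConsent: true },
  "static.hotjar.com": { category: "session-recording", vendor: "Hotjar", needsConsent: true },
  "www.clarity.ms": { category: "session-recording", vendor: "Microsoft Clarity", needsConsent: true },
  "fonts.googleapis.com": { category: "fonts", vendor: "Google Fonts", needsConsent: true },
};

// Resolve a script src (absolute, protocol-relative or relative) against the
// page URL and return its host; inline scripts have an empty src and no host.
function hostOf(src, pageUrl) {
  if (!src) return null;
  try {
    return new URL(src, pageUrl).hostname;
  } catch {
    return null;
  }
}

function auditScripts(pageUrl, scriptSrcs) {
  const pageHost = new URL(pageUrl).hostname;
  const byHost = new Map();
  for (const src of scriptSrcs) {
    const host = hostOf(src, pageUrl);
    if (!host) continue;
    if (!byHost.has(host)) byHost.set(host, []);
    byHost.get(host).push(src);
  }
  const firstParty = [];
  const thirdParty = [];
  for (const [host, srcs] of byHost) {
    const known = KNOWN_HOSTS[host] || { category: "unknown", vendor: null, needsConsent: null };
    const entry = { host, scripts: srcs.length, ...known };
    (host === pageHost ? firstParty : thirdParty).push(entry);
  }
  return { firstParty, thirdParty };
}

// After rejecting all cookies, list the request URLs from the Network tab and
// pass them here: any consent-requiring host still being contacted means the
// consent tool is not actually blocking the script.
function requestsAfterRejection(requestUrls) {
  const offenders = new Set();
  for (const url of requestUrls) {
    const host = hostOf(url, "https://example.com/");
    if (host && KNOWN_HOSTS[host] && KNOWN_HOSTS[host].needsConsent) offenders.add(host);
  }
  return [...offenders].sort();
}

// Constructed sample: what document.scripts might yield on a small business
// site (example.com is a placeholder; G-XXXX is a placeholder measurement id).
const PAGE = "https://example.com/contact/";
const SAMPLE_SCRIPTS = [
  "/assets/app.js",
  "https://example.com/assets/forms.js",
  "https://www.googletagmanager.com/gtag/js?id=G-XXXX",
  "https://connect.facebook.net/en_US/fbevents.js",
  "https://static.hotjar.com/c/hotjar-123.js",
  "//cdn.unknown-widget.test/widget.js",
  "",
];
const SAMPLE_REQUESTS_AFTER_REJECT = [
  "https://example.com/assets/app.js",
  "https://www.google-analytics.com/g/collect?v=2",
  "https://connect.facebook.net/en_US/fbevents.js",
];

console.log(auditScripts(PAGE, SAMPLE_SCRIPTS));
console.log("Still loading after reject:", requestsAfterRejection(SAMPLE_REQUESTS_AFTER_REJECT));
```

Every third-party host tagged "unknown" is a candidate for the "do you actually use all these scripts?" question; every host reported by `requestsAfterRejection` is a consent banner that is decorative rather than functional.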
Session Recording and Heatmap Tools: A Special Warning
Tools like Hotjar, FullStory, and Microsoft Clarity record visitor sessions on your website — mouse movements, clicks, scrolling, and sometimes form inputs. These tools can inadvertently capture personal data (someone typing their name into a form, viewing their account page, etc.).
If you use session recording:
- Make sure you have consent before the recording scripts load
- Configure the tool to exclude or mask sensitive form fields (password fields, credit card inputs, etc.)
- Disclose the use of session recording in your privacy policy
- Regularly review recordings to ensure sensitive data is not being captured
Section 5: SSL/HTTPS
This is the easiest check and the most fundamental.
The Checklist
Does your entire website use HTTPS? Visit your site and check for the padlock icon in the browser address bar. If any page loads over HTTP (without the "S"), that is a problem.
Does HTTP redirect to HTTPS? Try visiting your site using http:// explicitly. It should automatically redirect to https://. If it does not, your server configuration needs updating.
Is your SSL certificate valid and not expiring soon? Click the padlock icon in your browser and check the certificate details. Note the expiration date. If it expires within the next 30 days and you do not have auto-renewal set up, fix this immediately. An expired SSL certificate means browsers will warn visitors that your site is not secure.
Are there mixed content warnings? Even with HTTPS, some page elements (images, scripts, stylesheets) might still be requested over HTTP. Browsers block or upgrade those requests and downgrade the page's security indicator, so the padlock alone does not prove every resource is encrypted. Chrome Developer Tools (Console tab) lists each mixed content warning.
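The three checks in this section (HTTP redirects to HTTPS, certificate not expiring soon, no mixed content) can be scripted over values you capture by hand: the status and Location header of an http:// request, the "not valid after" date from the browser's certificate viewer, and the resource URLs the page loads. The following is an added example, not the article's code; example.com, the dates and the resource list are constructed.

```javascript
// Added example (not the article's code): HTTPS checks on captured values.
// Sample inputs are constructed; example.com is a placeholder host.

// Treat example.com and www.example.com as the same site.
function sameSite(hostA, hostB) {
  const strip = (h) => h.replace(/^www\./, "");
  return strip(hostA) === strip(hostB);
}

// The http:// response should be a redirect whose Location is the https://
// version of the same site. Temporary redirects work but are not remembered
// by browsers, so they are reported as a warning rather than a failure.
function checkHttpsRedirect(requestedUrl, status, locationHeader) {
  const problems = [];
  const warnings = [];
  if (![301, 302, 307, 308].includes(status)) {
    problems.push(`expected a redirect, got HTTP ${status}`);
  } else if (status === 302 || status === 307) {
    warnings.push("temporary redirect; prefer 301 or 308 so browsers remember it");
  }
  if (!locationHeader) {
    problems.push("no Location header");
  } else {
    let target = null;
    try {
      target = new URL(locationHeader, requestedUrl);
    } catch {
      problems.push("Location header is not a valid URL");
    }
    if (target) {
      if (target.protocol !== "https:") problems.push(`redirect target is ${target.protocol} not https:`);
      if (!sameSite(target.hostname, new URL(requestedUrl).hostname)) {
        problems.push(`redirect leaves the site: ${target.hostname}`);
      }
    }
  }
  return { ok: problems.length === 0, problems, warnings };
}

// Days until the certificate's "not valid after" date; negative means expired.
function daysUntilExpiry(notAfter, now) {
  return Math.floor((new Date(notAfter).getTime() - now.getTime()) / 86400000);
}

// The checklist's 30-day threshold is the default warning window.
function certificateStatus(notAfter, now, warnDays = 30) {
  const days = daysUntilExpiry(notAfter, now);
  if (days < 0) return { level: "expired", days };
  if (days < warnDays) return { level: "expiring-soon", days };
  return { level: "ok", days };
}

// Mixed content: on an https: page, any resource whose resolved URL is http:.
// Relative and protocol-relative ("//cdn...") URLs inherit https and are fine.
function findMixedContent(pageUrl, resourceUrls) {
  if (new URL(pageUrl).protocol !== "https:") return [];
  return resourceUrls.filter((u) => {
    try {
      return new URL(u, pageUrl).protocol === "http:";
    } catch {
      return false;
    }
  });
}

// Constructed samples
const NOW = new Date("2026-02-07T00:00:00Z");
const SAMPLE_RESOURCES = [
  "/img/logo.png",
  "http://example.com/legacy.js",
  "//cdn.example.net/lib.js",
  "https://example.com/ok.css",
];
console.log(checkHttpsRedirect("http://example.com/", 301, "https://example.com/"));
console.log(checkHttpsRedirect("http://example.com/", 200, null));
console.log(certificateStatus("2026-02-20T12:00:00Z", NOW));
console.log(findMixedContent("https://example.com/", SAMPLE_RESOURCES));
```

Qualys SSL Labs (listed under free tools below) covers the certificate and server configuration in far more depth; the point of the small functions here is to make the pass/fail criteria explicit so the same check can be repeated at the next audit.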
Section 6: Email Marketing Compliance
If you collect email addresses through your website for marketing purposes, several laws govern how you can use them.
The Checklist
Do you have proper consent for marketing emails? Under GDPR, you need explicit, affirmative consent (an unchecked checkbox that the subscriber checks). Under CAN-SPAM (US), the requirements are less strict, but best practice is still to get clear consent.
Do your signup forms clearly state what subscribers will receive? "Sign up for updates" is vague. "Get our weekly small business privacy tips" is specific. Clear expectations reduce unsubscribes and complaints.
Does every marketing email include an unsubscribe link? This is required by CAN-SPAM, GDPR, CASL (Canada), and virtually every email marketing law. Your email platform (Mailchimp, ConvertKit, etc.) should handle this automatically, but verify.
Does unsubscribing actually work? Send yourself a test email, click unsubscribe, and verify you stop receiving emails. Some businesses have broken unsubscribe processes — a fast path to complaints.
Do your emails include your business name and physical address? CAN-SPAM requires a physical postal address in every commercial email. Most email marketing platforms include this in the footer automatically, but make sure it is accurate.
Are you honoring opt-out requests within the required timeframe? CAN-SPAM gives you 10 business days to process an opt-out. GDPR requires it to be "without undue delay." Most email platforms handle this instantly, but if you manage lists manually, be aware of the deadlines.
Section 7: Social Media and Embedding
Social media integrations create privacy implications that many businesses overlook.
The Checklist
Do you use social media sharing buttons? Traditional social sharing buttons (the official ones from Facebook, Twitter, LinkedIn) load scripts from those platforms and can track visitors on your site even if they do not click the buttons. Consider using simple link-based sharing buttons that do not load external scripts, or block the scripts until consent is given.
Do you embed social media content? Embedded tweets, Instagram posts, YouTube videos, and Facebook posts all load third-party scripts and transfer data to those platforms. Disclose this in your privacy policy and consider consent requirements.
YouTube embeds: do you use privacy-enhanced mode? When embedding YouTube videos, use the privacy-enhanced domain (youtube-nocookie.com instead of youtube.com). This prevents YouTube from setting cookies until the visitor plays the video. It is a simple change in the embed URL.
Do you use social login (Sign in with Google/Facebook/Apple)? Social login transfers data between your site and the identity provider. Disclose what data is shared and why. Make sure you have a privacy-compliant fallback for users who do not want to use social login.
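Two of the fixes above are mechanical enough to automate: rewriting YouTube embed URLs onto the privacy-enhanced youtube-nocookie.com domain, and replacing script-loading share buttons with plain links to each platform's own share page. The following is an added example, not the article's code. The share endpoints are the platforms' public share URLs as known at the time of writing (confirm them before shipping); the 11-character video id and example.com URLs are placeholders constructed for the example.

```javascript
// Added example (not the article's code): privacy-enhanced YouTube embeds and
// script-free share links. Endpoints are the platforms' public share URLs as
// known at the time of writing; video ids and page URLs are placeholders.

// Accepts the common YouTube URL shapes (watch?v=, youtu.be/, /embed/, and an
// existing nocookie embed) and returns the privacy-enhanced embed URL, keeping
// a numeric start offset if one was given. Returns null for anything else.
function toPrivacyEnhancedEmbed(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return null;
  }
  const host = url.hostname.replace(/^www\./, "").replace(/^m\./, "");
  let id = null;
  if (host === "youtu.be") {
    id = url.pathname.slice(1).split("/")[0];
  } else if (host === "youtube.com" || host === "youtube-nocookie.com") {
    if (url.pathname === "/watch") id = url.searchParams.get("v");
    else if (url.pathname.startsWith("/embed/")) id = url.pathname.split("/")[2];
  }
  // YouTube video ids are 11 URL-safe characters; reject anything else.
  if (!id || !/^[A-Za-z0-9_-]{11}$/.test(id)) return null;
  const out = new URL(`https://www.youtube-nocookie.com/embed/${id}`);
  const start = url.searchParams.get("start") || url.searchParams.get("t");
  if (start && /^\d+$/.test(start)) out.searchParams.set("start", start);
  return out.toString();
}

// Share pages that open on the platform when clicked; nothing from the
// platform is loaded on your page until then.
const SHARE_ENDPOINTS = {
  x: (u, t) => `https://twitter.com/intent/tweet?url=${u}&text=${t}`,
  facebook: (u) => `https://www.facebook.com/sharer/sharer.php?u=${u}`,
  linkedin: (u) => `https://www.linkedin.com/sharing/share-offsite/?url=${u}`,
  email: (u, t) => `mailto:?subject=${t}&body=${u}`,
};

function shareLink(platform, pageUrl, title) {
  const build = SHARE_ENDPOINTS[platform];
  if (!build) return null;
  return build(encodeURIComponent(pageUrl), encodeURIComponent(title || ""));
}

function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Plain anchor tags to drop into a template in place of the official buttons.
function shareButtonsHtml(pageUrl, title) {
  return Object.keys(SHARE_ENDPOINTS)
    .map((p) => `<a href="${escapeAttr(shareLink(p, pageUrl, title))}" rel="noopener noreferrer" target="_blank">Share on ${p}</a>`)
    .join("\n");
}

// Constructed usage (VIDEOID1234 is a placeholder id of the right length).
console.log(toPrivacyEnhancedEmbed("https://www.youtube.com/watch?v=VIDEOID1234"));
console.log(toPrivacyEnhancedEmbed("https://youtu.be/VIDEOID1234?t=30"));
console.log(shareButtonsHtml("https://example.com/post?a=1", "An article title"));
```

Run `toPrivacyEnhancedEmbed` over every iframe src in your content at publish time (or as a one-off migration) so editors cannot reintroduce the cookie-setting domain; the share links need no consent gating because the visitor's browser contacts the platform only after a deliberate click.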
Section 8: Specific Page Checks
E-Commerce / Checkout Pages
- Is payment processing handled by a PCI-compliant provider? (Stripe, PayPal, Square — these handle credit card data so you do not have to)
- Are payment details entered on your site or on the payment provider's hosted page? (Hosted payment pages are more secure)
- Is the checkout page fully HTTPS?
- Do you display your privacy policy and terms at checkout?
- If you save payment details for future purchases, is this clearly communicated and optional?
Account Registration and Login Pages
- Do you collect only necessary information at registration?
- Are passwords stored securely? (If you built the authentication yourself, this is a real concern. Use established authentication services where possible.)
- Do you offer two-factor authentication? (Not a privacy requirement, but a security best practice)
- Is there a clear account deletion option?
Job Application Pages
- Do you disclose how applicant data will be used?
- How long do you retain applications from candidates you did not hire?
- Is application data stored securely and with limited access?
Section 9: Mobile and Responsiveness
The Checklist
Does your cookie consent banner work on mobile? Visit your site on a phone. Can you read the consent banner? Can you access all options (accept, reject, customize)? Many consent banners that work on desktop are broken or unusable on mobile — buttons get cut off, text is unreadable, or the banner covers the entire screen without a way to dismiss it.
Are all forms usable on mobile? If a form is hard to use on mobile, visitors may abandon it or make errors (like submitting incorrect data). This is both a UX and a data quality issue.
Does the privacy policy page render properly on mobile? A privacy policy that requires horizontal scrolling or is formatted in tiny text on mobile is not genuinely accessible.
After the Audit: Prioritizing Fixes
Once you have completed the checklist, you will likely have a list of items to fix. Prioritize them:
Priority 1: Fix Immediately (Legal Risk)
- No privacy policy, or a privacy policy that is seriously inaccurate
- Non-essential cookies loading before consent
- No unsubscribe option in marketing emails
- Missing SSL/HTTPS
- Consent mechanisms that do not actually work
Priority 2: Fix Within 30 Days (Compliance Gaps)
- Privacy policy missing key disclosures (third-party scripts, data retention, user rights)
- Cookie consent banner not functioning correctly on mobile
- Undisclosed third-party scripts
- Forms collecting unnecessary data
- GPC signal not being honored
Priority 3: Fix Within 90 Days (Best Practice)
- Self-hosting fonts instead of using Google Fonts from external servers
- Implementing privacy-enhanced YouTube embeds
- Adding a cookie declaration page
- Removing unused scripts and plugins
- Setting up data retention for form submissions
Priority 4: Ongoing Maintenance
- Re-audit every 6 months or whenever you add new tools/scripts to your site
- Update privacy policy at least annually
- Review cookie consent configuration when adding new analytics or marketing tools
- Train team members who manage the website on privacy implications of their changes
Free Tools for Your Audit
Chrome Developer Tools — Built into Chrome. Use the Application tab for cookies, the Network tab for tracking script requests, and the Console tab for mixed content warnings.
Cookiebot free scan — Scans up to 5 pages for cookies and tracking technologies. Good for a quick baseline.
Google PageSpeed Insights — Not privacy-specific, but shows all third-party requests your site makes, which helps identify data-sharing scripts.
Qualys SSL Labs — Free SSL certificate and HTTPS configuration checker. Enter your domain and get a detailed report.
Blacklight by The Markup — themarkup.org/blacklight. Enter your URL and it scans for ad trackers, third-party cookies, session recording, keylogging, and canvas fingerprinting. Excellent free tool.
Make This a Habit
A website privacy audit is not a one-time task. Your website changes constantly — new pages, new plugins, new marketing tools, new team members making updates. Schedule a re-audit every six months. Put it on the calendar. It takes less time the second time because you already know what to look for.
References
- General Data Protection Regulation (GDPR): Regulation (EU) 2016/679
- California Consumer Privacy Act (CCPA): Cal. Civ. Code §§ 1798.100–1798.199.100
- ePrivacy Directive: Directive 2002/58/EC (as amended by Directive 2009/136/EC)
- CAN-SPAM Act: 15 U.S.C. §§ 7701–7713
- NIST Privacy Framework
Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.
Build on Your Audit With a Complete Compliance Framework
Your website privacy audit is one part of a larger compliance picture. If you want to go deeper — covering DSAR response processes, data mapping, breach preparedness, and employee training — download our DSAR Compliance Guide. It ties together the website-level work with the operational processes you need for full privacy compliance.