Business websites now do much more than display information. They collect enquiries, run analytics, fire tracking pixels, build remarketing audiences, capture emails, use booking tools, show reviews and make claims about services. That means compliance issues can hide inside normal marketing setup.
This checklist covers the areas most likely to create problems: privacy policies, data collection, tracking and cookies, remarketing, email and SMS marketing, accessibility basics, advertising claims and overall digital trust. Many of these issues also show up as trust and conversion leaks, which is why they connect to the broader SEO strategy in our Melbourne SEO guide.
In 2026, a website can look polished and still have compliance leaks underneath.
Warning: This is general information, not legal advice Website compliance depends on your business, industry, data collection, customers, marketing tools and legal obligations. This checklist helps you find gaps. A qualified Australian lawyer or privacy professional should decide exactly how to close them. |
The Short Answer: What Should a Website Compliance Checklist Include?
Action: Quick answer A Melbourne business website should check: privacy policy, collection notices near forms, cookie and tracking disclosures, analytics setup, tracking pixels, remarketing audiences, contact form fields, lead magnets, newsletter and email consent, SMS marketing consent, accessibility basics, advertising claims, testimonials and reviews, pricing claims, terms and conditions where relevant, website security, mobile usability and ownership and maintenance responsibilities. |
The OAIC's tracking pixel guidance says organisations should conduct regular, ongoing reviews of website tracking technologies and comply with APP 7 when using tracking pixels for targeted online ads, including providing a simple opt out.
The goal is not to turn your website into a legal textbook. The goal is to remove the obvious risks before they become complaints, lost trust or messy rebuild work.
Before You Start: What This Checklist Can and Cannot Do
This checklist can help you:
Identify obvious website compliance gaps
Prepare better questions for a lawyer
Brief your developer or agency clearly
Clean up unnecessary tracking
Improve trust and transparency
Reduce avoidable website risk
This checklist cannot:
Confirm legal compliance for your specific situation
Replace professional legal advice
Cover every industry specific regulation
Decide whether the small business Privacy Act exemption applies to you
Approve your privacy policy wording
Assess all accessibility requirements
Use this checklist to find the gaps. Use professional advice to decide exactly how to close them.
Website Compliance Scorecard: The Eight Areas
Area | Checks | Max checks | Status |
Privacy policy | 1 to 4 | 4 | Pass / Review / Urgent |
Forms and data collection | 5 to 8 | 4 | Pass / Review / Urgent |
Cookies and tracking | 9 to 12 | 4 | Pass / Review / Urgent |
Remarketing and ads | 13 to 15 | 3 | Pass / Review / Urgent |
Email/SMS marketing | 16 to 18 | 3 | Pass / Review / Urgent |
Accessibility basics | 19 to 21 | 3 | Pass / Review / Urgent |
Advertising claims | 22 to 25 | 4 | Pass / Review / Urgent |
Digital trust/UX | General | Trust check | Pass / Review / Urgent |
Privacy Policy Checklist (Checks 1 to 4)
Check 1: Do You Have a Privacy Policy?
If your business is covered by the Privacy Act, you need a privacy policy. Even if the small business exemption currently applies, having a clear privacy policy builds trust with customers and prepares you for future reform. Link it in the footer and near forms. For more detail on what the recent law changes mean for your website, see our article on Australia's new privacy laws and website changes.
The OAIC's Australian Privacy Principle 1 focuses on open and transparent management of personal information, including having a clearly expressed and up to date privacy policy.
Check 2: Does It Reflect What Your Website Actually Does?
Your privacy policy should describe the website you run today, not the one you had when the policy was first written. Check whether it mentions contact forms, newsletter signups, analytics, ad pixels, remarketing, CRM systems, booking tools, payment tools, call tracking, overseas disclosures, data access and correction rights and your complaints process.
Check 3: Does It Explain Third Party Tools?
If your website sends data to Google Analytics, Google Ads, Meta, TikTok, LinkedIn, Hotjar, Mailchimp, HubSpot, Calendly, Stripe or similar platforms, your privacy policy should reflect that. Most generic template policies do not mention these tools.
Check 4: Is It Current?
Review your privacy policy every time the website is rebuilt, new forms are added, new tracking pixels are installed, your CRM changes, email or SMS flows are added, AI or chatbot tools are introduced or privacy laws change. If none of those triggers have prompted a review, it is probably out of date.
A privacy policy is only useful if it describes the website you actually run, not the website you had three years ago.
Data Collection and Form Checklist (Checks 5 to 8)
Check 5: Are Your Forms Collecting Only What You Need?
Review every form on your website. For each field, ask: do we need this? Is it required? Is there a less intrusive version? Are we collecting sensitive information by accident? Where does the submitted data end up?
Common over collection:
Asking for date of birth when it is not needed for the service
Asking for medical or legal details in a general enquiry form
Requiring full address when suburb is enough
Collecting budget information when it is not necessary at the enquiry stage
Upload fields that could capture sensitive documents
Check 6: Is There a Collection Notice Near Important Forms?
Under APP 5, entities collecting personal information must take reasonable steps to notify individuals about collection matters at or before collection. For higher risk forms, include a short notice explaining what you collect, why, what happens after submission, where to find the privacy policy and whether marketing contact is optional.
Tip: Keep it simple The notice does not need to be a full legal paragraph. A short sentence like 'We use this information to respond to your enquiry. See our privacy policy for details.' is a practical starting point. Separate any marketing opt in from the enquiry itself. |
Check 7: Are Form Submissions Stored Safely?
Check where form data ends up: website database, email inbox, CRM, spreadsheets, automation tools, agency or developer systems, old plugin storage and backups. If you do not know where the data goes after someone hits submit, that is a gap.
Check 8: Are Sensitive Industries Handling Forms Carefully?
If your business handles health, legal, financial, insurance, counselling, NDIS, recruitment or children's data, standard contact forms carry higher risk. Consider whether the form should warn users about sensitive information, whether data is stored with appropriate access controls and whether your privacy policy addresses the specific types of information collected.
The safest form field is the one you never collect unless you genuinely need it.
Cookie, Analytics and Tracking Checklist (Checks 9 to 12)
Check 9: Do You Know Which Tags Are Installed?
Open Google Tag Manager (or view page source) and list every tag, pixel and script running on your website. Common ones to look for:
GA4 (Google Analytics)
Google Ads conversion tag
Meta Pixel
TikTok Pixel
LinkedIn Insight Tag
Microsoft Ads UET tag
Hotjar or Microsoft Clarity
Call tracking scripts
Chat widget scripts
Affiliate tracking scripts
Booking widget scripts
Check 10: Are Old Tags Removed?
It is common to find tags left behind by previous agencies, old campaign setups or abandoned tools. Look for old agency tags, duplicate GA4 properties, unused remarketing pixels, abandoned heatmap tools, duplicate conversion events and tags firing on every page when they only need to fire on specific ones.
Check 11: Are You Using Tracking Pixels Responsibly?
The OAIC says organisations using third party tracking pixels for targeted online advertising must comply with APP 7 (direct marketing) and provide individuals with a simple opt out.
Check:
Which pages do pixels fire on (especially sensitive pages)?
What events are sent to ad platforms?
Are thank you pages sending sensitive event labels?
Is there a clear opt out option?
Does the privacy policy explain targeted advertising use?
Check 12: Are Analytics Events Privacy Safe?
Avoid sending personal information in page URLs, event names, form field values, thank you page labels, search terms, CRM identifiers or uploaded file names. If your GA4 setup captures enquiry form text in an event parameter, that is a problem.
Good tracking tells you what marketing works. Bad tracking quietly sends data you never meant to share.
Remarketing and Advertising Audience Checklist (Checks 13 to 15)
Check 13: Are Remarketing Audiences Appropriate?
Review what audiences you are building from website visits. Remarketing from a general service page is different from remarketing from a page about mental health counselling, family law or financial hardship.
Higher risk audience sources:
Medical or health condition pages
Legal issue pages (family law, criminal, employment disputes)
Financial hardship or debt pages
Counselling or psychology services
Children's services
Job application pages
Check 14: Do Users Have a Clear Opt Out Path?
The OAIC's guidance on direct marketing says APP 7 applies when organisations use or disclose personal information for direct marketing. Sensitive information can only be used for direct marketing with consent. Make sure your website provides a meaningful way for users to opt out of remarketing.
Check 15: Are Ad Platforms Receiving Only Necessary Data?
Review enhanced conversions, custom audiences, hashed email uploads, CRM list imports, offline conversion imports and server side tracking configurations. Each of these sends personal information to an advertising platform. Check whether each is necessary, disclosed and documented.
Remarketing is useful until it feels creepy. The line is usually crossed when businesses track sensitive intent without thinking through the customer's perspective.
Email and SMS Marketing Checklist (Checks 16 to 18)
Check 16: Do You Have Consent?
The ACMA says businesses must have consent before sending commercial electronic messages. Messages must identify the sender, include contact details and make unsubscribing easy.
Review consent for:
Newsletter signup forms
Quote and enquiry forms (is marketing consent separate?)
Checkout opt ins
Lead magnet downloads
Webinar and event registrations
CRM imports from old customer lists
Check 17: Is Marketing Consent Separate from Enquiry Consent?
Avoid automatically subscribing every form enquiry to your marketing list. Avoid pre ticked marketing checkboxes. Avoid unclear 'by submitting this form you agree to receive marketing' language buried in fine print. Make the marketing opt in a clear, separate choice.
Check 18: Is Unsubscribe Easy?
Every marketing email should have a visible unsubscribe link. SMS messages should include opt out wording. Unsubscribed contacts should go to a suppression list and not be reimported later. ACMA's guidance says marketing messages must generally include a way for recipients to unsubscribe.
A person asking for a quote is not automatically asking for your newsletter forever.
Accessibility Basics Checklist (Checks 19 to 21)
This is not a full WCAG audit. It is a basic check of whether real people can actually use your website. Accessibility is not just a compliance issue. It is whether your forms, content and calls to action work for everyone.
Check 19: Can People Read and Navigate the Site?
Check:
Colour contrast is sufficient (text is easy to read against the background)
Font sizes are readable without zooming
The site can be navigated with a keyboard (tab through links and forms)
Focus states are visible (you can see where the cursor is)
Links have descriptive text (not just 'click here')
Headings are in a logical order
Form fields have visible labels
Error messages are clear and visible
Key videos or audio have captions or transcripts
Meaningful images have alt text
The Australian Human Rights Commission's digital accessibility guidelines explain how digital accessibility helps organisations provide equal access and meet Disability Discrimination Act obligations. For private businesses, WCAG remains a useful practical benchmark even where specific obligations vary.
Check 20: Does the Website Work on Mobile and Assistive Technology?
Check that the site works at 200% zoom or more, has no horizontal scrolling on mobile, buttons are easy to tap, forms work on mobile devices, page structure makes sense to screen readers and PDFs have HTML alternatives where possible. Mobile usability also affects search rankings. See our guide on mobile SEO for Australian businesses for the SEO side.
Check 21: Are Downloadable PDFs Accessible?
Brochures, menus, price lists, forms, checklists, guides and compliance documents offered as PDFs should be accessible. This means real text (not just images of text), proper heading structure and alt text for images. If PDFs are not accessible, consider offering an HTML alternative.
Accessibility is not just a compliance issue. It is whether real people can actually use your website.
ACCC Advertising Claims Checklist (Checks 22 to 25)
Check 22: Can You Prove Every Claim?
The ACCC says businesses must be able to prove advertising claims and claims should be true, accurate and based on reasonable grounds.
Review claims like:
'Best', '#1', 'leading'
'Guaranteed results'
'Fastest' or 'cheapest'
'Trusted by thousands'
'Award winning' (is the award real and verifiable?)
'Risk free'
'Australian made' (does it meet the criteria?)
'Medical grade' or similar technical claims
If a claim helps sell the service, the business needs to be able to stand behind it with evidence.
Check 23: Are Pricing Claims Clear?
Check whether pricing includes GST, whether 'from' pricing is genuine, whether setup fees, ongoing costs, contract terms and exclusions are disclosed. If there are cancellation fees, installation costs or shipping and return conditions, these should be visible before the customer commits.
Check 24: Are Testimonials and Reviews Handled Properly?
The ACCC says it is against the law for businesses to create fake or misleading reviews or to arrange for others to do so. Check that your website does not display fake reviews, cherry pick in a way that misleads, edit testimonials to change meaning or suppress negative feedback in a deceptive way. If incentives were offered for reviews, disclose that. For more on handling reviews the right way, see our guide on getting more Google reviews without breaking Australian consumer law.
Check 25: Are Before/After and Results Claims Realistic?
This is relevant for SEO, Google Ads, fitness, cosmetic services, finance, coaching, health, renovations and professional services. Before and after claims, results claims and performance promises should be realistic, not misleading and ideally accompanied by context about what affects outcomes.
Digital Trust and User Experience Checklist
Trust is not one badge or one policy page. It is the whole experience feeling clear, safe and honest. This section connects compliance to SEO and conversion. Building visible trust on your website is also a core part of E E A T for small businesses.
Check:
HTTPS is active across the entire site
No mixed content warnings (padlock with a warning triangle)
All forms work properly and do not produce errors
Clear contact details visible on every page (at minimum in the footer)
Real business name displayed
ABN or ACN shown where useful
Privacy policy linked in the footer
Terms, returns or refund policies where relevant
Accurate opening hours
No broken links on key pages
Mobile friendly layout
Fast enough loading speed
Secure checkout (if applicable)
Accessible contact options (phone, email, form)
The Australian Government Digital Service Standard is designed for government services, but its principles are useful as a benchmark for any business: services should be user friendly, inclusive, adaptable, measurable and designed around trust.
30 Minute Website Compliance Self Audit
You do not need a full day to find the obvious gaps. Here is how to run through the key checks in about 30 minutes.
Time | Focus | What to do |
0 to 5 min | Open essentials | Open homepage, contact page, privacy policy, top service page, checkout/booking page if relevant, Google Tag Manager and your email/SMS platform. |
5 to 12 min | Forms and privacy | Check privacy policy exists and is linked. Review form fields and collection notices. Check where submissions go. Look for sensitive data in form fields. |
12 to 18 min | Tracking | Check GA4, ad pixels, remarketing tags, heatmaps, call tracking and old or unused tags in GTM. |
18 to 23 min | Claims | Review homepage and service page claims. Check testimonials and reviews. Review pricing for clarity. Look for 'best', 'guaranteed' or unsubstantiated claims. |
23 to 28 min | Accessibility basics | Check mobile layout, text size, contrast, headings, form labels, alt text on key images and keyboard navigation. |
28 to 30 min | Score and prioritise | Mark each area as Pass, Needs Review or Urgent. Note which items need legal review, developer work or marketing cleanup. |
This pairs well with our 25 point SEO audit checklist, which covers the technical, content, local and off page SEO checks alongside these compliance foundations.
Warning: Do not fix during the audit Score first, then prioritise. Fixing while auditing is how businesses spend hours on one problem and miss a bigger risk on another page. |
Get the 2026 Website Compliance Checklist
We have a printable version of this checklist you can download and use across your website. It includes all 25 checks, a scoring column (Pass, Needs Review, Urgent), a notes column and an 'ask who' column so you know whether each item is for your lawyer, developer or agency.
The checklist includes:
Privacy policy checklist
Form and data collection checklist
Tracking pixel checklist
Remarketing checklist
Email/SMS consent checklist
Accessibility basics checklist
Advertising claims checklist
Notes section and priority column
Download the checklist, run it across your website and mark each item. It will help you see whether the next step is legal review, tracking cleanup, accessibility fixes or better website governance. Reach out to us if you would like a copy.
What to Do After the Checklist
If Privacy Gaps Show Up
Speak with a privacy lawyer or legal adviser. Update your privacy policy. Add or improve form collection notices. Map your data flows so you know where information goes.
If Tracking Gaps Show Up
Audit Google Tag Manager. Remove old and unused tags. Document every active tool. Review pixel events and where data is sent. This is part of ongoing website maintenance that most businesses overlook.
If Accessibility Gaps Show Up
Fix obvious UX barriers first (broken forms, unreadable text, missing alt text). Then consider a more thorough accessibility audit. Prioritise forms, navigation, CTAs and downloadable PDFs.
If Advertising Claims Are Risky
Collect evidence to support your claims. Rewrite anything you cannot substantiate. Remove exaggerated language. Review pricing for clarity and completeness. Check that testimonials are genuine and unedited.
If Everything Looks Messy
Run a full website audit that brings legal, developer and marketing together. Consider a website rebuild with compliance built in rather than patching an old site.
Website compliance is rarely fixed by one person. Legal, marketing, design, development and operations all touch the risk.
Common Website Compliance Mistakes
The biggest compliance problem is usually ownership. Everyone assumes someone else checked it.
Copying a privacy policy from another site. A policy that does not describe your actual data practices is not compliant. It needs to reflect what your website actually collects and where that data goes.
Installing a cookie banner without auditing tags. A cookie banner that says 'we use cookies' while 15 unaudited tags fire in the background is theatre, not transparency.
Assuming the developer handled privacy. Your developer built the site. They are not responsible for your privacy obligations unless specifically engaged for that purpose.
Collecting too much form data. Every unnecessary field is a risk with no upside. If you do not use it, do not collect it.
Using Meta Pixel everywhere by default. Firing remarketing pixels on every page, including sensitive service pages, without review is one of the most common and most risky defaults.
Adding people to email lists after a quote request. A quote request is not consent to receive ongoing marketing. Separate the enquiry from the opt in.
Making claims you cannot prove. 'Guaranteed results', 'best in Melbourne' and 'trusted by thousands' all need evidence. If you cannot substantiate it, do not say it.
Using fake or edited reviews. The ACCC is clear: fake or misleading reviews are against the law. This includes reviews written by staff, reviews edited to change meaning and selectively suppressing negative feedback.
Ignoring accessibility because 'we are not government'. The Disability Discrimination Act applies to goods and services, not just government. Basic accessibility also improves usability, conversion and SEO for everyone.
FAQs
What legal pages does an Australian business website need?
At minimum, a privacy policy if you collect personal information (which most business websites do through forms, analytics or tracking). Depending on your business, you may also need terms and conditions, refund and returns policies, shipping policies and specific industry disclaimers.
Does my website need a privacy policy in Australia?
If you are an APP entity under the Privacy Act (generally businesses with over $3 million annual turnover, plus health providers and some others), yes. Even if the small business exemption currently applies to you, a privacy policy builds trust and prepares you for future reform.
Do Australian websites need cookie consent?
Australia does not have the same cookie consent model as the EU. However, if your website uses tracking pixels, remarketing or behavioural profiling, you should provide clear notice and meaningful opt out options. The exact requirements depend on your situation.
Can I use Meta Pixel on my website?
Yes, but you must comply with your Privacy Act obligations. Disclose pixel use, comply with direct marketing rules under APP 7, provide a simple opt out and avoid firing pixels on sensitive pages without careful consideration.
Are website testimonials regulated in Australia?
Yes. The ACCC says businesses must not create fake or misleading reviews or arrange for others to do so. Testimonials should be genuine, unedited in meaning and any incentives should be disclosed.
What website claims can get a business in trouble?
Claims that are false, misleading or unsubstantiated. Common examples: 'guaranteed results', 'best in Melbourne', 'cheapest', '#1 rated', 'risk free' or specific savings percentages without evidence. The ACCC says businesses must be able to prove their advertising claims.
Does my business website need to meet WCAG?
There is no single law that requires all private Australian business websites to meet a specific WCAG level. However, the Disability Discrimination Act covers goods and services and WCAG is widely accepted as the practical benchmark. Basic accessibility improvements also help usability, conversion and SEO.
How often should I review website compliance?
At minimum, review whenever you rebuild the site, add new forms or tracking, change CRM or email tools, launch new advertising campaigns or when privacy laws change. A quarterly tracking audit is good practice.
Should my web designer or lawyer handle compliance?
Both, in their areas. Your web designer or agency can audit tracking, forms, tags and UX. Your lawyer can review privacy policy wording, consent mechanisms and industry specific obligations. Neither should be expected to do the other's job.
What We Recommend at Elev8d
We can help you see what your website is doing. Your legal team should decide what your business must say, disclose or change.
When we build or audit websites, we review the tracking stack, form setup, tag configuration and user experience as part of the project. We can show you which tags are firing, which forms are collecting more than they need, which pixels are active and where the obvious trust and UX gaps are.
For most Melbourne businesses, the practical first step is visibility: know what your website collects, where it sends data and what it claims. From there, your legal adviser can review the policy side, your developer can fix the technical side and your marketing team can clean up the tracking side.
Next Steps: Pick Your Path
Path 1: Run the checklist yourself
Work through the 25 checks in this article. Mark each as Pass, Needs Review or Urgent. Use the 30 minute audit workflow to keep it focused. Then decide what needs legal review, developer work or marketing cleanup.
Path 2: Get your tracking and forms reviewed
If you are not sure what tags, pixels and integrations are running on your site, get in touch. We can map the tracking stack, review form setup and show you where the gaps are so your legal adviser has a clear picture to work with.
Path 3: Get proper legal advice
If your business handles sensitive data, operates in a regulated industry or needs specific compliance guidance, involve a qualified privacy lawyer alongside the website review. We handle the website and tracking side. A lawyer handles the policy and compliance side.
A compliant website is not just one with legal pages. It is one where the business knows what it collects, explains it clearly, avoids misleading claims and gives people a fair, usable experience.
Sources and Further Reading
OAIC: Australian Privacy Principles - The 13 principles governing personal information handling.
OAIC: Tracking Pixels Guidance - Specific guidance on tracking pixel obligations.
ACCC: Advertising and Promotions - Guidance on truthful claims, reviews and pricing.
ACMA: Avoid Sending Spam - Rules on electronic marketing messages.
Australian Human Rights Commission: Disability Rights - Digital accessibility and Disability Discrimination Act obligations.
Australian Government Digital Service Standard - Principles for user friendly, inclusive, trustworthy digital services.
General information only. This article is not legal advice. Website compliance depends on your business, industry, data collection, customers and legal obligations. If you need compliance guidance, consult a qualified Australian lawyer or privacy professional.