Business websites now do much more than display information. They collect enquiries, run analytics, fire tracking pixels, build remarketing audiences, capture emails, use booking tools, show reviews and make claims about services. That means compliance issues can hide inside normal marketing setup.

This checklist covers the areas most likely to create problems: privacy policies, data collection, tracking and cookies, remarketing, email and SMS marketing, accessibility basics, advertising claims and overall digital trust. Many of these issues also show up as trust and conversion leaks, which is why they connect to the broader SEO strategy in our Melbourne SEO guide.

In 2026, a website can look polished and still have compliance leaks underneath.

Warning: This is general information, not legal advice

Website compliance depends on your business, industry, data collection, customers, marketing tools and legal obligations. This checklist helps you find gaps. A qualified Australian lawyer or privacy professional should decide exactly how to close them.

The Short Answer: What Should a Website Compliance Checklist Include?

Action: Quick answer

A Melbourne business website should check: privacy policy, collection notices near forms, cookie and tracking disclosures, analytics setup, tracking pixels, remarketing audiences, contact form fields, lead magnets, newsletter and email consent, SMS marketing consent, accessibility basics, advertising claims, testimonials and reviews, pricing claims, terms and conditions where relevant, website security, mobile usability and ownership and maintenance responsibilities.

The OAIC's tracking pixel guidance says organisations should conduct regular, ongoing reviews of website tracking technologies and comply with APP 7 when using tracking pixels for targeted online ads, including providing a simple opt out.

The goal is not to turn your website into a legal textbook. The goal is to remove the obvious risks before they become complaints, lost trust or messy rebuild work.

Before You Start: What This Checklist Can and Cannot Do

This checklist can help you:

  • Identify obvious website compliance gaps

  • Prepare better questions for a lawyer

  • Brief your developer or agency clearly

  • Clean up unnecessary tracking

  • Improve trust and transparency

  • Reduce avoidable website risk

This checklist cannot:

  • Confirm legal compliance for your specific situation

  • Replace professional legal advice

  • Cover every industry specific regulation

  • Decide whether the small business Privacy Act exemption applies to you

  • Approve your privacy policy wording

  • Assess all accessibility requirements

Use this checklist to find the gaps. Use professional advice to decide exactly how to close them.

Website Compliance Scorecard: The Eight Areas

Area

Checks

Max checks

Status

Privacy policy

1 to 4

4

Pass / Review / Urgent

Forms and data collection

5 to 8

4

Pass / Review / Urgent

Cookies and tracking

9 to 12

4

Pass / Review / Urgent

Remarketing and ads

13 to 15

3

Pass / Review / Urgent

Email/SMS marketing

16 to 18

3

Pass / Review / Urgent

Accessibility basics

19 to 21

3

Pass / Review / Urgent

Advertising claims

22 to 25

4

Pass / Review / Urgent

Digital trust/UX

General

Trust check

Pass / Review / Urgent

Privacy Policy Checklist (Checks 1 to 4)

Check 1: Do You Have a Privacy Policy?

If your business is covered by the Privacy Act, you need a privacy policy. Even if the small business exemption currently applies, having a clear privacy policy builds trust with customers and prepares you for future reform. Link it in the footer and near forms. For more detail on what the recent law changes mean for your website, see our article on Australia's new privacy laws and website changes.

The OAIC's Australian Privacy Principle 1 focuses on open and transparent management of personal information, including having a clearly expressed and up to date privacy policy.

Check 2: Does It Reflect What Your Website Actually Does?

Your privacy policy should describe the website you run today, not the one you had when the policy was first written. Check whether it mentions contact forms, newsletter signups, analytics, ad pixels, remarketing, CRM systems, booking tools, payment tools, call tracking, overseas disclosures, data access and correction rights and your complaints process.

Check 3: Does It Explain Third Party Tools?

If your website sends data to Google Analytics, Google Ads, Meta, TikTok, LinkedIn, Hotjar, Mailchimp, HubSpot, Calendly, Stripe or similar platforms, your privacy policy should reflect that. Most generic template policies do not mention these tools.

Check 4: Is It Current?

Review your privacy policy every time the website is rebuilt, new forms are added, new tracking pixels are installed, your CRM changes, email or SMS flows are added, AI or chatbot tools are introduced or privacy laws change. If none of those triggers have prompted a review, it is probably out of date.

A privacy policy is only useful if it describes the website you actually run, not the website you had three years ago.

Data Collection and Form Checklist (Checks 5 to 8)

Check 5: Are Your Forms Collecting Only What You Need?

Review every form on your website. For each field, ask: do we need this? Is it required? Is there a less intrusive version? Are we collecting sensitive information by accident? Where does the submitted data end up?

Common over collection:

  • Asking for date of birth when it is not needed for the service

  • Asking for medical or legal details in a general enquiry form

  • Requiring full address when suburb is enough

  • Collecting budget information when it is not necessary at the enquiry stage

  • Upload fields that could capture sensitive documents

Check 6: Is There a Collection Notice Near Important Forms?

Under APP 5, entities collecting personal information must take reasonable steps to notify individuals about collection matters at or before collection. For higher risk forms, include a short notice explaining what you collect, why, what happens after submission, where to find the privacy policy and whether marketing contact is optional.

Tip: Keep it simple

The notice does not need to be a full legal paragraph. A short sentence like 'We use this information to respond to your enquiry. See our privacy policy for details.' is a practical starting point. Separate any marketing opt in from the enquiry itself.

Check 7: Are Form Submissions Stored Safely?

Check where form data ends up: website database, email inbox, CRM, spreadsheets, automation tools, agency or developer systems, old plugin storage and backups. If you do not know where the data goes after someone hits submit, that is a gap.

Check 8: Are Sensitive Industries Handling Forms Carefully?

If your business handles health, legal, financial, insurance, counselling, NDIS, recruitment or children's data, standard contact forms carry higher risk. Consider whether the form should warn users about sensitive information, whether data is stored with appropriate access controls and whether your privacy policy addresses the specific types of information collected.

The safest form field is the one you never collect unless you genuinely need it.

Cookie, Analytics and Tracking Checklist (Checks 9 to 12)

Check 9: Do You Know Which Tags Are Installed?

Open Google Tag Manager (or view page source) and list every tag, pixel and script running on your website. Common ones to look for:

  • GA4 (Google Analytics)

  • Google Ads conversion tag

  • Meta Pixel

  • TikTok Pixel

  • LinkedIn Insight Tag

  • Microsoft Ads UET tag

  • Hotjar or Microsoft Clarity

  • Call tracking scripts

  • Chat widget scripts

  • Affiliate tracking scripts

  • Booking widget scripts

Check 10: Are Old Tags Removed?

It is common to find tags left behind by previous agencies, old campaign setups or abandoned tools. Look for old agency tags, duplicate GA4 properties, unused remarketing pixels, abandoned heatmap tools, duplicate conversion events and tags firing on every page when they only need to fire on specific ones.

Check 11: Are You Using Tracking Pixels Responsibly?

The OAIC says organisations using third party tracking pixels for targeted online advertising must comply with APP 7 (direct marketing) and provide individuals with a simple opt out.

Check:

  • Which pages do pixels fire on (especially sensitive pages)?

  • What events are sent to ad platforms?

  • Are thank you pages sending sensitive event labels?

  • Is there a clear opt out option?

  • Does the privacy policy explain targeted advertising use?

Check 12: Are Analytics Events Privacy Safe?

Avoid sending personal information in page URLs, event names, form field values, thank you page labels, search terms, CRM identifiers or uploaded file names. If your GA4 setup captures enquiry form text in an event parameter, that is a problem.

Good tracking tells you what marketing works. Bad tracking quietly sends data you never meant to share.

Remarketing and Advertising Audience Checklist (Checks 13 to 15)

Check 13: Are Remarketing Audiences Appropriate?

Review what audiences you are building from website visits. Remarketing from a general service page is different from remarketing from a page about mental health counselling, family law or financial hardship.

Higher risk audience sources:

  • Medical or health condition pages

  • Legal issue pages (family law, criminal, employment disputes)

  • Financial hardship or debt pages

  • Counselling or psychology services

  • Children's services

  • Job application pages

Check 14: Do Users Have a Clear Opt Out Path?

The OAIC's guidance on direct marketing says APP 7 applies when organisations use or disclose personal information for direct marketing. Sensitive information can only be used for direct marketing with consent. Make sure your website provides a meaningful way for users to opt out of remarketing.

Check 15: Are Ad Platforms Receiving Only Necessary Data?

Review enhanced conversions, custom audiences, hashed email uploads, CRM list imports, offline conversion imports and server side tracking configurations. Each of these sends personal information to an advertising platform. Check whether each is necessary, disclosed and documented.

Remarketing is useful until it feels creepy. The line is usually crossed when businesses track sensitive intent without thinking through the customer's perspective.

Email and SMS Marketing Checklist (Checks 16 to 18)

Check 16: Do You Have Consent?

The ACMA says businesses must have consent before sending commercial electronic messages. Messages must identify the sender, include contact details and make unsubscribing easy.

Review consent for:

  • Newsletter signup forms

  • Quote and enquiry forms (is marketing consent separate?)

  • Checkout opt ins

  • Lead magnet downloads

  • Webinar and event registrations

  • CRM imports from old customer lists

Check 17: Is Marketing Consent Separate from Enquiry Consent?

Avoid automatically subscribing every form enquiry to your marketing list. Avoid pre ticked marketing checkboxes. Avoid unclear 'by submitting this form you agree to receive marketing' language buried in fine print. Make the marketing opt in a clear, separate choice.

Check 18: Is Unsubscribe Easy?

Every marketing email should have a visible unsubscribe link. SMS messages should include opt out wording. Unsubscribed contacts should go to a suppression list and not be reimported later. ACMA's guidance says marketing messages must generally include a way for recipients to unsubscribe.

A person asking for a quote is not automatically asking for your newsletter forever.

Accessibility Basics Checklist (Checks 19 to 21)

This is not a full WCAG audit. It is a basic check of whether real people can actually use your website. Accessibility is not just a compliance issue. It is whether your forms, content and calls to action work for everyone.

Check 19: Can People Read and Navigate the Site?

Check:

  • Colour contrast is sufficient (text is easy to read against the background)

  • Font sizes are readable without zooming

  • The site can be navigated with a keyboard (tab through links and forms)

  • Focus states are visible (you can see where the cursor is)

  • Links have descriptive text (not just 'click here')

  • Headings are in a logical order

  • Form fields have visible labels

  • Error messages are clear and visible

  • Key videos or audio have captions or transcripts

  • Meaningful images have alt text

The Australian Human Rights Commission's digital accessibility guidelines explain how digital accessibility helps organisations provide equal access and meet Disability Discrimination Act obligations. For private businesses, WCAG remains a useful practical benchmark even where specific obligations vary.

Check 20: Does the Website Work on Mobile and Assistive Technology?

Check that the site works at 200% zoom or more, has no horizontal scrolling on mobile, buttons are easy to tap, forms work on mobile devices, page structure makes sense to screen readers and PDFs have HTML alternatives where possible. Mobile usability also affects search rankings. See our guide on mobile SEO for Australian businesses for the SEO side.

Check 21: Are Downloadable PDFs Accessible?

Brochures, menus, price lists, forms, checklists, guides and compliance documents offered as PDFs should be accessible. This means real text (not just images of text), proper heading structure and alt text for images. If PDFs are not accessible, consider offering an HTML alternative.

Accessibility is not just a compliance issue. It is whether real people can actually use your website.

ACCC Advertising Claims Checklist (Checks 22 to 25)

Check 22: Can You Prove Every Claim?

The ACCC says businesses must be able to prove advertising claims and claims should be true, accurate and based on reasonable grounds.

Review claims like:

  • 'Best', '#1', 'leading'

  • 'Guaranteed results'

  • 'Fastest' or 'cheapest'

  • 'Trusted by thousands'

  • 'Award winning' (is the award real and verifiable?)

  • 'Risk free'

  • 'Australian made' (does it meet the criteria?)

  • 'Medical grade' or similar technical claims

If a claim helps sell the service, the business needs to be able to stand behind it with evidence.

Check 23: Are Pricing Claims Clear?

Check whether pricing includes GST, whether 'from' pricing is genuine, whether setup fees, ongoing costs, contract terms and exclusions are disclosed. If there are cancellation fees, installation costs or shipping and return conditions, these should be visible before the customer commits.

Check 24: Are Testimonials and Reviews Handled Properly?

The ACCC says it is against the law for businesses to create fake or misleading reviews or to arrange for others to do so. Check that your website does not display fake reviews, cherry pick in a way that misleads, edit testimonials to change meaning or suppress negative feedback in a deceptive way. If incentives were offered for reviews, disclose that. For more on handling reviews the right way, see our guide on getting more Google reviews without breaking Australian consumer law.

Check 25: Are Before/After and Results Claims Realistic?

This is relevant for SEO, Google Ads, fitness, cosmetic services, finance, coaching, health, renovations and professional services. Before and after claims, results claims and performance promises should be realistic, not misleading and ideally accompanied by context about what affects outcomes.

Digital Trust and User Experience Checklist

Trust is not one badge or one policy page. It is the whole experience feeling clear, safe and honest. This section connects compliance to SEO and conversion. Building visible trust on your website is also a core part of E E A T for small businesses.

Check:

  • HTTPS is active across the entire site

  • No mixed content warnings (padlock with a warning triangle)

  • All forms work properly and do not produce errors

  • Clear contact details visible on every page (at minimum in the footer)

  • Real business name displayed

  • ABN or ACN shown where useful

  • Privacy policy linked in the footer

  • Terms, returns or refund policies where relevant

  • Accurate opening hours

  • No broken links on key pages

  • Mobile friendly layout

  • Fast enough loading speed

  • Secure checkout (if applicable)

  • Accessible contact options (phone, email, form)

The Australian Government Digital Service Standard is designed for government services, but its principles are useful as a benchmark for any business: services should be user friendly, inclusive, adaptable, measurable and designed around trust.

30 Minute Website Compliance Self Audit

You do not need a full day to find the obvious gaps. Here is how to run through the key checks in about 30 minutes.

Time

Focus

What to do

0 to 5 min

Open essentials

Open homepage, contact page, privacy policy, top service page, checkout/booking page if relevant, Google Tag Manager and your email/SMS platform.

5 to 12 min

Forms and privacy

Check privacy policy exists and is linked. Review form fields and collection notices. Check where submissions go. Look for sensitive data in form fields.

12 to 18 min

Tracking

Check GA4, ad pixels, remarketing tags, heatmaps, call tracking and old or unused tags in GTM.

18 to 23 min

Claims

Review homepage and service page claims. Check testimonials and reviews. Review pricing for clarity. Look for 'best', 'guaranteed' or unsubstantiated claims.

23 to 28 min

Accessibility basics

Check mobile layout, text size, contrast, headings, form labels, alt text on key images and keyboard navigation.

28 to 30 min

Score and prioritise

Mark each area as Pass, Needs Review or Urgent. Note which items need legal review, developer work or marketing cleanup.

This pairs well with our 25 point SEO audit checklist, which covers the technical, content, local and off page SEO checks alongside these compliance foundations.

Warning: Do not fix during the audit

Score first, then prioritise. Fixing while auditing is how businesses spend hours on one problem and miss a bigger risk on another page.

Get the 2026 Website Compliance Checklist

We have a printable version of this checklist you can download and use across your website. It includes all 25 checks, a scoring column (Pass, Needs Review, Urgent), a notes column and an 'ask who' column so you know whether each item is for your lawyer, developer or agency.

The checklist includes:

  • Privacy policy checklist

  • Form and data collection checklist

  • Tracking pixel checklist

  • Remarketing checklist

  • Email/SMS consent checklist

  • Accessibility basics checklist

  • Advertising claims checklist

  • Notes section and priority column

Download the checklist, run it across your website and mark each item. It will help you see whether the next step is legal review, tracking cleanup, accessibility fixes or better website governance. Reach out to us if you would like a copy.

What to Do After the Checklist

If Privacy Gaps Show Up

Speak with a privacy lawyer or legal adviser. Update your privacy policy. Add or improve form collection notices. Map your data flows so you know where information goes.

If Tracking Gaps Show Up

Audit Google Tag Manager. Remove old and unused tags. Document every active tool. Review pixel events and where data is sent. This is part of ongoing website maintenance that most businesses overlook.

If Accessibility Gaps Show Up

Fix obvious UX barriers first (broken forms, unreadable text, missing alt text). Then consider a more thorough accessibility audit. Prioritise forms, navigation, CTAs and downloadable PDFs.

If Advertising Claims Are Risky

Collect evidence to support your claims. Rewrite anything you cannot substantiate. Remove exaggerated language. Review pricing for clarity and completeness. Check that testimonials are genuine and unedited.

If Everything Looks Messy

Run a full website audit that brings legal, developer and marketing together. Consider a website rebuild with compliance built in rather than patching an old site.

Website compliance is rarely fixed by one person. Legal, marketing, design, development and operations all touch the risk.

Common Website Compliance Mistakes

The biggest compliance problem is usually ownership. Everyone assumes someone else checked it.

Copying a privacy policy from another site. A policy that does not describe your actual data practices is not compliant. It needs to reflect what your website actually collects and where that data goes.

Installing a cookie banner without auditing tags. A cookie banner that says 'we use cookies' while 15 unaudited tags fire in the background is theatre, not transparency.

Assuming the developer handled privacy. Your developer built the site. They are not responsible for your privacy obligations unless specifically engaged for that purpose.

Collecting too much form data. Every unnecessary field is a risk with no upside. If you do not use it, do not collect it.

Using Meta Pixel everywhere by default. Firing remarketing pixels on every page, including sensitive service pages, without review is one of the most common and most risky defaults.

Adding people to email lists after a quote request. A quote request is not consent to receive ongoing marketing. Separate the enquiry from the opt in.

Making claims you cannot prove. 'Guaranteed results', 'best in Melbourne' and 'trusted by thousands' all need evidence. If you cannot substantiate it, do not say it.

Using fake or edited reviews. The ACCC is clear: fake or misleading reviews are against the law. This includes reviews written by staff, reviews edited to change meaning and selectively suppressing negative feedback.

Ignoring accessibility because 'we are not government'. The Disability Discrimination Act applies to goods and services, not just government. Basic accessibility also improves usability, conversion and SEO for everyone.

FAQs

What legal pages does an Australian business website need?

At minimum, a privacy policy if you collect personal information (which most business websites do through forms, analytics or tracking). Depending on your business, you may also need terms and conditions, refund and returns policies, shipping policies and specific industry disclaimers.

Does my website need a privacy policy in Australia?

If you are an APP entity under the Privacy Act (generally businesses with over $3 million annual turnover, plus health providers and some others), yes. Even if the small business exemption currently applies to you, a privacy policy builds trust and prepares you for future reform.

Do Australian websites need cookie consent?

Australia does not have the same cookie consent model as the EU. However, if your website uses tracking pixels, remarketing or behavioural profiling, you should provide clear notice and meaningful opt out options. The exact requirements depend on your situation.

Can I use Meta Pixel on my website?

Yes, but you must comply with your Privacy Act obligations. Disclose pixel use, comply with direct marketing rules under APP 7, provide a simple opt out and avoid firing pixels on sensitive pages without careful consideration.

Are website testimonials regulated in Australia?

Yes. The ACCC says businesses must not create fake or misleading reviews or arrange for others to do so. Testimonials should be genuine, unedited in meaning and any incentives should be disclosed.

What website claims can get a business in trouble?

Claims that are false, misleading or unsubstantiated. Common examples: 'guaranteed results', 'best in Melbourne', 'cheapest', '#1 rated', 'risk free' or specific savings percentages without evidence. The ACCC says businesses must be able to prove their advertising claims.

Does my business website need to meet WCAG?

There is no single law that requires all private Australian business websites to meet a specific WCAG level. However, the Disability Discrimination Act covers goods and services and WCAG is widely accepted as the practical benchmark. Basic accessibility improvements also help usability, conversion and SEO.

How often should I review website compliance?

At minimum, review whenever you rebuild the site, add new forms or tracking, change CRM or email tools, launch new advertising campaigns or when privacy laws change. A quarterly tracking audit is good practice.

Should my web designer or lawyer handle compliance?

Both, in their areas. Your web designer or agency can audit tracking, forms, tags and UX. Your lawyer can review privacy policy wording, consent mechanisms and industry specific obligations. Neither should be expected to do the other's job.

What We Recommend at Elev8d

We can help you see what your website is doing. Your legal team should decide what your business must say, disclose or change.

When we build or audit websites, we review the tracking stack, form setup, tag configuration and user experience as part of the project. We can show you which tags are firing, which forms are collecting more than they need, which pixels are active and where the obvious trust and UX gaps are.

For most Melbourne businesses, the practical first step is visibility: know what your website collects, where it sends data and what it claims. From there, your legal adviser can review the policy side, your developer can fix the technical side and your marketing team can clean up the tracking side.

Next Steps: Pick Your Path

Path 1: Run the checklist yourself

Work through the 25 checks in this article. Mark each as Pass, Needs Review or Urgent. Use the 30 minute audit workflow to keep it focused. Then decide what needs legal review, developer work or marketing cleanup.

Path 2: Get your tracking and forms reviewed

If you are not sure what tags, pixels and integrations are running on your site, get in touch. We can map the tracking stack, review form setup and show you where the gaps are so your legal adviser has a clear picture to work with.

Path 3: Get proper legal advice

If your business handles sensitive data, operates in a regulated industry or needs specific compliance guidance, involve a qualified privacy lawyer alongside the website review. We handle the website and tracking side. A lawyer handles the policy and compliance side.

A compliant website is not just one with legal pages. It is one where the business knows what it collects, explains it clearly, avoids misleading claims and gives people a fair, usable experience.

Sources and Further Reading

General information only. This article is not legal advice. Website compliance depends on your business, industry, data collection, customers and legal obligations. If you need compliance guidance, consult a qualified Australian lawyer or privacy professional.

AK
Written by

Ajay K.

Ajay K is the founder of Elev8d. A psychology grad turned marketer, he writes plain English guides on SEO, ads and web design. Reader, adrenaline seeker & self confessed introverted extrovert.