Privacy & Cookie Compliance Markers

Privacy compliance is unglamorous, unforgiving, and increasingly enforced. The EU GDPR, UK GDPR, California CCPA/CPRA, Brazil LGPD, and a growing list of other regulators have settled on a similar set of minimum disclosures — privacy policy, cookie policy, terms, lawful-basis statements, data-controller information. Missing any of those isn't usually a fine in itself, but it's the entry point for complaints that escalate. Regulators tend to start at 'is the basic compliance furniture here?' and move outward; the absence of a privacy policy fast-tracks the investigation. The fix is operationally trivial — write the policy, link it from the footer — and yet startups routinely launch without one because the founder thought lawyers were for later.

We crawl the homepage and look for links to the standard compliance pages: Privacy Policy, Cookie Policy, Terms of Service, Data Processing Agreement (if B2B). We also look for the markup signature of a cookie consent banner — a fixed-position element loading on first visit with accept/reject controls. We grade presence and linkability, not content quality. Whether your privacy policy is well-drafted is a legal review job; whether it exists at all is a deterministic check.

GDPR / UK GDPR / CCPA enforcement risk. The ICO (UK), CNIL (France), DPC (Ireland), and equivalent EU member-state regulators have issued fines for missing or hidden privacy pages, ranging from small administrative penalties to seven-figure assessments for repeat offenders. Class actions have been filed in the U.S. over missing CCPA disclosures. Beyond regulatory risk: B2B customers (especially in regulated sectors) gate procurement on these documents being present. Their absence stalls deals.

Have visible, footer-linked Privacy Policy, Cookie Policy, and Terms of Service from day one. The policies don't need to be perfect on launch — a clear baseline document is better than nothing — but get them in place. Add a compliant cookie consent banner that gates non-essential cookies (analytics, marketing) until consent. The banner needs to offer reject as easily as accept (no 'accept' button styled to dominate), and respect the choice (don't fire trackers on reject). Honor browser-level signals like Sec-GPC. Keep the documents updated; date them; have a process for re-issuing on material changes. For B2B selling into the EU, prepare a Data Processing Agreement template — many enterprise procurement processes require one before signature.