Common Website Compliance Violations

From broken privacy policy links to outdated cookie notices, here are the compliance issues we find on real websites—and why they matter.

We scan hundreds of websites every week. Some are Fortune 500 companies. Some are three-person startups. Almost all of them have at least one compliance issue they don't know about.

The good news? Most violations aren't intentional. They're accidents. Someone updated the website and broke a link. A developer added Google Analytics without updating the cookie policy. The privacy policy is from 2018 and mentions features you don't even offer anymore.

The bad news? Accidents don't matter to regulators. What matters is what's on your site right now.

The Most Common Issue: The 404 Privacy Policy

This is, by far, the most common problem we find: a privacy policy link that goes nowhere.

It usually happens during a website redesign. Someone moves pages around, changes URL structures, or migrates to a new CMS. The link in the footer still says "/privacy-policy" but the actual page is now at "/legal/privacy". Nobody notices because nobody clicks privacy policy links—until a compliance audit.

Why it matters:

Under GDPR (Article 12), the information in your privacy policy must be provided in an "easily accessible" form. A 404 page isn't accessible. Under CCPA, you must provide "notice at collection." You can't do that if the link is broken. This isn't a technicality; it's the foundation of compliance.

We've seen companies go months with a broken privacy policy link. The website works fine. Users sign up and pay. Everything seems normal. Then comes the complaint.

The Cookie Banner That Lies

Your cookie banner says "We only use essential cookies." Your cookie policy says the same thing. But your site is actually using Google Analytics, Facebook Pixel, and Hotjar.

How does this happen? Usually, a marketing team member adds tracking tools without telling anyone. Or the website had a cookie audit in 2020, but you've added three new tools since then. Or you removed a tool but forgot to update the policy.

This is surprisingly common. We see it on about 30% of the sites we scan.

Here's what makes it dangerous: this isn't just a documentation error. Under the ePrivacy Directive (as implemented in each EU member state) and GDPR's consent standard, you can't set non-essential cookies or run third-party trackers without consent. If your banner says "essential only" but you're loading analytics and pixels before the user agrees, you're collecting data without valid consent, and the banner itself is evidence that you knew the distinction mattered.

"We thought we were compliant because we had a cookie banner. Turns out, the banner said one thing and the actual cookies said another. Nobody had checked in two years."

— CTO of a 50-person SaaS company after a GDPR complaint

The Privacy Policy Frozen in Time

Scenario: It's 2024. Your privacy policy's "last updated" date says "January 2019."

Is that bad? Depends. If your business hasn't changed since 2019—same features, same data collection, same third-party tools—you're probably fine.

But if you've:

  • Added new features that collect data
  • Started using new analytics or marketing tools
  • Begun processing payments (if you didn't before)
  • Hired employees in new jurisdictions
  • Changed hosting providers

Then your privacy policy is lying. Not on purpose, but it's inaccurate. And "we forgot to update it" isn't a defense.

We see this constantly. Companies launch a whole new product line and never think to update their privacy policy. They're not hiding anything—they just don't realize the policy needs to reflect current reality, not historical reality.

Missing Data Subject Rights (For EU Users)

Your privacy policy needs to tell EU users about their rights under GDPR Articles 15 to 22: the right of access, rectification, erasure, restriction of processing, data portability, objection, and the right to lodge a complaint with a supervisory authority.

Many US companies include a short section like "California Privacy Rights" but completely skip the GDPR requirements. The thinking seems to be: "We're in the US, we don't need GDPR."

But GDPR (Article 3) applies to companies outside the EU that offer goods or services to people in the EU or monitor their behaviour, for example by running analytics on them. It doesn't matter where your company is based. Merely being reachable from the EU isn't enough on its own, but if you ship to EU customers, price in euros, or track EU visitors, you're in scope.

The fix is straightforward: add a section explaining EU data subject rights. But about 40% of the US-based sites we scan don't have this.

The Terms of Service That Doesn't Match Reality

Your Terms of Service says "30-day money-back guarantee." Your actual refund policy is 14 days.

Your ToS says "email support Monday-Friday 9-5 EST." You actually only respond on Tuesday and Thursday.

Your ToS forbids business use. Half your customers are businesses.

These mismatches happen because Terms of Service get written once, then never updated as the business evolves. New team members don't even know the ToS exists, so when they change a policy, they don't think to update the legal document.

This creates real liability. If you promise something in your ToS, you're legally obligated to deliver it. If your ToS says 30-day refunds, a customer can demand one—even if your actual policy changed.

No Cookie Policy At All

You have a privacy policy. You have a cookie banner. But you don't have a dedicated cookie policy explaining what each cookie does.

Is this required? Depends on jurisdiction, but in the EU the ePrivacy Directive (Article 5(3)) and GDPR's transparency rules require you to tell users what cookies you're using, for what purpose, and how to refuse them. A generic "we use cookies to improve your experience" doesn't cut it.

The cookie policy doesn't need to be complicated. But it does need to be specific. Which cookies? What do they do? How long do they last? Can users opt out?

About 25% of sites we scan have a cookie banner but no detailed cookie policy.

The "Contact Us" That Goes Nowhere

Your privacy policy says "For questions about your data, contact [email protected]." But that email address:

  • Doesn't exist
  • Exists but nobody monitors it
  • Forwards to a general support inbox where privacy requests get ignored

Under GDPR and CCPA, users have the right to make data requests. You must provide a way to contact you about privacy. And it has to actually work.

This seems obvious, but we regularly find dead email addresses in privacy policies. Usually because someone left the company and the alias wasn't reassigned.

TLS Certificate Expired (Or Missing)

People still call it an "SSL certificate," but what matters is whether the site actually serves over HTTPS. An expired certificate makes browsers throw a full-page warning, and a site with no certificate at all serves its forms over plain HTTP. Either way, if you're collecting user data over HTTP instead of HTTPS, you're transmitting it in the clear to anyone on the network path. That isn't purely a security problem: GDPR Article 32 requires "appropriate" security for personal data, and unencrypted transmission is hard to defend as appropriate.

This is rare now (most hosting providers enforce HTTPS) but we still occasionally find it. Usually on older sites that haven't been touched in years, or on a secondary domain nobody remembers.

The fix is simple: install a certificate (free via Let's Encrypt), set up automatic renewal so it can't silently expire, and redirect HTTP to HTTPS so the plaintext version stops being reachable. But the signal an expired or missing certificate sends is bad: "We're not even doing basic security."

Data Retention: Forever and Ever

GDPR (Article 13(2)(a)) requires you to say how long you keep personal data, or, if no fixed period exists, the criteria you use to decide. Your privacy policy should include something like:

"We retain account data for the duration of your account, plus 30 days after deletion to allow for recovery. Billing records are retained for 7 years for tax compliance."

Most privacy policies we review don't include this. They say what data is collected, why it's collected, who it's shared with—but not how long it's kept.

Without a stated retention period, the implication is: forever. That conflicts with GDPR's storage limitation principle (Article 5(1)(e)), which says personal data should be kept no longer than necessary for the purpose it was collected for.

Third-Party Tools Not Disclosed

Your privacy policy lists "payment processors" as a third party. It doesn't mention:

  • Google Analytics
  • Intercom (chat widget)
  • Stripe (payment processing)
  • AWS (hosting)
  • SendGrid (email delivery)
  • Cloudflare (CDN)

Under GDPR (Article 13(1)(e)), you must disclose the recipients, or at least the categories of recipients, of personal data. Regulators' transparency guidance favours naming them, and in practice that means every SaaS tool that touches user information: analytics, chat, email delivery, hosting, CDN, payments.

This gets tedious, which is why many companies just say "third-party service providers" without naming them. But the spirit of the law is transparency. Users should know where their data goes.

How These Get Fixed (And Why They Don't Stay Fixed)

Here's the frustrating part: none of these issues are difficult to fix. Broken link? Update the link, and add a redirect from the old path so bookmarked or externally linked URLs keep working. Outdated policy? Revise it. Missing cookie disclosure? Add it.

The problem is that compliance isn't a one-time project. It's ongoing maintenance.

A company fixes all these issues in January. By July:

  • Someone added a new marketing tool (cookie mismatch)
  • The privacy@ email address bounced when an employee left
  • A website redesign broke two links
  • A new feature launched without updating the privacy policy

It's not that anyone is lazy or negligent. It's that legal compliance isn't top of mind when you're shipping features, fixing bugs, or responding to customers.

Which is why automated monitoring helps. Not because it fixes things for you, but because it notices when things break—before a regulator does.
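As an added example (not part of the original article and not the authors' scanner), here is the kind of drift check that catches the two most common problems above: the 404 privacy policy link and the cookie banner that contradicts the scripts actually loaded. It parses a page's HTML, checks every same-site legal link against a status lookup, resolves each external script host against a small vendor table, and compares what it finds with what the policy claims. The HTML, the site status map, the policy dictionary, and the tracker host list are all constructed for illustration; a real run would replace `SITE_STATUS` with an HTTP client and extend `TRACKER_HOSTS` from a maintained list.

```python
"""Compliance drift check: compare what a page does with what its documents claim.

Everything below is constructed example data, not output from any real site.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a small illustrative vendor table. Real deployments need a much longer,
# maintained list of tracker script hosts.
TRACKER_HOSTS = {
    "www.googletagmanager.com": "Google Analytics / Tag Manager",
    "www.google-analytics.com": "Google Analytics",
    "connect.facebook.net": "Facebook Pixel",
    "static.hotjar.com": "Hotjar",
    "widget.intercom.io": "Intercom",
}

# Link text or href fragments that identify legal documents in a footer.
LEGAL_WORDS = ("privacy", "terms", "cookie")


class PageAudit(HTMLParser):
    """Collect every <a href> (with its text) and every <script src> on a page."""

    def __init__(self):
        super().__init__()
        self.links = []        # list of (link_text, href)
        self.script_srcs = []  # list of script src attributes
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def legal_links(html):
    """Return (text, href) pairs that look like privacy/terms/cookie links."""
    p = PageAudit()
    p.feed(html)
    return [(t, h) for t, h in p.links
            if any(w in t.lower() or w in h.lower() for w in LEGAL_WORDS)]


def third_party_scripts(html):
    """Return the set of external script hosts, so we can match them against vendors."""
    p = PageAudit()
    p.feed(html)
    # urlparse handles absolute and protocol-relative (//host/...) URLs alike;
    # same-origin paths like /assets/app.js have an empty netloc and are skipped.
    return {urlparse(src).netloc for src in p.script_srcs if urlparse(src).netloc}


def audit(html, fetch_status, policy):
    """Compare page reality with the policy's claims.

    fetch_status(path) -> HTTP status code for a same-site path.
    policy: {"essential_only": bool, "named_third_parties": set of vendor names}.
    """
    broken = []
    for text, href in legal_links(html):
        parsed = urlparse(href)
        if parsed.netloc:          # off-site legal links are out of scope here
            continue
        if fetch_status(parsed.path) != 200:
            broken.append((text, href))

    hosts = third_party_scripts(html)
    trackers = {TRACKER_HOSTS[h] for h in hosts if h in TRACKER_HOSTS}
    unknown_hosts = sorted(h for h in hosts if h not in TRACKER_HOSTS)

    return {
        "broken_links": broken,
        "trackers_found": sorted(trackers),
        "unknown_external_scripts": unknown_hosts,
        # Banner says "essential only" while tracker scripts load: the lie the article describes.
        "banner_mismatch": bool(trackers) and policy["essential_only"],
        "undisclosed_third_parties": sorted(trackers - policy["named_third_parties"]),
    }


# --- Constructed sample: a page whose footer link is stale and whose banner is wrong ---
SAMPLE_HTML = """
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="//static.hotjar.com/c/hotjar-0.js"></script>
<script src="/assets/app.js"></script>
</head><body>
<div id="cookie-banner">We only use essential cookies.</div>
<footer>
<a href="/privacy-policy">Privacy Policy</a>
<a href="/terms">Terms of Service</a>
<a href="/legal/cookies">Cookie Policy</a>
<a href="/about">About</a>
</footer></body></html>
"""
# Constructed stand-in for HTTP requests: the privacy page moved to /legal/privacy.
SITE_STATUS = {"/": 200, "/terms": 200, "/legal/privacy": 200, "/about": 200}
SAMPLE_POLICY = {"essential_only": True, "named_third_parties": {"Stripe", "AWS"}}


def run_sample():
    return audit(SAMPLE_HTML, lambda path: SITE_STATUS.get(path, 404), SAMPLE_POLICY)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

On the constructed page this reports two broken legal links (`/privacy-policy` and `/legal/cookies`), two tracker vendors the policy never names, and a banner mismatch, which is exactly the July state described above. Running it on a schedule against a stored baseline turns each of those into an alert the day the drift happens rather than the day the complaint arrives.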

What To Do If You Find These Issues

If you're reading this and recognizing your own site, don't panic. Most of these are fixable in under an hour.

Priority 1: Fix broken links (privacy policy, terms, cookie policy)

Priority 2: Make sure cookie banner matches reality

Priority 3: Add "last updated" dates and make sure they're accurate

Priority 4: Review and update contact information

Priority 5: Add missing sections (EU data rights, data retention, third parties)

The goal isn't perfection. It's accuracy. Your legal documents should describe what you're actually doing, right now, in December 2024.

If they don't, fix them. Then set a reminder to review again in 3-6 months.

Or set up automated monitoring and let a computer tell you when something drifts.
