2000-Point Compliance Registry

Missing ARIA Labels on Interactive Elements

Buttons, links, and interactive controls lack accessible names via aria-label or aria-labelledby. Screen reader users cannot determine the purpose of these elements, creating a barrier to use.

No Skip Navigation Link

The page lacks a "skip to main content" link as the first focusable element. Keyboard and screen reader users must tab through the entire navigation on every page load, which is a documented accessibility barrier.

Missing Form Field Labels

Form inputs lack associated <label> elements or aria-label attributes. Screen reader users cannot identify what information is being requested, preventing form completion.

Missing HTML Lang Attribute

The <html> element lacks a lang attribute specifying the page language. Screen readers cannot determine correct pronunciation rules, causing garbled speech output for all page content.

Inaccessible Careers/Job Application Portal

The careers page or job application portal is not accessible to users with disabilities. This creates liability under both ADA Title I (employment) and Title III (public accommodation) and is a frequent target of serial ADA plaintiffs.

Google Analytics on Patient Portal Without BAA

Google Analytics is collecting data on patient portal pages without a signed Business Associate Agreement. Google does not sign BAAs for standard Analytics, making any patient portal tracking an automatic HIPAA violation.

Social Media Pixels on Health Service Pages

TikTok, Snapchat, or other social media tracking pixels are active on pages describing specific health conditions or treatments. These pixels transmit URL paths that reveal the health conditions users are researching.

Medical Chatbot Collecting Symptoms Without Consent

An AI-powered or scripted chatbot is collecting symptom information, health complaints, or medical history without presenting a HIPAA authorization or Notice of Privacy Practices. This creates an uncontrolled PHI collection point.

Missing Patient PHI Access Request Link

The website does not provide a mechanism for patients to request access to or download their protected health information. HIPAA grants patients the right to access their PHI, and the process must be clearly communicated.

Health Tracking Without MHMDA Consent

A health or wellness website is tracking user behavior without consent as required by Washington\'s My Health My Data Act (MHMDA). This law applies to any entity collecting health data from Washington residents, not just HIPAA-covered entities.

Email Discount Popup Without Financial Incentive Notice

An email signup popup offers a discount (e.g., "10% off for subscribing") without a Financial Incentive notice. CCPA/CPRA requires businesses to disclose the material terms of any financial incentive program linked to data collection.

Missing or Inadequate Privacy Policy

The website lacks a comprehensive privacy policy or the existing policy fails to disclose required CCPA categories: types of personal information collected, purposes, third-party sharing, and consumer rights.

No Data Deletion Request Mechanism

The website provides no way for consumers to request deletion of their personal information. CCPA requires at least two methods for submitting consumer requests, including a toll-free number for larger businesses.

Missing Cookie Consent Banner for California Users

No cookie consent mechanism is presented to California visitors. While CCPA does not mandate cookie banners specifically, the CPPA has signaled enforcement priority for sites that deploy tracking cookies without honoring opt-out signals.

Operating as Data Broker Without Registration

The business collects and sells personal information of consumers with whom it has no direct relationship, meeting the definition of a data broker, without registering with the state as required by Texas SB 2105 and California\'s Delete Act.

Deceptive Crossed-Out "Original" Price

A crossed-out "original" price is displayed that was never the actual selling price, creating a phantom discount. The FTC\'s Guides Against Deceptive Pricing prohibit fictitious former prices.

Unverified Customer Reviews

Customer reviews are displayed without verification of purchase or authenticity. The FTC\'s 2024 Rule on the Use of Consumer Reviews prohibits fake, purchased, or incentivized reviews without clear disclosure.

Missing Affiliate Disclosure

Affiliate links and referral commissions are not disclosed clearly and conspicuously above the first affiliate link on the page. The FTC requires material connection disclosure before the consumer encounters the endorsement.

Unsubstantiated Environmental Claims

Marketing copy uses terms like "eco-friendly," "carbon neutral," or "sustainable" without third-party certification or substantiation. The FTC\'s Green Guides require competent and reliable scientific evidence for environmental claims.

Bait-and-Switch Pricing

The price shown in advertising or search results differs from the price displayed at checkout due to added fees, different product versions, or changed terms. This constitutes classic bait-and-switch deception.

Marketing SMS Sent After 8 PM Local Time

Automated marketing text messages are sent outside permitted hours. Florida\'s Telephone Solicitation Act (FTSA) restricts texts to 8 AM–8 PM local time, with other states imposing similar windows.

Marketing Emails Without Physical Address

Commercial email messages do not include the sender\'s valid physical postal address. CAN-SPAM requires every commercial email to contain the sender\'s current street address or registered P.O. box.

Abandoned Cart SMS Without Prior Written Consent

Abandoned cart recovery text messages are sent to consumers who did not provide prior express written consent for marketing texts. Cart abandonment does not constitute consent under the TCPA.

Missing A2P 10DLC Campaign Registration

Business SMS messages are sent via long codes (10-digit numbers) without proper A2P 10DLC campaign registration with carriers. Unregistered campaigns face message filtering, blocking, and per-message carrier fines.

Pre-Recorded Voice Messages Without Opt-In

Pre-recorded or artificial voice marketing messages are delivered to consumers without prior express written consent. The TCPA\'s robocall provisions carry statutory damages of $500–$1,500 per call.

No Cookie Consent Banner for EU Visitors

The website displays no cookie consent mechanism to visitors from EU member states. The ePrivacy Directive and GDPR require informed consent before placing non-essential cookies or tracking technologies.

No Data Processing Agreement with Processors

Third-party services processing personal data on behalf of the controller operate without a signed Data Processing Agreement. GDPR mandates written contracts specifying processing scope, purpose, and security obligations.

Cross-Border Data Transfer Without Safeguards

Personal data of EU residents is transferred to US-based servers or services without Standard Contractual Clauses (SCCs), adequacy decisions, or other approved transfer mechanisms following the Schrems II ruling.

No "Right to Be Forgotten" Mechanism

The website provides no way for data subjects to request erasure of their personal data. GDPR\'s Right to Erasure requires controllers to delete personal data upon request when no overriding legal basis exists.

Consent Banner Uses Pre-Checked Boxes

The cookie consent banner presents pre-checked consent boxes for analytics or marketing cookies. The CJEU ruled in Planet49 that pre-ticked checkboxes do not constitute valid consent under GDPR.

API Keys Exposed in Frontend Source

API keys for services like Google Maps, Stripe, or SendGrid are visible in client-side JavaScript source code. Exposed secret keys can be harvested by bots and used for unauthorized API access, billing fraud, or data exfiltration.

Missing HTTPS on Form or Payment Pages

Pages containing forms, login fields, or payment inputs are served over unencrypted HTTP. All data submitted on these pages can be intercepted in transit by any network intermediary.

Open Directory Listing

Server directories such as /wp-content/uploads/ are browsable, exposing uploaded files, internal documents, and potentially sensitive data. Directory listing must be disabled on all web-accessible paths.

Outdated CMS with Known CVEs

The content management system (WordPress, Magento, Drupal) is running an outdated version with publicly disclosed security vulnerabilities. Unpatched CMS installations are the primary vector for website compromises.

Forms Without CAPTCHA Protection

Contact forms, login pages, and registration forms lack CAPTCHA or bot-detection mechanisms. Unprotected forms are vulnerable to credential stuffing, spam injection, and automated abuse at scale.

BIPA: Virtual Try-On Without Biometric Consent

A virtual try-on or face-scanning feature collects biometric identifiers without obtaining informed written consent as required by Illinois BIPA. Violations carry statutory damages of $1,000–$5,000 per scan.

CA BOT Act: AI Using Human Name Without Disclosure

An AI chatbot or automated account uses a human name, avatar, or persona without disclosing that it is not a human. California\'s BOT Act (SB 1001) requires clear disclosure when AI impersonates a human in online interactions.

CA Auto-Renewal: No Reminder Before Annual Charge

Annual subscriptions renew without sending a reminder email before the charge. California\'s Automatic Renewal Law requires businesses to provide a clear reminder with cancellation instructions before each renewal.

SB 478: Hidden Service Fees at Checkout

Mandatory fees, service charges, or surcharges are revealed only at checkout rather than being included in the advertised price. California\'s SB 478 (Junk Fee Ban) prohibits hidden fees not disclosed upfront.

Job Postings Without Salary Range

Job listings do not include compensation ranges as required by pay transparency laws in California, New York, Colorado, and Washington. Penalties range up to $10,000 per non-compliant posting.

FinCEN BOI: Missing Beneficial Ownership Report

The LLC or corporation has not filed a Beneficial Ownership Information report with FinCEN as required by the Corporate Transparency Act. Non-compliance carries penalties of $500 per day, up to $10,000, plus potential criminal liability.

Missing Contractor License Number on Website

A licensed contractor\'s website does not display the state contractor license number. Most states require the license number to appear on all advertising and business communications, with penalties of $2,000–$5,000.

Missing Arbitration Clause in Terms of Service

The Terms of Service lack a class action waiver and mandatory arbitration clause. Without these provisions, the business is exposed to class-action litigation for any consumer dispute.

Credit Card Surcharge Without Advance Notice

A credit card surcharge or convenience fee is added at checkout without prior notice at the point of entry. Multiple states require advance signage/disclosure, and card network rules limit surcharges to 3% with mandatory disclosure.

Insurance Lead Generation Without Required Disclosures

The website generates insurance quotes or leads without state-required disclosures about the nature of the service, compensation arrangements, and licensure status. Multiple states require specific disclosures for insurance lead generators.

Missing SPF Record

The domain has no SPF (Sender Policy Framework) DNS record, making it vulnerable to email spoofing. Attackers can send emails appearing to come from the domain, enabling phishing attacks against customers and partners.

Orphaned Tracking Scripts from Discontinued Services

The website loads JavaScript from services that have been discontinued, acquired, or abandoned. These zombie scripts waste page load time, may break functionality, and pose a supply-chain security risk if the domain is re-registered.

Outdated Copyright Year in Footer

The website footer displays an outdated copyright year, signaling to visitors, search engines, and potential litigants that the site may be abandoned or unmaintained. This erodes trust and can negatively impact search rankings.

Poor Mobile Tap Targets

Interactive elements (buttons, links, form fields) are smaller than 48x48 CSS pixels or positioned too close together, causing frequent mis-taps on mobile devices. This is both a UX issue and a WCAG 2.5.5 accessibility violation.

Missing or Expired SSL Certificate

The website lacks a valid SSL/TLS certificate or the certificate has expired. Browsers display prominent security warnings that drive away visitors, and search engines penalize non-HTTPS sites in rankings.

Non-Compliant Public Feedback Processes

The website's feedback mechanism is not accessible to persons with disabilities, violating AODA customer service standards for Ontario-based organizations.

Lack of Mandated Privacy Officer Contact Info

Canadian-targeted website fails to publish the name or contact info of the designated Privacy Officer accountable for PIPEDA compliance.

No Appointed Data Protection Officer (DPO)

Brazilian-targeted site does not identify or provide contact details for its DPO (Encarregado) on the website, violating LGPD Article 41.

Direct Marketing Without Opt-In Consent

Website deploys pre-checked consent boxes or opt-out forms for electronic direct marketing, violating POPIA opt-in regulations for South African consumers.

Non-Compliant Overseas Data Disclosure Statement

Australian-targeted site fails to state in its privacy policy whether it is likely to disclose personal information to overseas recipients and, if so, in which countries.

Failure to Provide Request for Access/Correction Info

Singaporean site fails to specify how users can request access to or correction of their personal data in its privacy disclosures.

Unmarked Generative AI Output / Deepfakes

Website presents AI-generated text, audio, or video (deepfakes) without marking it in a machine-readable format as AI-generated, violating EU AI Act transparency rules.

Deceptive UI Patterns (Dark Patterns) in Design

The website employs dark patterns that distort or impair the user's ability to make autonomous, informed choices (e.g., difficult unsubscribe flows, deceptive consent popups).

Unlawful Data Combination Across Services

Gatekeeper-scale platforms combine personal data from their core platform with data from other services without specific user consent, violating DMA regulations.

Absence of Consumer Appeal Rights Process

The privacy policy fails to explain the process for consumers to appeal a refusal to take action on a privacy rights request, violating Virginia VCDPA and Texas TDPSA.

Lack of Cybersecurity Multi-Factor Auth (MFA)

Financial services website does not enforce multi-factor authentication for access to corporate email or customer portal databases, violating NY DFS requirements.

No Privacy Impact Assessment (PIA) for Transfer

The website transfers personal information outside of Quebec without conducting a mandatory Privacy Impact Assessment, violating Law 25.

Video Tracking Pixel Fires Without VPPA Consent

Website embeds video content (HTML5 video, YouTube, Vimeo iframes) alongside Meta Pixel, Google Analytics, or other tracking pixels that transmit video viewing data to third parties without obtaining separate, explicit written consent. Under the VPPA, knowingly disclosing a consumer\'s PII linked to video viewing habits without prior consent is a violation.

No Security.txt or Vulnerability Disclosure Policy (NIS2)

Website of an essential or important entity (energy, health, transport, digital infrastructure) lacks a /.well-known/security.txt file or any publicly accessible vulnerability disclosure policy. NIS2 Directive requires covered entities to implement incident handling and vulnerability management measures.

Cookie Wall Blocks Access Without Valid Reject Option

Website displays a cookie consent banner that blocks all content access until cookies are accepted, with no \"Reject All\" option or equivalent free-access alternative. The EDPB and CJEU have ruled that cookie walls conditioning service access on acceptance of non-essential cookies do not constitute freely given consent under GDPR.

Website Does Not Honor Global Privacy Control Signal (Oregon CPA)

Website targeting Oregon consumers does not detect or honor the Global Privacy Control (GPC) browser signal as a valid opt-out request for targeted advertising and personal data sales. The Oregon Consumer Privacy Act mandates recognition of universal opt-out preference signals as of January 1, 2026.

Cookie Data Shared With Third Parties Without Japan APPI Disclosure

Website targeting Japanese users transfers cookie/tracking data to third-party advertising or analytics vendors that can combine it to identify individuals, without disclosing these transfers or confirming third-party consent. Japan\'s APPI and the Telecommunications Business Act require transparency and consent confirmation for such transfers.

Education Website Tracking Pixels Transmitting Student Data

Educational institution website embeds Meta Pixel, Google Analytics, or similar tracking technologies on student-facing pages (portals, enrollment forms, course catalogs) that transmit potentially identifiable student data to third parties. FERPA prohibits unauthorized disclosure of PII from education records.

Privacy Notice Not Available in Required Languages (India DPDP Act)

Website collecting personal data from Indian users does not provide a privacy notice in English and at least one of the 22 scheduled Indian languages as required by the Digital Personal Data Protection Act 2023. The notice must include itemized descriptions of data collected, purposes, and user rights.

No Clear Opt-Out Mechanism for Delaware Consumers (DPDPA)

Website targeting Delaware consumers lacks a clear, conspicuous opt-out link for targeted advertising and personal data sales, or fails to recognize universal opt-out signals (GPC). The Delaware Personal Data Privacy Act (effective January 1, 2025) requires both mechanisms.

SEC Registrant Missing Cybersecurity Governance Disclosure

Website of an SEC-reporting public company does not include or link to cybersecurity risk management disclosures (board oversight, management expertise, risk assessment processes) as required in 10-K filings. Corporate websites must reference or link to these disclosures for investor relations compliance.

Cross-Border Data Transfer Without NZ Privacy Act IPP 12 Compliance

Website collects personal data from New Zealand users and transfers it overseas (evidenced by US/EU-based tracking scripts) without disclosing in the privacy policy that data may be transferred overseas and what safeguards are in place per Information Privacy Principle 12.

Very Large Online Platform Not Prepared for EUDI Wallet Acceptance

Very Large Online Platform (VLOP) requiring strong customer authentication for login, age verification, or KYC does not support or indicate readiness for EU Digital Identity Wallet acceptance. eIDAS 2.0 mandates VLOPs accept EUDI Wallet by December 2027.

Geofencing Near Health Facility for Data Collection (CT SB 3)

Website or associated mobile app uses geofencing technology within 1,750 feet of a mental, reproductive, or sexual health facility to identify, track, or send push notifications to consumers for health data collection purposes. Connecticut SB 3 specifically prohibits this practice.

Cookie Consent Banner Uses Asymmetric Accept/Reject Design

Website\'s cookie consent banner makes the \"Accept All\" button visually prominent (larger, colored, higher placement) while the \"Reject All\" or \"Manage Preferences\" option is obscured, smaller, or requires additional clicks. European DPAs (CNIL, AEPD, Belgian DPA) have ruled that asymmetric cookie banners constitute dark patterns undermining freely given consent.

Missing Machine-Readable Metadata/Watermark in AI-Generated Content (EU AI Act)

Providers of AI systems that generate or manipulate image, audio, or video content (synthetic content/deepfakes) must ensure that the outputs are marked in a machine-readable format and detectable as artificially generated or manipulated.

Failure to Recognize Global Privacy Control (GPC) Opt-Out Signal (Colorado CPA)

Website targeting Colorado consumers fails to recognize and process the Global Privacy Control (GPC) universal opt-out signal to automatically opt users out of the processing of their personal data for targeted advertising or sale, which is mandatory as of July 1, 2024.

Missing Separate Consent for Sensitive Personal Information Processing (China PIPL)

Website targeting Chinese residents collects sensitive personal information (such as financial accounts, medical records, biometrics, or precise location) without obtaining separate, specific consent for each category of sensitive data, violating PIPL Article 29.

Bundling Consent for Third-Party Data Transfers (South Korea PIPA)

Website collects personal data of South Korean residents and shares it with third parties (such as marketing networks, CRM tools, or analytics) but bundles the third-party transfer agreement with the general privacy policy or terms of service, violating South Korea PIPA Article 17.

Missing Emotion Recognition / Biometric Categorization Disclosure (EU AI Act)

Providers or deployers of emotion recognition or biometric categorization systems must inform natural persons exposed thereto of the operation of the system, violating transparency obligations under EU AI Act Article 52(2).

Missing Biometric Retention and Destruction Policy (BIPA)

Website collecting or utilizing biometric data (virtual try-on, authentication) fails to publish a publicly available retention schedule and destruction guidelines as mandated by Illinois BIPA.

Geofencing Around Healthcare Facilities for Data Collection (VCDPA)

Website or app uses geofencing within 1,750 feet of any healthcare facility to track, identify, or target consumers for health data collection, which is prohibited under Virginia's amended VCDPA.

Missing Parent Consent Verification for Minors under 13 (Montana MCDPA)

Website targeting Montana consumers collects personal data of minors under 13 without obtaining verifiable parental consent in accordance with the Montana Consumer Data Privacy Act.

Missing Privacy Disclosures for Children's Data (New Jersey Privacy Act)

Website targeting New Jersey consumers collects data from minors (under 18) without providing the required heightened privacy notice detailing specific processing and sharing policies.

Missing Direct Marketing Opt-Out Link (New Hampshire Privacy Act)

Website targeting New Hampshire consumers fails to provide an easily accessible opt-out link for targeted advertising or personal data sale on its homepage, violating the New Hampshire Privacy Act.

Non-Layered Privacy Policy Information Structure (GDPR)

Website displays a single, dense, unnavigable blocks-of-text privacy policy without employing a multi-layered, tabbed, or expandable design structure to ensure transparency and readability.

Missing Single Point of Contact for Authorities (EU DSA)

Digital platform targeting EU users fails to publish a dedicated, easily accessible email address and communication channel for direct contact by EU authorities, violating DSA Article 11.

Smart Contract Access Lack of Deactivation Capability (EU Data Act)

Web panels administering smart contracts or IoT systems fail to provide mechanisms for safe, authorized deactivation and termination of smart contracts, violating EU Data Act Article 30.

Pre-Consent Cookie & Tracker Execution (ePrivacy)

Website runs non-essential analytics or advertising tracking scripts (e.g., Google Analytics, Meta Pixel) prior to the user interacting with the cookie consent banner, violating the ePrivacy Directive.

Missing Retention Timelines in Privacy Disclosures (GDPR)

Privacy policy fails to specify concrete retention periods or criteria used to determine retention durations for distinct categories of personal data, violating GDPR transparency principles.

Missing Consent Withdrawal Mechanism (Singapore PDPA)

Website collecting data of Singapore residents fails to provide an easily accessible online tool or form allowing users to withdraw consent for marketing or data processing, violating Singapore PDPA.

Missing Right to Nominate Representative Notice (India DPDP Act)

Website targeting Indian residents fails to inform users in its privacy policy of their right to nominate any other individual to act on their behalf in the event of death or incapacity, violating DPDP Act Section 14.

Missing Disclosures for Handling Anonymized Data (Japan APPI)

Website utilizing anonymized data of Japanese residents fails to publish the items of personal information included in the anonymized data and the security measures taken, violating APPI Article 36.

Missing DPO Contact Details in Consent Flows (Thailand PDPA)

Website collects personal data of Thai residents but fails to provide the contact details of the Data Protection Officer or representative in its consent banners or policies, violating Thailand PDPA Section 42.

Bundled Consent for Profiling and Automated Decision-Making (Philippines DPA)

Website collects data of Philippine residents and conducts automated profiling or decision-making without obtaining separate, express consent, violating the Philippines Data Privacy Act.

Missing Prior Authorization for Processing Credit Data (South Africa POPIA)

Website of a financial or credit evaluation service targeting South African residents processes consumer credit reports or history without prior registration or authorization, violating POPIA Section 57.

Failure to Disclose Database Registration Status (Israel Privacy Act)

Website collecting personal data of Israeli residents fails to specify whether the database is registered with the Database Registrar, the registration number, and the purposes of data collection, violating Israel Privacy Act.

Missing Cross-Border Data Transfer Disclosures (Nigeria NDPA)

Website collecting data of Nigerian residents transfers it to foreign servers (e.g., US/EU analytics engines) without disclosing the target countries and verifying adequacy, violating Nigeria Data Protection Act.

Lack of License for Electronic Marketing Messages (Egypt DPA)

Website targeting Egyptian users sends promotional emails or texts without obtaining the necessary electronic marketing license from the Data Protection Center, violating Egypt Law 151.

Inadequate Security Standards Disclosures (Brazil LGPD)

Website collecting personal data fails to disclose the specific administrative and technical security measures deployed to safeguard user data, violating transparency mandates under LGPD Article 46.

Missing Privacy Notice Delivery Link (GLBA)

Financial service website failing to provide a clear, visible link to its annual Gramm-Leach-Bliley Act privacy notice on all account management or client onboarding pages, violating FTC GLBA regulations.

Missing Electronic Record Archiving Verification (SEC Rule 17a-4)

Broker-dealer or financial investment portal does not disclose or link to its electronic record archiving systems (WORM storage compliance), violating SEC recordkeeping regulations.

Missing Identity Theft Prevention Disclosures (FTC Red Flags)

Creditor or financial utility portal failing to display or link to its Identity Theft Prevention Program (ITPP) or show active identity verification steps during account sign-up, violating FTC Red Flags Rule.

Unmonitored Third-Party Scripts on Checkout Page (PCI-DSS v4.0)

Payment checkout page executes third-party scripts (e.g., live chats, analytics) without employing script integrity controls, CSP restrictions, or explicit load authorization, violating PCI-DSS Req 6.4.3.

Non-Prominent APR Disclosure in Loan Ads (TILA)

Website advertising credit or loan options states finance rates or promotional fees without prominently disclosing the Annual Percentage Rate (APR) next to the rate, violating Truth in Lending Act Z Regulation.

Deceptive Urgency & Fake Countdown Timers (FTC Section 5)

Website displays countdown timers or dynamic text claiming low stock, high demand, or limited deals that are synthetic and do not reflect real transactional metrics, deceiving consumers.

Missing Smart Contract Auditing Disclosures on dApp (SEC Framework)

Web3 decentralized application launching tokens or NFTs fails to publish or link to external security audit certificates for its smart contracts, violating SEC transparency guidelines.

Missing Recommender System Algorithmic Transparency (EU DSA)

Website utilizing algorithmic recommender systems (e.g., personalized feed, product suggestions) fails to explain the main parameters used in the algorithms in its terms and conditions, violating DSA.

Auto-Renewal Terms Without Plain Language Summary (UK CRA)

Website charging recurring subscriptions fails to provide a conspicuous, plain language summary of billing terms, price changes, and renewal dates, violating the UK Consumer Rights Act.

Analytics Cookie Consent Bypass (Germany TDDDG)

Website targeting German users fires analytics, heatmap, or performance cookies before obtaining explicit consent, violating Section 25 of the Telecommunications Digital Services Data Protection Act.

Missing Age Verification for Social Platforms (Utah SMRA)

Social media platform fails to verify the age of Utah residents attempting to create accounts or fails to obtain verifiable parental consent for minors, violating the Utah Social Media Regulation Act.

Geofencing Around Mental Health Centers (Connecticut SB 3)

Website or app uses geofencing within 1,750 feet of any mental, reproductive, or sexual health facility to collect health-related data, violating Connecticut SB 3.

Profiling Enabled by Default for Minor Accounts (CA AADC)

Website likely to be accessed by children has profiling, personalized ads, or algorithmic feeds turned on by default for accounts of minors, violating the California Age-Appropriate Design Code Act.

Missing Parental Consent for Child Personal Data (Colorado CPA)

Website collects or processes personal data of consumers known to be under 13 without obtaining prior verifiable parental consent, violating the Colorado Privacy Act Rules.

Missing Privacy Policy Rights Appeals Process (Tennessee TIPA)

Website privacy notice targeting Tennessee residents fails to provide a clear description of the process to appeal a refusal to act on a privacy rights request, violating the Tennessee Information Protection Act.

Missing Valid Sender Identity and Postal Address (CAN-SPAM)

Website marketing emails do not contain a valid physical postal address of the sender or utilize misleading headers, violating federal CAN-SPAM requirements.

E-Commerce Shopping Cart Keyboard Navigation Barriers (EAA)

Checkout page or shopping cart widget contains keyboard focus traps or cannot be operated via keyboard alone, violating European Accessibility Act requirements for e-commerce.

Inaccessible Document Downloads (Ontario AODA)

Website offers public document downloads (PDFs, user manuals) that do not conform to WCAG 2.0 Level AA tagging and accessibility, violating Ontario AODA Section 14.

Inaccessible Media Players (ADA Title III)

Web media players lack accessible control labels or keyboard controls, blocking screen reader and keyboard users, violating ADA Title III requirements.

Fake AI Testimonials and Reviews (FTC Consumer Review Rule)

Website displays customer reviews or testimonials that are AI-generated or synthetic without displaying a clear, conspicuous disclosure indicating they are not genuine consumer reviews, violating the FTC Unfair Deceptive Review Rule.

Unsecure Transmission of Patient Records via SMS/Email (HIPAA)

Telehealth or medical intake forms send unencrypted patient health summaries via standard email or SMS networks, violating HIPAA Security Rule standards.

Insecure Payment Scripts Execution on Checkout Pages (PCI-DSS v4.0)

Payment checkout runs externally loaded scripts without validating integrity or restricting access using Content Security Policies (CSP), violating PCI-DSS requirements.

Missing Web Portal Authentication Session Timeouts (NIST SP 800-53)

Customer portal or system panel does not automatically terminate inactive authenticated sessions after a reasonable period, violating NIST security controls.

Undisclosed End-of-Life Software Platforms (Cyber Insurance)

SaaS website or underlying framework utilizes unsupported, end-of-life platforms without disclosing the risks to cyber underwriters, violating cyber insurance terms.

Missing Customer Portal Session Limits (FTC Safeguards)

Fintech portal fails to configure and enforce strict maximum session lengths for customer dashboard access, violating the FTC Safeguards Rule.

Sale of Sensitive Personal Data Prohibited (Maryland MODPA)

Website collects and sells sensitive personal data (e.g. precise location, health, race) of Maryland consumers, which is strictly prohibited under the Maryland Online Data Privacy Act.

Failure to Disclose Third-Party Sales in Privacy Notice (Rhode Island RIDTPPA)

Website targeting Rhode Island consumers fails to explicitly list all third parties to whom personal data is sold or shared in its privacy notice, violating RIDTPPA.

Unlawful Sharing of Health Metrics with Trackers (FTC Health Breach Rule)

Website collects health, symptom, or wellness queries and shares them with third-party advertising trackers without explicit authorization, triggering FTC Health Breach Notification violations.

Missing Written Release for Biometric Collection (Illinois BIPA)

Website collects biometric identifiers (e.g. faceprints, voiceprints) without obtaining a signed, written release from the user prior to collection, violating BIPA Section 15(b).

Insufficient Target Size for Interactive Elements (WCAG 2.2)

Interactive target elements (buttons, links, form inputs) are smaller than 24x24 CSS pixels without sufficient spacing, violating WCAG 2.2 Level AA guidelines for touch and pointer input.

Lack of Post-Market Monitoring Plans for AI Systems (EU AI Act)

Provider of regulated AI systems fails to host or link to a publicly accessible post-market monitoring plan and incident reporting path, violating EU AI Act requirements.

Missing Age Verification for Minor Protection (EU DSA)

Online platform accessible to minors fails to implement appropriate and proportionate age verification measures to ensure child safety online, violating DSA Article 28.

Missing Right to Restrict Processing Action Path (GDPR)

Website fails to provide users with a direct, online mechanism (form, switch, or email path) to exercise their right to restrict processing of personal data under GDPR Article 18.

Missing Records of Processing Activities Disclosure summary (GDPR)

Website privacy notice fails to state that the company maintains records of processing activities (ROPA) and does not provide a summary for user visibility, violating GDPR Article 30.

Missing Data Protection Impact Assessment (DPIA) Disclosures (GDPR)

Website privacy notice conducting high-risk processing (e.g. monitoring public areas or massive tracking) fails to state that a DPIA has been conducted and logged with the DPA.

Bundled Consent for Commercial Messaging (Colombia Law 1581)

Website collects data of Colombian residents and bundles marketing communications consent with the general registration agreement, violating Habeas Data Law 1581.

Missing Cross-Border Transfer Disclosures (Switzerland FADP)

Website collects Swiss residents' data and transfers it internationally (e.g. via external tracking APIs) without disclosing countries and security safeguards in its privacy policy.

Unauthorized Cross-Border Transfer without Adequate Safeguards (Turkey KVKK)

Website transfers personal data of Turkish residents to servers outside Turkey without obtaining explicit consent or demonstrating compliant standard contractual clauses, violating KVKK.

Lack of Data Access and Correction Request Tracking System (Singapore PDPA)

Website fails to provide Singapore residents with a dedicated email or automated portal to request confirmation of their data processed within the past year, violating Singapore PDPA.

Inadequate Disclosure of Right to Object to Processing (Philippines DPA)

Website privacy notice targeting Philippines residents fails to explicitly state the user's right to object to the processing of their personal data, including for marketing purposes.

Pre-ticked Optional Add-on Items at Checkout (FTC)

E-commerce checkout flow defaults optional services, warranties, or add-on products to pre-checked states, utilizing consumer inertia to inflate transaction costs.

Unsubscribe Requests Require Fees or Logins (CAN-SPAM)

Website marketing unsubscribe links force users to log in, fill complex surveys, or pay processing fees to opt-out of emails, violating CAN-SPAM regulations.

Missing Accessibility Feedback Submission Channel (Ontario AODA)

Website fails to provide an accessible online path or form specifically dedicated to receiving feedback regarding accessibility issues from disabled users, violating AODA.

Inability to Adjust or Extend Form Session Limits (ADA Title III)

Forms with timing restrictions (e.g. checkout ticket reservations) do not allow users to disable, adjust, or extend the limit before timeout, violating WCAG 2.1 SC 2.2.1.

Unlabeled Affiliate Links and Sponsored Content (FTC Endorsement Guides)

Website displays product links earning commission or sponsored content blocks without displaying clear, immediate labels (e.g. 'Affiliate Link' or 'Sponsored') near the links.

dApp Fails to Validate API Endpoint Integrity (NIST SP 1800-34)

Decentralized web application connects to RPC nodes or APIs without verifying response signatures, allowing man-in-the-middle attacks to show false wallet balances.

Customer Portal Session Replay Scripts Enabled on Password Inputs (PCI-DSS)

Session recording tools (e.g. Hotjar, FullStory) run on customer portals without masking or excluding sensitive input fields like password, cardholder, or CVV inputs.

ICT Systems Major Incident Log Reporting Lack (EU DORA)

EU financial entity web console fails to provide or link to logs of major ICT related incidents for transparency to users and regulatory authorities, violating DORA Article 18.

Inadequate Access Revocation Notification (SOC 2 Type II)

Customer console does not record logs of revoked administrative tokens or display active sessions with direct termination paths, violating SOC 2 CC6.3 security controls.

Missing Identity Verification Prior to Accessing PHI (HIPAA)

Patient intake portal or symptom tracker allows users to access historical records or Protected Health Information (PHI) without executing verified multi-step identity validation.

Inadequate Advertising Restrictions on Social Platforms for Minors (Texas SCOPE)

Social media platform targeting Texas minors serves targeted advertising based on profiling of under-18 accounts, violating the SCOPE Act.

Search Results Bias Disclosure Failure (Florida FDBR)

Search engine or directory platform targeting Florida residents fails to disclose the parameters used to rank search results when algorithmic filtering is active, violating FDBR.

Non-Obvious Interactive Dark Patterns Targeting Children (CA AADC)

Website likely to be accessed by minors uses deceptive game mechanics or styling to nudge children into spending money or disclosing email addresses, violating AADC.

Lack of Sensitive Data Processing Disclosures (Indiana CDPA)

Privacy notice targeting Indiana residents fails to explicitly state the categories of sensitive personal data processed and the specific purposes, violating the CDPA.

Missing Right to Deletion Actions for New Hampshire Consumers (NHPA)

Website fails to provide New Hampshire residents with a clear, automated method to delete personal data collected, violating the New Hampshire Privacy Act.

Inaccessible Authentication via Cognitive Function Tests (WCAG 2.2)

Website authentication requires cognitive function tests (like solving puzzles or writing codes from images) without providing an alternative, accessible login method, violating WCAG 2.2 SC 3.3.8.

Dragging Movements Required Without Single-pointer Alternatives (WCAG 2.2)

Website requires dragging movements (e.g. custom sliders, maps, or drag-and-drop lists) without supporting click-or-tap alternatives for single-pointer inputs, violating WCAG 2.2 SC 2.5.7.

Text Spacing Adjustments Lead to Overlapping Text (WCAG 2.1)

Custom client-side font spacing adjustments (line height, letter spacing) cause page text elements to overlap or truncate, violating WCAG 2.1 SC 1.4.12.

Missing Input Placeholders or Context Clues (WCAG 2.1)

Form inputs requiring specific formats (e.g. dates, phone numbers) do not provide placeholders, description hints, or context instructions, violating WCAG 2.1 SC 3.3.2.

Illogical Tab Navigation Order (WCAG 2.1)

Keyboard navigation focus path traverses the page in an illogical or random order, failing to match visual reading layouts, violating WCAG 2.1 SC 2.4.3.

Missing Adequacy Decision Disclosures for External Transfers (GDPR)

Privacy notice transfers data outside the EEA but fails to disclose whether destination countries are subject to an EC adequacy decision or state the specific safeguards deployed.

Missing Specific Storage Location Disclosures (Canada PIPEDA)

Privacy policy targeting Canadian residents collects personal data but fails to disclose the specific geographic locations (provinces/countries) where data is stored, violating PIPEDA.

Failure to Disclose Purposes of Shared Cookie Identifiers (Japan APPI)

Website targeting Japanese users shares third-party advertising identifiers or cookies without disclosing the exact advertising and analytical purposes of the recipients in its cookie statement.

Inadequate Disclosure of Right to Request Data Deletion (Thailand PDPA)

Website targeting Thai users has a privacy policy that does not state the consumer's right to request erasure, destruction, or de-identification of their personal data under the PDPA.

Privacy Policy Updates Not Prominently Notified (Brazil LGPD)

Website makes significant changes to processing methods or privacy policies without notifying Brazilian users through clear site alerts or emails, violating LGPD Article 9.

Missing Administrative Policies Safeguarding Customer Information Disclosures (SEC)

Website of a SEC-registered investment advisor fails to display or link to policies outlining physical and technical safeguards for client records, violating Regulation S-P.

Failure to Document Cryptographic Key Management (PCI-DSS v4.0)

Website handling cardholder transactions fails to document or publish summaries of cryptographical algorithms and key management procedures used to encrypt card data.

Lack of Third-Party ICT Provider Criticality Level Disclosures (EU DORA)

Web dashboard of a financial system does not list or categorise the criticality levels of its third-party cloud and infrastructure providers, violating DORA transparency rules.

Inadequate Patch Management Disclosures (SOC 2 Type II)

Customer-facing SaaS portal fails to reference or document patch management timelines and procedures for resolving known system vulnerabilities, violating SOC 2 CC7.1.

Inadequate Cybersecurity Risk Analysis Disclosures (HIPAA Security Rule)

Patient onboarding application fails to confirm in its privacy policy that it conducts periodic risk analyses to assess potential security vulnerabilities to PHI, violating HIPAA Security Rule.

Collection of Minor Location History Without Parent Verification (Texas SCOPE)

Web application collects and maintains historical location tracking records of users verified or suspected to be minors without obtaining verified parental consent, violating SCOPE.

Missing Personal Data Sales Clear Opt-out Link (Florida FDBR)

Website targeting Florida consumers fails to host a clear, conspicuous link titled "Do Not Sell My Personal Information" on its homepage, violating Florida FDBR.

Absence of Child Safety Impact Assessment Rationale Disclosures (CA AADC)

Website likely to be accessed by minors fails to detail in its privacy notice the security safeguards implemented based on child data impact assessments, violating AADC.

Inadequate De-identification of Patient Research Records (HIPAA Privacy)

Health portal publishes clinical summaries or symptom databases containing zip codes or exact birth dates, failing to meet strict Safe Harbor de-identification rules under HIPAA.

Missing Incident Response Policy Summary (FTC Safeguards)

Fintech portal fails to reference or display in its security disclosures a summary of its written Incident Response Plan (IRP) for customer data breaches, violating FTC Safeguards.

Focus Obscured by Sticky Elements

Interactive elements focused via keyboard are fully or partially covered by sticky headers, footers, or floating overlays, preventing screen visibility, violating WCAG 2.2.

Sub-Minimum Interactive Target Size

Interactive targets (buttons, links) are smaller than 24x24 CSS pixels without sufficient spacing, causing mis-clicks for touch and motor-impaired users, violating WCAG 2.2.

Inaccessible Multi-Factor Authentication

Authentication flow forces cognitive tests (e.g. memorizing passwords, transcribing codes, solving puzzles) without providing a copy-paste or hardware key alternative, violating WCAG 2.2.

Cognitive Authentication Exclusion (Enhanced)

Login forms entirely omit cognitive tests (including object recognition and pattern spelling), relying solely on accessible authentications, violating WCAG 2.2 AAA.

Missing Captions for Pre-recorded Media

Marketing or product preview videos fail to offer accurate closed captions (CC), blocking access for deaf or hard-of-hearing site visitors, violating ADA Title III.

Unauthorized Marketing Pixels on Booking Screens

Patient schedule systems execute analytics or advertising trackers (e.g. Meta Pixel) without obtaining explicit, signed HIPAA authorizations from patients, leading to massive regulatory fines.

Undated Notice of Privacy Practices

The Notice of Privacy Practices (NPP) hosted on a medical clinic's website fails to prominently display its effective date, violating HIPAA Privacy Rule disclosure mandates.

Missing MHMDA Consumer Health Opt-In

A health-tracking website collects wellness indices or condition queries from Washington consumers without obtaining a separate, explicit opt-in consent banner, violating MHMDA.

Lack of Patient Portal Automatic Logoff

Electronic medical portal sessions remain active indefinitely after user inactivity, exposing patient charts to unauthorized physical access, violating HIPAA Security Rule protocols.

De-identification Failures in Portal Reports

Portal export functions compile statistical reports while leaving identifiable patient birthdates or zip codes exposed without proper de-identification, violating HIPAA Privacy guidelines.

Lack of Global Privacy Control (GPC) Verification Logs

The website's consent manager fails to maintain internal logs showing that user GPC signals were honored and processing scripts deactivated, violating California CPPA audit readiness.

Non-Compliant Employee & Applicant Privacy Notice

Job application forms and internal intranet portals lack a detailed privacy disclosure specifically outlining how employee and applicant personal data is handled under CPRA.

Lack of Portal for Right to Correct

User account cabinet fails to offer a clear, self-service interface or form allowing California consumers to correct inaccurate personal data on record, violating CPRA.

Incomplete Authorized Agent Procedural Disclosure

The privacy policy fails to explain verification procedures and forms required when a consumer exercises rights via a third-party authorized agent, violating CCPA.

Default Profiling of Under-18 Consumers

Online services likely accessed by children enable default behavioral profiling, targeted advertising, or background geolocation tracking, violating California Age-Appropriate Design Code.

Fake Scarcity Countdown Timers

E-commerce checkout renders countdown timers claiming 'offer expires soon' that reset automatically on page reload, classified by the FTC as deceptive dark patterns.

Fake Review Data Embedded in Client Bundles

Product landing pages display customer reviews hardcoded in JavaScript bundles with randomized dates to appear recent, violating the FTC rule on deceptive reviews.

Automatic E-Commerce Shopping Cart Additions

Cart interfaces automatically add paid warranties, shipping insurance, or donation items without explicit consumer selections, violating FTC guidelines against dark patterns.

Invalid Parental Consent Process on Child Portals

Portals aimed at children collect data using simple checkboxes or unverified email returns for parental approval instead of statutory verification methods under COPPA rules.

Unlabelled Sponsored Content

E-commerce blog posts or reviews that contain paid affiliate links fail to display clear and conspicuous disclosure labels (like 'Sponsored'), violating FTC endorsement rules.

Incomplete SMS Opt-In Statutory Terms

Lead forms collecting telephone numbers lack clear statutory language specifying that 'Message and data rates may apply' and listing sending frequency, violating TCPA guidelines.

Non-Compliant SMS Unsubscribe System

Automated text campaign integrations fail to recognize and process standard opt-out keyword replies (such as STOP, CANCEL, or UNSUBSCRIBE), violating TCPA.

Broken Unsubscribe Mechanisms in Mail Footers

Unsubscribe links inside system notification emails lead to broken server paths or force users to log in before processing requests, violating CAN-SPAM regulations.

Robocalls and Automatic Texting Without Written Consent

Web landing pages collect telephone contacts for automated dialing systems without obtaining prior express written signatures of Florida consumers, violating Florida FTSA.

Out-of-Hours Automated Text Dispatching

Marketing servers queue and dispatch automated SMS messages before 8:00 AM or after 9:00 PM local time of the recipient, violating TCPA regulations.

Unequal Reject and Accept Banner Layouts

The cookie banner uses design tricks to hide the 'Reject' button or forces the visitor to open submenus to reject tracking while allowing single-click acceptance, violating GDPR.

Failing to Disclose DPAs with Cloud Subprocessors

Data forms collect European personal inputs but fail to verify and link Data Processing Agreements (DPA) completed with cloud hosts and backend subprocessors, violating GDPR Art 28.

Unjustified Erasure Request Rejections

Portal support systems refuse or delay consumer 'Right to be Forgotten' requests without valid statutory justifications, violating GDPR Article 17 requirements.

Insecure Email Contact Form Submissions

Website contact forms transmit personal user messages and identifiers over unencrypted HTTP channels instead of secure HTTPS, violating GDPR security of processing requirements.

Cross-Border Transfers without Standard Clauses

User records are transmitted to servers located in third-party countries (lacking adequacy decisions) without established Standard Contractual Clauses (SCCs) in place, violating GDPR.