Frameworks

Compliance frameworks to watch on a website

This overview is not a substitute for legal monitoring. It is meant to help you identify the main compliance layers to review first, based on your audience, country footprint, and business model.

How to use this page

Start with the rules linked to the publisher's country, the countries you target, the nature of your checkout flow, and the trackers you deploy. The more personal data, countries, and transactions you handle, the more layers you need to document.

GDPR / French Data Protection Act

EU / France · In force since 2018
Top priority for websites serving EU users

This is the core framework for transparency, lawful basis, user rights, vendor governance, and cross-border data transfers.

  • Clear and complete privacy notice
  • Explanation of purposes, lawful bases, and user rights
  • Processes for access, deletion, and objection requests
  • Controls for vendors and international transfers

Cookie consent and ePrivacy

EU and UK consent regimes · Ongoing enforcement
High priority whenever non-essential trackers are present

Cookie compliance depends on a clear consent interface, a visible reject option, and intelligible disclosure of purposes and partners.

  • Consent before non-essential trackers fire
  • Reject should be as easy as accept
  • Users can withdraw their choice later
  • Trackers and partners are documented
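To make the four points above concrete, here is an added example (not code from the original page) of a minimal consent gate in JavaScript: non-essential trackers are registered with their purpose, nothing fires until consent is recorded as granted, reject and withdraw are single calls on the same footing as accept, and the registered list doubles as the partner disclosure. The tracker loader is injected as a function so the example runs in Node without a DOM; in a browser it would insert the vendor's script tag. The vendor names in the usage are placeholders.

```javascript
// Added example: a consent gate that holds back non-essential trackers until
// the user opts in, records reject as a first-class choice, and allows later
// withdrawal. Persistence is a Map here; a real deployment would use a cookie
// or localStorage entry with the same three states.
class ConsentGate {
  constructor(loadTracker, store = new Map()) {
    this.loadTracker = loadTracker; // function(name) -> void, injected (assumption)
    this.store = store;             // persistence for the user's choice
    this.trackers = [];             // registered non-essential trackers
    this.loaded = new Set();        // trackers that have already fired
  }

  // Every non-essential tracker is declared with a human-readable purpose,
  // so the same registry feeds both the gate and the disclosure text.
  register(name, purpose) {
    this.trackers.push({ name, purpose });
    return this;
  }

  // 'undecided' | 'granted' | 'denied'; undecided behaves exactly like denied.
  status() {
    return this.store.get('consent') || 'undecided';
  }

  accept() {
    this.store.set('consent', 'granted');
    return this.flush();
  }

  // Reject is one call, same as accept: no dark-pattern asymmetry.
  reject() {
    this.store.set('consent', 'denied');
  }

  // Withdrawal stops any further loads. Scripts already in the page keep
  // running until reload, so a browser integration should also reload or
  // unload them; that part is out of scope here.
  withdraw() {
    this.store.set('consent', 'denied');
  }

  // Fire registered trackers once, and only while consent is granted.
  flush() {
    if (this.status() !== 'granted') return [];
    const fired = [];
    for (const t of this.trackers) {
      if (this.loaded.has(t.name)) continue;
      this.loadTracker(t.name);
      this.loaded.add(t.name);
      fired.push(t.name);
    }
    return fired;
  }

  // Text for the consent interface: which partners run and why.
  disclosure() {
    return this.trackers.map(t => `${t.name}: ${t.purpose}`);
  }
}

// Usage with constructed placeholder vendors and a loader that only records.
function demo() {
  const fired = [];
  const gate = new ConsentGate(name => fired.push(name));
  gate.register('analytics-vendor', 'audience measurement')
      .register('ads-vendor', 'advertising');
  gate.flush();           // undecided: nothing fires
  gate.reject();
  gate.flush();           // denied: nothing fires
  const onAccept = gate.accept();
  gate.withdraw();
  return { fired, onAccept, finalStatus: gate.status(), disclosure: gate.disclosure() };
}
```

The test a practitioner would want is the negative one: with status undecided or denied, the loader must never be called. The second call to flush after acceptance returns an empty list, which is what keeps a re-rendered consent banner from double-loading vendors.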

Legal notice / publisher identification

France and civil-law markets · Established obligations
High priority for French-facing commercial websites

Commercial websites should expose the publisher identity, contact channel, and hosting information in a stable and accessible way.

  • Publisher or company identity disclosed
  • Easy-to-find contact details
  • Hosting provider named
  • Business registration details where relevant

Consumer law, terms, and withdrawal rights

EU consumer markets · Strengthened since 2014
High priority for e-commerce and online services

Checkout flows should disclose pre-contractual information, full pricing, delivery terms, cancellation rules, and post-sale channels.

  • Terms available before checkout
  • Total price and payment rules are clear
  • Withdrawal or cancellation rights are covered
  • Support and dispute contacts are identified

Accessibility / RGAA / WCAG

France, EU, and broader markets · Increasingly enforced
Growing priority for public-sector and private services

Accessibility is no longer just a design quality issue. For some actors it is a formal obligation, and for others it is a growing litigation and reputational risk.

  • Accessibility statement or commitment exists
  • Accessible structure, contrast, and navigation
  • Text alternatives and understandable labels
  • Keyboard-usable flows

NIS2

European Union · National implementation underway
Critical for sensitive or regulated organizations

NIS2 pushes in-scope organizations to improve cyber-risk governance, incident reporting, vendor oversight, and operational resilience.

  • Cyber-risk management measures
  • Incident alerting and notification procedures
  • Third-party and supplier oversight
  • Board-level accountability

Digital Services Act

European Union · Applicable since 2024
Important for marketplaces, platforms, and user-generated content

The DSA strengthens moderation, transparency, and user-protection obligations for certain digital services.

  • Illegal-content reporting channels
  • Transparency on moderation and ads
  • Enhanced duties for some platforms
  • Stronger seller verification on marketplaces

CCPA / CPRA

California, United States · Applicable since 2020 / 2023
Important if you target or track California residents

California privacy rules push companies to clarify data categories, use cases, and opt-out or limitation choices related to selling or sharing data.

  • California-facing privacy notice
  • Opt-out or limitation mechanisms where required
  • Explicit treatment of sensitive data
  • Processes for consumer requests

Quebec Law 25 / PIPEDA

Quebec / Canada · Expanded since 2023
Important for websites selling into or prospecting in Canada

Quebec raises the bar on accountability, transparency, and privacy governance, with more formal expectations around public information and internal responsibility.

  • Clear disclosure of collection and use practices
  • Named privacy lead or owner
  • Incident and request handling processes
  • Controls for vendors and transfers

Important

An automated scan cannot verify records of processing, contracts, consent evidence, or DPIAs. Those points still require documentary review.