GDPR / French Data Protection Act
EU / France · In force since 2018
Top priority for websites serving EU users
This is the core framework for transparency, lawful basis, user rights, vendor governance, and cross-border data transfers.
- Clear and complete privacy notice
- Explanation of purposes, lawful bases, and user rights
- Processes for access, deletion, and objection requests
- Controls for vendors and international transfers
Cookie consent and ePrivacy
EU / UK style consent environments · Ongoing enforcement
High priority whenever non-essential trackers are present
Cookie compliance depends on a clear consent interface, a visible reject option, and intelligible disclosure of purposes and partners.
- Consent before non-essential trackers fire
- Reject should be as easy as accept
- Users can withdraw their choice later
- Trackers and partners are documented
Legal notice / publisher identification
France and civil-law markets · Established obligations
High priority for French-facing commercial websites
Commercial websites should expose the publisher identity, contact channel, and hosting information in a stable and accessible way.
- Publisher or company identity disclosed
- Easy-to-find contact details
- Hosting provider named
- Business registration details where relevant
Consumer law, terms, and withdrawal rights
EU consumer markets · Strengthened since 2014
High priority for e-commerce and online services
Checkout flows should disclose pre-contractual information, full pricing, delivery terms, cancellation rules, and post-sale channels.
- Terms available before checkout
- Total price and payment rules are clear
- Withdrawal or cancellation rights are covered
- Support and dispute contacts are identified
Accessibility / RGAA / WCAG
France, EU, and broader markets · Increasingly enforced
Growing priority for public-sector and private services
Accessibility is no longer just a design quality issue. For some actors it is a formal obligation, and for others it is a growing litigation and reputational risk.
- Accessibility statement or commitment exists
- Safer structure, contrast, and navigation
- Text alternatives and understandable labels
- Keyboard-usable flows
NIS2
European Union · National implementation underway
Critical for sensitive or regulated organizations
NIS2 pushes in-scope organizations to improve cyber-risk governance, incident reporting, vendor oversight, and operational resilience.
- Cyber-risk management measures
- Incident alerting and notification procedures
- Third-party and supplier oversight
- Board-level accountability
Digital Services Act
European Union · Applicable since 2024
Important for marketplaces, platforms, and user-generated content
The DSA strengthens moderation, transparency, and user-protection obligations for certain digital services.
- Illegal-content reporting channels
- Transparency on moderation and ads
- Enhanced duties for some platforms
- Stronger seller verification on marketplaces
CCPA / CPRA
California, United States · Applicable since 2020 / 2023
Important if you target or track California residents
California privacy rules push companies to clarify data categories, use cases, and opt-out or limitation choices related to selling or sharing data.
- California-facing privacy notice
- Opt-out or limitation mechanisms where required
- Explicit treatment of sensitive data
- Processes for consumer requests
Quebec Law 25 / PIPEDA
Quebec / Canada · Expanded since 2023
Important for websites selling into or prospecting in Canada
Quebec raises the bar on accountability, transparency, and privacy governance, with more formal expectations around public information and internal responsibility.
- Clear disclosure of collection and use practices
- Named privacy lead or owner
- Incident and request handling processes
- Controls for vendors and transfers