Elevate

Privacy & Cookie Compliance

Website Privacy and Cookie Compliance Review

Privacy regulations (including the EU GDPR, CPRA/CCPA, and the ePrivacy Directive) define specific requirements for how your website handles cookies, tracking, privacy notices, and terms of service. Elevate Consult reviews your website’s compliance posture across all four dimensions and delivers actionable findings, not just a scan report. 

The regulatory landscape

Three overlapping frameworks, one website to get right

Most organizations subject to privacy regulations operate under more than one framework simultaneously. A website that is CCPA-compliant may still fail under GDPR’s stricter consent requirements, and neither framework addresses the accessibility obligations that apply when your audience includes federal contractors or government-adjacent stakeholders. 

EU

Basic GDPR and ePrivacy Directive

Requires explicit opt-in consent before non-essential cookies are placed. Privacy notices must disclose legal basis, data retention, and third-party data sharing. The ePrivacy Directive governs cookie banners and tracking consent independently from GDPR. 

US California

CPRA / CCPA

Requires transparency about data collection practices, opt-out mechanisms for data sales, and specific disclosures in your privacy policy. CPRA introduced stricter data minimization and purpose limitation requirements effective 2023. 

HighFederal Accessibility

Mandatory Section 508 and WCAG 2.0 Level AA

Section 508 of the Rehabilitation Act requires digital content to be accessible to people with disabilities. This applies to any organization that operates a public website; the government treats public-facing websites similarly to physical storefronts, which must meet accessibility requirements for individuals with disabilities. WCAG 2.0 Level AA is the standard confirmed by the Section 508 Trusted Tester process.

What we review

Four areas covered in every engagement

Elevate’s website review combines automated scanning with manual assessment across four domains. Each produces specific, documented findings not a generic checklist. 

Cookie compliance

Technology scanning tools combined with manual review to assess cookie activities, tracking, and consent configurations against GDPR and CPRA/CCPA requirements. 

  • First-party and third-party cookie inventory 
  • Consent management platform configuration ç
  • Tracking and pixel review (analytics, advertising, social) 
  • Opt-in / opt-out mechanism validation 
  • Cookie banner adequacy under GDPR and ePrivacy Directive 

Copyright image compliance

Review of image usage practices to identify unlicensed or improperly attributed assets that create copyright and associated privacy exposure. 

  • Image licensing status review 
  • Attribution and rights documentation 
  • Tracking embedded in image assets 
  • Alignment with privacy notice disclosures 

Privacy and cookie policy review

Review of all publicly available notices — Privacy Policy, Privacy Notice, Cookie Policy, and Terms of Service — against GDPR and CPRA/CCPA regulatory requirements. 

  • Required disclosure completeness check 
  • Legal basis documentation (GDPR) 
  • Data subject rights language adequacy 
  • “Do Not Sell” and opt-out mechanism review (CCPA/CPRA) 
  • Data retention and third-party sharing disclosures 

Section 508 / WCAG accessibility

Section 508 Trusted Tester testing on the main page and associated compliance pages to produce a formal attestation against WCAG 2.0 Level AA requirements. 

  • DHS Trusted Tester methodology 
  • WCAG 2.0 Level AA conformance testing 
  • Automated and manual review combination 
  • Accessibility of cookie banners, consent forms, and opt-out mechanisms 
  • Formal attestation against tested pages 
Why this matters now

Regulatory enforcement is accelerating

Privacy regulators on both sides of the Atlantic have moved from guidance to active enforcement. Cookie compliance and privacy notice adequacy are among the most frequently cited violations in recent regulatory actions. 

€4.5B+

GDPR fines issued since enforcement began 

$7,500

Maximum CCPA/CPRA penalty per intentional violation 

15+

US states with active privacy laws requiring opt-out mechanisms 

~30%

Accessibility issues caught by automated tools alone — manual testing is required 

Who this is for

Organizations with cross-jurisdictional privacy exposure

This review is built for organizations that operate websites with global traffic, handle personal data of EU or California residents, or are subject to federal accessibility requirements — particularly those combining privacy and accessibility obligations in a single compliance program. 

Privacy and Data Officers

Legal and General Counsel

Compliance and Risk Officers

Marketing and Digital teams

Federal contractors

CTOs and IT leads

What you get

Two structured outputs built for two audiences

Every engagement delivers a complete documented record of findings, observations, and prioritized recommendations — structured for both technical review and executive decision-making. 

Detailed compliance report

Control-level findings across all four review areas — cookie configuration, privacy notices, copyright, and accessibility — with specific observations and remediation recommendations for each item identified. 

Executive summary

High-level assessment of overall compliance posture, prioritized risk areas, and headline findings — designed for privacy leadership, legal counsel, and C-suite consumption. 

Client use case

How organizations are using this service

Elevate’s website privacy and cookie review is deployed as a standalone engagement or as part of a broader compliance program, including alongside ISO 42001 AI governance work where website-facing privacy practices intersect with AI system data handling.

As part of a broader AI governance engagement focused on ISO 42001 certification readiness, Elevate performed a preliminary website privacy and cookie review for Tealium. The review covered cookie activities and tracking configurations against GDPR and CPRA/CCPA requirements and assessed publicly available privacy notices for regulatory adequacy. Findings were incorporated into Tealium’s corrective action plan alongside their AIMS implementation work. A full standalone review remains available as a next phase.

Tealium — San Diego, CA

FAQ

Common questions

Does this service apply if we already have a cookie banner in place?

Yes. Having a cookie banner is not the same as being compliant. Many organizations have banners that fail to meet GDPR’s opt-in consent requirements, pre-check non-essential cookies, or omit required categories. This review validates that your consent mechanism — not just its presence — meets the applicable regulatory requirements. 

What is the Section 508 Trusted Tester process?

The DHS Trusted Tester program is a certification process that qualifies testers to perform standardized, reproducible Section 508 conformance testing. Unlike automated scans — which catch approximately 30% of accessibility issues — Trusted Tester methodology includes manual testing using assistive technologies. Elevate performs this testing on your main page and associated compliance pages to produce a formal attestation of conformance against WCAG 2.0 Level AA. 

Does GDPR compliance satisfy CPRA/CCPA requirements?

Partially. There is meaningful overlap — particularly around transparency, data subject rights, and privacy notice disclosures — but the frameworks differ. GDPR requires opt-in consent for most cookies; CCPA uses an opt-out model for data sales. CPRA introduced additional data minimization requirements not found in GDPR. Our review addresses both frameworks independently and identifies gaps specific to each. 

Is this a legal review?

No. This service is a compliance review that assesses your website’s practices against documented regulatory requirements. It does not constitute legal advice and does not substitute for review by qualified legal counsel. Organizations with complex cross-jurisdictional exposure are encouraged to engage legal counsel alongside this review. 

How often should a website undergo this type of review?

Industry guidance recommends cookie audits at least every six months, and privacy policy reviews whenever you introduce new data collection practices, third-party integrations, or when applicable regulations are updated. Organizations subject to multiple frameworks — particularly those with EU and California exposure — should treat this as an ongoing program, not a one-time exercise. 

GET STARTED

Ready to assess your website's privacy and cookie compliance posture?

Elevate Consult reviews cookie configurations, privacy notices, copyright practices, and website                     accessibility in a single engagement — delivering findings your legal, compliance,                                and technical teams can act on.