Editorial Policy
Last updated: May 2026
ComplianceCheckup publishes compliance checklists on the six regulations most commonly relevant to websites and online businesses. This page explains how that content is sourced, how it is maintained, and what happens when an error is found or a regulation changes.
Sourcing Rules
Every checklist item on ComplianceCheckup is derived from official regulatory text or guidance published by a named legal authority. We do not paraphrase secondary sources, compliance consultancies, or third-party summaries. The authoritative sources we use are:
- GDPR: The full text of Regulation (EU) 2016/679 as published at gdpr-info.eu, plus enforcement guidance from the European Data Protection Board (EDPB) and national Data Protection Authorities (DPAs) including the UK ICO and France's CNIL.
- HIPAA: The U.S. Department of Health and Human Services (HHS) official HIPAA text and guidance documents, including the Security Rule and Privacy Rule as published at hhs.gov.
- PCI DSS: The Payment Card Industry Security Standards Council (PCI SSC) official PCI DSS documentation, currently version 4.0, as published at pcisecuritystandards.org.
- SOC 2: The American Institute of Certified Public Accountants (AICPA) Trust Services Criteria as published at aicpa-cima.com.
- CCPA: The California Consumer Privacy Act text and regulations as published by the California Department of Justice (CA DOJ) and the California Privacy Protection Agency (CPPA).
- ADA / WCAG: The Web Content Accessibility Guidelines (WCAG) 2.1 Level AA as published by the World Wide Web Consortium (W3C), plus U.S. Department of Justice guidance on web accessibility under the Americans with Disabilities Act.
Each checklist item includes a reference to the specific article, section, or requirement number in the official source. Readers can verify any item independently by following the link to the official regulatory text.
Review and Re-Verification Cadence
All checklists are reviewed on a regular basis. The standard cadence is:
- A full re-verification of every checklist against its official source, at minimum once per year.
- A spot check of any checklist affected by a significant enforcement decision, regulatory update, or published guidance change, as soon as we become aware of it.
- The "Last verified" date shown on each checklist and in each author byline reflects the most recent full review of that page's content.
What Triggers an Update
A checklist is updated when any of the following occur: a change to the underlying regulation or its implementing rules, new official guidance that clarifies or expands on existing requirements, a significant enforcement decision that demonstrates how a requirement is interpreted in practice, or a reader correction that is verified against the official source. Minor editorial changes (improving clarity, fixing typos) do not change the "last verified" date.
Correction Policy
If you believe a checklist item is inaccurate, out of date, or misleading, please contact us at [email protected] with a reference to the relevant article or section in the official regulatory text. We review all correction submissions and aim to respond within two business days. Verified corrections are applied promptly, and significant corrections are noted in our Changelog.
Conflict-of-Interest Disclosure
ComplianceCheckup earns revenue through display advertising. Advertiser relationships have no influence on which regulations are covered, how checklist items are written, which requirements are included or excluded, or how compliance guidance is framed. Advertisers do not review content before publication and have no editorial input of any kind. The checklists are based solely on official regulatory text.
We do not accept sponsored content, paid mentions, or affiliate arrangements for compliance tools or services. If this changes in the future, it will be disclosed clearly on the relevant page and in this policy.
Scope Limitations
ComplianceCheckup covers six regulations. This is not an exhaustive list of every regulation that may apply to a given business. Regulations we do not currently cover include, for example, PIPEDA (Canada), LGPD (Brazil), PDPA (Thailand), and sector-specific standards. Our checklists are also not a substitute for a formal audit or legal opinion. They are a starting point, not a compliance certification.
Contact
Editorial questions, corrections, and feedback can be sent to [email protected].