Skip to content
GrowthVector.io

Legal & Compliance

Global Privacy & GDPR

172 Countries Have Data Privacy Laws

Graham Greenleaf (UNSW law professor, April 2025) counted 172 countries with data privacy laws as of March 2025, adding 12 new laws in 2023/24 at an average rate of 5.4 per year since 2020. The IAPP 2026 Global Privacy Law and DPA Directory reports 98% of developed nations are covered. Regional breakdown: Europe 98%, Africa 77%, North America 75%, Asia 72%, South America 71%, Oceania 35%. A few countries still lack even draft bills. No business is too small to be caught.

GDPR Fines Are Intensifying

Cumulative fines reached approximately 7.1 billion EUR across 2,900+ enforcement actions by early 2026 (Kiteworks GDPR Fines tracker).

~7.1B EUR
Cumulative Fines
1.2B EUR
2024 Alone
363/day
Breach Notifications (2024)

Spain's AEPD is the highest-volume enforcer with 1,021+ fines by September 2025, issuing hundreds in the 1K-10K EUR range against small businesses for surveillance, marketing consent, and breach failures. Ireland's DPC leads by value at roughly 4.04B EUR cumulatively, driven by Big Tech fines (Meta 1.2B EUR, TikTok 530M EUR, LinkedIn 310M EUR).

Small-Entity Fines That Matter for Indie Builders

Romanian Individual: ~200 EUR

Posted another person's pay slip and personal data on Facebook and paper flyers without a legal basis.

Austrian Individual: 600 EUR

Disclosed another person's health data (a disability claim) to a public institution without a legal basis.

Spanish Individual: 10K EUR

Shared images of minors on Instagram without consent.

Polish Company (Bisnode): ~220K EUR

Failed to inform millions of people, whose data it processed, of their GDPR rights under Article 14. A warning for anyone processing third-party data.

Voodoo Games (CNIL)

French mobile game developer fined 3M EUR for reading an advertising identifier without consent. Directly relevant to app developers.

Clubhouse: 2M EUR

Italy fined them for lack of transparency and storing audio without consent.

UK GDPR Post-Brexit

Fewer fines but dramatically higher amounts in 2025.

62
ICO Actions (2024)
7x
More Money Collected (2025)
2.8M+ GBP
Avg Fine (2025)

The Data (Use and Access) Act 2025 (DUAA) received Royal Assent June 19, 2025. Key changes: raised PECR penalty caps from 500K GBP to match UK GDPR maximums (17.5M GBP or 4% of global turnover), new requirements for data subjects to complain directly to organizations before escalating to the ICO, broadened legitimate interest basis, and reframed automated decision-making restrictions.

Practical difference from EU GDPR: The ICO is far less aggressive in volume (single-digit annual enforcement versus hundreds from Spain's AEPD). Commissioner John Edwards has argued that fines are not always the most effective enforcement tool, particularly against public-sector bodies. The UK has no equivalent of the EU AI Act.

US & International Privacy Laws

20 States With Comprehensive Privacy Laws

Twenty US states have comprehensive consumer privacy laws in effect as of 2026; no comprehensive federal privacy law exists or appears imminent.

Timeline of Enforcement Dates
2020-2023California (CCPA 2020/CPRA 2023), Virginia (Jan 2023), Colorado (Jul 2023), Connecticut (Jul 2023), Utah (Dec 2023)
2024Oregon (Jul), Texas (Jul), Montana (Oct), Florida (Jul)
2025Delaware (Jan), Iowa (Jan), Nebraska (Jan), New Hampshire (Jan), New Jersey (Jan 15), Tennessee (Jul), Minnesota (Jul 31), Maryland (Oct)
Jan 2026Indiana, Kentucky, Rhode Island
Key Differences Across States

California

Only state with a dedicated agency (CPPA), broadest scope, and the only private right of action for data breaches.

Texas

No revenue threshold at all. Applies to any entity doing business in the state.

Maryland

Strictest data minimization. Bans the sale of sensitive data entirely.

Rhode Island

One of the lowest thresholds at 35,000 consumers, matched by New Hampshire and Delaware. Montana's base threshold is 50,000 (dropping to 25,000 for businesses earning 25%+ of revenue from selling data).

CCPA/CPRA Enforcement

Fines assessed per affected consumer, compounding to massive totals.

$2,663
Per Unintentional Violation
$7,988
Per Intentional Violation
Major Enforcement Actions

Tractor Supply Co.

$1.35M

CPPA's largest fine (Sept 2025). Ineffective opt-out, failure to honor GPC signals, privacy policy not updated since 2021. Investigation started from a single consumer complaint.

Healthline Media

$1.55M

Largest AG CCPA settlement (Jul 2025). Failed to honor opt-outs for targeted ads, shared health condition data with third parties.

Jam City

$1.4M

No in-app CCPA opt-outs across 21 mobile games. Sold teen data without opt-in consent.

Todd Snyder, Inc.

$345K

40-day delay processing opt-outs. Required photo ID for opt-out requests, classified as a dark pattern.

GPC Enforcement Is Top Priority

Businesses must honor browser-based Global Privacy Control signals in a frictionless manner. Multiple states now require universal opt-out mechanism recognition (CA, CO, CT, OR, MT, MN). The California Delete Act launched the DROP (Delete Request and Opt-Out Platform) on January 1, 2026. Starting August 1, 2026, data brokers must access DROP at least once every 45 days and process the deletion requests they find (the 45 days is a check cadence, not a per-request completion deadline).

COPPA Enforcement

The FTC aggressively targets app developers who collect children's data.

Epic Games (Fortnite): $275M

2023. The $275M COPPA penalty was part of a broader $520M FTC settlement (the other $245M covered dark-pattern charges).

Disney: $10M

2025. Enabled unlawful collection of children's data on YouTube videos not labeled "Made for Kids."

NGL Labs: Banned for Under-18s

Jul 2024. First FTC order barring an online service from offering itself to minors at all.

HyperBeard: $150K

Collected children's persistent identifiers via third-party ad SDKs without consent.

January 2025 COPPA Amendments

New rules require separate opt-in consent for sharing children's data with third parties. Embedding third-party SDKs inherits their COPPA violations. Your vendors' COPPA missteps are your own.

FTC Health Breach Notification Rule

Applies to health-adjacent apps, not just HIPAA-covered entities. The HBNR is the primary enforcement threat for vibe coders building health apps.

GoodRx

$1.5M

First-ever HBNR enforcement (Feb 2023). Shared prescription data with Facebook and Google via tracking pixels.

BetterHelp

$7.8M

Mar 2023. Shared mental health data with Facebook, Snapchat, and Pinterest for advertising. Misrepresented HIPAA compliance.

Premom (Easy Healthcare)

$200K

May 2023. Fertility app shared health data with third-party SDKs ($100K FTC penalty plus $100K to state AGs).

Context Reveals Conditions

Even sharing an email address can constitute health data disclosure if context reveals health conditions. For example, if a user visits a mental health service and their email is shared with an analytics provider, that context alone may trigger HBNR obligations.

Canada, Australia, Brazil

Canada

PIPEDA still from 2000. Bill C-27 died Jan 2025.

The Privacy Commissioner can recommend but cannot directly impose financial penalties. Maximum penal fine is only $100,000 CAD.

Quebec Law 25 (fully effective Sept 2024) is the critical exception: requires explicit opt-in consent for sensitive data and cookies. The only North American jurisdiction with EU-style opt-in. Penalties reach $25M CAD or 4% of gross worldwide revenue.

Large Canadian companies are aligning with Law 25 nationally since it is the strictest Canadian regime.

Australia

POLA Act passed Dec 2024.

A statutory tort for serious privacy invasions commenced June 10, 2025, allowing Australians to sue for up to AU$478,550 in damages.

The small business exemption (businesses under AU$3M turnover, covering approximately 95% of Australian businesses) still exists but is expected to be abolished in Tranche 2 reforms.

There is no specific cookie consent law in Australia currently. New Privacy Commissioner Carly Kind has signaled more enforcement focus.

Brazil

ANPD issued approximately BRL 98M total.

The first-ever LGPD sanction hit Telekall Infoservice, a micro-company telecom, with BRL 14,400 (~$2,960) for processing data without legal basis and failing to appoint a DPO.

ANPD suspended Meta's use of Brazilian user data for AI training in July 2024, threatening BRL 50,000 per day.

LGPD enforcement is significantly less mature than GDPR. Cumulative US$20M versus GDPR's ~7.1B EUR.

Cookie Consent by Jurisdiction

Default to the highest standard (EU opt-in) when user location is unclear.

EU / UK

Strict Opt-In

Block all non-essential cookies before consent. Granular options required, one-click withdrawal mandatory.

California

Opt-Out

Disclose cookie use, provide "Do Not Sell or Share" link, and honor GPC signals.

Brazil

Opt-In

Follows GDPR principles. Requires consent before setting non-essential cookies.

Australia

Notice Only

No specific cookie law currently. Informational notice is sufficient.

Cookiebot (Usercentrics)

From ~12 EUR/month. Automatic scanning, Google Consent Mode v2 support.

CookieYes

From ~$10/month. Affordable alternative with similar feature set.

Privacy Policy Generators Compared

Tool
Pricing
Languages
Best For
Termly
Free (1 policy, 10K banner views), $10-$14/mo paid
English
Best free tier, auto-updates
iubenda
$3.99-$119.99/mo
15 languages
Most comprehensive, global coverage
PrivacyPolicies.com
$14 one-time per document
English
Best value, no subscription
GetTerms
Free basic, paid plans available
English
Simplest, but limited coverage

Recommendation: PrivacyPolicies.com at $14 one-time for budget projects. Termly at $10-$14/month for ongoing auto-updates as laws change.

Copyright & Licensing

AI-Generated Code Likely Cannot Be Copyrighted

The US Copyright Office Report, Part 2 (January 29, 2025) established that merely providing prompts is not sufficient for copyright ownership. "Repeatedly entering prompts until the output matches desired expression" is insufficient, described as "like spinning a metaphorical wheel with infinite possibilities." Code generated purely by AI prompts likely falls into the public domain, meaning competitors can freely copy it. However, AI-generated code that a human substantially modifies, arranges, or integrates may be protectable, evaluated case-by-case with no clear-cut threshold. Thaler v. Perlmutter confirmed that human authorship is required: the D.C. Circuit affirmed the Copyright Office's refusal in March 2025 (the 2023 district-court opinion called human authorship a "bedrock requirement" of copyright), and the Supreme Court declined to hear the case, denying certiorari on March 2, 2026 and leaving the human-authorship rule in place.

Open-Source License Contamination Is a Live Legal Risk

The Doe v. GitHub lawsuit (filed November 2022, N.D. Cal., now on appeal to the Ninth Circuit) alleges Copilot was trained on billions of lines of GPL, MIT, and Apache-licensed code and outputs code without required attribution. Plaintiffs floated theoretical DMCA statutory damages in the $9B+ range; this is a plaintiff-side calculation, not a judgment. The DMCA §1202(b)(1) and (b)(3) claims were dismissed with prejudice in July 2024; what survived are the open-source-license and breach-of-contract claims. The dismissal of the DMCA claims is what is now on an interlocutory appeal to the Ninth Circuit (No. 24-6136, accepted December 2024). The case still treats open-source licenses as real, enforceable agreements. By GitHub's own research, fewer than 1% of Copilot suggestions may reproduce training-set code, and its public-code filter blocks matches longer than about 150 characters. You are legally responsible for code you ship regardless of who wrote it. Run license scanners. Understand the difference between permissive (MIT, Apache) and copyleft (GPL, AGPL) licenses.

Accessibility & Data Implementation

94.8% of Top 1M Homepages Fail WCAG 2

WebAIM Million 2025 analysis. AI-generated code is often worse.

Pages using ARIA attributes (which AI generates liberally) averaged 34.2% more accessibility errors than those without.

6 Most Common Failures AI Consistently Reproduces
79.1%
Low contrast text
55.5%
Missing alt text
48.2%
Missing form labels
45.4%
Empty links
29.6%
Empty buttons
15.8%
Missing document language
ADA Federal Lawsuit Volume
~814
2017 (Baseline)
~2,258
2018 (+177%)
~4,605
2023
5,100+
2025

Most target small businesses

Companies under $25M revenue. That share was about 64% of defendants in 2025, down from roughly two-thirds in prior years (UsableNet). Settlements range $5,000-$75,000 plus attorney fees and redesign costs.

40% of 2025 filings are pro se

Self-represented plaintiffs using AI to draft complaints. Suggests lawsuit volume will continue rising.

accessiBe fined $1M by FTC (Jan 2025)

False advertising about its accessibility overlay widget. 25% of 2024 lawsuits targeted sites using overlay widgets.

DOJ Title II Rule

Requires WCAG 2.1 AA conformance for state and local government sites. DOJ extended the compliance date to April 26, 2027 for large public entities (population 50,000+), and April 26, 2028 for smaller entities.

European Accessibility Act (EAA)

Effective June 28, 2025. Applies to ANY organization providing covered services to EU consumers, regardless of headquarters location.

Covered Services
E-commerceElectronic CommunicationsBankingE-booksAudiovisual MediaTransport Services

Micro-enterprise exemption: Fewer than 10 employees AND annual turnover not exceeding 2M EUR (for service providers). There is also an "undue burden" exemption.

Requires compliance with EN 301 549, which incorporates WCAG 2.1 Level AA. Accessibility widgets or overlays alone are not sufficient for conformance.

Penalties must be "effective, proportionate, and dissuasive" and are set individually by each member state, so maximum fines vary widely across the EU. Market-surveillance authorities can also order non-compliant products withdrawn from the market. Enforcement is still ramping up, with few penalties publicly reported as of early 2026.

Privacy Nutrition Labels (App Stores)

Apple requires declaring data across 14 categories with 6 purposes.

Apple's 14 Data Categories
Contact InfoHealth & FitnessFinancial InfoLocationSensitive InfoContactsUser ContentBrowsing HistorySearch HistoryIdentifiersPurchasesUsage DataDiagnosticsOther Data
6 Purposes
Third-Party AdvertisingDeveloper's MarketingAnalyticsProduct PersonalizationApp FunctionalityOther

Typical Vibe-Coded App (Auth + Analytics)

  • Declare email address and user ID as "Data Linked to You" for App Functionality.
  • Declare product interaction, crash data, and device ID as "Data Not Linked to You" for Analytics.
  • If you use any ad SDK, declare device ID under "Data Used to Track You."
Google Play Data Safety Differences
  • Google requires explicit "collected" vs. "shared" declarations (Apple implies sharing through tracking).
  • Google prominently displays security practices (encryption, data deletion).
  • Google has no "optional disclosure" exemption. All collected data must be declared.
  • Both require a privacy policy URL.

GDPR Essentials

Total fines exceed 7.1 billion EUR

Consent: Cookie banners must offer equal Reject/Accept options (no dark patterns). Google was fined 150M EUR for making rejection harder than acceptance.

Deletion: "Delete Account" must actually delete data, not just set a deleted: true flag. Drop the rows.

Breach Notification: You have 72 hours to report a data breach to authorities. Document everything.

Data Minimization: Only collect data you actually need. If you don't need a phone number, don't ask for one.

CAN-SPAM & CCPA (US)

CAN-SPAM: Every marketing email needs a working unsubscribe link and a valid physical postal address. Violations cost $53,088 per email. Honor opt-outs within 10 business days.

Google/Yahoo 2024 Rules: SPF/DKIM/DMARC authentication required, one-click unsubscribe header mandatory, complaint rates must stay below 0.3%. Failing these means your emails go straight to spam.

CCPA (California): Applies if you have $25M+ in annual revenue, buy, sell, or share the data of 100,000+ California consumers or households, or make 50%+ of revenue from selling data. Covered businesses that sell or share personal information must provide a "Do Not Sell or Share My Personal Information" option.

Children's Data: COPPA applies if any users are under 13. Requires verifiable parental consent.

What Data to Store (And What Never to Store)

OK to Store

  • Email addresses (with consent)
  • Hashed passwords (bcrypt/argon2)
  • Subscription status
  • User preferences
  • App-generated content

Minimize Storage

  • Full names (only if needed)
  • Phone numbers (only if needed)
  • IP addresses (anonymize after use)
  • Usage analytics (aggregate when possible)
  • Location data (use coarse precision)

Never Store

  • Plain-text passwords
  • Full credit card numbers (let Stripe handle it)
  • Government IDs / SSNs
  • Health data (HIPAA)
  • API keys in your database

"Delete My Account" Done Right

GDPR requires actual deletion, not just setting a flag. Here is the correct cascade order.

// Correct deletion cascade order

1. Delete user's posts, comments, uploads

2. Cancel active Stripe subscription

3. Remove from email provider (Resend, SendGrid)

4. Anonymize analytics data (replace userId with "deleted")

5. Delete auth account (Clerk, Supabase Auth)

6. Delete user row from database

7. Log deletion request for audit trail

Keep Financial Records

Tax law requires retaining financial records for 5-7 years. Anonymize the personal data but keep transaction amounts and dates. Replace user attribution with "[deleted user]" on any content that must be retained.

Generate Your Privacy Policy with AI

"Generate a privacy policy for [app name], a [describe app]. We collect: [list data types]. We use [list services: Supabase, Stripe, Resend, etc.]. We operate in [countries/regions]. Include GDPR, CCPA, and CAN-SPAM compliance sections. Use plain language, not legalese."

Get a Lawyer Review

AI-generated privacy policies are a solid starting point, but have a lawyer review before launch. A basic legal review costs $500-$1,500 and is far cheaper than a GDPR fine. Many startup-focused law firms offer flat-rate packages.

Watch for Phantom Statistics

The commonly cited "89% of apps built on no-code/low-code platforms lack proper consent mechanisms" cannot be verified. Extensive searching across Gartner, Forrester, KPMG, and Deloitte found no credible source. The closest real statistic: Usercentrics (2022) found "90% of apps available in the EU that we looked at were not compliant with the GDPR." Use this with proper attribution instead. Similarly, "67% of low-code apps can't locate all the places personal data is stored" has no credible source. Always verify compliance statistics before citing them.

WCAG 2.1 AA: The Four Principles in Plain English

Every WCAG requirement falls under one of these four principles. Here is what they actually mean for your code.

1. Perceivable

Users must be able to perceive all content through at least one sense.

  • Every <img> needs descriptive alt text (or alt="" for purely decorative images)
  • Videos must have captions and audio descriptions for meaningful visual content
  • Color alone must never be the only way to communicate meaning (add icons, text, or patterns alongside color)
  • Text must meet a 4.5:1 contrast ratio against its background (3:1 for large text 18px bold or 24px regular)

2. Operable

Users must be able to operate all interface components using any input method.

  • Every interactive element must be reachable and usable with keyboard alone (no mouse required)
  • No keyboard traps: users must be able to Tab into and out of every component
  • Provide a "Skip to main content" link as the first focusable element on each page
  • Focus indicators must be clearly visible (never hide them with outline: none unless you provide a replacement)

3. Understandable

Users must be able to understand both the content and how the interface works.

  • Set the page language with lang="en" on the <html> element (screen readers use this for pronunciation)
  • Navigation must be consistent across all pages (same order, same labels)
  • Form validation errors must be identified with text descriptions, not just a red border or color change
  • Labels and instructions must appear before or alongside form inputs, not only as placeholder text

4. Robust

Content must work reliably across browsers, devices, and assistive technologies.

  • Write valid HTML with no duplicate id attributes (screen readers rely on unique IDs for label associations)
  • All custom interactive components need appropriate ARIA roles (e.g., role="tablist", role="dialog")
  • Dynamic status messages must use role="status" (polite) or role="alert" (urgent) so screen readers announce them
  • Use semantic HTML elements first (<nav>, <main>, <header>) before reaching for ARIA attributes

4-Phase Accessibility Audit Process

A structured approach that catches the vast majority of accessibility issues. Run all four phases in order.

Phase 1

Automated Scanning

Catches roughly 30% of issues. Start here because it's fast and free.

Tools

  • axe DevTools (Chrome extension, free) - best starting point for most developers
  • Lighthouse (built into Chrome DevTools, Audits tab) - includes accessibility scoring
  • WAVE (browser extension) - provides visual overlay of issues directly on the page

What They Catch

  • Missing alt text on images
  • Contrast ratio violations
  • Missing form labels
  • Invalid ARIA attributes

What They Miss

  • Whether alt text is actually meaningful (they only check if it exists)
  • Logical focus order and tab sequence
  • Whether interactive patterns are understandable to users
Phase 2

Keyboard Testing

Catches roughly 25% of issues. Put your mouse away and Tab through the entire application.

Test These Interactions

  • Can you reach every interactive element with Tab?
  • Is the focus indicator visible on every focused element?
  • Does Enter/Space activate buttons and links?
  • Does Escape close modals and popups?
  • Do arrow keys navigate within dropdowns, tabs, and menus?

Common Failures

  • <div onClick> used instead of <button> (divs aren't keyboard focusable by default)
  • outline: none applied globally without a visible replacement focus style
  • Modal dialogs that have no Escape key handler and no focus trap
Phase 3

Screen Reader Testing

Catches roughly 30% of issues. Test with at least one screen reader.

Free Screen Readers

  • VoiceOver (macOS and iOS, built-in, free)
  • NVDA (Windows, free and open-source download)
  • TalkBack (Android, built-in, free)

What to Verify

  • Headings announce their correct level (h1, h2, h3) and text
  • Form labels are read aloud when the input receives focus
  • Buttons and links have descriptive names (not just "button" or "click here")
  • Dynamic content changes are announced (toast messages, loading states)

Common AI Failures

  • Buttons announced as generic "button" instead of "Submit application"
  • Images announced as "image" because alt text is missing or empty on meaningful images
  • Form inputs without associated labels (screen reader says "edit text" with no context)
  • Dynamic content not announced because aria-live regions are missing
Phase 4

Visual and Cognitive Testing

Catches roughly 15% of issues. These are the problems automated tools and keyboard testing overlook.

Contrast

  • Use the WebAIM Contrast Checker to verify all text meets 4.5:1 (or 3:1 for large text)
  • Check contrast on focus indicators, icons, and form field borders too

Zoom and Reflow

  • Zoom the browser to 200% and verify all content remains readable with no overlapping text
  • Resize the browser window to 320px wide and verify there's no horizontal scrollbar

Motion and Animation

  • Enable "Reduce motion" in your OS accessibility settings
  • Verify all animations respect the prefers-reduced-motion media query
  • No content should auto-play, flash, or move without user control

Fixing Common AI-Generated Accessibility Issues

AI code generators consistently produce these seven patterns. Each one is a WCAG failure and a potential lawsuit trigger.

1. The Div-Soup Problem

AI wraps everything in <div> elements instead of using semantic HTML for interactive controls.

// Bad: div is not a button

<div onClick={handleSubmit}>

Submit

</div>

// Good: semantic button element

<button onClick={handleSubmit}>

Submit

</button>

2. Missing Form Labels

AI uses placeholder text as the only label. Placeholders disappear on focus and aren't announced by all screen readers.

// Bad: no label, placeholder only

<input placeholder="Email" />

// Good: explicit label association

<label htmlFor="email">Email</label>

<input id="email" type="email" />

3. Click Handlers on Non-Interactive Elements

A <div onClick> is invisible to keyboard and screen reader users. If you can't use a <button>, you need three additions.

// Bad: keyboard users cannot activate

<div onClick={toggle}>Menu</div>

// Good: keyboard accessible div

<div role="button" tabIndex={0}

onClick={toggle}

onKeyDown={(e) =>

(e.key === 'Enter' || e.key === ' ') && toggle()

}>Menu</div>

4. Images Without Alt Text

AI omits alt attributes entirely or sets them to the filename. Screen readers will read the full file path instead.

// Bad: no alt attribute

<img src="/team-photo.jpg" />

// Good: descriptive or empty alt

<img src="/team.jpg" alt="Team at 2025 summit" />

// Decorative image: empty alt

<img src="/divider.svg" alt="" />

5. Color-Only Indicators

AI marks errors with red text or borders alone. Users who are colorblind or using monochrome displays can't distinguish these.

// Bad: color is the only indicator

<span style={{color: 'red'}}>

Invalid email

</span>

// Good: icon + text + color

<span role="alert" className="text-red-500">

⚠ Error: Please enter a valid email

</span>

6. Focus Management in Modals

AI creates modal dialogs that lack focus trapping. Keyboard users Tab behind the modal into invisible page content.

// Bad: no trap, no escape, no role

<div className="modal">

<p>Confirm?</p>

</div>

// Good: role, label, escape handler

<FocusTrap>

<div role="dialog"

aria-labelledby="modal-title"

onKeyDown={(e) =>

e.key === 'Escape' && close()

}>

<h2 id="modal-title">Confirm</h2>

</div>

</FocusTrap>

7. Insufficient Contrast

AI selects colors for aesthetics, not accessibility. Light gray on white is a common failure.

// Bad: 2.5:1 ratio (fails WCAG)

color: #999999;

background: #ffffff;

// Good: 7.0:1 ratio (passes AAA)

color: #595959;

background: #ffffff;

// Check: webaim.org/resources/contrastchecker

Accessibility Audit Prompt

Copy this prompt and paste it into your AI assistant alongside your code to get a thorough accessibility review.

"Perform a complete WCAG 2.1 AA accessibility audit on my [framework] application. Test every component and page. For each failure: state the WCAG criterion number and name, the specific element that fails, the exact code fix needed, and priority (critical/high/medium/low). Pay special attention to: div/span elements used instead of semantic HTML, missing form labels, click handlers on non-interactive elements, images without alt text, insufficient color contrast, missing keyboard navigation, missing ARIA labels on custom components, no focus management in modals, and dynamic content that is not announced to screen readers. Group your findings by page and sort by priority within each page."

Four Steps Cover 90% of Accessibility Issues

(1) Run an automated scanner like axe DevTools. (2) Test the entire app with keyboard only. (3) Test with a screen reader (VoiceOver, NVDA, or TalkBack). (4) Check color contrast with WebAIM Contrast Checker. Then use AI to generate fixes for everything you find. This process takes 1-3 hours for a typical application and prevents lawsuits that cost $5,000-$75,000 in settlements.