Legal pages linked from registration, checkout, and footer
Why it matters
GDPR Art. 13 requires that privacy information be provided at the time personal data are obtained, which means the Privacy Policy must be linked at or before the registration form's submit button, not discoverable only through the footer. CCPA §1798.130(a)(5)(A) requires a "conspicuous link" to the privacy policy on the homepage and at points of collection. ePrivacy Directive Art. 5(3) requires clear and comprehensive information and consent at the point where cookies or other tracking are set. A footer-only privacy link does not satisfy these requirements; regulators look for proximity of the link to the data collection action. Missing legal links at checkout also weaken the merchant's position in chargeback disputes: card-network dispute rules expect evidence that the customer had access to the refund terms before completing the transaction.
Severity rationale
Info because missing legal links at registration and checkout, while a compliance gap, are remediated by a short block of markup per surface rather than by an architectural change.
Remediation
Add legal links to footer, registration form, and checkout page in a single pass. Each surface has a specific requirement.
// 1. Footer — legal nav group
// components/Footer.tsx
<div className="flex flex-wrap gap-4 text-sm text-muted-foreground">
  <a href="/terms">Terms of Service</a>
  <a href="/privacy">Privacy Policy</a>
  {hasPayments && <a href="/refund-policy">Refund Policy</a>}
  {hasUGC && <a href="/acceptable-use">Acceptable Use</a>}
</div>
// 2. Registration form — directly below the submit button, visible before the user submits
// app/register/page.tsx
<p className="text-xs text-muted-foreground text-center">
  By creating an account, you agree to our{' '}
  <a href="/terms" className="underline">Terms of Service</a>{' '}and{' '}
  <a href="/privacy" className="underline">Privacy Policy</a>.
</p>
// 3. Checkout — near the payment button
// app/checkout/page.tsx
<p className="text-xs text-muted-foreground text-center">
  By completing your purchase, you agree to our{' '}
  <a href="/terms" className="underline">Terms of Service</a>{' '}and{' '}
  <a href="/refund-policy" className="underline">Refund Policy</a>.
</p>
Detection
- ID: linked-from-registration
- Severity: info
- What to look for: Enumerate every relevant item. Check three specific surfaces for legal page links. (1) Footer: inspect the footer component for links to Terms, Privacy Policy, and any other applicable legal pages; check both the link text and the href. (2) Registration/signup form: inspect the registration page and form for a legal acknowledgment near the submit button. This can be a checkbox ("I agree to the Terms of Service and Privacy Policy"), inline text ("By signing up, you agree to..."), or a visible link in proximity to the signup CTA. (3) Checkout flow: if payment features are present, inspect the checkout page for a reference to the Terms of Service and Refund Policy; users completing a purchase should have access to the legal terms governing that purchase. For every legal link, check that the href targets the correct route (not a broken link, and not a placeholder such as /).
- Pass criteria: All of the following conditions are met for each surface that exists. Footer includes links to all applicable legal pages. Registration flow includes at minimum a reference to Terms and Privacy Policy before form submission. Checkout flow (if present) references Terms and Refund Policy. All links point to valid, existing routes.
- Fail criteria: Any of the following. Footer has no legal links. Registration form has no Terms or Privacy reference. Checkout has no reference to Terms or Refund Policy. Legal links in footer point to 404 routes.
- Skip (N/A) when: Application has no footer component, no registration flow, and no checkout flow. This would be an API-only service, which is extremely rare for a project with legal pages.
- Detail on fail: Specify which surfaces are missing. Examples:
  "Footer component found but has no links to /terms or /privacy. No legal navigation."
  "Registration form found but no legal acknowledgment or link to Terms/Privacy near the submit button."
  "Stripe checkout integration present but no reference to Terms or Refund Policy on the pricing or checkout pages."
- Remediation: Add legal links to all three surfaces systematically:
  // 1. Footer — add legal nav section
  // components/Footer.tsx
  <div className="border-t mt-8 pt-6 flex flex-wrap gap-4 text-sm text-muted-foreground">
    <a href="/terms">Terms of Service</a>
    <a href="/privacy">Privacy Policy</a>
    {hasPayments && <a href="/refund-policy">Refund Policy</a>}
    {hasUGC && <a href="/acceptable-use">Acceptable Use</a>}
  </div>
  // 2. Registration form — add below the submit button
  // app/register/page.tsx
  <p className="text-xs text-muted-foreground text-center">
    By creating an account, you agree to our{' '}
    <a href="/terms" className="underline hover:text-foreground">Terms of Service</a>
    {' '}and{' '}
    <a href="/privacy" className="underline hover:text-foreground">Privacy Policy</a>.
  </p>
  // 3. Checkout — add near the payment button
  // app/checkout/page.tsx
  <p className="text-xs text-muted-foreground text-center">
    By completing your purchase, you agree to our{' '}
    <a href="/terms" className="underline">Terms of Service</a>
    {' '}and{' '}
    <a href="/refund-policy" className="underline">Refund Policy</a>.
  </p>
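The "What to look for" procedure above, as an added example that is not part of this rule's own tooling: a static checker that reads the three surface sources, collects every anchor whose visible text names a legal page, and reports the same defect classes the pass/fail criteria describe (required link missing, href pointing at a route with no page, placeholder href such as /, and a form link that is not near the submit control). The Next.js file layout, the 600-character proximity threshold, and the two sample repositories are assumptions constructed for the example.

```python
"""Static check for the linked-from-registration rule: find every <a>/<Link> whose visible text
names a legal page on the footer, registration and checkout sources, then verify each required
href is present, resolves to a real route, is not a placeholder and (on forms) sits near the
submit control. Added example, not the rule's own tooling; paths, threshold and samples are assumed."""
import re
from dataclasses import dataclass, field

# Surface -> source file to inspect (assumed Next.js layout, as in the Remediation section).
SURFACE_FILES = {"footer": "components/Footer.tsx", "registration": "app/register/page.tsx",
                 "checkout": "app/checkout/page.tsx"}
# Surface -> required hrefs; the footer additionally needs /refund-policy when payments exist.
REQUIRED = {"footer": ["/terms", "/privacy"], "registration": ["/terms", "/privacy"],
            "checkout": ["/terms", "/refund-policy"]}
PLACEHOLDERS = {"", "/", "#"}
PROXIMITY_CHARS = 600  # assumed threshold: a link further than this from the submit control is "not near" it
ANCHOR_RE = re.compile(r'<(a|Link)\b[^>]*?href=\{?["\']([^"\']*)["\']\}?[^>]*>(.*?)</\1>', re.S)
LEGAL_TEXT_RE = re.compile(r"terms|privacy|refund|acceptable use", re.I)
SUBMIT_RE = re.compile(r'type=["\']submit["\']')


@dataclass
class Finding:
    surface: str
    status: str  # "pass", "fail" or "skip"
    missing: list = field(default_factory=list)  # required hrefs absent from the surface
    broken: list = field(default_factory=list)   # required hrefs present but with no page behind them
    placeholder: bool = False      # a legal-text link points at "/", "#" or nothing
    far_from_submit: bool = False  # forms only: a required link is not near the submit control


def route_exists(href, files):
    """/x exists if the App Router (app/x/page.tsx) or Pages Router (pages/x.tsx) has a page for it."""
    name = href.strip("/")
    return f"app/{name}/page.tsx" in files or f"pages/{name}.tsx" in files


def check_surface(surface, files, has_payments):
    path = SURFACE_FILES[surface]
    if path not in files:
        return Finding(surface, "skip")
    src = files[path]
    # (href, offset) for every anchor whose visible text names a legal page
    anchors = [(m.group(2), m.start()) for m in ANCHOR_RE.finditer(src) if LEGAL_TEXT_RE.search(m.group(3))]
    hrefs = {href for href, _ in anchors}
    finding = Finding(surface, "pass", placeholder=any(h in PLACEHOLDERS for h in hrefs))
    required = REQUIRED[surface] + (["/refund-policy"] if surface == "footer" and has_payments else [])
    for need in required:
        if need not in hrefs:
            finding.missing.append(need)
        elif not route_exists(need, files):
            finding.broken.append(need)
    submit = SUBMIT_RE.search(src) if surface != "footer" else None
    if submit:  # proximity check: every required link must sit close to the submit control
        finding.far_from_submit = any(abs(off - submit.start()) > PROXIMITY_CHARS
                                      for href, off in anchors if href in required)
    if finding.missing or finding.broken or finding.placeholder or finding.far_from_submit:
        finding.status = "fail"
    return finding


def check_legal_links(files, has_payments):
    """Overall is skip only when no surface exists (API-only service), fail if any surface fails."""
    surfaces = {s: check_surface(s, files, has_payments) for s in SURFACE_FILES}
    statuses = {f.status for f in surfaces.values()}
    overall = "skip" if statuses == {"skip"} else ("fail" if "fail" in statuses else "pass")
    return {"overall": overall, "surfaces": surfaces}


def describe(result):
    """One detail-on-fail line per failing surface, naming exactly what is wrong."""
    lines = []
    for f in [s for s in result["surfaces"].values() if s.status == "fail"]:
        problems = [text for cond, text in (
            (f.missing, "missing " + ", ".join(f.missing)),
            (f.broken, "no page for " + ", ".join(f.broken)),
            (f.placeholder, "legal link uses a placeholder href"),
            (f.far_from_submit, "legal link is not near the submit control")) if cond]
        lines.append(f"{f.surface}: " + "; ".join(problems))
    return lines


# Constructed sample repository (not a real project): the footer links Privacy Policy to "/",
# registration is correct, and checkout links /refund-policy although no such page exists.
SAMPLE_REPO = {
    "app/terms/page.tsx": "export default function Terms() { return <h1>Terms</h1>; }",
    "app/privacy/page.tsx": "export default function Privacy() { return <h1>Privacy</h1>; }",
    "components/Footer.tsx": '<div>\n  <a href="/">Home</a>\n  <a href="/terms">Terms of Service</a>\n'
                             '  <a href="/">Privacy Policy</a>\n</div>',
    "app/register/page.tsx": '<form>\n  <input name="email" />\n  <button type="submit">Create account</button>\n'
                             '  <p>By creating an account, you agree to our <a href="/terms">Terms of Service</a>'
                             ' and <a href="/privacy">Privacy Policy</a>.</p>\n</form>',
    "app/checkout/page.tsx": '<form>\n  <button type="submit">Pay now</button>\n  <p>By completing your purchase,'
                             ' you agree to our <a href="/terms">Terms of Service</a> and'
                             ' <a href="/refund-policy">Refund Policy</a>.</p>\n</form>',
}
# The same repository after remediation: a real /refund-policy page and a corrected footer.
FIXED_REPO = {**SAMPLE_REPO,
              "app/refund-policy/page.tsx": "export default function Refunds() { return <h1>Refunds</h1>; }",
              "components/Footer.tsx": '<div>\n  <a href="/terms">Terms of Service</a>\n'
                                       '  <a href="/privacy">Privacy Policy</a>\n'
                                       '  <a href="/refund-policy">Refund Policy</a>\n</div>'}
```

Running check_legal_links(SAMPLE_REPO, has_payments=True) yields overall "fail" with two detail lines (the footer is missing /privacy and /refund-policy and has a placeholder href; checkout's /refund-policy link has no page behind it), while FIXED_REPO passes and an empty file map is reported as skip. The checker keys on visible link text rather than on every href, so an ordinary home link to / in the footer is not mistaken for a placeholder legal link.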
External references
- gdpr · Art. 13 — Privacy information must be provided at time personal data is collected — requires link at point of data collection (registration, checkout)
- ccpa · §1798.130(a)(5)(A) — Privacy notice must be conspicuously posted including at or before the point of collection
- eprivacy · Art. 5(3) — ePrivacy Directive — clear and comprehensive information must be provided before cookies/tracking begins at registration
Taxons
History
- 2026-04-18·v1.0.0·Initial import from legal-pages-compliance·automated