Privacy Compliance Checklist
Hit the minimum privacy requirements in under an hour using this checklist.
What this covers: the minimum privacy requirements you can meet in under an hour using this checklist, including a privacy policy (required everywhere) and a data inventory to start from.
Who it’s for: Business owners and site administrators who need to meet legal and regulatory requirements.
Key outcome: You’ll have a comprehensive data inventory documenting every piece of personal data your site collects, where it’s stored, and who can access it, and a privacy policy, cookie policy, and terms of service published and linked from every page footer.
Time to read: 7 minutes
Part of: Privacy + Compliance series
Don’t have time for the full GDPR/CCPA guides? Here’s the minimum you need to not get sued.
Privacy Policy (Required Everywhere)
Every website needs one. It must include:
- What data you collect (emails, names, cookies, analytics)
- Why you collect it
- Who you share it with (Google Analytics counts)
- How users can request deletion
- Your contact information
Generate one: TermsFeed, Iubenda, or Termly.
Placement: Footer link on every page, labeled “Privacy Policy.”
Start with a Data Inventory
You cannot write an accurate privacy policy or configure cookie consent without first knowing what data you actually collect. Most site owners undercount by 40-60% because they forget about third-party scripts and passive data collection.
Walk through every page of your site and document each data collection point in a spreadsheet with these columns:
- Data type: What is collected (email address, IP address, device fingerprint, cookie ID)
- Collection method: How it is captured (form submission, JavaScript tracker, server log, embedded iframe)
- Storage location: Where it lives (your database, Mailchimp, Google Analytics, a CRM)
- Retention period: How long you keep it (indefinite is the wrong answer — pick a number)
- Legal basis: Why you are allowed to collect it (consent, legitimate interest, contractual necessity)
Common data sources people miss: Google Fonts (sends visitor IP to Google), embedded YouTube videos (sets cookies), social share buttons (track users across sites), and Gravatar (leaks email hashes to Automattic). Check your page source and the Network tab in DevTools — every third-party request is a potential data flow you need to document.
This inventory is not a one-time exercise. Update it whenever you add a new plugin, embed, analytics tool, or form. A quarterly review takes 30 minutes and keeps you honest.
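A quick way to seed the inventory from a page’s source is to list every host the page pulls resources from and treat each one as a recipient to document. The script below is an added example, not part of this checklist or any vendor’s tool: it scans saved HTML for script, iframe, image, stylesheet, media and form targets, drops anything on your own host, and groups the rest by third-party host. The sample page source and all hosts in it are constructed placeholders, except Google Fonts and YouTube, which the checklist itself names. It runs under Node.js with no dependencies.

```javascript
// Added example (not from the article): list every third-party host a page's
// source sends requests to, so each one can be entered in the data inventory.

// Elements whose src/href/action attribute triggers a network request at load
// or submit time; plain <a> links are navigation, not data flows, so they are skipped.
const RESOURCE_TAGS = /<(script|iframe|img|link|form|video|audio|source)\b([^>]*)>/gi;
const URL_ATTRS = /\b(src|href|action)\s*=\s*["']([^"']+)["']/i;

// Resolve a raw attribute value against the page URL. Returns null for values
// that never leave the browser (data:, javascript:, mailto:, tel:, fragments).
function resolveUrl(raw, pageUrl) {
  const value = raw.trim();
  if (/^(data:|javascript:|mailto:|tel:|#)/i.test(value)) return null;
  try {
    const u = new URL(value, pageUrl); // protocol-relative "//host/x" resolves to the page scheme
    return /^https?:$/.test(u.protocol) ? u : null;
  } catch {
    return null;
  }
}

// Return { host, tag, attr, url } for each resource whose host differs from the
// page's own host. Relative and same-host URLs are first-party and skipped.
function findThirdPartyResources(html, pageUrl) {
  const ownHost = new URL(pageUrl).hostname;
  const found = [];
  let match;
  while ((match = RESOURCE_TAGS.exec(html)) !== null) {
    const [, tag, attrs] = match;
    const attrMatch = URL_ATTRS.exec(attrs);
    if (!attrMatch) continue; // e.g. inline <script> without src
    const [, attr, raw] = attrMatch;
    const url = resolveUrl(raw, pageUrl);
    if (!url || url.hostname === ownHost) continue;
    found.push({ host: url.hostname, tag: tag.toLowerCase(), attr, url: url.href });
  }
  return found;
}

// Group findings by host: the unit you document is the recipient, not each request.
function inventoryByHost(html, pageUrl) {
  const byHost = {};
  for (const r of findThirdPartyResources(html, pageUrl)) {
    if (!byHost[r.host]) byHost[r.host] = [];
    byHost[r.host].push(`${r.tag}[${r.attr}] ${r.url}`);
  }
  return byHost;
}

// Constructed sample page source. Hosts ending in .example are placeholders.
const PAGE_URL = 'https://www.example.com/contact';
const SAMPLE_HTML = `<!doctype html>
<html><head>
<link rel="stylesheet" href="/assets/site.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<script src="/assets/app.js"></script>
<script async src="https://analytics.example/tag.js?id=EXAMPLE"></script>
</head><body>
<form action="/contact" method="post"><input name="email"></form>
<form action="https://forms.example/submit/EXAMPLE" method="post"><input name="email"></form>
<iframe src="https://www.youtube.com/embed/EXAMPLE"></iframe>
<img src="//cdn.example/pixel.gif" alt="">
<img src="data:image/gif;base64,R0lGODlh" alt="">
</body></html>`;

console.log(JSON.stringify(inventoryByHost(SAMPLE_HTML, PAGE_URL), null, 2));
```

Each host in the output is a row for the inventory: the element type tells you the collection method (embedded iframe, JavaScript tracker, external form handler), and the host tells you who receives the visitor’s IP and any cookies. Resources injected later by scripts, such as a tag manager loading further tags, will not appear in static source; that is exactly the case the DevTools Network tab catches.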
Cookie Consent (EU/UK/California Visitors)
If you have visitors from Europe, UK, or California, you need a cookie banner that:
- Appears before any non-necessary cookies are set
- Has a “Reject All” button as prominent as “Accept All”
- Actually blocks cookies until consent is given (not just a notice)
Most “cookie banners” are fake – they show a notice but don’t block anything. That’s not compliant. Test yours: decline cookies, then check DevTools → Network to see if GA or Facebook Pixel still loads.
Cookie categorization matters. Your consent tool should group cookies into these standard categories, and users should be able to opt in or out of each independently:
- Strictly necessary: Session cookies, CSRF tokens, load balancer cookies. These do not require consent and cannot be blocked.
- Analytics/performance: Google Analytics, Hotjar, Plausible. Require consent in the EU. Blocked until opt-in.
- Marketing/advertising: Facebook Pixel, Google Ads tags, retargeting scripts. Require consent everywhere that has privacy law. Always blocked by default.
- Functional: Language preferences, chat widget state, video player settings. Gray area — best practice is to treat as requiring consent.
If you are unsure which category a cookie belongs to, scan your site with your consent tool’s built-in scanner or use CookieServe (free). Categorize conservatively — if in doubt, require consent.
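What “blocks cookies until consent is given” looks like in code: tags are registered with a category, nothing outside strictly necessary is loaded until the visitor opts in to that category, and every decision is recorded with a timestamp so you can later prove consent. The consent manager below is an added example written for this checklist, not the code of any consent tool named on the page. The tag registry, hosts and policy version are constructed placeholders; the script loader is injectable so the same logic runs under Node.js for testing and in a browser with the default loader.

```javascript
// Added example (not from the article): consent-gated loading of third-party
// tags by cookie category, with a timestamped consent log for audit purposes.

const CATEGORIES = ['necessary', 'analytics', 'marketing', 'functional'];

// Constructed tag registry: every third-party script is declared with its category.
// Hosts are placeholders, not real vendor URLs.
const TAG_REGISTRY = [
  { name: 'analytics-tag', category: 'analytics', src: 'https://analytics.example/tag.js?id=EXAMPLE' },
  { name: 'ad-pixel', category: 'marketing', src: 'https://ads.example/pixel.js' },
  { name: 'chat-widget', category: 'functional', src: 'https://chat.example/widget.js' },
  { name: 'csrf-helper', category: 'necessary', src: '/assets/csrf.js' },
];

// Default state: only strictly necessary is on. Nothing else loads until the
// visitor acts, which is what "blocked until consent" means in practice.
function defaultChoices() {
  return { necessary: true, analytics: false, marketing: false, functional: false };
}

// Browser loader: appends a <script> tag. Under Node.js a stub is injected instead.
function browserLoader(src) {
  const s = document.createElement('script');
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}

function createConsentManager({ loadScript = browserLoader, now = () => new Date(), policyVersion = 'policy-v1' } = {}) {
  let choices = defaultChoices();
  const loaded = new Set(); // tag names already injected; each loads at most once
  const log = [];           // audit trail of every consent decision

  function assertCategory(c) {
    if (!CATEGORIES.includes(c)) throw new Error(`unknown cookie category: ${c}`);
  }

  // Audit record: the action, the resulting choices, when, and which policy text applied.
  function record(action) {
    const entry = { action, timestamp: now().toISOString(), policyVersion, choices: { ...choices } };
    log.push(entry);
    return entry;
  }

  const isAllowed = (category) => {
    assertCategory(category);
    return choices[category] === true;
  };

  return {
    isAllowed,
    // "Accept All" and "Reject All" must be equally available; both are one call.
    acceptAll() { choices = Object.fromEntries(CATEGORIES.map((c) => [c, true])); return record('accept_all'); },
    rejectAll() { choices = defaultChoices(); return record('reject_all'); },
    // Per-category choice; 'necessary' cannot be switched off.
    update(partial) {
      for (const [c, v] of Object.entries(partial)) {
        assertCategory(c);
        if (c !== 'necessary') choices[c] = v === true;
      }
      return record('update');
    },
    // Load every registered tag whose category is allowed. Returns the names loaded now.
    applyTags(registry = TAG_REGISTRY) {
      const justLoaded = [];
      for (const tag of registry) {
        if (loaded.has(tag.name) || !isAllowed(tag.category)) continue;
        loadScript(tag.src);
        loaded.add(tag.name);
        justLoaded.push(tag.name);
      }
      return justLoaded;
    },
    consentLog() { return log.slice(); },
  };
}

// Stand-alone demonstration under Node.js (no DOM): loads are printed, not injected.
if (typeof document === 'undefined') {
  const cm = createConsentManager({ loadScript: (src) => console.log('load', src) });
  console.log('before any choice:', cm.applyTags());   // only the necessary tag
  cm.rejectAll();
  console.log('after reject:', cm.applyTags());        // nothing new
  cm.update({ analytics: true });
  console.log('after analytics opt-in:', cm.applyTags());
  console.log(JSON.stringify(cm.consentLog(), null, 2));
}
```

The important property is that a tag’s `src` is never fetched before `isAllowed` returns true for its category, so the DevTools test in the previous section passes: decline, and the analytics and marketing hosts never appear in the Network tab. Persist the entries from `consentLog()` (for example in a first-party cookie or your backend) so that a later request for proof of consent can be answered.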
Tools that actually work:
Vendor Assessment and Data Processing Agreements
Every third-party service that handles personal data on your behalf is a “data processor” under GDPR (and carries similar obligations under CCPA). You need a Data Processing Agreement (DPA) with each one. This is not optional — it is a legal requirement, and it is also your protection if a vendor has a breach.
For most small websites, the vendor list looks like this:
- Hosting provider (stores server logs, database with user data)
- Email marketing platform (Mailchimp, ConvertKit, etc.)
- Analytics (Google Analytics, Plausible, Fathom)
- Payment processor (Stripe, PayPal)
- Form handler (if different from your CMS)
- CDN provider (Cloudflare, Fastly — they see all traffic)
Most major vendors have a DPA available on their website — search for “[vendor name] DPA” or look in their legal/compliance section. Download, countersign, and store them. For vendors without a published DPA, send a written request. If they cannot or will not provide one, that is a red flag — consider switching to a vendor that takes data protection seriously.
Note: DPA requirements and vendor assessment specifics vary by jurisdiction and business context. Consult with a qualified privacy attorney or data protection officer for guidance tailored to your situation.
Data Deletion Process
You must be able to delete someone’s data if they ask. For small sites:
- Set up privacy@yoursite.com
- Respond within 30 days (GDPR) or 45 days (CCPA)
- Know where user data lives (email lists, CRM, analytics)
Realistic Timelines for Compliance
Privacy compliance is not an afternoon project, despite what tool vendors claim. Here is what to expect based on site complexity:
- Simple brochure site (under 10 pages, contact form + analytics only): 4-8 hours. Generate a privacy policy, install and configure a cookie consent tool, document your 3-5 data flows, and collect DPAs from your 2-3 vendors.
- Content site with email marketing (10-100 pages, newsletter, multiple forms): 2-4 days spread over 1-2 weeks. The data inventory takes longer, cookie categorization requires testing, and you likely have 5-10 vendors needing DPAs.
- E-commerce or membership site (user accounts, payment data, order history): 1-3 weeks of focused work. You will need a data retention policy, a formal DSAR fulfillment process, and likely a Data Protection Impact Assessment for your highest-risk processing. Strongly consider engaging a privacy consultant or attorney at this level.
These timelines cover initial setup. Ongoing maintenance — reviewing policies, updating the data inventory, handling deletion requests — adds 1-2 hours per month for most small sites.
The Litmus Test
Can you answer: “What data do you have on me and how do I get it deleted?”
If yes, you’re probably compliant. If no, fix that first.
Need More Detail?
- EU visitors: See our GDPR Compliance Guide
- California visitors: See our CCPA Compliance Guide
- Full cookie setup: See our Cookie Consent Guide
The Final Privacy Check
- Privacy policy is published and linked in footer
- Cookie consent banner blocks tracking until consent
- Data collection forms mention how data will be used
- Process exists for handling data deletion requests
Privacy Compliance Questions Answered
What is the first step in becoming privacy compliant?
Start with a data mapping exercise: document every type of personal data you collect, where it is stored, who has access, why you collect it, and how long you retain it. You cannot comply with any privacy law without first understanding your data flows. This inventory becomes the foundation for your privacy policy, consent mechanisms, and deletion processes.
Do small websites need a privacy policy?
Any website that collects personal data (including via analytics cookies, contact forms, or email signups) needs a privacy policy. California’s CalOPPA requires a privacy policy for any site collecting information from California residents, which effectively means every public-facing website. Fines for missing privacy policies start at $2,500 per violation.
How often should you update your privacy policy?
Review your privacy policy at least annually and update it whenever you add new data collection methods, change processors or vendors, enter new markets, or change how you use existing data. Notify users of material changes via email or a prominent site banner, and keep an archived version history with dates.
What privacy tools should every website have?
At minimum: a cookie consent management platform (CMP), a published privacy policy with last-updated date, a data subject access request (DSAR) process, and a data processing agreement with every third-party vendor handling personal data. For higher-risk sites, add a data protection impact assessment (DPIA) process and breach notification procedures.
✓ Your Privacy Compliance Baseline Is Complete
- A comprehensive data inventory documents every piece of personal data your site collects, where it’s stored, and who can access it
- Privacy policy, cookie policy, and terms of service are published and linked from every page footer
- Cookie consent captures and logs proof of consent with timestamps for audit purposes
- A data breach response plan exists with assigned roles, notification timelines, and authority contact details
- Data Protection Impact Assessments (DPIAs) have been completed for high-risk processing activities
Test it: Walk through your data inventory spreadsheet and verify every listed data source matches a real collection point on your site — if any are missing or outdated, your inventory needs updating.