Data privacy compliance is mandatory for any business that collects personal data from EU residents (GDPR), California residents (CCPA/CPRA), or residents of 15+ other US states with comprehensive privacy laws. Fines can reach €20 million or 4% of global revenue under GDPR, and $7,500 per intentional violation under CCPA. This interactive checklist helps you track compliance requirements. Progress is saved automatically. This tool provides general information only, not legal advice. Consult a licensed attorney for legal guidance specific to your situation.
GDPR (General Data Protection Regulation)
Applies to: businesses processing personal data of EU residents
CCPA / CPRA (California)
Applies to: for-profit businesses meeting CA thresholds (>$25M revenue, or 100K+ consumers)
State Privacy Laws (VA, CO, CT, UT & others)
Applies to: businesses with 100,000+ state consumers annually or selling data of 25,000+ consumers
How to Use This Data Privacy Compliance Checklist
Data privacy compliance is no longer optional for most businesses. A small e-commerce site with European customers must comply with GDPR. A California-based SaaS company above $25M revenue must comply with CCPA. Using this checklist systematically helps you identify gaps before regulators or plaintiffs find them first.
Start with the Right Regulation
Determine which laws apply to you first. GDPR applies if you have EU users or customers — this is broader than you think. If you use Google Analytics on a website accessible in Europe, you're processing EU residents' data and GDPR requirements (specifically cookie consent) apply. CCPA/CPRA applies to California-directed businesses meeting revenue or data volume thresholds. State laws like Virginia's VCDPA apply to businesses with 100,000+ Virginia consumers annually.
The Privacy Policy Is Just the Start
Most businesses post a privacy policy and think they're done — they're not. GDPR requires a detailed Record of Processing Activities (RoPA), Data Processing Agreements with every vendor that handles personal data, and cookie consent mechanisms. CCPA requires a "Do Not Sell My Personal Information" link and a mechanism to honor opt-out requests within 45 days. The policy describes your practices; the technical and operational controls are what actually create compliance.
Data Breach Response Preparation
GDPR requires reporting personal data breaches to the supervisory authority within 72 hours of becoming aware. CCPA provides a private right of action for data breaches resulting from inadequate security. You need a documented incident response plan before a breach occurs, not after. Key elements: a designated privacy contact, a list of data assets and where they're stored, a breach assessment checklist, and a contact list for regulators.
Vendor Management Is Often the Biggest Gap
GDPR requires written Data Processing Agreements (DPAs) with every vendor who processes personal data on your behalf — your email platform, analytics tool, CRM, payment processor, cloud storage provider. Many businesses use dozens of SaaS tools and have DPAs with none of them. Start by listing all tools that touch personal data and check if the vendor offers a standard DPA (most major vendors like Google, AWS, Mailchimp have them available).
FAQ
Is this data privacy compliance checklist free?
Yes, completely free with no signup required. Your progress is saved in your browser's localStorage. This tool provides general information only, not legal advice. Consult a licensed attorney for legal guidance specific to your situation.
Does GDPR apply to US companies?
Yes — GDPR applies to any organization that processes personal data of EU residents, regardless of where the organization is based. If you have EU customers or users, GDPR applies even if your business is in the US. The regulation covers: websites that use cookies or analytics, email marketing to EU subscribers, and any service collecting personal data from EU residents.
What does CCPA require for small businesses?
CCPA applies to for-profit businesses that meet at least one of these thresholds: annual gross revenue over $25 million, annually buy/sell/receive/share personal information of 100,000+ consumers or households, or derive 50%+ of annual revenue from selling consumers' personal information. Many small businesses fall below these thresholds. CPRA (2023 amendment) raised some thresholds slightly.
What is 'consent' under GDPR?
GDPR requires consent to be freely given, specific, informed, and unambiguous — indicated by a clear affirmative action (checking a box, clicking 'I agree'). Pre-checked boxes don't constitute consent. Consent must be as easy to withdraw as to give. Consent cannot be bundled with terms of service for a service you need. Marketing consent must be separate from service consent.
What happens if I violate GDPR?
GDPR penalties come in two tiers: less severe violations (inadequate security, no DPA agreements, no impact assessments) can result in fines up to €10 million or 2% of global annual revenue. More severe violations (unlawful data processing, violating core principles, children's data) can result in fines up to €20 million or 4% of global annual revenue, whichever is higher. The FTC and state AGs enforce CCPA violations — CCPA allows $2,500/unintentional violation, $7,500/intentional violation.
What US states have comprehensive privacy laws?
As of 2025, states with comprehensive privacy laws include: California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Iowa (ICDPA), Indiana (IDPA), Tennessee (TIPA), Montana (MCDPA), Oregon (OCPA), and more. The laws vary but share similar rights: right to access, delete, correct, and opt-out of data sales. A federal privacy law is under discussion but hasn't passed.