# Privacy Compliance Quality Checklist

## 1. Data Inventory (7 items)
- [ ] All data collection points identified (registration, checkout, browsing, email, support)
- [ ] Data types documented per collection point
- [ ] Legal basis identified for each data processing activity
- [ ] Retention periods defined for each data type
- [ ] All third-party data processors listed
- [ ] Data flows mapped (collection → storage → processing → sharing)
- [ ] Sensitive data categories identified and flagged

## 2. Cookie Consent (8 items)
- [ ] Cookie banner appears before any non-essential cookies fire
- [ ] Banner offers granular category controls (not just "accept all")
- [ ] "Reject all" is as prominent and easy as "Accept all"
- [ ] No pre-checked boxes for non-essential categories
- [ ] Consent records stored with timestamp
- [ ] Banner re-appears for new visitors / expired consent
- [ ] Google Analytics / Facebook Pixel blocked before consent
- [ ] Cookie consent tested on mobile devices
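
As an added example (not part of this checklist, and not any vendor's official tag-manager code), the items above expressed as a small consent gate: non-essential vendor tags stay unloaded until the matching category is granted, every category defaults to rejected, the decision is stored with a timestamp, and the banner comes back once the stored consent expires. The storage key, the 180-day validity window and the tag URLs are assumptions; `storage` and `loadScript` are injected so the same logic runs in a browser (`localStorage`, a script element) or in a test with neither.

```javascript
// Added example: a minimal consent gate for non-essential cookies/tags.
const CONSENT_KEY = 'privacy_consent_v1';          // assumed storage key
const CONSENT_TTL_MS = 180 * 24 * 60 * 60 * 1000;  // assumed 180-day validity

// Non-essential vendor tags and the category that must be granted first.
// URLs are placeholders; real tag URLs come from each vendor's documentation.
const VENDOR_TAGS = [
  { id: 'google-analytics', category: 'analytics', src: 'https://example.invalid/ga.js' },
  { id: 'facebook-pixel',   category: 'marketing', src: 'https://example.invalid/fbevents.js' },
];

function createConsentManager({ storage, loadScript, now = () => Date.now() }) {
  const loaded = new Set(); // tag ids already injected into the page

  function read() {
    try { return JSON.parse(storage.getItem(CONSENT_KEY)); } catch { return null; }
  }

  // A record counts only if it is well-formed and younger than the TTL.
  function isConsentValid(record, at = now()) {
    return !!record && typeof record.timestamp === 'number'
      && at - record.timestamp < CONSENT_TTL_MS
      && !!record.categories && typeof record.categories === 'object';
  }

  // New visitors and visitors whose consent has expired see the banner again.
  function shouldShowBanner() { return !isConsentValid(read()); }

  // Store an explicit decision with a timestamp. Every non-essential category
  // defaults to false, so a missing key is never treated as a pre-checked "yes".
  function recordConsent({ analytics = false, marketing = false } = {}) {
    const record = { timestamp: now(), categories: { analytics, marketing } };
    storage.setItem(CONSENT_KEY, JSON.stringify(record));
    loadPermittedTags();
    return record;
  }

  // "Reject all" is a one-step action, same as "Accept all".
  function rejectAll() { return recordConsent({}); }

  // Load only tags whose category was granted, each at most once; call this
  // on page load as well, so returning visitors with valid consent get tags.
  function loadPermittedTags() {
    const record = read();
    if (!isConsentValid(record)) return [];
    const due = VENDOR_TAGS.filter(t => record.categories[t.category] === true && !loaded.has(t.id));
    due.forEach(t => { loaded.add(t.id); loadScript(t.src); });
    return due.map(t => t.id);
  }

  return { shouldShowBanner, recordConsent, rejectAll, loadPermittedTags, isConsentValid };
}
```

In the browser, `loadScript` would create a `<script src=...>` element; nothing in the vendor list is fetched before `recordConsent` has granted its category, which is the condition the first and seventh items above require.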

## 3. Privacy Policy (8 items)
- [ ] Covers all data collection practices accurately
- [ ] Lists all third-party recipients with purposes
- [ ] Includes specific retention periods (not "as long as necessary")
- [ ] Describes all individual rights (GDPR + CCPA as applicable)
- [ ] Includes contact information for privacy inquiries
- [ ] CCPA-specific section with California consumer rights
- [ ] Accessible via footer link on every page
- [ ] Updated within the last 12 months

## 4. Email Marketing Compliance (7 items)
- [ ] Opt-in consent collected before sending marketing emails
- [ ] Double opt-in implemented (GDPR best practice)
- [ ] Physical mailing address included in every email
- [ ] Working unsubscribe link in every email (tested)
- [ ] Unsubscribe honored within 10 business days (CAN-SPAM)
- [ ] No purchased or rented email lists in use
- [ ] Consent records maintained with timestamp and source

## 5. Data Subject Rights (6 items)
- [ ] Process exists to handle access requests within 30 days (GDPR) / 45 days (CCPA)
- [ ] Process exists to handle deletion requests
- [ ] "Do Not Sell My Personal Information" link visible (if CCPA applies)
- [ ] Identity verification procedure for data requests
- [ ] Request tracking system in place (email, spreadsheet, or tool)
- [ ] Staff know how to route incoming privacy requests

## 6. Third-Party Compliance (5 items)
- [ ] Data Processing Agreements (DPAs) signed with all data processors
- [ ] DPAs reviewed within last 12 months
- [ ] Sub-processor lists maintained and monitored
- [ ] International transfer safeguards in place (SCCs if data leaves EEA)
- [ ] Vendor privacy practices reviewed before onboarding

## 7. Data Security (6 items)
- [ ] Customer data encrypted at rest and in transit
- [ ] Access controls — only authorized staff can access customer data
- [ ] Strong password policies and MFA for admin accounts
- [ ] Regular security updates applied to all systems
- [ ] Payment data handled via PCI-compliant processor (never stored locally)
- [ ] Employee security awareness training conducted annually

## 8. Breach Response (5 items)
- [ ] Written breach response plan exists
- [ ] Roles and responsibilities assigned (who does what)
- [ ] 72-hour notification timeline documented and rehearsed
- [ ] Template notifications prepared (authority + individuals)
- [ ] Contact information for relevant supervisory authorities on file

## 9. Ongoing Maintenance (6 items)
- [ ] Monthly: Review new tools/integrations for data impact
- [ ] Monthly: Test unsubscribe mechanism
- [ ] Quarterly: Audit cookie consent functionality
- [ ] Quarterly: Delete data past retention period
- [ ] Annually: Full data inventory refresh
- [ ] Annually: Privacy policy comprehensive review and update
