# Privacy Compliance Audit & Implementation Plan — Output Template

## Business Profile

| Field | Value |
|---|---|
| **Business Name** | [Name] |
| **Jurisdictions** | [Where you sell: US, EU, UK, etc.] |
| **Sales Channels** | [Shopify, Amazon, eBay, etc.] |
| **Annual Revenue** | [Range — determines CCPA applicability] |
| **Customer Count** | [Approximate — determines CCPA applicability] |
| **Audit Date** | [Date] |
| **Auditor** | [Name/Role] |

## Applicable Regulations

| Regulation | Applies? | Trigger | Priority |
|---|---|---|---|
| GDPR (EU/UK) | Yes/No | [Selling to or targeting EU/UK residents] | [High/Med/Low] |
| CCPA/CPRA (California) | Yes/No | [>$25M revenue OR >100K consumers OR >50% revenue from selling PI] | |
| CAN-SPAM (US) | Yes/No | [Sending commercial email to US recipients] | |
| COPPA (US) | Yes/No | [Collecting data from children under 13] | |
| VCDPA (Virginia) | Yes/No | [Processing data of 100K+ VA consumers] | |
| CPA (Colorado) | Yes/No | [Processing data of 100K+ CO consumers] | |
| [Other state laws] | Yes/No | [Check thresholds] | |

## Data Inventory

### Data Collection Points
| Touchpoint | Data Types | Legal Basis | Retention Period | Third Parties |
|---|---|---|---|---|
| [Registration] | [Fields] | [Consent/Contract/LI] | [Period] | [Who receives] |
| [Checkout] | [Fields] | [Basis] | [Period] | [Who receives] |
| [Browsing] | [Fields] | [Basis] | [Period] | [Who receives] |
| [Email signup] | [Fields] | [Basis] | [Period] | [Who receives] |
| [Support] | [Fields] | [Basis] | [Period] | [Who receives] |

### Third-Party Data Processors
| Vendor | Data Shared | Purpose | DPA Status | Last Reviewed |
|---|---|---|---|---|
| [Vendor 1] | [Data types] | [Purpose] | [Signed/Pending/Needed] | [Date] |
| [Vendor 2] | [Data types] | [Purpose] | [Status] | [Date] |

## Compliance Status Assessment

### Cookie Consent
| Requirement | Status | Action Needed |
|---|---|---|
| Banner displayed before non-essential cookies | ✅/❌ | [Action] |
| Granular category controls | ✅/❌ | [Action] |
| As easy to reject as to accept | ✅/❌ | [Action] |
| Consent records stored | ✅/❌ | [Action] |
| Non-essential cookies blocked before consent | ✅/❌ | [Action] |

### Privacy Policy
| Requirement | Status | Action Needed |
|---|---|---|
| Covers all data collection practices | ✅/❌ | [Action] |
| Lists all third-party recipients | ✅/❌ | [Action] |
| Includes retention periods | ✅/❌ | [Action] |
| CCPA-specific disclosures | ✅/❌ | [Action] |
| "Do Not Sell" link (if CCPA applies) | ✅/❌ | [Action] |
| Accessible from every page (footer) | ✅/❌ | [Action] |
| Updated within last 12 months | ✅/❌ | [Action] |

### Email Marketing
| Requirement | Status | Action Needed |
|---|---|---|
| Opt-in consent (GDPR: explicit) | ✅/❌ | [Action] |
| Double opt-in implemented | ✅/❌ | [Action] |
| Working unsubscribe in every email | ✅/❌ | [Action] |
| Physical address in every email | ✅/❌ | [Action] |
| No purchased email lists | ✅/❌ | [Action] |
| Consent records maintained | ✅/❌ | [Action] |

### Data Subject Rights
| Right | Process Exists? | Timeline Met? | Action Needed |
|---|---|---|---|
| Access/SAR | ✅/❌ | ✅/❌ | [Action] |
| Erasure | ✅/❌ | ✅/❌ | [Action] |
| Rectification | ✅/❌ | ✅/❌ | [Action] |
| Portability | ✅/❌ | ✅/❌ | [Action] |
| Opt-out of sale (CCPA) | ✅/❌ | ✅/❌ | [Action] |

### Breach Response
| Requirement | Status | Action Needed |
|---|---|---|
| Written breach response plan | ✅/❌ | [Action] |
| Roles and responsibilities assigned | ✅/❌ | [Action] |
| 72-hour notification procedure | ✅/❌ | [Action] |
| Template notifications prepared | ✅/❌ | [Action] |

## Implementation Roadmap

### Phase 1: Critical (Weeks 1-2)
| Task | Owner | Deadline | Status |
|---|---|---|---|
| [Highest-risk items] | [Name] | [Date] | [ ] |

### Phase 2: Important (Weeks 3-4)
| Task | Owner | Deadline | Status |
|---|---|---|---|
| [Medium-risk items] | [Name] | [Date] | [ ] |

### Phase 3: Maintenance (Ongoing)
| Task | Frequency | Owner | Next Due |
|---|---|---|---|
| [Recurring tasks] | [Monthly/Quarterly/Annual] | [Name] | [Date] |

## Cost Estimate

| Item | One-Time | Monthly | Annual |
|---|---|---|---|
| Cookie consent tool | $ | $ | $ |
| Privacy policy generator/legal review | $ | | $ |
| Staff training | $ | | $ |
| Process implementation | $ | | |
| **Total** | **$** | **$** | **$** |
