Data Privacy Checklist
In this post, we share tips for protecting your users’ privacy and maintaining compliance with new and emerging laws like Europe’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA).
In the mad dash to bring more and more digital products and services online, we collectively neglect our privacy. Digital products are so ubiquitous that we often forget real consequences occur when personal data is shared without our knowledge or permission:
- Our information is used not only to make fraudulent purchases; more sophisticated laundering schemes built on stolen personal data are increasingly prevalent.
- Large-scale misuse of personal data—a price we often pay when using “free” online tools—allows misinformation to spread and feeds a growing “surveillance economy”.
Every minute a person spends online helps countless companies build a thicker dossier about that person. Despite what corporations profess, much of this personal data is used not to improve products themselves but to make those products more attractive to advertisers.
— The New York Times, America, Your Privacy Settings Are All Wrong
Your Data is Already Under Siege
While website hacks, malware, and other security threats are still on the rise, millions of websites all over the internet already collect your personal information every day. Ad-tracking scripts let companies know all sorts of information related to your browsing habits.
In the wrong hands, this information could potentially be used against you. Consequences might range from minor annoyances, like increased spam, to life-changing issues like fraud, discrimination, or being denied access to products and services.
The decisions we make about privacy today and in the coming years will shape the future of humanity for decades to come. Societal choices about privacy will influence how political campaigns are run, how corporations earn their keep, the power that governments and private businesses may wield, the advancement of medicine, the pursuit of public health goals, the risks we are exposed to, how we interact with each other, and, not least, whether our rights are respected as we go about our daily lives.
— Carissa Véliz, Lit Hub
Prioritizing Data Privacy
Adopting smart data governance and privacy and security practices is part of a larger corporate digital responsibility strategy that aligns all your organization’s digital practices with stakeholder needs and ethical behavior. Plus, with ongoing legislative changes, we must be vigilant in setting up and maintaining effective, long-term data privacy practices that include informed consent, among other things. What’s legal today might very well put you at risk for a fine tomorrow. Better to err on the proactive side.
This is clearly a big deal. So, what can we do? Put simply, organizations must protect the integrity and privacy of their users’ data. They must communicate transparently about which information is collected, how it is used, and what is done with it once a user requests deletion. On the personal side, we all must take a more proactive stance in how our personal information is collected and used.
For 37 years, Congress has completely failed to pass another consumer privacy law. Which is how we got here — to this moment where you can target ads to suicidal teens, gambling addicted soldiers in Minuteman silos, grannies with Alzheimer’s, and every Congressional staffer on the Hill.
— Cory Doctorow, Ad-tech Targeting is an Existential Threat

Privacy Legislation
GDPR and CCPA are frontrunners in online privacy regulations. Several other U.S. states have introduced similar legislation as well. It is inevitable that more will follow.
These laws provide clear guidelines for protecting user data and giving people the right to choose how their data is used, stored, and deleted. If your website serves people from California or the European Union, you need to pay attention to these laws today and do what’s necessary to comply.
Also, forward-thinking organizations should adopt more stringent privacy policies that apply to users from any state, region, or country, since that’s where things are headed.
Financial Consequences
Since GDPR enforcement began in 2018, over €153 million worth of fines had been levied as of August 2020. Even small infringements can incur penalties of up to €10 million. Individual CCPA fines start at around $7,500.00 and there is no ceiling. It should go without saying that these fines are serious and businesses should do everything they can to comply.
A Pew Research Institute study found that controlling PI [personal information] online is “very important” to 74% of Americans. According to another Pew study, 86% of Americans have taken action to maintain their privacy—deleting cookies, encrypting email, and protecting their IP address.
— Thomson Reuters
Data Privacy + Security: You Need Both
Additionally, every year, millions of people’s data is exposed to malicious attacks on every type of online entity you can imagine. From credit reporting companies and webcams to fitness apps and online games, any company using network-enabled technology—basically, all of them—can be exposed to this type of risk. No organization is truly safe.
What’s more, if your business or nonprofit is hacked and your customers’ data is leaked, you’re responsible for the consequences.
Privacy Breach: A Cautionary Tale
Equifax had a data breach in 2017. 147.9 million people’s data was compromised. This data included social security numbers, birth dates, addresses, and even driver’s license numbers. Another 209,000 people had their credit card data exposed.
Worse, Equifax’s data breach is just a small drop in a much, much larger bucket. If you tally up the 15 biggest data breaches of the 21st century, over 6,457,100,000 online accounts have been compromised. There’s a good chance your data is among them. These breaches cost companies billions of dollars. If you’re not careful, your organization could be next.

Data Privacy Checklist
This data privacy checklist will help you better understand business requirements specific to GDPR and CCPA. Plus, it includes general privacy recommendations to inform a more impactful long-term privacy and security plan. We hope you find it useful. Please reach out if you have any questions.
SSL Certificate
Add an SSL/TLS certificate to your website and serve every page over HTTPS. This improves security, SEO performance, and user experience by preventing browser “not secure” warnings.
Cookie Policy
Create a cookie policy that clearly states which cookies are yours and which belong to third parties. Users must have the option to use your site without cookies.
Privacy Policy
Include a clear, explicit explanation of how you collect and protect user data.
Proving Consent
You must be able to prove that users gave clear, comprehensible consent. Keep records of user interactions related to consent.
Opt-In
Use separate opt-in checkboxes for each instance where you gather data—e.g., newsletter signup vs. terms for a purchase.
Privacy Shield
If you use third-party payment gateways, ensure your site is Privacy Shield-compliant.
Withdrawing Consent
Provide easy options for users to withdraw consent and request deletion of their data (“right to be forgotten”).
Secure Web Forms
Forms must be transmitted securely over HTTPS (SSL/TLS). If form data is emailed to recipients, those emails must meet GDPR/CCPA-compliant security standards. Check your email provider’s terms.
Social Media Data
Social platforms are third-party data controllers. Any data collected through them must follow GDPR/CCPA rules. Include these channels in your privacy policy and avoid storing user data directly in the social account.
Secure Tracking
Google Analytics and other tracking tools must be referenced in your privacy policy and must be GDPR/CCPA/Privacy Shield-compliant. Some lesser-known tools may not be—verify before using them.
CRM Data
CRMs collect user data (including date/time of capture and reasons for collection). These details must be included when users request their data be deleted.
Data Masking
If your site stores account information, users must be identified by username or another stand-in identifier only—not by sensitive account details. This process is called pseudonymization (or anonymization, when the link back to the person cannot be restored at all).
These apply if visitors from the EU access your site.
Chat Privacy
If you use third-party live chat, reference its privacy policy and terms on your website.
Opt-In, Not Opt-Out
Do not use pre-checked boxes. Users must actively opt in.
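As an added example that is not part of the original post, here is one way to implement the Proving Consent, Opt-In, Withdrawing Consent and Data Masking items above in Python: an append-only consent ledger that records one decision per purpose, defaults to “no” when nothing was recorded, and keys every record by a pseudonymous ID instead of the e-mail address. The purposes, the sample addresses and the secret “pepper” are constructed for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Each purpose needs its own explicit opt-in (no bundled or pre-checked consent).
# The purposes below are constructed for this example.
PURPOSES = ("newsletter", "purchase_terms", "analytics")


class ConsentLedger:
    """Append-only consent record keyed by a pseudonymous subject ID.
    A keyed hash (HMAC-SHA256 with a secret 'pepper' kept outside the database)
    stands in for the e-mail address, so a leaked ledger does not name anyone."""

    def __init__(self, pepper: bytes):
        self._pepper = pepper  # constructed secret; store it in a secrets manager
        self._events = []      # only ever appended to, never edited in place

    def pseudonym(self, email: str) -> str:
        canonical = email.strip().lower().encode()
        return hmac.new(self._pepper, canonical, hashlib.sha256).hexdigest()[:16]

    def record(self, email, purpose, granted, policy_version, when=None):
        """Append one consent event. Withdrawal is simply an event with granted=False."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        event = {
            "subject": self.pseudonym(email),
            "purpose": purpose,
            "granted": bool(granted),
            "policy_version": policy_version,  # which policy text the user saw
            "at": (when or datetime.now(timezone.utc)).isoformat(),
        }
        self._events.append(event)
        return event

    def current(self, email, purpose) -> bool:
        """Latest decision for a purpose; with no event the answer is False (opt-in, not opt-out)."""
        subject = self.pseudonym(email)
        for event in reversed(self._events):
            if event["subject"] == subject and event["purpose"] == purpose:
                return event["granted"]
        return False

    def history(self, email):
        """All events for one subject: the evidence for a disclosure request or an audit."""
        subject = self.pseudonym(email)
        return [e for e in self._events if e["subject"] == subject]
```

Because the ID is a keyed hash, a copy of the ledger without the pepper cannot be matched back to addresses, while the site itself can still answer a subject’s disclosure or deletion request.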
These apply if your site receives visitors from California.
Right to Disclosure
Consumers can request full transparency on the specific personal information you’ve collected, sources, purposes, and who you share the data with—free of charge.
Don’t Discriminate
You cannot deny services, charge different rates, or reduce quality for users who opt out of data sharing.
Policy Maintenance
Privacy policies must be updated every 12 months. Material changes must be clearly communicated to users.
Disclaimer: Digital privacy is an always-evolving issue. This post is not to be construed as legal advice.
Respecting User Privacy
Implementing these practices demonstrates respect for your users and helps protect your organization from significant fines. Strong privacy practices improve trust, strengthen relationships, and support both ethical and legal obligations.
Make privacy compliance part of a smarter, more resilient digital ecosystem. Explore how our digital strategy services can support your long-term goals.
Responsible Digital Strategy
Learn more about how Mightybytes uses responsible digital strategy to position our clients for long-term success.