Skip to main content
What can we help you with?
< All Topics
Print

Privacy Compliance

Posted
Updated
ByPeter Westerman

name: privacy-compliance

description: Privacy and data protection compliance covering GDPR, CCPA, privacy policies, cookie consent, data mapping, privacy impact assessments, data subject requests, and third-party vendor assessment. Use when implementing privacy programs, writing privacy policies, conducting data mapping, handling data subject requests, or assessing vendor privacy practices.

Privacy Compliance

Instructions

Guide organizations through privacy and data protection compliance with practical, actionable frameworks. Cover regulatory requirements, operational processes, and documentation standards. Always note that guidance does not replace qualified legal counsel for jurisdiction-specific questions.

Regulatory Overview

GDPR (EU/EEA)

  • Scope: Applies to any organization processing personal data of EU/EEA residents, regardless of where the organization is based
  • Lawful bases: Consent, contract, legal obligation, vital interests, public task, legitimate interests — every processing activity must have one
  • Key rights: Access, rectification, erasure (“right to be forgotten”), restriction, portability, objection, automated decision-making opt-out
  • Breach notification: 72 hours to supervisory authority; without undue delay to affected individuals if high risk
  • Penalties: Up to €20M or 4% of global annual revenue, whichever is higher
  • DPO requirement: Mandatory for public authorities, large-scale monitoring, or large-scale processing of special categories

CCPA/CPRA (California)

  • Scope: For-profit businesses that collect California residents’ personal information and meet revenue/data volume thresholds
  • Key rights: Know, delete, opt-out of sale/sharing, correct, limit use of sensitive personal information
  • “Do Not Sell or Share”: Must provide a clear, conspicuous link on the website
  • Penalties: $2,500 per unintentional violation; $7,500 per intentional violation or violations involving minors
  • Private right of action: For data breaches involving unencrypted/unredacted personal information

Other Key Regulations

  • PIPEDA (Canada), LGPD (Brazil), POPIA (South Africa), PDPA (Singapore/Thailand) — similar principles with jurisdiction-specific requirements
  • COPPA (US) — additional protections for children under 13
  • HIPAA (US) — health information; separate compliance framework
  • State privacy laws — Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and others with varying requirements

Privacy Policy Writing

A compliant privacy policy must clearly communicate:

  1. What data is collected — enumerate categories of personal information with examples
  2. How data is collected — directly from users, automatically via cookies/tracking, from third parties
  3. Why data is collected — purpose for each category, mapped to a lawful basis (GDPR) or business purpose (CCPA)
  4. Who data is shared with — categories of third parties, not just “business partners”
  5. How long data is retained — retention periods or criteria for determining retention
  6. User rights — what rights exist and how to exercise them, with contact information
  7. Cookie and tracking disclosure — what cookies are used, for what purpose, and how to manage preferences
  8. Security measures — general description of how data is protected
  9. Contact information — DPO or privacy team contact, supervisory authority (GDPR)
  10. Effective date and change notification — how users will be informed of policy updates

Write in plain language. Avoid legalese. Use layered notices — a short summary with links to full details.

Cookie Consent Implementation

  • Prior consent required (GDPR) for non-essential cookies — no pre-checked boxes
  • Categories: Strictly necessary (no consent needed), functional, analytics, marketing/advertising
  • Banner requirements: Clear explanation of cookie use, granular category controls, easy accept/reject with equal prominence, link to full cookie policy
  • Consent records: Log consent timestamp, version of policy, categories accepted/rejected
  • Renewal: Re-prompt when cookie purposes change or at least annually
  • Do not load non-essential cookies/scripts until consent is obtained

Data Mapping

Maintain a data inventory that documents:

Field Description
Data category Type of personal data (name, email, location, financial, etc.)
Source Where data comes from (user input, tracking, third party)
Purpose Why it’s collected and processed
Lawful basis Legal justification (GDPR)
Storage location Where data resides (database, cloud provider, region)
Retention period How long data is kept and deletion criteria
Access controls Who can access this data and under what conditions
Third-party sharing Who receives this data and why
Cross-border transfers Whether data leaves originating jurisdiction and safeguards used

Review and update the data map quarterly or whenever processing activities change.

Privacy Impact Assessments (PIA/DPIA)

Conduct an assessment before any new processing activity that involves:

  • New technology or significant system changes
  • Large-scale profiling or automated decision-making
  • Processing of sensitive/special category data
  • Large-scale monitoring of public areas
  • Cross-border data transfers to non-adequate jurisdictions

Assessment structure:

  1. Processing description — what data, why, how, for how long
  2. Necessity and proportionality — is this the minimum data needed for the purpose?
  3. Risk identification — what could go wrong for data subjects?
  4. Risk mitigation — technical and organizational measures to reduce identified risks
  5. Residual risk — what risk remains after mitigation?
  6. Decision — proceed, modify, or consult supervisory authority

Data Subject Request Handling

Process every request within regulatory timelines (30 days GDPR, 45 days CCPA):

  1. Receive and log — record the request with timestamp and requester identity
  2. Verify identity — confirm the requester is who they claim to be (do not create new privacy risks through verification)
  3. Scope the request — determine which right is being exercised and what data is affected
  4. Locate data — use the data map to find all instances across systems
  5. Execute — fulfill the request (provide access, delete, correct, port, restrict)
  6. Document — record what was done, when, and by whom
  7. Respond — notify the requester with a clear explanation of actions taken

Third-Party Vendor Assessment

Before sharing personal data with any vendor:

  • Data Processing Agreement (DPA) — must be in place before data sharing begins
  • Security assessment — review SOC 2, ISO 27001, or equivalent certifications
  • Sub-processor disclosure — vendor must disclose their own third-party data sharing
  • Breach notification clause — vendor must notify within agreed timeframe (typically 24–48 hours)
  • Data deletion — contract must require data deletion or return upon termination
  • Audit rights — retain the right to audit vendor compliance
  • Cross-border transfers — verify adequate safeguards (SCCs, adequacy decisions, BCRs)

Reassess vendors annually or when processing activities change.

Examples

Privacy policy section: “We collect your email address when you create an account. We use it to send account notifications and, with your consent, marketing communications. You can withdraw marketing consent at any time via your account settings or by clicking ‘unsubscribe’ in any email.”

Data subject access request response: Acknowledgment within 48 hours, identity verification, delivery of all personal data in structured format within 30 days, explanation of retention periods and processing purposes, and instructions for further rights (deletion, correction).

Vendor assessment summary: Vendor name, data categories shared, DPA status, security certifications, sub-processor list, breach notification terms, cross-border transfer safeguards, and next review date.

Table of Contents
Privacy Policy Terms and Conditions Cookie Policy