Checklist · 7 min read · April 5, 2026

The E-Commerce Privacy Compliance Checklist

Your Complete Privacy Compliance Checklist

Privacy compliance can feel overwhelming with 20+ state laws to track, but the core work is manageable when you break it into concrete steps. This checklist covers what every e-commerce business needs to address, organized by priority.

Phase 1: Foundation — Know Your Data

  • Complete a data inventory — Document every category of personal data you collect (names, emails, payment info, browsing data, device identifiers, etc.)
  • Map your data flows — Trace where data goes from collection to storage to sharing to deletion. Include all platforms: your website, email service, analytics, payment processor, shipping provider, CRM, and ad platforms
  • Identify your data sources — Document whether data comes directly from consumers, from cookies/tracking, from third-party sources, or from public records
  • Classify sensitive data — Flag any sensitive personal information you collect (precise geolocation, financial account details, health data, demographic data, biometric data)
  • Document your legal bases — For each data processing activity, identify the legal basis (consent, contractual necessity, legitimate interest, legal obligation)

Phase 2: Policies and Notices

  • Draft or update your privacy policy — Ensure it covers all required disclosures for every state where you have customers (see our guide on privacy policy requirements)
  • Add required links to your website — "Do Not Sell or Share My Personal Information" and "Limit the Use of My Sensitive Personal Information" links as required by California
  • Create a cookie notice/banner — Disclose what cookies and tracking technologies you use, their purposes, and how users can manage preferences
  • Post your privacy policy conspicuously — Link in the footer of every page, on your checkout page, and anywhere you collect personal information
  • Set retention schedules — Define how long you keep each category of data and disclose this in your privacy policy
  • Draft an internal privacy program document — Outline your organization's privacy commitments, responsible parties, and escalation procedures

Phase 3: Consumer Rights Infrastructure

  • Set up a DSAR intake process — Create at least two methods for consumers to submit requests (web form, email, and toll-free number for California businesses with revenue over $25M)
  • Build identity verification workflows — Define how you will verify the identity of consumers making requests to prevent unauthorized access
  • Implement right to know — Ability to provide consumers with the specific pieces of personal information you hold about them
  • Implement right to delete — Ability to delete a consumer's personal information and direct service providers to do the same
  • Implement right to correct — Ability to correct inaccurate personal information upon verified request
  • Implement right to opt out — Technical mechanism to stop selling/sharing a consumer's data when they opt out, including honoring Global Privacy Control (GPC) signals
  • Set up response tracking — Track DSAR receipt dates, verification dates, and response dates to ensure you meet statutory deadlines (typically 45 days, extendable by another 45)
  • Test your DSAR process — Submit test requests through each intake channel and verify the full workflow functions correctly

Phase 4: Consent and Cookie Management

  • Implement a consent management platform (CMP) — Use a tool that can manage cookie consent, opt-out preferences, and GPC signal detection
  • Configure opt-in vs. opt-out correctly — Most U.S. states use an opt-out model (no prior consent needed), but some categories of data or processing may require opt-in consent
  • Honor GPC signals — Detect and respect the Global Privacy Control signal sent by browsers, treating it as a valid opt-out request
  • Block tracking scripts before consent where required — If you serve customers in jurisdictions requiring opt-in consent for certain cookies, ensure scripts don't fire until consent is given
  • Maintain consent records — Log when and how each user provided or withdrew consent, including timestamps and the version of the notice they saw
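To make Phase 4 concrete, here is an added JavaScript example (not code from this checklist or from any CMP vendor): a small consent gate that treats the Global Privacy Control signal as a valid opt-out, withholds tracking tags until their category is permitted, and logs every consent change with a timestamp and the notice version. GPC detection relies on the real `navigator.globalPrivacyControl` property and the `Sec-GPC: 1` request header; the category names, notice version, tag list and sample request are constructed for illustration.

```javascript
// Added example: consent gating with GPC support and an auditable consent log.
// Real GPC facts used: browsers expose navigator.globalPrivacyControl === true
// and send the "Sec-GPC: 1" request header. Everything else is an assumption.

const NOTICE_VERSION = "2026-04"; // constructed version of the cookie notice shown

// Detect GPC from a navigator-like object (client side) or a header map
// (server side). Both are passed in so the function runs outside a browser.
function gpcSignalled({ nav = {}, headers = {} } = {}) {
  if (nav.globalPrivacyControl === true) return true;
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  return lower["sec-gpc"] === "1";
}

class ConsentManager {
  // optInRequired = true models a jurisdiction where nothing fires before consent;
  // false models the U.S. opt-out default where tracking is on until withdrawn.
  constructor({ optInRequired = false, now = () => new Date() } = {}) {
    this.now = now;
    this.records = [];            // append-only consent log
    const initial = !optInRequired;
    this.state = { analytics: initial, advertising: initial, saleOrShare: initial };
  }
  // Record how and when consent changed, plus the notice version the user saw.
  record(source, changes) {
    Object.assign(this.state, changes);
    const entry = { at: this.now().toISOString(), source,
                    noticeVersion: NOTICE_VERSION, state: { ...this.state } };
    this.records.push(entry);
    return entry;
  }
  // GPC counts as an opt-out of sale/share and targeted advertising only;
  // it does not by itself withdraw consent for first-party analytics.
  applyGpc(ctx) {
    return gpcSignalled(ctx)
      ? this.record("gpc", { saleOrShare: false, advertising: false }) : null;
  }
  // Return only the tag URLs whose category is currently permitted, so the
  // page can inject those scripts and leave the rest unloaded.
  allowedTags(tags) {
    return tags.filter(t => this.state[t.category] === true).map(t => t.src);
  }
}

// Constructed demo: an opt-out-model visitor whose browser sends Sec-GPC.
const demo = new ConsentManager();
demo.applyGpc({ headers: { "Sec-GPC": "1" } });
console.log(demo.allowedTags([{ category: "analytics", src: "/a.js" },
                              { category: "advertising", src: "/ads.js" }]));
```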

Phase 5: Vendor and Third-Party Management

  • Inventory all vendors with data access — List every service provider, contractor, and third party that receives personal information from you
  • Execute data processing agreements (DPAs) — Ensure every vendor has a signed DPA that meets the requirements of applicable state laws
  • Classify vendors correctly — Determine whether each vendor is a service provider (processes data on your behalf), contractor, or third party under applicable law
  • Review vendor security practices — Verify that your vendors maintain reasonable security measures appropriate to the data they handle
  • Establish vendor breach notification — Ensure contracts require vendors to notify you promptly if they experience a data breach involving your data

Phase 6: Security Measures

  • Implement reasonable security — Use encryption in transit (TLS/HTTPS) and at rest for sensitive data
  • Enforce access controls — Limit access to personal data to employees and systems that need it
  • Enable multi-factor authentication — Require MFA for all admin accounts and systems that store personal data
  • Conduct regular security assessments — Perform vulnerability scans or penetration tests at least annually
  • Create an incident response plan — Document how you will detect, contain, investigate, and report data breaches
  • Train employees — Ensure all staff who handle personal data receive privacy and security training

Phase 7: Ongoing Compliance

  • Conduct data protection assessments — Required by many states for high-risk processing activities (targeted advertising, selling data, profiling)
  • Monitor new legislation — Track new state privacy laws taking effect and amendments to existing laws
  • Review and update annually — Revisit your privacy policy, data inventory, vendor list, and processes at least once per year
  • Document everything — Maintain records of your compliance activities, DSAR responses, assessments, and training; they demonstrate good faith in case of enforcement
  • Stay current on enforcement — Follow CPPA rulings and state AG enforcement actions to understand how laws are being interpreted

Priority Order for Small Teams

If you have limited resources, tackle compliance in this order:

  1. Privacy policy — This is visible and often the first thing regulators check
  2. Cookie consent/opt-out — High visibility and common enforcement target
  3. DSAR process — You need to be able to respond to consumer requests within statutory deadlines
  4. Vendor contracts — Update DPAs with your most critical vendors first
  5. Data inventory — Even a basic inventory is better than none
  6. Security baseline — HTTPS, access controls, and MFA are table stakes
