Your compliance action plan
Twenty states now have comprehensive privacy laws. Rather than trying to comply with each law individually, this checklist takes the "highest common denominator" approach — if you complete these 15 steps, you'll meet or exceed the requirements of all 20 state privacy laws.
This is a practical, actionable checklist. Each step includes what to do, why it matters, and how to get it done.
Step 1: Conduct a data inventory
What: Map every type of personal data your business collects, where it comes from, where it's stored, who has access, and who you share it with.
Why: You can't protect data you don't know about. Every subsequent step depends on understanding what data you have.
How: Walk through your customer journey from first visit to post-purchase. Document data collection at each point: website analytics, account creation, checkout, email signup, support interactions, loyalty programs. Don't forget backend systems: CRM, email platform, analytics tools, advertising accounts.
Step 2: Map your data flows to third parties
What: For every third party that receives customer data from you, document what data they receive, why, and under what terms.
Why: Data sharing with third parties is the primary trigger for most privacy law requirements: opt-out rights, data protection assessments (DPAs), and disclosure obligations.
How: List every vendor, platform, and service provider: payment processors, shipping carriers, email marketing platforms, advertising networks, analytics providers, review platforms, CRM tools, Shopify apps. For each, document what data flows to them.
Step 3: Classify your data processing activities
What: Categorize your data processing into: essential operations, marketing/advertising, analytics, and other purposes.
Why: Different processing activities trigger different legal requirements. Targeted advertising requires data protection assessments (DPAs) and opt-out rights. Essential processing (order fulfillment) generally does not.
How: For each data flow identified in Step 2, classify it. Be honest about which activities are truly "essential" versus "nice to have."
Step 4: Update your privacy policy
What: Draft a comprehensive privacy policy that meets the requirements of all 20 state privacy laws.
Why: Every state law requires a privacy notice. An incomplete or inaccurate policy is one of the easiest violations to identify and enforce.
How: Your policy must include: categories of data collected, purposes for processing, categories of third parties (and for Rhode Island, specific third-party identities for sold data), consumer rights by state, how to exercise those rights, data retention practices, sensitive data handling, and your contact information.
Step 5: Implement consumer rights request handling
What: Build or buy a system for receiving, verifying, and fulfilling consumer privacy requests (access, deletion, correction, portability, opt-out).
Why: All 20 states grant consumers rights over their data. In most states you must respond within 45 days.
How: Options range from a simple email-based workflow to dedicated privacy rights management platforms (OneTrust, DataGrail, Ethyca). At minimum, you need: a way for consumers to submit requests, identity verification, fulfillment workflows for each request type, and tracking/documentation.
Step 6: Add required website links and disclosures
What: Add a "Do Not Sell or Share My Personal Information" link (California), cookie consent mechanisms, and privacy rights information.
Why: California specifically requires a conspicuous "Do Not Sell" link. Other states require clear disclosure of opt-out rights.
How: Add the link to your website footer. Ensure it leads to a functional opt-out mechanism, not just a page with your email address. Consider adding a universal "Your Privacy Choices" link that covers all states.
Step 7: Implement universal opt-out (GPC) support
What: Configure your website to detect and honor Global Privacy Control (GPC) signals.
Why: Required by 10 states (California, Colorado, Connecticut, Texas, Montana, Oregon, Delaware, Nebraska, New Hampshire, Minnesota), and the number is growing.
How: Use a consent management platform (CMP) that supports GPC, or implement detection in your tag management system. When GPC is detected, suppress non-essential tracking scripts including advertising pixels and data-sharing analytics.
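The detection logic described above, as an added example that is not part of the original checklist or any CMP product: it reads the GPC signal on both sides (the browser's `navigator.globalPrivacyControl` flag and the `Sec-GPC: 1` request header) and gates a tag list on it. The tag identifiers and the "essential / advertising / analytics" categories are constructed for illustration.

```javascript
// Added example: honor Global Privacy Control (GPC) by suppressing
// non-essential tags when the signal is asserted. Tag names and categories
// below are constructed, not from any real site.

// Browser side: a GPC-enabled browser sets navigator.globalPrivacyControl
// to the boolean true. Anything else (missing, "true", 1) is not a signal.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Server side: the same browsers send the request header "Sec-GPC: 1".
// Header names are case-insensitive; only the exact value "1" counts.
function gpcFromHeaders(headers) {
  for (const name of Object.keys(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(headers[name]).trim() === '1';
    }
  }
  return false;
}

// Constructed tag inventory. Tags classified "essential" (checkout, fraud
// prevention) load regardless; advertising pixels and data-sharing
// analytics are the "non-essential" tags Step 7 says to suppress.
const TAGS = [
  { id: 'checkout-js',      category: 'essential' },
  { id: 'fraud-check',      category: 'essential' },
  { id: 'ad-network-pixel', category: 'advertising' },
  { id: 'shared-analytics', category: 'analytics' },
];

// Returns the ids of the tags that may load for this visitor.
function tagsToLoad(tags, gpcAsserted) {
  return tags
    .filter(t => t.category === 'essential' || !gpcAsserted)
    .map(t => t.id);
}

// Decide once per page view or request. Either source of the signal is
// sufficient; a GPC signal is treated as an opt-out of sale/sharing.
function applyGpc({ nav, headers }, tags = TAGS) {
  const asserted = gpcFromNavigator(nav) || gpcFromHeaders(headers);
  return { asserted, load: tagsToLoad(tags, asserted) };
}

// Stand-alone demo with a constructed request that carries Sec-GPC: 1.
// In a browser you would pass { nav: navigator, headers: {} } instead.
console.log(applyGpc({ nav: {}, headers: { 'Sec-GPC': '1' } }));
```

Record the decision alongside your other opt-out requests so the Step 5 tracking shows that GPC signals were honored.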
Step 8: Conduct data protection assessments
What: Complete data protection assessments (DPAs) for all processing activities that require them: targeted advertising, data sales, profiling, sensitive data processing.
Why: Required by 16 of the 20 states, and the assessments must be available to the state attorney general (AG) upon request.
How: Use the framework in our DPA guide. At minimum, assess your targeted advertising activities, any data sharing with third parties, and any automated decision-making that affects consumers.
Step 9: Implement sensitive data consent
What: Obtain opt-in consent before processing sensitive personal data.
Why: Nearly all state laws require affirmative consent for sensitive data categories.
How: Identify if you collect any sensitive data: precise geolocation, health information, biometric data, racial/ethnic origin, religious beliefs, sexual orientation, or data from known children. If yes, implement consent mechanisms before processing.
Step 10: Set up data minimization practices
What: Review your data collection and eliminate anything you don't actually need.
Why: Maryland requires processing be "reasonably necessary and proportionate." Minnesota has strong data minimization provisions. This is a clear trend.
How: For each data point you collect, ask: do we actually use this? Could we achieve the same purpose with less data? If you're collecting data "just in case" or because a form field exists, stop.
Step 11: Review and update vendor agreements
What: Ensure all third-party data processing agreements include required privacy terms.
Why: State laws require that your contracts with data processors include specific provisions about data handling, security, and compliance.
How: Review contracts with all vendors receiving personal data. Ensure they include: purpose limitations, confidentiality requirements, subprocessor restrictions, data security obligations, data deletion provisions, and audit rights. Most major vendors (Shopify, Stripe, Mailchimp) offer standard data processing agreement templates.
Step 12: Implement data security measures
What: Ensure appropriate technical and organizational security measures for personal data.
Why: California now requires annual cybersecurity audits. All states implicitly require reasonable security measures. A data breach can trigger both enforcement actions and private lawsuits.
How: At minimum: encrypt data at rest and in transit, implement access controls, use strong authentication, keep systems patched, maintain backup and recovery procedures, and document your security practices.
Step 13: Train your team
What: Ensure everyone who handles customer data understands their privacy obligations.
Why: The best policies and systems fail if your team doesn't know how to use them. A customer service representative who doesn't know how to handle a deletion request creates liability.
How: Conduct training covering: what personal data is, consumer rights and how to recognize requests, your internal procedures for handling requests, who to escalate to, and what NOT to do (never ignore or dismiss a privacy request).
Step 14: Establish a review cadence
What: Schedule regular reviews of your privacy compliance program.
Why: Laws change, your business changes, and your data practices change. A privacy program that isn't maintained becomes non-compliant.
How: Quarterly: review privacy policy for accuracy, check for new state laws or amendments. Annually: update DPAs, conduct security review, refresh team training. As needed: update when adding new vendors, marketing channels, or data collection points.
Step 15: Monitor regulatory developments
What: Stay current on new state laws, amendments, enforcement actions, and AG guidance.
Why: The state privacy landscape is changing rapidly. New laws are passed every legislative session. Cure periods expire. Enforcement priorities shift.
How: This is exactly what BriefStack does. We monitor all 20 state privacy laws and federal developments, and deliver actionable intelligence to your inbox daily. One $7,500 violation costs more than 20 years of BriefStack.
Priority order
If you can't do everything at once, prioritize in this order:
- Privacy policy (Steps 4, 6) — most visible compliance gap
- Consumer rights handling (Step 5) — failing to respond to requests is a common enforcement trigger
- Universal opt-out (Step 7) — required by 10 states, actively enforced
- Data protection assessments (Step 8) — required by 16 states, AG can request them
- Vendor agreements (Step 11) — often overlooked but critical
- Everything else — work through the remaining steps systematically
The goal isn't perfection on day one. It's demonstrable progress toward comprehensive compliance. Document your efforts — good-faith compliance work is recognized by most enforcement agencies.
Stay on top of changes like these — BriefStack monitors all 20 state privacy laws and delivers what matters to your inbox daily.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.