Before you worry about data protection assessments, vendor audits, or multi-state compliance programs, there are ten foundational items every small business should have locked in. This is that checklist.
Start here: Most small businesses do not have a privacy problem — they have a documentation problem. The data practices are often reasonable. What is missing is the written evidence that those practices exist. Regulators and plaintiffs do not take your word for it.
The Ten Items
1. A privacy policy that reflects reality. Not a template. Not a policy copied from a competitor. A privacy policy that accurately describes what data you actually collect, why you collect it, who you share it with, and how consumers can exercise their rights. If your policy says one thing and your practices say another, the policy makes things worse, not better.
2. A documented data inventory. You cannot manage what you have not mapped. A data inventory is a record of: what personal data you collect, where it comes from, how it is used, who has access to it, and how long you keep it. A well-structured spreadsheet is enough to start.
3. A consumer rights request process. Every active state privacy law gives consumers rights over their data. You need a designated email address or web form for receiving those requests, a process for verifying the requestor's identity, and a documented response timeline. Most laws require a response within 45 days.
4. Data Processing Agreements with key vendors. If a vendor processes personal data on your behalf (your email platform, CRM, payment processor, analytics tool), you likely need a Data Processing Agreement in place. Many platforms (Google, HubSpot, Mailchimp) have standard DPAs available on request or in their privacy documentation.
5. A clear retention policy. How long do you keep customer data? Employee data? Prospect data? "Forever" is not a compliant answer. Write down how long different categories of data are retained and why, then actually delete data when it is no longer needed.
6. Cookie consent (if applicable). If your website uses analytics, advertising pixels, or other tracking technologies, and you have visitors from California, Colorado, Connecticut, or several other states, you likely need a cookie consent mechanism. At minimum, you need a cookie policy that lists what you are using.
7. A "Do Not Sell / Do Not Share" mechanism. If you sell or share personal data with third parties for advertising purposes, several state laws require you to offer consumers a way to opt out. California and Texas require a "Do Not Sell or Share My Personal Information" link on your website. Check if this applies to your situation.
8. An incident response plan. It does not need to be long. At minimum: who to call first (attorney, IT contact), how to document what happened, and which state notification laws apply to your customer base. The businesses that handle breaches well are the ones that made these decisions before they needed to.
9. Employee training. Most data breaches start with a human error: a phished email, a misdirected file, a weak password. Annual privacy and security awareness training for employees who handle personal data is both a best practice and a requirement under several state laws.
10. A privacy policy update schedule. Privacy law is not static. Laws pass, regulations are amended, and enforcement priorities shift. Your privacy policy and internal practices need to be reviewed at least annually, and any time you make a material change to how you collect or use data.
Where to Start
If you do not have any of these in place, start with items 1, 2, and 3. A privacy policy that reflects reality, a basic data inventory, and a process for handling consumer requests will address your most immediate exposure.
If you have some of these in place but are not sure whether they are adequate, that is exactly what a privacy assessment is designed to tell you.
Not sure how you score on this checklist?
Take the free Privacy Readiness Assessment or book a consultation for a deeper look.