A mid-sized company may never think of itself as a "data company," yet by the only definition that matters to regulators it is one of the largest data businesses in its zip code. The day it discovers this is usually a bad day — a deletion request it cannot honor, a regulator's letter, a class-action demand, or a breach that exposes how little anyone could say about where the data even lived. The companies that weather those days are not the ones with the thickest privacy policy; they are the ones with a program: a living system of people, processes, and documentation that lets the business know what data it holds, why, what the law requires, and how it proves all of that on demand.

Start with the word "program." A policy is a document that goes stale the moment the ink dries; a program adapts, because privacy law changes monthly, your data changes daily, and your vendors change quarterly. Work this checklist roughly in order — governance and a data map come first because almost every other decision flows from them. None of this is legal advice for your situation.

Phase 1 — Governance: Name an Accountable Owner

  • Secure a senior sponsor (general counsel, chief compliance officer, or CEO) and a board-level acknowledgment that privacy is a corporate risk
  • Choose a structure: the chief privacy officer (CPO) model (preferred — one accountable person with authority) over the working-group/council model (diffused ownership erodes into no ownership)
  • Give the privacy lead real authority to set policy and to tell a revenue team it cannot ship a feature as designed
  • Determine whether the GDPR/UK GDPR requires a data protection officer (DPO) with guaranteed independence (Articles 37–39) and protection from being penalized for the role
  • Wire in cross-functional liaisons: legal, CIO/CISO, marketing/sales, HR, records management, and internal audit

A privacy program lives or dies on a single question: who, by name, is accountable when something goes wrong? If the answer is "everyone," it is "no one," and the program is theater. A privacy office with responsibility but no authority is a liability generator, because it documents in writing all the things the company knew it should do and then did not. The CPO model grants one person the authority to decide and creates a clear answer when a regulator or court asks "who was responsible?" Where the EU is involved, a DPO who can be fired for delivering bad news is not a DPO within the meaning of the regulation.

Phase 2 — Map the Data

  • For every meaningful category of personal information, capture: what is collected, whether any is sensitive (SSNs, health, financial, precise geolocation, biometrics), where it lives (inside and at third parties), cross-border flows, the security protecting it, and the internal owner
  • Build a data map / record of processing (database or diagram) capturing use, sharing, storage, retention, transfers, point of collection, and third-party access
  • At minimum, ensure the privacy office understands what categories the business collects and where they are collected and stored
  • Keep the map current; it is the foundation for notices, DSARs, breach analysis, and minimization

You cannot protect, govern, or lawfully delete data you cannot find, so this is the first real project — before a single policy is drafted — and it is where most programs are weakest. A full data map is time-consuming, which is why many companies never finish one, but the minimum above (knowing which categories are collected and where they are collected and stored) is not optional. When a deletion request later arrives, the difference between honoring it in a day and flailing for a month is whether someone already knew the data sits in the primary database, a backup, an analytics warehouse, and a marketing platform. You cannot minimize what you have not inventoried.

Phase 3 — Analyze the Legal Patchwork

  • Treat FTC Section 5 (15 U.S.C. § 45) as the federal baseline: your public privacy promises are legally enforceable, and inadequate security is independently actionable (FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015))
  • Assess CCPA/CPRA coverage (thresholds: >$25M revenue; 100,000+ CA consumers/households; or 50%+ revenue from selling/sharing PI) and its rights, sensitive-PI category, and private right of action for certain breaches
  • Survey the state laws (~20 states as of 2026 — Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and a growing list) with their controller/processor architecture, opt-outs, and data-protection-assessment duties
  • Assess GDPR reach (offering goods/services to, or monitoring, people in the EU), its lawful-basis and accountability principles, 72-hour breach notice, DPIAs, and transfer rules
  • Identify applicable sectoral statutes: HIPAA (PHI and business associates), GLBA (financial NPI and the Safeguards Rule), COPPA (children under 13, verifiable parental consent), FCRA, and state biometric laws (e.g., Illinois BIPA)
  • Adopt the design rule: build to the strictest applicable standard for each obligation and apply it broadly

There is no comprehensive federal privacy law, so the program is in large part the institutional machinery for surviving the patchwork without going mad. Section 5 is the closest thing to a federal baseline — a practice is deceptive when a company says one thing and does another, and unfair when it causes substantial, unavoidable consumer injury. California functions as a de facto national standard. State laws share a GDPR-derived architecture but diverge in thresholds, definitions, and cure periods, so a program that hard-codes California's rules will misfire in Colorado. Building to GDPR standards tends to satisfy most lesser regimes, which is why even companies with no EU obligations often treat it as a best-practices baseline.

Phase 4 — Anchor the Program and Build the Roadmap

  • Anchor to neutral, law-agnostic frameworks: the Fair Information Practice Principles (FIPPs) and the NIST Privacy Framework's five functions (Identify, Govern, Control, Communicate, Protect)
  • Build a compliance roadmap covering the next 6–12 months, prioritized by risk to be mitigated, cost to implement, and speed/ease of achievement
  • Attack high-risk items and easy wins first; defer expensive, low-risk, hard items
  • Revisit the roadmap roughly every six months

Rather than building to any single law, anchor the program to a neutral framework that maps onto all of them, so it bends gracefully as laws change rather than needing to be rebuilt. The roadmap turns analysis into action and, not incidentally, demonstrates good faith to a regulator — it shows the company identified its gaps and was methodically closing them, often the difference between a warning and a penalty. A roadmap that reskins the cookie banner while ignoring the unencrypted database of Social Security numbers has its priorities exactly inverted.

Phase 5 — Stand Up the Operational Machinery

  • Draft accurate privacy notices (website, mobile app, offline, employee) reconciled against the data map, with CCPA/CPRA and GDPR (Arts. 13–14) mandatory content — and the "Do Not Sell or Share My Personal Information" link where applicable
  • Build a DSAR / consumer-rights process: recognized intake channels, identity verification, a way to find the requester's data across all systems, correct application of exemptions, and a log of every request and disposition
  • Stand up vendor and DPA management: a vendor inventory, due diligence before onboarding, a standard data processing agreement (GDPR Art. 28; state controller/processor terms; HIPAA BAA under 45 C.F.R. § 164.504(e)), ongoing monitoring, and clean offboarding
  • Institute DPIAs / data-protection assessments for higher-risk processing (GDPR Art. 35; state laws for targeted ads, sale, profiling, sensitive data) and embed privacy by design and by default (GDPR Art. 25)
  • Coordinate security safeguards (access controls, encryption at rest and in transit, monitoring) and a tested, rehearsed incident-response plan keyed to the right notification clocks (GDPR 72 hours; all 50 state laws; HIPAA/GLBA)
  • Deliver training at least annually (role-specific for those handling sensitive data, products, or vendors)
  • Enforce retention and minimization with a records-retention schedule and deletion/de-identification processes

Privacy notices are a legally enforceable promise under Section 5, so a beautiful notice describing practices the company does not follow is worse than no notice at all. The DSAR process is the program's public stress test — a deletion request you cannot fulfill is a violation you have documented, and a process that works for ten requests collapses under a thousand. Vendors are a primary driver of privacy risk; many of the largest incidents originate in a vendor's systems. The DPIA forces the privacy team into the room at the start of a project, which is the essence of privacy by design. Encryption deserves special mention: several breach-notification regimes treat properly encrypted data as effectively unbreached — a literal safe harbor. And data you have already lawfully deleted cannot be breached, subpoenaed, or made the subject of a deletion request; over-retention converts a dormant asset into a standing liability.
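As an added example (not code from this checklist, nor any company's or vendor's tooling), the Python below sketches the Phase 2 data map as a record of processing and shows the Phase 5 operations it enables: finding every system that must be searched for a consumer-rights request, splitting a deletion request into in-house deletions and vendor instructions, flagging copies held past their retention schedule, scoping a breach of a single system (including whether encryption may keep it out of notification scope), and writing the DSAR log entry that Phase 6 later relies on. The retailer, system names, owners, retention periods and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class ProcessingRecord:
    """One row of the record of processing: one category of personal data in one system."""
    category: str            # category of personal information
    system: str              # where this copy lives
    owner: str               # internal accountable owner
    purpose: str             # why it is processed
    sensitive: bool          # SSN, health, financial, precise geolocation, biometrics
    vendor: bool             # held at a third party (needs a DPA / BAA and offboarding)
    retention_days: int      # retention schedule for this copy
    encrypted_at_rest: bool
    regions: tuple = ("US",)  # storage locations, for cross-border analysis


# Constructed sample data map for a fictional retailer; every name here is invented.
DATA_MAP = [
    ProcessingRecord("customer_contact", "orders-db", "VP Engineering", "order fulfilment", False, False, 365 * 7, True),
    ProcessingRecord("customer_contact", "nightly-backup", "VP Engineering", "disaster recovery", False, False, 90, True),
    ProcessingRecord("customer_contact", "analytics-warehouse", "Head of Data", "product analytics", False, False, 365 * 2, False),
    ProcessingRecord("customer_contact", "email-marketing-saas", "CMO", "marketing", False, True, 365 * 3, True, ("US", "EU")),
    ProcessingRecord("payment_card", "payments-processor", "CFO", "billing", True, True, 365 * 7, True),
    ProcessingRecord("employee_ssn", "hr-system", "Head of HR", "payroll", True, False, 365 * 7, False),
]


def systems_holding(category):
    """Every system that must be searched (or instructed) for a request about `category`."""
    return sorted({r.system for r in DATA_MAP if r.category == category})


def deletion_plan(category):
    """Split a deletion request into in-house deletions and instructions to vendors under the DPA."""
    in_house = sorted(r.system for r in DATA_MAP if r.category == category and not r.vendor)
    vendors = sorted(r.system for r in DATA_MAP if r.category == category and r.vendor)
    return {"in_house": in_house, "vendors": vendors}


def overdue_copies(today_iso, collected_on_iso):
    """Copies held past their retention schedule, assuming one collection date for all rows.

    Returns (system, category) pairs the schedule says should already be deleted or de-identified.
    """
    today = date.fromisoformat(today_iso)
    collected_on = date.fromisoformat(collected_on_iso)
    return [(r.system, r.category) for r in DATA_MAP
            if today > collected_on + timedelta(days=r.retention_days)]


def breach_triage(compromised_system):
    """What a breach of one system exposes. `notification_likely` is True when any exposed copy
    is unencrypted; several breach regimes treat properly encrypted data as a safe harbor, but
    the final call still belongs to counsel."""
    exposed = [r for r in DATA_MAP if r.system == compromised_system]
    return {
        "categories": sorted({r.category for r in exposed}),
        "sensitive": any(r.sensitive for r in exposed),
        "notification_likely": any(not r.encrypted_at_rest for r in exposed),
    }


def sensitive_unencrypted():
    """Roadmap input: sensitive data sitting unencrypted, the high-risk items to attack first."""
    return [(r.system, r.category) for r in DATA_MAP if r.sensitive and not r.encrypted_at_rest]


def log_request(log, request_id, kind, category, received_iso, disposition):
    """Append one consumer-rights request to the DSAR log, recording which systems were searched
    so the disposition can be evidenced later."""
    entry = {
        "request_id": request_id,
        "kind": kind,                    # e.g. "access", "deletion", "opt-out"
        "category": category,
        "received": received_iso,
        "systems_searched": systems_holding(category),
        "disposition": disposition,      # e.g. "fulfilled" or "denied: <exemption>"
    }
    log.append(entry)
    return entry


if __name__ == "__main__":
    print("deletion plan:", deletion_plan("customer_contact"))
    print("overdue copies:", overdue_copies("2026-01-01", "2025-01-01"))
    print("breach of hr-system:", breach_triage("hr-system"))
    print("unencrypted sensitive data:", sensitive_unencrypted())
```

The point of the shape is that one inventory answers four different questions (DSAR scope, retention, breach scope, roadmap priorities), which is why the checklist puts the map before every policy. A real program would keep the rows in a database with version history rather than a Python list, but the queries stay the same.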

Phase 6 — Accountability: Document, Monitor, Audit

  • Maintain the documentation spine: data map, risk assessments, privacy notices and version history, training records, audit reports, DPIAs, vendor agreements and inventory, the DSAR log, the incident-response plan, and records of incidents and their handling (GDPR Art. 30 record of processing)
  • Conduct periodic audits with independence from the day-to-day program, benchmarking reality against the compliance plan and feeding gaps back into the roadmap
  • Evaluate and revise controls continually, because the data, vendors, technology, and law never stop changing

A program that works perfectly but cannot demonstrate that it works is, from a regulator's chair, indistinguishable from one that does nothing. Documentation is not bureaucratic busywork; it is the program's evidentiary spine, the thing that converts "we tried" into "here is the evidence" when a regulator inquires, a plaintiff sues, or a board asks for assurance. A privacy program is less like a building you finish and more like a garden you tend.

Common Mistakes

  • Confusing a privacy policy (one document) with a privacy program (the system that makes the policy true) — and having a polished policy with no program behind it, which converts an operational gap into a deceptive-practices violation.
  • Naming "everyone" as responsible for privacy, so no one is.
  • Skipping the data map, then being unable to fulfill a deletion request or answer a regulator's letter.
  • Hard-coding California's rules and misfiring in Colorado, Virginia, or under the GDPR.
  • Letting the privacy notice and the actual data practices drift apart.
  • Treating breach response as a document in a drawer rather than a rehearsed playbook with known clocks.
  • Over-retaining data, enlarging the attack surface and the litigation/subpoena/DSAR surface alike.

Primary Authority

  • Federal baseline: FTC Act § 5, 15 U.S.C. § 45; FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015).
  • California: CCPA, Cal. Civ. Code § 1798.100 et seq., as amended by the CPRA; the California Privacy Protection Agency.
  • GDPR: Regulation (EU) 2016/679, Arts. 5 (principles), 6 (lawful basis), 13–14 (notice), 25 (privacy by design), 28 (processor contracts), 30 (records), 33–34 (breach), 35 (DPIA), 37–39 (DPO).
  • Sectoral: HIPAA (45 C.F.R. Parts 160 and 164, including § 164.504(e) BAAs); GLBA and the FTC Safeguards Rule (16 C.F.R. Part 314); COPPA, 15 U.S.C. §§ 6501–6506 and 16 C.F.R. Part 312; FCRA; Illinois BIPA, 740 ILCS 14.
  • Frameworks: Fair Information Practice Principles; NIST Privacy Framework v1.0.

Privacy law changes rapidly; verify current thresholds, deadlines, and the state-law count at official sources.

This checklist is general information, not legal advice. Privacy law varies by jurisdiction and changes rapidly; the application of any law to your specific facts requires the judgment of qualified counsel. Consult a licensed attorney before making decisions about your privacy compliance program.