Website Checklist for Data Privacy and Security

James Ó Nuanáin, CIPP/E, CIPM, CIPT

written by James Ó Nuanáin, CIPP/E, CIPM, CIPT June 15, 2023

Take Compliance Quiz
Website-Checklist-for-Data-Privacy-and-Security-01

Setting your website up for full data privacy and security compliance builds trust with your customers and keeps your business safe from liabilities and potential cybersecurity attacks.

But even if you don’t meet the legal thresholds, just look at the data privacy statistics — customers today want to know what you do with their personal information, regardless of applicable legal requirements:

If you don’t meet their standards, they’ll look elsewhere.

Below, I’ve compiled three comprehensive website checklists to ensure your site complies with data privacy laws, uses security best practices, and implements the appropriate policies to provide all of your customers with a positive experience.

Table of Contents
  1. Website Privacy Checklist
  2. Website Security Checklist
  3. Additional Website Checklist Items
  4. Summary

Website Privacy Checklist

Here’s an easy-to-follow checklist that explains every legal policy you should create and publish on your website to achieve full privacy compliance and offers tools and solutions to help simplify the process.

Website Data Privacy Compliance Checklist Sources and Solutions
  • Publish a Privacy Policy

    • Provide your company name and contact details
    • List what personal information you collect
    • State why you collect it (legal basis)
    • Disclose how you collect it (include cookies)
    • Explain what you do with it, and why
    • Describe any third parties that you share or sell the data to
    • Disclose how long you retain it for
    • Explain how users can follow through on their data privacy rights (aka, access, deletion, and correction requests)
Required by the:

  • GDPR 🇪🇺
  • UK GDPR 🇬🇧
  • CCPA 🇺🇲
  • CalOPPA 🇺🇲
  • CDPA 🇺🇲
  • PIPEDA 🇨🇦
  • … & more

Termly Solution

  • Implement Consent Management

    • Auto Blocker: Mechanism to block scripts and cookies from being activated before a user has given informed consent
    • Consent Banner: With proper opt-in or opt-out consent choices depending on applicable laws
    • Cookie Policy: Accurate, up-to-date, and regularly updated
    • Consent Preference Center: So users can change their minds and opt back in or out of your privacy practices
    • DSAR or SAR forms: To provide users with a means for following through on their rights to request to access, correct, or delete their personal data
Required by the:

  • GDPR 🇪🇺
  • UK GDPR 🇬🇧
  • CCPA 🇺🇲
  • CDPA 🇺🇲
  • LGPD 🇧🇷
  • PIPEDA 🇨🇦
  • Privacy Act 🇦🇺
  • POPIA 🇿🇦
  • … & more

Termly Solution

  • Publish a Cookie Policy

    • Perform a cookie audit on your website to find all cookies or trackers it uses
    • Name and categorize all cookies and trackers, and explain each one
    • If you fall under laws like the GDPR: request opt-in consent for all non-essential cookies, including third-party trackers before placing any on users’ browsers
    • If you fall under laws like the CCPA: – provide a way for consumers to opt out of targeted advertising through things like tracker cookies
Required by the:

  • GDPR 🇪🇺
  • ePrivacy Directive 🇪🇺
  • UK GDPR 🇬🇧
  • CCPA 🇺🇲
  • CDPA 🇺🇲
  • … & more

Termly Solution

  • Have a Data Retention Policy

    • Under regulations like the GDPR, you can only store data for as long as necessary to complete the initial purpose stated when you first gathered the data.
    • Create and implement a policy following the applicable laws affecting your business.
Required by the:

  • GDPR 🇪🇺
  • UK GDPR 🇬🇧
  • CCPA 🇺🇲
  • … & more

Termly Solution

  • Coming soon
  • Provide a Data Subject Access Request (DSAR) Form: 

    • Based on applicable laws, provide a process for users to request to…
    • Access the personal information you’ve collected about them
    • Amend or correct the personal information you’ve collected about them
    • Delete the personal information you’ve collected about them
    • Provide them their data in a readily-usable format for transmission to other companies
    • Limit the use or processing of the personal information you’ve collected about them
Required by the:

  • GDPR 🇪🇺
  • UK GDPR 🇬🇧
  • CCPA 🇺🇲
  • CDPA 🇺🇲
  • LGPD 🇧🇷
  • PIPEDA 🇨🇦
  • Privacy Act 🇦🇺
  • POPIA 🇿🇦
  • … & more

Termly Solution

  • Have a “Do Not Sell Or Share My Personal Information” link

    • If you meet the legal threshold of the amended CCPA, you must provide users with two means for following through on their rights, including one of the following methods:
    • Posting a “Do Not Sell or Share My Personal Information” link in the footer of your website
    • Posting a “Limit the Use of My Sensitive Personal Information” link in the footer of your website or;
    • Combining the two links as long as it’s obvious that the link allows them to follow up on their privacy rights
Required by the:

  • CCPA 🇺🇲

Termly Solution

  • Have a Data Processing Agreement (DPA)

    • Obligate third-party processors to act solely on your instructions when processing your customers’ data
    • Require third-party entity to protect personal information using strict security requirements following current best practice and all applicable data privacy laws
    • Mandate that processors provide reasonable assistance in complying with your obligations under applicable law
    • Include provisions required when transferring data outside your jurisdiction
Required by the:

  • GDPR 🇪🇺
  • UK GDPR 🇬🇧
  • CCPA 🇺🇲
  • CDPA 🇺🇲
  • … and more!

Termly Solution

  • Coming soon
  • Have a Terms and Conditions Agreement

    • This policy protects your business from liabilities, abusive users, and intellectual property theft.
    • Include clauses that limit your liabilities
    • Outline rules of use for posting comments, content, or other communications on your platform
    • Establish your intellectual property rights
    • Set your payment terms
    • Inform users about your dispute resolutions and governing laws
    • Publish disclaimers and disclosures
    • *This policy has many titles, like terms of use, terms of service, website terms, and general conditions.
Technically, not required by any laws

  • Is a business best practice and protects you

Termly Solution

May be required by consumer protection laws like:

  • HIPAA
  • Copyright Act
  • COPPA

Enforced by groups like

Termly Solution

May be required by consumer protection laws like:

Enforced by groups like

  • The FTC
  • The CMA

Termly Solution

Website Security Checklist

As our world becomes more and more digital, online businesses are exposed to more cybersecurity risks, like data breaches and illegal hacking. If the data you collect about your users’ gets compromised, the law holds your business accountable.

Some all-too-common website security threats include:

Here’s a checklist of website cybersecurity best practices you should implement on your platform to prevent yourself from becoming a victim of one of these attacks and to keep the personal information you gather about users safe from breaches.

Website Security Protocols and Procedures Checklist
  • Get a Secure Sockets Layer or SSL Certificate

    • This digital certificate authenticates the identity of your website and allows for encryption, keeping the user data you track safer and more secure.
  • Use Firewalls

    • Firewalls are a network security system that controls the incoming and outgoing traffic based on security rules, and it establishes barriers between a trusted network and an untrusted network.
  • Implement a Proficient Password Policy

    • Implement a business-wide password policy to keep employees trained and accountable, and set guidelines such as password lengths and the types of characters allowed.
    • If your users can create logins, remind them they’re responsible for keeping their password private, and implement complex password requirements.
  • Perform Regular Software Updates

    • Update all software your business regularly uses, both internally and externally.
    • Hackers typically find holes in outdated software, which leads to many otherwise avoidable cybersecurity attacks.
  • Create a Comprehensive Backup and Recovery Plan

    • Create a protocol for disaster recovery should a cyberattack ever occur.
    • Account for things such as employee negligence and multiple attack vectors, and outline a clear timeline for recovery.
  • Invest in Proper Employee Training

    • Perform regular employee training regarding your security practices and protocols to prevent employee negligence from leading to a data breach or cyberattack.
    • Cover topics like phishing scams and password best practices.
  • Implement Strict Access Controls

    • Compile a full inventory of all your company’s systems and assets and ensure customer data is only accessible to those with a clear business need. This measure limits your exposure if employee accounts get hacked.

I’ve said it once before, but it’s worth repeating — if your business falls victim to a cyberattack and user personal data gets compromised, laws like the GDPR and the amended CCPA will hold you accountable, leaving you open to fines and other forms of enforcement.

Plan ahead and implement these business best practices now to keep yourself, your employees, and your customers safer online.

Additional Website Checklist Items

There are a few other policies you should post to your website, some of which help address consumer protection laws, while others are best practices that help protect your business and set proper customer expectations.

Check out the table below to see what else you should have on your website.

Additional Policies Your Website May Need Sources and Solutions
  • Publish a Return and Refund Policy

    • While not required by law, if you don’t post a return policy stating otherwise, in some US states, you must provide a full refund in specific situations.
    • In the UK, consumers can change their minds and request a refund for any reason within a specific number of days.
Publish one to:

  • Set proper customer expectations
  • Streamline your customer services

Termly Solution

  • Publish a Shipping Policy

    •  Post a shipping policy to inform customers how much shipping might cost, where you ship, and what delivery options are available.
    • While not legally required, this is a necessary policy for any ecommerce business.
Publish one to:

  • Set proper customer expectations
  • Streamline your customer services

Termly Solution

  • Have an End-use License Agreement

    • If you sell software, you technically are providing users with a temporary license to use it, not to own it.
    •  Create a EULA to explain these ownership rights, state what the license entails, and outline what users can and cannot do with your software.
Termly Solution

Required by the:

  • Copyright and Trademark Compliance

    • Post a copyright disclaimer in the footer of your website to remind users that you’re retaining ownership over your creative content.
    • Explain what intellectual property rights you’re retaining in a clause in your terms and conditions.
    • Trademark your business’s branding and logos, and explain what rights you’re retaining over those images in a clause in your terms and conditions.
    • Add a Digital Millennium Copyright Act (DMCA) disclosure to your terms and conditions to explain to users how a DMCA notice will be handled, should one occur.
Required by the:

Termly Solution

Summary

By setting up your website for proper data privacy and security compliance, you’re accomplishing two things:

  1. Proving to consumers that your company is trustworthy and transparent
  2. Protecting your business from falling victim to cybercrimes and attacks

Many website policies and protocols can easily be made in minutes using a managed solution, like Termly’s comprehensive suite of compliance solutions.

Plus, plenty of free resources — like customizable and downloadable templates — also exist. So don’t wait.

With these checklists in your toolbox, you’re ready to create a secure, fortified environment online for your new and recurring customers.

James Ó Nuanáin, CIPP/E, CIPM, CIPT
More about the author

Written by James Ó Nuanáin, CIPP/E, CIPM, CIPT

James is an Information Privacy Professional with over seven years of experience assisting large organizations comply with their obligations under the GPDR and other local privacy regulations. He is passionate about data privacy and the intersection between law and technology. More about the author

Related Articles

Explore more resources