The 2021 Privacy Compliance Checklist for California Businesses

May 26, 2021

Here’s how it works:

Check the items only when you’ve satisfied every criterion. If any item is left unchecked, you need to act quickly, but don’t worry. We’re here to help. Fill out the form at the end if you need some assistance.



Do you understand what personal information (including sensitive information) your business collects? And do you know how it is collected?
    • Personal information includes details that, alone or in combination with other information, may identify a specific individual. This includes details such as names, email addresses, unique device identifiers, internet browsing history, and information about a person’s interaction with a website, mobile app, email, or advertisement. Under California law, personal information also includes information on individual households. Do you understand your obligations with respect to the types of data you collect?
    • Information about an individual’s health, finances, and biometrics, and information about children, is considered sensitive information and comes with more robust privacy obligations. If you collect these sorts of details, you have to take extra care and adhere to stricter compliance requirements. Have you evaluated the data you collect to determine whether any of it may be sensitive information? Have you put extra safeguards in place for the sensitive information in your care?

Do you know where the data you collect and the digital material and information you produce are stored?
    • Just because your web developer is local doesn’t mean your data is stored locally. They may host the information in another state or country. Your contractors and third-party providers (consider email marketing platforms, virtual desktops, document management systems, etc.) may also store data out of state or internationally. When you transfer personal information across borders, certain requirements may apply. Have you investigated where your data is being stored?
    • The laws in some jurisdictions give individuals the right to access the personal information businesses hold about them, to ask that it be corrected or updated, and to ask that it be deleted or transferred on request. If you received one of these requests from a user, would you be able to quickly find all the places your business has stored that person’s information? Would you be able to honor a request to update, delete, or transfer a user’s personal data?

Is the data you collect stored securely?
    • Have you conducted risk assessments to determine the sensitivity of the data you collect and store?
    • Have you implemented protections scaled to that risk level? The FTC’s data security guidance is a useful starting place for assessing your data security.
    • Do you use physical security controls to deter or prevent theft of, or tampering with, all devices and computing assets used in your business?
    • Do you have technical protections (like antivirus and encryption mechanisms) installed or configured on all devices and computing assets used in your business?
    • Do you restrict access to personal information to only those employees and third-party contractors with a “need to know”?
    • Do you have strict internal password requirements for employees and third-party contractors?
    • Do you ensure that information is disposed of securely when it is no longer needed?

Does your business have the following internal and external policies?
    • Public-facing privacy notices, such as a web privacy policy, website terms of use, cookie policy, cookie pop-up, and just-in-time data collection notices.
    • Internal governance policies, such as an information security policy, incident response policy, vendor management policy, bring-your-own-device and work-from-home policies, and business continuity and disaster recovery policies.

Do you provide privacy and security awareness training for your employees?

If you collect personal or sensitive information, are you compliant with all relevant data collection laws?
    • Have you considered all jurisdiction-specific laws? For instance, if you collect information from European residents, are you compliant with the GDPR (General Data Protection Regulation)? If you collect information from California users, are you compliant with the CCPA (California Consumer Privacy Act) (soon to be replaced by the CPRA (California Privacy Rights Act))?
    • Have you considered all laws that apply to specific types of information? For instance, if you collect health information, are you compliant with HIPAA (Health Insurance Portability and Accountability Act)? If you collect financial or credit information, have you considered your obligations under the FCRA (Fair Credit Reporting Act) and GLBA (Gramm-Leach-Bliley Act)?
    • Have you considered all laws that apply to specific types of individuals? For instance, if you collect information from children under the age of 13, are you compliant with COPPA (Children’s Online Privacy Protection Act)? Are you aware of the special considerations for children between the ages of 13 and 16 under California law?

Are your marketing emails CAN-SPAM compliant?
    • Emails sent by businesses that contain “commercial content” (content that promotes products or services) are governed by the federal CAN-SPAM Act. You are required to:
        • Accurately identify the sender
        • Use clear, accurate subject lines
        • Identify your emails as an advertisement
        • Provide a valid physical postal address
        • Tell recipients how to opt out
        • Honor opt-out requests promptly
        • Ensure third-party marketers comply on your behalf

Does your business have (and regularly test) a comprehensive Incident Response Plan?
    • Have you identified relevant staff to lead efforts to contain and/or stop a breach?
    • Have you developed pre-prepared communications to inform your users, service providers, business partners, law enforcement and regulatory agencies, and the media about a breach?
    • Are you aware of all your relevant reporting obligations and statutory timeframes for sending notices?

Does your business have an internal accountability framework for privacy compliance?
    • Do you provide for routine review of your privacy compliance documents and processes?
    • Does anyone routinely monitor for changes to the privacy landscape in any jurisdiction from which you collect personal data?
    • Do you have a framework that allocates responsibility to specific managerial staff members for your business’s privacy compliance?

The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.