Website Checklist for Data Privacy and Security

Setting your website up for full data privacy and security compliance builds trust with your customers and keeps your business safe from liabilities and potential cybersecurity attacks.

But even if you don’t meet the legal thresholds, just look at the data privacy statistics — customers today want to know what you do with their personal information, regardless of applicable legal requirements:

48% of users have stopped buying from a company over privacy concerns. (Tableau)
60% of users say they would spend more money with a brand they trust to handle their personal data responsibly. (Global Consumer State of Mind Report 2021)

If you don’t meet their standards, they’ll look elsewhere.

Below, I’ve compiled three comprehensive website checklists to ensure your site complies with data privacy laws, uses security best practices, and implements the appropriate policies to provide all of your customers with a positive experience.

Table of Contents

Website Privacy Checklist
Website Security Checklist
Additional Website Checklist Items
Summary

Website Privacy Checklist

Here’s an easy-to-follow checklist that explains every legal policy you should create and publish on your website to achieve full privacy compliance and offers tools and solutions to help simplify the process.

Website Security Checklist

As our world becomes more and more digital, online businesses are exposed to more cybersecurity risks, like data breaches and illegal hacking. If the data you collect about your users’ gets compromised, the law holds your business accountable.

Some all-too-common website security threats include:

Malware: The name for any software designed to intentionally cause disruption or leak information from a computer, server, network, or client.
Phishing scams: A type of fraud where an attacker pretends to be a reliable person or entity through email or other forms of communication, but it includes a malicious link or attachment that performs various hacking functions, putting your business at risk.
Ransomware: This is a type of malware that prevents or partially limits you from accessing your system, for example, screen locking and file locking, until you pay a “ransom” to reaccess your systems.
Structured Query Language (SQL) injection: An attack vector that uses malicious code to manipulate backend databases, gaining access to information that otherwise shouldn’t be distributed or shared, including user personal information, business documents, company data, and more.
Cross-site scripting (XSS): When an attacker injects a malicious script into an otherwise trusted app or website, typically spread through an enticing link that tempts a user to click on it.
Distributed denial-of-service (DDoS) attacks: A form of cybercrime where your server is flooded with traffic from thousands of individuals, preventing users from accessing all connected websites and services by overloading the target.
Viruses, worms, and spyware: Viruses are programs that replicate and modify other computer programs. Worms are Trojan horse malware that replicates itself without being activated by human intervention and targets weak security failures. Spyware is malicious software that gathers and shares data from user devices with third parties without user consent.

Here’s a checklist of website cybersecurity best practices you should implement on your platform to prevent yourself from becoming a victim of one of these attacks and to keep the personal information you gather about users safe from breaches.

Website Security Protocols and Procedures Checklist

Get a Secure Sockets Layer or SSL Certificate
- This digital certificate authenticates the identity of your website and allows for encryption, keeping the user data you track safer and more secure.

Use Firewalls
- Firewalls are a network security system that controls the incoming and outgoing traffic based on security rules, and it establishes barriers between a trusted network and an untrusted network.

Implement a Proficient Password Policy
- Implement a business-wide password policy to keep employees trained and accountable, and set guidelines such as password lengths and the types of characters allowed.
- If your users can create logins, remind them they’re responsible for keeping their password private, and implement complex password requirements.

Perform Regular Software Updates
- Update all software your business regularly uses, both internally and externally.
- Hackers typically find holes in outdated software, which leads to many otherwise avoidable cybersecurity attacks.

Create a Comprehensive Backup and Recovery Plan
- Create a protocol for disaster recovery should a cyberattack ever occur.
- Account for things such as employee negligence and multiple attack vectors, and outline a clear timeline for recovery.

Invest in Proper Employee Training
- Perform regular employee training regarding your security practices and protocols to prevent employee negligence from leading to a data breach or cyberattack.
- Cover topics like phishing scams and password best practices.

Implement Strict Access Controls
- Compile a full inventory of all your company’s systems and assets and ensure customer data is only accessible to those with a clear business need. This measure limits your exposure if employee accounts get hacked.

I’ve said it once before, but it’s worth repeating — if your business falls victim to a cyberattack and user personal data gets compromised, laws like the GDPR and the amended CCPA will hold you accountable, leaving you open to fines and other forms of enforcement.

Plan ahead and implement these business best practices now to keep yourself, your employees, and your customers safer online.

Additional Website Checklist Items

There are a few other policies you should post to your website, some of which help address consumer protection laws, while others are best practices that help protect your business and set proper customer expectations.

Check out the table below to see what else you should have on your website.

Summary

By setting up your website for proper data privacy and security compliance, you’re accomplishing two things:

Proving to consumers that your company is trustworthy and transparent
Protecting your business from falling victim to cybercrimes and attacks

Many website policies and protocols can easily be made in minutes using a managed solution, like Termly’s comprehensive suite of compliance solutions.

Plus, plenty of free resources — like customizable and downloadable templates — also exist. So don’t wait.

With these checklists in your toolbox, you’re ready to create a secure, fortified environment online for your new and recurring customers.

More about the author

Written by James Ó Nuanáin, CIPP/E, CIPM, CIPT

James is an Information Privacy Professional with over seven years of experience assisting large organizations comply with their obligations under the GPDR and other local privacy regulations. He is passionate about data privacy and the intersection between law and technology. More about the author

Website Data Privacy Compliance Checklist	Sources and Solutions
Publish a Privacy Policy Provide your company name and contact details List what personal information you collect State why you collect it (legal basis) Disclose how you collect it (include cookies) Explain what you do with it, and why Describe any third parties that you share or sell the data to Disclose how long you retain it for Explain how users can follow through on their data privacy rights (aka, access, deletion, and correction requests)	Required by the: GDPR 🇪🇺 UK GDPR 🇬🇧 CCPA 🇺🇲 CalOPPA 🇺🇲 CDPA 🇺🇲 PIPEDA 🇨🇦 … & more Termly Solution Privacy Policy Generator Privacy Policy Template
Implement Consent Management Auto Blocker: Mechanism to block scripts and cookies from being activated before a user has given informed consent Consent Banner: With proper opt-in or opt-out consent choices depending on applicable laws Cookie Policy: Accurate, up-to-date, and regularly updated Consent Preference Center: So users can change their minds and opt back in or out of your privacy practices DSAR or SAR forms: To provide users with a means for following through on their rights to request to access, correct, or delete their personal data	Required by the: GDPR 🇪🇺 UK GDPR 🇬🇧 CCPA 🇺🇲 CDPA 🇺🇲 LGPD 🇧🇷 PIPEDA 🇨🇦 Privacy Act 🇦🇺 POPIA 🇿🇦 … & more Termly Solution Consent Management Platform Cookie Banner Generator Cookie Scanner
Publish a Cookie Policy Perform a cookie audit on your website to find all cookies or trackers it uses Name and categorize all cookies and trackers, and explain each one If you fall under laws like the GDPR: request opt-in consent for all non-essential cookies, including third-party trackers before placing any on users’ browsers If you fall under laws like the CCPA: – provide a way for consumers to opt out of targeted advertising through things like tracker cookies	Required by the: GDPR 🇪🇺 ePrivacy Directive 🇪🇺 UK GDPR 🇬🇧 CCPA 🇺🇲 CDPA 🇺🇲 … & more Termly Solution Cookie Policy Generator Cookie Policy Template Consent Management Platform
Have a Data Retention Policy Under regulations like the GDPR, you can only store data for as long as necessary to complete the initial purpose stated when you first gathered the data. Create and implement a policy following the applicable laws affecting your business.	Required by the: GDPR 🇪🇺 UK GDPR 🇬🇧 CCPA 🇺🇲 … & more Termly Solution Coming soon
Provide a Data Subject Access Request (DSAR) Form: Based on applicable laws, provide a process for users to request to… Access the personal information you’ve collected about them Amend or correct the personal information you’ve collected about them Delete the personal information you’ve collected about them Provide them their data in a readily-usable format for transmission to other companies Limit the use or processing of the personal information you’ve collected about them	Required by the: GDPR 🇪🇺 UK GDPR 🇬🇧 CCPA 🇺🇲 CDPA 🇺🇲 LGPD 🇧🇷 PIPEDA 🇨🇦 Privacy Act 🇦🇺 POPIA 🇿🇦 … & more Termly Solution Consent Management Solution DSAR/SAR Template
Have a “Do Not Sell Or Share My Personal Information” link If you meet the legal threshold of the amended CCPA, you must provide users with two means for following through on their rights, including one of the following methods: Posting a “Do Not Sell or Share My Personal Information” link in the footer of your website Posting a “Limit the Use of My Sensitive Personal Information” link in the footer of your website or; Combining the two links as long as it’s obvious that the link allows them to follow up on their privacy rights	Required by the: CCPA 🇺🇲 Termly Solution Consent Management Solution
Have a Data Processing Agreement (DPA) Obligate third-party processors to act solely on your instructions when processing your customers’ data Require third-party entity to protect personal information using strict security requirements following current best practice and all applicable data privacy laws Mandate that processors provide reasonable assistance in complying with your obligations under applicable law Include provisions required when transferring data outside your jurisdiction	Required by the: GDPR 🇪🇺 UK GDPR 🇬🇧 CCPA 🇺🇲 CDPA 🇺🇲 … and more! Termly Solution Coming soon
Have a Terms and Conditions Agreement This policy protects your business from liabilities, abusive users, and intellectual property theft. Include clauses that limit your liabilities Outline rules of use for posting comments, content, or other communications on your platform Establish your intellectual property rights Set your payment terms Inform users about your dispute resolutions and governing laws Publish disclaimers and disclosures *This policy has many titles, like terms of use, terms of service, website terms, and general conditions.	Technically, not required by any laws Is a business best practice and protects you Termly Solution Terms and Conditions Generator Terms and Conditions Template
Publish Disclosures These explain (or disclose) important or necessary details to your consumers Affiliate link disclosure Fair use disclosure Shipping and handling disclosure Return policy disclosure Disclosure of payment terms Dispute resolution disclosure Governing laws disclosure	May be required by consumer protection laws like: HIPAA Copyright Act COPPA Enforced by groups like The FTC The CMA Termly Solution Disclaimer Generator Disclaimer Template (because these are similar to disclaimers, our tools are combined into one!)
Publish Disclaimers These remove (or disclaim) liabilities and responsibilities from your plate Limits of Liability or No Responsibility Copyright disclaimer Testimonial disclaimer Views expressed disclaimer Warranty disclaimer Product disclaimer Advice disclaimer — medical, legal, financial, health, etc. Third party disclaimer DMCA Notice	May be required by consumer protection laws like: HIPAA Copyright Act COPPA Enforced by groups like The FTC The CMA Termly Solution Disclaimer Generator Disclaimer Template

Additional Policies Your Website May Need	Sources and Solutions
Publish a Return and Refund Policy While not required by law, if you don’t post a return policy stating otherwise, in some US states, you must provide a full refund in specific situations. In the UK, consumers can change their minds and request a refund for any reason within a specific number of days.	Publish one to: Set proper customer expectations Streamline your customer services Termly Solution Return and Refund Policy Generator Return and Refund Policy Template
Publish a Shipping Policy Post a shipping policy to inform customers how much shipping might cost, where you ship, and what delivery options are available. While not legally required, this is a necessary policy for any ecommerce business.	Publish one to: Set proper customer expectations Streamline your customer services Termly Solution Shipping Policy Generator Shipping Policy Template
Have an End-use License Agreement If you sell software, you technically are providing users with a temporary license to use it, not to own it. Create a EULA to explain these ownership rights, state what the license entails, and outline what users can and cannot do with your software.	Termly Solution EULA Generator EULA Template
Make Your Website Accessible Make your website accessible to as many types of visitors as possible by achieving Website Content Accessibility Guidelines (WCAG) 2.1 compliance. Follow the U.S. Department of Health and Human Services (HHS) accessibility training guide. Federal agencies are subject to following Section 508.	Required by the: U.S Department of Justice Guidance on Americans with Disabilities Act (ADA)
Copyright and Trademark Compliance Post a copyright disclaimer in the footer of your website to remind users that you’re retaining ownership over your creative content. Explain what intellectual property rights you’re retaining in a clause in your terms and conditions. Trademark your business’s branding and logos, and explain what rights you’re retaining over those images in a clause in your terms and conditions. Add a Digital Millennium Copyright Act (DMCA) disclosure to your terms and conditions to explain to users how a DMCA notice will be handled, should one occur.	Required by the: Copyright Law of the United States (Title 17) Digital Millennium Copyright Act (DMCA) U.S. Trademark Law Termly Solution Terms and Conditions Generator Terms and Conditions Template Disclaimer Generator Disclaimer Template

What Is the IAB’s Global Privacy Platform (IAB GPP)?

American Privacy Rights Act (APRA): First Look & Summary

109 Biggest Data Breaches, Hacks, and Exposures as of 2024

New Zealand Data Privacy Act 2020 Explained

Cookie Walls: Are They GDPR Compliant?

Personal vs. Sensitive Personal Information

Privacy Policy for Hotel Websites

Privacy Policy for Gym Websites

Privacy Policy for Real Estate Websites