Pixeltree

Compliance

CCPA and GDPR Privacy Compliance Audit

Privacy compliance audit for DTC brands covering CCPA, CPRA, GDPR, state-level US privacy laws, and the operational controls that actually implement them.

What you get

Deliverables, not deliverable-ish.

Scoped plan

Written scope with success criteria, not a vague retainer.

Senior execution

The person scoping the work is the person doing the work.

Measurable output

Deliverables you can point at. Dashboards, flows, code, docs.

Clean handoff

Documentation and training so the work lives inside your team.

How we work

Our approach.

The problem privacy compliance audits solve

Your cookie banner fires on page load. Your privacy policy was written by a template generator in 2021 and references California law that was superseded in 2023. Your Klaviyo flows segment on custom properties derived from Shopify fields your privacy policy does not mention. Your Meta pixel fires before consent. Your data subject access request process is a shared inbox that nobody has checked in six weeks. Each of these is a finding. Together they constitute a regulatory exposure that a state attorney general or class action firm can document in a single afternoon.
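The "pixel fires before consent" finding is the one that is easiest to prove from a network capture and easiest to fix in code. The block below is an added example, not Pixeltree's code or any consent management platform's SDK. It assumes three tracker URL patterns and a constructed, HAR-style request log with a consent event in it; a real audit would draw the patterns from the processor register and the log from a browser capture. Part one is the audit check; part two is the gated loading pattern that would have prevented the finding.

```javascript
// Added example: detect marketing tags that fired before consent, and the
// gated-loader pattern that fixes it. Not code from Pixeltree.

// Assumption: three URL patterns stand in for the full processor register.
const MARKETING_TAGS = [
  { name: 'meta-pixel', pattern: /facebook\.com\/tr\b/ },
  { name: 'tiktok-pixel', pattern: /analytics\.tiktok\.com\/.*\/pixel/ },
  { name: 'google-ads', pattern: /googleads\.g\.doubleclick\.net/ },
];

// Part 1: audit check over a request log.
// events: { t, type: 'request', url } or
//         { t, type: 'consent', categories: { marketing: 'granted' | 'denied' } }
// Returns names of marketing tags requested before the first grant of the
// 'marketing' category, or at any time if marketing was never granted.
function findTagsFiredBeforeConsent(events) {
  const grantAt = events
    .filter(e => e.type === 'consent' && e.categories.marketing === 'granted')
    .map(e => e.t)
    .sort((a, b) => a - b)[0]; // undefined when marketing was never granted
  const findings = [];
  for (const e of events) {
    if (e.type !== 'request') continue;
    const tag = MARKETING_TAGS.find(tg => tg.pattern.test(e.url));
    if (!tag) continue;
    if (grantAt === undefined || e.t < grantAt) findings.push(tag.name);
  }
  return [...new Set(findings)];
}

// Constructed sample log: banner shown at t=0, Meta pixel fires at 120 ms,
// visitor accepts at 4200 ms, TikTok pixel fires only after that.
const SAMPLE_EVENTS = [
  { t: 0, type: 'request', url: 'https://shop.example/' },
  { t: 120, type: 'request', url: 'https://www.facebook.com/tr?id=123&ev=PageView' },
  { t: 4200, type: 'consent', categories: { marketing: 'granted' } },
  { t: 4300, type: 'request', url: 'https://analytics.tiktok.com/i18n/pixel/events.js' },
];

// Part 2: hold each tag loader until its consent category is granted.
class ConsentGate {
  constructor(initial = { necessary: 'granted' }) {
    this.state = { ...initial }; // category -> 'granted' | 'denied'
    this.pending = {};           // category -> queued loaders
    this.fired = [];             // audit trail of loaders that actually ran
  }
  // Runs the loader now only if the category is already granted; otherwise
  // queues it. Returns whether it ran.
  register(name, category, loader) {
    if (this.state[category] === 'granted') {
      this.fired.push(name);
      loader();
      return true;
    }
    if (!this.pending[category]) this.pending[category] = [];
    this.pending[category].push({ name, loader });
    return false;
  }
  // Called by the banner. A grant flushes the queue; a denial discards it.
  update(category, decision) {
    this.state[category] = decision;
    const queue = this.pending[category] || [];
    this.pending[category] = [];
    if (decision !== 'granted') return;
    for (const { name, loader } of queue) {
      this.fired.push(name);
      loader();
    }
  }
}

// Simulated page load under the gate. The loaders are stubs; in a browser
// they would inject the vendor script (fbq('init', ...) and so on).
function gatedPageLoad(decision) {
  const gate = new ConsentGate();
  gate.register('first-party-analytics', 'necessary', () => {});
  gate.register('meta-pixel', 'marketing', () => {});
  gate.register('tiktok-pixel', 'marketing', () => {});
  const beforeConsent = [...gate.fired];
  gate.update('marketing', decision);
  return { beforeConsent, afterConsent: [...gate.fired] };
}
```

Running `findTagsFiredBeforeConsent(SAMPLE_EVENTS)` on the constructed log flags only the Meta pixel, which is exactly the evidence a regulator would capture from a single page load. Under the gate, `gatedPageLoad('denied')` never runs either marketing loader, and `gatedPageLoad('granted')` runs them only after the consent event, so the same check over the resulting log comes back empty.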

The gap between stated and actual practice is the most common finding in DTC privacy audits. Most brands state a privacy policy their operations do not implement. They say they honor deletion requests within forty-five days and they do not have a workflow to honor them at all. They say they obtain consent before processing sensitive categories and they do not distinguish sensitive categories in Klaviyo. They say they do not sell personal information and they run Meta advertising using customer lists, which, in the position the California AG has taken in enforcement, constitutes a sale under CCPA. The gap is not usually malicious. It is usually just uninspected.

The enforcement trajectory is clear even if the absolute volume remains modest. California's AG has levied public fines, Colorado and Connecticut have active AG enforcement, and Virginia, Texas, Oregon, Montana, Florida, and several more states have operative comprehensive privacy laws enforced by their attorneys general. Only California's law gives consumers a private right of action, and only for certain data breaches, so the realistic exposure for most brands is an AG inquiry rather than a lawsuit. The EU data protection authorities have issued substantial fines against US ecommerce companies with EU presence. The trend is unambiguous and the cost of catching up under deadline pressure is materially higher than the cost of getting it right proactively.

Our approach

We run a five-week privacy compliance audit engagement covering the full operational picture, not only the website.

Step one is the data inventory. We document every category of personal information collected, following the CCPA/CPRA category list: identifiers, commercial information, internet or network activity, geolocation, sensory data, professional or employment-related information, inferences drawn from the other categories, and the sensitive personal information categories CPRA added (precise geolocation, account credentials, health, sexual orientation, and the rest). For each category we document the source, the purpose, the retention period, the lawful basis where GDPR applies, and every processor who touches it. This inventory is the backbone of every subsequent deliverable.

Step two is the processor review. Every vendor processing personal data on your behalf is listed and reviewed. Shopify, Klaviyo, Meta, Google, TikTok, the reviews app, the subscription app, the helpdesk, the shipping platform, the returns platform. For each we verify the data processing addendum is executed, the data residency is documented, and the sub-processor chain is known. Gaps get flagged with remediation steps.

Step three is the policy review. We audit the privacy policy, cookie policy, and terms against the inventory. Gaps between stated and actual practice are the single largest source of enforcement risk. We rewrite the policies to match actual practice, or we flag operational changes needed to match the existing policy, whichever the client prefers.

Step four is operational controls. We audit the consent management platform configuration, the data subject access and deletion workflows, the incident response procedure, the data retention schedules, the employee access controls, and the cross-border transfer mechanisms where GDPR applies. Each gets documented, gaps get remediation steps, and critical gaps get ticketed immediately.

Step five is the ongoing program. Privacy is not a one-time audit. We deliver a privacy program document covering quarterly access request metrics review, annual policy review, annual processor review, and triggered review whenever a new processor or new data category is introduced. The client gets a calendar and a named internal owner.

What you get

▸ Data inventory document covering every category of personal information collected.
▸ Processor register with DPA status, residency, and sub-processor chain for every vendor.
▸ Rewritten privacy policy, cookie policy, and terms reflecting actual practice.
▸ Consent management platform configuration review and recommended changes.
▸ Data subject access, deletion, and correction request workflow documented and tested.
▸ Incident response procedure with defined roles and notification timelines.
▸ Data retention schedule per category with automated deletion where possible.
▸ Employee access control review with least-privilege recommendations.
▸ Cross-border transfer mechanism documentation where GDPR applies.
▸ Privacy program calendar with quarterly and annual review cadences.
▸ Named internal privacy owner and training session for that role.

Timeline

Five weeks in three phases.

Week one is inventory and processor review. We document every data category and every processor.

Weeks two and three are policy and controls audit. We review the existing policies against the inventory, draft rewrites, and audit every operational control.

Weeks four and five are remediation and program handoff. Critical gaps get remediated during the engagement where possible, the privacy program document is delivered, and the training session runs with the named internal owner.

Mini case anatomy

A wellness brand in the fifteen to twenty-five million revenue range received a consumer inquiry from a resident who had requested deletion three months earlier and received no response. The inquiry escalated to the state AG's office within two weeks. The brand's attorney asked what the privacy posture looked like and nobody could answer coherently.

We ran the audit in four compressed weeks. The data inventory identified sixty-three distinct personal data processing activities across twenty-one processors. Fourteen of those processors lacked executed DPAs. The privacy policy referenced fields Shopify no longer collected and omitted fields Klaviyo now collected. The deletion request workflow was a shared inbox checked irregularly. We documented every gap and remediated the critical ones during the engagement.

The AG inquiry closed with a conduct remediation commitment rather than a fine, in part because the brand could show an active remediation program. The brand kept the privacy program running, with quarterly access request reviews and annual processor audits. For adjacent operational topics see our posts on ecommerce analytics with GA4 and server-side tagging.

FAQs

See frequently asked questions below. Privacy sits alongside accessibility and claim compliance as the three most common enforcement vectors for DTC brands. Consider pairing this audit with our WCAG accessibility audit and claim substantiation review. For the broader picture see our compliance audits hub and the SMS TCPA compliance leaf.

FAQ

Questions we hear most.

If you ship to the EU, price or market in EU currencies or languages, or run Meta or Google ads targeted at EU users, GDPR applies to at least some of your data processing. Mere reachability of a US site from the EU does not by itself trigger it; offering goods to or monitoring the behavior of people in the EU does. Most DTC brands are best served by building to the stricter standard across the board rather than maintaining two data regimes.

For CCPA, up to two thousand five hundred dollars per violation and up to seven thousand five hundred per intentional violation, counted per consumer, with the figures adjusted for inflation. For GDPR, up to four percent of global annual turnover or twenty million euros, whichever is higher. Real-world enforcement against DTC brands has been rarer than the headlines suggest, but state attorneys general have started active enforcement and regulator attention is trending upward.

No. A compliant banner is a visible piece of a much larger operational picture: data inventory, processor agreements, deletion and access request workflows, consent records, data retention policies, cross-border transfer mechanisms, and incident response procedures. The banner is the tip.

Not formally for most DTC brands under GDPR, which mandates a data protection officer only when core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special-category data. For CPRA the threshold is higher. We recommend a named privacy owner internally even where not legally required, because the operational questions do not answer themselves.

Directly. Meta, TikTok, Google, and Klaviyo all process personal data on your behalf. Each requires a processor agreement, appropriate consent, and in some cases specific data minimization controls. The audit covers every processor you use.

Let's see if we're a fit.

15 minutes. We'll tell you whether this service fits where you are. If not, we'll name what does.

Book a 15-min call