10 Critical Privacy Compliance Components Every Business Must Review in 2025

As privacy enforcement intensifies across the United States, businesses face unprecedented scrutiny from state regulators working together in coordinated investigations. From the California Privacy Protection Agency’s record-breaking settlements to multistate enforcement sweeps targeting noncompliance, the consequences of inadequate privacy practices have never been more severe.

Whether you operate an e-commerce platform, manage a healthcare website, or run a consumer-facing app, staying ahead of evolving privacy compliance requirements requires ongoing vigilance. Below, we walk through ten essential compliance checkpoints that every business should evaluate immediately, before regulators come knocking.

1. Keeping Your Privacy Policy Fresh: The Annual Update Imperative

Regulators are increasingly targeting businesses with outdated privacy policies. What was once considered a best practice has evolved into an enforcement priority. In enforcement actions against companies like Tractor Supply, California regulators specifically cited the failure to update privacy policies annually as a violation.

The privacy landscape changes constantly. New laws take effect, processing activities evolve, data sharing relationships shift, and regulatory interpretations develop. A privacy policy that accurately reflected your practices twelve months ago may no longer be sufficient today.

Why this matters: Courts and regulators view privacy policies as binding commitments to consumers. When your actual data practices diverge from what your policy states, you’ve potentially committed an unfair or deceptive trade practice, even if those practices would otherwise be lawful.

Action item: Schedule an annual privacy policy review with legal counsel who can assess whether your disclosures accurately reflect current operations and comply with newly enacted privacy regulations.

2. Meeting New State-Specific Disclosure Requirements

Beyond keeping your policy current, you must ensure it contains all the specific disclosures mandated by the patchwork of state privacy laws that may apply to your business.

Recent state legislation has introduced novel consumer rights that must be disclosed. For example:

  • Oregon’s third-party disclosure requirement mandates that businesses provide consumers with a list of specific third parties to whom their personal data has been disclosed—not just categories of recipients.
  • Minnesota’s expanded profiling rights grant consumers the ability to contest decisions made through profiling, including the right to understand what actions could have secured a different outcome and to have decisions reevaluated if based on inaccurate data.
  • Maryland and Minnesota now require businesses to disclose how they process personal data for targeted advertising purposes and make universal opt-out mechanisms available.
  • Enhanced child privacy protections in states like Minnesota and Oregon now extend special consent requirements to teenagers ages 13-16 for certain processing activities.

Many businesses incorrectly assume their privacy policy is compliant simply because it includes boilerplate language about “applicable state law” consumer rights. This generic approach fails to satisfy the specific disclosure obligations under laws like the Oregon Consumer Privacy Act and Minnesota Consumer Data Privacy Act.

Action item: Work with experienced privacy counsel to conduct a jurisdiction-specific analysis of which state laws apply to your business and ensure your privacy policy contains the precise disclosures each statute requires.

3. Implementing Global Privacy Control Recognition (And Disclosing It)

One of the most pressing compliance issues businesses face today involves the Global Privacy Control (GPC). This browser-based privacy signal allows consumers to automatically opt out of having their personal information sold or shared for targeted advertising purposes with just a single setting.

Multiple states now require businesses to honor GPC signals as valid consumer requests. California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas have all implemented these requirements. In September 2025, California, Colorado, and Connecticut launched a joint investigative sweep specifically targeting businesses that fail to process GPC requests properly.

What makes this especially urgent: Starting January 1, 2026, Oregon will begin actively enforcing its GPC recognition requirements, and businesses can no longer rely on the cure period that previously allowed time to fix violations. California has also strengthened its regulations to require that websites affirmatively disclose when they recognize a user’s GPC signal.

Action item: Technical teams must detect the GPC signal where it actually arrives: as the Sec-GPC: 1 request header on every HTTP request, and, for scripts running in the page, as the navigator.globalPrivacyControl property. A detected signal must be treated as a valid opt-out request in its own right and propagated to every system that sells or shares personal information, both online (ad tags, pixels, data-partner feeds) and offline (CRM exports, list sharing), not merely recorded by the cookie banner.
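The following JavaScript is an added example, not code from the original article. It shows the two places the GPC signal can be read (the Sec-GPC request header on the server and navigator.globalPrivacyControl in the browser) and how a detected signal should override a stored "opt-in" choice. The consent store, user identifiers, function names and the sample requests are constructed for illustration.

```javascript
// Added example: detecting the Global Privacy Control (GPC) signal.
// Per the GPC specification the signal is sent as the request header
// "Sec-GPC: 1" and exposed to page scripts as navigator.globalPrivacyControl.
// The consent store, user ids and sample requests below are constructed.

// Server side: decide from incoming request headers whether GPC is asserted.
// Accepts a plain object (Node's req.headers) or a Headers-like object with
// .get(); names are matched case-insensitively since HTTP/2 lower-cases them.
function gpcAsserted(headers) {
  let value;
  if (typeof headers.get === 'function') {
    value = headers.get('sec-gpc');
  } else {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === 'sec-gpc');
    value = key === undefined ? undefined : headers[key];
  }
  if (Array.isArray(value)) value = value[0];
  // Only the exact value "1" is an assertion. Absent, "0" or garbage means
  // "no signal"; it never means consent.
  return typeof value === 'string' && value.trim() === '1';
}

// Client side: same check from page script, guarded for browsers that do not
// implement the property.
function gpcAssertedInBrowser(nav = typeof navigator !== 'undefined' ? navigator : undefined) {
  return !!(nav && nav.globalPrivacyControl === true);
}

// Resolve the effective opt-out state. A GPC signal is a valid opt-out request
// on its own, so a previously stored "opt-in" must not override it. Re-consent
// after a signal is only valid as a later, explicit consumer action recorded
// by the calling code.
function effectiveOptOut({ gpc, storedChoice }) {
  if (gpc) return true;
  return storedChoice === 'opt-out';
}

// Apply the decision. `consentStore` stands in for whatever store the ad tags,
// pixels and offline data feeds consult; key it by the identifier you have
// (account id, or a device/session cookie for anonymous visitors).
function handleRequest(req, consentStore) {
  const gpc = gpcAsserted(req.headers);
  const optOut = effectiveOptOut({ gpc, storedChoice: consentStore.get(req.userId) });
  if (optOut) consentStore.set(req.userId, 'opt-out');
  return { userId: req.userId, gpc, optOut };
}

// Constructed sample requests (not captured traffic).
const store = new Map([['u1', 'opt-in'], ['u2', 'opt-in']]);
const samples = [
  { userId: 'u1', headers: { 'Sec-GPC': '1' } },                 // signal present, overrides opt-in
  { userId: 'u2', headers: { 'sec-gpc': '0', accept: '*/*' } },  // explicit non-signal
  { userId: 'u3', headers: {} },                                  // no signal, no stored choice
];
const results = samples.map((r) => handleRequest(r, store));
for (const r of results) console.log(r);
```

Run it under Node. u1 is opted out (the stored opt-in is overwritten), u2 and u3 are not. Note that the header check is deliberately strict: a missing or malformed header is "no signal", and nothing in this path ever records consent, because GPC can only ever opt a consumer out.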

4. Testing Your Consent Management Platform’s Functionality

Having a cookie consent banner on your website isn’t enough—it must function properly. Regulators have brought enforcement actions specifically alleging that consent management platforms (CMPs) failed to honor consumer preferences.

The $1.55 million settlement with Healthline provides a stark warning. California regulators alleged that despite consumers clicking “reject” buttons or submitting opt-out requests through both cookie banners and the “Do Not Sell or Share My Personal Information” link, the website continued sharing personal information with advertising partners and data brokers.

Common CMP failures include:

  • Reject buttons that don’t actually reject: The button appears functional, but tracking continues in the background
  • Pre-checked consent boxes: Requiring users to uncheck dozens of purposes or partners manually
  • Continuing to process data during consent collection: Loading advertising pixels and trackers before users make a choice
  • Failing to pass consent choices downstream: Not communicating user preferences to third-party services embedded on your site
  • Ignoring GPC signals: CMPs that detect GPC but don’t automatically apply those preferences

Action item: Conduct regular technical audits of your CMP by recording the site's network traffic during a test session, clicking reject or submitting an opt-out, and confirming that no requests to advertising or data-broker endpoints follow that choice. Repeat the test across different browsers, devices, and user journeys, and with the GPC signal enabled.
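As an added example (not from the original article), the audit described above can be scripted against a recorded request log. The input is a constructed list of requests with timestamps, such as an export from browser devtools or a headless-browser run; the tracker domain list, the site name and the timestamps are illustrative assumptions, not a real block list.

```javascript
// Added example: checking a recorded browsing session for tracker requests
// that fire before a consent choice or after the user clicked "reject".
// The domain list, URLs and timestamps are constructed for illustration.

const TRACKER_DOMAINS = ['adtracker.example', 'pixel.example', 'broker.example'];

// True when the hostname is a listed domain or a subdomain of one.
function isTrackerHost(hostname, trackerDomains = TRACKER_DOMAINS) {
  return trackerDomains.some((d) => hostname === d || hostname.endsWith('.' + d));
}

// Classify every request against the consent timeline.
//   rejectedAt: when the user clicked reject / submitted the opt-out.
// Tracker requests before that moment fired while no choice had been made;
// tracker requests after it mean the reject did not actually stop sharing.
function auditConsentSession(requests, { rejectedAt }, trackerDomains = TRACKER_DOMAINS) {
  const findings = { beforeChoice: [], afterReject: [], firstParty: 0 };
  for (const r of requests) {
    let host;
    try { host = new URL(r.url).hostname; } catch { continue; } // skip malformed log entries
    if (!isTrackerHost(host, trackerDomains)) { findings.firstParty++; continue; }
    if (r.time < rejectedAt) findings.beforeChoice.push(r.url);
    else findings.afterReject.push(r.url);
  }
  findings.pass = findings.beforeChoice.length === 0 && findings.afterReject.length === 0;
  return findings;
}

// Constructed session log (not captured traffic). Times are ms since page load.
const session = {
  rejectedAt: 4000,
  requests: [
    { time: 900,  url: 'https://www.shop.example/' },
    { time: 1200, url: 'https://cdn.shop.example/app.js' },
    { time: 1500, url: 'https://adtracker.example/collect?ev=pageview' }, // fired before any choice
    { time: 4100, url: 'https://www.shop.example/api/cart' },
    { time: 4500, url: 'https://pixel.example/p.gif?uid=abc' },            // fired after reject
    { time: 4600, url: 'https://sub.broker.example/sync' },                // subdomain of a listed domain
    { time: 4700, url: 'not a url' },                                       // malformed entry, skipped
  ],
};

const report = auditConsentSession(session.requests, session);
console.log(report.pass ? 'PASS' : 'FAIL', report);
```

For the constructed log the result is FAIL: one tracker call before the choice and two after the reject. The afterReject bucket is the Healthline pattern and is a problem in every jurisdiction that recognises the opt-out; the beforeChoice bucket matters wherever the applicable law requires opt-in consent before tracking, or whenever the browser sent a GPC signal. Run the same audit again with the "Do Not Sell or Share" link instead of the banner, since the two paths often go through different code.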

5. Ensuring Prominent Placement of Consumer Rights Links

State privacy laws don’t just require privacy policies; they mandate specific interactive elements that allow consumers to exercise their rights.

At a minimum, businesses subject to laws like the CCPA/CPRA must provide:

  • A conspicuous “Do Not Sell or Share My Personal Information” link
  • A “Limit the Use of My Sensitive Personal Information” link (where applicable)
  • Clear mechanisms to submit access, deletion, and correction requests
  • Links to your privacy policy from appropriate locations (footer, checkout, account creation, etc.)

But it’s not enough to simply have these links. Oregon enforcement notices have specifically called out businesses for placing rights mechanisms in confusing locations or making them difficult for average consumers to find and use.

Common mistakes:

  • Burying the opt-out link deep in the privacy policy text instead of making it prominently accessible
  • Using non-standard language that consumers don’t recognize (e.g., “Privacy Preferences” instead of “Do Not Sell or Share”)
  • Creating multi-step processes that require account creation before consumers can exercise basic rights
  • Failing to provide these links on mobile versions of websites
  • Not including appropriate links in email communications

Action item: Map out the consumer journey across your digital properties and ensure required links appear in prominent, accessible locations on every relevant page.

6. Maintaining Functional Privacy Mechanism Links

This might seem obvious, but broken links to privacy mechanisms represent a compliance violation that regulators take seriously. The California Privacy Protection Agency explicitly instructs consumers to report businesses whose “Do Not Sell or Share My Personal Information” links are not working or difficult to find.

Broken links can occur for various reasons:

  • Website redesigns that change URL structures
  • Platform migrations that fail to preserve old paths
  • Temporary outages of third-party request portals
  • Forms that error out or fail to submit
  • Email links that expire or redirect to generic pages

When consumers encounter broken privacy rights mechanisms, they’re likely to complain to regulators—complaints that can trigger investigations revealing broader compliance issues.

Action item: Implement automated monitoring that fetches every privacy-related link and form on a schedule and after each deployment, checking not only for a successful HTTP status but that the final URL is the page you expect and that the mechanism itself is present on it, and establish protocols for quickly addressing any failures.
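The script below is an added example of such a monitor, not code from the original article. It takes any fetch-compatible function, so it can be pointed at the live site by passing the global fetch; here it runs against a constructed stand-in so the example works offline. The site URLs, the expected text markers and the canned responses are illustrative assumptions.

```javascript
// Added example: automated check that privacy-rights links and forms still
// resolve to a working mechanism. URLs, markers and canned responses are
// constructed; in production call checkPrivacyLinks(PRIVACY_LINKS, fetch)
// after every deploy and on a timer, and page someone on any failure.

const PRIVACY_LINKS = [
  { name: 'Do Not Sell or Share link',
    url: 'https://www.shop.example/do-not-sell',
    mustContain: 'Do Not Sell or Share My Personal Information' },
  { name: 'Privacy policy',
    url: 'https://www.shop.example/privacy',
    mustContain: 'Privacy Policy' },
  { name: 'Rights request form',
    url: 'https://www.shop.example/privacy/request',
    mustContain: '<form' },
];

// Evaluate one fetched response against the expectations for a link.
// Detects three failure modes: a non-200 status (outage, erroring form), a
// silent redirect to another path (redesign or migration sending the old URL
// to the home page with a 200), and a page that loads but no longer contains
// the mechanism (wrong template served).
function evaluateResponse(link, res) {
  if (res.status !== 200) {
    return { name: link.name, ok: false, reason: `HTTP ${res.status}` };
  }
  const expectedPath = new URL(link.url).pathname;
  const finalPath = new URL(res.url || link.url).pathname;
  if (finalPath !== expectedPath) {
    return { name: link.name, ok: false, reason: `redirected to ${finalPath}` };
  }
  if (!res.body.includes(link.mustContain)) {
    return { name: link.name, ok: false, reason: `expected text "${link.mustContain}" not found` };
  }
  return { name: link.name, ok: true };
}

// Fetch every link and evaluate it. Network errors become findings rather
// than exceptions so one dead endpoint does not hide the state of the rest.
async function checkPrivacyLinks(links, fetchImpl) {
  return Promise.all(links.map(async (link) => {
    try {
      const res = await fetchImpl(link.url, { redirect: 'follow' });
      return evaluateResponse(link, { status: res.status, url: res.url, body: await res.text() });
    } catch (err) {
      return { name: link.name, ok: false, reason: `network error: ${err.message}` };
    }
  }));
}

// Constructed stand-in for the live site so the example runs offline.
function fakeFetch(url) {
  const canned = {
    'https://www.shop.example/do-not-sell':
      { status: 200, url, body: '<h1>Do Not Sell or Share My Personal Information</h1><form></form>' },
    'https://www.shop.example/privacy':          // old path now lands on the home page
      { status: 200, url: 'https://www.shop.example/', body: '<h1>Welcome</h1>' },
    'https://www.shop.example/privacy/request':  // form endpoint erroring out
      { status: 500, url, body: 'Internal Server Error' },
  };
  const r = canned[url];
  if (!r) return Promise.reject(new Error('ECONNREFUSED'));
  return Promise.resolve({ status: r.status, url: r.url, text: async () => r.body });
}

checkPrivacyLinks(PRIVACY_LINKS, fakeFetch).then((results) => {
  for (const r of results) console.log(r.ok ? `OK   ${r.name}` : `FAIL ${r.name}: ${r.reason}`);
});
```

With the canned responses the first link passes, the privacy policy is flagged as "redirected to /" even though it returned 200, and the request form fails with HTTP 500. The redirect check is the one most monitors omit, and it is exactly the failure a platform migration produces. For forms, extend the check by submitting a test request and confirming an acknowledgment arrives.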

7. Establishing a Robust Consumer Request Fulfillment Process

Beyond having functional links, your entire data subject access request (DSAR) process, meaning the full workflow for access, deletion, correction, and opt-out requests, must operate smoothly. This includes the intake mechanism, identity verification procedures, request processing systems, and response delivery.

Enforcement actions have revealed common failures:

  • Requests disappearing into black holes: Consumers submit requests but never receive acknowledgment or responses within statutory timeframes
  • Systems that can’t actually locate consumer data: Inadequate data mapping means you can’t fulfill access or deletion requests effectively
  • Response templates that violate disclosure prohibitions: Some states prohibit disclosing certain sensitive data elements (like Social Security numbers or biometric data) even in response to access requests, requiring instead that businesses inform consumers that this information was collected without providing the actual data
  • Failing to honor “known child” requests: Not recognizing when requests involve children under 13 (or 16 in some contexts), requiring enhanced protections

State privacy laws typically require businesses to respond to consumer requests within 45 days (with possible extensions), verify the requester’s identity using reasonable methods, and provide responses in readily usable formats.

Action item: Conduct end-to-end testing of your DSAR process from multiple consumer perspectives, document response times, and ensure you have adequate technical infrastructure to actually fulfill different request types.

8. Avoiding Excessive Verification Barriers for Opt-Out Requests

Here’s a critical distinction businesses frequently misunderstand: while you may verify identity for access, correction, and deletion requests, state privacy laws generally prohibit requiring account creation or extensive verification for opt-out requests.

The policy rationale is straightforward—consumers should be able to quickly and easily opt out of data sales and targeted advertising without jumping through administrative hoops. California regulations explicitly prohibit businesses from requiring consumers to create an account to submit opt-out requests.

However, businesses may request the minimum information necessary to complete the opt-out, such as details needed to identify which consumer’s data should no longer be sold or shared.

Prohibited practices:

  • Requiring email verification before processing an opt-out
  • Mandating account creation to opt out while allowing opt-in without an account
  • Requesting extensive personal information to “verify” an opt-out request

Permissible practices:

  • Asking for basic identifying information legitimately needed to process the request
  • Using reasonable methods to ensure the request applies to the correct consumer
  • Requesting clarification when opt-out requests are ambiguous

Action item: Review your opt-out request procedures to ensure you’re not imposing verification requirements that exceed what state laws permit for this category of consumer rights.

9. Right-Sizing Information Collection for Rights Requests

Related to verification practices, businesses sometimes demand excessive information from consumers submitting privacy rights requests. This creates unlawful barriers to exercising statutory rights.

Oregon enforcement notices have specifically identified “inappropriately difficult authentication requirements” as a violation. The standard is that businesses should only request information reasonably necessary to verify the consumer’s identity and locate their records.

Red flags:

  • Requiring notarized documents for routine requests
  • Demanding multiple forms of government-issued ID for low-risk requests
  • Requesting significantly more information than you collected from the consumer initially
  • Imposing verification standards for opt-outs that exceed those used for account access
  • Creating multi-step verification processes that are abandoned before completion

The verification standard should be risk-based and proportionate. High-risk requests involving sensitive personal information may justify more stringent verification than routine opt-out requests.

Action item: Audit the information you request from consumers submitting privacy rights requests and ensure it’s genuinely necessary and proportionate to the request type and associated risks.

10. Securing Compliant Data Processing Agreements with Vendors

When businesses engage service providers, vendors, or contractors to process personal information on their behalf, state privacy laws require written data processing agreements (DPAs) that include specific contractual provisions.

These agreements must typically include:

  • Clear instructions limiting how the service provider may process data
  • Specification of the processing purpose and duration
  • Confidentiality obligations binding anyone processing the data
  • Commitments to implement appropriate security measures
  • Provisions addressing data breach notification
  • Rights to audit the service provider’s compliance
  • Requirements to delete or return data upon contract termination
  • Prohibitions on the service provider selling, sharing, or using the data for purposes outside the scope of services

Many businesses mistakenly believe their existing vendor agreements provide adequate protection. However, privacy laws from around the world—including state statutes, the GDPR, and sector-specific regulations like HIPAA—impose specific requirements that standard commercial contracts often don’t address.

Common gaps:

  • No written agreement exists at all (relying on clickthrough terms or informal arrangements)
  • Agreements predate privacy law enactments and don’t include required provisions
  • Provisions are too vague to satisfy regulatory requirements
  • Agreements allow the vendor too much discretion in how they process data
  • Missing provisions regarding subprocessors and cross-border data transfers
  • No clear allocation of responsibilities for responding to consumer rights requests or regulatory inquiries

The enforcement landscape increasingly focuses on the vendor ecosystem. California’s actions against companies like Healthline involved allegations about inadequate contractual controls over service providers and advertising partners.

Action item: Inventory all third parties who process personal information on your behalf and review existing contracts to identify gaps. Prioritize updating agreements with high-risk vendors processing sensitive data, large volumes of information, or providing AI and machine learning services.

The Path Forward: Building a Comprehensive Privacy Compliance Program

These ten checkpoints represent critical baseline requirements, but effective privacy compliance requires an ongoing, comprehensive approach. The formation of the Consortium of Privacy Regulators—bringing together enforcement authorities from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon—signals a new era of coordinated multistate privacy enforcement.

Businesses can no longer afford to treat privacy compliance as a one-time exercise or assume that minimal efforts will suffice. The regulatory environment demands:

  • Regular audits of privacy practices, technical systems, and vendor relationships
  • Proactive monitoring of evolving state privacy laws and enforcement actions
  • Cross-functional collaboration between legal, marketing, technology, and operations teams
  • Documented compliance programs, including privacy impact assessments and data mapping
  • Ongoing training to ensure personnel understand privacy obligations
  • Incident response planning for data breaches and regulatory inquiries

At Richt Law Firm, we help businesses navigate this complex landscape through practical, business-focused legal guidance. Whether you need to implement GPC recognition, update your privacy policy, audit your consent management platform, or establish comprehensive data processing agreements, our team provides the expertise necessary to protect your business while respecting consumer privacy rights.

Don’t Wait for an Enforcement Action

The privacy compliance failures outlined in this article have resulted in millions of dollars in settlements, government investigations, and reputational harm for affected businesses. Meanwhile, the coordinated enforcement initiatives launched in 2025 make clear that regulators are actively seeking out noncompliant businesses rather than waiting for complaints.

If you haven’t conducted a thorough review of these ten critical compliance components, now is the time to act.


About Richt Law Firm: Based in New York, Richt Law Firm is a premier privacy, marketing, and technology law firm serving businesses nationwide. Our team provides comprehensive legal counsel on privacy compliance, CCPA/CPRA, data security, marketing law, terms and conditions, and emerging technologies. Learn more at richtfirm.com.