Updated: Jan. 12, 2026
Originally Published: Oct. 1, 2019
Data privacy laws are expanding to new states and countries every year. Businesses can no longer afford to focus solely on the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR). Instead, organizations must assess how they handle their customers’, users’, and website visitors’ data overall.
Not only is achieving data privacy compliance the right thing to do, but the recent surge in new data privacy regulations has led to an increase in lawsuits – including nuisance lawsuits initiated by trolls targeting well-meaning companies that haven’t fully kept up. The trolls give companies a choice: pay up or be sued for lack of compliance.
To avoid becoming a victim, companies are better off addressing data privacy compliance now (and on their own terms) instead of responding to the threat of a lawsuit under a time crunch. Keep in mind that the goals of data privacy regulations are benign: to give your users control over the data they share with you and to guide you on how to manage that data in a way that respects their wishes. The particulars vary with each law, but all of them promote transparency.

This chart illustrates the scope of privacy regulations in the United States as of November 2025. Data privacy litigation in the U.S. is at an all-time high, with nearly 2,000 lawsuits filed in 2024 alone.
Source: IAPP
How to Get Started with Data Privacy Compliance
Start on the path to data privacy compliance by addressing three pieces of the lowest-hanging fruit:
1. Manage Cookies with a Consent Management Platform (CMP)
A cookie is a small text file created or placed by websites. It lives on the user's computer either temporarily (session cookie) or for a set period (persistent cookie). Cookies are a means for websites to recognize users, track their preferences, and provide analytics data back to website owners.
- Cookies play a big role in e-commerce. When a user adds an item to a shopping cart, that action triggers a cookie so the site can remember the added item. Depending on how the cookie is configured, users could leave the site and later return to find the same products sitting in their carts. Cookies also figure in third-party tracking tools, such as Google Analytics.
- Cookies play a big role on all websites. Whether you run an e-commerce site keeping items in a cart or a manufacturing business capturing and tracking users via your CRM/Marketing Automation tools, cookies are used to help enable all of these features and many more. Cookies help us gather analytical data on how people use our site and drive key features and functions on many sites.
Data privacy laws are pushing sites to inform users and give them control over what data is collected and shared. These laws don’t forbid the use of cookies but require businesses to disclose what data is gathered about users and to explain how users can prevent data collection altogether when possible.
Give users that power through a Consent Management Platform (CMP). CMPs help users select which cookies they would like to allow or block from your site and come in many different shapes and sizes. Make sure that the CMP (or any third-party tool) you choose meets the criteria set forth by your legal and compliance teams.
Northwoods partners with a few select CMPs that meet a wide range of needs. Our recommended CMPs are:
- Termly
- CookiePro by OneTrust
A CMP also supports the next steps on our list.
2. Update Your Privacy Policy
CCPA and GDPR require you to update your privacy policy to inform users of the rights granted to them under these laws. Most CMPs will offer a standard privacy policy that can be tailored to your specific situation. Work with your legal or compliance team to draft an updated privacy policy for your websites, so users know their rights and how to assert them.
Design your privacy policy with follow-through in mind; make sure that your company can meet your stated commitments. Some data privacy laws require you to update the policy not only when the regulations go into effect, but also at set intervals going forward.
Read more about website policy best practices, including privacy.
3. Implement a Data Subject Access Request Process
Some of the most recent privacy laws grant website users additional rights over their personal data. Assure your users that you’re serious about data privacy by establishing clear methods for them to contact you about their data preferences. Data Subject Access Request (DSAR) tools help streamline this process.
Handling a DSAR properly requires you to consider a few things:
- Identity Verification. Can you validate who the request is coming from? You don't want to give out someone's private information to the wrong person.
- Applicable Regulation. You need to know what regulation applies so you can meet that legislation’s specific requirements.
Many CMPs offer a DSAR form to users that requires the correct information to be submitted before the request is sent to you. This will make a data request much easier to meet while helping to mitigate risk.
Once you receive a legitimate DSAR, you will need to respond. This isn’t a matter of flipping a switch – your internal teams must know where all user information is stored. Data privacy laws apply to marketing, sales, contractors, employee records, and more.
Make sure to work with your legal or compliance team on all compliance steps to ensure you meet the requirements of each law.
Data Mapping to the Rescue
Many businesses employ staff to keep track of physical inventories and dedicate days or weeks every year to counting items to ensure they know where everything is and what they have. The process of data mapping is like inventory tracking but for data instead of physical products.
To begin the process, select a data collection method (e.g. a web form) and follow the data submitted to all points of entry and storage in your organization. The end goal is to document where all personal information is collected, stored, secured, and accessed.
You can’t respond to a user request to delete data if you don’t know where that data lives. This process will help inform your DSAR workflows by guiding your employees to the systems that house the requested data.
Some of the most sophisticated CMPs can assist in this process, as they offer tracking and workflow to follow, assuming all of your systems are mapped correctly.
Key Takeaways
- Consent Management Platforms can significantly help with managing cookie compliance as well as Data Subject Requests.
- Keep in mind the common purpose of data privacy laws: User control over their personal information.
- Manage your users’ data as they wish and do so transparently.
- Compliance with online privacy laws is not set-it-and-forget-it. These laws have continuing requirements, and different states, countries, and regions have different regulations.
- Online data privacy regulation is here to stay.
- Non-compliance with online data privacy laws can result in hefty fines and legal complications.
Need help choosing the right CMP or getting a deeper understanding of the impact of data privacy laws on your digital marketing efforts? Reach out!







