Data Privacy Checklist

Quarterly privacy review for DTC and marketplace merchants — covers data mapping across Shopify and Klaviyo, consent, DSR handling, vendor DPAs, and breach response under GDPR, CCPA/CPRA, and TCPA.

1. Data Mapping and Consent

  1. Inventory PII across Shopify, Klaviyo, and Gorgias
    • List every system that stores customer PII — checkout (Shopify), email/SMS (Klaviyo, Postscript), helpdesk (Gorgias), reviews (Yotpo), subscription (Recharge), 3PL portal. Note data category, retention period, and lawful basis. Hidden long-tail apps (loyalty, quizzes, abandoned-cart popups) are the usual blind spot.

  2. Audit the cookie consent banner configuration
    • Open OneTrust, Cookiebot, or Termly and verify that pixels (Meta, TikTok, GA4) are blocked until consent is given. Check that Global Privacy Control (GPC) signals are honored — required by CPRA and Colorado. Load the site from an EU IP address to confirm reject-all parity with accept-all.
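    The gate a CMP is supposed to implement, as an added example (not code from the checklist or from any CMP vendor): pixels load only when their consent category is explicitly true, a GPC signal overrides the banner for advertising, and a parity check confirms reject-all loads nothing. The pixel names, category mapping and stored-consent shape are assumptions.

```javascript
// Added example, not vendor code. Pixel names, the category mapping and the
// stored-consent object shape are assumptions for illustration.
const PIXEL_CATEGORIES = {
  meta_pixel: "advertising",
  tiktok_pixel: "advertising",
  ga4: "analytics",
};

// Resolve effective consent. A Global Privacy Control signal
// (navigator.globalPrivacyControl === true) is treated as an opt-out of
// advertising / sale-or-share regardless of what the banner stored, and no
// category is allowed unless it was explicitly set to true.
function resolveConsent(nav, storedConsent) {
  const gpc = Boolean(nav && nav.globalPrivacyControl === true);
  const banner = storedConsent || {};
  return {
    analytics: banner.analytics === true,
    advertising: banner.advertising === true && !gpc,
    gpcHonored: gpc,
  };
}

// Pixels permitted to load under the resolved consent, in declaration order.
function allowedPixels(consent) {
  return Object.keys(PIXEL_CATEGORIES).filter(
    (name) => consent[PIXEL_CATEGORIES[name]] === true
  );
}

// Run only the loaders that are allowed; returns the names that actually ran.
function gatedLoad(consent, loaders) {
  const loaded = [];
  for (const name of allowedPixels(consent)) {
    if (typeof loaders[name] === "function") {
      loaders[name]();
      loaded.push(name);
    }
  }
  return loaded;
}

// Parity check: "reject all" must load nothing, and "accept all" must not
// override a GPC signal for advertising pixels.
function rejectAllParity(nav) {
  const rejectAll = allowedPixels(resolveConsent(nav, { analytics: false, advertising: false }));
  const acceptAll = resolveConsent(nav, { analytics: true, advertising: true });
  const adsLoaded = allowedPixels(acceptAll).some((n) => PIXEL_CATEGORIES[n] === "advertising");
  return rejectAll.length === 0 && !(acceptAll.gpcHonored && adsLoaded);
}
```

In a real storefront the loaders are the pixel bootstrap snippets and `nav` is `window.navigator`; the check should be run from both a plain browser and one sending GPC.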

  3. Verify TCPA opt-in language on SMS sign-up
    • Postscript and Attentive forms must capture express written consent with disclosure of message frequency, msg/data rates, and STOP/HELP keywords. Pre-checked boxes and checkout-bundled consent are TCPA class-action triggers.

  4. Confirm Do Not Sell or Share link placement
    • CPRA, Virginia, Colorado, and Connecticut require an accessible opt-out link in the footer. Test that clicking it triggers an actual signal to ad pixels and Klaviyo profiles, not just a cosmetic confirmation.

  5. Archive consent records for the quarter
    • Export consent logs from the CMP and from Postscript/Attentive. Retention periods vary by jurisdiction — keep at least 4 years for TCPA defense.

2. Storage and Security Controls

  1. Enforce 2FA on Shopify admin and Klaviyo
    • Confirm every staff account has 2FA enabled in Shopify, Klaviyo, Gorgias, and the ad platforms. Remove dormant collaborator accounts from agencies and former contractors — orphaned access is the most common breach vector for SMB merchants.

  2. Review Shopify staff permissions and roles
    • CX agents rarely need export or apps permissions. Limit to Orders + Customers (view). Designers and developers should use the Themes role, not full admin.

  3. Audit installed apps for data scope creep
    • Review every Shopify app's data permissions in Settings → Apps. Uninstall anything unused — uninstalled apps still process data per their privacy policy until you request deletion. Flag apps requesting customer PII without a clear feature need.

  4. Lock down staging and dev environments
    • Shopify development stores and theme previews must not contain real customer data. Add password protection and noindex tags. A staging URL with real PII indexed by Google triggers state breach-notification obligations.

  5. Verify subprocessor encryption commitments
    • Pull the latest DPA from each major subprocessor (Klaviyo, Gorgias, Recharge, 3PL) and confirm encryption-in-transit and at-rest commitments. Flag any vendor without a SOC 2 Type II report.

3. Data Subject Request Handling

  1. Classify the incoming DSR type
    • Customer requests arrive via privacy@ inbox, Gorgias, or the privacy-page form. Classify the type — different obligations and clocks apply (CCPA gives 45 days, GDPR gives 30).

  2. Verify the requester's identity
    • Match the email of record against an order in Shopify, or send a verification link to the email on file. Don't release data based on an unauthenticated form submission — fulfilling a fraudulent DSR is itself a breach.

  3. Export customer data from connected systems
    • Pull profile, order, and event data from Shopify, Klaviyo, Recharge, and Gorgias. Combine into a single human-readable export. Klaviyo's profile export does not include unsubscribed-list events — pull those separately.

  4. Delete or anonymize the customer record
    • Use Shopify's Customer Data Erasure request, then propagate to Klaviyo, Gorgias, Recharge, and the 3PL. Order records may be retained for tax purposes (typically 7 years) — anonymize PII rather than full delete on transactional records.

  5. Send the response within the regulatory window
    • Reply within 30 days for GDPR / 45 days for CCPA. Document the action taken in the DSR log — regulators ask for the log, not the underlying data, in audits.

4. Vendor and Third-Party Management

  1. Refresh the published subprocessor list
    • The privacy policy must list every subprocessor that touches PII (Klaviyo, Gorgias, Recharge, Shopify, ad platforms, 3PL). EU-facing brands must give advance notice of new subprocessors per GDPR Art. 28.

  2. Collect signed DPAs from new vendors
    • Any vendor onboarded this quarter that processes customer data needs a Data Processing Agreement on file before going live. Most major SaaS vendors auto-accept their standard DPA in account settings — confirm acceptance is logged.

  3. Review vendor SOC 2 reports for findings
    • Request the most recent SOC 2 Type II from each critical vendor. Skim the exceptions section — vendors with material findings around access control or encryption should be flagged for re-evaluation.

  4. Verify EU transfer mechanisms (SCCs or DPF)
    • If you sell to EU customers, US-based subprocessors need either Standard Contractual Clauses or EU-US Data Privacy Framework certification. DPF participation is verifiable on dataprivacyframework.gov — Klaviyo, Shopify, and Gorgias are all certified, but check anything smaller.

  5. Notify customers of subprocessor changes
    • Material changes to the subprocessor list trigger a privacy-policy update notice. Email-list customers should receive a notification per CAN-SPAM and your own policy commitments.

5. Incident Response and Breach Notification

  1. Refresh the incident response runbook
    • Update the on-call roster, escalation tree, and counsel contact. Include Shopify Trust contact, Klaviyo support tier, and your cyber-insurance hotline. A runbook with a stale on-call list is the most common Day-Zero failure.

  2. Run a tabletop exercise with the on-call team
    • Walk through a realistic scenario — leaked Shopify Storefront API token exposing customer profiles, or a phished Klaviyo admin. Time the team to first decision. Document gaps in runbook coverage.

  3. Triage the incident's PII exposure scope
    • For any incident reported this quarter, document what data was exposed and to whom. Notification obligations turn on whether identifiable PII was accessed by an unauthorized party — not on whether systems were merely accessible.

  4. Notify regulators and affected customers
    • GDPR requires supervisory authority notification within 72 hours of awareness; most US states require notification to affected residents and state AGs (California, New York, and others have specific templates). Draft notices with counsel — wording errors trigger separate enforcement actions.

  5. Document remediation and post-mortem actions
    • File the post-mortem with root cause, contributing factors, and dated remediation items. Retain for at least 3 years — regulators and cyber insurers will request it for any subsequent claim.