CMO · Toolkit · Advanced · Saves 50+ hours
GDPR/CCPA Marketing Compliance Kit
A complete kit for ensuring marketing compliance with GDPR and CCPA regulations.
What's included
- Consent management framework
- Data subject request process
- Privacy notice templates
- Cookie consent implementation
- Vendor assessment checklist
- Audit documentation
Best used when
- Building a privacy program
- EU/California market entry
- After regulatory changes
- During compliance audits
- Vendor onboarding
The template
CONSENT MANAGEMENT FRAMEWORK
Consent Collection Points
| Touchpoint | Consent Type | GDPR Basis | CCPA Requirement |
|---|---|---|---|
| Newsletter signup | Express opt-in | Consent | Notice at collection |
| Webinar registration | Express opt-in | Consent | Notice at collection |
| Contact form | Implicit (needed for service) | Contract | Notice at collection |
| Gated content | Express opt-in | Consent | Notice at collection |
| Cookie tracking | Prior consent required | Consent | Opt-out available |
| Third-party sharing | Express opt-in | Consent | Opt-out available |
Consent Record Requirements
| Field | Description | Example |
|---|---|---|
| Timestamp | When consent was given | 2024-01-15T10:30:00Z |
| Consent type | What they agreed to | Email marketing |
| Method | How they consented | Web form |
| Version | Privacy policy version | v2.3 |
| IP address | For verification | 192.168.x.x |
| Source | Where consent was collected | Landing page X |
DATA SUBJECT REQUEST (DSR) PROCESS
Request Intake
| Step | Action | Timeline | Owner |
|---|---|---|---|
| 1 | Receive request | Day 0 | Privacy inbox |
| 2 | Acknowledge receipt | Day 1 | Privacy team |
| 3 | Verify identity | Day 1-3 | Privacy team |
| 4 | Classify request | Day 3 | Privacy team |
| 5 | Route to systems | Day 3 | Privacy team |
Request Types and Responses
| Request Type | GDPR Term | CCPA Term | Response Time |
|---|---|---|---|
| Get my data | Access | Know | 30 days (GDPR), 45 days (CCPA) |
| Fix my data | Rectification | - | 30 days |
| Delete my data | Erasure | Delete | 30 days (GDPR), 45 days (CCPA) |
| Stop using my data | Restriction | - | 30 days |
| Take my data elsewhere | Portability | - | 30 days |
| Don't sell my data | - | Do Not Sell | 15 days |
Systems to Check
- CRM (Salesforce, HubSpot)
- Marketing automation (Marketo, Pardot)
- Email platform (Mailchimp, Klaviyo)
- Analytics (GA4, Mixpanel)
- Advertising platforms
- Customer support (Zendesk)
- Data warehouse (Snowflake, BigQuery)
PRIVACY NOTICE TEMPLATE (MARKETING SECTION)
## How We Use Your Information for Marketing
We use your personal information to:
- Send you marketing communications (with your consent)
- Personalize your experience on our website
- Show you relevant advertisements
- Analyze and improve our marketing effectiveness
### Your Choices
**Email Marketing:** You can opt out at any time using the
unsubscribe link in our emails or by contacting [email].
**Cookies:** You can manage your cookie preferences using
our cookie settings tool. [Link to cookie settings]
**Targeted Advertising:** You can opt out of interest-based
advertising through [DAA opt-out link] or [NAI opt-out link].
**Do Not Sell (California Residents):** You can opt out of
the sale of your personal information [here].
COOKIE CONSENT IMPLEMENTATION
Cookie Categories
| Category | Description | Consent Required | Examples |
|---|---|---|---|
| Strictly Necessary | Essential for site function | No | Session, security |
| Functional | Enhanced functionality | Yes (GDPR) | Preferences, chat |
| Analytics | Usage understanding | Yes | GA4, Mixpanel |
| Marketing | Ad targeting | Yes | Facebook Pixel, LinkedIn |
Consent Banner Requirements
GDPR:
- Clear affirmative action to consent
- Equal prominence to Accept/Reject
- Granular choices by category
- No pre-checked boxes
- Easy withdrawal mechanism
- No cookie wall blocking content
CCPA:
- Notice at collection
- Link to privacy policy
- "Do Not Sell" option
VENDOR ASSESSMENT CHECKLIST
Privacy Assessment for Marketing Vendors
| Criterion | Pass | Fail | Notes |
|---|---|---|---|
| **Data Processing** | | | |
| DPA/DTA available | | | |
| GDPR-compliant processor | | | |
| Sub-processor list provided | | | |
| **Data Location** | | | |
| Data stored in EU/US only | | | |
| Transfer mechanisms in place | | | |
| **Security** | | | |
| SOC 2 certified | | | |
| Encryption at rest/transit | | | |
| Access controls documented | | | |
| **Data Subject Rights** | | | |
| Can fulfill DSRs | | | |
| Deletion capability | | | |
| Export capability | | | |
| **Breach Notification** | | | |
| 72-hour notification | | | |
| Incident response plan | | | |
AUDIT DOCUMENTATION
Records of Processing Activities (Marketing)
| Processing Activity | Purpose | Data Categories | Recipients | Retention | Legal Basis |
|---|---|---|---|---|---|
| Email marketing | Promotional comms | Contact, behavior | ESP | 3 years | Consent |
| Website analytics | Improve UX | Device, behavior | Analytics | 26 months | Consent |
| Lead generation | Sales pipeline | Contact, company | CRM | 5 years | Legitimate interest |
| Advertising | Customer acquisition | Device, behavior | Ad platforms | Per platform | Consent |