Protect your business in 2025 with our comprehensive guide to critical compliance issues. Learn about GDPR, CCPA, ADA, TikTok tracking regulations, and cybersecurity threats that could cost you thousands in penalties and legal risks.
1. General Data Protection Regulation (GDPR) Compliance
The General Data Protection Regulation (GDPR) applies to businesses operating within the European Union (EU) and any organization that processes the personal data of EU residents, regardless of the company's location. This includes:
- Companies offering goods or services to EU residents
- Organizations monitoring the behavior of individuals within the EU
- Businesses handling EU resident data on behalf of other organizations (e.g., data processors)
If your company collects, stores, or processes personal data such as names, email addresses, IP addresses, or payment information of EU residents, GDPR compliance is mandatory.
In layman’s terms, if you do business in or with the EU, you’ll need to comply with GDPR.
Risks/Penalties
- Significant Fines -> Penalties can reach up to €20 million or 4% of global annual turnover, whichever is higher
- Legal Liabilities -> Individuals have the right to file complaints and seek compensation for misuse of their data
- Reputational Damage -> Breaches or non-compliance can harm customer trust and brand image
- Operational Challenges -> Lack of compliance may disrupt business operations, particularly with partners or clients requiring GDPR adherence
Recommendations
- Appoint a Data Protection Officer (DPO) -> If required, designate a DPO to oversee compliance efforts
- Conduct a Data Audit -> Identify and document the personal data you collect, process, and store, including its sources and purposes
- Implement Privacy Policies and Notices -> Update your privacy policy to clearly inform users about data collection, usage, and their rights
- Secure Consent -> Ensure explicit, informed, and revocable consent is obtained for data processing
- Enable Individual Rights -> Provide mechanisms to honor data subjects' rights, including access, rectification, deletion, and portability
- Strengthen Data Security -> Use encryption, secure data storage, and regular security audits to protect personal information
- Establish Incident Response Plans -> Prepare for data breaches by developing protocols to notify authorities and affected individuals within 72 hours
How X Agency Can Help
- Marketing Channels We Manage -> These compliance and security updates are already handled—no action is needed on your part.
- Marketing Channels We Don’t Manage -> For channels we don’t manage, we can help too!
- We can audit and review the pixels to get an understanding of the current status and gaps.
- We’ll create a uniquely tailored gameplan to bring you into full compliance.
- If you would like our assistance, we’ll provide a tailored estimate of the costs required to bring you into full compliance.
Helpful Links
- https://gdpr-info.eu/
- https://www.edpb.europa.eu/our-work-tools/our-documents/publication-type/guidelines_en
2. California Consumer Privacy Act (CCPA) Compliance
The California Consumer Privacy Act (CCPA) applies to businesses that meet ANY of the following criteria:
- Revenue Threshold -> Annual gross revenue exceeding $25 million
- Data Volume -> Processes personal data of 50,000 or more California residents, households, or devices annually
- Revenue from Data -> Derives 50% or more of annual revenue from selling California residents' personal information
A key difference between the CCPA and the GDPR is that the CCPA does not require explicit consent for most data processing activities: consent to sell data is implicit by default unless the consumer opts out. Instead, it emphasizes transparency and the right to opt out of data sales.
Exceptions
- If your website has visitors or customers who are minors under the age of 16, you are required to obtain their opt-in (consent) before you are allowed to sell or disclose their personal information to third parties.
- If the minor is under the age of 13, a parent or legal guardian must consent for them.
In layman’s terms, if your business meets the criteria above, you’ll need to let customers know about your data collection practices.
Risks/Penalties
1. Fines
- Up to $2,500 per violation
- $7,500 per intentional violation
2. Private Right of Action
- Individuals may sue for statutory damages of $100–$750 per incident if their data is subject to unauthorized access, theft, or disclosure
Recommendations
- “Do Not Sell My Personal Information” -> Provide consumers with an easily accessible link on the website, allowing them to opt out of the sale of their personal information
- Update Privacy Policies -> Clearly inform consumers about the types of data collected, how it’s used, and their rights under CCPA
- Enable Consumer Rights -> Implement processes for consumers to request access to, deletion of, or opting out of the sale of their personal information
- Conduct Data Audits -> Identify and document the personal information you collect, its sources, and how it is shared or sold
- Secure Data -> Enhance data protection measures to prevent unauthorized access or breaches
- Train Employees -> Ensure relevant staff are trained to handle CCPA requests and compliance protocols
- Work with Vendors -> Ensure contracts with service providers include data protection and CCPA compliance clauses
How X Agency Can Help
- Marketing Channels We Manage -> These compliance and security updates are already handled—no action is needed on your part.
- Marketing Channels We Don’t Manage -> For channels we don’t manage, we can help too!
- We can audit and review the pixels to get an understanding of the current status and gaps.
- We’ll create a uniquely tailored gameplan to bring you into full compliance.
- If you would like our assistance, we’ll provide a tailored estimate of the costs required to bring you into full compliance.
Helpful Links
- https://www.oag.ca.gov/privacy/ccpa
- https://oag.ca.gov/privacy/ccpa/regs
3. Virginia Consumer Data Protection Act (VCDPA) Compliance
Virginia has joined the ranks of US states taking decisive action to protect consumers' personal information. The Virginia Consumer Data Protection Act (VCDPA) has introduced a comprehensive framework designed to ensure the privacy and security of personal data in the state.
The VCDPA is not as strict as GDPR in terms of cookies. It draws similarities to the CCPA and CPRA and follows the trend set by all the US states that have passed any kind of privacy law.
VCDPA applies to you if you conduct business in Virginia or cater to Virginia residents, and if either:
- You handle or process the personal data of at least 100,000 consumers, or
- You handle or use the personal information of at least 25,000 consumers and generate more than 50% of your gross income from selling personal data.
Unlike other US states’ privacy laws, it does not set a gross annual revenue threshold.
You don't need to obtain cookie consent to comply with the VCDPA. You are free to use any type of cookies as long as consumers do not opt out of data processing.
Virginia's CDPA relies on the opt-out principle, which means that you are not required to get an opt-in from data subjects. You just need to allow them to opt out when they want.
However, there are three exceptions to this rule where you must obtain explicit users' consent:
- When you process sensitive personal information,
- When you collect children's personal information, and
- When you want to process personal information for purposes other than those for which you collected the data.
The following categories of personal data are considered sensitive:
- Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
- The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
- The personal data collected from a known child; or
- Precise geolocation data.
Of these categories, the ones that cookies and trackers typically collect are the personal data of a known child and precise geolocation data. If your website or app processes such data with the help of cookies, you need to obtain explicit consent before collecting it.
Helpful Links
- https://secureprivacy.ai/blog/vcdpa-cookie-consent
4. Accessibility Issues
The Americans with Disabilities Act (ADA) applies to businesses that qualify as public accommodations, regardless of whether they operate online or offline.
- Businesses Open to the Public -> Any organization providing goods or services, such as e-commerce, banking, healthcare, and education websites
- Government and Public Sector Entities -> Websites, apps, and digital services used by citizens
- Businesses with 15+ Employees -> These must provide accessible experiences for both employees and customers under the ADA
In layman’s terms, if you operate a business with a website, you need to be ADA compliant.
Risks/Penalties
- Lawsuits under the ADA or other state-level disability laws
- We’ve had multiple clients sued due to ADA non-compliance
- Settlements or damages that can cost tens of thousands of dollars
- Accessibility Audits: Non-compliance can lead to mandatory remediation and costly audits
Recommendations
To address potential compliance risks and enhance user experience, we recommend the following actions, or sign up for Accessibe, which can take care of everything for you.
- Conduct an Accessibility Audit -> Evaluate your website using tools such as WAVE to identify barriers for users with disabilities
- Adopt WCAG Standards -> Align your website with the Web Content Accessibility Guidelines (WCAG) 2.1 at Level AA, a widely accepted benchmark for accessibility
- Implement Key Features -> Ensure alternative text for images, proper keyboard navigation, readable text with sufficient contrast, and accessible forms
- Continuous Monitoring -> Accessibility is an ongoing process; regular updates, testing, and feedback loops help maintain compliance
- Provide an Accessibility Statement -> Publish a clear accessibility statement on your website detailing your commitment to inclusivity and how users can report issues
How X Agency Can Help
Maintaining ADA compliance for your website is critical—not just for avoiding legal risks, but for ensuring inclusivity and accessibility for all users.
If your website needs updates to meet accessibility standards, we can help. Please note that ADA compliance efforts require specialized technical hours and will be billed based on the hours required to implement these changes.
Let us know if you'd like to move forward, and we’ll provide an estimate tailored to your needs.
Helpful Links
- https://www.accessibility.com/
- https://www.ada.gov/
- https://www.w3.org/WAI/standards-guidelines/wcag/
5. TikTok - Trap and Trace Lawsuits
This is a new issue that we’ve seen with one of our clients. On doing more research, there seems to be one company attempting to sue businesses that use TikTok tracking within California. Keep in mind, “Trap & Trace” was meant for law enforcement wiretapping, but since the laws are old and ambiguous, they’re somehow able to tie this into digital marketing and how companies track users through the TikTok Pixel.
The California Trap and Trace Statute applies to businesses or organizations collecting, monitoring, or tracking user behavior within California, especially those using tools like TikTok Pixels or other tracking technologies. Your business may fall under its scope if:
- You Use Tracking Tools -> Such as TikTok Pixel, Google Analytics, or similar technologies that monitor user actions on your website
- You Operate in California -> Or collect data from California residents
- Handle Sensitive Data -> Including but not limited to IP addresses, location data, or behavioral patterns for marketing or analytics purposes
Risks/Penalties
- Civil penalties under the California Trap and Trace Statute for unauthorized tracking
- Users may bring legal actions if their data is improperly collected or tracked without consent
- Penalties of up to $5,000 per infraction
Recommendations
- Conduct a Tracking Audit -> Identify all tracking technologies used, including TikTok Pixel, and assess what data is being collected and how it is used
- Obtain Explicit Consent -> Implement a consent management platform (CMP) that informs users of tracking technologies and allows them to opt in or out
- Limit Data Collection -> Configure tracking tools to minimize data collection and avoid unnecessary gathering of sensitive user information
- Publish a Privacy Policy -> Clearly disclose tracking activities and purposes in your privacy policy, as well as the rights users have to control their data
- Work with Legal Counsel -> Consult with attorneys specializing in privacy law to assess and mitigate risks specific to your tracking practices
- Train Your Team -> Educate your marketing and technical teams on the legal and ethical use of tracking tools like TikTok Pixel
Helpful Links
- https://www.dailyjournal.com/article/377643-vivint-tiktok-accused-of-violating-trap-and-trace-law
- https://www.lawinc.com/puma-tiktok-tracking-lawsuit-privacy-concerns
- https://www.gpwa.org/forum/fanduel-faces-tiktok-trap-trace-privacy-class-action-267933.html
- https://ogletree.com/insights-resources/blog-posts/businesses-beware-california-trap-trace-lawsuits-target-common-website-tools/
6. Site Security/Phishing
Businesses of all sizes and industries are vulnerable to website hacking and phishing attacks, which exploit security gaps to gain unauthorized access to sensitive data or defraud users. Your organization is particularly at risk if:
- You Handle Sensitive Data -> Such as customer payment details, personal information, or intellectual property
- Operate Online -> With e-commerce websites, online portals, or customer-facing digital platforms
- Use Email and Messaging -> For communication with customers, employees, or vendors, making you susceptible to phishing schemes
- Have Limited Security Measures -> Such as outdated software, unsecured networks, or lack of employee training
We’ve had clients who have had their entire website/email database stolen, fraudulent purchases made and lost revenue due to this.
Risks/Penalties
- Data Breaches: Loss of sensitive customer or business data
- Financial Loss: Through fraudulent transactions, ransom demands, or operational downtime
- Reputational Damage: Loss of customer trust and brand credibility
- Legal Penalties: Violations of data protection laws like GDPR, CCPA, or other industry-specific regulations
- Operational Disruption: Hacked websites or phishing attacks can cripple essential business functions
Recommendations
- Implement Strong Authentication -> Use Two-Factor Authentication (2FA) for all accounts and platforms
- Secure Your Website -> Regularly update your CMS, plugins, and software; enable SSL/TLS certificates so all traffic is encrypted (HTTPS); and conduct regular security scans and penetration tests
- Train Employees -> Educate staff about identifying phishing emails, texts, and social engineering tactics, and conduct simulated phishing exercises
- Adopt Email Security Measures -> Use email filters to block suspicious messages, and configure SPF, DKIM, and DMARC to prevent email spoofing
- Monitor Activity -> Use firewalls and intrusion detection/prevention systems (IDS/IPS), and monitor for unusual account or network activity
- Backup Data Regularly -> Maintain secure, offsite backups to recover quickly in the event of an attack.
- Establish an Incident Response Plan -> Outline steps for identifying, containing, and mitigating breaches or phishing incidents.
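Added example (not from the original guide): a small Python check for the SPF and DMARC settings the email security recommendation above refers to, flagging weak values such as `+all` and `p=none` next to a hardened pair. The TXT record strings below are constructed samples; in practice you would fetch the domain's own TXT record and the one at `_dmarc.<domain>`, and a DKIM check additionally needs the selector name, which this example does not cover.

```python
def parse_spf(record):
    """Return findings for an SPF TXT record; an empty list means no issues."""
    if record is None:
        return ["SPF: no record published; receivers cannot verify sending hosts"]
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    # The 'all' mechanism decides the fate of hosts not matched before it.
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unlisted senders are treated as neutral")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier in "+?":
            findings.append(f"SPF: '{qualifier}all' lets any host send as this domain unpenalized")
    return findings

def parse_dmarc(record):
    """Return findings for the TXT record at _dmarc.<domain>."""
    if record is None:
        return ["DMARC: no record at _dmarc.<domain>; SPF/DKIM failures are never enforced"]
    findings = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; aggregate reports are not collected")
    return findings

def assess(spf_record, dmarc_record):
    # Combine SPF and DMARC findings for one domain.
    return parse_spf(spf_record) + parse_dmarc(dmarc_record)

# Constructed sample records (not real domains): a weak setup beside a hardened one.
WEAK_SPF = "v=spf1 include:_spf.mail-provider.example +all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 include:_spf.mail-provider.example -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
```

Calling `assess(WEAK_SPF, WEAK_DMARC)` returns three findings, while the hardened pair returns none.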
We can’t stress enough how important it is to tackle these compliance issues head-on. These aren’t just “nice to haves”—we’ve had clients face lawsuits over non-compliance, and trust me, that’s not a situation we want you to be in.
If we manage your channels, we’ve got you covered: we have addressed and continue to address these concerns. If we don’t manage a specific channel for you, we can help! We’ll start with an audit, figure out what’s needed, and give you an estimate to get everything compliant and secure.
Let’s work together to make sure your business is protected and running smoothly. Reach out to your account manager and/or X Agency contact with any questions—we’re here for you!