2026 Privacy Quiz · Attorney-Built

How privacy-ready is your business?

Twelve questions, one card at a time. No pre-filled data, no email gate. At the end I show you a 0-100 readiness score, a written gap report, and the right service tier — from a $349 single-policy review up to the $1,200 Privacy Compliance Bundle.

CCPA / CPRA · GDPR / UK GDPR · DPA & vendor audit · Opt-out flow · GPC signal

How the score is built

Each of the 12 questions carries up to 7-9 points depending on weight. The scoring favors the answers that map to enforceable compliance: a lawyer-written policy beats a template, a tested opt-out beats an untested one, a DPA with all vendors beats partial coverage.

Failed items show up in the gap report with severity flags — fail for zero-point answers (foundational misses), warn for partial-credit answers (drift, untested processes, or unknowns). The recommended tier scales to total score:

The legal landscape this quiz is calibrated to

CCPA / CPRA (California)
Thresholds, sale/share opt-out, sensitive PI rights, GPC, service-provider rules. The CPPA is actively enforcing — especially on broken opt-outs and dark-pattern consent flows.
GDPR (EU)
Lawful basis, Art. 28 DPAs, DPIA where applicable, SCCs for transfers, 72-hour breach notification. UK GDPR mirrors this, with the UK IDTA as the transfer mechanism.
State-by-state laws
VA, CO, CT, UT, TX, OR, MT, IA, IN, TN, FL, DE, NJ, NH each diverge in scope. The quiz flags California specifically but the bundle covers the multi-state landscape.
My Health My Data (Washington)
Sweeping consumer-health-data protections that affect any business handling fitness, mental-health, or wellness information — even outside HIPAA.
CPPA enforcement priorities
Sephora ($1.2M), DoorDash, Honda, and others. Patterns: broken Do Not Sell, GPC ignored, vague consent, missing service-provider contracts.
FTC AI / dark-pattern enforcement
Operation AI Comply (2024-2025) plus standing dark-pattern actions add a federal layer for SaaS that uses AI features or growth-marketing tactics.
EU AI Act overlay
For SaaS using AI, a privacy policy + DPA refresh is often the front door to AI Act readiness. The Bundle includes the AI processing notice if the stack uses AI.
Schrems II / DPF
EU-US Data Privacy Framework participation, SCC modernization, transfer impact assessments. The Bundle includes a baseline TIA template.

Why I built this quiz

I'm Sergei Tokmakov, a California attorney (CA Bar #279869, licensed since 2011). The conversations I have with founders almost always start the same way: "I have a privacy policy — do I need to do anything else?"

The honest answer depends on twelve specific things. Rather than charge for a triage call, I built the triage. The score, the gap report, and the tier recommendation are the same ones I'd give you on a call. The Privacy Compliance Bundle exists for the businesses where the score lands below 40 — that's where the math favors a packaged rebuild over three separate reviews.

Sergei Tokmakov · California State Bar #279869 (licensed 2011). Sole attorney behind Terms.Law. Privacy, contracts, demand letters. I write these tools myself, read every rule I cite, and update them when state laws change. Email: owner@terms.law.

Frequently asked questions

Is the score legal advice?
No. This quiz is an informational tool. The score is heuristic and the gap report is a triage list, not a legal opinion. If you want privileged advice, the next step is the $349 single-document review or the $1,200 Privacy Compliance Bundle — I open an engagement letter at that point.
I scored 35. Do I have to start with the Bundle?
No. The Bundle is what fits a low score because it covers the three documents you most likely need (Privacy Policy, Terms of Service, DPA template) in one engagement. If budget is the constraint, start with the $349 Privacy Policy review, fix the most exposed item first, and circle back. Email me your score and stack — I'll tell you which sequencing makes sense without trying to upsell.
Why isn't my data sent anywhere?
The score is computed entirely in your browser. No answers leave the page unless you submit the email-capture form. If you do submit it, your email plus your answers and score come to owner@terms.law for me to review. That's the entire data flow.
Does this work for B2B SaaS or only consumer apps?
Both. The DPA question (Q8) and vendor footprint (Q7) actually score B2B SaaS more carefully because B2B businesses have more exposure on the processor side. E-commerce gets weighted more heavily on payment-data sensitivity (Q5) and opt-out flow (Q9). The rubric handles both.
What's actually in the $1,200 Bundle deliverable?
Three written documents plus a memo: (1) custom Privacy Policy, (2) customer-facing Terms of Service rewrite or first draft, (3) Data Processing Agreement template you can use with vendors and B2B customers. Plus a written threshold analysis (CCPA, GDPR, state-by-state) and two strategy calls. Turnaround is 10-14 business days.
Do I need a DPA if I only use Stripe and Google Analytics?
Both Stripe and Google have boilerplate DPAs, and accepting them is usually the right move. The gap is when you accept the boilerplate without reading the sub-processor list, the audit clause, or the transfer mechanism. The Bundle includes a DPA review template you can use to vet vendor DPAs — not just sign them.
Is GPC really mandatory?
In California, yes — CPRA requires businesses to honor opt-out preference signals, and GPC is the recognized signal. Other states (Colorado, Connecticut) are adopting similar rules. The technical implementation is usually a one-time engineering task; the legal exposure of ignoring it is ongoing.
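An added example of the engineering task that answer refers to, not code from the quiz or from Terms.Law: recognising the GPC signal on the server (the Sec-GPC request header) and in the browser (navigator.globalPrivacyControl), then using the result to suppress sale/share behaviour such as loading third-party ad pixels. The per-visitor preference store, visitor ids and tag list are assumptions made for illustration.

```javascript
// Added example (not from the quiz page). Sample headers and tags below are
// constructed for illustration, not captured from real traffic.

// Server side: a GPC-enabled browser sends the request header "Sec-GPC: 1".
// Only the exact value "1" is the opt-out signal; header names are
// case-insensitive, so normalise before comparing.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Browser side: supporting user agents expose a boolean on navigator.
// Only a strict `true` counts; undefined means the UA does not implement GPC.
function hasGpcSignalInBrowser(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// CPRA treats a valid opt-out preference signal like a Do Not Sell/Share
// request. Resolve the visitor's effective status: a previously stored
// opt-out stands; a fresh GPC signal is recorded so it persists on later
// requests that may lack the header. `store` is a hypothetical Map keyed by
// visitor id (assumption for this example).
function resolveSaleShareOptOut(visitorId, headers, store) {
  const stored = store.get(visitorId) || { optOut: false, source: null };
  if (stored.optOut) return stored;
  if (hasGpcSignal(headers)) {
    const record = { optOut: true, source: 'gpc' };
    store.set(visitorId, record);
    return record;
  }
  return stored;
}

// Gate tags on the resolved status: anything that shares data with a third
// party is dropped for an opted-out visitor; first-party tags still load.
function tagsAllowed(allTags, status) {
  return allTags.filter((tag) => !(tag.sharesData && status.optOut));
}

// Constructed sample tag inventory.
const SAMPLE_TAGS = [
  { name: 'analytics-first-party', sharesData: false },
  { name: 'ad-pixel', sharesData: true },
];
```

A real deployment also needs the opt-out reflected in the consent banner and in any server-side data sharing (not only client tags), which is the part the DPA and opt-out-flow questions of the quiz probe.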
What if I don't have any EU customers but use Mailchimp?
If your platform stores any data on EU servers (most major SaaS does), you may still need transfer mechanisms in your vendor contracts even though your customers are US-only. The DPA review is the place to catch this.
Disclaimer. This calculator is an informational tool authored by Sergei Tokmakov, a California-licensed attorney (CA Bar #279869). It is not legal advice and does not create an attorney-client relationship. The composite score and gap report are heuristic estimates based on a fixed set of factors — they do not substitute for review of your actual policies, vendor contracts, and use case. Privacy laws vary by jurisdiction and change frequently. For advice on a specific matter, email owner@terms.law.