OTT Compliance Checklist

The full compliance gate list for OTT platform launches.

1. Data Map

  • Identify all categories of personal data collected (name, email, payment, IP, device IDs, viewing behaviour)
  • Document the purpose and legal basis for each processing activity
  • Map data flows to third-party processors (analytics, billing, CDN, email, ads)
  • Identify any international transfers and safeguards in place
  • Assign a data controller contact / DPO if required

2. Cookies, Tags & SDK Inventory

  • Complete a tag and SDK inventory for website and apps
  • Classify each tag/SDK: strictly necessary, analytics, marketing, functional
  • Confirm non-essential tags are not firing before consent where required
  • Document data collected, vendor, retention period, and legal basis for each

3. Consent UI + Preference Storage

  • Cookie banner implemented with clear Accept / Reject / Manage options
  • No pre-ticked marketing categories
  • Reject button is as easy to find as Accept button
  • Consent choices stored with timestamp and category granularity
  • Preference centre accessible from footer and re-accessible at any time
  • Banner does not fire on pages that only use strictly necessary cookies

4. Consent Signal Propagation (if running ads)

  • CMP integrated and generating TCF/GPP consent strings
  • Non-essential tags blocked until consent string is available
  • Consent strings passed to all ad tech partners (ad server, SSP, measurement)
  • Tested across web and CTV environments
  • See signals checklist for full detail
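The consent storage items in section 3 (timestamped, category-granular, nothing pre-ticked) and the tag blocking item in section 4 can be checked with a small gate like the one below. This is an added illustration, not code from the checklist or from any CMP; the category names, the sample tag inventory and the vendor labels are constructed for the example.

```javascript
// Added example: a consent record with per-category choices and a gate that
// decides which inventory tags may fire. Categories follow section 2 of the
// checklist; the inventory and vendor names are constructed placeholders.
const CATEGORIES = ['strictly_necessary', 'functional', 'analytics', 'marketing'];

// Build a consent record. Only an explicit boolean true counts as consent, so
// every non-essential category defaults to rejected (no pre-ticked boxes).
// The timestamp is kept with the record so the choice can be evidenced later.
function recordConsent(choices, now = Date.now()) {
  const categories = {};
  for (const c of CATEGORIES) {
    categories[c] = c === 'strictly_necessary' ? true : choices[c] === true;
  }
  return { version: 1, timestamp: new Date(now).toISOString(), categories };
}

// "Reject all" must be a single action, as easy as "Accept all".
function rejectAll(now = Date.now()) {
  return recordConsent({}, now);
}

// Decide which tags may fire. With no stored record (banner not yet answered)
// only strictly necessary tags are allowed; everything else stays blocked
// until a consent decision exists for its category.
function allowedTags(inventory, record) {
  return inventory.filter((tag) => {
    if (tag.category === 'strictly_necessary') return true;
    return Boolean(record && record.categories[tag.category] === true);
  });
}

// Constructed sample inventory in the shape a section 2 tag/SDK inventory
// would record: id, classification and vendor.
const INVENTORY = [
  { id: 'session', category: 'strictly_necessary', vendor: 'first-party' },
  { id: 'player-prefs', category: 'functional', vendor: 'first-party' },
  { id: 'analytics', category: 'analytics', vendor: 'example-analytics' },
  { id: 'ad-pixel', category: 'marketing', vendor: 'example-ssp' },
];
```

In a real deployment the record would be written by the CMP and the gate called from the tag manager's load path, before any non-essential script is injected.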

5. DSAR & Deletion Workflows

  • Process defined for responding to data subject access requests (DSARs)
  • Response time target set (30 days for UK/EU GDPR)
  • Deletion workflow covers all systems (CRM, analytics, billing, email, backups)
  • DSAR contact publicly visible in privacy policy

6. Security Basics

  • Data in transit encrypted (TLS 1.2+ for all endpoints)
  • Data at rest encrypted (database, backups, video storage)
  • Access controls: principle of least privilege applied
  • MFA enabled for admin and internal tool access
  • Breach notification procedure documented (72-hour GDPR reporting window)
  • Vendor security assessments for key processors

7. Policies

  • Privacy policy: accurate, current, publicly accessible, written in plain language
  • Cookie policy: matches your actual cookie implementation
  • Terms of use: covers acceptable use, IP, disclaimers
  • Policies reviewed against all target markets (UK, EU, US states as applicable)

Disclaimer: This checklist is a practical starting framework. It does not constitute legal advice. Validate your compliance posture with qualified legal counsel for your specific markets, product, and data processing activities.

Want to work through this checklist with a specialist?

Book a 30–60 minute call and leave with a prioritised compliance plan.
