Privacy & Data Protection
19 states now have comprehensive privacy laws. GDPR enforcement has exceeded EUR 7 billion in fines. We build privacy programs that cover every framework your business touches — with one team, one assessment, one fee.
Our team is certified in both US and European privacy law (CIPP/US + CIPP/E), so one engagement covers GDPR, CCPA, HIPAA, and the growing patchwork of state laws. We also hold Certified AI Auditor credentials, which means we can address the privacy implications of AI systems without bringing in a separate firm.
Starting at $10K | 1-8 weeks
Services
Privacy Program Development
Data mapping, policies, processing registers, consent frameworks, vendor DPAs. Covers GDPR, CCPA/CPRA, HIPAA, and state privacy laws in one engagement.
4-8 weeks
Data Protection Impact Assessment
GDPR Article 35 assessment for high-risk processing. Risk documentation, mitigation plan, and a regulator-ready report.
2-4 weeks
Multi-State Privacy Law Compliance
Gap assessment across 19-20 state privacy laws. Unified compliance framework that maps overlapping requirements so you implement once.
2-6 weeks
HIPAA Privacy & Security Program
Risk analysis, policies, workforce training, BAA templates, and breach notification procedures. Full program build or gap remediation.
4-8 weeks
Privacy Program Maturity Assessment
Current-state evaluation against NIST Privacy Framework or ISO 27701. Scored assessment with prioritized remediation roadmap.
1-2 weeks
Why us
US and EU privacy in one engagement
Our team holds both CIPP/US and CIPP/E certifications, so a single engagement covers GDPR, CCPA/CPRA, HIPAA, and state privacy laws without splitting the work across separate US and EU practices.
Privacy expertise that extends to AI
AI introduces privacy risks that most consultants are not equipped to assess: LLM training on personal data, solely automated decision-making with legal or similarly significant effects under GDPR Article 22, and vendor AI dependencies that create new data flows. Our Certified AI Auditor credentials mean we cover the privacy questions and the AI questions in the same engagement.
19 states and counting
With 19-20 comprehensive state privacy laws now in effect, multi-state compliance requires mapping overlapping requirements. One assessment, one fee.
Why licens.io?
| | Big 4 | licens.io |
|---|---|---|
| Privacy scope | Separate US and EU teams | Dual CIPP: US + Europe in one person |
| AI intersection | Privacy only | Certified AI Auditor — AI + privacy together |
| State coverage | State-by-state | Map 19-20 state laws in one assessment |
| Pricing | Hourly, $75K-$200K+ total | Fixed-fee, $15K-$75K total |
| Speed | 3-6 months | 1-8 weeks |
Who this is for
- ✓ Companies with EU customers or employees needing GDPR compliance programs
- ✓ Startups scaling into enterprise that need a privacy program before their first SOC 2 or enterprise deal
- ✓ Companies operating in multiple states needing unified compliance across 19-20 privacy laws
- ✓ Healthcare organizations needing HIPAA privacy and security programs
- ✓ AI companies needing privacy + AI expertise together instead of two separate firms
Frequently asked questions
Do US companies need to comply with GDPR?
Yes, if you process the personal data of people in the EU, whether customers, users, or employees. Under GDPR Article 3(2) it applies to companies outside the EU that offer goods or services to people in the EU or monitor their behaviour there, regardless of where the company is headquartered.
How many US states have privacy laws now?
19-20 states have comprehensive privacy laws as of 2026. Applicability depends on revenue thresholds, data volume, and where your users are.
What is a DPIA and when is one required?
A Data Protection Impact Assessment is required under GDPR Article 35 before processing that is likely to result in a high risk to individuals' rights and freedoms, such as large-scale processing of special-category data, systematic and extensive profiling, or large-scale systematic monitoring of public areas. We produce regulator-ready reports.
How does AI affect privacy compliance?
Decisions based solely on automated processing that have legal or similarly significant effects on a person trigger GDPR Article 22. Training data raises consent and lawful basis questions. New state laws add AI-specific disclosure requirements.
Related articles
Delve and the 494 Fake SOC 2 Reports: What the Compliance Industry Should Learn
A Y Combinator-backed compliance startup allegedly fabricated 494 SOC 2 reports with auditor conclusions pre-written before clients submitted any evidence.
Five Supply Chain Attacks in Twelve Days: March 2026 Broke Open Source Trust
In twelve days, attackers compromised Trivy, Checkmarx, LiteLLM, Telnyx, and Axios — and the supply chain security model most organizations rely on did not survive.
Three More States, Three More Privacy Laws: 2026 Compliance Starts Now
Indiana, Kentucky, and Rhode Island all went live on January 1, 2026, which means privacy compliance just got a little less optional.
Get a clear picture of your privacy posture
We'll map which privacy frameworks apply to your business and where you stand — then build the program to close the gaps.