All you need is a privacy policy and the ability to delete / return customer data when requested. But that doesn't have to be in real time/automated, you can just set up an email address and respond manually. It's rare you'll even get a request if you're a company with such a small IT budget.
All the other things (double opt-in email, not contacting your customers in an unsolicited way) are process changes that can be implemented without IT cost.
All you need is a privacy policy and the ability to delete / return customer data when requested. But that doesn't have to be in real time/automated, you can just set up an email address and respond manually. It's rare you'll even get a request if you're a company with such a small IT budget.
All the other things (double opt-in email, not contacting your customers in an unsolicited way) are process changes that can be implemented without IT cost.