Do You Need Multiple Privacy Programs?


It’s fairly common, especially in the eCommerce world, for a single company to have multiple subsidiary businesses operating under one umbrella. This can create some confusion as to how to approach privacy compliance: Should it be done separately, or all together?

For example, an apparel company may have three separately branded websites—one that sells shoes, another that sells sunglasses, and a third that sells swimsuits. Assuming that each of these sites gets enough traffic on its own for U.S. state privacy laws to apply, the apparel company wants to know whether it has to bring all three sites into compliance separately or whether they can share one common privacy program (i.e., data map, privacy notices, request-answering system, etc.).

There is no clear-cut answer or guidance on when more than one privacy program is needed. Instead, it will depend on the specific circumstances of each company. Here are some of the factors to consider.

Similarity of Data Practices

If each separate business is collecting, using, and disclosing personal data in essentially the same way, this weighs in favor of being able to share a privacy program.

In the example above, there is a good chance that the apparel company’s three different subsidiary businesses are operating more or less identically, at least from a personal data perspective. That is, they are collecting data at the same points for the same purposes, using the same service providers, and so on. Therefore, the data map will be the same across all three websites, as well as their privacy notices and responses to privacy requests.

This is not always the case. Sometimes a company may have multiple businesses that operate quite differently from each other, such as an online store vs. a publication that generates revenue from advertising. The more the businesses’ data practices diverge, the more likely it is that they should have separate privacy programs.

Clarity for Consumers

From the consumer’s perspective, privacy notices should be easy to understand and the procedure for submitting privacy requests should be simple to follow. If bundling multiple businesses together will make privacy notices and requests overly complicated, you should consider separating them out.

Ability to Coordinate Between Entities

This is more of an operational concern. Privacy compliance goes much more smoothly if there is one person within the company who takes responsibility for it. It also requires a lot of communication between departments to make sure everyone’s on the same page and responding appropriately to privacy requests.

If all of a company’s subsidiaries are operating out of one office with the same staff, this isn’t really an issue. However, it may be that the subsidiaries are based in different locations, with separate staff that have never even met each other. In that case, internal coordination will be more difficult and maintaining separate privacy programs may be more appropriate.

Get Started with Your Privacy Program(s)

There is no one-size-fits-all answer to this question. Each company needs to consider its own unique circumstances to decide on the right course. It’s not uncommon for businesses to start out with a single privacy program for efficiency’s sake, only to later split it up because of unforeseen complications.

Whatever you decide, TrueVault makes it possible for your business to get compliant with privacy laws from across the United States in a matter of days, or even hours. With our guided software, you can onboard vendors, create a data map, respond to privacy requests, and more, all from a single platform.

Contact our team to learn more and schedule a demo.
