
Step Two: Determine Which Privacy Laws Apply
There are international laws like the GDPR, national but data-specific laws like the U.S. Children’s Online Privacy Protection Act (COPPA), general but state-specific laws like the California Consumer Privacy Act as amended by CPRA (CCPA 2.0) and the Virginia Consumer Data Protection Act (VCDPA), and data and state-specific laws like Illinois’ Biometric Information Privacy Act (BIPA). There are even local laws like Quebec’s Private Sector Privacy Act (Bill 64) and Charter of the French Language (Bill 101) that can create a unique set of overlapping obligations.
Understanding which laws apply to your company will help you understand its legal risk profile and have concrete conversations with your business leadership about risk tolerances and resourcing. This in turn will help you focus your privacy program’s goals and top priorities.
Ask yourself the following:
- Where are we physically established?
- Where are our data centers and other IT infrastructure situated?
- Where do we have the most vs fewest customers? How many?
- Where do we have the most vs fewest employees? How many?
- Are we in a specifically regulated industry sector like finance or healthcare?
- Are our offerings directed at specially protected groups like children?
Depending on your answers, you may be subject to an array of local, national, and international data protection requirements. Risk is a spectrum, and resources are always finite. Based on your organization’s needs, your program will tilt toward one of the following models:
- King of the Hill: Where an organization aligns its privacy program to the highest applicable standard, like the GDPR. This model supports a uniform, top-down approach and can help reduce program complexity. However, it can be viewed by business leaders as overly conservative or monolithic.
- Princes of their Universes: Where an organization aligns to applicable regional and local requirements as needed. This model supports a more business-friendly, targeted approach, but can be viewed as cumbersome and prone to missing the bigger picture.
Bottom Line:
There’s no single, best approach to orienting one’s privacy program. However, starting with a firm understanding of which laws and regulations apply to your organization today is simply pragmatic. It forms your rationalized baseline from which to scale up and out.
Request Manager in DataGrail offers you privacy law-specific and generally applicable Request Policies. Align your intake forms, response timelines, and request handling workflows to the GDPR, CCPA/CPRA, LGPD, and more.
In DataGrail, choose Request Manager at the top of your screen to get started.
The regulatory privacy landscape has seen dramatic changes in the past four years and shows no signs of slowing down.
Request a demo to get referrals to trusted law firms — what applies to you today may double tomorrow.
DataGrail can customize your Request Policies and Intake Forms to match.
Connect with other pros (free) to keep track of the regulatory environment and discuss best practices. Join the Privacy Basecamp Community.