Managing Privacy Compliance in Multiple Jurisdictions


Data privacy laws are multiplying quickly. First came the EU’s General Data Protection Regulation (GDPR), followed by the California Consumer Privacy Act (CCPA), and similar state laws in Virginia, Colorado, and Utah. This is undoubtedly a positive development for consumers, but with more state and national privacy laws on the way, it will become increasingly complicated for businesses to manage multiple compliance schemes at once.

In an age when data flows so easily across state and national borders, how can you be sure you are following the laws in each jurisdiction?

Create a Comprehensive Data Map

Regardless of which privacy law is in play, creating a complete data map for your business is an indispensable part of compliance. What is a data map? It is the systematic tracking of:

  • Data Sources - Who you are collecting from
  • Collection Points - Where the data is collected
  • Disclosures - Any situations where the data is shared with outside parties
  • Data Categories - What types of data are collected and disclosed

Take the example of a newsletter subscription signup. The data source is the consumer themselves, the collection point is the online sign-up form, a likely disclosure is to your email marketing vendor, and the data category is email addresses.

The creation of a data map takes a bit of preparation, but can be done relatively quickly with privacy compliance software. Once completed, it can be used to build compliance with all the various data privacy laws. This is because the information tends to stay the same across multiple jurisdictions. The definition of “personal data” in each law is similar enough to be more or less universal; the collection points and disclosures are often the same as well.

There may need to be a few tweaks from jurisdiction to jurisdiction. For example, the GDPR applies to employees’ personal data (which is generally exempt from the U.S. state laws), so that information would need to be added to your data map. These are usually minor changes, though, and the core of the data map will continue to apply across the board.

Implement Privacy Request Workflows

Following the GDPR’s example, new privacy laws grant consumers the right to make certain requests regarding their personal information. The types of privacy requests may not always line up 100% from one law to the next, but there is a lot of common ground. For example, each law creates the right to access or delete personal information, as well as the right to opt out of targeted advertising. The basic architecture for responding to these requests will remain more or less the same across jurisdictions, even if there are some minor differences (e.g., which data may be retained in response to a deletion request).


Rather than attempting to figure out what is required for each request on an individual basis, creating a series of master workflows will be immensely helpful in a number of ways, including:

  • Improved Response Time - Each law has a time limit for responding to privacy requests. Responding in time will take planning.
  • Documenting Processing Instructions - Handling a privacy request will involve interacting with potentially dozens of vendors and other outside parties. Figuring out how to do that in advance will make the process much easier.
  • Managing Request Exceptions - Depending on the jurisdiction, the type of request, and the personal data involved, different sets of exceptions will apply. Managing all of these can be complicated, so it’s best to plan it out ahead of time.
  • Proper Verification Procedures - Protection of consumers’ personal information should always be the highest priority. Businesses must implement verification procedures that are secure and meet any jurisdiction’s requirements.

As with data mapping, having a core set of workflows that can be modified according to each different law should be a central part of multi-jurisdiction compliance.

Location-Specific Notices

Because different laws have different privacy notice requirements and different types of privacy requests, many online businesses choose to display different information based on where the consumer is located. For instance, a business may be required to display a “Do Not Sell My Personal Information” link on its homepage in California, but can configure its site not to show that link to visitors from other states. You might also want to create separate privacy request forms for each jurisdiction so that consumers will see only the request types that apply to them.

Alternatively, other businesses have chosen to extend all privacy rights to all website visitors, regardless of their location. This approach is simpler in some ways and can help build consumer trust, but will require some planning.

Multi-Jurisdiction Compliance Software

The easiest way to manage multiple privacy laws at once is to use compliance software that covers the jurisdictions you need. Keeping all the necessary information in one place and applying it automatically to each set of legal requirements will greatly simplify your compliance efforts.

TrueVault Polaris is designed specifically for small and medium-sized businesses to help them get compliant on their own, without the expense of hiring a law firm. With a guided, step-by-step process, many businesses can finish the initial onboarding in as little as a few hours. To learn more about how Polaris works or to schedule a demo, contact our team.
