It’s fairly common, especially in the eCommerce world, for a single company to have multiple subsidiary businesses operating under one umbrella. This can create some confusion as to how to approach privacy compliance: Should it be done separately, or all together?
For example, an apparel company may have three separately branded websites—one that sells shoes, another that sells sunglasses, and a third that sells swimsuits. Assuming that each of these sites gets enough traffic on its own for U.S. state privacy laws to apply, the apparel company wants to know whether it has to bring all three sites into compliance separately or whether they can share one common privacy program (i.e., data map, privacy notices, request-answering system, etc.).
There is no clear-cut answer or guidance on when more than one privacy program is needed. Instead, it will depend on the specific circumstances of each company. Here are some of the factors to consider.
If each separate business is collecting, using, and disclosing personal data in essentially the same way, this weighs in favor of being able to share a privacy program.
In the example above, there is a good chance that the apparel company’s three different subsidiary businesses are operating more or less identically, at least from a personal data perspective. That is, they are collecting data at the same points for the same purposes, using the same service providers, and so on. Therefore, the data map will be the same across all three websites, as well as their privacy notices and responses to privacy requests.
This is not always the case. Sometimes a company may have multiple businesses that operate quite differently from each other, such as an online store vs. a publication that generates revenue from advertising. The more the businesses’ data practices diverge, the more likely it is that they should have separate privacy programs.
From the consumer’s perspective, privacy notices should be easy to understand and the procedure for submitting privacy requests should be simple to follow. If bundling multiple businesses together will make privacy notices and requests overly complicated, you should consider separating them out.
Internal coordination is more of an operational concern. Privacy compliance goes much more smoothly if there is one person within the company who takes responsibility for it. It also requires a lot of communication between departments to make sure everyone is on the same page and responding appropriately to privacy requests.
If all of a company’s subsidiaries are operating out of one office with the same staff, this isn’t really an issue. However, it may be that the subsidiaries are based in different locations, with separate staff that have never even met each other. In that case, internal coordination will be more difficult and maintaining separate privacy programs may be more appropriate.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.