The Washington Privacy Act (WPA) passed last month, joining a growing line of state-wide, national and regional privacy regulations redefining how data-driven enterprises engage with consumer data. While largely similar in their intent, these respective privacy laws and regulations diverge just enough to make tracking and ensuring compliance with each one an overwhelming task for just about any privacy team. This raises important questions around how global SaaS companies are dealing with this growing number of geo-specific data privacy regulations, which includes the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), Russian’s Federal Law on Personal Data and China’s Data Protection Regulatory Guideline.
Consider the following example: Cora Laçione is the Head of Data Infrastructure at a company that offers the most compact, lightweight and high-quality yoga mats on the market. The product, branded YogiMate, is sold online through an online shop which just so happens to be one of the best resources for online yoga training videos. Cora is responsible for the data infrastructure supporting the company’s online store and its internal applications for collecting and analyzing website visitor interest and buying patterns. These data points are crucial to helping marketing and sales optimize their operations. While YogiMate was initially focused on consumers in California, it was recently featured on “The Yoga Tribune”, and international demand for YogiMate yoga mats have skyrocketed ever since. Now, demand is pouring in from the far corners of the earth, from France and Germany to Korea and the Philippines, all the way through to Australia! Overall, this is excellent news for YogiMate but an absolute maze for Cora and his team to unravel.
As a SaaS platform, YogiMate’s architecture and operations are designed to maximize economies of scale and leverage shared infrastructure and resources across all site visitors and customers. To achieve this, Cora has built the company’s data architecture to support all types of customers with a scalable and efficient data pipeline. While this is the best practice from a data engineering perspective, it creates multiple challenges when it comes to addressing the different data privacy requirements of different regions.
This is because operating globally introduces various legal considerations in order to support the legal rights of global customers. Data-driven companies must run off a list of questions before they can confidently feel that they comply. Among them are:
- Can data be shared?
- How can data be used?
- Where can data be stored?
- When should data be deleted?
- And, what is considered personal data?