Your organization is a U.S.-based e-commerce retailer that sells products to customers in the European Union and California and allows employees to work remotely from Brazil. The security manager must design a privacy compliance program that minimizes legal exposure while keeping operations as simple as possible. Which of the following strategies BEST accomplishes this goal?
Implement a single privacy program that meets the most stringent requirements across GDPR, CCPA/CPRA, and LGPD, and apply it to all data processing worldwide.
Comply only with U.S. federal privacy laws because the company is incorporated in the United States.
Rely exclusively on user consent pop-ups to satisfy all international privacy obligations.
Maintain separate privacy policies and technical controls for each jurisdiction but enforce them only in the local office located there.
Because the company offers goods to EU residents, sells to California residents, and employs workers located in Brazil, its processing falls within the extraterritorial scope of the GDPR (Article 3(2)), the CCPA/CPRA, and Brazil's LGPD, regardless of where the company is incorporated. Building one privacy program that satisfies the strictest overlapping requirements (for example, GDPR's lawful-basis and consent rules, LGPD's data-subject rights, and the CCPA/CPRA opt-out mechanisms for the sale or sharing of personal information) and applying it globally reduces complexity and the risk of missing a jurisdiction-specific obligation. Where the laws differ in kind rather than degree, such as GDPR's opt-in consent versus CCPA's opt-out, the single program must support both mechanisms rather than assume the stricter one covers the other. Limiting compliance to U.S. federal law ignores these extraterritorial statutes, and there is no comprehensive U.S. federal privacy law that would substitute for them; maintaining separate policies for each location is error-prone and resource-intensive, and enforcing them only in a local office leaves remote and cross-border processing uncovered; relying solely on consent pop-ups fails to address breach notification, security safeguards, and data-subject access and deletion requirements.