Interoperability: The Foundation for Achieving Compliance with Global Privacy Laws

Jun 15, 2021, 10:51 AM by Cobun Zweifel-Keegan, Deputy Director, Privacy Initiatives

Data privacy laws, not just in the U.S. but around the world, are proliferating at a breakneck pace. From Colorado to Colombia, emerging state and global rules for the handling of personal information are challenging business leaders.  

Despite what you may hear about global privacy laws, exceeding minimum standards with a unified privacy program is feasible for most businesses. Many turn to accountability markers like a privacy program certification delivered by independent organizations such as ours, BBB National Programs. These privacy certifications help make global privacy best practices achievable by businesses of any size, even if you are just getting started.  

While there is not one common global data privacy law, there are standard privacy practices common across jurisdictions. This idea can be summed up in one word: interoperability. Standard data privacy practices, when properly documented and certified, are recognized as a baseline around the world.  

Interoperability does not mean equivalency. Privacy laws around the world often differ in scope, operation, or enforcement. For example, though all data privacy or data protection laws cover “personal information” (information about individuals), the types of individuals covered vary, from consumers to employees to general “data subjects.”

Interoperability stands for the idea that baseline standards can be recognized among many different jurisdictions. If you achieve recognizable baseline standards—and demonstrate your achievement through mechanisms of transparency and accountability—you have taken many of the critical steps toward achieving global privacy compliance.  

Building on this foundation lets you focus on the gaps created by individual local laws, rather than starting from scratch for every market. 


How to Achieve Interoperability 

A certification based on the Cross-Border Privacy Rules (CBPR) system, such as the one from BBB National Programs (or, for vendors, the more streamlined Privacy Recognition for Processors (PRP)), not only provides an independent annual review of privacy practices, but also includes a formal report and public seal of approval, ongoing monitoring, and dispute resolution services, all of which help businesses keep up with global privacy norms.

The eight guiding principles included in the CBPR framework are universally acknowledged as fundamental to good privacy practices: 

  • Notice. Individuals should be provided with notice of privacy practices at the time of collection. 
  • Collection Limitation. Collection of personal information should be relevant to the purposes disclosed at the time of collection.
  • Uses of Personal Information. Uses should be limited to fulfilling the purposes of collection and other compatible or related purposes.
  • Choice. Where appropriate, individuals should be provided with choice in relation to the collection, use, and disclosure of their personal information.
  • Integrity of Personal Information. Procedures should be in place to maintain the accuracy and completeness of personal information.
  • Security Safeguards. Reasonable security safeguards should be implemented to protect personal information from loss, unauthorized access or disclosure, or other misuses.
  • Access and Correction. Procedures should be in place to permit individuals to access and correct their personal information.
  • Accountability. Procedures are in place to ensure compliance and accountability, even when data is shared with third parties.


Though the privacy standards built into the CBPR and PRP system were first established by the group of economies known as the Asia-Pacific Economic Cooperation (APEC), many CBPR-certified companies extend the scope of their certification to include their entire global operations. These companies recognize the value of adopting recognized privacy standards as a firm foundation for their global operations, and others may want to consider doing the same. 


How do CBPRs relate to global privacy laws? 

This table provides an overview of the correspondence between CBPRs and a selection of global privacy laws. For each principle, the table indicates whether the law:  

  • Aligns with the requirements for CBPR certification, 
  • Adds some details to the CBPR requirements (+), or
  • Does not include corresponding requirements (-).  

Cross Border Privacy Rules Matrix


The CBPR framework provides a strong foundation on which to build a business that meets global privacy standards. Demonstrating that your program meets these interoperable requirements is a proactive step in preparing for global compliance. 

Our role at BBB National Programs as a third-party provider of privacy certifications, assessments, and independent dispute resolution is to help companies confidently demonstrate that their privacy practices are built upon the principles that form the building blocks for global privacy standards.  

We can help make privacy achievable and accountable for businesses of all sizes. Reach out to to get started. 
