The Definitive Guide To Picking A Data Privacy Management Solution For Your Business

Privacy laws like Europe’s GDPR and California’s CCPA are on the increase around the world, but the field of privacy tech is relatively new. There are two big issues for buyers in this fast-growing market: defining their privacy requirements and evaluating those requirements against the products on offer.

Knowing where to start with a data privacy management solution can be a challenge.

In this article, we’re going to help demystify the different sorts of privacy requirements a typical privacy buyer might have, and we’re going to compare the offerings of some of the market’s leading players in relation to the requirements we’ve defined.

So, let’s take a look at how to get from:

“We just know we need a privacy tool”

All the way to:

“We have privacy requirements x, y, and z, and believe this platform is the best match for our specific needs.”

PS: We’re going to do all this keeping things as high-level as possible. While there’s plenty of time to dive into the weeds of data privacy, wrapping your head around the marketplace isn’t the time to do it. That comes later!

First, Define Your Privacy Requirements

The directive often comes down from above: “We need to comply with CCPA.” A quick search shows there are plenty of platforms claiming to enable CCPA compliance. How to choose between them?

An informed decision can only be made by understanding the exact requirements that laws like CCPA place on a business. Essentially, those can be broken down into three buckets:

  1. Fulfill privacy requests from users for Data Access or Data Erasure
  2. Implement consent preferences of users across business systems, most notably Opt-Outs from the sale of personal information
  3. Though not explicitly required by the CCPA, building a data inventory or “data map” is the best, and possibly only, way to accomplish the two points above.

In other words, privacy request fulfillment, consent management, and data mapping are three core requirements for complying with the CCPA. Here’s what’s important: Not all companies will choose third-party platforms to handle all of these separate requirements.

Understanding which elements of compliance will be handled internally and which may require licensing an outside platform – and how those workflows will integrate – is key to understanding your business’s requirements when shopping in the privacy vendor marketplace.

We’ll proceed assuming that you have clearly defined your set of requirements. Armed with this new certainty, you’re ready to begin shopping. Below, we provide an overview of five of the top Data Privacy Management platforms. Let’s see how they stack up!

Osano

First, we look at Osano. They’re a well-known privacy management solution that was founded in 2018. Osano are best known for their cookie banner tool. Anyone who has seen a GDPR cookie notice upon landing on a webpage is familiar with this experience. However, they also offer more comprehensive solutions for complying with privacy laws: Consent Management, Subject Rights Management, and plenty of auxiliary support in the form of Vendor Assessments and alerts for breaking news in the world of privacy law.

Pros
  • Cookie Consent tool is simple to set up and widely in use.
  • Pricing is transparent and affordable.
  • Auxiliary support around laws and vendors may be useful to privacy newcomers.

Cons
  • There is ongoing debate as to whether a cookie tool is sufficient to satisfy the CCPA’s requirements for data sales – expect next year’s CPRA to help provide more clarity.
  • Osano’s approach to fulfilling privacy rights requests stops short of being an automated solution in that it doesn’t integrate into actual business systems to execute the access or erasure of data for a privacy request. Compliance teams seeking to ease workloads may prefer a more hands-off approach.

OneTrust

Next, we come to OneTrust. OneTrust is the leading example of the “first-gen” data privacy compliance solutions. Headquartered in Atlanta, the company has enjoyed rapid growth since its founding. OneTrust has been able to scale quickly due to its positioning as a “one-stop-shop” for privacy compliance. Indeed, its platform is notably comprehensive – this brings pros and cons.

Pros
  • The platform is robust, with functionality for most aspects of privacy compliance. In particular, OneTrust offers strong support for the audit and documentation aspect of ongoing privacy management.
  • OneTrust has a proven range of products for improving workflows in large organizations.

Cons
  • As a “first-gen” privacy solution, OneTrust’s product places emphasis on process-building rather than automation. This is useful for very large teams, but SMBs and scale-ups seeking to simplify and quickly scale their privacy ops may find the product not best-suited to their use case.
  • Onboarding with OneTrust’s product takes time and considerable training. Teams wanting to make the most of this product will have to rely on internal product whizzes to get best results.

Ethyca

Hi! It’s us. Ethyca’s a next-gen privacy platform that aims to provide comprehensive privacy management capabilities without costing teams undue time or money. We rely more heavily on automation than other providers in the privacy management space.

This means that once an Ethyca control panel has been fully configured – in other words, integrated with the SaaS and first-party data platforms in a business using pre-built data integrations – consumers can execute privacy requests with no incremental time (or cost) needed.

Furthermore, this approach speeds up the time it takes to map business data systems in the first place. Once a list of systems is compiled, Ethyca is able to automatically generate a data flow map that documents the types of PII that live in a system, and the ways that different types of PII are used – in full compliance with GDPR Article 30 requirements. Ethyca’s data mapping tools are also perfect for businesses looking to comply with the CCPA.

This “Self-Service” privacy model was brought to market in 2020 and has been embraced by mid-sized companies, direct-to-consumer brands, and fast-growing tech scale-ups as the most efficient way to make their privacy headaches go away.

Pros
  • Having the highest degree of process automation allows small teams to manage large volumes of privacy rights fulfillment with no incremental time or cost.
  • Only vendor to automate data retrieval from “non-SaaS” proprietary data sources like AWS, PostgreSQL, and RedShift.
  • Deep integration with business tech stack allows teams to solve privacy management “at the source.”
  • Onboarding time is minimized due to a library of pre-built data integrations.
  • Pricing is tiered with a range of products to suit businesses of all sizes.
  • Data Mapping functionality is “plug-and-play.”

Cons
  • Ethyca is firmly in the realm of SaaS products, so it doesn’t offer ongoing consultative services to support, say, breaking legal developments. However, the product itself is consistently updated to accommodate new requirements from laws around the globe.

TrustArc

TrustArc used to be called TRUSTe, and is a longstanding player in the privacy space. It was founded as a non-profit organization in 1997 and was known for its certification programs around Europe’s Safe Harbor. Nowadays, TrustArc offers a range of privacy compliance functions, and is best known for its consent preference manager.

Pros
  • Longstanding player in the privacy space and has built up a wealth of institutional knowledge of privacy regulations.
  • Much like Osano, TrustArc’s consent preference tool is in wide use across a wide customer base.

Cons
  • Beyond consent management, TrustArc does not automate the retrieval, delivery, or erasure of data across business systems for privacy right fulfillment. In other words, it can help teams build better workflows around privacy rights, but it cannot do the heavy lifting for them.

DataGrail

Lastly, we’ll take a look at DataGrail. DataGrail emerged relatively recently as a player in the privacy space. Its product uses pre-built data integrations to take the pain out of day-to-day privacy management. What’s more, the company has made steady progress on expanding their integration offerings to become one of the more robust libraries in the privacy tech category.

Pros
  • Falls further towards the automation end of the privacy spectrum than other companies on this list apart from Ethyca.
  • List of integrations is also strong, and it’s been praised for building integrations for customers when they don’t already exist.

Cons
  • While DataGrail has strong integration offerings for off-the-shelf SaaS products, their system has trouble integrating with proprietary databases.
  • As such, fully onboarding can be a lengthy process and comprehensive automated compliance with laws like CCPA is elusive.
  • Additionally, privacy rights requests are processed in cooperation with an external support team, which can lead to workflow challenges.

Conclusion

It should be clear from the above that there are plenty of options available to buyers in the privacy management market. The right choice for your business will depend on the specific needs of your business.
In other words, do you simply want a cookie banner tool for basic consent tracking? Do you want a robust workflow solution for filing all the necessary paperwork? Or do you want an automated solution that can do the hard work of data mapping and rights fulfillment? No matter your needs, we hope this article has enhanced your comprehension of the privacy management vendor landscape.

And if you’d like to speak to a privacy pro about your specific situation, why not book fifteen minutes with a member of our team to talk through your needs?
