
OfferUp is the largest local consumer-to-consumer marketplace. Founded in 2011, the mobile app-based marketplace connects buyers to sellers in their area. OfferUp differentiates itself from other online marketplaces by its focus on building trust, and its modern, user-friendly interface.
Shannon Doniere, Associate General Counsel at OfferUp, was tapped to lead the company's privacy initiative. The startup had some privacy functions in place when she arrived, but the wave of U.S. state privacy laws that began proliferating after the CCPA nudged OfferUp to assign responsibility for privacy writ large. Her number one priority would be to build a comprehensive program that could cope with the uncertain landscape moving forward.
"Each group, each engineering group, and product group has to answer the questions for themselves and go through our list of vendors. Who are we sharing with? Are we doing this, are we doing that? And it's a lot of time on our teams that would otherwise be used towards whatever they planned for that sprint to get done."
— Shannon Doniere / Associate General Counsel
THE CHALLENGE
A reactionary program with no automation
- No automation, fully manual processes
The existing privacy program was reactionary, built around CCPA requirements with no tooling to scale. There was no single source of truth mapping OfferUp's data flows, uses, and partners.
- Repetitive, manual assessments
Without a central data catalog, each engineering and product group had to manually answer third-party questionnaires (like Facebook's data privacy assessment) over and over again every review cycle.
- Real business impact from privacy gaps
An app store erroneously rejected an iteration of OfferUp's app, citing discrepancies between practices and its privacy policy. While it turned out to be a reviewer mistake, the rollout was delayed and investigating the issue took up an entire sprint.
"CCPA had already obviously been around for a couple of years at that point. So there was a baseline program, but it was very reactionary. It was kind of like, 'Okay, this law exists. We need to build something around that.' That's pretty much the platform that I had. There was no automation."
— Shannon Doniere / Associate General Counsel
"We couldn't launch the newest version of our app. And that's a huge blocker for a team to not be able to get that out. So that was a big derail."
— Shannon Doniere / Associate General Counsel
Since Doniere would be serving as the head of privacy compliance without support staff, she knew she needed to find a tool to help her scale, to establish a single source of truth for data flows, and to automate the processes that she could.
THE SOLUTION
Getting privacy in front of the folks building the products
OfferUp is an engineering-forward company focused on building product. Doniere recognized that privacy, as an entire function, had to shift from being an afterthought to working alongside product teams proactively.
What OfferUp needed
Cross-functional collaboration
Enable OfferUp's legal team to work seamlessly across multiple roles with privacy, engineering, and product teams.
A single source of truth
One central place for privacy policies, data flows, vendor information, and regulatory compliance.
Automation to scale a solo team
A tool that could aggregate data and generate assessments automatically, replacing manual, repetitive work.
"I really liked the idea of getting privacy in front of the folks building the products and getting that thinking in early, just as an automation, time-saving piece. Being able to just aggregate that information that we have in there to spit out assessments — it's brilliant! We have a single source of truth for infosec, privacy, and vendors."
— Shannon Doniere / Associate General Counsel
Why OfferUp chose TerraTrue
Doniere talked to other counsel and privacy professionals who had implemented privacy tools. TerraTrue stood out because it fit OfferUp's engineering-forward culture and could serve as a living, adaptable system as the privacy landscape continued to change.
"There are a lot of products out there. And I talked to other counsel and privacy professionals who had implemented privacy tools, and TerraTrue really fit the product that we have and what we're doing."
— Shannon Doniere / Associate General Counsel
"We all understand that it is a living document. Because the privacy landscape continues to change, and we don't know today what it's going to look like in October, December, or 2024, because a bunch of other states are working on privacy."
— Shannon Doniere / Associate General Counsel
THE RESULTS
A single source of truth, early visibility, and product confidence
Streamlined reviews
OfferUp can now resolve privacy questions with a simple query instead of digging through code or documentation. The company can immediately report on data practices and policies.
Privacy embedded in product
TerraTrue embeds Doniere with product and engineering, granting early visibility on all product or feature blueprints. Nothing comes as a surprise at sprint demos.
Increased confidence
TerraTrue gives OfferUp more confidence in their product and its use, positioning privacy as a market differentiator rather than a bottleneck.
"Nobody wants to be in the seat of holding up a new product launch. Because in the 24 hours before a launch, somebody thinks to run it by legal or privacy, or, worse, rolls it out and then finds out, 'Oh, we have to retool.' The sooner you can get into that loop, the better."
— Shannon Doniere / Associate General Counsel
"Using TerraTrue gives us more confidence for our product. It gives more confidence in the use of the product as well. It will become a differentiator in how we decide to signal that out in the marketplace."
— Shannon Doniere / Associate General Counsel
KEY TAKEAWAYS
Lessons for solo privacy leads and small teams
- A one-person privacy team can scale with the right tooling. Automation replaces the headcount you don't have.
- Get privacy in front of product teams early. Shifting from reactive to proactive prevents last-minute scrambles and launch delays.
- Establish a single source of truth for data flows. Without one, every third-party assessment becomes a manual, team-wide exercise.
- Choose a tool that fits your company's engineering culture. Adoption depends on the platform working with how your teams already operate.
- Treat your privacy program as a living system. The regulatory landscape changes constantly, and your tooling should adapt with it.

