Workshops and General Session Recap, October 18–19
As companies and their products continue to leverage data about our personal behavior and habits, implementing privacy by design has never been more important. The IAPP Privacy, Security, and Risk conference brought together a large group of privacy professionals. A few of the highlights include CCPA (California Consumer Privacy Act) sponsor Alastair Mactaggart and his speech on the need for data privacy, a presentation on the 5 steps ahead for California’s regulation, and a session discussing anonymization and breach management control for data.
In this article, we’re bringing you a recap of the leading sessions from the conference.
Session 1: How Privacy Tech is Bought and Deployed
Jennifer Couture – CPO, Alexion Pharmaceuticals
ShanShan Pa – Head of Compliance and Privacy, US and Europe, Alibaba Cloud
Chris Babel – CEO, TrustArc
Technology solutions are needed to efficiently manage and operationalize privacy, and tech companies are responding by building solutions. Data mapping and discovery both remain pain points.
Comments from the audience were interesting:
- Companies that use multiple systems to operate their business and leverage user data have difficulty tying these systems and data sets together.
- Due to each piece of technology and system being highly customizable, pieces of personal data are often in different forms and are not easily accessed throughout all systems at once. This leads to many systems not being ideal for privacy compliance.
- Data cannot be changed, deleted, or accessed with ease when serving a SAR or deletion request.
Session 2: A Win-Win Privacy Partnership with Product Teams: A PIA in Three Parts
Sarah Pipes – Manager, Global Data Privacy, Workday
Franchesca Sanabria – Principal, National Data Privacy Practice, Focal Point Data Risk
Michael Quagliato – Manager, Technology Risk and Compliance, Workday
The most important takeaways are that privacy has to be integrated into product design and development, rather than an after-the-fact review, and that privacy has to be supported from the top down.
Business-friendly PIAs (Privacy Impact Assessments) need to occur early and in parallel with the product development lifecycle. By meeting your teams where they are and engaging early, you can increase impact and lower costs and objections by preventing poor decisions rather than trying to fix them after a product has been built. Educating everyone involved on privacy and why it matters will significantly aid this process.
Another important part of privacy compliance at a company is the integration of privacy into the culture. The tone coming from executives at the company will either foster an environment where privacy is not only a priority but a corporate responsibility, or break such an environment.
Session 3: Anonymization and Pseudonymization. What is it and Why does it Matter?
Elena Elkina – Partner/Co-founder, Aleada Consulting. Co-founder/Board Member, Women in Security and Privacy (WISP)
Paul Francis – Research Director, MPI-SWS. Co-founder Aircloak GmbH
Elimu Kajunju – Senior Director, Senior Counsel, Global Privacy Office, McKesson
Bianca Zimmer – Data Analyst, fymio by TeamBank AG Nürnberg
Companies with personal data can anonymize or pseudonymize the personal data in order to make the data no longer subject to privacy regulations. Both have drawbacks that must be considered.
Anonymization is an ideal outcome but the threshold is very high. For example, you must not be able to re-identify the data, even with datasets not in your possession. Further, anonymization via various techniques such as differential privacy often leads to the data being so transformed as to be useless: No valuable information can be concluded in analysis.
When companies pseudonymize data, the dataset is often at risk of re-identification, and some countries have laws stating that this risk cannot even be as high as one percent: French authorities have determined that not even a one-percent risk of re-identification can be considered anonymization. It’s also very difficult to accurately characterize the risk of re-identification.
Session 4: The EU ePrivacy Regulation: Current Status and New Expectations for AdTech
Reed Freeman – Global Co-Chair, Cybersecurity Practice Group, WilmerHale
The EU is working on a new ePrivacy Regulation to replace the current ePrivacy Directive 2002/58/EC. The update is meant to keep pace with the evolution of technology and to more closely align with the GDPR. Like the GDPR, it is a Regulation (applying EU-wide as written) rather than a Directive, it applies extraterritorially, and it synchronizes fines to the GDPR at up to 4% of global revenues.
However, there are multiple drafts in play. The Council of the European Union, the European Parliament, and the European Commission (the bloc’s executive arm) must all agree, and current reports are that agreement is far from at hand. Mr. Freeman expects that we will not see agreement in the next 12 months.
If the current compromise proposal passes, there will be large implications for adtech. First, it seems to explicitly permit tracking walls: it is permissible for publishers to require visitors to pay either with personal data or with money. And yes, this does seem to contradict the GDPR. Second, one of the proposals being debated functionally bans third-party adtech companies, only permitting first-party adtech companies to get consent. This would be a very odd position for the EU to take, as it would essentially grant a monopoly on advertising to Facebook, Google, and a handful of competitors.
Session 1: Out GDPR; In CCPA; Compare and Contrast
Barbara Cosgrove – Workday Inc
Lothar Determann – Baker McKenzie
Phil Lee – Fieldfisher
While broadly similar, the CCPA and the GDPR do differ in important ways.
One of the most important differences between the GDPR and CCPA is the method of enforcement. The GDPR is enforced by the Data Protection Authorities (DPAs) of the individual EU member states, including the British ICO, while the CCPA relies on enforcement from the Attorney General.
Another major takeaway is Mr. Determann’s opinion that lobbying in Sacramento is a waste of time and money. It only costs approximately two million dollars to get a proposition on the ballot in California. Now that Alastair Mactaggart has paved the way, there are plenty of people in California who, if they don’t like changes Sacramento makes, have the money to present another proposition. Therefore, the only smart place to spend lobbying dollars is in DC, pushing for a federal privacy law that preempts California’s law, as many large tech companies are doing.
The GDPR is a Regulation (rather than a Directive), applying as written EU-wide. In contrast, the US has no omnibus privacy law. This leads to some very strange incentives. For example, certain types of medical data are covered under HIPAA. If you anonymize it, the data becomes subject to CCPA access rights.
In contrast to the GDPR, the CCPA requires subject companies to set up specific communication channels, including toll-free numbers.
A final large difference is limitations on access rights, particularly for current or former employees. While the GDPR access right has some limitations, in that it “shall not adversely affect the rights and freedoms of others”, the CCPA access right has no limitations. A panelist estimated the cost of processing a request for a terminated employee at anywhere between 10 and 40 thousand pounds.
Session 2: Top 5 Operational Impacts of CCPA
Patricia Bailin – Head of Privacy, Datavant
Brandon Kerstens – Privacy Counsel, Tinder
Rita Heims – General Counsel, Research Director, DPO, IAPP
#1 — Does the law apply?
The CCPA, unlike the GDPR, applies only to businesses for which at least one of the following applies:
- Annual gross revenues > $25 million
- Annually buy [very broadly construed] or sell [also broadly construed] PI of more than 50 thousand consumers
- Derive 50% or more of revenues from selling [broadly construed] consumers’ PI
#2 — Disclosures Required
Although the regulation only applies to California residents, relying on IP addresses to protect user privacy is not a valid solution, because people move around within the US. Companies are thus presented with some ugly choices about whether to make a separate CA site or when to alter the behavior of their US-specific site.
Mr. Kerstens, Privacy Counsel at Tinder, stated that companies cannot afford to have a coordinator performing an access request every time it is received. The process is too complex and the employee effort required to do it manually is excessive.
The fines also give the law teeth, and there doesn’t seem to be a cap on the total fine amount. This is the new world, and companies would be well advised to comply.
#3 — Access Requests
The CCPA will require companies to comply with requests in 45 days, with free access for users. The company can provide information through mail, a consumer’s account, or any electronic transmission.
#4 — Consumers’ Rights
Consumers are given rights under the CCPA to request access to their data. This form is very similar to the GDPR, and requires that companies provide access via their website or written form, and complete requests at no charge.
In addition to being able to access personal data, residents are also allowed to request that companies delete their data. This extends to any personal information the company may have stored in its database, and is only limited by information that the company must keep according to law. However, companies do have more ability to keep information, even after a deletion request, under CCPA than under GDPR.
Finally, companies cannot discriminate against users that request access or deletion of their data. This includes denying goods or services, changing prices, or providing lower quality products. This is going to be very dangerous to companies that monetize via data.
#5 Penalties and Enforcement
The Attorney General is in charge of enforcement of the CCPA at the state level and this includes ensuring companies comply with access requests and general regulation requirements.
Users and citizens are allowed to submit complaints to the Attorney General regarding non-compliance from businesses. Consumers also have a private right of action under the CCPA, though it is relatively limited.
Session 3: Consent & the Consumer, a Driving Force of the Future of Privacy in the US
Audrey Trainor – Director, Ad Notice, Evidon from Crownpeak
Lou Mastria – Executive Director, Digital Advertising Alliance
Rachel Glasser – Chief Privacy Officer, Wunderman
Ms. Glasser opened the session by suggesting businesses must adapt to consumer expectations for privacy. She not only believes that businesses need to be more sensitive, but that, “If you feel uncomfortable explaining to the public what you’re doing, it’s probably not okay.” She does feel that there is a large value exchange (services for data) that people don’t understand well: for example, Facebook and much of the internet are supported by advertising.
Both Ms. Glasser and Mr. Mastria think that the industry generally self-regulates. Mr. Mastria points out that, while the DAA can’t control companies, they do take violations seriously and aggressively pursue companies that violate the policies they agree to.
What about a national privacy law for the US?
The speakers also addressed the potential for a national privacy law, stating that if passed it would be beneficial for users throughout the country. Since data is often used for internet advertising and other business, interstate commerce can easily become a big issue for companies forced to comply with regulation in different states. California, New Jersey, and Vermont all have different definitions of personal data, and this may cause unnecessary difficulty for businesses looking to comply.