Chief Privacy Officer at Uber
Nov 18, 2020
Ruby Zefo, Chief Privacy Officer at Uber shares why consumer brands are leading with privacy and what the CPRA means for executive teams.
Daniel Barber 0:15
Welcome to the GrailCast. Today, We’re thrilled to welcome Ruby’s Zefo, Ubers first chief privacy officer and associate General Counsel for privacy and cyber security. Welcome, Ruby.
Ruby Zefo 0:26
Thank you. I’m glad to be here.
Daniel Barber 0:28
Yeah, as we talked about, you’ve had quite the career in privacy. And so maybe you want to just get started with a bit of a brief introduction, then we can get right into it.
Ruby Zefo 0:37
Certainly, this was a journey. It was not a direct path. It wasn’t even a thing when I graduated from law school. So, and I and I worked at Sun Microsystems when our CEO made his famous statement that you have zero privacy anyway, get over it. And sure, I know, I know. And shortly thereafter, I hired somebody to help me with IP, and marketing legal work, who really took an interest in it. And I said, wow, you know, that’s great. And I support you just, you know, I don’t know how much traction you’ll get. And then later on, I had quit, and she became the first CTO for sun. So it’s a journey for everybody. And I had probably switched my legal career up about eight different times, and was looking for something new to do at all times pretty much, which is usually an overlapping wave.
You know, you never really get rid of anything for a long time before you pick something up, that are very b2b business was turning into a very b2c business. And we had some things that had pretty significant privacy challenges. We had acquired McAfee, the software security company, we had a wearables band, we had a set top box we were developing to curate your own media streaming, which, of course, is very popular today, but was ahead of its time, then, but it had a camera on it, which worried people, right, so in your living room, so I was basically dropped, kicked into it just very abruptly, and also told to asked to pick up cyber security at the same time, which was great, you know, having both the cyber security and the privacy legal role was extremely helpful to get the bigger picture. And so that’s what I did.
And it was very challenging. It took me probably about a year and I feel like my feet were firmly on the ground. And I still had some of my old job at the same time. But once you know, I was in the audience at a conference and I and I had already understood everything that the person said on the stage, I thought, okay, now I’m ready to go out and start teaching other people. And so that’s what I did. And it was, it was great. But you have to stay on your toes all the time. Doesn’t matter how long you’ve been in this field, which is why it’s so great for newcomers, you have got to stay on top of what’s happening around the globe if you’re multinational at all times. And it’s just a daily challenge.
Daniel Barber 2:45
You know, as a follow up to that, that career path was the chosen one right at some point in time, even when it wasn’t cool. Right. And we were, you know,
Ruby Zefo 2:53
wait a minute, wait a minute wasn’t cool. The impertinence?
Daniel Barber 3:01
You were ahead of the curve
Ruby Zefo 3:02
no one told me.
Daniel Barber 3:06
Yeah, yeah. I mean, I think you’re ahead of the curve in that area, right. And there was probably a choice and and maybe a conscious decision that you said, Okay, this is the path I’m going to take. What sort of led you to that path?
Ruby Zefo 3:19
Well, honestly, I mean, it was a business need and my desire to keep learning. I mean, if you asked me what will keep a person valuable through a lengthy career, it’s your desire and ability to learn new things quickly. And so all these things I’ve learned over time, which is a weird a ray, I’ll crop up in ways I could never have anticipated that helped me understand some other picture now and I and I can’t say in advance that that will happen.
I just, I’ve always been a person to leap in and, and help wherever help is needed. And so in this one, a lot of help was needed. I practically overnight, I was told to build a global legal team to be able to handle this new set of challenges immediately on the horizon. And the more you do, the more you learn, and the more you get to shape what happens next and be helpful. And that’s what I wanted to do.
That’s awesome. Given what you’ve seen thus far, what do you think has been a surprise as we sort of gone through, you know, perhaps the GDPR experience and the ccpa experience? And what do you think is surprised you along the way? Well, I do think that the rapid change, which when it finally came, which I really think GDPR was probably the biggest instigator of things then happening pretty rapidly afterward. That was surprising. And that was due to the crazy confluence of all these other rapid changes in technology, right, massive changes in technology and big data and in our ability to process data more quickly.
All those things convened at once. And so then we needed to have different frameworks to try to manage that. And that’s happening faster than the lock and adjust to right. We don’t even know how we feel about these things. They’re logged data. So we’re like do I like it? Do I not and then we start getting used to it and we understand how to use it, you know, but the data process I think part of it is still a mystery to the average consumer and why we need to put more of that burden on companies to be good data stewards, because it’s impossible for consumers to do this for themselves.
Daniel Barber 5:10
Yeah. I mean, that’s, that’s kind of a nice segue into this next point around, how do you see consumer brands being good data stewards? Right? Because I think I agree with you companies need to take the ownership and responsibility, and we’re seeing that. But how do you see consumer brands leading with privacy, because that’s really the next frontier.
Ruby Zefo 5:30
Honestly, it’s just by embracing privacy as part of the innovation process. When I first started out working at jobs in the Silicon Valley, my whole legal career, and I’m getting a lot of Oh, you know, privacy, you know, it hampers innovation. And I’m like, that’s just baloney. You know, we had acquired a very well known new product design person from a very well known consumer products company known for its innovative designs.
And I was going into speak to his staff about this, and I did not mention the word compliance once, what I did was I use this race car analogy and how race cars filled with this whole team of people and how you need a pit crew, and on and on. And then at the end, I had this diagram of just an average guy. He’s in an open air race car, and he is having the time of his life and his cheeks are blown open from the wind, because he’s going so fast. And what you notice is he’s on a thrill ride, right? I noticed he had a five point harness on a padded steering wheel, a padded roll bar, and I’m like, he’s able to enjoy the experience, because he has these safety features built in that he knows her there.
And then he forgets about and he enjoys the ride, that was something they could understand. I said, so if you design your things with these things in mind, your products and services with privacy in mind, then people will know they’re they’re the only kind of trusted provider and they can just enjoy the experience you set up for them without worrying about it. And they actually applauded. At the end of my presentation analogy
Daniel Barber 6:55
that’s tying it back to something that people can relate to is most of what we do, right? It’s really just
Ruby Zefo 6:59
right. We think of safety as an entitlement now, right? We think of seatbelts and airbags, like you wouldn’t dream of getting into a car without it, no matter how fancy and beautiful the car is, it doesn’t ruin the design, you’d be mad if you found out you know, they weren’t in there, and you put your life at risk. So that’s the way we should be thinking about data privacy and security when we’re building things. Yeah.
Daniel Barber 7:21
So continuing on that trend. I mean, now November has arrived right there.
Ruby Zefo 7:30
Daniel Barber 7:33
But so with that, in California, at least we have CPRA. Right, right. So this is a big change. What do you think this means for the executive team, our audience of the GrailCast? Yeah.
Ruby Zefo 7:44
So well, first of all, California is economy is so big that just because you’re not in California, doesn’t mean it doesn’t impact you. And you know, much like GDPR, which is extraterritorial element. So more, this is really to me, very anticipated. It’s more on the journey of GDPR. Like, frameworks, which are never identical, but they have, they will keep having more consumer rights. It doesn’t matter if your system wasn’t set up to give those back, which none of them were because they paid back, and also more demands for accountability from companies, and so that you just buckle up, because that’s only going to keep happening, you know, then we have Brazil, you know, you’ve got all these other laws China now.
I mean, you know, major, major countries are coming up with these things. They’re amending their old laws, and then some countries are coming up with new laws. I mean, we’ll see what India does. And so they’re gonna keep moving in this direction. And we’ll see if the California Gambit will force a federal law or not, because, yeah, you know, we got to do something about that. We can’t have a bunch of states with different laws. It’s, it’s not scalable, right. But then the more states that have them, the more they dig in their heels and say, I’m not going to have some other law supersede mine. Right. So you have that problem as well. So we’ll see what happens now that we have a new regime in the White House.
Daniel Barber 9:00
Yeah. Yeah. So along those lines, right. I mean, I’m sure there are many different sources that you go to as sort of a privacy Pro. How do you how do you think about that? Where do you go to learn about privacy? What are your top three resources? Yeah, so
Ruby Zefo 9:15
first of all, let me disclose them on the IAPP board. But I can say that I have been the reason I’m on the board is because I respect the organization so much it’s and I’ve been on other industry type practice boards before in the IP world, but this one has really been a game changer. And so I can say with complete sincerity that it was one of the very first places I went and learned so much. I get the daily digest everyday and I read it, the Resource Center is very valuable. I loved the in person conferences so much because you’ve got to meet so many other cool people, but now the virtual ones at least you can get the content which is equally still as good as it always was. The local knowledge nets, the meetups, you know the job board, which I’ve been using since long before I was on Yeah, in fact, I go there myself when I’m looking for candidate So, so that’s my number one source.
But I also get a lot of other firms of fields of law firms. So they do it in different ways and be curated by one, you know, company or they may be just the law firm saying it themselves. And actual statutory language, you can’t forget that, you know, for something completely go look at the language yourself and see what it says. And then the last one, of course, is any data protection, authority guidance, because that’s very important to see where their minds are going. And even if it’s not binding, you know, that that’s where they’re going with it. And as the last shape, that’s what they’re gonna be looking for. And you want to have good relationships with them. So that’s basically my top. Make sense? Makes sense.
Daniel Barber 10:37
One last question for you the fire question of, you know, as you think about folks and try to give folks advice around their career path and their journey into privacy, you know, think back to your first few steps, right? What do you think your one piece of advice you could offer folks, as they think about that?
Ruby Zefo 10:54
Well, I would say don’t be afraid. I mean, the world now is very different than when I started out. There’s a lot of worry and concern I see in law students all the way down to high school, I went and did a chat when my daughter graduated about y’all need to calm down. This is just the beginning of a very long journey.
And your first choice will not be where you ended up. Yeah, I mean, it might, but it’s highly unlikely. So um, so don’t be afraid, guys, we’re all on the same boat. As I said, we all have to keep up, right? Even someone who’s been practicing forever has to keep up. But we’re gonna need a bigger boat. My favorite quote from jaws. So we really need more people in the field. And in terms of your first job, don’t try to only set your sights for the perfect Ceri job, you know, I thought I wanted one thing, and then within a few years found out No, I want something very different. So just be open to any job that you might enjoy. That will get you some experience, you know, because it’ll be very hard. For example, to land a perfect job in house, we need people who already have experience because we have no capability and time to do the types of training the law firms do. Right. And so that’s really hard for us.
We do have internships and stuff often. But that’s, that doesn’t mean it will lead to a full time job. So I would say be very open minded about your first job. You know, dive into it, and see if you like it. And then make your context and learn about other fields and just get as much experience doing whatever it is as you can that will help you even if you don’t stay there when you move out and try something else. So it may be a very crooked path. But you can find your way into a very good role, no matter where you start out because all of us have really diverse backgrounds. Right?
Daniel Barber 12:35
Well, this is great, Ruby. definitely enjoyed the time hope to listen to Sam as well. And so you can find the grab class on iTunes on Spotify, and keep a lookout for our next session in a couple of weeks.
Ruby Zefo 12:46
Thank you very much, Daniel.