close
close
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

View Webinar

Thank you for your interest!

Please click below to view the on-demand webinar.

View Webinar

Staying ahead of these changes isn’t just a legal requirement—it’s a strategic advantage. Adapting your business practices to meet these ever-changing regulations will position you for success in 2025 and beyond.

So, how can you stay ahead in a world where data privacy is rapidly transforming?

Watch this on-demand webinar to learn:

  • What you need to know about the new data privacy laws in Delaware, Iowa, Nebraska, New Hampshire, and New Jersey going into effect in January
  • Proven strategies to stay ahead of rapidly evolving state-by-state privacy regulations
  • How fellow privacy leaders are equipping their teams to navigate January's new regulations and future changes

Panelists

headshot
Jasmine Sharma
Privacy Community Manager, DataGrail
headshot
Larry Caughlan
Associate General Counsel, Route
headshot
Audrey Kittock
Head of Privacy, Product, & IP, Benchling
headshot
Heather Wood
Head, Data Protection & Privacy Office, Outreach
headshot
Jesse Kellar
Senior Operations Manager, Legal, NETGEAR
View Transcript

Hello, and welcome, everyone. Thank you for joining us today for this important webinar on how January's 5 new privacy laws will change data privacy in 2025. 2025 is already shaping up to be a game changer for privacy regulations, and January is bringing some significant updates that will impact businesses across the country. Today, we're diving deep into the critical changes coming to state privacy laws, laws that are going into effect this January. By the end of the session, you'll have a clear understanding of the new landscape, along with practical insights from our expert panelists on how to navigate these changes smoothly.

Plus, we'll provide you with essential resources to help you all stay ahead and ensure that you are prepared for what's to come. With these 5 new state laws, we'll have a total of 15 state privacy laws in play, so this is no small matter. We know it's a lot to digest, but don't worry. We're here to guide you through it and make sure that you're ready for what's next. But before we jump in, let me go ahead and introduce myself.

I'm Jasmine Sharma, your moderator for today's session. As the privacy community manager at DataGrow, I hold a JD, and I have specialized in privacy compliance. My mission is to help raise awareness and, provide resources that enable professionals like you to just basically stay ahead of the curve. I'm so excited to be here and guide you through today's session. So let's go ahead and get right into our agenda.

So here's what we'll cover today. 1st, I'll walk you through the 5 new privacy laws that will take effect in January with an honorable mention of California's CCPA updates. Then we'll go ahead and dive into a dynamic Q and A where our experts will address top questions. You can go ahead and submit questions at any time using the q and a function at the bottom of the window. We'll either address some of your questions during the panel discussion or just respond directly to you.

After the discussion, we'll go ahead and wrap up with a few essential resources to help you prepare for all of these changes. So let's go ahead and jump right in. As we move into 2025, we're looking at the following state privacy laws going into effect starting January 1st. We have Delaware, Iowa, Nebraska, New Hampshire, and then we have New Jersey's privacy law also taking effect mid January. These new regulations are coming up very fast, and understanding their details will be essential for staying compliant and ahead of the new year.

So let's go ahead and take a closer look at what each of these laws do entail. Starting with Delaware's Personal Data Privacy Act is set to go into effect on January 1st. This is one of the strongest privacy bills in the country. While California does remain the leader, Delaware is definitely setting a high standard with its its law, especially in terms of data subject rights. Data subject rights refer to the rights individuals have over their personal data.

So as you can see here, Delaware does grant all of the following: access to data, correction of inaccuracies, deletion of personal data, the portability of data, opting out of targeted advertising, as well as the sale of your data. One unique provision in Delaware's law requires businesses to actually disclose the categories of third parties with whom they share consumer data with. This disclosure is in response to data subject requests providing consumers with more transparency about who's actually receiving their information. While this may sound similar to Oregon's Law, Delaware's approach is actually less stringent as it focuses on the actual categories of third parties rather than naming those specific entities. Another notable feature of Delaware's Law is that it does apply to nonprofits and higher education institutions.

This is an approach that is kind of rare for privacy legislation as most states actually do exempt these types of entities. However, there are some exceptions for nonprofit data, especially for organizations serving victims of sensitive crimes, so it is important to be aware of these types of nuances. So next, we'll take a look at Iowa's Consumer Data Protection Act, which will take effect on January 1st. Iowa's law takes a more business friendly approach compared to the other state privacy laws, but it does come with some limitations when it comes to data subject rights. Iowa provides standard data subject rights like the right to access, delete, and request portability of personal data.

However, it notably does not include the right to correct. This can create some challenges for consumers needing to fix errors in their information, as well as Iowa also lacks that right to opt out of targeted advertising, meaning it can be harder for consumers to prevent profiling based on their data. And then another key feature of Iowa's law is its actual response time will be longer for data subject requests. Most states require responses within 45 days. However, Iowa is actually giving businesses up to 90 days to respond.

Because of this more business friendly stance, Iowa's law is often compared to Utah's UCPA, which also has fewer consumer protections. These types of absences may raise concerns, especially for consumers facing issues like incorrect data or unwanted profiling. And then next, we'll speak on the Nebraska Data Privacy Act. So this will be effective January 1st. The Nebraska Act grants consumers rights that align with the standard provisions, access, correction, deletion, portability, as well as the right to opt out.

Nebraska lawmakers modeled the law actually after last year's Texas' data privacy law. And what's most notable here is the actual broad scope of the law. So as long as your organization is not classified as a small business, which is defined by the small business admin, it's likely subject to the law if it processes the data of Nebraskans regardless of revenue or the total number of consumers whose data that you process. This mirrors the very unique thresholds we have seen in Texas's privacy law and makes Nebraska the actual second state to set this kind of very low bar for applicability, meaning more businesses will need to comply with that law. Also, you'll see here Nebraska takes a very strong stance on dark patterns.

So you might be wondering, what are dark patterns? Dark patterns are deceptive design tactics that actually trick users into making choices they would not normally make. For example, accidentally agreeing to data collection or subscriptions. This makes Nebraska's law quite proactive when it comes to protecting consumers from such manipulative practices. And then next, we'll look at the New Hampshire privacy law, which was inspired by an earlier version of Connecticut's law.

Like the other laws we've discussed, it does give consumers important rights, like access to their data, the ability to correct it, delete it, move it, and also opt out of certain data uses. A key change actually came to the law this August. Originally, the secretary of state was supposed to create rules for privacy policies and consumer rights, but that requirement was removed. So businesses now have to comply with the law without waiting for those further instructions from the state. And what makes New Hampshire's law, actually very unique is that it does not have a revenue threshold.

So this means that more businesses, including smaller ones, will be affected by the law compared to laws in other states with higher revenue rec requirements. Even though New Hampshire has a smaller population, its law could still impact a very large range of businesses. And then lastly, let's go ahead and discuss New Jersey's Senate Bill 332, which also goes into effect on January 15th. So the consumer rights in this law are consistent with the others that we've already reviewed, access, correction, deletion, portability, and opt out. One important future of New Jersey's law is that it includes nonprofits and higher education institutions.

And unlike some other states, where these actual, you know, are usually exempt, we could actually see that this signals a broader trend in new privacy regulations moving forward as we've already kind of seen this trend, already with Delaware. And then New Jersey also joins California in treating financial account information as sensitive personal data. So this will mean businesses need to handle this type of data with extra care. And another update is how New Jersey defines biometric data. It includes, not only those traditional identifiers like fingerprints or facial recognition, but also data generated through technological analysis.

So this type of data could mean, a lot of things such as voice patterns or even unique movement patterns that can be all analyzed by technology, which definitely broadens the scope of what businesses will need to protect. Alright. So now that we've covered the 5 new laws taking effect this January, let's go ahead and shift our focus to updates in California. California does continue to lead the way in privacy regulation, and these amendments do reflect the state's commitment to definitely staying ahead of that curve. So here we'll see California has expanded the definition of personal information to include digital files, AI generated data, as well as biometric data.

Also, neural data, which is actual information derived from brain activity, has been added to the list of sensitive personal information. This is a big step addressing the growing concerns around safeguarding highly personal and emerging forms of data. And then building on these updates, California has also addressed how businesses manage privacy in specific situations like mergers and acquisitions, as well as adopting thresholds to keep pace with economic changes. So AB 1824 actually ensures businesses on or opt out requests from consumers of an acquired company, maintaining privacy rights even during those mergers and acquisitions. And then we'll see AB 3286, which gives the California Privacy Protection Agency the actual authority to adjust these certain monetary thresholds.

This type of flexibility allows the CCPA to better align the regulations with evolving market conditions. And then as we wrap up California's updates, it's clear that privacy regulations are not just evolving in one state, but are part of a broader national trend. So let's go ahead and take a moment to look ahead and explore what's coming in 2025 and beyond. So looking ahead, 2025 is going to be another busy year for privacy. Later in July, we'll see Tennessee and Minnesota roll out their privacy laws, followed by Maryland in October.

And then in 2026, we'll see 3 new laws in Rhode Island, Kentucky, as well as Indiana. With so many states creating their own privacy laws, it's so critical for businesses to stay on top of these developments and definitely be ready for what's ahead. Fortunately, we've got an expert panel here to help guide you through it all. They'll be sharing their insights on these topics we've covered so far and also offering their perspectives on navigating these new laws. So go ahead and join me in welcoming Larry, Audrey, Heather, and Jesse.

Larry, let's go ahead and start with you. If you'd please introduce yourself and share a bit about your role and background, please. Absolutely. As Jasmine says and as you can see, on your screen, my name is Larry Coughlin. I'm associate general counsel at Route.

You may have seen Route as you are checking out at various ecommerce stores. We provide, package tracking and protection as well as a slew of other services. I've been with Route for about 3 years and have built out our privacy program and structures. We've been a client of Datagrail for a couple years, and they were instrumental in helping us build that out. As as you can see, the the the landscape for privacy is expanding, and it's changing, and it's fluid.

And to to to be up to speed with with all those new changes and incoming regulations, I've I've been instrumental in in keeping up to speed with that and making sure that client my client route is, compliant with that. Yeah. Thank you so much, Larry. And let's go ahead and pass it now to Audrey. Hi, everyone.

My name is Audrey Kiddock, and I am head of product and privacy legal at a biotech r and d company called Benchling. At the heart of it, Benchling is really a SaaS platform that helps to accelerate r and d for biotech companies, enabling them to bring their products to market much faster. One of the things that I like to brag about at Venturing is that a lot of the mRNA COVID vaccines were developed using our platform. So the folks who work there, we we really drink the Kool Aid and and are stoked to support our customers doing such amazing work. At Benchling in my role, I'm really deeply focused on navigating the intersection of privacy, technology, and innovation.

I've been there for about two and a half years, a little over two and a half years, and, I built our privacy program from the ground up using Datagrail as one of our critical vendors. I also lead up our product counseling function on the legal team as well as our AI governance committee. So I'm very happy to be here. Yes. Thank you so much, Audrey, for that.

And let's go ahead and move on to Heather. Hi. My name is Heather Wood, and I am the head of, data privacy and protection at Outreach. My team oversees AI governance, privacy, everything from operations to demonstrable compliance, as well as parts of our data management program and our third party risk program. So we oversee quite a bit.

I have been here for almost 5 years, or, actually, I've been here more than 5 years. And our program, this is the 3rd program I have built from the ground up, starting at Expedia with their privacy, governance program, and then at Nordstrom and now at Outreach. And, I will say that I think one of the things that is really helpful to these programs and building them out is ensuring that you've got strong partnerships with your product design engineering folks as well as your marketing folks. Those are your baseline for your programs. And so that has been foundational for being able to build these programs up with the help of DataGrill, assisting us in making sure our data subject rights requests are actioned timely.

Thank you, Heather. And last but certainly not least, Jesse, we'd love to hear from you. Hello. My name is Jesse Keller, and I'm the senior operations manager in the legal department at NETGEAR. We make, home SMB and AV networking gear.

I just crossed 2 months here. Before that, I was at Life 360 and Tile, where we also use Datagrill. I spent the last 5 years helping these companies navigate and operationalize privacy. I'm excited to share some of the insights I've learned throughout my experiences. Awesome.

Thank you to all of our panelists for these introductions. Each of you brings such unique insights into the privacy challenges and opportunities ahead. So now let's go ahead and, the moment we've been waiting for. Let's jump into some of these key questions that we've prepared to dive deeper into these new privacy laws and their impact. To start us off, I would like to ask, as we approach the January 1st deadline, what are the most critical steps privacy teams should take to ensure compliance with the new state privacy laws?

I'm happy to take that one. We utilize a number of, different tools and technologies to assess our privacy programs. So the first thing that we always look at is what is the requirement of the new law, and where do we already have that covered? Are there any gaps in what it is that we are already doing versus what it is that we're looking at from this newly implemented legislation? And so I think that's usually the first thing to set you up for success is understanding what the requirements are, what you're already doing to cover that off, and knowing where your gaps are.

And just to tag on to what Heather was saying, which is totally spot on. Even before I do that, I really assess if my company is even in scope. So a lot of these state privacy laws have requirements on revenue thresholds, on data processing volumes. Some of them speak about revenue from data sales, and then a lot of them have exemptions for smaller entities or already regulated types of data such as HIPAA or GLBA. So step 1 for me is to ask, am I in scope for this law?

And if I'm not in scope, I clearly document all of the reasons why I'm not in scope. So if a regulator ever comes to me, I have a spreadsheet to hand them to demonstrate exactly why. But, definitely, what Heather said is spot on and would be my step number 2. Yeah. I don't think I could say anything different from from Audrey or Heather.

I would just say take an audit of your current processes and look for any gaps, between what you currently have in place and what the new regulations are and begin taking steps to making those changes and making sure you fill those gaps so that you're ready to go when when the new regulations launch. Alright. Those are all amazing points. And as we see, privacy teams, you know, prepare for all these changes. It's very clear that staying on top of all these evolving regulations is definitely a challenge for everyone.

So let's go ahead and move to our next question. With nearly 20 state privacy laws in play, how do privacy teams stay on top of these changes, and how does managing this type of patchwork of regulations impact day to day operations? Happy to take that one as well. So one of the things that we have actually set up is an RSS feed into our Slack instance to get notification, from very specific sources around what is it that might be impacting us both from a privacy perspective, but also from a security perspective. Because we all know that while we have specific focus areas, those 2 are very heavily intertwined.

And so we're always looking at where there are things that are being published, that allow for us to have a greater understanding. So I would say that that's probably one of the things that we do to keep up. There's, obviously a laundry list, but, I can I can pass it off to the rest of the panelists to see what their thoughts are? I love that idea, Heather. And I might hang you outside of this just to figure out exactly how you're doing that because I really like that idea.

The ways that I stay up to date, I I lean really heavily on IAPP. I think it's such an amazing organization, and I subscribe to all of their specific email updates, which keeps me abreast of all of the privacy laws that are coming out and the privacy laws that are changing. There are also privacy folks that I follow on LinkedIn, which are really helpful. I lean on Datagrail's Slack channel, which I think is a great resource, and is always posting content about emerging privacy regulations. Similarly, there is, another privacy expert Slack group that, basically just has many, many different privacy folks in the industry who are chatting about all of their challenges and struggles and what they're finding to be helpful.

And I think that's just a great way to chat with other folks in the community because so many of us are going through the same things. So really finding a network of people who can noodle around on these ideas with you and, help you work through, the the best solutions to our shared problems. I I know we all don't need another newsletter, but in this case, I'd rather have more than less. And so just like what Otter said it with IAPP, also with Datagrill, and then there are several, outside law firms that focus on privacy, so there are newsletters. So we're constantly getting just a continual flow of information, and then that circulated internally on our teams.

We don't have a dedicated Slack channel yet, but we have people who talk to each other all the time. It keeps us honest and, involved. Awesome. Yeah. Those insights are really helpful.

It's so important to always have bookmark your go to resources, especially when it comes to navigating all these state privacy laws. And with that being said, let's go ahead and dive deeper into the bigger picture then. So what key trends or patterns are you noticing in the development of state privacy laws, and how should privacy teams actually adapt to these types of emerging changes? So for us, when we are looking at what these requirements are, what we're seeing is and great example here would be GDPR. Next thing we know, we've got CCPA, and CCPA was modeled after GDPR.

Obviously, there's key nuances between the 2. I think that what we're going to see over time is that a lot of these laws will actually look to align to one another based on friendliness to business, and versus, you know, how well we're protecting consumer rights. But I think that we will start to see an alignment between these laws over time. And so when you think about, you know, the patterns that we're looking at and how we should adapt to those, there's the piece around if you are looking to align to the most stringent or broadest of requirements, then you kind of by default end up covering off a lot of other requirements in the process. On top of that, I do think there's a piece of, privacy professionals kind of acting as a crystal ball.

In many ways, what we do for a living isn't just about what the legal requirements are. There's the ethical thought process around what is the impact to an individual here. And so we're starting to see emerging laws around AI. California is a great example of that. And so when we start thinking about it's from an adaptability perspective, we should also be thinking about what is the impact to individuals and how do we anticipate lawmakers are going to look at that.

I think one of the key things that we've actually seen that wasn't anticipated is the utilization of the wiretapping law from 1920 something, that is now being utilized around cookies and recorded conversations. That's not what the original intent of that law was, but it is definitely be being considered applicable. And so we as privacy professionals, I think, also from an adaptability perspective, have to be able to look at where are there things that, a, could be used, around these programs and set you know, put us in a position where we may not be compliant depending on how it goes through the court system. But also really thinking about, is this ethical? Is this something a consumer would be comfortable with if they knew that we were doing this?

Just because it's not against a regulatory or against a privacy regulation doesn't mean that we should be doing it. I think that's what we're learning around the development of these privacy laws. I so agree with everything you said, Heather, especially around aligning the most stringent regulatory requirements. I think that helps so much in getting up to speed with so many of these other emerging regulations and trying to figure out the patchwork of everything. No organization is going to be 100% in compliance with everything.

But if you're aligning to the most stringent requirements, you're you're doing pretty good. I also really loved what you said about staying abreast with new types of class actions. For example, with what's going on with the wiretapping and pen register cases that are coming up left and right. This is something I've I've really been following. And on that note, I also wanted to mention a couple other trends that I've been seeing with emerging state privacy laws, specifically around capturing, new data types like neural data and biometric data.

And I think that this new trend really highlights the need for companies to start monitoring how AI and advanced data, analytics really intersects with privacy. And we're also seeing that regulators are expanding the scope of sensitive data to include financial data and educational data. So I I imagine that for a lot of sectors, this is starting to, like, really challenge them in new operational ways. So so those those are kind of the new trends that I'm seeing. And then I I lastly just wanted to highlight and echo what Heather said about thinking whether your practices are ethical.

I think one of the best approaches we can take is to really put ourselves in the shoes of the end user, and think about how we're processing data from their perspective. I think that really goes a long way. That's one one extension on this that I really like where this conversation is going about the ethical part. So I know when I engage a lot of, privacy professionals, we talk about creating the floor for, making sure that we're compliant with as many state laws and international laws as we can. But we also extend that beyond the states that, to states that do not have, privacy laws, and it's it's it makes it easier for us to, make the submission process more general, but, also, it creates a sense of fairness for those who do not have a privacy law that they fall under.

So they are not they don't feel left out. They feel included. We think optically, it's better for us. One thing I'll say, though, is if you're gonna move to this model and it's not one you're not currently doing to make sure you involve all your internal stakeholders, You don't wanna run into someone that way, so communicate early and communicate often. Yeah.

And but to really echo what you just said, it drives customer trust. It's, oh, you don't have a law that we have to abide by, so we're not gonna do it. That really doesn't drive customer trust. Being able to say, we recognize this is your data. And even though there isn't a legal requirement for us to do it, we're gonna do it anyways.

I think really demonstrates a commitment to ensuring that people feel valued and respected. And I think that that, you know, I hate to say that, you know, doing it is something that really is great for your brand, but it is. It's not really the reason for doing it, but it does really promote your brand as being respectful of humans. And I think that that's something that we're going to continue to see be very important to consumers because we're already seeing that. If they don't feel that they're valued and respected, they don't wanna do business with you.

And the last thing I wanna say about this because I love this topic so much is that I think that at least in my case, like, I I practice privacy because I really think that privacy is a human right and that everybody deserves it. So as a privacy professional, like, fighting for that and trying to make sure that everybody has the same rights around privacy is something that really, like, motivates me to do my best work, when I when I show up. So that's the final thing I wanted to say on that. 100%. Yeah.

I agree with everything that's been said. I think there's an overarching trend, that kinda is weaved throughout all this, which is there's a trend that is allowing these regulators and legislature to they're they're leaving the door open to expand the definitions of what sensitive data or personal information really means, or who qualifies, kind of like Audrey said. This, you know, new AB 3286 allows, CCP CPBA to change what, certain thresholds there are for the the organizations that qualify. So I think the the trend of just just because we set it now doesn't mean this that's what's gonna apply next year or in 2 years or 3 years. So, just just be ready, and, these things will be updated as, as time goes on.

Yes. I can definitely agree. Those are all such great points. It's always been very clear that privacy laws are always evolving quickly, and privacy teams will always need to stay flexible and ahead of that curve. So now I wanna zoom out a bit and actually think about the future.

How do you see the role of privacy teams actually evolving within organizations? Specifically, how should privacy leaders prepare their teams for the future, and what skills or expertise will be essential for these types of professionals, to kind of just thrive in 2025 and beyond? So, I I would say the biggest thing is having an understanding of technology. A lot of the things that we are thinking about from a privacy perspective, it's not, bits that are on paper. Yes.

There are some companies that really have to worry about, privacy information on paper, on physical things, But a lot of this is technology. And when you think about why privacy rights have come about, a lot of it is because of the utilization of that data. Not just that it's stored, but how is it that we are actually utilizing this to drive consumer insights to, you know, fuel a ton of other, parts of the industry. And so I think that an understanding of technology is key. As an example, I recently brought someone on board who had zero privacy experience, has a really, really rich, technology background, but was very interested in privacy.

I'm more than happy to help train, but I really needed someone who understood how a back end works, how AI is built. And I think that there is a piece around, oftentimes in the past, privacy professionals haven't necessarily been embedded in the technology processes. And that's something that we actually strive to, have our team embedded within our engineering team and really have that strong partnership. In order to have that strong partnership, you have to be able to speak the same language. When they're telling you about how an AI model was, developed and trained, you need to have some baseline understanding.

So I think having an understanding of technology across the board, but especially around how, like, AI systems are operating or how you might be utilizing that data to drive insights and, furthermore, drive targeted marketing is going to be really key for privacy professionals to continue to grow and evolve as these laws continue to grow and evolve. Because ultimately, they are growing and evolving based on how technology is growing and evolving. And we are gonna continue to see novel technologies, over the next couple years, I think, and beyond that we're really gonna have to be able to gain an understanding of and have intelligent conversations about. So, I would say that's probably my biggest piece there. Yeah.

I couldn't agree more with what Heather said, and I specifically wanted to highlight what she was mentioning about building strong relationships with the technical teams. I think it's essential to do that early on and make sure that you have some best friends in the engineering team and the products team, especially before you start implementing a tool like Datagrail or any other privacy compliance tools that are out there. One of the one of the things that I've seen a lot of other teams and companies miss is taking the importance of those relationships into consideration before launching one of these tools and then running into a situation where they don't have the buy in. They don't have the technical, the technical headcount to actually make this stuff happen. So, yeah, I really wanted to highlight the importance of of the connections that you build with the technical folks at your company.

And and, you know, not every privacy team has a budget for a privacy engineer. And and in that case, it's even more important to to make close friends with the engineering team. Yeah. A 100%. I think one of the other things, here is also as privacy teams are looking for that buy in that Audrey, mentioned, is really about being able to establish this is actually how this benefits us and drives revenue.

Because that's another part of how you get buy in is being able to establish this is how this actually helps us make more money. This is how this drives our customer branding. And that's how you get a lot of buy in, not just from your tech teams, but also from senior leadership who may not want to give that budget until you're able to demonstrate, but look at how much more revenue we can actually drive as a resort as a result of this. And I think that's something that's really key for being able to say, I need resource, but this is how much revenue we think we can drive as a result of taking on that resource. Absolutely.

And that talk track is typically so much more conducive than the stick approach where you say, if we don't do this, we're gonna hit get hit with these regulatory fines. But really showing the ROI is is the way to go there. So I I love that, Heather. I'll just add one point as that technical resource that gets stuck between the the legal team and engineering team, which is fine by me. Happy to be there.

One thing that we also try to do is we all know that an access request is quite burdensome, but kind of figuring out what the customer, the employee, or the applicant is looking for and creating ways where they can self-service. So the example I'll give is that we found that a a large portion of our customers really only wanted one thing, but they do an entire access request. And that would spend up a ton of time internally to, to fill. And so once we establish what they were looking for and gave them an easy path to get it, it saved everyone internally a ton of time. Alright.

That was really a great point. And, also, as we heard, technical expertise, I think, paired with strong communication skills will be vital for all privacy teams going forward. And I wanted to actually mention a really great question from the chat, for our panelists here. What is the biggest concern for these, industry leaders going into 2025? Anything you wanna add here?

Wow. That one actually threw me off. I'm trying to think of, you know, going through annual planning. I would say probably the biggest concern is resource constraints. You know, we're continuing to see the economy slowly crawl, and that inevitably drives resource constraints, especially for support teams, compliance teams.

So that's probably my biggest concern. You can definitely put the carrot out there with look at the revenue that we can produce, but it doesn't give you everything that you might be hoping for in order to drive the goals that you've kind of outlined for yourself. As a leader here, I that is a concern for me. How do we accomplish the things that I have in my 3 year strategy roadmap without necessarily having the funding or the bodies to do it? And that's where you kinda get creative with your partners.

I think for me, at least what's been on my mind the most and where I haven't been able to figure out perfect solutions is around, adapting our use of AI and emerging data to all of these new regulations. Oop. Am I still here? Yeah. Sorry.

My Zoom was being weird. So there are so many difficult questions at the intersection of AI and privacy. And I'm really thinking about what is happening when personal data is going into training underlying foundational models. How do we effectuate data subject access requests? It is literally not possible from a technological standpoint right now.

You cannot remove personal data that has gone into training a foundational model without completely destroying and redoing the foundational model itself. So I've been really focused on figuring out how we're going to have to adapt, with the emergence of all of these new technologies in AI and machine learning. I think it's a very fascinating area, and so much to to grapple with. So I would say that's probably my biggest concern in 2025. Yeah.

Thank you so much for that. I think, Adri, as you mentioned, adopting and working with different departments such as engineers or working with the product managers is so important. And it's kind of related to a chat question that we got. As the leaders of your organization's privacy teams, maybe what skills or roles are on your privacy teams or maybe what you're looking forward to expanding here? I'm a privacy team of 1.

So the skills and expertise, or positions really are involving the rest of the company, like was already discussed beforehand, really being open and friendly and communicative about the importance of privacy and the emerging further importance of it and identifying system admins, to help to have them help you understand what data these systems hold, what is the data being used for. Luckily enough, I was I made friends with with somebody who's no longer with the with the organization, but they were a compliance engineer, which was absolutely perfect for what I needed when we were setting up Datagrill. And they were they they had every skill I did not, but needed in order to understand exactly how to set up, a data map and the systems that needed connecting and as well as implementing a tool like Datagrill to allow us to automate our, deletion requests. Yeah. And to to piggyback off of that, those those relationships are so key to success, especially since, to Larry's point, these individuals have a different skill set than you do.

So if you're operating as a team of 1 or 2 or strategically thinking about it, one of the things that I look at is how do I keep my team small? Because my team is considered a cost center. The development team is not. The sales team isn't. And so you're really looking at how do we create these partnerships to be allow our team to sit stay small and act as advisers within the business without creating a larger cost center, and thus being able to keep the company going in the right direction.

I will say another piece of that is also these individuals have a different skill set. So a lot of when we think about people, process, and technology, it's really about educating your partners in the business. This is why we're doing this, and I I hate to say it, but, oftentimes, the easiest route there is what's in it for me. Not what's in it for me, but when I'm looking at an engineer, I need to assist on something. What's in it for them?

How do I make sure that this request that I'm giving them actually resonates with them as something that they do wanna do because it helps them in the long run? Great example when you think of data management, which is foundational to privacy. Well, why would I want to give you a data inventory and tell you what the data dictionary is? Well, the next time you have someone come on board as a brand new individual, this actually helps you with your flywheel for onboarding them. This is how it helps you.

And oftentimes, that actually gets you assistance faster because it's not something that they're doing strictly for the program. It's something that they also get a benefit out of as well. And so a lot of those relationships that you're cultivating along the way, you can actually establish. This they were asking you to do to assist in the privacy or AI governance program actually gives you a long term benefit as well. I love that, Heather, and I I think that it is so important to, come to other teams with a sense of curiosity, and really getting to know what their main issues are, what their blockers are, and then strategically using that information in order to link the importance of privacy to what they're doing so you are making their lives easier.

You are actually helping them achieve their goals. And I feel like in the last 5 years of my practice, I've really been trying to cultivate, cultivate that curiosity and asking a lot of questions from these other teams. And, you know, not only does it give you a lot of information and data into what is important to them, what they're working on, what their biggest pain points are, it also helps build true human connection. And once you have that with them, they're going to wanna help you. So, yeah, that's something that I've really been trying to cultivate in the last 5 years, and I've been finding it very helpful.

At the end of the day, everything that we do is about human connections. Right? Totally. Whether or not you enjoy your job has a lot to do with that. And it also those connections and those relationships in and of themselves drive trust with those partnerships, which is honestly key to being able to support each other through your journeys, you know, around your goals that you've established.

Yes. I can totally agree. I think, Audrey, Heather, you mentioned, you know, kind of building this privacy team. And speaking on the privacy department as a whole and just creating this team, how do you feel that your team actually collaborates with these other departments such as IT, legal, or marketing to just achieve your privacy goals and just to stay ahead of all these, you know, vast new laws coming out? So for for my team, I would say we originally, started out reporting up through the security team.

And then after two and a half years, my team was actually shifted over to the legal team. And part of that was that relationship had been, really cultivated because strongly because we were part of that team. And we'd always had a very strong partnership with legal. But once the program was established, we really needed to keep up on legal trends. And so in many ways with privacy, privacy and their relationship to both security and legal, we all have the same goal in many ways, but from different facets of a diamond, if you will.

We're looking at it from slightly different perspectives. When it comes to the rest of the business, ultimately, we're all striving towards what the overarching goals are for the business. As an example, if you are a medium sized business and you are really shooting for bringing on enterprise customers, you're all aiming for that goal. And so it's about how it is that, the roadmaps that you have prepared for yourselves align with the roadmaps of your partners in the business. Great example.

If the privacy roadmap wasn't focused on getting towards enterprise, when we go to do privacy by design reviews, we may not be looking at it through the lens of the enterprise customer, but our pro our product team would be or vice versa. And so we have to make sure that we're aligned at those overarching company goals and able to demonstrate how this goal aligns to this overarching company goal, so does yours. How do we make sure that they align to each other, which is then completely fostered by those relationships that you've already developed? Like Larry, I am a team of 1 on paper, but I am lucky that I have another, attorney on our team who's more associate who reports up to our head of corporate and employment who gives 50% of his time to privacy work, so that's great. I really get to to lean on him, and help him learn the ropes of privacy.

And I'm also lucky that I have one of our, risk management folks that reports into security. I have about 50 percent of her time. So I do have 2 team members that help me do all the nitty gritty work in the weeds. But aside from that, the 3 of us are very serious about cultivating relationships with all of our different cross functional stakeholders. We've developed a program where we have privacy champions in all of our different x cross functional departments.

We only meet quarterly, and it's a pretty lightweight approach, but we talk about changes to the regulatory landscape. We talk about changes to the business. We talk about specific issues that they're grappling with and any sort of information that the privacy group wants to disseminate downstream to all of those different functions. And we try to keep everybody really close and working together. Another strategy that we've taken is we go pretty big for data privacy week.

We don't just do data privacy day. We do data privacy week, and we have webinars and all sorts of events and games, and happy hour. And we really use that as a really fun tool to get folks aware of privacy within the organization and, help them understand why it's important and also, yeah, make it really fun. So those are those are the strategies that I take. I'll just oh, sorry.

Go ahead. Oh, no. Go ahead, please, Jesse. Yeah. So we're a networking company.

Security is, you know, top of mind for us, and having that external, perspective of if security is important, privacy is related, they're important together, it's consistent to our our customers. It also aligns with our internal values. So making sure that we have buy in throughout the entire chain leadership down. Alright. Those are really great perspectives, and I love the idea of data privacy week.

Always a big fan of that. I do wanna wrap up now with just our final question and just gonna leave the audience here with some final thoughts. So for each of our panelists, can you share some final words of wisdom you would like to give, just kind of for privacy teams looking to stay ahead of the curve and just effectively prepare for all these future privacy challenges ahead? Yeah. I can kick this off.

I think these days, privacy is not a a reactive, obligation. It's you have to be proactive. You have to be vigilant. It's given the fluidity of everything, you have to stay on top of it. You can't wait.

If you're waiting till it hits your plate, it's probably too late. Start now. No matter where you are at and you're building out your privacy processes, I would say start now. Be consistent while you're building that out. It can seem daunting with there being so much already in play if you're just beginning, but also it can feel daunting given the the consistent flow of of new updates and and releases of different states.

It can also feel daunting if you already have something in place. I would say use all the tools that you have available to you. If you're at a at a smaller company like I am and privacy is just one part of what you're doing, you have to use those tools. To to manually do it, especially with the nuances of each state, it seems a little impossible. So, you have to, you know, find the champions around you, that can help support you to build out, the structures that you need to protect your your client and and your organization.

Educate, educate, educate. Get everyone that needs to know to understand the importance of privacy, not only today, but the importance of I mean, in a year from now, 2 years from now, 5 years from now, it's it's just gonna be a multiplier of importance. And I would say starting today and being proactive is, the most important thing you can do. I would probably say I I would boil this down to 3 points. Number 1, and really this is this is Audrey's point, but, be curious, ask questions.

You know, really understanding what your teams are doing is gonna be key to your understanding, of how your, overall program needs to evolve. So that would be point 1. Point 2 is if there is a way for you to, align your privacy program to the most stringent or broadest of requirements depending on which one you're looking at. It really does simplify things for both you, your company, your partners, everybody along the journey. And there are actually a lot of, really good reasons to support that.

So getting buy in from your organization to do that will actually simplify things not just for your own privacy program, but for the partners who have to help you enable it within the organization. And I would say the 3rd piece of advice is, and I know it sounds cliche, but Rome was not built in a day. You should never expect perfection from yourself or your program right off the bat. There's a reason that we all talk about crawl, walk, run. It might be a belly scoot, but understanding that you can't do everything at once.

And, I recognize that's it's kinda hard when you're looking at, you know, upwards of 97 work streams. But really looking at how do we triage? What is the most important thing to do? How do we get us to a baseline set of compliance first and then look at evolving that once we feel like we've gotten ourselves to at least baseline compliance? I think that that is something that's really important for privacy professionals to remember, especially coming into a business that may not actually have a privacy program built out or one that doesn't necessarily check the boxes is that just remember to give yourself a little bit of space and grace, to build things out as resources allow because, again, Rome was not built in a day and neither is your privacy program.

I like that a lot. You know, small pieces at a time. So I know a lot of people on this call, myself included, wear multiple hats. We don't get to focus on privacy all of the time, but trying to instill a bit of of privacy as a normal part of your every day or your every week so you're at least observing it, consistently, and it doesn't just come up and surprise you over and over again. Making friends in the privacy space, I have some rich conversations and some threads.

We don't talk about the nitty gritty at work, but we at least get to banter about what's coming down the pipe and where we find our challenges. And so finding your community. And then the other part is that when I've gone back and engaged with, people at, my grad school is to help feed the pipeline, make people aware of privacy, Give them all the resources and opportunities as a as a potential career path. I love everything that Heather and Larry and Jesse said and absolutely agree. I don't think I have a ton of new information to add, but I'll, you know, focus again on building strong cross functional partnerships.

Privacy definitely does not happen in a vacuum. I think it's incredibly important to ensure buying from technical product and business teams to make sure that you can implement all of these different things, and collaboration really is key to embedding privacy into all of these different workflows and achieving compliance. Again, I Heather and I have both said this multiple times now, but really staying curious, I think, is an essential way to be and also staying adaptive. Privacy is always changing. Teams are always changing.

Companies are always changing. I think it's imperative for privacy professionals to be able to adapt to those changes in a healthy way. And then I think the last thing I will add is to really focus on the privacy principles. I think that navigating the details of the patchwork of laws that we've been discussing is really critical, but I always want to ground my work in the the core privacy principles. So thinking when I'm making decisions, thinking through transparency, accountability, data minimization, fairness, you know, going back to the basics when things start to feel too complex and too overwhelming.

So, yeah, I think I think those are the the last three things I'd have to add. Yes. Thank you so much for all those thoughtful insights from everyone. Just a really big thank you to our panelists here, Larry, Audrey, Heather, and Jesse, for sharing all your invaluable expertise with us today. I'm sure everyone here walked away with a lot of fresh insights and practical advice because I know I definitely did.

So thank you again. Now before we close, I just wanna take a look at some helpful resources to ensure that you guys are all ready for what's ahead. So first, if you're interested in continuing in continuing privacy discussions and wanna stay up to date on the latest privacy news or expand your network, I do highly encourage you to join our privacy Basecamp Slack community. It's the go to space for valuable privacy insights and connections. And then also keep an eye out, on your inbox for our guide to state privacy laws.

This guide will also be a really great and essential resource for basically navigating all of those 15 state privacy laws as well as the 5 I just mentioned for today. And then for our Datagraph customers, you will automatically see the new policies reflected in your settings on December 19th. And if you like to opt out of leveraging these, please do contact the email right there, support at datagrowl. Io, before 19th. And for everyone else on the call, be sure to check your email tomorrow for instructions on how to claim your CPE credit.

I just wanna say thank you again for all of you joining us today. We truly appreciate your time and attention as we navigated through the latest updates in privacy law. And I do want to mention, that I hope you all found this, you know, session today very valuable and insightful and that you feel way more equipped to face all these privacy regulations. Once again, a huge thank you to our expert panelists, Larry, Audrey, Heather, and Jesse. You guys were amazing, and it was wonderful for you guys to share all your knowledge and perspectives.

As always, feel free to reach out or connect with us on the privacy Basecamp Slack community. And if you're not already a DataGrill customer, please do stick around for a quick poll after the webinar. We'll stay on the line, though, just to continue answering any questions that anyone has, you know, for the remainder of the chat, for the next few minutes. But in the meantime, thanks again, everyone. We really look forward to seeing you at our next event, and have a great day ahead.

Thanks. Thanks so much, everyone. Have a good one. Bye bye. Everyone.

expand_more Show all