
Meanwhile, California will begin rolling out Delete Act requirements for data brokers, and states across the country continue to evaluate new laws on data privacy and AI governance. With over 20 unique privacy laws now enforced in the U.S. alone, the nature of privacy management has changed.

Join our expert panel to unpack what’s next for privacy in 2026 and beyond.

You’ll learn:

  • What’s changing in the U.S. privacy landscape
  • How real privacy teams are adapting their programs to keep pace
  • Tactics to stay ahead of risk, not just respond to it

Speakers

  • Hannah Poteat, former Assistant General Counsel, LTK
  • Jordan Smith, former Vice President of Privacy Compliance & Government Affairs, Peloton Interactive
  • Ian Phippen, Senior Manager, DataGrail

Transcript

Ian Phippen: Great. So, welcome everyone to How to Prepare for January 2026's New State Privacy Laws. If you're feeling a bit of déjà vu, you are not alone. We were here last year for January 2025's five new state privacy laws. We do have three state privacy laws we're going to talk about today, but we'll also get into some other laws going into effect in January, including amendments to state privacy laws. So, gear up, we've got a lot to go through. I'm very excited to dig in. One thing I want to be very transparent about before we get in is that this webinar is not going to be exhaustive. We're not going to tell you everything about every single law. It's not customized legal advice. I still encourage you to review the laws with your counsel, determine your response, and you can also see more information about each of the laws that we'll discuss on our website as well. So, back up a second.

Ian Phippen: Hi, my name is Ian. I'll be hosting you at the webinar today. We're going to talk to a couple of guests, but you might find me familiar. I work in Privacy Base Camp, our community space of around 1,600 privacy professionals from around the world. So, I've been collecting your questions, your thoughts about each of these laws, and I'll be posing those to the guests I'm going to introduce you to in just a moment.

Ian Phippen: A little bit about our format here. At this point, I'm not going to be keeping a close eye on the chat. We've gathered a lot of questions already, but I will take a look a little bit later to go through any Q&A.

Ian Phippen: We're going to get into talking about our guests. We're going to look at the three state privacy laws that are going into effect in Kentucky, Indiana, and Rhode Island. We're going to discuss the California Delete Act. We're also going to discuss some amendments happening in California, as well as a couple of other related amendments in other states. And then we're going to zoom out and say, okay, if we pull back from all of these acronyms, what is the big picture? What does this really look like? What is changing for the privacy manager or the chief privacy officer today, and how do they need to approach things?

Ian Phippen: But before I go any further, let me introduce you to… oh, excuse me, that's our agenda. Let me introduce you to our guests. Jordan and Hannah, would you like to introduce yourselves?

Jordan Smith: Go ahead, Hannah.

Jordan Smith: Okay, I'll go first. My name is Jordan Smith. I'm happy to be here today. If you're in the Northeast, we were just talking about how cold it is, so if you're anywhere warm, I am very jealous. I have been working in privacy for the past 15 plus, probably closer to 20 years. I didn't have as much gray when I started, and now, with everything going on, I have even more. And I've been generally building, creating, and working with privacy and privacy teams across, you know, highly technical digital companies that are publicly traded to startups, and anywhere from apps to websites to marketing across the board, from fitness and health to financial. So, it's really exciting to be here today because we, I think, are now, you know, kind of getting into an area where privacy amendments are now starting to come into force, and new state privacy laws are coming into force as well, and so I think we are going to a state of operationalizing, right? How do we operationalize? How do we move this forward from a privacy program standpoint? How do we get these things in place, and how do we work with our product and engineering teams to make this a consistent day-to-day action? Because if we don't, we're gonna have issues, and we won't be dealing with violations and not dealing with the everyday risk that we should be dealing with.

Jordan Smith: I will hand it over now to Hannah.

Hannah Poteat: Hi, Jordan, I completely agree with you. Hi, my name is Hannah Poteat. I also have been in privacy for way too long. I have been working in privacy as an attorney for 14 years, and before that, I had a career in information security for 14 years before I went to law school. So, I know privacy from the technical side, as well as from the legal side. And this actually comes in really handy right now, as we're about to look at things like the cybersecurity audit requirements coming out of California. There are a lot of changes going on. It's funny because I think anyone who's been in privacy for a minute keeps saying, oh gosh, this year is so turbulent, this year is so crazy, but it's gonna settle down next year. It's gonna get better. It never does. It really never does, and it's not gonna. So, buckle up. Let's talk about what's happening next year.

Ian Phippen: Thank you both, and although I promised not to look at the chat, I did take a peek, and Jordan, we do have some people to be jealous of, just to warn you, we've got some warm weather attendees.

Ian Phippen: So, going right in, we'll start with the three state laws. I'm gonna give you all in the audience a couple of basic pointers about each of these new state laws, and then I'm gonna invite Hannah and Jordan back to discuss a little bit about what we're seeing overall.

Ian Phippen: So, let's start with Rhode Island. The most important thing to know about Rhode Island, in addition to the fact that in all three of these states you're going to see access, portability, correction, deletion, and opt-out rights, is that in the case of Rhode Island there are high penalties, and there is also no cure period and a pretty low revenue threshold. So, what's relevant there is that there are likely some smaller businesses this is going to be relevant for who might not have been thinking about privacy as seriously in the past, and really need to start at this point. It's also relevant to note that there are some additional requirements for your privacy policy notices here, specifically for commercial websites and ISPs. There are no exceptions to those. But overall, what we're seeing for the most part in this law is pretty standard. There is one little caveat I will give to that as well, which is that controllers are required to disclose both their current and potential third-party recipients of personally identifiable information.

Ian Phippen: In Kentucky's case, a little bit different here. So, for Kentucky, we are seeing a cure period, and there's no sunset date on that at all. The rest of Kentucky is pretty similar to what we're seeing elsewhere, including a very literal definition of sale, unlike what we've seen in California.

Ian Phippen: And then lastly, if we look at Indiana, there are some small quirks to this law. So, first, access requests are permitted to be resolved through a representative summary instead of a full copy of that individual's results. And another piece I would highlight for you here is that consumers cannot revoke consent once they have given it, technically, according to the Indiana Consumer Data Protection Act. And overall, although you are seeing that there's no revenue threshold at all in this law, there are above-average exemptions, so even if you are technically within the revenue threshold, you might actually be off the hook in a different way.

Ian Phippen: So, taking a look, zooming backwards, at all three of these laws, what we're seeing overall is that they're relatively lightweight. They might be considered more business-friendly than some other laws, but if we look at the total impact across all 20-plus state privacy laws we have now, right around 30% of Americans are under some form of comprehensive privacy law. So, as we add up all these fines, cure periods aside, that number does get larger and larger. And we do continue to see some variance between individual state laws. So, with these things in mind, I'm going to back up here and invite Jordan and Hannah back. First of all, are any of these laws similar, from your perspective, to a law that we already have in effect today?

Hannah Poteat: I'll dive in on that. Oh, sorry, were you asking Jordan or me?

Ian Phippen: Go ahead.

Jordan Smith: Go ahead.

Hannah Poteat: Cool. They're all sort of Virginia-style laws. And that's, you know, that's been kind of the theme that we've seen in these sort of lightweight, business-friendly laws. And that's what we've kind of gotten used to: the Virginia-style law with a few tweaks. And that's allowed privacy professionals to sort of build these programs that target sort of a common denominator of, here are the rights that state privacy laws generally require, and then we'll look at the anomalies. We'll patch here and there for this state, this state, this state, as required. But even though these are actually pretty lightweight, what we're starting to see is kind of a tipping point where that approach isn't working anymore. Jordan?

Jordan Smith: Yeah, no, I'm gonna bring out some, you know, from an operational standpoint, some of the things that I see. You know, looking at Rhode Island, they have the nice little tweak of, you know, you have to put in your notice who you sell to, but it's also who you may sell to. So, that really kind of throws a wrench in everything, because you have to then think about all the different types of trackers that you might have that, you know, change all the time, vendors that come on all the time. You have to continually think about those things, and that causes, you know, some heartache, right? Because you're trying to deal with all this, and you want to try to do as much as you can, but the "may sell" is a difficult one, and those are some of the tweaks that make it hard, you know, as everyone tries to… we talk about trying to standardize. Well, that's one of those that it's hard to standardize. It's hard to do that. You know, and then I think also, and this might be getting into some other questions that others might have, is, you know, are some people just going to do the lower left of some of those states? And I think they are, if you're in just that state, right? But if you're not, am I gonna do just the summary? Probably not, because I'm already doing it across the country for other states, right? So I'm not going to do the summary. I think, you know, from a privacy standpoint, operational standpoint, you have to look at those things and decide, what can I standardize, and what shouldn't I standardize, because I can't from a business perspective.

Ian Phippen: That makes complete sense. If you were, say, a chief privacy officer trying to assemble an update for the executive team about these new laws, about what's going into effect in January, and we'll put aside the rest of today's conversation for now, what do you think executive leaders really need to make sure the C-suite understands about the new regulation?

Hannah Poteat: For me, I think the biggest thing I'm going to point out is the much lower threshold, or the much lower number to hit the threshold, in Rhode Island. If we're not already taking a holistic approach and just giving data rights to everyone, then we need to start considering it. Because otherwise we need to start counting users to see if we hit that threshold in Rhode Island, if we hit those thresholds in Kentucky and Indiana, and as more state laws come online, we're going to need to start providing these rights to users pretty much across the board. And also, the thing that I'm going to highlight is the lack of a cure period in Rhode Island. That's, you know, we can't afford to, you know, screw this up and then catch up. We need to be right on it.

Jordan Smith: Yeah, I'm gonna 100% agree with everything Hannah said, and then I'm a big metrics guy, and I think your business leaders understand, from the business perspective, what fines can do, what you need in order to make yourself compliant. So if you need third-party tools, those types of things, I think those are the things you need to also bring into the conversation, and then think of the long game. We can't anymore just think of this month, or this quarter, or even this year. You have to start thinking about where it is going, right? Like, you know, something like, might add up my health, we know that wasn't going to be the only state that had health laws, right? We have to start thinking, okay, do we need to start thinking about this holistically, because other states are going to start to have it.

Ian Phippen: Right, and you're gonna…

Hannah Poteat: Last one.

Hannah Poteat: Today.

Jordan Smith: Today, yes.

Hannah Poteat: Yes.

Ian Phippen: I have not prepared a slide on that, just to make sure everyone is aware. But even if Kentucky and Indiana do have a cure period, we also have other states whose cure periods are ending, right? So, even Rhode Island aside, to your point earlier, Hannah, if you're doing this for some states, be prepared to do it for all at some point.

Ian Phippen: I'm gonna transition us to discussing the DELETE Act next, but we are going to circle back and return to the state laws again at the end of our conversation. So, as we mentioned in the chat, folks, feel free to put some questions in our Q&A. We'll circle back there soon. But let's talk about the DELETE Act, because I know this is a very big topic this year. I would say I'm seeing more chatter about this from privacy teams than I am about Kentucky, Indiana, or Rhode Island. It will affect, potentially, a lot more of us than we might have cared to admit.

Ian Phippen: But starting off, essentially, the DELETE Act applies to data brokers in California, and what's important about that is that California defines data brokers a little differently. It's not just about if you are selling personally identifiable information; it could also be sharing that information. So, if you are leveraging pixels, third-party trackers, things like that, and you permit secondary use, that could qualify you as a data broker in the state of California, and CalPrivacy has been very open that they're going to look at folks who have failed to register that are considered data brokers under California state law. So, really take some time to evaluate your marketing practices and whether the DELETE Act applies to you, even if you don't think of yourself as in the data broker business. We will share out a full resource with kind of a step-by-step guide to understanding whether or not you're a data broker. This particular graphic I have to credit some members of our Privacy Basecamp community, Dwight Turner and Kenneth Fibnalli, with helping us to create, but you can also scan the QR code there to jump right in if you don't want to wait for us to send that follow-up.

Ian Phippen: A little bit about what is required in the DELETE Act itself. So, this law was passed back in 2023. There have already been data broker registration and public disclosure requirements since 2024. We have seen, like I mentioned, some cases of enforcement on those requirements already come up. What is going into effect in January 2026 is two things. One, that registration period is open again, so if you are a data broker, you are expected to register within the month of January. And two, consumers in California can begin submitting their DROP requests, or their requests to this consolidated space where a consumer can submit one request, and all data brokers, or all data brokers of their choosing, are expected to process that deletion and opt-out request. That does not mean that, effective, you know, in a few weeks here, data brokers need to process requests from DROP. That will actually take place in August, after a couple of other things come to process. So, CalPrivacy is working on an API feed for DROP right now. We're expecting to hear a little bit more about that in the spring, but there are no requirements other than registration in January, even though consumers can begin submitting these requests.

Ian Phippen: This also won't be the last time we're talking about the DELETE Act. We'll likely bring this back up again in 2028, when the auditing requirements begin. So, once again, just a quick flash of looking this over. When we understand the DELETE Act, essentially what this means is that, again, you will be expected to respond to requests that you receive through DROP as if they're from an authorized agent. So, this is a bulk management experience, and it's also a major transparency experience. So…

Ian Phippen: Pulling back to Jordan and Hannah here, I want to ask, when you look at those requirements for data brokers, do you think that anybody's maybe changing their business practices to avoid having to comply with DELETE? Or are people going to start registering in droves? What does that look like?

Jordan Smith: I think you're going to get both, right? I think you're going to get people, companies that are gonna start looking at their data and start deciding, okay, we are taking in data directly from consumers, but then looking at their data minimization practices, right? Which also, by the way, helps with other privacy data laws. So that's a good thing. And saying, okay, well, do we have to keep it after 3 years, right? Can we get rid of it? And that's gonna be hard for a lot of companies. Different companies, different things, right? If you have a subscription business, and people leave, and then come back, and leave and come back, and they expect you to have their data, that might be difficult for you. So those are some big business decisions that will have to be made. But then on the other hand, you know, to try to get out of it, you might say, we're just stopping at 3 years, right? We're gonna take it out. And then, on the other hand, you're gonna find that, no, we need to, and so they're going to have to register. They're going to have to do these things, which is going to make it very… from now until August, there are a lot of things that you have to do and put in place to get things ready.

Ian Phippen: You bring up an interesting point, too, Jordan, in that I guess I didn't consider somebody could decide to register as a data broker for a few years, divest from those practices, and eventually, you know, no longer register as a data broker. But if they're going to set up the infrastructure to support requests from DROP, why not just continue to adopt those practices long-term? Hannah, I see that you had a thought there.

Hannah Poteat: I was going to say I actually disagree with Jordan on this, and that's pretty much why. CalPrivacy has really signaled, with the formation of their strike force and all of the early enforcement actions that we're already seeing around data brokers, that they're taking an extremely broad interpretation of what a data broker is. And that is great, but it means that if you do anything that might fall into a gray area around being a data broker, you're a data broker. And so there's no benefit to not being a data broker. You may as well set up the whole infrastructure, because you're gonna have to, because CalPrivacy's gonna crack down on you if you kind of sell data that you didn't necessarily get directly from the individual. And so there's no difference between someone who maybe gets data from a lead gen vendor, and someone who is actually hoovering up crap tons of data from all over the internet. And so, all of a sudden, everyone's going to have to have this infrastructure, everyone's going to have to just build it into their business practice, and there's no benefit to not hoovering up tons of data. I think it's going to backfire.

Jordan Smith: Yeah, let me be clear. I'm making a clear risk assessment by the business as to what they can and can't do. Once again, I'm talking about operationally, and people, in many cases, small companies, small startups, whoever you are, you're going to have to make a risk assessment. And so, I agree with you, Hannah, but there, you know, some companies out there are going to want to try to make that risk assessment, and I'm not saying that that's the right assessment. I'm saying that you could go that way, and you could see what happens. We don't know. We, you know, I hate, I keep bringing up my data, my health. We didn't know, and we still somewhat don't, we've seen some things, but we, you know, how the regulator is going after that, right? We've seen some cases. So here, same thing, we do know, yes, they have a broad sense. But I'm just saying, the different types of companies are going to take this different ways, and there's a cost. Not only the cost of registering, right, but the cost of actually putting these things in place, having suppression, matching the data, doing all those things. And plus, keeping whatever business you are up and running, and doing that, you know, there's a weighing.

Hannah Poteat: Yeah, I think it's very similar to, you know, 7 years ago, when we had the question about, well, is there a downside to putting the Do Not Sell My Personal Information link on your website? Are users going to get scared off? Is everyone gonna freak out if we have to do that? And for a while, you saw companies try to go through the effort of, alright, what do we have to do to not sell data? And over time, the creep has been…

Jordan Smith: Everything is a sale.

Hannah Poteat: And no one cares anymore, because everyone has to put this on their website. There's no downside to just having it on the website; people just kind of gloss over it. Therefore, there's no downside to just selling all of the data. And it's… there's been just this huge, you know… It hasn't worked out.

Ian Phippen: Now…

Jordan Smith: I'll let you go. Hannah and I could go back and forth all day, if you like.

Ian Phippen: Let's say that the opposite happens. Let's say I do a pretty comprehensive review of all of our data sharing practices, I scrutinize all of our trackers, I'm pretty sure that I am not a data broker. How often would you recommend that I do all that all over again?

Hannah Poteat: Six months.

Jordan Smith: I'm not gonna describe it.

Hannah Poteat: Quarterly, 6 months.

Ian Phippen: Yeah, I mean, registration is required to be re-upped every January, so that makes sense to give you some lead time to work ahead.

Jordan Smith: Yeah, I think, and Hannah, correct me if I'm wrong, I think it is… you have to register, for the year after that you would be considered a broker, right? So, I think 6 months does make sense, because it does give you some time, to do it. I think if you did it annually, you might… you might be in a snag.

Hannah Poteat: Yeah.

Ian Phippen: And if you are expecting that you do need to comply with DROP come August, if you've confirmed you're a data broker, you've already registered, is there anything that you can be doing differently at this point, even if you're not yet required to start processing these mass requests?

Jordan Smith: Well, I think, I mean, some of the things I said, I think you're gonna have to start setting up, at scale, you know, data matching and pulling from the database and suppression, you know, internally. Those are the types of things you have to start working towards and understanding, you know, not only internally, but also third parties. Like, look at your data, look at your contracts with third parties, you know, what do those say? All those things, you have to… I would start that now. Start that process now.

Ian Phippen: Great, okay. Moving right on forward, we're gonna talk about state amendments. I know that this contains some of the topics that Hannah and Jordan are both most excited to discuss.

Ian Phippen: So, we'll move right in. To knock a couple of easier ones out of the way, let's talk about Oregon. So, you are aware in the chat, on January 1st, there are a couple of amendments to Oregon's state privacy law going into effect. The first relates to children's privacy. So, you cannot sell data or serve targeted ads to any consumer under the age of 16. And the second relates to geolocation data: you cannot sell geolocation data even with consent. There's no condition under which you can sell it. I would compare this kind of to what we saw recently in Maryland, where there are some greater restrictions on selling of data, even with the user's consent.

Ian Phippen: In the case of Virginia, we're once again seeing an amendment relevant to children's privacy. In this case, we're talking about age screening for social media, new time controls, and content restrictions for consumers under the age of 16. And I think what's interesting about this is that these ideas are getting tied into that state's privacy law, not necessarily where all of us would expect to see that type of governance occur.

Ian Phippen: All right, the big one, California's amendments. So, there are a lot here. We're going to break up this discussion into several parts, and I'm going to invite Jordan and Hannah back as things come up. So, a couple of just facts I want to talk about related to California. Once again, we're going to see children's privacy: children's data, any consumer who is under the age of 16, is considered sensitive, subject to the relevant protections in the state of California. There's also quite a lot happening in California related to correction requests, and specifically if you dispute with the requester about their correction, if you disagree with the data that needs to be corrected, there is a stronger expectation of the process that you will follow to both evaluate that and to correct the data across other sources.

Ian Phippen: Next, we also see in the state of California that there are additionally some changes to how opt-outs are expected to be handled. Businesses should be confirming if they're receiving a GPC, a Global Privacy Control, or a do-not-sell-or-share opt-out as part of their consent notice.

Ian Phippen: And last, but certainly not least, there are certain industry-specific protections in place related to mobile apps, connected devices, and AR or VR devices around transparency requirements. Actually, similar to what we saw earlier in regards to Rhode Island's expectations around more specific privacy policy notice requirements for these specific groups.

Ian Phippen: So, before I tell you about the rest of what's happening in California, let's spend a little bit more time on what we're seeing on the screen right now. I'm going to invite Jordan back, and we can start on the topic of children's privacy. So… We've talked about, actually, 3 different state laws that are being amended for kids' privacy. What makes this complex? Where should companies be paying attention?

Jordan Smith: Yeah, it's really complex, and it's getting more and more difficult, as states now realize, oh, we need… we want to play in this game of helping to protect children, which, listen, that's what they're trying to do. The problem is, it comes to the idea of age. Age is what makes this complex, because we have different ages across the states that are doing this, from, you know, Connecticut, which is coming later in '26, but that's, you know, ad targeting under the age of 18. California, you have do not sell or share for under 16, or, you know, you could consent if you're under 16, 13 with parents. It's getting difficult because of all these different rules and these different ages. And so, it's really, from an operational standpoint, from a privacy and from a legal standpoint, it's really hard to say, hey, let's standardize this. Let's just do under 18, we're not gonna do it anymore, we're not gonna have kids, because it depends on your business, right?

Jordan Smith: And it goes back to that question, Ian, that you had, you know, what are companies gonna do with, you know, some of these new state laws? It's the same thing here. I think that you have to look at your business, you have to understand that, okay, you know, I'm Microsoft, I'm targeting to kids because of the Xbox. I'm not gonna do it, right, in Connecticut, because I can't, but I want to do it in the other states, so how do I do that appropriately? So you're going to have to work with your engineering teams, your marketing teams, your product teams, to figure out how do we put toggles in place? How do we figure out how to do this easily? If we can, we'll standardize some states, but we don't want to do this on a state-by-state basis; it's really difficult on a state-by-state basis, but in some cases, you might have to, just because of your business and where you're going.

Jordan Smith: I know in my past, we've had to deal with certain states differently, right? We've done that. We've dealt with a group of states one way, and one state in another way, because it was going to hurt our bottom line too much, right? If we dealt with everyone, let's say here, under the age of 18, we just didn't want to target, or we just don't want children under 18. It'll also come into play when we talk about apps and the new mobile app stores and what we're getting from there, but I think we're going to get into that a little later. But, you know, I think those things will come into play. I think also the difficult thing, and we're seeing this now, especially with mobile apps across the board, is… we just saw Jam City get hit with a fine. Notice, right? Putting things in your apps is really important. And so, I think California is kind of pushing forward in that transparency of making sure that you're transparent about what data you're using, how you're using it, and where you're going. And so, I think all those things are really important, and then the signals and opting out, listen, that's just becoming standard, right? I think that more and more, states are kind of implementing, some aren't, some are, but I think more and more are as we move forward. So those are the types of things, I think, from a company standpoint, you should be thinking about and kind of figuring out how you want to deal with this, because, as we've been saying, standardization sometimes is just really difficult.

Ian Phippen: I want to return to what you said about mobile apps in a moment, but I also will just observe as we think about these children's privacy laws, is that it's important to look at this new regulation with the context of what litigation we've already seen related to children's privacy as well. So, for example.

Ian Phippen: I think it was just a month or two ago, with Roku, essentially the AG declared, you know, just because you don't have a birthdate collected for that user doesn't mean you don't know that they're a child. They're using the children's screensaver, they're watching all children's shows, don't tell me you don't have a data profile telling you that this is a child, you're aware. So I think it's really important, you know, you might dismiss, like, okay.

Ian Phippen: three children's privacy laws. We don't market to children, that's not a big deal for us. Let's also look at

Ian Phippen: The litigation that's happening, or at the enforcement actions that are happening as well.

Jordan Smith: Yes, and you're going to also, if you do have an app, and I know I keep… I'm getting an app, so I'm just gonna go there.

Ian Phippen: go there.

Jordan Smith: You know, with new app store rules, you know, you're going… it doesn't matter.

Jordan Smith: if you say, oh, we don't deal with children, you're going to get these signals back from the app stores, right? You're gonna have an understanding that there's a 16-year-old on your platform, even if you didn't mean for that to happen, and your platform says that they're over 18, you're gonna have to do something about that, right? You're gonna have to action that. So, you're getting a lot more information with a lot more of these laws, so even

Jordan Smith: Even companies that, you know, yes, the regulation is important, but now with more and more regula… I mean, more and more regulation, we're going to get more information that we're going to have to deal with, and more action that we're going to have to take. So it's really… it's really important to understand where you are, what you're doing, how you're doing it, and getting that prepared, you know, with all the internal teams, because it's going to have an impact.

Ian Phippen: And…

Ian Phippen: Yes, like you said, let's get right in on mobile apps. I know you have a lot of experience in this area. From your perspective, do you think privacy teams at companies that have mobile apps are really prepared for these new transparency requirements, policy components? Even though they've been, you know, a mainstay of a typical privacy program, what does that look like in the mobile app space?

Jordan Smith: I… I… you know, mostly, I don't… I don't think so. And, you know, I think that we're getting there, right? It's almost like we… what happened was, we were dealing with websites, we were dealing with what's on our website, we were dealing with all the data that was there, and so we were… and that's where the regulators had been concentrating on, so that's what we were doing, and now, all of a sudden.

Jordan Smith: things are starting to… like I mentioned Jam City, there's other, you know, that these types of things are coming into play, so now we're starting to concentrate. So I think it's…

Jordan Smith: I don't think…

Jordan Smith: everyone is there? No. But I think that we're going there, and I think the reason that you need to go there now, and what makes this even more important, and Hannah and I have had a discussion about this

Jordan Smith: previously about CIPA, and wiretapping, and all those things. That could be a whole noth… I know that there are other webinars out there, you can talk about that, but this is also not only a website, apps are the… are… is where it could happen as well, right? You need to understand your SDKs, you need to understand what's going on

Jordan Smith: out and coming in. You need to get an audit. You need to figure it out. And if there are tools out there that could help, trust me, if you just ask your engineering team, they will give you a list of hundreds, and you won't know what they are. So you're gonna need some help.

Jordan Smith: But you need… the same thing that you did with trackers, you're gonna need to do with SDKs on the mobile site. It's really important, because that's where regulators are going now. And especially if you're sharing any sensitive information, especially if you're sharing information that could be deemed sensitive, you need to pay attention to this, because from an app standpoint, that's where I think a lot of companies are lacking.

Jordan Smith: And, and need to kind of get up to par.

Hannah Poteat: Yeah, and let me dive in on what Jordan said, because I think a lot of…

Hannah Poteat: privacy leaders, people who are responsible for the privacy program, don't know that this is an area that they need to be cognizant of or looking at. Like, we know that there are trackers on websites that we ought to be, you know, aware of and looking at. I don't think a lot of us know

Hannah Poteat: what an SDK is.

Hannah Poteat: Or that it might have libraries that are shipping data to a third party that we aren't even aware of.

Hannah Poteat: So, sit down with your mobile app engineers, assuming you have a mobile app and this is a risk to you, and ask them to walk you through what SDKs are you… SDK is a software development kit.

Hannah Poteat: And so, ask them to walk you through what SDKs they're using, and how they're configured.

Hannah Poteat: And are those SDKs talking to third parties, and sending data to third parties, and connecting to different sites, and sending users to a different site? Be aware of this.

Hannah Poteat: As the privacy person, so that you can see if there's, a configuration that you can change, because the default may be, yeah, go send data here, but you may be able to configure it a different way.

Ian Phippen: That definitely comes up a lot in the data broker conversation as well, to go full circle, as a lot of folks don't know that they could, you know, turn secondary use off for many of these services.

Ian Phippen: Last question before we dig into the rest of the CCPA amendments. I did not include a separate recognition here for the App Store Age Assurance Law, like we're seeing in Texas, also going into effect January 1st, but is there any intersection there that we should be thinking about, Jordan?

Jordan Smith: You know, I think I kind of mentioned it a little bit, in that you should, you know, number one, even as… this is for app stores, but as developers, I think there was, in the beginning, people thought, oh, I'm a developer, I don't have to do anything. You have obligations as a developer, because you will be receiving this information, right, from the app store as to age, and you have to work internally with your engineers.

Jordan Smith: Make sure that there's communication.

Jordan Smith: Between your engineers and what's going on, because I'm sure there are engineers who will just get it and not do anything with it. So make sure there's communication that this is going to start happening, and then once you get that information, you have to take action, right? If you find out that someone is under the age of 16, and you didn't… in California, and… well, not in California, but under the age of 16, there's certain things that you have to do.

Jordan Smith: Right? Under certain ages, that the things that are in place that you have now may have to change just because you're getting this information. Also, don't let what the app store is giving you be the only thing that you're looking at age, right? You should have something else that you're bringing in, whether it's an age gate or something.

Jordan Smith: This is how all these companies are saying, well, we've never had to deal with this before, you're going to have to deal with it. You just are. So that's, I think, the main thing, is if you aren't starting to think about this, even if you're a company that says, I don't get things from, you know, from kids, well, you have to at least start thinking about this, and thinking about what you're going to do to get yourself compliant in case something does come in.

Ian Phippen: Thanks, Jordan.

Ian Phippen: We are halfway through California's amendments, so to take us home, let's look at the last four here, and I'll also be discussing this a little bit more with Hannah, based on their cybersecurity background they told us about earlier today. But first off.

Ian Phippen: CCPA introduces a risk assessment requirement. These are required to be completed continuously, but only reported on annually. And there is also an expectation here that

Ian Phippen: depending on the agency or the Attorney General's discretion, the GC, or Chief Privacy Officer, or whatever member of the C-suite is considered responsible for these can attest them to be truthful. There's also a new cybersecurity audit requirement for certain types of businesses.

Ian Phippen: We also change how California interacts with authorized agents, so…

Ian Phippen: A business can verify that a request for an authorized agent is a true request, but not require that the data subject go and submit a brand new request. You do have to accept the request as shared through the authorized agent. You can't force people through your own separate methodology.

Ian Phippen: And last, but certainly not least, really bringing California to parity with a number of state privacy laws that were introduced later. There is, there are new requirements around opt… excuse me, opting out of automated decision making. So, looking at these four, I want to talk about risk assessments first. Hannah, tell us

Ian Phippen: What's at stake here, and… What does that mean for how privacy teams approach risk assessments?

Hannah Poteat: Absolutely, sure. I, I think, this is maybe the biggest shift in governance generally since, like, Sarbanes-Oxley. And I…

Hannah Poteat: I… I'm not… I'm… I'm not trying to oversell it. This is… this is a really big deal.

Hannah Poteat: Because, it has to be, a member of the executive team that signs off on this annual summary.

Hannah Poteat: And Ian, I know you've put, GC, CPO, CISO. The CPO and CISO are often not members of the executive team.

Hannah Poteat: They got the chief

Hannah Poteat: title, but they're not… they're often not technically members of the executive team. So it has to be a member of the executive team. So we're talking CEO, GC, member of the executive team.

Hannah Poteat: And, that, that member of the executive team has to attest, this is not a corporate attestation, this is a personal attestation under penalty of perjury. And perjury in California is a criminal statute. It's a felony punishable by 2 to 4 years in prison.

Hannah Poteat: So, if you, if you sign off on this, and you don't, do your due diligence.

Hannah Poteat: actually check to see that what you're signing is correct. The liability for this executive is significant.

Hannah Poteat: And that signatory is personally exposed. It's not that the company might lose some reputational… have some reputational risk, it is personal liability.

Hannah Poteat: So, I think if you are leading your privacy program, and you're not talking to your executive team, and figuring out who is going to be responsible

Hannah Poteat: For making this attestation and letting them know what they are responsible for.

Hannah Poteat: Get on that. This… January's coming up, this is really important.

Hannah Poteat: Ian, you're muted?

Ian Phippen: Thank you, Hannah. Just giving you a really full pause of effect here. Because I do think that is so important, I've noticed that privacy teams are really recalcitrant to continue discussing regulations, right? We've had enough of our broccoli, but this is a massive, massive change in U.S. privacy regulation. So, really something that, above anything else we've talked about

Ian Phippen: today, and sorry to bury the lede.

Ian Phippen: We should be thinking about discussing, and reporting up to leadership.

Ian Phippen: Another piece here that I would say really salient is that authorized agent piece. I know this is going to be very challenging in practice. Authorized agents are already a challenge to work around. Many of these companies are submitting bulk requests pretty much indiscriminately, not checking with the consumer on whether or not they want that deletion request to go to this company that they have an active relationship with, for example.

Ian Phippen: And deleting that data in a persisting relationship has plenty of challenges for the consumer that the request is on behalf of. So, do you have, Hannah, any thoughts on how businesses can walk the line complying with this law without compromising their own users' experience?

Hannah Poteat: this is… this is potentially very messy.

Hannah Poteat: A business does have to respond to an authorized agent, but there are some real security risks.

Hannah Poteat: In using… in allowing authorized agents willy-nilly to request deletion or request access.

Hannah Poteat: Because, if I am a bad actor, and I can go through an authorized agent to get someone else's account data, or to get someone else's account deleted.

Hannah Poteat: then…

Hannah Poteat: cool, I don't even have to hack anything, I can just, abuse that system. And you think about, if I am, a small company, and I can get my competitor's GitHub repositories deleted.

Hannah Poteat: Cool. I've just screwed over my competitor. If I am, a small business and I can get my competitor's Etsy profile deleted.

Hannah Poteat: Awesome.

Hannah Poteat: My competitor's gone. There's a lot of money.

Ian Phippen: anxious, Hannah.

Hannah Poteat: Absolutely. You know, that's… you can think about ways that you can abuse the authorized agent system to attack someone that you may have a problem with.

Hannah Poteat: And so, as a business, your responsibility is to ensure, before you delete, or my god, before you expose someone's account information, make sure that the request is verified. And so.

Hannah Poteat: Since you can't require the data subject to submit a request

Hannah Poteat: through an authorized portal or whatever we've all been doing. Make sure that when an authorized agent sends the request.

Hannah Poteat: You're responding to them and copying the account information you have on file and confirming.

Hannah Poteat: Like, you can't require the data subject to submit a new request, but you can confirm with the information that you have on file for that individual.

Jordan Smith: I think… I'm sorry, I have to pinpoint… that is exactly the most important thing right there, because if you don't do that, then you are at risk, and Hannah…

Jordan Smith: really hit the nail right there, because I think… and we do that, you know, that's the process in companies that we do, because it's really important to give that notice to the person, because I can't tell you, there have been times where people are like, wait a second, I didn't

Jordan Smith: do this, and you find out it's maybe a friend of theirs, or it's an ex, or something else, right? So, it's re… this is extremely great advice, and really important to do when you have these to make sure, from a security standpoint, because otherwise.

Jordan Smith: You delete someone, and they didn't want to be deleted, or you give data to someone, and that was… it… they're…

Jordan Smith: You're gonna be in some issues.

Hannah Poteat: Absolutely, yep, yep, yep.

Ian Phippen: Great points.

Ian Phippen: So, I know for everyone on the line, your to-do list just doubled. We went through a lot of information. Do not worry. In our next section, we're both gonna go through some Q&A, as well as talk about, you know, from Hannah and Jordan's experience as leaders of privacy functions, what is most important, realistically, to actually change after today.

Ian Phippen: However, I do want to be transparent, we're not going to talk about DataGrail very much, or our product, in this Q&A section, so if you have questions about how the DataGrail platform specifically helps you with these, we're going to push a poll to you now. That is how you can volunteer for getting information about those details. But, in the meantime, let's talk about

Ian Phippen: all of this information overload you've just received. So, first off, I want to hear, you know, from both of you, if you could take away just one to three ideas that privacy teams need to be thinking about right now, where would you focus that attention?

Hannah Poteat: since I see Jordan is still thinking, I think, I will hit back on the… the one that I sort of touched on at the very beginning, which is that, for years, privacy professionals have really built our programs to this sort of.

Hannah Poteat: Common denominator plus, you know, plus whatever weird anomalies each state is doing.

Hannah Poteat: And we're getting to a point where those anomalies are

Hannah Poteat: Overwhelming that approach, and so we need to take a hybrid approach.

Hannah Poteat: We need to have that core of just giving individual rights to everyone. To everyone that gets them, or to everyone just generally, because, Lord, that's easier.

Hannah Poteat: And then understanding where you need to be piecemeal, because

Hannah Poteat: There are some of these regulations where you just shouldn't be doing this.

Hannah Poteat: for all states. Some of that is the age assurance stuff, but some of that is, for example, California's risk assessment requirement. If you just say, well, we're just going to do this for everything, for all of our processing, great, cool, you start collecting a huge amount of information that other state AGs would very much like to have.

Hannah Poteat: And we've seen, for example, the Texas Attorney General is a very aggressive regulator.

Hannah Poteat: And so, if you're doing above and beyond where you don't need to, you're creating liability for yourself.

Hannah Poteat: And so, it becomes a better approach for a privacy program

Hannah Poteat: to understand where you can be blanket, and where you absolutely need to be specific to each state. And that's harder.

Hannah Poteat: But… Lord, it's safer.

Jordan Smith: Yeah, and then…

Ian Phippen: Oh, sorry, go ahead, please.

Jordan Smith: No, no, and then I was gonna say, and then mine are to go then take what Hannah said, and then go a level deeper, and I think now we need… we're moving more from… away from the policy first, and retrofitting against the policy to data and architecture.

Jordan Smith: start understanding your data across the board. Work with your engineer, product teams. This is… this is, you know…

Jordan Smith: This is a time where you could have a lot of friends, and you need a lot of friends, because, you know, you need to understand the data. Go in there, start figuring it out, work with them, because if you don't start now with the data architecture for all of these things, every single thing we mentioned today, from SDKs, to the age assurance, to even risk, you know, risk assessments, you need to understand where the data is coming from, where it's going.

Jordan Smith: and how you need… and then from there, then you could have those conversations and understand, like Hannah said, where do we need to go? What type of company are we? Where is the risk?

Jordan Smith: And I think that's where you start. Because on a lot of these, it'll be new, you know, you've done it before, it'll be new, especially in app world with SDKs. With age, it'll be new, because you don't… you weren't thinking about age before. So, a lot of this is new, and a lot of this, you have to take some time and do it, but it will be really important.

Jordan Smith: The other thing, too, is just, like I said before, start thinking about the long game.

Jordan Smith: start thinking about, you know, we're doing things now, for some of these, but is this gonna go to other states, and how can we then maybe toggle it on when it happens in another state? Or how can we maybe just do it now? Maybe we do it… those are the types of things you need to start thinking about, because, what's happening in one state most likely will happen in another state. It might be a little different, but

Jordan Smith: Every state is starting to think about these things.

Ian Phippen: For both of you, and I do have some resources I want to share with the audience before we close, so we'll keep this really quick. If there's somebody listening here today who feels very overwhelmed, they feel like they do not have the resources from their organization to be successful with all these regulatory changes.

Ian Phippen: What is your advice to them in terms of either advocating for themselves, for more resources, or getting more scalable with what they have?

Jordan Smith: Well, resources… listen, in the privacy world, getting more money and resources and a budget is very difficult. It always is, right? It's always something that you have to fight for. I think I said I'm very metrics-driven, and because I think that businesses are very metrics-driven, so what I would say is.

Jordan Smith: Put together a plan of, Here's the cost, here's the cost to us if we don't do this.

Jordan Smith: here's the cost if we do do it, and here's the cost, you know, from a regulatory perspective of what could happen, you know, and here is my plan, right? I'm not doing… maybe you're not doing it all at once, maybe you're doing it a little bit at a time, but I think you need to kind of start in baby steps, but also work out that plan of, here's the risk.

Jordan Smith: here's where we are, here's what we need to do, and here's what could happen, and here are all the financial… finance is very big.

Jordan Smith: And so I think that's really important to put forward, because that's how a lot of, of course, if you're talking to your chief revenue officer, you're talking to your CEO, even if you're talking to your GC, you talk about the finances behind it, they're gonna say, well, you know, what is the cost? And you need to give them the cost-benefit of everything.

Hannah Poteat: I completely agree with Jordan, and my approach is even a step farther than that, is here is the cost to us in terms of man hours, in terms of impact to our roadmaps, impact to our deliverables.

Hannah Poteat: if we don't do this, or here is the beneficial cost to us if we do.

Hannah Poteat: For example, the, the age assurance

Hannah Poteat: part. What do we need to do to build, new age, assessments into all of our products?

Hannah Poteat: If we, if we need to do this state by state.

Hannah Poteat: or versus what is the cost impact to us to just raise our threshold to 16? To just raise our threshold to 18.

Hannah Poteat: what is… what is the benefit to our business? Are we really child-focused? Where are we? And so, how can we have that conversation as a business

Hannah Poteat: In terms of cost, because that's what your executive team cares about.

Hannah Poteat: Other than that, there's so much of this that you can actually just do with spreadsheets. You can actually make a spreadsheet. There are…

Hannah Poteat: available spreadsheets online of state laws, but take one of those and modify it to what are your risks? What are the things that you care about? And update your spreadsheet

Hannah Poteat: Quarterly, every 6 months, when new privacy… state privacy laws come into effect, or new elements of obligations come into effect, and just

Hannah Poteat: keep aware of the things that you as a company care about. There are only a scant few things that you really need to spend money on, and one of those is sort of rights management, because we're seeing a lot more

Hannah Poteat: rights management issues becoming costly threats for companies. Other than that, there's a whole lot that you can build yourself.

Ian Phippen: Thank you. I'm gonna thank you even more in a moment, but really quick, I want to, before the end of the hour, show up a couple of resources. First, we saw several new states introducing opt-out requirements. We still see, year over year, the majority of websites that you visit do not actually opt you out from all trackers when you go. You can check if that is your situation with this resource here.

Ian Phippen: We can include it in our follow-up as well.

Ian Phippen: We've mentioned a couple times our Slack community. Hannah is there themself. You can meet them and talk to both Hannah and me after the webinar, if you'd like. You can join at datagrail.io slash community. We also have a Guide to State Privacy Laws resource for keeping track of all 20-plus of these.

Ian Phippen: And I said I wouldn't tell you anything about what was happening in the DataGrail platform, but I will tell you that if you are a customer, don't worry, we've set you up with automatic policy updates as new states like these go into effect to make sure you are ready and compliant. And we are going to be sending, as was mentioned in the chat, a recording of this webinar and instructions of how to get your CPE credit afterwards.

Ian Phippen: So, hang tight for that.

Ian Phippen: And with that, I think I'm at the final bell here. Thank you so, so much, Jordan and Hannah, for sharing your expertise today. I know I have a lot of notes, I'm sure everyone in the chat has a lot of notes, so I appreciate you both. Thanks for lending your thoughts.

Jordan Smith: Thank you.

Ian Phippen: Thanks, everyone. Have a great rest of your day.
