The Accountability Studios formally presents BBB National Programs (BBB NP) and Osano’s new podcast, Privacy Abbreviated, which helps business leaders manage and prepare for the future of privacy. In its first episode, hosts Dona Fraser, Senior Vice President of Privacy Initiatives at BBB National Programs, and Catherine Dawson, General Counsel and Chief Privacy Officer of Osano, introduce themselves and set the stage for their new listeners.
For this episode, they’re joined by distinguished guest Daniel (Dan) Solove, Law Professor at George Washington University and Founder of TeachPrivacy, a company that provides privacy and data security training to businesses, healthcare institutions, universities, and other organizations.
Before diving into the conversation with Dan, Dona and Catherine address the top privacy news of the hour. Released in early June by key Congressional leaders, the American Data Privacy and Protection Act calls for the creation of national standards that provide consumers with foundational data privacy rights. Catherine proposes that this bill may be a step in the right direction, progressing towards a comprehensive federal privacy law. Dona agrees with Catherine’s sentiments and adds:
“What’s fascinating to me is that it [the American Data Privacy and Protection Act] does provide a roadmap for a lot of issues that we know are being thought about. So even if this draft doesn’t go through, it’s clear that this congress is thinking about issues surrounding algorithms, surrounding targeted advertising, surrounding not just data collection, but really what is now sensitive data.”
Another noteworthy development in the privacy landscape is the anticipated first draft of the California Privacy Rights Act (CPRA) regulations. Regarding this news, Dona reminds listeners to keep in mind that “where California goes, the country goes.” Both hosts agree that California’s progression, coupled with the American Data Privacy and Protection Act, creates numerous levels of complexity for businesses, especially multinational companies already struggling with how best to comply with current privacy laws.
After catching up on the present world of privacy, Dona and Catherine lead us through the privacy landscape by asking Dan to help listeners understand the US versus the EU perspective on data privacy. Dan describes the US approach as more complicated and complex than its EU counterpart. There are various entities involved, from state legislation to federal agency regulation. “But generally speaking, the US relies on a notice and choice approach. You can use data however you want, as long as people don’t object to it or it doesn’t cause some serious harm,” Dan explains.
In the EU, by contrast, the law spells out the valid uses of data. Under GDPR, there are six allowable uses, and “if you don’t have one of those uses, you can’t use the data, even if it doesn’t cause any harm in that use,” Dan warns.
However, a shift is taking place in the US. Catherine mentions that the concept of data minimization is dominating the state privacy laws coming in 2023.
On this subject, Dan notes that most present US privacy laws have leaned towards data minimization principles. “The tricky thing with data minimization is … how do you do it on the side of the policymaker? We ask companies to please be data minimalists, but how do you actually enforce it? We really haven’t seen ways to give rigor to this principle yet from enforcers,” Dan asks.
Keeping to enforcement, Dona asks Dan to help companies understand how to navigate multiple state privacy laws while thinking ahead about a potential federal law. The rule of thumb Dan gives listeners is to “follow the strictest standard.” He mentions that the California Consumer Privacy Act, the CCPA, is that standard. There are various other state laws, but all are weaker versions of the CCPA. “So if you’re complying with California, you’ll likely be pretty good with the other laws.”
Dan’s expertise in training via TeachPrivacy made for an appropriate segue into the next topic. He shares the top three pain points businesses face regarding data privacy compliance.
1. The number of laws globally, and the varying levels of complexity of each, must be understood and managed. Dan notes an estimated 150 countries have comprehensive privacy laws. There’s GDPR, varying state laws, and federal laws targeting specific areas, such as health data under HIPAA, FERPA, COPPA, etcetera.
2. Universal data security best practices contrast with the varying privacy laws businesses must know and follow. “Data security could be a one size fits all, or vary with different organizations based on their risk, but it’s not going to vary like privacy law, which is a challenge,” Dan clarifies.
3. Developing a training message that businesses care about. “The point of training is to create a culture of privacy in an organization to make people understand why they should care … because it depends on the cooperation of everyone in the workforce,” Dan reminds listeners.
After delving into each pain point, Dan leaves listeners with one final word: “I think industry and policymakers are often focused on the short term, but if we really want to get a handle on this, we need to start thinking more long term and create laws that are going to stand the test of time. Until the consumers feel that they are protected, we’re not going to see an end to the law.”
Listen to the complete episode here.