Episode Show Notes: Lessons Learned from California on Global Privacy Control

In this episode of Privacy Abbreviated, hosts Dona Fraser, the SVP of Privacy Initiatives for BBB National Programs, and Jason Cronk, the President of the Institute of Operational Privacy Design, are joined by Jeewon Serrato, a partner at BakerHostetler. The three experts discuss how small- and medium-sized businesses can harness the power of Global Privacy Control (GPC) to comply with privacy regulations and protect their users. GPC is a tool that allows users to opt out of online data tracking and is required under the California Consumer Protection Act (CCPA).

02:00 – Dona explains how a particular settlement between Sephora and California’s Attorney General in August 2022 forced businesses to pay more attention to GPC. California’s Attorney General Rob Bonta alleged that Sephora failed to disclose to consumers that it was selling their personal information, failed to process user requests to opt out of the sale of their personal information using user-enabled GPC, and did not remedy these violations within the 30-day period as required by the CCPA.

Attorney General Bonta states, “Technologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights. But these rights are meaningless if businesses hide how they use their customer’s data and ignore requests to opt-out of its sale.”

In the online world, consumers are persistently monitored and tracked. The settlement reached with Sephora highlights the rights granted to consumers under the CCPA, empowering them to combat commercial surveillance.

14:32 – Dona then points out that CCPA won’t apply to all businesses. Businesses that must adhere to CCPA are for-profit businesses that do business in California and meet any of the following: have gross annual revenue of over $25 million; buy, sell, or share the personal information of 100,000 or more California residents, households, or devices; or derive 50% or more of their annual revenue from selling California residents’ personal information.

Because many medium and small businesses won’t meet those prerequisites, they won’t be required to comply. However, Jeewon points out that compliance is almost impossible after collecting data. She suggests that businesses abide by the guidelines early on so that if and when they grow past the threshold, they’re already in compliance. She says it’s a much easier process to do upfront than retroactively.

20:11 – Jeewon reiterates that complying with privacy laws is not a simple task. It’s complex, and it requires expertise. She recommends finding outside vendors or counsel that have experience with GPC and CCPA regulations. By engaging professionals with a practical understanding of these specific regulations, organizations can navigate the complexities more effectively and ensure adherence to privacy laws.

According to Jeewon, ensuring compliance “is a matter of finding the right tools, technology, and partners who can shed light.”

Before closing the episode, Jason and Dona ask Jeewon a few questions about herself and her experiences in the privacy sector. In answering those questions, Jeewon continues to press the importance of creative problem-solving within the complex world of data privacy and the need for partnership and teamwork while tackling complicated situations. No one can solve privacy problems alone.

Signing off, Dona encourages listeners to listen to previous episodes of Privacy Abbreviated to learn more about the current privacy landscape.

To do so, you can visit BBB NP’s Accountability Studios website or subscribe to Privacy Abbreviated on Apple Podcast, Google Podcast, Spotify, or where you access your favorite podcast!

Visit to Learn More: NAD FAQs

Contact Information: programs@bbbnp.org

Listen to the full episode here.