October 17, 2022
Issue 9: A dispatch from P.S.R. 2022
Oh hey! Welcome to The Privacy Beat Newsletter!
Here’s the gist: Come here for insights on the hottest topics in privacy according to our peers’ tweets so you can walk into any happy hour or team meeting and sound like the absolute baller you are. No current topic gets by you. Did you post a hot take you want included? Tag it #PrivacyBeatNews and see if it makes it into the next edition!
Howdy y’all!
The IAPP's P.S.R. conference in Austin, Texas, this year indicated a shift in focus. I asked one of my buddies, Julian Flamant, a privacy attorney at Hogan Lovells, what he felt was different. And he noted that despite the topographically diverse privacy landscape these days — or maybe because of it — we're getting back to basics. There's a renewed focus on what matters most: using privacy's foundational wisdom on data minimization, transparency, and use limitation to grow your business but still do right by your people. The ones who trust you with their data.
I felt that too. Looking at the sessions, it seems we've moved on from simply "How to comply with the CCRA," or "What's a data 'sale.'" Several sessions took on the practical nuances of life in a digital economy. For example, "Designing for inclusive privacy," "Data privacy and civil rights: Governing discriminatory AI data," and "The evolution of LGBTQ data protection."
Sure we've had discussions on these things before, but this year felt like we've stopped asking hypotheticals and realized some hard truths about consumer rights in the U.S. today. It felt like a moment. But maybe I'm just tired and nostalgic. You decide.
Here's a rundown of the show's highlights and some key soundbites.
The world's a scary place, post-Dobbs
We all know the IAPP's decision to keep the conference in Austin after the Dobbs decision triggered Texas' anti-abortion law. Smartly, the opening keynote squarely addressed privacy's amplified importance since the Supreme Court overturned Roe v. Wade.
This is a profession that's always been proud of its work protecting humans' data rights, but the Dobbs decision has elevated the severity at the real-life risks at play. P.S.R keynote speaker Alex Reeve Givens, CEO at the Center for Democracy and Technology, cited the proliferation of bounty-hunter laws as cause for vigilance.
"We need to think about the vast repository of information that can be accessed and shared not just by law enforcement but by anyone on the street," Reeve Givens said. "It increases the burden even higher on the owners of that data to protect it."
Calling on privacy professionals and data owners to step up to the plate, Reeve-Givens said "the real story in all of this is minimization, minimization, minimization. If you don't have the data, law enforcement can't come after it."
Get up on your subpoena policies now
In a later break-out session, Rite Aid CPO Andrew Palmer — who's also a pharmacist! — discussed the Dobbs decision's real-life privacy and security implications, noting how the company reiterated to its pharmacists, "Keep your voice low, only the patient needs to know."
Dallas-based OB-GYN Sheila Chhutani said organizations, now more than ever, need to do privacy training on company-wide disclosure policies, including on bounty-hunter laws.
Walgreens CPO Lara Liss told the crowd to get especially vigilant on a game plan for law enforcement subpoenas.
"When they come into your organization, [the subpoenas] don't say 'it's Dobb's related,' they come in with all the other requests for records," Liss said. "So whatever your system is, you need to sit down with the team on the ground doing reviews and make sure you've got a plan for how you're going to respond. We've already seen some companies unwittingly providing information and that resulted in criminal prosecutions of the actual patient receiving reproductive care."
In that case, Facebook shared a private exchange between a Nebraska mom and her teenage daughter with law enforcement. Police charged the 41-year-old woman with a felony for allegedly helping her daughter abort a pregnancy.
You gotta 'meet them where they live'
You may have heard our rallying call by now that it's time to shift privacy's traditional place in the product deployment timeline. Rather than treating privacy as a checkbox compliance exercise just before products ship, it's privacy time to shift left, to the pre-deployment phase.
But it takes some strategy to do that. In "A privacy pro's guide to herding cats," TerraTrue COO Chris Handman chatted with Unity's Alex Tarnow and Mastercard's Diana Balan for practical advice on how to align marketing, product, and engineering with privacy and legal.
"The textbook answer on how to shift left is put processes in place, knock on the doors of those who own those processes, and say, "privacy is a legal requirement," but that's not the kind of thing that makes a lot of friends. People get fatigue from answering PIAs for days, Balan said. "What gets you over that hump and makes you valuable to the business is not being that compliance person that just says, 'Fill out this form,' because no one likes that person, and that's how compliance gets a bad rep." Rather, privacy roles should be curious, reach out and say, "I want to know who you are as a person." Building those earnest relationships changes the privacy's perception from the place good ideas go to die, to an ally. And that goes a long way toward cross-functional collaboration.
Tarnow agreed. He's built relationships with product teams with the attitude, "I'm here to help you get everything you want and stay in compliance." He's facilitated those relationships through slack, mainly, because he learned that's where product wants to communicate.
"Slack is really where they live, so that's where I live," he said. For more on this session's practical tips, check out this Twitter thread for the play-by-play.
Finally, some good news from Taylor Swift and the FTC
The same night the FTC planned to quit accepting comments on its plan to regulate commercial surveillance, Taylor Swift drops her new album. For some of us, there was a certain poeticism to that. Sure that day haunted us, but at least we'd have new TayTay. Regardless, lawyers and advocates clinked their glasses in unmitigated joy when the FTC announced it's extended its deadline by a month. Pontificators now have until Nov. 21, 2022, to tell the agency what you'd like to see included or omitted in any future rule.
Hey, also, before I go, the new CPRA regulations just dropped. The California Privacy Protection Agency is meeting Oct. 21 and 22 to talk about it. Check them out here. They are 72 pages long, and I'm sorry about it.
Did you miss the latest Privacy Beat Podcast drops?
He basically took down Cambridge Analytica
Prof. David Carroll, featured in the Netflix Documentary, “The Great Hack,” swung by The Privacy Beat Podcast to discuss his crusade for data protection rights in the U.S. and suing Cambridge Analytica in the wake of the 2016 presidential election.
California’s new children’s law could dismantle the status quo: Is that bad?
Last week, Eric Goldman visited the podcast to rip California’s Age-Appropriate Design Code to shreds. Some of you did not like that. On this episode, Stanford University’s Dr. Jen King has a different take, “We’ve had nearly thirty years of design masquerading as being values-agnostic driving the development of the internet. Do we really want to defend this status quo?”
Who’s gonna own the data in the end?
Reporting on a specific industry gives journalists unique views on the inside baseball and its players. In this free-ranging conversation, host Angelique Carson talks to longtime privacy journalist Mike Swift about the ADPPA, the Biden administration’s aims on consumer privacy in the U.S., and who’s gonna own the data in the end: the companies or the consumers?
Next on The Privacy Beat Podcast
Oct. 20, 2022: Your one-and-only LIVE dispatch from P.S.R. 2022, y'all. Featuring from-the-show-floor interviews from the IAPP's Privacy.Security.Risk conference in Austin, Texas last week. Unsuspecting guests answer host Angelique Carson's questions about the tone, substance, and best parties at the annual show. You'll laugh. You'll cry. You'll privacy even harder.