I spent the week in Washington, DC, attending two privacy- and public policy-focused events.
One was a relatively intimate gathering of a few hundred digital advertising executives, policy folks and ad tech lawyers hosted by the IAB at a Convene in downtown DC. The other was the IAPP’s Global Privacy Summit, a nearby gathering of several thousand privacy pros in a cavernous convention center.
And I have a single takeaway from both: When people tell you something with their whole chest, it’s probably best to listen.
In session after session, state regulators got up on stage to talk in detail about their data privacy enforcement priorities.
#priorities
So, what do regulators care about?
Exactly what you’d expect them to.
They care about transparency, proper disclosures and whether a company’s privacy policy is compliant.
They care about honoring opt-out requests and making sure consumers can exercise their legal rights.
They care about kids, about protecting sensitive personal information, including precise geolocation and health data, and making sure companies don’t collect it without consent.
They care about combating manipulative design patterns.
They also release detailed public reports on the number and nature of violations and cure notices in their state, as the Connecticut attorney general’s office did in February. They post detailed FAQs on their websites about data protection. They publish enforcement advisories to encourage voluntary compliance, as the California Privacy Protection Agency did just earlier this week.
And many states, including California and Colorado, also issue compliance guidelines in the form of implementation regulations to help businesses interpret the statutes. But even if a state doesn’t have rulemaking authority itself (like Connecticut, for example), you can easily use a sister state’s regs as guidance.
Because yes, state privacy laws have their nuances – and it’s important to acknowledge these differences – but there’s also a lot of overlap.
“The regulations issued by most states are relevant to us,” said Michele Lucan, a deputy associate attorney general in Connecticut’s AG office, during a session at IAPP earlier this week. “It’s there – the detail is not lacking.”
Knock, knock
Meanwhile, regulators are also paying close attention to media reports, social media posts and consumer complaints about data protection issues.
A company can be flying blithely under the radar one day and become the subject of an investigation the next.
DoorDash is a good example. The California attorney general launched an investigation into DoorDash in 2020 after one of the company’s customers complained on social media that she had received physical advertising mailers at her home, addressed to an alias she used solely when ordering food delivery through DoorDash.
When the AG looked into the issue, it discovered that DoorDash had shared this woman’s data many times over with numerous companies – a practice not mentioned in its privacy policy.
That’s how a simple grievance aired over social media resulted in an enforcement action under the CCPA. DoorDash received a relatively small $375,000 fine, but rather tough injunctive terms.
As part of the settlement, DoorDash is required to reassess all of its agreements with marketing vendors and submit annual reports to the AG for the next three years detailing any potential sale of or method for sharing personal information.
No such thing as ‘under the radar’
Against that backdrop, I’ll share a brief anecdote.
I was doing the networking thing this week after the IAB event and found myself chatting with a privacy/security pro who works for a relatively small company. He told me that he feels insulated from regulatory scrutiny because his company is probably too small and not consumer-facing enough for an enforcer to concern itself with.
To be fair, not every business is liable under every state law. There are exemptions and thresholds, including how wide-scale the processing is and/or how much revenue a company derives from selling or sharing consumer information.
But if a law applies to a company, there isn’t any protective armor against regulatory attention other than good faith compliance.
A company or client may think they’re flying under the radar, but that is a false sense of security, said Jill Szewczyk, an assistant AG focused on data privacy and cybersecurity in the Colorado attorney general’s office.
After all, it only takes one consumer complaint.
“If a customer goes to use their website and notices they’re not giving them their consumer rights,” Szewczyk said, “then that company is going to be on our radar.”
****************************************************************************
Unrelated, but I have to share: I went to a session at IAPP on Thursday about the regulator’s perspective on privacy-enhancing technologies. On stage, Chris Calabrese, Microsoft’s senior director of privacy and data policy, said that PETs can be very valuable, but “there is no one magic PET that you can use for everything.”
The first and immediate thought that popped into my head was, “My cat would probably disagree.” 😹
That’s okay. I’ll see myself out.
🙏 Thanks for reading! As always, feel free to drop me a line at [email protected] with any comments or feedback, although forgive me for any delayed replies. It’s been a long week.
