Multi-State Legislation Operational Readiness
I lean to the side of operations because the relationship between the privacy office and the business is critical. We look at these laws and we want to ensure that we can operationalize them for the business.
—Lisa Barksdale, Zillow
Beginning January 2023, three comprehensive state laws go into effect: California (expanding on previous privacy regulation), Colorado, and Virginia. Right behind them come Connecticut and Utah.
The plenary session of the SPOKES Privacy Technology Conference (held June 22-23) – Multi-State Legislation: An Operational Readiness Discussion – brings together expert privacy practitioners who are experienced in crossing the legal, business, and technology divides necessary to translate what the law says into privacy programs that work in practice.
Lisa Barksdale, Director of Privacy at Zillow; Tara Jones, Yahoo! Legal Services Senior Manager, Global Privacy; and Katie Pimental, AGC, Global Privacy, Yahoo! joined WireWheel Founder and CEO Justin Antonipillai for this widely requested discussion.
The Challenge of Multichannel Consent
It is necessary to think about a central source of truth and the ability to update downstream to your critical systems to understand what [consent] status is at any given time so that you can market in an ethical and legal way. A complicated set of challenges.
—Justin Antonipillai, WireWheel
The three major laws and most of the follow-on laws coming have two critical components that are the highest priority: 1) All of the new legal choices that brands and publishers have to make available to consumers across every channel and 2) the state law requirements concerning privacy risk assessments and filing requirements.
While the initial focus of privacy regulation emanating from Europe was cookie consent (resulting in the proliferation of website banners), in the years that followed, California required companies that sold data to provide a clear opt-out choice. And technically, you couldn’t finish that job just in the browser. The opt-out signal must update your databases.
Now, in California, Colorado, and Virginia, you have a whole slew of opt-out choices including, for example, targeted advertising and, under Colorado law, profile creation. Adding to the complexity is the proliferation of IoT advertising channels such as smart TVs and connected cars, further necessitating a “central source of truth” to understand consumer consent status at any given time across all channels.
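The “central source of truth” described above, as an added Python sketch that is not WireWheel’s, Zillow’s, or Yahoo!’s code: an append-only ledger records every opt-out or opt-in choice together with the channel it was captured on, derives one effective status per purpose regardless of channel, and tracks which downstream systems have confirmed the current version so the privacy office can see at any moment where a signal has not yet landed. The purpose names, the downstream system names, and the sample events are constructed for the example.

```python
"""Consent ledger: one source of truth for multi-channel opt-out choices.

Added illustration, not code from the panel or the vendors named on the page.
All identifiers (purposes, systems, consumer ids) are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Purposes a consumer can opt out of, mirroring the choices the panel names.
PURPOSES = ("sale", "targeted_advertising", "profiling")

# Downstream systems and the purposes each one acts on (constructed registry).
DOWNSTREAM = {
    "web_ad_server": {"sale", "targeted_advertising"},
    "smart_tv_app": {"targeted_advertising"},
    "crm_profiles": {"profiling"},
}


@dataclass(frozen=True)
class ConsentEvent:
    consumer_id: str
    channel: str      # where the choice was captured: web, smart_tv, car, ...
    purpose: str      # one of PURPOSES
    choice: str       # "opt_out" or "opt_in"
    at: datetime      # timezone-aware capture time


@dataclass
class ConsentLedger:
    """Append-only event log plus a derived, versioned effective status."""
    events: List[ConsentEvent] = field(default_factory=list)
    version: Dict[str, int] = field(default_factory=dict)          # consumer -> version
    acked: Dict[Tuple[str, str], int] = field(default_factory=dict)  # (consumer, system) -> version

    def record(self, event: ConsentEvent) -> int:
        """Append a choice and bump the consumer's version; returns the new version."""
        if event.purpose not in PURPOSES or event.choice not in ("opt_out", "opt_in"):
            raise ValueError(f"invalid event: {event}")
        if event.at.tzinfo is None:
            raise ValueError("capture time must be timezone-aware")
        self.events.append(event)
        self.version[event.consumer_id] = self.version.get(event.consumer_id, 0) + 1
        return self.version[event.consumer_id]

    def effective_status(self, consumer_id: str) -> Dict[str, str]:
        """Latest choice per purpose across every channel, decided by capture time
        rather than arrival order. The opt_in default reflects the US opt-out
        regime the panel describes."""
        latest: Dict[str, ConsentEvent] = {}
        for e in self.events:
            if e.consumer_id != consumer_id:
                continue
            if e.purpose not in latest or e.at >= latest[e.purpose].at:
                latest[e.purpose] = e
        status = {p: "opt_in" for p in PURPOSES}
        for p, e in latest.items():
            status[p] = e.choice
        return status

    def sync_messages(self, consumer_id: str) -> List[dict]:
        """One message per downstream system carrying only the purposes it acts on."""
        status = self.effective_status(consumer_id)
        v = self.version.get(consumer_id, 0)
        return [
            {"system": s, "consumer_id": consumer_id, "version": v,
             "status": {p: status[p] for p in sorted(purposes)}}
            for s, purposes in sorted(DOWNSTREAM.items())
        ]

    def ack(self, consumer_id: str, system: str, version: int) -> None:
        """A downstream system confirms it applied the given version."""
        self.acked[(consumer_id, system)] = version

    def stale_systems(self, consumer_id: str) -> List[str]:
        """Systems that have not confirmed the consumer's current version."""
        v = self.version.get(consumer_id, 0)
        return sorted(s for s in DOWNSTREAM if self.acked.get((consumer_id, s), 0) < v)


def demo() -> ConsentLedger:
    """Constructed scenario: one consumer makes choices on three channels."""
    ledger = ConsentLedger()
    t0 = datetime(2023, 1, 5, 12, 0, tzinfo=timezone.utc)
    # Arrival order differs from capture order: the car event was captured last
    # but arrives before the smart TV event, and must still win for "sale".
    ledger.record(ConsentEvent("c-123", "web", "sale", "opt_out", t0))
    ledger.record(ConsentEvent("c-123", "car", "sale", "opt_in", t0 + timedelta(days=2)))
    ledger.record(ConsentEvent("c-123", "smart_tv", "targeted_advertising", "opt_out",
                               t0 + timedelta(days=1)))
    ledger.ack("c-123", "web_ad_server", ledger.version["c-123"])
    return ledger


if __name__ == "__main__":
    ledger = demo()
    print(ledger.effective_status("c-123"))
    print("not yet synced:", ledger.stale_systems("c-123"))
```

The ledger keeps the raw events for audit and derives status rather than overwriting a single flag, so a late-arriving signal from one channel cannot silently undo a newer choice made on another; `stale_systems` is the operational check that a choice has actually reached the databases the panel says must be updated, not just the browser.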
Privacy assessments, while not new for many, now include California’s requirement to actually file assessments with the CPRA on a regular basis. And recently proposed California regulation includes assessing the third parties with whom you share data.
Ultimately, it comes down to the choices and legal frameworks that have to be put in place, and how you think about the critical assessments and privacy systems you need to have.
Solving the Challenge of Multi-Channel Consent
Leveraging GDPR Experience
You’re going to have to understand what information you are collecting, processing, and storing (and where and how you are storing it) to ensure your mechanisms for consent, notice, and transparency actually reflect what your systems are doing.
—Katie Pimental, Yahoo!
“Yahoo is very fortunate in that a lot of the framework processes and technologies that we were required to build out for GDPR, we are now able to leverage for what we’re seeing come down in CPRA and other States when it comes to consent,” says Pimental.
She recommends looking at what your organization has already done. “Odds are you already have either a third-party or homegrown consent framework and mechanisms within your website for GDPR consent.”
“One thing to keep in mind,” cautions Pimental, “is the notion of sensitive personal information and its nuances within each of the States. You’re going to have to…understand what information you are collecting, processing, and storing – and where and how you are storing it – to ensure that your mechanisms for consent, notice, and transparency actually reflect what your systems are doing. There’s a lot of third parties out there that can assist with that.”
The U.S. has always traditionally been an opt-out regime where the default is always to opt-in. Now, the CPRA and the regs are bringing the opt-in concept to the U.S. for the first time in areas like online behavioral advertising.
—Katie Pimental, Yahoo!
“We didn’t have the legal or statutory obligations to provide these types of options to users,” notes Pimental. “It’s interesting because the technology hasn’t quite caught up with what the statutes are requiring today,” which has resulted in some of these statutes’ start dates and requirements being pushed back. “We definitely need to keep our ears to the ground in terms of how the laws are coming online,” she advises.
Managing Privacy Policy
While it is painstaking, the most efficient way to look at what needs updating and what changes to the privacy policy need to be made is to literally go line-by-line and State-by-State: [so it is] absolutely clear and transparent and the consumer can understand how and what we’re doing with their data.
—Tara Jones, Yahoo!
Jones notes that “unlike other pieces of the various regulations coming out, privacy policy notification and transparency is not a one size fits all. You can’t use ‘the most common denominator.’”
This makes for a significant management challenge. And while it is painstaking, the most efficient way is to go line-by-line, state-by-state, she offers.
“And then there is a completely separate operations team that manages the updates and sends all of it out for translation,” explains Jones. “It is painstaking, but this ensures that it is absolutely clear and transparent. This is not just a one- or two-person job; the whole team is involved in what is a multi-level process.”
Managing Consent
We need to just start looking at where we can be at the top of the funnel from a consent perspective – how many clicks does that represent? At what points do we need to add additional consents? And not just plug the holes.
—Lisa Barksdale, Zillow
“It’s challenging because there are so many different pathways for the user experience,” continues Barksdale. “You always want to think about the impact to the user…about how we achieve a more centralized way of establishing preferences and consents, while avoiding what could be perceived as dark patterns.”
She notes that the consumer is smarter today and “having consent choices at every point of data capture is becoming a nuisance to them. To counter this, we need to just start looking at where we can be at the top of the funnel from a consent perspective. How many clicks does that represent and at what points do we need to continue to add consent capture?
“If we just look to plug the holes, it’s not going to be good for the consumer and it’s definitely not going to be good for adoption rates – particularly as additional regulations come along.”
From opt-out to opt-in?
What really caught my eye, and I’m not the only one, is that draft regulations in California have language about reasonable and proportional use of data, consistent with the perspective of the consumer. If it isn’t, the proposed language suggests that in those areas you might have to enable somebody to opt-in instead of opting out.
—Justin Antonipillai, WireWheel
As consumers are indeed much savvier, they now have “expected uses” of their data. “The question then becomes, what’s expected?” opines Pimental. “Is a free website expected to have advertising? Is advertising expected to result in the sale and sharing of your data?
We are really on the cusp of a fundamental shift in how we have to notify consumers to get consent.”
Interestingly, Pimental proposes that when considering what is reasonable and proportional, the GDPR provides a solid framework emanating from legitimate interest or contractual requirements. This, she suggests, may be a helpful perspective as a baseline for what may be “potentially reasonable and proportional within the new state laws.”
Ultimately, the evolution of consent and privacy assessment requirements is a complex set of legal and technological challenges. And as Barksdale suggests, “traditional concepts like ‘know your customer’ (KYC) are valuable. The more you know your customers, the easier decisions concerning navigation of consent will become.” And as Pimental notes, with regard to the technology implementations, there are many third parties available to help.
Key Takeaways
- Think about a central source of truth (your databases and systems) to capture and understand what the consent status is at any given time.
- Leverage what you may have already done under GDPR and compare that to what information and obligations are required under the state laws and ensure you are capturing that consent from an operations perspective.
- With privacy policies, there is no “most common denominator.” It’s painstaking to update privacy policies line-by-line for each State, but necessary if you want to ensure clarity and transparency for your consumer.
- Consider a top-of-the-funnel perspective for consent. How many clicks does that represent? At what points does consent capture need to be added? Don’t just look to plug the holes.
- Build a program centered on know-your-customer (KYC), and consent navigation will become easier.
- For those doing business in the EU, consider the GDPR framework around legitimate interest and contractual requirements as an internal measure when baselining what is reasonable and proportional.