Privacy Law Update: May 16, 2022

Stay up to date with this weekly release covering key developments on data privacy laws, technology, and other hot privacy topics!

Newsworthy Updates

US Senate Confirms Alvaro Bedoya to FTC as Fifth and Final Commissioner

After a series of delays during the confirmation process, the U.S. Senate approved the nomination of Georgetown University law professor Alvaro Bedoya to fill the remaining commissioner vacancy on the Federal Trade Commission. Bedoya’s confirmation gives Democratic appointees a 3-2 majority on the Commission.

California Privacy Protection Agency Holds Pre-Rulemaking Stakeholder Sessions

The California Privacy Protection Agency (CPPA), which is in charge of implementing and enforcing the California Privacy Rights Act (CPRA) and the California Consumer Privacy Act (CCPA), held a series of pre-rulemaking stakeholder sessions over three days last week. The Agency’s Executive Director, Ashkan Soltani, opened the sessions on Wednesday, May 4, welcoming attendees including Professor Jennifer Urban, Chair of the Agency. Urban was appointed Chair of the five-person CPPA Board by California Governor Gavin Newsom in March 2021.

Potential Roe v. Wade reversal brings ‘urgent need’ for federal privacy law

U.S. Rep. Suzan DelBene, D-Wash., issued a statement explaining how overturning Roe v. Wade further amplifies the need to “swiftly pass a strong” federal privacy law. DelBene said Congress “can’t afford to wait” on a law because “our tech laws are so behind.” She also noted how the impacts on women’s online privacy from the pending Supreme Court decision could be best addressed through a national privacy standard. She said sensitive data risks include “internet searches about reproductive health care including abortions, menstrual tracking and other women’s health apps, and which medical facilities a woman has visited.”

Digital Advertising Alliance Launches Initial Certification Process for Addressable Media Identifiers

The Digital Advertising Alliance (DAA) announced the launch of its initial certification process for providers of Addressable Media Identifiers (AMIs). AMIs are used to enable relevant advertising, optimized outcomes, measurement tools, and other important functionality with new privacy safeguards for the ad-supported digital content and services enjoyed by millions of consumers worldwide. “Over more than a decade, the DAA has built the advertising industry’s leading independent self-regulatory platform for interest-based advertising, and the AMI certification process is the logical next step for our efforts,” said Lou Mastria, CIPP/US, executive director of the DAA. “The DAA has continuously adapted our industry guidelines and consumer tools to keep pace with new technologies and industry changes, and we are proud to continue to evolve our program with important new cross industry privacy safeguards including prohibited data uses.”

UK announces data protection reform

The U.K. government announced in the Queen’s Speech its intention to reform the country’s data protection regime, Euractiv reports. The speech did not include specific details regarding the extent of the reform, but those are expected in the weeks to come. The changes may affect EU-U.K. adequacy: Centre for European Reform Senior Research Fellow Zach Meyers said the U.K. “was repeatedly found to have breached” EU data protection standards previously with its national security practices, and further divergence may lead the European Commission to withdraw its adequacy decision.

Privacy Legislation

California: The California Privacy Protection Agency (CPPA) heard public comments from approximately 100 stakeholders in a series of virtual sessions held from May 4-6. A brief summary of FPF’s presentations to the CPPA on automated decision-making, data minimization, and opt-out preference signals is available. The Agency heard from various representatives of industry and civil society, with commentary largely matching responses to the September 2021 request for comments. Alastair Mactaggart, proponent of the CPRA ballot initiative, spoke to reiterate his argument that the plain language of the CPRA requires businesses to recognize opt-out signals like the Global Privacy Control.

Connecticut: On Tuesday, May 10, Governor Lamont signed SB 6, An Act Concerning Personal Data Privacy and Online Monitoring, into law. Most of this comprehensive privacy legislation will take effect on July 1, 2023. FPF’s summary memo on the bill is available in our member portal.

Florida: Florida’s special session is scheduled to run from May 23 to May 27. While the only formally announced topic for the special session is property insurance, rumors have circulated that data privacy may be added to the agenda. As a reminder, HB 9 passed the state House in early March (a CCPA-style bill with a graduated private right of action).

Louisiana: The ‘Louisiana Consumer Privacy Act’ (HB 987), introduced by Rep. Daryl Deshotel (R), received a hearing in the House Commerce Committee on Monday, May 9. While the bill initially closely followed the Utah Consumer Privacy Act, the Committee adopted amendments offered by Deshotel to add correction rights, expand deletion rights, create risk assessment requirements, remove all carve-outs for pseudonymous data, and expand responsibilities for biometric data. The Commerce Committee advanced the bill without objection.

Then, on May 11, HB 987 received an unexpected hearing in the House and Governmental Affairs Committee (the late amendment adding risk assessment requirements included the standard public records exemption, and all Louisiana bills that touch on public records must go through House and Governmental Affairs). Chair Stefanski (R) shared that he had heard concerns about the legislation and that action on HB 987 would be deferred until the Committee’s next hearing on Tuesday, May 17.

Pennsylvania: HB 2202, originally introduced in December 2021 by Rep. Mecuri (R) with 23 Republican and 7 Democratic cosponsors, has been scheduled for a hearing in the House Consumer Affairs Committee on May 25. This is a fairly unusual bill containing elements of both the CCPA and the CPA; it lacks a definition of “sensitive data” and would require recognition of opt-out signals. The Pennsylvania legislative session adjourns on November 30.

Future-proof your privacy program with WireWheel’s Trust Access and Consent Center and WireWheel’s Privacy Operations Manager.

Request Demo
Connecticut Passes the Next U.S. State Comprehensive Data Privacy Bill

On May 10, 2022, Governor Ned Lamont signed the Connecticut Data Privacy Act (CTDPA), making Connecticut the fifth state to pass a comprehensive consumer privacy law. The CTDPA is similar to the Colorado, Virginia, and Utah privacy laws.

Effective Date: July 1, 2023

Applicability: CTDPA applies to:

  • Individuals and entities doing business in Connecticut, or producing products or services targeted to Connecticut residents; AND
  • That in the preceding calendar year controlled or processed the personal data of at least
    • 100,000 consumers (excluding personal data controlled or processed solely to complete a payment transaction); or
    • 25,000 consumers, if the individual or entity derived more than 25% of its gross revenue from the sale of personal data

Exemptions: CTDPA does not apply to:

  • State and local government entities
  • Nonprofits
  • Institutions of higher education
  • Financial institutions subject to the GLBA
  • Covered entities, business associates, and protected health information under HIPAA
  • Information regulated by the FCRA
  • Personal data regulated by FERPA

Consumer Rights: Consumers are defined as Connecticut residents acting in an individual or household context; individuals acting in a commercial or employment context (for example, employees and job applicants) are not consumers under the Act.

  • Rights may be exercised directly or through an authorized agent
  • Information must be provided to the consumer free of charge once per 12-month period

Consumers have the following rights:

  1. Know if a controller is processing their personal data
  2. Access to their personal data
  3. Correction
  4. Deletion
  5. Portability
  6. Opt out of the processing of personal data for sale, targeted advertising, or profiling.
    • Consumers may opt out through an opt-out preference signal such as Global Privacy Control.
    • Honoring such signals is optional until January 1, 2025, when it becomes mandatory.
  7. Appeal a controller’s denial of a consumer request.
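The opt-out preference signal named above is an HTTP-level mechanism, so here is an added example of honoring it on the server. This is not WireWheel's code and is not drawn from the CTDPA; it assumes the Global Privacy Control specification's wire format (a user agent sends the request header `Sec-GPC: 1` to signal an opt-out, any other value or no header is no signal, and a site may publish `/.well-known/gpc.json` to declare that it honors the signal). The purpose names, the `stored_opt_out` flag and the sample requests are this example's own constructions. The example applies the header to sale and targeted advertising, the scope the GPC specification itself describes; a profiling opt-out here comes only from an explicitly stored request.

```python
"""Honoring a Global Privacy Control (GPC) opt-out signal on the server.

Added example; not WireWheel's code and not taken from the CTDPA.
Assumes the GPC specification: `Sec-GPC: 1` is the only defined signal,
and /.well-known/gpc.json is how a site declares that it honors GPC.
"""
import json
from typing import Mapping

# Purposes a consumer may opt out of, as listed on this page. The names
# are this example's own. SIGNAL_PURPOSES is the subset that the GPC
# header covers; profiling is gated only by an explicitly stored opt-out.
OPT_OUT_PURPOSES = frozenset({"sale", "targeted_advertising", "profiling"})
SIGNAL_PURPOSES = frozenset({"sale", "targeted_advertising"})


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only for an exact `Sec-GPC: 1`; header names are case-insensitive.

    The spec defines only the value "1". Values such as "true", "yes" or "0"
    are treated as no signal rather than guessed at, so a malformed header
    cannot silently widen or narrow an opt-out.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def processing_allowed(purpose: str, headers: Mapping[str, str],
                       stored_opt_out: bool = False) -> bool:
    """Gate a processing purpose on the GPC signal and a stored opt-out.

    `stored_opt_out` is a hypothetical account-level flag for an opt-out the
    consumer submitted through a web form or an authorized agent. Purposes
    outside OPT_OUT_PURPOSES (e.g. fulfilling an order) are not gated here.
    """
    if purpose not in OPT_OUT_PURPOSES:
        return True
    if stored_opt_out:
        return False
    if purpose in SIGNAL_PURPOSES and gpc_signal_present(headers):
        return False
    return True


def gpc_well_known(last_update: str) -> str:
    """JSON body for GET /.well-known/gpc.json declaring that GPC is honored."""
    return json.dumps({"gpc": True, "lastUpdate": last_update})


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    signalling = {"Host": "shop.example", "Sec-GPC": "1"}
    plain = {"Host": "shop.example"}
    for purpose in ("sale", "targeted_advertising", "profiling", "order_fulfilment"):
        print(purpose,
              "with GPC:", processing_allowed(purpose, signalling),
              "without:", processing_allowed(purpose, plain))
    print(gpc_well_known("2023-07-01"))
```

The gate should sit where the decision is actually made (the ad-tag injection point, the data-sharing job), not only in the consent banner: a signal that is read in the browser but never reaches the pipeline that sells or shares the data is not honored in any sense a regulator would accept.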

Sale of Data: Sale is defined as “the exchange of personal data for monetary or other valuable consideration.”

Assessments: Data protection assessments are required for processing activities that present a heightened risk of harm to a consumer, including:

  • Targeted advertising
  • Profiling
  • Sale of personal data
  • Processing of sensitive data

Consent: Consent is required for the following:

  • Processing of sensitive data
  • For consumers under 16 years of age:
    • The sale of their personal data
    • Targeted advertising
  • Secondary use: processing for purposes that are neither reasonably necessary to nor compatible with the purposes disclosed to the consumer

Dark Patterns: CTDPA prohibits dark patterns, defined as user interfaces designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice. Agreement obtained through a dark pattern does not count as consent under the Act.

Controller Obligations: Controllers are required to:

  • Practice data minimization
  • Only process personal data for necessary purposes or for the purposes to which the consumer consented
  • Have reasonable administrative, technical, and physical data security practices
  • Provide a mechanism for consumers to revoke consent that is at least as easy as the mechanism for giving it
  • Provide reasonably accessible, clear and meaningful privacy notice

Privacy Notices: Controllers must provide consumers with a privacy notice with the following information:

  • Categories of personal data processed
  • Purposes for which the categories are processed
  • Categories of personal data shared with third parties
  • Categories of third parties the controller shares personal data with
  • An active email address or online mechanism for the consumer to contact the controller
  • How to exercise rights

Enforcement: The Attorney General has exclusive authority to enforce the Act.

  • No private right of action
  • Cure period of 60 days
    • Mandatory from July 1, 2023, through December 31, 2024: the Attorney General must issue a notice of violation and allow 60 days to cure before bringing an action
    • Discretionary beginning January 1, 2025: the Attorney General may, but need not, grant an opportunity to cure

Exploratory Task Force: CTDPA requires the Connecticut General Assembly’s General Law Committee to convene a task force to make additional recommendations on important privacy-related issues. A report of its findings and recommendations must be submitted by January 1, 2023. Recommendations will consider the following topics:

  • Healthcare
  • Algorithmic decision-making
  • Children’s privacy


What should you do to get ready for this new law?

While Connecticut may be the next state to enact a data privacy law, it won’t be the last. Complying with this law will in many ways be consistent with what you are already doing for California, Virginia, Utah, and Colorado.

If you’ve mapped to those requirements, you’re pointed in the right direction to comply with the CTDPA. There is, however, still work to be done, including updating your policies, vendor agreements, and subject request mechanisms.

WireWheel offers a complete solution to help manage the requirements of the CTDPA, including a solution to fulfill employee DSARs, with an integration with Microsoft Priva and connectors to over 500 systems, including HR systems such as Workday and Oracle. Contact us to learn more.

Risks and Challenges of Data Privacy Program Management

As the world slides farther into a fully-digital landscape, consumers want to know how the companies they interact with handle their data. Names, addresses, financial data, and other sensitive information should be handled carefully in order to protect consumers. Data privacy programs can help regulate access and give consumers more control of the data they submit.

The results of a recent survey drive home the need for data privacy programs:

  • 47% of respondents were troubled by the prospect of their information falling victim to cyber-criminals.
  • 40% were uncomfortable with their information being sold and used without their permission.
  • 31% had no idea what companies do with all the information they collect.

Erasing consumers’ worries, giving them control over their data, and having transparent policies are key reasons why companies should initiate data privacy programs.

Organizations looking to build out privacy programs may run into a few obstacles at the outset. Common barriers to successful privacy program implementation include recruiting the right professionals in addition to organizational resource constraints. Unqualified professionals and limited resources can expose organizations to financial and legal penalties, reputational damage, preventable errors, and a false sense of security.

Financial & Legal Consequences

Financial and legal consequences are the two most widely recognized risks of a mismanaged privacy program. The 2021 Annual Privacy Governance Report published by the International Association of Privacy Professionals and EY found that the average privacy budget is $350,000. Depending on the size of the company, a figure like that can push a budget out of control.

Consider the toll a data breach would exact: in 2021, the average cost to a breached company was just over $4 million per incident. While the primary goal of an effective data privacy program is compliance with applicable regulations, the financial risks of non-compliance (legal fees, fines, settlements, public relations, and so on) are hard to ignore.

Organizations must be prepared to meet and report on the requirements for compliance in order to reduce their financial and legal risks.

Reputational Damage

In addition to financial and legal ramifications, privacy program mismanagement can also lead to reputational damage.

When mishaps occur, the manner, speed, and efficacy with which a team handles the crisis has a large impact. Beyond appearing irresponsible for the initial mishap, a team that cannot respond effectively can appear not to care about its customers’ best interests. To combat negative sentiment toward a brand after a privacy mishap, organizations often have to resort to costly PR campaigns as damage control.

Reputational damage can place even companies with the best products and services at critical risk, since consumers are simply not willing to provide personal information to an organization they cannot trust. It is important for organizations to understand compliance requirements in order to avoid the brand damage that stems from a mismanaged privacy program.

Manual Error & Oversight

Data privacy compliance can be intimidating for those not familiar with all of the work that goes into it. Without privacy automation processes set in place, organizations risk making manual errors. Even practiced experts, tasked with managing programs by themselves, might struggle to effectively keep up with the rigors of the job. Maintaining an entire program that is consistently compliant across numerous areas, each with different regulations, is a tremendous undertaking.

With so much data being collected and transferred between systems, it becomes unscalable to track varying data flows without the support of technology and automation. For an effective privacy program, it is critical to understand the type(s) of data being stored, how it is classified, the policies that govern the data, the location of that data, and who has access to it. Automating some of this work can help to lower the risk of human error and further prevent oversight that may stem from teams that are spread too thin.

False Sense of Security

Another privacy management risk is a false sense of security. Being able to objectively assess the current situation that your privacy program is facing is a difficult task, even for seasoned privacy professionals.

For this reason, it’s valuable to have a fresh set of eyes to provide additional perspective and support for privacy program health. This is even more important when a team lacks the expertise of more senior privacy experts that know what to look for and how to read between the lines in a scenario that might appear normal to a novice privacy team.

Reduce Privacy Risk & Overcome Challenges

Managing your own data privacy program doesn’t have to be burdensome. Managed data privacy services are a great solution for organizations that may not have the resources available to manage a full end-to-end privacy program in-house. Having an additional resource with subject matter expertise can make the difference between sustained operations and multi-million dollar lawsuits and settlements.


Privacy Law Update: May 2, 2022

Stay up to date with this weekly release covering key developments on data privacy laws, technology, and other hot privacy topics!

Newsworthy Updates

Connecticut Senate Passes Comprehensive Privacy Bill

The Connecticut Senate voted 35-0 to advance Senate Bill 6, an act concerning personal data privacy and online monitoring, to the House. The bill features provisions on “dark patterns,” recognition of global opt-out mechanisms, explicit children’s privacy measures, a right to cure that sunsets, and a July 1, 2023, effective date. A strike-all adopted in the final Senate vote moved the coverage threshold up to companies holding data on 100,000 or more consumers and clarified the definition of biometric data. The House will move straight to floor consideration once the bill is transmitted.

Congress Pushing Forward With Federal Privacy Law Talks

The Wall Street Journal reports on a bipartisan appetite within the U.S. Congress to take action on federal privacy legislation. Talks among key U.S. Senate and House committees are reportedly finding more areas of compromise toward guardrails for collection, storage and use of consumers’ personal information. Discussions around preemption are fluid and include perspectives from TechNet, a Big Tech lobby group working with Congressional leaders and previously lobbying at the state-level for laws modeled after Utah and Virginia’s privacy laws. “The engines are revving on this in a way they haven’t in a long time,” TechNet Senior Vice President Carl Holshouser said.

Political Agreement Reached On Digital Services Act

EU institutions announced a political agreement on the final text of the Digital Services Act. The legislation includes prohibitions on certain targeted advertising, specifically the targeting of minors and ads based on sensitive personal data. European Commissioner for the Internal Market Thierry Breton said the DSA shows “the time of big online platforms behaving like they are ‘too big to care’ is coming to an end,” while European Commission President Ursula von der Leyen said the regulation “will upgrade the ground-rules for all online services in the EU.” The DSA will enter into force once formally adopted and published, but its obligations apply to platforms only 15 months after entry into force.

Sneaking into the Data Business

One of the benefits of GDPR and similar U.S. state privacy laws is that many companies are forced, cajoled, or encouraged to ask permission before capturing, analyzing, repackaging and selling the information they gather about you. Apps delivered under the new laws call attention to behind-the-scenes data activities, where past versions would have quietly hidden the evidence. So now we are more likely to see when a website grabs our personal information and to decide whether we like it. Score one for transparency.

US Commerce Dept. Announces ‘Historic’ Global CBPR Forum for Data Transfers

Transborder data flows are among the most significant and complex issues in the privacy profession at the moment. As the U.S. and EU work to finalize the highly anticipated Trans-Atlantic Data Privacy Framework, an announcement oriented toward the Pacific Rim aims to help mitigate some of the global complexity and promote data flows with privacy protections.

Calling it “a historic moment for international cooperation in the digital sector,” U.S. Department of Commerce Secretary Gina Raimondo announced Thursday the creation of the Global Cross-Border Privacy Rules Forum along with Canada, Japan, the Republic of Korea, the Philippines, Singapore and Chinese Taipei.

Customer Experience And Data Privacy Need To Go Hand-In-Hand

Consumers are burnt and disenchanted with privacy in the 21st-century digital world that has seen endless data breaches, spats about cookies and walled approaches, the pandemic and nonstop disinformation. They’re fed up with tech companies, advertisers and marketers that use their data however and wherever they like. It’s a tenuous relationship at best and their inaction only fuels consumers’ demands for accountability, transparency and change.

United States and 60 Global Partners Launch Declaration for the Future of the Internet

The Internet has been revolutionary. It provides unprecedented opportunities for people around the world to connect and to express themselves, and continues to transform the global economy, enabling economic opportunities for billions of people. Yet it has also created serious policy challenges. Globally, we are witnessing a trend of rising digital authoritarianism where some states act to repress freedom of expression, censor independent news sites, interfere with elections, promote disinformation, and deny their citizens other human rights. At the same time, millions of people still face barriers to access and cybersecurity risks and threats undermine the trust and reliability of networks.

Privacy Legislation

California: The California Privacy Protection Agency’s pre-rulemaking public stakeholder sessions have been scheduled for May 4-6 via Zoom. The CPPA reports that 140 stakeholders have registered and will have 7 minutes each to speak. FPF team members will present on consumer opt-out rights, automated decision-making, and data minimization.

We continue to track a series of privacy bills in California, some of which would amend the CPRA directly and others that would create new obligations for regulated entities. A non-comprehensive list of recent legislative activity on significant bills follows:

  • AB 2273, filed by Assemblymembers Wicks (D) and Cunningham (R), would establish an ‘Age-Appropriate Design Code’ requiring services likely to be accessed by children (under 18 years old) to establish the age of consumers with a level of certainty appropriate to the risks and to implement default limits on profiling, collection and use, ‘dark patterns,’ etc. This week the bill was significantly amended, including removal of the “best interests of the child” standard from its operative text (covered in detail by Amelia Vance). The bill previously passed the Privacy & Consumer Protection Committee by a 9-0 vote on April 19.
  • SB 1189 filed by Senator Wieckowski (D) would impose new BIPA-style requirements on biometric data (with a 1 year retention schedule and statutory damages capped at $1,000 per day). On April 5 the bill passed the Senate Judiciary Committee by a 7-2 vote. On April 25 it was heard in the Senate Appropriations Committee and advanced to the Suspense File.
  • SB 1276 filed by Sen. Durazo (D) would provide that “shared mobility service data” is not covered by CalECPA and would authorize government agencies to require that providers of shared mobility services turn over vehicle and trip data. The bill sponsor removed the bill from the agenda of a committee hearing scheduled for Tuesday, April 26.

Connecticut: On Thursday, April 28, SB 6, An Act Concerning Personal Data Privacy and Online Monitoring, passed the Connecticut House by a 144-5 vote. The bill now goes to Governor Lamont for his signature, which would make Connecticut the fifth U.S. state to enact comprehensive privacy legislation. The bill is closely based on the Colorado Privacy Act.

Florida: There are increasing indications that Florida may take up privacy legislation in a special session, though no formal announcement has yet been made. It is unclear what approach to privacy a special session might take, though as a reminder, HB 9 passed the state House in early March (a CCPA-style bill with a limited private right of action).

Pennsylvania: HB 2202, originally introduced in December 2021 by Rep. Mecuri (R) with 23 Republican and 7 Democratic cosponsors, has been scheduled for a hearing in the House Consumer Affairs Committee on May 25. This is a fairly unusual bill containing elements of both the CCPA and the VCDPA; it lacks a definition of “sensitive data” and would require recognition of opt-out signals.

Benefits of Managed Privacy Services

Consumers want to do business with organizations and companies they trust. With data privacy being a prevalent subject in the global news sphere, people worry about who has their information and how it can be exploited.

One way companies can alleviate their customers’ concerns is to build and run programs that meet consumer expectations and comply with data privacy legislation. Fortunately, more organizations are investing in their data privacy practices to gain consumer trust: the 2021 Annual Privacy Governance Report published by the International Association of Privacy Professionals and EY found that 45% of surveyed organizations plan to hire one or two privacy professionals.

Taking action now can prevent future breaches, improve compliance, and enhance brand reputation. However, not every organization has the resources to start, update, or maintain a data privacy program. It takes time, training, and competence to plan and execute one. Some businesses skimp on securing their customers’ information to protect their profit margins. This risky practice can backfire.

Managed privacy services like the ones offered by WireWheel are designed to support struggling programs. Companies initiating or already running routine operations can come to appreciate the benefits of managed privacy services.


What Are Managed Privacy Services?

Managed privacy services streamline and optimize data privacy programs. They are cost-effective options that can replace or support staff who lack privacy training. The best services also keep organizations compliant with new and changing regulations.

Removing uncertainty and increasing efficiency can facilitate the running of privacy programs, no matter how robust they are. Companies that do not have to focus on managing their programs can instead spend their time improving their businesses in other ways.


What Are Some Challenges of Data Privacy Programs?

When data privacy programs are running at peak efficiency, companies can rest easy knowing their customers’ information is securely being used for the intended and approved purposes under which it was collected.


What would create a weak data privacy program?

Limited resources

Time and money are two of the most valuable commodities. Companies usually do not want to waste either – if they can spare them in the first place. Prioritizing other aspects of business over data privacy because of expenses can doom a program.

Employing experts takes time and costs money. Setting up a suitable infrastructure requires a notable investment. It is critical that organizations dedicate the resources necessary to develop a sound privacy program. Taking shortcuts due to limited resources might result in a lackluster program that can do more harm than good.

Evolving regulations

Data privacy has grown to be a major concern in recent years. Governmental entities have been forced to catch up with technology. As they scramble to set guidelines that give consumers better control of their private data, new regulations are continuously being planned and enacted. Current ones sometimes see changes. For a data privacy program to successfully function, constant compliance is mandatory.

Many companies cannot keep up with all of the changes, while some do not even try. Without assistance, these organizations fall further behind competitors that have employed managed privacy services.

Insufficient expertise

Privacy professionals must help ensure that companies collect only the personal data they need for the disclosed, specific purpose. They have to help manage and categorize the data for its intended collection and use, and for its deletion at the end of its life cycle. Doing this minimizes your exposure should there be a breach. They need to know how to ask the right questions without


What Are Some Benefits of Managed Privacy Services?

Privacy programs in any stage of operation can benefit from a managed solution. By offloading the bulk of the heavy lifting and complex operations that come with running an effective privacy program, organizations can reduce the number of hassles they deal with every day. They don’t have to stress about high overhead and tarnished reputations.

What are some major benefits of managed privacy services?

Low impact on resources

Companies don’t have to hire more staff and pay to train them if they supplement their privacy program with outside resources. Building your own data privacy program is ideal if you want the greatest control and oversight over your privacy operations, but getting there takes a lot of time and resources. The benefit of managed privacy services is adopting an already-built framework with optimized processes, along with the expertise of a team that keeps your privacy program on track.

Access to experts

Experts with years of experience can support a program better than a team assembled at the last second at a cut-rate price. Experience can be just as valuable as time and money. Companies can be confident their programs are in capable hands if they use technology that is backed by privacy experts.

Quicker compliance

Technology and expert advice can accelerate compliance. Companies can automate much of their compliance work with configurable tools. Automation not only saves time but reduces risk, since the tooling embeds industry expertise.


Another advantage of leveraging a platform to meet privacy challenges is that it will most likely not require an overhaul of existing processes. Choosing a service that supplements what is already in place can make a noticeable difference and eliminate the fear of something new taking over.

Excellent customer privacy experiences

Any organization that fulfills consumer data requests, collects consent preferences, and displays privacy notices should do so clearly and promptly. Consumers can feel better knowing the company they’re doing business with cares about their needs.


Are Managed Privacy Services Worth the Investment?

A complete solution like WireWheel’s Managed Services can run a privacy program efficiently and effectively. Companies of any size can automate and scale privacy to stay up-to-date with modern standards and demands.

7 Things to Do to Get Ready for Employee DSARs

Once you start gearing up for the wave of new state-level data privacy laws in 2023, you’ll notice that the California Privacy Rights Act (CPRA) has one big distinction that sets it apart: it protects both consumers and employees. If your business falls under the guidelines for compliance under CPRA, employee data is also included. What does this mean for businesses that’ll be fielding Data Subject Access Requests (DSARs) from Californians? Not only should you expect to receive a greater volume of DSARs, you’ll also be dealing with the intricacies of employee data.

Let’s take a look at the unique challenges of employee DSARs and how you can prepare your business to process them.


Learn how CPRA protects employees

CPRA defines a “consumer” as any person who is a California resident, including employees, former employees, job applicants, contractors, or other staff of a business. This is similar to Europe’s General Data Protection Regulation (GDPR), which also protects the data rights of employees. Two other US-based privacy laws coming into effect in 2023, the Colorado Privacy Act (CPA) and Virginia’s Consumer Data Protection Act (CDPA), do not include employees in their definition of consumers. To date, CPRA is the only state-level privacy law that grants the same data protection rights to employees as it does to consumers.


Know your obligations as an employer

Under CPRA you’re required to extend the same rights to your employees as you do other consumers, including:

  • Notice: Employers must provide notice of the collection of PII to their employees, job applicants, and contractors
  • Right to access: Employees have the right to access the PII you’ve collected
  • Right to correct: Employees have the right to correct PII that they believe is inaccurate
  • Right to delete: Employees may request the deletion of any of their PII in your possession
  • Right to restrict uses of sensitive PII: Sensitive PII may include a social security number, account login, financial information, geolocation, racial or ethnic origin, religious beliefs, sexual orientation, health information, and biometrics
  • Right to opt-out: Employees may opt-out of the sale of their PII to third parties


When it comes to employee DSARs, know what employers should expect

Employee DSARs may impact your company in ways you haven’t experienced up to this point with consumer DSARs. If your company operates in the Business-to-Business (B2B) space, you’ve probably received relatively few DSARs to date. Business-to-Consumer (B2C) companies collect much more consumer data so it’s only natural that they would receive the vast majority of DSARs. And if you’re a B2B company in a commercial relationship with your customers, you likely have a Master Services Agreement in place that covers data privacy requirements and allows your customers to access or remove their data whenever they want.

Under CPRA, however, B2C and B2B companies are equally liable to receive DSARs from their employees. If you’re a B2B company that’s been relatively immune to DSARs, here’s your wake-up call: you could receive a huge uptick in DSARs starting with the introduction of CPRA in January 2023.


Understand how fulfilling employee DSARs introduces new complexities

California includes employees in its definition of consumers, but employee DSARs have some unique characteristics which can make them more complicated than typical consumer DSARs. These complexities warrant extra attention to ensure you’re in compliance. Rick Buck, Chief Privacy Officer at WireWheel, delved into the intricacies of fulfilling employee DSARs in a recent interview. Rick explains:

“What complicates employee subject requests, particularly when we are looking for employee data in unstructured formats, is that data is going to be exposed potentially about people other than the person who requested the information, and those people’s information is completely out of scope and completely inappropriate to be presented by an employer (in response to an employee DSAR), and so that data needs to be redacted.”

Let’s take a closer look at the two issues Rick highlights: unstructured data and redaction.


Learn how unstructured data weaves a tangled web

Typical consumer data is stored in structured databases. However, your employees’ personally identifiable information (PII) is more likely to be stored as unstructured data. Most companies store large quantities of employee PII in unstructured data sources such as emails, text messages, and audio files. If the employee has a long tenure with your company, their unstructured PII may span countless systems and applications.

This makes it even more important for companies to automate their process for locating and retrieving PII in unstructured data when fulfilling employee DSARs.


Know not to overshare: rely on automated redaction

Another challenge you may face when locating employee data is the inevitable co-mingling of your employees’ PII. Let’s look at an example of how this could happen.

Employee A submits a DSAR to your company requesting access to her PII. When searching for Employee A’s PII in your unstructured data, you find that Employee B’s PII is also mixed in the same HR files. This presents a predicament because you don’t want to violate Employee B’s privacy rights when fulfilling Employee A’s DSAR.

“When responding to a DSAR and there is third party data involved, a careful balancing exercise should be carried out by an employer as to the employee’s request and any third party competing rights.”

—Data subject access requests: data redaction in an employment context, Shoosmiths LLP


What can you do if you face this DSAR dilemma? You could try to obtain Employee B’s permission to disclose his PII to Employee A, but that scenario is rarely feasible. The best solution is redacting Employee B’s PII before you fulfill Employee A’s DSAR. Redaction ensures that you’re completely removing Employee B’s PII before handing over any data related to Employee A’s DSAR.
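The redaction step described above, as an added worked example that is not part of the original article and not WireWheel’s or Microsoft Priva’s code: given a requester, an employee directory, and a set of unstructured HR records, it pulls only the records that mention the requester and then strips out colleagues’ names and e-mail addresses, any SSN that is not the requester’s own, and any e-mail address the directory does not account for (such as an external contact). The directory entries and the record text are constructed sample data; the `Employee` class, the `[REDACTED]` markers and the regular expressions are assumptions made for the illustration.

```python
"""Added example: redacting third-party PII from unstructured HR records before
releasing them in response to an employee DSAR.

Illustrative code written for this article; it is not WireWheel's product, not
Microsoft Priva, and not any vendor's API. All names, e-mails, SSNs and record
text below are constructed sample data.
"""
import re
from dataclasses import dataclass

# Hypothetical patterns for the two PII formats this example handles.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


@dataclass(frozen=True)
class Employee:
    name: str
    email: str
    ssn: str


@dataclass
class RedactionResult:
    text: str
    redactions: int


def mentions(text: str, emp: Employee) -> bool:
    """True if the record refers to the employee by whole-word name or by e-mail."""
    name_re = re.compile(r"\b" + re.escape(emp.name) + r"\b", re.IGNORECASE)
    return bool(name_re.search(text)) or emp.email.lower() in text.lower()


def find_requester_records(records, requester: Employee):
    """Only records about the requester are in scope for the DSAR."""
    return [r for r in records if mentions(r, requester)]


def redact_third_party_pii(text: str, requester: Employee, directory) -> RedactionResult:
    """Remove every other person's PII while leaving the requester's own data intact."""
    count = 0
    out = text

    # 1. Colleagues known from the directory: names and e-mail addresses.
    for emp in directory:
        if emp == requester:
            continue
        for pattern in (re.escape(emp.name), re.escape(emp.email)):
            out, n = re.subn(r"\b" + pattern + r"\b", "[REDACTED]", out, flags=re.IGNORECASE)
            count += n

    # 2. Any SSN that is not the requester's. We may not know whose it is, so it
    #    is redacted regardless: an unknown third party has the same rights.
    def ssn_sub(m):
        nonlocal count
        if m.group(0) == requester.ssn:
            return m.group(0)
        count += 1
        return "[REDACTED-SSN]"
    out = SSN_RE.sub(ssn_sub, out)

    # 3. Any remaining e-mail address that is not the requester's (e.g. an
    #    external contact not present in the directory).
    def email_sub(m):
        nonlocal count
        if m.group(0).lower() == requester.email.lower():
            return m.group(0)
        count += 1
        return "[REDACTED-EMAIL]"
    out = EMAIL_RE.sub(email_sub, out)

    return RedactionResult(out, count)


def prepare_dsar_package(records, requester: Employee, directory):
    """Return (redacted in-scope records, total redactions) for the requester."""
    package, total = [], 0
    for rec in find_requester_records(records, requester):
        res = redact_third_party_pii(rec, requester, directory)
        package.append(res.text)
        total += res.redactions
    return package, total


# Constructed sample data: a three-person directory and four HR record snippets.
DIRECTORY = [
    Employee("Alice Rivera", "alice.rivera@example.com", "123-45-6789"),
    Employee("Bob Chen", "bob.chen@example.com", "987-65-4321"),
    Employee("Carol Smith", "carol.smith@example.com", "555-12-3456"),
]
RECORDS = [
    "Performance review 2021: Alice Rivera exceeded targets; peer feedback from Bob Chen attached.",
    "Payroll correction for Bob Chen (SSN 987-65-4321): no change to Alice Rivera's record.",
    "Carol Smith requested PTO for June; approved.",
    "Benefits enrollment: alice.rivera@example.com, SSN 123-45-6789, emergency contact dana@mail.example.",
]

if __name__ == "__main__":
    package, total = prepare_dsar_package(RECORDS, DIRECTORY[0], DIRECTORY)
    for line in package:
        print(line)
    print(f"{len(package)} records released, {total} third-party items redacted")
```

The ordering matters: directory names and addresses are handled first so that step 3 only has to deal with addresses the directory does not know about, and the record about Carol Smith alone never enters the package because scoping happens before redaction. A production pipeline would add more PII classes (phone numbers, addresses, employee IDs) and keep the redaction count as an audit record of what was withheld and why.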


Utilize integrations to streamline employee DSARs

If tackled manually, redaction is an onerous process. You don’t want to rely on an old-school black marker when CPRA comes into effect in January 2023. It’s critical to have a scalable, automated DSAR solution that includes comprehensive data search, discovery, and redaction capabilities. Employee PII is stored in the apps that employees and HR teams use the most, such as emails, SharePoint sites, and Microsoft 365 applications. WireWheel’s integration with Microsoft Priva is part of WireWheel’s DSAR solution that automates the process of finding and retrieving PII in unstructured data. This kind of integration can save your team thousands of hours and make DSAR fulfillment a much easier process.

Get a head start on CPRA by talking to WireWheel about how we can help you simplify employee DSARs for your organization.

Further Reading

Innovating DSAR Fulfillment with Microsoft and WireWheel

CCPA vs CPRA: A Guide to California’s Data Privacy Laws

The DSAR Guide: Overview of Data Subject Access Requests


Guide to Data Privacy Program Management

Data privacy program management incorporates policies, procedures, and programs that protect companies and their customers’ information. Strong data privacy and protection can influence whether or not customers will do business with particular companies. Weak management can make companies easy targets for costly breaches that can devastate fortunes.

A well-managed program helps make data privacy an integral piece of business that gives the company a competitive advantage. By meeting or exceeding requirements in laws and industry standards, companies can:

  • Improve their brand’s reputation
  • Meet and exceed consumer expectations
  • Uphold consumer rights
  • Guard data from threats and attacks
  • Keep the trust of business partners and clients
  • Sustain regulatory compliance


Privacy program managers guide the company’s use of client and prospect data for marketing purposes.  Their teams must use data privacy’s best practices to keep their companies compliant with current laws and consumer demands. They must create and continuously enforce policies. Although their responsibilities may not change, their preparation and approach are vital so their companies can keep up with the evolving landscape of privacy.


Understanding Data Privacy Program Management

Knowing the basic pillars of privacy protection can launch and guide programs through any legislative changes. The pillars ask:

  • What data is being collected?
  • Was notice and consent presented or collected where required?
  • What is it being used for?
  • Where is the data being stored?
  • Where is the data being processed?
  • Who has access to the data and for what reason?


Having a deep understanding of the answers to these questions allows companies to build privacy programs that increase compliance and decrease risk. Addressing each of the pillars can facilitate planning and the evaluation of a company’s strengths and weaknesses regarding privacy.

However, having a firm foundation is only one facet of the overall scheme. Even creating a plan, although instrumental, is not the end-all. Continuous implementation is required otherwise the best plans will go to waste and businesses can suffer.


Data Privacy Program Management’s Best Practices

The processes and procedures to keep data secure entail several tasks. They range from inventory creation to incident reporting. Staying up-to-date with each task can mitigate breaches even though it will take expertise and time.

Asset inventory and data discovery

Companies can better manage their privacy risk when they know where they store personal data. They can do this by creating an inventory of data assets. This inventory can also reveal what kind of information is stored. Clear visibility makes it easier to assign risk levels according to where the data is stored, who has access to it, and how it was obtained.

Privacy assessments

Since data privacy management is an ongoing process, occasional assessments offer time-sensitive reports that can identify privacy risks. Companies can prioritize actions and make required regulatory documentation based on the results of assessments.

For companies that partner with third parties, vendor assessments can ensure third parties responsibly handle personal data. Every entity in a data supply chain must be accountable for securely dealing with data. One weak link can expose customers’ private information and damage the reputations of everyone in the chain.

Privacy assessments are not just an important part of your program; they are required by laws such as GDPR and many of the emerging U.S. state privacy laws.

Privacy incidents

How fast a company is made aware of a transgression determines how soon it can respond. Empowering employees to easily report privacy incidents is a sound plan. Triggering a response is important, but so is assessing what went wrong. Acting on the results of a data breach assessment can help prevent a recurrence.

Some regulations require companies to report privacy incidents. Having a system in place can keep data safe and maintain compliance.

Privacy rights requests

Privacy rights are required by GDPR and all of the new U.S. state privacy laws. Sometimes an individual wants to obtain their own information that is being stored. Companies have to ensure requesters are who they say they are before sharing data.

Data Subject Access Request (DSAR) management concerns granting access to customers, verifying identities, and delivering information – seamlessly so as not to inconvenience the customer.

Global cookie consent

More and more privacy laws state that websites must allow visitors to control their cookie preferences. Complying with regulations satisfies government entities. It also can build consumer trust. Giving customers what they expect when it comes to cookie consent might seem insignificant but it can keep them happy and coming back for more.

Privacy policies and notices

Almost as important as cookie consent are a website’s privacy policies and notices. Publishing them educates visitors about how the website owner handles data. In many jurisdictions, notices must be presented prior to the collection of personal information. This can instill consumer trust and increase compliance.


Data Privacy Program Management Challenges

Privacy programs appear to be a lot of work because they are. Running one effectively is a full-time job. In addition to all of the program’s privacy operations, challenges can arise that affect a program’s effectiveness.

Evolving regulations increase complexity and uncertainty

As more countries and states enact data regulations, data privacy managers and their teams can find themselves lost amid all the different rules. Compliance is not easy when regulations often change. It takes dedication to stay current with every law.

Small budgets make prioritization difficult

Some companies can’t afford strict data privacy measures. People, hardware, and software cost money. Financially-beleaguered companies sometimes place their customers’ data security behind profit margins simply out of survival. It is only a matter of time before these organizations receive large fines or penalties for non-compliance.

Hiring privacy people takes time, energy, and patience

Implementing a data privacy program does not usually happen overnight. If a company does not employ privacy professionals, then they will have to hire them. The hiring process can be a chore that companies do not have time for, especially in today’s hectic business climate. Plus, one more employee is another expense that might not fit into a tight budget.

Companies typically want results immediately. However, if they cannot spare the time to recruit the right person or people to operate their privacy program, they will gain nothing.


Data Privacy Program Management Solutions

Some companies struggle with data privacy management for a variety of reasons:

  • Lack of subject matter expertise
  • Limited resources (time, money, knowledgeable personnel)
  • The complexity of privacy program management
  • Complicated regulations

Privacy compliance software and managed services packages can align with companies’ needs, technologies, and timelines to overcome the challenges and struggles centered around data handling. A fully-integrated platform can:

  • Create a central hub for data asset inventory to see what kind of information is stored, how it is used, and where it is transferred.
  • Automate privacy assessments that automatically collect data and trigger actions such as approvals and alerts.
  • Allow employees to quickly report data breach incidents and automate privacy incident follow-up.
  • Automate data requests that adhere to regulations.
  • Easily modify and publish website privacy policies and notices.

Additionally, some privacy compliance platforms augment existing systems and processes and provide scalable compliance. A company that finds itself dealing with a high volume of requests can use a framework or automated solution built on a privacy platform to ease the load.

Every company’s privacy needs are impacted by several factors. For example, a company’s industry and regulatory requirements can dictate privacy program demands. Regardless of the reasons, taking an assertive approach to compliance and risk can reduce and even prevent serious issues in the present and future. Companies that follow data privacy best practices are better positioned to maintain their market share through consumer and public trust, and possibly overtake competitors that are slower to adopt.


IAPP Global Privacy Summit 2022 Recap

This past week I attended my first IAPP Global Privacy Summit. It was a wonderful experience to be in person with so many privacy professionals and to hear firsthand about their challenges. Many people focused on the keynote speakers, which included:

  • Tim Cook, CEO of Apple, who spoke about the privacy issues that drive and divide the major tech companies
  • Lina Khan, Chair of the Federal Trade Commission, who in her first public address spoke about how the FTC will leverage its rulemaking process to address data security
  • Brad Smith, President and Vice-Chair of Microsoft, who stated that the failure of the US to pass a federal privacy law makes the US less globally competitive


When I asked privacy professionals what they took away from the event, most of them spoke about the practical things they heard about how to operationalize privacy. Here is a summary of my takeaways from the event:


1. The business benefits from building trust

Many privacy professionals talked about how they have small teams and small budgets and expressed how challenging it is to get funding and support from other people in their business. Support from other people in the business is critical as new regulations are rolled out and companies need to really examine their data practices.

By emphasizing the benefits of trust to the business and business growth and measuring how their contributions helped the bottom line, privacy professionals felt that they had a better chance of getting buy-in and budget and cooperation from their teams.


2. Consent is more than cookies

During a speaking session featuring WireWheel’s CEO, Justin Antonipillai, Ruth Boardman from Bird and Bird and Dona Fraser from BBB, the panel discussed how, while consent today means cookie consent, the new regulations are moving it towards getting and managing consent across multiple channels (including phone, TV, and other devices) in real time. This will make managing consent more difficult but also brings opportunities. If they do it right, companies can use consent as a way to build trust and collect more first-party data.

3. Marketing + Privacy: teamwork and trust are key

On a panel that I spoke on that included CMO Juliette Kopecky from LinkSquares, GC and CPO Andy Dale from Alyce, and Attorney Scott Lashway, privacy professionals were highly engaged and asked questions about how and when they should get involved with marketing as marketing evaluates new technologies. The panel suggested that privacy should get involved with marketing early and often while keeping in mind marketing’s motivation – driving revenue. The privacy team can offer a lot of value to the marketing team as marketing, especially in the cookieless world, relies on buyer trust.

Marketing can also help privacy teams to market their message to sales, clients, and other stakeholders in the company.


Utah Consumer Privacy Act (UCPA) Explained

The Utah Consumer Privacy Act is the fourth U.S. comprehensive state privacy law. On March 2, after only five session days of discussion, the Utah Senate and House unanimously passed the law. The bill was signed by Gov. Spencer Cox, R-Utah, on March 24, 2022. The law will go into effect on December 31, 2023.

The UCPA is a business friendly law that closely resembles the Virginia Consumer Data Privacy Act. Senator Kirk Cullimore, R-Utah, said “the bill accomplishes a balancing act by focusing directly on Utah consumers and their guaranteed rights, not the red tape that confuses businesses and consumers alike. It creates a workable standard for businesses and clarity for Utah consumers.” The Senator goes on to say “The Utah bill does not make the life of a business or privacy professional a lot more difficult in trying to comply with multiple bills across states,” Braithwaite said. “I don’t think there’s anything in this bill that makes it an outlier or something that requires special consideration.”[1]

Applicability: The law applies to controllers or processors that do business in the state, or produce a product or service that is targeted to consumers who are Utah residents with:

  • Annual revenue of $25M or more; and either
    • Control or process personal data of 100,000 or more consumers during a calendar year or
    • Derive over 50% of the entity’s gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.

Exemptions: The bill includes exemptions for employee data, non-profits, higher education institutions, covered entities and business associates, personal health information, and GLBA-regulated entities.

Consumer Rights: The UCPA provides many familiar rights to consumers.

  • Confirm whether a controller is processing their personal data
  • Access their personal data
  • Deletion of personal data
  • Portability
  • Opt out of targeted advertising or the sale of personal data
  • The bill does not allow for the right to opt out of profiling

Notice: Controllers must provide a privacy notice with the following information:

  • Categories of personal data processed
  • Purposes for which the categories of personal data are processed
  • Categories of personal data the controller shares with third parties
  • Categories of third parties the controller shares personal data with
  • How consumers can exercise their rights

Definition of Sale: The Utah definition of “sale,” “sell,” or “sold” means the exchange of personal data for monetary consideration by a controller to a third party. Notably, it does not include the words “other valuable consideration.”

Controllers are exempt from the disclosure of personal data to a third party if the purpose is consistent with a consumer’s reasonable expectations. This exemption is not found in the California, Colorado or Virginia laws.

Consent: Consent is only required (by a parent) for the processing of children’s data.

Consent is not required for processing sensitive data as it is in CO and VA. Utah only requires presenting the consumer with clear notice and an opportunity to opt out of the processing of sensitive data.

Processing Agreements: Controllers are required to enter into data processing agreements with processors processing personal information.

Assessments: The bill does not require privacy impact assessments.

Enforcement: The law is enforceable by the Utah AG’s office.

  • It has damages up to $7,500 for each violation
  • A 30-day cure period
  • No private right of action

The UCPA has a unique enforcement process. To file claims Utah consumers must first reach out to the Utah Department of Commerce’s Division of Consumer Protection and the Utah attorney general’s office. If a claim is determined to be legitimate, it then goes before the for further review.

What should you do to get ready for this new law?

While Utah may be the next state to enact a data privacy law, it won’t be the last. Most likely, complying with this law (as currently written) will in many ways be consistent with what you are doing in California, Virginia and Colorado.

If you’ve mapped to those requirements you’re pointed in the right direction to comply with UCPA. There is however still work to be done including: updating your policies, vendor agreements and subject request mechanisms.

WireWheel offers a complete solution to help manage the requirements of UCPA, including a solution to fulfill employee DSARs, an integration with Microsoft Priva, and connectors to over 500 systems, including HR systems such as Workday and Oracle. Contact us to learn more.

Future proof your privacy program with WireWheel’s Trust Access and Consent Center and WireWheel’s Privacy Operations Manager.


Privacy Law Update: March 7, 2022

Stay up to date with this weekly release covering key developments on data privacy laws, technology, and other hot privacy topics!

Newsworthy Updates

Utah On The Cusp Of US’s Latest Comprehensive State Privacy Law

Senate Bill 227, the Utah Consumer Privacy Act, cleared the Senate Feb. 25 on a 28-0 vote and the House followed suit with 71-0 approval March 2. There are a few formalities left in the legislative process. The bill will require concurrence with the Senate and signatures from leaders of both legislative chambers prior to 2022 session adjournment March 4. The bill will then head to Gov. Spencer Cox, R-Utah, who can sign the bill within 20 days after receipt, let it become law at the end of 20 days with no signature or veto the bill.

The Florida House Passes Data Privacy Legislation (Again)

The Florida House of Representatives today passed HB 9 by a vote of 103 to 8. The bill would be Florida’s first “comprehensive” data privacy law.

Biden’s Endorsement Could Be A Game-Changer For Kids’ Privacy Legislation

President Biden called on Congress to boost data privacy protections for children and ban digital advertising targeting them during his State of the Union address Tuesday night — a prominent endorsement that could jolt lawmakers into action after years of stagnation.

Why You Shouldn’t Wait to Build Out Your Company’s Data Privacy Function

Waiting even a year or two to start building out a compliant data privacy and management program will cost more, take longer, and be more disruptive to business operations.

Privacy Legislation

Connecticut: The General Law Committee heard Senator Maroney (D)’s SB 6 an act “Concerning Personal Data Privacy and Online Monitoring” on Thursday March 3 but did not take further action. The bill follows a VCDPA-style framework but includes various distinctions. Elements of note include a narrower GLBA exception, no rulemaking, mandatory recognition of opt-out preference signals, a narrow right to cure that sunsets, and a requirement to provide an easy mechanism for revoking consent.

Florida: Representative McFarland introduced a third strike-all for HB 9 that is intended to strengthen the exceptions for warranties and recalls, permit certain advertising measurements, increase the deadline to implement opt-out requests to 4 days, and allow businesses to collect attorney fees when a consumer lawsuit is in bad faith. On Wednesday March 2, the Act passed the State House by a vote of 103-8. The House further rejected a series of amendments offered by Rep Learner (D) aimed at minimizing small business impacts, extending the 3-year deletion schedule, and creating an opportunity to cure in private litigation. The Florida Legislature adjourns on March 11.

The “Florida Privacy Protection Act” (SB 1864), a VCDPA/CPA style bill filed on January 7 by Sen. Bradley (R) has remained idle.

Nebraska: LB1188, a version of the ULC’s “Uniform Personal Data Protection Act” introduced by Sen. Flood (R) was heard on Monday, February 28 by the Committee on Banking, Commerce and Insurance but no action was taken. In announcing the bill, Senator Flood noted that he does not expect the Committee to pass it this year.

Utah: The Utah Consumer Privacy Act (SB 277) has passed the State House and Senate by unanimous votes and will soon be transmitted to the Governor for signature. This is a VCDPA-framework bill but contains notable divergences in the scope of consumer rights and business obligations. If signed, the Act will go into effect on December 31, 2021. A full FPF analysis memo is available in our membership portal.

Virginia: This was yet another busy week for the proposed amendments to the VCDPA. Amendments from Sen. Marsden and Del. Hayes, the original sponsors of the VCDPA (HB 714) (SB 534) that would add “political organizations” to the nonprofit exemption and replace the “Consumer Privacy Fund” with the existing “Revolving Trust Fund” have passed the House and Senate.

An amendment (HB 1259) narrowing the definition of “sensitive data” under the VCDPA that had passed the House by a 96-4 vote on February 15 failed in the Virginia Senate General Law and Technology Committee following testimony in opposition from the Virginia Poverty Law Center and the Future of Privacy Forum.

Amendments to allow controllers that collect consumer data indirectly to treat deletion requests as opt-out of processing for all non-exempt purposes (HB 381) (SB 393) have passed the House and Senate.

Washington State: On Monday February 28, the House Appropriations Committee adopted a second substitute to HB 1850 that appears to drop most of the bill except for the enforcement provisions. The Committee also favorably referred the bill by a 17-16 vote, sending the bill to the House Rules Committee. On Thursday March 3, House Rules was “relieved of further consideration” and the Act was placed on second reading. The Act is currently scheduled for the agenda in the *Senate* Ways & Means meetings on March 5 and March 7. The Washington State legislature adjourns on March 10.

There has been no further movement on SB 5062, Senator Carlyle’s 2021 Washington Privacy Act, since it moved to the “Rules White Sheet” on Thursday 2/24.



Privacy Law Update: February 28, 2022

Stay up to date with this weekly release covering key developments on data privacy laws, technology, and other hot privacy topics!

Newsworthy Updates

CPRA regulations delayed past July 1 deadline, expected Q3 or Q4

The CPRA provides for regulations to be finalized by July 1 to allow for a six-month compliance window ahead of the law’s Jan. 1, 2023 effective date, but a surprise announcement from the CPPA suggests a compliance scramble is on the horizon. While offering a rulemaking update at a recent board meeting, CPPA Executive Director Ashkan Soltani indicated completion of the rulemaking process will go beyond the July target date.

The New Rules of Data Privacy

The data harvested from our personal devices, along with our trail of electronic transactions and data from other sources, now provides the foundation for some of the world’s largest companies. Personal data is also the wellspring for millions of small businesses and countless startups, which turn it into customer insights, market predictions, and personalized digital services. For the past two decades, the commercial use of personal data has grown in wild-west fashion. But now, because of consumer mistrust, government action, and competition for customers, those days are quickly coming to an end.

At Least 22 States Have Consumer Privacy Legislation Pending – Will 2022 Be the Year for More State Privacy Laws?

At the current time, the IAPP Westin Research Center is tracking comprehensive consumer privacy bills in 22 states. Many states, including Alaska, Hawaii, Massachusetts, New York, Pennsylvania, Washington, Wisconsin, and New Jersey, have multiple privacy bills pending. Most of the bills listed in the chart are described as “in committee,” and two states (Indiana and Oklahoma) have bills in cross-committee status. According to the IAPP, the focus of the bills selected for the tracker is on bills that provide legislative approaches “governing the use of personal information in a state.”

Privacy and Data Protection – The Year of Privacy Framework Implementation

For those involved in supporting a privacy and data protection program, continued expansion of new regulatory requirements will likely be the biggest trend in the coming year. Whether it be new laws being discussed, pending, or already in place such as those in a U.S. state or at the country or regional level – privacy experts and the organizations they support cannot escape the constant change. Along with this continually evolving environment comes the need to adjust the privacy program to address new requirements. In addition, those in charge of privacy policy and implementation sometimes struggle to support frustrated line-of-business leaders who don’t understand or appreciate privacy program requirements and see privacy as a distraction or barrier to productivity.

Countdown to State Law Privacy Compliance: 10 Months to Go | New Rules for Sensitive Personal Data

As noted in our intro alert for this series, new omnibus privacy laws are coming to Virginia and Colorado and California’s existing comprehensive privacy law has been further modified by the CPRA. Don’t wait to implement your compliance updates as it could require changes to your operations. These state privacy laws can even apply to businesses that do not have offices or employees in that state. The new laws can also reach activities conducted outside of the applicable state.

Privacy Legislation

California: Last week saw multiple amendments to the CPRA introduced including:

  • AB2871 filed by Rep Low (D) would extend the B2B and employee data exceptions indefinitely.
  • AB2891 also filed by Rep Low (D) would extend the B2B and employee data exceptions until 2026.
  • AB 2273 filed by Reps Wicks (D) and Cunningham (R) would create an “Age-Appropriate Design Code” modeled on the UK ICO’s code.
  • AB 2486 filed by Rep Gabriel (D) would create an ‘Office for the Protection of Children Online’ within the CPPA.
  • SB1172 filed by Sen Pan (D) would apply specific limitations on proctoring services.

Connecticut: The text of Senator Maroney’s (D) SB 6, an act “Concerning Personal Data Privacy and Online Monitoring,” has been released. The bill follows a VCDPA-style framework but includes significant distinctions. Elements of note include a narrower GLBA exception, no rulemaking, mandatory recognition of opt-out preference signals, a narrow right to cure that sunsets, and a requirement to provide an easy mechanism for revoking consent. A General Law Committee hearing has been scheduled for March 3rd.

Florida: On Wednesday 2/23, the House Judiciary Committee voted 13-4 to favorably report HB 9. The Committee also adopted a new strike-all offered by sponsor McFarland intended to narrow the applicability of the Act to large companies engaged in online advertising and also to scale the relief available under the bill’s private right of action based on the size of a business. The committee further rejected a series of amendments offered by Rep Learner (D) aimed at minimizing small business impacts, extending the 3-year deletion schedule and 48-hour deadline to implement opt-out requests, and creating an opportunity to cure. On Thursday 2/24 the Act was placed on the House ‘Special Order Calendar’ for March 1.

The “Florida Privacy Protection Act” (SB 1864), a VCDPA/CPA-style bill filed on January 7 by Sen. Bradley (R), has remained idle.

Iowa: The Iowa House privacy legislation has been renumbered and placed on the calendar as HF 2506. This bill (along with its companion SF 2208) follows the VCDPA.

Kentucky: On Thursday 2/24, HB 586 was introduced by Reps Pratt (R) and Decker (R). This bill closely follows the VCDPA, yet lacks a right to opt out of profiling and requires “clear notice and an opportunity to opt out” of processing sensitive data, rather than “consent.”

SB15 picked up a third sponsor, Sen. Schickel (R). We continue to await an anticipated substitute amendment from Sen. Westerfield (R) that will: (1) Raise the minimum coverage threshold to entities that hold information on somewhere between 10k-100k consumers; (2) add exemptions for organizations that are “affiliates” of entities regulated under existing federal privacy law (like GLBA); (3) add an ‘opportunity to cure’ to the existing injunctive private right of action. The Act appears informed by the VCDPA/CPA frameworks but contains distinctions such as consumer rights to opt out of “tracking,” unique consent standards, and transparency obligations for the locations where data will be stored by third parties.

Nebraska: LB1188, a version of the ULC’s “Uniform Personal Data Protection Act” introduced by Sen. Flood (R) is scheduled for a hearing on February 28.

Ohio: The “Ohio Personal Privacy Act” (HB 376) has been “re-referred” to the Rules and Reference Committee. The Act includes a right to opt out of sale and various unique elements such as a broad pseudonymous data carve-out and a safe harbor against AG enforcement for adhering to the NIST privacy framework.

Utah: On Wednesday 2/23, the Senate Revenue and Taxation Committee advanced the Utah Consumer Privacy Act (SB 277) by a 6-0 vote. The Committee also adopted a substitute amendment that aligned certain definitions with the VCDPA, adjusted controller/processor contracting requirements, and strengthened the consumer right of access. This is a VCDPA-style bill but contains notable divergences, such as lacking rights to opt out of “profiling” or obligations to conduct risk assessments. On Thursday 2/24, the Act passed a second reading in the Senate.

Virginia: This was yet another busy week for the proposed amendments to the VCDPA; what follows is our best understanding of the state of play:

  • Amendments from Sen. Marsden and Del. Hayes, the original sponsors of the VCDPA (HB 714) (SB 534) that would add “political organizations” to the nonprofit exemption and replace the “Consumer Privacy Fund” with the existing “Revolving Trust Fund” continue to advance. The House bill passed the House 100-0 on February 15 and was reported by the Senate General Laws Committee 14-0 on February 23. The Senate bill passed the Senate 38-1 on February 11.
  • An amendment (HB 1259) narrowing the definition of “sensitive data” under the VCDPA passed the House by a 96-4 vote on February 15 but has not yet seen movement in the Senate.
  • The House version of a pair of amendments to allow controllers that collect consumer data indirectly to treat deletion requests as an opt-out of processing for all non-exempt purposes (HB 381) (SB 393) has passed both the Virginia House and Senate by unanimous votes.

Washington State: SB 5062, Senator Carlyle’s 2021 Washington Privacy Act, has moved to the “Rules White Sheet.” It is not immediately clear from looking up Washington State lawmaking rules what significance this carries. Last year, the Act passed the Washington State Senate but stalled out in the House after receiving significant amendments (that went on to inform HB 1850).

HB 1850, the “Washington Foundational Privacy Act,” which passed the House Committee on Civil Rights and Judiciary on February 2, was tentatively scheduled for a second hearing in the House Committee on Appropriations on Thursday, but was subsequently removed from the agenda. The bill would create opt-out rights over targeted advertising, data sharing, and profiling, which may be exercised by user-enabled global privacy controls. The bill would further require annual registration of covered entities, create a Consumer Data Privacy Commission (with rulemaking authority), and provide for private rights of action.

Wisconsin: On Tuesday 2/22, the Committee on Consumer Protection reported AB 957 on a 5-3 vote and adopted an amendment that (1) amends the definition of “biometric” information; (2) limits the right of access to once per year free of charge; and (3) modifies the right of deletion where data is collected from a third party. On Wednesday 2/23, the Wisconsin Assembly voted to enact AB 957 by a 59-37 vote, largely along party lines, with Republicans mostly in favor. On Thursday, the bill was read for the first time in the Senate and referred to the Committee on Government Operations, Legal Review and Consumer Protection.

There has not been movement on SB 977 / AB 1050, a CCPA-style bill that has been introduced by Wisconsin Democrats.

Future-proof your privacy program with WireWheel’s Trust Access and Consent Center and WireWheel’s Privacy Operations Manager.


Privacy Law Update: February 21, 2022

Stay up to date with this weekly release covering key developments on data privacy laws, technology, and other hot privacy topics!

Newsworthy Updates

What An Independent Redress Authority Could Mean For EU-US Adequacy

Georgetown University Law Center’s Kenneth Propp, Université Grenoble Alpes’ Théodore Christakis and Alston & Bird’s Peter Swire, CIPP/US, wrote a post for European Law Blog proposing the creation of a U.S. foreign intelligence redress authority to help resolve the redress issue in EU-U.S. adequacy negotiations. Propp, Christakis and Swire write that a “Foreign Intelligence Redress Authority” could strike “a non-statutory solution” that is “compatible with the ‘essential equivalence’ requirements of Article 45 of the EU General Data Protection Regulation.”

UK Issues New Model Clauses for International Data Transfers

After Brexit took effect last year, the United Kingdom was no longer subject to the European Union’s General Data Protection Regulation (GDPR). While the UK already follows a data privacy regime that is substantially similar to the GDPR, the approach to data protection in the UK and the EU does differ in a number of ways that affect businesses.

Top-5 operational impacts of China’s PIPL: Part 2 — Obligations and rights

The Personal Information Protection Law of the People’s Republic of China entered into force Nov. 1, 2021. As the first comprehensive personal data law of China, the PIPL imposes a number of legal obligations on businesses in relation to the collection, processing, provision, transfer, deletion and destruction of personal data.

IAB pushes back against public perception following TCF ruling

IAB Europe urged reserved judgment regarding the Belgian Data Protection Authority’s ruling against the Transparency & Consent Framework until a resolution is reached. IAB indicated two EU DPAs advised against further use of TCF while “many sources have published partial or incorrect information about the scope of that decision.” The association reiterated it is appealing the decision and has two months to rectify its alleged violations.

What data privacy could look like in the metaverse

Government and private-sector organizations want to update data privacy and management approaches. Dense privacy policies and misleading website cookie notices are legacies of a bygone era. Today, data collection is becoming more ambient, often happening in places where there’s no ability to post a notice at all. Instead, digital experiences have expanded beyond our phones and web interactions, and data is collected in virtually augmented environments, whether through IoT devices on city streets or in our homes.

Privacy Legislation

California: The CPPA held a Board Meeting on February 17th at which Executive Director Soltani gave the following updates:

  • The Agency intends to hire 34 total staff with this year’s budget. Informational hearings with experts on key rulemaking issues will begin in March; public sessions to receive stakeholder input will begin in April.
  • Formal rulemaking proceedings are expected to begin in Q2 and conclude in Q3 or Q4 of this year (notably after the CPRA’s July deadline).

Connecticut: On February 17, the General Law joint committee voted to “draft” SB 6, an act “Concerning Personal Data Privacy and Online Monitoring.” The bill will be the product of Senator Maroney’s (D) summer working group with stakeholders; however, official text has yet to be published. The Committee Chair anticipates a forthcoming hearing dedicated solely to the consumer privacy bill.

Indiana: SB 358, a VCDPA-style bill that unanimously passed the Indiana Senate on February 1 was heard in the House Committee on Small Business and Economic Development on February 15 where it received a 12-0 vote to “Do Pass Amend.” The successful Amendment comes from the Indiana Office of Technology and concerns exceptions for third parties contracting with government entities. The Committee Chairman also offered an amendment to create a private right of action if CSAM appears on the services of large market cap companies; however, it was withdrawn after several committee members raised concerns as to whether the privacy bill would be the appropriate vehicle for such provisions. Furthermore, during public testimony, a representative from the Indiana Attorney General’s office suggested that the AG would not support the bill unless language establishing a specific consumer privacy fund for enforcement is reinserted.

There has been no activity on HB 1261, which was introduced on January 10 by Rep. Carey Hamilton (D) and would create CPRA-style rights to opt out of the sale or sharing of personal information and to restrict the use of sensitive personal information.

Iowa: HSB 674 received an “Amend and Do Pass” recommendation from the House Committee on Information Technology on February 15. The text of this amendment has yet to be uploaded. This bill (along with its companion SF 2208) is essentially the VCDPA.

Kentucky: The Senate Committee on Economic Development, Tourism & Labor held an informational hearing on SB15 on February 15. Sponsor Sen. Westerfield (R) shared that he is preparing a substitute amendment that will: (1) Raise the minimum coverage threshold to entities that hold information on somewhere between 10k-100k consumers; (2) add exemptions for organizations that are “affiliates” of entities regulated under existing federal privacy law (like GLBA); (3) add an ‘opportunity to cure’ to the existing injunctive private right of action. The Act appears informed by the VCDPA/CPA frameworks but contains distinctions such as consumer rights to opt out of “tracking,” unique consent standards, and transparency obligations for the locations where data will be stored by third parties.

Maine: On February 15, Senator Rafferty (D) and Representative Talbot Ross (D) introduced the “Maine Consumer Privacy Act” (SP 713/LD 1982). This is a CCPA-style bill with an additional section that creates rights and protections involving small dollar loans to consumers.

Massachusetts: Our legislative tracker has pinged procedural actions on several privacy bills originally introduced in 2021; however, Massachusetts is a ‘roll over’ state and we continue to believe the primary bill to watch is the “Massachusetts Information Privacy and Security Act” (S 2687), which passed through the Joint Committee on Advanced Information Technology, the Internet and Cybersecurity on February 1. This bill contains distinct elements from the GDPR (bases for processing); CPRA (definitions and consumer rights); CPA (contractual requirements); VCDPA (enforcement) and ODPA (safe harbor for breach litigation). Staff for Senator Feingold (D) asked us to share with our network that they are open to stakeholder input on this bill and we are happy to share contact information.

Nebraska: LB1188, a version of the ULC’s “Uniform Personal Data Protection Act” introduced by Sen. Flood (R) is scheduled for a hearing on February 28.

Ohio: The “Ohio Personal Privacy Act” (HB 376) “informally passed” in the State House on February 16, but we do not understand this to be a procedurally significant event in the Ohio legislature. The Act includes a right to opt out of sale and various unique elements such as a broad pseudonymous data carve-out and a safe harbor against AG enforcement for adhering to the NIST privacy framework. Note that Rep. Carfanga (R), a key sponsor of the Act, recently announced that he will leave the legislature to join the Ohio Chamber of Commerce.

Oklahoma: On February 16, the House Committee on Technology voted 6-0 to advance the “Oklahoma Computer Data Privacy Act” (HB 2969) from Reps Walke (D), West (R), and Sims (R). The sponsors also introduced two strike-all amendments this week. The first appears broad, and the second raises the minimum revenue threshold for coverage from 10 to 15 million dollars per year. The Act provides that “a business shall not collect a consumer’s personal information directly from the consumer prior to notifying the consumer of each category of personal information to be collected and for what purposes information will be used, as well as obtaining the consumer’s consent.”

HB 3447, a ULC privacy bill filed by Rep. O’Donnell (R) on February 7, has remained idle.

Utah: On February 17, Rep. Cullimore (R) introduced a new version of the “Utah Consumer Privacy Act” SB 227. This is a VCDPA-style bill but contains several notable divergences, including lacking rights to opt out of “profiling” or obligations to conduct risk assessments.

Virginia: This was yet another busy week for the proposed amendments to the VCDPA. The Virginia legislative process is somewhat opaque and fast moving, but what follows is our best understanding of the state of play:

  • Amendments from Sen. Marsden and Del. Hayes, the original sponsors of the VCDPA (HB 714) (SB 534) that would add “political organizations” to the nonprofit exemption and replace the “Consumer Privacy Fund” with the existing “Revolving Trust Fund” passed the Senate on February 11 and the House on February 15. Both the House and Senate amendments appear to have removed provisions that would have allowed an opportunity to cure only where “deemed possible” by the AG and permit the AG to recover “actual damages” sustained by consumers.
  • An amendment (HB 1259) narrowing the definition of “sensitive data” under the Act was replaced by a substitute February 14 to further remove the VCDPA’s consent requirement for sensitive data used for “marketing, advertising, fundraising, or other similar uses related to outreach, communications, or information sharing.” The amendment passed the House by a 96-4 vote on February 15.
  • Amendments to allow controllers that collect consumer data indirectly to treat deletion requests as opt-out requests (HB 381) (SB 393) had substitute language incorporated and passed the House on February 9 and Senate on February 14.

Wisconsin: On February 16, the House Committee on Consumer Protection heard AB 957. Unfortunately, the Committee record is sparse and we have been unable to find a recording. Rep. Subeck, the bill’s lone Democratic supporter, has also been withdrawn as a supporter. This bill (along with its companion SB 957) is essentially the VCDPA.


3 Tips to Get Ready for CPRA, CPA, and CDPA

3 Data Privacy Fundamentals to Prepare for CPRA, CPA, & CDPA

If your business handles consumer data, chances are you’ve become conversant in consumer data privacy regulations such as Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Those data privacy laws offer a preview of new requirements coming your way in the months ahead.

On January 1, 2023, California will be amending and expanding provisions under the California Privacy Rights Act (CPRA) and Virginia will roll out its Consumer Data Protection Act (CDPA). Colorado is rolling out the Colorado Privacy Act (CPA) on July 1, 2023. More state-level privacy legislation is in the works for 2023 and beyond.

Do you think data privacy laws won’t impact your business?

Businesses that are so far untouched by data privacy regulations can expect to have a greater legal obligation to protect consumers’ data as more consumers demand privacy rights.

How can you prepare your business for so many different privacy frameworks? At this stage in the game, it pays to step back and look at the requirements on a macro level. You’ll see there are more similarities than differences among the various state laws.

Three “big-picture” privacy fundamentals

No matter how many privacy laws impact your business – no matter how many are enacted down the road – getting three fundamentals in place will set you up for compliance (and fewer headaches).

1. Understand where your data is and how to get to it

One requirement CPRA, CPA, and CDPA have in common is responding to Data Subject Access Requests (DSARs) and compliance reporting requests. That means you’ll need to be able to access, modify, and possibly delete data from backend data management systems that are hosting personal data. When you start receiving DSARs, you’ve got to know where the relevant data resides and how to efficiently access it.

If you’re like most companies, you have vast data warehouses, which often reside in silos. Customer data may be inside CRM systems, marketing databases, product databases, customer care logs, or other repositories. Employee data may live in HR, financial or healthcare systems. To uncover where all of this data lives, it’s important to run a data discovery and data mapping process to give you visibility to the systems that hold personal data and understand how the data flows.

Doing thorough data discovery and data mapping will provide you with a good data inventory and enable you to quickly query your data stores. This will make the DSAR process go smoothly in the future.

2. Understand how your data is used, who can access it, and ensure that usage aligns with consent and policies

Once you know where your data lives and how it’s accessed, your next step is getting a grasp on how it’s being used, who is accessing it, and whether those uses align with your policies. Start by outlining all of your company’s approved use cases for each type of data. Also, identify any unapproved or revised use cases. Run a privacy impact assessment (PIA) to determine how personal data is used. After the privacy impact assessment is completed, determine if that usage should be adjusted, terminated, or if it requires a change in your privacy policy to allow for it. If you developed some rudimentary documentation and processes for GDPR and CCPA, now is an excellent time to review what you have in place and perform a gap analysis.

Leverage the privacy impact assessment to be a step ahead as it will identify how all categories of personal information (PI) are collected, used, transferred, or disclosed and for what purposes. These categories may include:

  • Sensitive consumer personal information (PI)
  • B2B contact personal information (PI)
  • Employee/contractor personal information (PI)

In addition to reviewing your own internal policies and compliance, it’s time to review how and what you communicate to consumers about your privacy practices. Above all, transparency is key when it comes to consumer privacy rights.

Some questions to ask yourself:

  • Are you giving appropriate notice to consumers?
  • Are your policies easy to find on your website?
  • Where is consent required and how do you collect and manage that consent?

(Image: just-in-time notices of data collection and use shown before you download a mobile application.)

3. Think about data privacy automation to operationalize your program for scalability

Now that you’ve got a good understanding of your data, it’s time to consider the speed and scale required to access it under the new privacy laws. No matter how well you’ve mapped your data and scrubbed your use cases, the sheer volume of consumer data requests and reporting requirements could crush even the most nimble business.

It’s virtually impossible to manually collect data at the scale, speed, and accuracy required for DSARs and ongoing compliance reporting. To have that level of granular supervision and control, you need an automatic way to log, classify, and validate your repositories of personal data that may be subject to DSARs. Now is the time to start exploring ways you can leverage technology to help build out your privacy program so it can scale for the volume and variety of DSARs and compliance requests you’ll receive under CPRA, CPA and CDPA.

Start exploring different technologies for automating your privacy program so you have time to choose a vendor that’s the right fit for your business. You’ll want to find a solution that can take on the heavy lifting as more and more jurisdictions enact privacy laws. Whether it’s managing DSARs or documenting the maturity of your privacy program, the technology should be capable of taking on those operational burdens.

Remember that consumer data probably flows beyond the (virtual) walls of your business and into the hands of third-party vendors. For example, it’s common to turn over customer lists to an external marketing company to run your advertising campaigns. Make sure your contracts with those vendors obligate them to the same data privacy and security standards that you maintain in-house.

If you’re reading this now, you’ve already got a head start

Congrats! You’re taking a proactive stance and placing a high value on consumer data privacy. By assessing your current privacy practices, identifying gaps, and making plans to automate and scale your processes, you will be a step ahead. Get the moving parts in place now and you’ll be ready for any state laws that come your way.

Download the Data Privacy Readiness Checklist on how to prepare for CPRA, CDPA and CPA.

How to Win Over Your IT Team

Making Privacy a Strategic Advantage

All privacy professionals agree on the necessity of organization-wide collaboration to effect privacy by design. And while privacy by design may currently remain “aspirational” for many, even baseline compliance, which depends on sound data governance, demands breaking down silos.

Consequently, regardless of where the organization sits on the privacy maturity scale, effective collaboration with IT is paramount, both at the baseline compliance level and in helping privacy mature to a position of strategic advantage.

To celebrate privacy week, WireWheel invited Forrester Principal Analyst Sara Watson to discuss “Making Privacy a Strategic Advantage: How to Win Over the Tech Executive.” Sara met with Steven Jacobs, WireWheel’s Director of Product Marketing & Partnerships, to provide valuable insights into the common-ground challenges shared by privacy and IT that can form the basis of the CPO, CIO, and CTO relationship.

The following is excerpted from Watson’s presentation, which was followed by an extensive Q&A.¹ It is well worth a listen.

Privacy and IT: A similar transformational path

As privacy becomes increasingly strategic my interest is in how these two functions can actually learn from each other’s transformation to having closer ties to the business and becoming more customer obsessed. Something at Forrester that we are obsessed with as well.

—Sara Watson, Forrester

We know that the privacy function is traditionally seen as a cost center focused on mitigating risk and ensuring compliance. And in some ways, this parallels how the IT function used to be positioned within most large enterprises: as an infrastructure provider.

But that model has been completely disrupted as technology, of course, becomes essential to all business transformation. And so, we think that future fit CIOs and CTOs are now partnering more closely with the business.

This means that they’re measured not just in terms of cost or uptime, but also in terms of business outcomes.

From cost center to strategic business partner

Sara walked through the importance of moving beyond the compliance-as-backend-cost-center approach to privacy in the enterprise, as we move towards privacy as a strategic partner in generating business value.

She shared, “there are key levers elevating the importance of privacy for basically all stakeholders right now…which are catching up to the reality of our data economy and shifting emphasis to first-party relationships rather than opt-out consent models. Ultimately driving the idea of giving users more power over their data.

Of course, this is going to drive the compliance function, but that’s really just the floor. It is not the ceiling of where the spirit of these changes is leading us.

Values-based customers are demanding more privacy from platforms and brands.”

That 45% of US consumers have said that they’re willing to pay for products in lieu of having companies collect, share, or sell their data (Consumer Reports survey) is an indicator that there is a market for privacy.

Consumer norms and expectations are changing as we become more digitally mature consumers. This means that trust is becoming imperative to all of these business relationships and yet at the same time, trust in technology as an industry is actually down.

According to Forrester’s 2021 “Consumer Technographics Benchmark Survey,” 20% of US online adults don’t trust any company to keep their personal information secure. Trust is really becoming a core issue.

—Sara Watson, Forrester

The shift towards digital experiences demands the integration of privacy considerations into the entire [customer] experience. It’s not just talking about checkboxes and opt-outs, but rather thinking about what is the privacy experience throughout the entire ecosystem, throughout the entire experience.

This means thinking more holistically about how these design choices can actually shape that experience.

From data protection to data as the currency of trust

These forces are also changing the nature of what privacy actually means to consumers. It is moving away from a strict legal definition of privacy towards the way privacy shows up in consumer experiences – consumer choice and enabling agency – and starting to speak to consumer values in those experiences.

In that effort, data is becoming the currency of trust and future-fit privacy functions will need to figure out how to support those emerging customer interactions and expectations as a means of partnering with the business in more involved ways.

—Sara Watson, Forrester

The Forrester Ladder of Privacy Competitive Advantage model is about how you can start to think about building towards higher levels of strategic positioning – a journey that parallels how tech organizations have evolved towards more future-fit strategies: how the tech exec is actually thinking about making privacy technology function more adaptive, creative, and resilient and becoming more strategic to the business as well.

The Forrester “ladder” of maturity posits 5 rungs:

  1. Regulatory compliance
  2. Operational efficiency
  3. Sustained compliance
  4. Business strategic enablement, and ultimately
  5. Customer and employee trust

Many IT organizations are on the path towards modernizing from a back-office infrastructure provider to a more strategic partner and enabler. Forrester research shows that:

  • 59% of organizations are still in the traditional IT model. These are very large enterprises and, as we know, big ships take a lot of effort to move in a new direction.
  • 33% have developed modern IT practices and have closer ties to the business, more adaptive setups, and infrastructure that’s cloud-based, and more agile.
  • Only the top 8% of firms demonstrate the characteristics of what we call future-fit: truly building an adaptive, creative, and resilient IT practice with very close ties to the business. And shared accountability for business outcomes.

Not just enabling business but tied to revenue targets or customer-focused metrics.

Partners in data stakes and goals

Privacy professionals and tech execs both hold stakes in the firm’s data. It is the key driver of both practitioners. This presents a huge opportunity to find partners on this maturity path to strategic business relevance.

The future-fit tech execs will inevitably need to partner more with privacy professionals to achieve some of their customer and business goals as privacy becomes more essential to the experience.

—Sara Watson, Forrester

Privacy naturally falls into the technology executive’s priority bucket of embedding privacy and security to increase business continuity and mitigate risks. But I would argue that that positioning is still very much in a compliance and security mitigation risk posture rather than a competitive advantage. Therefore, I argue that privacy professionals have a role to play in each of these categories.

This presents opportunities to start talking about how privacy fits into the organizational structure. To start to talk about change management and embedding privacy protection principles in the engineering organization or in the case of emerging technology, how you provide privacy-focused input on emerging tech pilot programs from the start.

Ultimately, privacy has to make its way across all of these priorities. That’s going to be the next level of maturity.

How to make privacy a tech exec first priority

Most importantly, privacy needs to be part of the tech exec’s top priorities; which is to plan, govern, and communicate the business value of technology: everything from implementation planning, budgeting, measurement, communication, and governance capabilities. All of which tie business targets and customer value to the technology enablers.

Forrester 2021 survey: 29% of global purchase influencers say that aligning performance metrics to business outcomes would be a high or critical priority in the next 12 months.

This is the greatest area that privacy professionals can learn from the IT organization’s journey and become a strategic partner in focusing on those ways of communicating value.

So how do you practically do that?

Privacy professionals can future-fit their approach to privacy metrics through the development of KPIs that look at key outcomes beyond compliance and focus on things like business enablement and customer engagement. (Tech execs have gone through this transformation.) Now we are starting to see that tech execs will be targeted against revenue goals, and that’s a huge shift.

—Sara Watson

In the realm of privacy, we are very familiar with KPIs focusing on the number and frequency of incidents, the number of customer inquiries you’ve received, or the number of requests handled. According to ISCA data, 58% of firms measure incident response and 57% use data protection and privacy impact assessments. But none of those communicate business value or measure tangible outcomes to the business.

The same survey found that only 11% of firms are measuring customer or brand impact of privacy efforts.

What I propose are future-fit metrics that can help privacy professionals develop these closer ties to the business and to customer experiences. Some are technology driven, but some in many ways are organizationally driven.

The metrics of business outcomes and customer experience

[From a business outcomes perspective] the questions become: how do you start to find the right stakeholders to support these data-driven initiatives? And how do you collaborate with the business on new projects and keep track of that?

[From a brand trust or customer experience perspective the questions become:] how do you increase the trustworthiness of your brand? What are the metrics that can tie to that? How do you positively influence the customer experience and contribute to creating the brand reputation?

Some of that does have to do with thinking about the number of transparency reports or the number of customers opting in versus opting out. Those are indicators of brand health.

Here are some of the metrics we’ve considered as we continue to think about how privacy can become more mature and more strategic to the business:

How do we use technology to change behavior that’s deeply embedded, not only in the organization, but as a marketer, or the way we think about and use data?

Always meeting that first-order demand, which is making sure that as the privacy officer you are meeting your compliance requirements – meeting those first-order metrics – but second, how technology can be used to gain credibility.

—Steven Jacobs, WireWheel

It starts with that customer-centric shift. The next step is to find those shared metrics, shared governance models, and shared frameworks for how privacy is going to fit into those processes.

There’s an argument to be made to meet people where they are.

¹ Quotation marks have been omitted and comments lightly edited for readability.


Practical Tips for Building your Privacy Operations

Privacy is a dynamic, cross-functional discipline that, no longer confined to the arcana of lawyers and cybersecurity experts, underpins nearly every aspect of the employer-employee and employer-consumer relationship. Nearly everyone in the organization has a direct or privacy-adjacent role: marketing, technology, HR, research, engineering, sales, product development, legal, et al.

To codify and operationalize privacy at this scale – regardless of the size of your organization – requires talent. And the competition for that talent is fierce. In short, the privacy field is booming, and demand far outstrips supply.

The resulting mobility among privacy professionals means that many who are responsible for operationalizing privacy are new to their companies. They face the dual challenge of acclimating to a new culture while improving privacy operations with near-term impact and laying the foundation for long-term maturation.

On January 26th, WireWheel CPO Rick Buck (a privacy veteran with decades of experience) moderated an IAPP Webinar, Practical Tips for Building Your Privacy Operations.

Rick was joined by Rebecca Shore, who recently joined Albertsons Companies as VP and CPO, and Eric Paulson, Grant Thornton LLP Manager of Advisory Services and Cyber Risk Privacy and Data Protection.

Paulson presented the concept of “Privacy Assurance” in operationalizing privacy, followed by very practical tips from Shore on how to do this when you are new to a company that may not even have a privacy program in place yet.

Privacy Assurance

“Privacy is not going to be the responsibility of one department or function within the company. It’s going to require cross-functional collaboration and buy-in from them to sustain compliance and manage risk,” says Paulson.

“It is through what Grant Thornton calls a Privacy Assurance Program – the second line of defense behind privacy operations – that provides a governance model,” noting that the three lines of defense model – 1. privacy ops, 2. privacy assurance, and 3. audit – is adopted from the financial industry.

The role of privacy assurance is to monitor regulations and risks and set policy guidelines. It also provides a framework for the internal audit team to independently assess compliance.

In all of this, collaboration is going to be a key part. Working with the legal team, privacy can make sure the organization’s meeting its obligations, setting the risk appetite, establishing roles and accountability for the framework, and leaving it to the business to align to those objectives and provide the customer experience.

The added benefit is creating a communication platform that creates and promotes privacy by design.

— Eric Paulson, Grant Thornton LLP

Privacy assurance in practice

To effectuate privacy assurance Grant Thornton offers three pillars on which the program rests:

  1. A Privacy Control Framework: This is “how the organization understands, rationalizes, and operationalizes regulatory requirements…and aligns to the company’s risk appetite.” (Here an organization can leverage existing frameworks like NIST or ISO.)
    Importantly, “business users are going to be responsible for knowing how to meet those objectives…business owners don’t really want to be told how to implement privacy,” opines Paulson. “They want to be provided with the main objectives and really work to define a process that’s going to work best for them.”
  2. Compliance Monitoring: It’s critical that both privacy and the business operations team are continually reviewing requirements [against] their business objectives and a) making sure that all those controls are still [functioning properly] and b) the control objectives are being met. “One way to support that is through a self-assessment process.” “A critical piece is going to be evaluating emerging regulations…to quickly identify gaps.”
  3. Key Risk Indicators (KRIs): “KRIs help you evaluate the program and look for maturity opportunities,” notes Paulson. “These could be the number of DSARs coming in or the number of PIAs that need to be completed,” for example. “They help make sure that [you] are within compliance and the objectives that the organization has set.”

Importantly, KRIs help support the business case for program budget, investment, and maturation.

In short, opines Paulson, “understand your regulatory compliance needs, outline your responsibilities…and don’t hinder your program by developing a framework that is very singular. Make sure it can be modified easily for future impending regulations.” Then, you can begin to “identify improvements and embed privacy assurance…and enhance through automation.”

The first 30, 60, 90-day plan

Albertsons’ Shore (who notes that she is speaking on behalf of herself, not Albertsons) relates that she has just gone through a transition herself:

“It’s a pretty big shift to come into a new organization. I think the most important thing – and it’s really hard to do in the first 30 days, particularly because you’re just really wanting to run – is to learn the company and the culture,” which can be very different.

You’re walking in and either have an existing program or you’re the first privacy person they’ve ever had in house, whether you’re an attorney or not, that’s a pretty big shift.

[If there is an] existing team, you’re listening, learning, and trying to understand your team. If you’re leading a program, the really key part during that listen and learn piece is not necessarily jumping on change yet. You want to understand how to make change and where it’s meaningful.

You’re building out your brand and your persona within your organization.

—Rebecca Shore, Albertsons

The 30-day plan

“You don’t immediately dive in when you have an existing program,” continues Shore, “and earning a reputation as someone who’s not taking the time to understand how the culture and systems work.”

And when there’s no privacy program at all?

“My first guidance is don’t panic. It’s okay. A lot of companies, particularly in the United States, may not necessarily have an embedded team,” says Shore, who recommends meeting with the cyber teams, who likely have protocols you can build on.

“If you’re in an existing program, you probably see there are a charter, a mission, and values, while in a new program, you likely don’t have those things. So, start to think about what you want your program to be.

“You may be in a position that you have no budget or resources when you walk in…and I would say don’t have them [yet] but start to prepare for your resource discussion in the first 30 days.”

The 60-day plan

“At 60 days you’re gaining momentum. This is when you start to socialize your direction and gain buy-in,” says Shore.

“The Privacy Assurance Framework is what this looks like. How do you develop pieces of it that allow for changes in laws? You might see a particular point of view that you want to start to implement within the organization.”

I recommend you start thinking through branding. [It signals] the type of approach privacy will take to address change.

Then implement the small changes that have a big impact. Lay the foundation for the push forward. You have a lot of work to do to get buy-in across the board.

—Rebecca Shore, Albertsons

  • Existing program: Socialize your direction and gain buy-in.
  • No privacy program: Create the program’s values and socialize. Prepare for the significant influx of questions.

“What kind of privacy program do you want to instill within the organization? Do you want to have a value associated with transparency and the ethical use of data? Is your company ready to embrace that concept? And how do you start to stand behind that?”

  • No budget or resources: Capture metrics (KPIs and KRIs) for those resource discussions.

“You may not have that budget or resources conversation within the first 60 days. But you want to be prepared. You want to start building the foundations of what your deck is going to be. And as you hit 90 days, you’re going to outline your strategy.”

The 90-day plan

If you have an existing program, you’re going to have strategic planning sessions with your team. If you don’t have a privacy program, I recommend you do a below-the-line exercise. Outline what’s possible in six months to a year. You’re not doing a three-year roadmap. You’re not ready. That’s just not where your program is or where your organization is. But you can solve for what the bigger projects are for six months to one year.

—Rebecca Shore, Albertsons

“And if you don’t have an existing technology (which is likely if you don’t have a privacy program),” suggests Shore, “you’re going to start to evaluate privacy technology vendors. Plan for your future technology enhancements, because you’re not going to be using Excel or MS Word documents for the next 20 years.

“At 90 days you need to be prepared for the resource conversation. It might be a few months before you feel like it’s the right place to have it, but your deck for resources should be complete.” To do this you must have metrics.

Key Takeaways for the first 90 days

  • Focus on the most impactful thing that you can do to help in the near term.
  • Build out the concepts that you can use in the future in those foundational first days.
  • Understand, prioritize, and distinguish the “must-haves” from the “nice-to-haves.” And understand what you “can have:” What do you really need now, next month, next year…?
  • Understand what can truly be achievable.
  • Establish your cross-collaboration “governance group.” One or two people alone can’t make it happen.
  • Gather the KPIs and KRIs and operationalize those important key controls to start building out your program.
  • Understand the company culture, and over time, the data flows, systems, and processes.
