Simplify for Success - Conversation with Lauren Kitces
We invited Lauren Kitces on #SimplifyForSuccess, a podcast series presented by Meru Data and hosted by Priya Keshav.
As a member of Sidley Austin's privacy and cybersecurity practice, Lauren discussed some of the upcoming privacy laws and how organizations can stay prepared for these laws.
Transcript:
Priya Keshav:
Hello everyone, welcome to our podcast around simplifying for success. Simplification requires discipline and clarity of thought. This is not often easy in today's fast-paced work environment.
We've invited a few colleagues in the data and information governance space to share their strategies and approaches for simplification.
Today, we'll be talking with Lauren Kitces. Lauren is a member of Sidley Austin's privacy and cybersecurity practice. She provides business-oriented privacy and cybersecurity advice to a wide range of clients. She has skillful knowledge of the subject matter across many areas of privacy, including the California Consumer Privacy Act, the California Privacy Rights Act, the GDPR, the Illinois Biometric Information Privacy Act, and cross-border data transfers.
Lauren has advised on and facilitated CCPA compliance programs and all facets of CCPA remediation across a range of industries, including ad tech, financial services, technology, automotive and retail. She regularly drafts and advises on privacy materials such as externally and internally facing privacy notices, corporate policies and training materials. She also coordinates and performs due diligence reviews and advises on security incident response and analysis. Lauren further addresses the complexities of international data transfers, leveraging her cross-border knowledge and experience to provide clients with a holistic and informed perspective. Lauren previously worked in-house, advising a global risk management, insurance brokerage, advisory and benefit administration company on both US and international data privacy.
She was a key figure in implementing corporate compliance with GDPR and assessing and managing compliance with a myriad of other data privacy laws, including the CCPA, the Chinese Cybersecurity Law and the Brazilian General Data Protection Law. As a certified information privacy professional and a passionate contributor to the privacy community, Lauren is regularly sought out for her perspective and is an active public speaker. Most recently, the National Law Journal named Lauren as the 2020 Go To Thought Leader for her contributions related to privacy legislation in California. Lauren served as a chair of the International Association of Privacy Professionals (IAPP), Washington DC chapter from 2018 to 2019, and remains an active participant in the IAPP through her local DC chapter and the Women Leading Privacy section. She enjoys the opportunity to connect with and learn from others in the privacy industry, and to also help those developing in the industry to grow and advance.
Hi Lauren, welcome to the show.
Lauren Kitces:
Hey, great to be here.
Priya Keshav:
So we are in December, and most of us are thinking about wrapping up the current year and planning for 2022. And as you know, the CPRA, the Colorado Privacy Act and the Virginia Consumer Data Protection Act will go into effect in 2023. If I am thinking about some of these regulations, what can I do now, in 2022, to prepare for the upcoming regulations in 2023?
Lauren Kitces:
That's a really great question, and one that I'm sure a lot of people are thinking about right now. And unfortunately, there is no clear answer to everything, so the best we can do is walk through the things to be mindful of and what to be aware of that's going to be forthcoming as 2022 starts and progresses. Because by all accounts, what we have right now isn't going to be the final state of laws and regulations when we hit 2023.
So first off, I would say, know that for CPRA the rulemaking process hasn't really started. It has started in a fashion: the California Privacy Protection Agency, the newly created agency, has started soliciting input in advance of their first draft. But there hasn't been a first draft of those regulations created. So while we have the text of the law, and there's a lot to digest in there, there is, first off, a recognition that there's going to be a lot more. Part of the reason everyone who has been involved in this from a CCPA perspective can understand that is that the regulations for CCPA were profound in what they added. They added a lot of detail, a lot of minutiae, and in many regards they added what I would say is kind of the meat on the bones of what we actually have to do on a day-to-day basis for CCPA compliance, and so the same is expected for CPRA. And similarly, there will be new regulations added, and it's unclear what's going to happen with the old regulations, whether they might be modified or kept as is for subjects that aren't changing. There's a list in CPRA of all the regulations that are needed, so there is some guidance, at least as to what's expected. But there is additional rulemaking authority available to cover other topics that are required to have regulations created, similarly but in a different fashion. Colorado and Virginia, both of those laws we actually expect to change. We don't know exactly how, but when Colorado was signed, there was a release made by the governor that it was a great law, but that it could use continued refinement, effectively. And the expectation is that there might be some amendments forthcoming related to those statements. Similarly, Virginia doesn't at the moment have an explicit call for regulations, but there is a requirement that there will be a Virginia workgroup created regarding the law.
That group wrapped their reporting in November, and a full report is expected at the beginning of the legislative term in the New Year. At that time it is anticipated that there will be suggestions for amendments to the law, and one of the items that was raised in that workgroup was the notion of changing the law to align it with other privacy laws that are out there right now, including on such subjects as the universal privacy control that has been created under the California law. So those are just some broad concepts to make sure people are aware of right now.
Priya Keshav:
Do you think, even if everything is going to change, we could just say, "OK, what's the point?" Can we just stop thinking about it now and wait for everything to get established?
Lauren Kitces:
No. So I wanted to start off by making sure people know that what you're looking at now, you can't assume is going to stay that way, but it's imperative that you start thinking about it now. And so, from a moving-forward perspective, I would say, first off, figure out what your current status quo is. Have you already complied with the CCPA? Have you complied with some other laws? So perhaps for some reason you weren't in scope of CCPA, but you've complied with GDPR, or perhaps you've had to look into PIPEDA for Canada or something like that. So figure out what your current status quo is, and then it's going to be figuring out what you can leverage.
Priya Keshav:
I have a couple of questions. So, you elaborated on a couple of circumstances, which is: maybe I am not in scope for CCPA, which probably is not likely, but maybe I'm just in scope for GDPR, and I might be in scope for Virginia or Colorado. Or maybe I never had GDPR, and I am in compliance with CCPA. So do I need to do anything from a CPRA/CCPA perspective? Because I'm doing a lot of the things right, so how different is the new law?
Lauren Kitces:
Sure. So CPRA is pretty significantly different from CCPA, so from the starting point, if you are covered by CCPA, you are not just done. And if you're covered by GDPR, for example, I would not say you're done for any of the three, the current or the forthcoming three state privacy laws in the USA. There are absolutely similarities in both concepts and terminology. But there are not one-to-one equivalencies between any of these laws across the board. Full stop. There's absolutely more there, so an easy example for CPRA is that it's introducing the concept of sensitive data. Sensitive data has not existed in CCPA, so there are now going to be additional requirements in place for sensitive data. If you are obliged to or are complying with the GDPR, that might be something that you've already thought about and split out and have certain expectations on. Again, it doesn't align completely as to how you must treat sensitive data, but that's a concept that didn't exist before, and that concept is now echoed in the Colorado and Virginia laws as well. So that is an easy example of a brand new concept that has a definition and certain requirements aligned with it that isn't presently in place. And it's a big deal, because for California, not only are you going to have to be able to notify specifically about sensitive data, you also have to allow people a right to limit the disclosure and use of sensitive data to certain criteria. In Virginia and Colorado, you actually have to have opt-in consent, express opt-in consent, to use sensitive data. So that's an example that across all three laws is changing compared to CCPA and also, I would say, compared to GDPR, just because the way it's being handled isn't apples to apples with how GDPR operates.
Priya Keshav:
So I want to focus a little bit on some specifics, right? So you mentioned opt-in consent for use, which means I can collect but I cannot use without consent?
Lauren Kitces:
So no, that's to get it in the first place, to collect it in the first place, to do any type of processing. So the way I think of processing is, if you're going to touch it in any fashion, it probably qualifies as processing. That's the way I try to think about it from a high level. To do any type of processing, you need to notify that it's going to be processed. So you need to notify, and then you need to have consent in order to get it and use it in the Virginia and Colorado examples. In California, you will not need to have that consent, but you will need to have permission just to get it in the first instance. Now, that may cause a bit of concern at first, because there are a lot of companies that deal with sensitive data. But one thing to keep in mind is that there are exceptions based on some of the types of sensitive data that we would commonly think about, such as data that may be regulated by other laws, such as HIPAA or the Gramm-Leach-Bliley Act, which are exempt from some or all of these state laws in different fashions. So the notion of sensitive data requiring consent across the board doesn't mean every single instance of health data, for example, requires consent. It means that those that are subject to the Colorado and Virginia privacy laws will require consent if you're going to process them.
Priya Keshav:
Are there any other key definitions beyond just sensitive information that I should be aware of that are maybe either different or new?
Lauren Kitces:
Sure. It's not something that I'm going to be able to list off right now, but some big ones that have emerged, not only in the state privacy law realm but really across the board in the US at the AG and FTC level, is the concept of dark patterns. So dark patterns is something that I would say hasn't been discussed very regularly in recent years, but it is, for all intents and purposes, if you're tricking people or kind of manipulating people into taking certain actions on a website. So for example, if you have a screen pop up that allows someone to opt in, but the opt-out button is really, really small and it's over in a corner where you might not even notice it, that could be argued to be a dark pattern. And this is defined under all three forthcoming state privacy laws, and there are restrictions on using dark patterns, which I believe you can't do under any of these laws. So that's a big one, because that really goes to style more than substance in some regards. It still goes to substance, but it goes to things like visual design. How are you literally laying out a website? How are you presenting choices? And that's a very different concept from some, if not most, of what has been considered so far when thinking about privacy requirements. I would also say that there is a difference between the laws and definitions that requires attention. So for example, they are not apples to apples as between a business in California and a controller, which is the term used for Colorado and Virginia. Similarly, a service provider in California is not necessarily identical to a processor in Colorado and Virginia. And then equally, you have to be careful about just equating those terms to what they mean in the EU, because everything that applies to a controller under GDPR does not necessarily apply to a controller as that term is used in Colorado and Virginia.
So there are a lot of nuances behind the definitions, and there are also a lot of changes to pre-existing ones. So an easy example of a change is that the definition of "sell" has been updated in California such that it now separates out "sharing" as a separate definition, and sharing is really related to cross-context behavioral advertising, which has been a very sticky subject as to where and how that fits in under the concept of selling under CCPA. So that's something where there's been a split, I would say, in a definition, to pull part of what has been conceptually tricky about the current definition of "sale" out and create a new definition of sharing.
Priya Keshav:
So there are so many differences in definitions and a lot of changes just to kind of get your arms around. But what are some of the fundamental things? And of course, some of this will change again as the rules are defined, and maybe there are some amendments. If somebody is asking you for advice on areas to focus on today while anticipating changes, what would those areas be?
Lauren Kitces:
So, I think, first off, for California only, it's starting to wrap your arms around the concept of business-to-business data and employee data, personal data, applicant data, all of that being in full scope of the law. So, we can talk about that in more detail, but as a big-ticket change that is happening, the exemption for almost the entirety of the current CCPA goes away on January 1st, 2023, and those buckets of topics will be in scope for CPRA. So that's the first thing: start thinking about what that means and start looking at what that means, recognizing, appropriately, that there's more to come there, including potentially regulations that will be specific to at least personnel, which is probably expected, and potentially business-to-business data as well. So that would be the first thing, conceptually. Just think about what that changes. The next step is thinking about your overall scope. So if you have all three laws in scope, they're not apples to apples between each other. They have a good amount of alignment, they're not completely and utterly different from each other, but to that end, figuring out what path you want to take. So looking at individual rights, for example, do you want to make that something that is based off of what state is in play for the person asking, so where the consumer resides? Or do you want to try to have a "we just fulfill a request when it comes in no matter what situation" approach, because it will somehow be complicated or burdensome for you to try to segregate them out? What are the pros and cons of those different approaches for your company? So thinking about how the different geographies play in, and then how you're going to take all the different provisions and format a program that allows you to have an ongoing operation. Now, for some companies who are smaller, the laws may all still apply, but it may be something they want to approach on a task-by-task basis or situation-by-situation basis as things come up.
Some of this, however, such as preparing a notice for your website or for whatever other purpose you may need to, is going to be something that requires forethought. It can't just be something that's addressed when something comes up. For companies that are larger, that have more complex datasets, that have more complex data uses or sharing activities, thinking about the interconnectivity between the laws and how you want to create a program for your company is one of the most fundamental things to do now, and I would really start thinking about that very soon, with the recognition that, as we've discussed, you have to bake in some flexibility. You have to recognize that, no matter how they end up changing, there's a likelihood that Virginia and Colorado are going to get some amendments to the current laws, and California is going to get a whole swath of regulation that we really might not have in final form until July. And even then, there's a possibility, because of how long the rulemaking process takes, that they still may evolve after that as well.
Priya Keshav:
So you mentioned thinking about subject access rights. So, there are a whole lot of new ones that will be in play, especially if you are just complying with CCPA and thinking about CPRA. For example, automated decision making, and we talked about sensitive data. Would you recommend doing some groundwork in terms of being able to comply with some of these requests from a workflow and a process standpoint? Or any other thoughts, other than just what my approach would be, whether I'm going to have a unified approach across all states? Is there anything else that you'd like to share?
Lauren Kitces:
Sure. First off, I'm a huge planner, so I would always recommend thinking ahead of time about how you are going to be able to handle these new rights, and making sure from the get-go that you even understand what they are, because the terms are not inherently obvious. So an easy example: earlier, when I referenced "sharing", sharing is very specifically defined under the CPRA. It's not just the mere act of giving the data to someone else; it has a specific alignment to cross-context behavioral advertising. And so that's a situation where we want to make sure that you understand what's actually being talked about when you're thinking about opting out of sharing, which is a right that now exists in California. So when thinking about the rights otherwise, I think learning what they are, and then understanding how they fit in with what you already have in place, is your starting point. So for CCPA, if you've done a mapping, or if you have, with some help, put a program or a process, including manual and automated processes, in place, that's where you start, with what you've already got in place. If you have nothing, for some reason, you've either made a determination that CCPA didn't apply, or perhaps you were just going at it one at a time and you've decided you'd like to move on from that and take a more organized approach. That's when it's going to be looking at the different rights under the laws, figuring out those nuances between them, and then how you want to move forward. So an easy example is that California does not have an explicit right to appeal, but Virginia and Colorado have added in an explicit right to appeal, with timeframes and some detail as to how you need to make that available. So if you deny someone a right, for those two states at least, you have to give them a mechanism that explains to them how they can appeal that decision. That's a new concept no matter what, if you have only been under the CCPA thus far.
You may have still allowed people to email you ad hoc and ask questions, say, "I'm not sure this is right," but there's a formality and a legality to it now. There are also now new rights, such as the right to correct, that haven't existed before. Entities that operate in a GDPR sphere will be more accustomed to this, right? But it is difficult to think about, for some systems, how will I be able to update this data? So starting to have those types of thoughts, talking to your tech team, talking to the different proprietary software platforms that you might use, asking whether there is an issue with us trying to change data, and trying to figure out what your boundaries are and what issues you might need to flesh out, and figure out how do we approach this? What are we going to do? Similarly, there is also now portability as a specifically enumerated right. That is something that was kind of inherently involved in the way the right to access was framed before under CCPA, but it wasn't explicit. It's now explicit across all three laws that you basically have an ability to take data with you. Again, that's not an easy concept to fulfill per se, and it's something to think about: are we in an industry where this is likely going to be even asked for? If it was asked for, how would we go about this? Starting to have those fact-finding, brainstorming type discussions is a much better thing to do now, so you don't go down a path of complying and then realize, wait a minute, we have a big technical hold-up that's going to be an issue here. So starting to think about all the different pieces for your respective entity, and how those are different for the different parts of your entity, is the good starting point, and then trying to frame a plan around that. The one additional thing I will note is, for California in particular, there is an explicit look-back period that is enumerated in the law, that basically people are able to look back to January 1st, 2022.
There is technically a provision that says they can ask for earlier, but it seems pretty clear under current readings that they can't require earlier, and 2022 is currently the stopping point. So you also want to be thinking about the fact that whatever you're going to be doing, whatever you're going to be putting in place from a California perspective, you need to be thinking that the data you're going to be dealing with from January 1st, 2022 is in scope for all of these different requests, and for how you're going to have to approach things, because there is that look-back built in.
Priya Keshav:
So what do you see as some of the biggest challenges, both from a preparation as well as a compliance standpoint?
Lauren Kitces:
I think we sat on one, which is the unknown. The unknown, I think, is daunting. It is hopefully going to be helpful, but at present, because it is an unknown, it is daunting. I think after that, recognizing that there are probably going to be new laws, and I don't want to add that into the mix too much, but recognizing that we can't say for certain that once we hit 2023 there aren't going to be additional laws that will go into place. So making sure that you plan a program, and adapt whatever program you may already have in place, with a degree of flexibility present, because making everything concrete and unmovable is not going to serve you well moving forward, based on everything we can see in the current legal market. I think right now the overall need to make certain changes over a long period of time is going to build fatigue. So a lot of people have been working, for what seems like an indefinite period of time, for two to three years on different aspects of CCPA, maybe even carrying over from GDPR. This is going to keep going, and so making sure that you've got good messaging and a solid framework in place, that people understand that this is just the new norm, we have to continue to adapt and grow with this. And recognizing that some teams are going to be more taxed than others, probably so. For example, in CPRA there is now a requirement not only to have a contract with service providers if you're a business, but to have a contract in place with basically every entity with whom you are exchanging personal information in California. That's going to be a lot of re-papering and new papering that's going to need to happen. Never mind adding in contract considerations from Colorado and Virginia, if those now apply as well.
So there are a lot of different pulls within a company that are going to need to happen, and there's a lot of top-down support that will be beneficial there, but also just recognizing and getting that messaging going that "Yep, we've been working on this for a really long time." It feels like at this point it's not going to end. It has to keep going and there has to be more, and that, I think, from a corporate perspective, is a big hurdle. It's a lot to get people to continue to want to work on this after there's been what seems like many years of work ongoing already.
Priya Keshav:
So I was going to think that you're going to say there are no challenges, it's going to be easy, but maybe I'm just an optimist, or maybe optimist is not the word, I'm a dreamer. But having said that, we're ending the year, so we want to end on a positive note. So do you see any opportunities that might be positive from all of this change that is coming?
Lauren Kitces:
Absolutely. I think the biggest thing to take away from it is that there is a concerted effort between different states to try, I would say to try hard even, to have similarity between the laws they're putting forward. So in the face of not having a federal law that preempts state activity, or that at least sets a baseline of equality between the state approaches to privacy, there is, at least right now, a concerted effort by the new laws that are coming out. So for both Colorado and Virginia, there have been statements made that the purpose is to have some amount of equality. That's not to say every law that's proposed or that is actually passed is going to be identical. But I think there's a good amount of hope there that people are catching on that you can't just make it different everywhere, and so that's really beneficial. I think, similarly, the concepts are not that attenuated between the laws. There are differences, and the differences matter, and they matter for a lot of reasons, and one of them is foremost risk. If you aren't aware of the differences and you just follow one state approach, you're probably not going to be fully compliant for all of the other states. But I think that the similarities do allow programs to pick a point that they like and evolve from there, and it allows you to have some amount of a grounding, with some variations on a theme. So it's not requiring three completely separate programs, and you can try to have a one-size-fits-all program, but I would say the middle ground that a lot of companies are probably going to take is, hey, let's have a baseline, and then every now and then we're going to have some variations on that theme, because we need to in the following circumstances, because that's the level of risk or the approach that we've decided to take as a company.
I would say, finally, the other thing is just that people are getting more used to this. So there is a benefit, even though fatigue can be a concern, and I don't want to be a downer by bringing it up, but I do think that there's a benefit that companies are getting more used to this. So you have contract departments that are more used to hearing about privacy addenda and privacy components of contracts. You have business teams who are more used to hearing about, "Well, we can't just use that data set we got for this other reason for the X purpose; we need to look into whether that actually works." And things like that, while they may not be everyone's favorite in the moment, help, because you don't have to teach everyone from scratch; you're building on something that's already there. And if you are at that point where you're brand new to this, because it either hasn't applied to your company, or perhaps you took the position that you were going to kind of stick with GDPR and CCPA was very, very small for your company, whatever it may be, there is still room to build that out, and know that the laws, as I mentioned, are trying to be similar for the most part. So what you're building likely isn't just going to become irrelevant in a year. You are likely building something that is going to be able to be further built on in the future and refined and adjusted. But again, it will be able to continue, and so I think all of those are really important things. And there's obviously the other one, which is that more people's information is being protected, and so it is nice to see that there is some continuity in how that's being approached, such that individuals, also in theory, have an easier time interacting with companies, such that they don't have to themselves go through a bunch of different things, different steps for different laws. Which also is a problem for the company, because it's harder for the company if you have to do a different thing every single time, just as it is for the consumer.
Priya Keshav:
No, agreed, and I think, to add to it, yes, it's been something that most of us in privacy have been at for a few years now, but also the awareness is there. They're probably not hearing it for the first time from the privacy experts within the company. They're hearing it from, there's a lot of news, there's a lot of information out there that's kind of talking about how first GDPR was coming, CCPA was coming, CPRA is coming. There are conversations about federal privacy laws, and most of us, even though we have a corporate job, we're individuals too, and I'm guessing we appreciate having more protection, and privacy of our data is important to us as well. Any other closing thoughts?
Lauren Kitces:
I think the best thing that companies can do right now is to take a step back and try to take a deep breath before launching into this. And if you started already, it's still a good moment for a deep breath, and just make sure that you're trying to look at the big picture in the midst of all of the little tasks. Because it's that big picture that I think is going to carry companies through. It's that understanding that there needs to be a purpose and a goal behind the project. And there needs to be an alignment, and it's that alignment, I think, between them, and that recognition of the interconnectivity, that even though you might have one team working on one aspect and contracts over here updating a template, there is a relationship between them at a fundamental level. And that holistic approach really, I think, allows companies to be much better prepared now. That's not to say every company has to approach it the same way, but taking that moment of pause to just really make sure you're not jumping in out of fear, and are instead looking at it from an organized and constructive approach, is, I think, very important to ensuring that you're getting the best out of all of the wonderful effort that you're putting in.
Priya Keshav:
No. Yeah, amen to your thoughts, right. So I remember 2-3 years ago, when it was probably a scramble, three different teams within the company sort of doing different things. And then you just sort of realize they don't connect with each other at all. They've completely approached it from three different angles, and now you have a lot of data, except you can't bring it all together for any kind of holistic solution. I think most companies have probably, hopefully, learned from that and are approaching it more from a strategic standpoint, in terms of it's not just being in compliance with the CPRA or Virginia or Colorado for that matter, because there's probably, who knows, ten other states coming, or a federal privacy law, or something else. So it's a marathon, and it's here to stay, so it's not a temporary thing. So the only thing that's going to be helpful is to sort of look at it holistically and think of this strategically, so you can make it easier over time.
Lauren Kitces:
Absolutely. My joking-but-not-joking way that I like to explain it to people is that everyone has their privacy love language. I know there's been this whole trend of, what is someone's love language? How do you communicate to them to share a sentiment with them? I find the exact same thing for privacy and talking about privacy at companies. Different things speak to different people. Sales is going to be motivated by very different things than compliance. And compliance is going to be motivated very differently than marketing, and figuring out how to have those communications and those relationships. And if you've already started and you're not there yet, good, keep going. If you haven't started yet, it's something to think about, that holistic approach. It's not merely aligning the laws, it's making sure that you're looking at it from that approach of, how do you actually communicate this? How do you actually have these conversations internally as well? And so I think that's something that's really important. And I think that there's a lot of good stuff to come. There's just a lot of work that's going to be in there too.
Priya Keshav:
Thank you so much, Lauren, it was a pleasure talking to you.
Lauren Kitces:
Thank you as well.