Traditionally, data privacy regulations were principles-based and would result in companies determining how to best implement the principles across their organizations.
In more recent years, however, regulators have begun moving away from principles-focused regulations to specific technical requirements.
This shift should prompt privacy professionals, including those working under the umbrella of in-house legal departments, to more closely collaborate with their engineering colleagues, said Brandon Wiebe, general counsel and head of privacy at the privacy platform Transcend.
“Because these regulations have gotten so much more specific and technical, privacy organizations really need to have a direct line of sight into the way these rules are actually implemented throughout the tech stack,” Wiebe told Legal Dive.
Workflow involvement
Wiebe joined Transcend from Twilio in May and said at the time that he had seen firsthand “how privacy compliance continues to evolve from policies to complex technical implementations.”
As a result, he recommends that legal teams’ privacy personnel be involved with engineering workflows to ensure that privacy management practices are incorporated when products are being built.
This approach could include privacy professionals performing privacy impact assessments for new products that are in development. These assessments ideally would be added into the product requirements documents known as PRDs, he said.
“Getting in early and being part of that product development or engineering process goes a long way to making sure that privacy controls are technically implemented early on, so that you don't have to retrofit privacy after a product is already built and shipped,” Wiebe said.
Privacy teams should also work with UX teams when they are designing opt-in and opt-out website banners to ensure they comply with dark patterns requirements, he said. Additionally, these types of collaborations will help companies comply with data sharing requirements under the California Privacy Rights Act (CPRA).
Education
Wiebe acknowledged that employees working on the privacy side, including lawyers, are sometimes hesitant to converse with company engineers because of a fear of not being able to communicate about technology in terms both sides understand.
He says privacy professionals should make the effort to gain additional knowledge about key technologies so they can more easily converse with engineering and product colleagues and break down this divide.
Wiebe called this approach meeting engineers and product personnel “where they are,” which will better equip organizations to ensure they are in compliance with important data privacy regulations.
“I think based on the regulations, we’re effectively required to develop really positive relationships with these teams and find a way to work really closely with them,” he said.
Government enforcement
Wiebe pointed to an enforcement action in California in recent months as one example of the type of technical privacy requirements necessitating the need for privacy professionals to work closely with engineers.
California Attorney General Rob Bonta alleged that Sephora failed to disclose to consumers that it was selling their personal information and failed to process user requests to opt out of sale via user-enabled global privacy controls in violation of the California Consumer Privacy Act (CCPA).
As part of a settlement requiring Sephora to pay $1.2 million announced in August, the multinational retailer must provide mechanisms for consumers to opt out of the sale of personal information, including via the Global Privacy Control (GPC).
“Technologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights,” Bonta said in a prepared statement. “But these rights are meaningless if businesses hide how they are using their customer's data and ignore requests to opt-out of its sale.”
Bonta also said he hoped the settlement “sends a strong message to businesses that are still failing to comply with California’s consumer privacy law.”
