As if the changing shape of data wasn’t enough, corporate legal teams across the US are now grappling with an evolving—and increasingly complex—set of privacy laws for how they collect and use personal information. Of course, greater protection of consumer privacy is ultimately a good thing, but new and shifting regulations do create quite a few headaches for in-house counsel.
At Relativity Fest 2023, four industry experts shared their insights and advice for the challenges that in-house counsel face with this patchwork of state laws. Let’s dig in.
Several States, Several Laws, One Big Headache
The sheer variation in privacy laws across different American states has opened the door to questions for corporate counsel. Justine Young Gottshall, co-managing partner of the InfoLawGroup, shed light on the complexities.
“How do you operationalize a privacy program when we have multiple laws that use different definitions and nuance that have a lot of import?” she asked the audience.
Justine went on to explain how things can be lost in translation because different states tend to use different terminology, causing more challenges—and questions—for legal. As an example, she pointed out how many in-house counsel are accustomed to the terms “controller” and “processor” from the GDPR. However, California law—as just one example—uses the terms “company,” “service provider,” and “other.”
“And we’re still working out what ‘other’ means,” Justine quipped. “We have to, at some level, look at each state and their requirements […and] ensure that in our privacy policy, web form, cookie manager, or other disclosures that we’re using the right words and are hitting the state compliance.”
Regardless of the state, there is one area of consistency: new privacy laws will affect marketers and advertisers. Heavily.
“Go hug your marketing leaders,” said Justin Antonipillai, CEO of WireWheel. “Because this is going to be hard.”
For years, marketing teams have often operated with limited oversight, using diverse technology stacks and third-party tools, often without a comprehensive understanding of the data flows involved. The increased scrutiny from regulators makes it imperative for organizations to revisit their marketing and advertising policies.
“Most marketing teams are using something between three and eight backend systems to serve the customer, and they’re storing legal opt-outs in all of them with no way to join the data. That’s a pretty big set of risks. The state laws are bringing focus to AdTech and MarTech practices and they are super enforceable,” he said.
Enforcement Is Coming: How to Mitigate Your Risk
When it comes to how regulators are enforcing these new state laws, Justine shared that she has not seen a tremendous number of enforcements … yet.
“We have seen a lot of letters and a lot of investigations have started,” she said. “However, enforcement is coming. There’s no question.”
To mitigate risks, Justin advised that organizations conduct regular scans of their websites and mobile apps to identify potential compliance issues—a tactic that regulators are using themselves for enforcement. Legal teams should also collaborate with marketing and product teams to better understand their risk. Specifically, he recommends asking:
- What scripts, tags, or pixels are being used on your websites?
- What data are you collecting and with which third parties are you sharing that data?
- Does your team use a Systems Tool Kit (STK) to create mobile apps?
- Have click trackers been implemented on the website?
Justine, agreeing with Justin’s point, added a word of caution about these discussions: “Trust but verify,” she said. “They don’t know what was put on the website 10 years ago and wasn’t taken off.”
From a broader standpoint, Mark Antalik, principal, BDO USA, explained how the product development process for large tech companies often includes privacy as part of the standard operations. More companies may need to take on that approach. Mark recommends taking a page from the GDPR and implementing a Data Protection Impact Assessment for every new project.
“It can act as a gate for privacy. It’s privacy by design because you’re engaging folks who are designing systems at the beginning so it’s not a fire drill further down the line,” Mark explained.
Privacy Change Calls for Process Change: Here’s Where to Start
To address these new and evolving privacy laws, both Steven Stein, principal at KPMG US, and Mark had some practical advice that in-house teams can implement today.
Steven emphasized the need for in-house counsel to define a clear operation model and privacy framework—and one that the entire company, not just legal, takes part in.
“In the old way of doing things, like with GDPR, legal might have stood up a cross-functional committee to be responsible. But with a flurry of new laws, you don’t have time for that, and it doesn’t make business sense,” he said. Instead, he explained how his firm created a group that oversees how activities would be affected under a variety of laws. “What comes out of it is a set of controls that can be cascaded to marketing, IT, and the rest of your business. And that can be overseen by the privacy group.”
Similarly, data minimization and retention are, as always, critical concerns. It’s vital to understand where data is stored, how it flows through the organization, who has access, and what the retention periods are.
When it comes to solving this puzzle, Mark offered some direct advice: “Start somewhere. Don’t wait and look at it like a daunting task that no one wants to touch. Spearhead it and you will save your organization so much time, money, effort, and risk down the line.”
He went on to offer a practical approach, again taking note from the GDPR, for data minimization: a Records of Processing Activities (ROPA). A ROPA can help determine where data lives, how it comes to the organization, how it flows through the organization, who has access to it, and what the retention period is.
“Do this exercise from a higher level and get a handle around your data in general. It’s the logical first step to retention and data minimization,” Mark explained.
While there’s no doubt that in-house counsel face formidable challenges with these new privacy laws, the panelists all seemed to agree: being proactive can help you navigate the complexities ahead. Like Mark says, you have to start somewhere.
Kristy Esparza is a member of the marketing team at Relativity, specializing in content creation and copywriting.