Posted
April 26, 2024
Four Boltive team members – and 5,000 of our closest friends – went to the IAPP’s Global Privacy Summit (GPS) in DC earlier this month. GPS is one of the highlights of my conference year: it’s always a great time to connect with friends, meet new people, and learn from peers and luminaries in the privacy world.
This year, as in years past, we had great sessions featuring regulators from around the world. As I went through my notes, thinking about what I wanted to share with those who couldn’t be there, my mind kept returning to the regulator sessions.
I hear so many misconceptions about regulators and enforcement as I talk to people in my day to day:
These are common – and dangerous – blind spots.
The panels and interviews I attended featured regulators at the US federal and state level (California, Colorado, Connecticut, and Oregon), as well as the UK, Ireland, Germany, Italy, France, Finland (who is also the chair of the European Data Protection Board), and Singapore. Regulations differ, as well as details around legal processes, but a number of common themes – busting these myths, and more – emerged.
In this post – part 1 – I will sum up what I heard regulators tell us they want us to know.
And in my next post – part 2 – I will sum up what I heard them tell us they want us to do.
Regulators aren’t trying to play gotcha. They want to help companies understand our obligations under the law, and are investing a lot of time and effort to tell us what “good” looks like.
The rules published by California and Colorado are there to provide nuanced guidance on the statutes, and if you look at a regulator’s website, you will find a range of FAQs, advisories, and guidelines that are published with the intent to educate and clarify.
For example:
Regulators also want us to ask them questions when we are in doubt. The sense in the sessions’ audiences was that it’s uncomfortable to stick your neck out, but several regulators were very clear that they want to help companies get to “yes,” in a lawful way. Guido Scorza, from the Italian Data Protection Authority (Garante per la protezione dei dati personali), noted that while individual privacy is a fundamental right in Europe, so is the right to do business.
Further, to facilitate the ability for companies to function across jurisdictions, regulators are also devoting resources to harmonization. This is actively happening within the US, among state and federal regulators, who speak and cooperate frequently, as well as within the European Economic Area, where member states meet 350 times per year to collaborate and produce unified guidance documents.
As Michele Lucan, Connecticut’s Deputy Associate Attorney General, put it, “We care about being helpful and transparent.”
There is a widespread misconception that regulators don’t understand digital technology in general, and ad tech in particular. My guess is that this comes from the Congressional hearings we’ve all seen, where Big Tech CEOs sit through a series of questions that increasingly reveal how little some members of Congress understand digital.
What companies need to understand is that the regulators are a very different story.
Take the California Privacy Protection Agency (CPPA) as an example. The Executive Director of CPPA is Ashkan Soltani, a technologist with degrees in cognitive science and information management, and a background as a security architect and researcher in a wide range of private and public organizations. Take a look at his LinkedIn profile, paired with his public comments that the CPPA is actively staffing up with technologists, and decide for yourself what this says about the CPPA’s capacity to handle enforcement in digital environments.
Further, even regulators with a legal or policy background live in the world with us, and realize that there are technologies in the marketplace that they can use to power their investigations.
As John Edwards, the UK Information Commissioner, declared, “Our bots are coming for your bots.”
Another common misunderstanding is around what enforcement actually looks like. Many people look at the big public settlements in the news, and think that’s what enforcement is all about: headlines and fines. And because we don’t see those kinds of big announcements often, there can be a sense that enforcement isn’t happening.
In reality, those large public announcements are only one piece of the puzzle.
Enforcement is actually a range of tools, including inquiry letters and subpoenas, reprimands and cure notices, injunctions and deletion orders, which, if ineffective or if the violation is large enough, escalate to the types of settlements and fines – which typically take years to negotiate – that we see in the news.
Regulators begin enforcement as soon as the law goes into effect. Which companies find themselves on the receiving end of a letter is determined by the regulator’s priorities and own research, as well as media reports and consumer complaints. John Edwards (UK) observed that it’s common, in fact, for a customer service issue or an employer/employee dispute to end up in a privacy regulator’s inbox as a complaint.
Each of those complaints becomes a case that needs to be investigated and closed. The regulators in the sessions I attended all concurred strongly on this: if you get a letter from a regulator, please cooperate. The inquiry may just be seeking information that will help them respond to the consumer and close the case. Regulators have limited resources – they want to get through the small matters as quickly as possible so that they can focus on the bigger harms occurring.
Further, several regulators also specifically noted that if you stonewall an investigation, it will raise suspicion that triggers a deeper look into your company, taking resources from other investigations.
As John Edwards (UK) put it, “If you drag it out, you will see that reflected in the fines.”
To get a sense of what enforcement is happening across the range of tools regulators use, look for the reports that they publish periodically. For example, Connecticut recently published a report covering the first six months of the Connecticut Data Privacy Act. These reports are also a form of guidance in themselves, containing helpful explanations intended to help others understand the regulation and improve their compliance.
As Commissioner Rebecca Slaughter of the Federal Trade Commission remarked on a panel, “We’re not trying to be mean.”
Sometimes, I think it can feel like regulators are out to get us, so to speak, because in digital, we’re used to operating in a pretty freewheeling manner. And as we all adjust to a more regulated business environment, I hear very black and white thinking sometimes – all data collection is bad, all data collection is good.
As with most things, the truth probably lies somewhere in the middle. Data collection enables businesses to offer great products and services. And data collection also has caused real-world harms. Good regulation can help us get to a more balanced point, where businesses can grow and innovate, while consumers can be protected.
Every day, Boltive helps companies work through questions about whether their technology stack is keeping up with both their obligations under the law and their promise to consumers. And with our AI and automation tools, we help them cover more ground when validating compliance across their entire consumer-facing footprint, including their offsite digital ad campaigns. To find out more about how we can help you, as well as get a complimentary scan of your site, please reach out!
