Privacy Daily is a service of Warren Communications News.
Trust Continuum

Grindr Privacy Chief Sees Expanding Definition of Personal Data

Regulators are looking harder at privacy and expanding what constitutes personal data, sensitive data and consumer health information, Grindr Chief Privacy Officer (CPO) Kelly Peterson said Wednesday during Privado’s Bridge Summit. However, Aaron Weller, HP privacy innovation leader, said it’s “not just about laws and regulations” for businesses seeking to prioritize privacy. “It’s also who are your customers and what are your customers’ expectations?”

Peterson said, “With news swirling around ad tech practices and” generative AI, “regulators in the U.S. seem to be saying notice and choice is not effective.” That’s a privacy approach where companies disclose how they will use data and provide consumers the ability to opt out. “In the absence of a federal framework … states are regulating this, and what we’re seeing is this vast expansion of what defines personal data,” the Grindr CPO said: It’s not just personally identifiable information “that matters anymore.” Moreover, with the recent Washington state My Health My Data law, “things that we never considered to be in the realm of consumer health information” are included now.

Attitudes toward privacy have changed due to data’s growing importance, said the Grindr CPO. “From our homes to wearable devices to how we get jobs, everything is controlled through … data transmissions -- and sometimes those devices are transmitting very sensitive data to companies.”

Formerly, businesses saw privacy “as a subset of security consideration,” she said. When Europe made the General Data Protection Regulation (GDPR), “businesses in the U.S. began to see the impact of privacy and began treating it as a compliance function, but not necessarily embedded within engineering flows or data transmissions.” She added, “But since then … consumer awareness has grown with understanding that they have … certain privacy rights afforded to them.” As a result, some companies, like Apple, now treat privacy as a competitive differentiator to win customer trust, said Peterson.

HP’s Weller sees trust as a continuum. “It goes from, ‘I have faith that this big company is not going to do anything bad with my data,’ to ‘I have experience -- I've worked with them for a while [and] nothing bad has happened yet, so it must be okay.’”

“Privacy harms are generated, for the most part, in the ways that information is used, rather than just whether someone has access to it,” Weller said. “With the historical dominance of lawyers in the privacy field, what I've seen across many companies has resulted in many privacy programs … [that] are overfocused on process controls, rather than technical controls that provide direct assurance that data is being used in the ways we state in our privacy notice.”

At an earlier panel, privacy leaders from Kohler and Marriott Vacations Worldwide said practitioners must show how good privacy practices support a company’s mission.

“Privacy can sometimes seem like the blocker when it comes to projects or initiatives throughout the business,” said Justin Lombardi, Marriott's director-data privacy. Accordingly, Lombardi is working on “building person-to-person relationships with ... different departments and … showing that we are here as a partner.” Lombardi attempts to use a proactive and “privacy by design” approach, ensuring his team is at the table from the start of a project, he said.

Privacy priorities must be “strategically aligned to the company’s mission and their roadmap for at least the following year,” said Sonia Siddiqui, head of privacy at Kohler. She advised that privacy practitioners tailor their communications to the needs of other parts of the business. “They don’t want to read a legal memo on … one-to-one consent,” she said. “What they want to know is … how do I operationalize that?”

With corporate privacy teams likely to remain small, Siddiqui said it’s important to perform “ruthless prioritization.” Privacy compliance officials should look for “quick wins,” like overhauling a privacy policy, while working on longer-term strategic goals such as operationalizing data deletion.