Mastering Basics Is Best Foundation for Handling Privacy's Evolution: Sourcepoint
Companies should master the fundamentals of privacy, which will form a solid foundation when handling new privacy regulations, enforcement actions and emerging technologies like AI, said Sourcepoint’s Chief Privacy Officer Julie Rubash and Brian Kane, the chief operating officer of the privacy software company that was recently acquired by Didomi (see 2507080040).
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
For Rubash, fundamentals are critical since one of the trends running through recent enforcement actions is that companies are “failing on fundamental basic principles.” Yet once you “get the basic principles down … everything else is just icing on the cake.” The enforcement actions she referred to include California’s actions against Honda (see 2503120037), Todd Snyder (see 2505060043) and Healthline (see 2507030026), as well as Connecticut’s settlement with TicketNetwork (see 2507110003).
While you must “dig in and understand the laws,” she said, “if you haven't mastered the basic principles … don't even worry about the nuance, because that's only 2% of it; 98% of it is making sure that you understand and disclose what you're actually doing.”
As such, companies must be familiar with their data collection practices and “transparent” about them. Moreover, they should “extend user rights that actually work.”
Rubash is quick to say she doesn’t want to minimize the challenge of compliance. “Even though I make it sound easy, some of those foundational principles can actually be the most challenging for companies,” especially when technology is constantly evolving.
An emphasis on fundamentals, particularly in the advertising space, is only just starting to sink in, Kane said. “There's still a growing level of awareness that happens when you talk to a group of marketers about data privacy,” he said. “Everyone, collectively, is starting" to understand that "it’s not enough to just check the box, that you really have to culturally bring privacy [and] best practices to your organization, or else it's just not going to work.”
‘Set It and Forget It’ Not Enough
Similarly, privacy lawyers have noted a takeaway from the recent California enforcement actions is that companies are at risk when they engage a software vendor and then forget about privacy compliance (see 2507240056).
“Regulators have made very clear that privacy compliance should not be a one-and-done exercise,” Rubash said. “Data-collection practices, internal processes, consumer touch-points, third-party tools, and backend architecture are changing on a daily basis for most companies. If you couple this with continuously evolving legal requirements and technical advancements, it would be impossible to stand up a privacy program, walk away from it, and expect it to function in a vacuum.”
“A compliant privacy program requires ongoing monitoring, testing, updating and due diligence,” Rubash added. “A key ingredient” in ensuring compliance “is up-to-date knowledge of the company's business, which can only come from the company.” This necessitates that organizations constantly think about privacy.
Additionally, “If you're going to be extending opt-out rights or other user rights, they better be consistent with what your actual practices are, and they better actually work.”
“You can't just put something in place and ignore it,” she added. “You have to [review] it against what your actual data-collection processes are and ensure that they are exhaustively working the way that you're describing them and the way that's required under law.”
Similarly, Kane advised against purchasing AI-based tools and assuming they're compliant. Read “through the [tool's] data-processing agreement” to make “sure that [the companies that created it have] specific privacy practices ... that would allow [you] to feel comfortable” using it. Education, training and experimentation can also help decide on tools that drive efficiency while also following data-protection practices.
“In some ways, a lot of it is just good housekeeping,” he added. “If you're already doing things like vendor review … AI really falls within a bucket that is just very similar to what you need to do anyway.”
Predictions
When it comes to legislation, “the big new trend that we're seeing is with data-minimization requirements,” Rubash said. “There's a lot of different flavors of this ... but a lot of them seem to be getting more and more strict,” with Maryland’s comprehensive privacy law set to be the strictest when it takes effect on Oct. 1.
Another trend is “meaningful transparency,” since “the AGs are really looking for [companies] to not only make disclosures deep in [their] privacy policy, but to make disclosures in a way that consumers actually understand them.”
In the longer term, Kane said, "agentic privacy is something that's going to be really important as well" as AI evolves. That is “the ability to allow agent-to-agent communications,” he said. But “we still have to make sure that personal data is respected, and we're complying with regulatory requirements.”