OneTrust GM Advises Revisiting Privacy Settings Amid Regulatory Scrutiny
OneTrust agrees that businesses shouldn't set and forget privacy compliance tools, amid increased scrutiny from regulators, said Ojas Rege, general manager of privacy and data governance. In an interview with Privacy Daily, Rege also said that a great amount of enforcement action is happening behind the scenes, without becoming public. In addition, the OneTrust official warned that “AI amplifies every single privacy and data governance gap you have in your organization.”
The California Privacy Protection Agency has zeroed in on consent-management tools. For example, the CPPA’s enforcement action earlier this year criticized how Honda set up its consent manager (see 2503120037).
Some lawyers say that recent settlements show the vulnerability of companies that buy tools from privacy vendors and think that they can just “set it and forget it” (see 2507240056). OneTrust sells such tools and leads the market with more than twice the share of its closest competitor, IDC Research Director Ryan O’Leary said through a spokesperson.
“Privacy is living and breathing,” said Rege. “It changes all the time and business needs change all the time.” A company can’t “set and forget” its website, since they are always rolling out products, marketing initiatives and personalization programs, he said. “And all of those things require consent and privacy to be managed. So, it is an ongoing effort and investment that organizations have to make.”
Recent enforcement actions have made clear that it’s important to continually revisit one’s privacy controls, added Rege. “Just because you did it four years ago doesn’t mean that the stuff you did is going to be functional now, because you’ve probably got 1,800 new marketing campaigns.”
It’s like information security, added the OneTrust official. “You set up your firewall four years ago. Can you just forget about it? Like, no. Oh my gosh -- [there are] new threats coming every day.”
“We focus a lot on making sure our customers have the best practices to know what to deploy and how to deploy,” noted Rege. “Every company has a different risk profile, though,” and “different companies will take … different approaches.” Enforcement actions help make “clear to companies broadly what is viewed by the regulators as being most important,” he said. “It tends to drive action.”
For instance, some recent settlements have signaled “that you have got to really think through your privacy policy,” and make sure it’s transparent and comprehensive, applying not just to the organization but to relationships with third parties. Making it as easy for consumers to opt out as it is to opt in is also a “big deal for the regulators,” said Rege. “They don't want dark patterns. They don't want reject-all buttons to be smaller than accept-all” buttons.
Meanwhile, “there’s a lot of enforcement we don’t see,” said Rege. “Generally, what we see is when there’s a settlement.” However, “notifications to companies that something's going wrong” have been sent in large volumes for several years, he said. “Usually, they result in change of behavior … When the public becomes aware of an inaction usually is when there wasn't a change of behavior or the action is viewed as so egregious that it requires something broader.”
Rege said regulators have been especially active in enforcing consent requirements and lately have been showing increasing interest in automated decision-making technology.
Rege also said it’s noteworthy that some recent enforcement actions resulted from a consumer complaint. That was the case with the CPPA’s recent settlement with Tractor Supply Co. (see 2510030028 and 2509300010). “Consumers are pretty knowledgeable … about their rights,” said Rege. And the rise of AI “amplifies some of the concerns that a consumer might have.”
AI Drives Privacy Shift
A major “inflection point” for privacy occurred when the GDPR and the California Consumer Privacy Act arrived and “boom, every organization had to get a program together and think about what this notion of privacy was,” said Rege. “The next inflection point … is where, for a lot of our customers, privacy expands from being focused on compliance to being also … focused on enablement,” with AI the catalyst for the shift. “Privacy by design is getting hot again.”
“There’s no AI without data,” Rege noted. Many of the AI systems organizations want to deploy are for “go-to-market processes” like customer interactions, personalization and loyalty, “which we’ve traditionally thought about from a consent perspective and a privacy perspective as really being fundamental.” AI systems, he said, “can do a lot of good quickly, and they can do a lot of harm quickly -- and you can’t retrofit privacy into an AI system.”
Before AI, one could address privacy issues by deleting data or changing business processes, said Rege. “The challenge with AI is if you've built the wrong data into the AI system, there is no technical recourse other than rolling back the model, which means that that two years of competitive advantage” the company gained are lost, he said.
One reason privacy professionals are gaining AI governance responsibilities is that their skills are transferable, said the OneTrust official: “You're doing risk assessment, you're thinking about data” and “intended use.” But also, the nature of the technology is forcing privacy teams to become “AI-literate,” he said. Organizations that invest in AI training will “be the ones that can take these privacy programs and drive them into part of the enablement of the company.”
Rege added that AI has “escalated” the tension between moving fast and mitigating risk. Companies must try to do both, said Rege: Privacy pros might not be able to cover 100% of a company’s data projects, but they can prioritize the 20% that are most valuable to the business and which use the most personal or sensitive information.
New Privacy Laws
Rege pointed to Maryland’s comprehensive privacy law as potentially being “an indicator of certain things becoming more important” to policymakers. The Maryland Online Data Privacy Act (MODPA) took effect on Oct. 1 (see 2509290023).
An interesting aspect of MODPA is its ban on selling sensitive data, said the OneTrust official: This reflects a general trend among lawmakers to focus more on sensitive data. Rege also flagged MODPA’s uncommonly strict data-minimization standard, predicting “we’re going to start to see more and more focus on minimization.”
“Companies are thinking about this too,” said Rege, “because minimization is the intersection of the Venn diagram between privacy, security and operations.” Minimizing data also reduces one’s “attack surface” and the extra costs that come from keeping unneeded data.
Earlier this week, California enacted a law requiring web browsers to include a setting to activate universal opt-out signals (see 2510080054).
OneTrust sees “an ongoing focus at … both the state and global level on respecting universal opt-out signals,” said Rege, adding that consent-management software can help businesses honor the signals. Also, he recommended that “each enterprise should consider a progressive consent strategy, collecting data and consent incrementally … at the points where value is clearest to the consumer.”
While there’s always talk about a possible national privacy law in the U.S., Rege said his company’s “customers are preparing for … increased fragmentation and increased complexity in the legal landscape.” As a result, “We see more and more people taking a national approach within their company, because it gets complex to manage it jurisdictionally.”