The following is a transcript of our recent podcast conversation with Sam Castic. Sam is a partner with Hintze Law with 15 years of global privacy and cybersecurity experience. Sam counsels clients from early-stage startups to the biggest global companies on privacy and data protection. Sam was formerly Chief Privacy Officer for Blackhawk Network, a global fintech company. Prior to joining Blackhawk Network, Sam was Senior Director Privacy & Associate General Counsel at Nordstrom, where he led the teams responsible for privacy law, compliance, and operations.
This transcript has been edited for publication.
Can you briefly explain what the California Consumer Protection Act is?
The CCPA is the first comprehensive data privacy law in the United States. It took effect in 2020 and it has had a pretty profound impact on the privacy landscape in the U.S. and we've got some significant changes to it that go into effect next month on January 1st. It’s getting its copycat laws in other states with has fast follow laws coming online next year and in the years ahead in Connecticut, Colorado, Utah, and Virginia.
Can you walk us through the recent CCPA enforcement action against Sephora?
The CCPA generally limits enforcement to the attorney general. The attorney general did a sweep of companies that appeared to be using tracking technologies, tags, pixels on their websites but didn't make the appropriate disclosures or have the appropriate operations to let people opt out of what they call ‘selling personal information’.
Sephora was one of the companies that was caught up in that sweep, and according to the settlement, they didn't fix the violations that the attorney general warned them about. As a result, there was an enforcement proceeding brought. It was the first enforcement proceeding under the CCPA. It's significant in that regards and it really shows the importance of the attorney general's guidance on what “selling” is and what you need to do on your website to respect the global privacy control signal that is sent.
The requirements that they've highlighted really can't be met in disclosures alone or fine print in a privacy policy. It really shows the importance of operational and business practices that are required to comply with the law.
I think the fine of $1.2 million, while small in the scheme of things relative to some of the other headlines we've read, seems to me to be a little bit of a shot across the bow as the first enforcement action with a number so big. I think they'll only go up from there.
What’s the significance of this enforcement action?
I think it previews the importance of really understanding and following the requirements in the CCPA. The AG really said, look, these requirements have been out there for years now. Companies haven't gotten their act together and the time is expiring for companies to comply.
I think it signals that they are not going to be as soft with future enforcement actions. Indeed, at the end of the year, the grace period that's been offered to so many companies of, hey, you've got 30 days to cure your violation, goes away at the end of the year.
So out of the gate, you know, they are going to be coming, potentially with fines and with enforcement proceedings that are public, that are reputationally damaging. And they're not going to be doing it as much behind the scenes. We've seen dozens and dozens of companies get these enforcement warnings and then cure them and then not really be punished in the court of public opinion or with a fine. That all changes starting January 1st.
A common misconception seems to be around the language of whether a company sells data to another. Does this interpretation set a precedent for similar and emerging state laws across the country?
Yeah, I really think it does. In California specifically, it really shows the regulators are looking at this as a black and white issue. You're either selling or you're not. You're only not selling if you've got the very specific contractual provisions in place with the vendor or the service provider that you're working with.
The California AG is taking a very binary view on that, which the text of the law really supports. With these other laws that are coming online, they all have different shades of ‘Do Not Sell’. I think this could definitely be kind of a precedent that they look to in interpreting what is a sale or what isn't. They may be really focused on that technical definition and the compliance burden of ‘do you have all those right clauses in your in your contract?’.
I think there've been a lot of companies that have taken a view that, oh, well, we're getting a benefit from this, or this is a vendor of ours, so we're getting value from it. So, it's a service provider, it's not a sale. That's really not consistent with how the AG is interpreting it, and it's not consistent with how the law is or the changes that go into effect January 1st. The CCPA really requires that agreement to have very specific provisions, and not all vendors on the marketplace are offering those.
You've got to have an understanding of what the contract terms say, and if it is a sale, if it doesn't meet those [service provider] requirements, those operational components need to be in place to honor those Do Not Sell requests.
What are some of the practical steps companies should take to ensure compliance with CCPA?
At the highest level, you've got to understand your risk profile. Understand where your key gaps are and how likely are those to be discovered or identified and then complained about or investigated by the attorney general. Then you've got to have a roadmap that makes business sense for how you are going to close those gaps.
Nobody that I've advised over the years has been able to get into perfect compliance with the CCPA. There are too many requirements that are ambiguous, subject to interpretation. The regulations under the CCPA are a moving target and aren't even finalized; they're months past due. So, it's a bit of a guessing game.
But you do have to have an understanding of what's in there and then a practical approach of, what are the two or three things you're going to focus on first? You can't boil the ocean, you can't start with everything. Addressing your most significant gaps first is the most practical way of approaching it.
Are there technology solutions on the market today to ensure compliance?
Having led a global privacy program for a fintech company and having led a privacy program for a leading luxury retail company, my personal view on it is that there is no tool that is a silver bullet. There's a lot of money behind some of these privacy tech service providers that invest in slick marketing and a lot of promises of how easy it's going to be and how great it's going to be. In my experience, no tool really solves it all.
There are tools that can be helpful, to be sure, but with each and every one, you ought to make sure first that it's solving a need that you have that fits with those key risks that you are focused on, and that it does it in a way that's going to be scalable and appropriate for your company.
There's a lot of tools out there that are pretty expensive, and it does take quite a bit of labor and ongoing support to maintain any of these tools. So, you really need to factor that into your decisioning before you procure a tool. There are absolutely great tools on the marketplace that can solve particular needs. I just don't think we're there yet with maturity where simply procuring a tool solves all the issues.
Could these privacy controls for CCPA compliance also reduce private action litigation? For example, we're seeing a lot of class action lawsuits under the VPPA, and state wiretapping laws?
Yeah. One kind of tool that's on the marketplace is those annoying cookie consent banners. Those consent banner approaches, if they're implemented properly, can be a strong shield to the type of liability that companies are facing for session replay recordings, chat bots, and other kinds of third-party integrations companies have on their sites that are processing consumer data.
It also gets down to that first question of do you have the right contract terms in place? Are they acting as a service provider? Are you getting the right consent and notice to them which the banner can help solve before that technology loads?
Those two things are two pieces of the puzzle that I think could help shield companies significantly against these waves of class actions we're seeing on these topics.
As a consumer, is there a way for me to tell whether this website or that company
is complying with the privacy laws?
It's a challenge for consumers because you really don't know unless you're technically sophisticated and using browser plugins or other sorts of analyses to understand where the data is going, and then compare it against a pretty long privacy policy, written by lawyers like me, that may not really be the most transparent because we are trying to shield against all these lawsuits and legal requirements.
I do think a lot of consumers do use browser plugins to try to block cookies and tracking technologies right off the bat, or to try to get a sense of what the privacy practices are of the site when they get there. But I do think there is some remaining challenge for an average consumer who cares about their privacy to really know on the backend whether these companies are living up to their promises or doing the right thing with their data.
Going into 2023, what do you think will be the number one data privacy issue for companies?
It all boils down to having privacy programs and operations that scale to these new laws and this increased enforcement. That requires more than just having a privacy lawyer or a couple of privacy lawyers on a team.
It really requires having a thoughtful approach to privacy program management and privacy operations. That area has really grown in the past five years. Ten years ago, only some of the biggest tech companies really had mature privacy teams and programs. It was few and far between.
Now you've seen a lot of growth in that space and that investment and growth is what's really needed to change the practices at a company and to really keep up with what these new US laws are requiring and what the laws around the world are increasingly requiring.
In your opinion, what are the chances of new federal data privacy framework,
such as the American Data Privacy and Protection Act passing in the near future?
It’s a question that everybody always asks. We all wish we had had the answer to it. I haven't been following what's happening on Capitol Hill very closely because you can call me cynical. I've been hearing for 15 years that we're on the verge of a national privacy standard. We're on the verge of a bill that's finally getting momentum. And while the current proposal has gone farther than any have in the past, I think there's still some fundamental differences of opinion among key stakeholders that are going to prevent it from going anywhere any time soon. Maybe it'll happen in the next Congress, but I'm not very optimistic about it.
Do you have any final takeaways for data privacy compliance as we move into 2023?
I have five suggestions of what companies should focus on with CCPA and the CPRA amendments to the CCPA.
First, you really need to think about formalizing privacy assessment processes to cover what these new laws are requiring.
Second, figure out how you're going to address tracking technology practices in your app or on your site, both for this class action litigation you talked about and for these new requirements for Do Not Sell, Do Not Share, and the global privacy control.
Third, on the vendor management side know how you're operationalizing these Do Not Sell requirements for service providers and getting the right terms in place.
Fourth, know how you're going to do these new data subject rights if you haven't focused on it
yet, like opting out of automatic decision making or opting out of behavioral advertising.
Fifth, from a litigation perspective, an area that we haven't seen a lot of attention yet, but an area you really should focus on is what you're saying in your privacy disclosures, because all these laws are requiring you to say and make promises in different ways than companies have had to do in the past. And all of that is just surface area for UDAAP class action in any state. So, you make the disclosure in California, all of a sudden, you've got 50+ UDAAP laws across the country that you've got to worry about.
So really scrutinize those disclosures. Don't just let the privacy team do it in a vacuum. You've really got to have a pressure test of those before you put them up there.
If you have any questions for Sam, please email him at sam@hintzelaw.com.
You can find Sam’s 2022 end-of-year privacy ‘to do’ list here.
The opinions expressed in this podcast and transcript are the views of our guest and do not necessarily reflect the views of the firm, its clients, or Simpluris, or any of its or their respective affiliates. This podcast and transcript is for general information purposes and is not intended to be and should not be taken as legal advice.
