Privacy Risk Assessments: Aligning Business With Compliance

Intro 0:00

Welcome to the She Said Privacy/He Said Security Podcast, like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels 0:22

Hi, Jodi Daniels, here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies. Hello.

Justin Daniels 0:36

I am Justin Daniels, I am a shareholder and corporate M&A and tech transaction lawyer at the law firm, Baker Donelson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cybersecurity risk. And when needed, I lead the legal cyber data breach response brigade.

Jodi Daniels 0:59

And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trusts so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology e commerce, professional services and digital media. In short, we use data privacy to transform the way companies do business together, we’re creating a future where there is greater trust between companies and consumers to learn more and to check out our best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. Well, hello, hello. 

Justin Daniels 1:35

How are you? 

Jodi Daniels 1:36

I am just Jackie, actually peachy because I’m in the Peach State. 

Justin Daniels 1:40

There you go. 

Jodi Daniels 1:41

But I used to say decade, all right. Well, today we have Alan Friel, who is the chair of Squire Patton Boggs, data privacy, cybersecurity and digital assets practice. He is a tier one ranked by chambers and BTI Consulting Group, and has named Alan a client service all star, recognizing lawyers who stand above all others and delivering the absolute best in client service. Alan, I’m so excited that you are here today.

Alan Friel 2:10

Good to be here.

Justin Daniels 2:12

So Alan, would you like to tell us a little bit about your career journey and how you got to where you are today?

Alan Friel 2:19

Sure, you know, it’s funny. I was talking to a USC student yesterday who just cold called me and asked me more or less the same question. And what I told her was, I really just followed my interest. I started out clerking for a judge, did a fellowship for the American Civil Liberties Union. That was my first sort of introduction to privacy from a different perspective than I’m practicing now, somewhat. And then ended up in a big law firm where I gravitated towards technology, media and telecom. And as technology has evolved, privacy has become more and more important. But our global data practice looks at data and digital holistically, not just a compliance or an incident response practice.

Jodi Daniels 3:13

So Alan CCPA is often a hot topic issue, and in this episode, we were going to talk a little bit about the CCPA draft regulations for some time, and a long list of other fun CCPA things and the recent regulations drafts, rather are talking about cybersecurity audits, automated decision making, technology like AI and profiling and, Of course, privacy risk assessments. And a recent study by the CPPA, the regulator, the agency, has estimated the total cost to businesses complying with these regulations to be $4 billion for California based businesses in just the first year, which that’s a really big number, and it doesn’t even include, you know, businesses outside of California. My question to you is, what are your thoughts on the cost of these regulations? And essentially, I mean, we, we’re hoping to have regulations because they derive value. So what is your thought on the cost and the connected value?

Alan Friel 4:18

Yeah, you know. And that number, as you said, is low because I can tell you, if they’re hiring your firm or my firm, or any of our firms, the costs that they’re estimating are going to be a little bit higher. Also, they don’t take into account the cost that companies are already bearing to deal with the Colorado regs. So it’s really the delta where, where, where. It’s additional cost. And then, you know, this was a cost impact, and a study that also had to weigh the benefits, and it’s really hard to quantify the benefits of privacy, right? And I. So the agency concluded that the ultimate benefits to individuals and to just better business and investment client climate would outweigh in a number of years, the investment for compliance, really mushy stuff. It is a big number. You know what? I think that, you know, this is really public policy, and we’ll talk about some of the legal implications of the Proposed Regs in a little bit, I think. But you know, it, you’ve got to try to quantify, you know, is this worth the burden on businesses? And one of the things that the impact study did not do would be to look at how can you achieve the same goals. It is unquestionable that protecting consumers privacy is not just a legitimate but it’s a crucial state concern. And the goal question is, can you do it in a way that is materially less burdensome and less expensive while still achieving those goals. And that’s not something that the study really looked into.

Jodi Daniels 6:08

Alan, I’m curious what are some of the thoughts that your clients share about how we need to comply. Obviously, there’s a law so they choose to comply. We often hear, for example, that they can’t move forward in a sale, especially in a B2B environment. And so they come and say, Well, I have to comply, because I’m going to lose this sale if I don’t. I’m just curious, what are some of the reasons that might be a similar one that you hear from your clients?

Alan Friel 6:37

Yeah. I mean, for sure, investment in M&A transactions have been a driver for companies to get their information governance house in order. There’s no question. I mean, people say, what data is the new gold or the new oil, but it can also be the new asbestos, right? And if one of your significant assets are your digital assets, your data assets, and you can’t transfer them, or you’ve ultimately can’t commercialize them because you didn’t have good data hygiene, information governance, hygiene to start with, then you’ve just blown the whole purpose of your business. That’s an extreme example, but we’ve certainly seen the investment community and the corporate M&A advisors really looking at diligence in a much more robust way than, say, even 18-24 months ago. So for sure, that’s a driver. Eventually the fines are going to be a driver, right? They’re kind of low right now, but if you also look at the AGS, privacy and and cybersecurity related civil penalties in the last two years, so same period of time with these little six and baby seven figure settlements, tens and hundreds of millions of dollars, just using the UDAP, just going under plain old consumer protection laws. That’s going to flip. You’re going to start seeing those same levels of fines under CCPA. You’re going to — Oregon is getting active. Texas is getting active. So the penalties, just like with GDPR, they’re going to start driving better hygiene as well.

Justin Daniels 8:28

Makes a lot of sense. Thank you for sharing. So why is the First Amendment relevant to the California privacy regulations? And what are the key free speech concerns that are raised by these proposals in your view?

Alan Friel 8:38

Right? So this, I think, is one of the most fascinating aspects of where we are right now in the maturing of privacy in the United States. You know, we come at it from a different point of view than Europe. Europe had this little problem in the 1930s 1940s 50s, 60s, depending upon what part of Europe you’re in, of totalitarian governments, people were way more privacy conscious. As we developed the Marshall Plan, we established privacy as a fundamental human right. I guess we didn’t. We highly encouraged it, and they did. It’s not a fundamental human right. In the US, there are a few state constitutions like California that apply privacy protection, not just to the government but to the private sector. But they they really haven’t matured, and we’ve got the First Amendment, something Europe does not have, and the Supreme Court has said, in a case called Sorel that dealt with data brokers in Maine that collecting and commercializing personal data is a free speech right, they only supplied strict scrutiny, which makes it almost impossible for a regulation to withhold. Will withstand scrutiny and be upheld. They apply intermediate scrutiny, which is usually reserved for commercial speech, and it’s so is there a materially less burdensome way to achieve the same important state goal? And this particular case had to do with prohibiting the the purchase and resale of pharmacy physician prescriber information, so that pharma companies could send ads to doctors that you know don’t do Viagra, do whatever the other one is called, or whatever example you can come up with. And that was found to be overly burdensome, that there would be less burdensome ways in order to provide for the goal of it really, was really kind of done to limit the over prescription of opioids. So an important goal. And in the most recent sort of case, we’ve got two cases in the Ninth Circuit, one net Choice versus Bonta, and the other 1x Corp, and they had to do with the age appropriate design act, and they look particularly at assessments dipas and compelled speech. Little different situation there, because the assessments under the age appropriate design act went beyond just data practice, but also the potential harm of editorial content. So anytime you’re regulating editorial content, you’re more likely to get strict scrutiny, which is what the court applied. But it said in dicta in the net choice case, you know any kind of compelled assessment is subject to First Amendment scrutiny and decline to apply it to the the current statutory language for privacy notices, consumer rights requests, reporting and data risk assessments Under the the CPRA didn’t even look at the draft rags, but said, If appropriately tailored, would not necessarily be unconstitutional. So that’s going to be the next challenge, which is, okay, you’ve got these really complex assessment regs that require very specific questions to be answered, a report to be written, subject to inspection, and, most importantly, a risk benefit analysis, a harm benefit analysis. There have been other cases that looked at that as being the crucial commercial free speech problem. You could say, Okay, this is the data that’s collected, this is how it’s processed. These are the risk remediation measures that we’ve decided to take. But when you make somebody give a subjective opinion of risk and benefit, there are courts that have said that goes too far. The case that I’m thinking about is a DC Circuit opinion on SEC reporting, where the SEC had passed a rule that said companies have to disclose whether or not they use conflict minerals. There was a war in the Congo. The government was alleged to be using the proceeds from its valuable mineral resources to repress certain populations and arguably even genocide. So, bad thing, right, social good. Try to minimize that but the court said when you tell companies that they have to put in their quarterly reports or their annual reports whether or not they’re using conflict minerals, you’re making them make a public value judgment. And you can’t do that. That’s going too far. There are other ways to achieve the state’s goal of minimizing the conflict in the Congo. On the other hand, the same court said, more or less in the same period of time, you could, however, require meat packers to put the country of origin label on the meat package, because that’s objective, not subjective. The consumer will conclude if there’s any value to the meat being from one place or the other. So it’s a pretty, pretty fine line, and the question is, how far is too far?

Jodi Daniels 14:56

Alan, with all that we have just discussed and these draft regs, and knowing that it takes companies time to do any of these assessments, it’s not just a really simple exercise, companies are confused about what to do now. How do they prepare? Should they assume they’re going to need to do these assessments and get started? Do they keep waiting for them to get passed with more information about what should be included. What would you recommend?

Alan Friel 15:25

I mean, that’s a good question, because I think you can probably read between the lines and conclude that I think that the Colorado and California regs go a little too far and are subject to challenge. On the other hand, I am encouraging clients to consider them best practices. You know, I think that it is impossible to comply with your obligations under the law without doing robust assessments. You’re not going to be able to maintain your data inventory. You’re not going to be able to respond to consumer requests. You’re not going to be able to manage your information assets, which means you’re not going to be able to appropriately, be able to ensure that you can commercialize them in the way you want to. So it’s not just a compliance issue, it’s really, you know, a business issue as well being able to know what you’ve got and how you’re going to be able to commercialize that data. So I think companies should be engaging in robust data practice assessments, and I think risk benefit is part of that, but that’s a private issue in my opinion, right? That whether I think my reputational risk outweighs my commercial advantage, that’s my free speech, right? And do not have to disclose I believe, on the other hand, companies ought to be asking that question, and they for sure, need to know, what data are they collecting? How are they processing it? To whom are they disclosing it? Is it being properly secured? So the concept of assessments is crucial. The way the state is going about implementing it in certain states, particularly Colorado, California, is questionable. All that said I would, I would say that the abridged assessment that the CCPA or CPPA is proposing have to be filed is pretty objective. It’s pretty factual. It is what it is. It’s like an, it’s like a, like a label on a kind of can of soup, telling you how many calories and what the ingredients are. On the other hand, those 35 assessment questions that I think companies should be given more flexibility to decide how they’re going to conduct the assessments.

Jodi Daniels 18:11

Thank you. It is a complicated thing, and it also goes to your favorite phrase. Know your data, indeed, favorite phrase, yes, really, one day we’ll have t-shirts.

Justin Daniels 18:21

I hope so. So Alan, do you have a favorite personal, private tip, privacy tip that you would like to share with our audience?

Alan Friel 18:31

Yeah, for sure. And I think I don’t know, maybe my dad told me this, so I don’t know where I heard it. It’s not an original quote, but, you know, don’t, don’t put anything in writing that you’re not prepared to see widely published or distributed, read in open court, published in a newspaper, what have you, people over share, right? And this is what I tell my daughter. It’s like, you know, think about what you post, right? That’s my personal privacy tip.

Jodi Daniels 19:00

It’s a good one, absolutely. Now, when you are not providing privacy guidance and reading regs and draft regs, what do you like to do for fun?

Alan Friel 19:10

I like to find and listen to old vinyl records. 80s new wave and indie.

Jodi Daniels 19:27

We have an 80s fan over here, Justin, a time warp. It’s music types that his daughters are not liking.

Justin Daniels 19:36

Neither does my wife.

Jodi Daniels 19:41

Well, Alan, we’re so grateful that you came and shared with us. If people would like to connect and learn more, where should they go?

Alan Friel 19:47

They can go to the Privacy World blog at the Squire Patton Boggs web page and subscribe for more information than you probably ever wanted. And you can find me there too. But this has been lovely. I really appreciate the opportunity. It was a lot of fun.

Jodi Daniels 20:04

Absolutely. Thank you again.

Outro 20:10

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.