Intro  0:01  

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels  0:21  

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies.

Justin Daniels  0:36  

Hello, Justin Daniels here. I am a shareholder at the law firm Baker Donelson, where I am a corporate M&A and tech transaction attorney. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches.

Jodi Daniels  0:58  

This episode is brought to you by Red Clover Advisors, we help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more and to check out our best selling book Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com.

Justin Daniels  1:36  

Alrighty, then.

Jodi Daniels  1:37  

You excited?

Justin Daniels  1:39  

Well, we’re going to combine privacy and security with iconic US brands that are globally known.

Jodi Daniels  1:45  

Well, with that, who are we talking to?

Justin Daniels  1:49  

And today’s mystery guest is now revealed. We have Karen McGee, who serves as the chief privacy officer for the iconic denim brand Levi’s and LS&Co. subsidiaries Beyond Yoga and Dockers. She developed its global privacy program in harmony with the company’s essential philosophy of profits through principles. Prior to LS&Co., Karen was managing counsel at Intel, Chief Privacy Officer at LifeLock, and General Counsel at ID Analytics. Recently, she was honored with the In-house Legal Advisor of the Year Award at the Women in Law Awards by Lawyer Monthly, and she also enjoys speaking at a variety of events and conferences.

Jodi Daniels  2:33  

Welcome to this channel,

Justin Daniels  2:35  

I was going to leave that to you.

Jodi Daniels  2:37  

Oh, you bet. Okay, gotta get our communication decks over here.

Justin Daniels  2:42  

Are you sending us to couples therapy already?

Jodi Daniels  2:47  

No. Karen, welcome to the show. We’re so excited to dive into all the great work that you’re doing. And we always like to start with understanding how people found their way to their current role. So can you walk us through your career journey?

Karen McGee  3:03  

Yeah, it’s always a fun one to talk about. Thank you so much for having me. It’s great to be with you guys. I always get a kick out of answering this question because I have a unique path to being where I’m at today. When I started law school, reaching back into the Wayback Machine, I wanted to be an environmental lawyer. And so I started out with that in mind. And you know, my first summer I did an externship, and I realized that the majority of environmental law is going to be deciphering regulations. So we could align on things like what’s a release. And we did a lot of Prop 65 work, right. And that wasn’t something that really excited me. So I went back to the drawing board, and I took a class on a new law that had passed that was aimed at preventing maritime pollution. And I got into maritime law. And I went to law school at University of San Francisco. And they’re one of only two schools in the country that have a maritime law program. So I got heavily into maritime admiralty law and graduated and went to work for a maritime law firm. So I spent the first few years of my practice doing collisions at sea and personal boating cases and trying cases in and out of California. And then I went in-house with another iconic Bay Area company. No longer, unfortunately, but was founded during the Gold Rush: American President Lines. And I went in-house thinking that I was going to be doing maritime law in-house at this company, and I showed up and they said, you know, we actually filled that maritime role with somebody else, but we liked you a lot. And we think the internet is going to be important or something. So could you figure that out? Too late to say no. And so I said, “Sure, no problem, how hard can it be?” So I started doing technology licensing, outsourcing, working very closely with the IT and cyber teams. And from there realized, “oh, there’s a bunch of privacy laws that, you know, actually apply, like, we’re shipping goods and cargo around the world. 
And we have employees all around the world.” And that’s how I started doing privacy. So I created that company’s very first privacy program. And from there, just that area of the law got more interesting and dynamic and global and evolving. And I never really looked back. So you know, long story short, I talk a lot about being open to the opportunities and the unexpected, and especially for young lawyers, to, you know, look at these kind of curveballs as a chance to, you know, really step forward and say like, you never know where it’s going to take you, you could wind up being in a really innovative, exciting space down the road.

Jodi Daniels  6:13  

That is definitely, probably one of the most interesting stories we have ever heard. We filled that one, there’s this internet thing, go figure it out. But that’s actually what I feel like many of us are doing these days, because a new law appears to be passing every day. And then we have to go and figure it out. Absolutely right on that internet thing being big.

Karen McGee  6:35  

Right? Yeah, you know, it went from, I mean, the maritime industry, without going, you know, down a rabbit hole that most people listening to this podcast probably are like, “don’t care.” But you know, the maritime industry, which has been around for a very, very, very, very long time, was really paper based, you know, there were a lot of transactional legal documents, bills of lading, and things that were like, wet sign in paper, and converting that industry into something that could be done online.

Jodi Daniels  7:11  

You know, that’s really pretty complex and interesting.

Justin Daniels  7:17  

That is interesting. Well, turning to your present day role, in our intro, we talked, touched on the idea of this philosophy of profits through principles. And one of the things I wanted to ask is, how do Levi’s corporate values impact how the organization approaches privacy, because ultimately, you are a consumer-facing global brand.

Karen McGee  7:47  

You know, it really is one of the reasons that I came to work for Levi’s four years ago, back in 2019, was, as I thought about where I wanted to practice privacy, the, not just an idea, but really the reality, right, that like, the philosophy around social values, and issues that exist at this company, was something that aligns so well with how I think about privacy and individual rights to personal data, that I was really excited about the idea of kind of linking those things in a way that felt very real and genuine. And, you know, it comes down to kind of, I think, doing the right things, in the right ways, do the right things, right. And not just talking about the values that the company has, but actually incorporating them in everything that we do. We have something at the company called AR and CO expectations, and those consist of behaviors like courage, integrity, and originality. And those are evaluated equally for every employee and every job performance conversation. Those are looked at not just what you’re doing, but how you’re doing those things. And so I think it’s been really inspiring to see how we can insert better understanding around data to those ideas, right? Like how does work or work with data, you know, make us original, make us a classic American brand. And we want our work to be consistent with that. More than ever, we’re seeing consumers really focus on doing business with companies they trust, and consumers are smart, you know, you can’t tell them that you’re a company with values, and then for very long act in a way that’s inconsistent with that. I think that that’s at the heart of so much of what we’re seeing around even privacy legislation and focus on big tech companies. Us as consumers are asking hard questions, and you need to be able to answer those. Doesn’t mean that you have to be perfect. And we’re all going to, you know, have challenges and possibly make mistakes or try to avoid them. 
But being open communication, and really trying to do those right things, right makes a big difference.

Jodi Daniels  10:21  

And is there an example, maybe it’s a project or how you work collaboratively with other departments that can bring to life some of the different values?

Karen McGee  10:34  

I mean, you know, we’re trying to evolve as a company into one that, again, does business effectively online, and reaches consumers all over the world. And the methods to be able to do that effectively depend on data in many respects, right. So like marketing, obviously, marketing and advertising is a hot area. Adtech and martech present huge opportunities for companies, but they have significant privacy implications. And that, I would say, we put a lot of time into trying to form relationships with our e-commerce and our marketing teams. So that we can talk to them about not just how the privacy laws are evolving, but how the concerns behind those laws are the consumers’ concerns where they don’t really understand how these technologies work. And they are very complicated. So how do we talk about it in a way that’s clear? How do we make sure that our business teams understand what might those concerns be? And that we’re continually kind of iterating and partnering — it isn’t just, we hear about something, you know, a week before it’s supposed to go live. That’s not easy to do. But it’s a focus of trying to get better and more savvy and more agile at change management and process and moving quickly.

Jodi Daniels  12:08  

Speaking of moving quickly and iterating, the concept of AI is here, every podcast and conversation I feel like has to have that in there. How is Levi’s thinking about AI use cases and its risk profile for the company?

Karen McGee  12:26  

You’re absolutely right, it seems to be a part of so many conversations these days. And you know, I’ll start by honestly saying we do not have it figured out. But it is something that we’re talking about at many layers, right, in the organization. The privacy team does seem to have taken on the legal issues around AI, which is interesting for us, I think, because I’m, you know, a lawyer in the department that has a technology background and some of my past experience was around working with machine learning and AI solutions. So that’s been fun for us to kind of think about not just the personal data elements within AI, but like the larger issues around what that means for us, both in terms of complying with complex legislation that’s coming to pass. I think the last time I took measure, there was something like 100 pieces of proposed AI legislation in some form, you know, of the process around the world. 800 that’s, you know, compared to right up there with privacy, evolving legislation. But few of them have actually been passed. So we’re kind of trying to all read the tea leaves, like what is the future gonna look like? So it’s kind of an interesting dynamic of things around generative AI especially, right, have happened so fast. And yet, the guardrails are coming so slowly. So companies are grappling with how do we again do the right things, right? We’re not a technology company. So while yes, we work with data, we’re not, it’s not our bread and butter. It’s not our products. So we’re doing a lot of solutioning around things of how to insert generative AI to improve just our ways of working internally. Not a lot of it involves personal data, but it’s still different technologies, different partners, thinking about what data that we’re putting in those solutions and how do we protect that? 
So we built them internal guardrails, you know, some sort of like aspirational principles, some working guidelines, and then a cross functional review process that proposals are going through. Generative AI is kind of like opening the floodgates, right, to every employee to be able to work with these technology solutions. And so we found that the best approach is to talk about it and communicate about it to give people somewhere to go to get their questions answered. And to start experimenting in ways that are safe risks, I suppose I would say, right, like, how do we sort of start testing out some of this technology in ways that will help enable the business to move more quickly, but don’t involve sensitive information, proprietary data, personal data, things like that?

Jodi Daniels  15:35  

Well, on the AI front —

Justin Daniels  15:38  

As your background, as you’ve been learning about technology, what can you talk to our audience or share when it comes to? I find with AI, I have to understand what is deep learning? What is reinforcement learning? What is a neural net? All these types of technologies that get into pretty deep weeds? Because I’ve decided AI is kind of like Mad Libs gone crazy. Can you share with us how you think about approaching that? Because I’ll be honest, I’m struggling with how to understand how AI regulation works unless I really understand how AI actually works itself.

Karen McGee  16:18  

Yeah, great, great question. You’re not alone. I think there’s, you know, a lot of confusion between, you know, AI, generally, and generative AI. And, you know, why is gen AI so different? You know, in retrospect now, like we look back at, you know, we obviously have a data science team in the organization, I think, like most companies do, and historically, they’ve focused on machine learning, right? Like, how do they take, you know, data about regional productivity? Or like, what products are people enjoying? Right? What are they buying in different parts of the world? How does the difference in what consumers are purchasing in Japan differ from what they’re buying in France, right? And helping derive, you know, learnings from that. And, you know, we’re looking now at sort of these large language models, and people not really understanding how that’s different. And also, you know, how queries that they’re putting in and prompts that they’re putting into those tools are being used to fuel future results, how results coming out of gen AI can be hallucinations, they can look very real, but actually not be real. And that’s very different than the way that, you know, machine learning and neural nets work. And so there’s a tendency to kind of, I guess, like, lump them together, but because people don’t understand the difference. I would say internally, you know, we haven’t done as much of that formal explanation across the organization. But there are a few things that we do that we have done that are somewhat unique. Our former chief data officer, Katia Walsh, she established a bootcamp that was really focused on AI, understanding AI, being able to work with AI solutions, that any company employee across the company could apply to attend. 
And it was a very intensive program with the idea that those folks would then be able to go back to their business teams in the organization, and help spread awareness on, you know, maybe how to utilize these solutions, or how to think about working with AI differently. So that was really unique and experimental for a company, especially like Levi’s, again, not a tech company. And so, you know, we’ve got employees that have had that upskilling, across the organization who are able to be voices when it comes to some of those issues. As a privacy team, we’ve tried to bring in a number of different speakers and presentations, both within town halls and team meetings, but also through our data privacy champions program to talk about AI, both where it overlaps where that Venn diagram overlaps with privacy, but also where it doesn’t, and just at a higher level, what it is, how it works, and what are some of the opportunities and risks associated with it.

Justin Daniels  19:22  

Thank you for that. So now, I have to turn to my other favorite topic that goes with AI and that is the new SEC cyber rules. And so, you know, obviously, as Jodi and I always say privacy and cybersecurity are the peanut butter and jelly of technology area. And so I’d love to get your perspective on how the new SEC cyber rules are impacting how you know you and the privacy team would collaborate with the cyber team.

Karen McGee  19:55  

Well, you know, you said something so important. I love that peanut butter and jelly analogy, right, that the relationship between privacy and cyber is totally integral to being able to protect data and personal data as a part of that. So, you know, certainly that level of connection isn’t something that’s novel in and of itself. I think what does feel new is the emphasis on getting maybe a little more formal, a little tighter on roles or responsibilities on how we talk about the governance and the accountability of the program. And that’s just not so much changing the way things really work, as opposed to the way that we talk about it. And also, internally, who we make sure has visibility because other people outside of the privacy team and the cyber team now have, as part of their role when they didn’t before, accountability to these, you know, to the SEC and to be able to talk intelligently about the requirements in the program and in cyber and privacy. So we’ve done some work in that area, like expanding out our governance team, our cyber leaders governance team, to include new players, and to be focused, I think, in the year to come on, looking at our documentation, looking at the framework of the program, and where do we need to make sure that we’re really crisp when it comes to policies and procedures and ways of working? You know, the potential historically, right, like of a data breach, we’ve been working in that parameter for a while, right, like if there’s a risk of a data breach, knowing that we need to go and talk to our corporate governance team, for example, at least for public companies. But what’s unique here for us is that privacy may or may not always be in the loop, that there are cyber incidents that could occur, that don’t involve personal data at all. And yet, you know, those teams need to develop that collaboration muscle in the same way that maybe privacy and corporate governance have in the past or privacy and cyber have in the past. 
So I think our unique opportunity is to be part of that conversation between those teams, and try to kind of coach and develop those behaviors. We’ve updated our incident response training programs to talk about the roles specifically and make sure that we continue to monitor for more guidance or activity and talk to experts who, you know, are close to the SEC. And that’s a little bit new for privacy to be able to do. One thing I think that will really be helpful is something that our cyber team did before the rules came into effect. But it’s turned out to be something that we’ve talked a lot about the value of, is to create kind of a dedicated Business Information Security Officer function. And their sole remit really is to build relationships with the businesses around the world that are personal, that are close, so that the business feels they have a face to the name. And even though we have a formal incident reporting mechanism, as you know, relationships are critical. And so when we think about the need to move as quickly as we need to move under these rules, or under other new laws that are coming to pass, having a relationship even if we don’t have a body on the ground, right? Like we’re not lucky enough to have privacy people or information security people in every country where we do business, but they’re putting the time into building those relationships. So somebody has a question, or a concern, or they see an unusual activity. You know, they always know that they have someone to go to.

Jodi Daniels  24:00  

Speaking of building those relationships, and being a global brand, many companies are still trying to figure out how to build a privacy program. What could you share that you feel has worked really well to be able to build a global privacy program?

Karen McGee  24:18  

It definitely isn’t an issue that we talk about in most of the working groups. The kind of cross functional groups that I belong to is, “what is the answer to building a global privacy program when the laws continue to evolve at such a pace?” And then on top of the laws, we have guidance that comes out or enforcement decisions that we have to respond to. And there’s a fork in the road for companies. Do we look at every country where we do business and try to build a unique privacy function and maintain this patchwork approach based on local laws? Or do we think more globally about a framework that covers core commitments, right, like openness and choice and access, security, and put most of our time into aligning globally around those principles? We’ve taken that latter approach. And so our framework is really founded on the fair information practice principles, and developing an accountability framework to align across those and make sure that we’re communicating about what those really mean, at a global level. And then we nuance those locally. So, you know, hopefully 70%, or 80% of our program is consistent, right, and that, whether you’re working in e-commerce in Japan, or Australia, or South Africa, or the US, you’ve heard the same thing from us, you’ve heard the same, the conversation about individual participation, and choice and consent, and those things are in common. And then we do go out, and we look, we work with local counsel, we work with our local business teams to understand the variances and the operations, because those certainly do exist. The development of the company over time has been such that, you know, there were certain parts of the organization that were very enterprise focused. And then there were other parts of the organization where maybe they were operated by a distributor, or we have a lot of franchisees, and the way that works is different. So we certainly have to nuance the program, you know, based on those kinds of variances. 
The other thing that’s unique is we have this combination of retail stores and products being sold online and corporate employees and distribution centers and factory workers, and the personal information that we process, and those functions vary a lot. So we have to look at like, what kind of business are we doing in different countries? And how many employees do we have? And where’s the information on those employees going? So there still is, you know, a lot of need to look at locations differently. But that’s been our approach so far.

Jodi Daniels  27:07  

I think that makes a lot of sense. And I like how you articulated how you have to look at the different places and the different business functions and the different kinds of people in each of those, because they are really different. And a lot of times, I think some companies might forget that. So thank you for calling that out.

Justin Daniels  27:27  

So given all of your wealth of privacy experience over the years, what is your best privacy tip for our audience?

Karen McGee  27:35  

Gosh, yeah, I think, you know, I have sort of, like, from the practitioner perspective, I think what’s been really important for me and effective in my career is to try to balance the compliance elements of my job with the business need to create. And I think that that makes being in-house really interesting and exciting, is the thing that I love about it. And so the conversations that we have with our business partners are doing a lot of listening to what they’re trying to accomplish. And while compliance is clearly essential to my function, I always try to think about the function being part compliance, part just common sense risk reduction, and part enabling the business to do the right things, right. And so, remembering to go in and think with an open mind, and to really hear what the business is trying to do, is essential. And as an individual, I think it’s really around managing information that I put out into the world. You know, it felt like 10 years ago, you know, I used to see folks putting all this information on social media, about, you know, their family, their kids, their pets, the vacations that they were on, maybe not slowed down a little bit, you still do see it. But I always think about how that data can be misused if it’s not protected, if people don’t have the right access controls. And I see all these young, you know, influencers, putting their whole lives out there. So just think about how my actions impact others around me. And, you know, if I’m posting photos of my kids today, how is that going to impact the way their data is used, or that they’re targeted in the future? So, as a result, my posts are usually pretty boring, like landscapes and sunsets.

Jodi Daniels  29:34  

Well, when you are not building a global privacy program, what do you like to do for fun?

Karen McGee  29:42  

I’m, I think, first and foremost, a passionate equestrian, so I’m a competitive dressage rider. So I spend a lot of my time on the back of one of my horses and that’s great for getting out of my head and getting outside and getting some exercise in. And then my husband and I are also avid scuba divers. So we’re always thinking about the next time that we can get underwater. And you know where we’re gonna go to do that. So I’m in the midst of planning a trip to Egypt for the summer to do a liveaboard diving trip, and I’m super excited about that.

Jodi Daniels  30:17  

Wow, that does sound really interesting. Oh, fun. I have to say, I don’t think we’ve heard that one before. We hear lots of hiking, traveling and eating. So we haven’t heard these.

Justin Daniels  30:27  

You might get a unique award.

Jodi Daniels  30:30  

So well, Karen, thank you so much for sharing all of this with our listeners. And if people would like to connect or learn more, where could they go?

Karen McGee  30:43  

Oh, absolutely. I’m on LinkedIn for sure. So welcome, anybody who wants to reach out, you know, on that platform, and you know, certainly available at kmcgee@levi.com if folks want to drop me an email. It’s always great to connect with other privacy professionals and hear what folks are doing and what questions they’re having, and working together is the best way that I think that we can move the needle forward.

Jodi Daniels  31:10  

Absolutely. It takes a village to do all this furniture store. Well, thank you again. Yeah, my pleasure.

Karen McGee  31:16  

Thank you so much for having me — I enjoyed it.

Outro  31:23  

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.
