Lessons Learned from California on Global Privacy Control
August 2, 2023
The patchwork of privacy legislation at the state level is challenging, at best, and right now enforcement of CCPA in California is providing many lessons learned for both other states following in California’s footsteps and businesses trying to remain compliant with new, and old, privacy laws. Last year’s landmark Sephora settlement with the California Office of the Attorney General, for example, has led businesses to pay much closer attention to a technology called Global Privacy Control, or GPC, first introduced in 2020. The settlement reminded businesses, in a big way, that they must respect consumer choices.
In this episode, the hosts of Priv are joined by Jeewon Serrato of BakerHostetler, who represented Sephora in this landmark settlement, to break down GPC and outline the lessons learned for businesses.
CPRA Compliance Services
In this episode of Privacy Abbreviated, hosts Dona Fraser, the SVP of Privacy Initiatives for BBB National Programs, and Jason Cronk, the President of the Institute of Operational Privacy Design, are joined by Jeewon Serrato, a partner at BakerHostetler. The three experts discuss how small- and medium-sized businesses can harness the power of Global Privacy Control (GPC) to comply with privacy regulations and protect their users. GPC is a tool that allows users to opt out of online data tracking and is required under the California Consumer Protection Act (CCPA).
02:00 - Dona explains how a particular settlement between Sephora and California’s Attorney General in August 2022 forced businesses to pay more attention to GPC. California’s Attorney General Rob Bonta alleged that Sephora failed to disclose to consumers that it was selling their personal information, failed to process user requests to opt out of the sale of their personal information using user-enabled GPC, and did not remedy these violations within the 30-day period as required by the CCPA.
Attorney General Bonta states, “Technologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights. But these rights are meaningless if businesses hide how they use their customer’s data and ignore requests to opt-out of its sale.”
In the online world, consumers are persistently monitored and tracked. The settlement reached with Sephora highlights the rights granted to consumers under the CCPA, empowering them to combat commercial surveillance.
14:32 - Dona then points out that CCPA won’t apply to all businesses. Businesses that must adhere to CCPA are for-profit businesses that do business in California and meet any of the following: have gross annual revenue of over $25 million; buy, sell, or share the personal information of 100,000 or more California residents, households, or devices; or derive 50% or more of their annual revenue from selling California residents’ personal information.
Because many medium and small businesses won’t meet those prerequisites, they won’t be required to comply. However, Jeewon points out that compliance is almost impossible after collecting data. She suggests that businesses abide by the guidelines early on so that if and when they grow past the threshold, they’re already in compliance. She says it’s a much easier process to do upfront than retroactively.
20:11 - Jeewon reiterates that complying with privacy laws is not a simple task. It’s complex, and it requires expertise. She recommends finding outside vendors or counsel that have experience with GPC and CCPA regulations. By engaging professionals with a practical understanding of these specific regulations, organizations can navigate the complexities more effectively and ensure adherence to privacy laws.
According to Jeewon, ensuring compliance “is a matter of finding the right tools, technology, and partners who can shed light.”
Before closing the episode, Jason and Dona ask Jeewon a few questions about herself and her experiences in the privacy sector. In answering those questions, Jeewon continues to press the importance of creative problem-solving within the complex world of data privacy and the need for partnership and teamwork while tackling complicated situations. No one can solve privacy problems alone.
Signing off, Dona encourages listeners to listen to previous episodes of Privacy Abbreviated to learn more about the current privacy landscape. To do so, you can visit BBB NP’s Accountability Studios website or subscribe to Privacy Abbreviated on Apple Podcast, Google Podcast, Spotify, or where you access your favorite podcast!
Privacy for Start-Ups
With tens of thousands of entrepreneurs in the United States, how do these business leaders ensure privacy is part of any pivots or growth plans? What are the data wants vs the must haves? Priv hosts are joined by the Tech Diplomacy Network’s Katharina Koerner and Santa Clara University’s Professor Linsey Krolik to discuss the privacy questions entrepreneurs face when getting their business started.
The Government Purchase of Private Data
In this episode of Privacy Abbreviated, professor Matthew Tokson joins our hosts to discuss how the collection and sale of private data may help government agencies circumvent legal requirements.
Ad Watchers: What is the appeal of an appeal? Getting to Know NARB
In this episode of Ad Watchers, your hosts discuss a critical link in the chain of advertising industry self-regulation: the National Advertising Review Board, or NARB, the appellate body for National Advertising Division cases.
Filling Privacy Gaps with Soft Law Solutions
In this episode of Privacy Abbreviated, our hosts are joined by the Future of Privacy Forum’s Jameson Spivack to discuss how industry-developed standards and best practices can guide policymaking allowing hard law to adopt the lessons learned from soft law.