Privacy Lawls with Donata

Ep.19 | What do State and Financial Privacy Laws Have in Common? (Guest: Elliot Golding)

Privacy is a big deal in the financial world, and rightfully so. The industry possesses very important and sensitive information.

So, how do financial privacy laws match/differ from the privacy laws passed by countries and states? What can they learn from each other?

We discuss this and more with Elliot Golding, a partner in McDermott Will & Emery’s Data Privacy and Cybersecurity Practice.

Show Transcript

[00:00:00] Hello, and welcome to episode 19 of Privacy Lawls, where I, Donata Stroink-Skillrud, speak with amazing privacy professionals, and we have some laughs along the way as well. Today, I’ll be speaking with privacy attorney Elliot Golding about the overlap between financial and state privacy laws. Elliot is a certified information privacy professional and a partner at McDermott Will & Emery. Elliot provides business-oriented privacy and cybersecurity advice to global companies spanning virtually every sector of the economy, with a particular focus in the technology, healthcare, life sciences, retail, e-commerce, automotive and financial sectors.

He routinely counsels clients on the latest cutting edge issues such as online advertising and tracking technologies, digital health tools, data monetization strategies, and artificial intelligence. So Elliot, thank you so much for joining me today. Yeah, thanks for having me. So what made you interested in working in privacy?

[00:01:00] Well, I had come out of law school back in 2009, and it was like a wonderful time in the legal market, and as I was sort of looking around, I realized I probably had to do something that other people weren’t doing to be in a good spot at a pretty good law firm. And, you know, HIPAA had been amended in 2009 and no one was really doing that, and so I just kind of threw myself at that and I kind of liked it, um, and then sort of right place, right time, I ended up getting seconded to a large health plan and, you know, just basically said yes to anything remotely related to data, and it kind of grew and grew and grew, and now it’s kind of the cool thing to do, but back then it didn’t really exist as a practice.

So kind of a little bit of lucky, a little bit of just hard work. Yeah, I think it was the same for all of us. It’s not most of us, right? We just kind of fell into it, loved it, and then kept going. I mean, I don’t know anyone who’s been doing it a long time who didn’t fall into it at some point. Like no one went to law school to be a [00:02:00] privacy lawyer back then.

Right. So. In your practice, you do work with privacy, but you’re also working with cyber security, um, as well. Can you tell us a bit more about how these fields intersect, um, in your work with your clients? Yeah, I mean, I sort of think of them as flip sides of the same coin, right? You can’t really have privacy without security and you can’t really, you know, but to be honest, over the years, I’ve shifted a bit, right?

At the beginning, I did a lot of breaches, a lot of cyber, because that’s kind of what there was back then. More recently, I tend to do more privacy, but kind of. It’s really just data. I mean, the distinction between privacy and cybersecurity, I don’t think really matters as much as, you know, just protecting data.

And that could be privacy, could be security. People call it different things. It doesn’t really matter. It’s sort of how do you leverage data to support a business, right? And, and that includes keeping it confidential, keeping it available. And making sure it doesn’t [00:03:00] get corrupted, right? Confidentiality, integrity, availability.

So confidentiality is kind of the privacy one, but they’re all sort of privacy and they’re all sort of cybersecurity. And most of these laws have both privacy and cybersecurity components. So I, you know, yes, there is a big difference between them, but at the end of the day, when I’m advising a company, I don’t really think of it in terms of like two different buckets entirely, right?

Yeah, they definitely overlap. Um, probably a little bit unfortunate that they called it the CIA triad. Right, right. Yeah, totally. In terms of, you know, with privacy and cyber security, there’s a lot of stuff to stay up to date with, right? There’s a lot of things always happening, new laws, rules, regulations, enforcement actions, fines.

Um, you know, what are your favorite resources to stay up to date with all of this? I mean, I read the usual trade press that everyone looks at, um, but to be honest, my [00:04:00] main tool is having an amazing, you know, big team of people here at the firm at McDermott. And what I found is between one of us, we pretty much catch everything.

I mean, I, I, I’d say if I really, I can’t, I can’t think of a single situation where we kind of just miss something in a long time. And that’s, and that’s kind of what our clients are looking for us to do, right, to be the ones that stay up to date on this stuff. And you’re right. Privacy is one of those fields where it’s constantly changing, constantly evolving, you know, unlike a lot of the other more classic legal fields people go into, but at the end of the day, I mean, a lot of trade press, I sign up for most of the major regulator distribution lists, and between those, I feel like that and having a great team, that’s how we catch everything. Yeah, that’s great. I’ve made the mistake of signing up to some general attorney general lists and I end up getting like so much [00:05:00] stuff that’s not related to privacy. I know it’s really hard to keep up.

So you have to like cut through the noise. Yeah, I always appreciate publications. They kind of give me a few headlines and don’t just pick up every single little thing. Absolutely. And that’s one of the things we do together at the E Privacy Committee is it’s how people stay up to date with all this stuff.

Cause there, there can be so much going on at any given time. I appreciate the we, but it’s, it’s all you, Donata.

Well, now we have law students helping us too. So that makes things a lot easier. It does make it easier for sure. Um, all right. So let’s get into it. So today we’re talking about harmonizing financial and state privacy laws. Um, you know, we hear about this a lot, state privacy law patchwork. Um, it’s becoming more difficult to manage.

Um, you know, we’re talking about organizations that need to comply with federal privacy laws and state laws, um, can be a monumental challenge that requires a lot of manpower and leads to a lot of costs. So, you know, [00:06:00] why do we care about that? Um, well, aside from, you know, the law is the law and all that, but there really is quite active enforcement.

Um, I’d say more on the state, like the general state privacy law side, than like GLBA, right, under with the FTC or the CFPB, but the other part is the states that enforce other laws like, uh, New York Department of Financial Services, the SEC, they’re all really turning it up a lot on both privacy and cybersecurity, right?

The classic, you know, there was a breach and then you get investigated, but in many cases, the enforcement can be created just by like reviewing someone’s website, right? The latest bastion of privacy disputes and litigation enforcement is really over cookies, and that’s just, you just look at someone’s website, you can tell immediately if you know what you’re looking for, right? [00:07:00]

Same thing with the litigation. Um, in terms of, again, again, cookies is just a big one for financial institutions, uh, also is under the California Invasion of Privacy Act. And there’s like, you know, several flavors of that, one of which is something that financial institutions do a lot, which is voice printing.

Um, and so creative plaintiffs are using that to bring these suits. And I guess the point is it’s really active enforcement. It’s really active litigation. And if you ignore it, it’s, you’re going to spend a lot more on the back end than you would on the front end, just, just trying to comply. Yeah. I think it’s interesting that you mentioned, you know, cookies and all that other stuff.

I think, you know, it’s so easy to see that you could just run scripts on websites and see who has analytics or ads but doesn’t obtain consent for, for that. Yeah, I mean, I just use Chrome developer tools, to be honest, and learned to look at those tools to figure it out. Um, you know, I mean, there aren’t [00:08:00] really many laws that actually require opt-in consent in the U.S. But the plaintiff’s attorneys are arguing that, that the California Invasion of Privacy Act requires that. No court’s decided it yet, but, um, it’s going on and on. Now, now there’s like, you know, several dozen plaintiff’s attorneys bringing these suits routinely. And again, most of them are looking for settlements, but they’re prevailing on motions to dismiss.

So it’s sort of gonna come up sooner or later for most companies. Same thing with the California AG. Tons of enforcement, if you look at their published examples, involving financial institutions. Yeah. When you were, you know, in law school becoming a lawyer, did you ever think you’d be using Chrome developer tools?

Never. I, like, if you’d asked me even probably two years ago, would cookies be, you know, probably half of what I do right now, I’m in a city for crazy. And again, I, I don’t think it’s the most important privacy issue, but you’ve got to focus on the things that are [00:09:00] impacting clients and that’s what it is. So I’ve taken a lot of time to learn from a very technical level how these work and how to do a cookie audit and, and how to configure all the consent management tools. And, you know, you sort of go where the clients need you to, right? Yep, absolutely. Um, so what are some of these laws that we want to seek to harmonize, both from a state privacy level and federal financial laws? Yeah, I mean, financial companies probably have it the hardest of any sector other than health, because there’s, there’s four completely different buckets of laws that they’re going to have to deal with, right?

So, so first we already mentioned, there’s those general privacy laws that started with California, the CCPA, and now there’s 20 of them. And, or that are either enacted or soon to be enacted, and although many of them have exemptions for, uh, GLBA covered entities or the equivalent under state law, um, some of them don’t, right?

Um, in [00:10:00] California, the CCPA only has a data-level exemption, so it only exempts data subject to the GLBA or, or the California Financial Information Privacy Act or CalFIPA. Um, right. Same thing with Oregon. There’s a handful of other states that don’t just exempt entities altogether. And, um, you know, we have a comprehensive map on our site.

Maybe you could put that up when you release the data, but it’s hard to keep up. And beyond the state, at the federal level, the FTC still has unfair, deceptive Section 5 authority over financial institutions, even if they don’t have jurisdiction over the privacy aspects of the GLBA anymore for most companies.

And of course, there’s all the state data recertification. So bucket one, all these general privacy laws. Um, the second bucket are the financial privacy laws, right? So there’s the GLBA at the federal level, um, which was implemented, um, in [00:11:00] states, for the most part, um, with, with sort of mini-GLBA laws, um, particularly in the insurance sector, and those get enforced by the FTC and the CFPB, and there’s, you know, the FCRA, Fair Credit Reporting Act, um, a lot of states have almost like three different versions of the privacy laws.

There’s like, particularly for insurance, there was like the older Insurance Information Privacy Protection Acts and then the ones that they enacted after GLBA and then a more recent version of them. Um, and there’s a whole bucket there that don’t really line up all the time across states. Then the third bucket is cyber laws and standards, right?

So, you know, there’s the forthcoming cyber regs and the New York Shield Act, and then all the state financial, financial cyber security laws like New York DFS cyber security regs. You know, the insurance has the same types of things. There’s PCI, there’s the FTC safeguards rules, there’s cyber laws. And then the fourth bucket is activity specific laws, [00:12:00] right?

Laws that apply to marketing, like CAN-SPAM and TCPA, or laws that apply to the use of artificial intelligence in California, Utah, and Colorado, and the wiretapping laws that we alluded to earlier based on, you know, the use of cookies and other things. So like there’s a lot of them and they all don’t line up nicely and you have to harmonize them all.

So it’s really tough for financial institutions. I really like the idea of harmonizing things. And that’s something that I do almost every day at my job is trying to make compliance easier by seeing what the overlaps and what the differences are so we can save time, you know, and save money. It just, it’s definitely something that I think every attorney should be engaging in because it’s going to save them time.

It’s going to save their clients money. It’s going to save effort. It’s just going to make everything easier. So, you know, speaking of harmonization. What are some of the main differences and similarities between these laws? Yeah, [00:13:00] well, so the applicability differs across them all, which makes it so tough, but they all have similar sets of rules with different details, right?

They all have some sort of notice requirement, right? Where you disclose your data practices. They all have rules around what are the permissible uses and disclosures of data, right? And that’s where a lot of them overlap, particularly in the financial ones. Um, they all have special rules for consent in some situations, and whether that’s opt in or opt out, right?

GLBA has opt-out of sharing with non-affiliates. Um, other states like California under CalFIPA have an opt-in requirement, so it actually becomes a bit more stringent than the CCPA in some ways. Some of them have consumer rights. Like GLBA doesn’t, CalFIPA doesn’t, some of the other ones do. Um, a lot of them have contracting requirements.

So there’s a lot of overlap between them. It’s the details [00:14:00] that matter, and if it’s opt-in or opt-out, or what’s the content of a notice, or how often you have to deliver the notice. So, you know, you can bring it all together in that sense, but then you really do need to pay attention to the details. I like to think of it similar as, you know, let’s say you were in high school and you were writing a paper, and so was your friend, and you copied their paper, but you make it just different.

Richard doesn’t notice. That’s right. That’s right. Think about it. Like, uh, California, when they started with the CCPA, it was like all over the place. Um, and then Virginia came out with the, with a version that, um, had some support from industry and that’s sort of become the model, I think. Same thing with the GLBA and, um, you know, the NAIC putting out model laws that states tend to largely adopt and then they make their own.

It’s like cooking, like you make your own changes to it to make it yours. So yeah, it’s totally right. That’s, that’s funny. It’s funny. I’ve even seen bills that are proposed that are like an exact copy of [00:15:00] an existing law, except they forgot to input the number. So like for the law to apply, you have to collect X amount of personal information from people, and they forgot to input the number into the X.

Really? Yes. And I’m like, how did this make it through, uh, enough to be considered? Like, didn’t you guys do any proofreading? Um, or, you know, response to consumer requests. One state will have 30 days and the other state has to have 45 so that it’s different, you know? Yeah. Yeah. This is going to be difficult.

California always has to be difficult. Yep. And that’s why we all just, uh, are constantly losing our minds on, on trying to work this out. Right. Um, but you know, to harmonize these laws, you want to create an action plan. So what are some elements of your compliance program that you’d want to take a look at?

Yeah. I mean, if, if I’m thinking about it, there, there’s so many rules and, and the, the question I get is just like, tell me what to do, bring it all together for me. And so, when I’m either looking at building a [00:16:00] program or evaluating one and doing an assessment or just improving and strengthening over time,

I kind of break it down into seven major buckets, right? And at the beginning of the project, the first bucket is doing some information gathering and scoping and harmonization, and, you know, that can be a big range of things. Maybe I’ll just walk through all seven first and then we can talk about what each of them mean.

But the second bucket then would be, you need some sort of data inventory or mapping. I’m not like a big fan of doing a comprehensive data map because as soon as you’re done with it, it’s out of date, but getting like some sense of where the data is, it’s just, it’s not possible to comply with all the requirements without some amount of mapping or inventorying data and keeping that updated.

The third bucket is your external privacy policies, which are a requirement across all the laws. Fourth is data subject rights procedures. Fifth is contracting. [00:17:00] Sixth is internal governance, you know, documentation, training, privacy impact assessments, policies, procedures, all that. Um, and the seventh is cybersecurity and breach readiness.

Um, you know, each of those could be an hour on its own, but that’s the way I sort of break it down. And then I try to do a comparison across and, um, figure out what we’re going to do, but, but, but that first scoping step is really probably the most important. Yeah. So I really like how you said that, uh, before, have you said that, you know, figuring out that.

Which privacy laws apply to you? Um, you know, you start there first because you can’t know the rest of the requirements unless you figure out which laws apply to you. And I started, I’ve been jamming that, that down everybody’s throats for years now. Um, can you talk about the initial requirement of gathering information and scoping?

Yeah. I mean, the way I do [00:18:00] it is, I do what I call like mini discoveries. I start by like somewhere between two and four interviews, and I’m trying to gather key facts about data flows. Like what data elements do you collect from where? How do you use it? How do you disclose it? All that. But also, more importantly, like the context of it, right?

Are you getting data in order to sell insurance? Are you getting data? You know, are you a regulated data? Yeah. Financial institution or not. Or maybe some functions are some functions aren’t, um, and trying to figure that out initially. And it might sound like it’s obvious, but it’s it’s not right. Um, a lot of companies are kind of right at that edge and what is considered, you know, financial in nature for purpose of the GLBA.

It’s a lot of edge cases, particularly within tech, um, going on. So trying to gather the data and figure out what to do. And then more importantly, making it right. Kind of scoping decisions, right? Like, are you going to [00:19:00] try to figure out the exact nuance? Or are you just going to do highest common denominator?

Right? Um, so, between CCPA and GLBA and all the other ones. But, you know, starting with, what are we working with here? And then figuring out, like, what does the company already have? Right? Why reinvent the wheel if something’s working? And sometimes it’s easier, faster to just replace something. Sometimes it’s not, but starting with a sort of mini assessment of what are we really working with here?

So that’s kind of like the key first step. And I like to think of it as well, 100 percent compliance is impossible. Just, just put that out of your head. It’s not going to happen. So part of that information gathering is also defining what are we going to consider good? 70-80 percent, you’re probably doing better than most companies.

Yeah, we talked about this before, um, regarding privacy policies. Um, you know, one of the things that we’ve seen a lot in the past is that a lot of external-facing privacy [00:20:00] policies have, you know, disclosures for each specific privacy law, or maybe they even have specific privacy policies for each privacy law.

Like here’s your California privacy policy. Here’s your Montana privacy policy. Do you see this as something that’s unsustainable with the system that we’re currently in? Yeah, I think it’s totally unsustainable. So when, when we started having the state laws pass, there was interest in doing, okay, here’s a California notice and here’s a Colorado notice and Virginia notice.

And I just think that it’s not sustainable. Now, you know, the counterpoint to that is we are seeing some states and some regulators harp on companies that don’t make it clear which rights apply to which people, right? Particularly if you combine several different notices, like a financial notice and a CCPA notice in the same.

Um, we’ve seen Oregon start sending enforcement letters over that sort of thing, saying it’s not clear. I personally [00:21:00] think that having 25 notices in one place is way less clear, right? And I just try to make it, you know, the notice really transparent about what applies and what situations, in a really concise, consumer friendly way.

Um, I like to think there’s, you can always tell someone’s new to privacy based on how long they write a privacy notice, right? And if it’s like 30 pages long, you know, they haven’t been doing it that long. I like to keep mine super short, um, and to the point and, um. Yeah. So, so to answer your question, yeah, I think it is unsustainable.

I think also for consumers, it’s really frustrating as well. You know, you start reading the privacy policy and okay, here’s the data that they’re collecting about me. And then you scroll down and there’s a California notice and it has 10 more data sets in there. And it’s like, well, what are you collecting from me?

Why is it different for people from California than somebody who’s from Illinois viewing it? And then, you know, you get intimidated by having to read [00:22:00] 30,000 pages of the same information restated over and over again. Yeah, right. And, and having that many, these companies to just sort of adopt almost templates.

And then you get, you know, weird things like a flashlight app disclosing the category of sensitive personal information for, you know, reproductive health or something, because they just copied a template and, um, it, it, it ends up, the complexity ends up making it less transparent many times. So I often just, we have to combine the laws and that means sometimes we’re going to have to take some risk and not comply with every last single requirement in every last state.

Cause it’s just not feasible. Yeah. There’s nothing worse than your company’s name ending up in the legislative notes for why the law was passed. I think there was one back in the day where there was a calculator app that was collecting geolocation information for some reason. That sounds about right.

And I believe that [00:23:00] there is a price. Well, I think it was callow, but it was in the legislative notes saying, you know, companies such as flashlight apps, collecting way too much consumer data is why we need to create these laws. And I was like, Ooh, yeah, that’s never good. You never want to be that company.

Right, right. Exactly. What about consumer rights requests? Um, how does the harmonization work there? Yeah, well, there you need to sort of start off with, um, well what are the rights and, and all that. So, you know, whether it’s a right to know or access or correct or delete or opt-in or opt out or whatever.

Yeah. You need the substantive backend. At some point to fulfill the right, but I sort of think about it as what’s your process going to be and and and creating a harmonized process. So, you know, the first step is half like intake. How are you going to get a request? Right? How are you going to verify [00:24:00] identity?

Right? To make sure you have the right person? What communications are you going to send out? And then, you know, obviously the substantive response there. But to be honest, I have a lot of clients who years ago started off with, well, we’re only going to give people the exact rights that apply in the exact state that they’re in under the exact law that they’re in.

And there’s a cost complexity there. And a lot of folks over time just said, all right, well, maybe we’ll do a one-size-fits-all. I play by the clients who started the other way, saying no, we’re just gonna give everyone all the rights and quickly realized that that was unsustainable, too. So I think there’s got to be like a happy medium there and it’s always gonna depend on resources and a client’s particular risk tolerances.

So what I do is I create a template. I have a whole template set; it has a flow through it of how to handle each request and then all the template responses, but the part that always has to be customized is okay, and then how are you going to substantially [00:25:00] respond, right? Correcting seems easy enough.

Delete also easy enough because it’s usually an exception. But the right to know, the right to access to me seems really, really tough. Like actually going and grab a copy of every data point and that’s going to require a lot, a lot of thinking and fortunately, it doesn’t seem like too many people make those requests.

It’s, it’s mainly delete and it’s mainly opt-out. Yeah, that’s, that’s what we see too. And I think it really depends on the size of the company and how much data they’re processing. Like for us, we’re a much smaller company and we work in privacy, so we’re going to offer the same rights to everyone. Um, but you know, somebody who has the data of millions of people across a lot of different databases might not want to do that just because of the cost and the time-consuming aspect of all of this. Right. Exactly. We, you touched on this previously a little bit, but you know, when it comes to harmonizing these laws, you know, what do we have to [00:26:00] think about when it comes to tracking technologies and online advertising and things like that?

Yeah, I mean, I sort of think of that as part of the data subject rights bucket, right? Um, because most laws will have either an opt-in or an opt-out of these sorts of things at this point. Um, you know, maybe, maybe half at least of states. The thing to think about is whether it’s a sale, right? Or sharing or targeted advertising, whatever it is.

Black companies didn’t want to call these things a sale because it just sounded bad optically, but it’s been defined and enforced so broadly that most cookie use, pixel use for targeted advertising is almost surely going to be a sale. And at least some states like California, right, that defined sale broadly to mean, to include non-monetary consideration. But I think the more important point is how are you going to operationalize that, right? And if you’re trying to think about compliance across [00:27:00] CalFIPA and the CCPA and CIPA and the whole alphabet soup, I think it really comes down to a few key decisions of are you going to get opt-in or opt-out?

Or nothing. Or are you going to geofence and do some states one, some states another? What’s the language going to say? I see that being a big pitfall, people sort of over-promise. And you have a banner that says, please click accept, uh, to allow cookies, but the cookies have already fired, and all of a sudden something you were trying to do to give people choice has turned into an unfair, deceptive practice.

And that’s something that plaintiffs’ attorneys and regulators have been focusing on in particular, because a lot of the tools are, they just don’t work out of the box without configuring. Um, and then sort of, you know, what language to use and how does it map to your other data subject rights requests? So there’s not that a sale, you’re going to have to use a solution that basically drops the first-party cookie to stop the cookie-related selling, sharing. Lots of companies sell in other ways, [00:28:00] too, right?

Like, like, like creating custom audiences, taking your list of customers and uploading it to create three custom audiences using social media. So you’re gonna have to have like an offline process; when I say offline, I mean non-cookie process. Yeah. So, so the cookies have really become a huge part of this, and it’s mostly because it’s the most litigation enforcement, way more than any other data subject right?

Absolutely. Do you see, like, with this evolving legislation, do you see companies moving away from ads and tracking? Maybe? No, no. I mean, Google had threatened to deprecate third-party cookies for like several years and they eventually moved away from that. No one is just turning off the advertising right now, you know, a small percentage, but it’s growing, are moving to opt-in at least in California, like, you know, 20, 25%.

But I still don’t think that’s market yet. And I don’t see people just turning off [00:29:00] these technologies. What I do see is when we do these assessments, we find out that a site has a ton of queries and trackers and no one has any idea why they were there or why they’re not being used. So yeah, in that sense, we turn them off because we’re not using them anymore.

But not, not intentionally and broadly, we’ve seen that too, where, you know, somebody has analytics on the site. I haven’t logged into that analytics platform in like two years and haven’t seen of it. Maybe I don’t need it, you know, right. Um, so it does come up. Um, sometimes your companies are more cautious about this rather than just, oh, let’s install everything and see what happens.

Yep, exactly. Yeah. Um, what about, you know, working with vendors, um, are you seeing a lot of your clients updating vendor agreements, um, to, to harmonize these laws? Yeah. I mean, if you didn’t already. Right. One of the key things that needs to be done is update these contracts. And we do see that get enforced surprisingly for not having the right agreements in place to make [00:30:00] someone a processor.

And in California, you even need a controller-controller agreement. That’s sort of like GDPR. Um, for the most part, if you already had a good contracting process that was done for the CCPA, when the CPRA amended it, all the new states aren’t really materially different. So, you know, recounting with all your vendors is a big, big hassle.

I wouldn’t suggest doing that, but I would suggest though, is, is having a template agreement to have some consistency and then building a playbook around that is something we do with a lot of clients is, you know, try to use your paper. Depending, you know, you’re probably not gonna be able to negotiate with one of the big cloud providers, but for a lot of other vendors, you can.

And then having a set of pre approved fallbacks if you need to negotiate to maximize consistency. And if you’re sort of a, a vendor yourself, same thing. Even more so, you can’t have a different contract for every one of your [00:31:00] customers. Um, but yeah, that’s, that’s definitely a key part of it. Especially No, go ahead.

Um, especially for things like data breaches, you know, if you have 12 hours to notify one client, 24 to notify another, 72 to, to notify the third one, that can get very confusing. Yeah, yeah. And I don’t think most companies, it’s just not possible to operationalize 12 hours for the most part. But yeah, you, you end up with these like contracts of, are you really going to enforce that provision anyway? People tend to get too wrapped up in it sometimes. What about, um, training internal staff? I mean, you know, how complex do you want that to be? Yeah, I mean, most employees don’t need a complicated training. It drives me nuts when I see like an hour or two of privacy training for everybody.

Because not everybody needs that much. Yes, you need to know the basics. You need to know not to do bad things. Right. You need “don’t [00:32:00] do bad things” training, like, don’t give out data, don’t show your password. I’d say it’s more important on the cyber front, given how much we’re seeing breaches increase from social engineering attacks or deepfakes, and making people aware of those tactics.

But the privacy training, you know, if you look at the legal requirements, it’s like in California, you need to train people who are either customer-facing, who might get a request and need to know what to do with it, um, or people that are actually handling data subject rights. Those probably need a lot more detail.

I don’t think every single employee needs a lot of detail. Like, you know, 10 to 15 minutes should really be plenty, because people are going to zone out anyway. Might as well make it worthwhile. So I’m going to put my hat on the chopping block here: I got way too excited, and our privacy training is like two hours.

Yeah. But it might depend. No, I go [00:33:00] through it myself with them, so it’s not like a video we watch, but, um... Oh, well, no, so that’s fine. That’s fine. This is like self-learning modules, right? Well, in my defense, like 20 percent of our privacy training is just memes. Yeah. Okay. Well, so you can keep it interesting.

Yeah, I try to keep it fun. Um, and there’s no shortage of privacy and security memes out there, so I personally think it’s very entertaining, but our employees probably don’t think so. So you gave us a lot of really, really good information here. What are some main takeaways, um, that you want businesses and attorneys to know?

Yeah. I mean, this stuff is complicated. Um, and if you’re trying to build a program in particular, a lot more lead time is needed than you think, right? It might sound like, okay, we’re gonna get some notices and put it all together like that. And really the operational [00:34:00] aspects get really messy, and you just need to think about how much time do you really need and what’s feasible, what’s achievable while people are doing other things for their day job.

And there’s a lot of options to implement. I mean, there really isn’t a one-size-fits-all. Now, I have plenty of clients that say, just give me a basic program. And for them, yeah, something’s better than nothing; we can probably make it, you know, pretty turnkey. But if you really want a program to work and to scale, particularly for a large organization, you really have to take the time to think about how you’re going to implement.

Um, remember that most of the exemptions are construed pretty narrowly, right? So, um, for example, the CCPA itself has a section at the end, and granted it’s about insurance, but the same would apply to other exemptions, and it says general website visitor data is not exempt, right? It’s not subject to CalFIP or the insurance laws that have an exemption.

So you need to think about, really, right, how broad or [00:35:00] narrow is the exemption. Part of that is the devil’s really in the details. And the last thing I’ll suggest is you have to test before launching it. A lot of folks, again, bringing it back to cookies again, will have this solution, and they just launch it, and I go check it, and it just doesn’t work.

So make sure that all your processes work, you know, whether it’s secret shopping or other sorts of testing. Otherwise, you’re going to kind of find yourself not only with compliance problems, but also unfair, deceptive representations and acts problems. Absolutely. Yeah. Testing is a pain, but it’s definitely worthwhile, um, absolutely.

So, last question for you, Elliot: um, where can businesses reach you if they want to retain you for your services? Oh yeah, sure. I mean, if you just Google me, you’ll find me online, but email is probably the best way, um, which is, uh, egolding at MWE. So E-G-O-L-D-I-N-G [00:36:00] at MWE.com. Um, but yeah, just feel free to reach out.

There, LinkedIn, whatever. Um, I’m a workaholic, so you’ll probably get a message back from me pretty quickly. Awesome. Good. Um, well, Elliot, thank you so much for taking the time to speak with me today about harmonizing these laws. Um, and to our listeners, please make sure to subscribe to our podcast so that you don’t miss our next episode.
