In this episode of DigitalNOW, Matt is joined by Sarah Davis, Logic20/20’s Data Privacy Expert. They discuss how data privacy is affecting companies and impacting your personal life. They’ll also look at what’s on the horizon for data privacy that we should keep an eye out for. You won’t want to miss her final takeaway at the end. It will have you asking yourself, does my company pass the creepy test?

Transcript

Matt Trouville: You’re listening to DigitalNOW, an original business and technology podcast by Logic20/20. I’m your host, Matt Trouville. Each episode, I’ll be interviewing a new expert to learn more about industry trends, fascinating new tech, shifting customer expectations and the steps every business can take to stay ahead.

Hey everyone and welcome to the podcast. Today I have a very special guest with me, Sarah Davis, who is a data privacy manager at Logic20/20. She’s experienced data privacy regulations and privacy assessments, team management, and all things business process improvement. Sarah, welcome. Thanks for joining us.

Sarah Davis: Thanks for having me.

MT: And actually something that just came to light is it’s your birthday today.

SD: That it is, yep.

MT: Happy birthday! Now, when people are hearing this, it’s not gonna be your birthday. But today at the recording, it’s your birthday, so really appreciate it. And I hope you have a very wonderful day.

SD: Thank you.

MT: No worries. OK. So, we are talking about all things data privacy today, right? So, I’d like to start the podcast off today, talking about the impact data privacy plays on companies and sort of why is data privacy important to companies for all those listening out there. Can you take us down that road?

SD: Yes, of course. So, data privacy has really come to the forefront of the news, with GDPR, CPA, all these regulations coming out that impose these large fines. But it’s actually not the fines – or not just the fines – that I think are really important for a company to be aware of, but also the impact to a company’s reputation. So, if there is a data breach, what does that impact to the company? You know, I’ve seen a lot of people moving away from Google and Facebook and all these companies that maybe they don’t trust as much anymore because of data privacy incidents.

MT: Right. So yeah, once you lose that customer trust, right, it’s really hard to get that back. So, it’s not just the financial impacts, it’s losing people for life essentially.

SD: Exactly. We like to use the term readiness. You’re ready for GDPR. Yeah, but you’re right. It’s not that single moment in time.

MT: And just for those for those who may not know those acronyms… GDPR, CPA. Can you explain what they are?

SD: Yeah. So GDPR is the European General Data Protection Regulation, and that went into effect in 2018. And the CCPA is the California Consumer Privacy Act. So those are kind of two of the big names that you hear a lot, but there are… Virginia has a new regulation, Colorado, and the UK now after Brexit has its own GDPR.

GDPR kind of became the standard that most countries have started following.

MT: Right. OK, cool. I want to come back to that in a little bit. Some of those, some of those regulations. But I want to continue down the impact on companies. So what are some of the current events that are affecting data privacy? Things, trends… force these regulations to come about, right? So, what are the most recent things you’re hearing?

SD: One of the big things that just came out in beginning of October is the new executive order within the U.S., which was the U.S.’s response to the shrimps decision to invalidate the Privacy Shield? So let me explain that a little.

With the EU Regulation, GDPR, there were some standards put into place about transferring data from an EU country outside to another country, for example to the US. So, a company that it may be within their normal day-to-day, they’re actually collecting data in the EU, but they’re storing it in the US… That’s actually a data transfer across country lines.

So GDPR put in certain standards for that and then the shrimps decision came about after GDPR was enacted, saying actually this Privacy Shield, which were those standards, is not valid. We don’t think these are meeting the standards that GDPR put into place. And so, this new executive order is the U.S. saying, OK, here’s what we’ve put in place internally in the U.S., so that the EU is comfortable with sharing data to the US.

So the EU / US Data privacy framework, which was just announced in October, there will be more information coming up out about how this will be implemented and how companies similar to the Privacy Shield will be able to self-certify themselves. More information to come on that, but that’s one of the biggest things that’s come out in the last year in regards to data transfers.

MT: OK.

SD: And then the next big news in the data privacy world is about the CA, the California, age appropriate design code. So, some people may be familiar with the UK age appropriate design code and the California one really follows that same model as the UK.

This code is really asking companies, or requiring companies, to make those terms of use that we just click, yes, OK, and maybe we read, but they’re very dense. You’re accepting, you know, all these different terms. Making those really understandable for different ages.

So, if a company is targeting a game for a specific age group, maybe 10-12, they are really making those terms of use and anything related to consent or data privacy understandable for a person of that 10-12 age. So maybe it’s a video, maybe it’s more simple language. Again, it’s something the UK has already implemented, but now California is coming out with its own.

MT: Well, that’s great to see, because you’ve got to make sure the kids are protected, right? So, I’m glad to see that coming over here to the U.S. as well.

OK. So, on that, let’s talk about the consumer side, right? And the impact to the consumer. What are the data privacy impacts to the individuals themselves?

SD: Since GDPR, it’s really been the shift in mindset where companies used to be the owner of data. So, you use an e-mail service or some social media and they’re just taking all the data and using it however they like. And since GDPR, there’s been this switch where companies are now actually just borrowing the data. I don’t expect them to be doing anything as a consumer, I would expect a company to only be doing using my data exactly how they’ve told me they’re using it.

You may see things like… I’m sure everyone’s seeing these cookie banners popping up. I mean that that’s been over the past couple of years, every single site you’re going to, you’re seeing that.

You’ve probably heard of data subject rights. So, you can go on and… let’s say you no longer want to use a specific social media. You can go on and not only just delete your account or close your account, but you can actually request that they delete all your data.

MT: Hmmm.

SD: And then the last thing is really around consent. We see a lot of these maybe when you’re checking out on a store online and or you’re creating a new account and you’re consenting to their terms of use, you’re checking that box. I think you’ll see it both ways, but I think we used to see it more with the check box was already checked. And now we’re seeing it more with a checkbox that isn’t checked yet and so that’s more of that affirmative, “Yes, I’m consenting.” Not more of a passive consent.

MT: Is an example of that too, when I open up my iPhone and I look at something. It’ll say on a particular app or website or something, “Ask this app not to track my data”. Is that in response to this? Does it align with what you’re saying?

SD: Exactly. Yeah. And that’s a great segue into kind of one of the biggest things in the news that just came out is this Google location data settlement.

MT: Yeah, I heard about this.

SD: So, Google was tracking locations even after a consumer had turned off that feature. There was just a settlement for $391.5 million with 40 different states that Google just settled saying, “Yes, we did this and X, Y, and Z is what we’re doing to fix it and have fixed already”. One of the biggest settlements within data privacy and that just came out, that news, a few days ago.

MT: Yeah. They just said OK, here’s a lot of money. We’re sorry.

SD: Exactly.

MT: And I’m sure events like that shape these regulations, right? They all go into consideration for these bigger, bigger regulations as they come in. Which, actually, leads me to a question.

What what’s on the horizon like when it comes to regulations? Is there anything that that you’re seeing out there that’s going to be important to the world?

SD: Yeah, I think the one big thing we’re really seeing is around AI and responsible AI. So, we’ve seen the EU, which seems to kind of be who starts and kicks off all these regulations.

MT: Yeah, they set the standard right. They’re really on it.

SD: Yeah. So, the EU AI act broadly governs the use of AI systems, but it does follow this risk based approach which many countries have sort of following. So, we’ve seen regulations in the UK, Canada, China.

And then in the US, we’ve we have the Algorithmic Accountability Act. This was just introduced, or reintroduced, and it would require all companies who use AI to conduct critical impact assessments and then self-report to the Federal Trade Commission.

MT: Sorry, that’s really interesting. Can you explain how that might work like in real time?

SD: A critical impact assessment, without going into too many details… And there really aren’t too many specifics on what that would mean, but if you are implementing a new AI system, you would have to provide a certain read out.

So, there’s a X number of questions around what is the AI system doing? And within data privacy it’s actually looking at the fairness of it, the transparency of it. Does the consumer know it’s an AI system? And looking at the risks of that AI process.

Then whatever the findings from that assessment would be, they would have to then send that over to the Federal Trade Commission. How that’s all packaged and how that all looks isn’t fully fleshed out yet. But that’s kind of a high level what that could look like.

MT: OK, awesome. Thanks.

SD: And then kind of the second part within the US that was just announced in October is the Advancing American AI Act. With that was released these AI Bill of Rights, and that’s five different principles that should design, or guide the design and use, of AI systems to make sure the American public is safe in this kind of new world where all these companies from small to large are using AI.

We could dive into those, but yeah it’s kind of around as I mentioned before, like data privacy notice, alerting customers that this is being used, as well as fairness. Making sure that the algorithms are fair to all persons.

MT: Interesting. In the data privacy world, and you’ve got through a lot today, they love acronyms. Am I right to assume that that’s going to be AAAA?

SD: I think so.

MT: Wow, that’s gonna be tough to say all the time in meetings. But anyway, let’s hope they make something different there or change one of the words.

OK, so how should companies prepare for all this? You know, you said what’s on the horizon. Are this things they can do now to make sure that they’re going to be in the right place or be in a state where they can implement a readiness plan, for example?

SD: Yeah. So, specifically around, I think the AI regulations, it’s really comes down to four things: Transparency, fairness, accountability and engagement. I sound like a broken record, but letting consumers know that there is an AI behind the scenes, or this is an AI process.

Fairness – Companies who are using these AI processes need to do fairness testing, making sure that these systems are treating all people fairly.

Accountability – Really setting clear principles internally, getting the C-Suite buy in, and understanding all components of your AI systems. And then finally…

Engagement – Actually engaging in these regulatory and legislative processes and helping shape what’s coming, even around like guidelines and standards as well.

MT: Awesome. Well Sarah, this has been really fun.

SD: It has.

MT: You delivered all this really great information, but also you’ve had to tackle all these acronyms on your birthday of all days, right? So, I really appreciate you joining us and going through anything and everything.

Just the last thing I always ask is, is there something that you would leave the audience with that might be their takeaway from today?

SD: I think something I heard recently was the “creepy test”. If you are designing something new or a new product or a new process or something, and you want to collect certain data. If you’re sitting there and you’re thinking, well, that that would be creepy if they collected that from me or if they had that knowledge or that data for me… That should be a trigger for you to think, maybe we shouldn’t collect that or maybe we don’t need to collect that.

MT: That is awesome. And I can’t wait to hear the “Creepy Act of 2023” or whatever when that regulation comes in. That would be fantastic.

OK. Thank you so much. This is really important information for both companies and individuals. So I really appreciate it and we will see you next time (if you’ll come back).

SD: Thanks. I would love to. Thank you, Matt.

MT: OK, appreciate it. Bye.

SD: Bye.

MT: You’ve been listening to Logic20/20’s podcast DigitalNOW. To learn more, visit our website at www.logic2020.com or follow us on social media. See you next time!

DigitalNOW is an original business and technology podcast by Logic20/20 that is released on a monthly basis. In each episode, host Matt Trouville interviews a new expert to learn about industry trends, fascinating new tech, shifting customer expectations, and the steps every business can take to stay ahead. Check back here for future episodes, OR you can find us on all major podcast sites, including Spotify, Apple Music, Pandora, and more.