In an era where data is the new currency and high-growth companies have to keep up with new advancements in AI, General Counsels now find themselves at the forefront navigating evolving privacy laws and compliance requirements.

As the boundaries between the legal and tech worlds continue to blur, GCs working within the tech space face unique challenges that demand a deep understanding of current privacy issues and what changes may be on the horizon.

In this blog post, Andrew Woods, GC at PubMatic, Brian Mannion, CLO at Aware, Brent Tuttle, Associate at Fenwick, Mudasar Khan, Associate at Fenwick, Samantha Ong, Associate at Fenwick, and Michael Sussmann, Partner at Fenwick share strategies for today’s GC on how to move their business forward while navigating the changing privacy landscape. 

Review Current Internal Procedures and Data Safeguards

It’s crucial for GCs to continually review internal data policies to ensure legal compliance, assess risk, and foster a culture of trust within the team and with customers. Earlier this year, the California Privacy Protection Agency issued its initial draft regulations, which subsequently received approval. GCs need to pay close attention to the wording and review their current systems to ensure they won’t land in legal trouble in the future.

“Think hard about what consents you’re gathering and how. Recognize the inherent risk associated with the “reasonable” and “consistent” language in the CCPA. Always provide fairly detailed guidance on contracting requirements for service providers, contractors, and third parties, so review all data processing agreements to verify that they meet the requirements. Remember to review when you’re providing an opt-out. Adjust your privacy notices and opt-out mechanisms.” –  Andrew Woods, GC at PubMatic

“Regulations are supposed to add color or clarity to a law, not change or increase a burden. It is important you read the regs but always sync them back to the statute. Additional guidance will be identified based on how the regulators will enforce the law and the regs. Will enforcement actions add an additional layer to our obligations? There are several regulatory schemes today (anti-money laundering, securities laws, pharma, etc.) and we can only hope that CA follows the traditional pattern and does not use enforcement actions or regulations to go where the law did not.

Dark Patterns are not new. They’re just a more “sexy” description for bait and switch. Basically, your website should not be designed to hide your intentions or manipulate the customer into collecting data that is used for some other purpose.” –  Brian Mannion, CLO at Aware

“The CCPA covers personal information about all California residents, not just “consumers,” so legal teams will need to ensure their CCPA compliance program covers all California residents including employees, job applicants, and business partners.

The CCPA also requires businesses to satisfy a number of notice requirements and respond to individual rights requests. Legal teams should ensure these notices and processes for responding to individual rights requests meet CCPA requirements.

Finally, the CCPA contains an express obligation that requires businesses to “implement reasonable security measures and practices.” Importantly, there is a private right of action under the CCPA that allows plaintiffs to recover statutory damages in connection with certain data breaches that resulted from the business’s failure to implement these reasonable measures.

Legal teams will need to work with their information security counterparts to ensure that all personal information is protected by reasonable security measures and practices. Likewise, they also will need to ensure that their contracts with vendors reflect these security requirements and provide appropriate coverage in the event of a data breach.” – Brent Tuttle, Associate at Fenwick

Stay Informed of Industry Changes, Even Those That Seem Far Off

Change is a given in the tech industry, and as a GC, you need to stay abreast of upcoming developments, even those that don’t seem like they’d have a major impact on how you run your business or collect data. Join networking groups, meet with peers, and read up on developments well before they happen so that your team is prepared.

“As relevant to their operations and processing of data, GCs should consider tracking recent privacy and security legal developments. In particular, there are three core developments most GCs will want to stay apprised of.

First, GCs will want to track regulatory developments that are forming in response to the increasing use of AI and machine learning technologies. In Europe, the recently adopted EU AI Act imposes additional scrutiny on companies engaged in the processing of sensitive personal data (e.g., data regarding health, biometrics, race, and ethnic origin) through the use of AI systems. The EU AI Act also enables European regulators to review and test certain innovative AI systems for compliance with the requirements of the Act before their commercial release. In the United States, the FTC has required algorithmic destruction (the deletion of entire algorithmic systems) where companies have used particularly sensitive data collected through AI systems without first obtaining required consent to do so.

Second, GCs should also stay apprised of the legal mechanisms available for onward transfers of personal data from Europe to the United States. Following negotiations with the Biden Administration, the European Commission recently issued a long-awaited adequacy decision finding that the United States ensures an adequate level of protection of personal data – comparable to that of the European Union. While the decision may simplify future cross-border transfers of personal data from the EU to the United States under the EU General Data Protection Regulation, it remains to be seen whether the decision will survive anticipated legal challenges in European courts.

Finally, GCs should assess the applicability of, and compliance with, state privacy laws in the United States. To date, ten states (CA, CO, CT, FL, VA, IN, IA, MT, TN, UT) have adopted consumer data privacy laws, and other state legislatures are considering similar legislation. While these state laws are similar in many respects, they also have differing applicability criteria and controller/processor obligations that GCs will need to evaluate.” – Mudasar Khan, Associate at Fenwick

Work Closely With Product Teams And Shift Your Mindset To Serve As A Product Counsel 

General Counsels today should have input across all areas of the organization, and it’s even more important that GCs work with product and sales teams to ensure that features or integrations are compliant from day one. Working closely with leaders will enable you to provide crucial insight during the planning phase of any new developments or agreements. 

“GCs should help their business shift from considering data as a liability to considering it an asset. Like any asset, data needs to be inventoried and managed appropriately if the business wants to maximize its value. As GC, you can work with internal teams to prepare and maintain a live tracker of the types of data the business collects, and work with product teams to evaluate the benefits and risks of contemplated data use at every step of the product development process.

Additionally, GCs can work with commercial teams to structure contracts in a way that minimizes compliance obligations while giving the business flexibility around data use. Simple things, like having standard data processing agreements and information security exhibits, can go a long way in expediting contract negotiations.” – Samantha Ong, Associate at Fenwick

You’ll Make Mistakes, so Have Backup Plans

Data breaches and security incidents can have significant implications under privacy regulations, so you need to have backup plans (both within your organization and with any vendors you work with) to ensure that your company’s success isn’t derailed by a legal oversight or non-compliance.

“Preparedness is the key to reducing legal risk and enhancing effective and efficient responses to network security incidents that are consistent with federal and state obligations. The two cornerstones in corporate cybersecurity are not new, but they remain vital for GCs in light of CCPA and other recent or upcoming legislative updates.

First, every company needs an incident response plan that is comprehensive, practical, and usable; well understood and practiced by all who could need to rely on it; and routinely reviewed and updated.

Second, every company needs to understand what third-party personal data it collects, how it uses and stores that data, and with whom it shares that data. Once that information is understood and documented, those practices must be compared with any related statements in the company privacy policy, terms of service, contracts, and other communications. Finally, those practices must be held up to longstanding and recent privacy laws to ensure legal compliance and the use of best practices.” – Michael Sussmann, Partner at Fenwick

Do you want access to the best resources and network for confronting today’s privacy challenges? Apply for membership at TechGC today.