I suspect I wasn’t the only person watching the recent (and ongoing) election returns who wondered: when are they going to talk about California Prop. 24, the California Privacy Rights Act (CPRA)? Perhaps it was because the outcome of this proposition—which was intended to strengthen California’s much celebrated but still fledgling California Consumer Privacy Act (CCPA)—was not in much doubt. Though it didn’t win by the margins polls predicted (ugh), it still won handily, with 56% approval two days after the election. Soon (starting in 2023, with a lookback to 2022), California and everyone who does business with California will have a tough new privacy standard to meet.
There’s a reason privacy pros watch these changes in the way privacy is regulated so intensely. After all, they have to translate these regulations into practice every day. And the last few years have made them dizzy, with a rash of regulatory changes, judicial decisions, and scandals that have sent people scrambling. Here are just a selected few from the last five years (presented in the simplest possible terms):
The General Data Protection Regulation (GDPR), adopted in 2016, enforced starting in 2018.
The California Consumer Privacy Act (CCPA), passed in 2018, enforced starting in 2020.
The California Privacy Rights Act (CPRA), a proposition approved by California voters in November 2020 which will supersede the CCPA by 2023.
Schrems I, a decision by the European Court of Justice in 2015 that invalidated the Safe Harbor Principles around cross-border data sharing (and led to the creation of the EU-US Privacy Shield in 2016).
Schrems II, a decision by the European Court of Justice in 2020 that invalidated the EU-US Privacy Shield.
The Facebook-Cambridge Analytica scandal, which became public in 2018 and revealed how improperly obtained Facebook data was used to influence multiple elections in the previous years.
And looming behind it all, like a gathering storm that rumbles with thunder but has yet to produce any rain, the possibility of federal privacy legislation in the United States.
Keeping up is tricky …
I’m not trying to say that keeping up with the details of shifting privacy laws and societal demands isn’t a big job. If you’re reading this, you likely know well how much work is involved in delineating shifting definitions of what constitutes “personal information” (let alone “sensitive personal information”), the nature and powers of enforcement agencies, and the requirements and timelines behind breach reporting. Hell, it’s these changes that have driven rapid increases in the number of privacy lawyers and International Association of Privacy Professionals (IAPP) membership. Privacy is complicated!
But when it comes to running your employee training program, I’d like to convince you that it doesn’t have to be that hard. You can build a privacy program that meets every one of the compliance requirements out there and doesn’t force you to constantly shift your program to meet changes. The trick is, you have to have the discipline and the focus to keep the core elements of your program focused on some basic principles. When it comes to training your employees, you’ve got to focus on the forest, not the trees.
But your privacy training doesn’t have to be
A great way to start thinking about simplifying your approach to privacy training is to ask yourself: what do you really want people to know and do related to personal information?
If your answer is: I want them to know the names and dates of every privacy regulation we must comply with; or I want them to define the nine types of personal information we must protect, and whether that information is sensitive or not; or I want them to know the reporting timelines for each breach notification clause … well, you’re in the wrong article.
I’d like to suggest your answer could be as simple as this:
I want everybody to know that protecting personal information creates a bond of trust between us, our customers, and our employees.
I want everybody to know what rights they have to control and access their own personal data—and in turn, how we apply those rights in the ways we interact with the data of others.
I want everybody to know and apply some really simple rules around what is personal information. At its very simplest this comes down to: if it’s about a person, it’s personal information (thanks to my friend Richard Purcell for that one). This one is a bit more complicated, because you have to help people see that our entanglement with technology means there are many more ways to identify us than ever before: location data, device IDs, cookies, etc.
And I want everybody to know that if they see something go awry with personal information, they should report it quickly and accurately.
Keep it simple
In the end, this comes down to you sharing a simple mental model about privacy and personal information and then making it really easy for people to apply that mental model in their day-to-day work.
While the direction I’m suggesting is simple, I know that the application is not. It takes real work to express a mental model clearly and simply, and more work still to embed that in an ongoing communication campaign that reaches into every facet of your culture. And it takes more work still to streamline the application of that mental model for daily work: to create simple rules for identifying personal information; to ensure that encryption and deletion are the default choice in the right situations; to instill a privacy-by-design process deeply into software development; etc.
When you have a clear and simple expression of your core privacy principles, you’ll be able to weather the shifting winds of privacy regulation with a few adjustments here and there because you’ll know that you’re heading in the right direction. So let the regulatory winds blow; you’ve got your north star.