Wiley Rein Spotlight Interview: Joan Stewart on State Privacy Laws and Compliance
Privacy in Focus®
Peter: Let’s say I’m a fast-growing web developer who has created an app that accesses personal data on a customer’s smartphone, and I am looking for privacy-related advice. How can you help me?
Joan: I help clients determine whether and how various privacy laws and regulations apply to their business, and then help them design and implement compliant privacy programs. I usually work with clients to create a data flow chart to ensure that both the client and I have a full understanding of what personal data they are collecting and how they are using and sharing that data. Once we have that in place, then I help the client create policies and programs – including privacy policies, terms of service, and internal procedures – to ensure they are complying with international, federal and state laws. In preparing for the implementation of the General Data Protection Regulation (GDPR) in the European Union, I was trained as a Certified Information Privacy Professional with a specific focus on European regulation (CIPP/E). As many of the emerging state laws are based on the concepts first adopted in the GDPR, this allows our clients to benefit from my additional training and experience in designing and implementing programs that comply with these more stringent requirements.
Peter: Have there been instances where you have advised clients to re-orient their entire data flow chart – or is your general approach to work with what the client’s systems have?
Joan: I always try to leverage the system the client has in place. However, sometimes the existing flow must be changed to comply with privacy requirements. When I encounter those situations, I strive to identify the least invasive changes that will result in compliance.
Peter: As you are tracking the legal landscape to help clients maintain compliance and best practices, what are the trickiest privacy-related issues going forward?
Joan: The rollout of competing state privacy rules is going to make privacy compliance in the U.S. very difficult. Companies are working to come into compliance with the California Consumer Privacy Act even though many of its requirements are still subject to amendment or clarification. At the same time, other states are proposing legislation that would impose more stringent or just different obligations on companies that do business in that state. The evolving patchwork of state laws makes it tricky for companies to create a uniform compliance system or update their current system, but there are steps they can take to try to account for these different state laws.
Peter: You’re a regular attendee of IAPP’s Global Privacy Summit and will be in attendance later this month. What are you looking forward to at that Summit?
Joan: I always look forward to the IAPP conferences – I know I am going to come away having learned new information or been challenged to think in new ways. During the upcoming DC conference, I am particularly looking forward to the sessions on the California Consumer Privacy Act, given that the CCPA’s final requirements are still in flux. I also enjoy the opportunity to meet and discuss developments with other privacy professionals. In fact, we’ll be hosting a networking reception at Wiley Rein on April 29, right before the Summit.
Peter: If you look into your crystal ball, what are the key issues in privacy that you think the government and industry will be grappling with going forward?
Joan: The key issue I am watching is the obligations imposed by new privacy regulations – such as opt-in rights, deletion, or access to data – and whether existing privacy structures can accommodate these demands. For each state that considers and passes legislation, the privacy compliance framework is becoming more complicated. We actually help clients track proposed state privacy laws and consider their advocacy options. But regardless of any one state law, to be nimble enough to be responsive to these evolving privacy standards, it is crucial that any company that is collecting and using personal data embrace a privacy-by-design structure and be deliberate about what personal data they are collecting and how that personal data is being used and shared.
© 2019 Wiley Rein LLP