Listen to the full episode by clicking here.
Introduction: Welcome to the BBB national programs podcast, the Bistro, where we will discuss today’s hottest consumer trends, predict the future with consumer experts, and learn how elite businesses and entrepreneurs continue to push the envelope to meet and shape the consumers’ needs in the marketplace.
Elaine: Hello, and welcome to the Bistro podcast. I’m your host Elaine Espinola. Today we’re going to talk about privacy. Joining us in the studio is Cobun Zweifel-Keegan from BBB EU privacy shield and Jon Brescia from the Digital Advertising Accountability Program. Both programs are part of the BBB national programs. Now, we’ve talked privacy before, but we wanted to take a more expansive look at the topic, especially in regards to the EU and the US and their differing approaches on the subject. So why the EU? Well, in 2018, GDPR came into effect. Let’s get started. John, Cobun – thank you so much for being here.
Cobun: Thank you for having us.
Elaine: Yeah! This is going to be a great discussion. Cobun, can you start off for those who aren’t familiar — What is GDPR?
Cobun: Well GDPR, the General Data Protection Regulation, like you said, came into effect last year. It’s a regulation, so it differs in the EU from a directive, which is what it replaced. It has binding authority over all of the member states, and it is their sort of privacy rules that protect personal information of people in the EU that companies and governments collect and use about them.
Cobun: So it provides a bunch of rules for the types of rights and responsibilities that consumers have in the EU and that businesses have that are doing business there. It is based — it’s a little bit different than the US and that it’s based on the fundamental rights of EU citizens. There’s an idea in Europe that privacy is a fundamental right. And because of that, the GDPR sort of expands on that right by providing EU consumers with redress options with the ability to bring complaints through their local regulatory agencies and the ability to actually ask businesses for copies of their personal information to delete personal information, stuff like that.
Elaine: Got it. So, essentially this gives consumers more power when it comes to their privacy.
Cobun: Yes, definitely.
Elaine: And then you mentioned it’s different than a directive. So this is law now across the EU?
Cobun: Yeah, exactly. It’s different from the directive, which was in place since like 1995 in that the directive has to be implemented by each member state, so what happens is you get a little bit more like a patchwork. It ends up being slightly different in each member state. But a regulation has binding authority immediately.
Elaine: Got it, so all things equal.
Elaine: Got it. And so, Cobun, your work also involves something called Privacy Shield, another European thing, am I correct? And how does this tie into GDPR, if at all?
Cobun: Yeah, it definitely ties into GDPR. So Privacy Shield is the bilateral agreement between the US and the EU that allows for the transfer of personal information from the EU to the US. So it’s only one mechanism. There’s a few different ways that you have to legally transfer personal information to the US, but because the US doesn’t have the same protections as the EU, one of the rules in GDPR is that you can only transfer personal information to a country that has adequate, what are deemed to be adequate data protection rules.
Cobun: And when I say data protection, it’s basically synonymous with privacy. People in the field might — Europeans in the field might kill me for saying that, but from a US perspective data protection is synonymous with what we think of as privacy, especially from a company perspective of protecting people’s information — making sure that only the right people have control of it. So my work in privacy shield is that BBB runs an IRM, an independent recourse mechanism.
Elaine: Got it. I mean you mentioned we don’t have this similar regulation or law here in the US and Jon, I know you usually work with the US facing market. How do GDPR and Privacy Shield compare to privacy laws here in the United States?
Jon: Sure, so Elaine, thanks for having me again. Good to be back.
Elaine: It’s great having you back! You’re a wealth of knowledge. Thank you.
Jon: Well, don’t oversell it.
Jon: So when it comes to the differences between the EU and the US, the place to start is just sort of fundamentally how those structures view privacy. So in the EU, privacy is considered a fundamental human right, and that differs from the US approach over the past fifty, sixty years, which has been to view privacy fundamentally in terms of regulation as a commercial activity. So privacy is what is your right as a consumer in a given commercial context.
Jon: So we’ve had as a result, instead of general sweeping laws that encompass everything, a number of sectoral laws, as they’re called, that govern different sectors of the economy. And so you’ve got something that everybody’s probably familiar with – HIPAA. The point with HIPAA is that it is not meant primarily as a privacy rule to govern medical data. It’s actually extremely narrow about entities that are doing third party insurance billing.
Jon: Ya know, these entities, when somebody is using a doctor’s office, for example, is to get a diagnosis for a medical issue. You’ve got all these narrow little paths that you’ve got to trace to trigger this HIPAA rule that then governs what you can do with that information, but at the same time, you go to some sort of fitness tracker, let’s say. Put one of those on your arm. Got an app, you’re tracking your runs, your walks. That’s not HIPAA covered data in virtually any context unless there’s some sort of special medical nexus in your case, but the consumer use of it — not covered.
Jon: And so these are much narrower laws that we have here — and — with one, I think the force of GDPR and also Brazil’s data protection law, and there’s a trend sort of moving around the world toward more general data protection rules. That pressure is being applied bit by bit to the United States. And we’ve seen it start to change in two ways. The first way is the state of California (and there are other state efforts that we could talk about), but California’s the most robust because it actually exists. There are others Nevada and such, but California is the big one and then federal law. So start with California, this will be a two-second summary.
Jon: California had a ballot initiative on the ballot in 2018, then through some last-minute bargaining, became an actual bill that was passed into law by the state legislature, signed into law, and now has some draft regs out from the Attorney General of that state. And it is based in a more human rights notion of this. It’s still very economical in its particulars, but it at least claims to draw from the California constitution’s human rights essentially that you have as a resident of California, one of which is the right to privacy.
Jon: On the federal side, there’s musings about whether California’s not enough or too much and debates about whether we want to preempt a patchwork of state laws that might be difficult to comply with. Altogether that might be somewhat contradictory, and that’s all very speculative right now, and there is no federal law that’s really up for debate at this point. There are a billion proposals, and not one of them seems to have full traction at this point, given the state of Congress, good luck with that right, right now.
Elaine: Right. Right. Now, I think you shared a little bit about how the perspectives between the EU and the US are different. One question we have here is can one country mandate another country to comply? How’re the networks architected?
Jon: So that’s really difficult. Um, you have a number of overlapping things when it comes to data flows moving around the world. So you’ve got questions of who’s the user and where are they located? Where the company’s located? What jurisdictions are they in? Do they have vendors? Where does the information transit through? Where does it get stored? And so it sort of depends on the specific fact pattern really at issue, but it could be that you end up with multiple countries involved.
Jon: You know this is somewhat unrelated, I think, to our day-to-day here, but you think back to the Cloud Act from I guess a couple of years ago. This was an issue where Microsoft is being asked by law enforcement, and this is a noncommercial situation, but being asked to provide information that resided in a different country. And they said well [00:10:29 – 00:15:18] you can’t request that because it doesn’t exist here. You don’t have the power to compel us in this jurisdiction to do some search over there because the search is happening overseas, and that would violate X Y and Z rules.
Jon: And this went up to the Supreme Court, and it got muted. The Supreme Court never got to decide it because Congress said okay we’ll smooth all of this out. They rapidly passed some legislation sort of setting out the rules by which and the procedures by which countries, in this case, the US and Ireland can deal with this sort of data search/data-sharing arrangement for law enforcement purposes and things of mutual legal assistance treaties sort of also touch on this. So it’s really complicated. It can involve multiple nation-state actors, ya know, giant corporations – all over the data perhaps of a single person that’s residing in a server somewhere. And so it’s quite complex.
Cobun: Yeah and that’s not really anything that’s new in terms of, I mean, we’ve always had global trade for a long time, lots of these kinds of issues of laws running up against each other and countries having to figure this out. But nowadays I think we’re seeing so many companies that are operating in a lot of different countries. And that does create these interesting kinds of flex questions I think even for smaller companies that maybe are just doing business in, like for example, in the EU and the US you have um, they’re still transferring that data between those jurisdictions. And so yeah, the compliance burden becomes a little bit more, a little bit higher for those companies trying to navigate those waters.
Elaine: Sure, and I understand the enforcement and the penalties are pretty stiff. Maximum, I think, twenty million-euros, something like that, I don’t know if that’s correct, but you touch on this a little bit, but how are the companies, in general, responding to GDPR?
Cobun: When companies are trying to comply with GDPR and align their practices with it, especially US companies we’re talking about here is more my expertise, I don’t have as many connections with people in the EU who are trying to do this, European companies complying, but the main requirement under GDPR like I mentioned, is to provide those rights to consumers.
Cobun: So that involves a number of things, both providing sort of a mechanism for consumers to assert those rights. So you have to be able to have a place where consumers can go to say, “I want to delete my information,” and “What are the instructions for me to reach out to you when I want to assert my rights?” And then sort of more fundamentally, you have to have all of the operational things and the background to be able actually to give those people what they were asking for.
Cobun: So you have to figure out in your systems where is personal information stored. And this sort of goes back to privacy best practices that have been around for a really long time, well before the GDPR and even before the directive, there’s been sort of establishment over the past. Since the 1960’s, of a set of practices and procedures that are considered to be industry standard (with regard to personal information) and that includes sort of knowing where you have the information, and this is what privacy is about and what systems internally do you store personal information in? And who has access to it? And then who are you sharing it with? What is your deletion protocol? Stuff like that. That’s sort of data mapping that has to take place. That’s one of the biggest asks of companies that haven’t already implemented some of those best practices.
Elaine: Got it, okay. You mentioned the individuals and the consumers. Let’s get a quick discussion about those individuals in the EU. How are they responding to these new legal rights, and then, Jon, if you could follow up and tell us how does this differ with consumers and their concerns in the United States?
Cobun: So yeah, individuals in the EU are becoming more and more aware of these rights because the GDPR has come into effect. I think we’ve seen a surge in the number of people bringing complaints, asking to assert their rights. I think Google has the best statistics on this when they talk about right-to-be-forgotten requests, which are essentially take down requests. They’ve seen a massive surge, it continues to go up and up, and they’re dealing with thousands of those a day.
Cobun: Yeah, so EU [00:15:18 – 00:20:01] consumers are becoming more aware and asserting their rights both under GDPR and under Privacy Shield with some US businesses under Privacy Shield. And that’s actually what my program does is handle those complaints. If the company didn’t respond to the consumer adequately, they can come to the IRM program and ask for the IRM to step in, and we perform a dispute resolution process to make sure to make everyone happy.
Elaine: Sure, sure. Jon, how does this differ with consumer concerns in the US?
Jon: Sure, so I’ll just say from a programmatic standpoint, the program that I operate, the Digital Advertising Accountability Program, we do take consumer complaints. So we’ve got a pretty decent sense, I guess, of popular sentiment in a lot of ways. Our process is sort of less formal than the one in Privacy Shield, but it actually gets a tremendous number of complaints every year, we have since we started the program, in the thousands each year. And we, by the way, respond by hand to everybody who gives us contact information to respond back.
Jon: So if you’ve got a problem, you can find our complaint forum online and get in touch with us. But what we’ve seen over the years is a growth in the sophistication of the complaints. By and large, when I started doing these say six years ago, or so, people had a lot of general complaints about the Internet, a lot of general complaints about advertising. Those persist.
Jon: But there’s been a small number that’s grown over the years of people who have really pinpoint questions. “I wanted to opt-out of this particular company’s interest-based advertising practices,” like we talked about in the last episode, and they try, and it doesn’t seem to work. And then they provide us with their list of seven troubleshooting steps that they took and said, “but why doesn’t it still work?” And there’s almost always a good answer buried in the browser settings or in their routers, for example. They could be in a corporate network. That’s one of the more common ones. Where whenever everything else seems exhausted, turns out your corporate firewall doesn’t like this traffic and is shutting it down. So…
Elaine: Got it. So it sounds like consumers are becoming a little bit more savvyer when it comes to privacy in the United States.
Elaine: Got it. I was going to ask you about CCPA, but you talked about it a little bit earlier, and I’m going to say that whether the US follows suit with federal law on consumer privacy similar to GDPR – that is left to be seen in the future. Right?
Elaine: So we’ll have to follow up. We’ll have to follow up with you, Jon, on that down the road here. As we wrap up here with all of this swirling around, what’s a business to do? You know what should they be aiming at? And then, you did share what your, what the BBB NP does to aid efforts around privacy and data collection. We’ll ask you for your websites again, but just real quick, what’s a business to do?
Jon: So, I mean, I guess the first step is call your lawyer now.
Jon: So honestly, taking stock in what you’re doing right now is the most important first step. Seeing what data you collect, what you hold, how you use it, making sure you’ve got reasons for all of these things. Then starting to set up policies and procedures to govern all of those things in compliance with whatever regime it is that you’re trying to comply with, whether it’s a very high bar, best practices sort of standard beyond even the law or whether it’s specific things. GDPR/CCPA.
Elaine: Got it. Cobun – anything to add there?
Cobun: Yeah, I totally second everything that he said. I think, yeah, it really is a function of embracing those best practices and making it part of the day-to-day, which it’s not something that’s necessarily easy to implement. One good thing about things like GDPR and CCPA is it gives some pressure, if you’re within the organization trying to get people to embrace these best practices and incorporate it into business processes, it’s easier to sell it to the C-Suite now if there’s big possible fines on the horizon for the people that don’t comply.
Elaine: Absolutely. Yeah, well here at The Bistro, we are all about discussing better business. So I’m going to third everything you both said, and I want to thank you both so much for joining us today in helping us just dive through this conversation. Jon, Cobun — where can our listeners find more information like what we discussed here today?
Cobun: On BBBNP.org. is where both of our programs’ information is. You can find everything from there.
Jon: Can you?
Cobun: I think so. (Everyone laughs)
Elaine: Check it out. Check it out. Look it up. Let us know what you think. Thank you again, both, so much for being here. [00:20:01 – 00:21:10]
Jon & Cobun: Thank you.
Elaine: Sure! I’m Elaine Espinola, host of the Bistro podcast. We thank you for listening. And hey, if you haven’t already subscribed to the Bistro on iTunes, go ahead and rate and review us. Let us know what you think. And please share our episodes to help inform and inspire others. Until next time, it has been my pleasure discussing better business and privacy with you.
Outro: You just enjoyed The Bistro podcast. Be sure to tune in next time for a brand new episode. To learn more about our other shows, visit betterbusiness.blubrry.com. That’s better business dot b-l-u-b-r-r-y dot com. Follow us on Twitter at BBB_NTL Programs. Send your comments and ideas to email@example.com.
Legal Disclaimer: You just enjoyed the Bistro podcast. Be sure to tune in next time for a brand new episode. To learn more about our other shows, visit betterbusiness.blubrry.com. That’s betterbusiness.blubrry.com. Follow us on Twitter, @BBB_NTLprograms. Send your comments and ideas to podcast@BBBNP.org. The thoughts and opinions expressed on this podcast are the views and opinions of the guests. Not those of the BBB national programs or it’s affiliates. This podcast is for information and educational purposes only and is copyrighted with all rights reserved. This podcast is protected by Blubrry’s terms of service.