It’s that time of year again — P.S.R. is upon us. If you’ve never been, P.S.R. is one of IAPP’s premiere US-focused conferences on privacy. As someone who went last year, I highly recommend it as somewhere to learn, grow your career, and meet amazing privacy professionals. Plus, DataGrail will be there with lots of fun in store! 

In this edition: 

• A fresh perspective on the ADPPA 
• The Privacy & Ecommerce Report – just-released privacy research
• What's cooking with DataGrail's Inaugural Dinner Series

–DeAndrea Salvador

DG PERSPECTIVE

Stuck in the middle

It is only a matter of time before a federal privacy bill becomes law. But when?

🤔 Some have their doubts

The American Data Privacy and Protection Act (ADPPA) is the closest a bipartisan, bicameral proposal has come to a floor vote. Yet, the prospects of a vote happening is sinking faster than Bobba Fett into the Sarlacc Pit.

Earlier this month House Speaker Nancy Pelosi (D-CA) joined a California delegation that includes Governor Newsom and the new Privacy Protection Agency to oppose the federal bill. The blocker? Unsurprisingly, preemption.

✋ Thanks, but no thanks
While Pelosi applauded the House Energy and Commerce Committee for its efforts, she echoed concerns that overriding California's landmark Privacy Protection and Privacy Rights Acts (CPPA/CPRA) will hurt Californians. As a panel of experts recently discussed, the coalition's concerns have merit, but not necessarily because one law is stronger in the Privacy Force than the other. 

⚖️ Striking a balance

Congress is like the Jedi Council – it favors tradition and consensus, and is ponderous in its decisions. In contrast, State legislatures are like the Mandalorians – they have similarly strong principles, but are more agile and can adopt guerrilla tactics (i.e. California's ballot initiatives). For those opposed to a preemptive ADPPA, so-called 'ossification' is a major concern. A federal law that offers protections at first, but then stagnates from neglect while blocking state-driven reforms is a dubious sacrifice.

A US federal privacy law is caught in a duel of political fates. Striking the right balance between uniform protections and future relevance is no easy task. One thing is clear, renewed consensus on what's tenable will be critical... even if it takes another 2-3 years.

DATAGRAIL RESEARCH

Tell us how you really feel

DataGrail surveyed thousands of people across the globe to better understand their sentiment toward privacy online. Spoiler alert: generations with the most purchasing power want to buy from brands they trust. 

On that note, here are 5 tips for building brand trust with customers: 

1. Be transparent and reasonable. Ask for the data you need up-front and explicitly state why you need it.
2. Respect consumer preferences. Listen to your customers, and honor their requests.
3. Make it easy to opt-out of tracking. Check the user interface – is it fair, understandable, and easy?
4. Write a clear privacy policy. It should be clear and easy to read. 
5. Make it simple to exercise privacy rights. We estimate that upwards of 30 million people have exercised their CCPA or GDPR privacy rights. Make that process easy.

For more data and actionable insights on building brand trust, check out the Privacy and Ecommerce Report.

PRIVACY ROUNDTABLE

Welcome to the Trust

On September 22, DataGrail kicked off its inaugural dinner series in NYC. We welcomed leaders in the space for a lively discussion on all things privacy. Here's what was on the menu:

Antipasti: Data Transfers

The night started with a savory topic around the future of EU>US data transfers. Discussion participants wondered if a political solution would ever calm troubled transfer waters, and whether the path of least resistance would be to simply go with local alternative solutions. Some felt ripping out GA entirely would be too bitter a mouthful for marketing teams.

Primi: Sephora Settlement

Sephora was the special of the evening. We unspooled where the CA AG's interpretation of universal opt-out requirements departed from the CCPA statute, how this may influence a finalized set of CPRA Regulations, and whether these may clash with analogous requirements out of Colorado and Virginia. Irrespective of whether everyone agreed with the AG’s approach and philosophy, we agreed businesses now face a very real enforcement risk. And, that businesses want to feel confident their solutions could meet the mark across data channels and state lines.

All in all, the intimate space sparked open, and at times, spicy discussion. It was a great time and we cannot thank our guests enough for bringing their energy and experiences to the dinner table. Cheers to more 'Trust' dinners in the future! 🥂

RECOMMENDED READING

What is a Record of Processing Activities?

What is a RoPA? And what's it for? And do I even need it? Glad you asked – we're answering all your questions and more in this new blog post.

Lessons from the $1.2M Sephora Settlement

This article explores the lessons learned from two "significant privacy-breach matters." This is a thorough and interesting breakdown of why the Sephora news is significant and how others can avoid the same fate.

California's Kids Code Complicates Federal Privacy Bill Talks

California continues to lead the way when it comes to state privacy legislation. But could it all be put to bed as a federal bill advances?