Serious Privacy Podcast – CCPA: Aiming for a Moving Target

The 1st of July has come and gone – the date that marks the beginning of the enforcement of the California Consumer Privacy Act (CCPA).  Not all companies are ready for CCPA enforcement. And many companies are confused among the many moving parts – the law and potential amendments, the regulations, the ballot initiative, and enforcement.  

California’s Attorney General Becerra describes the CCPA is a “first-of-its-kind data privacy law in America.” In his press release he encourages every Californian to know their rights to internet privacy and every business to know its responsibilities. The website of every business covered by the law must now post a link on its homepage that says ‘Do Not Sell My Personal Information’. Click on it – Becerra recommends. Remember, it’s your data. You now get to control how it’s used or sold.” Listen in as Paul and K discuss the various aspects of the CCPA, from amendments to enforcement and class actions. This week’s episode can be found on our website or can be streamed below. 

Up Close and Personal: Paul’s Favourite Privacy Topic

Welcome to our 21st episode of Serious Privacy. There is no better way to celebrate 21 than to return to our basics and have a kitchen table conversation with our own Paul Breitbarth. This week, Paul will discuss his favorite privacy topic. We limited it to one topic – will he go for two topics? Does he have one overwhelming favorite issue in privacy?  With Paul’s background with the data protection authorities, he has more of a legal scholarly slant – so this should be a very interesting treasure hunt to find out what resonates most with him.

Paul’s favorite topic incorporates elements of politics, fundamental rights of individuals, legal discourse, and the international relationship among countries. In this episode, we cover counterterrorism and whistleblowers – bodycams and cell phones. All of these center into one overarching topic that is fascinating and controversial, but also necessary in modern life. Listen to this week’s episode on our website or stream the episode below.

TrustArc and BigID Deliver Automated Data Discovery and Privacy Program Management


TrustArc and BigID have announced a partnership to help organizations uncover, classify, understand, and protect personal and sensitive data for ongoing privacy compliance.

“Data is a company’s most vital asset. Maintaining data privacy reduces the risk businesses incur while simultaneously unlocking the business value of that data,” said Michael Lin, SVP product and engineering of TrustArc. “Our partnership with BigID combines its excellence in data discovery, an essential element of a strong privacy program, with a simplified, automated view of privacy compliance that only TrustArc can offer.”

The TrustArc/BigID partnership enables organizations to optimally define, build, and maintain flexible, responsive, and automated data privacy-management programs. As regulations and business requirements shift, privacy managers can leverage TrustArc’s Privacy Management Platform and knowledge to adjust their processes accordingly, modify operational frameworks, and automate fulfillment based on up-to-date accurate and comprehensive data intelligence.

Through the partnership, customers can also:

  • Take action on privacy insights generated from continuous analysis of all data platforms and types, including cloud software, files, big data, and traditional data stores;
  • Automate discovery, classification, and inventorying of personal and sensitive data based on how data is related to individuals across the enterprise;
  • Automate the management of consumer and data subject access requests (DSRs) at scale using data inventories;
  • Seamlessly populate the TrustArc Data Inventory Hub and update it based on new discovery findings.

“This partnership highlights TrustArc and BigID’s approach to bring clarity and intelligence to the complex data privacy regulatory environments,” said Nimrod Vax, co-founder and chief product officer of BigID. “With this partnership, we aim to ensure that customers can automate and manage privacy compliance for the long haul, beyond the initial manual controls many organizations have started with to address regulatory compliance.

Read more about this partnership here.

Webinar Recap – 2020 Global Privacy Survey: Emerging Trends, Benchmarking Research and Best Practices


As part of the Privacy Insight Series, TrustArc presented the webinar “2020 Global Privacy Survey: Emerging Trends, Benchmarking Research and Best Practices” earlier this week with speakers Gary Edwards, Co-Founder and President of Golfdale Consulting, and Paul Breitbarth, Director, EU Policy and Strategy at TrustArc. This blog post will give a brief summary of that webinar addressing the recent global privacy survey and its subsequent findings; you can listen to the entire webinar and download the slides here.

In May 2020, TrustArc conducted a comprehensive Global Privacy Benchmarks Survey of more than 1,500 senior executives, privacy office leaders, privacy team members, management, and full-time employees outside the privacy function. This week’s webinar focused on the various findings from the survey which covered topics, such as privacy initiatives, CCPA readiness, COVID-19 impact and privacy budgets. Gary pointed out that,  “this global survey provided great coverage, hearing from many different voices across the world, which provided a strong top to bottom view of emerging trends in the privacy space during the COVID-19 pandemic.” 

Looking at organizations’ top initiatives and the changes afoot in 2020, the results were consistent and clear. Adapting to new regulations, adjusting privacy and data protection policies, and training staff on how to get this work done are top priorities. While Paul was happy to see companies were prioritizing these undertakings, he was disappointed to see that only 55% of survey respondents chose “rights requests” as a top initiative, considering data subject rights are commonly required under many regulations.  

In terms of preparing for the CCPA, only 14% of respondents reported being done. Paul noted that even though the July 1st enforcement date is on the horizon, many companies consider the CCPA a “moving target” as the CCPA regulations have not been fully finalized yet. Gary commented many respondents view the CCPA challenges as moderately difficult which may be a result of companies being in the early stages of CCPA compliance. If you haven’t started CCPA compliance, you’re more likely to find challenges (such as managing third-party risks and maintaining an incident response program) more difficult than if you’ve started or are in the late stages of CCPA compliance. 

Gary and Paul provided the webinar attendees with some advice on companies that are behind: Work on the most visible things first, such as your privacy notice, the “do not sell” button, and the mandatory hotline. They went on to review the impact of COVID-19 on privacy and data protection and discussed new digital technologies. Watch the full webinar to learn more about the comprehensive survey’s findings. Download the 2020 Global Privacy Report here.


Serious Privacy Podcast – At the Heart of Privacy: What are K’s favorite privacy topics?


After many weeks discussing a huge variety of topics with our guests, it is time to go back to basics: a privacy conversation about our favorite topics while sitting on a sunny back porch, drink in hand. This week, it’s K’s turn to discuss her favorite privacy topics. Listen in as K and Paul discuss her two favorite topics in depth, both of which are global privacy concerns. This episode can be heard on our website or can be streamed below.

Webinar Recap – CCPA Update: What You Need to Know About CPRA & July 1st Enforcement


As part of the Privacy Insight Series, TrustArc presented the webinar “CCPA Update: What You Need to Know about CPRA & July 1st Enforcement” last week with speakers Teresa Troester-Falk, President and Founder of BlueSky Privacy, and K Royal, Associate General Counsel at TrustArc. This blog post will give a brief summary of that webinar addressing the California Consumer Privacy Act (CCPA), its new regulations and the ballot initiative, the California Privacy Rights Act (CPRA); you can listen to the entire webinar and download the slides here.


With the possibility of a July 1 enforcement date quickly approaching, there was a lot to cover in this webinar. K and Teresa discussed the current status of the consumer privacy acts in California, how the CCPA regulations compare to the CPRA, what to expect on July 1st, how to prepare for all possible scenarios and provided resources to ensure compliance by July 1st and beyond. They expanded upon the various definitions for terms within the CCPA regulations and CPRA. For the CCPA, the definition of “business” was clarified in the regulations that the revenue prong of $25M applies to all revenue, and not simply revenue within California. This was a point of confusion for business leaders trying to interpret the often vague text of the CCPA. 

July 1 Enforcement 

In regards to enforcement, K and Teresa discussed the recent communications from the California AG’s office: “The OAG has determined that any delays in implementation of the regulation will have a detrimental effect on consumer privacy as more and more Californians are using online resources to shop, work, and go to school.” Despite the COVID-19 pandemic, it is clear that the AG’s office is serious about protecting Californian’s personal data and unlikely to waiver on the impending enforcement date.

One of the hot topics in California privacy has been whether or not the use of Cookies on websites constitute a “sale” as defined by the CCPA. The attorney general’s comments in the “Final Statement of Reasons” confirm that the office considers this determination to be highly fact-specific and recommends that companies should seek clarification from counsel. However, under the CPRA, there is a new definition of “sharing” that addresses the cookie scenarios – 

“Share,” “shared,” or “sharing” means sharing, renting, releasing, disclosing, disseminating, making oval/able, transferring, or otherwise communicating orally, In writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and o third party for cross-context behavioral advertising for the benefit of a business In which no money is exchanged. (§1798.140(ah)(1)).

TrustArc CCPA “Opt-Out” Solution  

One of the main aspects of CCPA compliance is fulfilling consumer rights requests as consumers have the right to opt-out of the sale of their personal information. As such, the ability for consumers to exercise this right must be found in an easy-to-find location on your website. With TrustArc Cookie Consent Manager now integrated with TrustArc Individual Rights Manager, you can display the “Do Not Sell My Personal Information” link on your cookie banner, providing transparency and improved user experience to your consumers.

In addition, TrustArc Cookie Consent Manager allows you to configure the consent experience based on any geographical compliance requirements as different regulations have different rules. Utilizing TrustArc Cookie Consent Manager allows you to display the applicable consent banner based on the location of the website visitor. For example, you can display a GDPR opt-in notice banner to EU residents and a CCPA notice-only banner to California residents. 

Companies are understandably in varying stages of preparedness, and with less than a month to go, prioritizing compliance elements is key. Wherever you are in your CCPA compliance journey, TrustArc can offer support at any stage of your compliance plan.

For more information on how TrustArc can help, visit or contact us here.