Serious Privacy Podcast – At the Heart of Privacy: What are K’s favorite privacy topics?

After many weeks discussing a huge variety of topics with our guests, it is time to go back to basics: a privacy conversation about our favorite topics while sitting on a sunny back porch, drink in hand. This week, it’s K’s turn to discuss her favorite privacy topics. Listen in as K and Paul discuss her two favorite topics in depth, both of which are global privacy concerns. This episode can be heard on our website or can be streamed below.

Webinar Recap – CCPA Update: What You Need to Know About CPRA & July 1st Enforcement

As part of the Privacy Insight Series, TrustArc presented the webinar “CCPA Update: What You Need to Know about CPRA & July 1st Enforcement” last week with speakers Teresa Troester-Falk, President and Founder of BlueSky Privacy, and K Royal, Associate General Counsel at TrustArc. This blog post will give a brief summary of that webinar addressing the California Consumer Privacy Act (CCPA), its new regulations and the ballot initiative, the California Privacy Rights Act (CPRA); you can listen to the entire webinar and download the slides here.


With the possibility of a July 1 enforcement date quickly approaching, there was a lot to cover in this webinar. K and Teresa discussed the current status of the consumer privacy acts in California, how the CCPA regulations compare to the CPRA, what to expect on July 1st, and how to prepare for all possible scenarios, and they provided resources to ensure compliance by July 1st and beyond. They expanded upon the various definitions for terms within the CCPA regulations and CPRA. For the CCPA, the regulations clarified the definition of “business”: the revenue prong of $25M applies to all revenue, and not simply revenue within California. This was a point of confusion for business leaders trying to interpret the often vague text of the CCPA.

July 1 Enforcement 

With regard to enforcement, K and Teresa discussed the recent communications from the California AG’s office: “The OAG has determined that any delays in implementation of the regulation will have a detrimental effect on consumer privacy as more and more Californians are using online resources to shop, work, and go to school.” Despite the COVID-19 pandemic, it is clear that the AG’s office is serious about protecting Californians’ personal data and unlikely to waver on the impending enforcement date.

One of the hot topics in California privacy has been whether or not the use of cookies on websites constitutes a “sale” as defined by the CCPA. The attorney general’s comments in the “Final Statement of Reasons” confirm that the office considers this determination to be highly fact-specific and recommends that companies seek clarification from counsel. However, under the CPRA, there is a new definition of “sharing” that addresses the cookie scenarios:

“Share,” “shared,” or “sharing” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged. (§1798.140(ah)(1)).

TrustArc CCPA “Opt-Out” Solution  

One of the main aspects of CCPA compliance is fulfilling consumer rights requests as consumers have the right to opt-out of the sale of their personal information. As such, the ability for consumers to exercise this right must be found in an easy-to-find location on your website. With TrustArc Cookie Consent Manager now integrated with TrustArc Individual Rights Manager, you can display the “Do Not Sell My Personal Information” link on your cookie banner, providing transparency and improved user experience to your consumers.

In addition, TrustArc Cookie Consent Manager allows you to configure the consent experience based on any geographical compliance requirements as different regulations have different rules. Utilizing TrustArc Cookie Consent Manager allows you to display the applicable consent banner based on the location of the website visitor. For example, you can display a GDPR opt-in notice banner to EU residents and a CCPA notice-only banner to California residents. 

Companies are understandably in varying stages of preparedness, and with less than a month to go, prioritizing compliance elements is key. Wherever you are in your CCPA compliance journey, TrustArc can offer support at any stage of your compliance plan.

For more information on how TrustArc can help, visit or contact us here.

New TrustArc Survey Data Shows Nearly One-Third of Organizations Are Just Starting CCPA Planning


TrustArc has announced the results of its “Global Privacy Benchmark” survey on how organizations are protecting and leveraging data, their most valuable asset. One of the most extensive surveys ever conducted on data privacy, it polled more than 1,500 respondents from around the world at all levels of the organization. Survey results examined a wide range of topics, such as organizational commitment to privacy, the measures and investments companies are making to embed privacy, and company readiness for looming privacy regulations, such as CCPA and its July 1 enforcement date.

“There are more than 900 global privacy laws to which organizations must adhere, making privacy management an ongoing and dynamic challenge,” said Chris Babel, CEO, TrustArc. “The TrustArc survey highlights just how difficult it can be to comply with even a single new regulation, such as CCPA, let alone the entire list of existing laws. The results also show how the COVID-19 pandemic and its attendant technologies, such as video conferencing, have exacerbated an already difficult privacy challenge and forced respondents to rethink their approaches.”

CCPA Compliance Readiness Mostly Lacking; Prior GDPR Preparedness a Boost

Nearly one-third of survey respondents (29%) say they have just started planning for CCPA. 

  • More than 20% of respondents report they are either somewhat unlikely to be, very unlikely to be, or don’t know if they will be fully compliant with CCPA on July 1.
  • Just 14% of respondents are done with CCPA compliance. Nine percent have not started with CCPA compliance, and 15% have a plan but have not started implementation. 
  • Of respondents who reported as being slightly or very knowledgeable about CCPA and GDPR regulations, 82% are leveraging at least some of the work they did for GDPR in implementing CCPA requirements. 

Privacy Professionals Still Use Inefficient Technologies for Compliance Programs

Though 90% of respondents agree or strongly agree that they are “mindful of privacy as a business,” many privacy professionals are left building privacy programs without automation. 

  • 19% of respondents report they are most deficient in automating privacy processes. 
  • Just 17% of all respondents have implemented privacy management software, which matches the 17% who are still using spreadsheets and word processors. 
  • In addition, 19% are using open source/free software and 9% are doing nothing. 
  • Even in the U.S., which boasts the highest rate of privacy management software adoption, just 22% of respondents use privacy management software as their primary compliance software. 

Respondents understand the importance of data privacy and continue to invest in ongoing privacy programs. However, many are still attempting to implement these programs using manual processes and technologies that do not offer automation. Moving forward, the companies that can leverage automation to simplify data privacy can protect their most valuable asset—data—and use it to drive business growth.

Pandemic, New Technologies Present Additional Challenges to Compliance

With the move to all-remote workforces, companies are increasingly turning to technologies, such as video conferencing and collaboration tools. These tools present new avenues for data creation that privacy professionals must consider in their company-wide plans. 

  • Twenty-two percent of respondents said personal device security during the pandemic has added a great deal of risk to their businesses. “Personal device security” received the highest proportion of “a great deal of risk” responses, compared to the other four response options. 
  • A majority of respondents said that third-party data, supply chain, personal-device security, unintentional data sharing, and required or voluntary data sharing for public health purposes all added at least a moderate amount of risk to their businesses.
  • Seventy percent of respondents say video conferencing tools have required a moderate or great change to their privacy approach, and 65% of respondents say collaboration tools have required a moderate or great change to privacy approaches.

Despite Financial Impact of Pandemic, Privacy Compliance Remains a High Priority 

Though many respondents expect a significant decrease in their company’s revenues as a result of the COVID-19 pandemic, they are still prioritizing privacy-related investments.

  • Forty-four percent of companies expect a decrease or steep decrease in overall company revenues for the balance of 2020 as a result of COVID-19.
  • Just 15% of respondents report they plan to spend less or a great deal less on privacy efforts in 2020 as a result of the pandemic.
  • Nearly half (42%) of respondents plan to spend $500,000 or more in 2020 on CCPA efforts alone.

Boards of Directors Actively Involved in Privacy Management

The mandate for increased privacy investments is coming from the very top of organizations.

  • Eighty-three percent of respondents indicate their board of directors regularly reviews privacy approaches.
  • An impressive 86% of respondents say that everyone from the board of directors to the front-line staff knows their role in protecting privacy.
  • Four out of five respondents view privacy as a key differentiator for their company.

To download the entire report, click here.


Serious Privacy Podcast: Gaming! It’s All Fun and Games Until…


Gaming! It’s all fun and games, right? Not exactly. There are hidden dangers in online gaming that many individuals do not consider. When you are stuck at home for many weeks, chances are that you have downloaded one or more gaming apps on your phone, or purchased a game console either for yourself or your family. Games are also great sources of data collection from all corners of the world and all levels of society. What kinds of data are collected? How are they used? Is it all transparent? And of course – how do we tell children – and more importantly – protect children? 

In this episode of Serious Privacy, Paul and K discuss the dark side of gaming with two gaming and privacy professionals, Leena Kuusniemi and Ben Siegel. We discuss the worldwide multibillion dollar industry, the most downvoted post on Reddit, ads in gaming, mobile notice, fragmented regulations, and how to educate your kids about the dangers of gaming. Listen to this week’s episode on our website or stream the episode below.

Serious Privacy Podcast – The Business Side of Privacy: Money, Mergers, and Mandates


Personal data can often be a complicated side to critical business activities, such as mergers and acquisitions and bankruptcy. Since the beginning of the year, the world has been dealing with a global health crisis. But unfortunately, that is not the only crisis the world will be dealing with this year – by now it is clear our economy will take a serious hit as a result of COVID-19. Companies will go under, or may become targets for mergers and acquisitions while in a weakened state. That also may have an impact on the data holdings of organisations. Can sets of customer, employee and third party data just be handed over from one company to the other, or sold to the highest bidder to return some money to investors? These highly impactful business activities, which are often executed rapidly, are not the times to overlook critical data allowances and restrictions.

In this episode, we discuss how companies can prepare for and manage privacy issues in M&A and bankruptcy with Constantine Karbaliotis, a privacy veteran who has managed these issues for companies. Listen to this week’s episode on our website or stream the episode below.

Serious Privacy Podcast – Unfiltered: An Englishman’s Information Ideals


What do you get when you put an Englishman in charge of information privacy? A lot of experience, ideas, and expertise when it is Ralph O’Brien. With all the news on the Coronavirus, one could almost forget there are still Brexit negotiations taking place. There is still a question whether the United Kingdom can obtain an adequacy decision from the European Union. Is the UK data protection legislation enough to offer an “essentially equivalent” level of data protection? What are the British views on using and protecting personal data? What about national surveillance? And how does this all tie in to the life and work of a privacy consultant? These topics and more will be addressed in this episode with Ralph – a highly respected privacy professional located in the United Kingdom.

The conversation takes us from how Ralph first entered privacy and the considerations and areas of focus at that time to how privacy has evolved. As we can imagine, the world of privacy, including Brexit issues, has dramatically changed and not all changes are necessarily good. Listen as Ralph shares his thoughts on data privacy, technology, the privacy profession, and Brexit – including what caused him to “go ballistic” on Twitter. Listen to this week’s episode on our website or stream the episode below.