Groupon's Privacy Lawyer Dishes on CCPA, GDPR Compliance Challenges and Tips
Groupon privacy counsel Brock Wanless shares his GDPR compliance journey and tips for approaching CCPA.
March 28, 2019 at 06:42 PM
6 minute read
Brock Wanless, managing counsel, global privacy and regulatory at Groupon.
In-house privacy counsel roles are getting more challenging—and interesting—as data regulations change worldwide.
Over the past year, the European Union implemented its General Data Protection Regulation, California passed the first U.S. privacy law and Brazilian legislators approved a General Data Protection Law. Plus, support for a U.S. federal data privacy law is gaining traction.
Brock Wanless has to consider all of these new and pending rules every day as managing counsel, global privacy and regulatory for global e-commerce platform Groupon. He'll be speaking about GDPR and the California Consumer Privacy Act specifically at SuperConference, an upcoming Corporate Counsel event in Chicago.
This week, Corporate Counsel spoke with Wanless about his GDPR and CCPA compliance strategies, and tips for other legal teams. This interview has been edited for clarity and length.
Corporate Counsel: What are some of the major privacy changes we've seen over the past year or so?
Brock Wanless: Clearly GDPR first comes to mind. That was a rather significant and first-of-its-kind type of data privacy regulation, both in substance and its impact on companies and consumers. So GDPR is clearly something most companies have spent a lot of time studying and complying with.
CCPA is a newer law compared to GDPR. It is different in a lot of ways but the impact is to be determined. Not only with California businesses and consumers that are subject to the law, but also whether or not CCPA will result in other states following suit with similar laws or even prompting the federal government to pass a federal data privacy bill that is all-encompassing for the first time.
CC: In terms of CCPA, you mentioned that it's newer and not yet clear what it's going to look like, or if we'll see more regulations from other U.S. states. As an in-house lawyer, how do you prepare to comply with a law that isn't quite clear yet?
BW: I think we are in the same boat as most companies in wading through the issues where we feel there is some ambiguity in CCPA. But there are also other areas that are pretty clear. One challenge with the CCPA is around the various legislative amendments that have been introduced in California. That will offer, hopefully, some increased clarity, or in some areas significantly change aspects of the law.
The other unknown is what the attorney general's ultimate administrative rule proposal will look like. That will hopefully also offer some clarity on certain areas of ambiguity. The challenge for companies is sort of speculative. We think we have a good idea as to what the attorney general will address, but we're left with today what the law actually says. So I think most companies are just making their own determinations as to how they view the law and are building compliance around it.
CC: I spoke with in-house counsel before GDPR went into effect who took a wait-and-see approach. It's been almost a year since implementation. Were there aspects to your compliance strategy you've had to adapt since the law went into effect?
BW: Not really. I think we took a different approach. We did not take a wait-and-see approach to GDPR. We spent a lot of time. We felt pretty confident about our compliance program around it. What has been interesting to watch is the enforcement of GDPR. I think we're going to see more enforcement that will also offer some clarity around what regulators really care about and how they're interpreting some of the more interesting provisions of GDPR. Obviously there was the recent action against Google, which was very interesting for a variety of reasons. As we see more enforcement actions like that, it will be interesting to watch and hopefully that will provide some clarity.
CC: How long did it take your company to comply with GDPR?
BW: I'm hesitant to put a number on that. I couldn't even begin to guess. We looked at it as building on the existing foundation we had for our privacy program. We had a good foundation for it. Obviously there were resources we needed to deploy to build compliance.
CC: Talking about building on foundations, has your GDPR compliance helped in CCPA preparations?
BW: I think there are certain aspects of GDPR compliance that will help companies become compliant with CCPA, but they are very different laws in terms of depth and areas that GDPR covers versus CCPA. The one area with the most overlap is around individual rights and data access requests. That is one area of overlap where companies that have a foundation to handle those requests for GDPR are probably more ahead for CCPA compliance. That's one overlap. But in a lot of ways, CCPA is a very different law.
CC: What are some of those key difference in-house counsel should keep in mind as they approach CCPA compliance?
BW: The one that jumps to mind is the “do not sell” requirement of CCPA. GDPR does not have an equivalent to that. So from a matter of legal interpretation there's a lot to work through with what constitutes the sale of personal information and what does not and how to operationalize that. The other is the definition of what is considered to be personal information is broader than GDPR. That is another element that companies are evaluating. Again, just because you are compliant with GDPR doesn't mean you're going to be compliant with CCPA.
CC: Do you have any advice for in-house departments that weren't impacted by GDPR but now have to comply with CCPA? Where should they begin?
BW: My advice, and this is pretty basic, is start preparations now. Every company is different in terms of what they're doing with data. Whether you're a tech company or manufacturing company or a brick-and-mortar retailer, CCPA is agnostic to your industry. So you should start evaluating now how the law may apply to you. Talk to your outside counsel and start building a compliance program now. Don't wait.
Join hundreds of general counsel and senior legal leaders at the 2019 SuperConference, the premier forum designed for and by general counsel from Fortune 1000 companies.
Read More:
GDPR vs. CCPA: Privacy Counsel Weigh In on Compliance Challenges
Privacy Notices, Opt-In Clauses Debated as US Regulators Shape Federal Privacy Law
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
'True Leadership Is About Putting Others First': 2024 In-House Award Winners Inspired, Took Road Less Traveled
Datasite's Ethics and Compliance Team Drives Transformation
Trending Stories
- 1Uber Files RICO Suit Against Plaintiff-Side Firms Alleging Fraudulent Injury Claims
- 2The Law Firm Disrupted: Scrutinizing the Elephant More Than the Mouse
- 3Inherent Diminished Value Damages Unavailable to 3rd-Party Claimants, Court Says
- 4Pa. Defense Firm Sued by Client Over Ex-Eagles Player's $43.5M Med Mal Win
- 5Losses Mount at Morris Manning, but Departing Ex-Chair Stays Bullish About His Old Firm's Future
Who Got The Work
J. Brugh Lower of Gibbons has entered an appearance for industrial equipment supplier Devco Corporation in a pending trademark infringement lawsuit. The suit, accusing the defendant of selling knock-off Graco products, was filed Dec. 18 in New Jersey District Court by Rivkin Radler on behalf of Graco Inc. and Graco Minnesota. The case, assigned to U.S. District Judge Zahid N. Quraishi, is 3:24-cv-11294, Graco Inc. et al v. Devco Corporation.
Who Got The Work
Rebecca Maller-Stein and Kent A. Yalowitz of Arnold & Porter Kaye Scholer have entered their appearances for Hanaco Venture Capital and its executives, Lior Prosor and David Frankel, in a pending securities lawsuit. The action, filed on Dec. 24 in New York Southern District Court by Zell, Aron & Co. on behalf of Goldeneye Advisors, accuses the defendants of negligently and fraudulently managing the plaintiff's $1 million investment. The case, assigned to U.S. District Judge Vernon S. Broderick, is 1:24-cv-09918, Goldeneye Advisors, LLC v. Hanaco Venture Capital, Ltd. et al.
Who Got The Work
Attorneys from A&O Shearman has stepped in as defense counsel for Toronto-Dominion Bank and other defendants in a pending securities class action. The suit, filed Dec. 11 in New York Southern District Court by Bleichmar Fonti & Auld, accuses the defendants of concealing the bank's 'pervasive' deficiencies in regards to its compliance with the Bank Secrecy Act and the quality of its anti-money laundering controls. The case, assigned to U.S. District Judge Arun Subramanian, is 1:24-cv-09445, Gonzalez v. The Toronto-Dominion Bank et al.
Who Got The Work
Crown Castle International, a Pennsylvania company providing shared communications infrastructure, has turned to Luke D. Wolf of Gordon Rees Scully Mansukhani to fend off a pending breach-of-contract lawsuit. The court action, filed Nov. 25 in Michigan Eastern District Court by Hooper Hathaway PC on behalf of The Town Residences LLC, accuses Crown Castle of failing to transfer approximately $30,000 in utility payments from T-Mobile in breach of a roof-top lease and assignment agreement. The case, assigned to U.S. District Judge Susan K. Declercq, is 2:24-cv-13131, The Town Residences LLC v. T-Mobile US, Inc. et al.
Who Got The Work
Wilfred P. Coronato and Daniel M. Schwartz of McCarter & English have stepped in as defense counsel to Electrolux Home Products Inc. in a pending product liability lawsuit. The court action, filed Nov. 26 in New York Eastern District Court by Poulos Lopiccolo PC and Nagel Rice LLP on behalf of David Stern, alleges that the defendant's refrigerators’ drawers and shelving repeatedly break and fall apart within months after purchase. The case, assigned to U.S. District Judge Joan M. Azrack, is 2:24-cv-08204, Stern v. Electrolux Home Products, Inc.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
