In-house privacy counsel roles are getting more challenging—and interesting—as data regulations change worldwide.

Over the past year, the European Union implemented its General Data Protection Regulation, California passed the first U.S. privacy law and Brazilian legislators approved a General Data Protection Law. Plus, support for a U.S. federal data privacy law is gaining traction.

Brock Wanless has to consider all of these new and pending rules every day as managing counsel, global privacy and regulatory for global e-commerce platform Groupon. He'll be speaking about GDPR and the California Consumer Privacy Act specifically at SuperConference, an upcoming Corporate Counsel event in Chicago.

This week, Corporate Counsel spoke with Wanless about his GDPR and CCPA compliance strategies, and tips for other legal teams. This interview has been edited for clarity and length.

Corporate Counsel: What are some of the major privacy changes we've seen over the past year or so?

Brock Wanless: Clearly GDPR first comes to mind. That was a rather significant and first-of-its-kind type of data privacy regulation, both in substance and its impact on companies and consumers. So GDPR is clearly something most companies have spent a lot of time studying and complying with.

CCPA is a newer law compared to GDPR. It is different in a lot of ways but the impact is to be determined. Not only with California businesses and consumers that are subject to the law, but also whether or not CCPA will result in other states following suit with similar laws or even prompting the federal government to pass a federal data privacy bill that is all-encompassing for the first time.

CC: In terms of CCPA, you mentioned that it's newer and not yet clear what it's going to look like, or if we'll see more regulations from other U.S. states. As an in-house lawyer, how do you prepare to comply with a law that isn't quite clear yet?

BW: I think we are in the same boat as most companies in wading through the issues where we feel there is some ambiguity in CCPA. But there are also other areas that are pretty clear. One challenge with the CCPA is around the various legislative amendments that have been introduced in California. That will offer, hopefully, some increased clarity, or in some areas significantly change aspects of the law.

The other unknown is what the attorney general's ultimate administrative rule proposal will look like. That will hopefully also offer some clarity on certain areas of ambiguity. The challenge for companies is sort of speculative. We think we have a good idea as to what the attorney general will address, but we're left with today what the law actually says. So I think most companies are just making their own determinations as to how they view the law and are building compliance around it.

CC: I spoke with in-house counsel before GDPR went into effect who took a wait-and-see approach. It's been almost a year since implementation. Were there aspects to your compliance strategy you've had to adapt since the law went into effect?

BW: Not really. I think we took a different approach. We did not take a wait-and-see approach to GDPR. We spent a lot of time. We felt pretty confident about our compliance program around it. What has been interesting to watch is the enforcement of GDPR. I think we're going to see more enforcement that will also offer some clarity around what regulators really care about and how they're interpreting some of the more interesting provisions of GDPR. Obviously there was the recent action against Google, which was very interesting for a variety of reasons. As we see more enforcement actions like that, it will be interesting to watch and hopefully that will provide some clarity.

CC: How long did it take your company to comply with GDPR?

BW: I'm hesitant to put a number on that. I couldn't even begin to guess. We looked at it as building on the existing foundation we had for our privacy program. We had a good foundation for it. Obviously there were resources we needed to deploy to build compliance.

CC: Talking about building on foundations, has your GDPR compliance helped in CCPA preparations?

BW: I think there are certain aspects of GDPR compliance that will help companies become compliant with CCPA, but they are very different laws in terms of depth and areas that GDPR covers versus CCPA. The one area with the most overlap is around individual rights and data access requests. That is one area of overlap where companies that have a foundation to handle those requests for GDPR are probably more ahead for CCPA compliance. That's one overlap. But in a lot of ways, CCPA is a very different law.

CC: What are some of those key difference in-house counsel should keep in mind as they approach CCPA compliance?

BW: The one that jumps to mind is the “do not sell” requirement of CCPA. GDPR does not have an equivalent to that. So from a matter of legal interpretation there's a lot to work through with what constitutes the sale of personal information and what does not and how to operationalize that. The other is the definition of what is considered to be personal information is broader than GDPR. That is another element that companies are evaluating. Again, just because you are compliant with GDPR doesn't mean you're going to be compliant with CCPA.

CC: Do you have any advice for in-house departments that weren't impacted by GDPR but now have to comply with CCPA? Where should they begin?  

BW: My advice, and this is pretty basic, is start preparations now. Every company is different in terms of what they're doing with data. Whether you're a tech company or manufacturing company or a brick-and-mortar retailer, CCPA is agnostic to your industry. So you should start evaluating now how the law may apply to you. Talk to your outside counsel and start building a compliance program now. Don't wait.

Join hundreds of general counsel and senior legal leaders at the 2019 SuperConference, the premier forum designed for and by general counsel from Fortune 1000 companies.

Read More: