Groupon's Privacy Lawyer Dishes on CCPA, GDPR Compliance Challenges and Tips
Groupon privacy counsel Brock Wanless shares his GDPR compliance journey and tips for approaching CCPA.
March 28, 2019 at 06:42 PM
6 minute read
The original version of this story was published on Corporate Counsel
In-house privacy counsel roles are getting more challenging—and interesting—as data regulations change worldwide.
Over the past year, the European Union implemented its General Data Protection Regulation, California passed the first U.S. privacy law and Brazilian legislators approved a General Data Protection Law. Plus, support for a U.S. federal data privacy law is gaining traction.
Brock Wanless has to consider all of these new and pending rules every day as managing counsel, global privacy and regulatory for global e-commerce platform Groupon. He'll be speaking about GDPR and the California Consumer Privacy Act specifically at SuperConference, an upcoming Corporate Counsel event in Chicago.
This week, The Recorder affiliate Corporate Counsel spoke with Wanless about his GDPR and CCPA compliance strategies, and tips for other legal teams. This interview has been edited for clarity and length.
Corporate Counsel: What are some of the major privacy changes we've seen over the past year or so?
Brock Wanless: Clearly GDPR first comes to mind. That was a rather significant and first-of-its-kind type of data privacy regulation, both in substance and its impact on companies and consumers. So GDPR is clearly something most companies have spent a lot of time studying and complying with.
CCPA is a newer law compared to GDPR. It is different in a lot of ways but the impact is to be determined. Not only with California businesses and consumers that are subject to the law, but also whether or not CCPA will result in other states following suit with similar laws or even prompting the federal government to pass a federal data privacy bill that is all-encompassing for the first time.
CC: In terms of CCPA, you mentioned that it's newer and not yet clear what it's going to look like, or if we'll see more regulations from other U.S. states. As an in-house lawyer, how do you prepare to comply with a law that isn't quite clear yet?
BW: I think we are in the same boat as most companies in wading through the issues where we feel there is some ambiguity in CCPA. But there are also other areas that are pretty clear. One challenge with the CCPA is around the various legislative amendments that have been introduced in California. That will offer, hopefully, some increased clarity, or in some areas significantly change aspects of the law.
The other unknown is what the attorney general's ultimate administrative rule proposal will look like. That will hopefully also offer some clarity on certain areas of ambiguity. The challenge for companies is sort of speculative. We think we have a good idea as to what the attorney general will address, but we're left with today what the law actually says. So I think most companies are just making their own determinations as to how they view the law and are building compliance around it.
CC: I spoke with in-house counsel before GDPR went into effect who took a wait-and-see approach. It's been almost a year since implementation. Were there aspects to your compliance strategy you've had to adapt since the law went into effect?
BW: Not really. I think we took a different approach. We did not take a wait-and-see approach to GDPR. We spent a lot of time. We felt pretty confident about our compliance program around it. What has been interesting to watch is the enforcement of GDPR. I think we're going to see more enforcement that will also offer some clarity around what regulators really care about and how they're interpreting some of the more interesting provisions of GDPR. Obviously there was the recent action against Google, which was very interesting for a variety of reasons. As we see more enforcement actions like that, it will be interesting to watch and hopefully that will provide some clarity.
CC: How long did it take your company to comply with GDPR?
BW: I'm hesitant to put a number on that. I couldn't even begin to guess. We looked at it as building on the existing foundation we had for our privacy program. We had a good foundation for it. Obviously there were resources we needed to deploy to build compliance.
CC: Talking about building on foundations, has your GDPR compliance helped in CCPA preparations?
BW: I think there are certain aspects of GDPR compliance that will help companies become compliant with CCPA, but they are very different laws in terms of depth and areas that GDPR covers versus CCPA. The one area with the most overlap is around individual rights and data access requests. That is one area of overlap where companies that have a foundation to handle those requests for GDPR are probably more ahead for CCPA compliance. That's one overlap. But in a lot of ways, CCPA is a very different law.
CC: What are some of those key difference in-house counsel should keep in mind as they approach CCPA compliance?
BW: The one that jumps to mind is the “do not sell” requirement of CCPA. GDPR does not have an equivalent to that. So from a matter of legal interpretation there's a lot to work through with what constitutes the sale of personal information and what does not and how to operationalize that. The other is the definition of what is considered to be personal information is broader than GDPR. That is another element that companies are evaluating. Again, just because you are compliant with GDPR doesn't mean you're going to be compliant with CCPA.
CC: Do you have any advice for in-house departments that weren't impacted by GDPR but now have to comply with CCPA? Where should they begin?
BW: My advice, and this is pretty basic, is start preparations now. Every company is different in terms of what they're doing with data. Whether you're a tech company or manufacturing company or a brick-and-mortar retailer, CCPA is agnostic to your industry. So you should start evaluating now how the law may apply to you. Talk to your outside counsel and start building a compliance program now. Don't wait.
Join hundreds of general counsel and senior legal leaders at the 2019 SuperConference, the premier forum designed for and by general counsel from Fortune 1000 companies.
Read More:
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllNLRB Bans 'Captive Audience' Meetings, Yanking Away Platform Employers Used to Combat Unionizing
FTC Receiver Eyes Fraudulent Messages Ecommerce Company's Clients
Judge Splits Couple's Potential Recoupment of Punitive Damages Against eBay's Harassment Campaign
4 minute readGoogle expert at antitrust trial says ad-dollar competition is underestimated
4 minute readTrending Stories
- 1Commission Confirms Three of Newsom's Appellate Court Picks
- 2Judge Grants Special Counsel's Motion, Dismisses Criminal Case Against Trump Without Prejudice
- 3GEICO, Travelers to Pay NY $11.3M for Cybersecurity Breaches
- 4'Professional Misconduct': Maryland Supreme Court Disbars 86-Year-Old Attorney
- 5Capital Markets Partners Expect IPO Resurgence During Trump Administration
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250