Here's What You May Have Missed From IAPP GPS '22

You’ve likely seen a few articles about some headliners of the International Association of Privacy Professionals’ (IAPP) Global Privacy Summit (GPS) held in D.C. earlier this month. You probably already know that FTC Commissioner and Chair Lina Khan spoke on her continued commitment to fight big tech, and that Tim Cook came and stated that “The fight to protect privacy is not an easy one, but it is one of the most essential battles of our time.” 

But there was so much more to the conference than these headliners and the rest of the conference deserves some attention. 

Disharmony in the FTC

First, and this was somewhat publicized, we heard from FTC Commissioner Noah Phillips, (moderated by the legendary - in the privacy world - Jules Polonetsky of the Future of Privacy Forum) in the session “New Chair, New Agenda: The FTC’s Priorities and Identity Under New Leadership.” The differing viewpoints of the commissioners left the audience confused. While Commissioner Phillips said that he wasn’t speaking for the FTC, he unabashedly contradicted the new FTC Chair Lina Khan with his comments about the slow-moving, partisan stalemate between voting FTC commissioners. And in contrast to Chairperson Khan who reiterated her, and by virtue of her position, the FTC’s commitment to fight against big tech’s privacy missteps via anticompetition, Commissioner Phillips contradicted her stance and stated that the FTC should go after privacy wrongdoers, regardless of size. Directly at odds with Chairperson Khan’s promise to regulate at the intersection of privacy and anticompetition. This session showed the audience that there isn’t harmony within the agency. Attendees remained in the room long after the session ended to discuss their confusion at the irresoluteness of the FTC. Commissioner Phillips vocalizing his opinion in this session is all the more intriguing knowing that democratic nominee, Alvaro Bedoya, is about to be appointed as a FTC commissioner, breaking the 2-2 partisan stalemate in the democrat’s favor. So what was the point in griping? I believe that Commissioner Phillips wanted to share his beliefs before his opinions are officially outvoted (by Bedoya). Along with his concern for only addressing privacy as it touches anticompetition, Commissioner Phillips also focused on two other points of disagreement with Chair Khan. First, he expressed concern about Chair Khan’s labeling targeted advertising as “surveilance” advertising. He argued that the term “surveillance” pares back the objectivity of the problem of data use and abuse by instilling fear of practices that aren’t harmful. Second, he argued that Chair Khan’s approach to rulemaking edges into legislation, a job that isn’t in scope for the FTC. Specifically, Commissioner Phillips question the FTC’s authority to create new remedies for harms (such as requiring Weight Watchers to destroy any algorithms derived from illegally obtained data), something Chair Khan has pushed.

There was a lot of practical advice given

For example, in the session “Privacy Metrics: Best Practices to Drive Improvements in Performance and Trust” we heard from Omer Tene - Partner @ Goodwin, Harvey Jang - VP and CPO @ Cisco, Amanda Weare - VP, Deputy GC, Product and Privacy, DPO @ Collibra, and Barbara Cosgrove - VP and CPO @ Workday speak on creating privacy metrics to report to the board of directors. We learned that 94% of companies report one or more privacy metrics to the board of directors. The top metrics being reported (in order of most reported to less) are audits, data breaches, impact assessments, data subject requests, incident response, privacy gaps identified, third party contracts, training, maturity model, and value/ROI. Particularly insightful is the image below that details what metrics are important to what stakeholders and how those metrics should be tailored to each team. 

But how do we even come up with these privacy metrics? Start by documenting your company’s internal privacy program, policies, and procedures. Then use this internal documentation to identify gaps in your program and then benchmark your program against others’. These are your reportable metrics. This internal document should be revisited frequently, to identify new gaps against benchmarks. Rinse and repeat often. 

Adtech’s day of reckoning is a drawn out process that’s already begun

In the “Shaping the Future of Online Tracking” session with Stephen Bonner - Executive Director, Regulatory Futures and Innovation @Information Commissioner’s Office, Marshal Erwin - CSO @ Mozilla, Kristin Chapman - Senior Directory, Privacy Technology @ Salesforce, and Nick Doty - Senior Fellow @ Center for Democracy and Technology, we learned about the adtech landscape and its shaky future given the upcoming deprecation of Google’s third party cookies. Mozilla’s Marshall Erwin boasted his company’s commitment to privacy in embedding privacy solutions such as FireFox Private Browsing. In response, Kristen Chapman argued It shouldn’t be the browser’s/platform’s obligation to instill privacy guidelines for websites/apps respectively. Because hoping these companies do right is a short term solution at best. All panelists were in agreement that without adequate governmental regulation, what else are we left with? The current state of self-regulation isn’t sufficient as evidenced by ineffective opt outs and the movement to ban targeted advertising altogether. Stephen Bonner of ICO reiterated the need for privacy solutions to not be anticompetitive (*ahem* Google you were mentioned), that adtech needs interoperable solutions that are in compliance with laws (*ahem* IAB TCF you were also mentioned). In the end, the panelists couldn’t predict the future, but the audience was left with the feeling that the winds were about to change on adtech. 

There are so many privacy platforms, it’s time to get your company onboarded

Lastly, I want to address the vendors. The main conference floor was packed with privacy vendors of every kind, big and small. It’s clear that the privacy industry is growing. Take for example Didomi, a consent/preference management platform raised $40 million in series B last year. OneTrust, the world’s largest privacy management technology platform, closed out series C at $510 million at a $5.3 billion valuation. And a company’s privacy concerns don’t just apply to its own practices, but the practices of all of its vendors as well. Safeguard Privacy, founded in 2018, provides a solution to this problem through its assessments. All this being said, if you are a medium to large organization, it's time to get on a platform. The market is competitive and as long as privacy continues to be a growing field with increasing regulation (and the above numbers tell us it will), it’s time to seriously consider a privacy platform to manage your data maps, data subject requests, privacy assessments and everything else your privacy team has requested. 

Conclusion

IAPP GPS ‘22 was jam-packed this year and the publicized stuff was worthy of publication, but there was so much more. While there was a good amount of pontificating (about whether there will be a federal privacy law, what cross-border data transfers will look like, whether IAB TCF will continue to exist, what the cookie-less advertising and online tracking world will look like, etc.), there were a lot of practical insights too.  There were sessions and meet-ups for every privacy specialty. And with IAPP having increased their membership by nearly 50% since the last GPS, it's unsurprising that a lot of the conference went uncovered.