Ashlen Cherry, Epsilon’s chief privacy officer, would bet on federal privacy legislation happening – just not before the end of the year.
“This can be a bipartisan issue, and there’s an appetite for it on the hill,” said Cherry, who joined Epsilon last October after almost a decade as the global privacy program manager at Dell. “It will take at least another session of Congress, though.”
Cherry has been in the privacy business for 20 years, and knows that technological innovation often drives public interest in government action.
Despite industry lobbying, lawmakers on both sides of the aisle have said they don’t want a federal privacy law that isn’t at least as tough as the California Consumer Protection Act (CCPA) set to take effect in January 2020.
But whoever wins the debate, Cherry and her fellow chief privacy officers across the industry have to be ready.
“It’s CCPA today, who knows which states tomorrow and what could be coming on the federal level,” Cherry said. “We’re preparing where we can and using flexibility as our guiding criteria.”
AdExchanger spoke with Cherry about getting acquired by Publicis, mobilizing for CCPA and why GDPR prep didn’t end on May 25, 2018.
AdExchanger: Publicis is a data controller with hundreds of subsidiaries around the world. How is the Publicis acquisition of Epsilon/Conversant changing how you approach privacy compliance?
ASHLEN CHERRY: Because of where we are with the integration, I can’t go into specifics. A lot of that will be nailed down after the acquisition closes [sometime in the third quarter]. But we will of course have to look at the current organization and how we can continue to provide adequate support to deal with this shifting landscape, both internally and externally.
I’m optimistic that Publicis will continue to support our commitment to notice, transparency and being good custodians of data. That’s part of the reason Publicis appeared to be interested in Epsilon, and it was a big part of their due diligence. There were a lot of questions about our data privacy and security practices.
How has your job changed before and after the General Data Protection Regulation (GDPR)?
AdExchanger Daily
Get our editors’ roundup delivered to your inbox every weekday.
Daily Roundup
GDPR has definitely raised the profile of data protection in parallel with some not-so-great stories that hit the headlines. The last few years were hard on those of us in the privacy world. There was a lot to do, and it’s an area we need to continually monitor for additional guidance.
Now, we’re looking at what we did – and do – with GDPR and thinking about how we can apply that work elsewhere, including to the CCPA. Privacy-by-design is baked into how we approach technological innovation, but GDPR underscored how important it is. Privacy is a team sport, and we need to be having these conversations across the organization.
How many hours did you devote to GDPR prep?
That’s hard to quantify, but I will say that I don’t know of any privacy professionals who reached May 25, 2018, [the day of GDPR enforcement] and did a full victory dance. This is an ongoing journey, there’s still guidance coming out and detailed documentation is an ongoing requirement.
Everyone was working long and hard hours before GDPR and they continue to do so.
How are you getting ready for CCPA?
We know we need to act now and focus on the parts of the law that seem somewhat straightforward. But there is considerable confusion about definitions and requirements that are still not altogether clear. We’re trying to be as thoughtful as we can and we’re working with trade associations to understand how other industries are approaching this.
Where things are unclear, we’re working with legal counsel to try and interpret them in a way we believe is defensible.
Nevada also has a data privacy law that goes into effect in October, three months before CCPA.
There are so many open questions, and so it’s all about flexibility. When we design tools, such as our consent tool, which gives people the ability to see what data a company has on them and then to delete it on the Conversant side, we do so with an effort to contemplate future regulations.
We build so that when the rules become more defined, we can easily modify tools and processes as needed.
This interview has been edited.
