Navigating the complexities of privacy with Jason Sarfati

This week I’m joined by Jason Sarfati, the Chief Privacy Officer and VP of Legal at Gravy Analytics.

In our discussion, Jason outlines his perspective on how executives should navigate the complexities of privacy. He discusses the two guardrails that often govern data ethics and why it is so complicated to consider. Jason talks about the different privacy laws, their challenges at both a state and federal level and how social impact is starting to influence discussions.

Links

Jason Sarfati Twitter: https://twitter.com/JMSarfati

Jason Sarfati LinkedIn: https://www.linkedin.com/in/jasonsarfati/

Gravy Analytics: https://gravyanalytics.com

Transcript

Tim Crawford:

Companies are looking for new ways to transform their business. Technology plays a critical role in this transformation. Speed and innovation in both technology and thinking are key to this shift. Hello and welcome to the CXO In The Know podcast where I take a provocative, but pragmatic look at the intersection of business and technology through the lens of leading CXO executives. I’m your host, Tim Crawford, a CIO and Strategic Advisor at AVOA. This week I’m joined by Jason Sarfati, the Chief Privacy Officer and VP of Legal at Gravy Analytics. In our discussion, Jason outlines his perspective on how executives should navigate the complexities of privacy. He discusses the two guard rails that often govern data ethics and why it is so complicated to consider. Jason talks about the different privacy laws, their challenges at both the state and federal level, and how social impact is starting to influence discussions. Jason, welcome to the program.

Jason Sarfati:

Thank you very much for having me, Tim.

Tim Crawford:

Jason Sarfati, you’re the chief privacy officer and VP of legal at Gravy Analytics. So to get us started and to set the stage for our conversation today, why don’t you tell us a little bit about yourself and your role there as the chief privacy officer?

Jason Sarfati:

Sure thing. So, well, for starters, the position of chief privacy officer didn’t really exist in most companies 5, 10 years ago. It’s been a more of a recent trend. And it’s a response to the fact that there are laws that are being passed both in this country and in most of the major economies around the world that regulate how personal information needs to be handled. And yes, it’s a legal function, but it’s also a compliance function, it’s a marketing function, it’s a branding issue. So chief privacy officer is where all those decisions are made and usually recommended to the rest of leadership. So most of them tend to have a legal background. I went to law school, graduated in 2015. And even then, which was two to three years before the GDPR came out, which references the European privacy law, the indication was that privacy was going to become big and privacy positions were opening up. So I knew even back in law school, that one day ideally I would become a chief privacy officer. So it’s been a real pleasure watching the industry change and me growing within it.

Tim Crawford:

Even along those lines, if you look at regulatory compliance and privacy, it’s incredibly complicated and it seems like every time you turn around, it’s just getting more complicated. When I think about this from an executive standpoint though, how should I navigate through privacy in today’s world?

Jason Sarfati:

It is incredibly complicated. I agree with you, Tim. And I also have some bad news to share with the audience.

Tim Crawford:

Uh-Oh.

Jason Sarfati:

I foresee it getting more complicated versus less complicated in the near future as well. The big problem frankly, is the internet has a global reach and therefore legislatures across the planet can pass laws that impact the entire internet because, again, everything is global. Back in the day when we had an economy that ran around widgets, things and supply chains were more regionalized. But today the internet is global. So one of the main reasons why things have gotten so complicated as of late is you have in the United States, the 50 states are beginning to realize, “Well, there’s no action happening on the federal level. We’re going to start passing our own laws that regulate data privacy.”

Jason Sarfati:

And elsewhere you have European Union, but also Brazil, South Africa, the ANZAC countries are also stepping up to the plate and saying to themselves, “We have lost sovereignty over our internet, and most of the big tech companies exist in the United States where they are not regulated, or in the alternative they are in China where they are absolutely not regulated or a byproduct of a government arm. We need to pass our own laws to protect our citizens to preserve the sanctity of our business environment.” So that’s why it’s so complicated.

Tim Crawford:

Got you.

Jason Sarfati:

Then you add on top of that, all those data breaches and it’s in the public eye. But I’m sure we’ll talk about that more.

Tim Crawford:

Yeah. And I’d love to touch on that. It seems like most of these efforts, at least of late, are focused around privacy law. Is that what you’re seeing? And again, coming back to that executive perspective, how do I start to think about that and what should I be focused on?

Jason Sarfati:

Again, what I tell my executives and the other executives I encounter is you really do want to focus more on the legal obligation, that’s the ground floor requirements for these laws. You want to stay away from the prying arms of regulators. But that is not enough. That is frankly the bare minimum, but for many companies, the bare minimum is all that they can do. So for those companies that have the budget and the bandwidth to have a little bit more of a forward looking approach to it, I do agree that privacy ought to be incorporated as a branding issue. We develop all of our products and the entire way our business model operates around the concept that people’s information is going to be both secure and also there’s going to be some thought into how we handle this information ahead of time, before we start collecting it. That makes people feel more secure and comfortable with doing business.

Jason Sarfati:

So I say to any executive that’s wondering, “Well, where does privacy fit into this equation?” It’s a revenue thing, but it absolutely also is an expense problem too. So you have to figure out where to draw your attention.

Tim Crawford:

And you talk about the impact to brand. Can you help me understand what you mean by that?

Jason Sarfati:

Well, so I don’t want to call out any specific companies that have been in the news lately.

Tim Crawford:

Sure.

Jason Sarfati:

I think the audience knows who they are, but I would turn the question to a CEO, “Do you want your company to be in the news tomorrow for a data breach?” Certainly not. That’s the type of branding problem that will last for several years, in some cases, I think, forever. There’s some companies that might not be able to escape that shadow. And that’s a data security problem. As it relates to privacy, there are other companies that might not have a firm grasp on how the personal information they collect from the customers is being used. I think a huge problem right now is loyalty programs. There’s very little management around someone bought a product three months ago. Now they’re getting advertisements, or personalized coupons for that kind of thing, and they’re getting offered promotions, and that might distaste them.

Jason Sarfati:

I bought a shirt, I’ll tell you, from a company that I rarely shop at a couple of months ago and I still keep getting these advertisements from them. And I actually bought it as a gift, I hate this company. We’re never wearing their clothing. But I keep getting their coupons. So I asked myself, “Okay, well, as a customer, as a consumer, does this bother me? Does this make me less likely to go back into that store with my credit card and swipe and buy something?” And I think the answer is, “Yes,” for a lot of people out there.

Tim Crawford:

But do you think that consumers are picking products based on privacy, or do you think it’s something else? From a company standpoint, what are the minimum requirements? What should I be looking at and thinking about in that continuum of first thing, second thing, third thing, and then where the customer fits in?

Jason Sarfati:

So certainly if you can figure out why consumers buy products, you would be a trillionaire. If you could figure out exactly what will motivate someone to purchase a product. I’m not here to tell your audience that privacy is number one. I think quality and price will probably always be one and two. But we are in a digital economy these days. And I do believe that, especially with certain transactions, privacy and security are going to be something that people put a premium on. So I’m thinking things like mortgage, or re-insurance, or any type of financial transaction, anything touching children, or individuals’ loved ones. You’re going to see privacy and security rise to the top of the decision factors that people have. For basic things like retail, it might matter a little less, but at the end of the day, people do care about how their information is being used still. And as the pendulum goes, I do believe that privacy will continue to appreciate in importance over time.

Tim Crawford:

Sure. And to some degree if you use an example, your shirt example, you had purchased a product, you might’ve purchased it as a gift for someone, thought it was a great idea, regardless of whether you were interested in buying it or not, but because of how the data was used now you definitely are not interested in engaging with that company.

Jason Sarfati:

That’s true. I don’t like the clothing, but now I’m definitely not walking in there. And I have a lot of friends who sometimes approach me, they know what I do and they say, “Oh, you won’t believe this. I keep getting emails from this one company.” And I know we do exist in a world where we get all these pop-ups, and notices and our internet experience hasn’t in a way degraded. But at the end of the day, people still understand that a company is collecting information about them. And they have a feeling when something’s wrong or something bothers them. So they might not actually be able to articulate it, but they will go to your competitor even subconsciously I think, if the competitor is not as aggressive with collecting more personal information than is necessary.

Tim Crawford:

Yeah. There’s one term that tends to be a trigger for folks in this space and that is data ethics. And I know you have a strong opinion in this space. What’s your perspective on data ethics?

Jason Sarfati:

Yeah. So the term data ethics is absolutely in vogue these days. The basic idea is companies are not going to do simply what’s required of them by the law, they’re going to do what’s ethical, what ought to be done in a certain situation. The problem there, of course, is when you’re trying to dictate, especially at the executive level, how personal information ought to be handled, the monetary considerations of how information can be, again, monetized is almost always going to trump. So I have been at the conference table at many organizations in my career where I’ve seen this conversation play out, and someone might say, “Well, it’s a little unethical for us to take information from subsidiary X and then provide it to subsidiary Y, and try to monetize customers who do business through subsidiary X and move it over to subsidiary Y to increase sales on the Y side.”

Jason Sarfati:

And the CEO, or CMO, or maybe a head of a business line will say, “Well, no, this is the parent company, and we absolutely are entitled to bring that information over.” And someone who’s saying, “Yeah, well, that’s not ethical. They don’t care about the new company. They might not even know that the new company has any relationship to the old company.” And I just never see data ethics really getting implemented in a way that is concrete, and that CEOs can actually understand what the action item is following that conversation.

Tim Crawford:

When you’re talking about ethics or data ethics specifically, Jason, you’re talking about it as potentially a higher level or higher degree of privacy beyond just what the law requires, or are you talking about it in a different way?

Jason Sarfati:

And that’s the problem, is it really even defined? So I explored multiple definitions there. I think one definition certainly for it is a company wants to do more than what the legal requirement is, but the problem then is where do you go? It’s like, they’re out to sea and they have zero point of reference. And what’s equally problematic is that there really aren’t any industry standards, maybe with the exception of, I’ll go with financial services and education and healthcare, which tend to have more robust privacy regimes. But for retail, or B2B, B2G models, there really is nothing out there that says, “This is the ethical thing to do.”

Jason Sarfati:

I go to conferences a lot, looking forward to once COVID ends to actually start going to them in-person. And this topic comes up, they try to develop industry standards or norms, and they just simply don’t exist. And you see that if anyone is in the legal industry and they’re dialing in, they’re going to tell you that in contracting this is a huge problem because there’s no concrete idea of what’s normal and what’s not. So when you try to get into a [inaudible 00:12:42].

Tim Crawford:

You know this from law school, there’s a reason why they call it practicing law. Right? There’s an interpretation that comes with it. If I think of what you’re talking about, it sounds like there’s an expectation that there might be some framework or some prescriptive method in which to handle privacy, which there isn’t. But how do I wrap my arms around this then? I can’t just throw up my arms and say, “Okay, well, we can’t define it, so we can’t do it.” What are some guidelines that you would offer to folks that are maybe trying to understand the legal ramifications and requirements, but also this ethical, or potentially ethical aspect?

Jason Sarfati:

I think there’s two guardrails, on the left is risk, and on the right is opportunity. So you absolutely, I think always need to be looking to your left and keeping a very close eye on the compliance obligations that stem from these laws, and by the way, those obligations change almost month to month these days. So that absolutely needs to be where most of your budget, most of your workforce, and most of your attention is directed to. On the other side of the coin though, there is a lot of opportunity around it. So I’m not going to mention specific companies that have branded themselves around privacy. I’m sure your audience can pick a couple off the top of their heads. But depending upon the business model, it absolutely is something that you would want to communicate to either, one, your consumers, number two, if you’re in the B2B space, tell your sales associates, “Hey, we put a premium on privacy. Yes, our product is better than the other competitor. Yes, our prices are competitive, but we will also protect privacy.”

Jason Sarfati:

I guarantee you that will help some of your sales cycles move along, even in the contracting phase. That’s been my personal experience at multiple companies. So it’s absolutely a tool that can be used to increase revenue and increase loyalty of your customers, because they’ll feel comfortable doing business with your company.

Tim Crawford:

When I think about who does this within a company, is that a single role, like a chief privacy officer and maybe an organization that they have? Is it your risk, or audit, or existing legal teams, or is it a culture that you have to build within the DNA that is your company and how you engage with customers?

Jason Sarfati:

At the risk of sounding cute, I would say yes to all three of those options.

Tim Crawford:

A little bit of each.

Jason Sarfati:

Yeah, yeah. A little bit of each. So it depends on the-

Tim Crawford:

I didn’t give you the option of all of the above.

Jason Sarfati:

Right. And I also understand, I know we’re joking, but it’s true that budgets are constrained today, especially at the corporate level. So if it makes sense depending upon the business model to have a chief privacy officer, I absolutely think it’s something that every company that can afford one ought to have, centralize a lot of these decisions. But depending, again, on the business model, there ought to be what I’ll call a privacy ambassador, or a privacy need within each core function. So marketing departments need to have one person in there that is responsible for data privacy. It could be the CMO or maybe someone else, the HR department for all internal data privacy issues, especially as we go back to the workplace with all of these overhangs from COVID residing over us. There needs to be someone in HR responsible for privacy, and in the business lines and sales, all of that. There needs to be someone in there that is the standard there. If they have a CTO behind them at the top level, even better.

Tim Crawford:

I think the pushback that I could see from that is, “Great. Well, as an executive, I’m the CEO of the company. Now I need a chief privacy officer and I need that expertise in every one of the departments.” Well, I just heard the same thing about cybersecurity. Well, I just heard the same thing about the last thing before that, and the thing before that, and eventually you start to feel like, “Well, wait a second here, we’re becoming incredibly top heavy from an administrative standpoint and aren’t able to truly focus on our customer and our product.” You start to lose that efficiency aspect and start worrying about bureaucracy coming into play. Does that weigh with some of the conversations you’ve had?

Jason Sarfati:

It does, but there are some solutions to it. So to anyone who’s losing sleep over this, for starters, employee training, and there are different grades of privacy training that’s appropriate depending upon a person’s function and role. But I would say that people are smart. They will catch on, and understand these concepts. And I think that some investment needs to be made into the preexisting resources to also wear a privacy hat at the same time. And as to the issue of whether or not they should have a chief privacy officer at the top of it, well, listen, if you’re doing more than 500 million a year in revenue, I’m just going to throw that number out there, you need to have a chief privacy officer, because you are by definition collecting so much personal information that it’s not plausible for there not to be a full-time role associated to that effort. So you just start there. And your legal can also hold onto a lot of the responsibilities as well. But again, training and decentralizing a lot of the responsibilities, I think is critically important too.

Tim Crawford:

Let’s maybe shift gears a little bit and move from talking about what happens inside the organization to what happens outside of the organization. And I want to get your take on legislation and privacy law. You mentioned GDPR, there’s also the California privacy law that’s in place, there are a number of them. Again, how do I start to tease apart these pieces in terms of federal versus state, and where do we go from here?

Jason Sarfati:

I think the first thing to focus on is, and there’s a cool term called data mapping, which I’m not the biggest fan of, but focus first on where does the personal information that flows through your organization come from? So if you are an American company, you already know that you’re going to have to comply with the CCPA. It’s an eighth of the country demographically. So look at all the rights and responsibilities that come out of that law and make sure your company is complying with them because there is absolutely going to be a robust enforcement regime that comes out of California for the CCPA. Still maturing, but it’s getting there and it will absolutely be there but I think by the end of the year.

Jason Sarfati:

And then abroad, yeah, there’s of course, the conflict that we might have between European privacy laws, American state laws, and even the potential US federal privacy law, which I know we’ll get to. And you’re going to have to create this, what I call it, privacy Jambalaya, throw in all the responsibilities that you have and try to create something from that. So an internal privacy program that can address each of these issues simultaneously. It’s a pain and it’s a very arduous task, but you have to do it.

Tim Crawford:

So if we just look at the US for just a minute, not trying to boil the ocean of the globe, which is complicated in its own right. But if we just look at the US as one example of this, we’ve got CCPA, the California privacy law that’s on the books. Does it become the gold standard that then other states adopt or potentially the federal government adopts, or is it potentially too centered around the state’s requirements specifically?

Jason Sarfati:

So a year ago I might’ve told you that the CCPA was the gold standard because it was the only comprehensive privacy law on the books in the United States. There’s some sectorial laws like HIPAA and the GLBA that affect certain industries, COPPA for children, but there wasn’t a comprehensive privacy law with the exception of the CCPA. What we’re seeing this year, though, Washington state has a privacy law that we’ll know if it passes or fails by April 25th. Virginia just passed its own privacy law that in many ways is actually stricter than California, especially as it relates to geolocation data. That’s something that impacts my company. There’s this patchwork of privacy laws that’s developing.

Jason Sarfati:

And the answer is no, I don’t think any particular state privacy law is going to be the gold standard. So one of the big questions for Congress is this issue of preemption. Is the federal privacy law going to supersede all of these 50 state laws, or is it going to supplement them? Is it going to be like the gravy on top, to sort of use my company’s metaphor. Right? So I personally strongly advocate for a federal privacy law that preempts all the state laws. By the way, that’s why the GDPR came out because the 28 member states in Europe had different rules and they needed to create what I’ll use the term, a federal standard on that continent. We should learn from them and apply a federal standard here in this country.

Tim Crawford:

But do you think that, let me play devil’s advocate on that for a minute. Let’s say the federal government can’t get behind it and states start building their own privacy laws individually, and maybe let me kind of wax philosophical a little bit here and just say, “Let’s say that there’s some collaboration that happens between states.” Is that necessarily problematic? And the reason why I’m bringing this up is because quite often you have enterprises that are working across states. So they have to navigate, “Okay, I’ve got employees and customers in each of these states. And how do they differ? How do the requirements differ from state to state?” Is there a problem with states creating their own laws?

Jason Sarfati:

Interesting how you define the word problem. It’s certainly inefficient-

Tim Crawford:

Fair enough.

Jason Sarfati:

… because, again, the internet is global. But okay, fine. The internet is national and it doesn’t make sense when we have an entity by way of Congress that is literally designed to regulate interstate commerce. That’s part of its main mission. For the 50 states to be kind of stealing their lunch, so to speak and doing that work for them. So right now we only have two comprehensive privacy laws that have passed, Virginia and California. I think by Christmas this year we could have five or six.

Tim Crawford:

Oh, wow [crosstalk 00:23:11].

Jason Sarfati:

… we reach Florida, Washington state, and New York, Oklahoma, Colorado. I’m not just pulling those names out of my pocket. Those are actual states that have privacy bills that are moving through their legislatures that have strong support both from the legislators and the public. So at a certain point, federal Congress needs to step in. We cannot have this patchwork system. And it’ll be cost prohibitive.

Tim Crawford:

So there’s an inefficiency piece. And then there’s from the customer standpoint or the enterprise standpoint that just gets to just out of bounds in terms of trying to manage, especially if they conflict with one another, aspects that conflict with one another. You can do this in California, but not Washington. You can do this in New York, but not Texas. I can see how that’s going to be really problematic. Do you see something coming down the pike from the federal government that might supersede or provide some relief, for lack of a better word?

Jason Sarfati:

There definitely are some federal privacy bills that have been introduced in Congress. Of particular note, there’s a Congresswoman from Washington State, DelBene. I hope I’m pronouncing her last name correctly. She introduced a bill that I personally read through that. I thought to myself, “This hits all the high points. And I believe it preempts the state laws and also gets rid of a big issue, which is the private right of action.” So some of these state privacy laws are including the right of individuals to sue in court, even under a class action setting, which would be very problematic. You could see the internet going the way of asbestos litigation and big tobacco of yesteryear. So privacy bills like that do exist at the federal level. The problem is, right now there just isn’t the willingness on the part of Congress to pass a law.

Jason Sarfati:

And it’s long overdue. My personal opinion on it is a failure that is commensurate with the inability to pass gun reform in this law, immigration, what have you. But for some reason we’ve talked about this, Tim. It didn’t get much play in the last presidential election. I don’t know why. It touches every piece of the daily experience. Our phones dictate to us how we spend our money, how we meet people, how we fall in love, all these other things. And for some reason it’s not getting regulated. So there’s increasing demand by companies to have regulation at the federal level. We see that now in the hearings. CEOs are actually calling for it. I’ll call out one company. Facebook is actually publishing TV advertisements calling for federal or what they’re calling internet law. But that’s the privacy law. And I think hopefully we’ll get more traction with time.

Tim Crawford:

We’ll see how this goes. I, for one, I’m not going to hold my breath just because the wheels move so slowly for things like that. So as we wrap on the episode, I want to get your take. Your two top pieces of advice for executives that are looking to navigate this space. As we’ve talked about this privacy space is complicated and going to get more complicated. And we’ve talked about the different guardrails you could consider to put in place. But what are your two top takeaways that you would offer to executives that are looking and thinking about privacy in their org?

Jason Sarfati:

So for starters, this is since we’re talking to the executives, unfortunately you do need to throw money at this problem. So allocate some budget to it, whether it’s outside legal counsel, outside consultants, or hiring internal resources. If you are hearing individuals in your organization say, “Hey, we need to make hires,” “Hey, we need to buy software, restructure some things.” Please listen to those folks. They are right and allocate some budget to the problem. Number two, I will say that I watch the news as much as anyone else. And I’ve noticed like two trends especially watching CNBC for example, climate change in the last year has become a corporate responsibility.

Jason Sarfati:

I’ve noticed that individuals have been able to convince corporate America that it is their responsibility to solve the issue of climate change. I’ve also noticed that a lot of the social justice movements have also been adopted by corporate America as well. And I’m sure your executives have differing levels, but at least a baseline experience with those two movements. Privacy is also included in that bucket. It’s not necessarily a social issue. It’s more of an economic meets social meets personal issue. But it is absolutely a problem that’s going to need to also be resolved by our corporations. It’s not going to be solved at the ballot box exclusively. It’s not going to be solved on an interpersonal level. It is something that corporate America must resolve on its own.

Tim Crawford:

Great pieces of advice there. Jason, thank you so much for taking part in the episode today.

Jason Sarfati:

Absolutely. It’s been a pleasure.

Tim Crawford:

For more information on the CXO In The Know podcast, visit us online at cxointheknow.com. You can also find us on Apple podcasts or wherever you listen to your podcasts. Please subscribe and thank you for listening.
