What Happens in Vegas: My Experience at IAPP’s Privacy, Security and Risk Conference

By Sarah Rasmussen

I just experienced my first visit to Las Vegas (a business trip) not long after I started my dream job here at First San Francisco Partners (FSFP). I talked about my career pre-FSFP here on the blog, but one part I didn’t share is that I’ve successfully avoided Las Vegas business conferences many times in 20+ years. Too much cement. Too many people and bright lights. And not enough dogs, trees or water.

But there’s an area I’m passionate about — data privacy — that I needed to explore. And Vegas was the place to be at last month’s Privacy. Security. Risk. (PSR) conference.

I’m a Big Fan of IAPP

PSR is produced by the International Association of Privacy Professionals (IAPP). IAPP, founded in 2000, covers a specific practice area — similar to how the Project Management Institute or DAMA International function, but for privacy certification. Side note: I highly recommend you peruse IAPP’s news feed. You’ll find breaking privacy information and great webinars, too. But I’m here to tell you about PSR.

I’ve been to many tech and data conferences before, but I now realize I had much more to learn. In my career, I’ve seen how partnering with organizations’ Privacy, Risk and Security groups directly correlates to more robust and stable data governance and management functions in organizations. The PSR conference not only furthered this point, but it had a specific and commendable use case for people and data privacy.

Fun conference swag from IAPP’s September 24–25 Privacy. Security. Risk. 2019 conference in Las Vegas.

CCPA: An Acronym to Know

CCPA, a.k.a. the California Consumer Privacy Act, is a hot topic at PSR. Please tell me you’ve heard of it. If not, it’s time to read up, as CCPA will change how privacy is done, not only in California — but it promises to impact broader U.S. privacy regulation and worldwide policy, too.

CCPA is like Y2K on steroids. (I snuck in another acronym there. That’s Year 2000 for you Millennials). Y2K, as a matter of fact, is how I landed a job in IT in 1997. Companies had several years to plan, invest in, recruit, train and test how to address Y2K and what data was CCYY or YY.

CCPA is much bigger than Y2K, and there’s a huge amount of compliance complexity that companies, government and lawyers are feverishly working through. Because starting next January 1, California residents will have several new privacy rights based on information businesses collect on them — or that the companies pass along to sell to other firms. This means you have just three months to figure out what CCPA means to you, if your company has a “CA” in the consumer state code field.

CCPA’s Main Man Mactaggart

At PSR, there were eight tracks for conference attendees — including data intelligence, privacy, risk, Internet of Things and preventing “dark” data (hmm) — but I didn’t see any of those, because I attended for the CCPA track and, really, for CCPA education only.

CCPA wasn’t even highlighted on IAPP’s PSR conference home page, except for a mention of another CCPA conference in NYC next month. But I knew Alastair Mactaggart was a PSR keynote. Mactaggart, a wealthy real-estate investor from the Bay Area turned activist, used California’s ballot initiative and his own money to pump the brakes on companies gathering whatever data they want about CA residents, with little to no personal rights.

I was very interested to hear this CCPA superstar and better understand his intentions. I was pleasantly surprised to see how gentle and thoughtful Mactaggart was in his answers — and smart! By funding just $3.5M of the CCPA initiative, he made a huge impact on how multi-billion dollar companies treat their consumers’ data.

Everything CCPA Was SRO

When I arrived early at the first CCPA break-out session, I encountered a shockingly long line of people still getting their conference badges scanned, and I didn’t get in! I was part of a large group who was denied entry and was told even the standing room only (SRO) spots were filled. Disappointed, I wandered into another session, but then feared if I didn’t get in line early for the next CCPA session on deck, I would miss it, too.

My instinct paid off, and others were thinking the same thing. I waited in line for 45 minutes and, once the first session was over, about half the room emptied but the rest stayed. We were let in and I hunkered down in that room for the remainder of PSR. Needless to say, IAPP woefully underestimated the number of attendees who wanted to get a handle on CCPA. People I spoke with at the conference believed there were a lot more questions than answers coming out from PSR. I agreed the sessions were informative but not instructional. But I still got a comprehensive view of the struggles and some areas to lean into that will benefit my data privacy work here at FSFP.

PSR Takeaways, From Me to You

Here’s what stands out from my experience at the conference:

  • If you’re worried about CCPA, you’re definitely not alone. At PSR, I repeatedly heard the question, “How many of you believe your company is prepared for CCPA compliance?” Each time, only a few hands went up in the audience, and that seemed to surprise the presenters. (I think they were actually expecting no hands.)
  • Companies generally agree with the intent of the law. But most are struggling with the extent of CCPA’s impact, with the technology-related challenges they face and the fact privacy rights have never really been their focus.
  • About that “Do Not Sell My Personal Data” checkbox: It’s complicated. Data monetization, including selling data assets to other organizations who may benefit from that information, has been increasing with little to no privacy regulation in our country. What I learned at PSR is corporate legal counsels are recommending getting out of the data-selling business when it’s not the primary function or source of income for the company. If you sell data, complying with that portion of CCPA is much more difficult, and selling data exposes a company to a whole host of financial risk under CCPA.
  • CCPA is going to take a village. There’s no automated IT solution to easily scan, index and put in order how the data is being used, where it comes from and where it’s going.
  • Privacy protection is powering up. The California attorney general’s office has minimal resources, but county and city municipalities can also enforce CCPA. And there are private law practices already prepping to identify breaches so they can benefit from the high per record/per incident fee. Violation fines may cost up to $2,500 for each violation/individual and $7,500 for each intentional violation/individual, but there is no overall maximum fine for an organization, unlike GDPR, where the maximum is 4% of annual global turnover or €20 million, whichever is greater. If companies don’t comply, they could be devastated financially.

So how was my Vegas experience outside of PSR? I’ll share that I didn’t gamble once. I figured out that using Lyft instead of walking reduced my stress level and perspiration significantly. The food was fantastic, and the people were kind.

While I probably won’t revisit for at least another 20 years, the privacy perspectives I got from my Vegas experience are definitely not going to just stay in Vegas.
