S3 E9: The Top Privacy Priorities of 2025
Transcript
Jordan Eisner: Welcome back to another episode of Compliance Pointers and another episode with the Privacy Prophet himself, Matthew Edward Dumiak. Matt, for short. How are you?
Matt Dumiak: Doing well, Jordan. How are you? Good to see you.
Jordan Eisner: Pretty good. This is your first week in, what, a month that you’re not in Texas, but you’re in your hometown of Atlanta, Georgia.
Matt Dumiak: That’s right. It’s good to be back. I did start off February three weeks in a row in the great state of Texas. So a couple different cities, though. So it was nice. Good to see you around.
Jordan Eisner: Right. And I would imagine after being on the road for three straight weeks, everything’s a little bigger, just kind of like Texas.
Matt Dumiak: Yeah. My calendar is certainly a little bit bigger, as is the inbox.
Jordan Eisner: Oh, okay. I just meant, you know, dietarily.
Matt Dumiak: Oh, yeah. Plenty. Enjoyed plenty of barbecue. Absolutely. You were there for one of them. So yeah, there’s some great food there. And as you know, when you’re on the road, you’ve really got to be disciplined. And, you know, make sure that you don’t let things get out of hand. I tried to be. I spoiled myself, indulged occasionally. But as I’ve gotten older, I’ve realized how important it is to maybe, you know, have a balance with your going out to eat and what you get.
Jordan Eisner: Yeah. Easier said than done.
Matt Dumiak: I do seem to recall enjoying some banana pudding with you. So maybe I wasn’t that good.
Jordan Eisner: Yeah, I’ve been on the road a lot too. And then what you usually have to do is you have to double down and be that much healthier when you’re home, because it’s a little more difficult on the road. So Thursday, when I was back in office last week, I opted for the small blizzard at Dairy Queen instead of the medium or the large.
Matt Dumiak: Yeah, I wish I could say the same. I opted with the medium, but it was a great choice.
Jordan Eisner: Okay, for those of you who don’t know Matt or don’t recognize him by seeing his face, he is known as the Privacy Prophet, but he is also a 15-year vet at CompliancePoint, lead guru for all things data privacy and marketing compliance here at CompliancePoint, the organization that sponsors this podcast, Compliance Pointers.
And today, he’s going to be giving us, well, I kind of looked at this podcast and we talked about some of the topics and questions. Matt, I look at this as if you were just implanted in an organization right now that feels like they’ve probably been doing pretty well from a data privacy standpoint, in terms of maturity of their operations, security, even other things, maybe a mid-market company or even small that’s been moving along and trying to do what they can. And you were implanted today and they said, hey, you’re an expert on this, what are the top five things we should be concerned with, or what should we make sure we’re doing right now to really lock the doors, clasp the windows shut, and ensure that we’re doing some of the perhaps maybe not higher risk, but common areas that organizations are maybe getting themselves in a little hot water on. Does that sound good?
Matt Dumiak: Yeah, that sounds good.
Jordan Eisner: So what should be top priority for organizations in 2025 from both the compliance, regulatory compliance standpoint, but also operations. As a lot of organizations have learned, it’s not just about putting policies and processes and technology in place to comply with these regulations that have been placed for several years now and continue to spring up and be put in place, but also building a privacy program and a systematic approach and how that requires ongoing maintenance and management and personnel and technology and yada, yada, yada.
Matt Dumiak: Yada, yada, yada. All the talking points. Exactly right. Yeah, yeah, absolutely. So I think the first one we were preparing, the first thing on our list, it’s data protection impact assessments.
Jordan Eisner: Oh, are you stealing some of my thunder now? I’ll just answer some of the questions. Go ahead. Go ahead.
Matt Dumiak: I like that. Yeah, actually, let’s reverse this. So Jordan, could you tell us about your experience in conducting data protection impact assessments for organizations, why it’s important, why it’s going to be on the regulators radar this year, and what organizations need to do about that?
Jordan Eisner: So a data privacy impact assessment, also known as a DPIA, is an assessment of the impact on your data privacy program that some sort of issue could present: adding a vendor, adding technology, implementing something new in the organization, introducing something new in the organization. What are the implications that could have on your data privacy program, posture, maturity, compliance, risk, and so on? And depending on the type of company you are, you’ve got to do these pretty frequently, but that’s about it. You should probably answer the question.
Matt Dumiak: Yeah, no, you got about half of it, right? So absolutely, an organization should do a DPIA to understand how certain processing activities will impact the data privacy program. That’s important. That’s something you should continue to, or businesses should include in a DPIA.
The main point of doing a DPIA though, and why it’s going to be required by the regulations is that for organizations to understand the impact or risks to the consumer’s data privacy from that initiative. So the states have a lot of different requirements around DPIAs in terms of when they should be conducted. Sometimes I see that businesses are overdoing that, where they do any type of change in a system, technology, new types of personal information collected, they’re going to do a DPIA no matter what.
Hard to argue against that unless resources are really constrained, and that is certainly a pain point for a lot of businesses. On the other end though, and what I see more commonly is that organizations, businesses are not doing DPIAs often enough. And that is because they’re unaware of the requirements. They don’t have the resources and these DPIAs, as we’ll talk about a little bit, they can be somewhat cumbersome to conduct. They can take a while. It’s really a cross-functional exercise in terms of at least the information that you need across the organization. You have to talk to a lot of different folks. It could be the marketing team, it could be the website team, it could be the development team, sales even, whoever might be involved in that processing activity, we would want to talk to to do that.
Why I’ve listed it as one of the top priorities is because I believe that it’s going to become more of a priority for regulators. As these laws go into effect, the majority of the states have an obligation for businesses to do a DPIA in certain circumstances, and many times they can be made or they must be made available upon request. And so I think of it as likely as we see the enforcement regime grow, as we see that the states are more comfortable with presenting or pushing out inquiries to companies and businesses about what they’re doing and how they’re complying with their privacy law. If they have a question about a specific processing activity or they’re getting some complaints from consumers, I believe they’re going to request the DPIA first and foremost and say, why don’t you show us your DPIA for this process? We’ve gotten some complaints. What does that look like?
Jordan Eisner: Why do you believe that? What gives you that hunch?
Matt Dumiak: So it’s a good question. Because it can be made available upon request, and it’s going to break down, it’s going to give the regulator a great idea of a couple of things. Have they operationalized privacy throughout their program? What is the processing activity that’s generating these complaints? Because I want to see that in terms of why. And so that should all be outlined within the DPIA.
And there are a few things that regulators can look at from a privacy program perspective. We’ve talked about it on some other podcasts, like privacy policy and some cookie governance, that you can check out online, but this is one of those things that organizations are required to conduct in certain circumstances and that has to be made available upon request. So it’s something that I think the AG sees as a low hurdle. The state AGs, I should say, see that as a low hurdle to go, okay, they’re supposed to be doing these and they need to make it available upon request. Let’s see them. And it doesn’t have to go even as formal as a full-blown investigation or some type of civil investigative demand with a formal launching of that. I think it can be a simple inquiry to the company to see the DPIA amongst a couple of other things.
Jordan Eisner: That’s a good one. Yeah. And I think you also talked previously about AdTech governance.
Matt Dumiak: Yeah, that’s a pretty straightforward and easy one to talk about with data privacy because, okay, it’s a priority for the states. Every state privacy law has the requirement to allow the consumers to opt out of targeted advertising. There have been bulletins from state AGs about the importance of cookie governance.
The new one, we talked about it, I think on the last podcast or maybe the podcast before that, right out of New York, but it continues to be a priority in California. There continue to be investigative sweeps, if you will, for lack of a better term, regarding that type of thing.
And then when we talk about just AdTech governance in general, and we’ve talked about this a little bit too, but the trap and trace lawsuits out there regarding the wiretapping, also seen as wiretapping under the California Invasion of Privacy Act, it’s really clear that professional plaintiffs, or plaintiff attorneys, have identified an area of weakness for organizations. Either they could go the wiretapping route, which is one way to go about it. But as we’ve seen in the news, there are also lawsuits or cases where perhaps a business was presenting an option to consumers to opt out of certain types of cookies and trackers. The consumer selected that option and it didn’t work. And so basically that’s going to go back to falling under an unfair or deceptive trade practice.
And so that’s kind of a broad, sweeping enforcement mechanism, if you will, for many states, for every state to look under, but the plaintiff attorneys have also identified that. So, you know, I think that’s why we call that out: businesses really don’t want to be an easy target for that. It’s pretty easy to check.
Jordan Eisner: Trapped and traced, that is?
Matt Dumiak: The trap and trace. Yep. The wiretapping wire.
Jordan Eisner: Sounds like a Metallica song from the mid-80s. Well, I think I’m Trapped Under Ice from the album Ride the Lightning.
Matt Dumiak: Okay. I don’t know that one.
Jordan Eisner: Oh, I’ll send it to you.
Matt Dumiak: Please do. So I checked out the song you sent me on Friday. Agreed.
Jordan Eisner: Yeah. It’s off my angry playlist.
Matt Dumiak: Oh, okay. Yeah. All right. Got it. And so, you know, I think if we were talking about top priorities, that’s a no-brainer just because of the risk around it and that it’s easy to check on. Right. So it’s got to be up there. It’s almost up there in the privacy space with AI. It’s just like everybody’s talking about it. But we continue to talk about it because it continues to be an area of risk. Businesses really need to make sure they do that.
Jordan Eisner: Because one thing I remember about that was that New York did not actually have a privacy law. But here they were commenting on or advising on how, you know, businesses need to do that from an AdTech governance standpoint. But now it does look like they’re putting a privacy law in place, but specifically for health information.
Which brings me to our next point. Are we going to be seeing more of this? Right. For protected health information, PHI. Any states focused on anything around that other than New York?
Matt Dumiak: Yeah. That’s area number three. States are focused. It’s not as many as the comprehensive state privacy laws just yet. But four states are looking at these types of laws that will go and govern how organizations or businesses are processing health information.
It’s a little bit unique in that obviously we have HIPAA at the federal level, at the national level. These state laws take a little bit of a different approach in that they broaden that definition of what health information is. And they have additional obligations for organizations in terms of collecting consent, the types of notices, opt-outs, even disclosures around the types of third parties that this information is shared with. And again, I think the broadened definition, though, is what’s critical. And as you’re aware, we have a healthcare practice. I’m not on the healthcare team. I know enough to be dangerous about HIPAA, but there are some components, there are some interesting nuances with these state laws that have made these definitions of health information so broad, including, when you look at it, potentially information that’s collected via a wearable device could be considered that. Or if an organization was traditionally not seen as being covered by HIPAA because they collect adverse reaction information about their product or something like that, these laws come in and really broaden how that’s defined. And not only that, but there are obviously fines under these laws. And I think that it’s an area of focus. They’re passing these laws for a reason at the state level. And we’ll see where that goes.
But to kind of talk through a little bit of it, there’s New York, which hasn’t passed yet, but it looks promising. But there’s My Health My Data in Washington. There’s a law in Nevada that looks promising as well, almost in Las Vegas. So no, that state is actually Nevada. I don’t know if many people knew that.
Jordan Eisner: What’s the capital?
Matt Dumiak: Reno. What is it?
Jordan Eisner: Carson City. Keep going.
Matt Dumiak: Carson City. Okay. I think I did not know that. So unfortunately, I have to admit that on the podcast.
Jordan Eisner: Washington, Nevada, New York. What’s the other?
Matt Dumiak: Connecticut has expanded their privacy law to further define sensitive categories of information. So they’re taking, they’re amending their privacy law, but the other states, they outright created their own law to govern this data.
Jordan Eisner: Always try and find a theme, but one’s not coming to me with those four.
Matt Dumiak: I think all four might have a capital city of Carson City.
So I think that it is certainly something that the state legislators are looking at, and they’re new. So we’ll see if it’s enforced or not. But I do think a business needs to understand the impact of these laws. Exactly.
Jordan Eisner: And who enforces them? Is it the states? And what does the OCR think about that? Because HIPAA, how long is it going to take on some of this stuff? Because I’m just one person and I haven’t looked into it very closely, but a lot of the HIPAA violations or allegations, they take a long time to prosecute. Long time. Years and years and years. And we’ve talked about protecting data, infosec personnel, and even data privacy personnel. Just the state of things today. People aren’t staying in jobs as long as sometimes these cases take. Not that that necessarily has a direct impact on it. They still bring the people back or interview them elsewhere as you’ve seen.
Matt Dumiak: As we’ve seen. Yeah, that’s right. They do call them back. Yeah. Just because you’re off the payroll doesn’t mean you’re off the hook.
Jordan Eisner: Can’t escape that. No. They’re going to find you. What else needs to be a priority?
Matt Dumiak: The other item we talked about in preparation was children’s personal information. So realizing that, you know, it’s a little bit unique now, the timing here. So the Children’s Online Privacy Protection Act, there are some finalized rules that update the requirements under that. Also, even under the state privacy laws, they have some obligations and some amendments around collecting information of minors.
It’s going to be consent forward, right? A lot of these requirements are going to rely upon verifiable parental consent and really putting the onus on businesses to ensure that they’re taking the necessary steps to actually get consent from a parent and not just say, oh, I had an unchecked box. Well, what kid isn’t going to just check that and go, yeah, allowing my child to visit this website or for you to collect my information or whatever it might be. Right. So there are some obligations.
And so that’s where I say this is a little bit unique timing, because the changes to the Children’s Online Privacy Protection Act, that was finalized. The Trump executive order, however, in terms of the FTC and the requirement that that agency seek approval from the White House for rules and regulations and initiatives or priorities that they’re going to pursue, slows that down a little bit. So that rule was finalized, but it wasn’t published in the register, which means that it’s now subject to going through the White House and then getting published. Not finalized, but published. So basically, the White House needs to approve it to move forward.
The commission, that’s two and two right now, two Republicans, two Democrats. Well, you know, that will eventually be three Republicans and two Democrats, likely. We’ll see where that goes. That rule, when it was finalized, the individual who’s the head of the FTC at the moment, Ferguson, he voted in favor of the finalized rules with some commentary regarding, or some concerns about, some of those requirements. It’s kind of up in the air right now. We’ll see where that goes. And so it may be that the states are really the ones who are pursuing, through either existing privacy laws or through amendments, the protection of children’s data, which, you know, I mean, you and I have had several conversations about in terms of social media and how detrimental that can be to both adults and kids. So we’ve talked about that at work. And I think that the states see that too. And so they’re really looking at that.
There was already a prohibition on targeted advertising without consent, but they’re going to put some controls in. I think they’re going to really look at, and I mean, COPPA did, but then the states too are going to put some obligations on organizations in terms of targeted advertising to people under the age of 16 and what that looks like, including maybe even a consent obligation, which is not the requirement today for targeted advertising, period, in the U.S. That’s more of an EU approach.
So now when we think it through, if an organization believes that they’re collecting and targeting individuals who are under the age of 16, how are you going to get that consent is kind of a different story. Right. There are several tools out there in the marketplace that allow organizations to manage cookie consent, but we’ll just have to see where that goes.
Jordan Eisner: Okay. And you mentioned that Up in the Air. Great movie. George Clooney. I’m sure that’s what you meant.
Well, okay. As a wrap-up then, our final question, final topic, this has to be in there, or tell me if you think everybody’s just doing this pretty well and doesn’t need to worry about it. But what about website compliance, privacy notices, cookie opt-outs, the functionality, you know, you’re talking about trap and trace.
Matt Dumiak: I think businesses are starting to realize how challenging it is to ensure that your website remains compliant with data privacy laws. And here’s what I mean. I’ll give an illustrative use case. Working with a client through an assessment, they had previously implemented, not too long ago, a cookie preference center with website developers. On the surface it sounded like a firm implementation, correct? Appropriate rights. They followed their software development life cycle. They got the Google Tag Manager down, all of that.
Jordan Eisner: It’s like they won back to back Super Bowls. Then all of a sudden…
Matt Dumiak: And then all of a sudden, exactly right.
Jordan Eisner: They get their teeth kicked in.
Matt Dumiak: CompliancePoint privacy team comes in, does some simple tests and finds that the website is not honoring preferences, the script isn’t in the right place or actually they duplicated the script. And so there’s just a lot that can go wrong.
And you’re working with people who as of today, and I think this will evolve, as most things do, they don’t have privacy experience. So, you know, many times they’re working to implement something, they test it, it looks good. And then someone comes along and puts another script in there and breaks the website.
Jordan Eisner: They’re not thinking about sustainability, which goes back to the top of this call really: it’s not a set it and forget it. And people always write that and they go, no, no, no, no, no. You have to think about the long term and maintenance and management and roles and responsibilities and checkpoints, PIAs.
Awareness across the organization as to the implications of marketing or web development or somebody changing the website after a lot of these changes have been made and implemented. What that could mean and how could that expose your organization to potential risk? You know, how could you be trapped under the ice?
Matt Dumiak: Right. Trapped under the ice, and that brings it full circle. I love that. And that brings up a bonus topic too. And I realize we’re coming up against time here, but training that’s relevant and meaningful. It can’t just be the learning management system out-of-the-box training. That’s great, good for a check-the-box exercise, but for those who are involved in the privacy program and have privacy responsibilities, you have to make sure that training is tailored for them, or else you’re going to continue to fall into this trap of setting something up and then something slips through the cracks.
Jordan Eisner: And it is not a good feeling to be trapped under that ice.
Matt Dumiak: No, exactly right. Don’t be trapped under the privacy ice.
Jordan Eisner: We got pretty dark here today on this podcast. That’s okay, though. We’ve kept it pretty light recently. So we want organizations to heed the warnings.
So all right, Matt, good stuff. Thanks for coming on. And for those who are listening and watching that desperately want to talk to the Privacy Prophet, he’s available. He’s on LinkedIn. He can be accessed right through our website, through calling in, many different channels that you can use to reach out to CompliancePoint and set up a call and do a fact-finding, discovery-type session, talk about maybe some of your issues, what we’d recommend, and if we could be a good fit to help you.
So please don’t hesitate to reach out. That’s compliancepoint.com or email at connect@compliancepoint.com.
Reach out. Like I said, Matt and myself individually are both on LinkedIn. We’d love to chat. Till next time.