The SXSW workshop Privacy by Design and by Directive tested audience members’ knowledge of the California Consumer Privacy Act, or CCPA, and the General Data Protection Regulation, or GDPR. Both measures are designed to protect people’s personal data that is collected by businesses.

The panel aimed to show attendees how, as business owners, they can build required safeguards for the personal information they process, including IP addresses and device IDs.   

“You want people to have consent (with how personal data is used) but it shouldn’t be assumed,” panelist Shoshana Rosenberg said. “The user shouldn’t have to do anything extra to ensure they’re protected.”

The panelists included Rosenberg, a privacy officer focused on privacy law and assistant general counsel to WSP Global; Jessica Katz, Whole Foods’ data security and privacy counsel; and Lexi Fearon, a data project manager for mobile ad platform startup Kargo.

Data privacy, the panelists said, must:

  • be user-centric;
  • be proactive, anticipating privacy issues before any code for a website or app is written;
  • be the default setting—a user shouldn’t have to take actions to secure their privacy;
  • be embedded into the design of the website or app as a core function and not as an add-on;
  • offer end-to-end lifecycle protection; and
  • have standards that are visible, transparent, open, documented, and independently verifiable.

The CCPA is intended to give California residents the right to know what personal information is being collected from them and if and how it’s being used. It is also meant to give them the right to opt out of having their information collected or sold. The act has extraterritorial reach, applying to for-profit businesses or organizations that provide goods to or monitor the behavior of people in California.

The GDPR also aims to give individuals control over how their personal data is used. It applies to individuals within the EU and the European Economic Area, which includes the EU plus Iceland, Liechtenstein, and Norway. Under the regulation, data controllers must use collection processes that safeguard personal information by default and make data available publicly only with explicit consent. The GDPR requires businesses to provide individuals the option to opt in (and to opt out), whereas the CCPA doesn’t.

The panelists gave advise on forming consent and opt-in/out policies for businesses: keep language concise and clear; keep the option to exercise user choice down to one click; use common anchoring techniques for including information; and use a visual, clear, and summarized menu of services provided by data collected, as well as opt-out options.

“Transparency,” Rosenberg said. “should be granular so you can understand what (businesses) are doing.”