"I am not data."

These words are displayed on a piece of art hanging prominently in Paige Boshell's office. There, she said, because "I think of every person my decisions, or my advice, will impact."

Privacy counsel at multinational energy corporation Chevron, Boshell, CIPP/E, CIPP/US, CIPM, FIP, PLS, began her law career in 1992 as a financial services regulatory lawyer, drawn to the fact that there was "a right answer, a correct way to do things." Her work transitioned into privacy — including time as privacy counsel at financial services company USAA and associate general counsel, privacy at social media platform Meta — and Boshell said she came to love working in the field's "gray area" and is "energized" by the work "every day."

"It's not for the faint of heart. It's not for the young lawyer who wants to be certain, who wants to find the right answer. You have to be willing to play the long game in privacy because you have to look at all the different parts of the organization that impact individuals' privacy at the end," she said.

At Chevron, where she began in March 2023, Boshell leads privacy for the Americas and the Asia-Pacific region. Both areas are teeming with legislative privacy activity — from new laws in China, India and Vietnam, with more to come around the world, to California, Colorado, Connecticut and others, in the U.S. In navigating the hectic terrain, Boshell said privacy's fundamental principles are her "North Star" and she is tuning in with interest as different jurisdictions establish their own take on those core principles.

"Some parts of it are very technical, but what I love about it is practicing in the gray areas. You look at things, you assess them, and you can react emotionally or instinctively, or logically and technically, but if your thinking is informed by those core principles you can make some really great decisions," she said. "But on the other hand, it is true that so many different jurisdictions are coming up with highly technical and sometimes inconsistent requirements. What I like is it's a mix of judgment, understanding and appreciation of and respect for privacy and individuals.

"It really takes a lot of faith in your ability to understand and implement the principles, recognizing that there are technical variations proliferating throughout the country, throughout the world," she said. "But you have to have this north star and you have to assume the people you are working with are doing their best, and that if they are missing a piece of the puzzle that you explain it in a way that is accessible to them."

After the Gramm-Leach-Bliley Act was enacted in 1999 — a "sea change for banks" that happened while she was in financial services law at the firm Bradley Arant Boult Cummings in Birmingham, Alabama — Boshell said her "cradle to grave" background with banking clients made working with the act's consumer financial privacy protections "a natural fit."

"Banks always had a sense of protecting their customer confidentiality, so it wasn't that far of a stretch, but the concept of data inventory, the concept of disclosing practices, the concept of having specific requirements in vendor contracts was all new and different," she said. "I could work on the service provider issues, I could work on the consumer disclosure uses, I could work on privacy programming and privacy strategy and so it was a natural evolution. I really liked the privacy work and the principles behind it."

Boshell especially liked that federal regulators were looking at data and data practices as something the consumer has an interest in, should understand and should participate in. That concept, and the privacy practice, further exploded when the EU General Data Protection Regulation was adopted in 2016.

"It's certainly become a lot more complicated than when I started, but I think my vantage point from those very naïve first days has really helped inform my practice as a whole and the way I look at privacy strategy. You're not just trying to comply with the law that's in effect now, or in six months. If you have a larger practice, you have to keep in mind what other jurisdictions are doing, you have to keep in mind the trends toward greater regulation, you have to keep in mind the technological trends, the different ways of collecting data. You really have to look at the individual problem or issue, or the business goal or strategy, in the context of this larger privacy world and not just the privacy legal world."

Inspired by her father, who was a "brilliant litigator," Boshell said she always knew she wanted to be a lawyer and loved the sense of "a corporate practice as advocacy for the individual." Her career in privacy has been "wonderful," as she's watched the field grow into what it is now.

"I can anticipate where it's going for some issues, and I cannot anticipate where it's going for others. It really has been fascinating to see the development and to see the impact on individuals and the way individuals have used technology for good. I'm also in cybersecurity, so I see how a lot of that is used for bad, but I think at least on the privacy side, there's room for ideas," she said. "It's another reason I love this practice. How do we fit these ideals into a tech that we don't quite know the capabilities of yet. That's the scary thing about AI. That was the scary thing about biometrics. That was the scary thing about geolocation. How do you apply these core principles to a technology that is rapidly evolving and is enabling the rapid development of new data practices. I think that's where those of us who really have a passion for privacy can help advise our clients because we think that way, we dream that way, we breathe that way."

Privacy practitioners, Boshell said, are lifelong learners.

"The laws are evolving, the tech is evolving, the data practices are evolving — and will continue to do so for the foreseeable future," she said. "So you have to be someone who likes to practice in the gray, who likes to flex into different areas, who likes to have a true North Star but apply it in vastly different use cases."