There's a lot to like about the privacy profession for Greenberg Traurig Of Counsel Darren Abernethy, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP, PLS. Undoubtedly the leading point of enjoyment for Abernethy is the networking opportunities, whether it be connecting new practitioners or seasoned veterans. As Abernethy put it, "Privacy just seems to attract awesome people." He has learned as much as a member of the IAPP Publications Advisory Board, conference speaker and organizer of local IAPP events in San Francisco, California.
Darren-Abernethy.png
Darren Abernethy, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP, PLS

In this Volunteer Spotlight, Abernethy details his views and thinking on a range of current privacy happenings, including the third-party cookies dilemma, the California Privacy Rights Act and other developing U.S. legislative action.

The Privacy Advisor: There's a lot going on in the privacy space these days. Is there a particular focus you've had lately, and why has the subject had your attention? Also, is there an overlooked topic that deserves more attention?

Abernethy: At Greenberg Traurig, I spend a lot of time with clients on matters relating to privacy in digital advertising — across U.S., EU and global laws — as well as self-regulatory frameworks. I enjoy this area because of its technical nature, its regulatory and business-led constant evolution, and the fact that it touches so many people as the basis for the "free" internet as we know it. An exciting but sometimes overlooked topic is the role of advertising technology in gaming, in particular, the expansion into mobile gaming.

The Privacy Advisor: Questions remain as the use of third-party cookies winds down. Why is the move away from this form of advertising tracking such a crucial change?

Abernethy: The deprecation of the third-party cookie is significant because it has been the primary connective tissue, so to speak, for tracking segmented audience behavior on the web for really the first two-plus decades of the internet. And, so, a move away from third-party cookies in the form of major browsers blocking them by default, in addition to the rise of other consumer tools, understandably has many brands, marketers and advertising technology firms concerned about how these restrictions will impact their abilities in relation to improving personalization for consumers.

The Privacy Advisor: A variety of initiatives have popped up to develop cookie alternatives. Do any of these projects seem viable? What's your take on the best way to respond to this change?

Abernethy: There are countless very smart people in this space providing serious proposals. I don't know that any single idea will be a silver bullet or obtain instant industry-standard status, as I think it's more likely that at least initially there will be a mix of competing ideas and technical solutions as the market figures things out. Putting the industry-led projects aside for a moment, depending on the particulars of a company's situation, publishers seeking to grow their revenue streams may wish to consider some of the advancements made in contextual advertising, authentication, identity solutions, single-sign-on consortia and developing robust first-party data strategies, like a mini-walled garden. I must stress as well that, at least at Greenberg Traurig, we help clients realize that unavoidable technical and regulatory changes are actually opportunities to engage openly with consumers and further earn their trust.

The Privacy Advisor: What stands out most with the California Privacy Rights Act? Give me a positive and a negative aspect.

Abernethy: As a San Francisco-based privacy professional, I can say that 2020 certainly was an exciting year in California privacy law, and 2021 is shaping up to be the same. The passage of (California Privacy Rights Act) means a new set of compliance objectives for companies to prepare for. As a positive aspect, the creation of a privacy-focused regulatory agency — alleviating undue strain on the California attorney general’s office — will likely be a net positive in providing focused guidance and rules for businesses to organize around to the extent the new agency attracts knowledgeable privacy folks to serve in this important role. As a negative, the CPRA's clarification that the right to cure does not apply to fixing security vulnerabilities following a data breach — meaning that businesses will still be subject to the private right of action and statutory damages even if no consumer harm is demonstrated — means increased litigation risks for businesses.

The Privacy Advisor: How are you advising clients as far as balancing California Consumer Privacy Act compliance efforts and early preparations for CPRA's new or differing provisions? Despite the CPRA's 2023 effective date, is there a sense of panic over this balancing act?

Abernethy: At Greenberg Traurig, we're fortunate to work with clients of all sizes — from Fortune 100 to startups — and so we see companies coming at this from different levels of privacy program maturity. In general, I wouldn't say there is a sense of panic, but the reality is that the CPRA contains a 12-month look-back for consumer access requests and expiration of the CCPA's business-to-business and employee personal information exemptions, and so we are urging clients to have CPRA compliance in place as of Jan. 1, 2022. I think it’s important to start working now on understanding the major definitional changes and how that will affect companies' business models, data collection and usage practices, website privacy features, and written contracts. Wrapping one's head around the newly defined "cross-context behavioral advertising" and the "sharing" of data is also understandably the subject of much confusion, as well. 

The Privacy Advisor: California and Washington are not the only states moving on privacy legislation. Have any other state bills caught your eye as Legislature opens in 2021, and what makes them worth watching?

Abernethy: Yes, the bills are starting to roll in and with each successive year since the (EU General Data Protection Regulation) and CCPA have gone into effect, it seems more likely that U.S. states will join California, Nevada and others in heightening their privacy requirements and imposing restrictions on the "sale" of consumer personal information, however defined. Plus, there are states like Texas that previously introduced legislation and then set up committees to analyze consumer privacy and economic impacts as direct input. In January 2021, New York introduced the Data Accountability and Transparency Act. My colleagues and I will be watching that bill, given that it is based on the CCPA/CPRA, has a more direct linkage to data security than the CCPA, and leaves ambiguity in not defining "selling" or "sharing."

The Privacy Advisor: With a change in administration at the White House, an opportunity for a federal privacy law may be on the horizon. Is this realistic, or are we getting ahead of ourselves?

Abernethy: I think it certainly is more realistic than a year ago. Bills have been percolating for several years now, and the parties and committees are aware of the key issues, though certain sticking points remain around things like preemption and private rights of action. With all of the pressing issues before Congress in 2021, it may be a bridge too far to expect federal privacy legislation, but a bipartisan "win" on consumer privacy rights before the 2022 midterms does not seem so far-fetched to me given the goodwill it can engender from constituents — more and more of whom are starting to see consumer privacy rights mentioned on websites and in mobile apps.

Photo by Keagan Henman on Unsplash