Over the past five years, the number of people on LinkedIn who list their title as chief privacy officer (CPO) has increased by 35%, according to the International Association of Privacy Professionals.
And it’s no wonder: In that time, 17 US states have passed data protection laws, with more on the way. As a result, privacy compliance has shot to the top of company to-do lists.
In that sense, Ron De Jesus was a privacy executive before it was cool. He has 15 years of in-house operational experience in privacy-related roles at Deloitte, American Express, PwC, Coach and Tapestry (following the Coach rebrand), Tinder, Match Group and, most recently, Grindr.
(He was chief privacy officer at Grindr, in fact, in 2021, when the Norwegian data protection authority fined the company $7 million for GDPR violations. But more on that below.)
But now De Jesus is doing something a little different. In February, he joined data governance and privacy platform Transcend as its – and the industry’s – first-ever “field” chief privacy officer.
Rather than directly managing risk and regulatory compliance as a traditional CPO would do, De Jesus is a liaison between Transcend and the broader privacy professional community. He’s out in the field at events and taking meetings to evangelize Transcend’s technology and gather intel to inform future product development.
He also spends a lot of time talking to stressed-out CPOs about their challenges.
So, what are chief privacy officers talking about two or three drinks in at a cocktail party when they’re feeling a little loose?
“I mean, honestly, they’re probably taking the chance to not talk about privacy,” De Jesus said. “But if you’re asking what’s on their mind, it’s the evolving landscape of regulation. They’re sick and tired of dealing with a patchwork of laws and they’d really love some legislation at the federal level.”
De Jesus spoke with AdExchanger.
AdExchanger: How does Transcend’s technology work in a truly nutshell-sized nutshell?
RON DE JESUS: We’re a privacy platform that uses machine learning to help simplify and automate compliance. There are automated tools for privacy impact assessments, for data protection impact assessments, for consent management, for AI governance.
If a company is launching a new feature that collects health information, for example, the CPO is required to review that feature through a privacy impact assessment – like an audit of the proposed feature. You have to ask questions like: What personal information are we collecting? Who is it being transferred to? Are we updating our privacy policy? These are all requirements stipulated by existing laws and regulations, and we automate that process.
How does the platform change or adapt every time a new privacy bill is signed into law?
There are a lot of new laws in the US, but they do have a common baseline. Roughly 70% to 80% of these laws say the same thing, but there’s also nuance by state. It’s our job to help CPOs stay on top of all of it, including dealing with the outlier situations.
Take Maryland, for example, which passed recently. That law is being touted as even more stringent than CCPA, and the broader privacy community was surprised because some of what’s included breaks out of the norm. It has very strict data minimization requirements and rules for how to handle sensitive data and children’s data. Our platform needs to adjust to meet these requirements and also whatever else comes down the line.
You’ve worked as an in-house CPO, but you’ve also done independent consulting to help startups set up best practices to manage privacy compliance. What sort of compliance challenges crop up for startups?
Mainly, it’s a resourcing issue. They’re subject to many of the same requirements as a fully established Fortune 1,000 company, but they don’t have 100 people working in their privacy department. A 10- or 20-person company doesn’t need a full-time CPO, but they still need help navigating the laws.
I would always take a risk-based approach with smaller and medium-sized companies to identify gaps and help them prioritize what to focus on.
You were at Grindr in 2021 when the Norwegian Data Protection Agency fined the app for passing data without consent to third parties, including MoPub, Xandr, Smaato, AdColony and OpenX. What did you learn from that experience?
Suffice it to say this whole thing was an, uh … “interesting” experience.
Companies don’t typically deal with regulators on a regular basis, but when you do, it’s clear these are very smart people.
As a company, we obviously took this very seriously, and for me, personally, it was a unique experience because it actually helped me up-level my game. It was my responsibility to provide robust documentation of how we were making changes based on their recommendations throughout that entire process.
It was challenging, but I like challenges.
This interview has been lightly edited and condensed.