GDPR and the Five Stages of Grief: Adapting to New Privacy Laws

Karen Kramer
Tech Mesh
May 25, 2021

Now that we have hit the three-year anniversary of GDPR taking effect, it seems an especially fitting time to reflect on its impact, along with similar privacy laws in the United States that followed in its wake. As General Counsel of a tech company, I can say that adapting to these regulations closely resembles the five stages of grief: denial, anger, bargaining, depression and acceptance.

Eventually, winners in the market will be those companies that genuinely are committed to meeting the increasing expectations of regulators and consumers. That is my personal belief. Nevertheless, it is fair to say that for emerging growth companies like Quora, where I work, digesting GDPR (Europe's General Data Protection Regulation) was a challenging process, corresponding to the five stages of grief. The California Consumer Privacy Act (CCPA), the first extensive privacy regulation in the United States, went into effect roughly two years later and repeated and re-triggered that process.

1. Denial

When GDPR first passed, it marked an effort by EU regulators to force tech companies in the United States to grapple with the sensibilities and expectations of Europeans about privacy. Up until that point, privacy regulation in the United States mostly took the form of self-regulatory mechanisms, such as disclosing data collection practices in full in a privacy policy. Few people actually read the privacy policies, and relatively few people in the United States cared deeply about what they said.

From across the Atlantic, GDPR codified very different sensibilities of European citizens into a new, far-reaching law. Under GDPR, it is no longer sufficient to obtain consent by disclosures piled into a privacy policy. Instead, in many circumstances, consumers must choose to permit specific uses of their personal information, and they have a right to change their mind easily. Products must now account for this in all of their nooks and crannies.

Additionally, GDPR imposes processes and new requirements in the product development cycle to ensure that the privacy interests of consumers are properly considered and respected. For example, GDPR requires written documentation, called data protection impact assessments (often shortened to privacy impact assessments), before new features that are likely to pose a high risk to individuals are launched. GDPR also requires companies to respond promptly, generally within one month, and in an individualized way to consumer requests about information collected about them.

For relatively small companies like Quora that operate globally, this sea change of expectations was difficult initially to comprehend. The implications are significant for a company like Quora that offers a highly personalized product, which in Quora’s case is a social media platform designed to share and grow the world’s knowledge. At first, the inclination within the company was simply to deny the impact it could have on operations and product development and the work ahead.

2. Anger

The next stage was anger. Did the regulators really understand what they were requiring? Did they not grasp the heavy lift that compliance with these new regulations would require, especially for a small company like Quora that did not have the resources of Facebook or Google?

And, oh, the ambiguities! In the case of GDPR, gray areas are still being defined today, especially as they relate to behavioral advertising practices. For CCPA, the Attorney General's regulations and interpretive guidance, which seek to explain the meaning of the law, did not arrive until more than six months after the new law went into effect. All of this ambiguity, unfortunately, came together with the prospect of enormous fines: up to 4% of a company's global annual revenue (or €20 million, whichever is higher) for GDPR, and the threat of potentially billions of dollars in aggregate per-violation penalties under the CCPA for non-compliance.

Many people referred to CCPA as California’s version of GDPR. However, while preparing for CCPA several years after GDPR went into effect, companies like Quora learned that, unfortunately, many requirements of the California law were just different enough to require a whole new work stream. By way of example, the two laws define “personal information” differently, and they define a consumer’s scope of rights to request information differently.

3. Bargaining

After the anger came the bargaining. This came in the form of interpreting the gray areas of the law in ways that both practicality and reasonable, good faith decision-making demanded. Legal advisors like myself explained to companies that compliance under these massive new privacy laws should be viewed not as a one-time effort, but instead as an iterative process.

4. Depression

Despite the best of intentions toward compliance, depression was inevitable at times. GDPR, and later CCPA, commanded a huge amount of time, resources, and cross-functional coordination. Ironically, although regulators seemed motivated to bring the largest tech companies in line for sins of the past, the burden of the regulations is felt most heavily by the smaller companies, which have fewer resources to throw at the problem. Small and mid-sized companies actually are placed at a huge competitive disadvantage, struggling to grow and compete against tech giants under a different set of ground rules than were in place before those other companies became giants.

5. Acceptance

At long last, after more than six months of intensive work, acceptance arrived, together with a wave of relief and tinge of pride about how these new requirements have been woven into the very fabric of innovation at the company. Privacy compliance is no longer a concern primarily of the legal team and certain silos or figures within the company. It now has well-coordinated allies and supporters in all areas of the business.

Today privacy no longer seems to be a concern primarily of European citizens or even a minority of U.S. consumers. Because it is hard to differentiate the product for consumers based on their location, the new privacy rights of Europeans and Californians have become, by and large, the adjusted baseline of rights offered to all users. Consumers across the United States, who used to collectively yawn about privacy, have begun to take notice, and many have grown increasingly curious and engaged about their privacy rights now.

This is our new normal. As tech companies prepare to comply with Virginia’s new privacy law and the amendments to CCPA that will take effect by January 1, 2023, all with similar goals yet different requirements, this cycle undoubtedly will begin again — unless the federal government steps in with a unifying regulation, which would be a welcome relief from all these waves of grief.

About the author: Karen is a strategist, thought partner, and seasoned legal advisor for media and technology companies of all sizes, from startups to Fortune 500 companies. She has been deeply engaged in the intersection of media and technology law since before the two fields converged.

Lawyer and technology executive who finds spirituality in nature and understands that parenting is not for the faint of heart.