How We Celebrated the 40th #DataPrivacyDay in My Privacy & Technology Course

This year, I had a Data Privacy Day “first”: I celebrated it with a group of aspiring privacy practitioners in technology, my Privacy & Technology course students. As some of you may know, I am teaching my experiential Privacy & Technology course at Santa Clara Law’s leading privacy program this semester. I previously wrote about it here. We meet twice a week, and it turns out that our sixth class meeting fell on Data Privacy Day.

Quick background: Data Privacy Day commemorates Convention 108, which was signed on January 28, 1981 and is the first legally binding international treaty dealing with privacy.

We appreciated how far we’ve come in privacy awareness

To highlight the 40th Data Privacy Day, we spent the first part of class talking about the holiday. We discussed how far we’ve come when it comes to privacy awareness. Up until recently, “privacy is dead” has been a commonplace proclamation, even amongst tech company CEOs. This year, we had countless tech companies publicly celebrate Data Privacy Day, including Apple with their CEO, Tim Cook, tweeting about the occasion.

But we also sounded the alarm on “privacy washing”

After appreciating the upward trajectory of public privacy awareness, I pressed the students to dig deeper and think about how we can ensure that the public conversations we’re having about privacy don’t end in “privacy washing.” Privacy washing is the phenomenon whereby entities publicly proclaim their support for privacy without much action to support their claims. [The term takes after the green movement and the diversity & inclusion movement, both of which have suffered “greenwashing” and “diversity washing.”]

We brainstormed ideas for walking the privacy talk

Because the course is experiential whereby the students are assigned to work on real-life projects with privacy tech startups throughout the semester, I asked my students to come up with ideas on how they would capitalize on Data Privacy to push their organizations to go beyond their public privacy statements. I’m pleased to report that without coaching them, the students came up with ideas that include incentivizing engineering and product teams to innovate in privacy and persuading leadership teams to invest in privacy initiatives using research surrounding privacy’s value (i.e. consumer demand and business privacy ROI). Not one relied on legal requirements or penalties. In other words, they made the privacy business case, beyond compliance. This was a proud moment for me.

With our guest lecturer, we worked through specific hypotheticals drawn from real life experience

In addition to working with privacy tech startups, the course also features privacy practitioners in tech as guest lecturers, adding to the experiential nature of the course. Fatima Khan, experienced privacy leader and chief privacy officer, helped the class work through privacy & legal pitfalls in the privacy tech space. We went through hypothetical B2C and B2B privacy tech fact patterns. In creating the hypotheticals, Fatima and I drew from real scenarios we’ve handled over the years. The students pulled from FTC enforcement actions and complex GDPR provisions in issue-spotting the hypotheticals. But that’s not all. In addition to making legal points, the class raised points about brand reputation, customer privacy requirements, and appropriate business models. Again, I couldn’t be more proud of how the students are applying their foundational privacy knowledge and beginning to display the necessary soft skills required to deal with the hypothetical product teams to address privacy concerns raised by the fact patterns.

I’ve had quite a few memorable Data Privacy Day celebrations throughout the years, but I will remember spending this year with my Privacy & Technology course students as one of my favorite celebrations. It is so fulfilling to witness the students develop into thoughtful privacy practitioners, accessing and applying their foundational knowledge. I can already see them rising to the occasion and solving tomorrow’s pressing privacy problems by using the new skills in their privacy practitioner toolkit. What better way to commemorate Convention 108 and Data Privacy Day than to witness tomorrow’s Data Privacy Day champions?