Episode 2: Privacy is a Customer Service | On Your Radar Podcast

We’re back with another episode of On Your Radar! In this week’s episode of our podcast, we sit down with Paige Boshell, Privacy Counsel at Chevron, to dive into the ever-changing world of regulations and how they relate to customer service. With data breaches and privacy concerns on the rise, companies are under pressure to not only comply with regulations but also provide top-notch customer service when it comes to protecting their customers’ data. 

Paige Boshell has been practicing law for almost 34 years, much of that in the privacy space. She worked in private practice for many years and has served as an in-house privacy counsel for. Her practice has three pillars: compliance; product development; and transactions. She is PLS, FIP, and IAPP-certified in US law, EU law, and privacy management.

Paige shares her insights on the importance of privacy as a customer service and how companies can navigate the complex landscape of regulations to build trust with their customers. Tune in to hear her expert advice and stay informed on the latest developments in privacy and customer service. 

Privacy is a Customer Service

Judy: Hello and welcome to On Your Radar. I’m your host, Judy Titera. Whether you’re a privacy, security, compliance, or risk professional, we can all relate to the challenges of trying to keep on top of the rapidly evolving operational, regulatory, and technology changes. We can easily become overwhelmed without focusing on the right things.

Judy: In this show, I’ve invited privacy professionals to understand what keeps them up at night, what excites them about the privacy sector, and what’s on their radar. Today, I’m speaking with Paige Boshell. Paige has been practicing law for almost 35 years, much of that in the privacy space. She worked in private practice for many years and has served as an in-house privacy counsel for USAA, Meta, and now Chevron. Her practice has three pillars: compliance, product development, and transactions. She’s a privacy law specialist. IAPP certified in the US, and EU, privacy management, and also a fellow of information privacy. Paige, I am so thrilled to have you here today, for full transparency, Paige and I worked together at USAA for many years.

Judy: And the one thing I love about Paige and I’ve always loved is when we start talking about privacy—situations, different things going on—we always get deeper, right? I mean, it’s not just, you know, this is what it is. We always go into those additional layers underneath of what is going on.

An International Affair

Judy: What does this mean to society? What, you know, really bringing in that, additional flavor into any discussion. So when I was thinking about this podcast and we were thinking about, we’ve talked about US laws, you know, quite a bit, and I was thinking about what we need to know about international laws.

Judy: And I know now at Chevron, you are a global privacy expert and a counsel for Chevron. So I thought, well, let’s bring Paige in and just talk about, you know, what’s going on. But before we get into that, welcome and thank you, for being here, Paige.

Paige: Thank you so much for having me. It’s thrilling doing this with you and, getting to have our conversation this way.

Judy: Yes, I am, again, just thrilled to have you here. So, let’s just jump right in. We’re talking about international laws. So, Paige, we spend a lot of time, like I said, you know, the US has been, the laws have just been crazy the last few years. So many new states coming out with laws.

Judy: We have different, I mean, the Federal’s given even more crazy—what’s going on? We can’t lose track of what’s going on internationally. I was wondering if you could give us just a flavor of what you’re seeing outside of the US on privacy laws, maybe a little bit looking back and what’s going on now and into the future regarding what we’re seeing for privacy in the world.

Paige: Yes. And I think just to sort of bring it back to the States, since that’s what you’ve been discussing with your viewers so far, I think we in the States are, for the first time, really experiencing what a lot of our international, colleagues have been feeling, which is different laws applicable to different sectors, layers of general privacy regulation, variations among geographic regions.

Paige: I practice also in the US and we do have a little bit of whiplash with these state laws. And, I think that gives us an increased sensitivity to what has been happening worldwide. And you and I talked about, have talked about this before, but GDPR was really sort of revolutionary in that way.

Paige: Because in 2017, and 2018 here, we still looked at privacy a little bit more like a property right. Like who owned the data? So this influx from the European Union of this concept of privacy rights was tremendous. The shot heard around the world. And so what we’ve seen since then is the development of GDPR-like laws internationally.

Paige: And what is exciting as an international privacy pro is to see, not just the similarities, you know, the same underlying concepts of the fair information, privacy principles of notice or consent of transparency, of proportionality, use minimization, but also it’s interesting to see how different regions and within different regions, different countries apply those requirements or principles in a slightly different way due to their own culture and the posture of their government.

Paige: And I think we’re seeing that with state laws here. You know, California is not quite Connecticut is not quite Texas. And so, that’s something that the international practitioners have been struggling with a little bit longer.

Paige: So, for example, you know, in LATAM, we see strong privacy laws in Argentina and Brazil, but we also see an effort by the region to be business-friendly, whereas we might see in APAC, many variations on the GDPR themes, most recently with Vietnam and with China, where they have added, reporting requirements, filing requirements with the government.

Paige: So you might file your, SCCs in China or your processing agreement, your inter-affiliate agreements. That is sort of a new concept—this concept of making sure that you’re internally compliant, but then have to justify it before regulatory authority before there’s even been any enforcement or administration.

Paige: And in some cases without a lot of guidance, so that makes it makes it fun and kind of challenging and an opportunity for us to try to understand more what the instrumental end is behind the privacy legislation. Is the concern more around security, national security, or is it more around fundamental individual rights and how we see those tweaked from country to country?

Paige: And, you know, we’re seeing in GDPR, the enforcement actions and the litigation actions are getting fairly advanced. How do we need to ensure adequacy or sufficiency in cross-border and onward-border transfers?

Paige: In some of the APAC nations, we’re seeing a requirement of consumer consent. So you have to be forward-thinking when you give your notice or obtain your initial consent from the consumer because it’s not just a notice about the collection or consent to the collection. It may be consent to exportation.

Paige: And so these variations, on a theme, some more trending towards data localization, if you will, rather than the initial concept of cross-border transfers was to facilitate digital and electronic commerce. And we’ve seen hiccups with that in the E.U. We’ve seen pretty strong requirements out of the U.K.

Paige: Israel has extremely protective and restrictive exportation requirements. We’re now seeing that in Vietnam, in China. We’ve got new laws coming out in Indonesia, India, and Sri Lanka. Amendments in South Korea. It’s a fascinating time to practice everywhere.

Judy: Wow, that sounds like fun and very overwhelming.

Paige: It is. It’s a lot of fun, but it’s challenging.

Tracking Data Privacy Laws

Judy: Right. So how do you, do you have any tips on how you’re keeping track of this? I love what you talked about. That’s not only what’s written in the law, but what’s, what’s behind it, right, and understanding that. So how do you keep track of everything that’s moving for your organization?

Paige: You know, it can be difficult. And we have mechanisms for that. I’m always reading and thinking about privacy. I rely a lot on different websites, different professional industry groups, and outside counsel, certainly. The law firms in this country have done a terrific job of trying to keep everyone, not just their clients, up to date on developments.

Paige: But the initial guidance tends to be very general and high-level. And when you work, you know, this, when you work in the privacy sphere, it’s the devil in the details. It’s when you get down to the nitty-gritty and you have to interpret the application to specific types of personal data and specific types of data practices and data flows that it becomes more challenging.

Paige: And, I think that’s another reason, for example, why I love being in-house counsel because you get to know your business. You understand the data practices. You understand the mindfulness and the intention behind it. And I’ve said this to you, I’ve said this before, a lot of clients for whom I’ve worked both outside and internally, potential misunderstandings or potentialities for gaps in privacy, I think, are more around education and culture.

Paige: And you did a terrific job at USAA of really making some complicated privacy requirements accessible to everybody because it’s like we have to get in privacy, like where we’ve gotten with phishing. It’s down to every employee, it’s down to decisions that you’re making daily.

Paige: And I’m not giving short shrift to access controls and privacy-enhancing technologies. You know, I’m all about the boots and suspenders. But to make these complicated and sometimes varied requirements accessible to the people on the ground, the people who are interacting with consumers, the people who have access, you know, like at USAA, our member service representatives.

Privacy as a Service

Paige: You know, and I think one thing that the USAA did a terrific job of and that you did a great job was building on the service to members culture and privacy is customer service. It’s a service to your members. How do you help them process financial transactions efficiently, and quickly?

Paige: You know, we all want to use Zelle and Venmo. We want, you know, my daughter used to text me from college and say, “I need $50”. And then before I’d even typed it in, she’d text me and say, “It’s not in my account yet.” You know, everything’s so fast and we want to make these payment technologies, and we want to allow members to have access to their money, to their transactions, to their information, and everything’s going at warp speed.

Paige: And yet you want to be protective of that information. You want the member to feel protected, and so, I think when you can take very complicated and varied privacy requirements and distill them down to the FIPS, or some other common understanding, within a culture, sort of the mission-critical highlights, then the privacy office, the privacy operational folks, and the privacy strategy people can do their things. You know, they can plan for the specific variations. But I think the culture of privacy is critical to an international practice.

Judy: Right. Yeah. So I think a few of the things that I’m hearing you say, number one is understanding your business and understanding the culture, and understanding the data and where it is and what you’re doing with it. But the other huge piece, I think, you know, what I’m hearing, and I think it’s important is the educational piece.

Judy: Simplify. Simplifying your privacy message and communicating that and having that not just be, it’s not a one-person job. It’s everyone’s job to understand and be able to, really understand what they need to do for the organization. So, I think those are outstanding tips and I also love, you know, looking at the US and the complexities that we’re dealing with here and seeing that that’s similar to what we’re seeing internationally, keeping an eye on what we can do, and the different flavor of the intent of the information.

Judy: So, you know, hard to believe this time has gone fast. I think these are some really good tips and nuggets for us to be looking at. But, you know, let me ask you a specific question.

Judy: I know you’ve been, you know, practicing law for years. You’ve been in privacy for years. Back when we were younger, privacy wasn’t even a field. It wasn’t an area of expertise. Where did you think you were going to go? What kind of field did you, were you looking at? And what brought you into privacy? I’m curious.

Paige: I started as a young, young lawyer with a firm as a financial services regulatory lawyer. And I loved that. So doing a lot of consumer, you know, truth in savings, truth in lending, drafting the Schumer box, the Fed box. What I loved about that practice, and that was a national practice.

Paige: What I loved about that was the sense that there was an answer. And I liked that if you worked hard enough, you could find the answer. And so I got from that sort of practice to this sort of practice, which is entirely different. It’s a science, but it’s also an art.

Paige: What I love about what I do now is there are a lot of judgment calls. You know, there are a lot of new laws in APAC, there’s no guidance, there’s no enforcement actions. I don’t want to say any guidance, but we haven’t seen the maturity that we’ve seen in the GDPR. So a lot of it, there are a lot of unknowns, is using, bringing to bear that judgment and understanding there might not be a right question.

Paige: So I’m in an entirely different practice than I started. But what I loved about the Federal Regulatory Service practices was the concept that you could communicate this information to the consumer in an apples-to-apples way, which we found very hard in privacy. But I sort of started making the transition.

Paige: There were two primary impetus for that. One was the Gramm Leach Bliley Act, and so that was my first effort at it at an entirely privacy practice because before that, it was just common law, right? There might be a lawsuit against a bank in tort. Or breach of contract. So it was very general.

Paige: But the other thing I was able to do in my practice, and one thing I loved about outside counsel practice, is if your client likes you, and likes what you’re doing for them, and likes the way you’re thinking about their business more holistically, they’ll give you more work. So I started out drafting the FedBox, but then they would ask me behind that, they would say, okay, how do we do that online?

Paige: How do we do that on a mobile phone? And before that, how do we contract with the vendor for that? So I, for a long time, had a practice that intersected financial services and privacy but was very cradle to grave. And now even more so because you start with product counseling, right?

Paige: And privacy by design. And then it is so much easier. I know you know this. Judy, it’s so much easier to build privacy and it’s very hard to retrofit for privacy. So starting at the inception of an idea and then looking and working with different vendors, negotiating the vendor contract, planning the vendor management, and dealing with implementation.

Paige: I used to do a lot of implementation, bank acquisition, conversion, and then working on the consumer-facing disclosures. Then dealing with data breaches or other client service issues. Just really, it was a unique opportunity, I think, especially in a large full-service law firm to go to work through the entire life cycle of a product or service.

Paige: And so that helped in the way that I learned privacy. And applied privacy in my practice and how I started seeing connections between privacy and every single part of the life cycle of a consumer and now not even a consumer, B2B. You know, it’s covered now in California, it’s covered, personal information, it’s covered a lot abroad.

Paige: So, thinking about small business customers and those sorts of interactions, it’s been a lovely way to have had my practice evolve. And a lot of fun to do.

Judy: Yeah, fantastic. One quick last question. What’s on your radar for the future of privacy? What do you, what are you seeing out there? What is it going to look like in 5 to 10 years?

Paige: Yeah, it is so hard to tell, isn’t it? Because I, okay, so since I started in privacy to now, I have had three children and they’re all adults and I have a grandchild and so my children grew up with the internet and phones and iPads and it was early days, it was that onslaught of all this great technology, a little bit like what we’re seeing with AI. All this technology and it was going to be such a learning opportunity for small children and then you just see, before you know it, your children’s privacy, it feels like it’s gone.

Paige: And you just think the genie’s out of the bottle, but my children are now, you know, they would never listen to me. I would say you need these privacy settings for Facebook, for Instagram. Now, my grandchild is not on the internet. Her face is not on the internet. They’ll take pictures of her behind, but they’ve had very thoughtful discussions.

Paige: And so between that, between these savvy young adults, understanding specifically how this online engagement may impact their privacy and that of their children, and then also seeing this proliferation of state laws that are making people in this country focus on what their privacy rights look like. It’s almost like we’ve gone through an incredible abbreviated cycle.

Paige: And so it’s hard to guess, but I hope that we are going to continue to have the same conversation about what privacy means. I think we’re doing that with AI already. How can privacy inform AI? I’ve already seen that in my practice with biometrics, wearables, and geolocation. 

So it’s, I see more of that, I see more conversations about what fundamental human privacy rights look like in a time of great change, not only in data science, but in technology, how we collect data, how we can use it, what kind we can collect, and I just see that accelerating, and it’s been delightful for me to see that these young adults who are worried about his children and teens, and we’ve all seen, you know, the data on negative impacts on teens, but seeing these young adults have a sophisticated and thorough grasp of privacy rights that that we’re just beginning to get ourselves and we’re privacy professionals.

Paige: It’s interesting. And so I think we’ll see more of that. And hopefully, we’ll see, I would love for there to be, more standardization even across privacy laws, regionally and domestically, certainly.

Judy: That would be wonderful. Let’s look to a future that looks like that.