TrustArc Blog

Women in Privacy Leadership Roles: Interview with Joanne McNabb

October 24, 2014

Joanne McNabb, Director of Privacy Education and Policy, California Attorney General.

Guest Post: Alexandra Ross, The Privacy Guru, interviews Joanne McNabb, Director of Privacy Education and Policy, California Attorney General

Privacy is high-profile right now. From major retail and financial sector breaches to revelations over mobile device tracking and intrusive surveillance technologies, the question of whether or not we’ll submit to living in a “post-privacy” society is squarely at the center of tech start-ups, legislation, and personal rights.

What few realize, though, is how many women are leading the way when it comes to protecting and promoting privacy rights. From Ireland’s data regulator Helen Dixon to newly appointed White House CTO Megan Smith, women hold high offices when it comes to championing privacy.

Add to this list California Attorney General Kamala Harris and her director of Privacy Education and Policy, Joanne McNabb. Joanne will be participating in a panel at Always On: The Digital Consumer, co-hosted by TRUSTe and The Center for Democracy and Technology (CDT) on October 30th in San Francisco. This event will explore how we can realize the full potential of the Internet of Things while maintaining our privacy and control of personal data.

Joanne was kind enough to answer some questions via email for TRUSTe.

Alexandra Ross: What is your role at the California Attorney General’s office?

Joanne McNabb: I’m part of the Privacy Enforcement and Protection Unit that AG Kamala Harris created 2-1/2 years ago. I develop educational programs and materials directed to both businesses and consumers. I also advise the AG on emerging privacy issues and on pending privacy legislation – and there’s been a lot of that in the California Legislature over the past decade or so. In the two-year session that just ended, we were keeping an eye on about a dozen bills.

We don’t take official positions on many of them, but we do provide technical information to the Legislature based on our knowledge of privacy issues, laws and practices. In 2013 we sponsored a bill – AB 370 on DNT (“do not track”) disclosures – that was ultimately signed into law.

I don’t think that every privacy problem can be resolved by a new law, but in an area that is evolving rapidly with technological developments, it’s important to have standards that preserve important societal values. Sometimes such standards can take the form of best practice guidance, sometimes “co-regulatory” codes like those the NTIA has been working on, and sometimes laws. Laws that require transparency, like the breach notice law and CalOPPA (which AB 370 amended), can push organizations towards better privacy practices.

AR: How does the AG’s Privacy Enforcement and Protection unit work with businesses (in terms of providing education & resources)?

JM: Much of our educational work is done for and with businesses. In 2-1/2 years, the Privacy Unit has produced four best practice guides:

  1. on mobile with a focus on app developers;
  2. on medical identity theft for health care providers, payers and policy makers;
  3. on cybersecurity for small-to-medium businesses;
  4. and on developing meaningful privacy policies.

For each of these, we consulted with stakeholders representing a broad range of interests, always including privacy and consumer advocates. I really enjoy working on these projects, getting the perspectives – and the help – of many people. On one of them, we had a meeting with 15 people in the room and 76 on the phone. After a cacophonous beginning, I realized we could not all introduce ourselves, so we just plunged into the work. It takes time and it isn’t always easy, but I think the end products are generally viewed as helpful. I certainly hope so. Our aim is to help set standards for data practices that are respectful of individuals’ privacy interests, even when not clearly required by law.

We make the documents available on our web site and we take them on the road. We held two workshops for app developers, where we shared information on the legal framework and our best practice recommendations. Most of the workshop, however, was not spent on the rules, but featured other developers explaining how they’d approached building privacy into their apps. I think the audience was more interested in hearing from their peers than from panels of lawyers.

I take our best practice messages to many seminars and conferences every year. I find that this is not only a good way to spread the word we want to spread, but it’s also a good way to keep learning about current business practices and how companies and their attorneys are thinking about privacy. I enjoy the company of my fellow privacy professionals. I find it a very collaborative profession, likely because we all have to keep learning all the time.

AR: Can you speak about the tension between innovation and privacy compliance? Does there need to be one?

JM: I think that there’s a tendency to exaggerate the tension between technological innovation and privacy compliance. There are always limits facing any innovator. Creativity lies in using or overcoming the restraints you are faced with. Think of how Twitter forces us to communicate concisely and of how the limitations of poetic forms like the sonnet or haiku result in great beauty. It’s the grain of sand that irritates the oyster into creating a pearl.

And of course privacy is a human concern and a user issue – innovators ignore it at their peril. I think that privacy is also an ethical issue and how we address it has implications for society as a whole, as well as for individuals. In fact, how to understand and tackle privacy concerns (including mere compliance) is part of the reason to innovate.