Privacy in California State Government: A CPO's Perspective

min read

Image 1 - Joanne McNabb

Joanne McNabb is the director of privacy education and policy within the Office of the Attorney General in the California Department of Justice. She is also an appointed member of the United States Department of Homeland Security's Data Privacy and Integrity Advisory Committee. EDUCAUSE sat down with Joanne to discuss her career, her thoughts on the current privacy landscape, and how they are partnering with other organizations to provide outreach and education about privacy issues.

EDUCAUSE: You spearheaded the California Office of Privacy Protection from 2001 until 2012. What led you to that role and the field of privacy in general?

JOANNE: I got lucky; I was in the right place at the right time. In 2000, a former colleague who was director of the California Department of Consumer Affairs told me about a newly passed law creating the Office of Privacy Protection and asked if I'd be interested in heading it. I had worked in consumer protection in the past and was in marketing at the time. I "AltaVista-ed" [Googled] to see what privacy was and found good stuff at the Privacy Rights Clearinghouse and the ACLU. It looked interesting and I liked the idea of starting up a new organization, so I took the job.

It was a pivotal moment to get into privacy. The FTC had just published its first major privacy report, Privacy Online: Fair Information Practices in the Electronic Marketplace, in May 2000; the first Gramm-Leach-Bliley financial privacy notices went out to consumers in July 2001; and the International Association of Privacy Professions (IAPP), then called the IAPO, was new and had about 200 members in 2001 (now it has over 20,000 and is truly international).

California was the only state to have an office dedicated to consumer privacy — until Wisconsin created a similar office, modeled on California's, around 2006. In more recent years, state attorneys general have focused resources on privacy and in some cases created separate units that enforce privacy laws.

California Attorney General Kamala Harris created the Privacy Enforcement and Protection Unit in 2012, with the mission of civil enforcement of state and federal privacy laws, privacy education for individuals and businesses, and policy development and advocacy. We try to be innovative in our efforts to improve privacy practices and protect Californians. Enforcement actions aren't the only tool we use to encourage privacy-respectful practices. That's why we work with industry, as in negotiating a 2012 agreement with the major app platform companies to add a field for a privacy policy to the app pages in their online stores. We also publish best practice guides in an effort to raise the bar, and we sometimes support privacy legislation. Of course, enforcement actions can be very educational as well. Information on our completed enforcement actions can be found on our website.

EDUCAUSE: What are your biggest accomplishments in terms of education and outreach over the past few years as part of the California Attorney General's office?

JOANNE: My role in the Privacy Enforcement and Protection Unit includes developing educational programs directed to individuals and to businesses and other organizations. Our resources for individuals include a range of consumer information sheets on topics like practicing safe social networking, protecting personal health records, preventing identity theft, and controlling location information on smartphones. Consumer resources can be found on our website. We devote a lot of effort to educating businesses and other organizations that collect and maintain personal information on their privacy responsibilities and good privacy practices. Business resources are available here.

I also work on reports on data breaches. We publish a report every year or so, and I think these reports have had a positive impact. Since 2012, the California breach notice law has required organizations that experience a breach involving the personal information of more than 500 Californians to notify the attorney general. The reports can be found here.

We review all the breaches submitted to us, often asking for additional information, sometimes conducting an investigation, and sometimes taking an enforcement action. We always look for patterns and trends that suggest lessons to be learned as a contribution to the effort to prevent breaches and mitigate their harmful impact.

We also make recommendations in the breach reports, to organizations and to policy makers. Many of our policy recommendations have been enacted into law. The breach law has been strengthened by the addition of online account credentials to the definition of personal information and by the requirement that companies offer an identity theft prevention and mitigation product to victims of breaches of Social Security or driver's license numbers. In addition breach notices must use a format that makes them easier to understand, with a title and headers. And substitute notices, which are most often used in breaches of payment card data when the company doesn't have sufficient contact information, now must remain posted on company websites for at least 30 days and must be conspicuously linked from the home page.

One recommendation we've made in all three breach reports also seems to be getting results. The recommendation is to use strong encryption (e.g., full-disk encryption) on laptops and other portable devices. We have particularly called out health care on this point because that industry experiences more of this type of preventable breach than other sectors. While we can't know how much our recommendation is responsible, we are happy to see some improvement. In 2015, 39% of health care breaches were the preventable type (compared to 13 % in the other sectors); this is down from 68% of health care breaches in 2012 (compared to 21 % in other sectors). There's still a long way to go, and we will continue to press this point, particularly with health care because of the extreme sensitivity of the data they hold.

EDUCAUSE: What are the biggest challenges in terms of privacy for California and states in general (i.e., what issues or concerns are keeping you up at night)?

JOANNE: Apart from security, which is essential to privacy and very challenging, I think the biggest privacy concern facing Californians — and people everywhere — is the Internet of Things (IoT), perhaps more aptly termed the Internet of Everything. The number of Internet-connected devices keeps going up, with an estimated 12.5 billion devices connected in 2010 and a recent prediction of up to 50 billion by 2021.1

These billions of connected things that send and receive data — including data about individuals — range from cars and parking meters to farm machinery, thermostats, and televisions. There are clearly many current and future benefits of the IoT — from the more efficient use of energy, to safer cars and highways, to the real-time monitoring of people with chronic illnesses.

There are also many privacy concerns. Some of the privacy issues are specific to the various connected devices and data streams, but there are also some serious overall privacy concerns with the phenomenon. When 50 billion things connected to the Internet and to each other are collecting data on where we are, whom we are with or near, what we're doing, waking or sleeping, 24/7, we become nodes in the network of everything. This degree of ubiquitous surveillance risks realizing Jeremy Bentham's vision of the Panopticon, where the knowledge of being observed is intended to affect behavior, or the world of Minority Report, where the data collected is used by the powers that be to control behavior, including predicting and preventing undesired behaviors in the future.

This may sound hyperbolic, but the potential for misuse of such vast amounts of information — collected from individuals who have increasingly less ability to disconnect from the network — is significant and should not be ignored. We want to be able to enjoy the benefits of our innovative economy, while at the same time ensure that we retain the liberties guaranteed by our Constitution, which in California includes an explicit privacy right.

In considering appropriate policy approaches to emerging technologies, I think Melvin Kranzberg, professor of the history of technology at Georgia Tech in the 1970s and 80s, has some helpful things to say. He rejected technological determinism in favor of technological voluntarism, formulating what came to be called his six laws of technology. His fourth law is instructive: "Although technology might be a prime element in many public issues, nontechnical factors take precedence in technology-policy decisions."2

EDUCAUSE: With whom do you partner to provide outreach and awareness about privacy issues and concerns, at the local, state, or federal levels?

JOANNE: We have partnered with a number of organizations in our outreach efforts on privacy laws and best practices. When we've developed a best practices guide, we then want to get it out to its intended audience. We do this by participating in more than 50 seminars and conferences in a typical year, and in some cases by holding our own workshops. After issuing our best practice guide on mobile privacy, Privacy on the Go, we held workshops for app developers in partnership with developer associations and start-up incubators. We worked with health information management associations to share our recommendations on combatting medical identity theft with their members, based on our guide Medical Identity Theft: Recommendations for the Age of Electronic Medical Records.

In addition to consulting regularly with privacy and civil liberties advocates, we are very fortunate to have some of the leading universities in the world in our state. We've found working with them to be invaluable as we explore the implications of technology and formulate public policy approaches. Among others, we've worked with UC Berkeley's Center for Law and Technology and Center for Long-Term Cybersecurity, as well as Stanford's Center for Internet and Society. We are also embarking on a collaboration with the new Stanford University Cyber Initiative.


  1. Dave Evans, "The Internet of Things: How the Next Evolution of the Internet Is Changing Everything," Cisco white paper (April 2011).
  2. Melvin Kranzberg, "Technology and History: 'Kranzberg's Laws,'" Technology and Culture 27, no. 3 (July 1986): 544–60.

Valerie M. Vogel is program manager for the EDUCAUSE Cybersecurity Program.

© 2016 Valerie M. Vogel. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license.