Ahead of the launch of Lexology PRO Compliance, a unique information platform for chief compliance officers, general counsel and their teams, we provide a sneak peek of some of the content that will be available...
Q&A: How Amgen prepared for the CCPA
As of 1 January 2020, the California Consumer Privacy Act (CCPA) officially came into force. The CCPA is the latest data privacy law to take effect in the wake of the EU's sweeping GDPR legislation and heralds the arrival of strict data privacy regulations in the US for the first time.
Failure to comply can lead to enforcement actions by the California Attorney General, including the imposition of civil penalties and a heightened risk of lawsuits and class actions from customers in the event of a breach, so companies must ensure their policies and procedures are up to standard.
Zoe Philippides, chief privacy officer at multinational biotech company Amgen, outlines some of what the company has been doing to prepare for the changes, as well as the importance of raising awareness internally.
How will the CCPA impact businesses in the US?
Zoe Philippides: I think some of it is still to be determined, but the actual impact for privacy officers or departments will be an upscaling of processes and requirements, as well as trainings throughout the organisation. I think there are differences between the CCPA and the GDPR - the regulation we saw come into force in Europe. The biggest difference is the environment the CCPA comes into. In Europe, you already have decades of familiarity and compliance with omnibus privacy law; in the US things have been very much sectorial and substantially different, depending on the project, the team, the business, the industry, and so we are now coming to a point where you have a population that is not as sensitive to, or familiar with, privacy laws as we see in Europe, so that is obviously a concern we have. As a result, we are working hard to make sure that we are upskilling our employees and updating policies and practices to the best of our ability, working with the different business groups across Amgen to make sure that they are sensitive to, and familiar with, the new laws that came into place on 1 January.
What exactly are you doing to prepare internally ahead of the law’s enactment?
Zoe Philippides: First, we had to determine what information we had on consumers, how it is used and who it might be shared with, then we jumped into how to develop informative notices. Obviously the CCPA affects California residents, so we have drafted notices specifically for residents in the state. Under CCPA, there are different rights provided to different groups and so we have updated and ensured our notices take this into account. For example, employees have certain rights while healthcare providers or patients have others. Moreover, transparency is a critical component of the CCPA so we have taken care to ensure that our notices, regardless of which population they are directed at, are transparent. In addition to the different notices for certain groups, we have also prepared a general online notice as well.
How exactly are you ensuring you are able to respond to consumer exercises of rights?
Zoe Philippides: We have implemented a toll-free number that is required by law and we have an email inbox that we stay actively engaged with and monitor regularly throughout the day, every day, including weekends. We have also implemented some new tools here, including a website that provides an interface to OneTrust – a privacy, security and third-party risk technology platform – and we have worked with the different areas of Amgen to ensure that they have good understanding and knowledge of what is required so that everything gets reported very, very quickly. For example, if there is an access or a deletion request, we are working with the relevant people both from the IT department as well as internally with the business to make sure that those are responded to within the timeframe required.
How important is it to involve other areas of the business in this process?
Zoe Philippides: Absolutely critical. As a privacy team it is really our responsibility to make sure that we are good counsellors and advisors to the business. We are helping them, giving them the tools and the knowledge to make sure that they know what is going on, what to do and how to respond, but there are a lot of different moving parts in the business that require assistance and support from everybody, from our colleagues in information security to the IT department, to law, to the actual business people that are running certain types of programmes like consumer marketing in the commercial organisation. I think it is also important to involve senior leadership, sort of bottom up as well as top down, because you will miss things along the way if you do not take a holistic approach.
Are you adapting the company’s policies only in the US or are you making changes on a more global scale?
Have you identified any challenges in terms of compliance with the new law, is there anything that you have spotted already that you think may be difficult for you and your team?
Zoe Philippides: I think parts of the law are very challenging and everybody has an opinion – many differ on what is required and how to interpret it. The bottom line here at Amgen is that we feel very strongly about privacy and we structure our programme to ensure that, among other things, it is transparent, and we emphasise that individuals have and retain control of their personal data as the law requires. In short, making sure that we are running a compliant programme based on privacy principles is not the challenge; it is more about how we ensure that people outside of Amgen understand some of the legalese that the law requires us to use in our notices, and the practical implications of how you actually implement the theoretical side of things do not always result in what was anticipated. For example, when I think about all the requirements that go into a privacy notice, you really want the notice to be understood by the general population, so it should be simple and short because no one wants to read 10 pages of content. Creating that kind of notice is challenging and almost somewhat of an art. And so, the tension for us is worrying about whether these policies are easily understood, while also ensuring that we are being thoughtful about including all of the information that is required by the law.
Do you think the law leaves any gaps or grey areas for companies? Is there anything that you have identified so far that is particularly challenging?
Zoe Philippides: I think one of the things that we have identified as a challenge is that there are still some grey areas or ambiguity that we hope will get fleshed out as organisations implement the law and as consumers raise questions or concerns, and I am hopeful that issues will come to light and there will be further guidance or further opportunity to solve issues in the right way. For us as an entity, one of the things that’s been fairly labour intensive and burdensome has been the section on “sale” of information, because it has been such a broad definition that is not necessarily one that is intuitive to a consumer, and this has caused us to do quite a bit of investigation to make sure that we are getting through and identifying all potential pieces or all potential opportunities that we need to be transparent with. Added to this, when you have a broad sweeping law like the CCPA, which takes a blanket approach to try to solve everything for all sectors with one set of rules, there may be practical implications and it can cause other challenges that may have been unforeseen. Therefore, we are still trying to properly understand how it is going to affect all activities and projects, in particular as it pertains to medical research and to activities mandated by the FDA with respect to oversight of the use of our medicines.
Do you think companies have been given enough guidance to prepare for the new law? Do you feel you have been given enough time to adapt the company’s policies?
Zoe Philippides: I’m not sure if companies have been given enough guidance just yet; I think it will become more apparent to us as we see where things start to move forward.
With regard to being given enough time to adapt, I’m still not sure. Though full enforcement of the law is not expected to begin until July 2020, once something is raised to an organisation they have 30 days to cure it, and I think that is a great opportunity because there may be things that are highlighted that an organisation may not be aware of yet, so giving them the time to review the issue and deal with it is key. There is also a look-back period of 12 months within the law, where you can go back to spot issues, and there is an opportunity to share and deal with these. For me as a privacy officer though, it’s working with the team as well as seeing where other organisations are going to understand what this all means, all while trying to be proactive and solve any “issues” before they actually become issues. Whether an organisation is in good shape will depend, in part, on the ability to learn and develop best practices and processes, including leveraging programmes, platforms and technologies, as well as seeing what best practices other industries or sectors have identified.
Some members of the legal community have highlighted that the new law may result in companies facing a higher risk of litigation. How are you going about preparing to ensure these risks are mitigated?
Zoe Philippides: I would agree with that statement, and the way that we at Amgen are choosing to mitigate this risk is by utilising our principle-based privacy programme and ensuring our practices, our procedures, our processes are in place as required. In addition, we have embarked on a great deal of awareness training across the organisation and trained many different groups to ensure that things are raised quickly to the privacy office, so that we can fully resolve those issues as soon as they arise.
There is a huge emphasis on awareness internally because the faster the issues are raised, the faster we can resolve any issues or provide guidance as to why something may or may not be a concern. While awareness campaigns can sometimes mean that people over-index and raise everything because they are worried, we would rather this happens so we can talk about it and solve it together. It’s about making sure that we hit the right level of sensitivity so that people are not panicking, but they are raising things quickly so that we can solve them quickly.
How important would you say that employee training and raising awareness is with regards to preparation for the CCPA?
Zoe Philippides: I think it is really important because we have over 20,000 employees at Amgen and the privacy office has 10 people, so if we do not leverage our relationships and our staff members in the right way, things may be happening that we would not know about. Training and awareness are really important, so we involved our HR department in the process to assist with collaboration between the different groups.
There has been some talk of other states implementing similar bills across the US. For example, New York has been considering legislation that would be broader than the CCPA. Do you think that individual state laws make it particularly challenging for businesses and do you see a need for a federal law?
Zoe Philippides: Obviously if there is a federal law, it certainly helps global companies or those that operate across state borders, and it would be incredibly helpful to have a more consistent approach or standard, especially since I think there were around 14 states that had raised privacy legislation at various levels or stages in their legislatures. On the other hand, while a federal law would certainly make things a bit more simple, assuming pre-emption of state laws, we also operate across the globe and we are pretty comfortable operating in different places with different laws, making sure that we are compliant. However, the varying laws and complexities across the globe require a fair amount of resources.
Do you envisage any sort of conflicts with the existing laws such as the GDPR?
Zoe Philippides: At this point in time, I have not seen anything that has caused conflict between the GDPR and CCPA, which is a relief. I think, because of how the GDPR came into effect in 2018, we had the two years prior to get ready for it – this time helped us hone the programme and make sure that we were in good shape. Also, the work that we did to ensure compliance with GDPR definitely put us ahead of the game for CCPA, which is great. Despite this, one of the things that makes the job fun and interesting is that there is always work to be done and there are always opportunities to do things better, so we are constantly looking at that to try and stay ahead of the game, rather than behind.
Finally, if you had any tips for compliance officers or privacy professionals on how to adapt in the best way possible, what would be your advice?
Zoe Philippides: I guess the best practices are to make sure that you are out there listening to folks in the business as well as across the industry, but also to ensure that people are aware that there is a place to go for questions. This is part of the training and awareness side of things, because anybody that is trying to do something like this on their own will run into challenges because it is a huge task. You should leverage relationships, teams and groups and use their areas of expertise to help you further advance your goals for CCPA compliance.
I think that the law is an opportunity for organisations to make changes that are the right thing to do. You must be proactive, because if you are just waiting to be reactive to the law, then you will miss opportunities. You can never feel 100% ready, but I feel like we have definitely made good steps and we are in a good place, but we will continue to work to ensure that we stay ahead of the game.
Zoe Philippides has been at Amgen for almost 15 years. She first started as a senior counsel in the legal department specialised in litigation, but was later appointed to the position of chief privacy officer in 2015, where she now leads a team of 10 professionals across Europe and the US. Prior to joining Amgen, Philippides spent almost five years as an associate at Seattle firm Perkins Coie LLP.