Sourcepoint CPO Sees Struggle to Balance Regulator Priorities and Litigation Focuses
As the privacy landscape continues to evolve, companies may find it difficult to manage regulator expectations of compliance and consumer demands as outlined in lawsuits, said Julie Rubash, chief privacy officer for Sourcepoint, a vendor.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
While 2025 saw an increase in consumer litigation (see 2512310048), it's clear regulators can't be ignored either.
Posting a “cookie banner to address the litigation side of things isn't going to put [a company] into compliance under … the comprehensive privacy laws,” for example, Rubash said. “You can't say, ‘Oh, let’s just pretend we're an opt-in regime now and put up a cookie banner’ and that's it. It doesn't work that way."
The “challenging thing" is that regulators and plaintiffs are “actually addressing different activities.” The California Invasion of Privacy Act (CIPA) and the federal Video Privacy Protection Act (VPPA), for example, “are addressing very specific types of technologies and very specific types of transmitting information to third parties.”
To get consent under either statute, the courts have made it “pretty clear” that a website must be “very specific about what you’re getting consent for,” not just “passive, vague consent to everything,” Rubash said.
But under comprehensive privacy laws, like the California Consumer Privacy Act (CCPA), there are requirements for a “very specific opt-out that is specific to the sale and sharing of personal information.” This is “not limited to the tracking technologies that might trigger a CIPA action,” making it a different calculation.
Businesses “still have to have an opt-out that applies to … all of the other sales and sharing” they are engaged in outside the scope of CIPA, as well as dealing with what is within the scope of CIPA, she said.
“Balancing that out” and having all the different requirements for each law is not only “challenging in and of itself, but … it also creates confusion for the consumer, because they don't necessarily understand" the different opt-ins and opt-outs and "what that means.”
“We’ve seen regulatory action in that respect,” in instances where the consumer may not “necessarily understand that if they say no” to the simple cookie banner, “they're not necessarily opting out of everything else.”
This puts a lot of businesses in a corner where “they're struggling to figure out the right solution,” Rubash said. “There are some solutions, but it really requires threading that needle very carefully.”