The privacy-law landscape is just too big for anyone to follow the current laws and the bills working their way through state, local, and federal legislatures. Yet failing to keep up can cost you dearly.
Joanne is chief of California's Office of Privacy Protection. I spoke with her recently after meeting her at the International Privacy Professionals conference. She's a very well-respected and -liked privacy professional. She's also the perfect person for the job. Her role and that of the Office of Privacy Protection isn't enforcement or regulatory. Its mission is to protect and promote privacy. It's Joanne's job to provide an interface between government, business, and consumers on privacy issues. She's essentially the "privacy guru" for California.
Happily for consumers, Joanne sounds more like a privacy advocate than a government official. And her belief in being accessible and finding practical ways of building improved and realistic privacy practices is good for business.
The Office of Privacy Protection's Web site is a first stop for most privacy professionals when trying to understand California's privacy laws and recommended best-practice guidelines. When new laws are proposed or adopted, the Office of Privacy Protection pulls together a group of advisers from the advocacy, education, and business communities to help create best-practice guidelines and view the practical side of compliance.
Some respected privacy professionals, such as Privacy Clearinghouse's Beth Givens, are always invited to advise on the best practices. Others are invited on a onetime basis. Joanne welcomes those who want to be more active by providing input. She notes that in these days of fiscal belt-tightening, volunteer experts who can devote the requisite time for virtual and telephone meetings and travel for one face-to-face meeting are essential to delivering on their mission.
It's refreshing that Joanne came from marketing, not a law firm. She's known for her ability to take unintelligible laws and make them understandable. She advises that businesses communicate with their customers using privacy messages crafted by their marketing and communications staff, not their legal staff. Once drafted, the lawyers should look over the messages and make sure that they're accurate and complete. But the lawyers should not be drafting the message.
In describing what takes up most of their time (the staff, because of budgetary pressures, has been reduced from eight to five, including McNabb), Joanne says they're frequently seen as "Breaches 'R Us." The recent California breach-alert law (Notice of Security Breach, Civil Code Sections 1798.29 - .84) requires that businesses notify consumers of any security breaches involving their personally identifiable information (see story, "The Law Itself"). Consumers who have received notices of security breaches can call to figure out what the notice means and what they should do to protect themselves. Businesses contact them for help on preparing and sending the notices. While Joanne's office is not permitted to provide advisory opinions, it can point everyone to its helpful guides.
A very thoughtful and complete FAQ can be found at the Office of Privacy Protection's Web site. The guide advises consumers about the first steps to take in the event they're notified of a privacy breach involving their personal information. They're advised to contact the three main credit bureaus to post a fraud alert and given the numbers and instructions on voice mail use at the bureaus. They're even taught how to read the credit report when it arrives. The site also contains one of the best identity-theft link and resources pages I've ever seen. If you need help dealing with a case of identity theft and can't figure it out on your own, you can contact WiredSafety.org for one-to-one help.
Parry Aftab is a cyberspace lawyer, specializing in online privacy and security law, and she's also executive director of WiredSafety. You can read her blog or visit her at aftab.com.