This is a rough transcript of a conversation that Steve had with Carlos Melvin, the Global Data Privacy Officer at Starbucks, in June 2020. The transcript has been edited for readability. Italics are used for clarity.
Steve Tout: Describe your role, your background and how it has evolved into the Global Data Protection Officer role, which is your current position.
Carlos Melvin: I started off as a software engineer for a government contractor and then a healthcare company, then Alaska Airlines, and then almost 20 years at REI, and now at Starbucks. While at REI, at one point in my career, I pivoted to become a security engineer and then an architect, and ultimately became responsible for cyber security and privacy at REI. I held that role for almost nine years.
About three years ago, I decided to look for other opportunities. Starbucks reached out to me at that time and ultimately hired me as their global data privacy officer. While at Starbucks, I’ve had the opportunity to build the data privacy program based on the company’s global presence. My early focus was on GDPR, China data privacy, and then Canadian privacy and now US privacy practices, which many people think is new, but there have been a lot of privacy regulations in the US for some period of time. It just isn’t unified under federal legislation. Any area where you think there’s data privacy, or at least there’s the bill of human rights that helps govern how data is collected and used, Starbucks probably has a footprint there, and so that falls within the scope of our responsibility.
ST: The regulatory environment and the data economy being what it is has been favorable for your career, but at the same time, we cannot scale business without having these kinds of security measures and controls in place.
CM: Yes. Then, privacy regulations, as you know, vary globally. What works in the US may not work in the EU. At Starbucks I designed a two-tiered approach, called “Can We, Should We.” One tier is based on global privacy regulations; the other tier of the program is focused on ethics. It’s not just can we collect personal data? It’s really how do we [collect the data], and what’s our ethical posture on that as a company? Both tiers are actively being deployed and governed.
ST: I love that. Let’s dig a little bit deeper into that, if I may. There’s the question on one hand, do you/we incorporate Privacy By Design into IT systems and data ethics into our data modeling, which is the Should We part of it. I love it when global organizations have social responsibility and a corporate conscience — a sensitivity to those kinds of things.
Then, the next half of the question is Can We? But, let’s begin with Privacy By Design. What is your and your team’s sensibility around embedding Privacy By Design principles into your products and your services?
CM: Sure. Privacy By Design, I think it depends on who you talk to, has different flavors, but from a privacy perspective we approach it using global privacy principles. Those principles ultimately get translated into both technology and data governance practices. We follow principles that have been around for at least 10 years with GAPP, and that’s around notice, consent, limited use and limited collection. I’ll talk a little about how that translates into technology and data governance practices.
Our goal is to make sure that any data we collect, that we collect it in a very transparent way and that data collected is used specifically for the services that you would expect Starbucks to use it for. Right? We don’t sell it and we don’t use it inappropriately. We try to make sure that our notices, which is really our contract between Starbucks and the consumer, articulate the data that you’re sharing and that we get appropriate consent for those services. That’s really the relationship part.
Then, from the data governance perspective, we talk about limited use and limited collection, and that gets translated into a whole bunch of different practices. When we say limited use and limited collection, what we’re talking about is we’re only going to collect the data needed to provide the service to an individual. Then, we’re only going to use that data for its original purpose. What that means is that, as we’re collecting this data, we tag it and watermark it, so we know that we’re using it appropriately. That means that the data needs to be centrally… that data architecture is central to design. It’s associated to your profile, so that we know what services you signed up for.
If you decide that you want to unsubscribe from those services, we have that ability. It’s really kind of watermarking all the data collection points. I think it’s really important. We talk about creating this unified identity of a consumer and ensuring that the data we have collected and the service you signed up for are all associated with you in a clear and transparent way. I think that’s really our direction. Like many companies, there’s often an opportunity for data centralization and data minimization practices to be implemented to ensure that we have a clearer view of the data throughout our ecosystem.
ST: With the California Consumer Privacy Act of 2018 (CCPA) and now the California Privacy Rights Act (CPRA) coming up on the ballot in November in California, what are your thoughts about how you might need to flex or adjust as you move forward in this new regulatory environment in the US or in California in particular?
CM: Yeah, sure. I’m a strong believer that regulations are going to come and go, and precedents will be established at some point, so you need to understand what the regulators or the attorneys general have in mind. The idea is you implement a privacy framework and privacy principles, and that’s your beacon of light and that’s what you do. Those principles should be extensible enough to accommodate new regulations, because I have yet to see regulations show up that are really deviating from principles that have been in place in the EU and I think in GAPP, which has been around for, I think, at least 10 to 12 years.
When it comes to CCPA, if you look at notice, you look at consent, you look at transparency of information collected, I mean they’re synced up. You just make certain changes, whether it’s your operational changes from GDPR, which has four to five days to respond, or a DSR, 30 days; you have to make certain operational changes, but the principles are the same. California introduced a couple of concepts such as selling data, and then what are the definitions of selling data? I’ve been in many conversations and seen many different interpretations of what sell means and what it doesn’t mean, etc.
You always need to refer back to the principle concept. I can guarantee that Starbucks doesn’t collect and sell data. Some of these outliers that CCPA has introduced aren’t relevant to Starbucks as a company and are probably more relevant to data brokers, etc. So far, the principles that we’ve designed and implemented, with minor tweaks and adjustments, have been able to be extended into CCPA, and we looked really closely at all the work that Washington State was doing as well. As you’d imagine, other states are at different stages of implementation. We haven’t found significant outliers yet.
ST: Getting to the next logical question, which is what controls are in place, how does Starbucks measure and demonstrate compliance with global data privacy regulations?
CM: It’s highly complex because the regulations vary dramatically. When you have a global footprint, which means that you could be collecting and using data anywhere in the world, you also have a business model where some markets are owned, equity markets, and then some markets are licensed out. You have to come up with an approach that you can have regulatory oversight across all the different permutations of these markets. As everyone probably knows at this point, it’s all about the data. We put a lot of effort in understanding what data is collected globally and how it’s being used and make sure we have structure there.
Now going back to the principle concept. As a global company, you can do a couple of things. You can create permutations of your controls to adapt to every single regulation as those regulations are changing. However, “reasonable security” is set by precedent through civil, legal, regulatory oversight. Things are moving too quickly to adapt controls to newly clarified definitions of “reasonable security” or other privacy controls. What you can do, and this is where I’m going back to our principles concept, is consider personal data [privacy] a human right, which it has been internationally for quite some time.
If you consider privacy as a human right and you put in what you consider appropriate processes and practices and controls to cover all those regulations, I guarantee you’re going to be in pretty good shape. If you need to adapt and change all your processes every time a new data protection authority or AG changes their mind on something, or gets political influence to change their direction, you won’t be successful.
How we approach this is really following those same principles: we know what data we’re collecting, we know how we’re using it, we have cross-border transfer processes in place, and we maintain data privacy assessment processes globally to make sure that we’re consistent with our principles. I think the best way forward for any company is to make a declarative human rights/ethics statement for collecting personal data. Don’t focus on the minimal threshold of regulations; make this really part of your culture and consider personal data as a global human right.
ST: Final question for you, with regards to governance, do you see the trend in decentralization of identity and data management, like self-sovereign identity or there’s a new movement called Trust Over IP, I’m sure there are others, playing a role in the future of Starbucks data management compliance architecture?
CM: Thank you for a little more background. It’s a pretty complex question. I’ll give you my opinion on it and where I think Starbucks may or may not be headed. When you talk about decentralizing identity, whether you’re using BigID, blockchain, etc., I think there are certain assumptions that one can infer. If those assumptions aren’t in place, I think it’s going to be incredibly complicated to do. One is, I think we all know, Facebook and Google consider these identities to be gold, right? Ultimately, they have processes in place, and I don’t think they’ll deviate from them anytime soon when it comes to having those identities.
When I look at a company like Starbucks, we collect information on consumers because we want to make sure we are providing the best service to you, and that’s really our focus. We want to understand who you are, how you buy coffee, how you like your coffee, to elevate our ability to provide that service. I don’t think that some of these other services, i.e. the data brokers, follow similar principles. I think it would fundamentally break their monetization model to come up with a decentralized identity approach.
If they have no financial incentive, then I think they would have such a foundational change or adjustment, which could be good, could be bad, to how data is collected and how privacy is managed. If we said, suddenly, that, “Hey, going forward, there’s no such thing as Facebook ID or Google ID or Google Analytics or Google Ad ID, that we’re just going to have this de-identified structure in place that your personal information is yours. You can monetize it, you can do whatever you want with it, but how you engage with the internet is just kind of this token approach, right? Using blockchain or something like that.”
The question is, when you have all these other companies that are trying to identify you, to know that you’re Carlos and you live in Washington State, do we think they’d be able to adapt to this new paradigm shift? I don’t think they will. I mean, I’ve watched Washington State two years in a row try to get privacy legislation out of committee and fail both times, primarily due to external lobbying. I support the concepts and I’d love to see individuals have more control of their personal data with other companies, but, man, there’s a lot of headwind against that.
Watch Carlos and other executives speak during the Executive Panel at the Nonconformist Innovation Summit.