Why privacy policy should shift left

June 29, 2022

Shift Left Privacy: How to successfully scale


written by Chris Handman, Co-Founder & COO

In this installment of our series on how to help your company shift privacy to the left of the product deployment timeline, I want to talk about some of the places your progress might stall as you build and grow, and how to avoid those roadblocks.

Growin’ ain’t easy

There’s no avoiding this reality: Scaling can be a glorious mess.

As I mentioned in the first two blog posts, it was 2014, and I’d been hired as Snap’s general counsel. After a privacy misstep, Snap had just entered a consent decree with the FTC. It mandated that we create and operationalize a privacy-by-design program, one which the FTC would audit for the next 20 years. Back then, we didn’t have many options for tooling. We borrowed generic tools built for functions other than privacy. But eventually, those tools collapse under the weight of a program that’s rapidly growing.

Back then, Snapchat had fewer than 100 employees but tens of millions of users growing by leaps and bounds, who were sharing hundreds of millions of photos and videos every day. To keep up with this meteoric growth, the company began onboarding scores of new employees each week — sometimes as many as 70 — all of whom needed to understand our privacy-by-design program on day one. That’s to say nothing of the acquisitions we were doing, which required us to train hundreds of new employees at once.

We had to build the plane as we flew it.

But we knew the plane wouldn’t even take off if we reflexively followed the usual privacy playbook. That’s because privacy then — and too often still today — sat in its reactive compliance silo. There, privacy was consulted rarely, if at all, before products shipped. With the FTC audits we faced, that privacy-as-usual playbook wouldn’t do.

So we literally rewrote the playbook. We realized that for privacy to provide the rigor we needed without slowing down the relentlessly inventive product minds at Snap, we needed to weave privacy right into the fabric of product development. In other words, it was time to shift left.

To do that, we relied initially on generic solutions that we could leverage to get the plane off the ground. Specifically, our team created one “tracker” for every launch coming down the pike, as well as ways to notify the teams that needed to review them. The ugly truth is that we had a Google sheet with 100 tabs. But it worked. With a few tweaks here and there — backed up by a wonderful culture of privacy promoted by the CEO on down — we were able to perform 5,000 (not a typo!) privacy reviews a year without ever slowing Snap’s product roadmap.

To do that, we implemented several strategies to promote success. The following tips could help any organization quickly scale their privacy program.

Learn how to roll out pre-deployment privacy

Maintain uniformity and consistency

It’s essential that you establish a shared language. Otherwise, you might have six different people referring to the same type of data – user email vs. email vs. account email – in six different ways. Create a data classification glossary and share it with your stakeholders. If you’re all using the same terms, the less likely a privacy misstep occurs because of a simple misunderstanding. 

Create institutional knowledge

Once you’re all speaking the same language, you should start building a history. As you know: Much of privacy isn’t black and white. There’s a lot of gray. But if you comfortably anticipate that ambiguity, you can empower your teams to paint with primary colors that run true with the law.

One complication is that many privacy decisions are made in one-off interactions. So you can and should record decisions in a product spec. It’s important to take that information and consolidate the important points in a shared resource, like a wiki, so you can start building institutional knowledge. I should mention here that part of the reason we founded TerraTrue was to automate this process. Inevitably, deliberations on similar data sets will ensue. If you’re documenting the what and the why of decisions as you go, you’re empowered to build on your previous work, and you allow project managers insights on how to plan in the future. That eliminates having the same arguments or deliberations on a loop.

Without a centralizing force or hub to help your team understand what the rules are, you start having sidebar conversations over email, and more stand-up meetings. It invites the same manual processes of yesterday, and the program starts to realize diminishing returns.

You can only achieve scale without slowing down the business if you’re leveraging the hard work you’ve done in the past. In addition, there’s no faster way for the business to lose trust than providing inconsistent privacy advice over time or across reviewers. Find a central repository to distribute historical decisions, and maintain that in real-time.

Forum shopping is a no-no

You might have heard the term “forum shopping.” Sometimes, lawyers aiming to win a lawsuit aim to try it in a state that might have a more favorable precedent. In a similar way, this happens within companies’ compliance functions.

For example, a product manager might know one privacy counsel is more permissive or more risk-tolerant than others when one of privacy’s many gray areas rears its head. And with the pressure to ship being what it is, that PM might seek out the permissive lawyer for this one product.

As your teams and programs grow, they’ll inevitably become more decentralized. It’s harder to enforce cross-team rules on data uses. It’s not that it’s often nefarious in nature, but it can sometimes be difficult to communicate across a dozen or so teams how one legal voice came down on one issue versus another.

In the next installment of this series, we’ll talk about how to evaluate your growing program’s success and what kinds of metrics you might use to do that.

About the author:

Chris Handman, Co-Founder & COO

Chris Handman

Co-Founder & COO


Before co-founding TerraTrue, Chris was the first General Counsel at Snap, where he built the company’s legal, compliance, public policy, and law-enforcement teams. During his time there, Chris developed a transformative privacy program that coupled rigorous review with tools and systems that were nimble enough not to restrain the relentless pace of execution. Chris is a Homeland Security Project fellow at Harvard’s Belfer Center for Science and International Affairs. And he’s constructed two crossword puzzles that have been published in the New York Times (one of which was featured on the Colbert Report). He graduated from Yale Law School.