We recently sat down with Frank Gonnello, Jr., Associate General Counsel at Shopify. Frank has been a working privacy professional for more than a decade. In his current role, Frank handles product, privacy, and AI-related legal issues in Shopify’s product development. His previous experience includes stops at PlayStation and Cruise, where he also focused on privacy and AI-related legal issues.
We wanted to know about Frank’s path into the privacy profession, where he sees the profession headed, and what his life is like day-to-day as a practicing privacy and AI lawyer. The below conversation has been lightly edited for clarity and readability. You can reach out to Frank via his LinkedIn account, located here.
Q: You’ve been practicing as a privacy attorney from shortly after you graduated law school and at a time when the privacy profession was still relatively immature and evolving rapidly. What do you think it was that set you apart that allowed you to break into privacy and obtain a role as an in-house privacy counsel relatively early in your career?
I pursued a Computer Science degree in undergrad anticipating that it would serve as credibility that I’m a technologist at heart and can understand “computery stuff” really well. But I didn’t know about the privacy field at that time, so to gain credibility for in-house privacy work, I got my CIPP/US certificate from the IAPP and frequently attended their events while spending two years at a consulting firm performing privacy audits for Fortune 500 companies. Between my education, credentials, and targeted audit work, I was able to show interviewers I had both the technical chops and the privacy-specific knowledge to help any privacy compliance program.
Q: Do you have any recommendations for early career professionals hoping to break into the privacy profession?
For those just starting out, I highly recommend networking at industry events and picking up jobs—even pro-bono or non-legal consulting gigs—to gain relevant experience before moving in-house. And if you are a lawyer who took the law firm route, try to get involved in any work that you can that speaks to technological competency or data protection.
Q: You recently obtained your Artificial Intelligence Governance Professional (AIGP) certification. What was your motivation for doing so?
At the time I earned my AIGP certification, I was still working at Cruise, which was GM’s self-driving ride-hail service, and much of our product development centered around AI implementation for safer driving and road user experiences. The AIGP served as a crash course on how data governance applies to AI technology development, and it also validated much of what I already thought I understood on such topics. Regardless of whether I remained at Cruise, I knew I was well-suited for working in this space, and it made sense to have a credential to back up what I already viewed as relevant work experience in order to position me well for remaining in this evolving field for the foreseeable future.
Q: You recently changed jobs. Do you feel as though having an IAPP certification set you apart and helped you secure your new role? If so, in what way?
Speaking only for myself here, I think I would probably raise an eyebrow to anyone seeking to practice product or privacy in-house at a tech company that didn’t have either a CIPP or AIGP cert (or some equivalent), unless they had ample experience to justify why this wouldn’t be necessary.
These certifications are relatively inexpensive, but force two things: a baseline understanding in order to pass the exams, and Continuing Privacy Education (CPE) credit requirements that help keep privacy professionals and AIGPs current in the evolving legal landscape. And now, knowing what I know of my current role, privacy is an absolutely critical piece of the puzzle, so I’m confident it spoke to some degree to my credibility, alongside my years of practice.
Q: In your experience, what does the typical career progression look like for a privacy attorney that works in-house for a corporate entity?
There are some standard progression paths, but it can be a little open-ended based on your interests. Corporate hierarchy will still apply, so you could consider the vertical chain to be junior counsel, counsel, senior counsel, associate general counsel, and then director- or VP-level counsel before reaching a General Counsel type role. But many folks take less direct paths, with some opting to remain individual contributors, others seeking management experience, and some leaving the legal path to pursue executive-type roles within the business. And of course, people also leave to join regulatory agencies, consulting groups, and partner tracks at firms. In-house roles help develop very transferable skills and industry experience, so don’t feel locked in if you begin down this path.
Q: Are you part of any professional communities related to privacy, cybersecurity, or AI governance? If so, what are they and how have they helped you advance your career?
I’m an IAPP member, and I think their network is second to none in the Privacy and AI legal space. Everyone in that world recognizes this group as one of the most prominent organizations full of thought leaders, and their resources, events, webinars, and other networking opportunities are incredibly valuable for both the folks just starting out, as well as the seasoned experts. I highly recommend staying active in this community and taking advantage of the resources made available to both members and non-members.
Q: Have you had a mentor in this space? If so, how did they help influence and shape your career development? Do you think having a mentor of some type is particularly important in privacy law compared to other legal practices or professions?
I was fortunate to have a Seton Hall Law professor and practicing attorney steer me towards the privacy world very early in my law career. He also instilled in me the importance of networking and industry group events, which led to more and more influential connections, career opportunities, and my own mentorship opportunities as time went on.
If you don’t have someone like this in your life, I recommend good old fashioned reach outs to folks on LinkedIn—whether or not you have an intro from someone—because people are generally happy to afford time to talk about themselves a little bit and encourage others to pursue a career path like theirs. As much as it has grown, the privacy field is a surprisingly small world, and you will see the same people and names pop up throughout your career. The more positive connections you can build, the stronger your network, and the more learning opportunities you’ll probably have as you grow in your career.
Q: Turning more towards your day-to-day life as a privacy professional, what are the departments or types of employees that you interact with most frequently?
Though it may not always be represented by a company’s org chart, privacy attorneys are really a subset of “product counsel,” with a privacy subject matter expertise. Because of this, I interact with folks responsible for building and designing the company’s products, like product managers and engineers, on a routine basis. But privacy issues touch nearly every part of a business, and so you may find that you’re responsible for supporting things like employment privacy (and interact with your recruiting, HR, and employment counsel), vendor risk management (and deal with procurement and corporate transactions teams), cybersecurity and incident response (partnering with InfoSec and IT), and customer interactions (marketing, communications, and support). It all depends on the particular employer, but be prepared to engage outside of the legal department on a daily basis.
Q: What are some of the types of questions that employees in other departments come to you to answer? What are the most common privacy issues or questions that you deal with on a daily basis?
Because Privacy Counsel always needs a deep understanding of the technologies and data used for any given product feature in order to provide effective counsel, you may find yourself being the go-to product expert for other legal colleagues in areas of commercial contracting, regulatory work, and even IP. Throughout my career, I’ve been asked by many peers “hey, do you know how such and such technology works?” Most of the time, I do, and when I don’t, it’s usually a worthwhile venture to dig in and find out, since the information will inevitably be valuable at a later time.
Q: Beyond the co-workers you interact with, are there any specific tools that you use on a day-to-day basis?
At scale, a robust privacy program can’t function without some kind of tooling to manage DSAR requests. There are many vendors out there that can help with this. The key is figuring out how they can integrate with your enterprise systems, what kind of support they can offer in building those integrations, and how well your internal engineering teams can implement the hook-ins throughout your enterprise. The more automation you can design, the less likely you are to introduce human error into the loop and miss important compliance obligations and deadlines. Privacy lawyers shouldn’t be spending a ton of time on DSAR requests, so the system you use should take the load off your legal personnel as much as possible.
Q: In what way does your role as an in-house privacy counsel differ from when you were previously in private practice?
The biggest change I see is that you tend to become far more connected with a company and its people when you’re working full-time on their business and products. You gain a better, more practical understanding of their needs, their risk tolerances, and how everything fits together when you’re living it day in and day out.
Some outside counsel will act as more of a function of simply stating the law and providing the risk writeup. But as in-house counsel, it’s your application of this info to your business’s unique problems, market position, and capabilities that challenge you and keep things varied and interesting. I also find there’s a stronger bond to the shared mission, and you get to stay with that mission for as long as you remain employed there, as opposed to working on a more temporary retainer basis.
Q: You just mentioned the way that some outside counsel act, how often do you rely on outside counsel to address privacy issues? And what types of issues are you likely to refer to outside counsel?
This is always going to depend on the resources available within your organization’s privacy group, budgeting, and time. The best and most universal uses of outside counsel are when breadth of research is critical. Think things like “we want to expand internationally and need to know what nuanced privacy or quasi-privacy laws will apply to our products or business model in a new country or continent.” Or, you may want to get a second opinion on the first iteration of your company’s privacy policy or user agreements. Outside counsel are great for research, validation, and sanity checks, but they likely don’t have as much context or the relationships with your product teams to be as good an issue spotter or collaborative partner as you can be within your organization.
Q: You’ve now worked in a number of companies that span different industries, including consumer electronics and autonomous vehicles. So, as a related question, how do you think the industry that these organizations are part of affects their approach to privacy and AI governance?
Privacy is a neat field to me because its application spans every industry, but the details of how it applies are constantly evolving. Being a privacy professional is a very transferable skill, no matter the industry you might be in. Organizations just have different priorities that are influenced by the industry. For example, autonomous vehicles had considerable privacy risks related to the volume of cameras, microphones, and other sensor data that would rove major cities, so privacy was prioritized for building community and user trust. In consumer electronics, where there was an enormous user base, cybersecurity and children’s privacy rights were the biggest risk areas.
The good thing about privacy legislation today compared to when I first started in this profession 12 years ago is that there are considerable privacy laws that establish baseline compliance obligations applicable to most companies. Leaving aside certain industries where there are industry-specific regulations, like healthcare or finance, I think industry only really shapes prioritization and risk determinations.
Q: How do you stay up to date with changing privacy and AI regulations? Are there processes in place to do this systematically?
Joining privacy professional organizations like the IAPP is the absolute best way to keep up with changes to the privacy regulatory landscape. In addition to daily and weekly email updates and articles, the IAPP is constantly adding webinars, meetups, and conferences which both educate and serve as Continuing Privacy Education (CPE) credits necessary for any certifications you might hold through the organization. If your company leverages outside counsel at all, you can also ask them to forward you updates they may put out when there are new developments in applicable regulations. If you have just a few feeds to keep you apprised, there will be no shortage of resources to find out about changes, and then you can delve deeper into those which impact your organization using more traditional legal research methods.
Q: With AI regulation newly emergent, do you anticipate that “AI law” will become its own field of practice or be subsumed under privacy law or another area of practice?
I think “AI law” will certainly become its own thing, but maybe not in the way one might expect. Existing laws impacting privacy, copyright, consumer transparency, fraud, misappropriation of likeness, etc. already apply to the technology, even though interpretation and application still need to be figured out. I think for privacy professionals, it will take the same technical prowess and skill for understanding data flows and processing that will be a baseline requirement before applying any other layer of law to these technologies. In that sense, a privacy attorney is already positioning themselves well for tackling the next great tech wave of legal complications.
I think beyond that, “AI Law” itself will need to evolve to keep citizens safe from corporate influence and consequential design decisions that impact these technologies that will permeate every facet of modern human living. The negative impacts of attention- and engagement-optimized social media have already shown us we need to do better as technologies rapidly grow, and I believe legal professionals have a responsibility to uphold that.
Q: As a final question, in what ways do you see AI impacting your day-to-day role as an in-house attorney in the next 5-10 years?
This comes in two forms. The first: nearly every new product feature and internal tool review in every major company involves some use of AI, some foundation model provider, and some component of data ingestion for machine learning improvements over time. If you are seeking an in-house legal role at any company leveraging technology, you’re going to see this, and you should begin familiarizing yourself with how all this stuff works if you haven’t already.
The second: I’m continually experimenting with AI tools myself to make my legal analysis more comprehensive, articulate, and well documented. Today, these tools are very prone to errors, and require very deliberate prompts, calculated use cases, and massive amounts of fact checking. However, I wouldn’t be surprised if in just a few years’ time, these tools become enormously more trustworthy, and the productivity gains that can be had will be enormous when leveraging them the right way. For now, stick to using these tools as a brainstorming partner and a high-level sanity check that you’re thinking about issues on a broad scale. And always continue to do your diligence when drilling deeper into an issue you encounter.