With the increase in data regulations and privacy expectations among consumers, many companies are looking for ways to integrate engineering systems with governance and legal requirements to empower individuals to exercise their data rights.
Policies alone can’t guarantee privacy-protecting outcomes—technical systems are needed to enforce rules and allow consumers to effectively express their privacy preferences.
Senior data governance manager at the New York Times, Kelsey Johnson, and senior software engineer Jacquelyn Wax joined our most recent Privacy_Infra() event to discuss how the publisher built a technical system to honor users’ privacy rights and build more trusting relationships with readers. Watch their full talk below.
According to Kelsey, the Times decided to invest in technology to support privacy due to the complexity of new regulations, both domestic and foreign. Not only can the regulations be complex, but organizations are often given very short grace periods to make the changes needed to comply with new or amended laws.
“Our team of two was tasked with simultaneously discovering our organization’s data, advertising, marketing, and business operations,” Kelsey recalled. “All the while, designing rules and finding ways to make them work across our products. So, two data governance members, over 70 product teams that we had to work with, and five months to figure it out.”
Companies can either adopt a reactive approach to any future changes required—an unpredictable, disruptive, and exhausting strategy—or they can invest in privacy as part of their business strategy. Kelsey said the New York Times opted for the latter. Two years ago they formalized a project called Privacy Users Rules and Regulators (PURR), a technical system that centralizes business rules and logic for instructing products how to enforce privacy regulations.
PURR allows the data governance team to quickly and efficiently adjust user data practices, while simplifying implementation for new requirements across the company’s 70+ products in scope for these regulations. And there’s proof that it works!
“In the summer of 2020, when the United Arab Emirates passed their data privacy law, we were able to get over 60 of our products compliant within four working days with zero roadmap disruptions to product teams,” Kelsey explained. “When Brazil’s privacy law went into effect a month later, it took us only one day.”
Jacquelyn Wax walked through some of the technical details behind PURR including the directives, rules, and architecture behind the scenes.
“PURR has a contract with our 70+ users [product teams] that we have a given set of directives and each one of those directives has a given set of values that the client can rely on,” Jacquelyn explained. These directives are the result of rules and user inputs. They depend on inputs like a user’s geolocation, billing address, and previous opt-out choices. The logic that maps inputs to directives is maintained as a set of rules created by the data governance team.
Another internal system, called ABRA and used for publishing business rules, allows the data governance team to express rules as SQL and make them available to PURR over HTTP.
“We have this PURR platform and ABRA allows the consumption of these rules to be a process that’s completely self-service,” Jacquelyn continued. “It shouldn’t take an engineer to go in and do any work to change rules.”
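The rules-to-directives mapping described above can be sketched as follows. This is an added example, not the Times' code: the table schema, the directive names (`ad_tracking`, `opt_out_ui`), their values, and the priority scheme are all assumptions made for illustration. It keeps the rules as SQL rows, resolves a user's inputs to one value per directive, and falls back to the most restrictive value when no rule matches.

```python
import sqlite3

# Hypothetical schema: NULL in a condition column means "matches any input".
SCHEMA = """CREATE TABLE rules (
    directive TEXT NOT NULL,
    value     TEXT NOT NULL,
    region    TEXT,     -- geolocation / billing region, NULL = any
    opted_out INTEGER,  -- previous opt-out choice, NULL = any
    priority  INTEGER NOT NULL)"""

# Constructed sample rules, maintained by governance rather than product code.
RULES = [
    ("ad_tracking", "full",       "US", None, 10),
    ("ad_tracking", "restricted", "BR", None, 10),
    ("ad_tracking", "restricted", "AE", None, 10),
    ("ad_tracking", "none",       None, 1,    100),  # an opt-out wins everywhere
    ("opt_out_ui",  "show",       "BR", 0,    10),
    ("opt_out_ui",  "hide",       None, 1,    10),   # already opted out
]

# Every directive in the contract always has a value; these defaults are the
# most restrictive ones, so an unknown region or a missing rule fails closed.
DEFAULTS = {"ad_tracking": "none", "opt_out_ui": "show"}

RESOLVE = """SELECT directive, value FROM rules
WHERE (region IS NULL OR region = :region)
  AND (opted_out IS NULL OR opted_out = :opted_out)
ORDER BY priority ASC"""

def load_rules(rules=RULES):
    """Build an in-memory rule store from (directive, value, ...) tuples."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO rules VALUES (?, ?, ?, ?, ?)", rules)
    return db

def resolve_directives(db, region, opted_out):
    """Map user inputs to one value per directive."""
    directives = dict(DEFAULTS)
    params = {"region": region, "opted_out": int(opted_out)}
    # Rows arrive in ascending priority, so higher-priority rules overwrite.
    for directive, value in db.execute(RESOLVE, params):
        directives[directive] = value
    return directives
```

Covering a new jurisdiction in this sketch is a single inserted row, with no change to the resolver or to the clients that read the directives.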
Watch Kelsey’s and Jacquelyn’s full talk from Privacy_Infra() below to learn more about how the New York Times manages privacy preferences across more than 70 products.
Note: This post reflects information and opinions shared by speakers at Transcend’s ongoing privacy_infra() event series, which features industry-wide tech talks highlighting new thinking in data privacy engineering every other month. If you’re working on solving universal privacy challenges and interested in speaking about it, submit a proposal here.