Lorenzo Robleto is an Adjunct Professor at the University of San Francisco, School of Law, and the Legal Director, Head of Privacy, at DoorDash, where he leads the company’s global privacy team. The team’s responsibilities include incorporating privacy into new business initiatives, developing controls that align with domestic and international privacy laws, and partnering with the company’s cybersecurity team.
He was previously Privacy Counsel Senior Manager reporting to the SVP of Worldwide Privacy (former FTC Commissioner Pamela Jones Harbour) at Herbalife, where he managed a US privacy team and regional privacy liaisons. Prior to that, Lorenzo was the first in-house counsel at Inflection (now a Checkr company), a data and technology company. There, he worked cross-functionally with data scientists, engineers, and product teams to implement a privacy-by-design strategy.
While in law school, Lorenzo became the first legal intern for Yahoo’s Washington D.C. Government Affairs Team and focused on addressing the Electronic Communications Privacy Act. He also interned with the San Francisco City Attorney’s Office, where he researched and advised on police-worn body cameras.
A certified privacy professional, Lorenzo graduated from the University of San Francisco, where his privacy focus earned him a certificate in Intellectual Property & Technology Law. He also serves on non-profit boards including Juma Ventures, a non-profit social enterprise that aims to break the cycle of poverty for youth, and the Mission Cultural Center for Latino Arts, a non-profit that seeks to promote, preserve, and develop the cultural arts that reflect the living traditions and experiences of the Chicano, Central and South American, and Caribbean people.
Q: It was great to meet you at the IAPP’s Global Summit 2023 Tell us about your background. How did you get to be the head of Privacy at DoorDash?
Thank you. It was a pleasure meeting you in person after crossing paths virtually.
I was in law school when I first became interested in data privacy, after taking a class called Information Privacy. I found the topic fascinating and timely. At that time, people were beginning to transition from desktop to mobile web browsing—to access the internet via smartphones. I thought that with people constantly connected, this could be an important space. I was also intrigued by the complexities of privacy issues and how the field was constantly evolving.
So I focused my entire legal education on privacy. I took all the courses I could find and leveraged any opportunity presented to deepen my knowledge, whether attending events, writing on the topic, or listening to experts speak on the topic. I also tried to gain practical experience to complement my studies. I got lucky and had some great internships that opened doors for me. First I interned at Yahoo!, where I did a lot of privacy work around electronic communications, and then, at the San Francisco City Attorney’s office, which was evaluating how to roll out police-worn body cameras. All of this launched my career in privacy.
After law school, I went directly in-house at the tech company Inflection (now a Checkr company). Inflection was a data technology company offering various products, including a background-check and identity-authentication service. Having just graduated, a lot of my knowledge was largely academic. In this job I was embedded with engineering and analytics teams, which really shed light on the privacy issues at play. I began to see how privacy intersects with technology and business, and that was enlightening. This hands-on experience in-house was pivotal in my career.
Next I went to Herbalife and learned from my amazing mentors, Pamela Jones Harbour (former FTC Commissioner) and Kim Richardson (who is now the Chief Privacy Officer at Verily). This too was great: GDPR was just coming out, and I learned from very experienced privacy practitioners about what a global privacy program should entail. We built their privacy program from the ground up and launched it in numerous countries.
In 2019, I wanted an opportunity to use my experience to build a program from scratch. DoorDash presented me with that opportunity and hired me as their first privacy counsel. I was asked to build out their privacy program, but as happens in any small company, I initially found myself doing a lot more than just privacy. I was counseling on all products, advising on marketing issues, managing the intellectual property portfolio, and much more.
As time went on, though, and as the legal team (and the company) grew, I was able to focus more on privacy. We continued to build up our privacy program, and along the way we hired some amazingly talented folks who took us to the next level and helped build what we have today. It’s something that I’m really proud of. We’ve put a ton of work into building a host of privacy controls for users, developed internal policies and procedures, obtained SOC certification, and put a lot of other things in place.
So that’s a little bit about how I got to where I am today. It feels like a long journey, but also feels like I’m just getting started.
Q: Many people think of DoorDash only as a food delivery company, but the company is broader. What is DoorDash? What does the company do?
DoorDash is a technology company that connects consumers with their favorite local businesses in over 25 countries around the globe.
It’s really a local commerce platform that empowers consumers to order directly from their favorite brands and be connected with a Dasher who will bring them their orders. Most people use it to order from their favorite restaurant, but there’s really so much more to the company than that.
There are grocery and convenience stores on the platform, as well as DashMarts where we stock warehouses and operate as a first-party seller. The platform also hosts entrepreneurs offering virtual concept brands and many other exciting products. We also operate a Platform Services business, offering tools and services that help merchants grow their businesses and reach more customers. There’s so much innovation and development occurring every day that there’s no shortage of fun and exciting projects to be part of.
Bringing it back to the privacy discussion, one reason working on privacy at DoorDash is interesting is because we operate a three-sided marketplace. What I mean is that the company interacts with different user types directly, including consumers, Dashers, and merchants. This means that we are tackling privacy issues from all angles, sometimes operating as a controller and at other times as a service provider. This makes things more interesting, because we have to think about privacy in a range of different contexts.
Aside from being interesting, DoorDash is just a great place to work. The leadership is amazing, and my colleagues are awesome. I’m really enjoying the ride.
Q: Already this year we have seen several states pass new privacy laws. What is your strategy for keeping up? How do you avoid having to constantly reinvent the wheel?
Yes, there’s a lot going on and no shortage of work. There’s more movement and change in the space now than I’ve ever seen previously.
As privacy takes center stage, as issues become more complicated, and as technology evolves, my strategy has been to focus on the common themes across all these laws and build from there.
If starting from scratch, I begin with the highest standard (e.g. GDPR) and break the law down into high-level domains. This would include domains such as consumer rights, vendor management, cybersecurity, training, internal and external policies, data mapping, and so on. After that, I flush out all the potential action items to be completed within each domain, and I stack rank everything in order of priority. This gives me a roadmap and allows me to start developing the foundation for our privacy program.
It’s important to not tackle things piecemeal. If you hyperfocus on one thing, then it’s easy to get overwhelmed and end up with a privacy program that’s very difficult to maintain.
So, instead, I like to think more holistically and aim to build a program that can apply across multiple legal regimes. Ideally, the privacy controls that you implement should scale and be leveraged to address all legal requirements. It’s worth noting that in some cases that won’t always be feasible. But where possible, I’d strive to develop controls that can be applied across as many regions as possible. Doing this makes things easier to manage and also places less strain on the teams building your controls because they’re not having to make changes with every new development.
Regarding staying up to speed with developments, I’ve found it helpful to work with industry groups who share what’s coming down the pipeline, to subscribe to and stay informed through my favorite privacy newsletters, and to connect with others in the space to learn about what they're doing. I also stay vigilant and try to see around corners.
Q: How does your team partner with the business to ensure privacy is incorporated into new technologies and to build your privacy program, give us a peak at what that means for work from the privacy office? What does the privacy pro’s role look like in that process?
This can vary drastically, depending on the specific workstream at hand.
Our privacy team partners very closely with our product counsel team, which serves as the main point of contact for many business teams. This team is trained in privacy and is composed of excellent folks who can handle many privacy matters themselves. Given that the product counsel function is closely integrated with business teams, they are able to pick up what’s coming down the pipeline and flag any issues that need to be escalated to the privacy team. The escalated issues are directed to our privacy counsel function, who can provide the expertise needed to address the issues.
The privacy team spends a lot of time planning goals for the year and each quarter. Where our work requires cross-functional support from teams such as engineering, we try to incorporate our asks into their planning process. We’ll provide them a stack-ranked list of deliverables that we want to be completed that quarter. Some of those asks will need to be scoped out before the ask is made, and that’s where our privacy program management team comes into play. They’ll scope the ask ahead of time to understand what it would entail technically and which engineering resources are needed. That way, when the deliverable is submitted for review during a planning cycle, the engineering team knows exactly what we are asking for. Where asks are approved, we’ll partner closely with the team executing the initiative to ensure that we can help solve any issues that come up along the way and ensure it’s done properly.
I think the goal is to be a trustworthy partner, as in demonstrating that you can help teams navigate complex issues. We’ve built some very close partnerships with other teams, and when you can do this, it makes working with other teams pretty fluid.
Q: The privacy workload has exploded over the last 2 years with no sign slowing. What is your secret for “managing up” that you can marshal resources such as headcount and budget?
I think about this constantly.
Like you said, there’s so much going on, so on the one hand, I don’t want to overwhelm people with too much information—but on the other hand, I need to make people aware of what’s going to impact the business.
Early on, when I’m building a program, there needs to be an initial conversation with management to educate them on privacy: what it is, why it matters, and what it means for the business. This helps everyone get aligned and ensure that there’s top-down support. If there’s not, it’s going to be hard to get anything done.
Once that’s complete, I try to bring people along for the ride, so to speak. I break this down into two parts:
I want to ensure that major developments, issues, and work streams are escalated early on to provide visibility and align with management on the path forward. For example, if you’re starting to operate in Europe, there needs to be a conversation that educates management about the GDPR and what it’ll take to align your practices with its requirements.
Before meeting with them, I’ll perform a ton of prep work. I’ll research the topic and make sure I have a strong grasp on the legal requirements. I’ll also engage cross-functional partners to understand the impact to their verticals: Will it impact their operations? Will they need to dedicate resources towards the project? Are people aligned with any potential tradeoffs? I also like to engage others to ensure everyone is aligned on a proposed path forward.
Once all this leg work is done, I’ll condense this information into a one-page pre-read and schedule a call to educate the essential stakeholders about the issue. At these meetings, I’ll usually share a high-level executive summary, break down the legal requirements and business impact, and offer a proposed path forward that includes anticipated asks.
I’ve found that process pretty helpful, and everyone is usually amenable. On most of these calls I’ll try to spend more time answering questions than speaking. That’s why it’s helpful to do the homework and also pressure test the proposals with others in advance.
Let’s say your recommendation is approved.
The team will put together a cross-functional project plan and send out recurring progress reports that inform management on how the work stream is progressing.
This is helpful for a variety of reasons: It provides visibility into the amount of work being done, demonstrates how you are putting to good use the resources granted to you, and keeps the business educated on how they’re trending when it comes to tackling the issue presented before it.
This is all very tactical, but the visibility and awareness created through these processes are key.
Q: Across the industry, there is an incredible wave of new hiring. What are the top 1 or 2 must-haves when you look at a candidate? How do you know if a candidate is truly “doing privacy”? How much does exactly on-point legal experience matter compared to say project management or ability to craft a simple business solution?
I love this question. I think a candidate having a foundation is definitely helpful. But in reality, we’re working in a field that’s constantly changing. So I benchmark on things that are much different than just years of experience.
Don’t get me wrong. It’s always great to have a ton of experience. But the constant change creates a lot of opportunity for those who want to enter the space.
With that said, I look for someone who has a clear vision along with the ability to articulate how they’d accomplish that vision while navigating any hurdles that may arise. That type of candidate appeals to me because we operate in a space where there’s often ambiguity and uncertainty.
These traits along with others—like being naturally curious and driven—will set people up for success in the space.
Q: What advice would you give an up and coming privacy professional?
I’d seek out great mentors. Attend meetups, join the IAPP, and connect with other professionals in the field. Actively seek out people who inspire you. People who are where you want eventually to be. Don’t be scared to ask someone you admire to spend a few minutes telling you about their journey and what helped them get to where they are today. I think a lot of people are willing to help.
Countless people have been instrumental in my professional journey. Without them I wouldn’t be in the position I am today.
Q: The last several years have seen lots of change especially with covid, WFH, RTO policies etc. How do you maintain team culture? What does ‘culture’ even mean?
I feel like our team has been able to maintain a really tight bond. We’ve really tried to over-communicate. I find myself on calls with people on the team several times a day.
On top of that, we schedule recurring calls and have different skip-level meetings. And we have frequent team meetings where team members share insight into the projects they are working on and everything that’s going into them. This helps everyone stay apprised of what’s going on within their team and how everything overlaps.
We also do a lot of collaboration. We have brainstorming and planning sessions where we all get together to develop our roadmaps for the year or quarter. This helps everyone contribute to our overall strategy and stay engaged.
Then, on top of that, we still get together a couple times a year. We’ll have our legal team, and subteam on sites, and all of these different in-person meetings give us a chance to connect and bond.
Being remote definitely has changed things. But really, I feel just as connected to the team as I did when in the office.
Q: Anything else you’d like to share?
For those interested in the privacy space, I encourage you to dive in. There’s so much opportunity, and the more people we have in the space, the more thoughtful our solutions to the industry’s complex problems will be.
Elise Houlik is Chief Privacy Officer at Intuit. In this role, she drives Intuit’s data...Read More
Meredith K. Grauer is Deputy General Counsel and Head of Privacy at Marqeta, leading a te...Read More
As part of our Captains of Privacy Industry Interview series, Lawrence Brown, Sr. VP Lega...Read More