Katriel Cohn-Gordon, Meta
Imagine you want your test suite to pass for all commits. Would you create a Test Review process where all teams answer a Tests Questionnaire and submit screenshots as proof, which are then reviewed by Tests Engineers? Obviously, only a maniac would do this: it works, but is much more annoying than a pre-commit hook.
Many companies have some form of Privacy Review. You start with "we'll figure out the requirements", and then ask "did you integrate with deletion tooling?", and before you know it you have screenshots of tests. We can improve privacy and remove manual processes by defining requirements upfront and checking them automatically: you just need to translate engineering language ("write a script that checks all relevant data is delete-able") into compliance language ("mitigate Deletion risks by verifying Key Control Indicators for the Deletion Framework Controls").
We spent the last years at Meta making this change to our Privacy Program: we reduced ad-hoc human decisions in favour of upfront requirements and systematic verification, making our Privacy Reviews both faster and more effective. Out of ~500 requirements, roughly half now rely on automated verifiers. In this talk we'll explain how hopefully you too can do the same!
Additional author: Ben Fonarov
Katriel Cohn-Gordon is a software engineer on Meta's Privacy Infrastructure team, where he has worked on data access rights, data transfers and portability, cookies infrastructure, deletion, and other Privacy topics. Before moving to Meta he wrote pen-and-paper proofs for secure messaging protocols, and still dabbles in end-to-end encryption topics such as accountability for Javascript cryptography. He lives in London with his partner, a pea-brained black cat, and a large collection of houseplants.
author = {Katriel Cohn-Gordon},
title = {Privacy Review for {Non-Maniacs}},
year = {2026},
address = {Santa Clara, CA},
publisher = {USENIX Association},
month = jun
}