|
We're thrilled to bring you the highly anticipated Part 2 of our exclusive interview series on Navigating Data Privacy. Join our Chief Revenue Officer, Lori Paikin, as she delves deeper into the complexities of data privacy with renowned legal expert David Bertoni from Brann & Isaacson.
Part 2 of Navigating Data Privacy offers a deeper exploration of key aspects of data privacy that every marketer should be aware of. In this insightful continuation of the interview, Lori and David explore advanced topics and provide further guidance for marketers in navigating the ever-evolving landscape of data privacy.
Get ready to gain even more valuable insights and actionable strategies that will empower you to protect data, maintain compliance, and build trust with your customers.
(Podcast Transcript)
(Music)
Lori:
Hi, everyone welcome to part 2 of our special edition Two Gals & Some Data with David Bertoni. As we discuss his white paper, An Advertiser's Guide to Data Privacy in 2023. David lets just pick up right where we left us. I think I know the answer to this next question that I'm going to ask you. Many of our customers also have an international component to their business forcing compliance with international regulations like GDPR. And so, I'm curious how you think the state of consumer privacy in the US rates in comparison to others worldwide.
David:
GDPR is a good example. The Europeans have this paternalistic notion about government and really have created an activist regulation that really has no concern over its impact on private business. And there's a trust in government on the part of Europeans that Americans have never really shared, it's one of the reasons that we broke away in the first place. I think unfortunately America is coming around to a European model, and I say that it's unfortunate because one of the things that I think we're going to watch closely for are laws, for example, that require consumers to have the right to go into your files and delete things, even things that are material to your business like sales records. And that's a really dangerous proposition because those sales records and your obligation to maintain them and the uses to which they can be put are quite important.
For example, if there's a product recall and you need to identify the individuals who purchased a product, having a right of consumers to delete that history is dangerous. And the reason those kinds of rights exist under GDPR is that in Europe along the same path that there's this remarkable trust in government, there is a remarkable cynicism about business. The presumption in the EU through its board of governors is essentially that businesses are looking to harm you and therefore you have to have superior rights to prevent that. Where I think in America, it's quite clear that the only thing businesses generally want to do is to provide you something that you wish to buy and find a way to get that information to you to see if you're willing to use it not to cause harm to people. I'm worried about Europe's values getting transmitted to America through these laws.
Lori:
Yeah, I think that's a really interesting point that you bring up because, again, I'm going to date back to my days from working at Abacus and DoubleClick, but at that time, there wasn't any real privacy regulation established for online advertising. And I remember our guidance was always to provide consumers with Notice and Choice. I mean, I just remember Notice and Choice being beat into our heads and having those conversations with our clients, but today there's so much more. And you mentioned having the right to access data, right to correct their data, right to be forgotten, right to not be discriminated against for taking some of these stands. And just like with Notice and Choice, we start to get that ingrained in our thinking that these clauses, these criteria make you privacy compliant, but speaking for myself personally, I've really not given thought to the implications of each of those.
The example that you just gave about giving a consumer or right to access their data and correct their data or delete their data could have much greater implications to the business as a whole, that has nothing to do with privacy or respect for consumer privacy.
David:
Yeah. And I think that a lot of this is traceable back to the Obama administration. The Federal Trade Commission began talking about privacy regulation preventing psychic injury. Up until that point, the government was principally concerned with tangible injury, did someone steal your identity? Did someone empty your bank account? Did someone use your likeness for profit and deny you the ability to control that? But the sea change began when harm began effectively transmuting into this psychic injury. It's almost impossible to prove psychic injury and it unleashes the potential for laws that do no real harm to anyone other than your feelings might be hurt. And I hate to be so crass about it, but once feelings are hurt, then all behavior is off limits because there is one person whose feelings are hurt and probably 100 million for each action you might take. And so, a lot of internet sellers were caught by surprise because they were careful to do things that caused no harm to people, but then suddenly they were inundated with requirements that created this amorphous standard.
So I'll give you an example. Once DoubleClick had separated identifying information from online information, that in theory solves the problem, it solves the problem of someone who's concerned about what they do being surveilled and connected to them. But that's ancient history right now, that's almost a question that has faded in significance because now states are defining personal information so broadly that it doesn't really even necessarily identify a person. There are categories.
California has essentially in one context determined that a ZIP Code is personal information, even though a ZIP Code has never been thought of that in any other context. And so, you're forced to look at these laws through a prism that is almost like looking through the looking glass because it's hard to figure out what the harm is and how to protect against that harm other than to shut down your business.
Lori:
I am going to ignore for a second that you referred to my time with Abacus and DoubleClick as ancient history. I'm forgetting about it. Don't worry.
David:
Feels that way. It's not.
Lori:
But because you mentioned that, I have given a lot of consideration just to how online data is treated, how offline data is treated. It's interesting how you talked about a ZIP Code, but are there any other things that you could share that we should be thinking about, about how online and offline data is treated differently or similarly? Back to my days at Abacus, again, advertisers were contributing offline data, they were contributing names and addresses, they were contributing full transactional information that was going into a shared database and then was getting leveraged for everybody, but that was all offline data. Today, we have online data and it seems that there are very different guidelines, restrictions, different ways that we need to be thinking about and treating online data. Is that right?
David:
It is, and for the longest time, the data protection rules left this offline behavior completely untouched. And the greatest irony for those of us who were working with the mail order industry, and then found ourselves segueing into online was that a lot of the things that were getting the press and the government all exercised were things that had been going on for decades in the mail order industry, and these shared databases, these collective databases were and are very similar in functionality to what companies like Facebook and Google may do when they're doing online advertising, using information about household size, using information about geographic location, and then combining it with actual interests that are shown by people, by the websites they visit, etc. It didn't really concern the press before all of this online focus in part because it's one of those things that cries out what is the harm. Companies were using that data in order to determine whether to send someone an advertisement.
And it always struck me as having been caught in this shift from pre-online to online world that for some reason the government saw it as an opportunity to shift the focus to private companies as opposed to what the government was doing with data. And so now online, the equivalent of these cooperative databases has been demonized by the popular press and has been demonized by class action lawyers, even though it really can be highly privacy protective, just as it was when catalogs were being mailed, and actually does a real public service, it gets people information about things that will make their lives better, and so it is a big shift. And that's one thing to keep an eye on with these new laws that are coming into place because they are now blurring that distinction.
And so you used to be okay under California and federal law. For example, the Children's Online Privacy Protection Act, the federal act only applied online, so there was nothing stopping someone at a children's store collecting information, having children fill out forms, etc. Now we're seeing those merge together, and so multichannel retailers are going to have to now begin, if they haven't already, thinking hard about universal practices that apply to all of their channels, not just online. And gathering consent, by the way, offline is an entirely different animal, there isn't this box you can check, there isn't a notice you can provide easily.
Lori:
Yeah, that's right. We asked our clients what is the biggest concern that they have about privacy, and the number one response that they gave us was around the proper handling of opt-outs and do not mails. They understand the importance of securely sending that PII data, but can you share anything about what's acceptable or how these requests should be managed? Any thoughts on that?
David:
Yeah, I do, and this is an area that went unregulated for a long time and industry tried to do its best to come up with its own practices. We are now reaching a point that I think best practices require, and it can't be implemented in all cases, but some direct presentation to the consumer of how to find out information about privacy practices. There used to be a standard in the industry going well through the 2020 even where every website had a privacy policy link on the bottom of their page and people knew to go there, that's not acceptable today given the way things are changing. I encourage people to think beyond that old paradigm, not only because I think that you'll want to be as upfront as you can. In the face of all of these laws, your principle, frontline defense is to demonstrate to any regulator that comes knocking that you're making a good faith effort to inform your customers, and customers are becoming more used to having these pop-ups appear, they're more used to having choices in hyperlinks being presented to them.
If you're absolutely risk averse, having a box that has to be affirmatively checked, if not a requirement now, I think is going to become a requirement and you may want to get ahead of the curve on that and be able to retain that information. One of the problems that I have clients dealing with right now is what happens if you have a consumer that changes their position on multiple occasions as to what they agree to and what they don't in terms of marketing, you're responsible for keeping track of that. And so, every time someone places an order, they may check a box one time and not check a box the next time. It can become quite difficult to do that, and we've got a new suite of telemarketing laws that are in process too.
Florida has one that effectively requires you to have a form of consent that you may not even be able to get online, that's being tested right now. You've got a push by some states to require offline consent, much like the biometric privacy cases you've probably read about that people get trapped in because they don't have written consent leading to some absurd results like the theme park that got sued because it was taking pictures of children so it could identify them if they were kidnapped and they got sued, and for a very large judgment, over failure to have consent. So, I urge clients to push the envelope as far as they feel comfortable with getting some clear recordation of consent. It isn't going to guarantee them a clean bill of health, but it helps when a regulator comes knocking to show that you've made a fairly conservative effort to try to prove consent has been obtained.
Lori:
Yeah. I have one more question, a two part question for you. Within the industry, I think it's fair to say that advertisers are concerned about how advertising will change with new regulation, how that will impact their businesses. One example is the looming loss of the third-party cookies, it's a valid concern. I think we all know today that when that happens online advertising as we know, it's going to be very different. What do you think the next newest imminent landmine will be for advertisers to look out for?
David:
I think that to the extent that there's any technology that replaces cookies, therein lies the next landmine. There were these cookies that they weren't technically cookies, but they were effectively technological ways of avoiding cookie settings and browsers, they were these permanent cookies that got set in the browser, there was no easy way to erase them. That's the real risk and that's the real problem.
And what I would recommend is that before you enlist any person to help you market, make sure that they understand the legal lay of the land, make sure that you have a good conversation with them about what is will be collected, how it will be used so that you understand it, and if they're using any new technology to describe it. Because I think the risks are you've got a bunch of very hungry wolves who see the departure of the third-party cookie as evidence that there is misconduct afoot, that their view is that the only reason you would get rid of third-party cookies is because web browsing software allows consumers to control third-party cookies, and so that anything you're doing to maybe replicate that functionality is almost per se evidence of some nefarious motive, even though it really isn't.
Lori:
Yeah, absolutely.
David:
But that's where I think the risk is. Then the other area which I would recommend people be very careful about is if you've got video content on your website, we're now seeing a flood of lawsuits under the Video Privacy Protection Act, which was created, and you may remember Judge Bork when he sought confirmation to the US Supreme Court, this was in the 1980s, Judge Borks rental history was obtained by the City Paper, which was one of these local free papers, and Congress moved very quickly to make it illegal to collect the name of a person along with any titles that person might have read or rented because it was made public. I didn't recall what Judge Borks watching history was, and I kind of assumed it was probably pretty anodyne compared to what children are watching online today.
But I went back, and he actually was a cinephile, these were all great movies, and so I think I figured out how the Video Privacy Protection Act came into play. A bunch of the senators and congressmen suddenly got worried that their salacious video rental histories would be exposed. And so now, you've got plaintiff's lawyers who are suing every online seller that has video content, even if they don't have subscriptions, even if they're not selling the video content. So you go to a clothing retailer that has a little video showing people frolicking in their clothes, your potential target for this act, and often the video titles are embedded in the URL. So if you've got any kind of third-party communication going on, the titles of those videos will be transmitted. So that's another area to be very careful about.
Lori:
Oh, sure. Video is very big within market[inaudible 00:30:15]
David:
It's everywhere, right?
Lori:
It's everywhere now. Yeah. Only fair then to ask you the flip side, what is the biggest point of optimism that you have? What can advertisers get excited about?
David:
I think advertisers can get excited about what is sort of the flip side of this growing mass of inconsistent, ridiculous state laws is that it may give us finally a federal set of rules and standards. And I urge everyone who's in this industry to work with their lobbyists, work with their trade organizations, go to Congress and present something that makes sense, and for goodness's sake, don't include a private right of action in it because that's where most of the problems arise. There'll be pushback from lawyers, but that's okay, they're used to the pushback. But I do think that this is an opportunity, like CAN-SPAM was, to seize the day and maybe in connection with this upcoming election, there may be some appetite to finally put an end to all this state meddling.
Because I can tell you something, California started off in a fairly mild form in its first online privacy law a decade ago, and this new California Consumer Privacy law is getting trimmed systematically of the things that protect online sellers. For example, they're getting rid of this cure period. California had a period where they'd notify you if you had a problem under the law and give you 60 or 90 days to fix it, that's going away if it hasn't gone away already. We're watching these states now incrementally change these laws to make them more aggressive against consumers, and it's really time for Congress to act, and a good case can be made to Congress that's going haywire if they don't get involved.
Lori:
David, I said optimism, to give us optimism.
David:
Well, I'd like to be optimistic about this area. I'd like to think that the public would eventually realize that it isn't private companies that they need to be worried about, it's the folks who surveil them and can put them in jail that they need to be concerned about. But I think that the appetite for these kinds of online lawsuits and regulation, I think that we're reaching a point where people will begin to pull back. I always think that there's a balancing that goes on and whether Congress plays a part or not, I think people will eventually say enough is enough, because it will interfere with their ability to do the things they want to do and to buy the things they want to buy.
Once you've dealt with companies that can understand what you might be interested in before you may even realize it, it's actually a great thing and providing you with solutions that you wouldn't have found on your own. So, I think at some point, there's going to be a balancing, but as long as 99% of lawyers make the rest of us look bad, I think that there's always going to be some problems and reasons for being a little pessimistic, but we're working on it.
Lori:
I think that's fair. We are actually up against time, so perfect time to end our discussion. I was promised in advance of this call that this would be one of my favorite calls of the week, and it absolutely was. So thank you, David.
David:
My pleasure.
Lori:
Thank you for participating in this special episode of Two Gals & Some data. If you want to read the white paper, please go to www.brannlaw.com or www.navistone.com. And if you'd like to read more from us, check us out at navistone.com/blog. And if you enjoyed today's show, head over to iTunes and leave us a five-star review. Thanks for listening, and thanks again, David.