**Jonathan:** Hey Laura, thanks for joining us today.
**Laura:** Hi JJ.
**Jonathan:** Hey, good to see you. Hey, it’s your first time with us, so tell us a bit about your practice and the areas that you specialize in.
**Laura:** Well, I’m so happy to be here. I am a partner at Kelley Drye, and I’ve worked in the privacy group and do federal and state privacy information security work. My background is at the Federal Trade Commission, where I practiced for about ten years. And so while I do a ton of state work because that’s where the locus of privacy is, it’s really informed by the birth of US federal privacy at the Federal Trade Commission and the work that the FTC continues to do in that space, including the cases that continue to come out of the FTC and the work that we’re seeing there on the regulatory side and the enforcement side. So it’s a really interesting diverse practice both on the state level and the federal level.
**Jonathan:** Recently in the news, BetterHelp, right? Can you share your perspective on that?
**Laura:** Really interesting that the FTC seems very concerned about companies that collect and use health information broadly defined to advertise. And so we’re seeing the takeaway from that is that the FTC certainly is defining health information broadly and seems to be requiring affirmative express consent in order to advertise against that information. So as we look ahead — and we’ll be publishing on this this week — companies really need to be looking very carefully at how they define health information and what they’re doing with health information.
**Jonathan:** You know, Laura, one of the things I wondered about that is — they’re using the FTC Act. Right? Is that first of all, is that right?
**Laura:** That’s correct. Yes. Section Five of the FTC Act. Although the FTC also in September of 2021 published a policy statement about how it’s interpreting its Health Breach Notification Rule, as applied to health apps. But it did not apply that rule in BetterHelp.
**Jonathan:** Is that enough, Laura? I mean, does HIPAA need to be revamped? Or are they kind of okay working within that FTC Act, do you think, for health data specifically?
**Laura:** Yes, such a good question, JJ. HIPAA, of course, applies to certain covered entities and business associates, but largely, as a matter of statute, doesn’t include the app space. And so that leaves the FTC to cover that waterfront. Oh, it’s an example of these gaps that it’s trying to fill at the state level, but also with some of these sectoral laws perhaps.
**Jonathan:** That’s right. Yep. Well, perfect. Thanks. Anything else interesting about BetterHelp? I mean, for us, it’s been about how do you involve marketing in the conversation? And we’ve been hearing a lot that they just haven’t been in it. I mean, not as much as they should. Fifteen percent in some cases is what we’re hearing from places like Forrester. And given BetterHelp, it was an advertising thing, right? It was using that data to advertise into Facebook and other places. Is this an argument that privacy and marketing stakeholders need to work together a little closer?
**Laura:** Oh, yeah, that’s a really great point and a point that the FTC makes in its complaint — that the team that was working on the matter was inadequately trained as it relates to safeguarding consumers’ health information and personal data as a general matter, and that the company needed to provide greater training and safeguards of that information, greater training to its employees. And so that really is an important message for companies just as a general matter — that if you’re collecting consumer sensitive information, again broadly defined, it’s really critical to invest in your human resources to make sure that they understand what’s required to protect that information.
**Jonathan:** And reading the deliverable that the FTC came out with — the consent agreement — I think, which is one of the first times I really kind of dug into one of those — super interesting, jumping into your world a little bit. It was so prescriptive about what BetterHelp needed to do. And one of the things — we try not to talk about the fines because I don’t think the regulatory fines motivate anybody. I don’t think. But looking at how prescriptive they were in that consent agreement — you need to do this, you need to do this, auditing for twenty years — I mean, that in itself should be a motivator, right? I mean, really you should be motivated by the consumer and protecting their data. But if that doesn’t motivate you, that kind of prescriptive behavior from the FTC for twenty years has got you, right?
**Laura:** Well, no, you’re exactly right. I mean, I sat on that side of the table for ten years and there was a lot of criticism of the agency because it didn’t have significant civil penalty authority, but knowing that companies who needed to provide that kind of insight into their practices for periods of twenty years — that can be quite motivating. And of course, important to note that if a company violates that injunctive order, there then is tacked-on civil penalty exposure. So I think that there are significant incentives both for companies under order to comply as well as for there to be signals to industry about what the FTC and its sister agencies in state attorneys general expect.
**Jonathan:** Gotcha. And actually that reminds me — we did a privacy matters conference October last year and someone from the Connecticut AG’s office was there. And one of the things she told us was — we all talk. All the state AGs talk. The FTC and AGs talk. So it’s kind of interesting. They are sharing information, discussing these things.
**Laura:** Absolutely.
**Jonathan:** Hey, we promised last week when we were with Alysa that we’d talk about flow-down requirements on the CPRA. So I was hoping you could shed some light on that for us. You know, we’ve been calling it orchestration, but why use a fancy word when a word like “flow-down” adequately describes it? But what’s the high level on those requirements? What do we need to do?
**Laura:** Right. Well, the CPRA regulations — with California’s Office of Administrative Law until March twenty-ninth or whenever they complete their review — require that rights requests flow down from businesses to service providers, contractors, third parties as appropriate. And so what that means is — for requests to opt out, correct, delete, or limit sensitive PI — the business has an obligation to flow down a consumer’s rights request. And so, you know, from the consumer’s perspective, this makes sense, right? My mom — she’s not in the best position to determine where her information may go after she interacts with the business. It makes sense intuitively, but it doesn’t mean that it’s easy for a business to operationalize on a dime. And so as we’re talking to clients, this is a challenge. It can be a challenge certainly for businesses with complex ad tech in particular. And so, you know, the first step — and this is one I’m interested in, JJ — what are you seeing on your side? The first step, of course, is knowing what companies are collecting, selling, or sharing. It’s no small feat in a complex online ecosystem. And so on the tech side, it’s really important to have your arms around what’s there. So what are you seeing on that side?
**Jonathan:** We’re seeing — I mean, yeah, data discovery as an example. You can’t do that in a manual fashion anymore. It has to be automated. You need to be able to see when systems get turned on and whatnot. The partnership with marketing is important here. That team is usually the one that understands the ad tech environment and where audience segments and data is being sent. So that’s two places to start. Trying to do this manually is just impossible. I know back in the day you had to send an email to somebody at the service provider — you can imagine how that goes. But we’ve built the APIs and kind of technical infrastructure to do this. And one of the things that falls into that is the IAB’s Global Privacy Platform. And you can use that signal as an example. There’s more to it than that, but anytime you need to send that signal down, we do it via APIs essentially — or technical pipes that send that request. And you can actually enforce it in those third-party systems. So you can turn it off. It’s more than just a request. It’s actually turning off that data. That works for deletion. That works for opt-out of sale and sharing, and it works for limiting use as well.
**Laura:** Yeah. And so then another piece on the legal side — and so that technical side, I think, is critical to make it happen and make it happen in a timely fashion, because those emails, exactly right, that doesn’t scale. And it works for the one-off. It doesn’t work at scale, and we’re going to see consumers effectuate their rights requests in greater numbers — not just because of authorized agents, but because consumers understand that they have privacy rights. And then on the legal side, businesses can become signatories to the IAB’s Multistate Privacy Agreement. And while an explanation of that requires more time than we have, JJ, it’s a dense document. But suffice it to say, it’s a set of privacy-protective terms that spring into place among a network of signatories, and it follows the data as it flows through the digital ad supply chain. IAB has lots of information available on its site to explain more, and it’s something to explore for companies that are interested to learn more.
**Jonathan:** It’s funny, every time we do one of these, I think of the topic for next week. So maybe we should — we’ll get the IAB on. We’ve done a couple. But I love this idea about — it’s contracts, but you can’t just have a contract, you need the controls as well. And so did that come up in BetterHelp actually? It’s not just the legal requirements, you need to actually have some kind of technical infrastructure. Or did I read that? Did I wish I read that in there?
**Laura:** Well, I’m trying to think about the exact counts. I would need to go back. There are, I think, eight counts in BetterHelp, and they relate — six of them relate to deception and two of them to unfairness. So I don’t know that there was a specific contracting count, although often there are. So I need to go back and check.
**Jonathan:** Yeah. No worries, Laura. Hey. We’re looking forward to seeing your piece on that. Are you coming out with that later this week?
**Laura:** Yes. That’s the plan.
**Jonathan:** Awesome. Laura, we appreciate that — adlawaccess.com. Excellent. Alright, maybe we’ll post it to this.
**Laura:** Oh, that’d be super.
**Jonathan:** Yeah. Perfect. Laura, we appreciate your time. This is just a little kind of bullet points on what’s happening this week in privacy. We appreciate your perspective.
**Laura:** Oh, terrific, JJ. Happy to be here.