FTC pixel tracking, Iowa privacy law, Utah social media bill


Summary

The FTC’s Office of Technology published a report titled “Lurking Beneath the Surface” on pixel tracking — a notable document both because of its source (a newly established office, signaling institutional commitment) and its substance. The report explains how third-party pixels passively collect behavioral and personal information as consumers navigate websites, without their knowledge or meaningful ability to opt out. The FTC’s concern extends well beyond health data — the focus of recent enforcement actions against GoodRx and BetterHelp — to cover any sensitive personal information collected via analytics and targeting tags. A cookie banner is not a solution: most consumers cannot explain what a cookie is, let alone understand what a pixel does. The message reads as a clear signal: the FTC understands exactly how this technology works, and the current status quo for pixel deployments across many websites will not survive scrutiny. HHS issued a parallel bulletin in December on pixels for HIPAA-covered entities, reinforcing the overall direction from regulators.

Iowa passed a comprehensive consumer privacy bill — pending governor signature — that would make it the sixth state with such a law. It is notably more business-friendly than the existing five: the definition of “sale” is narrow, and pseudonymous data (linked to a persistent identifier but not directly to a named individual) is broadly excluded from consumer rights, including the right to opt out of targeted advertising. Organizations that have already built compliance infrastructure for the existing state laws should not expect Iowa to require significant additional lift. Virginia has a similar pseudonymous data carve-out, though Iowa’s exclusion applies more broadly to targeted advertising opt-out rights.

Utah’s governor signed a social media bill that goes further than any other state on children’s privacy — requiring parental account access, restricting hours of availability for minors under 18, limiting personalization, and mandating age verification. It sets a new precedent for sector-specific restrictions and will likely face legal challenge. On the AI front, the UK’s ICO updated its guidance on privacy risk mitigation in AI contexts, offering a practical resource for organizations working through how to apply privacy principles to AI deployment — and generative AI regulatory activity at the FTC was flagged as a topic to watch closely in the coming weeks.

Transcript

**Jonathan:** Hey, Alysa. How are you?

**Alysa:** Hey there. Good to see you.

**Jonathan:** Good to see you too. Hey. I wanted to tell you, you totally nailed it when I saw you at IAB. You made that movie recommendation everywhere. Anything Everywhere All at Once, something like that. That little film?

**Alysa:** That little film. I don't think I was the only one who liked it. At least you told me about that one. Good to see you.

**Jonathan:** Hey. So a lot going on this week.

**Alysa:** Oh my goodness. Yes. Yes.

**Jonathan:** Yeah. The FTC Office of Technology came out with a report — article — “Lurking Beneath the Surface.” I just love the word choice here. What’s the ins and outs of that on pixels?

**Alysa:** Pixels, pixels, pixels. And I think honestly everybody’s been talking about the health angle. I know you’ve spoken with my colleague Laura about the two FTC enforcement cases, GoodRx and BetterHelp. This goes farther and it’s really beyond health data. Obviously, the lead is all about health data, but when you read the article — A, this is new, Office of Technology, so that’s notable in terms of what they’re putting out. They’re asking for research on a few different topics, but the theme of this is pixels — essentially maybe dark patterns — consumers aren’t aware that personal information is being collected and may not have sufficient choices around it if they don’t want personal information to be collected and shared. And then broader questions on what about sensitive personal information and shouldn’t consumers have more control around that? And that point — if you just take that point — there’s been so much focus on state laws and which ones are an opt-out for sensitive personal information, but given the direction with where the FTC is going, it really calls into question — I think it calls into question with an exclamation point — I don’t think the status quo in terms of pixels on a whole lot of sites passes muster based on FTC scrutiny.
And so I’m hearing from lots of companies both in the health space, but also just thinking about other kinds of personal information that get collected from their analytics and targeting tags. Do they need to do something different beyond what the state laws necessarily spell out? And moving very quickly on that front.

**Jonathan:** Gotcha. Would you say — I mean, an FTC that’s pretty technology-savvy, right? As I read this report, they kind of have a really good understanding of how the internet works, how it’s always worked, and they’re saying folks don’t know what’s happening here and how these things work and the lack of transparency.

**Alysa:** Right, you know, you’re so right. The FTC, I think, has always been pretty ahead of the curve when it comes to technology and digital advertising. I mean, going back to 2012, they had blog posts about hashed identifiers. But I think what’s so important about this most recent example is — one, it does it in a very concise plain language way, talking about what pixels are, but it also reflects what the agency’s concerns are. And so I would not take that part lightly, just because, for example, it’s coming from the Office of Technology rather than the enforcement side.

**Jonathan:** Got you. And just for the explain-it-like-I’m-five piece of this — when they say pixel tracking, what do they mean?

**Alysa:** So they mean you’ve got code essentially on your website, on all across your website. It could be on advertisements placed on your site. It could be video tracking so that you know how your site is really operating and who’s engaging with it, but also to help market or personalize your site. And some of those tags are by third parties. And those tags, when I go visit a site — either if I’m, let’s just say, not logged in — this starts collecting some of my interactions. It might be packaged up with other information about me, about my profile, about my interests, and passed along the web to other sites I visit.
And that helps to have maybe focused marketing, but it’s also personal information that says a whole lot about me. And if you imagine going to a site for dietary supplements, it could be health insurance — there is the possibility of more sensitive information and preferences and profiles that get enriched by that data. And that’s really what the agency is concerned about.

**Jonathan:** Got you. One of the things I was fascinated by in that article was they talk about these pixels being invisible. And I was kind of curious what they meant by that. Do they mean you kind of have to be pretty sophisticated to know which tags and cookies are firing? Or do they mean actually even if you know that, there’s other stuff getting ushered in on the site that you have no idea about?

**Alysa:** Yeah, I think there — it’s this concept of what is the consumer’s reasonable expectations? And this is all passively collected, right? Very different from a consumer filling out a profile and telling the company directly what their interests are. This is more on the back end, based on how you’re interacting with a site — what information is both collected, but then added to that. And the argument is, look, this is actually — maybe in the past might not have been such a big deal depending on the data — but given the kinds of personal information that now may be collected and enriched with online activity, this could be a big deal and consumers don’t know about it. And that, for example, a cookie banner is not doing the job of communicating this. And so I think that’s really where I’ve heard folks fall back on — oh, alright, this just means a cookie banner. Case closed. And that is absolutely not the solution here. Consumers — if you ask a consumer what a cookie is, they’ll tell you Girl Scout cookies or chocolate chip — they’re not talking about a website code.

**Jonathan:** Got you. I mean the vibe of this article was — we understand how pixels work. We understand how the internet works.
There isn’t clarity, transparency around how this data is being collected and used. Almost — there is personal information being collected here. And it was almost like a — we the FTC, we understand this completely. And now you know that we know, so do the right thing.

**Alysa:** I’ll just point out — you know, you talked about the health cases before — but in December HHS put out this bulletin also on digital advertising and pixels for HIPAA-covered entities. So you put all of these developments together and they really do highlight a very notable direction when it comes to digital advertising and analytics.

**Jonathan:** Thanks, Alysa. The second big topic — I mean, how do we not talk about Iowa and the impact on other states? So yeah, what’s the long and short of that?

**Alysa:** Yeah, so for so long we’ve been talking about five states, five comprehensive privacy laws. We always knew that that number was subject to change. So now we have a potential number six — waiting for Iowa’s governor to sign it. So it’s not a law yet. It still may not happen, but if it does, it would be number six. And just in case folks are wondering what’s the over-under — how does it compare to the other five? Honestly, a lot more business-friendly than some of the other laws. And for example, if you’ve already got infrastructure set up to comply with the existing five, I don’t think it’s going to be too much of a lift to address Iowa.

**Jonathan:** Oh good, yes. So I mean, as I’m scrolling through here — consumers get rights to confirm processing, get a copy of their data, to delete data. They’ve gone with the opt-out of sale of personal data where they’ve defined sale pretty narrowly, right?

**Alysa:** Very narrowly.
And then whereas a lot of the other laws really are trying to regulate what we call pseudonymous data — that’s where you don’t know it’s Alysa, but maybe there’s an identifier with code that is consistent with who I am and how I travel across the internet — Iowa excludes that. And that’s pretty interesting.

**Jonathan:** Yeah. So I was wondering about that too — there’s exemptions for pseudonymous data. So what does that mean exactly?

**Alysa:** So it means that all of these consumer rights — think of opt-out of targeted advertising — may not apply to pseudonymous data. And like Virginia has a carve-out for pseudonymous data, but that went more to the right of access and getting a copy of the information as opposed to opt-out of targeted advertising, which often is based on pseudonymous data. So we’ll see. Maybe there’s some tweaks to it at the end and it goes back, or maybe this is the form it turns into upon signature.

**Jonathan:** Gotcha. Thanks. And anything going on with the other states or any progress?

**Alysa:** Yeah, so I know we’ve been focused on the comprehensive privacy laws, but there’s always the sneaker attacks on the side. And Utah — I know we’re familiar with their privacy law — but they have a new social media bill that the governor has vowed to sign. And it, while the focus is on social media companies, it goes probably the farthest that I’ve seen — well beyond California’s age-appropriate design code — in restricting the kind of information that can be collected, personalizing, there’s all sorts of notifications to parents. I mean, there is a lot packed in there. I think it’ll probably be subject to litigation over whether it can survive, but it sets a whole new precedent in terms of how states might restrict, for certain types of companies or certain sectors, the ability to personalize, the ability to collect information, and age verification.

**Jonathan:** Gotcha. No, thanks, Alysa.
It looks like there’s some activity too around generative AI and I think the FTC can or something there. If we don’t have time today, let’s cover that next week.

**Alysa:** That sounds good. Maybe my closer on that one — UK’s ICO updated its guidance on AI, and so if folks are looking for just a useful resource on how to think through privacy risk mitigation, ICO’s guidance was really really on point.

**Jonathan:** Awesome. Thanks, Alysa. We’ll post these links in the comments here. I’ll post that FTC article. Aaron Bernstein wrote a great article in Admiral on Iowa. I’ll post that as well.

**Alysa:** Perfect. It’s great to see you.
