**Jonathan:** For this live edition of the Privacy Huddle. So funny. Here at the IAPP’s GPS conference. So yesterday we were at the IAB conference, which was great.
[gap in recording]
**Alysa:** Yeah. I love what she was saying. Well, for two things. One about the rule making. And she’s saying, look, you guys get on to us to do rule making and say we shouldn’t do it. She’s super clear about what she wants and setting expectations with rule making.
**Jonathan:** Do you generally agree with that? I thought it was a great way to be transparent.
**Alysa:** So I’m, you know, on the defense side of things. Yeah. I think there’s certainly the criticism on just the kind of the ordinary person who wants to know what does the FTC want when it comes to compliance. And right now, you do — you have to parse through each of the cases to know incrementally what is the risky issue, what does the FTC expect for compliance. And her point was that, look. If we had regulations, it would be really clear, and we would know exactly what the rules are. That may be the fact that we also have a number of state laws, right, that we are also trying to account for. And I think at this moment, having a long series of regulations that may or may not happen is given up to process — adds even more complexity and more confusion to what I see as a lot of privacy laws. And there’s so much already, and that’s getting in the way of actually, like, some of the complaints. So I think the long road is the bottom line. I think she has a point. I think, honestly, we probably need federal legislation to have a clear baseline so that everybody knows what they need to do, but that’s not where we are.
**Jonathan:** Gotcha. The other thing I love is she was talking about — I showed up here so you can see that I’m not scary. But she said some scary stuff. You know, at the end when they asked for any questions and everybody was like, no. We’re good. No questions. What the FTC — if you are being investigated by the FTC, that’s a scary thing. Right? And what we’ve seen with remedies in some of these cases, I think, is pretty scary for a lot of companies. Now if we take the glass half full, maybe that helps to motivate and get the resources you need to devote towards some clients. Like, we had heard from a colleague who was saying, you know, business wants to know what’s the quantification of risk. Right? Because that they can take back and understand as opposed to saying something’s just risky. And some of the remedies that Commissioner Slaughter and others have pushed — deletion of data. You can quantify the risk to the business, but you had to delete really important data. So I thought that was — that personal liability. That’s a motivator if the CEO is going to be held liable.
**Jonathan:** AI?
**Alysa:** Yeah. I’ll come back to that. The FTC put out the office of technology — we talked about it last time — put out some guidance on this. And at the end of the day, you have to be truthful about what you do.
[gap in recording]
And what I read between the lines is — starting principles, and you will need to audit your AI usage, generative AI — what you’re representing, what you’re not saying. Right? How many companies right now with privacy policies or notices are actually explaining that they are using generative AI? I’m getting client questions all the time with different ways to use it, and I have not really seen that come up yet in privacy policies. So I think those are good factors. There’s always gonna be something new. How are you staying on top of it in terms of how you’re using data and then how you’re talking about it in privacy.
**Jonathan:** It’s interesting that you’re kind of moving beyond privacy. Privacy is this foundation for an ethical internet. You start to talk about, well, is there bias in there as a result of the algorithm? Is it affecting minority classes? Can you just see an opportunity? And it just seemed to really expand the scope of privacy. It’s consumer protection. I mean, that privacy is a part of consumer protection.
**Alysa:** But I’ll also just say kind of the interesting thing with AI and discrimination is that you would need more data to be less discriminatory. Otherwise, if you have less data input, right, then you get more emphasis with certain — like, what you extrapolate from that. And so there’s always this conflict with AI — the type of data coming in — and so you have that balance to prevent unnecessary bias or implicit bias.
**Jonathan:** Yeah. I guess that makes it more important, as you think about privacy, to have it connected to your data maps. You ever understand how it goes straight to winning, how you fed the algorithm, what generated the output basically.
**Alysa:** So that is such — we heard that in a bunch of panels yesterday at IAPP, and I think data mapping has always been this expensive wish list, nice thing to have, but very few companies have the resources to do it. And now we’re seeing the consequences of not really knowing what data you have — it’s coming to bear. So let’s talk about our panel. We have a whole panel there. We have folks from Fanatics, folks from Instacart and Meredith, which is awesome. State compliance for publishers. What were your highlights out of that?
**Jonathan:** So everybody’s dealing with privacy compliance with this — you see this kind of glazed look in the eye because there’s so much going on. I thought it was really interesting to hear all of the publishers talking about — and go back to notice — like, nobody has it exactly right. That is a work in progress on how to calculate everything and do it in a pretty way. That was one of the themes.
[gap in recording]
**Alysa:** ...were saying we’d love whether to eventually be an industry standard on that front so that it’s just more efficient and scalable.
**Jonathan:** Gotcha. And then accountability at the end came up. It seems to be a hot thing. Accountability, slowdowns, and getting calls throughout the day yesterday. Are you seeing similar trends?
**Alysa:** Yeah. Well, so one of the new legal requirements is you can’t just say, I did my thing. That’s all I need to do. You have to flow down the requirements — different requirements to your service providers and to even third parties to resell or share data with targeted advertising. And this all has to be done in a way that works. And so we were talking about IAB’s multistate party agreement, and that is one scalable way to at least get everybody on the same page with the same contractual commitments — that helps when it comes to diligence. I think at some point, there’s probably gonna be certifications and whatnot, which will be useful. So we are on a path. We’re just — we can see maybe the horizon. There’s just a lot of work to get there.
**Jonathan:** To close on this, there was a theme of privacy as opportunity, which we’ve been talking about for years and quite frankly wondered if other people thought the same thing. That was definitely a theme yesterday. Did you feel the same way?
**Alysa:** I absolutely felt the same way. It’s not going away. And so you can either complain about it or you can do it really well. And you can make it part of your marketing strategy and you can get trust with it. And I think we’re starting to see the companies that have really poor privacy — so it’s not just a legal thing, it’s not just a compliance thing — but it actually can be a whole user experience. Like, Han, the GC of IAB, talked about — maybe a year from now we’re gonna be talking about the privacy UI. Yeah. You know, we talked about the marketing UI. And I think that that is right. That’s — we are right on the cusp of that.
**Jonathan:** Well, thanks for joining us here at the Ketch Group for this live edition of the Privacy Huddle. Final question. Do you think I have a future in journalism?
**Alysa:** Only if you’re on a bench...
