**Jonathan:** Lisa, how are you?
**Alysa:** Hello, how are you doing?
**Jonathan:** Good to see you. I'm here in not so sunny San Francisco. So there's been a lot going on this week. Mental Health Month. A lot of work around the FTC and HHS and healthcare data. I was curious to get your thoughts on that. I know we've talked about it, but it seems now it's a little more critical, little more urgent. And children's privacy with the FTC proposal on Meta restricting their ability to profit off minors' data. Was just kind of curious — these are the themes, right? It's children's privacy, it's healthcare. This is where the FTC is today.
**Alysa:** Right. Maybe the headline is sensitive data is getting a whole lot of privacy attention. Compound question. So maybe we can piece that up in parts. I think the mental health — I know we've talked about health and privacy and some of the earlier episodes, but that drumbeat is just getting a whole lot louder. So Thursday, we had Governor Inslee from Washington sign Washington's My Health, My Data Act. So that is law. And one of the things that has — I think there's a lot of chatter about is in the past, I think we've talked about that bill. It's not effective until March for most businesses. But the way they wrote the statute means it's unclear, and it suggests that some of those provisions actually go into effect end of July, this July. So think about that and think about the breadth of the definition of what's really regulated. The kind of health data includes wellness data, includes maybe fitness data, includes maybe you're walking into a CVS shopping for shampoo — kind of could be covered. And so there's just so much in that statute that for companies who are already working to address the other more comprehensive state privacy law July deadlines, now they need to think about, they have this whole other line, and the issue there is that there's a private right of action, which means plaintiffs attorneys have a whole new area to focus on. That in some ways is scarier, I think, to a lot of businesses than the odds of having a state attorney general, for example, investigate you. And all of that, while there's not a whole lot of clarity. We also saw Mozilla put out a report on mental health related apps and their privacy practices. And I thought that was really interesting because, you know, in the past, we see some scores of apps for different things. And this is a really focus on this sector and their privacy practices and whether you get a good or bad score. And that can be really damaging to a brand. Need consumer trust. And then you have this like fail rating next to you that's being covered by the media and which could prompt more inquiry, right, by regulators or in the future by plaintiff's attorneys under the Washington state law. So I just think, wow, sensitive information — we'll get to FTC in a bit — but sensitive information and health information in particular is so fraught right now and really just needs a whole lot of attention to make sure that the path ahead is going in the right way.
**Jonathan:** We've seen some evidence of this fear, right, with advertising in the healthcare industry has gone down a ton. It seems like it's a little more than just a cyclical downturn. There's secular pieces to it. It seems like we're back to the old days of early days of GDPR and whatnot, where people didn't know what to do, so they just stopped doing everything. Are we there with healthcare and all these kind of the broad definition of it? Advertising?
**Alysa:** Yeah. Right. Well, I think so. So I've read some of the same reports you have in terms of the digital advertising spend by health oriented companies has taken a sharp downturn. And I think a lot of that is just confusion, right? You had the FTC actions that we've talked about in terms of BetterHelp and GoodRx, right? These are not HIPAA covered entities. Then we saw what HHS had done. And now we see this Washington Health bill. And I think a lot of companies are just not sure what they need to do. And so as they're figuring that out, right, do they need some super clear consent? Some of them didn't even — had not really a good sense of what their digital advertising was beforehand, right? And so there's that. There's private rights of action under wiretap laws, right, with pixel tracking. So I think it's really a reflection of confusion, maybe a resetting, right, of, wait a second, this now is a business priority, and we need to think about the right way to go forward to manage risk. But also, this is part of our strategy, right? This is how we find new audiences.
**Jonathan:** Yeah. Where does it end? I mean, it starts with healthcare, it gets broader into wellness and all these other things that you mentioned. And does it go beyond that? I mean, is there a danger that it goes beyond that? Regulators focused on digital advertising more broadly. I mean, there was some of that chat, right?
**Alysa:** Right. I always think about like hot zones, right? What's in the center right now? Health data is certainly in the center. But what's related to that? Other types of sensitive personal information or vulnerable audiences. So kids data, we've seen the FTC really focus on kids data. We've seen a lot of legislation, right, with social media platforms. Some might argue like surveillance of kids by parents or just their activities monitored online. That's a really big area of focus. And so I think the question is, well, there's other things that get categorized as sensitive personal information. And so as you're thinking about strategy, that's in the hot zone right now, but what's next? And you could think of all different scenarios that are right behind.
**Jonathan:** Gotcha. And so what's the latest in children's privacy, I mean, given the FTC's proposal against Meta this morning?
**Alysa:** Yeah, so it's unique, right? The FTC had a press release out yesterday on an order to show cause for Meta in terms of its compliance with settlement order. It had two settlement orders. The second one was modified. I think I'll focus more on the FTC process as one who's practiced before the FTC for many years — not seen something like this. I mean, is really unique. Usually, you settle with the agency, you're under a settlement order, and a violation of that settlement order can mean a whole lot of things. But often it means the order is amended. There's additional provisions, and that's what we saw in that second order. But to now say, first, in order to show cause — usually there's so much we never see. It's behind the scenes on negotiation in terms of review of your compliance with the order. You have to submit compliance reports. Here, it seems in all privacy and security orders, there's a third party assessment. They come in and they look at your practices and say, are there gaps? So here from me, it's heavily redacted. But for the parts that you can tell, it seems like it was an issue with what the third party assessor was identifying as gaps. But it also looks like the FTC just ran right out with this public announcement. And to the kids data point, raising new rules that were never at issue in the earlier ones. And it really raises that question of FTC authority, what can we expect with you're under an order for a set of practices, but does that mean suddenly anything's fair game in terms of what's tangential, what's adjacent to that? And so as we think about FTC risk, right, when you're due practices, are they likely to be interesting to the FTC? Then the risk of being under an FTC order, then there's just like the future path, right? What else might the FTC allege? And I think so much of this is in response to the FTC. They had a lot of their tools and their toolkit taken away by the Supreme Court in terms of being able to seek money for equitable redress. I think we're just seeing a lot more creative approaches by the agency to have a big stick. This is one of the latest examples.
**Jonathan:** Sure. I know, by the way, on regulators generally, I really enjoyed the webinar Kelly Dry did last week or the week before with the Connecticut Attorney General.
**Alysa:** Yeah, well, he sounded very FTC like in his, hey, we have our own FTC type act, right? And we're going to go after deceptive and misleading practices. Well, it's a good public service announcement. Yes, we focus on the FTC. There are so many, obviously, state attorneys general offices, and each one is really focused on consumer protection, and some in particular on privacy practices. Connecticut, if you've had not gone to their website, I mean, they've got really helpful FAQs on their new privacy law. And I think that's like my kind of tools of the trade. I watched the press releases by a number of the state attorney general's office who are really focused on privacy, and that can also give you a trend line of the kinds of issues they're thinking about, maybe if they're focused on particular sectors from a risk assessment. Always good to both be listening and try to have a relationship in advance of any issues.
**Jonathan:** Yeah. And we said this before, the state AGs, they talk. They talk to each other. They talk frequently.
**Alysa:** Absolutely.
**Jonathan:** Well, there's a steady drumbeat of state privacy laws being passed as well. And we might be running out of time here, but I want to get your quick thoughts, Alysa, on Indiana and I think Tennessee, Montana perhaps coming. What do we take away from that? I mean, is there any — it doesn't necessarily mean that there's a likelihood for a federal law just because there's a ton of states doing it, right? Is that fair to say?
**Alysa:** I just, I'm an optimist generally. I'm not an optimist on comprehensive privacy law just because of now how entrenched California, for example, is, and companies really designing practices around that. If there's anything, it would maybe be kids privacy and we've seen some bills reintroduced this week on that front. So I'd watch that space, I think, as a strategy, if I were, let's say in house counsel and I'm seeing all these new state privacy laws, it really just emphasizes having a durable plan, having resources. Because a lot of companies, the first time they've had to stand up this kind of large enterprise wide plan, and maybe they start with just the few states that have these privacy laws. But as you continue to see new and more states added to that list, I mean, you can imagine an alphabet length privacy policy calling out the different practices with each state. That gets really hard to operationalize in practice. It also just makes you think about, gosh, can I have different ways of doing this? How long can that last? And so just really trying to get the right resources and having a plan. How do I, what does this look like over the next twelve months, twenty four months? How do I get to that final point where we do feel like we've got a responsive plan? And then the thing we just — to take it full circle, what we're talking about at the beginning with you have like the Mozilla reports, right? Where one of the dings that Mozilla did was when companies only offered privacy rights to a few states, right, residents of a few states, and that their grade went up when they offered it nationally, even though the state didn't have a specific privacy rights law. So I think that's really interesting and wondering whether that also may be a motivator to have just a more holistic privacy program and strategy.
**Jonathan:** Yeah, then just a final question for you. It's been on my mind, Alysa. Heard from the regulators at IAPP and other places at the IAPP conference. They talked about the consumer as a North Star. And if you generally do right by the consumer and you're transparent and you're accountable, you should be okay across these multitude of state laws. And I always wondered, is that really okay? Like best efforts around that, is that really okay? Or is there — the other side of it is I heard the Connecticut AG talk about, hey, we've built these laws in Connecticut for a reason. We really care about them. And it means they probably need a specific response from brands, right? They're not expecting a broad brush. I just wondered how to think about that and I wanted your opinion.
**Alysa:** So I would be just really practical about that. Honestly, the variations are on the edges, and some of those are important edges. But if you start at the center with, we care about this relationship with this consumer that we're trying to build and have them want to come back to us, right? Associate our brand with, we see who they are. That does mean really caring about the relationship so that you start to see the investment in an account, account preferences, marketing preferences. Well, privacy preferences are part of those account preferences. And if you're thinking from a business side, well, bad PR, if I get a bad grade that's suddenly very much covered in the media, that's not great for my customer relationship. So I do think if you put that customer relationship first and you think about the privacy strategy around that, then the nuances with Connecticut. Yes, California has some things with combinations of data. I just see that being much easier to do because that's really tertiary, you know, way down the list because you've already got that consumer first and an experience centered around that.
**Jonathan:** Gotcha. And that's maybe a nice way to think about it. It's not a broad brush that just fixes everything. But if you start there and start to build on it and think about some of the nuances in these laws as primary, secondary, tertiary, make your way through in a twenty four month plan, kind of like you said earlier. And the really practical approach is — I love that. Thanks, Alysa. So good to chat. I'm sure more to come in the next weeks.
