FTC unfairness, Washington private right of action, clean rooms


Summary

This episode recaps key discussions from the NAI Summit in Seattle, where regulators, policymakers, and ad tech practitioners gathered alongside FTC representatives and state attorneys general. The conversation opens with an examination of the FTC's dual enforcement toolkit: the more familiar deception prong — where a company's representations in advertising or privacy policies turn out to be unsupported — and the increasingly invoked unfairness authority, which targets business practices that cause foreseeable consumer harm that cannot be reasonably avoided and is not outweighed by competitive or consumer benefits. The Kochava case is cited as a recent example of the FTC pressing unfairness claims in a data context, with the expectation that this authority will be applied more broadly, including to AI use cases. A counterintuitive view surfaced among some privacy lawyers: that making explicit privacy promises creates deception liability, and that silence may be safer. The episode pushes back on this, arguing that rigorous internal data governance should build the confidence to make precise, enforceable commitments to consumers.

The private right of action debate was animated by the Washington AG's keynote defending individual enforcement rights, particularly in light of post-Dobbs health data concerns. The industry critique is that private right of action effectively imposes a perfection standard: even technical infractions — where notice was given, consent was obtained, and actual harm is debatable — can expose companies to massive liability. Illinois BIPA litigation is cited as a prime example of disproportionate outcomes. A structural problem is also identified: rather than correcting behavior, the multiplication of lawsuits diverts corporate resources away from internal data governance improvements and toward legal defense, producing the opposite of its intended effect. Achieving balance likely requires litigated precedent and clearer guidance from attorney general offices.

The episode closes with a detailed discussion of clean room misconceptions. The persistent confusion is that placing already-permissioned data into a clean room renders all downstream processing compliant. In reality, privacy obligations attach to the specific use case and processing occurring inside the room — not merely to the quality of the data at input. Consent must be granular enough to cover the actual activation, not just data collection, and must remain current even after the data has been transferred. The episode highlights a real-time approach where clean rooms query a consent management platform for the latest permission status on each data subject, rather than relying on a static permission file that may have since changed. A forward-looking observation notes that AI-enabled cohort modeling may reduce dependence on individual-level personal data, potentially improving both advertising effectiveness and consumer privacy outcomes simultaneously.
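
The per-purpose, processing-time permission check described in the clean room discussion can be sketched as follows. This is an added example, not code from the episode or from Ketch; `ConsentStore`, the purpose names, the subject ids and the dates are hypothetical and constructed for illustration.

```python
from datetime import datetime, timezone


class ConsentStore:
    """Hypothetical in-memory stand-in for a CMP lookup (not a vendor API)."""

    def __init__(self):
        self._state = {}  # (subject_id, purpose) -> (allowed, updated_at)

    def record(self, subject_id, purpose, allowed, updated_at):
        key = (subject_id, purpose)
        prev = self._state.get(key)
        # Keep the newest signal only, so a late-arriving old event cannot
        # overwrite a more recent opt-out.
        if prev is None or updated_at >= prev[1]:
            self._state[key] = (allowed, updated_at)

    def is_permitted(self, subject_id, purpose):
        # Fail closed: no record for this exact purpose means no permission.
        return self._state.get((subject_id, purpose), (False, None))[0]


def split_by_consent(subject_ids, purpose, store):
    """Check each subject at processing time; return (permitted, rejected)."""
    permitted, rejected = [], []
    for sid in subject_ids:
        (permitted if store.is_permitted(sid, purpose) else rejected).append(sid)
    return permitted, rejected


def build_sample():
    """Constructed sample: a static file sent at t0, consent changes at t1."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    t1 = datetime(2024, 3, 1, tzinfo=timezone.utc)
    store = ConsentStore()
    for sid in ("u1", "u2", "u3"):
        store.record(sid, "analytics", True, t0)          # all agreed to analytics
    store.record("u1", "targeted_advertising", True, t0)
    store.record("u2", "targeted_advertising", True, t0)
    store.record("u2", "targeted_advertising", False, t1)  # opted out after transfer
    store.record("u2", "targeted_advertising", True, t0)   # stale replay, ignored
    static_file = ["u1", "u2", "u3"]  # the "permissioned" list as ingested at t0
    return store, static_file
```

Run against the static file, the analytics purpose still passes all three subjects, while activation for targeted advertising passes only `u1`: `u3` never consented to that purpose and `u2` withdrew after the file was sent.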

Transcript

**Jonathan:** Good morning. Good to see you.

**Alysa:** Hello. Good morning.

**Jonathan:** Great to see you in Seattle last week.

**Alysa:** Oh, that was fun, right?

**Jonathan:** It was fun. Regulators out in force as they've been joining. So we were at the NAI Summit, all the policymakers and ad tech players. The regulators were there from Washington and other places. I wanted to ask you about a couple things there with those folks. If we start with the FTC, they've been focused on deceptive practices, and one of the really good discussions we had last week was, are they moving towards the unfair in unfair and deceptive practices? Are they trying to hang enforcement actions on unfair? Are they doing it in the context of AI? And I was curious to get your thoughts on that, Alysa, and how easy it is to do that. Does it make sense to chase those cases in the context of AI as an example?

**Alysa:** Yeah, no, good question. I think you're right. The FTC is known for its deception prong. That's the more straightforward — you made a representation, whether in advertising or in your privacy policy that turned out not to be supported, right? They also have an unfairness authority and we've seen them use it over the years and there's a whole test. But ultimately it goes to, is there a foreseeable injury to consumers? The consumers don't know about it, they can't avoid it, and that whole business practice is not outweighed by good things, right, for consumers or to competition. We've seen the Kochava case is a good example of where the FTC used its unfairness authority that something was, a business practice was unfair. That case has had kind of run into some legal roadblocks for the agency, but we expect them to refile that. I think if you look at history, unfairness was like spyware. Payment processing that you know was unauthorized charges, right? Something that the consumer could not get out of and there was real injury.
It's always been a hot button question though on what are the privacy injuries, right? These intangible injuries that may warrant an unfairness claim. So, agree with you. I think we are gonna see the agency and some state AGs also have that authority as well under their mini FTC acts. So, you know, that's what the agency pushes the bounds of that and I think it'll be interesting to see how that might apply, but at the end of the day, right, if you're a company, it's really foreseeable risk, right? Like you're thinking about your data practices and you're thinking about what are the potential implications to this and how do we mitigate any of the negative aspects? Like, you would need to do that anyway.

**Jonathan:** Right. That was another thing that came up with this idea that AI and ethics have just landed on privacy practitioners' desks. So in addition to privacy laws and thinking about if we're being deceptive anywhere, now we need to think about it in all fairness. Is that fair to say?

**Alysa:** Yeah. I think that that's right. The privacy lawyers are often the data lawyers, right? And that's why AI is kind of at least starts with them. And that's risk assessment and there's different types of risks. Some are not straightforward privacy harms or obvious legal harms, but are ethical issues that really could affect the company, its brand, and so to think really broadly about that.

**Jonathan:** Yeah, one of the interesting sidebar conversations I had with some of the lawyers there was, we talk about these privacy promises, and hey, we're going to be transparent and we'll be all these things. And it's your way of signaling how important privacy is to you as a brand when you're talking to consumers. And when you read some of these cases like BetterHelp and others, do you blame some lawyers when they say, maybe just don't make any promises? Look, for us at Ketch, of course, we make the promise, we're going to enforce it.
But you hear some of this undertone of, maybe just don't say anything. What do you think of that?

**Alysa:** I think they're worried about the gotcha, right? The more that you talk about your business practices, there's a lot of nuance to how data is used, to all the different ways it's processed or shared, and worried that if they make a statement that sounds a little too absolute and is not, doesn't have the right caveat, that then they could be liable for a deception claim and so or the gotchas if there's a private right of action. So, I think it's constantly cat and mouse on staying ahead with the business to make sure you fully understand everything that's happening with the data and that's challenging.

**Jonathan:** Yeah, don't miss the opportunity to communicate this value to your consumers, I think, right? Because of this. We need to find — I think it needs to lean towards the opportunity in my view.

**Alysa:** I agree. I think we're moving in a trajectory where resources are being devoted to really kind of getting in the weeds on your data practices. And I think that builds and controls around that. And so I think that builds confidence to then actually even use less words to describe those promises, right? Because you know them as opposed to hovering around the edges and making some assumptions based on anecdotal interviews.

**Jonathan:** Thanks, Alysa. You mentioned the private right of action. I really enjoyed the Washington AG's little keynote at the NAI Summit. And look, I hang around lawyers all the time, I start to get this view that private right of actions are cumbersome and maybe they're not good. But he made a pretty interesting case, I think, on why it's important to him and why it's important to Washingtonians. And so I wanted to ask you, why is private right of action such a hot button issue for people?

**Alysa:** Yeah, I mean I think it's like there's a rotten small bunch that ruins it for everyone type of thing. And look, people make money.
They have whole business enterprises on bringing private right of actions for really small — what we would call frivolous practices, but the gotchas. And so then you end up having privacy be a perfection standard. And I think we all, even with good faith and risk assessments, I don't think it's perfect. And so we've seen Illinois, for example, with BIPA, just millions and millions of dollars, right? And there are some — you could say there are some examples there where maybe the company did owe that money and truly did, but there's also ones where they did the notice and they got the consent, the consumer or the employee knew what they were agreeing to, but there's a technical infraction that then exposes the company to so much. And that's really — it's kind of those examples where we don't actually agree that there's real harm, but there wasn't perfection. And that's massive exposure for the company.

**Jonathan:** Gotcha. And one of the sidebar conversations we had after that, the keynote, was somebody was talking about how private right of action isn't corrective. It actually encourages more and more lawsuits. You have to fix the behavior. What do they mean when they say that?

**Alysa:** One lawsuit then multiplies. It's like gremlins. You fed them after midnight and gave them, you know, put water on them. It just, it multiplies. Your brand is in the headlines and you're going to often face a whole lot of lawsuits. So then money is devoted to defending lawsuits as opposed to internally on data governance and improved controls and processes and less transparency. So I think it in some ways, sadly, it has the opposite effect.

**Jonathan:** Gotcha, thanks. How do we get the balance? I mean, these rights are important, right? I think you made a really good case post Dobbs in Washington why he needed to do it. I'm totally within. How do you find that balance, you think?

**Alysa:** I don't know that we ever fully reach it.
I think you end up having to have litigated decisions and having courts give some clear standards. I think we might see guidance from the Attorney General's office and that that may be persuasive more to the courts than necessarily to the plaintiff's bar, but that's money is going to have to be spent on lawyers to, I think, get to clarity or close to clarity where you can have a little bit more of a balance.

**Jonathan:** Gotcha. Thanks. And according to AG Ferguson, are there AGs a colony? How did you do this? How'd you get it passed? And maybe we see more private rights of action in states across the country.

**Alysa:** Maybe. That tends to be the poison pill, but we'll see.

**Jonathan:** I wanted to ask you about clean rooms. They're still confusing for people. I know we've talked about it a few times. It's just still this idea that, oh, clean rooms are just going to fix everything and people are still rolling in with that attitude. Where do you think the confusion is on clean rooms and what they are, what they do?

**Alysa:** Sure. So I think one of the really important things is about really having an understanding of what's happening in the clean room. I mean, it often starts with, look, I'm using consented data, permission data, the data's clean that I put into the clean room and therefore everything's good, but that it really ignores what is the processing that happens in the clean room because it doesn't mean that it's a privacy free zone, depending on the use case. And that's really the key. What is the use case and what is happening to the data to support the use case has a different privacy outcome. And I think really it's a whole lot of data security, which is good, right? It prevents a lot of data leakage, but it doesn't mean that there's no privacy considerations and no obligations that come from that.
So really it's what happens to the data going in, what's happening in the clean room, and what is the relationship between both the clean room, but also who are the other collaborators, right, who get access to the clean room and thinking about the privacy laws and the relationships associated when does involve personal data. So I think, look, it's nascent, it's evolving. I think we'll get to a place where there's better industry standards around that, but we're not there yet.

**Jonathan:** Yeah, thanks, Alysa. To play it back, just to make sure I understand, data goes in and sometimes it's easy to say, well, yeah, I have the permissions on that data, so it's all good. But permission needs to be nuanced. Permission for what? Is it permission for analytics? Is it permission for targeted advertising? Will you activate on the data? Do you have permission for that? Once that is in the clean room, there isn't necessarily magical ways to make it privacy safe if it wasn't in the beginning. Maybe there's some anonymization that can happen in aggregation. Some of that — there's not talking about the privacy enhancing techniques that have increasing sample sizes and things like that that help. And then once it's in the clean room, if you start activating secondary use cases, like it was there for analytics, but now actually there's an activation use case or there's another use case that wasn't anticipated in the permissions, you need to be able to go back and check those permissions. There's not a ton of magic that happens in a clean room that helps you with that.

**Alysa:** Right. It tends to be — you're matching identifiers to then do something, and that's not — that could be in a clean room, that could be anywhere else, but that still has a very direct privacy set of obligations as opposed to — you're not matching identifiers, but maybe you're matching cohorts or there's something happening to that data that in fact does evolve it.
So it's outside the definition of personal information.

**Jonathan:** Gotcha. And look, at Ketch, we're obsessed with this idea that clean rooms can ping CMPs like Ketch and ask for the latest status of permission, so you're not relying on the original file. You get more nuanced permission. And also, the permission is up to date. Even after you've sent something to the clean room, say, well actually yeah, that person's opted out now. Right, and one of the things we heard at NAI that I thought was really helpful is, you know, we're so focused on laser, narrow targeted personal identities for effective advertising, which look, it's been really fruitful. But with AI, how does that evolve that standard? So maybe you don't need user level personal information, but AI and predictive capabilities actually for cohorts start to get a whole lot more effective than they have in the past. We have better tools than we have, and I think that may also contribute to improving privacy.

**Alysa:** Gotcha. Thanks, Alysa.

**Jonathan:** Hey, lastly, a couple of plugs. You and I and Jakob Solomon, who's an expert in machine learning and AI, we're doing a webinar with the IAPP on the thirty first on January of AI. We've been getting so many requests for, I just wish there was practical way to think about privacy and what do I actually do? And so if we can plug this here — on June twenty second in New York, we're doing one of those.

**Alysa:** Right, right. The how to's, right? And really benchmarking with peers. So we are going to host a workshop, right? Nothing fancy, June twenty second in our New York office and we'll have to cap the registration. But I think the idea is Chatham House rules and get people together and work through a DPIA. Use ad tech maybe as the subject, use clean rooms, but walk through what's the right balanced way.
I don't think there's a perfect way to do it, but I certainly think for a version one, a little consensus from the crowd may be useful for folks to take back with them.

**Jonathan:** Awesome. We'll post it in the comments here. Alysa, thanks as always. Appreciate the quick little update here.

**Alysa:** So fun. Good to see you.
