California CPRA delay, Colorado enforcement, Washington health FAQs


Summary

The episode opens with Jonathan calling in from Colorado, prompting a review of the state AG's enforcement posture following the July 1 effective date of its comprehensive privacy law. The AG's office issued both a press release and letters to companies, signaling active enforcement focused on two areas: obtaining consent for use of sensitive personal information and providing opt-out mechanisms for targeted advertising and profiling. California produced parallel developments: the Attorney General's office launched a sweep of California-based companies' employee privacy practices under the CCPA — framed as a survey rather than a full investigation — and the California Privacy Protection Agency held its first open meeting since a court ruling temporarily stayed enforcement of its regulations. The CPPA's new enforcement chief confirmed that the underlying statute remains fully enforceable regardless of the regulatory pause, and identified children's data and notice requirements as near-term priorities. Across both states, the message is the same: enforcement is live and companies that deferred compliance work are already behind.

Alysa addresses how companies should handle AG surveys and sweep letters. Ignoring a state regulator is never an option — any inquiry should be treated as a signal to get compliance in order and respond accurately and constructively. These surveys are framed as distinct from investigations, but they create urgency: one month is the typical response window, with extensions negotiable. The Sephora enforcement from the prior August is cited as a reminder that privacy enforcement activity doesn't follow a seasonal slowdown. If a company hasn't yet prioritized employee privacy or addressed other gap areas, a survey letter is the motivator to start — not a reason to wait.

The second half of the episode turns to privacy technology for generative AI. Jonathan shares that Gen AI is dominating prospect conversations, driven partly by Gartner research showing that privacy-safe data is an enabler of Gen AI initiatives rather than a blocker. The emerging challenge of executing data subject requests inside AI models is surfaced: companies can control inputs, but untraining a model remains legally ambiguous, with FTC enforcement providing the only precedent (model deletion as a remedy for egregious data practices). The Samsung incident — proprietary code uploaded to ChatGPT and potentially exposed on an external server — is cited as a wake-up call about business-sensitive data and access controls. Model governance rounds out the discussion: with Gartner estimating that 40% of companies already operate thousands of AI models, data mapping across those models is becoming a core privacy program function. The episode closes previewing upcoming coverage of Google's AI training lawsuit and the Hollywood writers and actors strike over AI likeness rights.

Transcript

**Jonathan:** Hey, Alysa, good morning.

**Alysa:** Hi, good morning.

**Jonathan:** Hey, good to see you. So, I'm in Colorado this morning, and it reminded me that everyone forgot about Colorado a little bit, because everyone's focused on California. So, I wanted to ask you, did they forget about Colorado? Does the Colorado AG think people forgot about Colorado? What's been happening in the enforcement world?

**Alysa:** Yeah, that's a good question. I was wondering whether you were in Colorado to go knock on the Colorado AG's door and ask. So what we saw last week, right, was a letter that the AG's office sent out saying essentially, hello everyone, be warned this law is effective and you need to comply with it, and that they had issued a number of letters to companies. I don't know that every letter — because who received the letter is not public — but in the press release they talked about prioritizing: are companies complying with attaining consent for use of sensitive personal information? Are companies complying with offering an opt-out for targeted advertising and certain types of profiling? So I think it certainly got some headlines and it's just a good reminder, post July first, that there are other states that have comprehensive privacy laws that are in effect and the AG's offices can enforce.

**Jonathan:** Yeah, perfect. So back to California. The California AG's letter and the focus on employees, I thought was interesting. Is that a priority area for them?

**Alysa:** Yes, well, so we had two developments in California, not to be outdone by Colorado's press release. The California Attorney General's Office issued a press release essentially saying that they were doing a sweep on California-based companies' employee privacy. At least from the press release, it doesn't sound like an investigation, more of a survey of how companies are addressing their employee privacy applications under the CCPA. So that was part one. Part two, we had the agency — right, not the Attorney General's Office, but the California Privacy Protection Agency — they had their first open meeting since that court decision that we had talked about last time. And they had the head — the new head of their enforcement, Michael Macko — essentially say, yes, there was the court decision and yes, we still have a statute that we can enforce and we will be. And they had talked about prioritizing certain things like children's data, notices — so there's plenty on the table to make sure that companies are compliant with. And I think it's also a good reminder that even if the regulations can't be enforced, the CPRA statute is actually fairly detailed on all of these obligations, and that wasn't affected by the court's ruling.

**Jonathan:** Okay, thanks. I find it fascinating — and this came up in the privacy workshop that we did in New York — this idea that the AG's office sends you a survey or says, hey, can I take a look at your risk assessment? How do companies think about replying to those things? Like, is it a safe harbor? Do you get in trouble by responding the wrong way? Like, do you have to do it?

**Alysa:** So anytime a state regulator asks you a question, ignoring it is at your peril. I think it's always more productive to develop a relationship and have a dialogue. I think with these surveys, at least they are set up as not an investigation. Of course, you want to put your best foot forward and you want to correctly and accurately describe what you're doing, but I think it's also a good motivator if you have not yet prioritized employee privacy — while you're focusing on other issues — that needs attention, and the press release was a good reminder of that.

**Jonathan:** How much time do you have to respond typically when they send these things out?

**Alysa:** You know, often it's like a month, and then depending on how extensive, you can always negotiate an extension, but ultimately — we'll see — I anticipate we'll see more press releases in August. If you recall, we had heard about the Sephora enforcement last August, so don't think that just because it's super hot and people are on vacations, there's not privacy news. So get your house in order, don't wait for the letter. A month is not enough time to figure this stuff out. Exactly — you want things in motion.

**Alysa:** So I want to flip the script a little and ask you a question, JJ, because I'm getting a question from clients really about privacy technology. And I'd love to know kind of the — what are the burning questions that you get from prospects and customers around what technology you offer and what do you think are some of the most important tools folks are really utilizing these days?

**Jonathan:** Well, there's a lot of blocking and tackling around slowdowns and data mapping. So we're still doing that. We've always done that. But lately, no surprise, ton of volume just around Gen AI. And it's early stages — there's people thinking about what do we need to do here? How do we think about this stuff? For example, Gartner's been out there on a ton of webinars, and they've been talking about how important personal data is to Gen AI models, and how having privacy-safe data can be an enabler of Gen AI. And if you don't have that — if you don't have your privacy house in order — then you can actually stop, block Gen AI initiatives, don't unlock the value. So, people are asking about that. How do we kind of tighten that up? And at Ketch, the way we think about it is basically there's a permission layer across your data, right? And it says, here's what you can do with it, here's what you can't do with it. The what you can do with it comes from privacy laws — different variations of consent, opt-in, opt-out — maps to jurisdiction. So, that's the start. And the idea is that you give people confidence to use it. One of the use cases is throwing it into Gen AI models, but then it throws up a bunch of other privacy-related questions, like DSRs. How do you execute a DSR in an AI model? If there's personal data that persists in the model, yes, you can pull it out. But if the model's being trained on that data, then do you remove it on the results as well? And do you retrain the model based on the latest set of data that you can use? And these are all questions people ask. I don't know if the law is super clear on that. As technologists, we're building a technology that helps you do that. But the law hasn't said, here's what we need to do, here's what you don't. Unless you've heard something there, Alysa.

**Alysa:** No, well, it's certainly developing and I think the reasonable approach is right now kind of the North Star — inputs, what you talked about, the data inputs — you have control over what is inputted. That's certainly a way you can honor DSAR requests. And then the outputs and really thinking about how the organization is using outputs of that data and whether you need to also do scrubbing. But in terms of the model itself, we've not seen any laws enacted that specifically say you need to untrain the model from that data. What we have seen in more general privacy cases, the FTC enforcement for example, where data practices were alleged to be really egregious — and the FTC's remedy there was the model had to be deleted. So I think we've seen some examples of if the data practices are not in order, what are potential consequences, but from a compliance, operational compliance standpoint, I think being reasonable, really thinking about your inputs and your outputs and your use case for the Gen AI tool is going to be pretty important and maybe fact-specific there.

**Jonathan:** Yeah, gotcha. And then people are extending this definition of sensitive and personal almost, and saying, well, there's business-sensitive data as well. And so the Samsung example really brought that to light — this idea that it's so easy to access Gen AI, and so easy to get company data and throw it against these models. And you saw at Samsung, somebody threw some code against ChatGPT. Right now it's on an external server. Now it's potentially public. So businesses are saying, does this definition of sensitive and personal extend to these other types of data? And how do we think about that? But it's very similar tools — tools for access control, tools for masking. And so, I think a lot of the privacy technology tools can apply there. And then the third one would be around model governance. One of the stats I loved from Gartner — they said forty percent of companies have thousands of AI models already. So, this idea of just understanding not just where the data is, but where the models are, and how to understand that data flows in and out of those. It's a data mapping exercise. So we're finding that a lot of these privacy tools have tremendous applicability to Gen AI. Everyone's talking about it.

**Alysa:** Yeah, no, I think that's where we end up going — at least the legislation on Gen AI and AI tools, it's really transparency around the models and good governance around the models. And so keeping track of all of the models you have and control safeguards that you have around that and who's monitoring. Interesting. So I'm sure we'll have more to come on that.

**Jonathan:** Yeah, for sure. And maybe we'll talk about this next week — but a lot of this news around Google getting — the Google lawsuit around, well, you had all this data that you applied to your own Gen AI model. Could you use it? Did you have the permission to use it? Like, the regulators seem to be really active on this front, and it seems like there's a new lawsuit every week — the Sarah Silverman thing, right? This is my trademark. Can you use it? The writers and actors strike in Hollywood was all about, can studios own your likeness? So it's fascinating. Maybe we can touch on that next week if it's relevant, but it seems like it's touching right where we are.

**Alysa:** Looking forward to it.

**Jonathan:** Yeah. Alright. Well, have a good week. I'll see you next week, Alysa.
