Hi, folks. I'm Colleen Barry back with another episode of the privacy huddle. If we don't know each other, my name is Colleen. I lead marketing at Ketch, a data privacy software company.
And the privacy huddle is our weekly series where we talk about privacy industry trends, topics, headlines of all sorts. I am so thrilled to be here today with two guests on the huddle line, friends, Max and Ezra, and we're excited to chop it up about some new trends and old trends and what privacy leaders are currently grappling with. So let's start with some intros. Ezra, what a pleasure to have you here on our little show.
Please tell the audience who you are.
Thank you so much. It's great to be here. My name is Ezra Sternstein, and I lead the privacy, cybersecurity, and consumer protection legal functions at AMC Global Media.
We are a company that makes content, you know, Breaking Bad, Walking Dead Universe, Mad Men, Better Call Saul, and so on.
The list goes on.
I love it. Big job at a great company.
I just want to add one thing, which is that I am speaking on my own behalf and not on behalf of my employer or certainly on behalf of the Attorney General of the State of New York or any other state.
Max, some of our viewers know who you are. You're a familiar face, hopefully a comforting face.
Tell us who you are.
Hi, guys. I'm Max Anderson. I'm one of the cofounders and head of product. Good to be here.
So, Ezra, back to you. You're a new guest on the show, and I would love to hear just a little bit about your background. Privacy is a discipline that many folks stumble into. It's not always a straight and clear path; it's winding. What first got you interested in privacy, and how did you end up here?
Well, I definitely did not take a direct path to privacy. I started off my career after law school at a big law firm in New York City, and I enjoyed law school, so I went into litigation, which to me felt like the natural progression afterwards. And I was doing litigation at a big firm for a number of years, and in my sixth year or so, my mentor pulled me aside and said, you know, if you want to have a strong future here, you should start thinking about a specialty. Up until that point, I had been a generalist, and that's actually what drew me to the firm, because I didn't know what I wanted to do.
I had no idea, except that I had to pay off my student loans. That I knew I needed to do. And so I started looking around, maybe what I should have done after law school: what area was really interesting to me?
This is around the time that the GDPR was being considered and passed. It hadn't been brought into force yet.
But other things were starting to burble up, and all of a sudden there was Cambridge Analytica. And then California started getting into the regulatory game, it seemed to me that there was this opportunity for me to get into privacy. It felt like I had a stake in it as a person with data that I didn't really have in any of the other areas of law. And so, I started thinking, okay, how do I get into this?
At this point, I'm an eight-year big law litigator generalist, and my firm did not have this practice. But I was lucky enough to get a job at the New York Attorney General's office in the Bureau of Internet and Technology, which is called BIT. And BIT is the smallest group in the New York Attorney General's office.
There were seven or eight attorneys when I joined. And it's focused, and still is focused, on enforcing New York state and federal law concerning privacy, cyber security, consumer protection. Obviously, no comprehensive law in New York, but through general consumer protection statutes, stuff like the FTC. I was there as a regulator, as an enforcer for four and a half really wonderful years.
And then when I started looking for, okay, what's my next job? Now I have this privacy background, or at least background in the substantive area, so how do I transition? And I was really fortunate to get a job at AMC doing what I'm doing now.
I love it. What a cool background. From outside counsel to regulator to inside on the brand side. When I think about privacy trends right now, you can't get away from all the enforcement headlines, right? And when you think from the regulatory side with that old hat on, what do you think a lot of brand leaders are overlooking or missing today?
That's a good question. I don't know if misunderstanding is the right word or if misalignment is the right word. But one thing that leaped out at me in some of the recent settlements in media, particularly Disney and Sling, was this: it was very evident that these companies had posited as a defense to the regulators, "We don't have the right technology."
We have problems with our vendors. We have technical limitations. We can't propagate this opt out in the way that you want us to. We just don't have the ability to.
And the reason that we know that this was the defense in those cases is because it's in the settlement agreements. The attorney general says, the company says that it could not propagate its opt out because of vendor limitations, but its ad sales department didn't have that problem. It's almost a laugh line in these. And so, I think that one of the things that privacy leaders may have thought, but certainly don't, or shouldn't be thinking anymore, is: if I come close, if I don't have the right tools, but I have a story to tell, I'm not strictly complying, but I have some story and I can blame someone else, then maybe that's a story that I can tell the regulators.
And I think what is very clear now is the regulators don't want to hear that. They want you to comply, and this was certainly the case when I was in the Attorney General's office. The view is this is the law, and don't come and tell us that you can't comply with the law. You have to find a way.
Absolutely. Given your background at the AG's office, what do you think the likelihood is of, at some point, enforcement being focused on vendors, whether it be incident capabilities or claims that are being made about the capabilities that may not be true in real life?
Those are two different things, and not legal advice. This may be near and dear to your heart as a vendor in this space. But for the capabilities that you're offering to your customers and any vendor who's offering to their customers in this space, I think it's very unlikely that any regulatory authority would be probing the vendor. I think it's the business' responsibility, first and foremost, to do due diligence on the vendor, make sure that they can operate in the way that the business wants or needs them to operate, to handle their data.
And in most cases, the vendor is contractually required to honor the business' directions unless the directions themselves are unlawful. And the business is in the best position. They know their own data. They know their business.
And they are or should be advised by good lawyers who know how those laws apply to the business and to that data. And so I think for the most part, I think it's very unlikely that anything like that would happen. Of course, if you're not truthful about what the capabilities are, that's a different claim, and that, to me, is a consumer protection issue. We've seen in New York some cases, actually, where businesses, not just consumers or individuals, but businesses themselves have been the consumer for purposes of enforcing those laws.
We've seen that in AI space, where AI companies and some startups are not necessarily truthful or are over exaggerating their abilities and their claims.
Software?
Who would have thought? So you do have to be truthful in what you can do, but as long as you are truthful, I don't think that the attorney general should be too much of a problem, given the business' processing of their data.
It's interesting. We've been in software for a while and formerly more marketing and ad tech. And so the nature of the problems that you're solving and the unfortunate reality of the software game is that there's a lot of... the ratio of claims to pay down is a little bit out of whack, unfortunately, in most software categories. But the stakes don't seem as high if you're slinging ad tech software, whereas the nature of a privacy software company and the nature of the kinds of things that happen when things go, you know, correctly, there's a couple of vendors that are most commonly involved as the provider in a lot of these suits.
And so it just strikes me as more likely that given the nature of what's happening in the category, that there would be some spillover into an unfair, deceptive business practice type investigation just because, hey, I'm enforcing against all these companies, and there's a common element in all of these enforcements. I wonder if I should go tell Bill over there about this thing. I'm just wondering, does it work like that?
Is that completely far fetched?
The regulators are going to be more focused on the consumer as an individual. Right? That's their mission, is to protect the residents of their jurisdiction. And so, to the extent that a vendor has a business in between it, and the business is the one interacting with the consumer, I do think it's unlikely. Not impossible, obviously. But that being said, anyone can read these settlements, anyone can see what the California regulators thought of Disney's argument about its software suite, and smart and knowledgeable people can read that and figure out that maybe there's some space here to iterate or to improve and to get to, and help businesses get to, a place where they can satisfy the regulatory enforcement.
Of course, if you tell the business that you can do it, and then the business is not doing it because the software can't do it, maybe there's indemnity issues in the contract. That might be some way that a vendor could wind up... falling victim to that unfortunate claim-to-pay-down... Yeah.
Exactly. All of a sudden, no. The business says, well, I thought this was happening because that's what... Here's all the communications where the vendor assured me that this was happening that way.
They're, you know, gonna indemnify me for these claims that I'm receiving because we're not doing it. So that's also, I guess, a potential avenue that I can see. I don't mean to scare you. I feel great.
I mean, look. Back to your point, Andrew. I just can't see it happening.
And we hear on so many regular panels at these conferences, they consistently reinforce regardless of what your vendor is doing, you are on the hook.
Yes.
I think that's because they care about the consumer and they step into the consumer's shoes.
The closest I've heard to them intimating any kind of looking into the vendors is we have calls for comments and you're welcome to submit those thoughts there.
A few murmurs at CLA this year, and I'm... Exactly.
Fixated on this idea. I'm just wondering, is that really possible? I mean, it would be an interesting outcome, but of course, I would ask someone who's got experience to opine more effectively than I can.
Oh, we'll see. The industry is really going through this evolution of going from privacy as cookies and cookie banner and web form to a more data-driven and complex problem. I think one of the common themes and threads we see there is, of course, identity and the concept of identity management and privacy. Let's talk about identity for a moment as it relates to privacy next. Can you break down what we're seeing in the settlements as far as what problem the regulators are suggesting the brands fix?
Yeah. I think the first one is relatively obvious and easy. It's the idea that you make a choice on one of the devices that you use, and it should be reflected, respected, etcetera, on the other devices that you use to engage with that brand. There's, of course, a lot of nuance around whether or not the individual is logged in, and we can dig into that if we choose.
But that's requirement one. And I think the other one that may not always be pegged as an identity requirement is the opt out of sale invocation coming from a form that has no impact on the trackers, the cookies, whatever you wanna call it, beacons, network requests, etcetera, for data collection. And the lack of connectivity between those two things, of course, buttresses this frictionless requirement, but it's in and of itself fundamentally an identity issue for a lot of boring reasons that we can unpack. But that's the number one misunderstood thing in the identity arena: not just cross device, but there's a frictionless expectation that is hindered by a lack of identity behind the scenes.
Ezra, how are you thinking about identity as a kind of tenet or responsibility within your privacy program?
I sort of see our role in privacy as being a conductor of the orchestra. Right? We're not the soloist. Identity is going to be defined by the product team and the business team because they need a product that works, and they need a product that they can monetize.
And they're gonna have some identity layer that is gonna be defined, at least at our organization. Yeah. And it's not my decision to make. At least I don't feel that way.
I don't feel like I should be telling the business, you need to have this identity or this identity, or you need to link people in this way. The business is gonna tell me what they wanna do. And then my job is to work with them and to counsel them on, okay, well, if you wanna do it this way, then these are the issues that are likely to arise from that.
And if you wanna do it this way, then these are the issues that get solved, and these are the other issues that arise, and we have to work through that. But there's a lot of different identities. Identity by email address might be one. Or there might be some string of numbers that it uses as its identifier.
And that's gonna depend on, I think, what the product team is telling you is gonna be the one that doesn't make the app crash. You're not gonna monetize anything that doesn't work.
So that's how I see our...
Role. Yeah. And so as you talk about that, working with the product team, working with marketers, digital, whoever, the cross functional collaboration is equally important, right, to make sure that they have the trust in you to share with you what they're up to. How do we make sure that that happens on a regular basis?
I like to think of ourselves as nimble. There are media companies that are orders of magnitude larger than we are. We're still a small ish organization in this industry. And at least for me, it's easy enough to set up a meeting or to get a call with the right people.
I've been there now for three years. I know who the right people are. I know who reports to the right people, and that's really how I do it anyway. Just get the right people on the call.
We have processes also. Right? We have intake forms. Okay, you wanna do something new or do something different, you have to fill out this form that explains to me what the data is and what you're gonna do with it and how you're gonna use it and who you're gonna send it to, and then we can have that conversation about what needs to get done, what issues arise from that.
I'm very fortunate, I think, in my position where I don't have a whole lot of layers to go through in order to reach the decision makers.
I'd love to touch on one more topic with you, Ezra, which is these recent amendments to the CCPA, right? We saw the new amendments come out on risk assessments, ADMT, and then cybersecurity. That last one in particular is new territory for many privacy pros, but for yourself, maybe not, since that is under your purview at AMC Global Media. So I'd love to get your perspective on how you're looking at handling these new amendments, and maybe advice to privacy pros that haven't typically had cybersecurity under their purview. Right? Something new to deal with.
Yeah. Definitely. So as I mentioned at the outset, I think I do also lead the cybersecurity legal function. And during my time at the attorney general's office, one of the responsibilities that our bureau had was to investigate.
We would receive all data breach notifications. Our department was the one that intook those. As you may know, all fifty states have data breach notification laws. Usually, you have to report to the attorney general of that state, and so that was our bureau.
We were then charged with investigating those. So I do have a number of data breach investigations, cybersecurity investigations under my belt. So that is very helpful background. And I understand not all privacy practitioners who practice sort of pure privacy may have that.
That being said, there's always, I think, been a bit of a Venn diagram between privacy and cybersecurity. There's some overlap. Those circles are squashing together now with these amendments. It's really long.
It's very exhaustive. There's five or six pages of very specific, very prescriptive requirements that the business needs to analyze. I think the question that a lot of companies may face is, well, who is responsible for this? It's a privacy law, but it's a cybersecurity aspect, and there's an audit component.
Yep. So as a public company, I think most public companies have some sort of audit function already built in that you may be able to leverage. There's requirements in the statute about who the auditor needs to be. Obviously, any company's mileage may vary with their own internal audit.
But some companies may not have any audit function. Private companies, small companies may rely on an external auditor, and it's going to be very costly to do this. This may not be something that they've done. The challenge for the privacy practitioner, particularly if they're the one charged with this because it's the CCPA, is to become more educated in cybersecurity generally, but also in how your company handles cybersecurity and handles data protection with respect to personal data.
And I think the two pieces of advice that I have at this moment, and it's still early, the first audit isn't due for another little less than two years now, is, number one, you need to have a data map. You've got to know where your data is and what systems store what data, because not all of your assets and databases may even be in scope for this. If they're not handling Californians' personal data, they may be mission critical to the business... Yep.
In some way, but they're not part of this. So you need to have a data map and know what you actually need to look at. Number two is to become really good friends with your CSO or whoever else holds that security operations function at your business. Who's in charge of cybersecurity?
Who knows what the company is doing? Who's engaging those vendors? Who's doing the pen test? That person is gonna become your best friend in 2027 if they're not already.
So start that. Buy a coffee. Do something to get them on your side.
I'm curious on that topic.
Certainly, I subscribe to the idea that privacy and security probably will merge both in the kind of practitioner side, but also probably on the software kind of vendor side. I'm wondering with these new requirements, are you trying to piggyback on existing patterns or plays that are run by the security team? If you are, are you seeing amongst your peers kind of gaps in those areas, or just how do you fit these two things together? Because at least as a market watcher and just someone participating in the community, there's a lot of stuff that security vendors who facilitate, you know, pure play security driven testing assessments, etcetera.
Those requirements are filled in large part. There's maybe a few exceptions in very privacy centric nuances. But are you thinking about kind of piggybacking, or are you thinking about there's a huge gap?
Like, I'm fascinated to see where the market decides they're going to go from a tooling perspective in this space.
Yeah. So I think it's still too early to know exactly. I think the first question you need to ask your CISO, your new friend, is what are we already doing? Because you don't have to reinvent the wheel.
Yeah. And but the law is very clear. To the extent that you're already doing something that meets the requirements of the statute Sure. You can repurpose it.
So you have to conduct a gap analysis of what are you already doing versus what do you need to do. Is there even a gap?
Probably, again, depends on your company, but your company is looking at a lot more in terms of the assets and in terms of the databases that they need to secure than what you may be interested in.
But there also may be things that are very important from a CCPA perspective that the security team doesn't think are necessarily as important as some mission critical asset. And those are the pathways that companies need to start navigating soon, I would say, because, you know, especially if you're gonna be auditing yourself over the calendar year of 2027... Yeah. Nobody wants unwelcome surprises in 2027.
And we have some runway now. And I know it's hard. It's hard for anyone. It's hard for me, with age assurance laws and settlements coming, you gotta read all the time, and new states passing amendments.
It's a very rapidly changing landscape, and it always has been and it continues to be.
But this is something I think that companies will ignore at their own peril.
I think we hear generally, related to the cybersecurity assessment, get a data map in place.
Yeah.
Max, I'm curious from your perspective as a builder, has this new amendment made you rethink the way you're thinking about the data map product or expansion of it? Because I imagine as a builder of privacy software, you maybe never thought folks would be coming to you saying, how can you help me with my cybersecurity assessment? But now maybe they are. Does it change the way you think about the evolution of the data map?
Yes and no. I think yes from the perspective of these requirements are quite a bit more robust than we previously contemplated. We've always felt that there's a convergence and an overlap, as you mentioned, between privacy and security. The practices in place for how you secure information and the processes that surround access controls and things like that, those manifest in these requirements, we've always contemplated those.
But the rigor that's going to need to exist around auditing those particular things, it starts to bleed into a totally different software category. And I actually don't know how those things are fully gonna fit. I think if we were gonna go and do every single thing as listed, yeah, there's stuff that hasn't been contemplated probably for any privacy vendor, and that's where this privacy security software category partnership overlap problem gets a little bit more interesting. And so I think I've always felt that the security space will join the privacy space.
We've already seen that with security AI and Veeam, maybe for different reasons, but I expect that there's gonna be a lot more partnerships to fill this need, and/or the burden is gonna fall on folks like you to kinda stitch it together.
That's nothing new. That's why I got in. I feel like that's why most of us did.
So, yeah, I'm excited about that, actually. I mean, just like you can be a builder, but you can also just kinda watch the market unfold. And I do think that this is just another catalyzing event that will make pure play security companies think, oh, this privacy thing we've been talking about, it's interesting. We need to figure that out.
It's only gonna bring those two categories closer. And, of course, there are gonna be vendors that may claim to support all of the things under the sun. I think privacy pros over the last seven, eight years have realized the one-stop shop for every single thing humanly possible has downsides, notably in depth and expertise in each of the discrete categories. And that's why you see cookie banners that are in, you know, a broad portfolio of products are woefully insufficient.
I don't know the answer, but I do think that it's gonna cause more convergence in the space.
Well, as you said, Ezra, moving fast. Time will tell. Who knows? We all signed up for an exciting journey here.
That's right.
Well, gentlemen, it's been a pleasure talking with you both today. Really appreciate you coming on the privacy huddle. Max, as always, thank you. And, Ezra, thanks for joining us for the first time.
Appreciate you having me.
Thank you.