Colleen
Hi, Alisa. Hi, Max. Pleasure to have you on the privacy huddle today.
Max
Thanks for having me.
Colleen
Good to be It's exciting because, we are often remote for these, and what a pleasure to be in the Kelly Dry Podcasting Studio.
Just congrats on this amazing space,
Alysa
Thank you.
It is so fun to actually use the new studio and the new space.
Colleen
Well, we'll be here every month. We love it. Yeah.
Alysa
There we go.
Colleen
Well, of course, we are here because we had an amazing event this week with the Privacy State of the Union, right? Maybe our inaugural Privacy State of the Union because I thought it was great. We might have to try it again next week.
Alysa
Maybe not in a snowstorm, but Yes.
But I'm all for I'm all for
Colleen
having it.
We're gonna avoid the once in ten year snowstorm next time somehow because that is just too crazy. But it was a great event yesterday, a nice intimate setting of privacy privacy professionals, and we had a lot of great conversation. I thought the through line was very topical, Alissa, one that we haven't covered on the privacy huddle yet, which was children's privacy US requirements. Can you just set the stage on children's privacy as you see it right now? What are the things that privacy leaders should be paying attention to?
Alysa
So I think there's this hardwired, oh, under thirteen, that's all we need to worry about. We have that federal COPPA standard and the reason it was such a through line is because we have online safety. We have app store age verification laws. We have comprehensive privacy laws that deal with certain specific, considerations for children's data.
So I think we're really thinking through, if you're under thirteen, you've got a whole number of obligations federal and state but you have a number of obligations that kick in if you're under eighteen, under seventeen, under sixteen, depending on the state. So we've got jurisdictional considerations within the US depending on the age. You have some states that say you need opt in consent from the teen if it's a teenager or you need opt in consent from the parent.
You have some states that say you cannot even capture consent. You just cannot collect and use information for XYZ purposes. So you need to make that level of distinction. And then you have knowledge.
Knowledge fuels so much of this and I think that's another hardwired concept where actual knowledge was such a big one. And many companies would put their terms of use to say, oh, it's eighteen plus, I'm good. And what the App Store laws, the concept of that is starting to share knowledge. Knowledge of what is a good question.
But age signals, right, when the app store is collecting and verifying or estimating age and then passing it to the developers, developer now has information about age of a user.
It doesn't just live in isolation for the App Store laws. All these other laws we talked about, I think we really are going to be facing that challenge of, well, what do you have to do then now that you have knowledge?
Max
I have a question.
Alysa
Yes.
Max
Not that I advocate, but if an the developer stops to make an API call.
Alysa
Correct.
Max
But what if they just don't?
Alysa
So, you know, Texas law was the first one online and it got enjoined. So, of course, there's a lot of unknowns with what happens with these laws and litigation challenges to them. But you have an affirmative obligation as a developer, right?
So there's the legal obligation of what do you have to do and if you don't do that, is that a violation of law? But if you want the privilege of being on that App Store, that App Store has requirements because it is subject to certain obligations and your app may be kicked off. It may be, you know, and so that obviously has serious business impact. So I don't think you there's no luxury of I don't like this.
This is really burdensome. No, thank you.
Max
You always see it when this stuff happens. There's someone looking for a clever easy out. Yes. Sounds like we should skip that and get right to dessert.
Alysa
Yeah, I think that's about right.
Max
So we know the app stores are gonna show up with APIs to allow developers to get context about the age.
I've heard rumblings about other browser providers may be doing this, but it's it's it's not clear. That's all in the context of of obtaining age. We'll come to what you do with it after. But what about customers? Like, I I get into meetings and customers are like, wanna do age gating, which, by the way, I don't even know if that's the right terminology to use and maybe it's already stuck, but should customers be thinking about experiences where they wanna collect the age of the individual outside the App Store context?
Alysa
You're on notice, right? So I think the past maybe approach was I'm eighteen plus, as I said, and cover my ears and that was good enough because COPPA was really driving that or you're, you know, couldn't be that a large part of your demographic was or teens or kids for the comprehensive privacy laws. We hadn't seen enforcement on that issue yet. So there really wasn't an urgency to do something different. I think the difference here though is that, to your point, you can't just say, I don't want to play.
So you can't just say, I'm for eighteen plus. I don't Yeah. You still get the API call so you're still gonna get information and then you have an obligation if you have under thirteen data signals coming in or under fifteen or depending on the state. So I just don't think you can avoid the issue and then once you have some kind of information, we heard this kind of going out to the opt out context, the idea of if monetizing, getting some commercial benefit out of tying identity together in different contexts, then you can't ignore the compliance component to that. You can't say, I can't tie identity together for compliance, but I can do it for advertising.
We heard, nope, that's
Max
did come up and, you know, someone was very forceful about, well, no, no, my obligations are.
If they're logged in, I need to do X, Y, and Z, but it sounds like while maybe what it says, this idea that you can use it for benefit on one side but then maybe not for the privacy obligation on the other.
Alysa
So I think the real issue here is that is a moving target. You know, we have clear enforcement on the opt out side for the logged in status. So that's like one lever that we know has been pushed. I don't think we know that but I certainly think you've heard from regulators releases of XYZ identity graph and collaborations.
And so the kinds of questions they ask in these subpoenas are like, what information do you collect? Who do you share it with? How do you use it? And so it becomes pretty stark when you don't have an answer on one on the compliance side of it.
So I think it's an open question how far they push on that and how they interpret their laws.
Colleen
So knowing it's a moving target, I mean, how should brand leaders approach this from a tooling perspective, right? We had someone ask in the privacy state of the union yesterday, Okay, well, I see sixty eight age dating apps in Shopify, which one do I get? Or do I get this with my CMP? And it sounds like maybe some of those apps won't even meet the legal requirements.
Alysa
Well, I think there is this whack a mole, we're going back to that all over again, where like, give me the easy button. I want the easy button. There's not an easy button. The easy button was I don't want to even know or have any information about under eighteen.
That is not an option under these laws, kind of putting them all together. So then you get into what problem at different points am I trying to solve? I have to solve the App Store requirement. That means I get a signal and I have to do a specific something when I get that signal in.
Then I have this other problem I have to solve of I need to comply with privacy laws and they say I need to do certain things with data based on geography and age. So you've got some complexity there. Consent may be a part of that but it's, you know, we talk about that. It's not the banner, as soon as you say consent, everybody's thinking cookie banner, there's a consent component, but it's not the cookie banner. It is what are you doing to get consent in the right way from the right person? And so you've got those two components.
And I think looking at it in the context of what am I collecting already? What do I need to comply with? Knowing that's not necessarily settled for every component, doing the best you can at it. And when you're looking at vendors that are gonna help you, what is it that they're doing to support these things versus giving you something you may or may not need in addition to things that you do need? And I think it's this age gating widgetization that I'm a little like, be careful because what a tool provider shows up with in the context of age. Great. I'm gonna build a widget that tells you, you know, the age band and then what?
Alysa
Right.
Max
Well, I've got this other machinery that's controlling the nature of the data I'm collecting and using. Either those two are gonna have to be integrated or the CMPs are gonna have to show up and build software to solve that problem.
Alysa
Right. I think that that's right and I think when you're stitching this all together, the challenge for, let's just say, the business who's using these tools, there's not consistent transparency around what these companies are putting up. We saw with the App Store laws, you know, the different platforms, some of them, not all, were putting out information in drips and drabs and it kept changing. And I think, you know, if you get a letter by a subpoena and you have to answer it, you're now trying to comb together what information you have to be able to defend that your practice has complied with the law.
Max
Sounds brutal.
Alysa
It's doable but it's going to take time and we're in choppy waters right now
Colleen
on that.
Yep. Well,
Alysa
that.
Colleen
Yep. Well, we'll see what twenty twenty six brings us on this topic. Folks, I know you have questions because we had a room full of people yesterday that had questions on this topic of children's privacy. So please drop them in the comments, because we'd love to keep unpacking this as the year goes on.
Max and Alisa, thank you so much for chatting on
Alysa
it.
It's good to be here.
