CLA Annual Privacy Summit Hot Topics

Coming to you with the latest privacy hot topics from a quiet corner (read: not so quiet) at the California Lawyers Association Annual Privacy Summit.

Summary

The California Lawyers Association Annual Privacy Summit revealed a notable shift in tone: enforcement is no longer theoretical, and regulators are scrutinizing not just brands but also the vendors they rely on. Recent enforcement actions have exposed cases where brands depended on privacy vendors whose tools didn’t actually deliver on compliance promises — raising questions about vendor accountability in the ecosystem.

A key theme is that legacy consent management platforms (CMPs) often fall short of current US privacy requirements. Many were designed around a "cookie banner" model borrowed from the EU, but cookie banners are not required in the United States. What US state privacy laws demand is opt-out compliance: honoring consumer choices on the back end (actually stopping the tags and data flows the consumer opted out of), not just collecting a signal in the browser. Architecture matters: where and how consent is stored determines whether it can be audited, and a record that lives only in a browser cookie is ephemeral and cannot be collated for a regulatory inquiry. Companies need vendors that can produce compliance records, including counts of opt-outs received, on demand. Record-keeping obligations are becoming critical as enforcement and plaintiff litigation ramp up.
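The back-end model the summary describes (opt-out honored server-side, consent stored so it can be audited, records producible on demand) can be made concrete. The Python below is an added example written for this page; it is not Ketch's product or any CMP's code, and the record fields, purposes, jurisdictions and the scenario in `demo()` are constructed assumptions.

```python
"""Added example: a minimal server-side opt-out ledger.

Illustrative code written for this page, not Ketch's product or any CMP's
code. Record fields, purposes, jurisdictions and the demo() scenario are
constructed assumptions.
"""
from __future__ import annotations

from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class OptOutRecord:
    subject_id: str    # hypothetical stable consumer identifier
    purpose: str       # hypothetical processing purpose, e.g. "sale_share"
    opted_out: bool    # True = consumer opted out of this purpose
    source: str        # hypothetical: "banner", "browser_signal", "request_form"
    jurisdiction: str  # hypothetical: state whose opt-out rules were applied
    recorded_at: str   # ISO 8601 UTC timestamp


class ConsentLedger:
    """Append-only, server-side store of every opt-out/opt-in event.

    Nothing here depends on a cookie surviving in the browser, and every
    record for a consumer can be exported without an engineer querying a
    database by hand.
    """

    def __init__(self) -> None:
        self._records: list[OptOutRecord] = []

    def record(self, subject_id: str, purpose: str, opted_out: bool, source: str,
               jurisdiction: str, when: datetime | None = None) -> OptOutRecord:
        when = when or datetime.now(timezone.utc)
        rec = OptOutRecord(subject_id, purpose, opted_out, source, jurisdiction,
                           when.isoformat())
        self._records.append(rec)  # never overwritten: the history is the audit trail
        return rec

    def is_opted_out(self, subject_id: str, purpose: str) -> bool:
        """Latest record for (subject, purpose) wins. Default False: under the
        US opt-out model processing is permitted until the consumer objects."""
        latest = None
        for rec in self._records:
            if rec.subject_id == subject_id and rec.purpose == purpose:
                latest = rec
        return latest.opted_out if latest is not None else False

    def history(self, subject_id: str) -> list[dict]:
        """On-demand export of every record for one consumer (e.g. for an inquiry)."""
        return [asdict(r) for r in self._records if r.subject_id == subject_id]

    def opt_out_count(self, purpose: str | None = None) -> int:
        """How many opt-out signals were received, overall or for one purpose."""
        return sum(1 for r in self._records
                   if r.opted_out and (purpose is None or r.purpose == purpose))


def allowed_downstream_actions(ledger: ConsentLedger, subject_id: str,
                               actions: list[tuple[str, str]]) -> list[str]:
    """Back-end gate: keep only the tags/data transfers the consumer has not
    opted out of. `actions` is a list of (action_name, purpose). A banner-only
    setup never performs this check, which is why tags keep firing."""
    return [name for name, purpose in actions
            if not ledger.is_opted_out(subject_id, purpose)]


def demo() -> dict:
    """Constructed scenario with hypothetical identifiers and timestamps."""
    ledger = ConsentLedger()
    t0 = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)

    # A California consumer opts out of sale/sharing and targeted ads via the banner.
    ledger.record("user-123", "sale_share", True, "banner", "CA", t0)
    ledger.record("user-123", "targeted_ads", True, "banner", "CA", t0)
    # A Colorado consumer's browser sends an opt-out signal for sale/sharing.
    ledger.record("user-456", "sale_share", True, "browser_signal", "CO",
                  t0 + timedelta(minutes=5))
    # Next day user-123 re-enables targeted ads only; sale/share stays opted out.
    ledger.record("user-123", "targeted_ads", False, "banner", "CA",
                  t0 + timedelta(days=1))

    # Tags the site would normally fire, with the purpose each one serves.
    actions = [("analytics_tag", "analytics"),
               ("adtech_pixel", "sale_share"),
               ("retargeting_tag", "targeted_ads")]

    return {
        # Failure mode: the banner recorded a choice but nothing consults it.
        "without_backend_gate": [name for name, _ in actions],
        "user123_allowed": allowed_downstream_actions(ledger, "user-123", actions),
        "user456_allowed": allowed_downstream_actions(ledger, "user-456", actions),
        "user123_history": ledger.history("user-123"),
        "sale_share_opt_outs": ledger.opt_out_count("sale_share"),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The gate is the part that matters: the banner click only produces a record, and the record only has effect because `allowed_downstream_actions` consults the ledger before each tag or transfer runs. `history()` and `opt_out_count()` are the two questions the speakers say regulators and plaintiffs ask first; with a cookie-only design neither can be answered after the fact.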

The DELETE Act and California’s data broker regulations are also top of mind. Data brokers are broadly defined under the law, and the “drop mechanism” — a deletion obligation enforced via API — takes effect August 1. The definition is expansive enough that many companies not traditionally considered data brokers may be swept in. Developer documentation for the API will be available only through approved data broker accounts, creating a lag for CMPs trying to build integrations. Companies should be preparing now, as the data broker regulatory model is expected to spread to other states.

Transcript

Colleen

Hello, everybody. It’s Colleen again, head of marketing at Ketch, and we’re back with another episode of Privacy Huddle. A little different this time because we are sitting in a quiet corner at UCLA for the California Lawyers Association Annual Privacy Summit, and I’m here with two of my favorite Privacy Huddle guests, Céline and Max. Welcome, guys. Hi.

Max

Thanks for having me again.

Céline

Thanks for having me and letting me sit in for one of your normal guests.

Colleen

Celine, you know we love you.

Céline

I know. I love you too.

Colleen

Well, it’s such a pleasure to be here with these two.

It’s been a packed two days at the California Lawyers Association Annual Privacy Summit. We thought we’d take a quick break to just talk about issues that have been top of mind. Céline, let’s start with you. What’s the vibe been? Serious, I think.

Céline

People are really starting to dive deeper into some of these topics, and it feels like the enforcement is starting to bite. So between that and just the general, you know, elephant in the room, the biometric litigation, the wiretap litigation, these are issues that people are really stressed about. It’s a lot of stress for people to speak to, you know; it’s a precarious and lonely position, holding the bag as the company’s privacy owner. But for the first time ever, it was really obvious that the enforcement folks are not just thinking about brands and their accountability, but vendors and how they participate in the ecosystem as well.

Yeah. And what was really interesting is hearing all the chatter behind that, from people saying there’s a real issue here, and it needs to be addressed.

Max

When we look at the last few enforcement actions, brands relied on vendors and there were issues. There’s a lot of chatter around that.

Colleen

No doubt. And a lot of the hallway conversations have just been around what the US regulators are focused on and whether there is a CMP that can meet these requirements. Is there something out there that can do it? You know, Max, in our work at Ketch, we talk to a lot of companies that are using other privacy vendors. There are a couple of big legacy ones that have a lot of market share. What’s been your take from today?

Max

It’s interesting. Like, a big theme for me was listening to the enforcement speakers. And there were a lot of them. There’s a lot of enforcement people here. And a big theme was what we’re calling, like, the fitness gap. Most of the solutions in market were built for one use case, GDPR compliance with cookie consent, and then it was kind of adapted for the US market. But the US market is a fundamentally different use case. And this is something that we talk about at Ketch pretty frequently.

But to hear an enforcement organization say, we see your banner, but we can see on the back end your tags are still firing, or we see that you presented a choice, but you never actually dropped the cookies or you never actually stopped the data flow. And to hear that very clearly from the front of the room, that enforcement now has really good technical posture. That’s scary and amazing. And I think the lesson for a lot of companies is, you know, when you talk about enforcement, one of the first things that you’re going to look at is what tools you have in place to show that you’re in compliance. And a lot of them are gonna come to you and say, yeah, actually, it didn’t work at all.

I had to write all the code to make it happen, or I’ve been using it, and it’s actually never worked.

And what’s the difference with Ketch? They just showed you. It actually works. But it’s a very, very hard leap for them to make after being burned for seven-plus years with other vendors.

Céline

I’ll add one thing there, because I think there’s something we talked about that’s really important, which is that when you’re looking for that vendor, you really wanna be thinking about what you can actually do, but also the record-keeping obligation. That’s something that not everybody is doing. And as we ramp up in enforcement and plaintiff’s litigation, by the way, you’re gonna be asked for the number of opt-outs you’ve received, that kind of thing. It’s really very important to make sure your vendor is telling you what they can do.

Max

It’s interesting. You know, the record keeping. The hard thing about that is most people don’t ask the question “can I see one of my records?” in the RFP process. They sort of take it for granted. And what they find out once they’re in and one of these things happens is, wait a minute, the record was stored in my browser.

Or the record was stored in a way that’s not efficiently accessible, because it would have to be pulled out of a database by an engineer. Things like that are very difficult to discover in an RFP process and something that we pay a lot of attention to. So, you know, anyway, I think the lesson for me from the conference was a lot about the fitness gap. It’s a real thing, and the enforcement speakers are saying the quiet part out loud.

Colleen

Yeah. Céline, I also heard you talking to a few people about just the general consent management challenge across the US. You know, there are about twenty states now with comprehensive privacy laws. Companies need to serve up the right consent experience and opt-out experience for each consumer based on the state they’re in. What were you telling people about that?

Céline

I think the challenge, and it’s not an easy one, is that, you know, the US model is very, very different from the opt-in model that we have in Europe. That’s a fundamentally different legal model. And a lot of the companies are really still applying their European model in the United States.

And what I mean by that is when you ask the question, why do you have a cookie banner? When someone says, I have a cookie banner because I need it for, you know, European compliance, PECR, things like that, that’s an acceptable answer.

But a lot of folks are saying, well, we just have a cookie banner in the US because that’s what our CMP does, and we’ve been told that that’s what you need. And that’s not really adequate, because of the whole thing that goes on on the back end. And so I think it’s very frustrating to see basically a repurposing of tools that were created early on and that are now being thrust on companies, often unknowingly. They think that they’re complying. And that’s a real problem, because not all companies have forty people on their global privacy team.

Some have zero. And so when you’re implementing your tools, especially when you’re a smaller company, you really need to think about whether you’re just being given some kind of plug-in that’s not adapted to what you need to do.

Colleen

Max, I think you should double down on that for folks watching, from an educational perspective. Other CMPs, you’re saying, collect the opt-out signal. They store it in the browser, usually, and that’s not enough.

Max

Frequently. Yeah. I mean, there are a lot of failure modes. One is where you store the consent.

That has implications on the auditability of it. Right? So if you’re storing consent in a cookie, it’s ephemeral by nature, but also it’s very, very hard to collate for the purposes of a regulatory inquiry. Right? So if someone in your former chair were to say, “can you tell them what’s going on?”, it’s not that you can’t, but you don’t have a copy of it.

That’s one failure mode. And another failure mode is just in the architecture of the storage for the consent. It’s not that every CMP doesn’t store it. It’s that in the way you store it, it has to be readily fetchable.

So if you have to make a phone call to your account executive to collate all the information about an individual for the purposes of a complaint, that is operationally inefficient and takes a lot of time. So there are architecture decisions that you can make in the building of these products that lend themselves to use cases like that, and that’s the kind of discernment that you need to have when you’re in the RFP process. If you approach this problem from “I just need a cookie banner,” you’re gonna get exactly that. And I think that’s the lesson learned.

This is not a cookie banner.

Céline

No. Cookie banners aren’t required in the United States. We have them because of CIPA litigation. That’s a different story. But your opt-out model for California and other states, you should be very clear about. This idea of just taking something that works in another jurisdiction with a completely different requirement is really kind of mind-boggling to me.

And the last thing, of course, is enforcement is really ramping up. We’re seeing letters, inquiries all the time. These are regulators who know what they’re doing. They’re smart. They have bigger teams, more technologists, so you need to be able to tell your story.

Colleen

You know? Absolutely. This conference has certainly stood out to me as one of the first ones where not only are we talking so much about recent enforcement, but we’re talking about what tech is available. I think we’ve got time to tackle maybe one more issue. Céline, I know you attended a really interesting session today about the DELETE Act. What should folks know?

Céline

I think this is really important. The DELETE Act is basically the data broker law in California, but it has the drop mechanism, basically a deletion obligation for data brokers. Data brokers are very broadly defined, and the potential penalties, come August first when the drop mechanism goes into place, are really potentially very high. Now, one thing that’s really interesting is that we always think of a data broker as, you know, your typical data broker reselling information.

They are going to need to be able to implement the API and make sure that they can honor the drop mechanism. But more companies are going to be data brokers. So they’re gonna have to think about that. And one of the questions that I thought was really thoughtful from you guys was, when are we gonna get to see this information?

Because when you have a CMP that’s doing this right, you really wanna be able to layer the different obligations, whether it’s opting out, deletion, whatever, in a kind of seamless, frictionless way. So I don’t have the answer to that. Interestingly, the developer documentation essentially will be in the data broker’s account. So what’s really interesting is that right now it’s not publicly available. So I can’t go and see what the questions are for data brokers, and you have to have your account approved. Liz Allen just specifically called that out. So I’m hoping that those materials come out soon so that tools like Ketch can actually help you. So I think that’s gonna be an interesting area.

The data broker fever is really gonna spread to other states.

Max

I appreciate that.

Colleen

Thank you. No. Sure.

Max

I’m serious. It’s one of those things where, you know, there’s a new requirement that comes out and brands are scrambling: how am I gonna comply with it? But they depend on the vendor, who doesn’t get much time either.

Céline

No. And I think it’s important to think that the agency is working on it. I know that they’re making updates, and I think there was originally an April deadline to have all that information about the API. So hopefully that’s the case. And then August first is really the date that people need to be thinking about. Got it.

Colleen

Well, thank you both for joining me on this episode. Always a pleasure.

Céline

Thank you for having me.

Colleen

Absolutely. Folks, thanks for joining us as always. Any questions, drop them in the comments and we’ll tackle it on the next episode.
