**Jonathan:** Alyssa. Happy New Year.
**Alysa:** Happy New Year.
**Jonathan:** We talked a lot last year about data brokers. Kinda left towards the end of the year with some of the decisions about to be made in California. Can you give us an update?
**Alysa:** Yeah. We left on a cliffhanger, and, of course, we were thinking, oh, administrative law, the normal cadence would be not effective until April. Well, we had a nuance there where we said it's always possible the CPPA could file a petition with the office of administrative law making the case for why the new data broker rules, the expanded definition had to be effective immediately. And in fact, that is what they did. They didn't post it publicly. We had filed a FOIA request, and they had made that submission. And so the new expanded definition of a data broker, it is effective currently, and so the requirement at the end of this month applies. And what is more is California's expectation that data brokers are gonna have to disclose metrics from before the law even had this broader definition, so going back in time. So I think a lot of companies are doing some scrambling to determine whether given this new broader definition, one of the priority areas of enforcement is, are you a data broker? Have you registered? That's a yes or no question. We saw at the end of last year, the CPPA really cracked down on data broker registration. We saw four enforcements, and that is only likely to continue in 2025.
**Jonathan:** Now, Lisa, can you help me with this broader definition of data brokers? We're not just talking about companies that sell third party data. We're talking about everyday marketers that we know and love, products that we buy off the shelves, right, and their use of third party data for advertising. So if I run through a few examples, firstly, let's just say you're relatively data poor. You don't have as much first party data. You're a consumer goods company. You don't see who actually buys your stuff. Right? The retailer gets that. And so what you do is you buy a huge amount of third party datasets, and then you use that to build an audience, omnichannel across Facebook, Google, wherever you are, and then use that for targeted advertising. Does that make you a data broker?
**Alysa:** If it has California data in it, then yes, under this new definition because think of an a plus b equals c. A, you purchase third party data. B, did you sell third party data? And the facts matter, but sounds like from that scenario, you have. And so that is going to be enough to trigger whether you are a data broker. You have a lot of brands that are going to need to think. What practices or edge cases exist for us, or what can we modify if it's really important not to be a data broker?
**Jonathan:** Gotcha. So an example might be — here they are. They're buying big datasets. You're selling shampoo, and you wanna buy this audience across different channels and media players. But if you just went into, let's just say you're in Facebook or Google, and you just play with their little segmentation tools and you kinda map to somehow some shampoo bio-category — you might be okay within that walled garden.
**Alysa:** Exactly. So it's really about are you buying from a third party and selling to a third party. And that is different when you are not purchasing. And that is different with — are you purchasing data when you are asking another company who is not selling their data to you, but you are asking that company, can it communicate, for example, with its own audience? I think that's a scenario. Every one of these, you really have to break it down into each step of the data processing to think about where is there risk. And this is new. We have yet to see how California is going to interpret. I think history has shown they tend to interpret it fairly broadly when it's in the arc of protecting consumers.
**Jonathan:** Gotcha. And then so then, of course, some of the implications of that is companies that are just selling shampoo as an example. They're now telling their consumers we're a data broker. And consumers will need to understand what that means in this context.
**Alysa:** Right. And it also means that California's definition of a data broker further departs from what other states define who have data broker registries. And so you have a scenario where companies may be registered in California, but not in other states. Those other states may have questions. Why aren't you registered in my state? And so being really clear on why in one state, but not in others.
**Jonathan:** Wow. That's a huge change. Can I use another example which is on the other side of the spectrum? You're data rich. You have a massive first party data set. You have direct relationships with your consumers. And then you add an attribute that you bought from a third party traditional data broker. Here's my customer now. I know that she likes white turtlenecks. And I use that to advertise because I've got a huge supply of white turtlenecks. These are purchasers these folks wanna reach.
**Alysa:** I think it really goes into that last mile. So you're informing your audience, but what data or data points are you selling? Are you sharing? Are you further activating on? If you have informed your audience, but it's still an ID that maybe you had a cipher to it. Right? It's not my email. It's an ID that for good data security reasons, it's not gonna bleed my information out over the Internet. Well, if that data to activate isn't a disclosure of the third party data you purchased, I think you have the argument there that you have cut that off. But that is going to be one of those questions. And, look, we've talked about clean rooms a lot. There's a lot of different kinds of data processing that's happening in the clean room. I think you have a real big question on different types of activation scenarios based on data collaborations in the clean room, whether some of those practices might also trigger a sale and the data broker definition.
**Jonathan:** Gotcha. That's huge. I mean, not to oversimplify, but it sounds like if you have your first party data segment, you add this attribute, but it doesn't add new audiences. Just adds something else you knew about that person. You probably don't have to register. But if I said, no. Actually, give me some new people that are into white turtlenecks. I'm gonna buy that from a third party broker, and I target based on that on your channel — I could get caught.
**Alysa:** Yes. But I think even that append data — look, there's a lot of data being shared no longer via tags and pixels, but just via APIs. And if you're sharing the data, provenance matters. Right? If you're sharing that purchase data onward or you don't even know what you purchased from third parties originally and it's going into the co-op, think of the DoorDash scenario. So I think every marketing strategy has to be evaluated now under this new definition.
**Jonathan:** Wow. And let's face it. Right? If you're doing this for California, the reality is it's kind of a US law. Right? It's so massive, such a big part of companies and their audiences.
**Alysa:** Well, Alisa, thanks. What's the next step on that? Like, what should we look out for? Well, if history is a guide, California usually likes to do enforcement suites, and we saw that towards the end of last year. There's no reason to think that they won't continue to do that and wanna make an impression. They raced to get this new definition effective immediately, which I think is some signal that they want to be able to get going and enforce that as soon as they can. It will obviously tee up the questions of just the expedited nature of what they did, the retroactive application of the definition to prior acts. Those are good legal questions, but I think most companies don't wanna be in a position where they have to make these legal defenses. They'd rather not be a target at all.
**Jonathan:** Well, Lisa, thanks as always. You caught this one pretty early, and now it looks like a pretty huge issue.
