**Jonathan:** Hey, Alysa.
**Alysa:** Hey.
**Jonathan:** Hey. So we're here at the IAB Privacy Compliance Salon. Great content. Right? Gone into the nuance. Wasn't too high level. I was talking to the C with these conferences. Loved it. My pen ran out of ink, actually.
**Alysa:** Ah.
**Jonathan:** Yeah. I got a whole book of stuff to talk to you about. But we're gonna keep it to five things. So firstly, your session on health data, just the complexities that companies are navigating on this. Right? How you define it? I mean, just tell us a bit about what you guys found.
**Alysa:** Yeah. So we try to really focus on the questions that we are hearing all the time. And maybe it was unfair because some of these questions don't have a clear answer. But starting with just what is health data? You know, that is easier to say in concept, a little harder, obviously, to apply in context. And so we really try to break that down, talk about particular use cases, and maybe the theme of that was ask a whole lot of questions. The use case matters. Context matters. And then we talked about scalability because if you're putting so much human time assessing, how can you do that for just at, you know, at scale? And I think there was some really practical points that were relayed in — you have a playbook. You see patterns. Don't let perfect be the enemy of the good, but you really just start creating your program around that. And, obviously, you're gonna iterate.
**Jonathan:** I think there were some other really good takeaways.
**Alysa:** Gating questions. Are we in HIPAA land? Are we not? There was a lot of we called it, buzzword bingo. You know, you hear privacy safe, de-identified, tokenized, hashed, anonymous, not PII, all these things. And we all maybe mean something different with what we're saying. And so maybe the first question is really probe. What do you mean by that? So that you can at least make sure that your understanding of the facts of just the data flow is the same as the person on the other side who's trying to explain it to you so you can do the risk assessment.
**Jonathan:** Seeing that a ton. Like, so for example, now we don't have to worry about that because the data is anonymized. What does anonymization mean to you? Are you collecting IP addresses? Yeah. Yeah. Well, actually, you know, this broadening of the net that gets captured by this. Like, you know, we used to think of it as, alright, those HIPAA regulated entities and then the non-HIPAA but still health adjacent, and then actually also consumer goods, and then actually publishers. Like, what if someone's reading an article about mental health? Are they caught up in this? Reading about vitamins? Like, how do you figure this out?
**Alysa:** Well, so I always kinda start with follow the money. And it's been really interesting to put together. On the one hand, you've got pharma and health care and even retail media. I'll say lower case h for health and wellness because the lens just got so big. And part of it is the way that we think about how we take care of ourselves. You know, health care can certainly be go to the doctor, but it can be your fitness routine. It could be the nutrition, the meals that you're eating, and how you're tracking that. It can be wellness, dietary supplements, and the money. If you look at revenue projections on retail media in this space, it's billions and billions and billions of dollars. And what I thought was really interesting in the panel was the disconnect between the privacy legal side — that's business is not as usual. You know, we're not the people of no, but we're trying to certainly do it not in a flagrantly violating way. There's a way to do it thoughtfully, and yet you have on the pure business side, let's just say, trust is really important. But when you peel that back, what does that even mean on the business side? And there is — we're not yet speaking the same language.
**Jonathan:** I thought that was interesting too. Hundred billion dollars in retail media network revenue. We know search dollars are flowing to it like crazy. So businesses are gonna chase it. And while they're chasing it, they're saying the consumer's at the center of this thing. And these are businesses that are not media companies. They're merchandising companies. The consumer is important. Now they're gonna see ads on that website, you know, out of context, a little bit non-endemic. And are they talking to their privacy lawyers about this? It felt like maybe they weren't quite just yet, but they should be.
**Alysa:** In a strategy way. Yeah. The difference between privacy as compliance at the end versus privacy as strategy in building these new platforms and how you're going to do business. Those are — you have a whole different set of tools depending on where you come in. Like I said in your session, it's a whole new way of what you're doing. Yes. Right? You gotta understand data flows. You gotta understand the business strategy and technical strategy so that you can advise on — let me help you do the thing that you want to do. Right. Like, I want to enable you. I need to know the facts. I'm not here to send you a contract.
**Jonathan:** No. No. Good lawyer. It's not bad saying that, but it's like, how do we get there? There's a way to get there. Yeah. That's I love that. And this — lawyers as a business partner. Right? That's what I think you've always wanted. Thirdly, clean rooms. Talk about buzzword bingo. Alright. So what are they supposed to do? Purpose limitation, data minimization?
**Alysa:** Yeah. Of course. I think we finally got to this point where people understand what clean rooms are and what they're not. And one of the quotes I really loved in that session was when one of the panelists said, the obligation to make sure that data is consented and permissioned is on the brand. Don't assume that it magically gets fixed in a clean room. No. There's not a magic eraser that makes it all okay. They offer tools. They offer privacy enhancing technologies. They offer different ways to do data collaborations or analytics, but it's tools. And they could happen anywhere with any kind of data collaboration. So it matters what you are doing in the clean room, what data you're bringing in, and the rules associated with that data, and then what are the outputs of the clean room. You don't — there's not a shortcut to get around looking at the data flows.
**Jonathan:** Yep. And the obligation is for you.
**Alysa:** And the obligation is for you. Yeah. The participants, either side. Yeah. I love that piece of it.
**Jonathan:** Fourthly, you talked about digital ad flows and the complexity of managing privacy. Jeez. I mean, they showed a couple of flash shots, and I thought they were awesome. That could have been a half day session.
**Alysa:** It absolutely could. Maybe I'll just flag one thing. IAB Tech Lab's taxonomy on personal data, and how do you flag it to the engineers? Because I thought that was a really good point. We're talking ad tech. We're talking privacy. But how do you build to make sure that you're talking about the right teams to support the ad tech privacy compliance overlay?
**Jonathan:** Mhmm. Large discussion around GPC on that point. It has seemed like businesses are taking this conservative approach on it where — I didn't hear anybody say, well, one person said it — I didn't hear anybody else say that hey, we're just snapping to GPC and the two states that require it. They're kinda saying the FTC — the way we interpret the FTC looking at this is consumer made a choice. And if they made that choice, we're gonna apply that nationally as a brand that's looking to do right by the consumer. Also, way less complicated. Right. It's way less complicated, and they started naming some of the complexities. Like, I know it's my customer. They're logged in. If they go on a trip to New York, I can't stop offering them the same privacy that I offered them when they were in California. Yeah. And so when you add in just real use cases that you can absolutely anticipate, the benefits of that start not looking so good compared to the risk that you're taking on if you take a very narrow interpretation of how you extend those rights.
**Alysa:** Yeah, so people felt like they're finally getting the message that there's — on the UDAAP laws, right, on the deceptive conduct. And alright. Because the consumer made a choice. Let me think about it through that lens rather than, you know, how can I be super precise about this? Right. Right.
**Jonathan:** So lastly, you heard from Esta Chavez at the Texas AG's office. She was great. What did she say?
**Alysa:** Texans are feeling ornery about privacy. We asked them. She, I think she said they had something like five hundred complaints. Don't mess with Texas.
**Jonathan:** Don't mess with Texas. Like, more than half of those were noncompliant. Twelve percent were opt outs. So, I mean, going back to opt outs, deletion access, she thinks that's only gonna increase. And she said she's staffed up? Like, her team — staffed up. Her team has a lot of lawyers, and they now have a lot more tools that the Texas legislature gave them, and they're looking to enforce it. And so that was really — I think there was one line she said was, like, get your documents ready. When you get these letters, you need to be able to show the homework. Show how you've addressed the compliance. So a movement has begun among state AGs. Alright. Where the federal law is gonna happen, she said we're gonna focus on interoperability with other state laws. Other state AGs. People love that.
**Alysa:** Right. And I love this line. We wanna maximize utility of privacy rights for Texans. That was straight up from the legislature intent. The other thing that I thought she said was really practical and very helpful is — we hear so much angst about vendor diligence and assessments. And she reminded — look at the data security settlements, because there's tons of breach settlements. And it used to be, like, just hire a third party auditor. It was very general. But now, when you look at those settlements, they're very prescriptive — don't just do audits. Don't just do diligence. What are you doing the assessment on? What about during the onboarding? What about during the period of engagement? Are you doing any monitoring? What about if you made the risk assessment that we don't need to put controls on that vendor? Did you evaluate consumer harm in the context of that? So you're really being able to talk through the process, the foreseeable harm. How did you address it with whatever the practices that, you know, a vendor may have caused some damage?
**Jonathan:** Thanks for reminding me of that, actually. That was great because it reminded me of something you've been talking about for ages, which is about — it's not just the contracts, it's controls. And what she said — Michael asked her about diligence. She said, sure. You know, when you onboard a vendor, do your assessments, make sure they're good, make sure the contract's right. And then she said, make sure the vendors are doing what they're supposed to be doing. That came up in an earlier session, especially when there's an imbalance between a company as a data controller and a vendor as a processor, that controller is much bigger in revenue. There's an expectation that they kinda know what their vendors are doing. So then she said, if you haven't done it, then get ready to tell me why. Get ready to tell me why. And what about if you did the assessment and it came known that you have a vendor that is not doing anything that they promised in the contracts or where they started? She's looking to see what did you do in response to that. And so you didn't ratify it.
**Alysa:** Yeah. So yeah. She gave us a lot to think about. She's great. Well, thanks, Alysa. This was great.
**Jonathan:** It was awesome. It was good to kinda see you on stage today as well. Thank you. Thank you.