Must-dos for modern opt-out compliance

Opt-out compliance is under intense scrutiny—and getting it wrong comes with real risks.

Summary

Opt-out compliance remains the single highest-risk area for privacy programs: it is the issue most consistently flagged across regulatory investigations, demand letters, and wiretapping litigation. Seven recurring gaps explain why companies continue to fail here despite good intentions.

The first is knowing your data flows. Every pathway through which personal information is sold, shared, or used for targeted advertising must be mapped, not just web cookies but API usage, clean room collaborations, and other channels. The second is tooling: a CMP banner configured only to manage cookies addresses a narrow slice of the actual obligation. The third is configuration drift: digital environments change constantly, and consent implementations fall out of alignment with new tags, promotions, and site updates that no one informed the privacy team about. The fourth is monitoring: assign a named owner, a specific checklist, and a regular cadence to verify that implementations are working, so that the company finds the gaps before regulators do.

The remaining three considerations address the human and organizational dimensions of compliance. Dark patterns remain a live enforcement priority; regulators scrutinize the click depth needed to reach the privacy-protective choice, the visual prominence of buttons, and font contrast. Training should be role-specific and practical rather than general privacy awareness: the person responsible for CMP configuration needs to know exactly what to look for and how to document it. Scope is often miscalibrated. CCPA's coverage extends to job applicants on public-facing career sites, which typically carry analytics tags without opt-out compliance, and a growing number of states are shifting from entity-level to activity-level GLBA exemptions, meaning ad tech activity at financial services companies may no longer be exempt in states like Connecticut.

The cross-functional dimension runs through every item. Marketing teams add tags to sites without notifying privacy counsel; turnover in marketing resets hard-won relationships; and new promotions introduce pop-ups that interfere with CMP behavior. Privacy professionals need proactive, maintained relationships with marketing and digital teams as a structural discipline, not a one-time effort. Companies that invest in monitoring and can document that a genuine, active program existed, even if errors are found, benefit significantly from prosecutorial discretion. The difference between a large settlement and a manageable outcome often comes down to whether the company can show it was doing something real about the problem.
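As an added illustration of the configuration and monitoring points above (example code written for this page, not Ketch's product code and not from the episode), the following Node.js script models a tag manager in which some tags are gated by the CMP's opt-out state and one is not, then runs the kind of check a monitoring cadence would: fire the page under an opt-out state, record the outbound requests, and flag any that still reach hosts the data-flow map classifies as sale/share. The tag ids, hosts, consent keys and the "data-flow map" are all constructed for the example.

```javascript
// Added example for this page, not Ketch's product code and not from the episode:
// a tiny model of a tag manager whose tags should be gated by the CMP opt-out
// state, plus the check a monitoring cadence would run against it.

// Constructed consent states as a CMP might expose them. OPT_OUT_STATE is a user
// who opted out of sale/share and targeted ads but left analytics on.
const OPT_OUT_STATE = { sale_share: false, targeted_ads: false, analytics: true };
const ALL_ALLOWED_STATE = { sale_share: true, targeted_ads: true, analytics: true };

// Constructed tag inventory. `purpose` is the consent purpose the tag depends on;
// `gated` records whether the tag was wired to the CMP check. The ungated tag
// models a promotion pixel dropped on the site without telling the privacy team.
const TAG_INVENTORY = [
  { id: "analytics-core", host: "analytics.example", purpose: "analytics", gated: true },
  { id: "ad-pixel", host: "ads.example", purpose: "targeted_ads", gated: true },
  { id: "retargeting-promo", host: "retarget.example", purpose: "sale_share", gated: false },
];

// Hosts that the (constructed) data-flow map says receive data only for
// sale/share or targeted-advertising purposes, so they must stay silent after opt-out.
const SALE_SHARE_HOSTS = new Set(["ads.example", "retarget.example"]);

// Fire every tag the way a tag manager would. `consent` is undefined when a tag
// runs before the CMP has loaded (the timing problem); a gated tag treats that
// unknown state as "not allowed" instead of defaulting to fire.
function fireTags(inventory, consent, send) {
  for (const tag of inventory) {
    const allowed = consent !== undefined && consent[tag.purpose] === true;
    if (tag.gated && !allowed) continue;     // gated tag honours the opt-out
    send({ tag: tag.id, host: tag.host });   // ungated tags fire regardless
  }
}

// Record the outbound requests a page load would produce under a given consent state.
function observeRequests(inventory, consent) {
  const seen = [];
  fireTags(inventory, consent, (req) => seen.push(req));
  return seen;
}

// Monitoring check: under the opt-out state, which requests still reach
// sale/share hosts? Anything returned here is a drifted or ungated tag.
function auditOptOut(inventory, consent, saleShareHosts) {
  return observeRequests(inventory, consent)
    .filter((req) => saleShareHosts.has(req.host))
    .map((req) => `${req.tag} -> ${req.host}`);
}

console.log("after opt-out:", auditOptOut(TAG_INVENTORY, OPT_OUT_STATE, SALE_SHARE_HOSTS));
console.log("before CMP loaded:", auditOptOut(TAG_INVENTORY, undefined, SALE_SHARE_HOSTS));
```

Running it with `node` prints the single drifted tag in both cases. The second call, with an undefined consent state, models a tag that fires before the CMP has loaded; a gated tag that defaulted to "allow" in that window would show up there too. A real monitoring checklist captures live network traffic rather than a constructed inventory, but the comparison is the same: observed destinations under opt-out against the destinations the data-flow map says must be silent.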

Transcript

**Colleen** Alysa, how are you doing today?

**Alysa** Hi. Good. Happy summer.

**Colleen** Yes. It's a summer of travel for me. Hopefully, the spring conference season is gonna be over soon. It's just taking a long time. How's your schedule these days?

**Alysa** I'm just laughing at that because there's always privacy conferences. I'm, you know, just getting every kind of ping and already planning all the ones in the fall. So, never a dull moment.

**Colleen** Well, speaking of never a dull moment, I would love to focus today on an article that you have coming out soon, which is on the seven considerations for opt-out compliance. Always a moving target, certainly a lot different than it looked one year ago, even six months ago. Can you take us through some of what you're advising brands and businesses on today in terms of modern considerations for opt-out compliance?

**Alysa** Yeah. Sure. There's so many privacy compliance obligations, and we've talked about opt-out a lot. I harp on it because that is the biggest risk when it comes to privacy from a regulator, from a litigation perspective, certainly with all the wiretap suits. So none of this is being perfect, but if you wanna feel highly confident on one area, it's opt-out compliance. As we look at the litigation, the demand letters we're seeing, and the AG, the CPPA investigations, there's some pretty common themes. And I thought, let's just put it all in one place, what those common themes were. So one, it sounds easier than it is, but knowing your data flows when it comes to all of your marketing and analytics practices, that's more than just your web experience. You know, what are all the types of data that you sell and share, use for targeted advertising, and what are those different pathways? You have API usage. You have data collaborations through clean rooms. There's just a variety of touch points, and I think sometimes it's ad hoc and having governance around all of that to be able to say efficiently, here are my flows. Why that becomes important is now you with Dfinity. You can look at each one and saying, are all the ways that I'm accounting for my opt-out measurements in place? And we're finding that it's just not always the case, or you're missing some of the contracts, which we saw in some of the CPPA enforcement examples. So that's one. Number two, leveraging the right tools. We're so quick to, like, throw up the banner and say, alright, I've got a CMP, and I am fine. I'm also interested in your perspective. Just having a contract with a CMP and having a banner, you're just scratching the surface if you don't know, one, do you have it set up the right way? Is it actually accounting for what you need when it comes to opt-out? And two, the focus on the cookies, right, as opposed to that entire sale/share experience, which is not limited to just your web and cookies and SDKs for your app. So I think it's the think broader and making sure your solution, whatever it is, accounts for that full picture. And we see that comes up short in many cases.

**Colleen** There's so many places to get stuck there. Easy to think that putting a banner up is the end of the story, and you're collecting the data. First of all, if it's not configured properly and connected to your tag manager, it's not gonna stop those tags from firing. You're just not gonna be respecting consumer preferences. So already, there's hiccups in the consent collection. But then, of course, there's the actual consent usage and what we talk about at Ketch with consent orchestration and actually sending it not only to your internal systems, but to all those third-party apps and set platforms that your marketing team uses. The myopic focus on cookie scanning comes up all the time. Our head of product, Max Anderson, loves to harp on this. Right? Cookies don't collect data. They're storage vehicles, and the data collection and activity is actually happening in the network flows and traffic on your website, which is precisely why we recently launched our product Ketch data entry to do more comprehensive and granular monitoring of all those network traffic flows. Because if you're just looking at cookie scans, you're not gonna get the full picture.

**Alysa** No. It's so true. And I also think, like, who is looking at those scans? Right? Who is knowledgeable enough to know, is there a gap here? What are we missing? Is anybody looking at them? I think that's always interesting. Our third point was configurations. We touched on this kind of a little bit in the last one, but things are not static. Digital environments are constantly updated. And if you're relying on, let's just say, one aspect and yet you wanna comply, and do you have control? Do you have governance over that last mile when it comes to permissions? We just often see it's not all in sync timing-wise. Right? To your point, like, the tags are still firing after you've opted out because you've set up the timing on your permissions and when things are checking incorrectly, or you have new tags that are added that are not part of your tag manager and not configured with your CMP. So the configurations on that front and making sure you've got the right testing to be able to verify that you've got that set up and that you're... this is my next point, monitoring. Having some cadence where you have somebody that's part of their role and responsibility who are checking. Maybe it's quarterly. Whatever the cadence is, you have somebody and they've got a particular checklist that they are looking for that are your top items to make sure that everything is working as you intended, notwithstanding site refreshes, new promotions that add pop-ups that mess with the CMP. Just all of those things tend to come up, and you don't need to be perfect here. But if you have a way to catch your errors before anyone else does, that's a good thing. And that area in particular, the configurations and the monitoring, like, privacy pros have to be in lockstep with your marketing team and your digital teams.

**Colleen** I'm a marketer. I can tell you in my past, before I worked at Ketch, there's a number of times I just threw a tag on the site because I wanted to know what my visitors were doing, and I wasn't in lockstep with the privacy or legal teams. And, like, you have to be in close collaboration to know what they're up to because they aren't thinking of privacy principles first. They're thinking about consumer experience first.

**Alysa** Right. Have a lot of empathy. Because if there is a group that often changes and there's a lot of turnover, it's marketing. And so you've worked to build up relationships and so they know to come to you, and then the head of marketing changes or whoever was your ally there changes. And so I think have a cup of coffee, have a beer, have a something, a virtual meet and greet periodically is a really important part of that. I'll hit the other ones pretty quickly. Dark patterns, everybody's talked about dark patterns, but yet when you see if you choose to have a banner or modal, really looking at the UX and not having the more privacy-protective experience take more clicks, be less prominent, be in non-contrasting font, whereas the other one is bigger. Those are all things that the regulators are looking at. So just keeping that consumer hat on when you look at the experience and making sure that's part of your checklist when you go through testing. Monitoring was a separate one I called out. And in the article, I just walked through what are things when you actually go to monitor that you're looking for. And I think being specific around that, because that way for consistency, if you get investigated to be able to show, you might have errors. But when you can show that you were doing this, there's a lot of prosecutorial discretion. And I think that counts for a whole lot to be able to show that your program wasn't just on paper, but you were really doing something about that. And then finally, last two points, training. And not training as in the here's-the-privacy-landscape familiarity 101 level, but training on roles and responsibilities. If somebody is accountable on CMP configuration, are they trained to know what they are looking for? How do you document that? What is the standard go-to deck that you are going to be leaning on if you're working with Ketch CMP? Like, what are the Ketch materials that you are using to incorporate into your training? Because part of it is learning how to use your dashboard, learning how to use the solution that you've invested in. And then scope. California has some unique ones there when it comes to scope. Right? So B2B, job applicants. I get that question a lot. A lot of the employee and the job applicants more so because those tend to have the ad and analytics tags on those publicly facing sites and not having the compliance, the opt-out side to that, and the AG's office has asked about that. So they are looking. That is something that I would make sure is compliant. The other one, which I think will be a surprise, is scoping on GLBA, so financial services. A lot of the states have entity-level exemptions, but now we have more states, a growing number, Connecticut, added to that list, where it's based on how you process the data. And most ad tech is outside any kind of direct GLBA coverage. And so there's a compliance obligation on that. I think some had geofenced it to California thinking it was just California. We have more states than California now. So just to make sure your scope is in line with your program.

**Colleen** That's seven, but there's a lot packed in there, Alysa. It feels like fifteen. It feels like a lot more. I don't know.

**Alysa** It is seven. We put more details in the article, but they are a top-seven list. I'd love to get to a top ten, but I figured I'm gonna stop at seven.

**Colleen** I think privacy professionals everywhere appreciate that you stop at seven.

**Alysa** That's the plan.

**Colleen** Well, folks, there you heard it. That's your cheat sheet. As soon as the article's out, we'll make sure to post it for you. But in the meantime, Alysa, thank you for giving us a preview. Helpful tips as always. Good to see you.
