Colleen
Alright folks, welcome to another episode of the Privacy Huddle. What a pleasure, Matt, Max, thank you for joining me for this fun episode. What a fun day we had yesterday here in the Kelley Drye office. Hosted a one-day seminar to kick off the year with our friends at Kelley Drye. It was a pleasure. Got together with a number of privacy professionals to hear from regulators, hear from brand leaders about all the issues that are top of mind as we come into the year. And so we thought, why not take advantage of this time in person? And that's why we're bringing you together today with Matt Dumiak from Compliance Point and thought we'd sit down and chop it up on issues that are top of mind as we roll into 2026. So, Matt, I'm sure many of our viewers know who you are, but give us a little intro about yourself and Compliance Point.
Matt
Yeah. Thanks, Colleen. Hi, everyone. We'll try to look at the camera as well as at each other to keep it conversational. Try not to use too many hand movements here. We're new at this.
Max
Yeah. Exactly. I'm kinda new at this.
Matt
But my name is Matt Dumiak. I oversee the privacy practice at Compliance Point. We're a consulting firm, partner of Ketch. And, yeah, really enjoyed the State of the Union yesterday. A lot of great information. Glad we made it in the storm and excited to be talking to you all today. Thank you. Appreciate it.
Colleen
And, Max, I'm sure many folks know who you are, but for those who don't.
Max
My name is Max Anderson. I'm one of the cofounders and head of product at Ketch.
Colleen
Matt, I'd love to start with you. Beginning of 2026, one of the things that many US brand leaders, I think, are thinking about are from a state law perspective, what are the nuances or top of mind considerations for this year? And I'd love to hear from you and what you're working on with customers. What's top of mind or what are you thinking about that, you know, we hear a lot about commonalities across the state laws, but, of course, there's outliers or interesting things to watch out for. What's top of mind for you right now?
Matt
Yeah. Yeah. Good question, Colleen. So, of course, it's only natural to wanna crosswalk the patchwork of state laws. There's nineteen in effect now. It's very common to look at the one that's most active being California and saying, hey. We're gonna base our program off of that. I think what we're focused on with clients is primarily looking at their program and saying, okay. That's a good fit. But there are some nuances that are starting to pop up in these different states with their privacy laws where even when we heard yesterday from John from Delaware where he said, as an example, when I look at a privacy policy and you say that Delaware or don't even mention Delaware residents may have these specific rights, no. We do have those rights. I wanna see that Delaware is called out. I don't need a separate Delaware privacy policy, but it should be mentioned and be clear and transparent to consumers in my state that they have this right under this privacy law as an example. So that's where we're seeing some nuances pop up where the state regulators will have or agencies will have an opinion about how that's approached. Certainly from a disclosure perspective, but then also as we were kind of prepping for this, we talked about some nuances in Minnesota with their data inventory obligation. I think some of or the majority of state privacy laws would probably indicate that you need to have an inventory even to simply comply with their privacy law and would expect that you operate from one. Minnesota and others are starting to outline specifically that an organization needs to have a personal information inventory that they operate from. They don't provide a lot of information around similar somewhat different, actually, from GDPR where they say, hey. You have to operate from a record of processing, and these are the components it needs to have. They're just saying you need to have a these state laws are outlined in that. You need to have a personal information inventory, as an example. So I think that's an early focus from us is those are those nuances?
Colleen
Max, were you gonna I'm just it just feels like you're saying data mapping is back.
Max
Yeah. Data mapping is back. Yep. We're getting a lot of requests around that. You would be shocked at how many companies don't have it yet. Right? I think they started hot and heavy with those as a foundation back in 2018. Yeah. Kinda switched gears to probably some do not sell obligations that they had, which is still important, and we'll talk about that. But, you know, that's where a lot of our clients and where we're focused is that type of thing.
Matt
And then beyond that, which kind of adds on to the inventory obligation is some of these states have very specific obligations under access rights, including providing a list of actual third parties that the business sold personal information to. Like, the actual list. Not just the categories of, like, oh, ad tech providers and Yeah. You know, that type of thing. And as you all know, that third party definition is really critical under these state privacy laws. It's there are service providers. There's contractors. There's processors. Like, all these different things. So cutting through that and understanding that is really critical and I think a nuance that could be a gotcha for companies where an easy thing that the regulator looks at and goes, oh, nope. You didn't include that. Right?
Colleen
Interesting. And are you seeing people approach that by starting with the list of cookies and mapping those to vendors, or are you seeing that from the data inventory? What's been the best practice for you so far?
Matt
Yeah. Good question. So to your point, the third parties are when we think about that in the US, that traditionally has is viewed as any type of targeted advertising, certain tracking technologies. There is a strategy there to go through those contracts and go through what any type of technology on the website is doing and put some in a service provider bucket. So it's not to say carte blanche, like anything on the website, that needs that's a third party automatically, and that needs to automatically be included in these types of access requests. But, yeah, that is certainly a start is having a comprehensive inventory of what's on the website, looking through your CMP to do that, and, you know, saying, okay. But then let's go through this in that capacity. But then also as an individual goes through the website ecosystem, as they go through the website, as you all know, different things fire at different times. So helping under you know, helping the client understand that and what information's actually getting sent Yeah. To those trackers is also an area where you're like, okay. We're digging into, like, not just contracts, but network traffic. Yep. And that type of thing. It's really a forensic exercise to figure that out.
Max
I'm curious. I've had a lot of customers ask me, you know, they wanna put that list in the we call them experiences. But in the actual, you can think of it as the, you know, cookie banner or the modal or whatever. I'm from Oklahoma. We say there's no kill like overkill. I'm curious, though. Is that an overkill situation, or do you expect people to take that stance that it's not just in the nature or in the process of an access request, but it's actually something that they wanna put more prominently either in the privacy policy or in some of these disclosures?
Matt
Yeah. I think that there's two trains of thought there. And I think that that is an approach that organizations will and have taken is saying, okay. We're gonna actually and that might reduce some of the level of effort they have as well in terms of trying to make and compile that type of request per consumer Yeah. Is saying we're gonna attempt to take an approach of publicly putting this out there in a privacy notice or within a preference center, whatever it might be to say, here is this information. You have access to it. You can access it in real time and this location. Absolutely. Where they would proactively put that information out there and rather than compile it per consumer request.
Max
Interesting. Yeah. You know, the organization yeah. Exactly. I mean, sometimes customers ask for things and you do them, but, you know, maybe it's not gonna practice. Yeah. Yeah. Exactly. Exactly. Yeah. Interesting. Yeah.
Colleen
What are you seeing this request manifest in customer conversations from a tech expectations standpoint?
Max
Oh, yeah. That hit big Q4 last year. Yeah. And it was less I mean, certainly, people have been doing this in access requests for a little while with us, but the thing that changed for us last year in deals was I wanna make sure that it's accessible even without an access request, which I thought was strange and didn't necessarily understand it, but it also just seems kinda it just seems kinda cool, honestly. Like, it seems like a natural extension of a privacy experience. It's just more robust. It seems rational. So Yeah. Yeah. Of course, we, you know, we went and did it, but I wasn't exactly sure how many people would bite at the end. So it's good to hear that it's not just the, you know, ten or fifteen that got excited in Q4.
Matt
Yeah. Exactly. When you try to handle some of those things ad hoc, they can quickly become a fire drill and overwhelming. So I think that's the approach there for some businesses to say, we're just gonna put it out there proactively. And, you know, even during the State of the Union yesterday, even Michael Macko talked about that, that, you know, we're kind of on the cutting edge of these regulations and these laws and how and Alisa talked about it with the community and how it is. Like, some of it's just putting your head together, brainstorming. Does this work? Does it not? What are regulators thinking? What feedback are they giving? That type of thing too. I mean, I find that working sessions are really helpful. Yeah. And you're just going through and trying to problem solve and make sure you're doing right by your customers and the people who are visiting the website but also, you know, balancing the business aspects of it. But it's so new, really, in reality when you look at the timeline of what we've had to from a compliance perspective, what organizations are focused on and what they've had to solve for. So even the regulators, I think, are trying to figure it out too No. No. At times. Right? Continue to hear the same thing from Macko and other regulators which is do the best you can, be transparent about what you're doing Yep. Be proactive about your communication in the course of an investigation. It's just, yeah, continues to be similar. Yeah.
Colleen
I'd love to come back to the website data collection bit because I think that was another theme we heard throughout the course of yesterday at the Privacy State of the Union. Of course instigated by these wiretapping lawsuits and demand letters but just a general, I think, desire and requirement now for privacy professionals to have a better comprehensive handle on data collection practices on the website. Matt, what gotchas or what are you recommending when you're talking with customers for what common areas they're overlooking when it comes to website data collection?
Matt
Yeah. And it's an expectation at this point. I think that, you know, I know we've asked about or had there's been conversations, and even Macko commented yesterday about, oh, a safe harbor, or do we have time once the DROP Act goes into effect and, you know, those types of things to get our feet under us and figure it out. And that time is coming past at this point, frankly. And they are our expectations about, at this point, having the technical wherewithal to dig into those types of collection practices, but, also, there's data minimization obligations in terms of what are you collecting, for what purpose. Some of that even is home really getting into, well, what's on the website, and are we receiving value from that, that type of thing. I think, you know, we talked about it more at the federal level yesterday, but chatbots and that type of thing are gonna be really a priority for the regulators. What use? What benefit are you getting out of those? Why are they on the website? What tracking technology, frankly, are they placing and collecting? What information are you sending back to those? All of that is gonna be it's just more of an expectation that you have to know now. Yeah. Exactly. And making it a priority for your organization rather than, hey. We'll table that and really focus on, you know, some other revenue generated opportunity. Right? Certainly speaking from the marketer standpoint, if you're a privacy professional and you think, oh, my organization is not using a chatbot, I'm telling you, every marketer is thinking about how do we do the chatbot on the website. Absolutely. AI-enabled for sure. Yeah. Yeah. Yeah. It's a requirement now. Yeah. So no doubt.
Matt
And one thing as well, we didn't really talk about it, but on the website, the data collection, what we're seeing and, you know, you saw it in the Sling enforcement, and they talked about it a lot yesterday. And what we're focused on with clients, and I know you all are too, is it is shutting off cookies and trackers that is sufficient if that's the only way in which an organization is selling, but often cases is not. Also, understanding that they're the identity of the individual Yeah. And really tracking that through. Maybe it's because I'm reading the Steve Jobs or listening to the Steve Jobs autobiography now, but he talks a lot about seamless integration from, like, software to hardware and what, you know, how important it is for the consumer experience and that product. But that's what came to mind when I was hearing the regulators talk yesterday and when I've, you know, looked at your product and solution. Like, it's gotta be seamless. Like, you can't have someone opt out on this and then have to go over here and opt out when they're logged in, like that type of thing. You know, I don't know if you'd add any color there. But, like, that's a real focus is, like, let's finish this thought in stream, right, for clients.
Max
I think I mean, yes, of course. And I've been waiting for this for seven years. Maybe we are finally experiencing the moment where the cookie banner as a kind of commoditized class of software dies. Right. Because the problem is so much harder than that. And it doesn't work at most companies simply because if you built a commoditized widget that scans cookies and maybe blocks them modestly sufficiently, the do not sell seamless integration, who's behind the screen, I've got data tied to email addresses and account IDs, but I've also got the TikTok pixel on the website and I did it through a form or I did it through a switch. And all that nonsense gets really complicated if you just built a cookie banner. So, yes. Yeah. Point. I think there's a future state way of thinking about that. And I just think some most businesses aren't there yet, but I'm glad we're talking about it. And I think it's something that needs more attention and needs more thought in this It does. I had a fun conversation with a customer who's in the process of leaving their current provider. And one of the things I thought was really salient that she said was, you know, when we bought, you know, company x back in whatever year Yeah. The privacy team can manage it because it was just a cookie banner, we did the thing, and, you know, we could manage it. But now the obligations and the enforcement suggest this is a much harder, deeper problem. And frankly, the product teams need to own this. Yeah. The privacy team just can't do that anymore. And so in the same way, it's if you treat it like a first class citizen, but, of course, you're gonna have more tech involvement, and it's gonna be a much richer, deeper experience. And then, you know, by virtue of that, the seamless experience actually Yeah. Becomes a little bit more feasible. So I thought that was an interesting tell, and I think we'll see more of that this year.
Colleen
Well, gentlemen, thanks for this conversation. Matt, appreciate you being a guest and joining us on this Thanks having me.
Matt
Thanks for having me.
Colleen
What's on the docket for Compliance Point this spring? Anything you want folks to be aware of?
Matt
Yeah. Sure. So we have our customer conference in Orlando this spring, which is really what we're excited about right now. It's Compliance Point Exchange. I hope to see you all there. I believe you're gonna be there. Absolutely. Yeah. We have a lot of clients coming, a lot of law firm partners that we work with. And, again, that's in mid March in Orlando. So if anybody needs any information about it, please reach out. I'm happy to share the link to register.
Colleen
Awesome. Thanks, Matt. We'll post links in the comments, folks, for everything we talked about, and thank you both for joining me. Appreciate Thanks, Colleen.
Matt
Thanks, Colleen.