The SECURE Data Act, Demand Letters & the U.S. Privacy Summit

In the latest Privacy Huddle, Colleen Barry sits down with Alysa Hutnik, Partner at Kelley Drye, to cover three things on every privacy leader's radar right now: The SECURE Data Act; Demand letters; and The U.S. Privacy Summit.

Summary

A conversation between Ketch's Colleen Barry and attorney Alysa Hutnik covering three topics: the SECURE Data Act (unlikely to pass, but worth watching for elements around self-regulatory compliance auditing that may surface in state laws or business partner requirements); demand letters (consent banners help mitigate risk but won't stop them entirely; the real focus should be clean banner language, honoring opt-outs, and harmonizing CCPA and wiretap notices into one concise banner without the word "cookie"); and a save-the-date for Ketch's second annual US Privacy Summit on October 15th in San Francisco, free to attend.

Transcript

Hi, everybody. Welcome to the Privacy Huddle. I'm Colleen Barry from Ketch, and this is your weekly dose of real talk on privacy headlines. With me is, of course, the one and only Alysa Hutnik, partner at Kelley Drye, who has some of our favorite hot takes on these new headlines and issues. Alysa, how are you doing today?

Oh, just terrific. We are living the dream.

Always. Always. We have a few things on our radar today that we wanna walk through on today's episode of the Huddle. One, Alysa and I have not had a chance to catch up on the SECURE Data Act, the latest federal bill.

So we're gonna talk a little bit about her thoughts on that, practical advice to take away. Two, we wanna continue the discussion on this demand letter phenomenon, which is transitioning from less of a phenomenon and into more of just day-to-day privacy program management. So let's talk about the latest advice there. And then third, we wanna get into our just-announced October US Privacy Summit.

Let's not waste any time and dive right in. Alysa, I wanna start with talking about this SECURE Data Act, which is, of course, the latest federal bill on the table relative to consumer data privacy. Certainly not the first. It may not be the last.

What is your take on what business leaders, privacy program leaders should suss out from the noise of yet another bill? What's important for the brand of business out there?

So one, I wanna say fight the inclination to just ignore. Because I know most of us, we've got our plates are overfilled with so many other things. It's another federal privacy bill that you know in the back of your mind. Gosh.

It's not gonna go anywhere. Got look where we are on the calendar. Look what's happening, election year, whatnot. Here's the thing.

I think it's really important. It's less about is this bill gonna make it to the finish line and more about what are some of the elements in the bill that actually may have staying power whether we see it in a future iteration on the federal level or we start seeing some states adopt components of it. And that's really the part that I think is is maybe more important from a durable signal and preparation.

Got it. Okay. Are there specific things within that you think people should pay attention to?

Yes. Yes. So here's here's the where I think the noise will be. The noise will be that there's a huge carve out for targeted advertising because while it has rights about targeted advertising for pseudonymous data, you don't have to actually honor the rights with certain bells and whistles met.

Of course, that's gonna run right into a buzz saw. It already has received a ton of criticism around that. Yes. We get it. Okay? So that's one. We know it.

Put that to the side. There is a really interesting concept here that I think on the self regulatory compliance. Like, if you are certified, audited, the FTC would be managing it kind of like a COPPA safe harbor. So let's say a self regulatory program that is blessed as meeting one of these standards by the FTC that companies could audit third party auditor to that. And, essentially, that's a presumption of compliance. We've seen that in data security for quite some time.

Whether this makes it into the bill or not, I think businesses have been hungering for what is the short form that can tell my business partners, that can tell service providers and vice versa that you are compliant with certain components. And I really think that there is going to be more market demand and granularity around what can we be audited against and show that we're compliant. And if you put that up against California's risk assessment, you know, we have a lot more pressing testing pressure testing on compliance on privacy, and I just see a whole lot more in that direction.

So whether it ultimately makes it into a bill or you get a plus factor, whether from insurance carriers, whether from business partners, I think the time is coming not too far from now where we're gonna be auditing on privacy standards. Maybe not the whole program yet, certain component parts, maybe it's your digital advertising, maybe it's your consumer rights. Maybe it's your risk assessments. I think that is coming sooner than a lot of businesses today are prepared for.

And so that's that's one thing I would just really keep my eye on.

That's interesting. So things like the risk assessments bit in Cal privacy from Cal privacy and then the bit in the SECURE Data Act are sort of good forcing functions to force privacy leaders to kind of report up what they're doing in a more business-friendly format?

Yes. In real. Like, you actually have to do the homework as opposed to the Band Aid window dressing that, you know, I I always get this image of, like, my closet when I've shoved everything into it and closed it and saying, my room is clean. Don't look at my closet.

And I kinda feel, like, with the privacy programs, it's just there's a lot going on, and we are overworked, and we don't have enough resources. And so there's many aspects of privacy programs now that perhaps if you put a big bright light on, there may be some opportunity to improve. And I think this is a challenge for a lot of privacy professionals because at the same time, businesses, in some ways, are taking resources away. They need to make the case why no.

No.

If now more than ever, we really need to put our best foot forward on some of these things and have a sophisticated program. And I just the those lines are intersecting very soon where we're gonna have to do more than the fig leaf.

Yeah. Yeah. You know, speaking of the new CCPA amendments and Cal privacy, are you seeing that happen in reality?

Yes. Yes.

Oh, yes. So here's how I see it. AI. Everybody wants to be training their models, and they want the flexibility to say whatever I need to say in my privacy policy so I can use any kind of data I want in my ML and make it whatever I want.

Obviously, that's not the the easy answer there. But the very minimum is how do you start if you think you might trigger the automated decision making components of the rule? What is the transparency that you're already just starting to plant the seeds in? And I'm seeing that start to pop up in a number of privacy policies.

So I think that's really a twenty twenty six because you have to have the notice before you you put the right into place in twenty twenty seven. But, absolutely, thinking ahead, the risk assessments, really thinking about holistically.

Am I covering all the things that I need to for the risk assessments? So interesting times for sure.

Yeah. Got it. Okay. Great. So to wrap up on SECURE Data Act, no dates or timelines to take away yet, but just a couple things to keep it top of mind.

Is that fair to say?

Couple things to keep it top of mind for sure. I mean, I think you've got some schism between consent, for kids and teens, like, to the parents. The the it's a very I think on the Republican side, having the parents be responsible for consent for under sixteen versus the the teen themselves. We'll see if that makes its way into some of the state privacy laws.

I could see that potentially in some of the red states. So something to see. But, yes, I don't think it's getting over the finish line. I think the elements are what we need to focus on and where that might pop up elsewhere.

Got it. Okay. Great. Let's move on to this other topic du jour, which is, of course, the continued demand letter onslaught to every brand in the business in the US.

I need your help, Alysa, debunking this issue that keeps coming up for Ketch. Right? Because many brands and businesses come to Ketch because they wanna shore up their website data collection. They're getting the demand letters.

They know their privacy posture is not quite right. And so they come to Ketch, and then they implement our consent management and banners. And then they say, I implemented you guys. I'm still getting demand letters.

So can you help me debunk this as to why that might still be happening? It's not necessarily related to, you know, you implemented a consent banner magic button. You're not gonna get demand letters anymore. What what would you say to those folks?

Right. Well, this is big business right now for the wiretap plaintiffs' bar. Essentially, it's an attack on the Internet and any kind of digital advertising, and case law is all over the place. So, yes, the demand letters are gonna continue to be issued, and the lawsuits are continued to be filed, and mass arbitrations are continued to be compiled.

But what is maybe the constant threat in a lot of these filings and demand letters is they're super sloppy. You know, the allegations concern a whole bunch of things. And what ideally, you're doing is you're mitigating your risk. You're not having a language in a banner that is not helpful or a choice architecture in the banner that is not helpful.

Those drive settlement figures up. The back end, configuration of your tags, what does that look like? That's another area. Right?

If you somebody actually exercised a choice and you're not honoring it, that's another element that drives the monetary value of these demand letters up. You know, short of you're gonna scrub and remove all ad tech from your site. I don't see any businesses doing that. Are you going to move to a full opt in?

Nothing's firing until you get an opt in. Quite honestly, we don't see a whole lot of businesses going there. So, really, you're in risk mitigation land and wanting to make sure that you have cleaned up all of the unforced errors that can make very pricey, cases. And we've had a lot of luck, honestly, with EA making, a number of these matters go away where the facts clearly are not what the plaintiff's firm alleged, as well as just, like, negotiating the number to to cost a business.

It's a down it's a down number. And then I have some businesses that they are sick and tired, and they're gonna litigate or they're gonna arbitrate. So we we've got that camp as well. But I don't think we're in a place where these go away entirely.

Yeah. Well, and I think your point too stands. Because it's just such a cash grab, they are getting sloppy about the allegations. So you may have a reasonable defense. It's just that the letter is scary because it's alleging a lot of things.

But if you have a good setup from consent management, from tracker and tag management, you may have a credible thing to go back to.

Exactly. Exactly. It strengthens your argument.

Yeah. Exactly. The other question that comes up too, I think, as folks think about, okay. How do I prepare my website for this and put the appropriate notice in place so that I have that better kind of risk mitigation?

It it feels almost conflicting or tricky to manage with the existing notices people have in place for CCPA, for example, that CCPA has mandated.

So how how should businesses think about, you know, okay. Obviously, cookie banners aren't required in the US, but they may be using it to display notice for these US state privacy laws. Now I have to put some kind of notice in place for **** related reasons. Am I showing multiple notices to the consumer? Like, how do I reconcile these for for my for my visitor?

So the keyword you just said was reconcile. We don't wanna have a whole bunch of different notices.

Here's things you will hear from me. The cookie is dead. Stop using the word cookie. Okay?

Like, that's one way you can reconcile. The cookie is, like, crumbled and it's done and, like, put that word aside because it's such a subcomponent of state privacy law. Like, they're focusing on sale and share. And, certainly, the wiretap is tracking technologies.

That's the buzzword, tracking technologies. And we're not in EU, so no cookie. Just use the word tracking technologies. And then and then have the language that does no harm to your state privacy position while also supporting your wiretap defense.

You can do both. Less words. If you have a big old paragraph, you're not doing it right. There is a way to be nice and concise, not mention the word cookie, and meet both of those obligations.

Can you tell I have a I have a bit of a pet peeve here?

Alysa, your passion tells me that you talk about this every single day.

I can tell you. Just a bit. And then the choice. Like, make sure like, are you do you even wanna provide a choice here, or is it by continuing to browse?

Right? They have their state privacy controls on the footer of the site. That's a good reminder. Is my do my state settings on that footer?

Are they working? Are they prominent? All those things. But I think the question is you have to reconcile, you have to harmonize, and you have to look at it from a consumer journey.

That's what the regulators are doing. But, honestly, that's what many of the plaintiffs' bar is doing too. So think about it holistically. It's not more than one banner.

It's one banner. Just get it right.

I love it. Man, to me, cookie is dead. I just love it. And can I tell you, as a marketing leader at Ketch, this is, like, such a day-to-day challenge for us because we are shouting from the rooftops that Ketch is more than a cookie banner? But then from a marketing standpoint, like SEO, search terms on the web, everybody calls it a cookie banner, so we're calling it a cookie banner too.

It's the silly a one woman show to, like, kill the cookie. Not technology. Just the word.

Right. I love it. I absolutely love it. Great. Alright. Well, that's good practical advice. We're gonna keep watching that issue, of course, as time goes on, and we'll see about these demand letters.

We're just about out of time. Last thing I wanna, of course, touch on is that in the last week, we finally announced our save the date for the second annual US Privacy Summit in San Francisco. So, so many of you joined us. I think we had at least one fifty, two hundred folks in Convene San Francisco last October, and we received such resounding feedback about the program and the speakers and the community that we decided to do it again.

So folks, save the date, October fifteenth. We are bringing the privacy community back together in San Francisco at the same venue, Convene. Alysa, I'm so excited that we had such positive feedback that we get to do it again. How are you feeling about it?

Oh, I'm so excited. You know what I love the most is that it was the anticonference.

Every single panel was so substantive to the minute. It got real real fast. It wasn't a repeat of all the other conferences. It was not the fluff.

Like, you walked away having just really good content, but then it it was all those hallway conversations. It was the cocktail. It was the lunch. Obviously, it was so nice.

It was such a nice experience, but I think that community just it was it was so good. That was my favorite event of the whole year. I'm really looking forward to it.

Me too, folks. So please save the date. We are gonna be able to make this free to attendees again. So, truly, all you have to do is get yourself there, October fifteenth in San Francisco, and we will be teasing out speakers, sessions, and more to come over the next few months from the Ketch LinkedIn handle. So just follow us there, you'll see all the announcements leading up. That's it, and that's a wrap for today's Privacy Huddle. Alysa, thank you as always for joining me.

Good to see you. Bye.
