Third party disclosures

In this episode of the PrivacyHuddle, Jonathan and Alysa talk third party disclosures.

Summary

July 1, 2024 is a significant compliance milestone: three state privacy laws go into effect on the same day. Florida's law takes effect with a broad consent requirement for sensitive personal information, which could have trickle-down effects on the platforms subject to it and, through them, on those platforms' users. Texas's law also takes effect. Oregon's law introduces a disclosure obligation not seen before in US privacy law: companies must notify consumers of their right to request a list of the specific third parties to whom their personal information was sold, and must produce that list on request. The obligation covers third parties under Oregon's broad definition of selling, not service providers or processors, and the open question is how many degrees downstream it extends. A trade secret exemption exists, but a company relying on it must be able to justify it for each entity left off the list. California's annual deadline for posting privacy rights metrics also falls in July: companies holding data on more than ten million California residents must publicly disclose the volumes of opt-out, deletion, and access requests they handled in the prior calendar year. Because each company posts its own metrics in its own privacy policy, there is no central source for them. Opt-out rates remain a closely watched industry indicator but are hard to measure accurately: an early IAB survey put them under five percent, and Alysa's current estimate is still under ten percent. Global Privacy Control (GPC) signals add complexity because an anonymous browser signal arriving from different browsers or devices cannot be attributed to one individual without identity resolution, which creates a tension between honoring the signal as received and persisting it as a unique opt-out, since persisting it requires identifying the person. Vermont's privacy bill, which included a private right of action compromise with a three-month cure period and a 100,000-resident threshold, passed the house but was vetoed, and the veto could not be overridden.
Alysa's read on the private right of action: privacy compliance is still in a crawl-walk phase in which companies are building the underlying data governance infrastructure, and resources diverted to defending plaintiff-side suits and demand letters are resources not going into the programs regulators ultimately want to see. The closing discussion covers the shift from "notice and choice" to proportionality-based data minimization: from putting a disclosure in a privacy policy to justifying why each collection decision is compatible with consumer expectations and proportionate to its purpose, which turns collection into a risk assessment rather than an all-you-can-eat buffet of data. AI pulls in the opposite direction, since the technology rewards collecting everything and determining the purpose later; Apple's syncing of health data across devices is cited as an example of collection that precedes any clearly articulated use case. The California Privacy Protection Agency has already signaled that personal information used to train AI models does not automatically escape obligations when a consumer exercises deletion or opt-out rights, so there is no free ticket for AI use of personal information.
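The GPC measurement problem described above, as an added example that is not part of the episode or of any Ketch product code: a small Python request handler that honors the signal, plus a metrics counter that shows how the opt-out count changes depending on whether the site can resolve devices to a person. The only fact taken from outside the page is the GPC specification's request header, `Sec-GPC: 1`; the device ids, the device-to-person mapping and the sample requests are constructed for this example.

```python
"""Honor the Global Privacy Control (GPC) signal and show why opt-out
metrics depend on identity resolution.

Per the GPC specification, a browser with the control enabled sends the
request header ``Sec-GPC: 1``. Everything else here (device ids, the
device-to-person mapping, the sample requests) is constructed for this
example.
"""
from typing import Callable, Iterable, Mapping, Optional, Set, Tuple


def gpc_opt_out(headers: Mapping[str, str]) -> bool:
    """Return True only when the request carries a valid GPC opt-out.

    The spec defines a single valid value, "1"; header names are matched
    case-insensitively because proxies and frameworks may rewrite casing.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


class OptOutMetrics:
    """Counts opt-outs the way an annual privacy-rights metrics page needs them.

    Without an identity resolver, every device that sends GPC is a separate
    opt-out, so one person on three devices inflates the count. With a
    resolver (device id -> person id) the same signals collapse to one.
    """

    def __init__(self, resolver: Optional[Callable[[str], Optional[str]]] = None):
        self.resolver = resolver
        self.visitors: Set[str] = set()
        self.opt_outs: Set[str] = set()

    def _subject_key(self, device_id: str) -> str:
        # Resolve to a person where we can; otherwise fall back to the
        # anonymous device, which is all an unauthenticated signal gives us.
        if self.resolver is not None:
            person = self.resolver(device_id)
            if person is not None:
                return "person:" + person
        return "device:" + device_id

    def record(self, device_id: str, headers: Mapping[str, str]) -> bool:
        """Record one request; return whether it must be treated as an opt-out.

        The signal is honored for this request regardless of whether it can
        be attributed to a known person; attribution only affects the count.
        """
        key = self._subject_key(device_id)
        self.visitors.add(key)
        if gpc_opt_out(headers):
            self.opt_outs.add(key)
            return True
        return False

    def opt_out_rate(self) -> float:
        if not self.visitors:
            return 0.0
        return len(self.opt_outs) / len(self.visitors)


# Constructed sample traffic: one person (alice) on three devices, one person
# (bob) on one device without the signal, and one unresolved anonymous device
# sending an invalid value.
SAMPLE_REQUESTS: Tuple[Tuple[str, Mapping[str, str]], ...] = (
    ("dev-a1", {"Sec-GPC": "1"}),         # alice, laptop
    ("dev-a2", {"sec-gpc": "1"}),         # alice, phone (lower-case header)
    ("dev-a3", {"Sec-GPC": "1"}),         # alice, tablet
    ("dev-b1", {"Accept": "text/html"}),  # bob, no signal
    ("dev-x9", {"Sec-GPC": "0"}),         # anonymous, invalid value, ignored
)

# Hypothetical identity-resolution table (device id -> account holder).
KNOWN_DEVICES = {"dev-a1": "alice", "dev-a2": "alice", "dev-a3": "alice", "dev-b1": "bob"}


def count_opt_outs(requests: Iterable[Tuple[str, Mapping[str, str]]],
                   resolver: Optional[Callable[[str], Optional[str]]] = None) -> OptOutMetrics:
    """Run a batch of requests through the counter and return it."""
    metrics = OptOutMetrics(resolver)
    for device_id, headers in requests:
        metrics.record(device_id, headers)
    return metrics


if __name__ == "__main__":
    anon = count_opt_outs(SAMPLE_REQUESTS)
    resolved = count_opt_outs(SAMPLE_REQUESTS, KNOWN_DEVICES.get)
    print(f"no identity resolution:   {len(anon.opt_outs)} opt-outs / {len(anon.visitors)} visitors")
    print(f"with identity resolution: {len(resolved.opt_outs)} opt-outs / {len(resolved.visitors)} visitors")
```

The same five requests yield three opt-outs out of five visitors when every device is treated as anonymous, and one opt-out out of three when the three devices are resolved to one person. That is the trade-off the episode describes: a site that only recognizes the signal gets an inflated, unattributable count, while a site that wants a unique count has to identify the person behind each browser.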

Transcript

**Jonathan:** July first is a pretty big date coming up. A lot of things happening on that one day, and then also from what? Are we bummed about that? Are we not bummed about it? You know, we're gonna get your perspective.

**Alysa:** Sure. Well, you know, I feel like we're in different mile markers in our very long sprint marathon, sprint marathon kinda continue go, but no stopping point really in the vicinity. So July first is a big date, big day for a few reasons. So we've got Florida that becomes effective, and I know some companies think, oh, I'm not within Florida's scope. But Florida has a consent requirement for sensitive personal information that is pretty broad. And there could also be trickle-down effects by the platforms that are subject to it and how those restrictions then play out in terms of users of those platforms. So I think that that's a notable one. We've got Texas that becomes effective. And then we have — Vermont, sorry. Not Vermont. We're gonna get to Vermont. Oregon, I was thinking green. Oregon becomes effective. And Oregon has a unique requirement where you both have to notify about the right of consumers to ask about the specific third parties that you were selling personal information to, either about that person or just more broadly, but that list of specific third parties. And that's not one we've seen before. And so that becomes effective July first, and it'll be interesting to see — a, how many consumers make that request, and then how companies are interpreting that and the kinds of lists that they're providing. There's a trade secret exemption, but you'd have to actually support the trade secret exemption for those entities that you might not list. So I think that that is an interesting thing to be mindful about.

And then on the deadlines, California — of course, the law is already effective — but if you are a large company, essentially, with over ten million California residents' data, you have to post your updated CSR metrics — your privacy rights metrics in terms of how you've handled them for the prior calendar year. So that's always interesting, you know, if we have these benchmarks comparing year to year. What do those numbers look like for the large enterprise clients? I think a lot of folks are certainly gonna be monitoring for that.

**Jonathan:** Yeah. That's interesting. How on the Oregon thing — so it's not a disclosure; you don't have to disclose it. You only disclose the parties you're working with or sending data to if somebody asks. Did I get that right?

**Alysa:** You have to disclose that there is a right. Right? So that's in your privacy policy for Oregon residents. And then when an Oregon resident makes the request, then you have to disclose it in response to that particular request. You know, I — we've already seen media members make requests in the past under different state privacy rights. So I anticipate we might see some of that and then maybe some media coverage. So we shall see.

**Jonathan:** How deep do you go? Like, is it the first line of vendors, or what about when they've shared data on? You know, like, on a typical website, right, it's — there's ushers and there's collectors.

**Alysa:** Exactly — that is the key question of, like, how do you interpret that? How many degrees? It doesn't involve processors, so not your service providers. It's really those third parties that you're selling data to, using that very broad interpretation. So we'll see. I mean, I think a lot — how many degrees downstream? Yep. That's a big question. I think there'll certainly be some comparisons among how different companies are treating that.

**Jonathan:** Wow. Let me make it Oregon.

Now the California thing — one of the things I've been trying to know but haven't been able to find is how many people are opting out. Like, what percentage of the population is opting out? Is that even a good measure of that?

**Alysa:** Why — and so these disclosures are just in your own privacy policy for that company. Right? There's no central database. On the metrics, there's no — that I'm aware of, there's no one central source. Somebody would have to do that. Right? They'd have to look at who are the companies that are most likely to be hitting that threshold of the ten million, and then canvass and take those metrics and post them in one unified place. So I haven't seen that. It doesn't mean that it's not gonna happen. I can anticipate that we might see at least some coverage on that front. So it'll be interesting.

**Jonathan:** I agree with you. There is such an interest from the business community in what is the opt-out rate. How big is it? Early on, IAB had done a survey, and it was less than five percent at that time, but there's more awareness. So I think — one, has that percentage gone up? Two, how are companies accounting for Global Privacy Control within their opt-out metrics, and is that reflected? So I think it'll be interesting even if it's not a perfect number. Like, has it gone up? Just, you know, as a bottom line.

**Alysa:** Yeah. That five percent was before we even started. Right.

**Jonathan:** Yeah. Yeah. You don't know. If you took your guess, would you say fifteen, twenty?

**Alysa:** No. No. I think it's still under ten percent.

**Jonathan:** K. Good to know. Good to know. Yeah. And then to your point, you're measuring the unmeasurable. People have opted out already coming in. You're not gonna know. Or you could take the GPC signals; maybe you could see those.

**Alysa:** Well, I mean, that's the thing. If you're GPC and you're anonymous, we just have to recognize that signal.

But the question is, how do you associate and persist it for a particular person so that it's considered a unique opt-out, as opposed to somebody coming on different browsers, different devices? You don't know that it's that same person if you just recognize it as anonymous. And that's — it's a question. Right? Do you identify who the person is to persist that throughout the environment? I'm not seeing too many companies doing that.

**Jonathan:** Gotcha. You think the regulators would care about this number? As an indicator, it may be a power of health and they're gonna make money.

**Alysa:** Well, who's to say they don't? Right? Like, I — I think we were early on in the past years, but it'll be interesting to see what the coverage is of the metrics that they see.

**Jonathan:** Gotcha. Thanks, Alysa. Well, July first looks pretty interesting. I don't know how that crept up on us like that. Tripped up on me. I'm sure you're all over it. So for one, actually, it was kinda fun watching that play out over the last, I guess, couple months. And I thought the private right of action — like, everybody knew that, hey. Look. This is maybe some kind of poison pill. It wasn't gonna happen with that. But then, you know, when they reached that compromise and it had a three-month cure, it had a threshold of a hundred thousand Vermonters. I thought that was, like, a pretty cool compromise. And then even though it passed the house, there was a veto, obviously, and then couldn't override the veto. What do you think of that? I mean, do you think there was an APP piece that said this is a step back from privacy?

**Alysa:** I know there's opposition to private rights of action — good reasons not to have it. Like, what do you — what do you think about the whole settlement team? So I — I mean, I come at it from a very realist perspective in that we're still in such a crawl, walk phase where companies are just building the infrastructure.

And as each state has something slightly different on how to interpret their law, that takes time and it takes resources. And so I think companies are moving. Nobody that I work with is just saying, I'm not gonna address these new legal requirements. But unlike, I think, data security, which can be very specific and we've got certain standards that you have to meet, there's so much with privacy that is good judgment, and calibrating and really weighing. And I think if you throw a private right of action in the mix early on, there's just a lot of diverting resources to then defend suits. And I get that there's the business threshold in terms of small businesses, but what we see from other kinds of consumer privacy rights of action is it doesn't mean that the plaintiff's bar doesn't file those suits. And you might have the defense that, no, I'm not a business of the size that triggers this, but you're still paying legal fees to defend. You get those demand letters, and they're asking for money to settle, and you're still spending money to defend that. And I would just say in this crawl-walk phase — and I have a bias — but in this crawl-walk phase, I would rather those companies put the resources into building their programs, and that maybe start with here are the requirements. And then, you know, you can always amend legislation. A year or two years later, take a sense of where companies are. So it's not — you're not stopped from doing that. That is my perspective.

**Jonathan:** Yeah. That's cool. It's not an on-off switch or yes, no. Actually, it's a timing thing. We're super early in the maturity of privacy law and all that. And having that additional burden — I guess, of the plaintiff's bar and all that stuff while you're trying to figure stuff out — just, I get it. This just feels like a little too much. I mean, they had a two-year kinda trial period for it, but still, you'd rather start in two years than start now while we're figuring it out. Right?

Because it's still budget planning. I mean, you think about so much for privacy is data governance, and that infrastructure is not something you do in a quarter. Right? That is budget planning. That is a whole host of different vendors. It just realistically takes a lot of time to get that right.

**Alysa:** And so there's — yes. We would love to snap our fingers and have companies have the most beautiful, thoughtful privacy programs. And I definitely appreciate the argument that, well, enforcement is the only way to really light the fire and make companies move faster, and there may be some truth to that. However, like, that money has to come from somewhere. And I just know how much of the resources — people power and technical power — are being put into trying to stand this up in the first instance. I worry that if that money is going instead to pay off attorneys —

**Jonathan:** Yeah. Gotcha. When you think about the advertising ecosystem, the whole ad tech environment, that's a supertanker that needs to turn around on this stuff, that isn't gonna happen. Like, there's so many issues around, again, your resolution and flowing consent downstream, but just — I don't know if the industry is there, ready to —

**Alysa:** They're not. Right? I mean, we're having technical specifications that took time to develop. Now they have to be adopted. It takes time to both adopt and implement them. Again, you can't snap your fingers. Like, it is moving. Everybody wants it to move faster. I get that.

**Jonathan:** Yeah. Well, thanks, Alysa. I always appreciate the kind of practical perspective, keeping it real for us. So what about the other pieces of it? I mean, data minimization, the whole — like, you know, notice and choice start to feel like dirty words. Like, although it's kinda — that's some twenty seventeen stuff. So the data minimization pieces I thought in the Vermont law were cool. Do you think the world's moving that way?

**Alysa:** Yes. Hands down. Yes.

Because before it was like, you put it in your privacy policy and you're good. And maybe if it was sensitive information, you get consent. I think that that was an old way of looking at it, and now you really have to justify. You have to justify that it is proportionate. It is compatible with what a consumer's expectations are. Meaning, you have to know why you're collecting the data and account for it. And so that's much more of a risk assessment. Like, that is — there's calibration involved as opposed to, like, the all-you-can-eat buffet of data. So I think that is a trend line that is moving in one direction.

**Jonathan:** Does that work in the context of AI or the AI coming and — kind of, I just, I mean, just this morning, I was on the iPad and Apple said, hey, your health data is gonna be synced now across your devices. I'm like, okay. So they got the health data. They got the wallet. I don't know if there's specific purposes aligned to that. It doesn't feel like it's a data minimization thing. Feels like it's let's collect all the data. We'll kinda figure out later what to do with all this. So, like, in the world of AI, it feels like, hey, you collect all the data, apply it to whatever you're trying to do in the model. I don't see how data minimization fits there — or am I thinking about it wrong?

**Alysa:** Well, I think there are a few different questions. One, we're early on AI, and so those are two different moving trains. And which one's moving faster versus, you know, against privacy? I don't know the answer to that. But I think it goes to what is the level of transparency and permissions around using data for AI? Do you need the personal information itself to power the AI, or is there a process in between powering AI? And maybe you do. Right? But then what is the use case, and what is the risk assessment on the use case? And then how do you anticipate and account for the foreseeable harms that could happen from using that AI?

And I think we should also be just pretty thoughtful that we've already heard from regulators like the California Privacy Protection Agency on, well, what happens now if somebody makes a deletion request and you've used that — like, you still have at least the thought that might be that you have obligations when they opt out of that. So there's no free ticket.

**Jonathan:** Gotcha. Well, thanks, Alysa. I appreciate it. We don't have any editors on this anymore, so we can go as long as we want. I'm just kidding. Appreciate the time as always. Good to see you.

**Alysa:** Good to see you.

