**Jonathan:** Hey. I want you to talk about Oracle. That's pretty big news there. A hundred and fifteen million dollar settlement, getting out of the whole ad tech business. Blue Kai, which was, you know, third party data segments, DataLogix, which I think a big piece of it was data segments, but most of it — a lot of it was the grocery store loyalty cards. Just they're out of that completely. Wanna see what you thought about that. It was super interesting kinda reading through that where they talked about some of the creative ways that data was getting collected. One that caught my eye was the referral URL. The website they were coming from — that link had all this kinda juicy information in there, and they were picking that up somehow. And now, hey. This could have been billions if it went to court, and it's like it's not worth it.
**Alysa:** Well, it's really interesting for a whole lot of reasons. I think when they exited the business, we definitely were getting questions like, why do you think? What's the story behind that? And this is the answer to that story. They were facing quite a lot if they went through the whole litigation to its end. I wanna, like, maybe take a step back. You know, we talk about risk and who's enforcing, and we talk a lot about the California attorney general's office, CPPA, other state attorney generals, the FTC. If you look at the named plaintiffs in the Oracle suit, these are major privacy advocates. Johnny Ryan. I mean, these are just like people who are watching companies' practices and making a whole lot of complaints and looking for novel creative ways to get a hook in there. And the complaint — which I really encourage anybody who's in the business to just read the complaint because it is a narrative. It's really creative. Right? Like the whole premise is that to be a data broker is unlawful. Full stop. And that is just to be very clear — that's not the current state of today's law. But the legal hook in that complaint is a point that we have been talking about so often, but it's wiretapping. It was a CIPA claim. But the facts, the salacious facts — all the things you talked about — they threw in so many colorful details that adding it all together made for a pretty, you know, a damning set of facts that would not be great for the company, you know, to have that tested. And I think that there were enough in there that they had to really think as a business decision. Is this an area where our business really wants to grow? Right? They have other areas. They acquired Cerner. So I — I mean, I think it speaks more to, like, business decisions in terms of how you're gonna be in the space, but also creative — privacy advocates in terms of trying to find a hook. I think if they had not had the wiretapping hook, I imagine a decent amount of companies might have really pushed against it — is there a constitutional right to prevent companies from collecting data about you just by default? Right? Because we have rights to opt out. They had a lot of sensitive data, so that's a whole other story. But it's not as clear as to say that to be a data broker is unlawful, which is what I think a lot of the headlines were about.
**Jonathan:** Well, I mean, tell us about — I mean, you caught the wiretapping thing super early. So tell us about that. I was kinda surprised to see it in this as well. Like, what was the hook? Unpack it a little bit, if you wouldn't mind, Alysa. Like, how did they use wiretapping in this case?
**Alysa:** Sure. So just to kind of distill what we've been talking about, where companies are using different kinds of either ticks, pixels, or tags on page. Right? It's third party technology on the web that is firing and collecting information, but that's a third party in the middle. This is the plaintiff's theory — that I'm a consumer. I go to your site. There's this third party that is intercepting — that is essentially listening in on my communication. The communication being Internet engagement. That that is, I think, an open legal issue. The challenge for a lot of companies with resource considerations is that the law — we are in the early stages of where the courts are gonna settle out on that. We're still very much at the district court level. We don't have really clear appellate decisions that say, nope, that's not a real claim, or here's where you draw that line. And I think a lot of companies don't wanna roll the dice on how this district court — do I wanna fund this litigation straight through to exhaustion?
**Jonathan:** Gotcha. That's fascinating. And the image you painted of how you're sitting there on the Internet, you're engaging with some brand, and this third party tag or pixel is collecting this data on behalf of the brand maybe, but sometimes on behalf of someone else. That's the hook. That's awesome.
**Alysa:** That's the hook, but the Internet is public. I mean, that's the other — right? Like, do you have an expectation of privacy when you are on the Internet browsing a whole bunch of sites? And I think it's an open question because we talk about — well, is that different if it's sensitive related information that you're engaging with, and is there more responsibility by the publisher on that site? Like, these are open questions, but we have new privacy laws that have a viewpoint on exactly what you need to do. And I think the challenge with the wiretapping is — forget the viewpoint of privacy laws. It's binary. It's do you have consent or not?
**Jonathan:** Yeah. No. I'm with you. And this — it just comes back to this idea of what is a reasonable expectation of a consumer here? Like, if I'm on the Internet, do I expect technologies like the ones you're talking about to be doing their thing? If I'm on a social platform, do I expect that I'm the product, you know, because it's free. Look, these are, like, big questions that I think a lot of us got to the point where, like, yeah. Hey. Maybe that's where the Internet works. But it feels like also there's a little trend towards should it work that way.
**Alysa:** Well, in some ways, though, it's also like the toothpaste is out of the tube and you have entire economies built on that. And we don't have GDPR in the US. Right? We don't have a clear policy statement that says, here's how we're gonna square that. It's a lot of creative entrepreneurial, I think, attempts as well as individual patchwork state approaches, and it's messy.
**Jonathan:** I mean, this idea of picking up data from the referral URL — at some point that would have been creative genius. Like, there was someone in some room somewhere saying you said we should do that. Such a cool idea. And now that's twenty eighteen. Now, like, five years later, it's like, no.
**Alysa:** Right. Well, I think really quick — I think the takeaway there is we often hear clients ask — or the business clients ask the in-house clients — does a law say I can't do this? Where is the black letter law that says I cannot do this? And I think in consumer protection and privacy law, sometimes you have laws that say you can do X or you cannot do Y. But most of the time you are looking at what's around the corner and how is the policy going. How could it be applied, and really having to think about not what is today's set of restrictions, but how this might be interpreted. And there's a lot of good judgment that really guides responsible decision making.
**Jonathan:** Then does this mean generally that — I understand it's rhetoric and still kind of working through the courts — but the world is just moving to first party relationships with consumers and their data. Right? Like, is it fair to say that?
**Alysa:** Well, I think there's so much more value to it. I mean, the loss of signal has been something that we've talked about for a whole long time. Just even, right, Google's decision — yesterday's announcement that it's not gonna deprecate third party cookies. Details still a little sparse, but ultimately it will be a choice. I don't think that's a reason for marketers to, like, celebrate and give up all of their privacy plans because we're still gonna end up with less signal. Right? You're still gonna end up with — if consumers have one switch and it's really clear and really easy — you don't know how Google's gonna execute it, but we saw the impact of Apple's ATT. I think you're gonna end up with a lot less signal. And so the investment in the business strategy around those first party relationships, data collaborations where it's really clear to the user there's a value proposition — that is — we don't have scale with that right now, but that is the longer path that we are probably going to see outlast some of the turbulence that we're facing now.
**Jonathan:** Yeah. Gotcha. And so then if it's about first party relationships with consumers and it's about transparency and responsibility in collection, and then as you mentioned, the collaboration is the second party — basically exchanging first party data — and that's supposed to have a clear commission. There's a lot of investment in it, but we talked about this too. Like, know your lingo. Because we hear all of this, like, first party, second party, permission data, consented data. And you don't have to peel too much in there to realize — oh — not everybody does have the same interpretation of what that means or the same governance acumen, and how has that been applied to their practices related to the data that they're presenting?
**Jonathan:** And, Alysa, one of the things that we've been talking about lately is diligence and accountability. They're first class citizens in privacy. Right? But then as you and I talked about ages ago, that can be a contract. That's a review. That's an audit. But I feel like what also needs to become a first class citizen is technical control. And I just — I don't know how you do it without it. And so one of the things we've been fighting for at Ketch is how do you elevate that? This idea of privacy choices need to work through the system, need to be pushed downstream in a technical programmatic way rather than just relying on the contract. Look, we've talked a lot about it, but it's like — almost like you need, like, a SOC 2 style. Tell me exactly what I need to do with these controls. That I think would help a lot here.
**Alysa:** Right. I I think we get there. We need demand, and demand has to come from acknowledgment that that is in fact where we're at. And you kinda hear that with AI. Like, you can — yes. You want human level involvement, but how is that person gonna know whether there's bias based on just what they're seeing? Right? You need something more than that. And I think when it comes to privacy, you can't throw an army. Nobody has the resources to have an army to put against it. So once businesses realize — oh, that's not discretionary. Like, it's critical to my business survival and viability. Then I think you start seeing business people as opposed to just the legal side say, we need a better solution. But it's slow because this is all very much evolving real time. I mean, what more signal do you want than Oracle shutting down this whole business?
**Jonathan:** You know? Anyway, Alysa, thanks. I appreciate it. It's cool. I wasn't expecting this one to come. So, yeah, thanks a lot. Always an adventure. Yep. See you.
