What the Latest Enforcement Actions Signal

In this week’s Privacy Huddle, Alysa Hutnik, from Kelley Drye, joins Colleen Barry to break down what the latest settlements from Texas and California are signaling for privacy teams.

Summary

Recent enforcement settlements from Texas and California confirm what privacy leaders have been anticipating: regulators are actively enforcing opt-out compliance and scrutinizing the full consumer experience — from banner language and choice architecture to whether opt-out signals like GPC are actually honored on the back end. State AGs are treating sophisticated ad-tech use as an aggravating factor, reasoning that if a company can monetize data at scale, it should match that with equally mature compliance infrastructure.

CalPrivacy and the California AG are dividing their focus: CalPrivacy is prioritizing end-to-end enforcement (including data brokers under the Delete Act), while the AG leans into consent and opt-out compliance across brands. The practical takeaway is to pressure-test your setup from the outside — do your banner language, tag configuration, and opt-out honoring hold up under the standards these enforcement actions describe? Companies should also watch New Jersey as an emerging enforcement state, with its AG office actively engaging the privacy community ahead of potential action. On the litigation front, wiretap/CIPA and VPPA demand letters continue, but execution matters: banner solutions for wiretap defense must not undermine state privacy compliance. Consent banners should serve both obligations simultaneously. Finally, high turnover in privacy teams is creating institutional knowledge gaps that contribute to compliance risk — documenting strategy and procedures is more important than ever.

Transcript

Colleen

Good morning, Alysa. How are you today?

Alysa

Great. Good morning.

Colleen

Always a pleasure to be back for another virtual edition of the Privacy Huddle. I'm in a great mood this morning because spring is coming to Chicago. How about you? How's things going? Yes.

Alysa

We are seeing, like, just the start of the cherry blossoms, so I think by the end of this month, they're gonna be there.

Colleen

To that in a minute because I'm, like, so excited this year that the IAPP summit's gonna coincide with the cherry blossoms because it usually doesn't. It hasn't. Yes.

I know. So exciting. I wanna talk a little bit about IAPP, but let's start, of course, with this recent enforcement activity because as everybody predicted, as you've been telling us, as we've heard at our October privacy summit and at privacy state of the union in DC, it's coming, and it's here. And so we have a number of recent settlements from Texas, from CalPrivacy, from the California attorney general. Alysa, what should privacy leaders be taking away from these recent settlements and applying to their own programs?

Alysa

So when I look at the recent Texas one, it is really focused on opt out compliance, honoring the opt out. The CalPrivacy one very much along those lines, the consumer experience, the quality of the consent process, is the banner language clear? Things like the x on the banner, the choice architecture, any sort of barriers in the experience, and then are you actually honoring the choices on the back end? So think about GPC.

And so I think what I would say for business leaders, our take from this recent enforcement activity is use these as an opportunity internally as a pressure test. There probably have been some changes since you've done a review. There may be some new tech on your website, some new implementation, and treat these recent enforcements as an opportunity for a sprint review, potentially including some external pressure testing from the outside.

Do they comply the way that these enforcement examples are saying you need to comply?

Colleen

Yeah. So in a way, nothing too new, but just make sure you're going through all the right paces relative to the opt out experience.

Alysa

Yeah. Which sounds simple, but opt out compliance, like, to actually do it the right way, it can be pretty difficult and challenging, particularly depending on your tech stack and your teams and all the different, did you take the approach of your one business, but you've got multiple brands? Do you have distinct businesses? So, like, your data flows and really getting a sense of, like, how do these enforcements apply given my particular place in the market?

Colleen

Yeah. And certainly some of the recent ones, it's been interesting because I think since, even the Honda enforcement early last year, we've been seeing a lot about the consumer experience on-site, the experience that a consumer has on the website or in the app when they're trying to exercise their privacy choices. But with some of these new settlements, there's a clear signal that the regulators are also focused on the back end. So it's not just the consumer consent experience and the look and feel and the clarity. It's also are you honoring?

If the consumer exercises a choice, you need to do it on the back end. Can you just talk a little bit about the significance of that? Because that's another layer, right?

Alysa

For sure. And that's really been a building block in the enforcement because, again, the Honda one was about the front end, the user experience, the interaction, and then we go to the back end to what is happening once you collect information and you exercise the choice to opt out that you honor that.

Colleen

Yeah. And that tie, I think, to the what tech are you using for advertising and however sophisticated that is, well, you probably should be able to do that for privacy reasons too. I think that's really interesting that the regulators are connecting those dots because, as we all know, marketing teams are flying fast when it comes to connecting the dots to make sure we're advertising and personalizing. And so the idea of if you're sophisticated there, you should be sophisticated on privacy. I don't know that every brand is thinking in that way, that those things should be par, right, on par.

Alysa

No. But that it's an aggravating factor in the way that the state AGs are looking at that because they look at it as you're monetizing data, but you didn't build up the compliance infrastructure to really match your monetization of the data. Whether you think that's accurate or not, that is how they look at it. So it really goes to, well, what does the compliance side look like, and do we have appropriate resources towards that?

Colleen

Yeah.

Now, of course, we continue to see California be one of the most active states.

What are you noticing in terms of the differences between what CPPA, CalPrivacy, is focused on enforcing versus what the California attorney general is focused on?

Alysa

Well, there the overlap is still the opt out point we saw in dark patterns user experience.

CalPrivacy is also very much focused on data brokers under Tom Kemp's leadership, and they've got the Delete Act and the DROP regs coming. So I think we're gonna see more and more data broker enforcement, but that's not to the exclusion of opt out. I would say we're gonna see more Honda, Todd Snyder, just some of those the Ford, like, those are the examples. I think the way that CalPrivacy has really prioritized different from California AG, where they are really looking at a beginning to an end, end to end.

How does the consumer experience your data practices?

Colleen

Yeah.

Alysa

And in terms of like, is the banner a pop up kind of covering up the right? Are there dark patterns? Is it clear? And that's where I think they kind of stand apart from some of the other state AGs because they're really looking at, as a consumer, how am I experiencing this?

And for a California AG, I think they're looking at similar things and probably a little bit more of the, are you sharing data with third parties? That type of consumer protection. So I would put some differences there.

Colleen

Yeah. Interesting. And I think the other thing too that's interesting to think about as we go into the spring conference season is to think about this kind of alongside the concern with all the class action? Right? The CIPA, VPPA, wire stuff. I mean, these are obviously two realms that are both focused on front end data collection and privacy practices, but they're also different. And so how should brand leaders juggle these two things?

Alysa

Well, one, never let an opportunity go by.

So if the CIPA is driving some urgency because you have a demand or a lawsuit, and so that helps with resources or attention by the business to make some changes, I would leverage that.

But when you're thinking about executing, what's my solution to mitigate my CIPA risk or my VPPA risk with a banner? Don't do it to the detriment of your state privacy compliance. And so the execution really, really matters. That goes to the language you're using in your banner.

It goes to the choice presented. If there's a choice presented in the banner, it goes to what is that banner covering up? What is that banner interfering if somebody is trying to exercise their opt out? There's a lot of scenarios in which businesses in an effort to deal with the wiretap issue create other issues.

So the execution really, really matters. And I think what smart business leaders are doing is they're saying, oh, my wiretap solution is an opportunity. Let me address both. And so that's a really good mindset to go into that because there are some things that have been deployed that are not helpful to consumers and to the regulator perspective.

Colleen

It's so true. And I know, like, that this point was such a theme at our DC event last month. So many folks were on their journey to really figuring out how to reconcile the consent banner experience for visitors to do both, and it's not easy.

And I think that's one of the areas there are a few practical areas I take away from these discussions where there's a real practical thing you can do and take away and start to chip away at. One is the tag configuration. You know, checking on how do your tags fire? Because that's an objective test that you can take, and Ketch has a tag health check you can take from Ketch so you can just do a quick look at are these things synced to your consumers' choices, which may be a quick gut check for you on the health of your collection practices.

Alysa

One wait. Maybe I'll just add just a closer to that point. We have seen so much movement by in-house counsel.

And so privacy teams, privacy professionals, privacy compliance, privacy engineers, there is mobility. And then what is the institutional knowledge? Where do things leave? We haven't seen a whole bunch on the procedures, the checklist, the memorializing of here's our strategy, here's what we're doing here. And so you've just got a lot of new people need to learn the facts on the ground, and some of that delay can contribute to some of these risk issues.

Colleen

I mean, it changes so quickly. I can't blame teams for not being able to keep tabs on what their marketing teams are doing or putting on-site. Very tricky. Yeah.

Alright. Well, thanks for the great advice on that topic, Alysa. Let's switch gears back to those cherry blossoms. Of course, we have to talk about IAPP coming at the end of this month, Global Privacy Summit in DC.

Kelley Drye and Ketch teams will be there on the ground. And I am so excited for this March thirtieth, the Monday night of the conference, dinner that we're putting together in the beautiful new Kelley Drye space featuring a fireside chat with Kashif Chan from the New York or sorry, New Jersey, attorney general office. Alysa, tell us about why you wanted to spotlight him and the state of New Jersey.

Alysa

Well, one thing we hear about clients when they become a target of investigation is usually like, I had I didn't know. I didn't know the state was having this was interpreting the law this way. How come we're getting singled out? How come they didn't put guidance in advance?

And I think New Jersey is just one I wanna put on the map. They you haven't heard headlines from New Jersey, but this AG office has been really engaged with privacy community. They've been at the conferences. They have been sending some signals of where they are focused, and so this is a great opportunity to hear from an AG office that is on the precipice. And Kashif is going to certainly let businesses know, hey. Here's what we're looking at, and that's you know, he's a deputy AG with a specialization in privacy and tech enforcement.

So New Jersey is one to kind of watch and follow, and I think it's a great proactive opportunity. Any time you can hear from a regulator who's not suing you, that's always a great opportunity to figure out, hey, where are you going so I can adjust my program and best practices.

Colleen

I love it. Outside of our event, I know you and I have been digging into the main IAPP agenda as well. You know, there's some other sessions and other things happening that you feel like folks should keep their eye on as they attend the conference.

Alysa

Well, if there's a privacy conference or men or several, usually you hear the regulators drop an announcement. So I think, one, I'm looking for that, but also looking as soon as those become public, yes, we get the headline and the number, look at the practices and then compare the practices to your practices.

But we have there's the IAB, law and policy. We're gonna see some other states talk, Virginia. We're gonna see some Virginia AG office representation there. So that's a state we just haven't heard a whole lot from. That's really interesting. So I would both focus on the enforcement headlines as well as just what are some of these statements that the AG participants are making and take that back to the business and risk assessment.

Colleen

I love it. Well, folks, hopefully, we'll get to see many of you on the road this month. At least speaking for the Ketch team, we have a crazy busy March. We'll be next few weeks at the Consero chief privacy officer summit, IAPP Global Privacy Summit, of course, the IAB public policy summit in DC that week as well. So should be a fun March. Alysa, thank you so much for joining us as always.

Alysa

Good to see you.
