Colleen
Hi, everyone. My name is Colleen Barry. I lead marketing at Ketch, and welcome to another episode of the Privacy Huddle. This is our weekly series where we talk about tips, news, trends, headlines, best practices, and many more things related to the data privacy industry. In today's episode, I'm joined by one of my regulars, one of my favorite guests, our cofounder and head of product at Ketch, Maxwell Anderson. Max, say hi to the audience.
Max
Hello, everyone.
Colleen
So Max is on today because I wanted to spend an episode talking about the demand letter phenomenon. It continues to be the number one request we have these days, whether it is customers, prospects, folks visiting ketch.com and asking us to help with their privacy program. It's just the number one topic of how are you dealing with this? How are you advising we deal with this? What tech can we have? So I have Max on so we can break this down a little bit and talk about just the latest and greatest for how teams are responding to this continued trend. Max, have you ever talked to a brand that has not received a demand letter?
Max
Not that anyone has, you know, admitted openly. There's a little bit of, I suppose, it's private. They're a little bit sheepish.
Colleen
You're right.
Max
They are sheepish when they first start to talk about it. Understandably so, but I think, you know, we've seen this at conferences.
Colleen
Right?
Max
Yes.
Colleen
Who's received a demand letter?
Max
Everyone's kinda like, they start slow. Who else is gonna admit with me?
Colleen
Yes.
Max
And then like inevitably seventy, eighty percent of the room is raising their hand. Yeah. Pretty widespread at this point. Happens constantly. And this is such an interesting topic for us at Ketch, I think, because people come to us asking for help in responding to these letters. But the reality is that while technology can, of course, be a big part of the posture and the risk mitigation and management of how you think about a response, that this first and foremost has to be a legal guidance and counsel kind of question when you get one.
Colleen
Yeah.
Max
I think that's certainly, as a software builder, important that everyone remembers: I'm a software builder, less a lawyer. It's hard because it does feel like while there are certainly technical solutions to the problem, it's very much a legal issue, maybe more so than complying with CCPA or some other privacy law, because the nature of the arguments being made are somewhat outside the bounds of the way that, you know, CIPA was originally contemplated or what it was meant to originally address. And so there's a lot of legal judo that seems to happen around this topic that is squarely outside the software vendor category. And at the same time, we have to show up and build tools that address the issue. Of course, we do that. But I think for everyone listening, if you're a privacy pro and this is happening to you, you definitely want outside counsel because there's gonna be a lot of things that happen which are just not specific.
Colleen
Yeah. Absolutely. And so, of course, this starts with that privacy counsel, outside counsel, whoever is your legal expert. And folks, we have past episodes speaking with a few experts on this topic, so please look at the archives. But with Max today, I'm hoping we can dig into privacy software you can have in place to just help be ready or prepared to bring some evidence or demonstrate what you have together when you get the letter. So, Max, take us through what you're seeing.
Max
Sure. Well, I think maybe even before the letter, the observation that we've made is the way that plaintiff's attorneys seem to be showing up and filing letters. People are making money on this, and it's not always the motivation of, you know, protecting privacy. It does seem like it's a money making vehicle. And for that reason, if you're a plaintiff's attorney, you're gonna target companies that make it really easy to settle. And so those tend to look like companies that have taken none of the steps that we'll talk about to at least manage their risk. I think a lot of customers that we speak to are just trying to stay in the top twenty five percent of companies so that the bottom seventy five, or whatever that percentage is, are the ones that are getting the letters, right? I think if you're a plaintiff's attorney and you're using this to make money, it's going to be more expensive and difficult to target a company that has more of these practices in place than it's gonna be to target a company who's just not as up to speed. Way on the right, there's obviously an option to just take an opt in consent approach in California. That's certainly an option. It's not one that's most favorable, but that is certainly one way that a company can go. That comes with a lot of business risk in the sense that you are, as a privacy person, trying to manage the obligations that you have under the law, but also still run your business on data. And so I know that a lot of people we speak to are caught in that tension, and so you're always trying to take a risk based approach and do what's right for the business while also maintaining compliance. Then, of course, there's the other radical side of the spectrum where you do literally nothing. Right? You comply with CCPA, and you're almost certainly gonna be in that bottom twenty five percent of companies because that's ripe picking for a plaintiff's attorney to send you a demand letter targeting CIPA.
The middle ground is more interesting. So all the way to the left, I mean all you're doing is your CCPA requirements and you're not putting any notices or changing language relative to that. You've got a footer link that says do not sell or share my personal information and you offer people, you know, opt out of sale rights and, you know, Bob's your uncle. But what seems to be happening in CIPA is people are getting demand letters because digital, you know, tracking or, you know, wiretaps are happening on the website by virtue of using Adobe Analytics, for example. And so that middle ground is kinda where the optionality comes in. I don't see anybody really trying to take the opt in consent model. I do see a lot of people still just complying with the middle ground, which seems interesting to me. And what we saw first was people would just put a disclosure. And the disclosure was basically contorting the cookie banner to just be kind of a notice vehicle.
Colleen
Yeah.
Max
That seems to be less effective now because as I understand it, a lot of people in this situation, the plaintiff's attorney would argue that it's not meaningful consent.
Colleen
If you start collecting so quickly, they can't possibly read.
Max
That's right. The data collection, the way CMPs work, by and large, the data is going to be collected because behind the screen, it's an opt out paradigm. So, yeah, you serve a notice, but you don't necessarily connect that notice to the tag firing behavior in a time based way. So one kind of tick up that we've seen companies start to try doing is basically creating some time separation between the notice and the actual data collection. So a plaintiff's attorney would argue, well, hold on. Yeah. You gave a notice, but there was no reasonable time for the individual to even read or understand or acknowledge or consent because data was collected ten milliseconds before the notice showed up on the screen, or the data was collected two seconds after and no human can read at that speed. That sort of stuff seems to happen. So getting a time buffer, ten, fifteen seconds, between when you actually produce this notice and when the data collection occurs seems to be one of the popular strategies that companies are implementing. So you're still taking an opt out approach. You're just waiting a few extra seconds so they read.
Colleen
That's right. That's right.
Max
There's some cleverness in how you do that, but creating time separation is a big one. And then, of course, this gets back to the legal judo, like, what is meaningful consent? And did somebody need to take an action? Do they need to click a button? So you'll also see companies put time delays and force interaction on the actual notice as a way to boost their argument that it was meaningful consent. And then, of course, one tick over to the right is I'm actually going to require them to flip a switch, opt in, and click save at the detriment of data collection. And so those are kind of the spectrum of options that we see companies exploring. And really, it's a risk based approach, and then it's also just a what is the legal argument that's gonna be made? That's all work for outside counsel or inside counsel, the litigation team. That's not really where software shows up per se. And it is still the case that even if you're doing everything to the right side, maybe just short of opt in consent, you're still probably gonna get a letter.
Colleen
Yeah.
Max
And then it's up to your legal team to figure out how you're gonna combat this. And certainly, sometimes we've heard of companies settling as a strategy. It seems like this very much isn't figured out, but those seem to be the options on the software provider side that companies can avail themselves of.
Colleen
Yes. Okay. So a few different models in terms of just how are you actually collecting that initial consent or giving notice. So that's proactive. Those
Max
kinds of things. You got the letter.
Colleen
Yes. Exactly. Then you're gonna get it, which as Nick said, what we're hearing is that it frankly doesn't necessarily matter how robust your notice and consent collection is. This is often just a game of breadth for these plaintiffs' attorneys. Not only are they targeting as many companies as they can, but in some cases, the accusations may not be entirely grounded in facts because they're truly, in some cases, trying to prey on privacy leaders or brand teams that don't know what they don't know. And so they're scaring teams into settling because they simply can't figure it out. So on that side of things, when you get the letter, can you talk about how to maybe go about fact checking?
Max
So one thing that we've seen customers be successful in deploying is basically good auditing. So if you can actually show, right, we're talking about time delay. This is ironic, but you can think of this in a way like a session replay. It's not exactly like that, but there is a way to go about demonstrating, hey, this event happened on this date. The system created this many seconds of delay. The individual clicked this button as a result or after that, you know, let's say clicked the button or the time delay, then these tags fired. Right? You can actually take snapshots of every interaction with the kind of privacy interface and log and store those things such that if you're in some sort of a dispute, you do have evidence to show, hey, for the last however many months we've been implementing this, like, I can prove to you that this is what happens every single time. Yeah. As opposed to the plaintiff's attorney going onto your website and downloading a HAR file and then using that as a way to prove, hey, you did it wrong this one time. We'll come back to that in a minute. But even if they were right in that one instance and there was some anomalous implementation with the CMP or the Internet was acting like, these things can happen. Sure. But if you can demonstrate a six month backlog of, no, this does work, I would imagine it makes it a little bit harder for a plaintiff attorney to win. And, again, it stands to reason to me, a non lawyer, that you've just made the job so much harder for those arguing that you're doing the wrong thing. And if it is the case, as we've been advised, that this is a spray and pray approach, well, then the juice is less worth the squeeze for the plaintiff's attorney. I think auditability is a really, really, really good way to enhance your odds of getting out on the other side in an effective way. The other interesting thing, you know, I mentioned HAR files.
A lot of times, maybe not a lot, but it does happen that the plaintiff's attorney will produce a HAR file, and then, of course, that scares people who don't deal with, you know, technology that much. Oh my god. What do I do?
Colleen
Well, I was just gonna say, I have to jump in as a marketer. Can you explain what a HAR file is? And excuse me to the lawyers watching. Maybe you all know, but I don't. So please reply back.
Max
Yeah. A HAR file is basically a snapshot of everything that happens in your browser when you're going to visit a website. Right? It's HTTP archive. So when you're in developer tools
Colleen
Nerdy.
Max
Which is a, yeah, exactly, which is a setting in your browser, F twelve for those who use Chrome. What you'll see is when you go to a website, you'll be able to see cookies that get set, the network requests that are made, the data that's being collected, a bunch of diagnostics and nerdy stuff. But a lot of that information can be exported from your browser in the form of an HTTP archive file, HAR file. And a lot of times, we'll see that that is what is being submitted along with the demand letter. This is the proof. And there have been many cases where the HAR file doesn't actually stand or show the proof that they're claiming in the text itself. Right. And that's more probably a bush league implementation of one of these situations, but a lot of people are doing it. So one step is just to be able to fact check that. And a lot of privacy pros, like, you asked me what it means. I can assume that if I gave you one of these files, it wouldn't make a ton of sense, nor would
Colleen
Correct.
Max
a big body of legal text to me even though I read English. Right? It's just not your subject matter expertise, and then you're off trying to get some technical expert at hundreds and hundreds of dollars an hour. And there are tools that can help you actually replay what is happening in a HAR file. It's a little bit more visually friendly, and it will help you draw correspondence between what's written in the document or claim and what their proof was. And so that's definitely step one. Can you actually substantiate what's written and the proof that's given? I've been stunned at the number of times that a claim is made and the HAR file doesn't actually back that claim up.
Colleen
Wow.
Max
So that's an awesome starting point. And from there, we're back to some of the auditability that's certainly useful, right, in this anomalous moment where they can prove through this HAR file that you were doing the wrong thing, having a long history of doing the right thing, to me, it stands to reason is somewhat helpful. Those are the two kinds of "once you get a demand letter, what do you do?" And then, of course, I think this is still a very legal centric issue. Right? I can't stress that enough. It is bizarre to me that when I talk to privacy pros, it's this bizarre new phenomenon that the law is being pointed at something it wasn't really intended to. It didn't contemplate it, and now we're just figuring it out. Because of that, it does seem like a very good practice to enroll outside counsel who is familiar with some of the tactics that are being employed to make these claims and settle.
Colleen
Makes sense. I wanna come back to the granularity. So when you talk about the HAR files as well as what these plaintiff attorneys are getting at, it sounds like they're really looking broad and deep into the data collection on a site. And so I guess putting this in the context of tools that a privacy pro or program typically has access to, I think when we think about what's happening on the site from a tracker standpoint, most folks have or maybe think of, well, I have my cookie scanner or my cookie management. What you're talking about sounds more robust than maybe what is typically the little sidecar in your cookie banner tool or your CMP. Is that fair to say?
Max
Hundred percent. I mean, this is yet another instance of what I have perceived to be in privacy for a long time as an unfortunately terrible disposition that privacy law can be solved with a cookie banner. It's just not the case. Who cares if the cookie was set on the browser? By the way, that's not data collection. The cookie gets stored in the browser and then go to a third party. This is about the data that's being transmitted to a third party. Right. And even more problematic is it's about when it happened relative to what notice was given and the sequencing between those two things. There's a lot of nuance in order of operations and data being collected, not cookies being set. And so if you have a cookie scanner, I think that's wonderful. And I mean, really, I'm not saying it's not part of the problem, but it's just child's play compared to what's actually happening on the front lines of privacy. Consistent with that, or similarly, I would also say tooling that helps you understand the nature of the data that you're collecting in the browser is super, super important. These demand letters and the claims, it seems like the price goes up when the nature of the data is more sensitive. And if you don't have a handle on the nature of the data that's being transferred to these third parties, you may be in more jeopardy or you might have a bigger problem on your hands than you might think. So even an a priori understanding of your website to understand, again, the sequencing between notices and the data collection that happens, understanding the nature of the data is super important because if it's sensitive, the asking price is going to be significantly higher. All of those things are tools that do exist, and they help at least mitigate some of these issues and certainly help defend you when and if they show up on your doorstep. And they are going to show up most likely.
Colleen
Well, Max, thank you so much for breaking down these technical concepts and potential strategies for us. Really appreciate your time as always.
Max
Thank you.
Colleen
Folks, this is not gonna be our last episode on this topic. I guarantee it. So please leave some comments if there's specific angles or a guest you want us to speak with on this continuing challenge. And we will see you next time on the next episode of the Privacy Huddle.