Al Saikali is a Partner at Shook, Hardy & Bacon, LLP, where he founded and serves as chair of the law firm’s privacy and data security practice. In his role, he directs breach response efforts, represents companies in litigation, and counsels organizations on the various laws governing sensitive information. Under Al’s leadership, Legal 500 has named Shook, Hardy & Bacon a Top Cyber Law Firm. He has also been ranked by Chambers USA as a national leader in privacy and data security law for four consecutive years.
Here’s a glimpse of what you’ll learn:
- Al Saikali talks about his legal career and how he developed a privacy and data security program
- How Al’s litigation background influences his approach to privacy and cybersecurity
- The evolution and current state of Florida’s privacy laws
- What are the common privacy litigation cases, and how can companies mitigate risks?
- Which privacy laws are impacting class action lawsuits
- Avoiding class action lawsuits with pop-up disclosures
- Al explains the importance of collaborating with internal and external stakeholders to comply with privacy laws
- Personal privacy tips for data protection
In this episode…
As advertising technology evolves, many websites are embedded with pixels that gather and transmit user information to third parties, and class action lawsuits regarding wiretapping and information sharing are being filed at an increasing rate. So how can you avoid such lawsuits and reduce risks?
According to Al Saikali, class action lawsuits often transpire due to a lack of communication between internal departments and external stakeholders. There’s a significant knowledge barrier between marketing, IT, and law, so transparent education is crucial in identifying privacy breaches. When you understand how this technology functions, you can implement privacy controls to limit information sharing. Al also suggests placing pop-up disclosures and consent notices on your website and acquiring cyber insurance to protect against risks.
Shook, Hardy & Bacon’s Partner Al Saikali joins Jodi and Justin Daniels on this episode of She Said Privacy/He Said Security to discuss the emergence of class action lawsuits for website pixels. Al also explains the evolution and current state of Florida’s privacy laws, the common types of privacy litigation cases, and how to mitigate risks associated with class action lawsuits.
Resources Mentioned in this episode
- Jodi Daniels on LinkedIn
- Justin Daniels on LinkedIn
- Red Clover Advisors’ website
- Red Clover Advisors on LinkedIn
- Red Clover Advisors on Facebook
- Red Clover Advisors’ email: info@redcloveradvisors.com
- Data Reimagined: Building Trust One Byte at a Time by Jodi and Justin Daniels
- Al Saikali on LinkedIn
- Al Saikali on Twitter
- Shook, Hardy & Bacon
- Privacy & Data Security Law Journal
Sponsor for this episode…
This episode is brought to you by Red Clover Advisors.
Red Clover Advisors uses data privacy to transform the way that companies do business together and create a future where there is greater trust between companies and consumers.
Founded by Jodi Daniels, Red Clover Advisors helps companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. They work with companies in a variety of fields, including technology, ecommerce, professional services, and digital media.
To learn more, and to check out their Wall Street Journal best selling book, Data Reimagined: Building Trust One Bite At a Time, visit www.redcloveradvisors.com.
Intro 0:01
Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate and sometimes quarrel about how privacy and security impact business in the 21st century.
Jodi Daniels 0:21
Hi Jodi Daniels here, I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and Certified Information Privacy professional providing practical privacy advice to overwhelmed companies.
Justin Daniels 0:36
Hello, Justin Daniels here. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches.
Jodi Daniels 0:53
And this episode is brought to you by Red Clover Advisors, we help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, and check out our new best selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com ready for some fun. I use are you we’re still wearing the big crazy. So anyone who’s watching can see our strange shirt situation you got going
Justin Daniels 1:41
on here? I don’t understand. You wear hoodies all the time.
Jodi Daniels 1:45
It says if you have like a massive scarf thing around your neck. Wow.
Justin Daniels 1:50
I’m very warm. I’m yearning to go back to Colorado.
Jodi Daniels 1:53
I see. Yes. Well, back from spring break back to the real world. We’re gonna have a good discussion. Because today we have Al Saikali, who chairs the privacy and cybersecurity practice at the law firm of Shook, Hardy & Bacon. For the last six years Chambers USA has recognized Al as a nationwide leading practitioner and privacy and data security law. And under his leadership, he was named the law three or Shook was named the Law 360 Practice Group of the year for privacy and cybersecurity and Legal 500 has named Shook a top cyber law firm for the last five years in a row. So congratulations on all those amazing accomplishments. And we’re really delighted that you’re here with us today.
Al Saikali 2:35
Thank you, Jodi. And thank you, Justin. Great, great to be here.
Jodi Daniels 2:40
It’s really fun, because we’ve had all kinds of LinkedIn conversations. And it’s always nice to see people you know, outside of the social media world.
Al Saikali 2:49
Yes. Yeah, that’s right. Right. In fact, you know, to IPP, you and I met it had to been about 10 years ago as one of those five minute mixers that I think they still do it at the I think they do. Right. So this is a lesson to everybody attending the IPP five minute mixers, because you never know you meet somebody and then you still are in connection with them. 10 years later, so
Jodi Daniels 3:13
yeah, exactly.
Al Saikali 3:13
Thank you for inviting me to be part of the show.
Justin Daniels 3:17
Are you laughing? This reminds me of he could have said, you go out to a Wednesday night drinking club, you never know who you’ll meet.
Jodi Daniels 3:26
You’re gonna have to explain that story. You can’t just leave that one night,
Justin Daniels 3:29
I guess for the benefit of Al our audience. Jodi and I met one night on a rainy night where you typically wouldn’t go out to a drinking club where we really don’t frequent. And I guess to your point Al what you were saying is, I went somewhere I didn’t anticipate much happening. I kind of went on a lark and you meet the person who turns out to be your wife. So there you go.
Jodi Daniels 3:53
It’s champ. But in the spirit of if anyone’s ever done like speed dating kind of things, the speed networking and IPP. It’s really well done, because you do you get just a couple minutes to meet a whole bunch of people. And then you can stay in touch with them and have a podcast and have a conversation.
Justin Daniels 4:11
Yeah, well, let’s get back to our regular schedule regular scheduled programming. So Al, can you tell us about your career and how you got to where you are today? Sure. So
Al Saikali 4:22
I’ve been practicing law now for 24 years. I started as a judicial law clerk and began my career as an appellate lawyer focusing primarily on product liability issues. And then I joined Shook in 2005. And for about five years, continued working in the area of product liability litigation, but really focused on all levels trial and appellate. And then as I came up for partner, that was when I started to make the transition into privacy and cybersecurity. I’d always been interested in technology ever since I was a little kid, and it was just something that continued to interest So I started doing research on different areas of the law that were out there that are new or novel and could have a strong future because honestly, everybody in my firm was doing product liability litigation. And I kind of also saw from the business perspective of if you’re gonna become a new partner, why is someone going to hire you versus someone else who’s been doing this for 20 or 30 years, like you got to find a niche that really works and that you’re interested in, that’s going to sustain your career in long term. So I started a blog, which is still going today, I don’t write as much as I should, but it’s still going today. The and I speak, I started speaking, and just writing and trying to get my name out there and learning about privacy and cybersecurity. And then the big sort of bump in my, my development in the area came in around 2012 or so where there was a small company that had a data breach, that was a very significant data breach that impacted about 300,000 people. And they came to me and said, you know, we need your help. And I, you know, I quickly realized there was no way that they were going to be able to afford our big law firm breaks to be able to do that kind of work. And so I sort of negotiated a deal that is almost allowed us to do the matter for pro bono. But as a result of that, I got experience sending notices to all 50 States and to the 80s and working with ag inquiries and developing templates and models and things that I could use in the future. And then by chance within the next few months after that, we started getting inquiries from existing clients saying Do you have anybody that does privacy and cybersecurity law, because our typical firm just doesn’t have anyone yet this was back early, even before the Target breach, I think. And, and so we started getting hiring, hire more that way, as well and started to slowly grow. And it grew from me to a team now of 34 lawyers in different offices throughout the country. So yeah, that’s a little bit about my background.
Justin Daniels 7:07
So Al actually want to ask you a follow up. Question for maybe our legal listeners is, you and I are both cybersecurity practitioners. But by trade, I’m a transactional lawyer, and you are a litigator. And I’d love if you could share with our audience a little bit about how that litigation background influences how you approach cybersecurity and privacy issues.
Al Saikali 7:29
Yeah, no, that’s a great point, Justin. I mean, I think about it when I when I, when I’m handling an IR matter, I’m very much always thinking about where is this going to end up in litigation? Like what are the factors that plaintiff’s lawyer is going to look to as part of the incident because you want to obviously, try to mitigate the likelihood that there will be a class action lawsuit, which is getting increasingly more difficult these days, because the the bar for filing a class action lawsuit is just getting lower and lower. Now we’re starting to see them following data breaches that impact this view is 1000. People. You know, but But thinking with the litigation mindset, you’re always thinking about, you know, what, what, what should we be saying in these notices to make sure that they’re accurate? Because you don’t want to create a potential negligent misrepresentation or fraud claim? What should we be doing in terms of providing credit monitoring or not? Because you’re thinking about that in terms of the standing or harm arguments that we raised in litigation, you’re thinking about the class size, because that’s also a factor. So it’s been very helpful to the IRS, IRS side of our practice, I think.
Jodi Daniels 8:39
Now, you’re located in Florida. And Florida is in the news a lot for a variety of different reasons. But we’re going to talk about privacy. And you always do a wonderful job of summarizing what has been introduced what some of the big issues are in Florida as it relates to the different privacy laws that have been introduced over time. I was hoping maybe you could share a little bit about what are some of the issues? Why hasn’t it passed before which many people thought it was going to is hanging on by a thread or some people could say by a chat, we went all the way back?
Justin Daniels 9:17
Where we can say it’s hanging on by the privacy, rights of private action?
Jodi Daniels 9:23
Where can I let Al share with us a little bit
Justin Daniels 9:28
being taken away?
Jodi Daniels 9:30
And where are we might be going.
Al Saikali 9:32
So there have been a couple of attempts in years past to pass a more comprehensive privacy law here in Florida. And for those who are not familiar with Florida politics, it is a pretty much super majority of Republican state now across the board, which has been a big shift over the last decade or so. But it’s a strong shift. I mean, the Republicans are gutting the governor’s house, they own the house of rubber senators and the Senate in our in our state legislature. So as a result of that, the the it’s been very difficult to pass a comprehensive privacy law that has a private right of action, for example, to Justin point which would allow individuals to file more and more lawsuits. But it’s been an it’s been an interesting dynamic, because it’s privacy is not an area that really cuts like Republican Democrat as much as it used to. Right because, and I hate to kind of use the over-generalizations, but it used to be the case that, you know, the Democrats been very pro-consumer were very much in favor of a comprehensive privacy law and still are, the Republicans, typically being more pro business would oppose many of the requirements, the comprehensive privacy laws would put, you know, on, on potential businesses claiming that they create significant costs. And, and so they there was a lot of opposition, but within the Republican Party, now, there’s been much more of a, a call it a fracture, but there’s this divide between sort of the very populist movement and the pro-business side. And so the populist movement is very much in favor of these kinds of, of laws. But even within there, they’re still I don’t think entirely on board with the private right of action. So the private right of action had been a big problem in, in, in years past. And it I think, it really came down to the leadership in the House, and the leadership in the Senate, there was an individual who was leading the House who was very much on board with a strong privacy law that would allow for private rights of action. And he wanted to be able to, I think, also use that after leaving his position in the House to in going into private practice. The Senate side, though, they’re much more traditional here in Florida, and they were a more pro-business. So it never really got through the Senate, this year, could be a very different story, because the bills that are before the Florida legislature this year are very focused on big tech companies. I mean, the scope in terms of how it defines what a controller is, essentially any company that earns more than a billion dollars, and either provides targeted advertising services, or, you know, manufactures smart phones, or smart speakers, or contracts for the manufacturing, as you can tell, they’re going after Meta, Apple, Google, like the really big tech. And I have not been involved in the effort this year, as I have in years past, because I’m not a fan of what is happening. I don’t think that this is the way you go about developing a privacy policy is using it, essentially, for political purposes to target some specific companies. The law does not have a private right of action built into it. But the legislation doesn’t have that private right of action built into it. But because it’s very focused on a few companies, there’s a very good chance it would it will pass because in years past, you’ve had these the lobbying arm of smaller and midsize businesses that were opposing it. So we will we will see, you know, the session ends, I think mid-April. So we’ll see if this if this comes about, but it’s certainly something that I think has a very good chance of passing legislation.
Jodi Daniels 13:16
With that being said, Do you anticipate or have you heard anything about any other privacy laws coming that might, you know, affect the all the other companies that are out there? Or you think at this point, just just Al’s view, that it really is going to be the likelihood is this big this bill for the really big companies? And maybe it’s due to years, where there’ll be something that kind of addresses the masses? Yes,
Al Saikali 13:42
I think it’s the latter. I think this year, it’s just going to be the bill that focuses on big companies. But my concern is, if this passes, it essentially will turn into a tax, you know, because there’ll be a lot of enforcement actions, and that will seek millions of dollars. And then the cost of using Google and Meta and those services for advertising that a lot of small businesses enjoy and really like, that’s going to go up because the cost will just get passed down to them. I think you know it and you’re just one minor tweak away from applying this law to other businesses, you just have to change the definition of controller a little bit. But in terms of what else we could see, we could see changes to the FSCA, which is the Florida, Florida State equivalent of the TCPA. It’s like our little TCPA act. And there have been a significant number of class action lawsuits filed in the last year or so due to some changes to that law. So we could see some corrections there. I’m also hearing rumors about the legislature addressing what’s going on with wiretap claims, because there’s just so many of these wiretap lawsuits now in the privacy space that they’re talking about, do we need to change the wiretap law the FSCA here in Florida to make to make it clearer that these sorts of losses It should not proceed. So that would be something else to watch as well. But the first one is the one I think is most likely to pass.
Jodi Daniels 15:06
In that vein, I know we were going to talk about, there’s so much happening with class action lawsuits. I’d love to dive in a little bit more on the kind of Florida version of TCPA. And the wiretapping piece, if you can share, maybe what you’re seeing in this feature bill are really what are a little bit of the details of the types of cases that you’re seeing and what companies should be doing and thinking about?
Al Saikali 15:31
Yeah, so the the the wiretap claims are, I think, the hottest area of privacy litigation right now. And these are usually arising from the use of certain advertising technology and websites. So let’s say I’m a company typically, it’s a healthcare company, that is often a target, but it can be any anyone that uses you know, videos in a web in a website, for sure. But if I’m a company, and I use pixels in my website, or if I use session replay in my website, and that results in the sharing of my information with a third party, for example, when you know, the wave, let’s say, let’s take pixels, for example, the way that pixel technology works is when I sign up for Facebook, I am told by Facebook that we are going to give you a put a cookie in your browser. And that cookie is going to track where you go around the internet. And the reason for that is so that when you come back to Facebook, you will see targeted advertisements for the places that you visited. And that information is shared with us by you, as a result of the cookie that is placed in your browser. And so as I go travel around the internet, I you know, and one could one, one that one can many are arguing that people don’t read those sorts of notices, right. So it just happens and they go on about and some could argue, well, that notice may not be enough. But regardless, that’s what that’s what happens. So then when I go to a website that has what’s called a pixel, or met the Meta pixel built into it, that might, my browser sees that and says, Okay, I now have to send information about this, visit over to Facebook, and it will send information like my Facebook ID, and the header information for the website, things like the URL that I’m visiting. And sometimes, depending on how the pixel is configured, it can send information about things that I typed into the website, like getting the forms and things like that. And so there have been a number of lawsuits. Now they’re claiming that there hasn’t been a sufficient disclosure by the website about the use of the pixel. And so the website is causing information to be shared with Facebook, about the individual. And this becomes particularly problematic for health care providers. Because, you know, under HIPAA, if you’re going to share a PHA with a third party, you need to make sure that there’s a business associate agreement in place. And so a lot of these lawsuits are against two kinds of entities. One are the health care providers, where the argument there is that because the pixel sometimes is even in the portal, the patient portal, but it’s just maybe elsewhere on the site, it is shared PHSI with Facebook, about me, and if there wasn’t a business associate agreement in place, and I didn’t give them authorization to do it. So I’m considering that a breach and I’m going to sue you now. And I’m suing for a violation of the wiretap law, because there’s an interception of my communication with you by a third party. And now as a result of that, I’m entitled to $1,000 in damages, and each person should get $1,000 so that everyone who visited your website should get $1,000. And so that’s basically what these websites with these lawsuits are alleging, and they’re in the new phase, right? These are lat last three to six months is really where we started, see these things pop up. But they are I mean, we’re seeing two or three new ones getting filed almost every day. You know, they could end up being like the new HIPAA, except it’s just nationwide. The other I talked about it being in two scenarios. The second scenario where we see it, though not as much is with the VPPA context. And there’s the Video Privacy Protection Act context, companies will sometimes put pixels in videos. And as a result of putting the pixel in the video, it could potentially share information about the video or what I watched the kind of video that I watched, again, with the third party that’s the allegation being made by the plaintiffs in these cases. And the VPPA prohibits the sharing of video watching habits within third party without consent. So to your question, Jodi, about okay, so then how do companies try to mitigate this risk, or what should they be doing? I think a big problem is that the what the lawyers in the companies are talking to the marketing people on the company’s behalf of our clients didn’t even know they were using pixels, right? They don’t know what it does. They didn’t know anything about it. And it’s only now that they’re starting to learn more and research into how it works. So number one, I think is having that conversation to figure that out. And then number two is what are the privacy controls that are existed? Because with pixel technology, there are privacy controls, there are ways you can limit what potentially gets shared. So thinking about how are we maximizing those? And do we are we sharing the minimum necessary with the third-party? You know, I think the third thing is thinking about, you know, from a litigation standpoint, do we need to have like an arbitration provision potentially in place? Do we need to be thinking about getting cyber insurance, something that will cover the cost of these sorts of lawsuits as they as they pop up? So for sure, but the other big thing too, is disclosure, right? Disclosure and consent, put something on the website, like a pop up, when you go to the website in the marketing department hate that, but a pop up that says, we use technology that may share information about your visit with our site with third parties to learn more, go to our privacy, notice, and then have a link to that. But it has to be the pop up, you can’t just rely on it being on the privacy notice at the bottom because courts have held that the recording in session replay or the use of the pixel has happened the moment that you hit the website, so you’ve got to have that pop up. Right away. So those are a few tips, I guess, in terms of what we were telling clients to try to mitigate some of those risks.
Justin Daniels 21:19
So I kind of have an interesting question, as a follow-up, you just triggered something in my mind, which is with the proliferation of these lawsuits, kind of using existing laws that are now being applied in new ways. And given that, you know, Republicans are typically pro-business, could you talk a little bit about what the potential implications could be because lawsuits sometimes drive new laws? And perversely, it sounds like if we continue to have a rise in these kinds of wiretapping or VPPA claims, could that not be a an impetus to see more privacy laws and as a response to this type of litigation?
Al Saikali 21:58
You could, you could like you could, you know, I mean, we see the congressional hearings, the US Congressional hearings, right, like, there’s this anti-big tech attitude that pervades Congress, through gone and both parties. So there might be some legislation that’s passed that is very targeted in that way, the same way that Florida is trying to go about doing something like that now, so we could see more of these laws being passed. I think on the other side, you’re though you’re also seeing a recognition by legislatures and leaders that maybe with this is going too far. And one of the examples of that recently is at the tip of decision out of the Illinois Supreme Court that allows individuals to sue, you know, $1,000 per violation and has now or $5,000, if it’s intentional, but his now the Supreme Court has held that, that you measure that based on the number of times a person provides, for example, a scan. So when you check in to work, when you take a lunch break, when you come back, when you go home four times in one day, that’s $4,000, for that one day, multiplied by the number of days you’ve worked there. Like it’s just insane levels of damages that will bankrupt companies. And I think some, you know, there’s been, I think, a fairly strong reaction, like that’s not the right result, either. So there has to be this like middle ground, like, what’s it going to be if there is going to be a private right of action? How do we, you know, how do we how do we make sure that the, there’s not some bankrupting type damages as as a result of that, because of the statutory damage? And so maybe a middle ground is requiring some proof of harm in order to be able to pursue the statutory damages, though, then that raises the question of, well, what does that mean? Like what is harm? Right? Like, how do you define that, especially in the privacy context? Right, and that’s a big discussion. So yeah.
Jodi Daniels 23:55
Al, you mentioned having the popup disclosure. And I wanted to ask, in your mind, is it enough to have just the disclosure? And, you know, there’s kind of the opt in versus opt out approach, meaning Can I have the disclosure, the cookie still fires? And then if I say reject, then you won’t fire me anymore? Or is it doesn’t need to be in these types of situations. The banner that allows me to accept in the cookie only fires when I hit accept.
Al Saikali 24:29
So I think for now, having the disclosure there is going to be enough to avoid most of the rounds of lawsuits that we’re seeing because I think right now the plane is they’re just picketing the plane as far as picking up low hanging fruit of companies that have nothing there at all. Usually not even a privacy notice on their site. But I but what you’re hitting on Jodi goes to what I think is the future wave like the next six months to two years of lawsuits we’re gonna see, which is how well our companies can fine with what they’re saying they’re doing with respect to cookies and giving users control over that. So for example, when I visit a site and I have, you know, my GPC like you’re sitting, I’m sending signals to the, to the website saying, don’t track me, don’t give me I don’t want any cookies don’t share my information. A lot of companies are ignoring that. Similarly, even with the cookie banners. And when there’s granular options that you can pick, I want these kinds of cookies, but not these kinds of cookies. Companies are sometimes ignoring that too. It’s not like an automatic thing where it’s done. It’s just automatically deployed. So what I think will be the next wave will be these negligent misrepresentation, fraud, consumer deception, deceptive, trade practice type claims that will come about arguing, look, you told me you weren’t going to collect my information or share it, you told me you were not going to install cookies on my browser, but you did. And that is a violation of these laws. So you’re gonna start seeing those lawsuits too. And that’s a whole other world of hurt. So it’s, I guess the underlying point or takeaway for listeners, I think, is making sure that what you’re saying you’re doing on the website is actually happening as people visited.
Jodi Daniels 26:11
It’ll be interesting to really see what happens because as we all know, the acceptance of those cookies, so if it really moves into a future of, you can only have it fire, if I hit “accept,” there’s going to be three people left. And so then the technology doesn’t, doesn’t work, which maybe is the goal. Well, the goal is probably just to get a lot of money from the people who are filing lawsuits. Or maybe they really do have a mission, and they don’t genuinely like the technology. But it will be fairly interesting, I think, to see where that goes. Because we’ve seen what has happened to the ad tech industry in GDPR. Right? The levels of consent are are very small.
Al Saikali 26:47
Yep, absolutely. Very true. That’s very true.
Jodi Daniels 26:51
You were very eager — destined to ask the question, and I made you wait.
Justin Daniels 26:55
I guess. I guess the other thing I wanted to get your perspective on Al is, you know, you just said, you know, a lot of companies, you can have a privacy policy, but if you don’t comply with it, you opened yourself up to this litigation, you also made a very good point about how marketing and legal don’t talk. But it sounds like in order to really have a privacy policy and do what you say you’re going to do. Not only do these two folks have to talk, but now you got to add it because they’re the ones who technically have to do it. And, you know, what are your thoughts around that? Because you know, that all three of those parties speak very different languages. And now they have to come together as a cross functional team.
Al Saikali 27:39
That’s exactly right, Justin. And, and I would even throw one more in there, which is your third-party website developers, right? A lot of companies don’t actually develop these websites themselves, they hire third parties to do that. So you do have to bring everyone to the table. And you know, it’s an I guess, in many ways, it goes beyond, we’ve been talking about the website as an example. But it also it provides another example of why you want to bring HR into the conversation with privacy, because they’re obviously handling and dealing with a lot of personal information about employees, and maybe thinking of rolling out certain technology or doing certain things that might impact that personal information. So there, there should be, you know, all the stakeholders at the table together. And, you know, one of the things that we’ve been doing with clients is having quarterly meetings with their legal folks. And they will invite other stakeholders to that call, just to give them an update of here’s some trends, we’re seeing some things that are happening out there. And that will trigger the conversation of hey, you know what, you know, we’re talking about session replay here, but we like to use session replay to get consent for TCPA type actions. And so we’ve been using it a different way. But in light of this conversation, maybe we need to think about whether we have sufficient disclosures, like so having at least setting a you know, a quarterly call to talk about these kinds of things and get everybody familiar with with these trends, I think is pretty important. So
Jodi Daniels 29:05
what are you seeing as it relates to chat bot class action suits, right? There’s a lot of websites that will have a little chat vendor that pops up on the website, so I can talk to them at all hours of the day. And it’s my understanding that you’re seeing similar class action suits with that technology.
Al Saikali 29:24
Yes, it’s the same sort of thing. They’re all what their wiretap claims. And the argument there is when Al visits the website, and that third that chat bot pops up, it’s being provided by a third party, but I don’t know it’s a third party. So as I type in, in communications to the website, the company behind the website, I’m in fact that information is actually being shared with the third party chat bots service provider, but I’m not aware of it because there’s never been a disclosure so there is essentially an interception of my electronic communications. And it’s not disclosed to me it’s surreptitious and And therefore, I get $1,000 bucks for finding that and calling it out. Right. And everybody else does to that use it. And so that’s been going on now in Florida, we were able to obtain some pretty good decisions from federal courts to that’s not really what the wiretap law was meant to do. Also, you know, is this really a device or content under the statute, and there’s some sort of technical arguments that were made that were successful, but that’s not the case everywhere. California, the defendants are having a really hard time out there. And there are two plaintiffs firms, they’re they’re just going about sending out demand letters to every every company doing business, alleging that there, there’s technology on their website that violates the CBOE, which is the California wiretap law, and, you know, looking for a quick payout in order to go away. And so, you know, the litigation continues. But yeah, that’s another way in which the wiretap laws are being used as the use of this chatbot technology.
Justin Daniels 31:05
So Al, knowing what you do, and all of your years practicing in the privacy and security area, if we were hanging out at Miami Beach, in South Beach, what kind of best privacy tip would you offer to me as we’re hanging out drinking a tequila on South Beach?
Al Saikali 31:28
Well, one of my first mentors in privacy, Chris Wolf would probably be there, because he is he, he loves coming to Miami Beach and enjoying it. And so I think, you know, I think, look, it’s one of the things I tell my family members is don’t share so much of your personal information, don’t overshare, you know, and you have to assume that when you share it with a company, that third, that company, probably going to end up sharing it with other people, and then you lose control over it. So assume that whatever you give someone that then gets given to other people as well. And one of the ways this comes up a lot is, you know, cell phone numbers, like you go everywhere, and somebody needs your cell phone number, you know, I parked the car, you know, and then the valet guy is like, I need your cell phone number, you know, you go to a restaurant, like I need your cell phone number in order to text you when this is ready, like all it is, is cell phone numbers here. And then people wondering why they’re getting calls all day long. You know, from numbers, they don’t recognize, they’re given a number out to everybody. So you know, you could create a different number or you could change the digit whatever you’re going to do. That’s one area that it’s something that I certainly may or may not have done over time. But yeah, that’s something else that I like a little practical pointer is watch out for giving out too much information.
Justin Daniels 32:45
Al am I going to have to depose you now over what numbers you’ve been giving out?
Al Saikali 32:49
Somebody out there with one digit different from mine is getting a whole lot of phone calls?
Jodi Daniels 32:54
Well, they’re gonna be happy because then they’re getting your table.
Al Saikali 32:57
Right? That’s true.
Jodi Daniels 32:59
So, so Al, you’re now working on all things privacy. What do you like to do for fun?
Al Saikali 33:07
Um, well, people just kind of venturing out and watching TV. You know, the weather’s here. The weather here in Florida is pretty good. So we enjoy our pool. Almost year-round. But ya know, I’ve been watching. Let’s see these days of watch. You know, what I’ve been really hooked on is a fantastic show is Drive to Survive on Netflix, which I was never a Formula One fan. I could care less about it. Didn’t know anything about it. But this show I like went through five seasons in like three or four weeks like it was it fantastic. That’s a good one. I just finished The Last of Us. You know, this weekend? I watched that one. Yeah, like kind of kind of watching TV. We’re like, oh, I will say that. I’m trying to do a much better job this year reading for fun. I don’t do enough of that. I haven’t done enough of that. So this year, I’m starting I went to like the New York Times bestseller list for last year. Like okay, let me work through some of these. Let me read through some of these books like think that’d be picking them. Right, right. Like there’s probably so so I started I will tell you, I got a fantastic one that I found. It’s called Trust. And it’s a guide written by an author named Hernan Diaz, and is fantastic. So if anyone’s looking for a good book to read, I would highly recommend that one’s very good.
Jodi Daniels 34:25
Thank you for sharing, where would be a great place to connect with you if people want to learn more. And in volume
Al Saikali 34:31
of LinkedIn, I post a lot there on LinkedIn. So feel free to reach out make a friend request. The also my blog, I’m trying to write more I don’t do it as often as they should. You know, that’s the privacyanddatasecuritylawjournal.com And, you know, maybe on Twitter a little bit but we also send out alerts so if anybody wants to learn more about developments in the law, just shoot me an email I will add your name to the to the list that we have here at Shook. And ya know I look forward to meeting more people in the privacy community always at the conferences is you know Jodi or go to the IPP and, and net diligence and some of these others so, yeah.
Jodi Daniels 35:20
Well Al, thank you so much. We really enjoyed the conversation.
Justin Daniels 35:24
Thank you for having me. I appreciate it.
Outro 35:31
Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.
Privacy doesn’t have to be complicated.
As privacy experts passionate about trust, we help you define your goals and achieve them. We consider every factor of privacy that impacts your business so you can focus on what you do best.