
Intro 0:00

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

 

Jodi Daniels 0:22

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified privacy professional providing practical privacy advice to overwhelmed companies.

 

Justin Daniels 0:35

Hi, I’m Justin Daniels. I am a shareholder and corporate M&A and tech transaction lawyer at the law firm Baker Donelson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cybersecurity risk, and when needed, I lead the legal cyber data breach response brigade.

 

Jodi Daniels 1:00

This episode is brought to you by ding Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more and to check out our best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. I have figured out that your shirt today, Justin, which is a more bold color, not something you always typically wear, is bringing out the blue behind me in my background. I can see more of the blue, predominantly. That is what is happening. My eyes are playing tricks on me.

 

Justin Daniels 1:53

You were the one who told me the other shirt I bought needed to go.

 

Jodi Daniels 1:56

It’s true because you know what, it’s summer, people should be bold and colorful and bright. It just makes everyone happy. Speaking of happy, I’m really excited to bring today’s guest. We have Julie Rubash, who is the General Counsel and Chief Privacy Officer for Sourcepoint, the data privacy software company. Julie brings over 15 years of legal experience, both at law firms and as internal counsel in the media, technology and advertising sectors. Prior to Sourcepoint, Julie served as the VP of legal at advertising platform Nativo. She coordinates legal efforts for Sourcepoint and ensures that the product suite innovates and expands to meet the needs then I can’t even speak, to meet the demands. I made a new word created by the changing regulatory landscape, because it’s changing so rapidly that it is making me twist all my words. Hi Julie, welcome to our Salinas, also known as the podcast.

 

Julie Rubash 2:52

Hi Jodi, thank you for having me. Wonderful.

 

Jodi Daniels 2:54

All right, you take over, and maybe you won’t twist your words like I am.

 

Justin Daniels 2:58

Well in the preshow you said I was on —

 

Jodi Daniels 3:01

We’re obviously struggling today. It’s gonna be great.

 

Justin Daniels 3:06

All right, Julie, save us. Can you tell us about your career journey, please?

 

Julie Rubash 3:11

Yes. And I love telling my career story to privacy professionals, because it sort of tracks some major milestones in privacy law. So as I tell you the story of my career journey, you’ll get a little bit of privacy history along the way. So I started my career at a mid-sized law firm in Chicago, primarily providing legal support for healthcare technology companies, for example, companies that license software to hospitals to monitor patient vitals or to manage patient records. So obviously, privacy was a crucial element of that work, and then that was also at the time that two pretty important developments were happening in the privacy arena. First, states were passing security breach notification laws in domino style that is very similar to what we’re seeing today with comprehensive privacy laws. I often get flashbacks to having to put together the charts of security breach notification laws like we’re seeing today with the comprehensive laws. And the second thing going on was that the HITECH Act was passed, which, among other changes, provided for more stringent liability and enforcement for HIPAA, established a federal breach notification requirement for health information and made business associates of healthcare providers subject to the same privacy and security rules as HIPAA covered entities. So as a junior attorney, it was a great time to hit the ground running in the healthcare tech privacy space. However, I did not stay in that space. I took a bit of a pivot after that, and took a job in house at Sears, supporting their online business unit. So now that was right after Sears was hit with an FTC consent order regarding their consumer tracking behaviors.
Yeah, tracking occurred even back then, so I spent a lot of time in that position, working with the privacy director at Sears to ensure that none of our contracts or practices ran afoul of the consent order, and that we were, you know, tracking consumers or not tracking consumers in accordance with the consent order. This was also at the time that the TCPA or the Telephone Consumer Protection Act class actions were rampantly targeting companies over their text messaging practices, kind of similar to the VPPA and CIPA class actions that we’re seeing today. So getting those flashbacks again. So I was very involved in ensuring that our text message programs were compliant with the TCPA and the MMA guidelines. So from that job at Sears, I actually went reverse course and went back to law firm life, which meant many people thought it was crazy, but it was probably the best decision I could have made for my career, because it allowed me to gain experience across a lot of different types of companies and circumstances. So I worked for two different law firms over about a seven-year period. I worked for Loeb and Loeb in their advanced media and technology group, and for Sheppard Mullin in their entertainment technology and advertising group. And it was in these roles that I really dove into the advertising world, supporting ad agencies, ad tech companies and brands, and learning the differences between first party and third party data and concepts like measurement and attribution and frequency capping, coupled with learning the legal requirements under the FTC’s online behavioral advertising guidelines and self-regulatory guidelines coming from the NAI and the DAA, which were gaining increasing attention in this space at that time. So after about seven years in law firms, I went back in-house. I’ve done a lot of flip flopping in my career, I suppose, this time as the first and only attorney at an ad tech company, Nativo.
This was February 2018, three months before GDPR went into effect, as everyone in the privacy space knows. So I really had to hit the ground running in that role and put the company’s GDPR compliance program together. Luckily, there was true cross-functional buy-in across the company on the importance of getting GDPR right, so we all banded together and got it done, or as much as you can get it, could get it done at that time, and we felt ready to support, you know, our company and our clients before the deadline, and then we did the same thing for CCPA. When CCPA came into effect, at that time, I had a little bit more of a runway, and I had hired an amazing junior attorney who helped me with a lot of the heavy lifting, so it wasn’t quite the same mad rush as GDPR, and as everyone who has done it before knows, it’s much easier to do CCPA once you’ve already done GDPR. So that brings me to Sourcepoint, where I’ve been for just over three years now, and the most rewarding part about my role at Sourcepoint is that we’re a privacy tech company, so I’m not just responsible for finding privacy solutions for one company like Nativo or Sears, and I’m not just on isolated, reactive projects like at a law firm, but I get to be involved in brainstorming and designing privacy as tech solutions for all of our customers across jurisdictions and industries, and anticipating what tomorrow’s needs are going to be, along with our product team. So it’s honestly some of the most rewarding work I’ve ever done, but I’m really thankful for the experience I’ve had that has gotten me to this place.

 

Jodi Daniels 9:24

I really did enjoy the flashback to all the different activities, and I hope everyone listening remembers Sears. Sears was such a wonderful story, and it makes me so sad that that brand is gone. I remember going with my dad, and we would go get all the tools. They were always Craftsman tools. I know we’re gonna talk about privacy, but when you mentioned Sears, that just brought back so many happy memories for me. Oh, good and well, so let’s talk about in your role you’re getting to help create this privacy tech, because there is a current del. To affect plethora of new regulations and requirements that companies have to deal with. What are the biggest mistakes right now you’re seeing companies make in the consent solution setup that they might have?

 

Julie Rubash 10:16

I think the biggest mistake some, definitely not all, but some companies make is to think that privacy is one size fits all. You know, thinking that you can take a solution off the shelf or copy and paste what other companies are doing, and think that will work in the same way for your company, too. In contrast, companies that really get the most out of their privacy programs know that a consent solution, as well as every other aspect of your privacy program, really needs to be tailored to each company’s specific needs and circumstances. So the right consent solution for a given situation depends on a lot of different factors that are specific to each company, including what your data use practices actually are. Obviously you can’t copy somebody else’s solution if you have completely different data use practices. But also like who they use, who your users are, what type of data is involved, what type of relationships you have with third parties, what laws might be triggered, what jurisdictions are you operating in, what your back end architecture looks like, what systems you’re integrating with, and also softer factors like, how important is privacy to your brand image? You know, are you looking to do something beyond just check compliance boxes and really and be out there promoting your brand from a privacy perspective, how important is data use to your company and each type of data use? So companies that take the time to work through all of these factors are the ones that ultimately get the best results from their consent solution, both in terms of compliance and in terms of alignment with their company goals and brand damage and some of the pieces that they also need to consider.

 

Jodi Daniels 12:02

And I’m sure you see this across those jurisdictions. Do you do one approach, or do you do it by region? And then what do you do with the people like me and Justin in Georgia who have no rights? What do you do about us? Do you include us, or do you not include us? And it’s been interesting to see the companies’ philosophies. All of those are the questions that have to get asked that’s very strategic and aligns with everything that you just shared about process and principles and brand, to connect all of that together.

 

Julie Rubash 12:33

Yeah, absolutely. It’s something that, again, varies across different companies, and each company takes a different approach, depending on what their needs are like. Some are perfectly fine just saying, you know what, we’re going to do the same solution across the entire nation, and that works for us. Others, you know, have very, you know, specific needs in each jurisdiction, and it really makes sense for them to take a jurisdiction by jurisdiction approach and think through it more strategically.

 

Justin Daniels 13:07

So how does Sourcepoint help companies manage their consent obligations?

 

Julie Rubash 13:12

So in line with the idea that consent is not one size fits all, we place a lot of importance in providing an extremely flexible solution for our customers, which enables each company to really make it their own based on their own unique circumstances and goals. And this includes everything from the look and feel of the consent messages to the back end integrations and workflow preferences, all of which vary pretty significantly across our clients. If you look at various implementations across our consent solution across our clients, they’ll all look very different from each other and work very differently from each other. So given the complexity and variability of our solutions, we also pride ourselves in the level of service we provide to ensure our clients are aware of the options available to them and how to implement them, as well as to help our clients work through their unique circumstances and requirements. And even though consent solutions aren’t one size fits all, we can offer best practices based on what we’ve seen others do across our client base. And you know, perhaps there’s other clients who have been in similar circumstances and kind of help each client work through their needs.

 

Jodi Daniels 14:31

From that perspective as well, one of the big topic areas that I think some people think, oh, I need this consent solution now, but there’s this cookieless future coming, so I won’t really need it anymore, it’s not really going to be relevant. And cookieless is a big discussion everywhere. What are the privacy risks that companies need to know as marketing teams are engaging in other methods, and I would just love for you to share maybe your thoughts on the universe of cookieless and what that means going forward. And I genuinely have heard people say, Oh, I don’t have to worry about it anymore. And I know that there are other tools and solutions that marketers are engaging with, and would love for you to share a little bit more about that.

 

Julie Rubash 15:16

Yeah, I think the biggest risk from new targeting methods or cookie alternatives is that we aren’t all speaking the same privacy language. And so what I mean by that is that, for the most part, you know, we’ve been having this cookie conversation for some time, and privacy professionals and technologists and all the stakeholders involved have kind of learned how to talk about cookies. You know, if they’ve been in the industry for a while, privacy professionals have a general understanding of how cookies work, and technologists have generally learned what data elements and activities involving cookies are going to be important to privacy professionals. But now with emerging targeting methods, I’ve noticed, and I imagine you’ve probably noticed this as well, the conversation is breaking down a little bit. There isn’t that same kind of, you know, we’ve had this conversation before. We know what questions to ask and what answers to provide. We’re kind of reinventing that conversation. And it’s increasingly, you know, increasingly easy, I would say, to lump all of these different methods together and to try to recreate that conversation. But really they’re all different, and you really have to ask the questions and dig in to truly understand what’s going on and to kind of recreate that conversation. Now, the role of the privacy engineer that we’re seeing more and more definitely helps in this regard, because ideally, that person understands both the law and the technology well enough to bridge the gaps in that conversation. But in any case, stakeholders looking to engage in new targeting methods need to be extra cautious and ask a lot of questions. You know, one statement that I’ve heard a number of times is you can target ads just like cookies, but it’s completely anonymous and privacy safe. So if you hear those two statements together, I would say, be very skeptical, because chances are that one of those statements may not be entirely accurate.
So you know, certain methods may provide more protection than others. And you know, I would say that, you know, a lot of these new tools can be very beneficial, provide extra protection, you know, prevent triggering certain legal requirements even. But I would recommend, really, you know, again, digging in and understanding exactly how each method works before blindly accepting their privacy promises.

 

Jodi Daniels 18:01

Julie, do you have a recommended, maybe a question or two that the privacy pro who’s not really well versed in ad tech, and maybe they’re a company and they don’t have the right, they don’t have privacy engineers that are ad tech focused. What might be some good questions to be able to help poke holes like you just said, where the team says, oh, it’s anonymous. It’s okay. Move forward. What would you recommend to help that person dig deeper?

 

Julie Rubash 18:27

One question that I think is useful is to understand what the input and the outputs are. I think that that’s one area that kind of helps to dig in to, you know, if you understand, okay, where is it that you’re getting this data? What is the first set of data that you’re collecting, you know? And when you finish with this process, what is the end purpose, and what is it used for, or what is the end product and what is it used for? That kind of helps you to see the full cycle. And if it doesn’t make sense how you can get from A to B, then there’s probably a missing link somewhere in there. If you’re still able to track, you know, specific users over time and across properties, chances are that someone, whether it’s you or someone else, has some way of identifying that user, that it’s the same user each time. Maybe it’s not their name and their email address or, you know, a device identifier, but there’s some method that they’re using to identify that person which is probably going to trigger privacy laws. So even if it’s not a traditional identifier that we’re used to working with, there’s probably one in there. So just understanding what those inputs and the outputs are can help you to dig in and identify what that is.

 

Justin Daniels 20:09

Thank you for sharing. So using your crystal ball for the future, do you have any thoughts you’d like to share on predictions of ad targeting and what companies should prepare for?

 

Julie Rubash 20:21

I think laws and regulations are increasingly making ad targeting more and more difficult, to be honest, which, from a consumer and a societal standpoint, is both a good thing and a bad thing. So I’m going to take it to extremes for a second, just for example purposes. But if ad targeting were completely banned or restricted to some degree that it is no longer commercially beneficial for either ad tech providers or advertisers, then advertisers will spend their advertising dollars elsewhere, assuming that there’s better alternatives to reaching consumers than direct by contextual advertising and from a consumer perspective, two things will happen if that happens. First, the privacy and other harms of ad targeting will presumably be resolved, although they may shift to other contexts. But at the same time, the baby will be thrown out with the bathwater. Any websites, apps and digital services that relied on advertising for revenue will either go out of business or find other ways to make money, the most obvious method being subscription models. So the concept of free content and free digital services will be over, and consumers will have to pay monthly subscriptions, or perhaps a bundled subscription, for every publication or digital service they want to access. And access to information will be restricted to those who can afford it, and digital services will likely be consolidated under larger companies that can afford the infrastructure costs of a subscription model. So now you know, what I just described is an extreme scenario, but I think that will happen to some degree in both Europe and the United States, and I think certain regulatory and legal actions that are, you know, pending or that are threatened, could push us further in that direction.
For example, in Europe, if the pay or okay model that publishers rely on to offset revenue losses from consent requirements is further restricted or regulated, they could be forced to remove the okay option and only offer the pay option, therefore eliminating access to those who can’t afford to pay. Similarly in the US, if California passes legislation, which is currently pending, requiring all browsers to support opt out preference signals like global privacy control, we could reach a tipping point where so many users are automatically opting out, the companies are either forced to find creative solutions to get them to opt in, or, you know, again, offering alternative models like subscription services, which I think we all agree, is not ideal. So these are just a couple of examples, but I think a number of ways in which we intentionally or inadvertently could get ourselves to that point. So perhaps the right solution is not to throw the baby out with the bathwater, and instead work to address the particular harms of ad targeting while at the same time exploring creative methods to give users more personalized brand specific control over their data and marketing preferences.

 

Justin Daniels 23:47

Well, doesn’t it seem like this discussion, Julie, you just articulated about subscription and ads will all come to a head, because with everything going on with artificial intelligence, they’re not going to keep giving AI away trying to build market share. But do you think, and I guess Jodi, you chime in too, is, won’t AI bring all of this to a head, because AI has its own issues, but if you’re just going to have free content, then we’re back to the ads. Or what are alternative revenue models? It sounds like, Julie, what you’re talking about is already kind of previewing that whole conversation.

 

Jodi Daniels 24:25

Well, I think from what you just said, Justin, there’s a lot of different parts. If I were to take, for example, a site that relies on ads, and if I just think about generative AI, and then I’m an AI tool that goes and uses all that information to help create the free content, then there wouldn’t be the free content anymore. If those sites don’t have the ads to be able to run, those AI tools will also be defunct because of how they’re running, and one might argue how their future will succeed going forward. That’s a whole nother model. But if we just were to look at today, if it were to all shut down, those tools that rely on that free content wouldn’t really work if that free content is ad revenue reliant.

 

Justin Daniels 25:06

So it sounds like, what were you going to say, Julie?

 

Julie Rubash 25:09

Yeah, I just, I completely agree. I think, you know, AI will certainly put, you know, a different spin on things. But I think the same essential problem remains that, you know, you can either fund your services with ad revenue or through other methods. And you know, I guess we as a society need to decide, you know, do we find the ad revenue model beneficial to be able to have access to free content and services or not.

 

Jodi Daniels 25:48

With so much happening and intersecting between marketing and privacy, and we don’t have a real crystal ball. What are you finding as the forward thinking companies doing right now? People listening, they really want to be ahead. What might be one or two tips or actions that you’re seeing your forward thinking customers do that our listeners might be able to adopt as well?

 

Julie Rubash 26:13

I think forward thinking companies are getting more creative with merging marketing and privacy goals together, which really involves bringing the consumer into the conversation, building trust and providing clear and easy to exercise options. So one example of this is companies really embracing the privacy notice as a marketing touchpoint, not just a compliance tool. So it’s not just legal boilerplate that’s hidden away behind a footer link, but really a privacy forward brand forward message. We’re seeing companies really make it their own with a look and feel, language and styling that aligns with the company’s brand image and is designed to build their brand rather than, you know, again, check a compliance check box. Another thing companies are doing is providing consumers with more options. So companies are increasingly realizing that privacy doesn’t have to be binary. It doesn’t have to be all in or all out. And it’s not that surprising that consumers are sometimes turned off when presented with that level of rigidity and ambiguity, so companies are increasingly exploring ways to give consumers more options, to enable the consumer to more actively control the use of their data in a way that is personal to the user and brand specific. For example, a user may be more comfortable with targeted marketing if they have a better understanding and control over what data goes into the algorithm and what methods are used to target them. So you know, I am female, I have young children, maybe a user might say, and I’m okay with your use of data to target email and text messages to me about women’s and children’s apparel, for example. Now this is much easier when you’re talking about zero party and first party data than third party data, but I see user preferences as a viable path forward for even cross context advertising, particularly if the entire industry can get on board with it.

 

Jodi Daniels 28:24

I agree. It drives me crazy when there’s an unsubscribe and/or manage my preferences and all I get is in or out. I actually might like your brand, but I want more choices than in or out, and I don’t want your emails 400 times a day. Exactly.

 

Justin Daniels 28:39

Particularly if you’re selling sandals for certain trips, and she’s trying to figure out multiple pairs that fit nicely.

 

Jodi Daniels 28:46

Yes, this is true. We’re gonna, we’re gonna leave that conversation for another day, not talking about how many times UPS and FedEx have come to my house.

 

Justin Daniels 28:56

Julie, when you’re out and about talking to people, and maybe privacy comes up, what is your best personal privacy tip you’d like to offer if you were at a party?

 

Julie Rubash 29:08

So I think that most people fall into extremes when it comes to their personal data privacy, at least based on the conversations I’ve had. Most people are either overly cautious, avoiding the provision of their personal data at all costs, even sacrificing some of their own benefits. Or on the other extreme, they ignore the issue entirely, even if they have concerns, because it’s too much trouble to do anything about it. But I would actually suggest taking a middle ground. And this is what I suggest to friends and people at parties, although I don’t just talk about privacy at parties, but taking that middle ground. I think that there’s a way to control your data without too much effort and without sacrificing your own enjoyment and benefits that can be derived from providing your personal data. And I think this is especially so as what I was just talking about, companies are getting more and more creative in giving users options and bringing them into the conversation. So there’s really a lot of tools, increasingly, a lot of tools at a user’s disposal. So I suggest to people that they slow down just a little bit and kind of actively think about their digital activities, what data may result from them, how it could be used, and take appropriate actions, not all the time, but as appropriate based on the activity you’re engaging in. So for example, if you’re looking up recipes and shopping for lawn furniture for your upcoming backyard picnic, or perhaps maybe you’re looking for sandals, your risk is probably pretty low, and so you might get some targeted ads for grilling tools or sandals, and if you’re okay with that, it’s probably fine, and perhaps even in your interest, not to take any actions on those sites.
But you know, if you’re engaging in more sensitive activities and providing more sensitive data, you may want to read the privacy notices and find out what your rights are with respect to that data, and exercise those rights according to your preferences. So the point is that, you know, more and more consumers have choices, and it’s in their interest to play an active role and decide how they do and they don’t want their data to be used, and it really, more and more doesn’t have to be an all or nothing decision.

 

Justin Daniels 31:44

Why is it lately, I’ve been getting so many ads on my phone for dresses and I don’t wear any.

 

Jodi Daniels 31:52

No, we’re not going to talk about household identifiers and cross-device targeting right this moment. Next time. There might be a variety of shopping that is taking place in this house, but cross-device and household identifiers, we’re gonna talk about that another time. We’re gonna move now into the fun and see when Julie is not talking about privacy. What does she like to do for fun?

 

Julie Rubash 32:19

I just love being outdoors. So most of my favorite activities involve getting outside and being active, whether it’s running, hiking, skiing, scuba diving, or going to the beach with my dogs. I’m pretty happy as long as it’s outside.

 

Jodi Daniels 32:37

So Julie, thank you so much for sharing all of these wonderful tips for both people and companies. If people listening would like to learn more and connect, where should they go?

 

Julie Rubash 32:51

To Sourcepoint.com. We have a blog on our website that keeps consumers updated, or keeps companies updated with developments in privacy law, so they can definitely go there for more information about us and privacy law in general.

 

Jodi Daniels 33:10

Wonderful. Well, thank you again, Julie for joining us. We really appreciate it.

 

Julie Rubash 33:15

Thank you for having me. It was fun.

 

Outro 33:22

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.
