
Intro 0:00

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels 0:22

Hey, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies.

Justin Daniels 0:35

Hi. I am Justin Daniels, I am a shareholder and corporate M&A and tech transaction lawyer at the law firm Baker Donelson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cybersecurity risk, and when needed, I lead the legal cyber data breach response brigade.

Jodi Daniels 0:58

And this episode is brought to you by, where’s the ding? Ding. Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services and digital media. In short, we use data privacy to transform the way companies do business together. We’re creating a future where there’s greater trust between companies and consumers. To learn more and to check out our best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. I think you’re a little giddy because we’re recording during our lunchtime.

Justin Daniels 1:36

I am hungry, but more importantly, why were you scrolling the screen when I was reading my intro? Is that just to increase the degree of difficulty?

Jodi Daniels 1:45

Why shouldn’t I scroll on the screen?

Justin Daniels 1:46

While I was reading my intro?

Jodi Daniels 1:49

I don’t remember.

Justin Daniels 1:52

I want to recount on that. We’re going to check the tape. That was intentional infliction of, “make it difficult on my co-host when he’s hungry.”

Jodi Daniels 1:59

I genuinely don’t remember doing that. I 100% don’t remember. So maybe I need some food because I’ve already forgotten, and now you have a case of the giggles. This is terrible. Okay, let’s, let’s get on with it. So today we have Darren Abernethy, who is an ad tech and data privacy attorney at Greenberg Traurig, and Darren enjoys nature, animals, soccer and spending time with his wife and one-year-old son. So Darren, we’re so excited that you are here with us today. Welcome to the sillies.

Darren Abernethy 2:32

Thank you so much, good to be here. I’ve listened to the pod for a while now, and I love what you guys create, so it was a real treat when you reached out to chat. So thank you. I’m honored to be here.

Justin Daniels 2:40

Ah, see, our silliness is fun, yeah, infectious this episode, right?

Darren Abernethy 2:48

And I’m sorry, Justin, you don’t know your own intro. At this point, I’m gonna have to side with Jodi on this one. All right, you’re reading about yourself, literally.

Justin Daniels 2:56

Okay, you know, Darren, well, I can say as a guest, that was a wise thing to say, as well as a husband, but —

Darren Abernethy 3:03

I’m going to have to respectfully disagree, but the questions are going to be harder now, I’m sure. All right, it’s your turn.

Justin Daniels 3:12

All kidding aside. So Darren, tell us a little bit about your career journey to your role now.

Darren Abernethy 3:19

All right. Well, originally I began by wanting to be the ambassador to France but no one appointed me to that position after I graduated college. So despite all those French classes and having it as a second major, ended up sticking with the Poli Sci training. So I went to law school. I spent a summer with the IRS Office of Chief Counsel, and that was great exposure. But tax wasn’t really my passion project, my calling. I did work a summer at a law firm while in law school. Ended up going to that law firm, a great place called Mintz Levin in Washington, DC, and I was a telecommunications attorney to begin with. So dealt with cable companies and cell phone providers and licensors and wireless spectrum and network neutrality and things like that. And it was great. Did it for a number of years. And you know, there are aspects of it that are really exciting. There are aspects that maybe that are that I found less so, rate deregulation, things like that, but I really focused in on the sort of privacy areas that I thought this burgeoning field of data privacy that I thought was really interesting with some of the geolocation projects we did, or customer proprietary network information, or things of this nature that really I just took a shine to, and more or less coincided. It wasn’t too long after this where you started to have Edward Snowden and things of that nature that just raised the idea of data privacy and cybersecurity to new levels. And so I made a pivot. After a number of years in private practice in Washington, DC, at a firm, I decided, in a sort of fit of manifest destiny, to move west, and I went to San Francisco to get more hooked up in sort of the startup or Silicon Valley, or, you know, data privacy and big tech scene. And I ended up going in-house to a company then called TRUSTe, now TrustArc, first in the compliance role, and then a senior counsel there.
And I, I loved that, because I was able to sort of the motto there was, you know, eat your own dog food. I think it was like, you build these solutions, these privacy technology solutions, and then we would use them to implement the company’s own privacy program using these solutions. And that way you could sort of A/B test and iterate, learn and understand where customers are coming from. And for me, it was great because I got to take a key role with all the digital advertising tools and industry relationships that that particular vendor, big vendor, had. So that was great for me, and I did that for several years, and ended up, you know, got the itch to go back into private practice, and so I came back to Greenberg Traurig in San Francisco, and got to work with some amazing people, like Gretchen Ramos and Ian Ballon and David Zetoony and some others who are out there. And it’s been, I never looked back. It’s been a great experience ever since, since you asked.

Jodi Daniels 6:09

And you live in San Francisco, which is one of my favorite cities ever.

Darren Abernethy 6:15

There’s some great restaurants and some great views. I live across the bay in Oakland, but I get to work in SF and I look out on the bay every day, and it’s an anchoring thing to do.

Jodi Daniels 6:25

It is so lovely over there. Now we talk a lot about ad tech, sometimes on the show, Justin’s favorite topic. And out in the universe, private universe, we hear a lot of chatter on cookies and pixels and trackers. We also hear a lot about different alternatives. I was hoping you might be able to offer a few examples and what some of these options are and how companies are utilizing them.

Darren Abernethy 6:52

Certainly, I’d be happy to do so. And so, yes, there are lots of alternatives and things to think about here. Of course, this conversation doesn’t exist in a vacuum, as your listeners will no doubt recognize. You know, we’re moving. We’re just now kind of moving past this giant, much discussed scenario about deprecation of support for third party cookies in Chrome, the dominant web browser globally, where, you know, whereas we were thinking the last several years, third cross site, third party cookies were effectively going to go bye bye, and enjoying and enjoying their treatment with the Safari browser, and certainly in Mozilla Firefox and some other browsers out there, that’s how we were approaching things. Privacy Sandbox. We can unpack those, you know, in any detail if you’d like, but suffice to say, on July 24 it was kind of a “well, actually, not so much.” Google announced that they’re going to go a different direction and no longer deprecate support for cross site third party cookies, but instead move to a new approach, and a quote, unquote updated approach that elevates user privacy. And instead of deprecating third party cookies, they’re going to introduce a new experience in Chrome that, quote, lets people make an informed choice that applies across their web browsing, that they can adjust at any time, to paraphrase. So we’re still sort of waiting on what the details of what that looks like, and I think indeed the details of what that looks like will be rather consequential in terms of, does this effectively end up creating a slow road to deprecation of cross site third party cookies, or at least reducing the inventory out there of third party data derived from them that advertisers and others can use, you know, or will it continue, you know, to sort of exist and people do both, you know. We’ll see, so details forthcoming of what that new approach looks like.
But for now, we know that Chrome will still have cookies, third party cookies, into 2025, and beyond. So you asked about some of the alternatives. There are a number of them. You know. How should people think of this? I think of it sort of as many arrows in your quiver of how to deal with these things that are gonna be dependent on the size of your company, whether you’re B2B versus B2C. You know your current tech stack, and you know overall, your sensitivity, yeah, the sensitivity data that you collect, whether you’re in a regulated industry. You know what privacy laws may apply to you. You know, depending on your eligibility under certain laws, there’s a lot of different factors that go into it. But if we’re to say, All right, what are some of the main alternatives to third party cookies, you know, I think we’ll start first and foremost with, not surprisingly, a first party data strategy, which is to say, you know, publishers and advertisers, they know a lot about their customers, granular likes and interests based on how they engage with the website or mobile app that those companies have. You know, what do they purchase? What time of day do they shop? You know, what is their, you know, imprecise geolocation so you get an idea of their market, you know. And then there’s like, zero party, you know, data quizzes that people that a lot of companies put out there. Hey, you know, which Game of Thrones character are you the most like, answer these questions, you know? And it’s like, because you’ve got to know whether you’re like Tyrion or I’m dating myself with these references now, but the idea being that oftentimes you collect information about people through quizzes that they’re ostensibly answering, you know, things about themselves to match up with a character or whatever. But really you’re giving information about your interests and likes demographics as well.
So I think first party data strategies are going to be you, you just you’ve got more content providers who are becoming sort of mini walled gardens where they require you to register your account before logging in, you know, as a sort of a condition of being able to access the site or app, you know. And why is that? Well, in part, because once somebody is authenticated, then you know, you know, it’s them, and you can then begin to ascribe potentially certain interests or just actions that they take within your platform to them, to infer interests. Yeah, and so that, that’s a big area we could go on but, but that is, that is, I think, you know, for companies that are in a position to do that, because not everybody has a strong first party presence, but if you do, you’re at a real advantage. And also, we should be clear for the avoidance of doubt, that even though third party cookies cross site, third party cookies used for advertising other purposes are, you know, sort of slowly going away. First party cookies are very much still viable in terms of what you do when you set the cookie on your web domain. You know, that’s that was not implicated even in the, you know, the Chrome discussions that we’ve been having the last few years. So that’s something that’s out there, and a lot of companies continue to use that in other areas, contextual advertising, which is to say, you know, showing ads based on the content of the website somebody is on. This has been historically, a very popular, you know, it has been around historically. But what’s different is that now it’s been sort of turbocharged contextual advertising with artificial intelligence, with machine learning, with natural language, you know, capability enhancements, image recognition, things of that nature to make it much more granular and nuanced than just, oh, sports website, you know, sports app like it’s much more detailed and sort of granular than that. 
CRM based advertising, customer relationship management, you know, being able to sort of take your customers’ email addresses or phone numbers, and potentially, without using cookies, upload certain of that information to certain platforms. You know, social media platforms otherwise, to then match your customers against their customers, to be able to against their user base, to see if there’s a match. Then you can show advertisements on that platform to your customers, or you could create lookalike audiences of people who are not your customers with a fit the same rough profile. That’s a non cookie alternative. Likewise, you’ve got, like with some of the social media platforms, there’s conversion APIs, so-called CAPIs, that are, again, not cookie based, but that allow sort of direct integration server to server. You know, I can go on. There’s clean rooms where you’re matching data sets from different folks. You’ve got the Privacy Sandbox remains a viable one that’s still going to be even though that’s no longer going to be the only the full replacement for third party cookies in Chrome, Google has announced they’re still going to be supporting the Privacy Sandbox, and you’ve got things like Topics API, where essentially third party ad tech platforms will be given a high level signal about a user’s likely interests, you likely topic interests of topic that can then be shown an ad. And it’s all done sort of basically on the browser, doing sort of computation on the browser to figure out what this browser views the most and then how to send a signal out that would allow others to send advertisements related to that interest, et cetera. So I’ll stop there. There’s more, I guess. The last one I didn’t mention, that I think is very prominent, is also universal identifiers.
This idea of taking hashing an email address or a phone number and then being able to use that when somebody logs on multiple sites to be able to authenticate and know that it’s a common person without having their direct identifiable information. That’s indirect, but it’s a, you know, it’s a universal identifier that is at the heart of a lot of these solutions. Going forward, I’ll say that was a mouthful. I’m sorry. I’ll stop there, but a lot, as I said, lots of arrows in the quiver.

Jodi Daniels 14:29

There are definitely a lot of different options. Companies are trying to sort through it all marketing teams, which ones should I use? And then, of course, you have privacy and legal teams.

Darren Abernethy 14:39

Trying to figure it out, certainly.

Justin Daniels 14:41

So with all of the options that you just described, what questions should privacy teams and legal teams be asking these solution providers?

Darren Abernethy 14:51

You know, privacy and legal teams should, should first and foremost, look to maybe modernize their vendor assessments, because it’s, you know, it’s not your grandma’s vendor assessment world anymore. So you’ve got to be able to ask probing questions about how the new technologies out there work. You know, how do they address consumer privacy? How do the companies that you’re going to work with, your service providers, your vendors, you know, contractors, where, how do they see themselves fitting in, within potentially applicable, you know, state or international privacy law definitions, because these are the things that then are going to inform what contract provisions you have to have in place with them. Or, you know, allocation and responsibility among the entities. Sometimes it’s different. You know, if you’re selling to a you know what I mean, depends on what you’re doing, but if you’re selling to a third party, for instance, versus working with a service provider, different obligations would apply. And I think privacy and legal teams also have to be very prepared and up on training. You know, training staff to understand, you know, how to read vendor questionnaire answers, or how to separate the wheat from the chaff on a lot of this stuff, and how to complete, how to complete or update risk assessments and data protection impact assessments, you know, and working with companies like Red Clover Advisors to come out there and think these things through and to understand what’s acceptable and where maybe you would, they would demand remediations of the other side or make changes internally themselves. You know, when to run legitimate interest assessments, you know, creating other internal records to justify your working with a new technology solution, you know, and a provider out there that maybe is somewhat of a matter of first instance for your company. So I think you know, these are all things that these are the questions they should be asking.
How does it work? What do you do? What contracts are in place? How long have you been around? You know, how do you, you know, how do you solve this under these legal regimes? And also, I think internal teams should do A/B testing, you know, just because you pick a solution that you think might fit for you, you know, if you test it out on different environments and it’s actually not getting you what you want, then maybe that’s enough to say, well, we’re going to tweak this, or we’re going to go a different direction. So you have to be, I always tell clients, you have to be prepared to walk away if something isn’t working, or if the juice isn’t worth the squeeze on what you would have to do on your end to allow for that relationship. So you just keep an open mind, see the information, and work with good advisors like yourselves, and go from there.

Justin Daniels 17:19

Oh, Darren, you said something interesting there in your answer, you mentioned contract clauses. And one thing I wanted to ask you is, with the situation that was recently in the news with CrowdStrike and Delta, the contract clauses that surrounded potential liability for, you know, a software update, we’re really in the forefront, and I was curious with all of the work that you’re doing with privacy and security, and, you know, around terms for these kinds of providers, but other ones is that starting to make an impact in what your clients are asking for, or concerns they have about how you protect against the liability, because you could have a problem with a cookie or Something that could have an unintended consequence, has that had any impact from what you’re seeing in your day-to-day work?

Darren Abernethy 18:07

I would say absolutely. You know, there just is, I mean, contracts, I think starting with GDPR, and then with CCPA and now the various state privacy laws we have in place. You know, it’s almost like if you’re up, if you’re operating without a contract in place with any of your partners, whether they’re vendors or, you know, just business partners, you’re really putting yourself, you know, you’re potentially exposing yourself to liability, even if, even in the absence of an applicable state privacy law. Because, you know, in most cases, if you don’t have a contract, it’s very hard to actually enforce something, or it becomes a “he said, she said,” you know. And so, yes, I think every client I work with now, I mean, at some point in our conversations, we’re talking about contracts. And yes, you know, the role of advertising technology. I mean, I, the contracts I deal with often are focused on that, because you’re, you’re looking at, you know, with an advertiser negotiating with an ad agency who is then going to potentially negotiate on behalf of, you know, or try to negotiate on behalf of the advertiser with a demand side platform, you know, etc., this whole alphabet soup of the ad tech entities, and you know, you have to be on top of who is responsible for what, what definitions apply, what types of entities you were dealing with, you have to really hone in on those things, because the ambiguity that sometimes exists can really create downstream problems, and we saw that in the examples that you mentioned. So yeah, it’s critical. And I recommend everybody annually, at least annually, to review your contract templates to see, hey, has anything changed in the legal environment or our relationships such that we need to make updates to this at the time of the next renewal, or just on an annual basis?
Or there’s different ways of doing that, but it’s a really important issue, and one that people should have top of mind, because regularly, I’ve had clients that get requests from a, you know, the California Attorney General, for instance, the Colorado Attorney General say, Hey, I’d like to see your contracts. You know, if your position is that, you know, for instance, this is a service provider processor you’re working with, let’s see the contracts in place that have the quote, unquote magic language that clarify that. And if you don’t have that, then maybe there’s an issue of deception. So, just as one example of where these things come up.

Jodi Daniels 20:22

In the various options that you described earlier of how companies are utilizing the ad tech ecosystem, the compliance issues are still here around notice and opt out. So what should companies be thinking about in kind of our cookieless environment? Do I still have a cookie banner? How does the opt out work? Do I need to have something a little bit different in a notice, just a couple different examples?

Darren Abernethy 20:49

It’s a great question, you know, and one that we’re going to be continuing to look at, I think in the years ahead, I think everyone’s every company’s approach is going to be a little bit different. Again, based on its tech stack, its B2B versus B2C nature, general business model, volume of data collection, planned uses for it, things of this nature, but, but generally, I see all of this as an opportunity to engage with consumers, you know, have good relationships, to talk to them, to get permission, to notify them of what things are, you know, even, even in the absence of a privacy law apply, you know, it’s just a good practice, but you mentioned, you know, things like, hey, compliance with notice and opt outs, you know, cookie banners. You know, I think in general, even in a, even in a it’s a great question like, hey, in a cookieless environment, you know, do you need to have a cookie banner? And maybe, maybe cookie banner will become a misnomer, because what you’re seeing now is even though these laws, generally speaking, do not prescribe cookie banners, sometimes they do just prescribe having, you know, providing a notice at the point of collection. And so a lot of companies use, effectively, cookie banner to provide that notice and also to potentially get opt in consent, in some cases, for the use of third party trackers, whether they’re cookies or other scripts or things like that, because some of the laws say that if you get if somebody instructs you or deliberately asks you to share information or provide information to a third party, then it’s not a sale, and a sale requirements wouldn’t, wouldn’t attach, and things like that. And you also have, you know, you have with Global Privacy Control, which is recognized formally in California and Colorado and sort of informally and some other states that allow for user enabled technical signals to be sent that request an opt out of the sale or sharing of their personal information.
I think you’re, you know, I mean California incentivized friction, you know, the use of GPC, Global Privacy Control, which is just a browser based signal that says, hey, opt me out of the sale or sharing of my personal information with any third parties website receiving this signal that I’m going to through my browser. You have California just, I think, last week, it passed through the legislative houses to go to the governor a bill that says that will require browser, browser providers, you know, to build in support for basically that GPC. You know, it’s kind of like going back to the days of Do Not Track, which didn’t end up taking off because there was the absence of consensus on what signals should be used. And now we do have a consensus on signals to use, at least under certain laws. And so California is unless the Governor vetoes it, or doesn’t sign or vetoes it in the next like two weeks, think less that’ll become a law. So you know, it’s these things are not going away. There’ll just be different technologies that you’ll have to fit within the legal, legal requirements of these laws. I just think, you know, it’s, it’s something that we’re going to be looking at for each specific technology going forward, but so you don’t get caught in the minutiae of it, big picture, you know, have conversations with your customers. Try to make things as logical and reasonable as possible. Don’t hide the ball. Don’t do secret uses of data. Be very mindful of dark patterns, because that’s not going away either. And what you’re seeing is a lot of state regulators and whatnot. They’re much more even though they don’t have a law on the books for this, they’re very inclined to use deception powers or UDAP statutes to enforce as well. So I would say, keep that in mind as you go forward.

Jodi Daniels 24:21

Well said, are you looking at me with Ranger?

Justin Daniels 24:26

Because I know exactly what Darren means now when he says dark patterns, indeed, you do. I’m excited about that.

Jodi Daniels 24:32

So happy. You’re so happy.

Justin Daniels 24:36

So you mentioned, as in your what you just said about some of these state laws, and all these state laws seem to be similar flavors, but not exactly the same. And so how do you recommend that companies think about the guidance from the New York AG and sell/share considerations and MODPA as it relates to alternatives? And then what? We up to now 19 states have privacy laws. Is that the number right now?

Jodi Daniels 25:03

19 comprehensive privacy laws have been passed as of today. Pretty amazing.

Justin Daniels 25:11

I know I’m an in-house counsel, and I’m thinking, Darren, I’ve got operations that are all over the country. How do I navigate these laws that are different and New York and California especially, are states that I have to watch out for, even if I haven’t mentioned Washington, My Health My —

Jodi Daniels 25:27

Data, nope, that’s a whole different ball game. It’s not included in the 19; that’s a sectoral law. Oh,

Justin Daniels 25:31

I see. Oh, see, my mind is spinning now. So Darren, thoughts?

Darren Abernethy 25:37

Thankfully Jodi is there. Paul. Jodi is my first. Yeah. I mean, look, my first thought is on some level, yes, the walls are closing in, you know, but on the other, on the other hand, chill, take a deep breath. Chill, Justin it. Nothing is Everything’s cool, man, everything’s cool. All right, here’s what we’re gonna do, take a step back and look at the privacy program, figure out where, you know, where states, where certain state laws or international laws might apply, and that’s the level set from that to have a general understanding of, okay, like this is what, this is big picture, what I need to do. Because a lot of these laws, they have common elements, they have notice, they have potentially consent. They have, you know, high level security provisions. They have consumer rights. They have, you know, a lot of the same things that we’ve been dealing with for 40, 50 years, going back to the FIPPs in the 70s. And so I think sometimes it’s very easy to get caught up in, oh my god, there’s this multiplicity of laws. They all have tentacles. You know what? I can’t do all everything right to everybody. I get that. So what I usually advise companies, you know, really, of all sizes. But in particular, the non-hyper-mature companies that are publicly traded, and they’ve got 50 people looking at this is, let’s, let’s get the big things in place, the low lying fruit, the stuff that, you know, and I tell you this in a non-pejorative way, a bureaucrat at a state AG’s office, if they have a list of websites in front of them that they’re given to check out, let’s make sure that the things that they would look at are going to work here and so and that may vary. You may have to tweak things based on different states, because there’s amazing stuff you can do with reverse geolocation, reverse geo-IP lookup to kind of infer, not be sure, but infer a state someone’s coming from, et cetera. And you can tailor things in that way, in ways you couldn’t, you know, five or 10 years ago.
So what I would say is, get the big stuff right. First, get your, you know, have a mechanism for receiving consumer privacy requests. I would say, have, you know, a privacy policy that articulates what it is you do and follow the golden rule of doing what you say you’re going to do and not doing things you don’t say you’re going to do that. You’d be surprised how far that will get you, you know, having, if you’re using third party cookies or trackers, while we still have the current system we have in place, you know, have a mechanism for capturing either consent or allowing people to, you know, control their preferences in that regard. You know, have some trained staff. Have a good put a put a front face forward for people, where they can contact you with questions, etc. Make it as engaging as possible, like if you do those big things as part of your privacy program, then honestly, it ends up becoming tweaks for different markets, rather than this, this impending sense of doom where you have to reinvent the wheel each time you don’t, you know, there’s gonna be a lot of reusable aspects of your privacy program. So yes, there are challenges. I mean, New York is issuing guidance, as you said, on cookies and trackers, in the absence of even having a comprehensive privacy law on the books that directly impacts how people can and should use trackers, you know, in relation to New York residents, but they’ve said that if you don’t do what we say, you know this could be part of our deception. You know you can be deceiving consumers, and that’s something that the AG can enforce against. You’ve got Maryland coming out with a privacy law now that says that it basically restricts companies from collecting, processing, sharing sensitive data entirely, except where strictly necessary to provide or maintain a specific product or service requested by a consumer. That’s a very high bar, you know.
So there are, there are new things that are happening, and we look at each one and advise as to if this really is meaningful in terms of the changes you need for your privacy program. But writ large, have the big stuff in place that we talked about, certainly, Dr redcloveradvisors, you know that? I know you have great materials out there that help outline these things, get that stuff in place, and then you can deal with the minutiae after, but in most cases, with regulators, I’ve worked with, and I’ve been on a lot of investigations, it does count a lot that you have you’ve shown privacy proactivity, and you’ve taken steps in advance, you’ve done things don’t work with you on the rest if you’re off on detail.

Justin Daniels 29:44

Well, Darren, you said something interesting there. That brings to mind the following thought is you’ve been involved in investigations from state regulators. So what can you share with our audience? Particularly general counselors who listen to this, who’s never had that happen. So if you are investigated, or having a program to prepare if you were investigated, what have you learned practically when you’ve had to deal with those investigations? That could help inform how companies go about creating their program with the eye of hey, Attorney General from state, wherever may come in and audit us or have questions?

Darren Abernethy 30:25

Yes, yeah, state and federal, because the Federal Trade Commission is very active in this space, too, in the last few years. For sure, you know, I would say a lot of, a lot of what I just said is, the more you can demonstrate privacy proactivity and show that you have, you’ve thought about it, you know, you have vendor assessments to evaluate vendors, so that if the vendor has a breach, it can’t just be like, well, throw our hands up, you know, we picked them. They said they’d be fine, and they weren’t. Like, no. You need to have evaluated them. Need to have contracts that limit their activities. Need to have things in place. They need to notify you if they have an issue. That’s one example. You know, for other regulator matters, often it’s data breaches, but sometimes it’s just compliance with their new state privacy framework, and they’re trying to flex their muscles to say, you know, we are enforcing this. You’ve heard a lot come out of Texas. For instance, the Texas AG, saying, you know, hey, we are, you know, our new law came into effect in July 1 in Texas, and we’re not messing around. So, you know, I think what you get from being on a lot of investigations is often they are lengthy and deliberative process, and it’s a game of, you know, there’s some back and forth involved, but what you end up finding is, you know, they generally don’t want to go after you if you do have reasonable practices, and there was like, a mistake, like you can work with them on that. It’s when you don’t do anything and you don’t show your work where you have a problem. So have those contracts, have those, you know, steps you can say that you can point to, have really good people within the company who are your chief information security officers and privacy counsel. Have good outside advisors, etc. And you know, that’s usually you’re halfway to happy hour in that regard.

Justin Daniels 32:02

Well, Darren, I think you just said it with three words, because that’s what I know Jodi always says, is, it sounds to me like what you’re saying is, the key is, when the regulator comes in, you have to be able to show them, show your work, because I’ve seen enough companies where I’m like, well, where’s your documentation, or we’re going through a cyber compliance plan, stuff that I deal with, we have to be able to document everything we’re doing. Because if the regulator comes in, it could be the SEC, it could be any of the ones that you named. Isn’t that what they’re looking for? It’s not what you say, it’s what you can document and show us in practice that you’re doing. Is that, in essence, what you’re meaning when you deal with the regulators?

Darren Abernethy 32:42

Absolutely, because if it gets to that point, you don’t want to be creating the materials then, because that’s just an implicit admission that we didn’t have it before, but we’re on it now. What they want to be able to show, even if there was a harm and you are at fault, what they want to be able to show is like, or what you want to be able to show is, look, it’s really been mitigated or moot at this point, because we do have all these things in place from, you know, from before, from after the event, and the harm has been in, the risk of harm has been really mitigated. And you want to be able to document, this is all the stuff we did up front. Here’s our ROPAs, here’s our assessments, here’s who we’re working with. Here’s the training we’ve had for employees. Here’s our contracts with, you know, others. Here’s our vendor questionnaires, things like that, and say, All right, this company is not, you know, half, half, you know what they something happened, but things always happen. That’s not, that’s not the question. That’s not like the evaluation is whether something occurred. Things are always going to occur. It’s how prepared you were for it, and then how you mitigated the risk to people, and that generally in the same thing from a compliance standpoint, like maybe you missed one thing, but if your overall program is solid, and you clearly are trying to, in good faith, solve for this, then that goes a long way.

Justin Daniels 33:54

And how do you see that playing out when you’ve seen fines or other kinds of penalties levied? Is there any way to quantify what that cost savings, because that’s what I tell people, at least, if you screw up and you have all this in place, you might get fined, but it’s a whole lot less than what might happen if you got BUPKIS and they’re like, You’ve done nothing, then they throw the penalty book at you.

Darren Abernethy 34:16

That’s definitely right. You know, you save a lot in the long run by doing, you know, by the growing pains that you have to have upfront to get these things in place. And then once you have the big things in place that we’ve been talking about, then it’s a matter of tweaking, iterating, updating, but it’s not wholesale. So, you know, you do have to invest upfront, but we’re talking about something that is critical for every single company, from their reputational standpoint, etc, from if you’re looking to be acquired, you know, if you’re, if you’re scaling up, want to be acquired like, these are the things that I can tell you. They are asked every day in mergers and acquisitions, in regulatory investigations, in a whole in a board of directors, you know, seeking outside investment, whatever it is like, this is just part and parcel of good business practice. Now is data privacy and security hygiene, and if you’re a company that doesn’t emphasize that, or doesn’t really care, doesn’t want to invest in it, you will be the outlier compared to your competitors, because a lot of people recognize this is, you know, this is a C suite top line issue that people need to be aware of. And, you know, be able to show your work on.

Jodi Daniels 35:21

Knowing what you know, especially when it comes to advertising and how companies use data, what is your best personal privacy tip that you might offer at a party or amongst your friends?

Darren Abernethy 35:35

To check your apps at least annually. You know they often collect information even when they’re running in the background or you’ve long forgotten about them. So call it data minimization for yourself, but maybe on New Year’s Day or something, go through the list of all the mobile applications on your phone. If you don’t need it and you haven’t used it in six months, then maybe you can get rid of it, knowing you can always download it later, but it may be collecting information about you, and also, for that matter, check your settings. Because sometimes companies that don’t work with Red Clover, you know, Advisors and others, they don’t, they don’t, they don’t always follow the best practices. Sometimes they’ll update your settings or like capabilities within the settings without telling you. So do check that out. Be, be aware of it as well. You have to be in charge of your own privacy. So you know, even though companies are supposed to, you need to, it’s your life, it’s your privacy. So be aware of your settings and update those accordingly.

Jodi Daniels 36:27

I love deleting apps. It is so much fun. It’s really do, but I like to organize and clean. It’s kind of like cleaning your desk or spring cleaning. It’s so much fun. Totally recommend.

Justin Daniels 36:40

Wow, that’s exciting.

Jodi Daniels 36:41

It is exciting. You should try it sometime.

Justin Daniels 36:44

I do delete apps. It’s fun. Okay,

Darren Abernethy 36:47

He’s talking about eating appetizers. Yeah,

Jodi Daniels 36:49

I know.

Justin Daniels 36:52

Delete apps. So Darren, when you’re not advising companies on privacy, what do you like to do for fun?

Darren Abernethy 37:03

Visit national parks. My wife and I took our one year old son to Yellowstone this month, or, I guess, last month. And that was just fantastic, seeing the hot springs and the mountains and the fields and the buff and the bison. And it was really cool. We’ve been now we have a national park passport, and I think this was our 21st national park, so we’re just ahead of comprehensive state privacy laws, but, but it’s getting close. So, so that’s where we are that I follow soccer, go Arsenal and US Men’s National Team and some others and hard these days to avoid some of the political stuff going on as we have an elect of federal elections in two months. So, you know, keeping track of some of that and otherwise trying to get out nature and raise our little hatchling and hopefully live a good life.

Jodi Daniels 37:53

That sounds really nice. I have not been to Yellowstone on the list. One day we’ll get there. Yes. Well, Darren, we’re so glad that you came and shared all this amazing information with us. If people would like to connect and learn more, where should they go?

Darren Abernethy 38:06

They can find me on LinkedIn. Darren Abernethy, A, B, E, R, N, E, T, H, Y, or the Greenberg Traurig websites, or our Data Privacy Dish blog. And thank you again, Jodi and Justin for the courtesy you said, and having me, I really appreciate this was fun.

Jodi Daniels 38:23

Our pleasure. Thank you so much.

Darren Abernethy 38:25

See you guys.

Outro 38:32

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn, see you next time.
