Daniel B. Rosenzweig is the Founder and Principal Attorney at DBR Data Privacy Solutions, a boutique data privacy law firm. He advises clients on legal and technical compliance with data protection and privacy laws and counsels clients on the responsible use of AI, AdTech, and privacy-enhancing technologies. Dan’s legal practice is unique in that he also codes and develops technical solutions to enhance his legal services.
Here’s a glimpse of what you’ll learn:
- Dan Rosenzweig’s career journey in privacy and cybersecurity
- How companies can implement cookie banners on their sites
- What is a dark pattern?
- Alternatives to cookies and what companies should consider when using them
- Strategies for managing consumer opt-outs
- How Dan helps companies navigate AdTech tools while managing data broker challenges
- The importance of regularly auditing and testing consent management platforms on websites and mobile apps
- Dan’s personal consumer privacy tip
In this episode…
As the AdTech landscape evolves, companies are facing new challenges with cookie alternatives like server-side technologies and alternative IDs. While these new tools offer improved targeting capabilities, they also bring risk, especially when it comes to managing opt-outs and tracking user consent. To preserve consumer trust and drive revenue, businesses need to fully understand how these advanced technologies work while adhering to applicable privacy laws. So, how can companies stay compliant while leveraging these technologies?
Adopting alternative IDs, advanced matching, and server-side technologies offers new opportunities for businesses to enhance targeting while maintaining consumer trust. Still, companies need to carefully assess the risks and ensure proper implementation. Establishing a proper governance process, conducting regular audits and testing, maintaining transparency in privacy notices, and avoiding dark patterns are crucial steps for regulatory compliance and protecting consumer privacy.
In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels chat with Daniel Rosenzweig, Founder and Principal Attorney at DBR Data Privacy Solutions, about the challenges of balancing data privacy with AdTech solutions. Dan explains how businesses can implement these technologies without sacrificing consumer privacy by effectively managing consent platforms, auditing and testing technologies, and ensuring transparent data practices that align with regulations. He also emphasizes the importance of regular collaboration between legal, marketing, and technical teams to stay compliant with evolving regulations.
Resources Mentioned in this episode
- Jodi Daniels on LinkedIn
- Justin Daniels on LinkedIn
- Red Clover Advisors’ website
- Red Clover Advisors on LinkedIn
- Red Clover Advisors on Facebook
- Red Clover Advisors’ email: info@redcloveradvisors.com
- Data Reimagined: Building Trust One Byte at a Time by Jodi and Justin Daniels
- Dan Rosenzweig on LinkedIn
- Dan Rosenzweig’s email: dan@dbrdataprivacy.com
- DBR Data Privacy
Sponsor for this episode…
This episode is brought to you by Red Clover Advisors.
Red Clover Advisors uses data privacy to transform the way that companies do business together and create a future where there is greater trust between companies and consumers.
Founded by Jodi Daniels, Red Clover Advisors helps companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. They work with companies in a variety of fields, including technology, e-commerce, professional services, and digital media.
To learn more, and to check out their Wall Street Journal best-selling book, Data Reimagined: Building Trust One Byte At a Time, visit www.redcloveradvisors.com.
Intro 0:00
Welcome to the She Said Privacy/He Said Security Podcast, like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.
Jodi Daniels 0:22
Hi, Jodi Daniels, here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies.
Justin Daniels 0:35
Hello. I am Justin Daniels, I am a shareholder and corporate M&A and tech transaction lawyer at the law firm Baker Donelson, advising companies in the deployment and scaling of technology, since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cybersecurity risk. And when needed, I lead the legal cyber data breach response brigade.
Jodi Daniels 0:58
The next episode is brought to you by — really? That was just awful. Okay, Red Clover Advisors, we help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, ecommerce, professional services and digital media. In short, we use data privacy to transform the way companies do business together. We’re creating a future where there’s greater trust between companies and consumers to learn more and to check out our best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. How are you doing today? It’s fall-like weather.
Justin Daniels 1:39
Yes, you actually spent all of seven minutes with me out on our enclosed porch enjoying the fall weather.
Jodi Daniels 1:45
I did? It was really quite lovely, but now we’re going to talk about some really fun digital advertising today, and we have Daniel Rosenzweig, who is founder and principal attorney at DBR data privacy solutions. He advises clients on legal and technical compliance with data protection and privacy laws, and counsels clients on the use of AI ad tech and privacy enhancing technologies. Daniel’s legal practice is unique in that he also codes and develops technical solutions to enhance his legal services. Dan, welcome to the show.
Dan Rosenzweig 2:20
Thanks for having me. Really excited to be here.
Jodi Daniels 2:23
That’s your turn.
Justin Daniels 2:25
Are you sure? Yes? Alrighty, then. So Dan, who was subjected to this banter prior to going on the show, how did you get where you are today?
Dan Rosenzweig 2:37
So I have been interested in technology for as long as I can remember, was also very interested in politics and wanting to get an opportunity to be on the hill. So where I went to law school, I wanted to use every resource I had at my disposal to just get on Capitol Hill. One of my friends at the time was at the Senate Committee on Homeland Security, and she had said to me, “Do you know anything about cybersecurity?” I said, “I do not, but I’d love to learn,” and ultimately got a position there, and that’s what threw me into it, and I fell in love with that ever since, and it’s been an incredible, incredible experience.
Jodi Daniels 3:15
Well, in our pre-show, we were kind of swapping funny weekend advertising stories, which I think might help set the stage for our discussion here today, I was visiting my parents recently, and I was looking at a couple interesting items that I was looking at, purchasing and researching, and then the next morning, my dad says, This is so fascinating. I got this advertisement. He clicked on Facebook. You guys have never heard of these before, and I thought, Oh, my goodness, they obviously had connected what I was looking for. I was on their WiFi to his device and his WiFi, and now he’s getting all of my ads. And you know, he doesn’t understand you are what? What’s happening here? Why am I getting these ads? This is so fascinating. Thankfully, it was a, it was an item that was okay, that it was, you know, he could, he could look at, but Dan, you were sharing kind of a similar story, and, and why are you giggling?
Justin Daniels 4:15
Because how can we not talk about, when I get the ads, it’s for all these different women’s fashion sites, and then I really talk to your teenage daughter, but then when I go and I make recommendations, I’m looked at like, I know nothing.
Jodi Daniels 4:26
You obviously didn’t get the right advertising to you.
Dan Rosenzweig 4:31
Well, it sounds like you now need to just, you know, overwhelm them with other advertisements. So you should be searching for whatever you’re interested in, yeah. And then we can —
Jodi Daniels 4:38
You know, but it also kind of showed a little bit of the inefficiency in my my mind, sorry, we have all these technical tools that we’re going to start talking about, and yet, device A, device B, connected by an IP in a house via WiFi automatically assumes those are the same and we should have the same advertising. So Dan, do you want to share your story a little bit?
Dan Rosenzweig 4:58
Yes. So a little even more moved. My cousin and my aunt were at my house this past weekend, and I am very interested in watches, so I was just, you know, doing my typical searching online, and, you know, typical Googling and things of that nature. And my aunt started getting advertisements for watches, which, again, makes sense, very similar to the story you just alluded to, and that she was connected to my WiFi. My cousin was not connected to my WiFi, and by the time my cousin and my aunt got back to their home, they were now connected to the same Wi Fi, and my cousin all of a sudden started getting advertisements for watches. So again, using that, you know, common denominator, uh, being the IP address. But it was interesting, again, that it was an IP address that wasn’t necessarily associated with his device at all. It was just later down the road that they found that connection.
Jodi Daniels 5:54
Yep. So in the land of targeted advertising, most people equate that with cookies, and then we have kind of the universe of cookie banners. And recently, I asked a number of different privacy attorneys, and it was fascinating to see the multitude of different answers. Some companies believe and privacy professionals believe these things are opt out. Some people believe it’s opt in. Some people believe no cookie banner. Some people believe a cookie banner. And companies are just confused on what it is that they’re supposed to be doing. Dan, from your standpoint, how should companies approach this and what should they be doing?
Dan Rosenzweig 6:38
Yeah, so it’s a great question. And I think ultimately, in a typical lawyerly answer, it always comes down to it depends and the context of which they’re using their technologies. So first and foremost, context is incredibly important as it pertains to what the goal is that the company is trying to accomplish, if we’re talking about advertising and ad tech traditionally, first off, there’s technology way beyond just cookies, which we’ll talk about. So the fact that it’s just called a cookie banner, and it pops up and talks about cookies that can become a problem if it doesn’t incorporate the other technologies that are going to be utilized, I think ultimately, because the US is typically, at least in the advertising space, typically an opt out regime, not withstanding some corner cases and exceptions, I typically would advise companies, depending on their risk posture and the technologies they’re using, not to use a cookie banner, really, because of other issues that can arise, like, for example, dark patterns, right? A lot of times, the cookie banners will push one way or the other. Another instance is whether or not it’s actually, you know, in coordination with other disclosures like do not sell page and privacy policies, and whether or not it’s accommodating other technologies, such as the IP address that we were just alluding to, and server side technologies and alternative IDs and all these other types of tech that are really, really important and considered personal information in certain contexts that just otherwise wouldn’t be covered off by a cookie banner. With all of that being said, and we’ll talk about this further if, ultimately, a company chooses to use a cookie banner that’s great and they want to be privacy conscious, just make sure you’re doing it correctly, right. Make sure you’re actually doing what it says it’s supposed to be doing. From a technical perspective, technical perspective, make sure you’re assuming that you know the website and app will behave differently. You know, apps typically outside of certain functions of the app don’t use cookies. So there are definitely considerations that if you’re going to use it, make sure you’re doing it correctly. And of course, this is just for the US. EU is a little different, and other jurisdictions where consent is typically required.
Jodi Daniels 8:41
I’m just going to do a little plug. You’re going to use a banner. Do not block the site, and they shouldn’t have to accept your cookies to get to the site I see all the time. Absolutely.
Justin Daniels 8:54
Dan, could you explain a little bit more, just for people like me who aren’t as conversant in the ad text. But what is the dark matter? See, I think of that in the dark pattern. I’m sorry. Thank you for correcting me. Jodi, could you explain to our audience what a dark pattern is and what the legal ramifications are from that?
Dan Rosenzweig 9:12
Sure, it’s essentially the concept of nudging the consumer to make a certain decision or convincing them to do something subtly, or maybe not even so subtly, maybe it’s very conspicuous. So for example, using the context of a cookie banner, the Accept button is large, conspicuous, different color, and the deny button, if there isn’t, if there even is a deny button, is small and doesn’t really scream to the consumer, click me, click me. And laws are continuing, and regulators are continuing to focus on this for various different reasons, and it’s been a big topic for regulators, and particularly the FTC and other state AGs.
Jodi Daniels 9:53
You mentioned a little bit that a lot of companies are focused on cookies, but there’s a whole nother universe of alternate IDs. Pixels trackers, all different kinds that are out there. Can you elaborate and share what some of these are and what companies need to be mindful of?
Dan Rosenzweig 10:06
Sure. So I’m sure everyone in the podcast, listeners as well as you know, both of you guys are aware that now Google has, you know, taken back the whole deprecation of third-party cookie statement. But regardless, you know, cookies are just one of many technologies, and they’re probably for various different reasons, going to be changing within the ecosystem, regardless of Google’s deprecation of third-party cookie announcement. So what does that mean companies are now starting to rely on alternative technologies, or technologies that have been around for quite some time, but are now getting a lot more, you know, runway and a lot more adoption in light of the alternative to cookies. So the most common one these days are literally what are called the turn it alternative IDs, which are simply just deterministic and probabilistic IDs that rely on, typically, an identifier that either is known to be associated with a user or reasonably known or volunteered by the consumer. For example, an email address, right? So they will provide their email address to the company, the company will then be able to generate, you know, an alphanumeric string, again, speaking high level here, that is then utilized for purposes of targeted advertising and other use cases. So that’s one very common, another one, which was briefly alluded to on previous podcasts I’ve listened to, which is awesome that it’s getting a lot more focused these days, are server side technologies. This is typically what’s considered or an example of this is a conversion API, also known as CAPI. Server side technologies are simply when the company, or in this instance, maybe the first party, is the intermediary between the consumer and the third party and the the first party company will simply just share data directly from their server to the, you know, advertising company server or third party for, you know, advertising purposes and other things of that nature. Another common one is what’s called advanced matching. This is kind of a combination of some of the others, and it integrates cookies and other types of technologies. But essentially, what it does is it goes on a web form, or looks for a web form, and will scrape, for lack of better word, data from that web form and then append it to someone’s profile and things of that nature, to then send them targeted advertising. The reason I bring up these, you know, these three in particular, is because these are distinct from cookies. Right? The cookie banner typically wouldn’t cover off these technologies, but for other bespoke configurations, but they certainly aren’t considered quote, unquote “cookies.” They work in conjunction with cookies sometimes, but they’re not, in and of itself, a cookie, and that’s an important distinction, because of opt outs and opt ins and how cookie banners typically operate. Again, it wouldn’t really pick up on these technologies.
Jodi Daniels 13:02
That is actually the exact worst question I wanted to bring up, which was opt-outs, if I’m utilizing any of these other technologies, Jodi as an individual user? Well, actually a different Jodi, because in Georgia, I have no rights, but moving to another state where I might have some companies still have to manage that with these different technologies. How do companies address the ability for a user to opt out?
Dan Rosenzweig 13:28
Yeah, so I think for one, CMPs are starting to do a pretty good job at understanding and really pushing and working with their customers, which again, are typically the first parties to understand and navigate the distinctions between these approaches and these technologies. But you are spot on that ultimately, a CMP is only as good as you guide them and as good as your business cases are. A lot of this will come down to what is the first party’s obligations and what are they trying to accomplish, and what technologies are they using? If they’re using alternative IDs, you know, you want to make sure that you have certain opt outs in place. So for example, there are some vendors in particular that have specific opt out provisions or technologies or configurations that first-party should be able to rely on. There are other instances where they have taken — vendors have taken or made public statements or representations, whether through contract or again, publicly on their website, that they will honor certain signals and treat it as an opt out for purposes. So for example, the IABs, GPP and other types of technologies, if they see that signal or ingest that signal, they will treat that user as being opted out. But you are spot on that the typical cookie, you know, configuration technologies that are used for quote, unquote opting out or even opting in, depending on what jurisdiction we’re talking about, wouldn’t typically cover these technologies.
Jodi Daniels 14:55
I just want to add that it’s really important when companies are looking at some. Of these different ID options that they’re really investigating that vendor and third party to help figure out how can they manage that ID. And a conversation that I had with a client, they were looking at a particular third party, and that third party had no good answer to how they were going to be able to manage the opt outs. So we got a long list of privacy friendly, privacy friendly, blah, blah, blah. And then when it came time to Okay, so what do you do when the user wants to opt out? They really didn’t have a good question.
Dan Rosenzweig 14:55
Yeah. So I would say there’s pretty much two and again, speaking kind of at a high level here. But there are typically, or at least most commonly, two approaches to this. Again, assuming your CMP can help you with this, or you have internal, you know, dev folks that can kind of help align this. So we have what’s called suppression, which essentially means you just turn off the hose, right? So if a user clicks opt out on your opt out page, you just turn off, you know, turn off any what are called, you know, network traffic calls or or the transmission of information to these various, you know, third parties for purposes of targeted advertising, sometimes that can be throwing the baby out with the bathwater, right? You’re probably turning off more than you need to, but that sometimes is the best case for some companies, depending on their risk posture. Another option, which is incredibly common, is sending out a signal, right? So, like the GPP signal from IAB or other types of signals. Some vendors, you know, Facebook is an example, Google, to an extent, they’ve, you know, taken positions with respect to IAB, but will have their own bespoke, you know, opt out signals. But essentially, what happens in the alternative ID context is a user will opt out, right? They’ll go on that first party website and click the opt out toggle, and then the third parties will receive a signal, literally, like it’s an actual signal that will indicate that this user has opted out. And that’s pretty much the two common ways to do it again. There’s definitely some nuance there. You don’t want to, you know, make sure that you, you’re working with your, you know, your internal stakeholders and others to kind of make sure it meets your business needs. Because the last thing I would say on this, and I’m sure we can talk about this further, is these configurations and Jodi, I know we’ve talked about this previously, are not just from a legal perspective. These can have real business implications, right? So think about publishers these days, publishers, in particular, big media companies, they heavily rely on advertising revenue, and there are certain instances where, you know their disclosures are adequate and everything is good to go, but they have misconfigured one of their technologies, right? And this can ultimately result in a big business loss, right? So maybe they’ve misconfigured their technology to treat users opted out by default because they were, you know, messing around or having to, you know, figure out these bespoke configurations for alternative IDs and others and treating users as opted out by default, right? I’ve worked with companies that have done that, and they lose a ton of money in ad revenue. And again, this isn’t just, this isn’t necessarily a problem from a legal perspective, right? They’re they’re complying, and they’re overly complying to instances where they have to, but at the end of the day, this is an instance where they don’t have to, and I think it’s important to weigh that against what your business is, right? And how are you operating your business, and what business goals and objectives do you have?
Jodi Daniels 18:15
Really well said, thank you, and I also really appreciate the two different opt-out examples. So thank you.
Justin Daniels 18:24
So Dan, while Jodi may talk about softballs, I want to throw a little knuckleball out there for the two of you. Or maybe Jodi could get rights if she lived in Colorado for half of the year. But QUESTION: So Dan, going back to your days where you were really interested in Capitol Hill. So obviously, on this podcast, you and Jodi and I have been discussing ad tech, with the broader implications being, how do you appropriately and legally advertise to people? But my question is how do you prioritize the importance of helping companies understand? How do you market to people with all of the kinds of data brokering that goes on? Because as a person who’s not as involved in ad tech, what concerns me is is I don’t even know where my data really goes through all these different brokers who sell my data to advertisers, and I’d love to get maybe both of your perspectives on how you prioritize when we talk about the ad tech stuff versus all of the data brokering that goes on with our data that I think most regular people just they don’t understand it.
Dan Rosenzweig 19:35
Yeah, so I think you’re, you’re right, and to be, you know, confused, concerned, etc, because there’s just so much going on behind the scenes that, you know, pretty much has become a bit complex and difficult to navigate. I think, from the data broker perspective, you know, regulators are catching on and legislators and they’re starting to specifically legislate for data brokers, right? We have data broker registration laws. You. Place. We have other instances where they have to, you know, have to offer, you know, certain specific rights and opt outs and deletion requests and things of that nature. And I think ultimately, you know, having consumers be made aware of what’s happening through a privacy policy or notice is incredibly important. I think ultimately, though, another side of this is what is the first party in this instance, because, as a reminder, the Data Broker wouldn’t be the first party, right? The Data Broker, by definition, is typically some entity that does not have a direct relationship with the consumer. The direct relationship here is typically the first party. They’re obtaining data and things of that nature, and it’s really where that first party has an obligation to make sure that they’re disclosing to consumers what their rights are, making sure they’re clear and transparent with respect to their data practices, and most importantly, not conflicting with what they’re actually stating. Right? So this goes back to what Jodi and I were saying before with the cookie banners. Is ultimately if you’re going to make certain representations from a technology perspective, and you don’t want to confuse the consumer. You need to make sure that what you’re stating is clear, concise, accurate, and actually in accordance with it your technology is doing to kind of help bridge that gap and messaging between how the business operates as well as how the consumer is interacting with the technologies on your website and app.
Jodi Daniels 21:23
So speaking of representations and how, if I choose to set one up, or if I how I’m managing my consent management platform from an opt out perspective, a lot of companies feel like, oh, I set it up. I’m good. Maybe I even tested it the first time, and then they go on their merry way. You and I both know things break new IDs and trackers are added. New pages are added. Websites are updated. We’re always talking about you need to have a review process. You need to have an audit in place. You need to have a pixel governance process. Do you even know when to put one of these pixels, trackers, IDs on the site. I’d love to hear from you. What do you think of how often companies should review what they have in place to make sure it’s working properly in any kind of process that they might want to think about for sites and mobile apps? I know we talked just a little bit about mobile apps, but they’re included too.
Dan Rosenzweig 22:19
First off, I’m glad you made that distinction, because it’s a big one, right? Mobile apps just technically behave and operate differently than websites, and I think a lot of what is discussed with respect to cookie banners and things of that nature, again, don’t necessarily apply to mobile apps, and arguably, more people are using their mobile apps and on their phone. Again, it’s an anecdote, but I know that a lot of people are on their phone as often as they are on their desktops, and it’s a really important consideration, I think, to your question, I think there are really a couple of things that can be done. First and foremost, from a process perspective, it’s really important to have a cadence of meetings between the internal stakeholders, right? You know, privacy, legal, marketing, product, etc, folks that have visibility into what’s happening, but distinct viewpoints that all have an impact on one another. I’ve noticed that actually, the larger the company, the larger the organization, the more problems they end up having from a data privacy perspective, because marketing is, you know, working on one thing, they don’t necessarily keep legal in the loop, because they don’t necessarily think they have to. They rely on the vendor’s representations. Oh, we’re going to introduce this privacy sake, safe tracker and all these different things. And before you know it, they take the point of view that we’re good to go. They introduce it as legal. Then comes in later, they’re like, wait, what’s going on? And then the product team comes in and they’re like, Wait, how do we fix this? And it’s just a bunch of stuff going on that ultimately raises to a level of concern with respect to, you know, privacy compliance, and that’s what these regulators are focused on, right? Like these laws were passed as a result of these technologies. So it’s really important that the stakeholders who have very important perspectives come together. And I typically recommend, depending on the size of the organization, you know, monthly or quarterly meetings, it can be a 10 minute meeting to say, hey, what’s on the agenda? What are we looking for? What technologies are we looking to operate? What are our business goals and things of that nature. The other side of it, and this is incredibly important, is technical testing and auditing, right? It’s really important to look under the hood to see what’s actually happening. There’s a bunch of different technologies that can be operated on a site where an app, a lot of technologies, integrate other technologies through third party code and third party SDKs and things of that nature, which leads to a bunch of different data that’s being collected and shared on apps and websites. And, you know, I’ve actually created and generated and developed my own technology that I work with clients on which does just that, right? It provides a digestible report of all of the data being collected. Shared on apps and websites, and then provides them remediations and root causes to come together and act as that translation layer so legal, marketing and Dev can come together and say, hey, look, you know, we’re collecting such and such data from such and such party, and we’re sharing, you know, hashed email with a bunch of different third parties. Is this intended? Do we have our privacy policies up to date? Is this, do we have our contractual obligations up to date and things of that nature? And it’s really, really important to have an understanding of what’s happening from a technical perspective, because that’s what regulators are doing too, right? Regularly, the New York State, you know, AG, came out with guidance a couple of weeks or a couple months ago at this point. You know, constantly, if you look at the regulator’s activity, it’s our company’s technology supporting what their statements are, and often they aren’t, and that’s just because there are a lot of cooks in the kitchen and organizations, and they really should come together and talk with one another and collaborate to really make sure that they’re, you know, doing what they need to do, to comply and also meet their business objectives.
Jodi Daniels 25:57
And I would add, in addition to regulators, customers are looking to especially in the B2B context, if, if you have an outdated privacy notice, your cookie, digital tracker scenario is kind of a mess, and I’m looking to do business with you, then those companies are evaluating, well, if you can’t do your privacy well for yourself, how do I believe that You’re going to do it well for me and I’ve had those conversations. So from a B2B perspective, I mean, I think everyone should, but especially those from a B2B, anyone can tell regulators too, but your customers,
Dan Rosenzweig 26:32
I would also add that’s related is that technology can be incredibly powerful as well, right? This isn’t always just a compliance exercise that you dot your i’s and cross your t’s, which is important, but again, this can provide some real business strength as well. So I vividly remember, you know, and it’s still ongoing, and it’s still happening with respect to, you know, the VPPA issues, right, the Video Privacy Protection Act and the utilize, the utilization of certain third party technologies that you know, allegedly violate the DVPA by virtue of sharing personal information in conjunction with video information to third parties. Now a lot of lawyers would tell companies, and this is true from a legal, pure legal perspective, a lot of lawyers would tell companies to just turn off these technologies. Are they becoming legally compliant? Arguably, yes. I mean, they’re pretty much removing all of the risk. But ultimately, particularly for media companies, for publishers, being told to turn off one of their core functions and technologies in order to meet their business objectives, can have a huge hit on revenue, like a huge hit on ad revenue and a huge hit on their bottom line. So that got me thinking, There’s got to be some sort of technology that can support this. So looking at technical development materials that are made public, you know, I was able to work with companies and figure out ways, okay, we can still use this technology, but we’re going to turn off, you know, the transmission of video information to these third parties, right? So you’re still getting to use it. And is it? Is it foolproof? No, but ultimately it’s, it’s a cost benefit analysis. What is your risk posture? What is your bottom line? What are your business objectives? Because ultimately, I’m finding, often, a lot of companies are given advice to just turn technologies off or turn them on, whole hog, right? There’s always some nuance. Technology is very, very powerful. You can, you can control which data is being sent to a lot of these third parties. It’s not a matter of just turning them on and off, you know, whole hog, because that can have a real implication, either over complying or under complying, and can also impact the business as well as the legal posture and risk posture.
Jodi Daniels 28:42
Yeah, that makes a lot of sense. And I’ve seen the same and not on the advertising side as well. A good evaluation makes a lot of sense.
Justin Daniels 28:51
So Dan, I’m going to ask you a very specific question. So when you’re out and you’re talking to someone like me who’s not as conversant as the two of you are with ad tech, what can I do as a consumer to protect my privacy better or be more aware when I’m online? Do you have a tip you might share with the audience from that particular perspective?
Dan Rosenzweig 29:11
Yeah, I think your perspective will come down to the particular brand and company that is most important to you. To me, it comes down to, is there a brand or company that I value and I visit every single day, and I’m okay with supporting their, you know, ad revenue model, and I’m okay with that, great, then that’s something where you can consider, and maybe you’re a little more, you know, friendly with with the type of data that you want to be providing them, again, assuming that this company is providing you adequate disclosures and giving you disclosures and giving you the choices that you rightfully deserve. There are some other companies that maybe you say, You know what, I don’t want any part of this. I don’t really like this. You can either, you know, configure the GPC signal, which we didn’t talk much about, but it’s essentially a system wide opt out on your on your browser, or you can go to that specific website yourself and opt out and issue a request to see what type of data they have on you and exercise those certain rights. I would say a lot of companies these days, particularly larger companies, are actually really trying to be privacy conscious here, and a lot of them are actually using certain laws as a baseline to kind of offer certain rights and choices to consumers, even if they don’t, uh, fall within the one of the the particular states that require it. I have a lot of you know, clients that are saying, You know what privacy is the future here. And I really want to help, you know, my consumers, and I think privacy being privacy friendly and privacy folk focused is a good business opportunity. And telling consumers, hey, fine, you’re not in California, you’re in Georgia, we’ll still, you know, work with you and provide you know, and if you give us an access request or a deletion request, we’ll honor that. But yeah, I think it comes down to what you as a consumer are comfortable doing.
Justin Daniels 30:52
I think you two should collaborate on one of those LinkedIn boards where you show people step-by-step how to opt out globally using your browser.
Jodi Daniels 31:02
We could, we probably forget that the average consumer does not know how to do all of that. And I see it all day long, with people just seeing these banners and not knowing, not knowing what to do. My dad, for example.
Dan Rosenzweig 31:16
Yeah, I think one thing an average consumer could do, and I know one of your guests had suggested this on a previous podcast, and I think it’s great — submit a request for the data they have on you and see what data they have in you. If you’re comfortable with that. Great if you’re not and it’s incorrect, you can ask them to correct it and ask them to delete it. Simply just go to the privacy policy, and it should be clear within the portion of the privacy policy, again, not the best thing, but if or the most user friendly. But if you are interested in this, there are ways to kind of navigate this.
Jodi Daniels 31:49
Moving forward now, and you are not advising on privacy and AI, which we did not have too much AI in this podcast, there is still just good old privacy. What do you like to do for fun?
Dan Rosenzweig 32:02
So I’m a recent father. My daughter is almost 10 months. It’s our first so whenever I can just go and hang out with her and do fun things, she’s now at the age where she’s really just a real personality, and I really like to swim, so she’s starting to swim with me, which has been really, really fun. So yeah, anytime that I have to hang with her, I take it well.
Jodi Daniels 32:26
We’re so glad that you joined us today to share all the amazing information that you did. And if people would like to connect and learn more, where can they go?
Dan Rosenzweig 32:35
Yeah, just always available on LinkedIn and shoot me a note. You can shoot me an email at dan@dbrdataprivacy.com, always looking to talk to folks about this stuff. It’s something I’m really excited about. And love, love the day-to-day job that I have. And thank you for having me.
Jodi Daniels 32:50
Absolutely. We’re so glad that you’re here. Thank you so much. Have a great one.
Dan Rosenzweig 32:54
Thanks, you too.
Outro 33:00
Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.
Privacy doesn’t have to be complicated.
As privacy experts passionate about trust, we help you define your goals and achieve them. We consider every factor of privacy that impacts your business so you can focus on what you do best.