
Intro  0:01  

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.


Jodi Daniels  0:21  

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant, and a certified informational privacy professional, providing practical privacy advice to overwhelmed companies.


Justin Daniels  0:37  

Hi, Justin Daniels here. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches.


Jodi Daniels  0:53  

Well rested over there.


Justin Daniels  0:56  

I know. I’m intimidated by you today.


Jodi Daniels  1:00  

Well, this episode is brought to you by remember what you do. All right. Red Clover Advisors, we help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SaaS, ecommerce, media agencies, professional and financial services. Can you make me stop laughing?


Justin Daniels  1:28  

Why, it’s good to laugh. Laughter releases all kinds of good points.


Jodi Daniels  1:37  

I finished my intro because these lovely audience members want to hear what we do. Okay, so we use data privacy to transform the way companies do business. And together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, visit That was the most humorous introduction I think I’ve had in quite some time.


Justin Daniels  2:00  

Maybe so. Did you have some laughing gas this morning I don’t know about?


Jodi Daniels  2:04  

I don’t know. Okay. Well, today, I’m so excited to bring back, or not bring back but bring to the show, a longtime friend of mine in the industry, Ana Milicevic, who is principal and co-founder of Sparrow Advisers. She lives in the in between of where different disciplines intersect, technology with media, consumer culture with data, globalisation with hyper local needs. This perspective gives her a unique ability to connect divergent concepts, distil them into actions and focus on the key themes that are the most relevant to you as her audience. Well, Ana, welcome to our ridiculous hilarious, we can see him together, talking straight out today.


Ana Milicevic  2:52  

This is probably the most fun anybody’s ever had talking about privacy. So it’s great to see you. And great to be here today. Oh, you. I’m just gonna have you do all of my intros from now on because that sounds fabulous. And it sounds much, much better than Hey, she’s a management consultant that helps companies solve all these gnarly, complex problems and things like that. So you’re hired, let’s, let’s go make magic


Jodi Daniels  3:18  

out of it. This sounds so much fun. Well, I know a little bit about your career, because we had the great fortune of working together, which is how we met and it actually was my start in the targeted advertising marketing universe. Before all these fun privacy laws were really here. Please share with our audience. Tell us more about your career and how you got where you are today?


Ana Milicevic  3:42  

Sure, well, when you look at it from this perspective, backwards, it all kind of makes sense. But as I was going through it, maybe it made slightly less sense. One move to another, but I’m a technologist and a computer scientist by training. And, you know, I could have had a, an aha moment fairly early on in my career, understanding that I was always interested in different intersections of fields. So I kind of fashioned myself into product management roles before that was really a thing. I’m talking about, you know, a couple of decades ago, when before it was a real discipline. I very foolishly started a company when I was still at university and my toes into entrepreneurialism, really, really early on, and then propelled a series of leadership roles, mostly in media and entertainment companies, usually around product strategy and how to kind of execute and build things. For the past decade plus, I’ve been very deep in the ad tech, martech and commerce space, usually around data. I was the head of product for Demdex, which is the company where Jodi and I met a long, long time ago. That was one of the first data management platforms that took this relatively amorphous concept of data in marketing and turnin modernized and created a vertical for it in digital advertising. The company was bought by Adobe. I spent some time at Adobe at tasked with going into software giants. And then kind of continued down the martech path, building a global services team for Signal. And I did seven years ago now saw this gap in market on the consulting and really management consulting side where the bigger consultancies didn’t necessarily have very detailed expertise in these very rapidly evolving industries. And the companies that were operating in these rapidly evolving industries didn’t necessarily have the management experience to be able to scale and drive business growth predictably. And that’s when Sparrow was formed to address that challenge. 
And we seem to be doing a decent job editing how we’re, we’re seven years old, and have eight practices now and clients across the globe. So Well,


Jodi Daniels  6:03  

that’s certainly something to congratulate yourself for seven years is, is a very long time to be in this business and entrepreneurial space. So absolute kudos to you.


Ana Milicevic  6:13  

Thank you, thank you. It feels very wild to say it’s been seven years, it feels both very long. And somehow like, well, we just started yesterday, because it’s a you know, to me, it still feels like it’s a very young company. And we certainly operate in a very flexible, young way. But in reality, in the real timeline, a significant amount of time has passed.


Justin Daniels  6:35  

Well, why don’t we dive in and say, and ask you, what are your thoughts about this changing advertising landscape that Jodi loves so much?


Ana Milicevic  6:45  

It is, you know, it is changing, isn’t it? A lot of things have changed on the consumer side. And when you look at that, back at the history of advertising, it was evolving and moving pretty slowly for quite a while. And not a lot was happening in terms of new formats, new, new ways to message someone, until the internet. And really the massive acceleration that we’ve seen, that we’re experiencing now only started happening with smartphones and their proliferation. And so we’ve gone from being mostly connected to definitely being connected all the time. But advertising is still operating under the assumptions made in the previous era that, you know, there are some times in your day when you’re not constantly connected. And we’re, you know, hyper exposed to all manner of digital advertising today, to the point where we were perhaps becoming oblivious as consumers to all different messages that we’re seeing. I think what, what I find really fascinating is how big of an industry we’ve built on top of a very, very inferior technology. So we’re now looking at third party cookies being sunset, slowly and then slightly quicker. But they’re, they’re practically becoming less and less useful day in and day out. And when you look at the initial intent of third party cookies, it was never to piggyback an entire 100 something, $140 billion industry on its back. That’s just the US globally, about 340. I think, last numbers for the billion is a pretty big number. Um, you know, putting that on these teeny tiny little text files that live on your computer seems pretty nuts from from an infrastructure perspective, from a security perspective, from a you know, just how to build things perspective. And yet, you know, here we are. So part of me is in awe of the success of building something on such a porous foundation for so long. 
And part of me just can’t wait for these to go away so that we have something slightly better and so slightly more meant to the to be the vehicle for advertising.


Jodi Daniels  9:19  

So let’s talk about that next stage. So you have a lot of companies who are not as happy that third party cookies are going away because they’re used to what it offers them in and you are a business there is the ability to find new customers to understand and to analyse. Where do you think we’re headed? What should we tell all of those brands? And what are you seeing smart companies do to get ready for that?


Ana Milicevic  9:44  

It’s really hard to change all four tires on your car while you’re going 85 miles down the highway. And that’s where a lot of the larger advertising companies that’s the situation that they’re they’re faced with because they have to continue advertising so that people would be aware of their products and would continue, you know, reliably generating revenue. But at the same time, they also need to change not just how they budget what they buy, but really more importantly, how they measure the efficacy of their advertising. And you know, to really understand what’s working for them versus what isn’t. And that’s a lot of change, even in companies that have a lot of resources, so there’s always this tug, and pull of, you know, hey, can we just keep the status quo for a little while longer, because changing all of this at once is going to be very, very challenging, and maybe we won’t be able to be successful immediately. Couple that with increasingly shrinking tenures of CMOs, they are the they have the shortest lifespan of anyone in the C suite, they just generally seem to be replaceable. And there’s, there’s not a lot one can do in an average CMO tenure, like you pretty much have time for one big project. And usually CMOs will opt for something that’s pretty splashy, like picking a different advertising agency rebranding something that’s visible, rather than, you know, something that’s more fundamental, like, hey, let’s re architect how we’re looking at going to market how we’re approaching our paid efforts. And like what we’re doing like, that’s not very, it’s a thankless job, kind of, even if you execute it really well, you’re unlikely to have that be beneficial to your career, and in the long term, certainly not within the same company. 
So all that to say is that there’s, there’s a lot of, you know, interest in moving beyond cookies, but the day to day reality of it is very different that people have their existing day jobs and the KPIs that they had set out last year that they need to hit. And so there’s a bit of a disconnect between that timeline and the cookie timeline. On the plus side, most companies are at least aware of something needing to change and something needing to happen. On the slightly more negative side. They’re pretty reactive. They tend to listen to a lot of vendors, and don’t really have a POV of their own yet. And that’s certainly been something that we’ve seen in our own engagements is an increasing ask of, hey, you know, how should I approach the post cookie universe as opposed to you know, here’s these three vendors have called me they’re trying to sell me on this. And, you know, I’m gonna pick whoever I like the best. So, yeah, more more tactics and strategy still, but but looking up a little bit,


Justin Daniels  12:54  

I think. So what is a reasonable standard for privacy when we’re always connected? And always on now? They trade cryptocurrency 24/7 365?


Jodi Daniels  13:04  

Aren’t you happy? Higher NFT?


Justin Daniels  13:09  

Yes, maybe


Ana Milicevic  13:11  

good conversation for chief security officers, just to kind of keep them up at night, you want to freak them out? I think we’re dealing with the wrong construct. And I’m very disappointed that we’ve kind of settled on privacy as a concept, as opposed to data, data usage rights. And the reason. The reason I’m somewhat allergic to privacy as a term is it feels optional. It’s like a nice to have, it’s something that we enjoy as human beings. And we would like to continue enjoying it in digital realms, etc, versus data rights usage. That is rights, I think it’s more honest to the topic at hand, which means, you know, hey, if this is the data that you have about me, I’m okay. Using that to you know, give me a discount or similar but I’m not okay with you selling it to a life insurance agency or similar. And so there’s no agency, no consumer agency in the privacy conversation past, well, you can opt out and maybe one or it kind of, it’s very complicated in the US where I would argue that the biggest offenders are actually government organisations, if you can’t opt out of the DMV, selling your licence information to whoever they want to sell it to. And other kinds of, you know, things that are key fabric of life that that you have absolutely no say in and opting out. And so, I think that that distinction, the clearer we can make that distinction and make the consumer be an active participant, the better conversations and products and solutions we can have that that address privacy because otherwise is just for a lot of people, it just very amorphous and certainly doesn’t communicate the sense of urgency and importance that it should have.


Jodi Daniels  15:09  

Do you think? Or have you come across any organisations, no need to mention by name, just sort of, you know, examples where they are starting to focus more on the usage rights piece and a little bit less of the tactical privacy law one versus privacy law two?


Ana Milicevic  15:27  

Yeah, there are some very frail fairly early stage companies that are mostly experimenting with building value. So, you know, if you’ve, let’s say you’re, you know, large retail chain, and you want to collect my loyalty information, can you make the offer better to each individual consumer than just, you know, some blanket, like loyalty 101 types of offers that you have now? And it’s tricky, because with the levels of data that we’re dealing with now, till really big, big datasets, it’s very hard to come up with, Okay, well, this person’s data is worth this much, because the actual dollar value will be very, very tiny. But then, absurdly, the value of the entire data set for all consumers will be very, very high. And so I think there is, there’s definitely some innovation that can happen on that redistribution, because it’s, you know, right now, Google, Facebook and other platform friends own an overwhelming amount of information on users. And they’re really the only ones economically and commercially benefiting from it. And they’re not, they’re not, there’s no incentive to pass some of that benefit on to the client, the consumer, other than, you know, hey, you can use maps for free. Okay, but is there a paid tier where I don’t give you my data? Like, is that a choice I could make? Not really. So yeah, the very, very master, and I think is, is where we’re heading.


Justin Daniels  17:08  

Let’s change gears just a little bit and talk about, as Jodi alluded to, there are now, what, four states?


Jodi Daniels  17:14  

four states, but as we’re recording here today, the my childhood home state of Connecticut has passed at the Senate level, the Connecticut’s Privacy Act. So we’re waiting for the house to have it for them maybe.


Justin Daniels  17:31  

And, of course, the SEC has gotten involved on the cyber side. And so as you can tell, we have this piecemeal approach to privacy at a state level, federal level, all these breach notification laws that are keyed off of privacy concepts. And you know, we risk fracturing the market and creating some real compliance nightmares, particularly with companies that want to scale. Can you talk a little bit about your thoughts on this idea?


Ana Milicevic  18:00  

Yeah, I’m curious to hear from from both of you, and from your perspectives on who you think the governing body should be, who owns privacy and data regulation in the US because it seems to be super fractured right now. And I think we’re dealing with the nightmare scenario, which is, every state has their own plan. And that risks fracturing the cohesive US market, which is what gave us internet commerce, digital advertising, but the size of the market was was key to unlocking all of these economic opportunities. And so now, if you take that very, very sizable, 330, 335 million people market and fracture it into, you know, Rhode Island, and Connecticut and Wyoming with a couple of hundred thousand people, that that is a very, very complex scenario to navigate both as you know, a vendor on the internet as a technology company as a consumer. And I do think that this, the just the weight of compliance, to be able to sell something in 50 states is just going to be needlessly tasking on on a lot of businesses. So I wish there was a federal level standard, kind of like what we’ve seen in Europe with GDPR. They have a common standard, then if you really, really want to modify it, you can, but at least some kind of baseline across the board would be really, really good to have and effectively because California led, it seems that in the US, that’s the standard that most everybody else is somewhat adapting to different levels. But I really think that you know, the 58 each state by itself is an absolute nightmare scenario and that will lose a lot of the competitive advantage that the market size has has a lot at us, without really, you know, putting much thought into it. Previously, it’s very different to try to, you know, sell something to even a wealthy country that only has three, four million people versus 330 million consumers. You know, I don’t want to see


Jodi Daniels  20:19  

that. I get asked almost on every presentation, the federal versus state, will we see a federal privacy law. And it’s always been an interesting answer, I think as more and more states pass, and then as more and more global privacy laws pass, I think that will start to really put pressure. And we’ll just have to see it. You know, there’s, there’s so many politics at play, to your question of who should own that, I really actually believe it should be a completely independent agency that should be created that should own the data pieces. Right. Now, it’s cobbled together and in different parts, you’re trying, we’ve seen it before, where it’s been attempted thought of even the Federal Trade Commission is trying to move more to rulemaking as opposed to its current notice and choice framework. But time will tell.


Ana Milicevic  21:11  

And I think another really interesting and potentially, doubly frustrating part here for me is that the focus seems to be on digitally originating data, and completely ignores offline data. And going back to, you know, talking about how the government itself was one of the worst, air quotes quoting here. But yeah, one of the worst offenders when it comes to personal data of citizens and its commercial uses you, I would hope that there would be some type of body who can actually represent citizens data needs across all different channels. But the bulk of the conversation right now is around digitally originating datasets. And I could never really understand why, you know, some publisher, knowing that you like sports and a rug, or articles about sports is somehow more of a privacy risk than somebody literally knowing where you live, and being able to, like send you stuff to your house, like that scenario is much more privacy invading to me personally than than anything on the internet. And I’m fascinated how, how all most of the privacy conversations are focusing on on digital digital use cases.


Jodi Daniels  22:28  

I think, from my perspective, the digital pieces, you have some players that pushed it too far. And those are the ones where all these laws tend to be reacting. And so because you’re able to gather significant datasets of massive volumes, and drill in pretty accurately, and also completely get it wrong, is a little bit of where that digital focus comes. I’m always telling people, you know what the offline file counts, too. So the cabinets and drawers that you have of 30 year old data? Yep. Yeah, that counts and facts. I know, we’re talking US at the moment. But I remember speaking to someone when GDPR first came out, and they were located in the UK, and they thought it was only a digital law. And they said, well, actually, we only have physical files. I said, Well, great. You just have to focus on those.


Ana Milicevic  23:19  

Yeah, good luck with that.


Jodi Daniels  23:22  

I know, I know. You have any thoughts on who should own


Justin Daniels  23:26  

my thoughts? I think it’s going to be a challenge to create another digital agency. Because with all of this data, sitting right beside it is now all the stuff that’s going on in web three. So now all that’s blowing up at the same time. And I wonder if the organization who doesn’t have the largest remit and I’m just throwing something out there is you alluded to Jodi, the FTC because they deal with broadly, the consequences, as opposed to HIPAA is pretty narrow. Gramm-Leach-Bliley is pretty sectoral approach, the FTC has the more broader implications of unfair trade practices. But I hesitate to say, Ana, because I watched from a security perspective, how the SEC and other regulators are having to fill the void because we don’t have any real cybersecurity standards. And it’s creating all kinds of challenges. So I don’t know what they’re gonna do. Because let’s be honest, global data is really a global issue. But there’s never going to be a UN of data, but it’s really a global issue.


Ana Milicevic  24:31  

It is, and it’s one of those things again, where, you know, I think there’s leaders and there’s followers and because Europe was first to to put something together. That’s the kind of the standard that everybody else is evaluated against. And so we try to like, you know, if your national or state level privacy regulation is is like on what side of GDPR is it more restrictive? Is it less restrictive, is it you know, like What are its facets, but I think you bring up a good point, Justin. And that’s that, you know, there’s no security organization either. And I keep thinking about a couple of years ago, Denmark sent an ambassador at the Silicon Valley, like an actual Ambassador like you would send to to a country. And their rationale was, you know, for the state of Denmark, a good relationship with a Facebook and a Google. And one of those kinds of clearly non state actors, private companies, is perhaps more important in this day and age than Denmark’s relationship with a very faraway sovereign country with whom they don’t have a lot of trade going on, etc. But they still, because diplomacy is old schools don’t traditionally have a representative. And so so that got me thinking that if we could re architect the whole system from scratch, like, what would it look like? And would it be like this, you know, two point like, Would it be the UN data? But who, what, what is the ideal case scenario for this kind of regulation? And would we have a like a national level, data czar, somebody who, whose sole job it is to think about different uses of citizen data, whether that’s coming from offline channels from digital channels, or other channels, and you know, like, whose sole remit, hopefully, with a budget of an actual organisation behind it would be to create products around the management of data at that level. So that’s my dream scenario. But to your point, I think we’re very, very far away from something like that. 
And it seems that between the FTC, the FCC, the DOJ in some cases, and the other three letter, a couple of other three letter organizations, they’re all just like passing a hot potato around, you know, not a lot of structure is happening around this.


Jodi Daniels  27:02  

That is absolutely happening. So with all that, you know, in the privacy world, the type of data that is collected what companies do with it, what is your personal privacy tip that you could offer the audience,


Ana Milicevic  27:17  

I’m very intentional about email sharing site, phone number sharing, and similar things like we don’t have a lot of unique identifiers, like our social security number de facto became one in the US through overuse. And because for the better part of the last 10 ish or so years, various companies have been asking us for our emails and our phone numbers. And we didn’t really think much about volunteering those, those now act as as connected keys for a lot of really, really gnarly PII, perhaps PII and anonymous data databases. And I always give the scenario of it’s a little bit dystopian, but imagine filling out a quiz. And you know, you’ve you enter your email and to get the results of the quiz and maybe the quizzes, just goofing off, and you’re like, oh, yeah, I smoke, like three packs a day or something like that. But that data gets shared with life insurer, or your health insurer who through their blackbox algorithms, of deciding who gets coverage or not 10 years down the road decides to deny your coverage, based on this one input that, you know, you you did an alert, you didn’t, you didn’t think a lot about it, there’s no scoring, there’s no none of that. And so I think, you know, having better hygiene, having unique phone numbers, if you have to live with somewhere having very unique email addresses as well. These are all things that perhaps sound a little bit paranoid, but they really aren’t. And they do require a higher mental load from consumers. But you don’t want to be in a position where you kind of discover that through a data breach, someone’s you know, being able to someone’s able to weaponize something against you or your family that is not necessarily an important piece of data. Wow, I did turn this into stone. I mean, it’s a


Jodi Daniels  29:27  

really interesting tip and a lot of people don’t fully understand how those are identifiers these days. It’s very helpful to share. Thank you.


Ana Milicevic  29:36  

and there’s nowhere to learn there’s like you know, no no one’s really teaching like good email hygiene or you know, good phone number hygiene or good cell phone number hygiene. Justin, I’m imagining you’ll have a point of view on this with you know, SIM card hacking attempts and things like that, which is a vector of attack in crypto in particular, that, that, you know, these these things are usually you only become aware of them if you’ve been a victim somehow. And I wish there was more easily available education and best practices maybe through like, you know, maybe Gmail can start putting in product capabilities that would let you obscure your email addresses and similar. Apple’s certainly taking that step and moving in that direction. But it all seems very underdeveloped compared to how developed the actual data collection across different companies is,


Justin Daniels  30:40  

I guess my couple cents on that is the problem with fixing some of the stuff with email. And what you’re talking about is people worship convenience. And to have to deal with multiple emails, multiple phone numbers, makes it really problematic to get people to want to do different things, because trying to remember all of that, or put it in a repository is just beyond what people want to do. And, you know, you bring up a really good point, because all of the stuff you talked about with crypto and the self sovereign and taking more responsibility, well, that means you have to step up. And if someone hacks your digital wallet, it’s automated. It’s gone. It’s done. There’s not much you can do. And so I don’t know if that will help. But in terms of understanding our privacy, I think the other challenge is, is younger people just have very different perspectives on what privacy means to them than people who have been around longer. It astounds me still what people would put on social media and broadcast about themselves. I’d add date of birth to that, like on Facebook, people have their date of birth. Well, that’s one of the primary ways you can get someone’s PII, PHI at the doctor’s office,


Ana Milicevic  31:57  

anyway. Yeah. So not not not to keep going down. dystopian path. Yeah. No. But it’s, it’s interesting, because something seemingly innocuous, as you know, sharing your phone number with somebody like I think it’s, if you share your phone number, and you only have one phone number that you’re sharing everywhere, that whoever is the weakest link in that entire chain, it could be you know, that dentist you saw seven, eight years ago, who, you know, that still has paper records or whatnot, and like, you know, you’ve gone to one appointment, and that’s it, but they still have key data on you if they get breached. Well, there there goes all of your data, too. And so I think it’s probably not healthy for the average consumer to think about these things, because you just kind of want to, you know, go hide some disconnect from the internet, which is also not not a not a possibility, or a healthy choice. I don’t think, Oh,


Justin Daniels  32:56  

I’m not gonna let my kids watch this episode, because now you give them another reason to not want to go to the dentist, they’re gonna say, Well, hey, that’s my privacy, and you’re the privacy people.


Jodi Daniels  33:06  

We don’t give them


Justin Daniels  33:08  

There you go. Very good. solution. So we always like to ask all of our guests, when you’re not out thinking critically about privacy, what do you like to do for fun? Oh, hopefully, I’m


Ana Milicevic  33:22  

not thinking about privacy all too often, although, I do tend to go around and take photos, especially when I’m in Europe. You know, those like, things you can put on your building not to get any junk mail there for real in Europe, like don’t actually get around versus in the US just could never be able to. This is gonna start sounding like a, like a dating show now. So like, I like long walks on the beach. I love to travel. I don’t like to be in the same place for very long. And so every chance I get I’m somewhere. You can imagine the past two years of the pandemic or 20. I don’t know how long it’s been very, very hard. But But yeah, that’s my, my, my hobby is being in different places.


Jodi Daniels  34:15  

Well, thank you so much for a really fun and fascinating discussion. If people want to connect with you, where’s the best place to send them?


Ana Milicevic  34:22  

advisors with an E. And I’m also on Twitter as AEXM. And you know, all the usual suspects platforms were pretty easy


Jodi Daniels  34:34  

to find. Well, thank you so much. We really had such a fun episode talking with you today.


Outro  34:43  

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.
