
Intro  0:01  

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels  0:22  

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional, providing practical privacy advice to overwhelmed companies. Hello, Justin.

Justin Daniels  0:38  

Daniels here. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber QB, helping clients design and implement cyber plans as well as helping them manage and recover from

Jodi Daniels  0:53  

data breaches. You’re really excited for data breaches. And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SaaS, ecommerce, media and professional services. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, visit And while there, be sure to grab your copy of our very exciting to say, best selling book, Data Reimagined: Building Trust One Byte at a Time. Are you ready for today’s episode?

Justin Daniels  1:46  

Yeah, I think so. See, I’m talking about data breaches. Because I was excited to have come up with the idea of the data breach highway when I spoke on Monday about our book.

Jodi Daniels  1:56  

It is very creative. Who knew that in Atlanta, you could have so many companies with data breaches truly alongside the highway,

Justin Daniels  2:05  

city of Atlanta, Equifax and Colonial Pipeline, and that’s not even going around to 85 to Home Depot. Whoa, that was clever,

Jodi Daniels  2:14  

huh? All right. Well, we’ll have to save that for another episode. Today, we’re gonna dive into one of my favorite topics, which is the intersection of marketing and privacy. And we have a really awesome special guest. We have Michael Hahn, who is the EVP and General Counsel at the IAB and the IAB Tech Lab. He leads the IAB Legal Affairs Council with more than 350 attorneys on it. And he also leads the internal compliance efforts at IAB. So Michael, welcome to the show. Well, thank you both for having me. Are you laughing? Just laughing today selling I don’t know. It was too much of my birthday cake, wasn’t it?

Justin Daniels  2:51  

It might have been Yes, I did well, with the birthday this year. And do you do did gold stars? Yes. Five or 10 minutes of goodwill, at least Michael? Yep. But speaking of Michael, can you tell us a little bit about how your career evolved to where you are today? Sure.

Michael Hahn  3:12  

Well, like many others in the legal profession, I could not have actually predicted that I’d end up where I am today. Coming out of law school, I had a joint degree in law and a Master’s in Public Policy, and originally envisioned never practicing law, but actually being a Washington DC policy guru who just happened to have a law degree. And as life surprises you. I was working in government while I was in law school, and then poof, Al Gore lost the election. I ended up coming back home to New Jersey rather than staying in DC and went to work for a law firm that I stayed at for 17 years. And so I spent, really, my career first focused on being an antitrust litigator and antitrust corporate counselor. And in doing so, I got my first exposure to the digital ad industry in 2006. And I want you to pause and think about that: I had a case that began in 2006 and did not finish until well after I left my former firm Lowenstein Sandler, in 2017. So, neutrals for you. So it was an interesting ride and you know, somewhere along the way, the IAB became one of my clients and we developed a really close synergistic relationship. And by 2017, I joined the IAB and the IAB Tech Lab as their general counsel and quickly pivoted over to privacy seeing all the needs we have. And in many ways my two areas of antitrust and privacy have now come to shore at the same time.

Jodi Daniels  5:18  

Thank you for sharing. I think that’s very telling how long it can go on for

Justin Daniels  5:25  

Antitrust is like admiralty law, it’s very niche. There’s only a certain segment of the population who is well versed in antitrust. Anyway, for those who aren’t familiar with the IAB, can you help our audience understand who the IAB is, and its role in the digital advertising industry?

Michael Hahn  5:46  

Sure, so the IAB is a trade association, composed of over 700 companies. And we represent the big tent of trade associations in the digital ad space. So if you look at the entire distribution chain, we cover all parts of it. So our members are publishers, they’re also the ad technology companies, whether they be the larger platforms like Google, Amazon, and Facebook, or the medium and smaller size ad technology companies; we also have in our membership both marketers and their agencies as well. So I like to think of what we try to do at the IAB as very much practical problem solving that requires all parts of the ecosystem to be at the table. You know, when you think about most trade associations, historically, they typically represent one slice of industry: might represent the sellers, might represent the buyers, might represent the intermediaries, because they each have distinct interests. But one of the things that we see is incredibly complicated systemic challenges, privacy being the quintessential example of it, where we all need to be able to come together throughout a distribution chain, and find ways to cooperate to solve problems.

Jodi Daniels  7:12  

So I actually get to credit the IAB for my first entry into privacy. Because it was before there were all these complex privacy laws that we’re going to talk about. And the Digital Advertising Alliance came along. And IAB’s position was, to be a member, you had to comply. And therefore the company that I was at, we had to figure out what that meant and how to comply. That was my job. And I found it really interesting. And I dove in and I went to different seminars that IAB had and really participated and learned as much as I could. So thank you, IAB, for making that requirement. Now, I learned about privacy. But if we fast forward more than a decade, we have a lot of different privacy laws. And it certainly has changed the landscape and made it really complex. So can you share a little bit maybe how IAB helps its members comply? How does IAB help, from an education standpoint, from a requirement or a tools perspective? If you could shed a little bit of light, that would be really helpful.

Michael Hahn  8:18  

Sure. So we do our work around privacy in really two different groups, which also have some overlap as well. So first, we have the IAB Legal Affairs Council, which consists of the 350 in-house and partnering firms that we collaborate with. And we very much look at our mission perhaps a little more distinctly than other trade associations do. Many would say our job is to just educate. And that would involve bringing experts in, bringing in law firms and sort of talking to your members and hoping that they absorb. We very much view our mission as problem solving around common legal challenges that we have as an industry, and that our education is understanding what those challenges are, and what the solution set is to help address them. So in that regard, we undertake what I’ll call, you know, critical projects. Two years ago, we began a critical project where we looked at the privacy laws outside of the United States and Europe, over 11 different jurisdictions. And we said, how do those privacy laws apply to the digital ad ecosystem, which, for those who have a global footprint, is an incredible challenge to find the right lawyers who have, you know, both local knowledge and digital advertising knowledge. So we partnered with OneTrust, we partnered with BakerHostetler and we also pulled together 100 lawyers from around the globe. And we put together this Compendium. And we sat down in working groups for well over a year, drafting a 500 page document that goes through these 11 jurisdictions and explains how it applies. Second, we said, well, it’s not enough to do that, we got to begin to think about plumbing. What do I mean by plumbing? In digital advertising, we need to be able to communicate consumer privacy preferences that are collected in a manner of compliance with the law, and be able to communicate it out to the multiple companies that are involved in the distribution of a digital ad.

And so one of the things we went back and did was figure out, how do we begin to roadmap the plumbing that would be needed to communicate these consumer privacy preferences around the globe, from a technology standpoint. As we move into the US, and we think about things like CCPA, and we look at the new five state privacy laws we have ahead of us, we’re very much involved in putting together privacy frameworks on the IAB Legal Affairs Council side of the house. On the Tech Lab side of the house, we have groups that are focused more on product and engineering. And those are the people who focus on the plumbing. What is it that we’re talking about? Setting, creating specifications that member companies can build to, so that you can actually pass all the signals along. Like, you know, what happens with an opt out? Right? How does an opt out get keyed from Europe to California, and now Virginia, and Utah and Colorado in a manner that’s distinct and meets the requirements of those laws? So it’s important to make sure that we’ve created the right scheme for the plumbing. And so we’re constantly collaborating between those two different groups, to try to lay that out. So that’s a lot of what we do. And then I think that we also try to wrap up this challenge with education, because there’s a distinct set of challenges that the digital ad ecosystem has, both from a technology standpoint, but also from a compliance standpoint. And so we’re constantly trying to talk about what those challenges are, what solutions we can develop at the IAB to address those challenges, and what kinds of solutions you need to work with your own partners to figure out how to accomplish on your own as well. Well,

Jodi Daniels  12:41  

on behalf of all of your members, thank you so much for all of the work that you do. And I think it’s important, I’m glad you emphasized it isn’t just education, that it’s problem solving, because they’re big problems. And we started how, you know, I could be a small emerging company or a large company and still serve the same audience and have to tackle it. So we appreciate everything that you’re doing. If we pick one of those laws, our friends over in California, the CCPA is obviously creating a number of challenges for companies, especially with their unique definition of the sale of data. So I was wondering if you could share a little bit about how the recent Sephora enforcement action is impacting the digital advertising ecosystem? Yeah, I think

Michael Hahn  13:30  

that Sephora becomes more of a wake up call, but really shouldn’t surprise anybody. In many ways, that was perhaps one of the most unsurprising decisions we could have expected from a regulator, because they’ve been signaling this direction for quite some time. So I’m going to maybe answer this question by taking a step back from Sephora, and talking about this concept of sale, which is obviously a key part of the Sephora decision. So the digital ad industry spent a good deal of time having significant debates in 2019 about what did it mean to sell personal information, and nobody liked it, no one liked being designated with that terminology: I sell personal information. And so everyone tried to figure out how do I handle this from a marketing standpoint, in particular brands and to a certain extent publishers, but also how do I comply? And very much that gets to what does it mean? Does the sale include things like measurement and frequency capping? Does the sale include things that happen, you know, after the to self renters when there’s an exchange of personal information? What does consideration mean? And how narrow or loose is that defined? And so one of the things that we synergized on, after much debate between different parts of the ecosystem, is that we were never going to agree on what it meant to sell, and that we’d have to hear from regulators on that. But one of the things we could agree on is what it meant to be a service provider, which is how we ended up creating our first IAB Limited Service Provider Agreement. And, as you know, service provider is an exception to sale. So fast forward now to Sephora: we have heard for the last two years an increasingly broad view of sale coming from the regulator. We hear this in conversations that companies are having with the Attorney General’s Office. We hear this and see it in some of the case summaries they’ve released. We also see it even from the CPPA.

In their pre-rulemaking meeting, we heard the executive director refer to measurement as being a sale. So you’ve got this really big broad construct, and it makes sense. There’s never a regulator who says I’m going to take a narrow view, it’s always going to be a broad view. So in comes Sephora, and everyone has been focused on GPC now. Obviously, the Attorney General’s Office promulgated a regulation mandating the use of GPC, there were previously released cases, they’re obviously deeply invested into GPC. And we get the Sephora case.

Jodi Daniels  17:00  

So Michael, can I interject for just one moment, because some of our listeners might not be as familiar with what GPC is. If you don’t mind, sharing a little bit of what that fancy acronym stands

Michael Hahn  17:11  

for. Sure, GPC is Global Privacy Control. And so the concept behind this is that consumers do not need to make an election or choose to opt out on each individual site that they go to. The concept of GPC is that you can make a preference, whether it’s through the browser you use or perhaps a plugin, and have that be essentially preset, and it’s like each time you visit a site, your opt out election would be triggered. So Sephora was not set up to accept the GPC signal, and so I’m sure that there are a number of folks in the digital ad industry who began to call up their consent management platforms and say, please, please make sure that I can accept the GPC signal right away. But I think what was actually more important in the settlement documents and in the complaint was how they refer to the scope of sale. They refer to the scope of sale as being quite broad in nature. And that if you use, I’m going to use some technical terms, a pixel, web beacon, SDK, and, you know, in return, you’re getting, you know, some sort of, you know, analytics or measurement or whatever it is, even if you’re not paying for it or otherwise, it constitutes a sale. And there were no carve outs for any particular purposes, there were no carve outs for measurement or frequency capping or anything else. It was very broad in nature. So I try to actually encourage folks to focus on that part of the Sephora case and not so much the GPC, because the GPC point was truly obvious, given how much the regulator has invested into that concept.

Jodi Daniels  19:22  

Well, thank you for expanding, because I think what I’ve been finding, and in fact, just this week, had conversations with people who asked me was I surprised by the action? And I had the exact same answer that you did: no, given the signaling. But it also depends on who you ask, because some people eminently disagree with the definition, so those people were surprised because they liked their definition. And I do think that the GPC part was a surprise to some people, because it hadn’t been as clear exactly what to be doing and hadn’t been focused on, I think, as much. And I definitely see companies scrambling, calling up content managers trying to figure out how to make it happen, for sure. Well, let’s switch gears a little bit. Oh, switching gears.

Justin Daniels  20:11  

Can you share more about the IAB’s recent announcement about its Multi-State Privacy Agreement? Or MSPA. Every industry has lots of acronyms, huh?

Michael Hahn  20:21  

Well, what would we do without an acronym. So we released for public comment our IAB MSPA, the Multi-State Privacy Agreement, in an effort to solve the compliance challenge across the five different new state laws. And, you know, this gets back to my initial point of, we’re here to try to solve problems. And this was really an effort by our working group over the course of nearly a year. The work was very much premised on how we expected the regulatory landscape to continue to evolve. So we assumed that decisions like Sephora were going to be coming our way, we assumed, at the beginning of this, that things like measurement and frequency capping would likely be interpreted as a sale. And so all of these things, I’d say, were important pieces of information that validated our approach, which is, let’s not get torn up in esoteric views about what constitutes the scope of sale, and trying to create niche defensible positions for individual companies, but rather, let’s lead from the front on privacy. And let’s demonstrate to the regulator that we see what they’re doing, we hear them, and that we are committed to creating a means of compliance for the industry. And so what we’ve done with the MSPA is we said, we’re going to try to solve for a couple of really critical use cases that are going to be very challenging for companies to accomplish on their own. The first is, when the consumer opts out of the sale of their personal information, it likely includes measuring ads and frequency capping the ads. That being the case, we need to have an answer to this. So those two things are not cross-context behavioral advertising, they’re not targeted advertising in the other states, but they’re still likely to be sales. So the way you typically address challenges like that is you try to create service provider relationships.

And so one of the things that we’ve done is we created this large network of service provider relationships through the MSPA. The MSPA is a springing contract. What does that horrible lawyers’ term mean? Well, we have essentially a network of signatories. And the contractual privity, the contractual relationship between the parties, is triggered as it follows the data amongst the signatories. So if I land on a publisher’s website, my personal information is sent from a supply side platform to multiple demand side platforms. If that publisher says this needs to be an MSPA-covered transaction, there’s a technology signal that flags it, and it means that only someone who’s a signatory can participate in that transaction. And there are certain rules, and we have the privacy rules in the MSPA that try to set that up. And so in the context of measurement and frequency capping, frequency capping being the sort of thing to make sure that you don’t see an ad 50 times, it caps out at whatever the number is that’s set by the advertiser, three, four or five times, then we can still continue to do those things through this network of service provider relationships. Similarly, think of something like contextual advertising, right? Contextual advertising is something that typically involves less collection of personal information. But one of the important things to know is that when you use this real time bidding automated system for the delivery of a digital ad, it requires the disclosure of the IP address. Well, that’s personal information. So if the consumer opts out, you can even deliver a contextual ad through the real time bidding process. We solved for this by again creating this network of service providers in this springing MSPA contract. But that then brought us to our second big challenge, which is that service providers can no longer combine personal information any longer under CPRA.

So one of the things that we add: they can no longer engage in cross-context behavioral advertising. But the combination point actually became the one that required us to take a step back and think about, you know, what are the policy goals of the law, as well as what is the exact language. And interestingly, if you look in CCPA’s language, it talks about the business being able to concurrently jointly control the purpose and processing, jointly controlling the purpose and means of processing with another. That’s copied right out of GDPR. And so essentially, what we do is we do what you can do in GDPR with respect to measurement and frequency capping an ad, which is to basically say that a publisher and an advertiser who are in this network can designate the advertiser’s measurement company as their joint service provider to measure. So if it’s helpful, I could give a real practical example.

Jodi Daniels  26:18  

Please do. That’d be great. Thank

Michael Hahn  26:19  

you, my goodness, because if I’m quoting definitions out of the statute, I probably lost your audience. All right, so we’ll keep it real practical. So I’m a consumer, I go to a publisher’s website, I happen to be a runner. And so I am shown an ad for a major shoe company. And so I view that ad, and I click on the ad. So there’s a pixel in that ad, it’s a little piece of code. It collects that I saw the ad, I clicked on the ad, and sends it to a measurement company, which was hired by the advertiser who served that ad. So that’s actually sending my personal information from the publisher to the measurement company. Now, I’ve gone over to this shoe website. And they also have a pixel on their page that’s placed there by the measurement company. So that measurement company is the service provider to them. And there’s no problem then of taking my personal information that maybe I added running sneakers to the cart, and I abandoned it, they would send that information to the measurement company. What do measurement companies do? They do measurement and attribution. How successful was that ad that was served to Michael Hahn? Well, the challenge there is that measurement company, they’ve got as their service provider the personal information about the abandoned cart experience, but they need to combine it with the information that was sent from the publisher. Can’t do that anymore. Under CPRA, you can’t combine personal information as a service provider. So what we’ve done with the MSPA is to reflect actually the reality of the situation, which is that publisher whose site I visited, and that advertiser whose site I also visited, they’re both designating the measurement company as their joint service provider, to specifically measure that ad on my behalf. So that it is a lawful combination, because it’s the same engagement.

It’s not multiple engagements, and basically combining information for different business purposes, which is really what the conservative that rule is about.

Jodi Daniels  28:41  

So thank you for sharing. If I may, I won’t use any names. But there are some measurement companies that like to combine that data and add it with all the other data. So it wouldn’t be just the shoe company and shoe ad, but they might collect all of it to try and better understand who I am, build profiles kind of around it, even though they might still be measurement. So can you share a little bit whether those types of companies or discussions were included in this agreement? Or what happens in that scenario for the publisher to think about, would that still be constituted as a sale of data? Because those measurement companies might be pushing it a little bit farther than what you just described?

Michael Hahn  29:30  

Sure. Well, there’s no circumstance in which a measurement company acting as a service provider could ever do any of those things; that would be clearly unlawful. Now, it would also be unlawful to do that in the context of when the consumer opts out, as well. Can’t do that. You can’t add someone’s information to an identity graph that the company has when the consumer opts out, you can’t, as a service provider, engage in cross-context behavioral advertising any longer. So you can’t do that any longer. So then the question is, when can you do that? Well, you could do that when you don’t have a service provider relationship in place, and the consumer does not opt out. So that is something we certainly allow for in the context of our agreement, provided you’re not in the service provider relationship, and the consumer has not opted out if it’s not a service provider relationship. But here’s where things actually get really tricky and complicated, in particular, for example, with the measurement companies, is that there’s a whole other rule. You now need in California, if you are selling personal information, to have a contract in place with a third party to whom you sell personal information. And it has to have certain required language in that contract. That is an enormous challenge for the industry, one which we’ve tried to address with the MSPA. But what do I mean by that? I call this the untidy ends of the digital ad distribution chain. There are any number of sales that happen in the distribution of a digital ad for which parties do not have a commercial contract in place. And a measurement company is a perfect example of this.

So as I mentioned before, in that example, that measurement company that was engaged by the shoe company, the measurement company’s pixel is typically placed by the agency into what we call the ad creative, into the ad that ultimately renders on the publisher’s website. That publisher is selling personal information, that is my view data, to the measurement company that was hired by the advertiser. Well, there’s never a contract between the advertiser’s measurement company and the publisher. So what do we do to try to address this in our contract? Well, with this industry contract, it basically creates and fills these gaps, that if we’re all in this network of signatories, and the measurement company is a signatory, and the publisher is a signatory, when that personal information is sent from the publisher to the advertiser’s measurement company as a sale of personal information, the MSPA fills the gap with those terms; they would never normally have a contract with each other. And it’s tough to ever imagine a world where a measurement company that’s hired by an advertiser is going to now have a contract with any number of websites where that ad might end up. It is continuing to

Jodi Daniels  33:13  

be complicated. It was complicated before. Now it is complicated after. But Michael, thank you so much for doing a really nice job of laying it out clearly, so that an average person who is not knee deep in this technology could understand it. Like you. You resin, Justin you. Okay, so Michael,

Justin Daniels  33:40  

we like to ask all of our guests, what is your best privacy or security tip for the benefit of our listeners? My

Michael Hahn  33:48  

tip is to find great partners, find great lawyers who are your outside counsel that will provide you terrific advice, find great privacy vendors who can provide you practical advice. I can’t tell you how many times I have conversations with lawyers at significant law firms, and they’re still looking for cracks and crevices to find, I’ll call it, nuanced, really smart arguments for ways to find exceptions in the law. And that is probably not the place for you to put your eggs. If you’re gonna put eggs in a basket, that’s probably not the basket you want to put yourself in, you know, as we look at privacy over the next five years. And so I think having great counselors to give you the law and also give you practical advice and help think about this regulatory landscape is incredibly valuable. Now,

Jodi Daniels  35:06  

you gave us a hand before but when you are not solving for complex privacy challenges, what do you like to do for fun? Well,

Michael Hahn  35:16  

I spend most of my time, as most people in my age bracket, shuffling my kids to sporting events all over the New York, New Jersey, Pennsylvania area. So when I’m not doing privacy, and I’m not doing that, and I’m left with my 1% of time left in life, I like to run, which I’ve been doing, oh, gosh, for 35 years. And so that is my one thing that’s all mine.

Jodi Daniels  35:46  

See, you’re not the only one who has to drive people. A couple of weeks ago, I was ready to buy Justin a chauffeur cap. Well, Michael, thank you so much for sharing all of this great knowledge today. If people want to learn more, where’s the best place for them to

Michael Hahn  36:04  

go? The best place to go is to And you’ll see on our homepage, more information about the MSPA. And I’m also always open and available to talk with folks. They can feel free to reach out to me at

Jodi Daniels  36:28  

Wonderful. Well, thank you again, we really appreciate it.

Michael Hahn  36:31  

Thank you.

Outro  36:37  

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.

Privacy doesn’t have to be complicated.