Intro 0:00

Welcome to the She Said Privacy/He Said Security Podcast, like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels 0:22

Hi, Jodi Daniels, here, I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies. Hi.

Justin Daniels 0:36

I am Justin Daniels, I am a shareholder and corporate M&A and tech transaction lawyer at the law firm, Baker Donelson, advising companies in the development and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cybersecurity risk. And when needed, I lead the legal cyber data breach response brigade.

Jodi Daniels 1:00

And this episode is brought to you by ding Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services and digital media. In short, we use data privacy to transform the way companies do business together. We’re creating a future where there’s greater trust between companies and consumers. To learn more and to check out our best-selling book Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. This is our first podcast recording since our vacation, and I’m all confused. I was trying to share screens instead of pressing the record button, I had to remember how to plug in our mics. Anyone listening? If you remember what it’s like to come back from vacation, maybe that’s you. Maybe you’re catching up while you’re on vacation, we are right there with you.

Justin Daniels 1:53

Yes, we won’t delve into all of the personal information it was collected about us on the cruise ship.

Jodi Daniels 1:59

No, but it was fun, because as a good privacy person, and what many others, of course, do on their vacation when you’re traveling, you look for all the differences. I liked getting off and when we were in Italy and seeing the huge screen that talked all about my personal information, how it was being collected, or when you would go to any gelato or restaurant shop, you could see their cookies and their privacy notice. I found that fun and exciting.

Justin Daniels 2:26

And whichever guest wants to find us on LinkedIn, and guess how many gelato shops we went to, there’ll be a free gift waiting for you.

Jodi Daniels 2:34

There’s not enough gelato anyway.

Justin Daniels 2:37

Well, we have a great guest today, and I would like to introduce her, and it is Lexi Lutz, who is currently the senior corporate counsel at Nordstrom, where she advises the company on all things related to privacy, cybersecurity and AI from a legal perspective. Prior to Nordstrom, Lexi worked for a large, national hotel brand and an international food service company. Lexi, how are you today?

Lexi Lutz 3:04

Yes, hi Justin and Jodi, thank you so much for having me. I’m thrilled to be here with y’all today.

Jodi Daniels 3:09

Well, we are excited to have you, and we also really love Nordstrom, so let’s get started like we do all the time, which is, help us understand a little bit about your career evolution to where you are today?

Lexi Lutz 3:22

Yes, absolutely. So I started out working at a law firm, but full transparency, I knew early on, even in law school, that I wanted to be in house. I had interned both in house at a law firm, extern for a judge, and it was very apparent that in house is really where I wanted to be. I loved being a part of a company and a cohesive team and being able to see from the beginning to end the company achieve its goal. So I did work at a small firm for a year, doing mostly IP and some business litigation, and then when opportunity presented itself, I switched over to a food service company where I focused primarily on employment law. Was there for a couple years, and then I had an opportunity to become more of a generalist at a hotel company. So I was there for five years, and I focused on employment was a big part of it, but this was around the time that the CCPA became effective, so I was kind of the bottom man on the totem pole. And they said, Who wants to take privacy? I raised my hand and absolutely fell in love with it, which is why I’m talking to you today. And then the opportunity for Nordstrom opened up, because I was kind of a Jill of all trades at my previous role, I kind of, I don’t want to say, stunted my growth, but it didn’t really give me the ability to delve into privacy as much as I wanted. So being able to really focus on it in a full time role was more what I was looking for. So that’s exactly what Nordstrom was offering, and it just had been a company I’ve admired pretty much since I can remember. So I was thrilled for the opportunity as a shopper.

Jodi Daniels 5:08

I admire Nordstrom as well. Anyone learning to try and figure out customer service. You definitely should follow and pay attention to what Nordstrom does, a plus.

Justin Daniels 5:20

And Jodi, it’s tough. I am one of those who don’t get big customer service. Yes, I noticed you give your own personal counsel. Low marks for responsiveness.

Jodi Daniels 5:30

Depends on the day.

Justin Daniels 5:32

So Lexi with a lot of your background in retail, and retailers are on the forefront of data collection and marketing to people I get my Nordstrom emails as well as others. Um, can you talk to us a little bit about how have retail privacy programs evolved in the last several years with the proliferation of so many state privacy laws?

Lexi Lutz 5:53

Yes, absolutely, that’s a great question. Yeah, I’m pretty sure now we’re at around 19 state privacy laws. I could be more or less one or two off. But, yeah, I mean, it’s definitely a huge issue, because the way that data looks now, from a business to consumer collection perspective, is completely different than it looked just a few years ago. So I think, you know, the best way for retailers to approach it at this point is, I think a lot of decisions need to be made about what kind of approach do retailers want to take. And obviously that’s all going to depend on how large the company is, how many resources they have, you know, whether or not they operate in certain states that have maybe more strict laws versus other states. So, you know, I think there are decisions to be made about, do you want to go state by state? Do you want to go kind of a more comprehensive approach, where you pick the, you know, the strictest law, and then take that interpretation and have it apply to all the states that have laws now that we’re almost half the states, and doesn’t seem like the federal law is going anywhere at this point. So yeah, I think there just have, there have to be decisions that have to be made, and you have to identify kind of who those stakeholders are that need to make those decisions, and then obviously be transparent with your consumers and your customers about what data is being collected, what’s being shared, who has access to it, whether it’s being sold and you know exactly what it’s being used for.

Jodi Daniels 7:30

Lexi, what departments do you find tend to be part of those conversations?

Lexi Lutz 7:36

Yes. So typically, in any pretty, any retail you’re going to have marketing be a part of it. Um, and Jodi, I know that you are passionate about marketing, so, um, yeah. So definitely marketing. Um, the technology team, really, anything that touches technology, is going to have some type of data, whether you know, it might not be personal information, but it might be company confidential information integrated into it, and definitely, honestly, even litigation as well, because that has to deal with a lot of the company confidential information, a lot of times personal information. And then lastly, a big one of my kind of, quote, unquote internal clients is employment, because there you have not only personal information, but also sometimes medical information, because you’re dealing with workers’ comp, you’re dealing with, you know, health benefits, things like that.

Jodi Daniels 8:32

I like that. You emphasize the litigation piece. I think that’s an area that a lot of people might forget could have personal information. So thank you for adding that. This morning I got an email from a software company about their sub-processor list. And nowadays, with so many privacy laws, people are starting to pay much closer attention to third parties and the third-party vendor. So from your perspective, how do you think the new privacy laws have impacted diligence and the contractual requirements when companies are working with these third parties, because those third parties might need access to the personal information?

Lexi Lutz 9:14

Yes, yeah. I mean, a lot of the requirements that are coming out in these privacy laws, even the kind of ones that are quote-unquote considered “less consumer friendly” or “more business friendly,” do have these requirements for ensuring that contractual obligations between a vendor and a, you know, and a customer also apply to sub-processors. And so frankly, for companies, I think it’s a little bit irritating, because, like any new compliance or law, it is that you have to change your operations. Help can be a little bit a, you know, a sore point or a pain on the side. But as far as, from a consumer perspective, I actually think it’s great. I think that a lot of times, companies, prior to these laws being in place, maybe didn’t do as much due diligence, or weren’t as concerned maybe about the information and where the information that they were collecting was going, not to say that they didn’t care. But a lot of times, if you are contracting with a well-known company, it could be that, oh well, their reputation speaks for itself. We’re sure that their data is fine, and then come to find, there’s a breach, and, you know, all heck breaks loose. So I think, I think it’s great. And as far as you know, what companies and retail companies specifically should do with respect to those third-party contracts is just understand that these laws are really just ensuring that, back to the customer trust, right? It all goes back to customer trust.
And okay, the customer is trusting you with this information, whether that’s because you’re Nordstrom, and you know, everyone knows that Nordstrom has great customer service, or maybe it’s because you’re just a large retail company that people know your name, so they assume that their data is safe, but when it comes to the third party, they might they’re not necessarily consenting to hand that information over to them, so you need to make sure that you maintain as much control over that information as you can, which is why you need to ensure that that those contractual obligations flow down to not only the processors of that information, but also the sub processors. One analogy that I think about often, and I guess that’s because I worked at a hotel company for five years, but when you check into a hotel and you put a security deposit down, and it’s just your name on the room, but then you have a friend come visit you, right? And then your friend breaks the lamp, and you can’t just point the finger at your friend and say, well, it’s their fault. They’re liable for that, because the hotel entrusted you with the room with the lamp. And you know, you can’t just expect that to automatically for the liability to shift just because it was something that your friend did. So obviously, probably you wouldn’t have to enter into a contract with your friend who came to your hotel room. But that’s just kind of the analogy that I think of, is that you can’t just automatically shift the burden. You need to make sure that whoever is in control of the information, and if it’s being passed along that you are, you fully understand where the information’s going, what is being done with it, and the proper controls are in place. And then, if there were a breach, kind of where does the liability shift to?

Justin Daniels 12:57

You know, when I hear Lexi talk about a hotel, and I think about data, I think of Hotel California. When it comes to your data, you might be able to check out, but your data never leaves.

Jodi Daniels 13:08

I can see another song coming.

Justin Daniels 13:10

It could, so Lexi, as we, as you talk to in your intro, you have to deal with privacy stuff, but you also have to deal with cybersecurity stuff. And last December, a new law came on the cyber landscape from the SEC which deals with public companies of all stripes. And I would love to get your perspective on how from a retailer’s perspective, you know, all the different retailers you might have to comply. How does the SEC cyber rules start to change the kinds of security requirements that retailers may pass on to their third party vendors, and how has it changed your expectations for how they’re going to secure such data? Because now a third party data breach, if it’s material, could require the publicly traded company to have to report to the SEC?

Lexi Lutz 14:02

Yes. So from my perspective, it all just goes back to the control that I was just talking about with respect to the SEC requirements. Obviously, hopefully vendors should know that if they have a publicly traded company that they are doing business with that, there’s probably going to be higher expectations, as far as you know, not only due diligence, but also just general security requirements by that vendor. And honestly, I mean, again, this is another thing that is probably annoying for companies. I think it’s good, and with respect to vendors, it seems like, you know, a lot of times they just kind of agree to whatever the customer wants, but now that there are going to be stricter requirements, for example, specific information that needs to be provided. And that the company will likely want to pass along to the SEC, or at least provide it to whoever is preparing the form to provide to the government to essentially report if there is a data breach. I think you know, that’s probably more a burden on the third parties just to make sure that they understand what happens if there is, if there is a breach, but, yeah, I mean, as far as for the retail company, as the retail company, you know, I think I would suggest just ensuring that all contracts are up to date, that all the relevant information that would be required if there is a breach, so that you can promptly investigate it, just be readily available, and if there are any vendors who you’re having issues with, or filling out the form, or completing what you need to complete, or getting the certifications that you’re requiring, to maybe rethink that. Obviously, you know, try to be as flexible as you can. But you know, it is the SEC rule, it’s nothing to be taken lightly. And I know we haven’t seen much case law on it yet, so it’s difficult to kind of see how it’s going to play out in the long run.
But, you know, I think probably just err on the side of taking as many precautions as you can with your third parties, and just having a comprehensive approach and holding everyone to the same standard.

Justin Daniels 16:31

That’s interesting. Lexi because two initial thoughts I have around the SEC law with what we’ve seen is number one, publicly traded companies, even if they’re not sure if it’s material, they’re tending to err on the side of disclosure. But in another maybe unintended consequence with especially with the prosecution of the Uber CISO, I think publicly traded companies are going to have a harder time getting chief information security officers to take the job in light of the SEC Rule and where some of the prosecutions have gone?

Lexi Lutz 17:04

Yes, yeah, no, I, I completely agree. I think that it kind of leaves companies, and especially CISOs, in a little bit of a rock and a hard place, because, you know, you want to be as transparent as possible. But then, if your CISO is now potentially being personally held liable. You know, I feel like there’s going to be a lot of internal conflicts in order to determine, kind of, okay, what are we defining as material? And if we’re, if we’re the SEC playing Monday morning quarterback, and we find out about this, is this something that we’re going to look back at and say, Oh, that’s something they should have reported. So I feel like it’s kind of a vicious cycle at this point. SEC kind of put everyone in a bit of a harder position than planned.

Jodi Daniels 17:52

Well, switching gears to the third leg of all the pieces that you focus on, privacy, security and AI. I’d love to hear, how do you think retailers are thinking about incorporating AI from the consumer experience on a website or in a store?

Lexi Lutz 18:12

Yes. So anytime I think about AI and retail, are you all familiar with the movie Clueless?

Jodi Daniels 18:21

So the very first thing, hold on, I have to ask, are you familiar with the movie? Clueless?

Justin Daniels 18:26

I’m familiar with it.

Lexi Lutz 18:28

All right, very odd. Yes. 90s topic, Alicia Silverstone, yes. So I, I kind of think when I go to AI and retail the very first scene, I think it’s like in the opening credits, maybe when she’s picking out her outfit for school, and she picks out her iconic kind of yellow plaid outfit, and she has this very 90s kind of Macintosh computer, and it’s kind of sorting through her closet, and then it matches the two outfits, and, Like, it has, like a matte green and then she goes and gets it, um, that that is, like my I remember when I was younger watching that and just being so enthralled, like, I wish my closet had something like that. Not that my closet is anywhere near the size of Alicia Silverstone in that movie, but I think it comes down to, really the main things are personalized customer experiences and also just general assistance and efficiency. So first going to kind of the personalized customer experiences. Jodi, I’d love to hear from you that you think Nordstrom has great customer service. That’s something that you know, even with AI coming into play, I don’t foresee Nordstrom, or really any retail company, sacrificing their customer service, as far as from a human perspective, because there are certain things that you definitely need. Humans for so, you know, example would be opinions on how does this look, or how is this supposed to fit on my body, you know, in human touch, and, you know, helping someone zip up their dress, or, you know, things like that. But as far as personalization, you know, from a digital perspective, there are ways in order to look at customers. For example, purchase history, search history, where AI can be definitely beneficial to say, “Okay, this is what this person likes. This is what this person has purchased in the past.” We see their behavior. We see their preferences, and you know, it makes that personalization a little bit easier. 
You know, I don’t think this isn’t anything necessarily new, but I think, you know, there are opportunities to personalize things even more. If someone is searching for an outfit to eat gelato in Italy in June. Um, you know, what kind of outfit would that be? Um, so, just a little more personalized, a little more specific, and, you know, the ability to kind of leverage the data that we already have on individuals based on their purchase history, but then also tailoring it to product suggestions that the person would appreciate, and then hopefully buy. And then the other part is efficiency. You know, again, a lot of people think, well, AI might take the human aspect out of customer service. Frankly, there are some questions that customers just wanted to answer. Where’s my package? That could be something AI could just help to say, okay, we can track it, instead of having a human go on and enter, you know, whatever the order number, and trying to make that more efficient so that the humans can be utilized for those more creative, strategic tasks that humans honestly are going to be more useful for and then also more helpful for.

Jodi Daniels 22:14

Yeah, right now I would really like a human on two retailers who have promised packages and they are not here. They are days behind. My favorite one is where the email says it’s delivered, and then it says, well, it could say delivered, even if it isn’t delivered, and you have to wait three days before you’re allowed to complain. That’s a fun retailer right now. But I digress. I look forward to the opportunity to be able to say, I’m looking for this. Find me this kind of dress for this kind of occasion, and then poof, it comes. And you kind of have that on a website where you can pick, I’m a guest at a wedding, and it will give it to you, but you still have to kind of sort. I’m excited for the day where I can just speak, and then poof, it’s here. I’m going to be excited about that. And then I want the human to be able to help sort through it all.

Justin Daniels 23:01

That’s the combination? AI shopper plus, yes, human person.

Jodi Daniels 23:06

Yes, that’s what I want. Okay.

Justin Daniels 23:09

Well, Lexi. Do you have a best privacy or security tip you’d like to share with our audience?

Lexi Lutz 23:18

Yes. So I have a couple. My first one is, I know that a lot of people get really bogged down with emails, marketing emails, things like that. So, and I don’t do this myself, but I’ve heard people do it, and I don’t know if someone has shared this as a tip before, but my first one is if you can have a different email for shopping, for really anything that you use for shopping online, and that way that can reduce the amount of potential marketing emails in your email. That one I think I might try to start utilizing because I did hear someone talk about it the other day, and then my other one, actually, Jodi, I got your Red Clover Advisors newsletter earlier, and it was talking about how the ICO, the Information Commissioner’s Office, came out with a guidance regarding what really matters in a privacy policy, or do they matter at all? All of us three here agree that privacy policies, of course, matter, but I would guess that the majority of the population don’t really care if they get an email saying we’ve updated our terms; it automatically goes to the trash, or it’s just ignored, disregarded completely. So I think you know. So I was reading that article that you know you sent in your newsletter, and then that was published by the ICO. And I think if you are a consumer, and you have a million things to do. You get something that says we’ve updated the terms to our privacy policy. If you have 60 seconds, click on it and just go down to information being collected and why they’re collecting it, whether they’re selling it or sharing it, like I feel like even just knowing that information will at least, and it might not change whether you use the product or not. A lot of us don’t really have a choice, for example, like on our phones Apple’s terms, like we can’t just reject it and then we don’t have a phone.
But there are certain there are certain companies where you don’t, maybe necessarily have to use that company if they aren’t handling your data in the way that you want to, or if they’re collecting more information than you feel comfortable with, or sharing it with maybe a third party that you don’t feel comfortable with them sharing it with. Like I said, there’s a lot of information in the privacy policy that maybe consumers don’t care about, even though it’s required by law to be in there. But I think if you’re a consumer and you really don’t care about privacy policies or privacy notices, please just figure out what is actually being collected, especially if it’s like, maybe it’s not a retail company, but especially if it’s like a health device or app or something that contains, you know, more sensitive information, just to give you edification of information of you that is out there, and then also give you consumer choice. Maybe you don’t feel comfortable with that, and just taking kind of 60 seconds do like a control find on your phone or your computer, if you’re looking at it from the screen, and just do a search of collection, and it should be there. And I feel like that would at least give people a peace of mind, knowing what is out there, versus just, you know, putting your head in the sand and ignoring what information is being collected about you and what, what’s being done with it, who it’s being shared with, etc.

Jodi Daniels 26:57

Those are excellent tips. And thank you, also, for following the newsletter. That particular newsletter was a LinkedIn newsletter today. I thought it was a really cool story. Now. Lexi, when you are not advising on privacy, security or AI, what do you like to do for fun?

Lexi Lutz 27:13

Yeah, so I like to say that law school kind of stole all my hobbies because I was so immersed in it. So, you know, a lot of, I mean, I think work is fun, but a lot of reading and writing, because that’s kind of what I do already, but I like to do it personally as well. And then this summer and last summer too, I’ve been very intentionally focused on tennis and golf. I used to play tennis when I was younger, and then dropped it. Golf I had never really played, but I’ve been trying. I’ve taken a handful of lessons, but this summer, I’ve been very intentional about it. Doesn’t help how hot it is, because I feel like I’m outside for five minutes and I’m already, like, breaking a sweat, but, but, yeah, so those and then I also love volunteering. I’m pretty active with the American Heart Association here in Charlotte, and then also the International Association of Privacy Professionals in Charlotte. Really enjoy giving that to the community. And then I also recently started, just in my free time, not in like a professional capacity or anything, educating seniors so in like retirement communities and assisted living homes, on just very, very basic education on how to protect themselves digitally. Because I know that a lot of these senior citizens have people that really care about them, and probably already just know how to navigate the online atmosphere. But unfortunately, I feel like a lot of the seniors, maybe they don’t bring it up to the people who care about them, or the people that care about them just assume that they’re not being exposed to these kind of things because maybe they’re not as active online. But I know that when my grandmother lived in Charlotte, she actually lived in one of the assisted living communities that I’ve spoken at, and had conversations with the folks about it.
You know, she had had stuff come up that I was just like, well, you really didn’t have to respond to that email, or you really didn’t have to click on that link, if you just kind of knew the basics of, you know, not only phishing and scams and things like that, but also just like, what’s a cookie? Like, they don’t know what a cookie is. So I do that sometimes in my free time, just because I’m, I’m a little bit of a freak, but I also love giving back to the community, and selfishly, I just really like hanging out with senior citizens, because I feel like they have just great stories and great life advice that I can’t really find anywhere else. Yeah.

Jodi Daniels 30:00

That is true, but I really love what you just shared. Imagine if every privacy pro spent one hour a year, how many people that could impact? And then if they did it twice a year, what would happen? I love that idea. Thank you so much for doing that.

Lexi Lutz 30:20

Yes, and I’m happy to share any of my materials. If anyone is feeling philanthropic.

Jodi Daniels 30:25

I really, really, really, I have some thoughts on how we can try and spread the goodness that you’re doing here. So thank you and Lexi, if people would like to connect with you, where should they go?

Lexi Lutz 30:37

Yes, you can find me on LinkedIn.

Jodi Daniels 30:40

Wonderful. Well, Lexi, thank you so much for coming today and sharing more about privacy, security and AI in the retail space, and also how we can all educate the seniors in our community.

Lexi Lutz 30:51

Yes, thank you. This was such a great conversation. I’m honored to have been a guest on y’all podcast. And yeah, looking forward to listening to more episodes.

Jodi Daniels 31:02

Thank you again.

Lexi Lutz 31:03

Thanks y’all.

Outro 31:09

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.

Privacy doesn’t have to be complicated.