Alan Chapell is the President of Chapell & Associates, a law firm serving the interactive technology, media, and advertising industries. He has served for 20 years as an outside counsel and privacy advisor to VC-funded AdTech and MarTech companies. Alan is also the Principal Analyst for The Chapell Report, a monthly continuous information research tool that helps investors and compliance teams understand the key privacy, competition, and regulatory trends driving the advertising and media marketplace.
Here’s a glimpse of what you’ll learn:
- Alan Chapell’s career journey from law school and sales to establishing Chapell & Associates
- The concept of “privacy and glass houses” and uncovering vulnerabilities as a privacy professional
- How privacy professionals can negotiate with business teams to balance business and privacy obligations
- How The Chapell Report helps businesses navigate the evolving privacy and regulatory landscape
- Tips to help companies manage evolving privacy laws
- Alan’s perspective on “McPrivacy” and the risks of oversimplifying privacy programs
- Alan’s personal privacy tip
In this episode…
Businesses often struggle to balance their privacy programs with the demands of evolving privacy laws and operational obligations. Privacy programs often reveal hidden vulnerabilities — what some call the “privacy underbelly” — that can expose companies to risks. With a growing patchwork of state privacy laws, businesses need to adopt flexible, proactive strategies to maintain compliance while aligning with business objectives. How can privacy and business teams collaborate to build strategic privacy programs?
Privacy professionals need to bridge the gap between compliance and operational goals by clearly explaining liability risks to business teams while aligning privacy initiatives with organizational objectives. Leveraging privacy resources like The Chapell Report can provide actionable insights into evolving regulations, helping privacy and business teams simplify complex concepts to collaborate effectively and build trust with each other.
In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels speak with Alan Chapell, President of Chapell & Associates, about balancing privacy programs with business priorities and compliance obligations. Alan discusses strategies for navigating complex privacy regulations, finding hidden vulnerabilities in privacy programs, and aligning privacy efforts with business goals. He also explains the need to push back against his concept of “McPrivacy” — an oversimplification of privacy measures that can create risks in privacy programs.
Resources Mentioned in this episode
- Jodi Daniels on LinkedIn
- Justin Daniels on LinkedIn
- Red Clover Advisors’ website
- Red Clover Advisors on LinkedIn
- Red Clover Advisors on Facebook
- Red Clover Advisors’ email: info@redcloveradvisors.com
- Data Reimagined: Building Trust One Byte at a Time by Jodi and Justin Daniels
- Alan Chapell: Website | LinkedIn | X | Spotify
- Alan Chapell’s email: chapell@gmail.com
- Chapell & Associates
- The Chapell Report
Sponsor for this episode…
This episode is brought to you by Red Clover Advisors.
Red Clover Advisors uses data privacy to transform the way that companies do business together and create a future where there is greater trust between companies and consumers.
Founded by Jodi Daniels, Red Clover Advisors helps companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. They work with companies in a variety of fields, including technology, e-commerce, professional services, and digital media.
To learn more, and to check out their Wall Street Journal best-selling book, Data Reimagined: Building Trust One Byte At a Time, visit www.redcloveradvisors.com
Intro 0:01
Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.
Jodi Daniels 0:22
Hi, Jodi Daniels here. I’m the Founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies.
Justin Daniels 0:36
Hello. I am Justin Daniels, I am a shareholder and corporate M&A tech transaction lawyer at the law firm Baker Donelson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cybersecurity risk. And when needed, I lead the legal cyber data breach response brigade.
Jodi Daniels 1:00
And this episode is brought to you by — where’s the ding? New ding today. Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services and digital media. In short, we use data privacy to transform the way companies do business together. We’re creating a future where there’s greater trust between companies and consumers. To learn more and to check out our best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. Well, hello. How are you today?
Justin Daniels 1:37
See that coffee you had this morning?
Jodi Daniels 1:40
It’s just, it’s such a pretty fall day. It’s actually fall here. It’s sunny outside. The leaves are changing. It’s crisp air, and it’s not 80 degrees.
Justin Daniels 1:47
Do I get credit for happy? Do I get credit for identifying that your shirt is new?
Jodi Daniels 1:53
Absolutely good attention to detail.
Justin Daniels 1:56
Well, because for our listeners, in other areas, my attention to detail seems to be lacking.
Jodi Daniels 2:02
Yes, in work, amazing attention to detail. I hear this is a common challenge amongst some people, all right. But today, today we are bringing on a longtime privacy pro and friend of mine, and I’m so excited, we’re gonna have some fun, maybe even mixing privacy and music together. We have Alan Chapell, who is the president of The Chapell Group, and he has 20 years of experience as outside counsel and privacy advisor to VC-funded ad tech and martech companies. He produces a really cool report called The Chapell Report, and it’s a monthly continuous information research tool that helps investors and compliance teams understand the key privacy, competition and regulatory training trends driving the advertising and media marketplace. So Alan, welcome to the show.
Alan Chapell 2:55
Well, thanks so much for having me and Justin, I feel your pain. I am often told by my wife and daughter that my head is in the moon. There’s a Spanish phrase that says your head is in the moon, meaning that I’m not paying attention to those important details, like, this is a new shirt, so I feel your pain, right?
Jodi Daniels 3:15
You have company. I know this makes you feel better.
Justin Daniels 3:18
Just as long as I know that I’m not insane within my bubble, I’ll have many, many challenges where my performance falls under optimal levels.
Jodi Daniels 3:30
Yes, in a performance report, we would call those areas of opportunity.
Justin Daniels 3:34
If only they were communicated that way.
Jodi Daniels 3:38
Alan, okay, we’re gonna come back to Alan.
Justin Daniels 3:40
Okay, so, Alan, why don’t you tell us about your career journey?
Alan Chapell 3:46
Sure. So, you know, it’s funny. I ended up taking a gig at a company called Jupiter Research, which was sort of a competitor back to Gartner and Forrester. They were focusing on the burgeoning consumer and internet economy. This was 1997. I took this gig because I just wanted to have a full-time job while I was going to school, at law school, at Fordham at night. And so I was at Jupiter for about four and a half years, just during the time I was in law school. And then in December of 2000, as many may remember, the internet as we knew it had burned to the ground, and so all of the big jobs of being a privacy lawyer were no longer really available. And in fact, I probably applied to several hundred law firms trying to, trying to get a gig, and nobody was hired. So I went in and did sales for a couple of years, which was really, really, I cannot emphasize this enough, a really bad decision from my part, because I’m not equipped for that. I don’t do tech sales, but I did it for a couple of years, and it became really clear to me that if I wanted to have a fulfilling and happy career, I need to figure something else out. And the thing I figured out was based on a lot of fear and uncertainty and doubt coming from California, where California had this opt-in email marketing law. Saw that in 2003 and I said, wow, look at all of the fear and uncertainty and doubt being created in the email marketing space about this opt-in privacy law. And so in 2000 and the end of 2003 I put out my shingle as a CAN-SPAM privacy attorney, which was kind of naive at the time, because it’s what I realized very quickly, was that that was a much smaller subset of a much larger set of challenges. And really, for the last 20 years, I’ve been out there, you know, working mostly with the, you know, VC-funded companies, and building out privacy programs and helping companies get sold to the Oracles and the Salesforces and the Googles of the world.
Jodi Daniels 5:51
It’s so interesting about your sales experience, because I, I know some people — love or hate sales role, and it is a whole different universe of experience and challenges. And so good for you for early on identifying not the right place and finding what does make you happy.
Alan Chapell 6:12
Well, but also so thank you, but, but what? Also, what’s really fascinating from my perspective, there is that, had I not undergone that sales step, three years of doing sales, I don’t know that I would have been successful with Chapell & Associates, because Jodi, your author, you’re selling now you may or may not be able to sell, you know, compare, oh, my email marketing blast company is better than the competitors. I couldn’t do that. I just did — wasn’t boy, I can sell me though, and so, but, and having that background was really, really helpful. So it’s kind of funny in life where you do something that’s probably kind of a dumb decision, and then it turns out that it was the smartest thing you could have done.
Jodi Daniels 6:53
Fair point. Now, you mentioned privacy programs and privacy programs, they’re complicated. They’re complex. We have a lot more requirements these days, and you have a thought about this idea of privacy and glass houses. So tell us a little bit more.
Alan Chapell 7:11
Well, I operate primarily in the digital media space, and the one thing that I would say is that everybody walks around pretending like they don’t live in this big glass house, and nonetheless, everybody does. Everybody wants you to focus on the one or two components of their privacy program that make them seemingly quote, unquote privacy safe. We’ve used privacy by design all those fun little buzzwords, but the reality for most companies is that there’s an underbelly there, where they’re, where they are exposed, because by nature, of how their model works. And that’s one of the things that I always try to like to think about. You know, when you’re interacting with almost any company, somewhere in there there’s an underbelly that nobody wants to talk about. Your job as a privacy professional is to figure out where that underbelly is, because if you’re representing them, you want to make sure you understand it so you can help to protect it.
Jodi Daniels 8:09
Alan, are there any hints to help people figure out how to find that underbelly?
Alan Chapell 8:14
Well, the one card is that if people like you, they’re gonna share stuff with you, and one of the things that I think sometimes gets forgotten in privacy discussions is the likability factor. Richard Purcell is probably one of the most likable people I’ve ever met. I haven’t talked to him in a couple of years, but wow, what a great guy. He ended up being CPO of Microsoft. Be a Richard Purcell to the extent that you can. If somebody comes up to you with a harebrained or poorly thought through or even maybe sinister idea for making money, your job is not to be Kareem Abdul-Jabbar and swat that into the back row. Your job is to take that, appreciate the thought that goes into it, and then maybe walk the person through so that they can see maybe where the logic gaps are, because that’s a very different approach than I think some privacy people take, which is again, to, you know, waft the idea back into the fourth row.
Jodi Daniels 9:20
Makes a lot of sense. Relationships count everywhere.
Alan Chapell 9:25
I couldn’t agree more.
Jodi Daniels 9:26
Why are you looking at me with this strange look?
Justin Daniels 9:29
Because Alan was referring to Kareem Abdul-Jabbar.
Jodi Daniels 9:32
Okay, and well, that’s what we have you for.
Justin Daniels 9:35
I was waiting to see if you knew who that was.
Jodi Daniels 9:37
That’s what you’re here for.
Justin Daniels 9:40
I’m sorry, Alan, I’m having a little fun at the co-host’s expense. So with what you’re talking about, Alan, with, you know, having ideas, how do you balance those with privacy obligations? And you know, what could companies be doing better to find that balance?
Alan Chapell 10:03
Well, I think that this whole thing is a bit of a negotiation as between the privacy person and the business team, and your job as a privacy person, particularly if you’re their outside counsel, is you’re there to protect them, and if you’re able to explain to them why this X, Y and Z is going to create liability for them, the chances of you being listened to go up dramatically. And I think that’s sort of the balance and the core challenge, and perhaps the chief complaint of the privacy person is that they tend not to be always listened to. I have fewer of those challenges, I think, as the outside counsel type, than I suspect some in-house folks do, because what ends up happening is that, you know, you keep saying the same thing, and business people have a tendency to tune you out. And since I have fewer interactions because I’m not sitting in the office and talking about the Mets, or I’m sorry, or the Braves and solid ground here, you know you’re not talking about the local sports team and not in the office every day. I kind of have a slightly different role.
Jodi Daniels 11:21
Alan, talk to us about The Chapell Report. How did it get started? What kind of information is within it?
Alan Chapell 11:27
Yeah, so, like, 12 years ago it came to me. So my model, by the way, is mostly, you know, a monthly retainer. Month you pay me X, and then I sort of own your privacy program. And over time, I tend to slide in as companies build, I tend to slide over from an owning to an advising, you know, type of a role, but coming in, I’m sort of there to own the privacy program. But if you think about this, from like 10, 12, 14 years ago, there were months that my clients weren’t hearing from me, and I thought, you know what? That’s not a great thing if you’re expecting them to continue to pay. And so what I started doing was this monthly update, like, all right, what’s going on? You know? What’s going on with the Boucher or the Kerry bill that’s being run through Congress, or what’s the European Union thinking about in terms of implied consent for cookies? I’m going way back there with some of this stuff. But little by little, this, this silly little, you know, two-page update has morphed into, you know, a 30 to 40 page of text, because there is so much going on right now in the space. And what I’m hearing from, from, you know, CPOs and very senior privacy folks is like, you know, they need to spend, you know, half their time doing nothing but just evaluating, looking at what’s going on, trying to make sense of it, and then, and there just aren’t enough hours in the day. And one of the things that I’m trying to do with The Chapell Report is to tell you both the what and the why, and then also where I think the puck is going to go. The goal here is that, as you can be an asset to the Chief Privacy Officer of fill in the blank, so that they can bridge the gap between them taking what they think the rule set is and operationalizing that into their own specific circumstances. If I could do nothing but narrow that gap, then I think I’ve driven some value.
Jodi Daniels 13:25
And if people are interested in grabbing that report, how do they do that? Is that a subscription? Is that a newsletter? How do they find it?
Alan Chapell 13:32
So the free version is a newsletter that I write for a group called Market Texture Media. And I do a weekly on Wednesdays, you can go to markettexture.tv, and you can find The Monopoly Report, which talks about privacy, regulatory, big tech. So every Wednesday I put out a monthly, I’m sorry, every Wednesday I put out the free version. The larger version, which is like the 30 or 40 page thing, is a subscription, and it’s priced similarly to a Forrester vertical or a Gartner vertical. So it ain’t cheap, but if you really think through how much time it takes to hire somebody to put all this stuff together and then to make sense of it, if you’re running a digital media privacy team, I’m biased here, but I think it’s a bargain.
Jodi Daniels 14:20
I love it. Thank you.
Justin Daniels 14:24
So how are companies managing this growing list of privacy laws? Is it 19 or 22 Jodi, I’ve heard two different numbers lately.
Jodi Daniels 14:32
I’m gonna let Alan share his view first.
Alan Chapell 14:35
Okay. Well, you know, I think we’ve gotten off pretty easily. I’m gonna leave aside the State of Washington, because that’s its own little thing up there, but that might help my data. But other than that, if you look at most of these laws, there are some distinctions to be drawn, but generally speaking, it’s not that difficult to create a program around the current set of rules being put out there and so and you just adopt it, really, for the entirety of the US. I’m not here to say it’s easy, but boy, it could have been a lot harder, like, you know, what if one state just decided they were going full on and opt in, which, you know, isn’t out of the question. One of the places that, for me, is really interesting about the state privacy laws is the choice signal, the automated choice signal discussions, because there’s a couple of states that are getting really into the anti-preferencing stuff. So the idea is that if you’re a browser purveyor, and you turn on a signal that it can’t preference your other businesses, so you think about a browser that might, you know, just innocently have a deal with the search engine, where it’s sending search logs on street, downstream, either to the search engine or to an advertiser, right? Okay, you turn on a global privacy control, okay. Is that transfer of data over to the search engine, is that a sale? Probably a sale under California law, because they got a pretty broad law there. So, the point I’m trying to make here is that the state laws are starting to get really into the browser, the browser market, and the preferencing of different signals. And I think that’s an area that I don’t think a lot of folks have really been thinking through.
Jodi Daniels 16:35
Curious, Alan, your little fortune teller ball, crystal ball here. Do you think, and you don’t have to pick the state, but do you think there will be a state that goes to an opt-in philosophy?
Alan Chapell 16:48
Well, arguably, Washington already has.
Jodi Daniels 16:51
Right, so I’ll rephrase at a comprehensive level. So kind of separate the unique health pieces.
Alan Chapell 16:59
You’re very tied with the word that you were unique, did a lot of work. I don’t know. Yeah, I think there’s a chance to — who do I think is going to be the lead. That’s a great one. You know, I can see a world where California went back, you know, bellied back up to the bar and try to go opt-in. You can make an argument that a lot of the regs that they’re putting together are creating a backdoor attempt at an opt in standard. By the way, one of the other things that I’d always thought would happen on the state level is some state would come out with something that is so crazy that it would create a groundswell for federal preemption. And it’s sort of interesting that that hasn’t happened yet. I thought the Montana TikTok ban was going to do it, to be honest with you, and that hasn’t happened yet.
Jodi Daniels 17:49
Yeah, interesting. All right, so speaking of TikTok, but not actually TikTok, so on other social media platforms, you talk about McPrivacy. What is McPrivacy?
Alan Chapell 18:03
It’s a term that I coined, actually, like, 20 years ago. It’s sort of an oversimplification of privacy, and I think that’s a real risk, certainly for the digital media world. But I think really, everywhere we’re in digital media, it’s sort of like, for years, it’s like, well, we don’t touch PII and we put icons on ads and we’re listed in the right opt-out page. And, like, that’s it, dunk. And the reality is, you’re building a privacy program that’s maybe the start, but it’s certainly not the program. And I think that’s so this is sort of like, how do you get that message to the business community. And one of the things that I’ve been attempting to do anyway is to drive home that McPrivacy is actually advancing big tech, because big tech tells the rest of the marketplace, oh no, no. It’s going to be like this. We’re going to do a prompt for the Chrome browser. And everybody takes big tech at their word, at the face of what they’re saying, in part because of privacy, because they’re sort of like they don’t understand the subtlety of a lot of the stuff that’s being communicated, and it’s creating all kinds of challenges.
Jodi Daniels 19:17
I appreciate you sharing about McPrivacy. I do think people sometimes try and put kind of the rubber stamp, and, you know, here’s what I’ve done, and I’ve checked the box, and I move on and I keep going. Think that’s a little bit of this similar idea, and it’s, it’s really just so much more nuanced than that. And I’m, I’m kind of hopeful that companies realize, especially with this growing list of laws, they have to really look at the differences amongst all those laws, and consumers are getting more savvy. I think the more laws and the more media attention and the more awareness campaigns that states are doing will help. It’ll take time, but it will educate the regular person who will demand a bit more. We certainly see it in the B2B space. It just will take a little bit of time, I think, to get to the consumer space.
Alan Chapell 20:02
Yeah, I would agree. And there’s, you know, there’s, there’s an entirely different level of sophistication even now, you know, you think about, you know, the teens and the tweens and folks who were in their, you know, early to mid 20s who have, like, now, been, you know, their entire life has been with, you know, cell phones or whatever, like we can still remember before time. A lot of those guys, those folks, can’t, and so there is a fair amount of additional sophistication, even with, you know, with the kids.
Jodi Daniels 20:31
I was recycling electronics at a local recycling electronics day, and I had a wireless phone, and my daughter said, what is that? She thought it was a remote. She started holding it. Look trying, yeah, that it’s fascinating to see where we are. Okay? Just means you’re old, it does it?
Alan Chapell 20:55
Yes, doesn’t like to hear that. Well, you both look fantastic.
Jodi Daniels 20:59
Thank you. You know he’s older, so we could keep going there, but we’re not decidedly older.
Justin Daniels 21:03
Yes. So when you are out and about, do you have a best privacy tip you’d like to share with our audience, given your many years of experience?
Alan Chapell 21:15
That’s a great question. I’m probably going to give a horribly unsatisfying answer, but, but here it is. I travel a lot, and if you’re going to work on your laptop while you’re on a plane, put a screen in front of it. For goodness sake. I am amazed at companies that are working through spreadsheets and stuff. I don’t look but it’s hard not to when you see, oh, wow, that’s you work at Google, huh?
Justin Daniels 21:44
Should I be shorting the stuff?
Jodi Daniels 21:47
That’s a good one. Alan, you know, sometimes the simple ones are the best. Now, when you are not advising on privacy, what do you like to do for fun?
Alan Chapell 21:57
So I’m a touring musician. I’ve put out seven albums under the name Chapell. I like to keep things simple. By the way, Chapell Associates, The Chapell Report, and Chapell is the name of my band. And I’ve been doing this for as long as I can remember. And for me, it’s kind of a nice, little interesting balance, like I am, so it’s funny. I met John Perry Barlow and had drinks with him a number of times, not because of the privacy side of things, but because John knows a whole bunch of musician friends of mine in or new trip. By the way, I should say we didn’t know who Kareem Abdul-Jabbar is. Are you familiar with John?
Jodi Daniels 22:44
I might get an S on this pop culture trivia quiz.
Alan Chapell 22:49
So John is perhaps the most interesting person for me, personally, to have met, because John is two things about him. First he was the number two songwriter for The Grateful Dead and so he wrote a ton of their songs and was intricately involved in that movement. But he also founded a group called the Electronic Frontier Foundation. And so, you know, privacy and music are like chocolate and peanut butter to me. And so being able to, like, you know, have drinks with him a couple of times over the years was just an absolute treat.
Jodi Daniels 23:24
If people would like to hear your songs, where can they find them?
Alan Chapell 23:29
You find me on Spotify, really, any of the major platforms. It’s under C, H, A, P, E, L, L, and it’s kind of funny, because Spotify’s search algorithm is not great, so you may have to do a little first of all, you’re gonna find Dave Chappelle in there. Now you’re gonna find that Chappell Roan band in there somewhere. I think they’re Brooklyn-based, right? But if you look, you’re gonna find me. I’m an 80s and 90s influenced singer-songwriter, and I’ve done tours with the Gin Blossoms, and with Everclear and with a bunch of other great bands. And that’s, to me, is, like the real fun thing is, is to be, yeah, is to be able to play, you know, once or twice a month, you know, a few in front of, you know, four or five hundred people is, it’s a blast.
Jodi Daniels 24:20
Super fun. Alan, we’re so glad that you came and shared privacy, security screens and music all in one episode.
Alan Chapell 24:30
I checked as many of the boxes as I could. I’m really happy to be here.
Jodi Daniels 24:34
Absolutely. Now, if people would like to connect with you, where’s the best place for them to do that?
Alan Chapell 24:39
Oh, you can find me at C, H, A, P, E, L, L @ Gmail. So I and by the way, I can’t wait to get all the spam from having done that. But you can find me on LinkedIn and Bluesky and Twitter. I’m not that hard to find. My website is thisischapell.com, which, I’ve given up on the pretense of separating my musical and legal careers, and so you can apply just about everything right there.
Jodi Daniels 25:07
I love it, all in one. Well, Alan, thank you again. We’re really grateful that you joined us today.
Alan Chapell 25:13
Thank you so much for having me. It’s a great, great game to see you again, Jodi.
Outro 25:21
Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.