Intro 0:01

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels 0:21

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional, providing practical privacy advice to overwhelmed companies.

Justin Daniels 0:37

Hi, Justin Daniels here. I am a corporate M&A partner at the law firm Baker Donelson.

Jodi Daniels 0:44

Yay. Why am I saying yay?

Justin Daniels 0:48

Because it appears, because I don’t always say it when we do this, that people think that I am an actual employee of Red Clover. I am not, but I assure you, I work for Red Clover, just not in an official capacity.

Jodi Daniels 1:04

Now what else do you do? Next or finish introducing here you guys see,

Justin Daniels 1:08

I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches.

Jodi Daniels 1:25

And this episode is brought to you by Red Clover Advisors. We help companies comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more and to check out our new best selling book Data Reimagined: Building Trust One Byte at a Time, visit We are off to a really silly start here today. Yes, we are. I think we need it. We need it. It’s only Tuesday.

Justin Daniels 2:09

I know but there’s just a lot going on. And I think a little levity is always a good thing.

Jodi Daniels 2:15

There is an our spring break that was only two weeks ago feels like it was three months ago. I think we need another but today we’re not going on vacation. Today we’re going to talk about all cool things privacy because we have Arlo Gilbert, who is the co-founder and CEO of Osano, the leading data privacy platform for simplifying privacy compliance. And you know here at Red Clover, we like to simplify privacy. Gilbert is an Austin native. He is a high growth leader with more than 20 years of experience in building companies and industries ranging from payment processing and telecommunications, to digital health and enterprise software. He has an established track record of conceiving original product ideas, validating demand, building awesome teams, raising capital and providing excellent returns to investors. And we are excited that you are here today.

Arlo Gilbert 3:06

Thank you very much. I’m delighted to be here.

Jodi Daniels 3:11

Welcome to the silliness,

Justin Daniels 3:13

where the mayhem.

Jodi Daniels 3:15

silliness, mayhem, silliness, I win your turn.

Justin Daniels 3:20

So, Arlo, welcome aboard for today’s mayhem. As we like to learn more, talk to us a little bit about how your career has evolved to your current position.

Arlo Gilbert 3:35

Sure, yeah, absolutely. Well, as you mentioned, I am the CEO and co-founder at Osano. And sounds like we share a lot of common interests and simplifying things. In terms of my career, you know, pretty, pretty stereotypical, in fact, I would say, in some ways, even a cliche. You know, my background is late 90s. I was headed in your direction. I was on my way, adjusting to being an attorney and studying for my LSAT at the University of Texas. And I ended up with a long story that I won’t tell today, but I ended up with about 25 laptops, shipped to my house, inadvertently by a Korean manufacturer, and could not get them to take them back. And so eventually, I sold those on ubit a precursor to eBay and used the funds from that, that sale of laptops to build my very first company. And thank goodness for the internet. I did not become an attorney. No, no, no shade towards anybody who’s an attorney. But I think that would not be a place that would make me very happy in the long run. So I built my first payment company was payment processing affiliate marketing platform back in late 90s, if y’all remember. Nobody really knew what we were doing yet online. And so my lack of experience, in many ways, was very helpful. Because I didn’t have any preconceived notions about how things should be done. I built that company, sold that in 2009. I built a telecommunications company named iCall. We were a telecommunications provider, pre-iPhone, so "i" was just a cool first letter, like E-Trade. And so ran that for a number of years. Sold that 2012. And then since then, I built a couple more businesses, most recently, Mark Cuban, the Dallas Mavericks at Shark Tank, had backed my prior company, which we ended up selling to TA Associates in 2018. And while we were building that company, we were just like, man, there’s a lot of stuff happening in privacy. And so the long story short, is that I am a serial entrepreneur, right? I think I joke with my wife, I think that is the only job where the word serial as a prefix is a good thing. Everything else you can do serial is not good.

Jodi Daniels 6:18

I would tend to agree with you. So what did you notice in the privacy field that sparked your interest to start Osano? And how has all of that experience in SaaS really helped you with what you’re building here today?

Arlo Gilbert 6:36

Yeah, good question. So if you go back in time, not to date myself, but if you go back to the late 90s, early 2000s, everything lived in a single stack, right? You had a server rack in a data center somewhere that you controlled as the business owner and all your data sat there. And so if you wanted to exchange information with a business partner, inevitably, it was, you know, emailing a spreadsheet, or something along those lines back and forth. And I look back now with a bit of embarrassment at probably the quantity and lack of consent in the data that we were sharing back then. You know, it was not uncommon to email around lists of credit card payment information between partners and payment processors. So, you know, I have a lot of experience with trading data and kind of being on the dark side of that equation. And then, you know, through the years, as I build companies, I’m a technologist at heart. And so as we built companies, I watched this proliferation of cloud sharing embedded widgets. And I never really understood how we expected anybody to ever reclaim and gain control back of their data. And the analogy that kind of woke me up was I heard somebody make a joke that data sharing is a little bit like a sneeze in that once it gets out, you can never get it back in. Right. And so that was kind of a first thought that I had, that was in 2015-2016. And then when we sold our last company in 2018, we were doing vendor management, right? So large enterprise, procurement solutions and super boring stuff. But what we started having a lot of our customers ask us about was GDPR, right? Are you GDPR compliant? Can you assist us with GDPR compliance? Which really stood out to me as a wildly crazy ask and signified to me that most companies out there really didn’t know what they were doing. Because if they were asking me for GDPR advice, and I had to go Google GDPR, then they were probably in bad shape.
So as we started seeing more and more of these requests coming through about privacy related questions, I realized that this was an interesting opportunity to do something positive for society. And, you know, potentially make a little bit of money at the same time. But, you know, our real takeaway from that was that there was this slow drum of privacy beating, right, it was kind of like you heard about GDPR, every so often started increasing. We started seeing more in the news cycles, started seeing the Apple and Facebook and the Equifax drama. And it just became evident this was a titanic shift in the way that the internet and data were going to be handled, and how it was going to impact business and consumers. And like any good entrepreneur, I wanted to be part of the hot new thing. So that was the inspiration for getting involved in privacy, really was just a lot of experience of being on the dark side, and a lot of experience of having customers and friends asking me about data privacy.

Jodi Daniels 10:13

And privacy is on the upswing, and it’s cool and hot. Sometimes. I never make fun is the Look at me. Yeah.

Justin Daniels 10:24

So, you know, looking back on your career, how has your prior SaaS experience shaped how you are deploying and developing this latest SaaS privacy product offering?

Arlo Gilbert 10:38

I mean, every single startup is a lesson, you tend to learn a lot more from the failed ones than you do from the ones that do really well. I think that’s a Bill Gates quote, you know, success is a horrible teacher. But, you know, I would say that the things that we really learned in the process of building prior companies, you know, privacy by design, right, this was something that was not talked about a lot. But good architecture actually generally supports good privacy. And so if you can assemble your systems in a logical and scalable manner, your odds are pretty good that you’re setting yourself up for success in terms of privacy, because it usually means things like you’re not using emails as your primary identifier for individuals. There’s just a lot of pieces to the puzzle there. But, you know, in terms of my prior SaaS experience, I think the biggest thing that we really took away was that the bar for business software is extraordinarily low in terms of usability and lovability. And there’s never been a category I’ve seen where that’s more true than in privacy. So many of the products that are out there are just painful to use. And so you know, what we really learned was, build something that you want to use, build something that feels intuitive to people who aren’t experts. And the odds are pretty good that successful follow when we look at Canva, Figma has been great examples of that.

Jodi Daniels 12:23

The privacy market’s changing really quickly. And you know, since you’ve been started, your product has also evolved and changed. Can you share a little bit about how Osano is helping companies today manage privacy? What does the product look like today?

Arlo Gilbert 12:40

Yeah, absolutely. So Osano started out. We had some theories about vendor risk and vendor data as being something really interesting we wanted to build. And however, we did acquire an open source cookie pop up product, back in 2018, right after we formed the company. And by virtue of that, we found ourselves with a lot of people coming to us asking about whether we sold a commercial cookie pop up. And so, you know, we quickly pivoted because product market fit as we all know, is one of the biggest things that puts a startup out of business is a lack a lack of product market fit. And so when you do find people asking you for a feature or a capability early on in the in the company journey, it’s a good clue that you should probably do what they want. So that I tell you this, because we had the this vendor risk data set with teams of attorneys who review privacy policies and cookie policies and GDPR statements and GPAs and they review them and then we have an ontology 163 data points that we look at as being best practices in regards to disclosure, security, you know, consent, all sorts of different pieces of the puzzle there. And while we were building that, we then stumbled upon the cookie pop up, and and that ended up being fortuitous, because it turns out that virtually every company in the entire world starts their privacy journey with the cookie pop up, right though love it, hate it. You know, it’s definitely a polarizing subject, the Yes, I accept cookies button. Many people are annoyed by it. Some people feel like it does something really positive for consumer disclosure. But But ultimately, Osano sells a product suite. So think of us as being the tool box that can help privacy professionals or business executives to build a privacy program from scratch from cookie pop ups to rights management, to doing internal assessments to assessing vendors to connecting to data sources and doing data discovery. from soup to nuts. 
We really have every capability that you need. It all started with that cookie pop up and has grown from

Jodi Daniels 14:59

Arrow. Keys are love or hate. I personally prefer chocolate chip these days.

Justin Daniels 15:09

So, you know, Arlo, you said something interesting about the bar being pretty low for adoption of various types of SaaS or other technology products. I still encounter on a regular basis when people want to do business with my clients, particularly startups. Their thought about privacy and security continues to be that it’s an afterthought. It’s not a core design feature of the technology. But where I’m heading with this with you is, I’d love to kind of flip the coin a little bit and ask you, in your experience, when you’re talking to businesses, what is the biggest obstacle to adoption of your platform when you’re talking to five?

Arlo Gilbert 15:56

I think our platform is pretty representative of the general privacy industry, right? Because we make a lot of different features. And so, you know, we tend to catch customers at the beginning of the journey, the middle of the journey, as well as you know, when they’re jumping ship from another provider. And, you know, the biggest obstacles that you encounter there are, there’s the startup issue, and then there’s the privacy issue. And those are really kind of two independent pieces. So in the beginning, the hardest part was just getting people to trust us and try us because we were an unknown quantity, we were a brand new company with that much reputation. And we didn’t have a client roster. Good point two, that’s always hard. But every startup in the world has to deal with that. So clearly, it’s something that can be overcome. The biggest obstacle, though, what I would say, would 100% be a lack of knowledge and understanding about privacy, and the why behind it. And then candidly, a lack of incentive to make privacy a core piece of the puzzle at any business, right. And y’all been around the block. So I mean, we saw what in, you know, 2018, for example, right? The biggest multinational companies in the world, sure, they were building out privacy programs. But aside from that, you go talk to a consulting shop in Oklahoma, they view that as being a very European thing, right? They kind of bury their heads. And so the biggest challenge was always about motivating people and creating some sense of urgency and highlighting how this could be a good thing for their business, by creating the carrot and the stick. Thankfully, that’s changed lately. And now we see so many fines, you know, from Sephora to the Googles, you know, around the globe. In the C suite, general counsels at firms, this is becoming now really top of mind in terms of risk mitigation. So it used to be the biggest obstacle. But now, that has shifted a little bit.

Justin Daniels 18:15

So I wanted to ask you a follow up question. Because, as you said, at one point, you thought about going to law school and thankfully, your career went down a really cool path with the being a positive serial entrepreneur. So I wanted to use that to frame up this question is reading between the lines of how you just answered the last question, this little thing called CCPA. And another five states have passed privacy laws has obviously been good about making it become more top of mind. And so what I wanted to understand a little bit from your perspective is how do you view the privacy laws from a perspective of, hey, they’re helpful to my privacy business, but then you might be as an on your entrepreneur side, say, You know what, the more of these laws that we have, I almost feel like it stifles innovation, because if 50 states have a privacy law, that’s a lot of different things to comply with. So I’d love to get the different parts of the Arlo privacy entrepreneur brain versus the Arlo serial entrepreneur who most innovation is kind of stifling, or legal regulation is stifling. I’m sorry.

Arlo Gilbert 19:25

Yeah. I mean, look, the Internet has become a regulated industry. I mean, full stop. It is up there now finance, oil and gas, you know, it is regulated. We’re just seeing the beginning of that. So, you know, when you think about this patchwork of state laws, for my business, candidly, that is actually positive, right, the more complex and challenging that it is to comply with regulations, the more that having software in place that can help to kind of mitigate that risk is a positive thing. From a social good, one of the things about Osano that I didn’t mention up front is that we are a B Corp. So we’re a public benefit Corp as an entity, and we are a certified B Lab corporation. Right. So like, Patagonia, lots of these kind of crunchy, Birkenstock-wearing type of companies. And the reason that I say that is because a big piece of why we built this business was around the idea of doing something positive for the world, right? I don’t know enough about climate change, I don’t know enough about clean water or education to be impactful there. Data privacy is a place that could be impactful. And I do think that in terms of innovation, you probably see a lot more lawyering happening at companies in terms of, you know, data shares, we have seen a huge upswing. Companies that want to consolidate on a single platform to mitigate risk, again, a positive thing for Osano, because we make many products, but the point solution, pendulum swings, we swing it back a bit. And I think that can be a negative thing for innovation. But in terms of privacy, innovation, I feel like the fines, the patchwork of laws, all of these things, although they may stifle some innovation, I think that a great idea. And entrepreneurs who are passionate about building and solving problems are going to find ways to do those within the bounds of what’s legal and okay.
And what we’re really going to see is a reduction in these kind of fly by night business ideas where the only business value they have is buying and selling data, right, that data exhaust. So I’m optimistic.

Jodi Daniels 21:56

Arlo, as we were just talking about how the adoption of privacy and for some companies that are really large, they’ve been doing it now for a while, for other smaller companies, they’re just getting started. I know in our business, we see a number of different functions who kind of quote unquote, own privacy. And I’m curious, who do you come across most often or some of the more common players of who’s paying attention to privacy in organizations today?

Arlo Gilbert 22:24

Yeah, I mean, if you ask that, you start at kind of the very top of the pyramid and you say, you know, what kinds of organizations are most concerned about privacy, right, these tend to be organizations that have a lot of public facing brand, or they’ve got a well known brand. So they’ve got exposure and risk, and they recognize that they are likely targets for, you know, Attorneys General, private rights of action, you know, regulators in Europe. And those companies are pretty clearly the companies that are driving the vast majority of the buying and innovation in privacy right now. And that is now starting to trickle down into other kinds of organizations. And that affects who the buyer is pretty substantially. So at really large enterprises, and we’re talking Fortune 500, which think about 15% of the Fortune 500 are some customers. At that scale of organization, you tend to have large compliance teams, right. So we’ve got some large insurers, for example, and large banks that are customers, and they have web compliance teams with 10 to 20 people that do nothing but web property data privacy compliance. When you go down market, right. And that all usually reports into the CISO in some regard, at least it’s coming out of CISO budget, oftentimes, we see the privacy teams reporting in there. When you go down below the Fortune 500 is when things start getting scattered, right, and you start seeing some person who is in operations, and you know, they got handed privacy almost in a punitive way, like, hey, here, have fun with this one. So they are then suddenly responsible for both procuring software, finding consultants, engaging with attorneys, and at the same time, just trying to figure out what they’re supposed to be doing, right. They’re like, we joke about entrepreneurship, they’re trying to build the airplane while they’re in mid flight, right?
And they hope that they can get the privacy engine put together before the plane hits the ground. So very, very wide swath once you go below the large enterprises. We see marketing, we see legal getting involved. We see a lot of security and IT folks. But of course near and dear to our heart, CPOs, Chief Privacy Officers, but not a lot of companies have those stuff.

Jodi Daniels 25:03

Thank you for sharing always helpful to see what others are identifying in the industry.

Justin Daniels 25:09

So as we talked in the very allude to having our broadcast today, we talked a little bit about artificial intelligence and part of your offering, in particular, you know, you’re going to collect a lot of data and see a lot of different privacy programs, practices and data collection. As someone who is always looking kind of towards the future, you have any initial thoughts about how AI is going to improve your offering, and just how it might be helpful to the privacy industry in general?

Arlo Gilbert 25:42

Yeah, I mean, I’m a big fan of AI. And we have actually had some AI in our products for a couple of years. One of the things that our product does is we connect to, one of our core capabilities is connecting to data sources, like maybe your Salesforce, or we’re connecting into your Marketo. And we’re scanning those SaaS offerings to identify references to Justin, references to Jodi and references to, you know, their cars and their VIN numbers and their social security numbers and their IMEI numbers on their phones. And so, we have a lot of pattern recognition that is going through and getting context from documents and yields and applications, to identify people, and then to surface that in risk mitigation and rights management workflows. So that’s how we already use the AI. The ways that I’m really excited about AI for the future of Osano is that we’ve built this proprietary data set. So I mentioned we have this ontology of 163 points that we look at as being the primary factors that define a good privacy program versus a bad one. But the approach that we took to doing this, you know, we go out and read every compliance document that a company publishes, right, candidly, it’s human attorneys in the United States, bar certified, who are going and spending their days reading documents, and then doing the virtual equivalent of using a yellow highlighter on those documents. And then explaining how they interpreted those documents and how they mapped to our best practices ontology. So if you look at this corpus of data, this ontology, and then this massive archive, we have, basically every compliance document that any company has published in the last five years, these are the foundations for building some pretty cool AI that can analyze privacy policies really effectively, and can identify risk really effectively purely by reading documents.
So we do expect that in the next year, we’ll start introducing additional AI capabilities of the tool, although our hope is that it will be transparent to customers in that they won’t feel like oh, you know, Osano put an AI badge on something so they could charge more money. This is really actually about being able to do a better job for our customers. Any thoughts? And man,

Justin Daniels 28:15

I think we’re in the top of the first inning learning about this stuff. I think one of the interesting issues will be what kind of data gets put into the software. At least with Arlo’s tool, he has the data from all of his company, customers, but the challenge will be you’re gonna have to de-aggregate that data because you have massive issues of confidentiality or potential privacy issues, if it’s somehow be able to be identified with a customer. And that’s information that’s not supposed to be put onto a tool. And then I’m also reading that most website Terms and Conditions have statements that say, Hey, for AI purposes, you’re not supposed to scrape our website. So in essence, you don’t have their permission to start scraping the website. But I think for Arlo, if I put on my Arlo hat, really interesting obligate ramifications for having very discrete datasets that are very privacy specific, because that’s the industry that both he and you are in.

Arlo Gilbert 29:17

And your point about aggregated data is is super, super spot on. Right? I mean, the the challenges that we read about with some of the big AI programs out there are data was used in compiling that language model. Do you own part of that language model? Right? Should you be compensated? Is it your data anymore? And there’s there are a lot of deep questions.

Justin Daniels 29:42

You know, I’m glad that you brought that up, Arlo, because I did the global rollout for a large company where they bought an AI tool in the Human Resources space. And one of the issues we got into in the contract was, as I said, Look, you have to de-aggregate the data, but if some threat actor comes in and he or she can re-aggregate that or identify people in that data, I was like, that’s called a data breach, and you need to be liable for that. And what I’m saying is, you have to think very differently in these deals now because privacy and security and what’s going on with the data plays such a key role. And the typical in your industry, SaaS or other kinds of boilerplate, it doesn’t deal with it. This is all new stuff.

Jodi Daniels 30:24

Yeah. Well, Arlo with everything that you know, in the privacy space, we always like to ask everyone, what is your best personal privacy tip?

Arlo Gilbert 30:36

My best personal privacy tip would be the on those on those dinosaur websites that still ask you personal questions, like, you know, what was your favorite book when you were a kid? And, you know, if you had to eat one food for the rest of your life, what would it be? My privacy tip? Is that both the is that the answer is 100% of the time a randomly generated string, but I store my password manager. Because I feel like those questions are a treasure trove for hackers who want to learn a lot about me or for, for the companies who want to learn about me, right? It’s, it’s posited as a security mechanism. But boy, that’s interesting information to have about all of your users.

Jodi Daniels 31:23

Very good point.

Justin Daniels 31:24

So the next time I get asked Who is your best friend growing up, I’m gonna say it was Arlo Gilbert. Now, Arlo, when you’re not blazing the path and the new SaaS product and the privacy industry, what do you like to do just to have fun?

Arlo Gilbert 31:46

Well, you know, my investors, I hope they’re not listening, because I do occasionally take a few minutes off from work. And when I do, I would say that my wife and I are both fanatical crossword puzzlers. So you’ll find me every day in The New York Times doing the mini crossword and the Spelling Bee and the Wordle and all of those things. And it’s a healthy combat that we’ve gotten our relationship. So you know, at the end of the day, we can sit down and usually me, I’m usually the one that’s doing the groveling as my wife completely decimates me in all of those games. But that would be my biggest hobby, would be word games.

Jodi Daniels 32:29

That’s really fun. Well, we’ve enjoyed the conversation tremendously. Thank you so much. If people would like to learn more and connect, where should they go?

Arlo Gilbert 32:38

Just head over to That’s And one of our amazing team members will be there waiting in chat to help you out and answer any questions if you have them.

Jodi Daniels 32:50

Well, thank you again, like I said, we really appreciate you sharing your perspective.

Arlo Gilbert 32:55

Jodi, Justin, thanks for having me on.

Outro 33:02

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.

Privacy doesn’t have to be complicated.