
Max Anderson is a seasoned product executive with a proven track record of bringing successful technology products to market in the consumer privacy, data management, and marketing space. Prior to Ketch, Max was the Director of Product Management at Krux. After joining Salesforce as part of the Krux acquisition, Max ran data privacy and consumer identity products at Salesforce, including the rollout of their industry-leading GDPR solution set. Prior to Krux, Max was a Product Manager at IPG Mediabrands, where he was responsible for multiple successful advertising measurement products.
Here’s a glimpse of what you’ll learn:
- Max Anderson’s career journey from advertising and product management to Co-founder and Head of Product at Ketch
- Common consent and opt-out mistakes that expose companies to enforcement risk
- The importance of identity management in honoring consumer choices across devices and browsers
- How disconnected privacy rights forms and consent tools can lead to incomplete opt-outs
- Differences between preference switches and forms when honoring consumer privacy choices
- Overlooked enforcement risks involving identity management, cross-device opt-outs, and third-party data use
- The challenge of flowing opt-outs down to third-party advertising and marketing vendors
- Tips for testing opt-outs and assessing cross-device exposure and third-party vendor controls
- Max’s personal privacy tip
In this episode…
Getting consent and opt-out compliance right requires more than adding a cookie banner or standalone webform. It requires consent tools, consumer identifiers, and downstream third-party systems to work in concert. Regulators are looking closely at whether a consumer’s choice follows them across devices, browsers, and the systems where their data is collected and used. When those pieces do not connect, an opt-out can be incomplete, putting companies at risk of regulatory enforcement. So, what does it take to build a complete and compliant consumer opt-out experience?
Identity management is central to effective consent and opt-out compliance because consumer choices need to be honored at the person level, across devices and browsers. Privacy rights forms and consent tools also need to connect, so an opt-out request reaches the CMP controlling tag firing on the site. When data has moved to third-party advertising and marketing vendors, companies need to understand whether they can flow that opt-out downstream. Yet many third-party platforms do not provide privacy APIs or consent-related controls, and building integrations with them can be challenging. Companies should test the process by submitting an opt-out through the webform, returning to the website, and checking whether browser data collection events still happen that could facilitate cross-context behavioral advertising.
In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels talk with Max Anderson, Co-founder and Head of Product at Ketch, about navigating consent and opt-out compliance gaps. Max explains why identity management matters when honoring consumer choices across devices and browsers, and how disconnected privacy rights forms and consent tools can leave opt-outs incomplete. He also describes the challenges companies face when flowing opt-outs down to third-party advertising and marketing vendors and shares practical steps companies can take to assess vendor controls, cross-device exposure, and the areas that may create enforcement risk.
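The opt-out test described above, as an added example that is not part of the original show notes: a Node.js check over a browser HAR capture that finds the privacy-form submission and lists any ad-tech collection requests that fire afterwards. The form URL, the sample capture and the tracker rule list are constructed assumptions; replace the rules with your own vendor inventory.

```javascript
// Added example: check a HAR capture for ad-tech requests that still fire
// after a privacy-rights form opt-out. All sample URLs below are constructed.

// In-scope collection endpoints (assumed list; replace with your vendor inventory).
const TRACKER_RULES = [
  { vendor: "Meta Pixel", host: "facebook.com", pathPrefix: "/tr" },
  { vendor: "TikTok Pixel", host: "analytics.tiktok.com", pathPrefix: "/" },
];

// Match the rule host itself or a true subdomain, so "notfacebook.com" is not flagged.
function hostMatches(hostname, ruleHost) {
  return hostname === ruleHost || hostname.endsWith("." + ruleHost);
}

// Match the exact path or anything beneath it, so "/tr" does not match "/travel".
function pathMatches(pathname, prefix) {
  const dir = prefix.endsWith("/") ? prefix : prefix + "/";
  return pathname === prefix || pathname.startsWith(dir);
}

// Return the vendor name for a request URL, or null when it is not a tracked endpoint.
function classify(url, rules) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (err) {
    return null; // malformed or relative URL in the capture
  }
  const rule = rules.find(
    (r) => hostMatches(parsed.hostname, r.host) && pathMatches(parsed.pathname, r.pathPrefix)
  );
  return rule ? rule.vendor : null;
}

// Find the successful opt-out form POST, then list tracker requests made after it.
function auditOptOut(har, optOutUrlPrefix, rules = TRACKER_RULES) {
  const entries = [...har.log.entries].sort(
    (a, b) => Date.parse(a.startedDateTime) - Date.parse(b.startedDateTime)
  );
  const optOut = entries.find(
    (e) =>
      e.request.method === "POST" &&
      e.request.url.startsWith(optOutUrlPrefix) &&
      e.response.status >= 200 &&
      e.response.status < 400
  );
  if (!optOut) {
    // Without a confirmed submission the capture proves nothing either way.
    return { optOutSeen: false, optOutAt: null, violations: [] };
  }
  const optOutAt = Date.parse(optOut.startedDateTime);
  const violations = entries
    .filter((e) => Date.parse(e.startedDateTime) > optOutAt)
    .map((e) => ({
      vendor: classify(e.request.url, rules),
      url: e.request.url,
      at: e.startedDateTime,
    }))
    .filter((v) => v.vendor !== null);
  return { optOutSeen: true, optOutAt: optOut.startedDateTime, violations };
}

// Helper to build a minimal HAR 1.2 style entry for the constructed sample.
function entry(startedDateTime, method, url, status = 200) {
  return { startedDateTime, request: { method, url }, response: { status } };
}

// Constructed capture: the form lives on a separate domain (privacy.example.net),
// and the pixels keep firing when the tester returns to www.example.com.
const SAMPLE_HAR = {
  log: {
    entries: [
      entry("2025-01-01T10:00:00.000Z", "GET", "https://www.example.com/"),
      entry("2025-01-01T10:00:01.000Z", "GET", "https://www.facebook.com/tr?id=000&ev=PageView"),
      entry("2025-01-01T10:01:00.000Z", "POST", "https://privacy.example.net/optout"),
      entry("2025-01-01T10:02:00.000Z", "GET", "https://www.example.com/"),
      entry("2025-01-01T10:02:01.000Z", "GET", "https://www.facebook.com/tr?id=000&ev=PageView"),
      entry("2025-01-01T10:02:02.000Z", "POST", "https://analytics.tiktok.com/constructed/event"),
      entry("2025-01-01T10:02:03.000Z", "GET", "https://notfacebook.com/tr"),
    ],
  },
};

const report = auditOptOut(SAMPLE_HAR, "https://privacy.example.net/optout");
console.log(JSON.stringify(report, null, 2));
```

A HAR only shows browser-side collection, so an empty `violations` list says nothing about data already held in a vendor's systems or about other devices; those need the flow-down and cross-device checks discussed in the episode.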
Resources mentioned in this episode
- Jodi Daniels on LinkedIn
- Justin Daniels on LinkedIn
- Red Clover Advisors’ website
- Red Clover Advisors on LinkedIn
- Red Clover Advisors on Facebook
- Red Clover Advisors’ email: info@redcloveradvisors.com
- Data Reimagined: Building Trust One Byte at a Time by Jodi and Justin Daniels
- Max Anderson on LinkedIn
- Ketch
Sponsor for this episode…
This episode is brought to you by Red Clover Advisors.
Red Clover Advisors uses data privacy to transform the way that companies do business together and create a future where there is greater trust between companies and consumers.
Founded by Jodi Daniels, Red Clover Advisors helps companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. They work with companies in a variety of fields, including technology, e-commerce, professional services, and digital media.
To learn more, and to check out their Wall Street Journal best-selling book, Data Reimagined: Building Trust One Byte At a Time, visit www.redcloveradvisors.com.
Intro 0:01
Welcome to the She Said Privacy/He Said Security podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st Century.
Jodi Daniels 0:21
Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies.
Justin Daniels 0:35
Hi, I am Justin Daniels. I am a shareholder and corporate M&A and tech transaction lawyer at the law firm Baker Donelson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cyber security risk. And when needed, I lead the legal cyber data breach response brigade.
Jodi Daniels 0:59
And this episode is brought to you by, no one can hear that, Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services and digital media. In short, we use data privacy to transform the way companies do business together. We’re creating a future where there’s greater trust between companies and consumers. To learn more and to check out our best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. Well, hello, hello.
Justin Daniels 1:35
What’s up?
Jodi Daniels 1:36
It is bring your favorite stuffed animal to podcast day.
Justin Daniels 1:42
Yes, I see that you got that at the conference you were at.
Jodi Daniels 1:45
Well, actually, I’ve had this one for a while. So anyone listening, I have the Ketch meet opt opus on my microphone. So now you all have to go to YouTube to watch the actual clip of our little podcast, and I have mine in the happy direction, purple, and our guest is from Ketch but he must be really sad, because his is blue in the sad position, or
Maxwell Anderson 2:12
lacking or lacking attention to detail, which is consistent with the prequel to this particular podcast. I actually thought I was bringing it to the happy and No, no, today is a good day. I just mismanaged myopic list.
Jodi Daniels 2:24
Here it is all it is all good. So anyone curious, at the next conference you are at, make sure you stop by the Ketch booth and grab yours, because they are super fun and awesome. All right. So today we have Max Anderson, who is a seasoned product executive with a proven track record of bringing successful technology products to market in the consumer privacy, data management and marketing space. Today, he’s the co-founder and head of product at Ketch. And prior to Ketch, Max was the Director of Product Management at Krux. After joining Salesforce as part of the Krux acquisition, Max ran data privacy and consumer identity products at Salesforce, including the rollout of their industry-leading GDPR solution set. Prior to Krux, Max was a product manager at IPG Mediabrands, where he was responsible for multiple successful advertising measurement products. And if you’ve been in the ad tech space for a little while, you know that name Krux and such a strong background in the ad tech space and privacy. And Max, we’re so excited that you are here today.
Maxwell Anderson 3:28
I’m excited to be here, and I will tell you, I totally get the podcast thing now. You guys have the perfect voices for it. Just right, right out the gate, I was like, I understand why you’re doing a podcast. This is great. It’s awesome to be here.
Jodi Daniels 3:41
That makes me so happy. Fun fact, I actually used to do announcements when used to have announcements in schools. I don’t know if they still have announcements, but,
Maxwell Anderson 3:50
oh yeah,
Jodi Daniels 3:51
in middle school, I got to do them, and I absolutely loved it. In the same in high school, and it brought me so much joy. I wish I could do announcements every day.
Maxwell Anderson 3:59
You have to go to the principal’s office. And, you know, like, set up. There was this
Jodi Daniels 4:04
like gadget thing, and you’d have to press down this little lever for it to speak into the way they, I guess, the kind of the movies, and it was always near the principal’s office. Yes,
Maxwell Anderson 4:15
I once did that, but not because I did it out since, all right,
Jodi Daniels 4:20
Justin, kick us off.
Justin Daniels 4:24
So Max, why don’t you tell us a little bit about your career journey?
Maxwell Anderson 4:29
Yeah, it’s, it’s a little nonsensical. I got my degree in Chinese literature, I guess, like many people who don’t know what they want to do in life, you just pick something random. And that was my, that was my choice. And it was a long stint of being unemployed after school, as you can imagine. I kind of found my way into advertising. I worked as a media planner for a while. Got very curious about how people who are spending, you know, $100 million a year for advertisers actually, you know, picked the ad slots that they would spend the money on, fell into the measurement and the sciences side of advertisement. How do you prove media efficacy? That slid me into something they call product management, building the technology that kind of does that and automates it. And from there, I met Tom and Vivek, who were running a company called Krux, relatively small at the time, ad tech company kind of focusing on that, and, yeah, split my way into Salesforce thereafter, and I think you already mentioned in the wind up, ended up at Ketch as a result. The ironic thing is, we really wanted to do this privacy thing in Salesforce, and we tried to pitch privacy cloud. We were unsuccessful in the pitch, and that was kind of the impetus to Ketch. So in a nutshell, that’s, that’s how I got here.
Jodi Daniels 5:47
And that’s so fascinating, because privacy is everywhere these days, and now we have enforcement, which, for some companies, they might not pay attention until there’s enforcement. And we’re seeing a lot of enforcement around consent and opt outs. And I’m curious, from your perspective, what are companies still getting wrong?
Maxwell Anderson 6:10
Yeah, I will say it’s taken, well, for my liking, way too long for enforcement to happen. But I understand that these things take, take time. I think the fundamental issue is still symptomatic of the way I think people have been treating this problem from the very beginning. When we started the company, I remember selling people like our whole conception was, this is a really hard data management challenge. A lot of this because of everything we did at Salesforce. We were, we were, you know, before acquire, we were AWS’s third largest customer, and when we kind of drew the stick of doing GDPR for the marketing cloud, the, you know, you have lookalike modeling jobs, and you have segmentation jobs and all these data processing jobs that, you know, with a complex identity environment, right? Ad tech doesn’t work in email addresses. It works on pseudonymous keys, whether cookies or MAIDs or otherwise, that every single job had to have some kind of consent enforcement operation, and that was just a really hard problem for us to solve. It added 30% to our AWS processing bill overnight when we turned it on. And so we thought, well, what’s, you know, what’s the infrastructure layer that, you know, the market needs if everyone else is going to go have to do what we did? We got in the market at Ketch and, you know, everyone’s like, I need a cookie banner. And, of course, I remember ePrivacy, and I remember GDPR, and I get all that. But I think if you, if you still think about, you know, California do not sell as a cookie banner problem, you’re probably going to make some, some catastrophic mistakes in the implementation, because the enforcement certainly shows that the aperture of the problem domain is a bit wider. So I do think that the biggest problem is there are still companies that show up: I need to do privacy compliance, and I’m going to go buy a cookie banner. I think that disposition is probably the biggest issue.
It manifests as, you know, the pedestrian things like, oh, you didn’t block this JavaScript tag from showing up on the website. Configuration issues, those are pretty common. The more obvious and significant ones, I think, now are, you saw it in the Disney settlement, incomplete opt-outs. I’m sure we’ll unpack that later. And then the identity problem is, of course, massive. Maybe less discussed is, how do you handle flow down in a way that’s rational? I don’t think people are talking about that a ton, but the obligation is there, making it so technically is extremely hard. And I don’t think companies are fully groping that quite yet. Those are kind of the big three.
Jodi Daniels 8:33
So many really good points and items, and we’re going to break them all down a little bit further. So maybe Justin get us started. You want to talk a little bit about identity management.
Justin Daniels 8:44
So Identity Management seems to be at the center of effective privacy programs. So why is it so critical for honoring consumer choices across devices and browsers?
Maxwell Anderson 8:55
So I mean, I’ve always felt like the privacy responsibility should be kind of human centric. And again, this is colored by my background. I spent the majority of my career building ad tech products that, you know, marketers obsess over consumer connections and engagement. And so even though the data may flow or be connected to some pseudonymous identifier at the device level, the objective for a marketing campaign is to be able to understand and communicate with an individual. So there is a precondition of this kind of identity management layer. And so, you know, colored by that, when we built Ketch, it was like, but of course, consumer choices should have, you know, the same expectation. I don’t know whether or not it’s important. It was a personal belief. I think that the regulations and enforcement now suggest it’s a requirement, which is a good thing. And you know, I think it’s a very hard problem to solve. Again, back to this kind of cookie banner disposition. If you think of privacy as a cookie banner problem, you’re not going to think about a person making a choice and a person’s choice being persisted across all the devices that individual uses. But whether it’s important or not, you know, there’s a personal argument that I’ve made, and then, of course, there’s a regulatory requirement that I think people were sleeping on for quite some time, and now enforcement has made it clear that, you know, you’re going to get attention and scrutiny if you’re not figure this is a person level problem.
Jodi Daniels 10:22
We see a lot of companies come and say, I need to comply with fill in the blank law, and they think they need that cookie banner, and that’s, that’s all that they’re going to need. And they might not even need a cookie banner in the US, which is always pretty interesting. And you, you kind of hinted at banners and forms and identity, and a person. Often companies treat that cookie banner as one thing, and then they treat I need a privacy rights web form as something different, and sometimes they kind of need to go together. In your mind, why is it important to connect them so it’s a complete and a full opt-out experience? And how does that connect to being compliant?
Maxwell Anderson 11:07
Yeah, so I think when, when all these requirements came out, you know, you had cookie banners as an established, you know, product category in the privacy arena, and then the kind of implementation pattern of art for rights, for delete and access, was, you know, a form or an intake form. And when do not sell came out, you saw companies just kind of say, well, I’ve got a do not sell obligation, and I’ve got a cookie banner, so I’ll implement my do not sell in the same way I implement other rights, and as enforcement scrutiny kind of increased the thing. And again, this is topical with, with Disney, you know, not trying to pick on them. I think anybody who’s doing this, I look at every, every prospect I sell to has this problem. You implement do not sell. You have this little form, and you submit it, and then you go back to the website where all the data collection happens, and you see, you know, Facebook or TikTok or whatever, in-scope data collection activities happening on the site, and it’s not actually implicated or impacted by the form. The actual, you know, how you implement this, whether through a form or a switch, I have opinions on that. I probably won’t waste everyone’s time talking about the nuance there, but the expectation is you take an action, and the sale is, you know, affected. And if you’re taking all of these requests through a form, and you go back to the site and Facebook is still firing, you have, you have failed. And because of most companies, what they do is they, they host that form on a different domain. So it’s, imagine, you know, vendor.companyname.com or privacyrequest.com, you implement that form, there’s no way for that vendor to talk to itself and, you know, set the consent tool that actually controls Facebook or TikTok or whomever from firing. There’s no way for that vendor to talk to themselves once they’ve kind of pulled the domain context out of the core domain that they’re operating the C, A, V on.
And so whether, I guess the argument I’m making is it’s less about whether or not you do it through a form or you do it through a switch, I still think you should do it through a form, but it’s more about the fact that your ability to talk to the control system for, you know, ad tags firing on the site needs to exist. So if you’re going to implement both sides of the pattern, the form needs to be able to talk to the CMP that controls the tag firing. And by and large, there isn’t a vendor that is supporting that. And that’s what you’re seeing in a lot of this enforcement, is that they’re not able to talk to each other. And as a consequence, the opt-out is incompletely satisfied.
Jodi Daniels 13:43
I’m curious if I if I can push a little further, because you had some thoughts that you have strong belief of form versus switch, and at the same time, I kind of have some strong views, because sometimes people go to sites and I’ve never given them my name in my email, and I don’t want to fill out a form, because now they’d have my name in my email, and all they would have would be some type of pixeling experience. Can you expand a little bit about how companies might separate those kinds of experiences?
Maxwell Anderson 14:12
Yeah, that’s a good question, and I do think that there are certain cases where you could probably solve the do not sell problem in its entirety through a switch on what, you know, what we call CMP, provided you’re not showing up with like a cookie banner type language to satisfy your California obligations. I’ve heard a lot of people talk about, why are we asking about cookies? It’s a do not sell obligation. Let’s imagine you were able to author your, your, you know, your CMP to look and feel like California language, and you don’t have any data tethered to a pseudonymous identifier that’s linked to an email or a postal or what have you. Yes, I think you could absolutely implement this through a CMP. I think the challenge most companies who have that position is they do have your email address. Most companies have data tied to an email address they’re running all sorts of campaigns on. Maybe it’s email campaigns, maybe it’s data that they’re buying from a third party vendor that connects to an email address. I mean, having so much time and experience in marketing, I’m pretty confident when I say most companies, you’re either buying data or have it directly connected to an individual’s email address, and they’re concurrently licensing tools that facilitate this cross device matching, or, you know, the connection of all this data across the person and their representative identifiers. And if I read the, you know, the Honda, or more, maybe more crisply put, the Disney settlement correctly, where there’s an expectation of symmetry. If you’re doing this for the benefit of advertising, so too should you do it for the benefit of opt-outs. I think most companies are going to be closer and closer to the obligation of using this cross device mechanism.
And so now, if we implement this only through a switch, unless you have that identity mechanism behind it to traverse some graph and get back to the you know data keyed off of the email address, you are going to be a little bit stuck in broadcasting the opt out to the set of identifiers that matter so the most effective and holistic way to get to all of the data that is connected to that individual is still through a form, in my humble opinion. Now, of course, there’s going to be a lot of people who disagree, and there’s going to be a lot of I think, time between now and when that is clear, but from the way I see it, I still think it’s the most effective and holistic way to get to all the data, to take it through the form. But your point remains valid, in my opinion, that there are going to be cases in companies where that can absolutely be a sufficient mechanism.
Jodi Daniels 16:51
I appreciate your sharing. Thank you.
Justin Daniels 16:54
So what are some commonly overlooked areas in consent and opt-out management that could create real enforcement risk?
Maxwell Anderson 17:03
I mean, I think we’ve kind of been talking about them. I think the two biggest ones, there’s probably the form connecting to the CMP, again, that’s more of a symptom of the fact that you haven’t actually implemented your opt-outs in a way that holistically addressed the data. I think that’s the big one. Identity management has, of course, been a big topic, and the last couple of settlements, I think that was overlooked. I think it’s probably being well addressed, or at least talked about today. I think in the identity arena, maybe the most, it’s not talked about as much yet. But I do hear people say, well, I only need to do this when they’re logged in, and I think that can be a trap. I don’t think that that’s the expectation. I think there’s a little, I actually prepared this one for the company just the other day, but this is from the panel we were on. I hadn’t read this in a while, the breakout we were in at the IAB, Jodi. So from Sling, it says, “for consumers who do not have a Sling account, choose not to log into their Sling TV account or do not provide the necessary additional information, defendants shall treat the consumer’s opt-out choices as a request for that browser or device and any consumer profile that defendants associate with that browser or device, including pseudonymous profiles.” When I read that, I think that doesn’t, that doesn’t say that, oh, because they’re not logged in, you don’t have to effectuate this, you know, in a cross device manner. I think it’s very easy to get from that requirement to even when an individual is not logged in, provided you have the mechanisms to associate it to that individual or there are pseudonymous identifiers, you should. And so I do think that there’s going to be this tendency for companies, when implementing cross device, to say, well, it’s only when they’re logged in. I don’t necessarily read that or other things I’ve read to suggest that’s the requirement. But I am seeing that pattern, and I think it’s a trap.
And then the last thing I would say is around flow downs. I don’t think people are talking about them a ton, but this idea that it’s sufficient to satisfy an opt-out simply by stopping the future collection of data or setting of cookies, as a lot of people think that the problem exists only in that area, I think that’s a huge trap, because just imagine, 90% of companies on Earth, they use third party vendors to collect data on their behalf. That data leaves the browser or the device and goes into some server that that vendor manages on behalf of customer. And let’s not get too stuck in the business service provider nuance here. There’s certainly instances where that third party has that individual’s data, and it is used for cross context behavioral advertising. Now, when I opt out, some amount of that data is already in that server, and, yeah, you can stop collecting my data on a forward looking basis, but you’re still using the data that is in that particular system for the benefit of or for the, you know, ends of cross context behavioral advertising, and nothing about your future data collection addresses that. And yeah, you could say, well, I sent an email to Facebook or I, you know, whatever, I sent a notification. I don’t think that that’s sufficient, because all of these tools have mechanisms that make it possible for you to actually effectuate that choice in those systems. And so to me, when I think about flow, get flow down, the requirement should be that you’re reaching into that system and affecting the way that that data is being processed, and ensuring that is not being processed for cross context behavioral advertising. And I don’t think anybody is doing a good job of that, and I don’t think many people are talking about it. I think that’s one of the biggest drops that will probably come out in the next six months in enforcement.
Jodi Daniels 20:45
Let’s use that Facebook like example, because I think I see companies doing a variety of different kinds of advertising, and I’m curious for your thoughts on what they could be doing to try and support it better. If I have my Pixel and I break the chain of forward data going to them, we already have that information that went to Facebook or pick your social media platform. It doesn’t really matter. They’re all the same. So now part of the challenge can be a few things. One, that social company already has my information, and it’s still being used by other parties, potentially yourself as well. I might have sent additional personal information to that social, let’s say I wish I wanted to do email lookups, so you know, or lookalike targeting, I might have sent my email and that information. And typically, I see companies, that’s where what we were talking about before, with the CMP and the web form. So if you, if I break the chain, you should also break my email. So you should take me out of any of that lookalike-type targeting. How do you encourage or how or suggest companies actually go in to one of the social platforms where the social platform now has that data? I mean, it’s like beyond their one account of not being able to use it anymore. I think I have heard some companies trying and agree and say, this is part of the problem. How do I get it? And it’s social company, or pick any of the ad tech players. But that’s a really, companies don’t have that full access all the way in to that third party company, and the reality of them taking billions of requests is not real either.
Maxwell Anderson 22:26
That is an awesome question, and I will, I’ll answer it in a couple of ways. It’s important to me that folks who are listening know this is not an intentional setup or plug, and I’ll address the Ketch of it all later. This is the hardest problem that we ever encountered in the build out of the company. When we did this at Salesforce, I remember saying, again, I’m not like a privacy guy by training. I’m an ad tech guy, and I spent a lot of my time with outside counsel, and by the way, the 10 folks that were working in privacy at Salesforce. So we had a deep bench, and we were trying to figure this out. Now this was GDPR days and purpose limitation was the obligation, but we as a processor had to facilitate our customers satisfying exactly this obligation, and so we stood up an API or an interface that any of our customers or their CMP vendors could call to exactly control that down to the level of lookalike modeling or identity management, measurement, segmentation. We enumerated all of the discrete use cases that our platform would support, and we made interfaces available such that our customers could control the way that data was being processed. Now, much to my chagrin on this side of the experience, the vast majority of platforms do not provide privacy APIs or consent related activities. Many or most provide delete and access. But this other side is almost completely unaddressed. Now, the good news is most of these vendors, if you know how ad tech and martech systems work, they have other APIs that were meant for other purposes that you can kind of backward, contort into effectuating privacy outcomes. And so that’s kind of the path that we as a vendor have taken, is making integrations that kind of three the six to the nine ball a way to effectuate a privacy obligation. But it is very hard. I’m not going to lie to you and suggest that this is a Happy Meal thing. It’s very, very hard to do for us to build an integration like that.
It takes a day of programming, and it takes about five or six days of reverse engineering how that product was worked, built, and figuring out the APIs that we can use to effectuate these goals. One of the things that I wrote in the, there’s a recent request for comments from the CPPA about, you know, what should be changed in the law to make this easier for everyone. One of the big points that I make in the Ketch comments is there isn’t enough scrutiny on vendors. If a vendor who is facilitating these use cases doesn’t provide, you know, requisite means for a customer to effectuate an opt-out, they should be part of that investigation. You know, I don’t think it’s just, you know, Disney’s challenge or Sling, Dish or Honda or Tractor Supply. I think it’s equally a challenge with the vendors that support those companies and processing data, and right now they’re not really being held to account, because I don’t think people are talking about this problem. The lack of APIs is a huge challenge. And I think that, you know, step one, a company should be working with a vendor where they’re at least asking these questions. Step two, vendors should stop pretending like this problem is merely solved by blocking script tags. And step three, enforcement agencies need to make it clear that vendors are on the hook for making this possible.
Jodi Daniels 25:53
With all that you have shared, and companies are thinking, oh my gosh, I look at all our, these might be all the areas that I am deficient in, what would you recommend a company listening should go do first? What are the one or two items that they could take away from this conversation?
Maxwell Anderson 26:12
I mean, at least on the last topic. Of course, I believe I build software that solves this problem. But I think practically, let’s assume, you know, this is not, this isn’t a pitch. I think you should at least understand whether or not, when somebody opts out of sale or, you know, switches a dial, beyond the basic controls of ceasing data collection, what are you doing behind the scenes, not just in your databases and data platforms that your engineering team operates, but with your third parties. Do you have any controls for flowing down the obligation to your third party? Step one, understand whether or not you have this problem, and then step two, decide whether or not it’s risky enough for you to want to go and evaluate either having your teams write code to make those interfaces or finding a vendor that does. The second thing I would do is I would really evaluate the cross device exposure you have. If you have a mobile app, if you do have people that log into your company, you should understand whether or not that works. If you opt out on a phone, does it work on your, you know, your computer, and if not, what, you know, what are you going to do about it? I think a lot of vendors say that they support it. Maybe they do, maybe they don’t, but I think cross device is a huge one. And the last thing I would absolutely look at is go to your web form, opt out of sale, go back to your website after you opt out of sale, and look at whether or not there are still data collection events happening in the browser that could be understood as facilitating cross context behavioral advertising, and address them. Those are the three big things that I would look at.
Jodi Daniels 27:51
I appreciate you summarizing and sharing. Thank you.
Justin Daniels 27:56
So with all that you have learned around privacy, do you have a best personal privacy tip that you would like to share with our audience?
Maxwell Anderson 28:05
Oh, man, I’m, I’m a little disenchanted. That’s, that’s tough. I would say this is what I say to my mother when she asked, which is, it’s a little sad. I tell her, listen, the unfortunate truth that I see day in and day out is most companies are pretty, pretty terrible at doing privacy. It’s still relatively early, early paces. And I try to remind her that, you know, the good news is, most of the people who, you know, collect, store and process data, most of the business entities are well intentioned, right? The worst thing they’re trying to do with your data right now is sell you more shoes. And hopefully that’s a silver lining. But there’s nothing that I’m, you know, particularly bullish about that the average practitioner can adopt that is going to make all of this easy. The other tip I page is somebody who is relatively paranoid. I said, look, this whole DROP thing in California seems like a cool way for you to at least minimize some of your data footprint leaking out in all these crazy ways. I think that’s really nice for those who are super privacy conscious. I recommend that. But I try to encourage folks to appreciate the fact that the majority of the data, the zeal to collect and process data from companies, is mostly in service of selling more stuff. And you know, it’s not necessarily malicious actors going in, trying to contort it in ways that, you know, more the security concerns come from
Jodi Daniels 29:42
And when you are not building Ketch or talking about privacy all day long, what do you like to do for fun?
Maxwell Anderson 29:49
I love to cook. Love to cook. I like food. I like making food. I like to cook for people, you know, host parties. I mean, you know, I like when people are happier. On the table, enjoying food, having conversation that has nothing to do with work. That’s really important. People are really cool. They have awesome stories and opinions. And if you can get a collection of people around a great meal and enforce strictly a no work policy, it’s a pretty awesome human experience. So that’s a big favorite of mine.
Jodi Daniels 30:18
Any particular cuisine?
Maxwell Anderson 30:21
I love to cook Chinese food. Well, I love Chinese noodles. It’s the one thing I missed after I lived in China for a long time that you just, you know, believe it or not, in San Francisco, you just can’t, can’t buy a vow. I had a buddy of mine who I lived with when I was 17, living there. He eventually went on to start five or six noodle restaurants, and after we sold Krux, I went back to China for a few months. Worked in this restaurant because I knew I would need to be able to make my own hand-pulled noodles. So I like to pull noodles for dinner parties. Yeah.
Jodi Daniels 30:54
That’s really fun. All right. Well, Max, if people would like to learn more about you and Ketch, where should they go?
Maxwell Anderson 31:01
Well, we have a website, but I’m relatively low key, so if you’re really that keen, you can email me, maxa@ketch.com, and I do read my email. Sometimes I’m a little slow, but I’m happy to respond to anybody who’s curious.
Jodi Daniels 31:14
Amazing. Well, we’re so grateful that you joined us today. Thank you so much.
Maxwell Anderson 31:18
Thank you. This has been great.
Outro 31:23
Thanks for listening to the She Said Privacy/He Said Security podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.