
Intro  0:01  

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels  0:21  

Hi, Jodi Daniels here, I’m the Founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and Certified Information Privacy Professional, and I provide practical privacy advice to overwhelmed companies.

Justin Daniels  0:38  

Hello, Justin Daniels here. I am a technology attorney who is passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches.

Jodi Daniels  0:55  

And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws, and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SaaS, e-commerce, media agencies, and professional and financial services. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. So learn more, visit And here we are. We’re back together again. We just did this last night, right? If up?

Justin Daniels  1:36  

Yes, I’m vaguely remembering that from eight short hours.

Jodi Daniels  1:41  

I just thought we’d have the mic set up again, because it was so much fun. But today, we’re really excited because we have a very special guest. We do, and who is our special guest? Our special guest is Odia Kagan. She is a Partner and Chair of GDPR Compliance and International Privacy Practice at Fox Rothschild, a US national law firm. She has advised more than 200 companies of varying industries and sizes on compliance with GDPR, CCPA and other US data protection laws. And she holds not one, not two, but three law degrees. And five bar admissions. Plus five privacy certifications. We have a lot of letters in this introduction already. Yeah, it’s a delight to have you today. Welcome.

Odia Kagan  2:32  

Thank you. Nice to be here.

Jodi Daniels  2:34  

Well, in the Justin, you’re gonna help us get started.

Justin Daniels  2:42  

Sure. So Odia, as we always start off with our guests, talk to us a little bit about how your career evolved into your current position.

Odia Kagan  2:49  

So, um, you know, I think it was in Lean In, right, that Sheryl Sandberg said, you know, it’s a jungle gym, not a ladder. So it’s been a bit of a jungle gym and not a ladder in that, you know, I started as you know, I’ve always actually wanted to be an attorney. Right. But like, legend has it that I decided I’d want to be an attorney when I was like three years old. And I actually never really wanted to be anything else. But the you know, it took me a little bit of figuring out that, you know, privacy was, you know, the spark joy in my heart kind of specialty. I started out doing corporate commercial stuff, I did some M&A, I did a lot of tech stuff back in and I’m Israeli, I started my career in Israel. And so I did a lot of tech, digital international stuff. And then, you know, and then kind of gravitated back into, you know, the tech led back to the privacy. And so I’ve been focused on that for a good number of years. And I think that, you know, there is merit to the jungle gym. I think that a broad base knowledge is really helpful for attorneys to be good at what they do. Because, you know, even if you don’t know the answer, you know what you don’t know, and you can feel it. Also, having said that, I think you don’t need to set out to do a jungle gym. And if you can, like, Oh, this is like really what I want to do, like go for the ladder, you know, don’t like don’t do it that way. But it’s worked out well for me.

Jodi Daniels  4:16  

I think it’s so interesting now that privacy is even a field that you can actually concentrate and major in, and it wasn’t when I was in school, there was no privacy class even or topic or consideration. Now that it can be an entire dedicated field with a degree I think is really freed. Now, let’s move on to one of Justin’s favorite topics. Try not to jump up and down when we move on to autonomous vehicles.

Justin Daniels  4:46  

I think you should pose the next question.

Jodi Daniels  4:49  

Well, I will but I just want you to curb the excitement. I know how excited you are about vehicles. But there is a big evolution of new technologies like autonomous vehicles, among others. And so how do you see data collection and privacy evolving in this area? Um,

Odia Kagan  5:10  

well, I think that there’s, I mean, the obvious thing with autonomous vehicles and similar technologies is that there’s a lot more data that is being collected and shared and processed. And some of it, you know, is is not apparent, and some of it people aren’t yet aware of, right, but it’s there, there’s a lot of data, cars, you know, collect and process and share a lot of data. Um, a chunk of that data is personal data, it actually also kind of there’s, you know, the definitions in Europe of personal data and under CCPA personal information and, you know, tied to a device and etc, right. But they at least there’s a considerable amount of that data that is personal, and therefore subject to data protection laws. And so basically, a lot more data. And that data needs to be used in a way that’s compliant, which that lends itself to, I mean, so far, you know, that sounds simple, right? But it’s the simple. I’ve kind of mentioned this dichotomy before, the fact that it’s simple doesn’t make it easy, right? So you have this data, and you have a transparency requirements. So you need to make it known to people in a way that people understand. What is the data? And where is it coming from? And what are you doing with it? And who are you sharing with? And, you know, we’ve seen enforcement actions, most recently, right, the WhatsApp case in Europe and the California Attorney General enforcement report that put the emphasis on transparency and clarity and saying things in ways that people understand. And that’s not easy, when you have a lot of different one systems in the car that are collecting data. Number two, a lot of stakeholders. So you have the manufacturer, but you also have and obviously, you have the driver, and you have a passenger, and you have another passenger, or maybe you have another driver, and you have like a, you know, like a pedestrian and things like that, right. 
And on top of that you also have third party providers, especially as cars are getting more complex in incorporating, you know, Android Auto and Android environment, incorporating input payment system incorporating third party applications. So there’s a lot of stakeholders and making the transparent one transparency, right, making it apparent what data is collected? And how and why and how’s it shared, and layering on top of that, the data protection requirements for control or consent, right, like in Europe, you need consent in connection with the car, because it’s been determined to be terminal equipment. So you need consent, just like with cookies. In CCPA, you have the concept of sale for certain transfers, and how do you operationalize the opt in? Or the opt out? And and how do you do the contracts? What are the relationships between them? Because you know, are they service providers, and you need agreements? So I think the short answer is a lot more data, plus a lot of law, a lot of data protection laws, and then you need to operationalize all that.

Jodi Daniels  8:20  

Well, that is a lot for people to be able to digest as just an individual, right? What am I opting into and what am I opting out of, what am I consenting to? Are there any that you see that are doing this well?

Odia Kagan  8:34 

I think that it’s I think that every I think that people are, I think that a lot of companies are working on it. I think that this concept of, first of all, this concept of trying to translate that into something specific and understandable is kind of a, I’m not gonna say a moving target. But I think that they require the threshold for what meets with the expectations of transparency are high, and it’s clear that they are high. Let’s go with that. Right. I don’t want to say like, Oh, we didn’t know about this, because we kind of I mean, we have the Transparency Report from the Article 29 Working Party for a good number of years. But this wasn’t kind of, you know, common practice. I think that one other thing that I can add to my answer is that I think, besides the extra effort that needs to go into it, the data collect the mapping of the data, understanding the mapping of the data, understanding the functions and spelling out. Also, there’s I think importance for designing legal design, customer X, you know, customer experience, user experience, trying to, you know, figure out kind of new ways to present things, especially when you have, you know, small screen interfaces in the car or voice activated interfaces. I’ve seen a lot of good efforts and I think that there is, you know, a lot of work that everybody still needs to do as this progresses.

Justin Daniels  10:04 

Kind of as a follow up on your idea about things being a bit of a moving target and how we operationalize all this. As we all know, we don’t have a federal privacy law. But how do you think privacy will evolve when we have vehicle sensors? And then the wireless communication, that’s really an FCC issue. The safety of the vehicles is the National Highway Transportation Safety Administration, and then we’ve got CCPA, which is some state privacy law don’t really have anything on the federal level. To your point, how do we start to integrate these varying regulations where you have privacy and security as part of it, but not the only part that you have to put all these puzzle pieces together?

Odia Kagan  10:48  

Yeah, and I’d probably add, like, if you have the financing of the vehicle piece, then maybe you have the CFPB. And if you have insurance companies that maybe have insurance specific, like, it really depends on where the data is going. I think the one thing that I would, the place where I hope it would go, is I really hope that the various authorities, agencies that are responsible for pieces of it will work together when putting forth regulation. We’ve seen similar, you know, issues or problems or, you know, on the interplay, for example, in a different area, but like the interplay between AML, you know, AML, CFT regulations and the data protection laws, right, in Europe. So you have like a packet of AML, you know, regulations proposed and the data protection bodies. Now, the European Data Protection Supervisor and the European Data Protection Board have both said, hey, you know, this doesn’t match, you know, this, and this, and this, and this are missing, you need to work on it. And I think that it would be a good idea for cross agency collaboration on these, not necessarily even in the, you know, putting forth new regulation in basically, kind of either like a guidance or clarification or whatever, on how this needs to work together. And also in the operation of each agency, right. Like, if the agencies that are responsible for safety or security, right, when they put forth things, they need to consult with the privacy regulators to figure out that what they’re doing matches the privacy side, when you have a privacy specific regulation or, again, like road safety. And that requires the collection or the exchange of information that needs to also match up with privacy and security considerations. So I think like working together, it would be the ideal that I’m hoping we will have.

Jodi Daniels  12:52 

So like all families, everyone talks about who owns the data while you’re having a family drive. And it was just a couple weeks ago that we really weren’t, we bought a new car. And we started talking about location information, and the car knew where we were, and our phones knew where we were. And our daughter said, Well, what I don’t really want them to know where we are when we started on this whole fascinating discussion of who owns the data. So in your mind, when you’re working with companies, who do you think owns the data, we have the manufacturer, we have the dealer, we have need the individual. And then as a driver, as an individual owner of a car, what should I be concerned about? As it relates to my data?

Odia Kagan  13:39 

And just want to say that our you know, our conversations are always who gets the switch? And who gets the iPad, and it’s my turn, it’s my turn. So they don’t

Jodi Daniels  13:49  

get to switch? They’re just still stuck in the back. And we’re, yeah, we just yeah, they don’t get the switching? Yes. Yeah. Maybe when they’re older.

Odia Kagan  13:59  

So, um, I think so. Um, first of all, ownership of the data is an interesting concept that I think, you know, I see it a lot, and I see it in contracts. And I know that, you know, I’ve seen it in jest, and you probably have seen it a lot in contracts. So I think data protection laws are kind of not as concerned with ownership, but rather sort of more kind of rights and choice and control. I think that that the, all the data protection laws agree that it’s the people is the person’s data, it’s the the person has rights in the data. Okay, so that’s the beginning. Now, the question is, who else, you know, gets a piece of the data and how and the rights to do what with the data and like the interplay between that and I think so. So that’s really kind of you know, I’ve seen this discussion in the cookie context, right, like zero party data because it’s my party I’m it’s, the person And that’s my data. I think so the data is the person’s, um, what should the person be concerned with? And what should the other stakeholders be concerned with? I mean, again, I’ve said that before, but I think the first thing and this is kind of more maybe US based approach, but my first priority would be as a user, and as a, you know, consumer facing stakeholder in the mobile mobility space, be it the OEM or you know, when the infotainment providers or payment provider or whomever is that the individual understands what data is being collected? And why and where is it going after? Right. So I have the full picture. I think that’s the first priority, because they think that to a great extent, if I know what’s going on, that will help me make an educated decision. Now, is that the full picture? I think, even in the US, that’s not the full picture. 
Definitely in Europe, the approach is, okay, it’s not enough for you to say yes or no, we need to have a layer before that, that says is this, like, just or necessary or ethical in the first place for the company to even be collecting this information? And I think that there is room for that. And that I think we will see, not only do I think there’s room for that, um, CPRA. And the Virginia law and the Colorado law now have this kind of, you know, necessary fair and proportionate or necessary and proportionate analysis that you need to make ex ante in processing information. So it’s not like a free for all, like, you can just collect everything and kind of hope for the best. So I think there is a component in that. And that’s, I think, where, you know, regulators will weigh in on what are the guide? What’s the what are the parameters for what is the what are the limits for data collected? And then all the data collected? You know, what, how much choice? Do I need to give individuals? There is a beginning, you know, there’s a foundation of that the automotive innovators, right, they, the association, they there are the privacy, you know, there’s this privacy guidelines for the North American manufacturers that has these concepts of transparency and control in the scope of control. And I think that, you know, we hopefully will see clarity on that, for, you know, for the US, I mean, as well as for Europe, getting more clarity would be helpful for everybody.

Jodi Daniels  17:30  

Indeed, I think there’s a lot of confusion nowadays, everywhere.

Justin Daniels  17:35  

Yes, sometimes confused in my own house about where to put the trash,

Jodi Daniels  17:39  

You’re very confused over where to put the trash every week, that same thing? Well, so switching gears a little bit, let’s move to the marketing side of your specialties. And, you know, how are companies changing marketing tactics in reaction to what’s happening in the universe? Right now, we have technology companies who are saying no to cookies, you mentioned zero party data, which I’d love if you could explain zero party data, because I think that’s a new phrase that not everyone is using. So we’ll just love your thoughts kind of overall on where we are in the universe, and how companies are reacting from a marketing standpoint, maybe a little bit how we got here?

Odia Kagan  18:26  

Well, so the how we got here is there is, you know, Google had this, you know, plan to deprecate third party cookies. And that plan was in the works and companies were reacting to that plan. And that plan has now been postponed, giving, you know, a little bit of a, you know, respite to companies and more time to prepare. What does this mean, I think so the third party cookie situation is part of kind of a more, you know, bigger concept of, you know, that’s endowed by, you know, people that don’t like it, I guess, mainly, surveillance advertising, right, or, you know, the concept of, you know, advertising which is based on very kind of targeted, granular information that is gathered from activity across devices and matching, etc. And there are, there’s a whole infrastructure in place that exchanges huge amounts of information in real time in split in like a fraction of a fraction of a fraction of a second between, you know, thousands of companies. So that’s sort of the backdrop, and there are there are, there is ongoing kind of enforcement and litigation in the EU about it there. You know, there’s investigation in the UK like on this whole industry, but basically so that’s the backdrop and the issue is okay, so if third party cookies go away, and third party cookies are a way for a company to leverage tools of other companies in order to analyze and monetize their own data and generate leads, etc. If you and, and so leveraging if you can’t do that anymore, okay? Then what can you do? So what you can do is you can use quote unquote, your own data. So what does your own data mean? It means data that you get directly from individuals. And so that is, has been called first party data, even though it’s not really first party, right, because the first party is me, the person, and then the sort of second party is the entity that I’m directly sending into. 
So that’s why there’s the term zero party and first party, but basically, it’s, you have a direct relationship with the individual. So if you have a direct relationship with the individual, great, okay, by the way, great is parentheses great, but you still are subject to all the privacy laws, right, you need transparency, if you’re sharing the information, you also need to think about the sharing. But it makes it so that’s kind of one aspect is trying to move to this direct relationship. That, as I said, one doesn’t alleviate completely, the privacy issues maybe simplifies them. But it’s still, you know, an amount of work. The other issue, that’s the challenge with this is that companies have turned to third party cookies, and like, you know, third party, you know, tools, etc, not only because they were available, and they really like the targeting concept, but also from a modern, you know, economics, right, usually smaller parties need to rely, smaller companies need to rely on third parties. And so there’s also now if you’re a small company, and you want to rely on your own audience, well, how do you develop that audience, right, you like you, one people go to if you can, then you go, you have channels, you have YouTube, you have Instagram, you have, you know, things that you try to generate leads and create your own audience, that’s one option, I’m very much more difficult for smaller companies, I’m very difficult for companies that aren’t consumer facing by their nature. And then you supplement that with kind of, you know, collaborating on your, you know, with your, your information. So I’ve got my little, you know, 100, you know, followers or whatever, and you have your own you your to your 100, and then we’re going to collaborate, and then, you know, you again, have the sharing and the sharing needs to be accounted for, for privacy. 
So I think what are companies doing, companies are trying to figure out ways that don’t rely on third party cookies, for their deployment. Some of them still involve a lot of personal information, especially both the collection and the sharing. And then the other direction is trying to do marketing and advertising that isn’t based on personal information, for example, contextual advertising, that’s another direction.

Jodi Daniels  22:56  

I find it so interesting, it feels like we’re going back to contextual advertising, because we started there. And then here’s all these great tools to help you make it more tailored. And now we’re going back in this other direction. So it’ll be very interesting to see how I think all this shakes up.

Justin Daniels  23:14 

So a lot of what’s motivating all of this interest in privacy compliance is enforcement. And we’d love to get your thoughts about the initial enforcement efforts to date with CCPA. And what do you think that might mean for CPRA that’s coming down the road?

Odia Kagan  23:32  

So I think, first of all, so there, as I mentioned, right, um, and there was a report that was issued by the California Attorney General for a year of enforcement, and the report is sort of an anonymized version of actual noncompliance proceedings that the Attorney General initiated with companies and the takeaways that I have from it. Number one, I, you know, very much appreciated the transparency. And I think we need, you know, more of that and more guidance. And hopefully, that’s forthcoming from the California Privacy Protection Authority, that is kind of forming and got, you know, appointed the executive director a few days ago. I think the key point, the key points in there. First of all, it was very granular, right. There were very specific pieces. It wasn’t just big picture, egregious kind of breaches, there were very specific granular things, which is important to note, there was a big focus on do not sell the do not sell link, the analysis of sale, the operationalizing of the opt out, and consumer requests. So that’s important. And the other piece that I saw that was important is that there wasn’t a focus on transparency. You didn’t include the rights you didn’t include the right processes. You didn’t disclose the third party sharing it was very, it was basically guys like how you draft your privacy notice, this is important and I’ve been telling clients that and I think this is kind of, you know, reinforces that point here in the US. And I mentioned the WhatsApp case, which really highlights, you know, the whole case revolves around transparency, and how to draft privacy notices. And that like nine digit fine consequences of privacy notices being not clear. 
So I think the combination of those things, especially since CPRA, and you asked that PPRA thing CPRA and the other laws, right CPA CPA, they borrow a lot of concepts from GDPR, they borrow them sometimes verbatim, right, like the definition of consent is literally copy pasted, some terminology regarding, you know, data minimization, data retention, purpose limitation, transparency, they’re borrowed from GDPR. And so I think that both of those things together really highlight the importance of, you know, understanding what’s going on, like, you need to understand what you’re doing, and being transparent about it. And I think that, that is, that’s a point of focus that I would anticipate. And then the other points of focus regarding CPRA. Um, you know, I am, I am staying tuned to see, but I think that it would be into one thing that would be interesting to me to understand, is the how these concepts that are borrowed from GDPR are going to be applied in practice. One, generally, and two, given the fact that, you know, they are kind of, you know, it’s like, it’s like, when you take those, you know, cells from one place and you like, you put them in, you know, in the in the lab, and like something else and see how it grows, right. So this, these concepts, and GDPR will be interesting to see how they develop against the, you know, CPRA and the other law ecosystems, which are different, which have the concept of sale, which have the, you know, kind of historic kind of US approach.

Justin Daniels  26:56 

Well, thank you, that was very interesting. But on more of a personal note, as we like to ask all of our guests, what is your best security tip?

Odia Kagan  27:11  

For consumers or for companies?

Justin Daniels  27:14  

Um, we’ll start with consumers. Um,

Odia Kagan  27:19  

That’s really bad. That’s really difficult saying, Yes, um, because it’s, um, you know, there, it’s, I would say that try to be mindful about what you’re doing and understanding that in the in your quest and rush for convenience. Ooh, this looks cool. Oh, this looks nice. Oh, this is a good function. I was talking to my husband, I’m not going to name names, but he, like talked to me about some, some new product and explain what it would what it does. It’s like, oh, it’s really cool. I’m like, Are you serious? Like, you understand that it’s going to be doing this and this and this. And like, Yeah, but just when you tell it through, I’m like, really. So I think, you know, stopping and thinking about this, that’s not the end all and be all because we all, you know, we all err on the side of clicking, I accept, because I really need to do this now. But I think kind of stopping and being mindful about it maybe is the tip that I can give.

Jodi Daniels  28:15  

Well, thank you. Now, I very much appreciate your energy, and I can certainly see the passion when it comes to talking about privacy. When you’re not talking about privacy, though, what do you like to do for fun?

Odia Kagan  28:34  

Um, so I, I have a kayak and I kayak on the river and near my house, and I do that, while I’m looking at I really like, you know, kind of kind of water front in the water and being on the water. And I do that while listening to podcasts or audio books, both of which I really love and I have the multitasking of it. Um, and I also really, like, I really like makeup. And you’re like, Sephora is like the happiest place that I can be at. And I could be you know, once my husband actually called me after four hours to see where I was, and I was getting to the checkout. Um, and I like face painting. So I do you know, like different face painting things like superheroes and things with my kids. So I like doing that.

Jodi Daniels  29:21  

Super fun. My mom loves Sephora. And I’m sitting next to a fellow kayaker who would like more kayaking capabilities, but we don’t have so many kayaking places here. Indeed. Well, Odia, it’s been a pleasure talking to you today. If people would like to learn more or connect with you, where is a good place for them to do that?

Odia Kagan  29:43  

I’m definitely on LinkedIn. I do a lot on LinkedIn. I’m happy to hear from people and they post a lot of content if it’s interesting to you on this topic. So LinkedIn or, you know, my Fox Rothschild bio has my contact information.

Jodi Daniels  29:55  

Well, wonderful. Thank you again for sharing all this great information with us today, we really appreciate it.

Odia Kagan  30:02  

Thank you very much. Thank you for having me.

Outro  30:07  

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.
