Pixel Litigation, Ad Tech, and Digital Advertising Privacy With Alysa Hutnik

Intro 0:01

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels 0:22

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies.

Justin Daniels 0:35

Hello, I’m Justin Daniels. I am a shareholder and corporate m&a and tech transaction lawyer at the law firm Baker Donelson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cybersecurity risk. And when needed, I lead the legal cyber data breach response brigade.

Jodi Daniels 0:59

And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, ecommerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers to learn more, and to check out our best selling book Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. My goodness, today, there is so much we could be talking about because we are recording on the Monday right after let’s see Maryland passed their privacy law and a new federal law was introduced. And there’s a solar eclipse today. But we’re gonna focus in on some really cool pixel litigation discussion. And to do that we brought the best of the best. So we have Alysa Hutnik, who is the chair of the privacy and information security practice at Kelly Drye. She is one of the nation’s leading ad tech attorneys active in the industry and well versed in the unique legal challenges faced by advertisers, publishers, ad tech and data focused companies. Alysa, welcome to the show. We’re so glad that you’re here.

Alysa Hutnik 2:19

Thanks for inviting me. I’m so glad to be here.

Justin Daniels 2:23

So tell us about your career journey to where you are now.

Alysa Hutnik 2:29

Sure. So I’ve been doing this gig for over 20 years, I started out being an online activity nerd, when the internet was really early and new. And I had the opportunity to do some of the early FTC investigations on then privacy and data security in the early 2000s. And it has been a wild roller coaster since then. But at all times there was just that real kind of hyper focus on the intersection of advertising practices and privacy.

Jodi Daniels 3:03

Well, as I shared, there is a lot happening in the privacy space with new laws being introduced all the time, as evident just this weekend. But there’s also some older laws that plaintiffs firms are using to go against companies, can you share? What are you seeing in the privacy litigation space, maybe give us a little bit of, you know, what are some of these laws and how they’re getting applied?

Alysa Hutnik 3:32

Sure, so the flavor of, and I’m gonna say the month because we get a new type of theory, maybe every other month or so. But pixel litigation has really focused on wiretap, or trap and trace or pen register, but all of these pretty old laws from another era, which when nobody had contemplated ad tech and the use of these laws as applied to ad tech, and the plain of spars theory is when companies are using certain types of ad tech, let’s say your pixels advertising pixels on your website. That is illegal, because you don’t have consent under these wiretap laws. And it’s curious, because we also have in many of these states, California being a prime example, that there’s actually a privacy law, right, the CCPA that says, you need an opt out, not an opt in when you were doing things that encompass things like ad tech, so you’ve got that inconsistency. But the courts at this point, this is a new-ish type of litigation, so we don’t have settled law. And the unfortunate thing is companies are in that bind of am I doing things to mitigate the risk of these wiretap? Or am I complying with state privacy law and there’s just not a really clear answer. Some of this really depends on the risk profile for the company.

Jodi Daniels 4:59

Are there any particular pixels that you’re finding? This is on? Is it all different? Is it all advertising? Is that all analytics? Sometimes companies say, Oh, well, I don’t have that kind. So I don’t have to worry about it.

Alysa Hutnik 5:14

So substantively, it really shouldn’t matter. Now, the flavor of the day with the plaintiffs bar is that they were really focusing on Meta’s pixel because they had a, they don’t like to write new complaints too often. So it was a lot easier to cut and paste with the Meta pixel. But we’ve seen lawsuits and demand letters, certainly focusing on a wide variety, Google Analytics, TikTok, I mean, you name it. And so I don’t think any company should think that they are totally out of the woods of receiving one of these demand letters, if they just happen to not be using Meta’s pixel.

Jodi Daniels 5:47

All right, everyone’s pixels weren’t included.

Justin Daniels 5:51

Alysa, I had a kind of a different follow up question, kind of, from my legal background, which is, you know, I had a court case where actually, I don’t really ever go to court. But I had a client who needed to go in and defended an injunction. And the other firm to try to get the injunction had to get around the fact we had a contract. And this was like a non-starter. Yet the judge was willing to listen, I’m like, why isn’t the judge sanctioning them for doing this? And so my question I wanted to ask you is, when we look at this pixel litigation, and I know we’re gonna talk about BPA and my data, my health is, do you sense that judges are just have a mindset of they’re willing to let stuff like this happen without either looking at it? Or maybe there’s a knowledge gap? It just seems to me, judges are permissive about things that I’m like, why aren’t they telling me this is ludicrous. This was a law from the 20th century, you have a feel for what you’re seeing with the judges themselves.

Alysa Hutnik 6:53

Now, it’s interesting. In some ways, there seems to be a bit of forum shopping, because we had some of the early iteration of these cases with session recording in the Northern District of California. And we did quite well actually, the judges kind of pushed back in. We then saw one of the key players, attorneys, pull the pull, pull the cases out there and move down to the Central District of California. So unfortunately, there is some form of shopping but I agree. I mean, I think while in particular the federal judges in California, they see a lot of technology-based cases, there has been some reticence to just immediately push back at least at a motion to dismiss space. And so we’re at that early era, and part of my practice has been marketing practices with TCPA. And for many they get like a shutter when they hear TCPA, because for a decade, that was the kind of the flavor of the day types of lawsuits being filed. And this, I think, has just replaced it. And it’s early enough where the judges, I think, are at least considering it, particularly when the facts vary for a lot of companies, their Terms of Use, whether they have a banner, what does the banner say is their consent is their implicit consent. So I think some of that is to be determined.

Justin Daniels 8:11

So Alysa, is it fair to say from what you’re saying is, you have judges out there that may have you know, they have used their people besides being judges that say, Hey, I’m a little concerned with all this stuff going on with company’s practices when it comes to people’s personal information. If I have to give the benefit of the doubt to the plaintiffs to get over summary judgment or motion to dismiss, I want to see things kind of play out because they may have personal concerns about that kind of thing. Do you see any of that? Or do you think I’m kind of maybe out there a little too far?

Alysa Hutnik 8:45

No, I don’t think you’re too far. I think most of this has been on the motion to dismiss phase. And a lot of these early cases really focused on health data, think of some of them kind of the more factual, salacious, salacious examples where maybe the court that might have influenced some of the decision making there.

Jodi Daniels 9:04

With all of this as a backdrop, how can companies protect themselves with these lawsuits?

Alysa Hutnik 9:13

Well, when I think for every company, then they need to weigh the pros and the cons, right? So advertising technology on your website is really important for a lot of companies to be able to find prospective customers, and they may get a demand letter, they may get an arbitration demand, and they have to think about what’s the cost of resolving one of these, whether it’s in a settlement, whether it’s in fighting versus the benefit that they are getting from use of the tax. Number two, if they are of the mindset, let’s go to the other end of the extreme where they really just want the bulletproof defense shield. Well these laws say that consent is a defense and so that what that means, though, in practice is very much like a European GDPR and that If none of these tags are firing on your website until a consumer consents, that has also a really big business impact to the company. And so where I am finding most companies are landing is they’re not quite ready to do that. But they’re exploring options in between as mitigation measures. So sometimes that’s very prominent, notice the cookie banners, which I would say go well beyond cookies at this point, and having a banner that has some pretty specific language in that. And so you at least have the argument that the consumer necessarily would have seen that disclosure and made a choice. Some companies put an eye on the privacy policy in that banner, some are putting that disclosure at the footer of the website, there’s no we don’t have that silver bullet answer in terms of what is enough. But those are some of the measures that companies are taking. The other is to look at their arbitration clause and determine whether there are some pre-process steps that can be added or should be added. And that also can be a helpful deterrent, just pushing the brakes a little bit on getting these demands.

Jodi Daniels 11:13

You mentioned before session replay cookies, and how there were some of those lawsuits and then they kind of got pushed down. What are you seeing around the country as session replay was one of the ones I knew a lot of people were trying to add specifically to banners and have that language, we use session replay cookies? And I’m just curious, are you still seeing? You know, for the companies who might use those ones, are we still seeing those types of lawsuits still? And if you’re seeing anyone still use that in the banner.

Alysa Hutnik 11:47

So we are still seeing some of those demand letters on session replay. But I would say the bulk of them now are on track and trace or Meta pixel still. But what I would say as a practical measure is what companies are doing. You can’t name all of these, and it actually becomes less material to name every specific type of technology or specific pixel. And I think it really focuses on what they are doing right as they’re recording their use for AI and coming up with a very crisp, but user friendly language, if you choose to do a banner having it that language in your banner that is mainly technology agnostic. So it’s not cookie specific, necessarily, because there’s plenty of things that are not cookie-based that so I would just be very intentional. If you’re using a ban or what language you’re using.

Justin Daniels 12:34

They’re very helpful advice. Thank you. So as ad tech continues to be a hot topic from privacy regulators and a key focus in privacy laws, what are the common missteps that you see companies making in this area?

Alysa Hutnik 12:49

Well, one, assume that it’s cookies only, you know, you put a cookie, bear it and you think that you have done it, or you engage a technology vendor that gives a little modal or banner. And you think that you are done with all of your obligations, because of just changes in the industry. And really what we would call the deprecation of third party cookies, meaning they’re going away very soon on Chrome. Companies, from an advertising perspective have really expanded well beyond cookies. And so there’s so much server to server side or identifier based advertising, digital advertising tactics used, that just getting factually your arms around what is happening, I couldn’t recommend more strongly to just do an ad tech one on one basics. And there’s a lot of free resources out there to do that, just to have kind of a line on common understandings and definitions around what is happening on the site. Because if you don’t fully understand what’s happening, it’s hard to come up with a fix, that’s going to be useful. So that’s number one. Number two is have developed those close relationships with a marketing team so that you can get your hands around where’s the top of the funnel in terms of when new tags and new technology appear on your site, because it’s a little bit of a whack a mole, if you’re focusing on a point in time. And yet you don’t have your arms around how new things are going to be added to the site to make sure that your solution is really addressing all of those evolving types of practices.

Jodi Daniels 14:19

There are a lot of people who are not very well versed in ad tech. And you mentioned there’s a couple really great resources, can you share maybe one or two that you tend to share with clients to help them get up to speed?

Alysa Hutnik 14:32

Sure. So the trade association for digital advertising there’s a few different ones IAB and NAI are two of them. And they have a lot of free resources on their website that are just explainers. And two, there are a lot of if you just look at your favorite search engine of choice and you do a bit of ad tech one on one. Honestly there’s just a ton of providers and the basics on that just getting your one on one level after As point there’s a lot of free resources that are very well established. The other thing is just looking a lot of law firms were doing one on ones, a lot of the privacy tech vendors are doing one on ones. So find who is your voice of choice. And there’s a pretty good chance in the privacy space. They’re providing some type of useful explainer.

Jodi Daniels 15:17

And you also mentioned cookie deprecation and server to server, I was having this conversation at the tail end of the privacy conference last week with some people, because I think there are some companies out there who think, Oh, I’ve done server to server. I’m good, I’m done. I don’t need — I don’t need banners. I don’t need disclosure, I don’t — they’re not thinking about the opt outs as well as much. And I’m just interested, what are you starting to see companies think about? Or what do you think they should think about when it comes to server to server?

Alysa Hutnik 15:49

So I always start with what problem am I trying to solve for? If the problem is I want things less visible to the plaintiffs bar than the server to server is, is a helpful aspect to that. But if your problem is I am subject to laws like the CCPA, my health, my data, these other laws, and there are some significant consequences. If I’m not complying with those laws, then I need to think more broadly. And I’ve handled a number of the investigations on these matters. And from the state regulator standpoint, when they ask about your practices, they are not limited to cookies. And so when you have to answer honestly and really think about, does your both privacy notice adequately explain your data practices? And then does your opt out effectively allow a consumer to opt out of the types of practices that the regulator’s for us that’s a sale that’s a share, that’s a targeted advertising. So you need your solution to be responsive? If you’re looking to address legal compliance.

Justin Daniels 16:49

Well said, Oh, for companies in the healthcare space, there is increased focus from the FTC. And now as you mentioned, the Washington My Health My Data Act, what I advise do you offer for companies who have been using the Mega pixel and participate in the ad tech ecosystem?

Alysa Hutnik 17:08

Well, I start with what kind of company is it? Right? There are those that are just straight down the middle in the very much health space where perhaps all of the products or services are health related? And they need to think about where is the line between when they’re subject to HIPAA, and which is not going to be for the most part covered by FTC, or my health, my data, but more commonly, what is what are all those practices that are squarely subject to those these newer developments. And so identifying what’s in scope is helpful. And then number two, what products or services are helpful, and then thinking about their website presence, and is Mega pixel, really a business critical component. And if so, then we’re looking at an opt in and thinking about why and the pros and cons. This is more than just, let’s say, the plaintiffs bar wiretapping. This is the FTC Now having done a number of enforcement cases, this is with Washington having a new private right of action. So it’s a different ballgame there and wanting to be pretty intentional about it. I think the harder part for companies is where a lot of their products or services are not really squarely in the health space, but some are. So you get into the vitamin space, you get into the diet and fitness space. And there’s a lot of hard questions. So if it’s Washington only, and they don’t really think that they’re going to be within the FTC sites, some of that may be just geofencing for their ad tech for Washington State, where their products or services really do raise the issues on a national scale that the FTC has talked about, then that’s where we’re really talking through what are the opt in considerations, with with the use of ad tags on their site?

Justin Daniels 18:55

Kind of had a follow up question for the two of you. Because when we started our conversation, you know, Jodi mentioned, wow, we have another Maryland law. Wow, we have a federal law. Now you have all that’s going on with artificial intelligence. And I’m just curious, from your perspective, how is the power of proliferation of all these new laws, and then you throw up AI on top of it, which impacts how these ad tech companies do their work? How does that complicate the advice that you give the issue spotting and what clients need to be now concerned about that? Maybe they weren’t thinking about it?

Alysa Hutnik 19:31

Sure. So there’s always a new flavor. And I think we just have to accept that the origins of privacy law are largely consumer protection. And in consumer protection, you’re looking at what is the consumer harm? What is the type of harm that these laws, whether it’s AI or you know, pick your technology of the moment? What kind of harm is there to the consumer, what kind of transparency notice and what kind of choice, that’s really how the regulators at the 50,000 foot level are going to approach it. So if you have that in mind, good judgment goes a long way. And ultimately thinking about this is a regulated space, we are long past the best practices. And so whether you’re using AI or LLM, thinking, knowing what data is being actually used for this. And if you had to extract data, remove data, or minimize the data, what does that look like? And really thinking through pressure testing some of those pros and cons and mitigation measures, because there’s definitely plenty out there. And it’s doing that privacy by design, right from the ground up as you’re launching new business initiatives.

Jodi Daniels 20:37

And you mentioned earlier, having some type of cookie review and getting to know your marketing teams, I just want to emphasize that it’s so important, these new types of technologies are coming on and hopefully off in a cookie lifecycle all the time. And it is very critical to understand what is actually happening. So I always say know, your data, and I include cookies and pixels and digital tech at the same time. With all of you’ve shared some amazing tips. And we always ask everyone, what is your favorite personal privacy tip that you might offer while you’re at a party?

Alysa Hutnik 21:17

Oh, goodness. So I often get everybody to hand me their phone at parties, they always say let me see your privacy settings. And usually, it’s location, right that I just have you start with location and so sensitive. So that’s often like my number one easy, quick tip. But number two, just the basics on their website, like I will tell you the regulator’s in 10 seconds or less, they can look at your website and have a decent sense of are you light, medium or heavy to know where you are from a legal landscape. And so just getting up to speed even modestly so on that I would start with that as the most important issue from a privacy risk exposure. Yeah, there’s plenty of other things to do. But that would be number one. Oh, yeah, we just have lots of nerdy privacy talks. What can I say for real? I’m a real fun person to have at parties.

Justin Daniels 22:07

Why we asked the question, you know, at least when you say geolocation, yesterday, I was on a phone call with my wife and I was like, I’m on my way home. And she’s like, No, you’re not, I just checked your location. You’ve just left where you’re at. And I’m thinking to myself, I’m gonna have to block your private. I don’t need to be surveilled by my spouse

Jodi Daniels 22:28

When you were supposed to be at that time and it is a safety measure.

Justin Daniels 22:34

I was very concerned of safety or surveillance audience, you be the judge. I vote that was just outright surveillance on my whereabouts opted in? Yes. And I may need to opt back out. Well, anyway, when you are not practicing privacy law and being the ad tech guru, what do you like to do for fun?

Alysa Hutnik 22:54

I love to exercise. I’ll be honest, I’m a big yogi. So lots of yoga that helps me destress from all of the privacy shenanigans, and just be outside. I’ve got two dogs in there. I love them. And we walk lots and lots of miles around DC.

Jodi Daniels 23:13

And Alysa, where can people connect with you to learn more and stay on top of all the privacy shenanigans that we’ve been talking about here today?

Alysa Hutnik 23:23

Sure. So I head up Kelly Dryes privacy practice group and about my bio, and we have a blog about access.com. I also post a lot on LinkedIn. So always happy to connect with folks on LinkedIn and share kind of our hub takes on all of the developments that happen day by day.

Jodi Daniels 23:39

Well at least so we’re very grateful that you came and shared what is happening in the pixel space ad tech, and all fun things privacy with us today. So thank you again.

Alysa Hutnik 23:49

Thanks for having me.

Outro 23:55

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.