Privacy as a Business Driver: How To Build Effective Programs

Intro 0:00

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels 0:21

Hi, Jodi Daniels, here, I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies. 

Justin Daniels 0:36

Hi, I am Justin Daniels, I am a shareholder and corporate M&A and Tech transaction lawyer at the law firm, Baker Donelson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cyber security risk. And when needed, I lead the legal cyber data breach response brigade.

Jodi Daniels 0:58

And this episode is brought to you by dude Red Clover Advisors, we help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology e commerce, professional services and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers to learn more and to check out our best-selling book, Data Reimagined: Building Trust One Byte at a Time. Visit redcloveradvisors.com it is hard to believe that we’re in December recording a podcast in 2024 how are we already in December?

Justin Daniels 1:39

How have we been doing this for four years?

Jodi Daniels 1:40

Because they’re having so much fun.

Justin Daniels 1:42

Okay, think she’s had three espressos this morning.

Jodi Daniels 1:47

I did not. I only had one cup of coffee. Call me. I’m just a happy person.

Justin Daniels 1:55

You’re chatty, Jodi.

Jodi Daniels 1:57

I am chatty. Okay, well, today we’re gonna be chatting. Oh, this is gonna be fun. This is gonna be like, gonna be like the 3j podcast, because we have Julia Shullman, who is the General Counsel and Chief Privacy Officer at Telly, the world’s first dual screen Smart TV, fully paid for by advertising prior to tele, Julia was General Counsel and Chief Privacy Officer at triple lift through its $1.4 billion acquisition by VISTA Equity Partners. She is recognized as an industry leader at the intersection of privacy, product, advertising, policy and strategy, and she is here to talk all about it with us today. So welcome to the 3j show.

Julia Shullman 2:41

Thank you for having me, Jodi and Justin.

Justin Daniels 2:46

Now that’s your turn. So Julia, I swear she must have had, like, serious espressos today.

Julia Shullman 2:56

I’m still working through my car.

Justin Daniels 2:58

Julia, whatever happy pill she took, I’d like to like — we need to market that anyway. Why don’t you tell us about your career journey?

Julia Shullman 3:07

Sure. So you know, as I thought about this one, there’s sort of two themes to my career. It’s been taking opportunities when presented, and then just trying to get as broad and diverse experience as possible. So Justin, I actually started my career as an M&A attorney at Latham during, actually, pre financial crisis back in the ‘00 so I saw a lot of crazy stuff, but didn’t think that that was for me. So I went in house, took whatever job I could get, given it was the financial crisis at the time, ended up in B2B, media and events, and from there, found myself at two different ad tech companies. So at app Nexus, which is now part of Microsoft, I had a number of different roles, product Council, and was handed the Privacy Officer role when head of privacy left. They needed someone to run the team that knew about the industry and understood products and services and the commercial interests at play in the industry. And then from there, I went over to triple lift, and that was a wild ride through the COVID crisis, and we sold the company pretty quickly thereafter, and I’ve now gone to an adjacent company in the space where we certainly focus a lot on advertising at tele but I’m also getting to work on manufacturing and hardware and intellectual property. So if you kind of look at my career over the last two decades, it’s been a lot of different things, but I think really just trying to take opportunities. As they’re presented to me, get diverse experience and work on big, broad, gnarly issues, kind of looking from top down, bottoms up.

Justin Daniels 4:51

So I kind of want to ask you a follow up question, because you talked about your initial part of your career that was. Been in M&A, and just now that you’re in house, you have this really specific privacy and ad tech background. Any thoughts for our audience around what that M&A experience, the kind of foundation that provided you as you got into these other GNA gnarly areas?

Julia Shullman 5:18

Yeah, those are two things that I always think about. I mean, one, I always come into a company and think about kind of, what are our goals? And I tend to go into early stage companies, so I’m always looking at the company through the lens of, what can I do on the legal side, of the compliance side and on privacy side to set the company up for success? And that’s not just from a legal perspective, but it’s also the narrative and how we think about marketing ourselves, and we think about exit opportunities. And then I think the second piece is, and you probably recognize this, working on M&A, you’re always working with a cross-functional team. You’re, oh, you’re kind of the you’re the ring leader, and you’re going out to all these specialists and ensuring is you’re either helping a company sell itself or looking to buy a company, that each of the different functions are working in tandem and really understand that bigger picture and understand each other’s issues to make it all work and make us have a good outcome. And on the legal side and on the privacy side, I mean, think about all the clients you guys work with. It’s not a siloed issue, and it’s not a siloed function. You are kind of quarterbacking technology, marketing, product, operational matters, boarding up to the board and talking to clients and ensuring the sales process works. So it’s a very complicated project with a lot of different pieces to it, and I think EME set me up for success on that front, just because I learned from a very early age and a very early start of my career that you couldn’t just kind of sit and work in a silo.

Justin Daniels 6:54

I just wanted to bring that up because I think an undervalued skill of general counsel is your ability to connect the dots. And it seems that your M&A background has really paved the way, and we’re going to talk a little bit more about that. For you to connect dots, be able to help cross functional teams, be able to issue spot and either handle it yourself or bring in the right people to resolve whatever that issue may be.

Julia Shullman 7:20

Yeah, absolutely.

Jodi Daniels 7:22

So you were handed this privacy team, and then from there, you’ve had the opportunity to be Chief Privacy Officer at multiple companies. What is your approach in this role in building a program, especially as you just shared, you know, a lot of early stage companies.

Julia Shullman 7:40

I think you’ll be shocked to hear that. I take a pretty practical and realistic perspective to it, and once again, I think maybe we’ll talk about this a bit later, but I really take a step back and look at who the players are at the company, and what the business model is, and the operational processes, the technology and the personalities at the table and figure out how to put a program in place that kind of works for the company’s risk tolerance, stage, maturity, potential growth and just how it actually operates. And that really differs company to company. And I will say, as an example, I worked at two different supply side platforms in the ad tech space that from the outside looked like, honestly, the same company, to the point where their founders had started at the same company, and they operated very differently under the hood, just in terms of processes, personalities and how they got things done. And so even at two almost identical companies to the industry, the privacy programs that I and my team put together were very different programs.

Jodi Daniels 8:47

Can you share an example, perhaps, where the personalities impacted how you might do something different?

Julia Shullman 8:54

Yeah. So, maybe two examples. You know, one was truly just communication and how the company managed larger initial cross functional projects and then kind of steady state. One company, you were constantly giving presentations, constantly putting together. Dax, they had one set of tooling that they used to track cross functional projects. And the other company, everything was asynchronous and everything was, you know, a bit frankly, siloed, team to team, and so we had to go out and use different tools across different teams versus at the other company. We used one set of tools, and one company spent a lot of time in meetings and talking face to face. Another company, frankly, we used a lot of like Google Docs, Slack and email, and that can be very different for different personalities in a room, and it can kind of be easier to get things done, sometimes on the privacy front and very challenging. And then the second one that you know might resonate with folks to get a bit more technical was actually how the product roadmap process worked and how engineering products. And subject matter expert product leaders, which I have always been on the privacy side, I’ve always kind of operated as both CPO and the privacy product manager, influenced the road map and how we actually put together product requirements.

Jodi Daniels 10:14

Thank you for sharing. So helpful. Would you stop laughing at me?

Jodi Daniels 10:22

I could talk like a robot instead. Would this be better? Is more monotone? A better approach for you?

Justin Daniels 10:27

Wow, you sound like a late night DJ.

Jodi Daniels 10:29

Oh, I have the cool mic. Maybe we could test it out.

Justin Daniels 10:32

So Julia wanted to maybe understand your perspective a little bit about how do you successfully balance the privacy and the business monetization goals around data.

Julia Shullman 10:50

Yeah, so this, this is also, you know, an interesting one. And I’ll say, and I’ll leave it groundwork for, and I’d said this previously, I ended up in privacy through the product counsel route. And so I had started looking at privacy through a product counsel lens, maybe as opposed to a policy or a privacy expert lens. So I had always been embedded with product teams and engineering teams and strategy teams thinking about the top level goals of the company, of the industry, how a company made money, and then, frankly, how all the other folks in the industry operated, used data and made money. So the way I think about it is, you know, what are your goals? How has the industry operated historically? What’s the history there from a monetization perspective, from a strategy and a privacy perspective, what is everyone else doing? And then figuring out based on that, and based on your company’s position in the industry, you know, what are your opportunities strategically around both collection, use, sharing of data and privacy and requirements as they’re going to be changing, and I’ll give an example of this. And I always look at this from an ad perspective. If you look at the advertising ecosystem, which I know you spend a lot of time working with clients in the space, you will probably not be shocked to think that all of us in the space have different strategic interests and different relationships with direct consumers and with each other, sort of based on our position in that ecosystem and how close we are to the consumer and how close we are to the actual ad dollars that are spent by marketers. And so if you look at people’s structural position and their strategic position in the ecosystem. They’re going to look at privacy requirements differently, and they’re probably going to try to interpret them differently to benefit them. For example, a DSP sort of sits the furthest away from a consumer, maybe doesn’t have direct relationships with them, and has to rely on a publisher, a supply side platform and a number of other platforms to share data all the way down to them is going to try to take an interpretation that you know they can access and use data, as long as there are contracts in place, and as long as a consumer is maybe not opted out, versus a publisher or someone who sits much closer up to the consumer and has a direct relationship and knows that they have these this valuable relationship is maybe going to try to interpret a lot to me. And you know, we should actually hold on to this data. We shouldn’t be sharing it more broadly. We should create a technology where that data needs to sit up with us and maybe we’ll share it, you know, with other folks in the ecosystem, in a more controlled manner, but it gives structural and strategic control to those companies that sit closer to the consumer. And I think an example of this, frankly, as is Google and what they’ve done with privacy sandbox, and then, you know, it’s what a lot of the bigger publishers have been doing around their first party data in the past couple years, as they’ve sort of looked strategically to take advantage of privacy regulations, as opposed to just like putting together a compliance checklist and checking a bunch of boxes off. And I see Jodi, you’re nodding. So you see this all the time.

Jodi Daniels 14:11

I’m sure I do. But Justin has a question.

Justin Daniels 14:13

Well, I guess Julia, the other thing I wanted to ask you was, you go into a lot of these earlier stage companies, and would love to get your perspective on how you sell business people, particular senior leadership. It may even be the board or their investors on why you need to have a privacy program, why you need to pay attention from it from the get go, because I still run into plenty of times when I’ve worked with some earlier stage companies, I will just get a privacy notice off the internet. It’ll be the same thing. I’m like guys, you’re in health care, so I’d love to get your perspective on how, how you fared, and what you do in that respect.

Julia Shullman 14:53

Yeah, no, it’s a great question. And, you know, comes up on every deal, every financing deal, every every exit you need. That I sell it across a couple of different different channels, and it sort of depends on the company and their business model and their strategy. But number one, I do look, you know, at strategic goals and opportunities again. If you’re in the ad tech space like this is truly strategic to your defensive and offensive moves in the ecosystem, you might not exist in a couple of years if you don’t think about the data that you get access to and how you operate, and you know your structural position needs to be your competitor. So that’s one thing. The second piece is, because most of these are early stage companies, they won’t have an exit at some point I need to raise capital. You know, I make it very clear that this is going to be a big item in diligence from anyone who’s looking at the company to invest or buy them. And to your point, Justin, you can’t just slap a random privacy notice up, because most law firms have gotten much more sophisticated about this, and they’re going to do their diligence and they’re going to raise a flag to companies that are looking at investing or buying you, either that you have a compliance issue, or, frankly, that your business model doesn’t work, and maybe you’re going to have to go dump all your data, and it’s not going to be as valuable an asset, or they’re just going to walk away. And then the third piece is or actually, there’s two other pieces. The third piece is sales. So how are you going to keep operating? Everyone has some kind of sales relationship that has data at play, and I find that it makes those sales processes go much smoother. If you have your app together, and you know your outward facing program makes sense, and then you also have your talking points, and you’ve educated your sales team on this, and then the last piece is PR, like no one wants to get a bad headline out there. You know, number one, they don’t want to have investigations, which is sort of the outlying major risk. But if it happens, no one wants to deal with that. And then I think just day to day, no one wants to be a company where anytime someone goes to Google them because they’re thinking about doing a partnership or buying their product or something, and a bad headline pops up about privacy, it’s just going to slow things down, or it’s going to make someone walk away. So all of those really make the board on down, kind of perk up and recognize that this is a foundational matter that you should invest in. Sorry from the start, because it’s going to hurt your ability to grow and it’s going to hurt your ability to exit.

Justin Daniels 17:18

Were you going to say something, Julia, I wanted to ask you one other thing that was of interest to me, when you talk about the privacy programs and getting the board on on board and senior leadership team, have you seen in your experience, or talk to other colleagues, instances where lack of a good privacy program or cybersecurity, for that matter, has either caused a major partner to walk away, or maybe change the purchase price at an exit, or maybe the hold back, or some material terms, because your privacy and security house was not in order.

Julia Shullman 17:49

Yes, I’ve either seen all of the above, or I’ve heard of all of the above. I think you know, the thing that I hear happens probably the most, and this is any issue that pops up in a financing or an M and A deal is you’re trying to move fast, right? Speed Kills deals. And so if you don’t have your house in order, and someone starts asking these questions, and you’re running around and you’re trying to clean stuff up, or you’re having to work with your counsel or your engineering team or product team to put responses together or figure out what you did wrong. You lose speed, and you lose time, and sometimes it just makes deals fall apart. Number one, because the market shifts so quickly these days, I think the second piece is I have definitely heard of companies seeing terms change on them. So either they’ve seen discounts again in the ad tech space, if an investor really gets smart and realizes that they haven’t been doing what they’re doing what they should have been doing, and there’s certainly a risk that they might not be able to use data that they have, or their systems might not actually operate the way that they need to do. They’ve definitely discounted the price, or they’ve put in a hold back. And then, you know, the last one is where someone I’ve really only seen this with, like cybersec issues, or truly bad, you know, ad tech issues, where an investor or a purchaser just understands that a company has completely missed the boat. They’ve just walked away from the deal entirely because they don’t want to touch it. So these are not just check the box compliance issues. They truly either can kill deals or impact purchase price or slow things down materially. I don’t know. I’ve seen them. You guys have.

Jodi Daniels 19:35

I mean, so I’ve seen that. I’ve seen sales for sure not be able to be closed because they don’t have what they have, what they need to in order or delayed. It’s a, oh, wait, now I actually have to go do x, y, z, so it there’s a little bit of a delay. And then I’ve also been talking to some firms where they appreciate they want to have their privacy ducks in order so that when they exit they won’t run into that. So they’re doing the preparation to ensure they’ll have a good exit, because if they didn’t, then everything that you just described would happen.

Julia Shullman 20:09

Yeah, and then I will say the other thing I’ve seen. And, you know, I don’t know, Justin, if you see this, maybe on larger transactions that you’re on the opposite side of, I have seen acquirers definitely engaged the wrong counsel to do diligence for them, and they’ve asked all the wrong questions, and that, you know, I’m not going to help you answer questions you didn’t ask. So sorry that you know you don’t understand the business that you’re investing in or you’re buying, but if you didn’t ask the question, like we’re not You’re certainly not bringing it up.

Jodi Daniels 20:40

I’ve seen that too. So how would you advise someone trying to set up a privacy program, or maybe they have one, but it’s, it could use some help. It’s middling. That was the word I was thinking of, thank you. And kind of tied to that is, I like what you said before around how your experiences product Council really helped your thinking from a product engineering strategy, business objective point of view with and then you’re adding in the privacy pieces. So many people who are trying to build privacy programs don’t have that knowledge there. I’ve learned a lot. I have a checklist now. I’m supposed to convince these people, they should pay attention to me. How do you — what would you offer and suggest to those types of people?

Julia Shullman 21:27

Yeah, a couple of things, you know. I think, first, you know, again, understand, take a step back and understand how your industry manages privacy, and what are folks doing, and how do they think about the requirements as it applies to your industry? Second is get to know like your engineering and your marketing teams and any of those cross functional leads that you’re going to have to partner with and work with, and probably get resources from, understand how they operate, understand their processes, their systems, and also, you know, really talk to them about the requirements, and don’t just don’t dictate to them, frankly, how they’re going to support those requirements. Partner with them on what the actual solution is. I’ve gotten, you know, gotten in trouble in the past from engineering leads, when I’ve tried to tell them how to do stuff right, you give them the requirements, and they turn around and talk to you about a couple solutions on how to manage those. And then, you know, think about a framework and get the right advisors on board. And I think, you know, you all have definitely raised awareness on this, and I’ve seen other folks starting to raise awareness on it as well. But sure, you need a good privacy attorney, but you also need someone who operationally knows how to put a privacy program in place and understands the technical issues and the operational issues that you’re going to deal with, because not many lawyers kind of are in operational gurus or technical gurus. We can’t all do it all, and so it takes a village, and if you just hire some big law firm to manage all this stuff with you, you’re probably going to spend a lot of money and not have a right program in place.

Jodi Daniels 23:17

Good advice. It is very much that balance. I really love what you talked about, because I think there’s room for both. And I often actually compare this to HR. There are HR attorneys and HR consultants both have to know HR laws, and both can do a variety of areas, and then they both also excel in particular areas. And so when we’re thinking about operationalizing, you have all these requirements, you have to understand product, or maybe you’re a service offering, you still have to understand what is the data that’s flowing? What are the tools? What are the systems, and then what? What are the compliance obligations? And how do you make that come to life? In my HR example, I can have a policy. Do I just, like, literally put it on a dusty shelf. Or do I have to do something in any of the steps, like in recruiting, or in onboarding, or in performance management, or in any of the parts, you have to have someone who knows how to make it work?

Julia Shullman 24:16

Yeah, yeah, and it’s really educating a company, I think that, and people understand this on the HR front these days, because it’s just been decades at this point and having more sophisticated HR programs. But if you hire in a privacy expert to a company like they’re not going to be able to do all of this by themselves, but they will quarterback that work. So a company needs to really understand and you as a privacy professional, need to ensure that you’re advocating for an education company, that it’s going to take a number of different resources, whether they’re in house or external.

Jodi Daniels 24:47

It’s a really interesting point of view, because I think a lot of people who hire privacy people think, Oh, the privacy person could do all the things except a privacy person literally can’t do anything without not. Knowledge from anyone else. They’re unable to even write a notice if you don’t understand what’s happening, and you have to understand what’s happening by talking to the people who are responsible for the product or the service or the marketing or the sales or the HR activities. Otherwise, I always say, many companies will ask us to help do that full service implementation for them, and we will, and I’ll say, but we still have to actually talk to the people, because otherwise I’m going to write Mickey Mouse. I don’t know what you’re doing. Someone has to be able to communicate. And whether you’re an internal privacy person, it’s the same thing. You have to be in tune with what happens today and then what happens tomorrow, when the business changes.

Julia Shullman 25:42

Totally, yeah. I mean, especially as an outside advisor, but even internally, you know, when I was bit more junior and took over privacy out of Nexus, you know, it was, it was early days, right? It was pre GDPR. This is kind of like the first wave of really putting more sophisticated programs in place, I think, at companies outside of healthcare and financial sector. And in non shocking news, I was given SMEs that were bit more junior, and I was, frankly, kind of siloed away from the engineering team at first, and I finally, just like pounded down our CEO’s door and was like, this is like waste of time. We’ve been cycling for months. You know, you’ve given me a bunch of product managers who are great and smart people, but they don’t actually know the details. They’re not in the code. They don’t actually know how we are using data and what we’re doing. They just know high level what’s going on. So kind of, let’s stop wasting time. And I ended up just sitting down for a day with our CTO, our chief architect, and all of our senior engineers, and really quickly being able to kind of spit out the answers that had taken months to get to.

Jodi Daniels 26:52

Magical when that happens.

Justin Daniels 26:55

Exactly. Wow. So what is your best personal privacy tip or security tip you’d like to share if you were at a party?

Julia Shullman 27:05

I don’t know if you all get asked this a lot, but I’m constantly asked whether our phones are listening to us at parties. As soon as someone’s like, “Oh, you’re in the ad tech space, you’re responsible for all these ads that follow us around, and you must know how, you know Meta and Google and everyone’s operating our phones are definitely listening to us, right? Like I was just talking about Cheetos, and I got shown a Cheetos ad, or I was, you know, talking about going on vacation, and I got shown a bunch of ads for TripAdvisor.” And I say, well, I can’t, you know, 100% tell you that your phones aren’t listening to you, because I don’t know everything that all of your apps are doing, but I’m pretty confident there, it’s not like Meta or these big companies listening to you instead. Do you understand how your search history is used by the various players across the ecosystem? And two, they don’t actually care who you are. You know, this is just a big machine behind the scenes that based on your search activity or based on what you looked at, is then funneling retargeting ads or other things at you. No one cares who you are. And I really don’t think anyone is listening to you, and if they are, it’s like some sketchy app that you downloaded and didn’t think about and so take those sketchy apps off your phone and enjoy the free content that you get online.

Jodi Daniels 28:28

We have another guest who reminds people their tip was to go through all those different apps and have, you know, an app cleaning day.

Julia Shullman 28:38

Yeah, not, it’s a good one. And I do it, you know, every once in a while, or I do pay attention to those random pop up notices that, you know, are designed for us to ignore them or click like, go away, accept and really understand what’s accessing my keyboard, or, you know, accessing my location data at all times. For an app that has nothing to do with like your location or keyboard,

Justin Daniels 29:01

I actually have a new tip that I thought of a new tip? Yes, so, Julie, I’d love your opinion on this. What would you think of the idea of for all of the employees of your company, the you know, your company would supply them and show them how to set up a password manager, and it would be free with the idea of you help employees set up a password manager now they can have long passwords that are more complex, and they won’t have the same password for multiple sites.

Julia Shullman 29:31

Yeah. I mean, I think it’s easy, as I would say, it’s a great tip, depending on how that password manager is making money and what they’re doing, you know, with all that, all the access that they have, but you know, if they’ve got another way of making money, and they’re not doing anything with your data.

Jodi Daniels 29:51

Great. When you are not advising on privacy, what do you like to do for fun?

Julia Shullman 29:56

So we were talking about this before we kick things off, but I live at the beach, so I. I’m an outdoors person, and that’s tennis, beach, paddle boarding, you name it. And then I am also a skier. So in the winter I do go west and try to get in a couple days, or when I’m lucky, a couple weeks on the slopes. And then finally, I’m a massive nerd, and so I read a lot — news junkie, kind of all newspapers across all party lines, and I read a lot of international stuff, just to make sure I’ve got every single point of view out there. And then it’s nonfiction and fiction.

Jodi Daniels 30:34

Well, I know Justin is very happy that you picked skiing west as opposed to in the Northeast because he calls those icy hills, and the West is, apparently, I’m not a skier. I just come along for the ride.

Julia Shullman 30:49

Yeah, East Coast team, Justin. I don’t, I don’t. It’s been years since I’ve done it. It’s a — I don’t think it’s worth it.

Jodi Daniels 30:58

Yeah, some agreement over here. Well, Julia, we’re so grateful that you came to join us today. If people would like to connect, where should they go?

Julia Shullman 31:04

I’m on LinkedIn, or I think LinkedIn is probably the best channel.

Jodi Daniels 31:10

Awesome. Well, Julia, thank you again. We really appreciate it.

Julia Shullman 31:13

Thank you. Thanks for the invite.

Outro 31:20

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.