Click for Full Transcript

Intro  0:01  

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.


Jodi Daniels  0:22  

I Jodi Daniels here I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant, and Certified Information Privacy professional providing practical privacy advice to overwhelmed companies.


Justin Daniels  0:38  

Hello, Justin Daniels here I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback, helping clients design and implement cyber plans as well as help them manage and recover from data breaches.


Jodi Daniels  0:55  

And this episode is brought to you by Hello, Pearl, coffee, Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SAS, ecommerce, and media services. In short, we use data privacy to transform the way companies do business. Together. We’re creating a future where there’s greater trust between companies and consumers. To learn more, visit Seems like basil agrees. Yes, basil, the dog decided to come join our conversation as he always does.


Justin Daniels  1:38  

Yes, Basil is on my bad list today. Not


Jodi Daniels  1:41  



Justin Daniels  1:44  

No. All right. Well, let’s, let’s focus on our guest. Yes, that’s a great idea. And then we’ll come back to basil.


Jodi Daniels  1:54  

He’s the poor dog.


Justin Daniels  1:56  

So we’re very excited today to have someone that Jodi and I have gotten to know through LinkedIn and other fields. And that is Roy Smith, who is a lifelong entrepreneur who created PrivacyCheq to help mobile games comply with us COPPA child privacy regulations in 2014. PrivacyCheq was the first to offer non cookie based consent management tools in 2016. And the company has built a reputation for innovation and user centric design. Hello, Roy.


Roy Smith  2:29  

Hi. What an intro.


Jodi Daniels  2:32  

Wow. We are excited to have you here. I have to say, Justin, when you said 2014 I haven’t heard anyone say 2000. And so long as we keep doing this 20. That’s all I can think about. I see.


Justin Daniels  2:47  

Roy. I apologize if my mispronunciation of that has led to any red core, as has been pointed out to me by my lovely co hosts


Roy Smith  2:55  

sounded fine to me.


Jodi Daniels  2:57  

It’s all good.


Roy Smith  2:58  

It’s a long time ago. I know that.


Jodi Daniels  3:00  

That’s the point. It’s just keeps going. I actually was looking at files this morning from let’s see. Now I have to say 2004 because it’d be weird to say 2004. Like, that doesn’t work. So anyways, I was looking at my computer for files that old which was a whole different ballgame. But Roy speaking of experience over the years, please tell us a little bit about your career before starting PrivacyCheq and, and how you got to where you are today.


Roy Smith  3:30  

Okay, I am a lifelong entrepreneur, I’m really not a privacy person. I’ve become a privacy person, as a result of a company that I started, didn’t intend to be a privacy person. But my background is I began to write code. When the IBM PC was originally introduced in 1981, I was actually working with a company that had an IBM PC before they were even released to the public. And we were writing a little pieces of code using the debugger. There was no programming languages or anything this is we’re gonna this is like sticks and bear skins and stuff. But as a result of that, I built a company which is called Turtlebeach systems. We originally started as a music software company, but we ended up creating some of the first sound cards for PCs. When PCs started to make sound in the early 90s. That company ended up being the number one provider of headphones for people who play fortnight and other games like that today. It’s now a publicly traded company literally started on my kitchen table in 85. So after that, I got involved with some incubators and various other things started another company that made mobile app development tools called App mobi. We sold that to Intel and 2013 And then I learned about this law in the US called COPPA, which is the Children’s Online Privacy Protection Act. And I knew from dealing with all the game publishers that this was going to be a big problem for them. COPPA was at that time, being strengthened to protect kids against all the crazy things that you can do when your kid is using a phone, you can use the GPS API and know where they are without them doing anything, you can capture video capture audio. And so COPPA was updated to address that. And I saw an opportunity to create a software toolkit that game publishers could use to make it much easier for them to comply with the law. And that’s how I got into the privacy game. That was in 2014. We initially started as age check, that was the original company name. But then when GDPR came along, and we realized that we had been building something that was going to be a lot bigger than just children under 13. In the US, we rebranded as PrivacyCheq, and we put out a GDPR product, we have a CCPA product. And we just focus on the area of transparency, which is giving people notices that they can understand and consent management, which is getting their preferences, storing them in a way that the entire enterprise can honor the wishes that the person is given. And also, as data is shared out to third, fourth and fifth parties, that those third, fourth or fifth parties can understand what the person’s preferences were, and can act on them.


Jodi Daniels  6:45  

Well, first, congratulations on starting all those companies and successful exits. That’s very exciting there.


Roy Smith  6:51  

There have been some failures, too. That’s typical. We won’t talk about it. But it’s tough. Like, I’m batting 1000.


Jodi Daniels  6:59  

Wow, we’re gonna celebrate the success here today. So kudos to you. And I know that Justin wants to dive on into one of my favorite subjects, which is all about cookies. Course I prefer that they do Lewton free chocolate chip.


Justin Daniels  7:13  

So you know what I think is interesting. And what Roy said, Is he got started in gaming. And when I think about blockchain, where Roy’s technology may also apply. That has been a huge use case. And so it’s interesting, Roy, any thoughts around just as an aside about how gaming is had an impact on not only privacy, but a lot of these new technologies? It seems like user adoption, is really linked to games, because I guess people just like playing them.


Roy Smith  7:41  

Yeah, I personally am not a computer gamer. But in the Turtlebeach days, the things that people were using sound cards for where to play games, like Counter Strike, and miss two as a popular game back in those days. And definitely the notion of gaming has really pushed a lot of technology, you know, the mobile games, or at that time in in 2014, there was a $25 billion industry and the Apple iPhone just was introduced in 2007. So within five years, it went from zero to 25 billion today. Mobile gaming is about a $55 billion industry. And it’s definitely bleeding, a lot of technology. And blockchain, as you mentioned, is certainly being brought along with that. Just interesting, but now


Justin Daniels  8:34  

we’ll go back to my favorite time, and we’re gonna talk about dessert. Yes. Oh, yeah. So Roy, as cookie based tracking fades away due to regulatory concerns. How do you see consent working in this? A post apocalyptic cookie future?


Roy Smith  8:53  

Yeah, we always called it the cookie pocalypse. Because, over the past two years, you know, the entire infrastructure that the ad world has built to play with cookies is been sort of shot holes in by Google and by the regulators. And it’s all sort of crumbling to the ground now. But the answer to your question, we build our software before this whole cookie thing happened. And we did it in a logical way, which was we created a database that holds what we regard as the central source of truth. So with our system, when somebody gives their consent, they’ll say yes, I’m willing to accept emails, no, don’t text me. No, don’t give my information to other people. That stuff is stored in one central source of truth in a database up in the cloud. And our program makes it easy for the enterprise to know that when they need to know that like if they’re going to do a mailing three weeks from now, they need to know if your consent is still valid, because you could have gone in a week from today, when you gave your consent. And you can revoke it. And if they just assume that they have your consent, because you gave it three weeks ago, that’s not, that doesn’t follow what the laws GDPR and CCPA, say. So you have to keep the person’s preferences in a place where everybody within the economy of the data, can get at it and know what those preferences are. And so cookies are the opposite of that. Because when I store, you come to my website, and I store your preferences within your computer. Tomorrow, I can’t know what those preferences work because you’re not connected anymore. Or it’s, even if you go to a website, and then you log in via your phone an hour later, to me, you’re a completely different person. So if you gave your consent on your desktop, I don’t know that when you’d log in on your phone, because the cookie is stored on your device. So it’s, it was never intended for what it’s been used for. And it’s from a data processing perspective, it was ridiculous, and we’re happy to see it go. But the end to answer your question, it has to be stored centrally, no different than financial information. You know, every company in the world has a general ledger that keeps track of their money. And there’s only one copy of it. There’s not 50 copies of it.


Jodi Daniels  11:23  

What are your thoughts we have? We’ve mentioned GDPR, that kind of got started on the cookie chain. And now we have CCPA, and an entire alphabet soup coming of different privacy laws. So what do you what do you think is like your crystal ball of what’s going to happen? And kind of tie that into this whole cookie conversation and where, where the industry is going to go and what privacy practitioners need to be thinking about?


Roy Smith  11:54  

I would just touch on one thing that you said in your question that GDPR and the cookie thing are tied together. That’s really not the way it happened. GDPR really didn’t say much about cookies. The ad guys said this GDPR is going to be horrible for us. Let’s let’s do something with cookies and act like we’re going to comply with it. So from my perspective, the whole cookie thing and GDPR was a complete boondoggle. It was a red herring. It wasn’t part of GDPR. I just


Jodi Daniels  12:25  

it really started back in IE privacy lands years before but no one did it the way it was supposed to be done. And so the average person kind of connects cookie banners. Yes. GDPR, because of


Roy Smith  12:41  

so annoyed by those stupid banners that come up. And it’s very difficult for you to go through and say I don’t want to give cookies. But yes, it was malicious compliance is what it was. Yeah,


Jodi Daniels  12:53  

I have all kinds of all kinds of terrible cookie experience stories, but we’re gonna push push those stories aside, squared away, are you privacy and are GDPR so let’s move to the sort of crystal ball where you think I’m what you hear is happening. And then you know, how your, your company is evolving to meet


Roy Smith  13:14  

those different needs. perspective of an enterprise you’re in the US. We are now moving toward a situation where you have a balkanized privacy regulatory world where, okay, well, if the person is in Colorado, I can do this, if they’re in California, I can do that. If they’re in Maine, I can do that. And this is the exact situation that the Europeans were when they decided to do GDPR because they had this extreme balkanization of privacy laws, and it was causing all kinds of problems for enterprises. Sadly, the reason why we’re in this condition in the US is because Congress has never acted to create a federal privacy regulation. And they’ve had they done that I don’t think the states would be making their own, you know, the whole CCPA thing that California McTaggart, Alastair MacTaggart creating CCPA was done because he was just angry at how much private data was being slung around with nobody really being called to task for it. So what is going to happen is, I believe, yes, it’s nice that they’re down there in DC, talking about a federal privacy regulation. I don’t believe that’s going to pass. You know, we have an election year. Just the way things work in DC, as I’ve learned in my eight years of paying attention to it, I don’t see that happening. So what’s going to happen is you’re going to continue to see more and more states having their own versions of privacy regulations. But if that if an enterprise has a footprint all over the United States I believe if they comply with CCPA, they’re going to be good to go. They’re not going to there’s not going to be an enforcement problem for them if they violate some small part of the Nevada, SB 220. In the way they operate, I think the regulator’s when they do start enforcing these laws, which we’re hoping that’s any day soon, the regulators are first going to look for companies that are just egregiously ignoring them or doing really horrible things. For example, tick tock, you know, or, well, I, there’s 1000 companies you can think of that are just not doing good things with privacy, I believe the regulators are first going to go there, they’re not going to go after a company that’s trying to do the right thing. But in this particular locale, what they’ve done over here for California doesn’t match. But if they do that, I mean, if that we get to a world that that happens. One of the functions of our software is to isolate the enterprise from all of these complexities. So we have the notion of a responsive compliance, where if you tell me the util our software, okay, well, this is within this jurisdiction, our software operates itself appropriately to that. So for example, within GDPR, each of the member states can pick the age of consent for a child. And the default is 13. But some states have chosen 14 and 15. So if you tell me, you’re operating in Spain, where the age of consent is 15, our software will then operate. If somebody tells us that they’re 13 years or 14 years old, our software operates as though that’s a child. But if that exact same session were to occur in the UK, where the age of consent is 13, the software treats that person as not a child. They’re not an adult. But there’s special treatment that’s done children. So to answer your question, this, this complexity is balkanized privacy world, actually will drive people to use software like ours, because we make it possible for them to, to integrate one thing and not have to worry, you know that then it becomes our job, when TCPA is updated, and it becomes CPRA. It’s our job to look at that and say, Well, what changes what do we have to change? Obviously, we tell our customers, if that requires a change on their part, but it might just require a change to our software. And it’s our job to, to manage that. That’s why you’re paying the maintenance fees. You mentioned something


Jodi Daniels  17:35  

we mentioned lots of really interesting things. One of them was around tick tock, and since the beginning of your company had origins in in children’s data and protecting children, and on the show, we have guests from time to time to really talk about also how to protect children. I’d love to hear from your point of view, and specifically, what you think tick tock is not doing well, so that we can help educate those those listening.


Roy Smith  18:03  

I hate to say it, but I don’t really feel that I can comment on that because I haven’t studied what tick tock actually does. I don’t have I’m not a tick tock user. I’m I’m aware that in the general public, they’re known to be people who are run fast and loose with data. Recently, I think it was announced that a lot of the data that Tiktok had is routinely shifted back to China. I remember reading that so I’m going to refrain from having any detail because I really don’t know enough about it. But generally speaking, for social media games, or media items like that, or games. COPPA is not a very good law. It’s not not written very well. It was written by people who didn’t understand technology. And furthermore, the ad networks were able to get a couple of really big loopholes put into COPPA and that’s why we really haven’t heard much about COPPA enforcement’s there’s there’s a part of COPPA that says if you don’t know that the kid that is running your your game as a kid, you don’t have to protect their privacy. So as Justin will know, as a lawyer, you’re a lawyer, right? A legend now I’m a recovering lawyer. I’ve heard that one too.


Justin Daniels  19:21  

Now I’m I’m a lawyer,


Jodi Daniels  19:23  

just one per family.


Roy Smith  19:24  

When you my largest pro bono client right here. Yeah, when you have a situation like that people will make it their business to not know that that’s a kid running they’re running their game because if they know that, then they have to treat them appropriately so COPPA and I really don’t have any detailed answer you on tick tock specifically, but certainly a lot of the games and the you know, Twitch you know, the the Amazon thing where people are watching incredible, incredible amounts of video but as an Non gamer blows me away that you can have somebody who There’ll be millions of people watching them play a game. But that’s, that’s twitch.


Jodi Daniels  20:09  

I’m not as familiar in the gaming world either. I did touch us as a kid. And that’s about all of the Super Mario Brothers with a little Blinky thing. Yeah, anything? Yeah, you would like Good bye, God. Sure. As you could tell, I’m, I’m not so keen on games. I don’t know much. Okay. So,


Justin Daniels  20:33  

Roy, obviously, as part of the rise of privacy, a lot of technology is being built around privacy. You’re a great example of that. What are your thoughts about how PrivacyCeq is helping solve privacy problems? And why don’t you talk a little bit more specifically about the problem that your product solves?


Roy Smith  20:53  

The change that has happened that it makes it possible or required for products like ours is, in the past, when there was a privacy law change, the response of enterprises would be to get a lawyer to rewrite or make some changes to the privacy policy, which would be down, you know, an eight page legal document that’s down in the footer of every web page. And these new laws, like GDPR, and CCPA, require operational changes that have to be done everywhere data is ingested, that’s a whole new thing. So if you look at a typical company’s website, as we do, they probably ingest data of 567 different places. And somebody from the IT department and somebody from the marketing department, and possibly somebody from the legal department is going to have to write the notice that goes up. But the marketing guys gonna have to figure out what colors they’re going to be, how’s it going to fit into the user flow, and the IT guy is going to actually have to integrate that stuff. That’s the difference. So these new privacy laws are actually requiring technical changes to be made to websites, to mobile apps. And that’s really, the function that we provide is we streamline and ease that process, through use of API’s and other things. But the hard work still has to be done at every data ingestion point.


Jodi Daniels  22:21  

It is certainly an operational piece. I love how you’re talked about that. Many might have thought and initially it was let’s just update the privacy. Notice. There’s still some people who think that today Yes,


Roy Smith  22:32  

fight that battle every day. And I sure you do, too.


Jodi Daniels  22:35  

I do. They just they want the just


Roy Smith  22:39  

the old days.


Justin Daniels  22:41  

You just wrote this gave the history of what created the opportunity for you to have your business, right.


Jodi Daniels  22:47  

It’s it’s sure it’s GDPR that


Justin Daniels  22:49  

Roy’s point took it from Hey, we need to do operational things like how do we? How do we access the data, right to be forgotten and CCPA? And that’s where, I guess Roy’s product comes in. And then what you know, people do work together. We do


Jodi Daniels  23:07  

companies need tools, companies need people to help interpret how best to set them up, how to use them how to keep it going. Because when a marketing person has a grand new plan of what to do, it has to connect with the software and the tools and make it all work together. You have to think about can I use this data? Should I use this data? How’s the tool set up? We want to start collecting children’s data. Now we didn’t before, why do I need to do or maybe we were only in one country. But now we’re going to expand and that might mean something different. So they need to all work.


Roy Smith  23:39  

cohesively. One of the things we’ve really focused on that I don’t think anybody or I’m aware of anyone else in the industry is focused on is everything we do we look at from the perspective of a user like, you know, my aunt, for example, what would my aunt think when she sees this? And how would my aunt navigate her way through this, while achieving the correct outcome? We have come up with these different privacy notice ideas, like for example, using the the paradigm of the food label, you know, that we all see on our package food, you know, we’ve adapted that and made it interactive so that it can work on a mobile device. And it can give somebody who takes the time to look for a privacy notice information rather than giant blocks of text that were written by lawyers that really literally nobody reads. Even the lawyers that I know don’t read this stuff. So by improving the user flow, the user experience of managing privacy. We hope to make our customers able to build much more trust with our customers. Rather than obfuscating things and showing them these horrible cookie banners that everybody just clicks through to get rid of. We try to make the tools that allow our customers to really make it work. Properly instead of get around it.


Jodi Daniels  25:03  

Yes, and I just have to interject and say anyone listening do not create a cookie banner where when the user wants to not accept your cookies, you send them to a place and then force them to try and actually opt into the cookies real life story that I had. It was terrible. Coffee story is not the coffee story.


Justin Daniels  25:23  

It’s not the smart bed story, not


Jodi Daniels  25:24  

the smart bed story. Website story. Okay, definitely.


Roy Smith  25:28  

We all have a list of of cookie banner, gaffes that we could probably make a website, Cookie banner


Jodi Daniels  25:39  

Let it be your next venture.


Justin Daniels  25:40  

I like the bumper sticker of malicious compliance. Yeah. So Roy, we always ask our guests this question is do you have a best privacy or security tip you’d like to share with our audience?


Roy Smith  25:53  

Yes, put two factor authentication on your mobile device. Also, I have two of them. I have one that has actually two. The second one is use a password manager. Because we as humans are terrible at creating passwords. And there’s wonderful software that will create uncrackable, you know 12 or 16, character passwords, and put them on all the sites I myself, I look the other day, I use Dashlane. I have over 400 passwords. And I couldn’t tell you any of them. But Dashlane keeps track of that. In between that and two factor authentication, I think you’re 85% of the way there to having a pretty good privacy stance.


Jodi Daniels  26:36  

And if your favorite,


Justin Daniels  26:38  

it is actually right, I took it one step further because I’m paranoid. So I do exactly what you do. But then I have another amount of password behind after that. So that I just typed that in that way. If someone were to get to my password manager, somehow they still couldn’t have the


Roy Smith  26:56  

password. Yeah, your password manager is password protected. Right? I was


Justin Daniels  27:02  

going further because I just thought that was a really good tip. So if somehow someone got your phone like, what if I misplaced my phone and somebody knows it and they’re able to look on my password?


Roy Smith  27:14  

Right? Well, the password manager itself has a ridiculous password that I do remember? Okay, so that’s what yeah, we’re saying the same thing here. And we’re in agreement.


Jodi Daniels  27:23  

Sorry, when you are not creating privacy companies and advocating for privacy technologies. What do you like to do for fun?


Roy Smith  27:32  

Well, as you can see, from my background, here, I am a musician. I’ve been a musician my whole life. I was actually a session guitar player in Philadelphia in the 80s. I played with Patti LaBelle and Grover Washington, Jr. and Dexter one Zell. And so I am, where I’m sitting, you can’t see it. But this is actually a recording studio, my recording consoles right here. This is my home office, which is where we’ve been working since COVID. Started so I’m much more of a musician than I am a privacy person.


Jodi Daniels  28:10  

I love it. I actually was a singer in high school. So I just think lots of Disney tunes with my kids, but it’s all good. Right? How can people learn more about you and PrivacyCheq? Where should we send them?


Roy Smith  28:26  

Well, probably the best place to go would be our LinkedIn page, or we have a Twitter PrivacyCheq. Our website is really you’re not going to learn that much about us. It’s more of a product site, if they actually want to learn more about what who we are and what we think I think if you looked at our LinkedIn page, that would give you a really good, you see some of the stuff we posted. Ironically, on LinkedIn, I post less about us and more about the industry, but on our page, or our website, it’s it’s all about us. It’s not about anybody else. I guess that’s what you’d expect. I think of it.


Jodi Daniels  29:05  

Well, we’re so grateful that you shared your story and all the great work that PrivacyCheq and your team members are doing here today. So thank you so much for joining.


Roy Smith  29:16  

Thanks for having me. It’s been a blast.


Outro  29:22  

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.

Privacy doesn’t have to be complicated.