Click for Full Transcript

Intro 0:01

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels 0:22

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and Certified Information Privacy professional, providing practical privacy advice to overwhelmed companies.

Justin Daniels 0:36

Hello, Justin Daniels here, despite my Red Clover t-shirt, I am an equity partner at the law firm Baker Donelson, I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches.

Jodi Daniels 0:58

And this episode is brought to you by Red Clover Advisors, not everyone can see you pointing the shirt. Okay, if you’re listening, that’s what he’s trying to do. That’s the motive. We help companies to comply with data privacy laws, and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, ecommerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, and to check out our new best selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. So I have a question. How come you wear a Red Clover shirt, but I have nothing that has Baker Donelson on it? That doesn’t seem very fair. This would be fun. We could like switch back.

Justin Daniels 1:50

Would you like an umbrella?

Jodi Daniels 1:52

I don’t want an umbrella. I have a really great umbrella at the privacy conference last week from some lovely people at BDO. If you ever want a really good umbrella, I don’t know.

Justin Daniels 2:01

I think your logo and colors are cooler.

Jodi Daniels 2:05

You have the same color.

Justin Daniels 2:07

Yeah, but it’s a name of a law firm. Do I probably have something like this

Jodi Daniels 2:12

law firm trained today because we have a really fabulous guest at a really lovely law firm. So I’m excited to bring Gary Kibel who is a partner in the digital media technology and privacy practice group at the law firm Davis+Gilbert. Gary advises ad tech companies, advertising agencies, publishers, brands and other commercial entities regarding interactive media, behavioral advertising, social media, programmatic media buying and other emerging products and services. He’s a certified informational privacy professional. And prior to becoming an attorney, he was an Information Systems Analyst in the investment banking division of Merrill Lynch. Well, Gary, welcome to the show.

Gary Kibel 2:53

Thanks very much for having me. And good afternoon. Good morning. Good evening, wherever you are, wherever you’re watching this.

Jodi Daniels 2:59

I love it. All right, you’re gonna kick us off? Absolutely.

Justin Daniels 3:04

So Gary, tell us about your career and how you got to where you are today.

Gary Kibel 3:09

Sure, so I think I’m kind of a privacy old timer. Because I’ve been in this, you know, gig for quite a long time. I’ve been dealing with digital media and privacy issues for well over 20 years. So kind of going back to the Stone Age of the industry where people weren’t thinking about data issues very much. As Jodi mentioned, I had a technology background, and I was a hands-on IT professional before and during law school. So I kind of had that experience of being in a server room late at night, thinking about where the data is actually physically located. And when I got into the legal profession, I started off as a corporate law associate. But those technology issues started coming up, and data started becoming more of an issue. So I think privacy went from 5% of my work to 50% of my work to probably 90% of my work these days. And if it’s possible to go over 100% I think that’s probably going to happen, the way things are happening in the privacy world these days.

Jodi Daniels 4:13

Gary, tell us how you made the switch from being in the server room to a corporate law job.

Gary Kibel 4:21

Well, I mean, if anyone has ever been in the IT world, I can tell you that I’ve never felt the level of frustration in law that I felt being in a server room at 2 a.m. Looking at the blue screen of death, and there’s just nothing you can do. You know, law, you can just keep arguing and talking and trying to find a way around it. Technology, you hit a brick wall and you’re just like, I don’t know, I don’t know why this server will not reboot, and quite frustrating. But I find the intellectual challenges of law, you know, much more interesting. And so I started off at a different law firm doing corporate work. I wanted to do something more interesting. I came across Davis+Gilbert and Davis+Gilbert IT’s been in the advertising and marketing law industry for well over 100 years. So, you know, we often say, you know, Dng represented old media when it was new media. So when I joined in 2001, digital was starting to become a bigger issue. I mean, literally the first day I walked in the office, I had a telematics agreements thing on my on my chair. And so I got involved in it right away. And the data issues really, at the outset, were there. And so I got to grow up with the industry. I mean, Davis+Gilbert incorporated, the Interactive Advertising Bureau, the IV. And you know, we were there really at the outset of the industry. And so it’s been a great journey over these 20 plus years, to see digital and privacy and ad tech, really boom into the industry. It

Jodi Daniels 5:46

is today. It’s so interesting. You said old media, new media, I haven’t heard those phrases. Since my days back at Cox Enterprises, when we would look at all the media that they had, I worked there as a financial statement auditor, they were my client, and then I actually worked there for almost a decade. So it’s so interesting to hear the new media and old media that’s just like what pops in my head, I used to have all the charts and see where it was all going. It’s fascinating. And here we are gathered here together. Well, we just came back from the IAPP Global Privacy Summit, which in our pre-show we were coining because someone I wish I could credit them. But I don’t remember who someone on LinkedIn has the brilliant way of explaining. It’s like the privacy high school reunion, which it truly is. And you did a really special ad tech workshop. And I was hoping for those of us who and all of our listeners who were not able to attend, maybe what are the one or two nuggets of the day that you hoped everyone walked away with, that you could share with everyone today?

Gary Kibel 6:47

Sure. So yeah, we did this three and a half hour ad tech privacy workshop, we had over 200 people in the room, it was a great session. And it was for people who were privacy professionals, but may not be and may not have great knowledge and ad tech and digital media. And I think the important takeaway from that three and a half hours is number one, you really need to understand how the tech works, because there are so many players involved in the ad tech ecosystem right now. So you can’t just take existing privacy knowledge and plop it right into the ad tech world without understanding how the industry works. And then the second thing is, once you have a good understanding of how the industry works, then you’re following the data flows, you know, what data is being shared with what parties and for what purpose. And then once you analyze that, then you can bring your privacy law compliance skills to bear and explain to a client or to your internal company, what controls we need to have in place? What disclosure do we need to make? What rights do we need to give a consumer what contracts we need to have in place to get to really have that base of understanding? And I guess that kind of builds on, you know, again, my technology background, since when I got out of law school and sort of practice as a lawyer and doing technology law, I had that technology background in the back of my head. So I was always thinking about the servers do the system, the data where it’s flowing, because that really helps you know, a lawyer translate that for the business people

Jodi Daniels 8:17

Or a newbie who maybe didn’t get to go to the workshop and doesn’t have access to that material, but they’re really interested in this. Are there any particular resources, you might recommend to get familiar with how the tech works?

Gary Kibel 8:32

Yeah, I mean, there are things online that we actually showed a couple of videos during our presentation that the IAB has put out, which shows data flows. And then I mean, you just subscribe to any newsletters these days in the industry. And you’ll read the stories about the types of companies in the industry. And then you’ll start to learn what is the DSP? What’s an SSP? What’s the DMP? You know, there’s so many acronyms in our industry, it’s kind of crazy. So it’s kind of getting into that industry getting comfortable with the language, so you can talk the talk with others in the space.

Jodi Daniels 9:06

Well wouldn’t be an industry without a set of acronyms. Exactly.

Gary Kibel 9:10

In this one, we can rival many other industries.

Justin Daniels 9:15

So companies that are often trying to find a one size fits all approach. So how can companies comply with the differing requirements? And also something that’s manageable? Because I think isn’t Indiana about to be state number seven, that’s about the sign of privacy law.

Jodi Daniels 9:32

I mean, it’s joining the seas, like all the letters just need to go, I guess Illinois has one that’s been around for a while now the state comprehensive one, but it’s kind of funny how the like, letters are joining together.

Gary Kibel 9:43

I know traveling all the sports analyses, you know, when it was three, it was you know, three peat and you know, then in the fifth one, you know, one for the thumb and like, I don’t even know what it is now, but it’s going to build and build and build. And you know, clients often say that it’s very confusing with all these different state comprehensive consumer privacy laws six that have been enacted so far, soon to be seven certainly more after that. Sometimes clients will say, well just tell me the strictest standard, and I’ll comply with that one — California, right. And no, that’s not always the answer, because the laws don’t line up very well with each other. So there’s not one strictest standard you can point to and say, I’ll just do that and ignore the others. There are variations between the laws, they have to kind of blend it all together. And in order to come up with the right compliance approach. And unfortunately, that does make it challenging for companies. But again, understanding what the company does, what type of data they’re processing, you might be able to set certain requirements aside because they’re not applicable. But you really just can’t say, oh, I’ll just do one state and make that work. And it’s one size fits all for everybody. So that’s why this area is just really complex and really challenging for businesses, and why everyone is screaming for a federal comprehensive privacy law, because the state by state approach is just getting crazy.

Jodi Daniels 11:02

I’m curious for your thoughts on a federal privacy law, not the over under if it’s going to happen. But a lot of people say I’m screaming for a law to try and remove some of this. But at the same time, if we look overseas to GDPR, while it’s consistent, you still have member states who make their own opinions, which makes it not exactly the same. You have different areas of this one use Google Analytics is okay, this one uses it’s not okay, this one wants cookies this way. This one doesn’t want cookies this way. So, in your opinion, do you think a federal law will mirror that or really could help solve the 50-state potential framework?

Gary Kibel 11:44

I think firstly, if the law preempts state laws that I think will help a great deal, there have been many privacy bills that have been proposed in Congress that don’t preempt state laws. And if they don’t preempt state laws, I mean, it makes things worse, instead of 50 standards, we’ll have 51 standards. So there’s got to be preemption. But the way that a bill like the ADP PA, which is the one that’s made it far, this in Congress, a lot of them work, they have certain carve outs, where states can still do their own thing. That’s the same thing happened when can spam was enacted 20 years ago, it preempted all the state commercial email laws, but had certain power valves to allow states to still regulate certain unfair and deceptive practices. So any federal law is not going to solve everything, there still will be some ability of states to regulate certain practices. But maybe it’ll get us 80% of the way there in terms of having one consistent approach.

Jodi Daniels 12:44

Since we’ve been talking about learning ad tech, the complexities of ad tech how privacy’s really hot, we can’t line up all these laws, it creates a lot of challenges these days, can you share maybe some of the big challenges that you’re hearing companies bring over and over and, and maybe a little bit of how companies can work through some of those?

Gary Kibel 13:05

Sure, I mean, and for those who are familiar with privacy, and these new laws, you know, they very loosely fall into three buckets, you know, the right to access your information and know what somebody has about you the right to delete your information, and then the right to opt out of the sale, or share or targeted advertising using your data. And it’s that third bucket that is the most challenging in this space. You know, if somebody reaches out to you and says, What personal information do you have about me, you can do it. If you have more complex systems, it’s harder to respond to that request. If you get thousands of those requests a day, it can be harder, but you can answer that question. Same with deletion. If someone says delete my information, sure, you can do that as well. But if the opt in outright, that gets very complex, and the reason it’s complex, is because when a publisher website has third party tracking pixels and tags on the site, the data transfers from that publisher site to those ad tech providers in the background are very likely going to be deemed a sale of personal information under California, and be used for targeted advertising. And giving the consumer the right to opt out of the use of the data in that manner is complex. And it requires using probably certain third party service providers to help you manage these opt outs. So when you explain to someone who’s not familiar with an industry about how these opt outs will work with pixels in the background, that’s when their eyes glaze over and realize, Wow, this is really a complex area that needs some help to solve.

Jodi Daniels 14:37

Understand, thank you.

Justin Daniels 14:38

So Gary, what happens from your perspective, when you layer the FTC on top of all of this? I think just in the last two weeks, there was the big find the telehealth company who was turning around and selling patient information in a context of a visit to people to sell them pills and whatnot. And so just can you share for our viewer and I know I’m adding another layer on to our complex cake. How the FTC part is like a federal overlay that is starting to really have an impact on how we might be advising clients when it comes to privacy issues.

Gary Kibel 15:08

Yeah, exactly. And then, you know, FTC situation has been there all along. So the FTC does not have a ton of tools in their belt. There are some sectoral laws like the Children’s Online Privacy Protection Act. And you know that the healthcare Breach Notification Rule you were just mentioning. And you know, Gramm-Leach-Bliley (GLB) for financial services, HIPAA for health care, but they don’t have an overarching privacy law to enforce. So what they enforce in the privacy space is often their general authority to regulate deceptive and unfair practices. And they are aggressive in that industry. So if you have a privacy policy that says, we don’t sell personal data, but you do sell it to a third party, they would argue that’s deception. If you collect personal information, and you have a breach of that information, they may argue that that’s an unfair practice. So that ability for the FCC to regulate deceptive and unfair practices is incredibly broad. They’ve used that power for decades, and they’ve applied it to many industries, you know, if you have a car commercial hit says the car goes zero to 60 in five seconds, but that’s not true. That’s deception. So they apply the deceptive and unfair practices ability to the data and ad tech and privacy industries. And it’s still there, they’re not going away. And even if states pass these new laws, the FCC is still not going away. So what we’ll bring it all together is if there is a federal law, and if it has a specific charge for the Federal Trade Commission about what you’re supposed to enforce, and what’s in your lane, versus what’s in their lane of other regulators.

Jodi Daniels 16:51

Very cookie banners are everywhere. Some might even say they’re kind of doing the opposite of what they were intended to do. And people are not paying attention. And in good cookie humor, fun. There’s all flavors of cookie banners that are out there as well. What are some of the common mistakes that you’re seeing companies make, you might have a long list of them. So you can just pick your top or top two, if you want to.

Gary Kibel 17:17

Yeah, and sticky with the jokes, you know, the cookie may be crumbling here. So there’s lots of issues with Cookie banners. I mean, this originated in the EU, not in the US, because in the EU, in order to place a cookie on someone’s device that’s, you know, a nonessential cookie, you need to have consent or some other legal basis to do so. That’s not the case in the US, we’re mostly still an opt-out world in the US. However, as we’ve discussed, you have all these additional rights that you need to give to a consumer and disclosures you need to make to a consumer. And so doing it with the help of a cookie banner is a common approach these days, it’s not the solution for everything because someone clicks, okay, and the cookie banner, and it goes away. So I think the common mistakes are thinking, the cookie banner solves everything I need to do in terms of compliance. And the second issue may be the language in the cookie banner, something to look at very closely. EU regulators have been really criticizing some of the language and cookie banners as not giving consumers enough disclosure and enough choices. So saying you’re slapping a cookie banner on your website is helpful, but it’s not the end of the story, there’s work that has to go into what that cookie banner says, and what that cookie banner does, and how it ties into all the other compliance features on your site.

Jodi Daniels 18:40

And I would add to that, many times people think I put the cookie banner up, I do all that hard work, I figure out what it needs to get, needs to say I put it up, I’m good. And then they forget about it. And the business is changing, they might be used, they might be placing new pixels, different pixels. We, we know that sometimes they just kind of creep in, and you need to be able to maintain that. So companies need to also be thinking about how I get it right to be to begin with. And also how do I maintain it, there has to be some type of regular cadence to keep it updated. Even if there’s no new law, just the current one, again, because there’s changes that happen. And I think that’s dependent on the company and how often they change things. Some publishers might need to do it monthly, some publishers might need to be every couple of minutes if there’s not too much actually happening.

Gary Kibel 19:33

Yeah, I mean, because privacy compliance is not you know, a one-time exercise, things evolve and things change. And the way you’re using data will evolve and the and the third parties and providers you’re working with are going to change. You know, sometimes I’ll look at, you know, a new client or the other side’s website, and I’ll see a privacy policy and the last updated date is, you know, 2018 and you say to them, really you haven’t changed anything about your business practices in five years? That’s probably not the case. So it’s really incumbent upon a company to revisit these disclosures revisit their policies at a minimum on an annual basis. But you know, better yet more than that. And certainly that every time they’re going to work with a new party, new provider and a new project to think, how does this impact my privacy program and the disclosures I previously made to people, because it’s evolving so quickly.

Justin Daniels 20:29

Gary, I was just curious, as a follow-up question with all of the ad tech, and you said at the outset, your practices like almost like 100% privacy. So when you’re on these engagements, how often do some of these privacy conversations you’re having bleed over into? Well, if I have these privacy issues, how am I securing the data? What am I worrying about what the data breach? I mean, when you say that you’re a privacy practitioner? Is there like some component of “Yeah, I’m gonna be spending time talking about the cybersecurity issues as well,” or, or is that? Or is there more of a compartmentalized approach? From your perspective?

Gary Kibel 21:05

Yeah, because we say privacy very generally. But it’s really privacy and data security. And sometimes they’re flip sides of the same coin. Because when we talk about privacy, we’re talking about the consumer facing issues that you’re dealing with and data collection. But it’s a very good point you brought up like that internal data security is so incredibly important. And that brings in a whole nother level of compliance. Because there are laws that require appropriate internal security, there are laws that require certain written policies. And then there’s certainly security breach notification laws that if there is suspected unauthorized access, you may have to go and tell the data subjects. So bringing in that data security component is certainly a part of this. And it’s important that people don’t overlook that as well. Once you take care of that consumer-facing aspects, you’ve got to look internally at what you’re doing there, because there could be just as much liability or greater liability if you do things wrong internally.

Jodi Daniels 22:05

We’ve talked a lot about how CCPA is really complex. And privacy overall, is really complex. And one of those pieces is the right to opt out. One of the newer rights is very specifically on cross-contextual opt-outs. Gary, can you talk a little bit about what that one is, and what companies need to be thinking of?

Gary Kibel 22:25

Sure. And the terms and the acronyms are all over the place. There’s CCBA, ova iba, you know, targeted advertising, they’re all kind of talking about the same practice. So California talks about cross contacts, behavioral advertising, which is what those was, the industry would generally just call behavioral advertising. And quite simply, it’s collecting data on one site or service to use that data in order to inform and serve targeted ads on an unaffiliated service. And that process context, behavioral advertising, is now deemed under the California law a share of personal information. If you give data to someone else to use for CCPA, it’s a share and someone has the right to opt out. So this is the right for someone to control how their personal data is being used to target ads, it’s not a right to opt out of advertising totally, you’re still gonna get advertising, but the advertising may not be tailored to you based upon personal information, or other data that’s been collected about you. So and again, going back to one of the things we said earlier, in order to give consumers the ability to opt out of that type of practice, you’re working with tags and pixels on the website, and cookies in the background and all these different providers in the ad tech ecosystem. So it’s complex to enable that. But all it does is enable someone to opt out of those targeted and personalized advertising, because the regulators think that those practices are creepy, and that consumers have the ability to opt out, I have much more of a pro business bent. You know, I think that data driven advertising is what enables so many free services online, and on our mobile devices, that it’s an incredibly positive practice. Because you couldn’t have three things think about on your phone, you’re using Waze to find out where you’re gonna go and Yelp to find out a good place to have lunch, and you know, on social media to connect with people, all these services are free. And they’re free for a reason. Why are they free, because they’re monetizing your data. But now we’re giving consumers the ability to opt out of monetizing their data in that way. And rightly or wrongly, this is a right and you have to find out a way to give the consumers that right to do so.

Jodi Daniels 24:43

One of the things I think that people find confusing, and I was hoping you might be able to offer some clarity is we just talked about cross contextual, but there’s also the sale of data. And so we have sale and we have share, is there anything that you can elaborate on a little bit to help someone who might be well which pixel is in the sales side and which might be in the cross contextual side?

Gary Kibel 25:04

Yeah, it’s getting more confusing with sale and share. And these are defined terms, we’re not just saying, you know, the the normal usage of those terms. And a sale is sharing personal information with another party for monetary or other valuable consideration. And we all thought that that included Behavioral Advertising under the California law under CCPA, when CPRA came out, they added a different term of share. And that was basically a subset of sale. So in shares just for cross contexts, behavioral advertising, so I guess the simple way to say it is that all shares are sales. But not all sales are shares. So a share when you’re sharing data for cross context, behavioral advertising, that is giving data to someone else for some valuable consideration. But you might be in the business of simply selling data, I am going to give you access to my CRM database for some other reason, it may not be for behavioral advertising, but that could still be a sale. So again, I think this is just my opinion, but I think the regulator’s would agree. All shares are sales, but not all sales are shares.

Jodi Daniels 26:17

With that in mind, I think it’s important, probably people who have the do not sell my personal information link might need to update that to be do not sell or share my personal information. If they’re engaging in this type of behavioral advertising. Would that be a fair assessment?

Gary Kibel 26:35

Yes, exactly. And just as we saw, when CCPA came out, that company’s website publishers, were slow to put up the links, or slow to put up the links with the correct wording, I think we’re gonna see that now going forward, we’re gonna see links that say, do not sell my personal information, when they should legally say, do not sell or share my personal information. But over time, I think companies will come around to doing it the right way. We’re all learning.

Justin Daniels 27:02

With so much privacy knowledge that you’ve gained over the years, what is the best privacy tip you’d give your friends at a cocktail party?

Gary Kibel 27:11

Well, you know, it’s yours to think about yourself, you know, how privacy-conscious are you? You know, are you uncomfortable with, you know, certain information of yours being shared online? If so, then go take a look at the privacy settings on your social media accounts. You know, are you concerned about the way that your email address is being used, maybe should have a second email address for online purchasing? It all depends about what your level of comfort is. For me, personally, when I engage with a service, I look at the privacy policy, I look at the tags and pixels on their site, and I try to get a sense is this a sophisticated player who’s in the industry and knows how to behave properly, and if they are uncomfortable giving them my data. But if I look at a company, and they don’t have very good disclosures, or they’re old and outdated, or there’s something else wrong, I’m uncomfortable working with them. And I may not work with them at all in my personal capacity, or I may be very careful what data I share with them. So it really depends upon what your concern and flavor it is. I mean, you know, there are some people who are, you know, freaking out about privacy right now. And then there are others who would gladly give up their social security number of event they got a $5 off coupon. So really depends upon what your sensitivity is.

Jodi Daniels 28:26

As a great example, when you’re not practicing law and giving privacy advice all day long, what do you like to do for fun?

Gary Kibel 28:36

Not practicing law. I mean, come on busy all the time. I mean, hey, as we all joke, and we’re lawyers, it’s 25 hours in a day to bill right. So, ya know, we’re busy, but definitely important to have your life outside of work. And, you know, I recently moved from New York to Florida, because, you know, it’s the law, you know, short Jewish lawyer, he got to move to Florida. But I like being outside and enjoying the great weather, and I’m gonna offer and I now live on a golf course, which is fantastic. So whenever I can I get out and hit the links, and just kind of, you know, zone out of work, put down the iPhone, and really enjoy being outside with friends or family.

Jodi Daniels 29:16

That does some very fun. And in Florida, you’ll now have many more days to be able to hit the course for sure. Gary, thank you so much for sharing all this very practical information. Where can people connect and learn more? Sorry for that

Gary Kibel 29:34

forgive my dog for barking in the background. My dog loves privacy? We’d like to ask. Yes, exactly. So you could find me on LinkedIn, Gary Kibel. Go to my firm’s website, DGlaw.com. Find me there. We have lots of great articles that we put out there you can read there as well. And then you can find me in the physical world because I show up at conferences and events as well. So always happy to connect with people.

Jodi Daniels 29:58

Awesome. Thank you so much, Gary. We really appreciate it.

Gary Kibel 30:03

Thanks. Thanks very much for having me. It’s great chatting with you guys.

Ouro 30:05

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.

Privacy doesn’t have to be complicated.