
Intro  0:01

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels  0:21

Hi, Jodi Daniels here. I’m the Founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and Certified Information Privacy Professional, providing practical privacy advice to overwhelmed companies.

Justin Daniels  0:36

Hello, Justin Daniels here. I am a corporate M&A and Tech Transaction Partner at the law firm Baker Donelson. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches. I’m not allowed to be lighthearted about those two words.

Jodi Daniels  1:02

It’s true much, much better. So this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services and digital media. In short, we use data privacy to transform the way companies do business together. We’re creating a future where there’s greater trust between companies and consumers. To learn more and to check out our best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit Hello, what’s up? I don’t know what’s up with you.

Justin Daniels  1:02

I don’t know. I can see it’s Monday. And we’ve already had some foibles.

Jodi Daniels  1:51

Every call I’ve had this morning. Everyone is feeling it’s totally a case of the Mondays.

Justin Daniels  1:57

Alrighty then. Well, let’s pucker up and let’s get after it.

Jodi Daniels  2:00

Oh, I like it. Fun use of words. Okay. Well, today I’m really excited because we have Noga Rosenthal, who is the General Counsel and Chief Privacy Officer at Ampersand. And she is a seasoned privacy and data ethics professional with a diverse background in the technology sector. With over 15 years of experience, she has established herself as a global privacy compliance expert. And she has a number of remarkable contributions. Noga was honored in June 2023 as a recipient of the AdMonsters and AdExchanger Top Women in Media and Ad Tech Awards. And we are so excited that you are here with us today. So welcome to the show.

Noga Rosenthal  2:40

Thank you, Jodi. Thank you, Justin. I’m excited to be here. And honored.

Jodi Daniels  2:46

Pucker up. We’re having fun.

Justin Daniels  2:50

I think the honor is all ours.

Jodi Daniels  2:53

All the honors are always ours. We love all of our guests love. Our guests are so much fun.

Justin Daniels  2:58

Really my co-host wasn’t such a pain. But with that… So, tell us a little bit about your career and how you got to where you are today.

Noga Rosenthal  3:12

I was also an M&A attorney. I then went to Sotheby’s and did art auction law for three years, and then completely pivoted to the technology role, which is where I wanted to be. In that company, I was at 24/7 Real Media, which was a WPP company, which later on spun into Xaxis, which is also a tech company, adtech company and agency. And at my time there, I started doing just commercial contracts, really general business. But because I was in adtech, 50% of what I was doing ended up being privacy. We had privacy laws coming after us. We had other companies doing things that made adtech not look great. We were trying to figure out how to move ahead, how could all of industry move ahead, and we were making up rules as we went along. And I actually, I loved it. I loved making up, you know, working together trying to come up with ethical standards for the industry. And again, so I started 15 years ago, and now that whole world has just, you know, exploded, there’s so many more companies than there used to be. We were seven members of the Network Advertising Initiative, for instance, then Google was a member, Yahoo. Now there’s over 100 members at the Network Advertising Initiative, which is again that group that governs third parties. I know this is unsolicited. But I would say to anybody who’s looking to get into privacy, first of all, adtech is a great place to start because we have so many privacy issues. And two, you have to be really fearless. And so starting my career there, I just, again, it’s not like a heavily regulated field at that time. It was something that we were making up as we went along. So it’s a great field to be in for people who don’t mind being in the gray. The Network Advertising Initiative then pulled me in to be their VP of policy compliance. Then I went to Epsilon, which is a data marketing company. So all I did was privacy. And now I’m at Ampersand, which is a media and tech company based here in New York.

Jodi Daniels  5:24

I actually also got started in privacy via adtech, I was stalking people for cars at, trying to encourage you to buy one over the other. And, you know, I’ve also heard people say, if you can understand adtech and privacy, then, you know, that is an amazing foundation to help you understand the rest of privacy, because it is truly a very, some things are really black and white, but it feels more and more that everything is gray and interpretation. And which way is it going to go? Really appreciate the advice that you offered. Now, with that being said, privacy laws are making big waves in the adtech industry. It is causing all kinds of big questions to be asked. And so I’m curious from your vantage point, how are you seeing companies evolve, to still be able to identify customers utilize these tools, and be privacy friendly at the same time?

Noga Rosenthal  6:20

So what I would add to that question is, there’s not just laws, there’s also browsers making changes. So Chrome, Safari have made changes. So there’s so many layers of pressure on the adtech industry that we need to keep in mind. And so what I see a lot of that I think is really helpful is industry getting together and talking to each other, and learning from each other and learning how to, for instance, just be more transparent around what they’re doing, their data collection, their use, working together to pass on, you know, yes, I got consent from the consumer or passing on opt outs, we all have to work together. And that’s what I’m hopeful for, for the industry is, you know, again, working within the Interactive Advertising Bureau, working with the NAI to answer some of the pressures that we’re seeing under these laws. I think another one is the cleanroom. So the privacy enhancing technologies are another big area, I think we’re going to see a lot more coming out from adtech that I think will get passed on to other industries. But you’re seeing privacy tools built within adtech that I think again, could get pushed out elsewhere.

Jodi Daniels  7:35

And I’m curious, are you seeing companies adopt maybe fewer tools? Are you seeing companies keep the same tools? Or are you seeing companies change the tools that they’re using?

Noga Rosenthal  7:49

And tools? You mean? You mean privacy tools or

Jodi Daniels  7:53

Meaning adtech tools. So if before I had hundreds of companies I might have worked with, nowadays, are you finding organizations are still working with many, many companies? Or have they lessened that and said, Well, given everything that’s happening, I’m only going to pick 20 companies, I’m gonna vet them more and I’m going to do something along those lines.

Noga Rosenthal  8:14

I think the bigger companies are able to do that, they’re able to vet and say, okay, you know what, I’m just going to work with these two companies. I think that’s a much bigger struggle for smaller websites where they may need to have, you know, they may need a bunch of partners to fill the advertising inventory on their site. Whereas a bigger website, or what would be called a publisher, doesn’t need to do that. So I think it’s going to depend on the company.

Jodi Daniels  8:40

I appreciate you sharing.

Justin Daniels  8:41

So as a chief privacy officer, what have you found to be successful to integrate privacy into the business?

Noga Rosenthal  8:48

So, you know, we talk about privacy champs all the time. For me, it’s definitely having partners within the business. So for instance, my CISO at all my companies has been one of my closest friends, like that’s just the nature of the relationship. When that relationship is broken, you have a problem. But again, my CISO’s very close to me, then also engineering, like I have a right hand person to explain. Jodi said it right, this is such a complicated industry. You need to have somebody who dumbs down the technology for you at times, and then just having people across the various departments. So HR knows we, you know, we did a training, we explain what privacy laws are coming out, we explain why we need to give our employees notice around their data, our data collection and use. So having everybody help us with compliance is key because unfortunately, in the past, I’ve learned that I’ll bring something into compliance with GDPR, and I never say 100% compliance but, you know, towards compliance, and literally the next day, somebody brings us out of compliance. So if you don’t have the team trained to flag things for you, then that’s what’s going to keep happening.

Jodi Daniels  10:01

You mentioned training, I just delivered a training last week and it was so much fun, people asked good questions. They appreciated it. How often do you find needing to work with the different departments? For example, you mentioned working with HR, do you have kind of informal meetings? Do you have formalized training? Do you do that by department? Or have you seen the idea, and you mentioned privacy champs too. So some organizations will have formal people designated as a privacy champion, whether that’s part time or full time through the organization. And I’m just curious what you have experienced that has been successful.

Noga Rosenthal  10:39

Sure. So at Epsilon, because we were a bigger company, we did have a formal process, we did have formal people in charge. And Jodi, that took me two months for just one of my companies to assign people to be the privacy champs. Because what we did initially was we looked to the most senior person to be in charge. And we realized quickly, that was a mistake, because they had no idea what the nitty gritty details were. So we had to go a step lower. And that’s a hard lesson to learn at times, that people just go to the organizational tree and like, okay, so this is the person. It’s not, you have to go do that interview and make sure you know who should be in charge. We also did training for everybody, both at Epsilon and Ampersand. We had a module at Epsilon, for instance, with Daniel Solove, we’ve licensed this tool, it was great. Here, at Ampersand, we just created our own training that everybody has to take. And then I do more customized training more frequently with my teams that are touching data, making data decisions. I’m seeing with HR, we trained everybody. And then we just have one person in charge that knows the details. That’s the privacy champ. And then just real quick, sorry, the other thing we do, we also do training for people, and I found this so helpful, around their personal privacy and security, meaning how do you keep your bank account secure? What should you do, changing passwords, things like that, changing passwords frequently. Because what happens then is that translates to keeping our business networks and emails secure as well and private. And so they’re able to take those personal learnings and bring them into work.

Jodi Daniels  12:32

One of the training providers, I love they, I don’t know if they still do this, but at the time, they were giving, if the company signed up, the employees also got access to train their family members, for the exact reason you just shared, which is, the more that you can help educate and protect the family, then the more they understand privacy and security and they bring it into the workplace. And I love what you said about working with the different teams with some customized training. Because for anyone listening, when you do that, the benefit is the HR person or team gets to ask all their special unique questions. And the marketing people get to ask all theirs, and the product people, and so on and so forth. That’s where you really can get for them to understand how this applies to them and their role, and that it’s not just the privacy or legal person’s job.

Noga Rosenthal  13:25

I would also add there that, and I know this might sound a little unpopular now, when people are hybrid or fully remote, I do think it’s important to try to build those relationships in person. Especially in adtech, what I faced was some of my business people were incredulous. Like they couldn’t believe where the law was going at the time. And I had to build trust with them. And it’s much, much easier to do that when you’re in person, and they get to know you. And they get to know the scope of your experience. And you could, you know, bring in again, benchmarking from outside companies. But doing that in person was key because again, I think a lot of the changes that we’re seeing in adtech have such big business impacts. They need to trust you that that business impact is in fact happening. And so again, just having that relationship is so key, that trust.

Jodi Daniels  14:20

Invest in the relationship.

Justin Daniels  14:22

Yes, indeed. So, it seems companies are struggling with how to manage opt in versus opt out sale and share requests. What can you share to help companies sort through these complexities? We know one big challenge is just how many opt out links will end up at the footer of a website.

Noga Rosenthal  14:43

Yeah, I just and I, you know, this is such a, I know, I know the laws are trying to do good. Right? They’re trying to, consumers should have the ability to opt out, they should be able to understand what data is being collected and how it’s being used. But now, I really worry that the laws have gone a little too far, and that it’s going to be even more confusing for consumers. And so there are a lot of opt-outs, I want to see where companies are going to end up. But there’s an opt-out, you know, just a general opt-out for targeted advertising, then there’s an opt-out for sensitive data. My question to you guys is, do you really think somebody opting out for one isn’t going to want to opt out for the other? Exactly? Yeah, I’m

Jodi Daniels  15:28

The average person doesn’t know any of them. So I’ve always struggled with, here’s this long list of hundreds of places collecting your data. You know what, I’m only going to pick number 34 and number 52.

Noga Rosenthal  15:43

have a clue. Yeah, they’re just gonna, they’re just gonna pick the ball. No, no. Yeah. And so just so you know, I mean, again, we, I feel that and I think this is the right way of doing it, when we see people opt out, we just opt them out of everything. The problem there is well, then a you’re making a decision on behalf of the consumer. Maybe that’s not fair. But also what’s the business impact? And does that does that make sense for your company? So that’s something really personal that you need to go back and look at. But again, I do where I think it is very confusing to consumers. I think the other big thing that’s confusing is I’m sitting here, right now I have three browsers on my laptop, I have Bing, I have Chrome, I have Firefox, I have to go to three different browsers to opt out. And I doubt consumers realize that that is just browser-centric. So that’s an excellent point. Yeah. And device, right, then I have like four devices, each device if I have to go off that. So it’s, it’s really, it’s really complicated even for me. So I can’t imagine how difficult it is for the typical consumer. Now,

Jodi Daniels  16:51

I know a lot of companies are trying to sort through literally, do I have a link for California? Do I have a link for Colorado? Do I have a link for all these others? What are you I’m just curious, what are you seeing amongst the various companies that you’re talking to? And maybe a direction that as a trend people are moving in?

Noga Rosenthal  17:10

So I have seen the separate privacy policies, the separate opt outs. Again, I definitely think it’s too confusing. I think having one is fine. And you could explain that this applies to, you know, all these states. Again, I would not do a separate privacy policy just for Virginia, I wouldn’t do a separate opt out again, just for Virginia, I think it’s too confusing.

Jodi Daniels  17:34

Well, thank you for sharing. Now, one of the things you mentioned earlier was privacy enhancing technologies, or PETs, and I presented on this, and we had so much fun with PETs. We really should have just done a presentation on PETs, but we did. And you know, you also mentioned about data clean rooms. And many companies are like, data clean rooms, it’s going to save marketing, it’s going to be wonderful. Can you share a little bit about how data clean rooms work? Why are they great? Or maybe why they won’t save marketing, we still need to do some other steps.

Noga Rosenthal  18:08

Okay, so, I do think they’re great. I think any privacy enhancing technology is wonderful. The idea that you could have your data sitting on your cloud and not have somebody else have access to the user level data, I think is great. I think it’s the move in the right direction. From an intellectual property concept, it is so, so great. This is something that gets mixed up with privacy a lot of times, this idea that if I’m a big website, you’re not going to know which of my users are going to get an ad, you don’t get to see my users. In other words, right, there’s no data leakage. That’s not a privacy issue. That’s more of an intellectual part. Like that’s my consumer. That’s my data that I don’t want going out. But having said that, I think what I don’t like, what I’m seeing, is people mixing up some of the issues, which is they think this is going to solve the cookie issue. So right, third party cookies are going away. People are saying that cleanrooms are going to fix that. It’s not. It’s just not, it’s not related to this. I spent hours trying to figure out where and how was this going to fix the cookie issue. And then I realized, oh, people are conflating issues. So it’s not going to fix that. Please know that you have to have an identity layer there. Whatever that identity layer is, if it’s IP addresses, if it’s connecting devices, whatever it is, to the consumer based on IPs or another third party ID, you have to have that backbone still there. So that’s a separate issue. The other problem, too, is that it’s going to be siloed data. So you may have a cleanroom with one website, but not another. So what do you do? How do you get those two? If you’re running a campaign for, I know, I’m trying to use company names, but if you’re running a campaign with Disney, you’re not going to be able to, then that’s one clean room, right, then you’re gonna have another one with Amazon, then you’re gonna have another one with whomever, Discovery, so then you’re gonna have three clean rooms, and it’s, you’re gonna have a new problem now.

Jodi Daniels  20:19

Now we’re gonna have a technology on top of that, that’s on top of that, we’re gonna end up right back to where we were.

Noga Rosenthal  20:25

Exactly. So again, it solves some issues and not others. Again, I vote for any privacy enhancing technologies. But let’s see what else comes out in the, in the next year.

Justin Daniels  20:37

Thinking about what comes out in the next year that’s already here is we find almost every show now we talk to our guests about your thoughts around AI and privacy and security. So just would love to see your perspective on how your company is thinking about managing privacy risk when it comes to either tools you develop internally for AI, or you may purchase third party tools.

Noga Rosenthal  21:03

So we’re not at this time. You know, again, we have data scientists here, we have AI to an extent here, but AI in some form has been around for ages. What I’m struggling with more is, what are my employees doing with AI tools? Right, so are they taking HR data, for instance, you know, and using that as a prompt within ChatGPT? You know, are they taking confidential rates, financial information, and putting it into ChatGPT and other tools that, you know, they flat out say there’s human review. And I’m shocked at how many people, smart people, don’t realize that, that all these AI tools say, hey, we have human review in here, your information may be used. And I don’t want my HR information getting out there or somebody reviewing it. So we really did struggle. You know, I don’t think it makes sense to completely ban it. And I don’t think that’s what people are doing. But this was one of the tougher policies that I had to put in place here at Ampersand, where I really, really struggled. And I even tried to use ChatGPT for help, and it wasn’t very helpful. Like, again, the ship has sailed, I think all of us have to be leaning in, it’s just making sure that you have people in the various departments helping you lean in and find the right tool. And I would say use an enterprise tool to help manage that. But Justin, the ship has sailed, we have to all be leaning in and working with this. I think it’s security and privacy’s job to look in and see what tools are people using and how are they using it?

Justin Daniels  22:48

Where do you think AI should sit in a company should be itself because I’m advising companies, and it’s a very much a committee approach, but without a single person who is actually responsible? You know, committee just doesn’t seem like that will work without someone being responsible.

Noga Rosenthal  23:04

So, so again, we did build the committee method too, so we’ve got a Compliance Committee. The Compliance Committee is me, the CTO, and our IT and security person, and we work well together. And we’ve made decisions as a group. And I think there, it’s very helpful to, you know, bounce ideas off of people. I haven’t seen anybody not use the committee method. So I’m actually curious to hear from you. Have you seen anybody have one person be in charge?

Justin Daniels  23:36

Not yet. Most of the approaches I’ve seen is committee, but then when you get down to putting together a budget, does it sit in? You know, it’s as I sit with legal does it sit with privacy security, that some of the other discussions that companies are having?

Noga Rosenthal  23:50

Well, I mean, the reality is, right, we have existing policies that already drive a lot of these decisions. So procurement, if legal wanted an AI tool, right, it would hit my budget. But the question, can we use the AI tool? Again, we go back to this committee, because I would want my security person to come in and say, Okay, this is okay from a security perspective, when it’s touching our systems. I would want privacy to chime in, obviously, what are the privacy implications? So I think it’s a committee, but then it goes back to some of the old documents that we have, policies, again, we have in place, so you’re not reinventing the wheel.

Justin Daniels  24:29

I guess what’s become clear to me in not just AI but other discussions that there is a clear alignment of interests in a lot of areas when it comes to data between privacy, security, and legal. Those three departments seem to be very much with common interests and values with data. And for a lot of companies. It’s like an aha moment. Oh, we are all allies. We need to work together. And that seems to be an approach I’m seeing pretty regularly.

Noga Rosenthal  24:57

Absolutely. I’m curious now to ask you, like, are you guys seeing, and this is what we’re doing, we’re approving a case by case use of AI. And I don’t know how much longer we could do that. But I’m wondering what you guys are seeing? Are you seeing that as well?

Justin Daniels  25:14

So I see that a lot. So then when I’m having some of these consults, I don’t know, if you’ve had a chance to take a look at the NIST AI risk management framework. So for my view, that’s right now the best thing out there for a holistic approach, that’s not a case by case because the governance aspect of it really requires that an organization figure out how do we prioritize this risk, how to what is our risk appetite for this and coming up with that, then once you do that, now you get into how different use cases might fit into your overall AI risk management standpoint.

Noga Rosenthal  25:51

I love that. And I’ll go look at that right after this. Again, we, I have to tell you, this has been very overwhelming with the AI and all the guidance coming out. So I think that’s another…

Justin Daniels  26:05

We’ll be happy to send you the AI presentation Jodi and I did last week, if it will further your understanding, because it was all about NIST.

Noga Rosenthal  26:15

Thank you, I would love that.

Jodi Daniels  26:16

I was gonna add, what I’m seeing is the combo. Some are still doing case by case, some are trying to create a policy where it’s not exactly case by case, however, very similar to privacy, where there’s privacy assessments. Now people are trying to do AI assessments, which would then come back to case-by-case. So imagine your committee, here’s some new idea that you have, you would run it through the AI assessment. And people are using the same privacy tools to be able to do that, in some cases, some of the software already has templates that are able to do or customize, and you’re able to do the same thing. So that’s where I’m seeing some of the companies go.

Noga Rosenthal  26:55

I love that. Thank you.

Jodi Daniels  26:59

Well, we ask everyone, because you know so much about privacy and security when you are out at a cocktail party or an event. Now with privacy friends, what is the best personal privacy or security tip that you would offer.

Noga Rosenthal  27:14

So from a security perspective, and I know this might sound strange, but putting a credit freeze and security freeze is essential. I’m friends with Miriam Wugmeister over at MoFo. And she had told me that early on in my career, like just make sure everybody in your family has that in place. And what that does is prevent fraud on your account, bank account, credit card, things like that, which everybody shouldn’t have, because our data is out there. Unfortunately, all our social security numbers are out there. So that’s one. For me, the bigger struggle that I’ve had personally is I have three kids and trying to keep up with the privacy and security. You know, just how to manage the apps that they’re using has been really hard. Just on a personal note, my daughter, who at the time was 10, had somebody drop an inappropriate picture on her phone. While we were out on the street, she was with me, through AirDrop, and I realized that she had AirDrop set to everybody being able to send her pictures. And here I am, I’m a privacy person, this is my job. And I missed that. So just looking at your kids’ phones, talking to them, making sure that the settings on their devices and their apps are set to the most private is just really important. It’s a scary world out there. And that to me is the number one area that I’m really looking at.

Jodi Daniels  28:51

That’s a really great tip. And it is super scary as parents ourselves.

Justin Daniels  28:57

Yes, in our home, we believe in a full surveillance state when it comes to our children.

Noga Rosenthal  29:02

You know, Justin, I struggle with that, because I do want to give my kids privacy. Right. So I do want them to be able to feel comfortable around me. But again, another podcast. What do you do? I don’t know. I don’t know what the right line is here.

Jodi Daniels  29:19

We don’t actually have access to all of the information. So your statement makes it sound like we do and and we don’t. Yes, but we have monitoring tools that would flag an inappropriate thing, which is super different from I know everything that’s specifically on your phone. I couldn’t tell you every text that she sent unless I opened the phone, but it’s trying to create those boundaries and have apps and tools to monitor just like an organization would have a tool to monitor that was an inappropriate email or you shared confidential information in an email. The monitoring tools are going to be very similar.

Noga Rosenthal  29:58

You know tied to that, Jodi, you know talking about employee monitoring? I mean, one of the things that I always say is that if you tell your employees, hey, I need to keep my network secure, I will be monitoring you. I think that actually starts getting employees, mindful of like, okay, so there’s certain things I really shouldn’t be doing well, hopefully, that makes people think through and say, Oh, I shouldn’t be doing these things. I would say the same thing about kids, right? It’s the same thing I would take back and say, Hey, kids, I’m monitoring, you’re watching everything you’re doing. So maybe that’ll make them stop and think, oh, mom’s watching, maybe I shouldn’t do A, B and C.

Jodi Daniels  30:36

Conversations are critical or that’s you have to be able to talk to your kids and explain why this is a risk, why you’re doing it. And I like the approach that you’ve just shared. So thank you for sharing multiple tips.

Justin Daniels  30:52

So when you’re not serving as a CPO and thinking about all things, privacy, what do you like to do for fun?

Noga Rosenthal  31:01

I love food. I like going out and trying new things. So I know all the best ice cream places in New York City. If you ever head over here, I could definitely make a couple of recommendations. So that’s my favorite thing to do. And unfortunately, I think my husband and I have run out of places to go to so there’s nothing new here for us icecream wise. So we may need to leave New York City and try somewhere new. But that’s definitely one of my favorite things to do is food, try new restaurants, new foods, whether it’s a local Chinese food place, or we have a Himalayan place down the block from us, it’s we’re so lucky here in the city to be able to try new things. So that’s my favorite thing to do.

Jodi Daniels  31:44

That sounds delicious. If people would like to learn more about which ice cream places to go to, or also about privacy, where should we send them to connect and learn more?

Noga Rosenthal  31:57

I follow Eater, but I’m also on Google Maps. I look up Noga Rosenthal I, you could see I’ve reviewed a bunch of ice cream places you can start there.

Jodi Daniels  32:08

Super fun. Well, Noga, thank you so much for stopping by and sharing all of your great insight and wisdom. We really appreciate it.

Noga Rosenthal  32:15

Thank you guys.
