Episode 11: Alysa Hutnik on CIPA lawsuits and the implications for privacy law - The Monopoly Report

Summary7 min read

Podcast Summary: Episode 11 – Elisa Hutnick on SEPA Lawsuits and the Implications for Privacy Law

The Monopoly Report, hosted by Ari Paparo, delves deep into the intricate world of antitrust issues affecting the global advertising economy. In Episode 11, released on December 18, 2024, Paparo engages in a comprehensive discussion with Elisa Hutnick, Partner and Chair of the Privacy Practice at Kelly, Dry & Warren. Elisa is renowned for her expertise in privacy within the ad tech sector and active involvement in industry associations such as the IAB and NAI. This episode centers on SEPA (the California Information Privacy Act) lawsuits and their broader implications for privacy law.

1. Historical Context of Wiretapping Laws

The conversation begins with a historical overview of wiretapping laws in the United States. Alan Chappell, the host, traces the origins of wiretapping back to the Civil War era, highlighting its evolution from intercepting telegraph messages to its use by the NYPD in the 1920s against bootleggers and organized crime. He further discusses the surveillance activities in the 1950s and 1960s, including the monitoring of Martin Luther King Jr., which led to increased scrutiny under the Fourth Amendment.

Notable Quote:
“The first examples of wiretapping go actually back to the Civil War... to eavesdrop on conversations.” – Alan Chappell [00:00]

2. Understanding SEPA and Its Impact on Ad Tech

Elisa Hutnick elucidates SEPA’s role in modern privacy law, emphasizing its stringent consent requirements. Unlike older wiretapping laws from the '60s to '80s, SEPA introduces significant monetary exposure for businesses that fail to comply. She explains how current ad targeting techniques, such as firing tags on websites (e.g., URL, IP addresses), can inadvertently violate SEPA, leading to hefty statutory damages.

Notable Quote:
“When I go to your website and those tags are firing on your site, you are intercepting... that is a wiretap violation under certain state laws.” – Elisa Hutnick [03:15]

3. The Rise of Private Right of Action in Privacy Lawsuits

Hutnick highlights the critical shift from government-only enforcement to the introduction of private rights of action. This change allows individuals to sue companies directly, leading to a surge in lawsuits. Over the past year, more than 200 lawsuits have been filed, with numbers rapidly approaching the thousands. This shift has been a game-changer, as businesses now face a flood of private litigations rather than relying solely on government oversight.

Notable Quote:
A private right of action means rap for business. And so what we've seen... approaching thousands.” – Elisa Hutnick [05:52]

4. Current Wave of SEPA and Wiretapping Lawsuits vs. Past Cases

Comparing the current lawsuits to historical cases like those against DoubleClick and PharmaTrack Atlas, Hutnick notes that past cases were primarily under federal laws such as the Wiretap Act and Stored Communications Act, which were interpreted narrowly by the courts. In contrast, the present wave leverages state-level SEPA claims, which vary significantly in their interpretations across different jurisdictions, notably within California.

Notable Quote:
“Those were brought primarily under the federal Wiretap act... today... we have state claims and we have particular states that are really hot button.” – Elisa Hutnick [07:23]

5. Geographic Focus: California and Beyond

While California remains the epicenter for SEPA-related litigation, other states with two-party consent laws are also seeing an uptick in lawsuits. States like Massachusetts, Arizona, and Florida are exploring various theories to find legal hooks, although success rates vary. The inconsistent rulings across different regions complicate the legal landscape for businesses operating nationally.

Notable Quote:
“California, I would say is by and large the hottest kind of part of where all the activity is happening.” – Elisa Hutnick [08:34]

6. Creativity of Class Action Litigants

Challenging the conventional, Hutnick remarks on the ingenuity and persistence of class action litigants. They have successfully repurposed existing laws, such as the Video Privacy Protection Act, to target ad tech companies by framing digital advertising practices as violations, showcasing their ability to adapt and exploit legal nuances.

Notable Quote:
“They were able to convince... that a video website is a videotape manufacturer under the video privacy Protection Act.” – Alan Chappell [09:49]

7. Implications for Ad Tech Practices

The discussion shifts to how wiretapping lawsuits affect ad tech operations. Hutnick explains that any website utilizing digital advertising or analytics tools—like retargeting pixels or Google Analytics—is at risk. She points out that flawed implementations, such as incorrect cookie banners that don’t comply with SEPA requirements, exacerbate legal vulnerabilities.

Notable Quote:
“It's really any website that has any kind of digital advertising or analytics...” – Elisa Hutnick [11:24]

8. Mitigation Strategies for Companies

To navigate the complex legal environment, Hutnick advises companies to adopt more intentional and precise consent mechanisms. This includes crafting clear privacy policies, ensuring affirmative user consent before activating tags, and fostering effective communication between legal, technical, and marketing teams. Such strategies are essential to mitigate the risk of costly litigation.

Notable Quote:
“If you're going to use a banner, be really intentional about what the language says and what the choices are.” – Elisa Hutnick [23:50]

9. The Oracle Case and Its Significance

Elisa discusses the Oracle case as a pivotal moment in the application of SEPA claims against data brokers. Oracle's extensive use of sensitive personal information, coupled with wiretap claims, led to a substantial settlement. This case underscores the heightened risks for companies dealing with sensitive data and the importance of robust privacy practices.

Notable Quote:
“There were pages and pages and pages in that complaint that really honed in on using just very sensitive personal information...” – Elisa Hutnick [14:29]

10. US vs. EU Consent Regimes

While comparing the US and EU approaches to consent, Hutnick opines that the US is unlikely to adopt an EU-style comprehensive consent framework. Instead, the US will continue with its patchwork of state laws, leading to varied and region-specific compliance requirements. This fragmented approach poses challenges for nationwide businesses striving for uniform compliance.

Notable Quote:
“I don't think we're going to see that because we have patchwork.” – Elisa Hutnick [18:24]

11. Future Outlook: Post-Third-Party Cookies

Discussing the future beyond third-party cookies, Hutnick anticipates that litigation will persist, adapting to new tracking technologies such as AI-based tools and APIs. Although removing cookies might complicate some legal claims, the continuous evolution of tracking methods will ensure that lawsuits remain a significant concern for ad tech companies.

Notable Quote:
“There's going to be another flavor. We are seeing it with chatbots, we see it with AI based technology on site.” – Elisa Hutnick [20:58]

12. Private Right of Action and CCPA Nuances

The conversation delves into the complexities of the California Consumer Privacy Act (CCPA) in relation to private rights of action. While CCPA provides some protections, inconsistent court rulings create uncertainty. Hutnick notes that companies often face conflicting interpretations of whether they qualify as service providers, further complicating legal defenses.

Notable Quote:
“We are not in the run stage to have clear lines.” – Elisa Hutnick [25:10]

13. Recent FTC Enforcement and Its Implications

Hutnick addresses recent enforcement actions by the Federal Trade Commission (FTC) against data brokers like Mobilewalla, focusing on the misuse of sensitive geolocation data. She emphasizes the FTC’s increasing focus on accountability and supply chain trust, highlighting that technical standards and diligent oversight will be crucial in meeting regulatory expectations.

Notable Quote:
“There is an emphasis on what is, what is reasonable diligence and then reasonable oversight and monitoring.” – Elisa Hutnick [27:08]

14. Tips for Avoiding SEPA and Wiretap Entanglements

To conclude, Hutnick offers practical advice for businesses aiming to steer clear of SEPA and wiretap-related lawsuits:

Clear Consent Language: Use precise and unambiguous language in consent banners.
Affirmative Consent: Ensure that user consent is obtained before activating any tracking tags.
Comprehensive Privacy Policies: Clearly outline data usage and sharing practices.
Legal-Arts-Tech Communication: Foster robust communication channels between legal, technical, and marketing departments to ensure compliance.
Arbitration Agreements: Incorporate arbitration agreements to mitigate the risk of mass class action lawsuits.

Notable Quote:
“There are ways to mitigate the risk of being an oracle in terms of facing those that really massive liability.” – Elisa Hutnick [24:57]

15. Conclusion

The episode wraps up with Hutnick expressing optimism about the industry's shift towards better privacy practices, albeit acknowledging the challenges ahead. She underscores the necessity for businesses to adapt proactively to the evolving legal landscape to protect themselves from significant financial and reputational damages.

16. Personal Insights: Elisa’s Hobbies

In a lighter moment, Elisa shares her passion for yoga, highlighting its role in maintaining her well-being amidst a demanding legal career. This personal touch underscores the importance of work-life balance, especially in high-stress professions.

Notable Quote:
“I'm a devoted yogi. I've been doing it... when I'm upside down, I can do a 10 minute head stand and that's my happy place.” – Elisa Hutnick [31:38]

Closing Thoughts

Episode 11 of The Monopoly Report offers an invaluable deep dive into the intersection of wiretapping laws and the ad tech industry, featuring expert insights from Elisa Hutnick. For businesses navigating the complex terrain of privacy laws, this episode serves as a crucial resource, highlighting the importance of proactive compliance and strategic mitigation to safeguard against burgeoning legal threats.

For more in-depth analyses and future discussions, subscribe to The Monopoly Report podcast on Spotify, Apple Podcasts, YouTube, or visit Monopoly Market tv.

Loading summary

Transcript53 lines

[00:00]
Alan Chappell
Foreign welcome to the Monopoly Report the Monopoly Report is dedicated to chronically analyzing the impact of antitrust and other regulations on the global advertising economy. This week's newsletter discusses a number of key ad targeting techniques and solutions currently being used in an attempt to get everyone on the same page for the date if and when third party cookies are deprecated in Chrome. We'll be focusing on this a bunch in 2025. If you are new to the Monopoly Report, you can subscribe to our weekly newsletter at Monopoly Market tv. And you can check out all the Monopoly report podcasts@monopolyreportpod.com I'm Alan Chappell. This week we've got Elisa Hutnick, who is the partner and chair of the privacy practice at the law firm Kelly, Dry and Warren. Elisa is super active in a whole bunch of industry associations within the IAB and in the NAI and is widely regarded as a thought leader when it comes to privacy in the ad tech space. So I'm super excited to have her on the pod. We're going to be talking about wiretapping laws and how they are impacting the ad space. Specifically, we'll be talking about sepa, the California Information Privacy Act. I really wanted to talk about this here because a good deal of our audience might be sleeping on sepa, even though, at least in my view, a SIPA lawsuit was one of the causes behind the demise of Oracle and their exit in the larger ad space. Welcome to the pod, Elisa. It's great to have you on.
[01:35]
Elisa Hutnick
I'm so glad to be here. Thanks for including me.
[01:37]
Alan Chappell
Well, thanks. I'm looking forward to a great discussion and I wanted to give everybody some background. So the broader topic here today is wiretapping and how that impacts the larger ad space. And so just by way of background, and I'm probably oversimplifying here a bit, but the first examples of wiretapping go actually back to the Civil War, where you literally had both sides were intercepting telegraph messages from each other in an attempt to get critical information. And so you fast forward a bit and the NYPD was using wiretaps into the 1920s and beyond, in part to go after the bootleggers and organized crime. As we get into the 1950s and 1960s, wiretaps were used to conduct surveillance on Martin Luther King Jr. And others. And and so somewhere along the way, U.S. courts had started asking, you know, whether wiretaps violated the Fourth Amendment protections against unreasonable search and seizure. Okay, so starting in the 1960s at both the state level and the federal level laws started to be enacted to address concerns over wiretapping. The idea that, you know, is it unfair for some party who is not, you know, the part of the conversation, is it fair for them to, to insert themselves in that conversation and to kind of eavesdrop? So generally speaking, those laws that were enacted required a consent for anybody seeking to intercept a communication. Okay, Lisa, so you know, what specifically is sepa, which is the California Information Privacy Act? And why in the world should anybody listening to this in the ad space, you know, be worried about any wiretapping law, most of which, you know, were created back in the 60s, 70s and 80s?
[03:16]
Elisa Hutnick
Well, they're worried about it because there's some really significant monetary exposure and, and they catch you by surprise. I might take your history and just to give it a context here, I was a really big fan of the Wire, that show on. On Max. I'm totally back to binging it again. But it's a really good, plain language example of what we're dealing with just in a different context. Right. You have somebody else, right? So some other person. In that case, it was law enforcement who wanted to get the phone numbers coming in and the phone numbers going out and the contents of that communication for their investigations. That was the concern that you raised historically on is there an expectation of privacy when you're on the phone with another person, perhaps in your home or somewhere else? And there are federal statute on that. And then there's a number of state statutes because states always like to add their checkerboard of, of nuance and fast forward to where from. If you're a business, you were concerned about which states have a two party consent requirement. And all that meant is you needed both sides of that communication to have affirmatively agreed. And I think all of us, anytime you call an airline, you have that ivr disclosure that says this call may be monitored for quality assurance purposes. That all makes sense. We're used to it in a phone context, but we have a very entrepreneurial, litigious environment in the US and creatively applying that context in the sense and so saying when I go to your website and those tags are firing on your site, you are intercepting. You are either capturing, think of the phone number context in the phones, but you are capturing information in that URL, IP address, IDs, or you're capturing that private communication of what is happening on that website between me and the company who is providing the website. And that is a wiretap violation under certain state laws. And the kicker there is of course why would plaintiffs bring that? It's because they want money. And there are statutory damages, which means how many times how many plaintiffs could be potentially injured by this. And that adds up to a lot of money. And so that, that is what we are seeing a massive wave of.
[05:38]
Alan Chappell
Okay, that's great. Background. Can you just. One other just housekeeping background item. Can you walk our audience through a private right of action? Because I think that's integrally involved here in these and these types of at least state level suits.
[05:52]
Elisa Hutnick
Sure. So a lot of the privacy laws that have been in the news, let's just say the last five years, they had no private right of action, which meant only the government could enforce a claim. But a private right of action means that Joe Schmo can hire a plaintiff's attorney and say sue that company. And just from a volume standpoint, government might exercise discretion. There's a resource issue as that who it's going to target. Private right of action means rap for business. Right. And so what we've seen in the last year are over 200 or so lawsuits filed. And then we're in the thousands. If we're talking about demand letters, those nasty gram letters you get that says pay us, you've violated the law as well as mass arbitration. So many companies in their terms of use, they don't want to go to court, they want to deal with it in arbitration. And so they've got that long text clause. But what a lot of plaintiff's attorneys have done is send you three boxes full of thousands and thousands of complaints and say, this is a mass arbitration demand. Pay me money. You have violated the rights of all of these individuals in these boxes.
[07:00]
Alan Chappell
Okay, so as I think about this and I started to see some of these state level, you know, sepa type wiretapping suits being filed in my brain and I've been in the dad space for a while now, I'm thinking, well, wait a minute, we've already litigated this. Weren't there cases against, you know, DoubleClick back in the day, 2000, PharmaTrack Atlas. And so why are these different?
[07:24]
Elisa Hutnick
So those were brought primarily under the federal Wiretap act and Stored Communications act, federal laws that were interpreted by the courts a more narrowly. And we generally see that today, while some of those federal claims are brought, those are not usually the ones that have staying power. The pain point here is that we have state claims and we have particular states that are really hot button decisions where you have a court, let's just say in one Part of California rule one way and courts in another part of California rule the other. And so that area of California reports are saying, I can see this getting, maybe there's a claim here and we'll let you continue to litigate. Well, that is what's happening. So then all the plaintiffs pulled their cases from that part where it was not getting much traction and refiled them in, in the part of the, the courts where they were entertaining that. And so this is about how much money you have to pay to litigate through the whole experience of litigation. And so once you get past what we'll call the early stage, the motion to dismiss, that is really scary for a lot of companies because it's a lot of money to pay lawyers to defend these claims for the long haul.
[08:29]
Alan Chappell
So is it just California or are there other states that have their own wiretapping laws?
[08:34]
Elisa Hutnick
So there absolutely are other states. The key are the states that have two party consent requirements, meaning it can't just be the business who's the publisher, who has the site up, that has to be provide the consent. It means both parties. But California, I would say is by and large the hottest kind of part of where all the activity is happening. We are seeing developments. So Massachusetts, there were certainly cases filed there, but you had courts rule the other way and say, no, no, we don't entertain this in the context of ad tech, but we are not just static on the kinds of theories that these attorneys are bringing. And so we see these new applications popping up in different states just to see is there a hook. We saw stuff in Arizona, we saw in Florida, there's another kind of technology session recording where you want to see what the consumer, what usually in the lead form context, how are they interacting with the lead form, what are they clicking on? Where, where is their mouse really staying for a bit? That session recording where a whole really kind of vertical of those cases and in Florida filed in particular and not getting as much traction. So you see, they really follow for wherever a court is willing to give a bit of a nod and then you see a ton more cases filed as a result.
[09:49]
Alan Chappell
Yeah. So one of the things that I always sort of marvel at is the level of creativity and perhaps aggressiveness of the class action litigants. And the example I always use, which is a little unrelated to this, but I think it's a good one, is, you know, they've been able to convince not just one, but almost every court in the land that a video website is a videotape manufacturer under the video privacy Protection Act, I mean, which is just in and of itself. And that's now accepted. You just think that's. It took a number of years to get there, but boy, are those guys persistent.
[10:23]
Elisa Hutnick
I'm shivering a little bit because that was. Yeah, it was a whole other. We have these buckets. And so the wiretapper won the videos. We had clients that were getting these lawsuits because they had a, a corporate equity video on their corporate site, but they had ad tags also firing on those. And they alleged. Right, yeah, that was a Video Privacy Protection act claim.
[10:43]
Alan Chappell
And so bringing it back to the Wiretap Act, I remember in Pennsylvania there was sort of a weird nuance to the law where there was a kind of an exception for law enforcement, which wasn't really part of the consent requirement. And, and the class action litigants were able to, to leverage that tiny crack so as to go after a couple of companies successfully on claims. And so. But let's bring this back, you know, to the ad space. I mean, how are these wiretapping suits really manifesting themselves? I mean, is this mostly like, you know, a website that's doing retargeting or, you know, analytics or working with the social platform and just doesn't have like a, like a cookie slider thing working properly?
[11:24]
Elisa Hutnick
Well, I would say it's really any website that has any kind of digital advertising or analytics, the plainest bar usually likes to recycle the same complaint. And so we saw a whole trove of they were all metapixel and then they were all TikTok Pixel and then you had some Google Analytics. So I mean, it's actually, I think, less the technology and more they'll just do a whole bunch that all follow the same theme. But no pixel goes unnoticed in that sense. And so we certainly. There's a long list of varieties that we've seen and everybody can tell that banners have flown up in the US Left and right. CCPA didn't require no US Privacy law. Conference of Privacy law requires a cookie banner. But because of Wiretap, we saw all sorts of banners pop up. And then you saw plaintiffs lawsuits filed because the banner implementation added more issues. Right. The language wasn't correct. It was an illusory choice in that you're offering some kind of choice and it didn't matter because tags were firing right away regardless. And so it's really required, I think, a much more nuanced strategy on how companies deal with this and also what amount of risk the company's willing to accept. And at the End of the day, because the silver bullet is consent under the wiretap, which unlike the privacy laws, you don't have a lovely statutory definition that says exactly what that consent has to mean. And so how companies are dealing with that, you have some options and options short of, let's just say a privacy type of consent because most companies in the US are not quite ready yet to go to the affirmative opt in before tags start firing on page.
[13:05]
Alan Chappell
So it's funny you bring up the CMP implementation issue because if you ever thought of a textbook example of why we need better communication as between legal, the tech side and the marketing side of almost any company, because I've seen a whole bunch of these and I've had companies come to me after they've already had a problem and inevitably it is because one of the three of those groups, the three legs to the proverbial stool, has not effectively communicated something to the others and it's causing real dollar amount damages now.
[13:40]
Elisa Hutnick
Yeah, no, I think that that's right. They're more often than not you have very sloppy cookie banner and I say cookies when we're so well beyond cookies. But, but that is you have old language slapped onto a website and it does not help your case.
[13:54]
Alan Chappell
I'd love your thoughts, you know, on what happened to Oracle. And I think there's, there's certainly a number of reasons why Oracle made the decision to, to effectively close down the, the Oracle marketing cloud. You know, as somebody who helped sell a couple of companies into Oracle over the years, I looked at that and I was, there's part of me that was a little sad, but I'm just curious, like there was a SEPA lawsuit pending on Oracle and I'm wondering if you have any thoughts as to like the impact or at least why were those cases relevant to Oracle's ultimate decision?
[14:30]
Elisa Hutnick
There was a SEPA certain lawsuit that went through so many rounds up and down, up and down with a, with this SEPA claim brought by privacy advocates. And at the end of the day they did settle that case for what is that, a hundred million or so. I actually think the hook there was a bit broader and you see that in other enforcements where the data broker industry with sensitive data is really so much at the core of that. And I see it in a lot of the wiretap lawsuits now where if you are dealing with sensitive personal information, that just puts a whole other risk element to it. And while certainly lots of companies without sensitive information are getting SIPA lawsuits, many of those I would say are still settling for fairly small dollar and the plaintiff's attorney doesn't come back to them. Where you have a website or you are a data broker where tons and tons of different types of very sensitive personal information and you have the wiretapping component to it, I just think that there's a whole other PR and risk element. You still have a judge who's a human who has to evaluate the set of facts. And sometimes optics can be motivating and going one way versus the other. And if you read the complaint in Oracle, I mean, there were pages and pages and pages in that complaint that really honed in on using just very sensitive personal information, medical information, ethnic, racial identity, political interests, along with precise geolocation information, have all of that and then package that up with a SEPA claim about wiretapping.
[16:05]
Alan Chappell
Yeah. In the back of my mind, I always wonder if, you know, Oracle might have been able to beat this ultimately. I know they certainly tried and took what, a year and a half. But there's a part of me that also wonders if at some point they just said, you know, what is this business worth it? And I have to sneak. That came into as part of the calculation.
[16:25]
Elisa Hutnick
Well, that's exactly it. I see across the industry, I mean, we're all seeing it, right? Data brokers in particular and those with sensitive information, if they are not looking to a durable strategy. I mean, there's just a lot of business tension on what was always done versus where the law is going and where the risk is going and what they need to be able to provide to sustain that type of business. And so I think we've seen some calculated decisions of if I have other verticals within my enterprise, maybe I should invest in those other verticals. I don't see a data broker industry going away, notwithstanding a lot of different new laws that are popping up. But I do see the practices changing a whole lot.
[17:06]
Alan Chappell
Yeah. And hopefully, and I say this as a strong advocate of the data driven advertising space, but hopefully we start to move away from certain activities which are a little bit more problematic. I mean, historically we've been able to say collectively, and sometimes you're in the room and we're saying these types of things. We're not what I'm saying, these types of things. You know, what's the harm? What's the harm? Like, you know, and. But now you've got, you know, demonstrated cases where you're outing priests or you're, you're checking the movements of government officials or, you know, people looking for reproductive care being and so you, these are clear examples of harm. And one of the things that I'm hopeful that we, that our industry gets maybe a little bit more serious about is trying to address these types of things.
[17:50]
Elisa Hutnick
Yeah, I mean it was an all you can eat buffet with a lot of nice to haves nods to privacy for a very, very long time. And we went from best practices to highly regulated and we're now in highly regulated land. And so it does mean there's a lot more pressure at showing on the supply chain that you're working with good actors and that we're, we're all working within the lines of what we've allowed the data to be used for.
[18:15]
Alan Chappell
So do you think these wiretap laws are effectively pushing the US closer to an EU style consent regime for things like tracking cookies, etc.
[18:25]
Elisa Hutnick
No, I don't think so. I really don't. Because I think we're going to see that's the easy answer. But if you don't have like the EU1 law that says everybody should do consent, we don't have that. We have patchwork. And people are not all on the same page not having the same conversation. And it's really hard to turn a switch across the nation when we don't have a clear common understanding of what the requirement is. And so I think there's going to be still a lot of risk based decisions on what one is going to do. I think we're moving towards how do you deal with sensitive information and requiring consent for sensitive information. I'm seeing most trying to get away from sensitive information. Are there other options and ways to do that? I see a lot of effort on, on trying to change the legislation in California and a few other places to make it more clear that it doesn't. The wiretap laws don't apply to ad tech. So I could almost see more investment in trying to have a more reasonable approach there. Think about California. They spent so much money setting up a privacy agency. They have the California Attorney General's office, they have reams of regulations and statutory language that all say opt out. So how can it be that this very old law suddenly flips that? And I think the legislature has something to say on that. Eventually I agree with you.
[19:45]
Alan Chappell
But I'm also going to take a little bit of a contrarian position that the delta between what's required and enforced in the EU and the de facto standard in the US is pretty narrow. Because at the end of the day, I mean, I do a lot of just rando research for my work, as I'm sure you do too. And like every website you go to has some flavor of a cmp. So. So whether or not I have to click, you know, yes in order for, you know, the, the site to, to move forward to me is a meaningless distinction because you're still kind of getting annoyed by these, these pop ups that I agree with.
[20:23]
Elisa Hutnick
I mean, and I think the enhanced transparency, yes, I think we are getting very close to that in the EU and that's being driven by a whole lot of other reasons. But there are critical business impacts when one flips to an opt in before taxpayer versus the opt out. And until everybody is doing it and it's a level playing field, I don't see too many raising their hand if they're not really required to do so. That is really, I think the pain point where we're at.
[20:48]
Alan Chappell
Yeah, I think that's fair. So let's say that third party cookies are deprecated tomorrow. Does that mean the end of these, you know, these wiretap lawsuits now?
[20:58]
Elisa Hutnick
I mean, so here's the thing. I think what is a constant, what, what must be true to be in the US is litigation is a profession. People make a living filing lawsuits. So it doesn't stop. I've been around, as you have long enough, where TCPA around texting and calling and robocalling was the big, big wave. And many of those same plaintiff's attorneys are the ones that are bringing these SEPA suits. So there's just going to be another flavor. We already see it with chatbots, we see it with AI based technology on site. We're certainly, I think the future, we're going to see more API based wiretapping claims. Right? Not, not the visibly apparent options, but certainly known common practices. So I just think it'll continue to evolve.
[21:44]
Alan Chappell
So I agree with that as well. Although one thing that, that is going to make bringing these cases a little bit more difficult in a post cookie world is that, you know, with cookies you kind of have a very clear sense, okay, a cookie was placed on this desktop and this date at this time. So once you remove that, it does sort of make the class action litigants work cut out for them a little bit more.
[22:06]
Elisa Hutnick
They have to work for it more. But you know, sometimes we're our worst enemies. Like when I think about the ad tech companies that I work with, sometimes there's some sloppy language on the marketing and sales side that talks about all the things that they can do and in their own words that can be used against them. And so to your point on there's never been a better time to make best buddies with between legal and marketing and and have some common language. So you just know what's the low hanging fruit to to not have with bells and whistles around it.
[22:39]
Alan Chappell
So I just came to mind so I'm going to share it that my favorite one of these cases that I've seen over the last year or two was there was a tax preparer website who had a couple of social media pixels and the class action litigants were able to make some flavor of a RICO statute for violating the tax code and a whole bunch of other things. And I don't know that it survived the motion to dismiss. But just the chutzpah for even bringing that together. You kind of on some level you have to applaud the creativity even if you don't like it.
[23:09]
Elisa Hutnick
I agree with that. And I can think of media stories, love the hook. And so I just think of all of these wiretap cases like the wave of different industries that are getting sued. Often what came before was some media story that said the nerve. Right. Of these companies using ad tech on these pages talking about xyz. And so you think about who's going to pay attention to me. And a lot of this now is so automated to highlight who is using tags in unique applications for purposes of these stories.
[23:42]
Alan Chappell
Okay, so let's bring this home. So what tips do you have for our listeners who want to avoid a SEPA or some other wiretapping entanglement?
[23:50]
Elisa Hutnick
Well to the point we were talking about earlier, if you're going to use a banner, be really intentional about what the language says and what the choices are. So I mentioned consent is not defined by wiretapping laws. And so think about what is enhanced transparency. Right. Really something really good language about what the user's conduct by continuing to use the site, what does that signal and signal consent to the privacy policy and the terms. Having that affirmative agreement to the privacy policy and the terms and ideally some information about it's recorded and being shared and we can have nice ways to say that. And I think you can do it in a pretty concise way that's really helpful even to have agreement to arbitration terms so that mitigates risk of the lawsuit and then having there are some lawful ways to have pre steps, pre process that somebody has to do before they file a mass arbitration claim against you. And there's ways to do that. Right? And there's ways not to do that. Right. But these are all layers to mitigate the risk of being an oracle in terms of facing those that really massive liability.
[24:57]
Alan Chappell
All great points. Now one other thing I've read a little bit is that if you're technically a service provider under CCPA that you're, your liability would be or your risk there would be significantly limited. Am I understanding that correctly?
[25:11]
Elisa Hutnick
Yes, for ccpa and we privacy lawyers wanted to lean on that heavily for the wiretap and unfortunately we just didn't get consistent rulings by courts on that front. We had some good cases, I had a colleague who really litigated a number of those and we got some positive rulings in the Northern district of California and then we got some opposite rulings in the Central district. So it's a helpful factor. We are seeing, I mentioned the AI flavor of cases. We are seeing a line of cases there where the service provider aspect didn't mean anything to them and they were back to well, is there capability for that service provider to use the data and for other purposes. So I just think we are in the early crawl walk stage and we are not in the run stage to have clear lines.
[26:00]
Alan Chappell
So it's funny in my view, and maybe I'm just being a pessimist this morning I see it's a rock hard place stage because. Because, well, firstly it's kind of difficult for an ad tech company to even qualify as a service provider given how they've limited all that. So. So query whether, you know, 90% of our listeners here could even be a service provider here. But then even if you qualify as one on the other side, what they're saying is it's like, well yeah, but we don't really trust that designation.
[26:28]
Elisa Hutnick
Correct. Well and let's be fair, there are many in the industry who have said I'm a service provider and meanwhile we're doing, you know, all sorts of things with the data across clients. So I think again back to the all you can eat buffet. We've got many doing lots of different things and we're all, you know, trying to figure our way.
[26:47]
Alan Chappell
I want to shift topics just a little bit. I'm sure you saw the recent FTC enforcement action against location data broker mobilewalla and I'm just curious to know your thoughts on the FTC's view that bid listening and how they're basically saying that auction data is being sensitive because that sort of ties into what we were just talking about in terms of having a consent standard.
[27:08]
Elisa Hutnick
Correct. So the FTC announced that enforcement along with others on data brokers and sensitive personal information I will just say was at the root the draw of the FTC looking at those companies precise geolocation information, creating audiences like we talked about Oracle and a lot of sensitive attributes. The bid listing, absolutely I think caught a lot of us, you know, really focusing in on that. On well, if the company is violating contract terms, the contract terms, you said you shouldn't do it if you're not the winner of the bid. Is that a violation of the FTC Act? And I think we have some, certainly some language that we can pull from. It's not a good practice. Violating contracts is not a good practice but that by itself is not an FTC violation. It's what kind of data are you talking about in that case there was really a focus on sensitive data location and I will just say that's going to continue even in the next administration. We had some opinions from going to be the future chair of the FTC and there was real concern on that point. So it's not a Democrat versus Republican thing. So I will say that. But maybe the more important the point not to miss is the trend line on accountability and supply chain trust. That's not going away. And we see that under the state law saying you need to know what your partners are doing and you need to ask questions and it can't just be at the front end, set it, forget it and not look back at it. There is an emphasis on what is, what is reasonable diligence and then reasonable quote unquote oversight and monitoring. And we don't have right now a well oiled by our approach to how to solve that. Right. There's going to have to be technical standards. I mean the think about brand safety like we have ways of testing that in a, in a pretty efficient way today and in services that provide that. I think we're going to get there. It's just going to be a painful road to get there.
[29:11]
Alan Chappell
So I agree with all that. The only thing I would add is that the thing that really concerned me about the mobile wallet settlement is that the language there is extremely restrictive and arguably you can only use the data to participate in a bid. I mean if you read that literally that means you can't use it for attribution or ad targeting or literally anything else. What happens when that gets pasted into somebody else's privacy law or regulatory order?
[29:38]
Elisa Hutnick
Yeah, so this is, it's a really interesting moment in time though because that enforcement came out right at the time that we are shifting to another administration that has other Policy priorities. And so one, there's a policy shift from. Is that really the stance of the FTC going forward? And I think there's some questions on that. You are right though, that certainly what the FTC does states can look at and we have seen. Right, at least taking some of those concepts and deploying them in their law. I think there's probably something in between and we've seen at least as an overall trend. Yes, for sensitive personal information, there is a lot more set of requirements and expectations around what you must do. I think if you're talking about just personal information, not sensitive, I don't see the FTC going forward and then over the next four years really embracing that theory.
[30:32]
Alan Chappell
Yeah, I would agree with that. I think this FTC is going to be fairly laissez faire on many of the, what I would call core privacy issues, perhaps even health, because I think they're returning to a what's the harm? Type of a standard. And I think that they see harm in terms of collecting sensitive points of interest. I think that they see less harm in terms of collecting that somebody's visited a cholesterol site or something like, like that, which seemed to be a, a focus of the Khan administration.
[31:02]
Elisa Hutnick
I agree with you. It's a focus of the Khan administration. I am, I'm a little concerned about reading some of the statements by the Republican commissioners that I, I don't think they were as concerned about collection and creating segments. There was a real focus on the sale. What happens and, and how does that sale look? And so I think, doesn't mean it can't happen. But I do think there are real questions about what are the terms, what are the diligence that's going to be a factor.
[31:27]
Alan Chappell
Yeah, no, I think that's fair. And so we're going to wrap there. But before we do, we have a practice here of just asking our honored guests about what their super secret hobby is. I'd love to hear yours.
[31:39]
Elisa Hutnick
My super secret hobby. I am a devoted yogi. I've been doing it, gosh, for 25 or so years. But I really love it. When I'm upside down, I can do a 10 minute head sand and that's my happy place.
[31:54]
Alan Chappell
If you ask me, yoga should be mandatory for every working lawyer.
[31:59]
Elisa Hutnick
Oh my gosh. Yes. Like I, my shoulders would be up to my ears at this point if I didn't do yoga. It's the, it's the gravity support that I need on that front. I 100% agree.
[32:11]
Alan Chappell
Yeah, absolutely. Because it's it's really changed my life. I've started maybe 15 years ago and it's absolutely wonderful to the extent for most lawyers that it can replace binge drinking, that would be a helpful thing.
[32:22]
Elisa Hutnick
Or at least somewhat right. Twist it out.
[32:27]
Alan Chappell
Alisa, this has been a great conversation. Thank you so much for coming on the pod.
[32:31]
Elisa Hutnick
Oh, thanks so much for inviting me. Really a pleasure.
[32:36]
Alan Chappell
That was a great conversation. I'm going to be taking a break for the rest of December unless there's breaking news when Judge Bricma publishes the judgment in the Google Ads antitrust trial. But we have a bunch of other fantastic guests coming up on the Monopoly Report podcast starting in January, for example, we'll have Jules Polinetzky and Doug Miller from the Future of Privacy forum who are going to share their thoughts around the regulatory implications of data clean rooms. Please subscribe to the show@monopolyreportpod.com or on Spotify, Apple, YouTube or wherever you listen to your podcasts.