A

Foreign.

B

Welcome to the Monopoly Report. The Monopoly Report is dedicated to chronicling and analyzing the impact of antitrust and other regulations on the global advertising economy. If you are new to the Monopoly Report, you can subscribe to our weekly newsletter@monopoly-report.com and you can check out all of the Monopoly Report podcasts @monopoly report pod.com I'm Alan Chappelle. This week my guest is Senator James Maroney from the great state of Connecticut. Senator Maroney was first elected to represent the 14th district, which is in Milford, in 2018, and he currently serves as the co chair of the General Law Committee. Recently, Senator Maroney was named to the Inaugural Leadership Council of the Future of Privacy Forum center for Artificial Intelligence Senator Maroney's work on tech legislation has been recognized nationally and I've included the Senator's full bio in the show notes. I'm excited to speak with the Senator because I want to find out more about the process involved in passing a state privacy law. I want to understand how Senator Moroney got involved in that process and how he navigated the waters of industry lobbying efforts. I also wanted to find out more about the issues or concerns that Connecticut is looking to address over the next year or two via a privacy or artificial intelligence law. And maybe I can get the Senator to give us a prediction on how the UConn Husky basketball teams will do this year. So let's get to it. Senator Maroney, thanks for coming on my pod. How are you?

A

Good day. Thanks for having me.

B

Good. How are things in the great state of Connecticut right now?

A

Right now it's a little rainy with the nor' easter that's coming up, but otherwise things are generally good. Excited for the start of college basketball season up here as the center of the basketball universe?

B

Absolutely. I think there's two big games today, if I'm remembering correctly, exhibition games today.

A

Yeah, I need to check in on those scores after. I won't be watching them live.

B

Yeah, I'm looking forward to watching tonight, so I'd love to get a little context. So what's your origin story here when it comes to privacy legislation? How did you come to take an interest in privacy?

A

Thank you very much. It's great, great question. I think, unfortunately, I don't have that exciting of an origin story. I wasn't bitten by a spider in a lab or any, anything like that. You know, what I say is some people come to the legislature passionate about an issue, and sometimes an issue finds them. And I think I'm the latter in this case, at least. The issue found me. I was shift on on the committee. Senator Duff had been passionate about trying to get Connecticut to pass. You know, after the CPRA had passed, he had put in CCPA first, I think, then cpra. But after California had passed gcpa, he had put in proposed legislation on privacy in Connecticut for a few years. And then it ended up coming to my committee one year. And so I really dug in and was interested. You know, it's something, you know, as far as tech is something I've been interested in. I was a small business owner, had made my own websites, worked, you know, always seeing how I could include tech in the process. I was a tutoring business. When iPads came out, we were using iPads to record our sessions and to tutor on them. And so I got very interested and I really just dug in. And then it took me three years to pass our privacy bill. It's so I've kind of stuck with it and fallen down that rabbit hole and I just haven't come out.

B

Well, Senator, you are certainly in good company because for many of us, we didn't land on privacy so much as privacy landed on us because just all of the impact and the number of things in our society that it touches on. So I'd be curious to understand a little bit better. You said it took three years to pass the Connecticut privacy bill. You know, what took so long?

A

Yeah, so the first year and it couldn't even get the bill voted out of committee. It definitely the most lobbied bill in the Connecticut legislature for all of those three years. And you know, fun fact, Connecticut charges sales tax on lobbying services. And so I like to say whenever I ran a task force meeting or held a call on Privacy, I generated $1,000 in sales tax revenue for the state of Connecticut. So for every, every hour I ran. But it was definitely a heavily lobbied issue. It's an issue that is difficult for legislators to understand. And so a lot of times people would go to my colleagues and say, well, one thing is we won't be able to fight the pandemic if this fall pass as well. That's not true. They did this. You know, they had these laws in effect in California and they did fine.

B

Well, we are really good at coming up with excuses. It's sort of like the dog ate my homework type of story. Except for, you know, now several, several years later. But you mentioned industry lobbying efforts and, you know, recognizing that they can have a pretty significant impact on some of the state level legislation. You know, what are some of the challenges that you faced coming up against some of those lobbying efforts that might have pushed back as you tried to craft the privacy law in Connecticut.

A

Yeah, as I said that, you know, the first time, and it was actually really going to be a very basic bill with just a task force and a privacy notice, and we couldn't even requiring a privacy notice, and we couldn't get that out of committee because they were able to turn some of my colleagues who had said they were going to vote yes to say they were going to vote no. But before the last day of our.

B

Committee meeting, I'm just curious, when you say it was just a require a privacy policy law, I mean, the FTC has basically required one for a decade and a half. So what was the objection? Or is there something here that I'm missing?

A

Yeah, no. I think it seems like a lot of times when you run bills that people say, well, I don't object to that, but it's a slippery slope. I know if you're going to do this next, you're going to do that. And I think that in the end, you know, we were willing to. And we hadn't drafted the new language yet. I had told people I was going to amend it to be a privacy policy with a task force to study, and then we just need to get the time to do that. And then they just did not. We didn't get the time to get that out of committee. The next year, we were able to get it out of committee, and then we were able to get the bill out of the Senate. It was part of the budget bill, so a larger bill. And then it was. The budget was amended in the House to strip that piece out because again, the heavy lobbying of people in the, in the House, some of them, from what I understand, some lobbyists that I refused to talk to them, which I did get FOI at one point, I think 1,000 pages of emails between myself and the people I refused to talk to. But. But there was a lesson, right? And then the next year, we ran the process. I just ran the working group that I had put in the law as if the law had passed and everything was done fairly publicly. We had a lot of meetings that were out in the open. And I also, you know, I learned to make sure that you had someone from the House who could verify all of the work that I was doing in case there was a question there. And Representative Arconti became my champion in the House and worked through everything with me. And it's one of those things you learn that it's not just getting it out of one. You know, you have to get it out of both the Senate and the House. So making sure you have champions in the other chamber is critical. So we definitely learned a lot from those two attempts. And then we got it through in the third year and out of a lot of work. And the nice thing was I think I was in a really good place. And then the ironic thing is that after that other year, the bill is arguably stronger than what we had passed that got stripped out of the House that time in that initially we did not require. We put the global privacy control as optional versus where we passed the actual law the next year through both houses. It was mandatory as of January 1st of 2025.

B

Well, not just that, but then Connecticut came back not once but twice after passing the initial bill to strengthen it. So there is something to the slippery slope argument, I guess you could say.

A

Yeah, I guess.

B

True. So you mentioned the global privacy control and you know, Connecticut is off the top of my head, you know, something like half the state privacy laws right now have some reference to either the global privacy control, which is a sort of the do not track 2.0, the idea that there's something within a browser that a user can just kind of turn on and that'll stop, you know, sales, share profiling, ad targeting. And so Connecticut has that. And which is interesting in and of itself. But what from my perspective, what's really interesting is that I believe there's sort of an anti preferencing measure in there too, where there was at least some consideration that the browser purveyor might have a competitive ad product and it was unfair or at least unwise for that browser purveyor to necessarily use the global privacy control as a wedge to preference their own ad services. And I'd love to know the backstory.

A

On that that, you know, a lot of the bill was passed in working with our AG's data privacy unit. And I believe that that had become one of their priorities. And Michelle Lukin, who is the head of that unit, as she said, you know, why that was important to her. I hate to speak for someone else, but, you know, what I've heard her say in our conversations is that it shouldn't be hard to exercise your right. And so we wanted to make sure that people could exercise, you know, their rights to opt out and make it a little easier for them to do so. And so that just came in, working closely with their office and the drafting and you know, again, over that extra year, we spent a Lot of time with, with industry. Right. I work closely with industry, but also with the AD's office and some advocate as well. You know, we worked with really well with Consumer Reports. Maureen Mahoney was at Consumer Reports at that time. She's now working for a California privacy agency. But we worked closely with some of the advocates through that process, which is great.

B

And you raise, I think an important point here that, that opt outs should not be difficult to enact. There's sort of a flip side of that which is that, you know, default settings, if you set things up so that a consent is required for everything. I would argue that that approach is much more of a European idea, although it seems to be making its way into the states. The consent approach is not necessarily the right approach either. And so, you know, how does one strike the balance? Yeah.

A

And that is right. How do you balance user experience with protecting people's rights and understanding, as you mentioned, like did it earlier on how privacy is taught a lot of us because it is part of everything. People don't realize how much data they're generating. So what is our obligation to protect people from what they don't know our potential. Not necessarily. If it's harm, it could lead to a harm we don't know. But if they don't understand how their data is being used, it is that everything is a balancing act. I feel it. It's try to balance and strike a balance between the various interests in there.

B

Yeah. And, and what, what sometimes doesn't get. It sort of gets acknowledged at a high level, but at the ground level it doesn't always get acknowledged that there's trade offs in play for just about every decision that one makes. And look, I, I tend to come at things from, from a more of a pro industry perspective, but I'm certainly on the side of consumers as compared to a number of others in the industry who it's just sort of like, well, let's make this as difficult as we can. Make things confusing, make things opaque. I just don't think that's good policy. And I want to shift topics a little bit. So the Connecticut State Privacy act, like many of the state laws, has a broad definition of personal data. I believe inferences derived from personal data even count as personal data. Connecticut's not the only state to do that. I think a number of them do that. But I'm curious, how does the concept of de identification, which is something that like a term that, you know, back in, back when I was focusing more on hipaa, the health privacy law, Like I get what DE identification means in that context, but I struggle with the way some of the state laws are crafted that I don't know where personal data ends and DE identified data begins. And I'm just curious if you know, you and, and your colleagues had wrestled with that conceptually.

A

You know, as we were crafting the original bill, there was definitely like we had to consider the DE identified, I guess, other privacy enhancing ways, anonymous data areas to be for the advertising and just making sure what should be exempt. We probably didn't end up doing as much as we should have to incentivize privacy enhancing measures. And that may be something I guess to look at. I guess when you talk about creating that experience like the user experience and having to click on accept all or reject all all the time, it definitely can detract from your experience and also just preventing as you mentioned, like other automatic things from happening. Right. Based on where you are automatic right there or other things to make it easier. So we didn't put as much, I guess, incentives in there to do other privacy enhancing methods as we probably could.

B

Yeah, and I think you hit the nail on the head with an overly broad definition of personal data which kind of makes sense because you want everything covered under the ambit of the law. But I think you're right in that debatable whether that incentivizes this, the, the business community to adopt privacy safe measures. Because if everything's personal data and it's still subject to the same rule set and there's no way to pull a data set outside of the rule set, the business community is just going to say, well I might as well collect as much data as I can. I mean, and so the, the beauty of, I think of this process is that you know, Connecticut may very well go back and, and you know, continue to update. And you know, this is going to be an iterative process at least until, until the federal government decides that they, that they want to take part in this in a meaningful way.

A

No, that's what I mean. We say we're, we're writing laws, we're not etching commandments and stone tablets. And you know, what are the other areas of cognizance for my committee is liquor. And we pass a liquor law every year and liquor is thousands of years old. So I think that we'll be back to modify these privacy law.

B

So I just remember from growing up in Connecticut, and I don't even know if these are still a thing there, but the 8pm can't buy beer law and then the Sunday can't buy beer law. I didn't know that other states operated differently. So when I moved to New York City and I found out, wait a minute, it's ten o' clock and I can get a six pack of whatever. Anyway, there's no question in there other than I hope eventually Connecticut has rolled some of that back.

A

Yeah, about 10 years ago. So a little late to the party, but.

B

Well, that's what I try to do. I want to take a strong stand on laws that have already passed 10 years ago. That's what we do here at the Monopoly report. Oh my goodness. But, but to, you know, you've mentioned that, you know, Connecticut has updated the privacy law a couple of times. What do you think is on the hit list? I'm not trying to commit you to anything, but like, what other things are you looking at right now? I mean, I would imagine I would be part of that, but is there anything else?

A

You know, I think after what happened in, in Minnesota last year where the legislators, Speaker Vous was killed in our home and other legislators were shot or he went to another legislator that I know to her house and she wasn't home and there's ring doorbell footage and you know, all of the information he compiled was from publicly available websites and data brokers. And so there is a lot of talk of states doing either some form of Daniel's Law, which is passed in New Jersey, likely in Connecticut. We're looking at the Delete act from California to see if there would be any way of moving towards the Delete Act. But I need to get updated because they have to build a mechanism and does it make sense for a small state to do that? Would it be possible to some way combined with them? So there's still a lot of thought that needs to go into that, but likely looking at a data broker registry and then the Delete act with a delayed implementation in Connecticut for next year, I would say I think there was, I just, you know, I read the bill so many times and then you have people look at it and edit it and then when it finally gets voted on, a lot of hands have touched it. And then I just realized there's some grammar things, not necessarily grammar, but the wording. We don't define sharing in there and there's a place where all of a sudden we brought in sharing for no good reason. So I think I may need to go do a little bit of cleanup if I'm opening the bill up anyway next year. But nothing major. You know, we did Some updates, as you mentioned, we went back, we did children's protections, we did consumer health data and then this last year we made some more significant updates. But a lot of those came with trying to tighten some of the exemptions. And that came out of the attorney general gives a report every year on enforcement. And so a lot of the complaints they received fall under one of the exemptions. So they had tried, we had tried to narrow some of those down. I think one thing we may go back at again next year is looking at the publicly available information definition. We tried to narrow that. We didn't end up doing that very much last year I know a new definition was passed in from Bird as part of their age appropriate design code which we may look at. But the other exemption we did tighten was the TLBA exemption. So we went to insurance and banking as regulated by the state. We were seeing in Texas there were car dealerships that had claimed the DLDA exemption and others because they had financing units. And we weren't intending that whole entity to be exempt.

B

That's a lot of stuff. There's, you know, but one thing that came out of that that I'd love to dive a little bit deeper on is I think you were saying that there has been some communication and maybe even high level coordination amongst different states. I thought that was primarily at the enforcement level, but it sounds like at the legislative level you guys are talking. Is that a fair statement?

A

Yeah, we still talk pretty regularly. I mean there's some other state legislators I talk with several times a week. But as far as a group, we had built a multi state AI policy working group where we had been meeting once or twice a month. You know our email list is over two hundred and 50 legislators, 48 out of the 50 states. We did meet again a week or two ago. We're going to get started back up and bringing in similar to how I ran my task forces or a lot of us do. Our task force we do two hour meeting like 30 minute blocks where we bring in different experts to talk on topics and looking at actually after this podcast to I have another meeting where we're going to try to lay out all of our upcoming meetings on AI. But as part of that we also are planning on having a meeting to look at the enforcement of the state privacy levels because really a state privacy law is the basis for any AI anything you're going to do with AI. And I think for any state my recommendation is usually do privacy first before you would look at doing something. Obviously now they're more specific like if you're. Because AI is so general. So if you're looking at self driving cars or other very specific but most things, I think it makes more sense to do a data privacy law first before doing AI regulation.

B

So I noticed that you were on some kind of an advisory board as it pertains to AI for the Future of Privacy Forum, folks. And just so you know, Jules Polinetzky is an old friend and a friend of this podcast. Same with Doug Miller. I'd be curious to hear more about what you see as your role within the Future of Privacy folks.

A

Yeah, so the Future Privacy Forum, first they convened our multi state working group. They were nonpartisan conveners. They didn't write policy though they helped us with organizing, getting the zooms together, helping us getting speakers. Unfortunately they came under some fire for that and so they're no longer serving as our nonpartisan convener. Which you know, again, I think it's shameful because we're legislators who are doing our due diligence. State legislators, we don't have huge staffs. Most of us have full time jobs doing something else. And we are all trying to work together to dig in, to avoid the feared patchwork and to try to coordinate definitions. And so we were working, you know, across party lines, across states to try to bring in experts and talk. But I'm also on there, you know, the advisory committee for the AI center and so that we just meet a couple times a year and they get to add, you know, they'll ask some questions and you'll get to provide some feedback. So yeah, I feel lucky to be able to sit in all those meetings and hear from different experts around the world.

B

Yeah, Jules does a great job dealing with very thorny issues in a way that generally rises above the political fray. But that doesn't mean he doesn't get shot at occasionally. And it sounds like there was a little kerfuffle there over that, which is unfortunate because those guys are doing some great work and it's good that you'll be able to leverage it.

A

Yeah, and we're going to continue and Princeton is now going to serve as our convener. The Institute for Tech Policy at Princeton.

B

Oh great.

A

Okay, so we'll continue the work and Future Privacy Forum is going to continue providing their great resources like they have the legislators and into companies and serving as a forum.

B

So when it comes to sensitive personal data, things like health, location, race, biometric, sexual interest, a number of states have started to move beyond a opt in consent Standard and have kind of crossed the threshold into an out and out prohibition. And I'm curious to understand what you see as the Connecticut approach to regulating sensitive data. You know, do you see Connecticut moving towards more of a prohibition or are you sort of feeling like you're pretty comfortable where things sit and maybe it's about expanding the definition of sensitive.

A

Yeah. And so we had expanded the definition as part of our update last year because we were the fifth state to pass our law and since almost 15 other states have passed law, so we looked at the definitions from a number of the other states and we, we felt we had to update ours. Right. And so that was one of the keys we were looking at, you know, initially to see whether we should consider like a data minimization or you know, to only collect sensitive data if it was strictly necessary. I guess the debate came down to it shouldn't be a choice. I guess if it's opt in, then should people be able to give their permission to have that data collected? So that's kind of where we ended up. We did tighten slightly like around the purposes, you know, using some of the rulemaking from Colorado and in California, but we didn't end up on a strict data minimization standard this last year.

B

From the perspective of most of my audience, which is the digital media space, so I'm probably oversimplifying maybe a bit, but the distinction between an opt in consent standard because most of them really aren't getting a consent for just about anything. So the distinction between opt in consent and prohibition is almost meaningless. Because from my perspective, I think opt in consent for things that are sensitive is probably the better route to go. Who's going to want to worry about the government being perhaps too paternalistic with, you know, prohibiting things? Now that might be different for children, then that's a different story. But for, you know, if somebody wants to agree to something, generally speaking, you know, as long as it's clear and they understand the terms. And I'm not trying to beat up on Maryland and some of the other states, but I'm just kind of sharing the, my, to the extent that, that there are other legislatures out there listening and, and taking cues from me, which may or may not be happening, but to the except that they are, I, I thought I would share that. So like many of the states, Connecticut requires companies to honor opt out requests from authorized agents. So companies that make requests on behalf of consumers. Do you see Connecticut as potentially looking to expand the types of requests from authorized agents that companies would need to Honor. Because I think right now it's mostly limited to opt out signals only on prospective right.

A

So an agent could opt you out of the sale of your data, opt you out of things going forward. I was a little nervous, you know, initially like to allow for an agent to access your other rights to delete your data or to get a copy of the data. I right now don't see us expanding beyond, you know, where, where we are because I didn't see if you'd opted out of the sale of your data or tracking for advertising. I felt that was an easier harm to come back from right. If it was done wrong, you know, wrongfully done by someone admits representative. And again they have to be commercially verified on this, you know that. But that was my thinking when we established which rights that an agent could exercise on your behalf.

B

So the challenge that I'm seeing within the authorized agent community, most of them are legitimately trying to serve a commercial interest of consumers who just don't understand all of these companies collecting data on them. That said, there's a decent sized portion of that industry that is making promises that they aren't clearly articulating. You know, they think their job is to send that request to as many different entities as they can and aren't really doing any due diligence on whether or not, you know, a company happens to fall into the category of data broker. There's all kinds of issues there that I, I've been privately encouraging that industry to figure out their own self reg because sooner or later some state or some AG is going to, is going to start to take issue with that and they've gotten a little bit of a reprieve around the click to cancel rule set because that doesn't seem like that's, that's going anywhere right now. But that would have been a big problem for a lot of these guys because it's often an amorphous value prop. So I'm encouraged to hear that that it doesn't seem like Connecticut is necessarily going to, going to be doubling down. I'm just sort of curious though, you know, outside of something like the Global Privacy Control know, how does an authorized agent even make a request when it comes to like an ad tech company who's mostly dealing with, you know, device data.

A

And one of the things, you know, in Connecticut we at least in our data privacy we have to kind of in the legislation write in everything we want because our AG doesn't have rulemaking ability. And so we can't write something in and let them Clarify later. So the actual mechanism, I'm not sure.

B

And I think the answer is like, I'm probably looking at this too myopically via the digital media space, because there are certainly plenty of companies who are in the identifiable personal data space who, an authorized agent could make these kind of requests on behalf of somebody in a way that makes sense. It's like, okay, my email address is Chappellemail. Like, okay, somebody can make a request on behalf of that. And that's easy enough. It's just a little harder to do with pseudonymous data. So bonus points for sticking through what is admittedly a poorly thought out question. So thank you. But you mentioned rulemaking, and I want to dive into that a little bit because thus far, and correct me, Colorado, California and New Jersey are the three states that currently have rulemaking. And thus far there's been mostly parity across the states in terms of the rule set. Not identical, but pretty close. Like, there aren't too many outliers, maybe other than the prohibition from Maryland in a couple of places. So I'm curious, how do you and your colleagues balance state action on privacy and AI with either commerce cost concerns or just general consistency across states? Is that a big concern?

A

I would say yes and no. So, yes, I think that, you know, one of the things you were always taught is people don't want the patchwork, right? The feared patchwork. And we do look to keep definitions consistent, but then everyone does tweet them. So we start with the goal. But, you know, there are lots of. Of groups. So, like, we're a lot of the legislators were part of the NCSL as the Cyber Security AI and Data Privacy Task force at least a few times a year. So. And then some of us are also part of the working group, you know, that multistate AI working group. But we also talk data privacy. So I think we're definitely more in touch with each other now than back when I initially started working on that and the whole thing started, I just reached out to Senator Rodriguez after I saw his bill got out of Colorado Senate. 35 to 0 hours, struggling to get it out. And he responded, probably biggest mistake in his life, regrets that day. So you get that change. If you could change one decision in your life, I never would have emailed the roadie. But we've become great friends. And, you know, as I say, misery loves companies. So we're trying to build more privacy legislators to all come together and share in this unique experience of working on the legislation. So we do, you know, I talk with lots of different legislators now. And there are lots of different forums where we're able to communicate with each other and try to stay on top of it. You know, obviously, you know, Future Privacy Forum puts out great reports. A lot of other groups put out great reports. NCSL puts out reports on all the legislation that's passed. And so that's usually the start is to look at what other states have done and then start from there.

B

Yeah, you can usually find the handiwork of Law A in Law B, C and D's initial drafts. There's stuff that gets pulled directly out of the GDPR in drafts that I've seen from different states. Because it's a great document. You got to start somewhere. And so you're like, let's borrow from there. And. And then. But the challenge then becomes the, you know, there's always a. A hidden comma or period or definition in there that doesn't belong that you've got to kind of figure out. All right, well, how do we include this into the thing that we're. That we're ultimately trying to create?

A

The one thing it's interesting, like at all, we all just copy each other. So the 1750ft. Right. For the precise geographic location, I think once they changed to 1650. But we were all sitting around like at a conference. So we did having, you know, a drink and we said, who came up with that? Like, I don't know. Why, why is it that way? I don't know. Just, just was, you know, it does.

B

Kind of make sense. Like it. You get what that is now? Okay, yeah. You. You're doing a geofence within this, you know, this proximity. Okay. Yeah, just an aside. An aside. After about 11 other asides over this entire interviews, a series of asides. So if the one thing that I think would increase the likelihood of a federal privacy law exponentially would be inconsistency across the states. Like crazy inconsistency across the states. Somebody has opt in for everything. Every. Somebody is opt out for everything. Somebody defines personal data as X and then somebody defines it as Y. That's the type of thing that I think would ultimately enforce or push the federal government to do what they did in 2004 when. Or 2003 when everybody's freaking out about a California opt in email law that in a month and a half Congress got the Can Spam act passed in response to that. And so I'm not saying that you should be aspiring to push the federal government.

A

So Alan told me that I have to pass a Law that's different than everyone else.

B

But it would sure, it would sure help us out. Because right now, you know, 20 states and counting is, it's great for the privacy lawyers. I don't know that it's great for consumers entirely and I don't know that it's great for businesses. That said, this isn't a problem of the state's making. You are stepping into a void and what you're doing is far better in most cases than the void, for whatever that's worth. But let's say hypothetically that the federal government awakens from its 25 year slumber and decides to pass a comprehensive federal privacy and AI law, but that it preempts the entirety of state level action on both privacy and AI. Is that a good thing or a bad thing in your view?

A

I think I'm going to give a lawyerly answer and say it depends. So it depends on is it a weak law or is it a stronger law? And I guess, and again, that's also in the eyes of the holder, I guess what's weak and what's strong. But I think that a number of us would agree that the federal action would, would ultimately be the best. I think our preference would be more to see a federal floor rather than a ceiling right. To set. Like, like with the minimum wage, there's a national minimum wage and states can go up higher, you know, but you know, there are certain baseline protections that as long as people had those critical protections that would at least feel that we contributed towards making that happen.

B

I think that's a great answer. And I still rack my brain trying to figure out when we're going to get to that point because I do think, I don't even think anybody disagrees that we're going to get to that point. The question is whether or not that's going to take a year or another, 10 or 15 years. Hopefully it's much closer to the former. But, but I guess we'll see. There's been some interesting incubation at the state level that I hope does not get entirely lost at the, at the federal level. But I would say that I, you know, not just in privacy or even in digital media, there's been a whole bunch of things and so hopefully the federal government is able to, is, is able to eventually get itself together to the point where they can push some things through. I think one of the things holding that back is the private right of action. I don't really know a good answer to that, but I will say that both sides Those pushing for a private right of action and the business community generally pushing against it are not always making consistent or honest arguments about it because you cannot look at what's going on with the Video Privacy Protection act and the California Information Privacy act and the amount of havoc that that is causing on the digital media space and not wonder if there's a better approach. On the other hand, I'm sorry I'm filibustering here, but I'm just going to go with it. On the other hand, I do think that it's valid to say outside of California at least that most states are not going to have the budget to adequately enforce their laws. And you know, you can't just like shrug your shoulders and say oh well to that either. And so hopefully at some point there can be a happy medium which allows at least some level of, of reasonable enforcement. I have not thrown a question in there. I'm just going to open it up and say, you know, what are your thoughts?

A

Yeah, I get the argument there's no rights without recourse. I just don't want to pass a bill that creates a new cottage industry of chasing after, especially if we were smaller companies for tic tac violations. So I think you're right, there has to be some at some point, hopefully we can figure out a way for that medium because you know, we saw with BIPA what happened with all of the lawsuits in Illinois. And so there was, you know, California, they, there are two chatbot laws this year did have private right of action for harm that are done. And so maybe that's the way or maybe you have to go towards allowing a certification before a lawsuit can go forward so that you don't have as many frivolous lawsuits. But you know, my thing is I'm, you know, I'm pragmatic and I hadn't seen many bills that were able to pass with, with the private right of action. And so it just, for me it has been a non starter. Although seeing the California, the chatbot laws, I think next year I am going to be running a chatbot bond. So I will start with something similar to what they have in there and we'll see where we end up. But it seems like right there are two poison pills, Federally preemption and private right of action. I think the last privacy bill they proposed had both poison pills in it. So we'll have to see where we end up going for. But I, I like the way you said that at some point we have to find a medium.

B

The last couple of Rounds with the federal privacy law were always kind of hilarious because you'd get something that is like you're at the two yard line, kind of like everybody agrees on everything else. And then, yeah, but we just got to figure out this private right of action and preemption issue. And then at that point, everybody throws up their hands again and walks away from the table. And we seem to have. It's been like the Charlie Brown and the football thing for a number of years over those two issues. We'll see. So, Senator Maroney, this has been an absolute pleasure. I really appreciate you coming on. I've got one more question for you, and it's a tough one. What will the combined record of the UConn basketball, men's and women's teams be this year?

A

I'll give you the combined losses. I think, I think between the two of them, they're going to lose four games. That's it. I don't know which four, but the men usually have a slump in January at some point, and then they come, they, they come on strong at the end. I'm excited. This is actually a good time to ask me that question because it's, this will be the first year I have both men's and women's seasons tickets in Hartford, so I've been a men's seasons ticket holder for a long time. This year I also got women's seasons tickets, so I split them with my brother.

B

Oh, that's fantastic. I, fortunately, they're playing it. They're playing at msg, I think, four or five times, not even including the tournament this year. So. Absolutely a boondoggle for anybody, any of the literally millions of UConn fans in New York City.

A

I will be, I'll be there November 28th. They're playing the University of Illinois. So if you're going, you can meet my son because we're going then. And November 15th, they're playing in Boston against BYU. Both are preseason top 10.

B

So, yeah, yeah, it's going to be a fun year.

A

Yeah, I'm excited, Senator.

B

I will be at that game. And so, yes, I would love to meet you and your son. This has been a fantastic discussion. I really appreciate you coming on. Senator James Maroney. Thank you.

A

Thank you so much for having me.

B

That was a great conversation. A few thoughts. First, if anyone thinks that state level politicians are not on top of the public policy issues around privacy, well, think again. I love that the senator is leveraging the Future of Privacy forum and the good people at Princeton to stay on top of all this stuff. Second, it's interesting to hear that the state legislators are working together and comparing notes. I love the backstory around how the legislators came up with a definition for precise location data, and it sounds like Connecticut is planning to borrow portions of the Delete act from California. In other words, we're going to see lots more cross pollination of ideas across the US States. Third, I was pleased to see the Senator recognize that there are risks associated with the practices of authorized agents. I still think that California has unleashed the concept of authorized agent on the marketplace without much regard for downside risk. And while most of the authorized agents are trying to serve a legitimate business purpose, some of them are not and it's just not helpful. And finally, I think that the Senator and I are generally aligned that we need to figure out enforcement of privacy laws, particularly for states that don't have the resources of California. Private right of action as currently construed isn't the answer, but status quo isn't necessarily the right call either. Someone needs to figure out those issues if we're ever going to see a federal privacy law. And if we want to move forward on all this, I think all sides need to start having more honest conversations with each other. We have a bunch of other fantastic guests coming up on the Monopoly Report podcast over the next few weeks. For example, I'll have Cory Doctorow in to discuss his latest book on inshidification, we'll have Doug Miller in to talk about career paths for privacy and regulatory pros. And I'll have a few big names from the U.S. federal government ranks coming on soon. Please subscribe to the show@monopolyreportpod.com or on Spotify, Apple, YouTube, or wherever you listen to your podcasts. And thanks for listening.

C

Thank you for listening to the marketecture podcast. New episodes come out every Friday, and an insightful vendor interview is published each Monday. You can subscribe to our library of hundreds of executive interviews at marketecture tv. You can also sign up for free for our weekly newsletter with my original strategic insights on the week's news at News Market tv. And if you're feeling social, we operate a vibrant Slack community that you can apply to join@adtechgod.com.