A

Hey everyone, it's Ari here. I want to let you know about our upcoming Market Live conference in New York on March 10th and 11th. Our live events last year were smashing successes with sold out standing room only crowds, amazing speakers and the best content you'll get in any setting in the advertising business. This year we've expanded to two days and over a thousand attendees, so it's the must attend event for the doers and thinkers in our business. You're going to learn something at this event. The speaker lineup has just been announced and it's really strong and we're just getting started. So we announced Sophia Kolushi, the CMO of Molson Coors Neil Vogel, the CEO of People Joanna o', Connell, the Chief Intelligence Officer at Omnicom Jeremiah Owang, the General Partner at Blitzscaling Ventures, he's an expert in AI and Lance Armstrong, the General Partner at Next Ventures. Get your tickets now. Early bird ends soon so your tickets are available at market, that's markitecturelive.com and we have special deals for brands, agencies and publishers while tickets last, so we're going to sell out. So you want to get your tickets. It's a two day event so plan ahead. But it's in New York, nice and easy to get to and we're looking forward to seeing you there.

B

Welcome to the Monopoly Report the Monopoly Report is dedicated to chronically and analyzing the impact of antitrust and other regulations on the global advertising economy. Hi, I'm Alan Chappelle. I'm a privacy and regulatory attorney and have worked with hundreds of digital media and ad tech companies over the years and taken over 30 of them to exits. I also publish a monthly regulatory outlook for digital media worldwide called the Chappelle Report. You can find a link to a sample copy of the Chappelle Report in the Show Notes. If you are new to the Monopoly Report, you can subscribe to our weekly newsletter@monopoly-report.com this week. My guest is Dr. Travis Hall. This is the State Director for the center of Democracy and Technology where he helps to champion, coordinate and strategize the CDT's policy initiatives at the state level. Prior to joining the CDT, Dr. Hall served as the Associate Administrator for the National Telecommunications and Information Administration's Office of Policy Analysis and Development. I'll leave a link to Travis's rather impressive bio in the Show Notes. I've had the pleasure of working with the CDT a bunch of times over the years, but my first interaction with them was back in 2005. It was a part of a multi stakeholder industry coalition that included Microsoft, aol, Yahoo, Google and Trusty, which is now called Trust Ark. The group was trying to set advertising and privacy standards in the adware space. And if you think the ad tech space is a wild west environment, the adware and trackware space back in 2005 was a cumble, completely wild scene. Someone should write a book. Maybe they can make it a prequel to Ari Papero's book Yield. Travis is working at the state level on behalf of the CDT as the great state privacy and AI patchwork of laws continues to develop. I've had a few state legislators on recently and wanted to get a better sense of what a good privacy law looks like from the perspective of an advocacy group like the cdt. And maybe we'll talk a bit more about the private right of action. So let's get to it. Hey Travis, thanks for coming on the pod. How are you?

C

I'm doing great. It's a little bit cold out, but you know what, that's the season cold in D.C. it's interesting. It used to get really seasonally cold in December. You know, I've been here for going on almost 30 years, but at this point in time, you know, we haven't had too many cold Decembers, but it started off like in the 20s this morning. So walking my kids to school, you kind of like have to bundle them up like the kid in the Christmas story in order to get them to school, you know, warm and toasty.

B

So literally one of the best decisions we have made, my wife and I, we've been together about 10 years. We moved into a place that is across the street from the local school.

C

I love that.

B

Is highly recommend.

C

And does it go all the way up to high school or. I mean ultimately they're going to have to like switch or do something else or.

B

Oh, we haven't thought that far ahead. Yeah, it only goes to like fifth or sixth grade. So yeah, that's it. And then, and then I don't know what happens.

C

Just move.

B

But by then you're gonna. They'll have invented teleportation, I'm pretty sure.

C

Maybe, maybe. You know, I am always surprised.

B

So help my audience understand what is the center for Democracy and Technology. And then how would you distinguish the CDT from advocacy groups like EPIC or EFF or the ACLU?

C

Sure. So CDT, the Center for Democracy and Technology is a 30 year old organization. We actually, this is our 30th year in existence dedicated to user rights. And you Know, we were born along with the Internet, I think, you know, you can kind of say, right, like, you know, the Internet, you know, or at least the commercial Internet was, was new, was rising out. And as were some of the problems and concerns. And so CDT was kind of born of that era and we've been fighting for user rights ever since. How do we compare to, you know, aclu, epic, some of these other folks? So Epic, I would say we are a bit broader than them. EPIC is primarily focused on privacy. They do have like, some, like a few other things that they work on, but they're primarily focused on privacy. We have kind of the suite of like digital rights that we work on. And to that measure, we are much smaller than aclu, Right? Like we are. We just really focus on digital rights. We don't get into some of those other fights and battles that they do. And interestingly, EFF and CDT actually were the same organization.

B

Really?

C

I did not know that it was the same organization. And there was a schism within the organization about playing an inside game in Washington D.C. working with companies and others, or the outside game staying on the west coast and litigating. And they actually had a fairly acrimonious split at the time. And EFF and CDT were born from that split. And we are now good friends. Right. Like we've kind of both, you know, like grown as organizations. We work together regularly. They have a Washington D.C. presence. We, you know, maybe are a bit less, you know, less of complete inside game at this point in time, but we actually kind of like have always been rowing in the same direction.

B

That's really interesting. I, I did not know that we had Cory Doctorow on and I know he had been involved with the EFF for, for a number of years. I don't think he was part of the split. He just seems like too nice a guy. That's just, that's just not his way. So one other just aside on the aclu and this gives me an opportunity to talk about this. The best piece of advocacy I think I have ever seen was the ACLU pizza video. Have you seen that?

C

I haven't seen the pizza video.

B

Oh, well, I'll put a link in the show notes. It is the absolute best piece of advocacy and boy, I mean, it was 20 something years ago that they, they published it and a lot of it has come true today. Really, really well done. So, okay, because we could sit here and talk and maybe waste people's time for another, for another 20 minutes, but.

C

History, it's all fine.

B

Right.

C

And it all comes back to us in some form or other.

B

So I want to talk about the great state privacy experiment because it's been a big focus here at the Monopoly Report. So I've had legislators Monique Priestley and James Moronian recently discuss their plans for their states, and each of them has gone into detail about the impact of lobbying efforts. So what's your role over at cdt? I mean, are you there to lobby on behalf of consumers, or is that just an overly simplistic way of viewing your role?

C

My role as Director for State Engagement is a new one for cdt. I am the inaugural director. It's a brand new team. And cdt, of course, has been doing work in the states for the past couple of years. And I mean, and probably in some form for the entirety of its existence, but not in kind of a concerted, like, really focused way. And for the most part, CDT has divided its work into like, you know, just, you know, structure is sometimes policy, right. It's divided its work into teams that are like, focused on issue areas. And so my team is a little bit unique in that I actually cover the entirety of, of CDT's portfolio, but focused on helping to ensure that that's focused on the states. So in terms of like the kind of the, a little bit of the, the balance between advocacy and think tank that you kind of have in these things, CDT overall is probably a little bit more on the think tank side than the advocacy side. Definitely advocates, but a little bit more on the think tank side, whereas my role is a little bit more advocate on behalf of that research on behalf of those equities. Interesting question about lobbying though. I mean, I actually spend, prior to my time now at CDT, I was at the Department of Commerce for 10 years at NTIA and I ran their policy shop. And so I'm used to being lobbying more so than actually being on this side of the thing. And for what it's worth, it is education, right? It is trying to ensure that interests and equities are properly represented in the policymaking process. And so what we do is our equities are users, right? Our equities are the people and the data subjects, the folks that both use and are affected by the use of these digital tools. And for what it's worth, like CDT, we still have some of that 90s tech optimism in us where we like these tools and think that they're useful and that they're great and, and they shouldn't hurt people, right? In There the people who use them shouldn't be hurt by them or your neighbors shouldn't be hurt because you're using them. Right. So we're there to help support lawmakers, to support the policymaking process, ensuring that like again, there's an understanding of how the technology actually works, what its actual effects are on people and what some of the unintended consequences of some of these policies could possibly be.

B

Okay, so you have a lot of experience being lobbied.

C

Yes.

B

What's in light of that? What's your approach trying to get the attention and confidence of state legislators? I mean, how do you approach those discussions? You know, particularly that you're probably outnumbered pretty significantly by, I'm going to use air quotes here, the industry lobby. So what's your approach there?

C

So I, I think that we have to our benefit, right, the fact that we are representing industry, definitely, like, again, like, and I'm not throwing shade here, right. Industry is representing its interests. Right. But it's the interest of certain businesses. We are representing users, which is constituents. Right. It's like we're representing all of these people who again like most, like I use the term users, but it's also the people who are, who have the knock on effects of the use of these technologies. So we kind of have their constituents, right. We are representing some of the interests, some of the rights of their constituents. And again like ensuring that the policies that they're crafting and thinking through actually are protecting their constituents from harm. And that's a compelling story. Right. And again, like we're there to help educate, right? Because oftentimes like you can, you know, we see in, for example, you know, the space of child protection, a desire to protect kids. And that's good and that's something that we share. But the ways in which that these policies are sometimes crafted actually puts these kids in more harm or harms them in other ways or harms marginalized communities or harms all of our ability to access speech. And so part of what we also bring to the table is we bring to the table technical expertise. We bring to the table a solid mission and also we bring to the table some of that nuance in terms of like, because we do, we do speak to companies. We are, we, we regularly interface with them and we have a lot of technical expertise to help support. And that's the thing that like, again, like as a politform or policymaker, you don't have that. You need that in order to understand like what the nuances of what you're doing and what the ultimate effects of what you're doing is going to have.

B

Okay, a couple of follow up questions because this has been a great overview. But okay, let's talk about consumers. Like how are you approaching the idea of quantifying consumer expectations when it comes to putting together a privacy law?

C

It's an interesting step. So quantification and speaking on behalf is like a slightly different thing, but it's an intro, but I'm going to tie it both together. Right. So quantification, right. Like how do you quantify expectations? Well, usually it's through things like polling and stuff like that. And you know, it's a little bit of an old saw in our circles about the privacy paradox that you pull people and everybody says, oh yes, I really care about privacy. But then you actually present them. You know, they, you actually watch what they do and they do like everybody clicks through the, the thing and doesn't read the privacy notice and doesn't like go in. Then you know, set all their settings to the maximal privacy or rather a small number of people do.

B

Right. Or they're going to like, you know, for 25 cents off a big Mac they'll give their like mom's Social Security number.

C

Exactly, exactly. And I think that this goes to, you know, are we trying to meet expectations? Are we trying to help educate and figure out like what people actually mean when they what. When they say that what they want. And are we also talking about, and this is more of a European approach than an American approach, but we're talking about the violations of actual rights. And to a certain extent, if we're talking about the violation of people's rights or actual harm, then there is a little bit of like, does it matter what they're, what they think they are expecting? Right. And there is, I feel like a strong gap between intuitive senses of privacy, which I think people are very, have very strong and like what actual experiences online are. Right. Everybody kind of knows you don't want grandma to see you drinking. Right. And you, and to a certain extent most platforms have some controls that allow you to ensure that the picture that you post of you drinking that you can make sure the grandma doesn't see it. Either you're not friends with grandma or you post that to private or you know, not to post that picture to the thing that you're friends with grandma on.

B

Right.

C

However, Mark Zuckerberg gets to see the picture like the, the company and all of this entire ecosystem gets to see the picture. And that's a little bit of an intuitive leap that's kind that. That people are starting to understand. And there are some very compelling stories about what. How that kind of starts to affect your ability to rent a house or your ability to get a job or your ability to, like, all these kind of different things where it actually has, like. Like what price you're paying for something, right? Where it has these kind of, like, knockdown effects that people are starting to see in their real lives, but have always kind of been there. And so that kind of takes it like, a little bit in the squishy sense of, like, yes, we need to move towards what people's reasonable expectations are and empower them as much as possible to make choices and not be totally paternalistic about stuff. But at the same time, there is some degree of the harms to rights, to livelihoods, to dignity that are happening that are not necessarily directly intuitive between the choices people are making immediately and what the knockdown effects are.

B

Yeah, that's fair. Okay, so first, an observation is like, every picture of my grandmother from my childhood, she had a cigarette going and a drink in one hand, but different.

C

Different story.

B

Different.

C

Different story.

B

Maybe.

C

Or maybe it's like, you don't want your kids to see something.

B

Yeah, no, fair enough. And. And so, and I struggle with some of this because on the one hand, it feels like, you know, the platforms know that people forget that those controls exist and that the default is open. On the other hand, I can tell you a lot of the platforms spend a fair amount of time trying to create these controls and trying to make them intuitive, and it's not easy. I think a lot of them could do a better job than they do. But I do want to at least acknowledge that there's some, you know, that there's work taking place.

C

So just a little bit of an analogy, and perhaps an unfair one, but a little bit of an analogy. It's a structural problem, right? Like, it's a structural problem, and individual choices are not necessarily going to solve a lot of the structural problems. Some of them, again, like, in terms of user empowerment, some of it, it's okay to have that kind of, like, fall on and empower users to make those kinds of choices. But some of the harms that we're seeing are more structural. You know, we're getting to where we're talking about, like, structures of food deserts and the way in which, you know, society is happening saying, oh, you just need to eat healthier. And like, yes, you should have the individual choice of what you eat, and you should be empowered to eat healthier. And there are some ways to store, you know, you can, you can make sure that, like, your fast food restaurant has a salad, but if the fast food restaurant is really the choice that everything kind of like you're structurally being pushed towards, yay, a salad. Right. There's a little bit of like, you know, again, like, I recognize that this is like a slightly unfair analogy, maybe in both directions, but just recognizing that some of these issues are larger structural problems in terms of, like, the mass collection, retention, and use of data that goes beyond, like, your, like, individual's ability to, to rationally, like, make choices about.

B

Yeah, I think that's a very valid point. I want to flip a little bit and get your take on what does a good state privacy law look like? And recognizing that most of my audience are in the digital media and in the ad space, and there's been, as you might know, a fair amount of focus on behavioral advertising and targeted ads and over the last 20 or so years. And it seems like the state laws are continuing to march down that path. But I would love to get your take. What is a good, you know, what are you looking for in a state law?

C

Sure. And I will say something that, you know, is probably not particularly popular with a lot of your audience, but I think is. Is the thing that CDT has been pushing.

B

Right.

C

And that is we've. We believe that a strong law needs strong debt, imitation. And you know, there's, there's of course, different ways to cut that cookie and, you know, different under, like, a colleague of mine who was at NIST always used to say, like, hated the use of the word strong because that's a subjective term as opposed to, like, actually talking about what you mean. But data minimization, that actually pushes entities and organizations to really only collect and use the information that they actually need to provide a service to do their business. And like, you know, we understand that information, like, people need to give information. If you want something shipped to you, you have to give your address. Right. Like, information is necessary for, like, you know, commerce to function and for some of these systems that aren't commerce to function as well. But right now what we have is we have a system that incentivizes the collection, retention, and use of the maximum amount of data. And that just simply creates, again, like, yes, advertising helps make the online digital ecosystem go around to a certain extent, but it also creates just this massive larger extra. Like, there's larger externalities in terms of the problems and harms that that creates. And data, data minimization is the tool that we see to getting towards that kind of, that problem and what I was talking about before, in terms of that kind of like structural issue, we also really do see that harm, that there are different harms depending on protected class and community. So having some degree of understanding of and focus on protection of civil rights and protections against discriminatory or biased use of data that harms marginalized communities is something that we continue to look for even though in the current political climate that's a little bit under threat. And then the last thing I would say is, and this goes into probably a future conversation that we'll have, but, but strong enforcement a law is great. If it doesn't get enforced, it doesn't mean anything.

B

So I want to put a pin on enforcement just for a second and maybe talk a bit about data minimization. I kind of agree with you and I would like to see data minimization. I wish the European Union had gone that route rather than what I've often characterized as a consent for anything and everything route, because I don't think that that solves the underlying set of challenges and I don't think it empowers consumers.

C

I would completely agree with that. I think one of the problems is that consent, it's a little bit of a black hole trap, right? Because you say okay, data minimization and it's like, okay, but we can't say companies can't collect anything. And then so it becomes okay, well then when can we say allow for that? And it's like, well, maybe if it's really necessary for the business or if somebody explicitly says that it's okay and it's like, oh, explicitly says it's okay. Oh, well, we're back at consent. And then like, and then all of a sudden that just opens up, like all the things that you were not supposed to collect. It becomes this like big gaping thing where it's either like necessary for the business or you're getting consent for it. And it's just, it is a hard trap to. I feel like the European Union tried to do data minimization, but it always swirls back to kind of a notice and consent.

B

They can't help themselves almost. It's, it's a, it's just a reflexive thing. And yeah, so, but, but with data minimization. So I would agree, I'm wary that data minimization becomes kind of a backdoor to consent, because I don't think that's helpful. But I want to acknowledge something and maybe you can help enlighten the. My audience. How do you approach enforcement around data minimization? Because it's, it's kind of still a little bit subjective. It's difficult to enforce because it involves getting companies to submit to almost a proctology exam in terms of just understanding exactly what's going on under the hood, which companies probably don't want, actually, I can say for a fact don't want. And so how do you really like. I get it as a concept, but I'm, I'm struggling with the. How do you bring it to practical fruition?

C

It is an excellent question. And unfortunately there is, there's a certain degree to which there needs to be some kind of medical review, to use your analogy, perhaps not a pro conc. Like at every single time you walk in and go for, you know, a proctology gym. But, you know, there does need to.

B

Be like, you would be a heck of a doctor. You've got a great bedside. I like it.

C

It is a little bit astounding, right? Where, you know, so what part of my professional history was back in 2018 when California passed its law? I was working, you know, at NTAA and for the Trump administration, the first round, and the Trump administration was trying to figure out what its policy needed to be right. And, and again, like, I had lots of people coming in, helping educate us and trying to think through things and, and the lack of understanding from businesses themselves of what data they held and how they managed their data and that, that was a talking point was kind of astounding. Right? If there's a little bit of like, well, maybe you do need to have some better inventories and understanding and control over the data that you're collecting. Understanding that oftentimes it's fast, it's rapid, it's real time. But for what it's worth, I agree with you about some of the concerns around like, you know, around gdpr. But one of the things it really did do is it actually professionalized the industry in terms of privacy. Right. It actually did have a lot of requirements that like, people actually needed to like, have CPOs and start doing data inventories and start understanding what they're even doing. So in terms of data minimization in the United States, that kind of practice that is potentially reviewable is a good thing and kind of is one of those things where it's like, well, yeah, maybe industry does need to have a better understanding of where it's getting its data, what data it controls and, you know, and what, and, and how it's leaking out or being used and to a certain extent like, and also making sure that they don't have data there they really don't need or shouldn't have.

B

So I completely agree with you. I think on the whole. And I'm going to get yelled at by somebody at some industry event pretty soon, but as a whole, I think GDPR has actually been helpful to the ad tech world, particularly the small to mid sized folks who tend to be my, you know, the folks that would call my constituency. Because I think that the two worst scenarios for small to mid size tech companies are a world where there is like an insurmountable bar of standards because it's just really hard to. It's either too complex or too difficult to meet that bar or where there's zero rules because that isn't helpful to that world either. Because it allows. Because both of those scenarios allow big tech to win.

C

You know, not for nothing, this is not we're talking about privacy. But quick shout out to the executive order that the administration signed yesterday. Not actually preempting states from doing laws on artificial intelligence, but threatening anyone who tries. So that's another place where they're trying where. Where what you're talking about is exactly right. Where a place where there is no rules does not actually benefit anyone like it really does.

B

No, I agree. I'm very curious to see how that executive order plays out. It's not clear to me which parts of it, if any, are actually constitutional in and of themselves. But that's I guess a separate podcast. I've got to have somebody in to maybe discuss that with me. But it'll certainly be fun and eventful and I guess that's what we signed up for, is privacy people in the tech space.

C

Indeed.

B

So I want to now turn to enforcement and it's interesting. I would definitely agree that the level of enforcement historically within the digital media space, you know, has, I don't know that one could really call it robust. I think the industry self reg programs were helpful up to a point, but we've now at the point where we've got what, 20 something states now I want to point out each of those states has at least one enforcement authority and some of them have been active and enthusiastic. And heck, California has got two separate enforcement authorities. So help my audience understand. Is that enough? And if it isn't enough, what is enough?

C

So just to point out, almost all of the enforcement authorities in those states are the attorneys general. Right. And the attorneys general. It'd be great if they're. If that was their thing. Right. It would be great from the civil society perspective, perhaps, not from your, from the company perspective. The reality is, is that they're responsible for enforcing all of the laws in the state. And are they super well resourced? I mean, not really. Not for all of the problems and all of the things that continue to be heaped on them. Right. Like, I don't want to throw any shade whatsoever at the attorneys general. Right. But you end up having a situation. Most of them are not super well resourced. And then you also just simply have the fact that you have different personalities and different. Like some attorneys generals might be really enthusiastic, some might not be, and some might be enthusiastic about really particular things. Texas has been really active. Right.

B

And California and Colorado, but in ways.

C

That are like, you know, but with different flavors of what it is. And if politics change. Right. Like California and Texas probably fairly stable in terms of party identification, but Colorado, not necessarily like that is regulatory uncertainty. And that also means that you have inconsistent enforcement, you know, across the board. But all that being said, just simply the big one is it's just the question of resources. And you know, to your point, like, no, we don't want proctology exams all the time, but if you have like the one doctor for the entire state, then that means that probably most, like there's only a few patients that they're going to focus on and everybody else is kind of left sester.

B

Okay, so what's the, you know, what's the alternative? And I, I'm, I'm fearing that we're going to get into the private right of action discussion because we were getting along so well up to this point.

C

Well, I mean, with the private right of action, I mean, I think that that's like, I think that that's part of it. Right. And let me just simply say that there is a cultural difference between us and Europe that where they tend to regulate through regulators and we tend to regulate through the courts. I mean, even the fact that like only California has like an agency that is the regulator and everywhere else it's the lawyer, like the state's lawyers, that's the quote, unquote, regulator over this stuff is through the courts. Right. And so again, to the point of whether or not there are sufficient resources, like that can be a thing. Like one of the things that I pushed for that never went anywhere for, like a federal bill would be that if we are going to be relying on the FTC and state attorneys general to do the enforcement of a federal preemptive bill, then the federal government should actually help fund those activities, you know, at that level, or the creation of agencies in order to do so. And so putting aside the private right of action for a second, like just straight up, like, do they have enough money to do this? Like, if you, if states are going to require these, the attorneys general to do this, do they have the funding for it to actually happen? And will. Is it sustaining right? Is it sustainable over time? The thing that is sustainable over time is to allow individuals and the courts to enforce against rights and for the courts to start developing precedent around what is and what's not like normal practice. And you know, organizationally we are supportive of a private right of action for that reason that it is the historically the way in which like actual regulatory change can happen. Personally, I would love it if this country did not rely on the courts as much and we had more like there was more happening in the legislators or more like openly democratic processes where these things could be kind of like determined and hashed out. But the truth is that that tends to be where things end up getting pushed.

B

Yeah, I mean, from my perspective, the big issue as I look at the private right of action is I look at VPPA and I look at sipa, and none of that is helping consumers. It's creating a huge distraction for the business community. It's not making the world an inch better. And so the challenge is I don't think the private right of action could even be on the table unless there were pretty significant reforms to how all of that works. And I don't know that that's even possible.

C

And so again, let me just put out there, you'll get yelled at by somebody for endorsing for your soft, nice words about gdpr. I'll probably get yelled at a little bit about what I'm about to, to say. But like, I'm sympathetic to the concerns, right? I'm definitely sympathetic to the concerns. It's just simply like in the current system, this is, this is the way in which like actual, the changes in company behavior, like, actually occurs. And we're seeing it a little bit in like, you know, in, in terms of bipa, right? Like the, the Illinois biometrics law where, you know, there's, there are laws on the books in different states around, around biometrics. But the only one that like, actually has forced companies to like, pull back or really change their behavior as far as I've seen, has been bitba. Right. And you know, and some of the more. And again, like, there's the vast majority of companies, in my opinion, like in, from my perspective, are good and are producing things that people want and you know, are engaging in commerce. And there are companies that are bad, right? There are companies that are doing bad things. And, and so having tools in the toolbox that allow individuals to actually, you know, stop some of those harms like BITPA has done for some companies. It's one of those things where, you know, I'm sympathetic, but at the same time, the track record of what the actual mechanisms are that force companies to step back from bad practices and actually punish bad actors has true, has like, historically been more a private right of action.

B

Fair enough. But I will say that a large part of that is that we haven't had a federal privacy law. And so you now have the states. Look, there are bad companies, but the majority of companies in the digital media space are trying to find ways to meet the bar set by the respective states. I don't want to completely discount the fact that the fact that most companies are trying to do or trying to make a good faith effort to meet that standard. Now that gets me back to like, what's enough enforcement? And I don't know either of us have an answer to that, but I would love to hear one if you have one.

C

How do you measure it is a good question that I don't have a, have a, have a pat answer for. How much is also one of those kind of like, is it strong or not kind of questions. I think that there are some indicators, right, like, are you actually seeing enforcement being brought? Are you actually seeing some changes to company behavior in response to the law that's being put in place? Right, like, and yeah, no, we haven't. Like I was, you know, like I said, I was a little bit in the trenches on some of the federal fights and we haven't been able to come to like, actually get a federal law. But I do think that in terms of the practices, the practice, practice, and again, like, this is where we might have some disagreement about what some of the good practices are, what some of the bad practices are. But in terms of like, what the, what the lawmakers are putting in place to like actually incentivize companies to not collect information that they don't need that can possibly be used to harm the people that like the, the, the people whose information was collected. If like used irresponsibly or leaked or sold. Right, if that starts changing because of enforcement. Right, like, that's the thing that I want. Like, I guess I'm not, I understand that we're in this policy space and we have to think through like what are the, like how much and how much money would be going to the attorneys general, or is it attorneys general versus you know, private right of action. But ultimately what, like the goal of this is to create the right incentive structure such that the guardrails are clear, they are there and you know, companies have a real reason not to step over them because again, if it's not enough. Right. There is a certain degree of if a company's large enough, and I'm not going to name names here, but if they're large enough and there's a lot of fraud that's going on, but whatever, fine. They get for that fraud is a whole lot less than the money that they're getting from the fraud. Like that's an incentive structure.

B

That's a fair point. I mean, and, and actually not one that's unique to this time. I mean for the last, there has been at times a culture even within the VC funded ad space where it's like, well, you know what, you can kind of skimp on this stuff and the risk of getting shut down is at X percent and the benefit of building your business through gray area practices and then getting bought is Y percent. All right, well you got to make sure that X percent is significantly higher than Y percent because otherwise it's just going to continue to happen.

A

Exactly.

B

That's a fair point. Okay, so it often feels like there's not a lot of common ground between the industry and advocates, although I think we found some today, which is always just really nice. It's a, it's a, it's a festivus miracle as they say. But, but I, I want to see if we can find some places where, where we agree when it comes to targeted ads. So pretend you're talking directly to my audience. Like what three things could they do that would make digital media pseudonymous ad targeting significantly better? And I'll use air quotes here for privacy or at least more palatable in your opinion.

C

Oh, pseudonymous, what does that mean? Does it actually mean that people cannot be re identified? Does it actually mean that if say a government agency purchases the information, they can't use that with minimal additional information in order to target individuals for adverse action? Like what is actually meant by pseudonymous? What tools are you putting in place and using in order to actually ensure that people cannot be re identified through that, through the information? And again, like are you collecting the information that you need to sell your widget? Right. Or are you collecting all the things, because it could be useful if you have like, you know, X number of connections, right? Or like, you know, like different kind of like, you know, the glory of it, right, is that you can have what my former colleague when I was at nyu, Solen Barocca, is called, like, you know, irrational, unreasonable connections. Right. Things that we as individuals would be able to say, okay, bought a pregnancy test and then you started to buy like little baby leggings, you're probably pregnant as opposed to you stopped buying fish, right? Like these kinds of connections that are irrational, that are great for advertising perhaps, but means that you have to collect everything. Are you actually just collecting the stuff that you need and actually deleting the rest? What does that kind of deletion mean? Are you minimizing the harm? Like the externalities of the harm? Like if you're collecting location data, are you collecting it around sensitive sites like abortion clinics or religious centers or things like that? Are you actually putting in place? And I know that, I know that some folks are working towards that, right? So it's not like these things don't already exist. Like, are you actually doing these things to minimize the harm of the practices that you're doing and not just simply collecting all the information? Because it's there, you can, and it might someday be useful.

B

So that was great. Thank you. What I'm hearing is the three sort of interrelated, but three clear concepts, identifiability and that. That becomes a little bit of a risk based approach. And. But so let's say we can get to something approximating the HIPAA de identification standard with pseudonymous data. I mean, does that get you. Because I don't think you can ever pull identifiability completely off the table. I just, I just don't think that's possible. So if you can get to the HIPAA level standard or somewhere close to that, does that get you to a place where you're more comfortable?

C

So again, let me just simply put out there that like CDT at times has supported very strong positions on targeted advertising. Right. So in terms of my level of comfort as opposed to an organizational position, it might be a little bit different, right?

B

Yeah, you're like the FTC commissioner. You speak on behalf of yourself and not necessarily entirely on the.

C

I mean, I'll just say simply say I'm a formal government official and it's a hard tick to get rid of. Actually, even just talking to the press or talking openly is a weird thing, man. But just simply to say that like that Certainly is a part of it and helps. So let me just be frank about what people, what civil, like what I understand civil society's concerns about targeted advertising to be right. And I think that there is a, there's a subsection of, of. Of civil society that, you know, legitimately just doesn't like advertising. Let's like say that that exists and bracket it a little bit. I think that the problem is, is that targeted advertising, and it's being eclipsed now by artificial intelligence. Right. But targeted advertising. Now, artificial intelligence is the reason that all of this information is being collected, stored and circulating. Because if you just have a business that's being like, I'm collecting your address in order to ship something to you that's like, again, like a fairly straightforward kind of transaction, and then they send you a mailer, okay, yes, I bought something from you, now you're sending me the mailer. Maybe there should be ways to opt out of that or whatever. But it's like, it's that thing. Targeted advertising is that kind of like, I hate to use this term, but I can't think of anything better. But it's like a little bit the original sin of how and why all this information is being collected. Now, of course, the reason is artificial intelligence and we have to train these data sets. So you can't possibly not have information.

B

To train the data sets.

C

Right. Or the models. But that's the reason why targeted advertising is that hook is because it is the hook for the circulation of mass amounts of information about people that is in fact being used and weaponized against them. So all of these things that I talked about, like the three things, the deidentification, the minimization.

B

I was thinking like a DPIA was sort of the. Yeah. Component of it.

C

Like all of those things are ways in which to mitigate the externalities of the harm of the data that's being collected. With data minimization being kind of like the core one. If you don't have it, you don't have it and it's not going to harm people. But those are all mitigations against which like, you know, there is a. There is a real tension and a societal tension of the benefits of targeted advertising and, you know, legitimately, like how it helps businesses and commerce versus what it represents and how it does require this collection and circulation of data.

B

So thank you for that and thank you for acknowledging. Well, that these things are hard and that there is a tension between the pluses and minuses of all this entails. I'll say. I'VE been in this space for 20 something years and I think there was a time where I was significantly more dismissive of the advocate's position when it comes to this and have come to realize that I was too dismissive and that was probably not the right approach. And we're starting to see, you know, some of the tinfoil hat type of accusations are starting to come home to roost as you, you know, you know, someone has been near an abortion clinic or, you know, you now have, you know, the two mobile operating systems platforms and they are now shutting down apps at the request of the government. Holy crow. Like so, you know, you guys were right is what I'm saying in a lot of respects.

C

And I wish we weren't right. And for what it's worth, I fought within the government for a long time against the types of, you know, overreach and the types of policies that continue to enable that through both parties. But it is unfortunately the case.

B

This has been a really fun conversation. I really appreciate you coming on Travis. Where can people find you and the CDT?

C

Yeah, so easycdt.org, i'm on the website, happy to on LinkedIn, on Bluesky and always happy to connect with folks and always happy to have open, frank conversations like this one.

B

Yeah. And the one thing, and I'm not really just trying to blow smoke, but going back 20 years, the CDT was the advocacy organization that you go to as the industry and have frank discussions. I'm not going to pretend that the industry always loved the outcome or even loved some of the responses, but engaging in that kind of process with smart people who are looking at things differently than you is an absolute gift. And I actually hope, as all of my friends in adtech who are now starting to get into the AI space, this is a fantastic resource and I hope more and more companies avail themselves of that.

C

And for what it's worth, that's what we still are. Right. Like we have not changed in that, that we are still open to and willing to work with anyone who wants to work on these issues and work towards, you know, a better world in terms of the use of these technologies and tools which are really cool, right. Which enable these kinds of conversations. It's awesome.

B

Well, fantastic. Travis hall, thank you so much for coming on.

C

Thank you.

B

That was a great conversation. The first a clarification I mentioned that the GDPR was helpful on some level to small to mid size ad tech companies, but I didn't say why it's been helpful. What I was getting at is that the GDPR forced companies to focus on data governance, to document their data flows, and to think through the ramifications of interoperability, which supports a lot of what Travis was talking about in terms of professionalizing privacy within the ad space. Second, while I respect the view that state AGs are law enforcement with multiple purviews, and therefore they are often not always best suited to be privacy regulators. Similarly, I understand that state privacy enforcement efforts are often under resourced, but I don't think you take one enforcement system that is broken and replace it with an even more broken court system via a private right of action. And I suspect that over time you'll see more and more states do a better job of funding their ags and or privacy regulators. Maybe not to the level of California, but I think there will be more money down the line. But we're still back to my initial question, and that is what constitutes enough enforcement? Third, when we start talking about making ads more palatable from the perspective of Travis and others in civil society, they tend to zero in on identifiability and certain practices like the collection and use of sensitive locations. I've been saying this for a while that if we could remove certain practices from the ad space, we'd be able to take the wind out of the sails of many of the advocacy groups. Food for thought. We have a bunch of other fantastic guests coming up in the Monopoly Report podcast. Over the next couple of weeks, I'll have Tom Kemp, the Executive Director of Cal Privacy, joining me on the podcast, where we'll be talking about the CCPA and the Delete Act. Please subscribe to the show at monopolyreportpod. Com or on Spotify, Apple, YouTube, or wherever you listen to your podcasts. And thanks for listening.