B (3:04)

50 degrees, wow. Well, that's actually better than it is here in New York, I think. So you got that going for you and then you've got all the Laverne and Shirley nostalgia.

A (3:13)

Yeah, the place they filmed Happy Days is actually right.

B (3:16)

Oh, so it was Happy Days, but I thought Laverne and Shirley as well,

A (3:19)

they were a spin off sort of of the Happy Days success. Yeah.

B (3:23)

Okay. I'm sure the entire audience would like nothing more than to, to, to talk a little bit about Fonzie and Potsy, but let's, let's jump in. So what's your privacy origin story and how did you find your way into the privacy space?

A (3:36)

So, like any great stories, that starts at a bar, in my case in Milwaukee, Wisconsin. I met a guy in 1995 who founded a trade association for Internet and interactive television companies and was trying to explain to me what a trade association was. I was still in college at the time. And then a year later I find myself working for this guy in Washington D.C. and had to figure out how to register as a lobbyist for an industry that really didn't exist yet. And then fast forward a couple years and the association was acquired by the Direct Marketing Association. I took over and really started focusing on self regulatory initiatives at the time, like email marketing, which was very privacy centric and opt in consent and all the things we were trying to work on with best practices at the same time, still lobbying for, you know, the Can Spam act and preemption of state laws. And so I really got deep in this in the late 90s. So it's been. Been a long road.

B (4:31)

Wow.

A (4:31)

Yeah.

B (4:31)

You are a true og. Now I forget, who is it that founded aim?

A (4:36)

Yeah, the guy I met at the time was Peter Waldheim, who was a Washington D.C. kind of insider guy who are originally from Milwaukee. And then the other guy was Andy Cernovitz, who was more of the face of the organization, who was sort of the brilliant entrepreneur behind, you know, understanding the Internet and ITV and kind of where the industry was going.

B (4:53)

Right. And then he eventually went on and did what the Word of Mouth Marketing association or something like that. Right, yeah.

A (5:00)

Word of mouth, marketing association, like three or four other things.

B (5:03)

He's a serial entrepreneur. You know, when you know your, when you know your lane, I guess you just keep going there. I mean, Greg Stewart is sort of similar, right? I mean, with the IAB and then the mma.

A (5:13)

Yeah, totally.

B (5:14)

I want to jump in and talk about the ccpa. You know, it was started as a ballot initiative which was turned into a law, and then it was updated into CPRA as a separate ballot initiative. So the Cal Privacy team has had an almost unprecedented amount of power to write and rewrite the rule set. And how effective has Cal Privacy and the CPPA board been in terms of imposing their stamp on this rule set?

A (5:42)

I guess, I mean, I would first start by not dismissing the, the Attorney General's office who has been incredibly influential in enforcing ccpa, especially with their recent Disney action a week ago and Sephora and Doordash, like big brands AG has been going after. CPPA has got some other big brands behind it with Honda, Todd Snyder, Tracker Supply. But I think the reason we're talking primarily is really all the enforcement actions they've made against data brokers so far, at least a dozen that are really interesting from both a regulatory perspective and just sort of a precedent setting tone as far as what the CPPA is going to be doing for the next few years, both in the data broker space, but also in the broader privacy space.

B (6:24)

Right. And I didn't mean to diminish the role of the ag, but I was thinking more from a policy standpoint where the AG has got some influence. But that team of Alistair McTaggart and Mr. Kemp and, and a number of their colleagues seems to have really been able to impose a lot of their policy ideas into the debate here.

A (6:45)

Yeah, for sure. I mean, I think that it started really with the CCPA even before the CPRA ballot measure took place, which was like this loophole around this global privacy control, like opt out preference signals. Right. Which was sort of, I think intuitively included in ccba, but really wasn't clear. But then the AG came out and enforced with Sephora and then, you know, again they had started enforcing it, you know, through CPRA action. And then the regulations are now making it much more complicated, you know, with the CPA as far as like, you know, really what you can and can't do with your website to try and get notice and consent. Even if you see a global privacy control signal, you know, you can't like say, hey, do you really want us to stop using your data for for these purposes, it's really complicated. And the regulations around CCPA are so depth and intense, I would say, similar to kind of the breadth of GDPR and the regulatory power, especially now also with the Delete act as a secondary law that CPPA gets to enforce and issue regulations around really broadens their capability. And frankly, they're much more stronger, in my opinion, as far as enforcement goes than the FTC or any other regulatory body in the United States.

B (8:01)

And I mean, is that a good thing, a bad thing, or a mixed thing?

A (8:05)

It's hard to say good or bad. I mean, so far, you know, I would say 75% of the, both the combined, I think AG and CPPA actions have sort of hit on the money. Some of the key issues that really do need to be addressed in, you know, kind of common data misuse, I would say, whereas 25% are expanding, maybe interpretations of law that maybe aren't exactly on point. I think maybe with the legislative intent or maybe some of the fines were a little excessive. You know, there again, there's going to be those kinds of, like, potential overreach situations. But I think overall on the balance, I think they're hitting the right mark so far.

B (8:42)

Yeah, I would agree. I mean, I think to their credit, the, the enforcement has been fairly measured and they've sort of done what they said they were going to do. And there are, I don't feel like there's too many surprises. I think where, where they sort of move away from that conceptually is as they are trying to impose what I would call maybe new policies, even the, the pricing initiative. I think it's a debatable point whether that really fits squarely into the four corners of the statute.

A (9:11)

No, I mean, I think, you know, I was just at the California Lawyers association event last week where they were talking about this pricing issue and some of the really interesting questions of law that it raises and whether again, it is in scope today. I, I agree with you. I don't, I don't think it's on point. Same as, like, dark patterns and some of the other sorts of regulatory initiatives that I think we've seen in, you know, in the regs that are, again, sort of creating new law that, you know, we'll see how much they're enforced, but really sets a tone beyond, again, what we've seen from the FTC or other regulatory bodies in the U.S. yeah,

B (9:44)

and, and it's noteworthy, you know, they do have a fair amount of capability in terms of writing the rule set. You know, maybe the People of California did want them to, you know, go a little further and push the bounds. I, I think a lot of this is going to ultimately be tested.

A (10:00)

Yeah, I mean, I think the CPRA ballot measure was, you know, certainly a mandate in a way that, you know, we, I guess we've never seen in this country that California's do want privacy in a, in a pretty clear way and give that authority to, you know, the agency to really enforce or ag to enforce. And yeah, I mean, they're going to be setting the tone here for a long time to come.

B (10:20)

And, and look, I, I, I've asked Tom Kemp this directly. Like, I think there's also a debatable question around whether the mandate they were given is, has definitely hit the target of where they're going in terms of enforcement. And that sort of leads me to the data broker question because that term, you know, gets thrown around a lot. And now California has, you know, added their own specific legal definition. So I would love it if you would walk us through exactly how California is defining a data broker under CCPA and, and the Delete act. And you know, do those definitions diverge? What are some of the practical implications of those definitions?

A (10:59)

Again, the CCPA never really addressed or defined the data broker. That came through a separate legislative measure that was originally just a sort of a registration measure for data brokers similar to like Vermont already had on the books. Just to say, hey, we want to know who those, those companies are, we want to display them on our website, let consumers go opt out on their own, you know, as a transparency mechanism. That that was where it sort of, you know, came from. You know, the definition that was in that, you know, law was, was updated but not really changed with the California Delete act. And you know, SB362, ironically, that, or maybe not ironically, that is the law that Tom Kemp really, I don't know if he completely drafted it, but he definitely coassisted with its development and lobbied for it to be passed. And that law really gives the CPPA that broad authority to define data brokers in a much more expansive way. But again, the baseline definition, a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. And there are some intersections here between the Delete act and the CCPA in terms of, you know, a what is a business? You know, and so data brokers that are against small mom and pop businesses that really don't process like even 100,000 records a year don't reach 25 million revenue, don't have 50% of their, you know, business from, from sales or you know, don't get included as part of that. Although I think we know pretty much every data broker is going to meet those thresholds. You know, they're pretty, pretty nominal to do business in that space. But the definition of sale or share is also really key here because as we know kind of coming from the ad tech space, that sale especially is extremely broad, you know, the way it's interpreted. And so it doesn't really mean what it used to mean, which was, you know, hey, you're going to pay me for, you know, these leads, you're going to pay me for, you know, appending this demographic data as a specific monetary value. It's really sort of any consideration that might possibly be included as part of that definition of sale under CCPA is now applied to the delete act. And any companies that get engaged in those kind of monetary, non monetary consideration, sharing situations or disclosures or making available or any of the sorts of categories of sale that we've now come to know as really inclusive in that definition. So it's a pretty big deal. And then again, the regs that the CPPA has issued around the definition, including the direct relationship issue is really novel, I think in terms of people's thinking around, well, what does that really mean? What is a sort of a direct relationship now? Because it's not what I think a lot of companies understand it to mean.

B (13:43)

Yeah, well, and that's what I want to touch on a bit. So as we apply that definition and I guess you could, you need to include the sale or share definition with the data broker definition. But, but here's a question that I think trips up a lot of companies. If a business is collecting consumer data primarily to serve its own customers, like a retailer or a bank or a website publisher, does that automatically exclude them from data broker status? And where does that direct relationship exemption begin and end?

A (14:14)

It's going to get really tricky here and I guess I definitely encourage everybody to read the regulations that the CPPA issued really last year around what the changes they made to it are. I can read it to you if you'd like, but I guess I could tldr it to say there's an intent standard here that the individual must know really that they're sharing their information with that entity, which is super important because intent is somewhat subjective. But I guess the key point that they made was that the business does not have a direct relationship from the consumer simply because it collects the information directly. And that's really important in one really big context, which is ad tech. So we think of cookies as having a direct relationship between the cookie provider and the individual. But CPPA has made that clear. No, just because you're a third party cookie doesn't make you have a direct relationship. And that really kind of expands things significantly.

B (15:13)

Yeah. And let's, let's talk about the ad tech ecosystem. So, you know, if you're a dsp, a DMP or a data clean room, I think you had some really interesting comments a couple of weeks ago on clean rooms. I mean, I think those companies are sort of assuming that they're not selling data in the traditional sense. But how does California's broad definition of sale, which, which includes that type of sharing for cross country behavioral advertising, you know, how does that change the calculus here? It changes it significantly.

A (15:43)

And I think I just want to be like crystal clear on this point. Any business, especially in ad tech, can now be defined as a data broker. And it doesn't matter if your contract says you're a service provider, that's completely different. Like you may have all the best commercial terms in the world that say, I'm a service provider, I'm doing XYZ business purposes. But at the end of the day, if you're making available third party data and you're combining third party data and you're enabling a third party to monetize off that data somewhere else, even if you don't touch it, and even if it goes through a data clean room, you're still going to be responsible for being a data broker. Privacy by design through a clean room doesn't negate, especially for ad targeting, really doesn't negate the fact that you're monetizing an audience through another media platform. And so if you're doing that, you're packaging up audiences, you're combining audiences together and you're pushing that audience off to another media platform. The data that you did not collect yourself, that third party data that you're now monetizing through another platform is likely deemed a data broker activity. Now the data clean room itself, I think can still be an intermediate, can still be a service provider. But the companies that operate the clean room and merge that data together and monetize that data together on other platforms are definitely going to be in scope here, in my opinion. And it's hard to really get around that just because you have some sort of, you know, commercial terms that say you're not really selling or sharing the Data for that purpose.

B (17:10)

Right. Because if the output is some, some flavor of an inference and that inference somewhere downstream is attached to a UID like they're pretty clear that that's still personal data.

A (17:23)

It doesn't again, it's not going to stop the sale from that first party. Right. The first party retail media platform, the first party publishers, you know, they can still sell their data all they want and they're not going to be a data broker. It's just when they combine that data with other third party data, whether it is interest based data, whether it's transactional data, whether it's demographic data, that packaging of data that gets monetized on another platform, that's what really the, I think the CPPA is trying to regulate here.

B (17:52)

Got it, got it. So I'm curious about some of the more traditional data brokers like the axioms and experians of the world or some of the people data aggregators. It seems like they are the cleanest target of the Delete act. And I'm curious what your sense of overall compliance within that segment of the data broker space is currently.

A (18:15)

Yeah, I mean as I said, I kind of grew up in that space having gone to all the Direct Marketing association conferences for a decade and worked for Experian for 10 years and know all the relationships that they had. So I would say, you know, again, There are about 500 companies that are, that were registered in 25, I just heard last week. It's not many more right now it's only about 560 I think they said last week that are now registered. They haven't published it yet. But the vast majority of those are those DMA members. The companies who just know that they're data brokers, they've been in it forever. That's not the audience I think that we're talking about here generally that has, that the CPP has enforced against, you know, again, of those dozen or so enforcements, most of them were, you know, companies that were smaller businesses that were sort of trying to maybe evade the California obligations. One was a big company that just tried to, they just made a mistake in their renewal S and P Global. But I, I'm not so worried about the Experian axioms of the world, but rather that much, much broader long tail of tech businesses that, that use data, that supplement data, that make available data. Again, those are ad agencies as well. They're SaaS platforms, they're you know, kind of niche, you know, technology plays. I did a quick scan right before, you know, the end of the year, companies that may not be registered. And I found at least 100 in a matter of minutes just based on a few keywords that are kind of new sort of techniques that companies are using for data monetization. And I suspect again, there's going to be many, many enforcement actions to come this year.

B (19:49)

What's your sense of the publicly available data exemption? Because I've gotten the sense, so that might just be where my travels have taken me, but I do get the sense that that is a pretty significant number of companies who seem to be basing their position on the fact that a lot of, maybe not all, but a good chunk of their data fits into the publicly available data exemption.

A (20:11)

I mean, it's that last part that you just said that's the critical issue. Yeah, it's that it's not all their data.

B (20:18)

Right.

A (20:18)

And again, like if you're only trafficking true publicly, really public record data, I would just call it that not necessarily public available because a lot of companies will say, oh, LinkedIn data, LinkedIn data is publicly available there and we're just going to map it to an email address and sell it off to companies and, and that we're not a data broker because we're all LinkedIn. You know, like, no, of course they're going to be a data broker in that category, but really anytime, and the CPP has already said this in their enforcement action, anytime that a publicly available data aggregator creates inferences or maps additional data at points to that data or combines data together from different data sources, they're going to be a data broker, even if the vast majority of their data may have been public record data to begin with.

B (21:04)

I think that's a great point and I think that that's one that a lot of those companies seem to be missing. I don't know if they're ignoring it or they just don't know, but, but it does seem like it's not just one or two companies. So I'm curious with respect to some of the retail media networks and that's been like a pretty hot term over the last year or two within the larger ad space. Walmart perhaps being like the, you know, the pinnacle of that model. But like, how should those companies be thinking about whether or not they are tripping up some of these data broker rules?

A (21:36)

Yeah, I work with a couple of clients, big clients in that space and it is extremely difficult right now. It's like sort of a kind of like guardrails around the walled garden campaign data and potentially off site or off Platform media that they might be extending their advertiser audience, you know, to, to enable. Because that is, that is really tricky. If you, if you are enabling your, your, your sane retail walled garden, you know, data to be used, you know, to target on another media platform, you are running into this potential issue because you know, again, if you're using that advertiser data that says like, you know, we onboarded through a clean room or whatever Liveramp or whatever partner we're working with to map that first party data to this retail media data and then send it off to, you know, social media or some other platform for ad targeting, you're monetizing data you didn't collect yourself. And that is again, what we're talking about that the CPP is really trying to regulate here is that sort of that combination of third party data with first party data where that again is monetized somewhere else. So walled garden stuff, no worries. I don't think there's really any risk if you're ad targeting within your ecosystem, but outside the ecosystem is potentially problematic.

B (22:52)

What about some of the big tech companies or browsers or smart TV manufacturers or auto manufacturers? I mean, can one make a compelling case that these companies are or should be thought of as data brokers? I mean, you've got the Texas ag, who, who is, who's outlined for better or worse that, that a lot of data is leaving the smart TV space

A (23:15)

and the auto space. I think Texas also did an interesting. And the Allstate insurance example, I think, being a big one there. And I would focus for a second on the auto industry just, you know, having known a bit about kind of what goes on behind the scenes because there's been a tremendous amount of data sharing between the manufacturers and the dealers across dealerships across states. And you know, there's, there's a lot of, and again all sorts of third party data appended to that, you know, that sort of incestuous relationship between the manufacturers and the broker and the dealers and third party data providers to monetize that data to target ads to those individuals. I don't see how there aren't intersections there here that some of those entities are going to be data brokers in this regard. Again, smart TVs, again I put those and others still maybe in the wall of garden category. I'm not, you know, that some of them are trying to control their own ad ecosystem and maybe okay for the most part, but you know, again, they are licensing data as well. But some of those licensees of that data that are Packaging it up and monetizing it on other media platforms are potentially data brokers as well. I know, I know. And looking at the list, I know a couple of those companies that you're probably familiar with are registered already that are packaging up smart TV data and then monetizing it through other channels. But again, like, I don't see any industry that's really exempt here because the third party data industry, like the Experian and axioms of the world have their sort of, you know, breadth of customers that cross every single type of industry vertical. And anytime that third party data is used, if it is monetized somewhere else, like it just feels like it's going to be in scope here.

B (24:52)

Yeah, I would agree. It's going to be very interesting to see how that ultimately plays out, I would imagine, although I guess you can't really guarantee, you know, there's no guarantees in life. But I would imagine there will be a compliance warning of sorts, you know, sometime in, you know, Q1 or early Q2 before they start raining down lightning bolts. But that's just a guess.

A (25:12)

I mean, I think they're trying, they've been trying. I mean Tom is obvious. Tom Kemp is, you know, an excellent spokesperson who is a great hire for the organization. He's very completely agree, PR friendly and is getting out there and like with you, you know, and trying to make that, that case and. But there's only so much you can really do in the, in the industry before you really have to kind of drop the hammer. And you know, I think I just want to make sure that the talking point is here, you know, September of 2026, if you are not registered really by August 1st of 2026, in September, they're going to start enforcing against their drop mechanism which really has again, bankruptcy level enforcement, statutory penalties. This is not like what we've ever seen in the United States as far as the capability of a, of a regulatory body to enforce such a potential penalty that it could bankrupt even big public companies. We're talking, you know, hundreds of millions of dollars of fines that are just vanilla statutory penalties that you can't really challenge. It's not a consent decree. This is just, you know, we're just going to fine you. And that's just day one. Like it multiplies, right? So if you don't comply, so it's really billions, potentially trillions of dollars of fines that could calculate over the course of the rest of the year.

B (26:29)

It's almost a EU style fine structure combined with like a Lone Star Texas style enforcement mechanism. And it's going to be really interesting to see how that plays out. I want to shift gears for a second and talk a little bit about authorized agents. And so I accidentally, and I mean that in air quotes here, I signed up for an authorized agent service called Broker Busters. And the reason it was sort of accidentally, I was starting to see some requests come from them. So you like, you're naturally curious and you want to see, you know, who are these guys? And I started signing up and I hit the submit button, assuming that the next page would be a okay for 4.99 or 29.99amonth, you know, we're going to take care of this for you. Turns out it's a free service. So I hit the button and anybody out there that's getting requests from, from my email address, I'm really, really sorry. But, but on the other hand it's given me some pretty, pretty good insight into how companies are complying with this. So now, now with that filibuster, I've got a couple of questions for you. You know the, the, the Broker Busters is what they call an authorized agent service. And I'm curious of what your, you know, what's your sense of the authorized agent business, how it's developing, how helpful it is to, to, to consumers and its impact on the business community.

A (27:50)

I think it started out well intentioned again, you know, even before the CCPA with like the lifelocks again try and package up identity theft protection and other sorts of true consumer benefits by trying to, you know, do you know, data deletion and minimization, you know, but it's evolved into something that again like there's no real friction to build an open source, your free tool like Broker Busters and just start, you know, firing off requests. And the law, you know, CCPA in particular is not particularly rigorous as far as like what it means to be an authorized agent. You don't need a true power of attorney or something that would create some friction in that industry. You know, you just need to make it clear that you represent the individual. And having worked with, you know, quite a few data brokers who get significant volumes of these requests, they are not always accurate, I think is the best way to say it. They, you know, we've seen some sort of telephone book type requests come in and so these companies have had to implement really sort of key sort of friction points to validate the authentic, you know, authenticate these individuals are who they say they are and what, what they're trying to do. So I think there's a, you know, again, like, there's like a lot of ads for like delete me and Incogni. Like I hear it on my podcast, like maybe you have asked for that.

B (29:03)

I don't know.

A (29:03)

But like, you know, like they're, they're out there publicly, you know, going off on this. And they do serve a, I would say an intermediary purpose today to try and help with, you know, consumer privacy. However, with the California drop mechanism coming into effect in August, I don't see any value to them. In California, at least later this year, consumers can just sign up and that is the same thing as an authorized agent. The drop mechanism for Californians is an authorized agent. And processing all that data on our behalf, we're now seeing again lots of other states potentially following suit. Maybe you'll see some federal action know at some point that looks like the FTC Do Not Call act. But you know, again, these, these registered agents, I don't see them as being necessarily long lived as far as like a, you know, future business model.

B (29:52)

Yeah, it does seem like the writing's on the wall now. It may take 5, 7 years for all of the states or the federal government to, to make this a nationwide standard. So there's going to be a role for them. But most of them are focused on deletion requests. There's very few. I don't, I don't know that I've seen an access request or a correction request coming from them in part because I don't think it really lends the model doesn't really lend itself to that.

A (30:18)

I don't know if I call this an authorized agent, but I, you know, I have seen a particular plaintiff's law firm issuing access requests under the Shine the Light act, not even under the ccpa. You know, there's again, there's some novel legal theories around where that could interplay with litigation. But be on the lookout for those kinds of access requests. But because they technically are authorized agents, they're just coming from a law firm instead of a, you know, incogni type company.

B (30:44)

So I've got another question. And what's your sense of, you know, the 550 data brokers who by the way are all receiving these types of requests Because I think the first thing an authorized agent does is you, you know, you figure out who's listed on the California Data Broker Registry and then you just add all of them. What's your sense of the compliance level across that 550 companies yeah, I mean

A (31:09)

I can speak on, you know, for the ones I've worked with that you know, before we even register. You know, I've worked with quite a few before they register with California or the other states. I've made it crystal clear to them you must have your sort of data subject rights portal ready for scale, you know, because yeah, as you said like you flip the switch and all of a sudden you know, the floodgates turn on and you know, you better be able to respond in a statutory way, you know, to these requests and again split out again the opt out ones from deletions, you know, and less friction on opt out and you know, more friction on deletion and access and just how you do that. But yeah, it's a huge problem and you know, again I often prescribe, you know, don't do just like a privacy at email address if you're a data broker because you are going to get, you know, absolutely flooded with emails. You do need some sort of form, you need some sort of dropdown make sure like it's a human that you know, is able to respond to these requests and not just like make it available for bots and AI agents now to do on behalf of these third parties.

B (32:10)

So I'm just going to go under the assumption that someone who is working with you has thought a lot of this stuff through. But my experience in just getting back 550responses is that the level of compliance is just all over the map. The there are responses which just aren't really in clear English, let alone whether they comply with the statute. Like I could read through some of these responses and look, I do this for a living and I have no idea what they mean, what needs to happen, whether I need to click somewhere to, to double verify it. And I mean, you know, and, and some of that is that you know, it's often not the chief privacy officer who is dealing with, you know, these kind of operational issues. And so oftentimes I think that this is the exact area that that gets way under resourced and way under focused in not every but a lot of organizations. And that's a huge problem.

A (33:10)

It is a huge problem and it does take up a ton of time again usually for junior, you know, customer support people. And you know, you are in your right to push back on, you know, again the nonsensical requests or what don't seem accurate or don't really seem author at all. And again most importantly that they are operating within those states that even allow for those kinds of, you know, authorized agent requests because there are lots of states that currently don't require that or offer that as part of their, their laws. And so you know there is some sort of triage that, that does have to take place. But yeah, it's, it's unfortunate, you know, that they're getting flooded, but it's against now it's just part of the business of being a data broker.

B (33:49)

Yeah. Now I think that that's it and, and hopefully companies start pretty soon to, to get religion on this. But by the way, you know, you said the, the August 1st deadline. Do you have a better sense? Because I think you're really hyper focusing in this area. Do you have a sense of when testing is going to begin with the drop?

A (34:09)

Yeah, I think they said they're going to release the API specs.

B (34:13)

Really.

A (34:13)

And then she actually showed them last week at the event, like just a screenshot next month. So in March and I think testing will begin in April.

B (34:22)

Ah, okay. So that sounds like they're hopefully as funny as I'm off talking to people about this. You know, I don't want to say it's going to be a huge lift. I don't want to say it's going to be a light lift because I don't really know. And so I think it's, it's like until you get in there, you know whether this is going to be, you know, it's probably not going to be a thousand person hours, it's probably not going to be five. And setting this stuff up is something that hopefully companies have resourced for.

A (34:50)

I mean again I work with quite a few companies that are kind of

B (34:52)

all over the place.

A (34:53)

There's like the tech native companies that came up, you know, with sort of automation in mind from the beginning. And then there's like the old school ones that you know, kind of came from the old DMA days. Those companies I think are in deep development trouble I guess I would say over the next six months to get there and it could be thousand hours. Like it really is complex the what's required in the drop mechanism and I, you know, I am intimately familiar with what the requirements are and it is a non trivial for any company but certainly for those old school companies they are, they're going to be really scrambling I think up until the last minute to get this thing done and ready.

B (35:29)

Yeah, well that's just it. I can't wait to see the company who decides to vibe code their API integration and we'll see how that goes. Okay, so, so looking out three to five years. How does the data broker regulatory landscape look different than it does today? And really what I'm getting at. Is the delete Act a ceiling or is it a floor? And we're going to see more and

A (35:49)

more stuff, I think from a sort of a macro industry perspective, we're going to see contraction in this industry. I don't think there's a way for the sort of, the historical sort of long tail of small mom and pop businesses that have operated historically as data brokers to really survive, I think in light of, of what's coming. And again, you know, looking most forward to all the other states that have now raised their hand and said, yes, we want a drop mechanism as well. And it could be 50 states, you know, kind of similar to data security laws. Like, you know, it could easily become 50 states in five years very quickly.

B (36:24)

So.

A (36:24)

So I think the writing is sort of on the wall for, for companies that aren't capable of really. Right. You know, regulating themselves into a place that, you know, gives them some operational, I don't know, headway, because it's not going to be easy to be in that industry in five years. I just think it's going to be tricky for anyone. Now we'll see again, if federal law comes in, potentially preempts state law and changes the sort of the dynamic of what could be included in a deletion mechanism. But I'm very pessimistic. I don't see federal law coming in at all and certainly not preempting and removing all of these state initiatives.

B (37:02)

So.

A (37:02)

But again, I think it's going to be very clear very quickly that other states against New York and a number of other states have very publicly said they want this mechanism and it will. There's no, there's not going to be lobby. There's no lobbyist group. And I was like a lobbyist for this industry 30 years ago, but there's really no one left. Like the ANA doesn't lobby for them, IB really doesn't lobby for them. There's no friction for them to pass these laws. Not really. So I expect it to come to fruition.

B (37:29)

Yeah, I think that it's funny how we come full circle, but we need a direct marketing association 3.0 or something like that because I think a lot of these companies are going to have a whole bunch of compliance challenges and maybe they just all get great outside counsel like you. But I do think that that industry could use a voice. We'll see if one emerges.

A (37:52)

I mean, again, it could be the ieb, it could be the ana, they could definitely step up because I think they need to come to this realization that the data broke law, like delete act and all these other state laws really do impact their industry. Like they, they've always kind of looked the other way at data brokers just because like the bad rep or something like that. But now it's like squarely in their, in their core industry function and I just don't see how they can ignore that, you know, over the next couple years.

B (38:15)

So I, I've got one final question. This has been a fantastic discussion, Ben, and I really appreciate you joining me. So you had, had advised a whole bunch of companies across the, the spectrum on these types of issues. What is the single biggest ongoing misconception that you encounter? You know, what is it that, you know, the thing that when you hear it you kind of know a company is in trouble?

A (38:37)

I mean I've now seen this, I mean I said it five years ago, I think when the CCPA was coming out. So many against CEOs in particular of companies say we don't sell data. They're still saying it in 2026. And you go to their privacy policies and their privacy policies say it, we don't sell data. And they don't even have like that kind of a caveat statement for CCPA that's like, except for third party cookies, right? You know, some do, you know, and they try and sort of, you know, massage that language. But there's this sort of notion that, you know, that there's an integrity with a business that they're not going to monetize user data. And I think the most obvious example of that right now is OpenAI. And besides the fact that they degraded themselves from a nonprofit to a for profit separate issue. But like the same issue's happening with their ads product right now where you know, the most intimate consumer personal details of people are sharing with these tools and now they're monetizing their audience. But we're not monetizing what you're saying. Not yet. But come on, really, like, you know, is that really going to happen over the long term? So we hear these sort of sentiment statements again, I think Sam has said it, others have said it. OpenAI, we're not going to do this with your intent data or response data. But I think that's a really an open question. And as a privacy professional I'd be kind of yelling from the rafters like you need real privacy by design here and you need to be Transparent as hell about it. And you need to lock it down and the board, you know, needs to lock it down. Right? Like it's gotta, if you're gonna say what you're gonna say, you really gotta create some backing for that and not just expect that, you know, people are gonna hear it and, you know, hope for the best later.

B (40:27)

OpenAI is a really, really good example. So like all of the financial analysts are saying that they are in, you know, in some variation of near financial doom. They need to generate revenue and they're seeing the ads business as the way to do that. But like, just think about this in comparison to other, you know, tech companies or even media companies, like how quickly can you scale to 2 billion a quarter? You know, and because it took, you know, it took Google what, I don't know, seven or eight years, it took, you know, Netflix three or four years to get to 2 billion. And they had Peter Friggin Naylor working with them on the ads production. So OpenAI is going to try to do that. And in order to get there, they are going to be under tremendous pressure to move very quickly away from whatever promise they happen to make on February 1st of 2026. And that's going to be a huge challenge for them.

A (41:22)

I mean, again, going back to like the beginnings of my career about email marketing, right, and really setting sort of the tone for best practices in consent. Like what does it really mean to have a direct consumer relationship that is transparent and they're aware of what the company is doing with their data and how they want to be communicated with? And OpenAI can certainly implement these best practices for consent. Not again, cookie consent. Like we're saying, like nobody really understands what the hell is going on with cookie consent. But you do understand when you sign up for an email that you're going to get that email from that company and not like every third party on the planet, right? So OpenAI has an opportunity here, I think, to really look at privacy in a new way in a contextual relationship with what people are using the tool for. And they could really create personalized ad and targeted ads and again within their ecosystem. But it's gotta be based on this true one to one relationship because they have a one to one relationship already with the tools. So they should have a one to one relationship with the ads in a much more significant way that could again scale into multi billions. But it can't be based on anything we've ever seen in the ad tech ecosystem. It has to be something brand new that really keeps AI as the core privacy focus in that relationship. I think they can do it. I believe any company can really use privacy by design in a thoughtful way, an innovative way. I just don't have faith that they're doing it based on what I've heard and the way that they've been operating. And right maybe to your point, the desperation that may be taking place inside the company that that is never a good place to make decisions from and could lead to really bad results.

B (43:00)

Couldn't agree more. So Ben, where can my audience find you and learn more about your work?

A (43:07)

I post a lot on LinkedIn, so find me there. My website's inhouseprivacy.com and yeah, happy to engage.

B (43:15)

Well, fantastic. Thanks so much for coming on. Ladies and gentlemen, Ben Isaacson. Big round of applause. That was a great discussion. Ben is an old friend and was one of the people I reached out to when I was first starting up Chappelle and Associates. I am grateful to Ben and all the other privacy pros who were willing to give me 20 minutes of their time as I was just cutting my teeth in the privacy space. A few things I want to pull out from that conversation. First, the data broker definition. Ben made a point that I cannot stress enough. Having a contract that designates you as a service provider does not protect you from being classified as a data broker under California law. And also, if you are combining third party data with first party data and monetizing that combination on another platform, even through a clean room, even without directly touching the data yourself, you are potentially in scope of this rule. If your legal team hasn't walked through that analysis recently, that conversation needs to happen now. Second, the drop deletion mechanism in California API specs are expected in March. Testing is supposed to begin in April. August 1st is the hard deadline. And as Ben pointed out, there is no safe harbor for mistakes. For companies that grew up in the old direct marketing world and weren't necessarily built with all automation in mind, this is going to be a heavy lift. Third, the publicly available data exemption. This one keeps coming up and I keep seeing companies lean on it in ways that simply won't hold up the moment you append additional data points, create inferences, or combine sources. Even if the underlying data started out as a public record, the California regulators have already signaled that you lose that exemption. This is not a gray area anymore. And lastly, there's the OpenAI thread that we had at the end of our discussion, which I think represents sort of a perfect storm of regulatory and business challenges. OpenAI is under enormous financial pressure. The ads business is the obvious revenue lever, and the data they're sitting on is unlike anything any ad platform has ever had access to. We're not talking about browsing history or purchase signals. We're talking about the most intimate, unfiltered thoughts, things that people routinely share with an AI tool. Health concerns, relationship problems, financial anxieties, career doubts. So OpenAI has made reassuring noises about putting guardrails on how that data gets monetized. But as Ben points out, and as I'd echo, reassuring noises are not privacy by design, they are not board level commitments, and they tend to have a short shelf life when the revenue pressure gets real enough. Many, if not most, financial analysts are predicting that OpenAI will be under huge revenue pressures over the coming months. The pressure for OpenAI to adjust all of those early promises will be massive. And unlike Google, OpenAI doesn't have the benefit of 15 years to gradually inshidify its services. Ben actually made an optimistic case, and I want to give him credit for that. He argued that OpenAI has something many ad platforms don't have, which is a genuine one to one relationship with the user. If they build their ad products around that relationship with real transparency, they could create something that actually scales without burning down user trust. That's a real opportunity. Whether Sam Altman has the patience to leverage that opportunity, given all of the pressure, is a different question entirely. And that's the through line of this whole conversation. From the Delete act to clean rooms to data brokers to authorized agents to OpenAI, the question is always the same. Are you building something that you would be comfortable explaining to the person whose data you're using? If the answer is yes, you've got a shot. You've got a shot at building trust and at avoiding regulatory fire. If you found this episode useful, please share it. And just a reminder folks, we're just two guys talking. Nobody here is providing legal advice. Get your advice directly from your favorite privacy person or attorney. We've got a bunch of other fantastic guests coming up on the Monopoly Report podcast over the next few weeks. We'll have Tony Katzer from the IAB Tech Lab, Sheila Col, who spent years and years at Axiom and ipg. We've got some really smart people from some of the big tech companies talking about their new content marketplaces, and we've got a few representatives from state AG offices on to talk about enforcement. It's going to be a party here on the Monopoly Report as we head into the spring. Please subscribe to the show@monopolyreportpod.com or on Spotify, Apple, YouTube or wherever you listen to your podcasts. And thanks for listening.