A

This is adtech God and I command you to listen to this house ad. So if you're listening to this show, just know that you've really stumbled upon a giant network of content across advertising, marketing, media, publishing, and of course the people that work in this great advertising industry. So go to market, Check out all of our brands. We have multitude of shows from the Brand Forum, the Advertising Forum, the Monopoly Report, the Ad Tech God Pod, the Market, and more. We are bringing more podcasts to our network. We are consistently and constantly bringing on new shows. So check it out. Market or search for any of those brands in the app that you use to listen to this podcast. Enjoy the show and see you all soon.

B

Welcome to the Monopoly Report. The Monopoly Report is dedicated to chronicling and analyzing the impact of privacy, antitrust and other regulations on the global advertising economy. If you were new to the Monopoly Report, you can subscribe to our bi weekly newsletter@monopoly-report.com and you can check out all the Monopoly report podcasts@monopolyreportpod.com I'm Alan Chappelle. I am outside Counsel and fractional CPO to a bunch of tech companies and am the Principal Analyst and at the Chappelle Regulatory Insider, which is a monthly report that shares strategies and insights for digital media worldwide. You can find a link to a sample copy of the Chappelle Regulatory Insider in the show Notes Today I'm joined by Andrew Woods. Andrew is currently the General Counsel and Corporate Secretary at the SSP Pubmatic where he oversees the company's global corporate, commercial, intellectual property and legal affairs. Prior to joining Pubmatic, he served as a Director and Associate General Counsel at Twitter and prior to that as Corporate Counsel at the Demand side Platform Turn. Andrew holds a JD from Harvard and obtained his Bachelor's degree in History from ucla. Gotta respect. A history major turned lawyer. I've known Andrew for well over a decade and have been meaning to have him on the POD for a while. It's pretty clear to me that Pubmatic has taken a leadership role in ADTech's move into the agentic advertising space, so I'm excited to hear more about what it's like to be building privacy compliance in the agentic AI ad systems. Andrew also is pretty candid about how his legal team uses AI internally and he has some genuinely sharp things to say about what the future of in house legal work actually looks like. So let's get to it. Hey Andrew, thanks for coming on the pod. How are you?

C

I'm doing great, thank you for having me. I'm Very pleased to be here.

B

Where are we finding you today? And by your background, I'm getting the sense that we just might be in the same city.

C

I think so. I am. I'm visiting New York this week. I'm normally based out of the San Francisco Bay area, but I'm here in PubMatics New York office. Had an opportunity to get into the city. So excited to be back in one of America's great, great cities.

B

Well, I wish we had a better day for you here. It's a little crappy out but that's okay. That's okay because you're a lawyer, you're going to be working till 10pm anyway, right?

C

It's not that bad. What could be better than an opportunity to work on hard problems of good people?

B

I like your framing. So we met back in, I think it was 2014 when you were at turn the DSP. Walk us through how you found yourself in the ad space and what some of your initial reactions to the space were.

C

Yeah, you know, my journey was somewhat non traditional in that I had been a founder, I'm an attorney, but I was a. I had left sort of a core legal practice and had. Had started a startup with a couple of other folks. I was the third founder. They added to their team and sort of helped try and build out a company and ultimately like that didn't go the way that we had hoped. And I was.

B

What kind of company?

C

The company was called Skill and Games. It was a big data analytics company looking at yield optimization inside online poker rooms of all things, and was working to try and think about ways in order to maximize player dwell time or play time. So player sessions. So how can you help players have as much fun as they can, play as long as they can, and lose their money slowly, if at all? Since casinos make their money sort of on a volume game and poker versus like blackjack or something, you're playing against the house. There were certain parallels to sort of like the big data processing that I had been involved in. But it was a pretty fundamental shift in thinking about behavioral advertising, how RTB works, and all of the elements that go into sort of the programmatic ecosystem that we know and love.

B

And then you spent six or seven years at Twitter. Now is there anything you could share about your time at Twitter that isn't going to get both of us sued?

C

Twitter was a wonderful place. I was actually there for. Let me see, I started in 2015, left in August 22, just a couple of months before Elon took over. It was a Fascinating place to work always was a company that sort of punched above its weight from a cultural norm. But one of the things that was most interesting to me, and something that is deeply informed how I think about privacy and data use, was the duality of Twitter needing to play in sort of what I would call a hedge garden space where they wouldn't have the size of the leverage of a meta or a Google to operate as a pure walled garden. And interacting with the adworld while simultaneously being a platform that at the time was heavily populated with people who depended on anonymity in a very serious way for their safety. We had a lot of dissidents on the platform who were involved in things around the world where their identity being revealed would result in doors getting kicked in and people having real world consequences. And so thinking very hard about how we could generate the monetization that was important in keeping the platform open and operating and available, while at the same time being very careful to not expose somebody to those harms that were sort of contrary to the values that the platform had, has sort of informed and animated my thought process, moving on from there, starting from sort of a core concept of do no harm and trying to think about how you can capture the good things while in terms of monetization and all the sort of openness that that can promote while making sure that you protect against the downsides.

B

So I want to shift to Pubmatic because you guys sit at a kind of an interesting intersection. I mean, you're a public company, I think everybody here knows this, but you're a supply side platform. You're now a participant in an industry that is moving very quickly towards agentic AI. So what does a typical week look like for a GC who has to keep pace with all of those realities simultaneously?

C

Yeah, you know, it's such a funny question because every single week is different and yet every week is exactly the same. And like, when you think about, like, what's the same? The same is that the folks that I support across this team, the folks that my team supports, they always need the same three things, right? They need the correct legal answer. They need that answer as cheaply as possible in terms of both, like, cost and also like friction. Like, how hard is it for them to get to the answer? And. And they need the answer as close to instantly as possible. So like, every single week is just like relentlessly focused on trying to figure out and encouraging my team to try to figure out how we're going to deliver those things. And then like, what's different is like, this is going to sound so stupid, but when I took the role of general counsel, I didn't really appreciate the general part of it. You know, every single week it's like everything. So like, we might see, you know, the public company nature means that the calendar dictates things. We might be doing earnings prep and you know, script reviews and things like that on Monday and then doing a deep dive into agentic workflows for our agentic ads products on Tuesday and on, you know, Wednesday we might be looking at, you know, hard commercial deals or commercial escalations, privacy, you know, data maps, things like that. So the sort of cadence of the company and the, the nature of it can dictate some of what we do. And then it's always, you know, kind of in each of those settings really pushing hard to make sure that we're getting those right legal answers to people easily as we can for them, as fast as we can to them.

B

So at some point I want to talk to you about what it's like to negotiate the lease in the New York City building for. But, but I want to talk mostly about kind of privacy and regulatory stuff. And so, you know, as you look back at the last five years of privacy enforcement, you know, you've got the IABTCF rulings in Europe, you've got the FTC's increasing scrutiny of data brokers, and you've got Cal Privacy who has really just, you know, taken on the mantle as the core go to regulatory authority. And so what's the single biggest lesson you've taken from watching those proceedings that directly shapes how you advise pulmatics leadership today?

C

I don't want to retreat to cliches here, but really it's that hope is not a plan. Oh no, no.

B

Cliches are great. They're great memes.

C

I think that one of the things that I would say I have seen some folks across the industry occasionally give into the temptation that a little bit of sort of we value your privacy lip service and trying to keep your head down is a path towards success. And you're trying to know those folks are trying to play some sort of probabilistic game that I guess you're not going to get looked at. And at Pubmatic, you know, I, I simply don't think that that is realistic. Right. We, we operate globally, we operate across all those jurisdictions that you're talking about. We are subject to, you know, regulators and regulatory investigations. In any of those, you have all this sort of normal third party plaintiffs that you can think about, et cetera, et cetera. So we've always operated during my tenure here on the principle that we are going to expect at some point the know that somebody is going to scrutinize Pubmatic and that we need to structure our technical deployments and our data use accordingly. And you know, a lot of times privacy can be very complicated, but it's also, at least in my view, pretty simple. And the way I try and simplify that for my team is pretty straightforward. Like someday someone's going to come knock on our door and say, hey, what are you guys doing with all this data? And when we tell them, they will then say, why did you think you could do that? And if we have a good answer to that, we're going to be okay. And if we don't have a good answer, that it's not going to go good. And so the way that we approach sort of product development, data use, et cetera, et cetera, recognizing that, you know, we're a data broker sitting in the middle of lots and lots of personal data processing is we need to be confident that we can go out and show that we have a legitimate legal basis for processing the data, that we are in accordance with the relevant laws and the regions that we're operating in and making sure that we're prepared to show our work there.

B

And really key to that I'm inferring is you need to get the business people comfortable with being honest with you and so you have to build relationships with them. And I would love it if maybe you share a little bit about how you do that. Because my sense is that you, you and your team do that, do a really good job of that.

C

And I think there's a combination there of classic trust building, right? And that comes into being able to express that to your teammates, that you hear them, that you understand the business model, that you are not there as a hall monitor, you know, to slap wrists for the sake of slapping wrists, but then also to align them under like the principles underlying the privacy wrecks. Like why is it that users care about this? When people are going to visit our publishers, we websites and they are saying, hey look, I really like this content. I do want, you know, this publisher. I want the New York Times to stay in business. I want, you know, this person to continue to be able to bring us like these websites. I don't want the entire world just to be a dead Internet of AI generated articles being fed into me by other AI generated, you know, tools. I want to see this and like it's a pretty small price to pay for my synonymous data to be used and that. So I do accept, I consent, et cetera, et cetera. Okay, well what does that mean? What does the user consent to? Let's make sure that we are honoring the user's wishes, et cetera, et cetera. Because that's what you wouldn't want, right? And that's what a durable business is built on. And so trying to help make sure that the folks that we are working with understand where we are coming from and why it's important to the durability of our business that we are honoring, you know, the sign, the consent signals. We get, that we are participating, that when we, you know, when we get a DSR or an opt out, we're like moving on that promptly to make sure we're getting people the information they have, that we're disclosing what we're processing, that we're opting them out right away, that we are honoring that across the board because that, you know, sort of long term builds a business that is going to benefit us. That's like part of it. The other part of it is like making sure that folks that we show up for our folks internally where like, hey, listen, we understand the pressures you're under, we understand the shipping deadlines you're on. We are committed to making sure that you get that legal answer that I was talking about as close as we can to instantly make sure we're giving you the right answer. Making sure that it is easy for you to get it, that we will show up wherever you are, you want us, you know, you want to reach me on Slack, email, phone, you want me in the room, you don't want me in the room. Whatever you want, like, we're going to be here to make sure that we're delivering that to you as best we can.

B

So I want to shift to agentic because that's really kind of the hot thing. And we've had a couple, we had Tony Katzer on a couple of weeks ago. From a legal and compliance standpoint, when an AI agent is making real time decisions about where an ad runs and who sees it, who is actually responsible when something goes wrong.

C

Yeah, we've been thinking about this a lot as you may know. Like Pubmatic ran the first agent fully agent campaign with Butler till a couple of months ago. I'm pretty sure I'm contractually obligated to mention that every time I was at

B

the meetup in New York, I think where that was talked a Bunch and boy. I will tell you, the energy amongst the business community around that particular launch was pretty high. So well done.

C

Yeah, I think there's really something there. We've seen a ton of excitement about it, we're very proud of it. But also it means that we've had to think about these questions and practical terms in real world terms, not just sort of academically or theoretically. And you know why I keep coming down on this is that like, you know, I think the instinct sometimes people have when they encounter agentic everything or gentic anything really is to treat it as something that's kind of like unprecedented or new. And I understand that instinct, but I don't think that that's the case here. I think the liability framework here is more sort of familiar than people assume. And like the way I think about it is that agentic AI doesn't really create new categories of liability, it accelerates existing ones. So there's nothing from the legal point of view that is fundamentally different from an agentic campaign than a human one. The agentic one is simply happening at machine speed. So through pubmatics like activate platform sort of across programmatic advertising, we've always had like paradigms of self service advertising and managed service advertising. And in all of those scenarios you have an input coming from somebody who wants to fly to campaign and then you have an execution layer, a PubMatic or somebody like us who has to execute against it. And where they, you know, these things sometimes go astray, there is always a question of like, well whose mistake was it? Like where did the mistake come from? And so like did the platform execute it correctly? And when I think about that agentically it's like well, the party that deployed the agent that created that output is, is the one who should be responsible for it. So if you have in a human system an insertion order or a media brief that's provided that says hey, run a campaign for $100,000 and that, you know, gets run and then somebody calls up and says hey, we said $10,000. Like well we have, we have the docu we can show, we can show the logs that say you actually, you know, the thing said $100,000. Inversely, if they said 10,000 and somebody, you know, on our side fat fingered something to say 100,000, like that would be our responsibility. And those same paradigms work in sort of the agentic world. Where it gets more interesting I think is when the agent starts autonomously optimizing towards a result that nobody specifically directed. So if you have an agentic deployment that starts targeting an audience segment that raises like privacy or brand safety concerns or something like that. And that's where like system design starts to really matter. And you know, that comes back to the same framework I was talking about in privacy. Somebody's going to ask what did you do and why did you think you could do this? And you need to be able to answer that question. So you have to understand like which agent is like making the decision that is driving this behavior that was unanticipated and then why is that happening? And that's where I think just sort of logging, decisioning, trying to understand and record the decision prominence is going to be sort of foundational to how we build in both agentic and non agentic contexts. And, and that's why records are going to matter.

B

But really at the end of the day, that only really works if there's some audit component after the fact.

C

No, I think it would depend on like what you mean by the word audit component. Like the world that we are envisioning, right, Is a fairly simple logging of the instructions that are exchanged between the parties the same way we would record it if there was an instruction exchange between two human parties. And then to the extent possible, and there's like technical questions here we'll have to think about as we start building this out as scale as an industry. But like ideally I would want to be pushing us towards a place where you are generating and retaining logs that show the instructions. Hopefully capture the decisioning providence. Like what, what people, what decisioning or reasoning the the agentic deployment was pushing through and then capturing what data was accessed or used in order to make whatever the decision or whatever the output was that came off of it.

B

But in somewhere there you're going to need some flavor of like an input to say, you know, if there's five entities that help serve this ad or help had something to do with it. You had a data company, you had a measurement company, you had like there needs to be some like I would think I don't have risk scores or the right answer, but like something that allows that agent to say, you know, yes, we made a decision to go with vendor A versus vendor B because their privacy score or whatever you want to look at was higher.

C

I think that very well could be it. I mean anytime we start talking about like privacy scores or something like that, I start thinking about making sure that these tools are used thoughtfully and they don't become like a checkbox exercise. I'm constantly reminded of sort of like bond credit ratings before the global financial crisis of 2008, a whole bunch of AAA rated bonds that, you know, maybe ended up not being AAA quality. And so making sure that like when you have these sort of scoring things, they don't start substituting for judgment. So trying to think about how it is that we can thoughtfully integrate all of the different elements that you would generate. So whether it's compliance inputs in the form of like a privacy scoring that indicates like you want to use vendor A over vendor B or you know, optimization process, you know, A over B or whatever the case may be, whether it's self regulation and the sort of certification that can come through that, which I think can be useful and like where compliance audits might sit in the realm, I think all of these tools are useful inputs and one of the sort of great advantages or the great promise of these agentic deployments is where some of these things might be technically or economically infeasible to implement in a human generated system if you have the compute to do it. You can add in, at least theoretically a ton more of these compliance guardrails. And then when you layer that on top of the structural guardrails that we are familiar with and quite used to block list, geographic targeting restrictions, audience curation, all the sorts of compliance things, you start to see, okay, we might be in a position where you'll have really a much safer and more effective like programmatic advertising environment.

B

I get all the words that you're using, but it seems like a lot of that stuff hasn't really been built and everybody is sort of building and hoping that those things like, you know, materialize. And then, and then there's sort of the second, this separate question of like, you know, at what point do we just sort of blow everything up and start a lot of these processes over again in energetic world versus you know, do we kind of rely on the existing frameworks to, to, to move forward when you know, some of those frameworks are rather flawed and at times filled with grift. And so it's like, I'd be curious if like, I'm not asking you to, to, to vote, but like it would be really helpful to get a sense of what your thought process is as you're trying to grapple with those types of concepts.

C

Yeah, let me sort of take some of the points you made there in turn. So absolutely, these things are not built yet. I'm speaking hypothetically for, I mean we're only, you know, a handful of weeks away from ever like launching the first campaign and we have not yet stood up. Sort of industry wide agentic flows across the board. But as I think of it as an analog to sort of the human systems that exist today, supplemented by sort of the machine learning optimizations, et cetera, I think that what I'm trying to get at is not to paint a utopian future, but to suggest that we have a tool set that would make it easier to deploy sort of a more compliant regime at scale. And when I think about this, I don't want to be Pollyanna ish about the future and thinking that, oh, this is going to all go perfectly. I was around during the earlier days of behavioral advertising when I think we can all agree it didn't go perfectly. But the difference now and today is the context in which we're operating. We have the gdpr, we have Cal privacy, we have a ton, a very active set of regulators around the world. We have active litigations around the world. You have NGOs and consumer rights groups that are pushing. So all of this context that all of our companies are operating in means that it's not the same as when we were trying to figure out simultaneously the technology and the legal liability and the harms and the advantages. And lawyers like you and me were, you know, trying to figure that out while also running these businesses and like learning these things. Like now we have the regulations in place, we know what, you know, users expect or at least sort of the paradigms that regulators expect. And so that will create sort of the necessary leverage. I think that will force businesses to grapple with this as they move forward. And because of the agent capabilities, you will have the tools to do that. If you don't, you know, you run the risk of incurring a lot of liability really, really quickly as you start moving at machine speed.

B

So I was going to ask a question about it regarding whether you were more worried about overregulation or underregulation. And I'm feeling like the answer is that, you know, we're already pretty heavily regulated, so under regulation probably is off the table. Is that a fair way to look at it?

C

Well, I mean, I think the regulation ties to what I think are the core harms. Again, you know, sort of my understanding and kind of where my head's at when I look at at specifically ad tech is that the agentic deployments that are currently being looked at across the table are taking the existing workflows and moving them into more efficient agentic channels. And so maybe this answer would change if we start sort of fundamentally changing what it means to serve an ad in this case. I think that like some additional regulation is probably inevitable as we start to feel through where the unexpected things, things, you know, I mean, to borrow Rumsfeldian structure, we have our known knowns, our known unknowns, our unknown unknowns.

B

And you had to bring him up, huh? All right.

C

And so as you, as you look at that, I think there is some regulation. But like, I'm not particularly worried about over or under regulation. The thing I'm worried about is fragmentation. The biggest sort of challenge of privacy compliance is not how difficult it is to comply with the GDPR or CAL Privacy or Connecticut or Colorado or Vietnam's data privacy law or what have you. The problem is that there are so many different ones. So the closer that we can get to a world where we have clear and hopefully consistent rules, the better outcome that the industry and all of the different compliance professionals, et cetera, will be able to drive for the public as it's, hey, this is what we need to drive towards sort of comprehensively.

B

So how is PubMatic thinking about privacy by design?

C

Yeah, I think it's interesting. No, it's a phrase that gets thrown around a bunch and I don't want to be a broken record here, but we tend to think about this in the same way that we think about privacy in general, which is like, hey, someday somebody's going to knock on our door and say, what did you do with this data? And why do you think it was okay for us to do that? So we involve PubMatic Legal sort of in the product and design phase generally quite early. Our most senior member of our legal team is a full time Product and Privacy Council. She works very closely with our product team, spend a ton of time in the product design phase, working cross functionally with sort of the engineering product legal folks, all kind of answering that core question, which is like, why? Why do we think it's okay? What's our basis for doing this? And where we have the answer to that question? We then move to the next question which is like, okay, well we're confident we can do it, but do we need to sort of standard data minimalization questions like is this the least invasive way to achieve the goal that we're getting to, even if we have the consent from the user or we have a legal basis that we're confident in to process the data? So that's kind of where for us privacy design stops being like a buzzword or a philosophy and moves into like an engineering constraint, like an actual thing that we are using to inform product or go to market decisions. And that doesn't really change if we think about agentic frameworks. Right. Whether it's us working through whiteboarding with a product or engineering team or thinking about it in the form of instructions to an agent. That's kind of where the same process is. Just the scrutiny has to intensify dramatically when we're looking at agent performance.

B

It's great to hear an ad tech company talk earnestly about data minimization. It really isn't within the larger cultural DNA now, you know, GDPR and then now Maryland and I've lost count of the number of, you know, U.S. state laws that specifically mandate data minimization. Those have sort of forced our hand a bit. But even still, that isn't really. Usually you're talking to a privacy person in ad tech for well over an hour before they kind of get around to data minimization. Maybe they're mired in consents or something. But it's so important.

C

Yeah, I mean look, we process an enormous amount of data, but our data retentions, you know, less than 25 days are, you know, we're not building interest based profiles like we, we are like as a business, the way that we are trying to optimize is like focusing on yield optimization and we think about targeting, using consistency into sort of audiences and optimizing around those, those elements of the ad tech stack that we feel we have. Again, we have a really good, strong legal basis to process the data. And then thinking about how it is that you want to make sure that you're honoring the user's wishes at whatever scale we can, I think that that is something that the broader industry is continuing to come around on.

B

Yeah, I would agree with that. So if you can sit down with the ftc, Cal Privacy, the ico, we'll throw the canil in there because I am heading to Paris soon. As you know, the IAB tech lab, you put all those entities in the same room and design the compliance framework for agentic advertising from scratch. What are the two or three non negotiables that you'd insist on?

C

Well, I mean I try and take as common sense of it like an approach this as I can. And by that what I mean is like I'm trying not to reinvent the wheels. I keep saying like to me that these really are tight analogs to like the human systems that exist. So I think about like where would the gaps be in a human system? So I think like the non negotiables I'd want to drive the industry towards as a whole is sort of accountability mapping around. Let's thinking through the framework of like where we should assign or think about where the liability would sit along with the deployer of the agent. So there's a clear understanding that everyone's going to be responsible for their own agentic deployments and making sure that they have the incentives to build sort of the compliance structures, the guardrails, all the sorts of elements in there, both on like sort of the data provenance and data privacy side, but also in sort of the economic execution, campaign structuring, et cetera, et cetera. I'd like to, you know, think about logging and decision provenance in terms of ensuring that all parties maintain records that we were detailing, the instructions passed between the agents, similar to how we would handle like iOS or you know, campaign media briefs and things in a standard human thing. The ideas that I sometimes hear bandied about that I don't think would work as well is sort of mandated human in the loop processes for every transaction. I think that like raises, you know, sort of questions about scale and what I always refer to as sort of donut holing. Something where rather than achieving the value of some new thing you're doing, you're now going to eliminate that value by mandating the human in the loop things while simultaneously taking the net new risk of having agentic deployments in some components, but mandating that you have to have a human there in ways that may or may not be more effective than just a tightly designed and well constrained agent deployment. Then I would also think about like sometimes I hear about like sort of pre approval or licensing of AI systems as a solution that I've heard before about. I think that that does freeze innovation. I think it'll favor large incumbents who can absorb regulatory costs associated with that sort of regulates tools rather than outcomes.

B

I was curious because it's very clear based on your answer that those types of discussions are taking place within Pubmatic. What I wanted to know is where within the broader industry are these compliance and regulatory and privacy discussions pertaining to agentic taking place?

C

Yeah, you know, I think it's an ongoing process because the technology is being developed. So a lot of folks, you know, are working hard on building the capability to like sort of just process the agent campaigns and things like that, sort of whether it's, you know, like an integration with like a chatgpt or a cloud or something, or whether it's just, you know, the internal ability to deploy the agent capabilities. So a lot of companies are sort of in that sort of embryonic stage of the development. And what you're seeing is as companies sort of move down their development cycle. I'm hearing from my counterparts as folks are trying to figure out how do we want to think about this. I was talking to the General Counsel of Scope 3 A couple of months ago as he was like, hey, how should we be thinking about how we want to handle sort of the accountability mapping? And he and I were working through some of these elements and how we think about it. And the framework that I've laid out here I think makes a lot of sense to people and mirrors again the processes that we see in the human system. So you're able to remove some of that and then we have to start pressure testing like where's that going to break? Or at least when it does break, how are we going to tell whose agent did what? How are we going to capture sort of that decision data and making sure that we can log it? And that's an ongoing question. Eventually that's going to, I'm sure, result in some sort of an industry standard, but we're having to work on that as we go through it.

B

Got it. It sounds like it's more one off conversations. I think what needs to happen, and I'm not here to say who needs to own it, but I think these discussions do need a home. Whether that's somewhere within ADCP or within the tech lab or the NAI or some other organization. It feels like we're now ready to at least start having these discussions, maybe a little bit more formally. We'll see. Yeah.

C

And I think they are happening. I mean, the truth is that this is moving at a pace that I've never seen before. And that means that like even just keeping up, you know, my team, I get overwhelmed just trying to keep up with our own technical deployments and ensuring these conversations are happening internally and engaging sort of across the industry as a separate work stream. So I don't, I certainly don't want to leave anyone with the impression these, these conversations aren't happening. I know that PMATIC actively participates in the tech lab, that you know, that we're engaged there on the technical side and you know, we, we certainly have representations on legal side. And I think you may hear from the folks across Tony and the folks across the tech lab that they are actively thinking about, engage in these issues as well. So I certainly don't want to leave the impression that I'm the only person on the planet trying to poke through

B

this, you're solving it for everybody. Andrew, no pressure, buddy.

C

I would say that my wife would tell you to be very afraid if I'm the only person solving anything.

B

So one last question on agentic. So five years from now, do you think the ad tech industry is going to have gotten agentic AI compliance right through some combination of regulation and self regulation, technical standards, et cetera, et cetera, or do you think we're more heading towards a reckoning that looks more like the early days of behavioral targeting? And it seems like inferring from the previous answers, you're probably thinking it's closer to the former than the latter. But I would love it if you expanded.

C

Yeah, I think that's right. I would say that I am cautiously optimistic that it's going to be closer to getting it right than it is going to be to a Wild west sort of situation here. I don't know what the future is going to look like. I'm constantly reminded of this. I saw this interview with Jeff Bezos once where somebody was like, oh, what do you think the future is going to be? And he's like, I, I don't know. And he's like, it's too noisy. And they were like, well, you're Jeff Bezos. How do you not know? And there was some. And he said something along the lines of like, what I do know is that Amazon's customers are going to want their products. They're going to want them, you know, as fast they can get them, as cheap as they can get them. And he said if we focus on those constraints, then like, the technology will take care of itself, the feature will take care of itself. Those things will always be true. And you know, there's a version of that that I use for sort of internally with legal that I kind of referenced earlier. But I think this is also going to matter as I think about like, what advertisers and what advertising is going to need. I think advertisers are going to want to put the right ad in front of the right user at the moment of purchaser intent. I think customers are going to continue to expect that their data is handled lawfully. I think those are like truths that are always going to be true. I think those are constants. So I think if you're building to those constants, I think that you're going to be well positioned. And I think for the industry as a whole, as you start thinking about like, where are we going to be in five years, I think that those, those are going to be Sort of the economic constants in terms of like, what advertisers want that's going to drive people towards building there. And unlike the earlier days of behavioral advertising, we now have the regulatory infrastructure already that gets to the heart of, like, what are consumers going to expect? Well, you know, we have the state privacy laws, we have the gdpr, we have an active ftc. Even if no legislature passes another law from today, you know, the existing legal regimes provide real structure around the core ways that advertising can cause harm. And so that's like a fundamentally different starting point than we were in the early 2000s. I also referenced this. But, like, this is like what genuinely and maybe ironically gives me confidence is like, this time around we have a lot more technology. And the sort of agentic technology itself is a compliance tool. So, like, we now have the ability and the impetus to deploy agents that will supplement compliance teams with the ability to audit decision and provenance at scale that we can monitor data flows, et cetera, et cetera. And when you think about an industry where legal and compliance professionals make up less than the like, 1% of head count, you suddenly are going to have the ability to like, force multiply those people at, at real scale so that you'll be able to, you know, focus on capturing the good things and trying to minimize those things that are going to create problems and liability.

B

So one more question. How are you and your team using AI? So we're going to release this in April of 2026. Like, where are you guys right now?

C

Yeah, I mean, this is a question that's near and dear to my heart. As the folks on my team will tell you, we are using AI as aggressively as we possibly can. I have like, many thoughts on this, but, like, at an operational level, our privacy team has worked with our engineering team. They've built a couple of internal agents. So we have one called a privacy escalation connector, which automatically scans technical escalation tickets and our JIRA system against, you know, sort of privacy cables, label matching tickets and structured Slack alerts, things like that. So we now have like extended, like automated refueling view of all of the JIRA tickets, which is the gateway for product to build something. So if they want to build something that creates ticket, which assigns engineering, et cetera, et cetera, we now have automated agents crawling those to look for the types of things that do need, you know, additional legal or compliance review to make sure that we're coming back to that question of like, what are we doing in the data? Why do we think we can do it making sure that we have sort of 100% coverage there and we're not dependent upon somebody recognizing and calling out these items for, for legal, which you know, I feel pretty good with. But now I have an additional tool that can increase the scale and sort of the, you know, the coverage that we have. We have a legal intelligence agent that's embedded within our PubMatic brain which is our internal enterprise level AI access which

B

allows what does that do.

C

So it's a knowledge base assistant. So for anyone at PubMatic who has a question they can quickly find and understand sort of our legal documentation. So our MSAs, DPAs platform, policies, privacy frameworks. So it's coming back to that question, trying to deliver answers as close to instantly as we can. It has hard guardrails built into it. So it interpret and summarizes our documentation, but doesn't provide novel legal advice, but it allows people to not have to, you know, two years ago they had to send me an email and wait until I get to it and respond. Now they can be like hey, is this permitted etc. Etc. And they can give you a quick answer. It's pretty conservative. So it's still generates plenty of work for my team, but that's there. Our entire legal team has an AI co pilot. We use a couple of different commercially available AI tools that help the team make sure they're expansive in sort of their development growth. And then we vibe coded a bunch of things internally on the legal team. So like we have a, we've built a small bot or an agent or whatever you want to call it, a tool that will go through and from a peer group that had identified pull like the publicly available 10Ks and 10Qs and automatically create comparisons of those documents to ours to make sure that you know, we're staying abreast of sort of where our competitors are thinking about in terms of disclosures, risk factors, all these sorts of fun things. We do the same thing with privacy and commercial, publicly available commercial documents. Making sure that like we understand how our competitors are explaining things to their clients, making sure we're staying there and then you know, we've got it some internal tools. I built a feedback tool that provides 360 degree feedback on a budgetary basis. So if you give somebody a five in one category, you got to give them a one somewhere else. Helping people identify areas they can grow in. I built a, an AI cash register to calculate hourly costs of meetings which has, you know, people's hourly costs. That sort of ticks up as the meeting goes to make sure people understand the costs of endless meetings and things, things like that. And that's part of just operational and practical things. But I think the real impact here is still to come. I've asked every member of my team to reimagine the very basis of what it means to be an attorney and the very basis of what it means to be an in house lawyer. There's this quote, it's probably buck full, but for Henry Ford where he said, if you ask my customers what they want, they'll want faster horses. But they don't, you know, they want a Model T, they want something new. And I tell them all the time, you know, I want faster horses and I want the Model T. Like the faster horses is like we're going to replace workflows, redundant workflows with AI tools, but we also need to sort of fundamentally shift what we are doing. Last year, maybe two years ago, I told them the truth. I asked my team, I said, you know, how many of you think you're going to be doing your job sort of fundamentally the same way 10 years from now? Now, 10 years ago the job was a lot similar, right? Word, documents, redlining, things like that. No one on my team thought they were going to be doing the same job 10 years from now. I asked them five years, three years and kind of no one thought they were. And so what I told them is like, I don't know how to lead you through a transition other than telling you the truth. And the truth is that your jobs are dead. That's the bad news. We're all on the clock, all of us. The ways that we did our jobs before, those jobs are dead. The good news is you never wanted to do this job anyways. None of you went, none of you, when you were six years old were playing at home pretending to redline a force majeure clause. None of you went to law school because you wanted to spend your days debating nested definitions. You went to law school because you wanted to solve problems. And sort of the promise and the threat of AI is that it's going to eat 80ish, 90ish percent of the work, the clerical stuff, the work that we do, the promise is now we can focus on the parts of our jobs that are actually why we came to do this. We can figure out the ways to go, help people solve problems, to be creative and approaching it. But that's going to require us all to think about what we're doing and deploying these tools in net new way We've got to identify our Model Ts, right? And like, that is going to be the opportunity, a generational opportunity to define, like, what we're going to do for the rest of our lives. And I think that's really exciting.

B

Well, I'm hoping to get my band back together, but I like everything that you just said and I can just say my world has changed pretty dramatically just in the last 12 to 18 months. Although I've done everything I can probably for the last five years to extricate myself from, you know, working on liability clauses or even DPAs as much as I can. Because as a solo practitioner, like, I want to be out there solving problems and I want somebody else to be, you know, doing the X's and O's of like working through a DSR process or, or working through contracts. Now, I don't always get to do exactly what I want in every single engagement, but that's sort of what I'm shooting for. And so the AI tool fantastic for that kinds of stuff.

C

Yeah. And, you know, I think it's like, you know, I don't, I don't want to get overly philosophical here, but like the magic, you know, the magic of what you do when you are able to like really solve a client's problem when you're able to like say, hey, you know, I'm a, I'm a lawyer, or I think this really applies sort of across the board. I've developed some skill in this thing and now here's a thing and I can really help you solve it. That magic, that's what makes you feel like, man, I really earned my check today. And, and like, the possibility here is that you're going to be able to get rid of all the wood chopping stuff that is like a drag and be able to focus on those things that are truly human. And like, one of the, one of the things I keep telling people is like, you know, there's something magical that happens, you know, between people. You know, when you, you expose something about yourself and then somebody agrees. You feel seen, you know, you, you tell them about something you had and somebody expresses an interest in it. They, they, they say, oh, I had that same thing happen to me. And, and like that feeling of connection is uniquely human and it comes from a place of risk, Right? The risk that they might not like you, they might not agree with you, but the AI tools are always going to, they're always going to like you. They're always programmed to like you. Right? And so like that part that Human connection, the ability to hear what your client is saying, maybe to hear what your client's not saying, and be able to figure out how to apply that. That's always going to exist, right? That kind of the value that you're going to be able to think about things in a different dimension in something that your LLMs, you're not going to get as an input into their model. And so the teams, the companies that can leverage all of the value and the efficiencies from what these incredible agentic tools can do, and then combine that with the uniquely human capability to interact with other humans, hear them, see them, deliver a solution to them, those companies are going to win. And I'm pretty dedicated to trying to make sure this is one of those.

B

That's a fantastic way to end this. Andrew. Where can people find you or do you want to be found?

C

Well, no, I want to be found. I'm right here at PubMatic 24 7, just waiting.

B

But,

C

but in between, in, in between my time at PubMatic, when I'm not, not chasing my three boys around, I'm, I'm, I'm on LinkedIn, my DMs are open. I'm happy to hear from people. I would love to. Anyone who's interested in any of these things. To your point earlier, we're trying to figure these things out sort of across the industry. Some of the ideas I've articulated here is where we're at now. I'm sure this is going to evolve. While my ego is almost unbounded, I don't think I'm the only person on the planet with good ideas. So I would love to hear. If people hear any of this and they think this is like crazy wrong. Love that. If they think that, hey, this is great, let's build on it in this way. I'd love to hear that and people can reach me there.

B

Well, fantastic. Andrew woods at Pubmatic. Thanks so much for coming on.

C

Thanks so much, Alan. So great.

B

That was Andrew woods, general counsel at PubMatic. A few things that jump out at me. First, Andrew's framing of agentic liability is really strong. His core argument is that agentic AI doesn't create new legal categories, it accelerates existing ones. And I mostly agree with that. But I also think that agentic will create new waves for digital media companies to delude themselves into thinking that their data flows fall outside of the regulatory rule set. I know that sounds like a kind of a cynical argument, but that doesn't mean it isn't true. And I've seen this happen time and time again. Andrew said that the party that deploys the agent owns the output, and that's certainly a clean principle. But where it gets complicated Andrew did acknowledge this, but it gets complicated when an agent starts autonomously optimizing towards outcomes that nobody explicitly directed. That's where logging and decision provenance stop being the nice to haves and become the foundation of any defensible compliance program. But also, I just don't think we can underestimate the ad tech community's ability to game the system. Just look at all the bad targeting data out there, or the number of companies in this space that collect data for one purpose and then turn around and use it for a different purpose. Second, and this is sort of related, I appreciate Andrew's honesty about where the industry actually is right now. These compliance frameworks for agentic advertising just aren't built yet. There are certainly discussions happening inside companies like PubMatic and one off calls between general counsels and to some degree within organizations like the IAB Tech Lab, but they haven't really coalesced yet into industry wide standards. Andrew is right that these standards will come, but while it seems like Andrew and his team run a fairly type ship over at PubMatic, they aren't the ones I'm concerned about. AdTech seems to have a never ending supply of gray area pirates, and it will be the actions of those pirates that are used as justification for a rule set that favors the larger players. Third, I appreciate Andrew's point about the fragmentation of various privacy laws. The hardest part of privacy compliance in adtech isn't understanding the GDPR or CAL Privacy or CCPA in isolation. It's the sheer number of overlapping, inconsistent regulatory regimes across jurisdictions. And now we're laying agentic AI on top of all that. The compliance surface area is expanding faster than most legal teams can track it. Which is precisely why Andrew's point about AI as a compliance force multiplier matters so much. Finally, Andrew's message to his own legal team that their jobs as currently defined are effectively over and that this is actually good news. That struck me as one of the more honest things I've heard a general counsel say publicly. The wood chopping work is going away now. That's great for Andrew and his team, and it's pretty good for me too. But it sort of sidesteps the fact that there are a lot of lawyers and privacy pros out there who just want to chop wood. We're clearly in a period of rapid change, and if you're listening to this discussion and take only one thing away. It's this. It's going to be a challenging next couple of years for many, particularly legal and privacy pros who just a few years ago thought that their jobs and their career paths were completely safe. There is just so much going on and if you're feeling like you're falling behind, please reach out for help. You can Find me on LinkedIn. You can also reach out to my friend Doug Miller, who does this professionally because he's a fantastic coach for privacy and regulatory professionals. We've got a bunch of other fantastic guests coming up on the Monopoly Report podcast over the next few weeks. I'll have journalist turned entrepreneur John Battelle on the podcast sometime in April. We are hitting a new gear here at the Monopoly Report as we head into the spring of 2026. Please subscribe to the show@monopolyreportpod.com or on Spotify, Apple, YouTube, or wherever you listen to your podcasts. And thanks for listening. Some Follow the Noise Bloomberg Follows the Money Whether it's the funds fueling AI

C

or crypto's trillion dollar swings, there's a

B

money side to every story. Get the money side of the story.

C

Subscribe now@bloomberg.com.