29 Building Trust Through Privacy and Security - Jodi Daniels Nov 3 2022

Erik Martinez: [00:00:00] Welcome to today's episode of the Digital Velocity Podcast. I'm Erik Martinez from Blue Tangerine.

Tim Curtis: And I'm Tim Curtis from CohereOne.

Erik Martinez: Today's guest is Jodi Daniels. Jodi is the founder and CEO of Red Clover Advisors, a boutique privacy consulting agency, and co-host of She Said Privacy/He Said Security podcast. Jodi is a national keynote speaker and co-author of Data Reimagined: Building Trust One Data Byte at a Time.

Jodi works with businesses to help them better understand and stay compliant with ever-changing regulations and [00:01:00] privacy impacts to marketing and much more. Jodi understands the challenges of building and managing a business or a brand, and when it comes to compliance, you don't know what you don't know. So she works to simplify privacy laws so that you can get back to doing what you love. Welcome to the show, Jodi.

Jodi Daniels: Well, thank you. I'm so excited to be here.

Erik Martinez: Yeah, we're excited to have you. It's not necessarily the funnest topic in the world for people, but it's an incredibly important topic in our society today.

Tim Curtis: One of the most important.

Erik Martinez: And the sea seems to be changing every single day. Jodi, before we get into the meat and potatoes, can you just tell us a little bit about your journey into privacy?

Jodi Daniels: Sure. So, I started my career as a CPA at Deloitte doing financial statement audits. A lot of that work was understanding a business from a financial standpoint. It has some interesting connections to where I am right now because now I'm understanding businesses from a privacy perspective. So, it's same processes, but [00:02:00] instead of financial controls, I focus on privacy.

And in between all of those multiple decades, I did some strategy work and marketing work, and the connection to privacy really came when I built a behaviorally targeted ad network at Autotrader.com. So, I stalked you for cars and served you cool ads when you left our site and checked the weather, and did other things.

That was when the online advertising industry really came together. They had formed the Digital Advertising Alliance to try and prevent government legislation. So, I kind of joke, it lasted 10 years before the legislation came, but that was my piece. My role was trying to figure out what is this new Digital Advertising Alliance thing and the AdChoices button.

From there, no one was really paying attention to privacy full-time in our company. I was looking for something new. I created the privacy role, built a privacy program, went to another large organization, was the digital privacy expert there, and then decided to open my own business to really be able to help [00:03:00] companies understand what these laws are, for companies who don't have anyone on their privacy team, or maybe they've one or two people, but they know that they have to solve for privacy. So, that's how I got here.

Tim Curtis: Tell us a little about your book. Is it T minus four days until your book comes out?

Jodi Daniels: It is, it's exciting. It's still kind of hard to believe. I have a book. I have to make sure I get the title right now.

Erik Martinez: It's a long title.

Jodi Daniels: It is. Well, you know, you have the title and then you have the subtitle but it's Data Reimagined: Building Trust One Byte at a Time. The idea is really, it's designed for a business professional who is not well versed in privacy and security, or maybe they are, but the rest of their team is not, or the people that they have to get budget from doesn't quite get it. It's for that person to understand why this matters so much. Why it's not just a regulation, but how it can build trust with your customers. How important protecting the data that you have is so [00:04:00] that you're not suffering from a data breach or some type of incident, which ultimately also leads to a loss of trust from your customers, from your employees.

So, we try and explain the basic principles of both the privacy side and security side, and we do it in a fun way. It's not a crazy technical read. It's actually fun with some interesting stories throughout to, again, to help the average business person understand why it's so important, with some tactical things and tactical steps that companies can take right away.

Erik Martinez: Maybe to give a little preview. What would one of those things be?

Jodi Daniels: So, my co-author is my husband, Justin Daniels. We do not work together. He is an attorney at a law firm called Baker Donelson. He jokes, he says, we should have a t-shirt that has, know your data because my big thing is, everyone needs to know your data. We have an entire chapter on data inventories, which talks all about [00:05:00] how to do that.

Why is understanding the data you have in a company so important and what can companies do to keep up with it? The CliffNotes version here is take stock. Let's just pick marketing. Understand the kinds of data that your marketing activities are going through. What kind of CRM do you have? Email service provider? Do you do customer surveys? Webinars, for example.

Those are probably different tools for each one of those activities. Do you download them to Google Drive, to Dropbox, to Excel? Do you share them with outside agencies? I just named four processes and it could go to dozens of places just from those four simple processes, and helping companies, understand you are responsible for every place it goes and every person who touches it.

This is a true story. We had a company and we helped them with their data. They had it in five CRMs because they didn't like the first couple, and certain people liked their own and they never moved from one platform to the other. You've now [00:06:00] just replicated your risk five times on both the privacy and security side.

So, there's actually cost benefit to figuring this out and realizing maybe you don't need five. At the same time, you're going to help understand what data you have. That's going to help you figure out what you actually have to do under privacy laws. That's going to help you figure out what you have to secure, and should you even be using it in the first place? What do customers expect?

Erik Martinez: It's very interesting that you say that. As I was reading through some of your material and prep for this conversation, it got me thinking about some of the things we do. I work in digital marketing, but I grew up in direct mail. One of the things in the direct mail is, in order to get a postcard or a flyer or a catalog out the door, you get this list of names and addresses that sometimes has email addresses. It has phone numbers, and a lot of times those are emailed across to a printer [00:07:00] who then takes that and processes it and gets it out the door, and I'm just sitting there going, I know the last time I did that was just a couple of days ago. I emailed a list, one of my clients' lists, to a data processor to do their piece of it, and none of it's secure.

It's a really interesting point. So, one of the things I know you like to talk about is what do marketers need to know about privacy. What are those key critical components? I know that in your book and in some of the conversations I've heard on your podcast and things, you guys talk about trust a lot.

Jodi Daniels: We do.

Erik Martinez: Can you talk about those two elements? What do marketers need to know and how does that relate to trust?

Jodi Daniels: Absolutely. Well, there's a variety of different places it shows up. So, actually, let's use the example that you just mentioned with direct marketing. So, if I go to the website, I believe that no one might know who I am. I'm an average person. I go to the site I'm browsing, and then [00:08:00] interestingly, I get in the mail, a catalog or a coupon or flyer that says 40% off the thing that I was just looking at. That is now what is starting to happen from a marketing standpoint.

I wasn't logged in, I wasn't a current customer, and somehow there's been a connection between my online activity and my offline activity. For some people, they don't like that. They felt like that's an invasion. I just went online. I thought I was on my own, and now you're connecting my online and offline activities. The story I often like to say is, imagine someone left behind you all day and they noted what kind of car you had, and what you had at the coffee house, and then where you went to work, and what you ordered to eat, and what you bought on your mobile phone, and what you listened to, and you can keep taking that story.

Well, at the second place, you'd probably turn around and tell that person to stop taking notes and go away and you're stalking, but that's exactly what happens online. What marketers need to understand is people don't like that in the [00:09:00] offline world and they don't really like it in the online world. Now, people do want personalized information. So, how can you give them the personalized information in a way that they expect? The more data that you can get from me, the more I'm going to give you that's accurate if I trust you.

How many people have filled in their size, their kids, their family, their pets, their income, their cars, their whatever questions, to try and get to know them better, wrong? A lot of people. Why? Because I don't know who you are and you're gonna use the data in some way that I don't trust. But we actually want that data so that I can better serve you a relevant message.

If we establish that trust at the beginning. How can we do that? Well, let's use language. Let's explain why I want to use this information and how I won't use the information. Let's let that person understand, if you give this to me, I will give you better materials. You get something valuable for it. That's some of the ways that you can [00:10:00] start to continue to build that trust.

Some of the others is where you have multiple brands. If I signed up for Brand A and I'm starting to get information on Brand B. Okay, well, maybe if I knew that that happened. I know that Old Navy and Gap are connected. That's reasonable to me, but we have a lot of brands that it's not so reasonable. Or how much? Are you sharing all of my activity together, all of my habits? Those are pieces that I'm not trusting what is happening here.

So, for me, marketers need to understand what their customers want, who their demographic is, what's valuable to them, and it differs a little bit on the kind of thing that you're selling. If it's health or financial or an IoT device. That's really different potentially that I'm selling you a shirt. How big your company is and where you are in the world also will impact what the people are thinking.

If I could leave a marketer with anything, it would be to know your data and be transparent, and honestly, that's the whole point of all these privacy laws. We have a whole bunch of laws 'cause a bunch of people didn't do what they were [00:11:00] supposed to. They used data in bad ways. Now there's a bunch of rules. So, you say what you do in a privacy notice. That's the fancy version of how I'm transparent. The short version is language on the page to help me make sure that I feel comfortable to give you that information and then know what data you're using and collecting and make sure you actually need it.

Tim Curtis: And give the option to decline.

Jodi Daniels: Give me my options. Exactly. That's the third privacy principle is really about choices. Let me have choices. Let me decide, I don't want that message anymore. I'm sure everyone here has received an email they have never heard of from the person and on the third email, when you get the do you hate me and why are you ignoring me, or they just schedule a meeting. No, where's my control here about what's going to happen to me?

People want to make those choices. I think that's the other piece that can establish trust and actually keep people in the environment is choices and preferences. Maybe I don't want to hear [00:12:00] everything about your brand. I want to hear just the slice that's relevant for me. Do you give me that choice? Otherwise, I might just unsubscribe from everything 'cause I'm mad at you.

Tim Curtis: Which does happen. I think when we're talking about those mistakes that marketers make. I think, if you look historically at the process, you know, yes. Have there been laws on the books? There have been laws on the books, but there have also been sort of a gray space in which people operated or they claim to operate.

Brands that weren't paying enough attention to the details, weren't disclosing, Hey, this is how we're using the data that you provide to us. They weren't doing it in a common language so that people could understand. If they used it, they hid it within a much larger context of pages and pages of legalese that yes, they're clicking consent, but they don't understand.

So, you've honored the letter of the law, but you've not honored their spirit of the law. So, it feels to me that that's where marketers, I mean I work with a bunch of them, but that's where marketers have sort of historically missed the [00:13:00] boat, is they've not opted to covering what I would call is just the basic, are you honoring the letter and the spirit? If you honor the letter and the spirit, you're gonna be in a much better place. Am I crazy? Is that what you're seeing too?

Jodi Daniels: Yeah. No, you're not crazy. I came back from speaking at a conference recently and was with a variety of marketers, and it was really fascinating because one, I was so excited to have so many people interested in privacy. I just had like a celebration, and the other was also, how many people still believed, we were talking about targeted advertising, the ability to opt-out, the need to opt-in certain jurisdictions, and the philosophy is, well, but it's just targeted ads. I mean, it's just ads.

Because those marketers understand the ecosystem, they want the personalized ads. The piece that's missing from that is it's a massive ecosystem. It's not just Company and Technology A to Technology B to deliver that ad. It's hundreds of companies in between who are collecting all that information. Remember my [00:14:00] stalking story? They'd be collecting all that information and selling it to all different kinds of people.

So, now you have information that's getting created into other profiles that's being used for other purposes, and that's not what Jodi, who went to Site A, expected. I went to Site A to browse, not for you to manage every single click that I had. Not just for your own benefits so you figured out, I really like red things over blue things, but that other people now are figuring out oh, I like red things in blue things.

So, all that information is being used in a way that's not consistent with the user's expectations. That creates a loss of trust, and the rules are here now to try and put in place that specificity of the law, but again, you have to go with the spirit. It's not trying to hide, and I always advise companies, what do your customers expect? Are they going to expect this? Would that be okay with them? I hope that when people start to really put the customer [00:15:00] first, they'll realize that the marketing activities that they're doing will yield better results.

Tim Curtis: Yeah. Like you, I'm pulled into a lot of privacy conversations. I go speak on it and brought into a lot of client board rooms, both virtually and in-person, to discuss privacy issues. What's really interesting is that some of the misconceptions around privacy, you have some brands, and there's more than you would believe, are actually shutting down marketing because they're so fearful of the law, and they're not understanding that when you put the right structures in place, structures again, and language that honor, again, the letter and the intent of the law, that you can operate within the law and still be successful and profitable. Fear, or an overarching concern about unintended consequences of the laws, are really preventing them. So, what's your encouragement to people who are shutting down and putting themselves in a perilous position because they're so fearful of it?

Jodi Daniels: Yeah, I never like to hear when businesses are [00:16:00] turning off regions or changing or not doing certain things that very well might be fully capable if they had a privacy strategy. To me, it's no different than any other marketing activity. You need a strategy first. You need to understand what are these privacy laws and what does that mean for you, the company.

With that, then you can work towards the tactics. Do you have to have consent first? Okay, get consent. Do you not need consent and you're able to collect, maybe you collected 20 data points before. Now you can collect five. Okay. Those five still might be really valuable. Let's figure out what you might need to do to get the other 15 if those were super valuable.

So, there's a lot that you can still do. It wasn't designed to shut down marketing. It was designed to change how marketing was done so that it is a customer-first approach as opposed to a company-first approach, and that's the difference. Now, that is a big shift and like all change, that's why there's an [00:17:00] entire profession of change management people because people don't like to change. It's just one more evolution.

I bet if marketers went back and you look at the evolution from radio to tv, or I guess we had newspapers, right? So, newspapers to radio to TV to online, all of that was a big change. You had lots of people who didn't want to do that. We're still here with that privacy piece. So, there's no need to completely shut it down without really having reviewed what the activity is in the lens of privacy. A lot of times there's a way to work through, and still be able to accomplish the goals that the organization was trying to do.

Tim Curtis: Within that, you have to expect, and while you can operate within the law, you have to expect that the way in which you operate and things that you have traditionally done will change as a result of an industry that is being put in a position to basically act [00:18:00] better and to align with expectations that consumers have.

I'll give you an example. We had a guest on a previous episode and we talked about the impact of privacy and the Apple intelligent tracking prevention and shutting down the cookies and how it moved Facebook from a targeting tool to no longer a targeting tool, but now a branding tool. That has a huge, massive impact on businesses.

There are entire businesses out there, tens of thousands of them, that built their business on Facebook advertising. As a result of the changes in privacy, that era has ended. The wild west that so many advertisers enjoyed is gone, and we're now in a place where there's a sheriff in town now, and so we're having to change our behaviors. But yeah, we're doing things to help bring some of that under control, and rightly so, but you have to be prepared to operate in a different paradigm.

Jodi Daniels: That is absolutely true. You have [00:19:00] technologies that are changing the way things are happening. One could argue the reason behind why Apple did that. We're not gonna do that today, but if you go back to the concept of trying to put the customer first, that's really a big part of that change. The ability for me to opt-in, that's giving me the control. The ability for me to have those settings, that's again, the user having the control.

At the end, what are marketers trying to do? Marketers are trying to get people to buy stuff. So, the goal is to get the message in front of the right people, and so while we had Facebook advertising and maybe it was the right people, there were a whole bunch of bots. There were a whole bunch of other things that were not right with it.

For every marketer that was a part of that. All their data as an individual is out all over the place. Some people don't care, but they might care when they really understand where all of that data [00:20:00] is. So, that you have obviously this entire kind of advertising piece and the targeted ads and all the ad tech that makes this all up, but even just old fashion to email strategy with a privacy lens will hopefully move people more towards preference centers.

Actually, if you have a smaller list with the right people on the list, my open rates might be higher. Which means more email might get delivered. My open rates are gonna be higher, which means I'm gonna have more people interested in the actual item and convert, or continue to remember the brand and over time be able to refer or convert.

So, we have this ad tech piece, but we also have all the other forms of marketing. We have on the website. How are we asking people for information? That's marketing. I even see privacy listed now as a feature, especially in technology. It'll say, here's all the great solutions, you know, all the great features and how we're gonna solve every problem, and [00:21:00] also, here's our privacy and security measures. It's a feature that's happening.

Erik Martinez: Just pivoting a little bit to the technology side of this. I work with a fair number of companies that have what I would like to describe as ancient systems connected to newer systems, which are connected to even newer systems, and none of them except maybe the most recent platforms, have some of these tools and controls. So, how would you advise businesses to deal with that particular issue? Because I may have a legacy ERP that dates itself back to the 1980s, and I have web technology that maybe is 5, 6, 7 years old. How do we start bringing some of these things together?

Jodi Daniels: Well, for the really old ERP system, it might be time to start your internal budgeting campaign because the reality is you might not be [00:22:00] able to fully stay on some of those legacy systems as long as you want to. Or the other option is going to be finding some of the privacy technologies that can sit on top or kind of in between to be able to help facilitate some of the needs. Or you're going to have a lot of manual activities, which means you'll have more people that we'll have to do them.

Let's take an individual rights request. Hopefully, people know what that is, but under all these different privacy laws, there's options. We've been talking about choices. Well, some of those could be the right to delete, the right to access, the right to restrict processing, the right to opt-out.

So, if Jodi comes along and I don't like your brand. So, you've sent me content. I'm mad at you. Something has happened. That's when people are gonna exercise their rights. They're mad. Something didn't happen that was favorable to them. So, I come along and I say, I want you to delete my information. You have to know where all that data is.

Remember earlier I said, you really need to know your data? You really need to know your data. [00:23:00] Where is it? If it's in that legacy ERP system, do I know how to get it out of there? I have to be able to hit the delete key. If you can't hit the delete key, you actually can't comply with the law. There are tools in between that can help facilitate that request. So, Jodi makes the request. It looks automated and fancy with software in the beginning, and now you have a big manual effort behind that to actually go and find and hit the delete key.

Other times, there are technologies that can maybe the system is able to handle API calls. I've seen automation with Jira and ServiceNow and Zendesk and some like interesting kind of Band-Aid solutions to try and be able to reach out to some of those legacy systems kind of until they can create the right strategy and bring in honestly a more modern version.

That's some of the ways that I've seen people be able to tackle it because again, I have to be able to honor those rights in this particular situation. Or if Jodi's in the EU or Canada and I have to opt into the email, you have to figure out how you can capture that [00:24:00] consent. The burden of proof is on you, the company, not me, the person. So, whatever API spaghetti way of getting that consent is going to need to happen.

Erik Martinez: Yeah, it's interesting that you say that 'cause was working with a client just a couple weeks ago and a delete request came across. They have a fairly ancient ERP system, so this is a real scenario. The IT department has done a pretty good job of scripting out a process for removing the PII, removing phone numbers, removing email addresses, names, and addresses. You know, making it the company address so that everybody knows this was a delete request.

Then they said, Hey, we just got this delete request. Do we need to do anything else? I'm like, Okay, well, what about your email marketing platform? What about the text messaging platform? Just like you said, know where your data is. There are five or six external systems that are [00:25:00] not connected in any way, shape, or form to each other. Somebody had to manually go through, find that information, and scrub it, so to speak. So, it is a real issue, but it can be done. It just depends on how automated you can make it. If it's a more modern system or more manual when you get older.

Changing tracks. Again I got a question. I had a client come to me. They do some business with a really large data processor in the country. The data processor was doing a compliance review of their policies and said, Hey, you guys need to update your privacy policy on your website. They said You are not naming us in your privacy policy. I, as a marketer and a business person, have a question here.

If I have a data sharing agreement with another company, that company is doing some processing to provide a service. They're now telling me, Hey, you need to tell [00:26:00] everybody in the world that we are now the ones handling the processing. I kind of have an issue with that. Not that I don't want to tell the individual customer. If the customer calls and says, Hey, what are you doing with the data? No problem. They reach out, gonna share that information to the best of our ability. What's your stance on all of a sudden my marketing ecosystem partners, my tech stack to a certain extent, are now requiring me to tell everybody about my tech stack? I don't necessarily want my competitors to know what my tech stack is.

Jodi Daniels: Well, for companies that are processors, it's a requirement to actually have a subprocessor list that says, Here are all the subprocessors. So, if you're a processor, that is something that would need to take place. The large social media giants, the large analytics companies, all have for years demanded in their terms that they are listed with their particular opt-outs. [00:27:00] I have seen a couple other large players in the ad tech ecosystem also require that they are listed.

I actually just talked to a company the other day about their privacy policy and they said yes, we had to update it because we had to comply with one of their partners. That was a requirement for them. You will start to see some more of those requirements, I think. We don't wanna use names here. It kind of depends on the specific situation and the role that player is in what their involvement is in this situation to determine if they could demand to have that stated or not.

If you think about the idea of a privacy notice isn't to have hundreds of companies listed, 'cause that's not meaningful, again for the end customer. Let's think of our customer. It's not meaningful, but we do need to have the right disclosures so that I understand what is actually happening and I can process my opt-outs. So, if it would have to go through you [00:28:00] to go to them, that's a potential. I the customer just need to make sure that I can easily opt-out of that processing. Without knowing all of the fine details, kind of the best answer that I can offer. I hate to go with the it depends. It's a little bit of it depends. For anyone listening, the processors are required to have a subprocessor list under GDPR.

Erik Martinez: In this particular case, it's a retailer sharing data with a data processor who makes money on processing that information. I understand it's evolving. You know, as a marketer, I'm concerned that, you know, if I put out my tech stack, my competitors know exactly who I'm working with. Oh, they may know in 50% of the cases anyways, but they may not know exactly what our little secret sauce is. So, there's a balance there, I feel, between protecting the consumer, which is absolutely a priority, and maintaining some control over the processes that you use or the ecosystem that you're [00:29:00] using to accomplish whatever you're trying to accomplish as a business.

Jodi Daniels: That is an incredibly fair point. If you know any of the other customers that this particular company works with, you could always go and see how have they handled that request, and then you might know if that's a negotiation point or not. There is a movement towards transparency. At the same time, you have company proprietary processes and that's where privacy, the business, and legal all have to meet together to figure out what the right path is.

Tim Curtis: That has not been worked out yet. Some of the methodology that is employed actually becomes intellectual property and is therefore protected under IP laws, and so what you have is you have IP laws and privacy laws, which are cruising towards a confrontation, and so part of, I think, what has to happen is you have to consider, as a business owner, changing your process in order to better [00:30:00] align a privacy, but also to set yourself up better to protect the areas that are confidential, that in disclosure, would not necessarily have an impact on a consumer.

It's really not meaningful to a consumer, but it could be very meaningful to a competitor or someone in this space. We have done some of that ourselves, and have taken painstaking steps over the years to really make sure that we position ourselves to be above any of the privacy concerns that have existed, but to just full transparency all the way through, and I think that's where the management sort of aspect comes in where you have to really examine. It's going to be interesting when we get some of the first case law in terms of what's gonna take precedent those two, IP and privacy.

Erik Martinez: Well, let's segue right into laws. We're now up to five states, if I'm recalling correctly, that have laws on the books [00:31:00] or about to be enacted.

Jodi Daniels: Five by the end of 2023.

Erik Martinez: Who are those states? Everybody knows about California and CCPA, right, and now there's CPRA coming and that's an expansion or clarification maybe of some of the stuff that came out in CCPA, but I know Colorado and Connecticut and a few other states.

What are the key differences that you're seeing between these various state laws? Because I think those are the areas that start making us, the marketing community, really nervous, right? How do we stay in compliance with this and stay in compliance with that when there's differences between all these laws?

Jodi Daniels: Well, it is going to be complex. That's just the first thing. Let's talk about what some of those are. So, CCPA is the current California Consumer Privacy Act, and it's basically an amendment, which is CPRA, that is making it an update, an upgrade, if you will, and that will be effective in [00:32:00] January. It will make it closer to GDPR. It's still not an opt-in kind of philosophy. So, if we think about some of the marketing pieces, but it has a lot more stringent situations. Then we have Virginia that's coming in January, as well, of 2023. Colorado and Connecticut in July, and Utah by the end of the year. So, let's talk about some of the differences and similarities.

California is very focused on the sale and sharing of data to third parties. We just had the first CCPA enforcement action, which is Sephora for $1.2 million. Any marketer listening that uses ad technology, like that targeted advertising that we had an entire discussion on, and using third-party analytics. Under CCPA, ad tech equals sale of data. That is the interpretation. That is what the first CCPA enforcement action has told us. You might not agree and that's fine, but the Attorney General doesn't agree with you and [00:33:00] you will be fined.

So, the very first thing to understand is that is the only law that has that big of a focus on the ad tech part specific to sale and sharing of data, and there's a long list of things that you have to do. All the states talk about sale of data, but like the full, I've actually sold data. So, anyone here who actually takes their list and sells it to other people, that will affect you. Anyone here who buys data, it could affect you downstream because your list could get smaller over time as people figure this out and opt-out.

Virginia really cares about opt-out of targeted advertising, so they really have a big focus on that. Many of the states, so California, Virginia, Colorado, kind of signaled that they all want global privacy control. So, anyone listening who's not familiar with global privacy control now is a really good time to go learn a little bit more about that and identify a plan because the first enforcement action, CCPA also called Sephora out for not complying [00:34:00] with global privacy control, and the other states have all indicated we want a universal opt-out signal. They're all kind of leaning towards what California's gonna do. They haven't finalized everything, but they're kind of leaning to what California will do.

The other common theme is around business purpose. You want to collect my data. You want to do what with it? So, do you actually need all of my data, or do you just need some of my data? If you just need some of my data, then you shouldn't collect all that you want to because you have to have a business purpose. This is kind of akin to GDPR's philosophy of a legal basis, but we don't have six legal bases here. We just have a business purpose. Again, going back to know your data and that data inventory.

The other really big theme is sensitive data, and this is where it differs a little. So, you have sensitive information, which a lot of people listening might think [00:35:00] that's health and financial data, and that is true in California, but the definition of special category data in the EU, which was race, religion, philosophical, health information, biometric information, all of that is considered sensitive data now under almost all of the states here.

Precise geolocation is also considered a sensitive data field, and the Federal Trade Commission has indicated that precise geolocation is also a sensitive data field, but what makes this a little bit more complex is the states differ in how that's treated. Some states are opt-in and some states are opt-out. So, most companies are going to pick the most conservative and probably just picked opt-in for everyone, which would make sense because again, the Federal Trade Commission believes precise to your location, as does Apple and other platforms, believe that It should be opt-in. So those are some of the differences.

The idea of individual rights is [00:36:00] consistent across all of them, but they don't perfectly line up. They're all a little bit different. We have lots of charts when we do privacy assessments and reviews and audits for companies, and when we show people these charts, they're all like, aah, this is totally different. They're all a little bit unique.

The last piece that California specializes in, which is different, is financial incentives and loyalty programs. If you offer 10% off, that's a financial incentive and you need to make sure you have it properly disclosed and captured, and if you do some kind of loyalty program, California also has a bunch of specific rules around that. So, California is still the leader. Virginia's considered a little bit more of a business-friendly state. Colorado includes nonprofits. California includes B2B and employees. Connecticut's kind of following Colorado and a little bit of Virginia, and by the time you get to Utah, if you did all four other states, you should be in a pretty decent place.

Tim Curtis: Should cover the [00:37:00] waterfront there.

Jodi Daniels: It should.

Tim Curtis: I remember when GDPR first came out, the concept of data minimalization was one that was sort of new in terms of concepts here in the States. That to me was something that took a little bit of a mindset shift for folks, and you know, what information do you need, and you see on a lot of these sites now, you see all cookies, basic cookies, or some other terminology of the cookie language. So, it allows for functionality, but it cuts down on some of the other tracking that sort of gets into a little bit more concerning.

So, it's a really good point, and I think we're watching GDPR and I know I've got European ties and we do a lot of business in Europe with European companies, and we certainly get a flavor of what GDPR has done, where they've missed the mark, and where they're looking at possibly doing some amendments because there have been, as with any law, there's unintended consequences that really weren't foreseen.

Jodi Daniels: Yep, and now if I think about some of the data minimization and data purpose, lots of companies want to collect birthdate. [00:38:00] So, do you collect the birthdate right away? Some of my fun stories as I've gone to many coffee shops paid with a certain payment provider. I'll let them remain nameless, and the very first email sequence I get is, Hi, can we have your birthday? Like, within an hour, within a day. It's the very first email, multiple situations. You haven't earned my trust for me to give you my birthday. I need to warm up a little bit, but if I am gonna give you my birthday, do you want the month? Do you want the month and day? Do you need the whole year? Do you really need to know how old I am so you can just give me my free coffee?

Tim Curtis: Exactly.

Jodi Daniels: Those are the kinds of things that people need to think about. Am I gonna give you accurate data? Maybe not 'cause I don't trust you. How have we warmed up here? What was the right cadence? When should you have sent me that message? What is the actual data you really need to accomplish what you're trying to accomplish? You're just trying to get a little bit of information about me and get me to come in and get more coffee and buy more stuff and be happy with you, you don't necessarily need my age. Some people might say, No, I need the age, so I have the demographic. I'd argue, do you [00:39:00] really need that information? Like, how important is that gonna be? That is that balance between trust and data and what you really need to have.

Erik Martinez: Totally makes sense. So, getting close to our time here, just a couple more questions. Pivoting to kind of roles in an organization. What roles in the organization should be responsible for privacy? And I know this probably spreads out across multiple departments, but in your experience, is it more effective to have a chief privacy person within the organization, and at what size organization should you have that role?

Jodi Daniels: A mature privacy program is going to have a privacy leader. That privacy leader can certainly be a chief title. In terms of the right size company, it's probably where privacy issues are showing up every day. The company has a lot of data. They have a high volume of data subject access requests, or those privacy rights requests. [00:40:00] They have a lot of different vendors and different campaigns, different products. There's enough for a full-time person to be doing, and that's when they likely need someone dedicated. At the same time, if the direction of the company is very data heavy, then you need to make sure that you have someone who is paying attention to it at a full-time basis.

Every company should have someone paying attention to privacy. If it's a part-time person, okay. If you outsource that, we are the fractional privacy team for a number of companies. Even when we are that fractional team, I still have a center point for someone in the company who owns it. That really is whoever believes in privacy. Sometimes it shows up in marketing, in compliance, in the C-suite. It's kind of whoever has the passion for this as an important business initiative, and that's who tends to own it.

What I really believe, and you'll see more of, is this idea of privacy champions, privacy storytellers, someone who's going to be able to explain [00:41:00] why privacy is so important, because not everyone understands it yet. We have to keep telling the stories, keep telling the wins, explain how it impacts their job in a way that will resonate with them so that they'll accept that privacy piece.

The other piece that I would say, and it actually ties back Erik, to your question of the differences in the laws around this thing called privacy impact assessments. Think of it as a fancy word for asking privacy-related questions when you run a new marketing campaign. Are you collecting precise geolocation? Are you collecting my full birthdate, for example? Or no, you're just collecting my name. Maybe just my email. It's a new vendor. All those kinds of questions.

Those are required under the different state laws and in Virginia, for example, required for targeted advertising. Which will be new, I think, for many marketers. So, marketers have to understand that. They have to know they have to be able to fill it out to work with whoever is going to be reviewing that [00:42:00] information and the person reviewing should be the person who's responsible for privacy. Who's the one keeping up with all the laws? Which is a lot. They keep changing all the time, and who's going to be that person? It's again, whoever is gonna own and feels a sense of responsibility to privacy. Even if it's outsourced, someone still has to be the internal conduit to making that work.

Erik Martinez: Sure. That totally makes sense.

Tim Curtis: Can't ever fully step away from it. Period.

Jodi Daniels: You cannot fully step away from it. No. You can outsource the operational tactics and the strategy, but someone still has to be the linchpin to explain it to the executive team and to the other team members of, here's what this means for you.

Erik Martinez: Well, Jodi, thank you so much for your time and the information. I think we could probably keep talking about this ad nauseam. It is a fascinating subject 'cause it's an evolving profession and experience for all of our target audience. So, this has been a lot of fun. [00:43:00] Any last thoughts or advice that you'd like to leave our audience today?

Jodi Daniels: Sure. You mentioned privacy. It's growing. It's a really fascinating topic. It affects all of us personally. Every single time we buy something, we get in our car with hundreds of data points collecting information. Any IoT, anything. Any wifi, anything. Data's being collected everywhere. So, I mentioned multiple times, think from the lens of a customer. I would invite you to think of the lens as yourself in your role. How would you feel with this activity? Then do the grandma test. How would grandma feel in that situation? From there you can layer on the tactics from privacy laws.

Right now there's still an opportunity for companies to be ahead of the competition and make it a competitive edge. Pretty soon it's going to be an expectation from everybody regardless of the law. Like, Jodi in Georgia, who has no privacy law covering me. [00:44:00] There's gonna be lots of me’s who expect it 'cause they don't know the difference. They see it for other companies, they're gonna expect it here. So, there's an advantage, there's an opportunity, and then we're gonna move to the expectation side and why not get started now, so that your company is prepared and has a strong foundation to keep going forward?

Tim Curtis: Making it an advantage. Absolutely. Well, thanks again for coming on today. For those of you listening, be sure to check out her book because, by the time this comes out, it will have just released. It is Data Reimagined: Building Trust One Data Byte at a Time. So again, use that as a competitive advantage. Learn about this subject, be prepared, and you'll find yourself in a good position. Thanks again, Jodi. My name is Tim Curtis from Cohere One.

Erik Martinez: And I'm Erik Martinez from Blue Tangerine.