Hello, I am Debra J. Farber. Welcome to The Shifting Privacy Left Podcast, where we talk about embedding privacy-by-design and default into the engineering function to prevent privacy harms to humans...and to prevent dystopia. Each week we'll bring you unique discussions with global privacy technologists and innovators working at the bleeding edge of privacy, research and emerging technologies, standards, business models and ecosystems.
On today's episode, we welcome Roy Smith, CEO and founder of Privacycheq, a privacy tech company that develops privacy-enhancing technologies (PETs) for mobile and web. And those PETs are used by publishers and manufacturers worldwide to comply with regulations that require people to have full understanding of and control over their personal data. Roy is an engineer turned privacy tech executive. He's got over 35 years of experience bringing new technologies to
market. He's also an audiophile and is an audio engineer on the side, and plays guitar. He's had his finger on the pulse of the ad tech space for close to a decade. And, I also want to disclose to our listeners that I've been working with Roy in his company for over a year as a member of Privacycheq's Advisory Board. In this episode, we discuss the myth that cookie banners are all your company needs to deploy for compliance with modern privacy
and data protection laws. We also talk about the tsunami of privacy regulation related to ad tech and the web and the problem of "consent fragmentation." We'll dive deeper into the W3C's new proposed Global Privacy Control specification (or "GPC") and how GPC lets users signal their desired privacy levels
just by browsing the web. And lastly, Roy shares his point of view regarding web privacy, and whether GPC is sufficient for signaling privacy preferences, the benefits to the ad tech industry, and some potential drawbacks. Enjoy the episode. Hi, Roy, welcome.
Thanks for having me.
Why don't you give us a quick background intro and discuss a little bit about why you founded Privacycheq.
Okay, I'm a lifetime entrepreneur. I'm not a privacy person. I got my start writing code for the IBM PC back in 1981, when it was introduced. So, I have gray hair, I've seen a lot of ups and downs in the tech biz. I started Privacycheq after I sold my last company in 2013. Because I was aware of a law in the U.S. called COPPA, which is the Children's Online Privacy Protection Act. And, I knew a lot about mobile games.
And I knew that they were doing a lot of stuff with privacy that was going to put them in the bullseye of the FTC with the COPPA law. So, we wanted to create a tool and sell it to game publishers, that would make it easier for them to comply with the COPPA law, which has a lot of complexity and back and forth. You have to identify the parent. The parent has to approve what's going to happen with the kid's privacy. It's the kind of thing that game publishers absolutely do not
want to do. And, so I saw an opportunity to create this tool. We built that. And sadly, for us, the FTC didn't really enforce COPPA. But fortunately for us, GDPR came along, and then CCPA came along, and now the entire world wants to get consent to use private data before it is used. And, the tool that we built has quite a few use cases. So it's sort of like the classic startup thing where you start out trying to do "A," but through the course of time, you end up doing "B," and end up
at "C." Yeah.
And then the regulatory framework has changed over time as well, or at least the appetite by organizations to want a regulatory framework to set the rules, it seems. Do you want to unpack a little bit about what's happened? I guess over the years that you've been in charge of Privacycheq, because it's been, what, 7 years now?
Yeah, 7 or 8 years since 2013. So what has really happened is it's great to pass these privacy laws, and everybody who's a politician enjoys issuing press releases about how great they are; but, actually enforcing the privacy laws is a whole different story. The Federal Trade Commission essentially went to sleep after COPPA was revised in 2014 - didn't really do much in the way
of enforcement. We believe they did that because they were afraid of if they really went after, you know, a Facebook or a Microsoft or a big publisher, that they would lose - which in the world of the FTC that would be the worst possible thing. So rather than actually pursue any enforcements, you know, they did a few little ones here and there against companies they knew would not protest and the same thing has happened with GDPR. You know, it was announced in 2016, to go into force in 2018.
Everybody had 2 years to get their stuff ready, including the regulators, but GDPR went into force in 2018 and nothing happened. No enforcement really happened until 2021, just 3 years later, and we kind of saw the same thing with CCPA, which went into force in 2000. The first enforcement of CCPA that really got people's attention just happened a couple months ago - was Sephora. That's part of what we're talking about today. So, the general attitude has been, yeah, easy to pass privacy laws and let them sit out there and float - hard to enforce them. But eventually, they are beginning to be enforced. And so, we in our business kind of refer to this as a tsunami of privacy regulation that's coming ashore all over the world.
Oh, I really liked that. That really helps crystallize the challenge, I think, with a great analogy for people to wrap their heads around the concept. And so let's unpack the tsunami a little bit. There's been so much discussion over the years, ever since we've had the web, about privacy and cookies and tracking. It seems almost like there's been some ad tech market misinformation. Do you have thoughts on that?
Well, yeah, I mean, the digital ad networks...the advertising business used to be what they would call "spray and pray," you know. I buy a bunch of ads on billboards. I don't know which ads are actually working. I just know that, you know, I'm getting enough response that it makes sense. There's a classical statement, "I know I'm wasting 50% of my ad budget; I still don't know which 50%." And digital marketing - the ability to target people and know what they're doing and track them was
an entirely new thing. And so that caused billions of dollars of investment into ad tech businesses that were tracking digital ads. Remember the old time when you would do link exchanges with people and when digital advertising first started, it was very simple.
But, when they realized that they could actually track people around the internet using cookies - which was never designed to do anything of the sort - that really sort of transformed the ad tech business, and we had all these middlemen who were doing, essentially data mining, following people and saying, "Okay, you want to run an ad to 5000 people who are thinking of buying a grass clipper. You know, I got those people. Here's...give me $10,000," and
off we go. So, it's really a big data function, but they're using advertising as the monetization method. And that has been all over the world - advertising has been all over the world as the internet has sort of grown and taken over everything. And then, 'til this regulation happened, it was a completely wild west scenario you could...was whatever you wanted to do. If you could figure out a way to track somebody, go for it. There was
no regulation stopping you. So, it was bound to come to an end, and it just has taken a while for that to happen. But people are, you know, we all had that scenario where you go to a website, you're looking - "I want to buy a weed whacker." And, for the next couple of weeks, all you see are ads for weed whackers because you did a search for weed whacker on a
particular site. That stuff is creeping people out, and so it was only a matter of time until that's sort of flowed through and the regulators started to say, "Hey, this is bad; this isn't good." You have...it's "surveillance capitalism" I believe was the term that was applied to this. And so, we're viewing now the global response to that. Everybody, all these countries, are making their version of GDPR. GDPR was
definitely the bellwether. When that passed in 2016, we were very surprised, but we were very happy. And so all over the world, countries are passing their version of GDPR, which generally have the same attitudes, which is you can't just take people's data without telling them. You have to explain to them and get their permission or give them an opt-out there. All these regulations really have very
similar aspects. So it's the pendulum response to the industry being in this wild west phase in 2010, where everything was tracked and nobody had knowledge of why they were being tracked. And now, the pendulum is swinging back.
That is a great overview. I think of kind of what's gone on over the last, you know, decade or two, and I guess, to follow up - did the ad tech GDPR like cookie myth distort the way that people perceive what was required for operational compliance? Because my understanding is even cookies are part of the ePrivacy Act in the EU, not even a big part of
GDPR, right? GDPR is about can you legally process that data, but it's not, you know, all the rules around...you know, web interactions seem to be under ePrivacy.
The guidances in the ad business are nothing if not resourceful. There was an initiative in 2009 to produce a signal within a browser, that would tell people "Do not track me." And, that was an attempt by some industry people to, in essence, put sort of a global thing that somebody could, if they were running on this browser, they could say, "Hey, when I'm using this browser, don't track me; I don't want to
be tracked." And, the ad guys recognize that this would be the end of their free surveillance system. And because there was no regulatory support for it, they were able to convince people, "Oh, this is...this will make it hurt things. It's kind of complex. It's hard, and it's bad." And, eventually, one by one, they convinced the browser manufacturers not to support it, and so it sort of died a horrible death. About the "cookie myth" - here's
my little diatribe on that. The ad guys - you know, when they saw GDPR - realized that, once again, there was something on the coming up, that was gonna step on their air hose. And, they probably realized that since GDPR had already been passed, there was no way they were going to get it turned away. So, they looked at what they would have to do in order to keep selling ads, and they
"Okay, well, we're gonna have to have this thing where we get people's permission to drop cookies and track them." And so they came up with the transparency and consent framework - TCF as we call it - but part of their program really was to sell all of the website owners that all you need to do to comply with GDPR is just put this little cookie banner in, and you're done. This is just, you know - this way you can keep selling ads, you can keep your revenues going, and you're fully
compliant with GDPR. It's everything you need to do; just buy this thing. Or, it's open source, you can get it for, you know, $50 a month or whatever. And, you'll be ad...you'll be able to run ads, and it'll be great. And, of course, all of the publishers who were in the European Union or had a footprint there, they wanted to hear a story that said, "Oh, this ugly, GDPR thing - this is an easy way for us to get away from it or not have to deal with it. Yes, please. I'll take it."
So you had a willing audience that wanted to believe, and you had a cynical performance artists that wanted to deceive. And that was really what they successfully did, telling everybody that a cookie banner was what you needed to comply with GDPR. And the fact of the matter is, the cookie itself is really not discussed in GDPR, as you say, it's part of the
ePrivacy Act. But secondly, even if it worked perfectly (which it does not) - even if it worked perfectly, a company that has just cookie banners would only be compliant with GDPR if the only way they gathered data was through web pages. And, no modern company only gathers data through web pages. I mean, lots of companies have mobile apps - many of them gather information through email telemarketing. They have IoT devices that maybe capture
information. They probably have physical locations where they are gathering information, like facial recognition, or even just video surveillance. So, the notion that a cookie banner is going to give you compliance with GDPR is what I call the myth: "the cookie banner myth." And, it was propagated by the ad world, and many enterprises bought it.
Indeed, I mean, this is definitely something I've been seeing for years. It's almost one of the reasons I've avoided doing much in the ad space, since...you know, this attempt at self-regulating that is obviously disingenuous. So, the EU ad industry had a guidance, right, then they have a tool that they said, "This is the way for anybody who's a member of ours to..."
Yeah, say...well, that's what The Transparency and Consent Framework was. They created an open sourced...a tool, which was called the TCF. And if you were in the ad business, you were encouraged to join this and get an ID number.
And they came up with this comedically stupid technology scheme that would allow them to know if you had given consent for ad network A to look at your cookies, but not ad network B. And it was a system called the DaisyBit, and anybody who has gone to a computer school or done basic, you know, computer science, would look at this and laugh at how ridiculously basic it is. But, that was their solution, and that was what they
sold. Nobody who's in the publishing business really cared how it worked or how stupid it was. It was they were being sold, "Hey, just buy this for $500 a month. Put it on your website and you'll be compliant with GDPR." So the tool itself was, you know, for anybody like us who looked at it from a technical standpoint the day it came out, we knew that it didn't really do what it was supposed to do. But, it took two and a half years before the regulators finally called them out on it,
which that just happened. Maybe a year ago, the Belgian regulators said to the IAB, this is not...it doesn't comply. You're doing these seven things that are not part of GDPR. And then, in February, they actually formally censured them and said, "You have 6 months to fix this or otherwise we are going to start fining you 250,000 euros per month." The problem for that is that they open source this and there are 170 companies who make cookie banner solutions that are built on top of this
IAB / TCF technology. So, all of those people were subjected to the Belgian ruling as well. So, you essentially have - I don't know what the percentage is - but it's probably more than 50% of the companies that are trying to provide compliance for adtech that were essentially told, "You're out of business in six months" in February of 2022. So, as they have done before, the IAB doubled-down. They said, "Oh, no. You the regulator are wrong about the law that you
yourself wrote." It's...you gotta give them credit for having chutzpah. But, they did that and, and now the case is going to the CJEU. So, in essence, they kicked the can down the
the six month period that they had to fix it expired in August. So, here we are in November. They still haven't fixed it. We're still waiting for a ruling. I mean, it's class...this is classic, you know, big enterprise versus government operational tactics. You just delay, deny...you know,
kick the can down the road. So that's where we are, but the future of the cookie banner system is extremely clouded because if none of this happened, Google declared that the third-party cookies are going away (it was supposed to originally go away in '22), but they keep pushing it back because of course the ad industry says, "Oh, no. We can't possibly change this. It will put us out of business." And, so they've successfully, you know, slow-walk that as well. But in the long run, third-party
cookies are dying. They don't help you provide true compliance with any privacy law. It was a myth and it's going to go away.
Thank you so much for that background. I think that history there is really important to unpack why it's so important that, you know, there's a new specification. Let's unpack that a little for the audience here. According to the GPC website; again that is https://globalprivacycontrol.org. GPC lets users "signal their desired privacy" just by browsing, and so what does that mean exactly?
Well, a W3C specification that provides a way to signal, through an http header or the DOM, a person's assertion of
prevent the sale of their data, the sharing of their data with third parties, and the use of their data for cross-site targeted advertising. The signal, it says, is equivalent to the Global Privacy Control that is mentioned in the regulation - the California Consumer Privacy Act (the CCPA).
The Global Privacy Control is the resurgence of the "Do Not Track" signal. It's exactly the same. It's a signal that a browser asserts that anybody with a website can check and see is this person asserting that signal with one line of code; and if they find that signal, they then are obligated to handle data appropriately based on what the user is specifying. So, it's really no different than, you know, websites have different graphic resolutions that they respond
to. If you look at a site on your phone, your phone tells the site, "Hey, I'm on a phone. You know, this is going to be a small screen that's vertically oriented." But, if you go on your desktop, your desktop will say, "Hey, this is a big screen." So, the website adjusts its operation based on that signal of what's the size of the screen. This is no different. It's a signal of what to do with privacy.
That makes a lot of sense, and it seems to apply here towards, you know, again, the W3C works on web protocols.
one that's the core DOM, one that's the XML DOM, and one that's the HTML DOM, but that's pretty much what it's limited to here and what we'll unpack in a little bit. But that's the core of what this new version of "Do Not Track" is and Do Not Track was pretty much never integrated into law and...back in 2009 time
period. It was kind of considered a failure because it never went anywhere; and, even when it was an optional specification, very few if any, you know, organizations, if anyone, ever respected that signal.
Well, most of the browser manufacturers also owned advertising business. So that was not in their best interest for DNT to be used. That was before Brave existed and DuckDuckGo. And privacy browsers didn't exist then.
Exactly. So why was it developed, right? What problems specifically does it solve for, right - at the legal level - that you need to have the standard align with? Well, you know - you may have noticed - the "Do Not Sell" and "Object to Processing" links are beginning to promulgate around the web from various companies trying to comply with privacy regulations that, you know - different state laws - or even,
you know, EU law. To opt out of websites that are selling or sharing, you know, personal information, you're going to need to click these links for every site you visit. And, that can be really, really onerous, right? Just kind of like how you have to click Terms of Conditions or, you know, agree to Privacy Policies for most of the sites that you visit. So, that gets cumbersome and can be pushed down to individuals to take responsibility each time for their privacy, right?
Well, that was really the goal of the advertising business, when they created the pop up banners was to make it so annoying, that when you go to every website, you have to click on these stupid banners to express your "do not track me." They wanted to make it so annoying that people would get fed up and say, "Hey, get rid of this law. This is stupid. I can't use the internet anymore," right? Fortunately, this time, that didn't work.
Agreed. I'm kind of shocked that it's actually gained traction. But I'm really pleasantly surprised that we're finally moving forward on an actual engineering capability that prevents the data collection if a person doesn't want to be tracked, right? Like that...it's by default, based on their choices. And so, that's actually a great point, like, how is it supposed to work
right? And, I really want to unpack this here so that I get your opinion because the way this specification is set up is that it separates it into two concepts - a "do not sell or share interaction" versus a "do not sell or share preference," and, they seem so similar to one another. Let's unpack them, and I want to get your thoughts on it.
So, a "do not sell or share interaction" is an interaction with a website in which the person is requesting that their data not be sold or shared with any party (other than the one that they intend to interact with), or to have data used for cross-site ad targeting (except
as permitted by law). And then, the definition of a "do not sell or share preference" is when a person requests that their data not be sold or shared - for instance by activating a GPC setting within their user agent (which is...it has its own definition as well).
A user agent is a euphemism for "web browser..."
Web browser...I was just gonna say, your settings that are representing you...as an agent of you almost or by using tools that default to similar settings. So, when set, this preference indicates, or is supposed to indicate, that the person expects to browse the web with a "do not sell or share interaction" by default. What are your thoughts on that - these two separate terms that
are being used? And why..why were they even... they sound so similar, so why do you think they've been defined this way?
Yeah, you're reading this from the website of the W3C, which, you know, it's a regulatory organization and they like to write words. To me, these are both the same thing in practice, and with our software, it doesn't matter to us if the person clicked on the "do not share or sell my data" button or if they came to the website with a browser that asserted the GPC. We do exactly the same thing with our software to remember the fact that they said that. And then the next time they show up if they...if we know who they are, if they're identified. If they're anonymous, the "do not sell" admonishment, or their preference, only lasts as long as their session. And I think that's really the difference between these two things; the interaction (although they don't explicitly say it) is for this session. So, if I'm on this browser today, and I press a button that says, "Do not sell my data," I'm definitely telling you don't sell my data that I'm giving you today. But, if I haven't told you who I am, and you're not dropping a cookie, tomorrow, if I come back under the same browser to the same website, you know, it's fair game. If I set my browser to say, "Everywhere I go, tell anybody who wants to listen I'm not sharing my data." Then tomorrow, if I come back, and I don't click on the button, I have, in effect, done the same thing as clicking the button. So, there is a persistence and a global aspect to using the preference (which would be the GPC) that does not exist when you're using the one by one interaction. And that's really, the lawmakers working on CCPA and CPRA...this is what they wanted to fix...is the problem that we have what's called "consent fatigue," where when this first started two years ago, every website you go up to - here's this pop up. "Oh, we want to do cookies, blah,
blah, blah." There's a giant green button saying, "Okay," and if you don't want to accept cookies, you had to dig down through two pages. Every website did that. Everybody complains, like, "God, that's so frustrating. I can't stand it." So, the regulators, in their infinite wisdom said, "Well, that's a problem. Let's...let's fix this by letting consumers express in a sort of a global way, 'I never want to share my data.' How can we do that." And, they came back to GPC.
You know, I think that's a really good summary that these are basically two ways to deliver a signal to, you know, a back end - to an organization - the first being through the link on the bottom of the page that's required by law under CCPA and other similar legislation. And that would be the interaction; that one-time asking to opt-out at the end or asking to opt-out or not to sell my, you know, my data. I'm thinking of those as, like, data
brokers, right? You're never going to...you're rarely going to a data broker's website...collecting data about you, but you want to be able to have that...you want to prevent them from using your personal data for sales purposes to other organizations who want to pay to understand things about you. So, that's one use case is this interaction where you go in and say, "Hey, stop doing that!" versus you're surfing the web, you've got a browser. The browser is acting as your user
agent. It has your preferences all listed in there. You go to a particular website. It respects your preferences. I think that's more of the interaction that people are typically a part of - your preferences there, do not sell or share preferences. But, this is just kind of how you take the...how you embed the legal requirement into the specification for opting out, especially if data brokers. Okay, so why don't we take a look a little bit about the
legal effects. You know, receiving a GPC signal may have some legal effects depending on factors like: where the individual who you're collecting data about lives, what state...what jurisdiction they're in (so where they live) of the individual sending the signal, the scope of the applicable law, as well as any separate agreements between, you know, the recipient of the
signal and the individual. So any sort of contracts that you have already agreed to share your data with organizations, then that would be part of the contract. So under CCPA, the GPC signal will be intended to communicate a "do not sell" request from a Global Privacy Control for that browser or device (or if known the
consumer). And then under, for example, the Colorado Privacy Act and the Connecticut Data Privacy Act known as CPA and CDPA, the GPC signal will be intended to communicate a request to opt-out of both the sale of their personal info and the use of their personal info for targeted advertising. So it's not just online behavioral advertising, but targeted advertising. So that is actually a lot. You know, it's all advertising basically.
Think of how complex what you just said is, and that's only 3 States. Imagine, imagine in a couple years when we have 15 or 25 states, each of which have their own little take on this.
And, I do believe that's what's going to happen. I do not think there's going to be a federal privacy law anytime soon. I've been saying that for years.
Yeah, I agree with you that these days. In gridlock...it's gridlocked.
And it has nothing to do with the actual issues of privacy. It's all about...outside of privacy. Like, should there be a right to sue? Should it cover, you know, government as well or just businesses. You know, who has liability or who should be covered by the law? Like all of those are the things that are keeping it gridlocked in Congress. But, I digress. I want to know your thoughts. Do you think GPC will work, for instance?
I think it'll work for what it's supposed to do, which is to make it easier for consumers to express their preference without having to do it every time they go to a new website. But, one of my goals is to make people understand that GPC is not a panacea and, in fact, it creates some new problems...or not necessarily problems, but people will think that they are doing one thing when they put a GPC on their browser, when in fact they are not. There's a massive amount of confusion that will be created by people who think, "Well, I started GPC, my privacy is now protected!"
So, are you saying because there'll be organizations that are just not respecting the signals? Or...
Let's assume that the enforcement agencies will go after them? I mean, one of the things in Bonta's press release was he was pounding the table saying, "We are coming after you!" You know, ww..."It's very easy for us to test this. All we have to do is go to your website and see if you respond to GPC. Very easy to find you. We're going to come and find you. We're going to enforce that." So, let's assume everybody
complied with it. When I am a consumer, and I don't know about privacy the way you and I do, and I learned about GPC, I think that when I put the Global Privacy Control on, I have protected my privacy when I go on the web. So, if I go on my Brave browser, and I go to Colgate Palmolive, and I have my GPC signal asserted, in my mind, I just told Colgate Palmolive to never sell my data. Did I? No. I told their website not to sell
my data on their website. If I then pick up my smartphone, and I have a Colgate Palmolive app, that app has no idea that I asserted my GPC on the website 20 minutes ago. So, when I picked up my smartphone and use the app, maybe the app takes a picture. Maybe it knows my global positioning - my GPS signal - because it wants to send me to a store. I didn't do anything that involves that phone. All I did was tell Colgate Palmolive when I come on a website, don't sell my data
that you get on the web. So, the net effect of GPC is it's like a super cookie banner, where it says, "For actions that are happening using this particular web browser, I assert this GPC signal, and you are then...you're duty bound to not sell the data that you get through this ingestion point (which is the website)." But GPC does not pertain to, "I walk into a store and there's video surveillance or my face geometry is picked up when I did a KYC, on a...signing up for brokerage
account." The consumer will believe that by asserting GPC, they've solved the problem and life is good. When in fact, all they've done is solve a little problem, but the big privacy problem still exists. And I, in my opinion, that's more dangerous because a consumer thinks they've protected their privacy with GPC; there's a false sense of security. When, in fact, they've protected 5%-15% of their privacy.
It's a false sense of "privacy."
It even gets weirder because, let's say you come to my website with a Brave browser, GPC's inserted...asserted, but you don't log in. So I don't know who you are. So for the period that you're interacting with my website, I don't sell
your data for that session. If you come back tomorrow with a different browser or on a different device, that GPC signal may not be asserted, and now you're back to "I'm selling your data," but you thought because you came to my website with GPC, "Oh, everything's fixed!" So, there's all kinds of these edge cases where GPC in reality differs from what the user expects, and that's what I think is dangerous, where you have a user thinking they've done the right thing to protect
their privacy (and they have - to protect a small part of their privacy), but what the user thinks they've done and what they have really done are very
different things. We run into this a lot with...it's called "consent fragmentation" - where a company gathers data from people from a variety of data ingestion points and the user - let's say they got to your email; they use SendGrid - and you say, "I'm unsubscribing," from SendGrid, but a different division of the company uses SurveyMonkey and they don't know that you unsubscribe from emails from
that company. So two weeks later, you get a...an email from that company that came from SurveyMonkey, and you're like, "Wait a minute, I unsubscribed!" So the problem that's propagating this is when you have consent to do things or privacy preferences that are stored in multiple silos instead of in one central source of truth. And this gets into what we do
with our software. The whole Privacycheq model is built that we keep users' preferences in one place where everybody inside the organization and everybody who's in the 3rd, 4th and 5th parties that the organization hires, can find out today - "I need to send an email to Debra Farber. Do I have permission?" "No. She revoked permission yesterday when she was talking to this other site. So, no emails for
Debra Farber today." That is what really has to happen for all of these privacy preferences to be honored on an operational basis.
That makes a lot of sense. You'd need some sort of unifying experience. I think this is actually a really good lesson. Anyone who's listening who works in consumer preferences, you know, works for that aspect of the organization where you...maybe you're building a preference center or you're building some sort of internal suppression lists and whatnot to respect privacy - is that the limitation here seems to be that, well, GPC is a great move forward for privacy...
We totally applaud it, but we cautiously remind everybody, that it is not a panacea and it doesn't fix many aspects....
...consumers are under...will be under a false sense of privacy instead of security because this is really limited just to the web, and not all these other touch points.
And, it doesn't even cover the whole web because as you were enumerating, the different areas of data collection, I'm even thinking like, you know, you put an event out on your web page, your Showcase page or Company page on LinkedIn, and you know, you get the information about people who are going to attend your event through that and get the signups through that. I mean, there's all these social media touch points, and you know, that extend beyond the boundaries that you control as
well. And so, this goes real far and wide, where any signals from GPC are not going to necessarily extend to all of your touch points. So, that's definitely something to think about.
That's why we often have a laugh when we see ads from our competitors saying, "Just add one button, and you'll have full compliance with GDPR or CCPA," or whatever it is,
it's like, Yes, I agree. That's what consumer or enterprises want, they want this all to go away, but in reality, the complexity of the amount of data that's being gathered and the complexity of the laws, I don't think it's possible for any enterprise to be 100% compliant with any of these laws, except if they don't gather any data at all. And there's no modern company that does that. The whole thing is a gradient of, "Am I completely non compliant? Or, am I 99% compliant? Or am I 70% compliant?"
Well, to that point (I wasn't thinking of this before), but to that point, I do think that we are moving towards technologists thinking about how do we continue to do business in a way where we don't have to do a compliance "paper chase," we avoid that by not...maybe not collecting as much data or a lot of data or having it reside locally...
Privacy by design...totally love the concept. And, what it means is that the people who are designing these next-generation systems understand that privacy is now a key data point, just like financial data. It has to be retained and kept just like financial data. That's why you don't see enterprises having 15 different general ledgers, you know, that would be chaos, they wouldn't know who, where the
money came from. The privacy preferences and the data of the user itself is now just as valuable as their financial data, and it has to be built in.
Because when you design that way, you're designing on behalf of - what I'll call here - the "end user" as opposed to exploit them and sell their data to somebody else. Right?
Right, and so there will be bad actors that don't do that, of course.
But those seem to be the trends, and so I am seeing a trend in the market where there is this attempt to collect a lot less data. It's just not going to be the norm I don't think for quite a while, as there needs to be a lot more market understanding by, you know, companies about...
Well, I think as there's more and more of these breaches and where the bad guys do the ransom thing of data, I think enterprises in general are going to realize, you know, why are we collecting all this data? It's just hanging around our neck. Do we ever do anything with this stuff that generates enough money to make it worth the risk? In general, and this will take 10 years, but I agree
with you. I think enterprises are going to pare down what they collect to only the very barest minimum because of the risk.
Absolutely. What advice do you have for the engineering teams, the product teams at companies today that have to deal with - I don't want to just say web privacy - but just, you know, have to think about incorporating a standard like this, and what's the best approach to consents and being able to reflect to your consumers that you care about privacy.
Well, I mean, too often these days privacy people get called in way after the fact...after the new system has been designed and it collects data in a certain way and all the databases have been built. And, they say, "How can we make this compliant?" And, you know, the changes that are required
are huge. I would say, if I were designing new systems these days, I would make sure that I had a privacy person, an IAPP member, on my team that would at least consult on it and say, "Okay, yeah, you know, you got to do this, you have to do this...you need everybody's shoe size, you need everybody, for whatever you're doing. This data should be stored in a single silo. And you have to have a way so that the user can express their preferences with that
easily." It's basically...it's the ethos of privacy by design. It's like, have the privacy person involved in the design not in the let's fix it three months later, you know, well, we'll patch it, we'll, you know, we'll use the DaisyBit - this is the IAB...the laughably stupid technology that they tried to use. But figure out the best way to solve the problem that you're solving. If it touches on user data, have a privacy person, part of the design - privacy by design. That's my advice.
How do you think GPC will work with COPPA where maybe children themselves can't make the decisions? It's their parents have to make opt in on their behalf? Is there any nuance there with respecting these signals for something other than CCPA...and, but for COPPA, for instance.
I don't think there's much interaction there between GPC and COPPA. The vast majority of COPPA exposure for companies is in apps and GPC has no purview within apps. You know, TikTok and, you know, video games, and so on and so forth. That's where COPPA is really an issue. I don't think there's too many websites anymore that are designed for kids because, you know, COPPA has really...perhaps the original intent of COPPA was to just keep enterprises from doing anything to involve kids.
The more interesting thing is that there's a move in DC to raise the age of COPPA from under 13 to under 18 and more interestingly, CPRA and CCPA do raise the age of what's considered an age of consent from 13 to 18. So, if you're a company that has interactivity with kids under 18, which is an awful lot of companies that have social media and games, you know, Twitch and YouTube and so on, so forth. There's a huge
audience in those ages. Those kids are now under the purview of these other laws, and not necessarily COPPA. So, I mean, it's a very complex world because GPC has no meaning in a mobile app. That right there is a huge issue because people think, "Well, I put GPC in my browser. Now I'm protecting my privacy." Well, you haven't protected your privacy when you're using a
mobile phone. That in my opinion is the biggest problem with GPC is that the user thinks they've solved their privacy, when in fact, they have not. And that's probably more dangerous than thinking that they have not solved their privacy issue. I keep going back to this survey that was done maybe five years ago by Pew Research, a very respected research group.
And, they surveyed Americans about their privacy, and this makes me fall off my chair: 91% of Americans they surveyed felt that their privacy was out of control. And can you think of any survey that was ever done where you got a 91%? You know, is the sky blue? You know, 20% will say, "Oh, no, it's not really. It's sort of cloudy or whatever." 91% of Americans said their privacy was out of control! So, if somebody says,
"Oh, here's this GPC thing. Turn that on in your browser and now your privacy is back in control." So, there's a chance that those people will then stop worrying about their privacy and think that they've solved it and they haven't. That's...in my opinion, that's the big problem.
Right. So it sounds like there's really needed at the regulatory level or I should say, the regulatory body level like and the W3C as well, but combined with maybe like the California regulators here, to come up with a...to rollout campaign that educates consumers. The challenge is it's State-by-State, right, so who's necessarily...unless you're in California, you might not see the educational material.
Who's gonna make that campaign that says, "Yeah, GPC is great, but it doesn't really do it...it doesn't really work." There's nobody that's going to be behind that. The governor wants to say how great a guy he is for promoting this. You know, the W3C doesn't do advertising. The publishers aren't going to do it because they want people to think, "Oh, yeah, I've solved my privacy. Keep doing everything." The problem is, nobody's going to put that out into the world.
I do agree that it's not obvious, or it's maybe not part of the mandate of those orgs, but there have been 12 organizations that came together and are called, you know...the clarion call is out there now for other organizations to join in and help iterate on this. Because this is a Proposed standard...a specification.
Yeah, that's the interesting thing. This is not a finished...GPC is not a finished spec, and yet, we have the California Attorney General pounding the table and saying, "Everybody needs to use this right now." That's, that's pretty unusual. In privacy land, usually it's the opposite. The spec is put out there and for two or three years nobody does anything.
Yeah, that's totally true. But I did want to get to the point that some of the companies behind this
DuckDuckGo, Brave, Consumer Reports, Washington Post, New York Times, Protocol Labs. And so there's 12 all together; I don't have the list of all of them, but each of those companies do advertise around privacy and educate the
market. So, I'm hoping that they don't just say, you know, "GPC is the best thing since sliced bread," but go, "GPC is super helpful to demonstrate to your customers that you care about their privacy, but it's not a panacea, and here's where it works and here's where...they're, you know...where it doesn't." It only works on the web, and like, I really hope they do that education of the market and that others choose to join in.
Because I do believe it's a helpful piece of the data collection and sales problem, but like you said, you know, it doesn't cover everything. In fact, it only covers a small amount: just the web.
15%, 20%, something like that, yeah.
Yeah, I have never seen that before. I'm hoping you're more optimistic than I am. I just don't see them running ads to say that their product...or their new thing is not perfect.
Well, I think that maybe even listening to this podcast, some folks over at those companies will think about how much it will benefit them in the long term to be accurate in what GPC does and what it doesn't do.
Well, just the name of it is a misnomer. It's a global privacy control. Oh, I asserted the Global Privacy Control. I have now said, "I'm protecting my privacy." So, the name of it itself...
Yeah, it should be called like GPC for web. Right? So maybe then someone in the app space comes up with...
Well, Do Not Track was actually a better name. But...
I agree Do Not Track is exactly what it is. Do not track on the web, though. Right? But, it makes sense.
So we're fighting uphill against the very name of the thing.
It is a fascinating space we're in. Is it not?
It is. It is. Wow.
What's old is new again and such. It's been a pleasure having you discussing consent and web privacy and the new GPC specification. How may our listeners reach you, perhaps on Twitter or, you know, a personal website; and then, anything else you'd like to leave...you know, any words of wisdom you'd like to leave my listeners with?
I think I've put out way too many words of wisdom already, but people can reach me at our Privacycheq website. We have a webform there, and I'm also on LinkedIn. You can DM me there.
Thank you for joining us. Until next Tuesday, everyone, we'll be back with interesting content and another great guest. Thanks for joining us this week on Shifting Privacy Left. Make sure to visit our website shiftingprivacyleft.com where you can subscribe to updates so you'll never miss a show. While you're at it, if you've found this episode valuable, go ahead
and share it with a friend. And, if you're an engineer who cares passionately about privacy, check out Privado, the developer friendly privacy platform and sponsor of this show. To learn
Privado.ai. Be sure to tune in next Tuesday for a new episode. Bye for now.
