IAPP Global Privacy Summit 2022 Recap

Determining the best privacy technology for your organization can be overwhelming. As Alyce director of data security and governance, Jeff Mayse notes, “it touches every system, and crosses all borders.” In other words, choosing, implementing, and maximizing the value of privacy technology for both external and internal stakeholders requires careful consideration, planning, thoughtful execution, and management.

Joining Mayse to examine How to Think About Buying Privacy Technology, is his colleague Andy Dale, General Counsel and CPO of Alyce and WireWheel’s Director of Product Marketing, Emily Schwartz. Held at the 2022 Summer Spokes Technology Conference (June 22-23), this wide-ranging discussion was moderated by Kevin Donahue, Sr. Director, Privacy Engineering at Ethos Privacy.

Identifying the privacy tech value for external stakeholders

Often, clients will say, ‘we have to do data subject rights (DSAR) so we’re going to look at some solutions.’ But, there’s a whole lot of elements to doing data subject rights from ingestion, validating, and finding their data, to tracking things.

It’s not just one big black box, it is an entire workflow needed to satisfy their users.

—Kevin Donahue, Ethos Privacy

It’s important, suggests Dale, “to understand what it is we’re trying to do – not from a technical perspective and not from a GDPR or CCPA perspective – but the business problem or solution that we’re trying to get to. That helps all your privacy champions around the business get context and understanding.

“Law and regulation don’t really move the needle as much as folks like us might think it would. Risk surface area doesn’t do that either. What does move the needle is customer sentiment. “I don’t think everybody starts there. There is a tendency to dive right into spreadsheets and data mapping.”

Identifying the privacy tech value for internal stakeholders

“It’s really hard” he continues, “to work towards a successful outcome if everyone’s not on the same page from that 30,000-foot view. What are you trying to do and what are the impacts? This includes the internal stakeholders as well.”

“If you neglect any aspect here – external or internal– you’re at risk of pain. This is one of the most complicated systems that you will implement at a company,” warns Mayse.

It touches every system. It crosses all borders. It has no domains. And it can quickly spiral out of control.

You need to consider your internal users, at least as carefully as your external users. And when we talk about implementation, it is easy for this to become a problem.

—Jeff Mayse, Alyce

Mayse insists, when you understand what that process is like for both internal and external stakeholders, and what that would look like with privacy technology versus without, it’s easier to sell internally.

“As time wears on, I think it’s going to become increasingly clear that there are internal stakeholders benefits [and this] needs to be part of the equation,” adds Schwartz.

Buyer be aware

You can sell into legal. You can sell into a separate privacy function. You can sell into privacy engineering, into InfoSec, into the CIO, and you can sell into the IT department. There are too many vectors, too many personas to think through.

It’s a good idea to encourage the buyer, once they’ve engaged in that cycle of learning about the software, to bring a lot of relevant stakeholders to the table.

—Andy Dale, Alyce

That includes stakeholders like business intelligence and analysts who “need to pull data out of the product and manipulated somewhere: it is truly everyone,” notes Schwartz.

“When you start talking to every team in the company, the magnitude of the problem can become overwhelming,” cautions Mayse. “So, it’s not only important to bring in internal stakeholders…and raise issues early, but also to constrain the problem. You have to eat the elephant one bite at a time.”

It is critical for buyers to have this awareness.

Accepting that sales call without knowing what it’s going to take to implement a solution and how to perform the initial step of the development lifecycle when you’re evaluating build v. buy – if you don’t have somebody functioning in a product management role it can be very difficult to get it accomplished.

—Jeff Mayse, Alyce

Interestingly, both Dale and Schwartz have found that when it comes to awareness, the learning curve is much steeper in larger organizations than it is in the small and midsized firms (SMBs).

At Alyce, a privacy technology consumer (and WireWheel customer), they think about what they need to do first, relates Dale. “What engineering work needs to be done here to make sure that we’re even in a position to buy privacy tech?

“The issue is always, what do we have to solve first? What is our workload to implement a solution? There’s this myth about technology in general: buy it, turn it on, and magically it just happens.”

Privacy tech success metrics

How do you define success?

Privacy people think of success as ‘I’ve deployed a tool to do something, because I want to do that thing.’ And it’s oftentimes somewhat divorced from other stakeholders, whether it’s engineering, marketing, infrastructure teams, or even the users themselves.”

—Kevin Donahue, Ethos Privacy

“It comes down to why you bought it in the first place,” says Mayse. “What you wanted to achieve. You went in with a problem – maybe an intangible – but you have a problem that you’ve defined.”

“How do you track that problem now? Do you have a process for DSAR ticketing details and following through on the fulfillment through all systems and tracking time? Simply deploying a solution isn’t ‘the solution.’”

Pointedly, Mayse asks, “How did you measure the problem? Presumably you had to get dollars for this and justify the spend. How did you sell it internally (this is an $X/year problem, or a $Y/year risk surface). You can track against that.”

“One of the big ones for Alyce has been ‘time of effort.’ If it took you so many days/hours/minutes to fulfill [DSAR] requests, what does that look like after you buy the service? How many are you able to accomplish with how many people working on them?”

Sometimes it is a little bit of trial and error.

With experience you start to realize what is truly important. It may also be things like how the privacy technology integrates into your stakeholders workflows and processes. Is it efficient for your team? At the end of the day, a lot of this is about managing risk.

—Emily Schwartz, WireWheel

“Look at this through a risk lens,” offers Schwartz. “What are the building blocks that contribute to an acceptable risk profile for your organization and measure those.”

Project managing privacy tech: it’s all about communication

“There’s a big language challenge between legal and engineering,” opines Dale, “particularly in the privacy world where we live in the grey. Engineers and product teams, want the requirements. What are the milestones? What do we need to deliver, and the metrics behind it?”

“It’s going to be a little bit of iteration, trial, test, and learn as we go. But clearly discussing how this is a grey area can increase velocity in these projects.”

“You need somebody who can help translate the legal principles,” says Mayse. To draw lines in the grey legal sand and say “‘on this side of the line we think this is a good faith effort that’s compliant with the law’ while knowing that legal decision may indeed change. This must be translated into something that an engineer can build, or a product manager can run.”

Having embedded privacy champions in a development team really helps. It becomes a bi-directional communication between privacy (or compliance or legal), and the engineering team. In this way, engineering can communicate what they need from privacy to work effectively.

—Emily Schwartz, WireWheel

Evaluating privacy technology

“One of the most beneficial things you can do is ask your peers what they’re using, what they’re doing, what’s working for them and what’s not,” proffers Schwartz. “If you’re working with an agency or a consulting group, ask what they’re implementing for their clients. It shows what’s working what’s not working.

“You can do all the research in the world and see all the demos in the world, but just word of mouth and referrals are very powerful.”

My superpower recommendation is – while maybe not in the first call – when it comes to the demo, and especially to the technical discussion, bring an engineer who will ask questions you didn’t think of asking.

Those questions will be necessary, because an engineer is going to immediately start thinking about how they would actually do this…You can have an engineer say, ‘we won’t build this, it’s not going to happen,’ and you want to know that.

—Jeff Mayse, Ethos Privacy

“There is a lot of the tech… a lot of it does the same stuff, so I would have a list of your top needs and priorities,” avers Dale. “But if you’re not attentive to it and if you don’t have a person that is going to learn and administrate it,” he cautions,  you’re going to get nothing out of it.

“It can be the best software in the world, but any system requires a lot of TLC to get the most out of it. So go in knowing that it’s going to be a system you need to spend time with. Otherwise, you just won’t adopt it and you won’t get value.

“You’ll turn off that software and you’ll try another one. And if you don’t change something, the same cycle will happen again.”

Watch the full session on-demand

Digital agencies often serve as the connective tissue between organizations and technology. And as data privacy regulations continue to expand and evolve, agencies will need to stay on top of how these regulations to continue to  responsibly, reliably, and effectively serve their clients.

Adweek reporter Trishla Ostwal’s sources tell her that “agencies are commonly being asked to address privacy in RFPs and clients are conducting data audits on potential agency partners. Clearly suggesting that privacy has become a deciding factor.” Her recent Adweek article notes that “media agencies are expanding their competencies and shifting away from leaning solely on legal teams” (Ostwal and Morley, 2022). ^[1]

To explore this transformation and its impact, Ostwal was joined by  President and Founder of website solutions company Digital Polygon, John Doyle and CPO of media agency UM, Arielle Garcia at the 2022 Summer Spokes Technology Conference (held June 22-23). The discussion, Implementing Consent: A Plan for Agencies was moderated by WireWheel VP of Marketing, Judy Gordan.

The industry perspective

Agencies are expanding their competencies and shifting away from leaning solely on legal teams. This traces back to GDPR, after which agencies invested (requiring investments in the millions) in building privacy departments.

—Trishla Ostwal, Adweek

“Some agencies have moved towards hiring data officers to keep up with all the privacy regulation changes,” notes Ostwal. “They have also gone on to build privacy task forces that span departments. Some collaborating with organizations like the IAB and others taking an inhouse approach and acquiring data companies.”

It comes down to client expectations, and “simultaneously, agencies are substituting for cookie deprecation with solutions such as data clean rooms. However, the industry is still in a nascent stage,” as it looks to develop that ‘one solution fits all’ approach.

The media company perspective

“That’s very much aligned to what we’re seeing on our side,” concurs Garcia.

“We have a privacy task force that spans all of our specialty units, and we collaborate with industry groups. The reason that we did all this (several years ago now) is because we knew that we needed to be there to support our clients.”

The reality of where agencies sit – and because there’s so much ambiguity in the law and different positions that everyone can take on the client side, the publisher side, the ad tech side, et al. –  is in this unique position of needing to play matchmaker. Understanding what the requirements, risk appetite, or interpretation that a brand is taking.

—Arielle Garcia, UM

“This has required us to really get into the weeds of understanding partner practice and a core reason we’ve started proactively having client privacy discussions,” she says.

“We created something called a client privacy primer dialogue that is now evolving into regular check-ins and being incorporated into quarterly business reviews because there’s so much change in this space.”

The development agency perspective

“There’s three key buckets that we’re seeing,” says Doyle:

1. Understanding where your data lives and how it’s used by different groups within your organization. It’s not just cookies. It’s not just web. It’s not just consent…it’s also how you use that data, how you pass it to subprocesses, and where it’s stored.
2. The facilitation of rights requests (such as DSARs) has to be compliant with all the new laws. And your website and applications facilitate implementation of these.
3. Managing, tracking, and integrating consent, and ensuring consent is distributed to downstream systems. It is critical to have a central source for that consent as a lot of enterprise ecosystems are distributed and there can be a lot of duplicate data.

Additionally, different departments (say sales and marketing) might not talk about how they’re using information differently and it requires deeper data mapping and understanding of your ecosystem so that you can map out how consent is collected.

It goes far beyond just cookie consent and whether or not I’m setting third-party pixels.

—John Doyle, Digital Polygon

“Like everyone else, we’re trying to stay up to date with a law, the client’s interpretation of those laws, and how we translate that into implementation.”

The questions behind the question

“It’s definitely a mixed bag,” opines Ostwal.

“To say that it’s only the demise of third-party cookies that’s driving conversation would be inaccurate.”

It’s also a lot to do with the regulatory proceedings and the agency folks are asking “what are the differences? While there is a 65% semblance amongst the state laws, the 35% difference can cost them a lot to comply with each State. California alone is an investment in the millions….

And if you don’t adhere to all the provisions, you risk a penalty, so it’s a lot of money at the end of the day.

—Trishla Ostwal, Adweek

“I think [everyone] just wants to get things right. But to get things right at such an early point” is a real challenge.

“Privacy has become a catch all to encompass everything,” opines Garcia. “Regulatory developments, third-party cookie deprecation – just ID deprecation – and its limited availability, scalability, and addressability in the future. We are infusing that privacy related thinking in everything we’re doing.”

As we evaluate partners and their identity solutions, we’re asking the question behind the question. Everyone says that their ID’s consented, that they honor rights and preferences.

It means nothing until you understand the details of what that actually looks like. That’s what we and the brands that we serve need in order to make an informed decision on what a durable and responsible solution looks like.

—Arielle Garcia, UM

“It is early to get it right, but you’re going to be closer to right if you’re erring on the side that aligns with regulatory trends (which are just a codification of consumer expectations of choice),” asserts Garcia.

“There are these really interesting operational challenges that we’re navigating,” she says. “And the important part of all of this is that we’re steering towards a place that aligns to consumer expectation. Otherwise, we’ll find ourselves in this whack-a-mole environment until we get there.”

Who’s in on these conversations?

Garcia wants everyone in on the conversation: marketing, technology, media, privacy, and legal.

In my experience everyone’s very focused on their first-party data assets and they’re not necessarily as well versed in what’s happening downstream. This is quite challenging and it’s a big emphasis for regulators.

What we’re really trying to do is break down those silos where they exist. The good news is, I’m increasingly seeing more of that happening organically.

—Arielle Garcia, UM

Doyle sees the legal team reaching out to marketing and asking “are you complying with these new regulations? Tell me what data you collect? Which third-party systems you use? How are that data used? Making sure there’s an understanding of what’s being done and communicating it with their audiences.”

Unsurprisingly, organization impacted by GDPR brought more people to the table earlier while those based in the U.S. “are not worrying about it yet (because legal hasn’t yet come and yelled at them). More likely than not it’s going to turn into the same type of firefighting situation that we saw with GDPR,” submits Doyle.

Avoiding whack-a-mole

“The first step is getting a team together that’s going to own privacy at your organization,” avers Doyle. And it should be cross functional so you can gain a full understanding of the impact.

Organizations also need to understand the cost of implementing piecemeal vs. globally vs. facing fines if they decide not to implement.

Depending on what your organization does and how much revenue you generate from these different means – and across different States – that answer will be different.

—John Doyle, Digital Polygon

“I’m always going to fight for a user-first mindset. Trust is an economy that’s going to continue to grow,” asserts Doyle. “Sometimes that conversation is harder to sell to marketing executives who have to hit numbers and getting everyone in the same room helps build that consensus.

Garcia suggests that as marketing works to figure out their first-party data path forward, there is an opportunity to mitigate friction and align workstreams to support tech decisions that can serve both means and ends.

A preference center can enable greater consumer insight and facilitate zero-party data collection: there are some really unique opportunities that start to surface.

When you have all of the right folks at the table and are putting a consumer lens on all of this from a consumer experience and trust…it makes this more of an investment than a compliance costs.

—Arielle Garcia, UM

Honing the value of trust

There is an early group of actors that look to make privacy a differentiator, says Garcia, “like the Apple approach. I think we are increasingly going to see more of this as the realization settles in that everyone wants to optimize their first-party data collection and utilization.”

Ostwal avers that “for agencies, brands, publishers, there’s just one question: How do we hone consumers trust?”

They’re also trying out new solutions like a customer data platform or data clean room, or sometimes combining the two as we’ve seen in recent partnerships. But there’s still a lot of questions:

How do we maximize zero-party data? First-party data? And what’s the difference between the two?

—Trishla Ostwal, Adweek

As WireWheel’s Gordon notes, “this may be easier for some brands than others. For example, Brands that have a direct relationship with consumers versus those that are B2B.”

The traditional macro-level advice is if you have the opportunity to collect first-party data, get the infrastructure in place to have a single view of the consumer and the ability to respect their preferences and orchestrate that downstream.

If you’re a consumer packaging group, for example, you’ll probably be more reliant on smart partnerships. But there are still ways to enhance the connection with consumers authentically and data does become a byproduct.”

For a lot of brands, investments are focused on making the switch from third-party to first-party data. The key opportunity is to make privacy, consent, and preference the foundation. Then build your first-party data on top of that so you already have the leverage in place to control how data are used with different applications.

—John Doyle, Digital Polygon

“For companies that aren’t using a ton of first-party data, regulations will increasingly, impose obligations with respect to rights requests. So, even if you don’t think you’re using first party-data, it’s worth doing that data mapping exercise to understand the processing on your behalf by your partners,” cautions Garcia.

“If you’re not using a lot of first-party data you’re unlikely to have as robust an infrastructure and so it’s never too early to start thinking about what investments may be needed.”

Watch the full session on-demand

^[1] Privacy Orgs Are Media Agencies’ Next Big Investment (paywall)

Customer loyalty programs are the backbone of many companies, but they come with a host of data privacy traps, particularly with regard to the new state regulations which have the collection and use of data to effectuate these programs squarely in their crosshairs.

For a discussion of loyalty program privacy risks and opportunities, Blueprint Data Strategy Director, Mark Milone, moderated a panel at the 2022 Summer Spokes Technology Conference (held June 22-23).

The Customer Loyalty, Privacy, and Data Governance panelists included Cooley Partner and Cyber Data Privacy Group Vice Chair, Dave Navetta; Bob Seiner, founder of KIK Consulting and Educational Services; and Global SVP Revenue of loyalty technology firm, Annex Cloud, Erin Raese.

Customer loyalty is a hot topic

A Forrester Stat: 89% of organizations are investing in personalization and loyalty is just a really great way to collect the data that you need and to build that relationship with your customer and to deliver personalization.

—Erin Raese, Annex Cloud

Customer loyalty is a much hotter topic now because organizations are looking to deliver more personalized experiences. Consumers want the businesses to know who they are, put their needs first, and to make their lives easier.

“I had a conversation with a grocer last week,” relates Raese, “who had several requirements: ‘Can you create a discount at point-of-sale? Can you create a discount by product? Can you do discounts by this…and by that…?

“Sure, but why? What about the customer experience? What kind of customer experience do you want to deliver?”

You probably have email addresses which is great – that allows you to give them the discounts they were looking for. But what if you knew that Mary was a vegetarian and a gourmet cook?

What kind of experience could you deliver to Mary?

—Erin Raese, Annex Cloud

“And what if you knew that Mary had a husband, who was on a keto diet and a daughter, who had peanut allergies,” continued Raese. “What kind of experience could you deliver then?”

“If you think about it, the grocer could serve up recipes that fit everybody’s dietary needs. Mary could come to their website. They could curate all the ingredients for all those different recipes, and Mary could go click, click, click…and put them in her shopping cart.”

Bumping up against privacy-related issues

“Here we start to bump into privacy laws which are very much in flux right now,” cautions Navetta.

The fundamental question here is – with the regulations as they are today and cookies starting to become less of a viable means to gather useful information– many marketers are starting to think of loyalty programs as another rich field for collecting data.

But, perhaps also, some of the goals of these programs are not loyalty at all but harvesting a lot of personal information for bigger picture revenue goals.

—Dave Navetta, Cooley

“We have to make sure we’re addressing that and balancing out the requirements around privacy laws.”

“A primary role of a data governance program is to manage that balancing act,” says Seiner. “Personalization is all about that customer data. Important considerations include ‘do customers know what data you’re collecting about them and how you’re using that data?’ Data governance can play a role in all of those things.”

The role of trust

It starts in trust, and then it’s really the company’s obligation to ensure that they respect that trust and are good stewards of the person’s data… It’s everything. Everybody walks into that experience looking for trust.

—Erin Raese, Annex Cloud

“The basis of loyalty tends to be a two-way dialogue. A two-way value exchange,” proffers Raese.

“There are terms or conditions, and they should be laid out so the customer knows – or should know – what they’re getting themselves into when they join. That they are going to give data and in return getting personalized experiences, recognition, or rewards in exchange.”

But “when you start to use data outside the parameters of those expectations: to collect data…to sell to a third-party…that starts to erode trust,” submits Navetta. “For the privacy conscious, understanding how the data is going to be used and who it is going to be transferred to are important. But it is also reflected in what regulators and legislators are ultimately requiring.”

Is it just for loyalty or some other purpose?

You’re not going to be loyal to somebody unless you trust them. This requires that customers have confidence in knowing how you’re going to handle the data. Collecting only that data you’re going to use is good, but oftentimes other data is collected along the way.”

—Bob Seiner, KIK Consulting

“You need to be able to explain what you’re going to collect, how you’re going to use it…and you have to have a strategy for communicating that back to the customer, avers Seiner.”

But, as Milone points out, “We don’t know all of the uses of the data generated at the point of collection. It could easily become a new use that wasn’t contemplated when it was collected from the customer.”

Where companies don’t have proper governance, we see that after the program has been running for some time, someone in marketing realizes how much data they have, how rich it is, and conceives of new ways to use the data.

And that’s when you get into legal trouble.

—Dave Navetta, Cooley

Selling, sharing, aggregating, and de-identifying data

“I think we’re going to start seeing companies gathering first-party data and zero-party data and wanting to supplement it with other data,” opines Navetta.

And that constitutes a sale of data under certain laws even though no money has been exchanged. This goes to transfers and under the CCPA, for example, you have to provide an opt-out.

In addition, the laws are starting to require purpose and use limitations as well, which goes to reasonable expectations of the consumer….and this is where transparency comes into play.

—Dave Navetta, Cooley

That said, “one way to get more flexibility is to normalize the data,” asserts Navetta. To aggregate or de-identify it so it’s no longer ‘personally identifiable,’ and consequently, no longer subject to these privacy laws.

“Do you lose some of the value? This is what you’re always struggling with: the richness in the personalization tends to go away once you strip out the identifying elements.”

Can there be too much transparency?

Hopefully you are using transparency to engender trust, but at what point does transparency become too transparent? You can articulate every conceivable use of the data…and inundate your customer with terms and conditions.

How do you advise a loyalty program to balance transparency with the information the customer actually needs to make a decision about joining a loyalty Program?

—Mark Milone, Blueprint

“Loyalty programs, and the use of data around them is becoming a much bigger issue than it was,” states Navetta, particularly due to cookie deprecation.

“The tendency is to be overly broad because, in the U.S. especially, if you’re notifying customers of data uses, you can use the data as stated without much trouble. Now, this new generation of regulations is starting to put more pressure around use limitations and may require an opt-in if you’re going to use information beyond expected uses.”

I think we’re still going to see broad and maybe overly complex notices to cover all bases, but over time – and as regulators start to clamp down – more precise notices that satisfy legal requirements but also engender trust.

—Dave Navetta, Cooley

What customer data, exactly?

“We look at it in three buckets,” says Raese:

1. The information that you give when you sign up for a program
2. Tracking your behavior when you’re making purchases or different types of interactions. A lot of the programs today will incent you to interact with the brand is (e.g., hashtag in social media, review writing, and award redemption), and
3. Progressive profiling. The attempt to get additional information through, for example, surveys about what customers enjoy.

In this context, it’s not necessarily the sensitivity of the data. It’s the big picture of the data. If you collect a lot of data, you start to learn a lot about people from a privacy perspective and that causes issues.

Regulators and legislators look at the aggregation of [PII], and the inferences and insights that companies can get as a result. There are potential privacy violations that arise in those instances.

—Dave Navetta, Cooley

“What we’re starting to see, is the laws around loyalty programs are making it more difficult for companies to be able to achieve what they want to achieve without having to jump through some compliance hoops.”

Balancing the value and risk of a loyalty program

“If you were going to stand up a cross-functional team to help deliver value from a customer loyalty perspective but mitigate the risks who do you think should be on that team,” asks Milone.

All the stakeholders in that data.

You don’t want to have a cast of thousands, but you want to make certain…the right people are involved at the right time for the right reason with the right data to make the right decision.

—Bob Seiner, KIK Consulting

Who has authority and accountability? The organization, not single individuals, explains Seiner. “A lot of organizations still use the term data owner because it’s been built into the language, but more organizations are starting to refer to these people as stewards of the data.”

“We’re seeing that for most of the organizations that are being successful with this, it is coming from the top and it’s throughout the organization,” seconds Raese.

Data governance is the execution and enforcement of authority over the management of data and data related assets. But how are you going to get to the point where you’re executing and enforcing authority over the data?

Start to involve stewardship, which is definitionally the formalization of accountability.

— Bob Seiner, KIK Consulting

Loyalty program best practices

• If you don’t really need the information, don’t collect it
• Respect the data and respect your customers
• Be aware that loyalty programs are on the radar of regulators right now and they are looking to make examples
• Be aware that the new privacy laws that are coming online surrounding this issue
• Understand the roadblocks you need to overcome
• Legal and audit departments are your friends! Work with them
• Partner with data governance to be sure you’re doing all the things you need to
• Be purposeful and intentional with data

Watch the full session on-demand

Listen to the session audio