Privacy Lawls with Donata

Ep.22 | How consumers can better protect their privacy online (Guest: Shannon Ralich)

Now that everything from your phone to your microwave is “smart” and collecting data, what can consumers do to ensure they aren’t giving up their privacy rights for a fancier microwave jingle?

We talk with Shannon Ralich, an innovative legal, AI, and privacy executive, to get some ideas on what to look out for and avoid as a consumer.

Show Transcript

Hello and welcome to episode 22 of Privacy Lawls, where I, Donata Stroink-Skillrud, speak with amazing privacy professionals. And we have some laughs along the way as well. Today I’ll be speaking with privacy attorney Shannon Ralich about how we as consumers can protect our privacy.

Shannon is an innovative legal, AI and privacy executive, driving business growth through strategic management and transformative product development. Shannon is currently an advisory board member in the Privacy Bar section of the International Association of Privacy Professionals, the regional chapter chair of the Carolinas at Women in AI Governance, and the Senior Director, Associate General Counsel of privacy and AI at JFrog.

So Shannon, thank you so much for joining me today. What made you interested in working in the field of privacy?

I like how you said, um, chaotic environments working on privacy policies, which is my job. An extremely chaotic environment of new legislation, changes to laws, new rules, guidance, enforcement actions. There’s so much going on and then you have to somehow combine that all into one document.

Absolutely. Um, you’ve also been a part of some really cool nonprofits in your career. Can you tell me a little bit about your volunteer work?

When I was a kid, we had a golden retriever and it was just the chillest dog of all time. Like he just hung out and just had a good time no matter what you were doing.

And.

And now I have two. I have a husky malamute and then I have another one that’s a German shepherd gray Pyrenees mix. Nowhere near as chill. Both of them are not chill at all.

They’re, they’re cute dogs for sure, but one of them is always barking and the other one is always screaming at you,

um, while working in privacy. Are you finding that more privacy attorneys need to learn more about AI as part of their job?

Mhm.

It’s interesting from what I’ve seen in the last few months is that, um, a lot of products are adapting AI where they weren’t before. And from my experience, I’ve seen a lot of things where AI is included now and there’s no option to turn it off. Even, um, which I think is kind of scary because you’re right, there’s a lot of privacy risks that come to that.

Maybe at least we should get an opt out feature.

So today we’re going to be talking about privacy for consumers. And I know we’re both privacy lawyers, but we’re consumers in our everyday lives as well. So I think this is a very important topic that a lot of people don’t necessarily know too much about. Um, you know, compared to previous years, so much more of our lives are happening online right now.

So what types of tools, technologies and actions are collecting personal data in our lives even when we might not know that that’s happening?

The smart refrigerators. That one really gets to me because I mean a part of it seems convenient, but why do I need a camera in my fridge to like tell me what’s in the fridge, what I’m running out of, what I need to buy. I mean, I can just look like I have eyes.

I don’t need that.

Mm. Um, yeah. And then your fridge needs the software updated and you can’t open it or you know, it seems like a lot of it. Yeah, so much of it is going to take away like basic critical thinking for a lot of people, I think. Um, what about collection of data?

You know, there are, there’s a lot of collection of data where we do realize that, you know, you put on the smartwatch or you submit your data on a website, but are there points in our lives where data is being collected that we don’t necessarily even realize it’s happening?

The incognito one really gets to me because I remember a couple years ago, you know, I would use incognito mode to, for example, visit our company website just to see how things look for a consumer who hasn’t been on the site before. So I would go in incognito and then I would look and then I would X out of the page and then a couple days later I would start typing the domain again.

And then it would pre-fill the domain for me, um, or pre-fill a certain page for me. And I’m like, this isn’t right. It’s not supposed to know this domain because I haven’t, it’s not supposed to pre-fill it for me. And I remember telling my husband about this and he’s like, yeah, you’re just crazy.

Like there’s no way that they’re telling you it’s private. They’re not, you know, collecting this stuff. It’s incognito mode. And then of course the lawsuit comes out saying that incognito mode, they do actually still track you on it. So. So

Yeah, it’s, it’s wild. Um, so when we’re going through these things, as data is being collected about us, what types of data are collected?

It’s, it’s pretty wild for sure. And I think most people assume, okay, I’m going to go online, I sort of know that some data is collected about me, but really what’s the harm, you know, of people having this data about me? So how could this data be used against us as consumers?

I think it’s scary how this data, you know, could be hacked as well. So like the Ring doorbell, people can know when you go to work or when you come home or who’s at home and you hack into it. And I’ve seen, um, reports of children’s monitors, um, being hacked to say nasty things to kids or people getting attacked in their homes.

And stalkers, um, can see where you are at any given time. Um, you know, and I think that a lot of it is, you know, especially in other countries, if you’re a certain religion or sexual orientation, um, the government could potentially use that against you as well. People have been jailed and accused of crimes based off the wrong AI identification.

Um, you know, it’s, it can get pretty scary pretty fast I think.

Yeah, exactly. So that definitely illustrates that if these things can be hacked, you know, then you’re, you’re kind of, you don’t have any more privacy anymore because that can be used against you. Um, so something that we all do on a regular basis, a daily basis, probably multiple times per day we’re visiting business websites, maybe we want to learn about somebody’s services or we want to buy something.

Um, as a consumer how can you quickly spot whether a website is privacy friendly?

What I like looking for is um, pre checked boxes. So if I’m looking for something on a website and I see a form and it’s pre check the box, send me sms, uh, text messaging or sign me up for email marketing, I’m not going to submit my data because I know they’re going to sign me up for it no matter what I select.

And you know, that’s a very basic tenet of consent and privacy by design is don’t pre check those boxes. So if they haven’t pre checked I know they probably don’t care about it too much.

Yeah, yeah, I love doing that. So I do like donata plus walmart@termageddon.com and if I’m getting emails from, I don’t know, Teemo, um, you know, and uh, not that I have not to like be calling Walmart out here because they haven’t done that but um, you know, then I know that they shared that information or they sold it with somebody they weren’t supposed to do it.

Um, so that’s a really great way to like very easily spot who did that.

Yep. So you just talked about cookie consents and being provided an actual, um, choice. So you know, when consumers go on a website and let’s say they are given an actual choice to accept or decline, which is not every website unfortunately. But should they be accepting or declining those cookies when they’re given that option?

Yeah, I like doing that. I like accepting functional but not marketing or not accepting the advertising cookies. Especially on something where, you know, I already know what I want to buy and I don’t necessarily want to get ads for the same item for the rest of my life.

Um, but sometimes when I don’t know what I want to buy, I will, um, I will accept advertising cookies because I think that I’ll get like a discount or something. Like I’ll see an ad and get a discount. Maybe I’ll buy it then if I’m not sure right now.

Yeah, that’s a great trick for sure. So you know, this has happened to me a couple times and I know a few other people who it’s happened to. Um, so I go on a company’s website, I don’t submit my email, I don’t submit my contact information and I leave without purchasing anything.

And then about an hour later I get an email telling me about a sale the company is having on those products. How does that happen and what can we do to prevent that?

I think those IP intelligence tools is definitely one of the creepier technologies that companies are using right now because it’s so jarring. Right. Um, you know, as a consumer you do kind of, I mean you’re not paying super close attention usually, but you do kind of know, okay, I didn’t buy anything here and I didn’t sign up for anything here.

Where did they get my email from? And I wonder how much these tools cause privacy complaints or privacy inquiries and whether it’s truly really worth it. Because if I wanted to know about your sales, I would have signed up for your email marketing list. You know, I clearly didn’t do that, so I didn’t want that.

And then boom, I get the marketing anyway and I really hope that um, there’s legislation that, that stops that soon. Um, on the other hand, let’s say I do go to a website and I did submit my personal data or I signed up for their email marketing list or sign up for their text, but I’m just getting a ton of spam, right?

They’re constantly bugging me with sales and marketing and whatever else. How can consumers stop that?

I recently found a hack, so I get um, a ton of spam messages. So I own a business and 90% of the text messages that I get are from companies offering me loans or some kind of business services or something like that. And I’ve never signed up for any of this stuff.

So my favorite hack right now is to reply with, um, you know, they say, I’d love to discuss business loans with you. And I’ll say, I would love to discuss my privacy rights with you. And then I get a message saying that you have been, um, uh, manually opted out of receiving any more text messages from this company.

And that’s what I’ve been doing. And once I reply with that, I never hear back from them again. And I just discovered this a couple weeks ago, um, and it’s working really well.

Yeah, yeah. I think the people spamming me haven’t even heard of GLBA, but you know, because they wouldn’t be spamming me in the first place. Uh, and they’re not from like actual legitimate financial institutions, I don’t think.

Mm, thank you for having me.

Of course. Before I jump in, all these views and opinions expressed today are my personal opinions and don’t reflect the views of my employer. My journey into privacy began through cybersecurity. I’ve always been drawn to really complex problems. There’s something deeply satisfying about bringing clear, structured solutions to really chaotic environments.

And privacy and security are inherently intertwined. You simply can’t have effective privacy without very strong security foundations. So when the GDPR was introduced, expanding my practice into privacy felt like a very natural progression. The field combines technical challenges with real human impact, which keeps me engaged and motivated every day.

Yes, privacy never sleeps.

Or well, giving back has always been a core value for me. I co founded a STEM nonprofit focused on creating opportunities for high school girls to explore tech fields. Um, giving them an opportunity without any pressure or financial commitment of choosing a college major without any experience. It provides this safe environment for them to experiment and discover passions and just as valuable to learn what doesn’t resonate with them, um, career wise before they select their major.

More recently, my volunteer focus shifted to golden retrievers. I’m a proud dog, parent of two wonderful Goldens, and several years ago I joined the board for the Neuse River Golden Retriever Rescue, where I focus on fundraising and awareness initiatives supporting our rescue, rehab and adopt mission. There’s something magical about golden retrievers.

They immediately bring joy to everyone they meet. And supporting rescue efforts has been incredibly rewarding.

Oh, but I’m sure they’re very beautiful.

Oh no,

Absolutely. Understanding emerging technologies, both their potential and limitations, is really essential for privacy attorneys. AI requires a reinterpretation of traditional privacy frameworks, from data collection practices to, um, algorithmic transparency to decision making. And developing a foundational understanding of AI is increasingly critical for effective privacy programs. Whether you’re reviewing procurement agreements to purchase a new AI tool or you’re, uh, advising on a new product feature your client plans to launch, AI has created some very novel privacy risk

That is definitely a common theme for a lot of enterprises. They want control over the data in their tech stack, and so they want to be able to run, um, a full risk assessment before deciding whether to implement these technologies.

The digital footprint of our daily lives has expanded dramatically in recent years. Personal data is consistently being collected through our phones, smart home devices, wearables, social media platforms, web browsers, loyalty cards, vehicles, and apps. The expansion of Internet of Things or IoT devices means that any connected device, from our doorbells to our smart refrigerators, to washer and dryers, to voice assistants, they’re all data collection points.

Mm. Not every solution is to solve a problem

Or, mm, it crashes.

While privacy notices disclose data collection practices, the reality is that many collection methods remain largely invisible to consumers. The majority of consumers are not sitting down to read privacy notices. The additional background tracking technologies, for example like cookies, pixels and device fingerprinting, follow online activities across websites without apparent indicators.

And for the record, no, Incognito mode does not make you invisible on the Internet. So you have these collection points such as public, uh, Wi-Fi networks that can monitor your browsing activity and your location. You have same, uh, with Bluetooth can monitor your location. You, uh, can have mobile apps collecting, uh, location data, contact information, usage patterns even when they’re not actively being in use.

Uh, data brokers then also aggregate information from multiple sources to create very detailed profiles without any direct consumer interaction.

That was actually one of my favorite privacy uh, day questions that I would always ask and give away a prize is to have a multiple choice answer of what Incognito mode actually does and what it doesn’t do. And that was really enlightening to see the answers because there is a broad range

That’s a long list but some beyond the basic identifiers like name and email address, mailing address, telephone number. You also have companies gathering browser information, search queries, purchase records, exercise habits, sleep patterns, social connections, emotional states, personal preferences, location, whether that’s specific or approximate, IP addresses, uh, content patterns, spending patterns, transaction histories, uh, device data, usage patterns and inferences.

This list just goes on and on. And that’s what’s so interesting is when you tie it back to how connected we are on a regular basis, then yes, there’s just more data to go around because almost everything you interact with on a day to day, minute by minute basis.

So think about how many times you pick up your phone every day and what you’re doing with it. Uh, think about how much data ah, you have produced in one day. It’s really shocking.

Uh, here’s the unfortunate reality that there are some harms that could occur. There could be, uh, financial exploitation through discriminatory practices. Um, sometimes they’re called personalized pricing. There could be targeted scams or manipulative, um, marketing based on profiles. Hypothetically an airline for example could charge more to a business traveler than a leisure traveler because they know that a business would be paying for it.

Um, there could be examples of um, algorithmic discrimination which can affect social services, employment, housing, education and financial services. Personal uh, data collection can enable social engineering attacks and identity theft which we’ve seen a stark increase in over the last 10 to 15 years. And location data can enable physical tracking which there have been news stories about people um, being tracked.

And the uh, question of whether you have any actual privacy, whether it is online or in the real world.

Absolutely. Well as we said earlier, you really can’t have privacy without security.

Great question. First I would start with utilizing a privacy friendly browser that helps to block trackers. Check if the site uses HTTPS encryption, so look for the little padlock in your browser. Uh, privacy friendly sites typically offer meaningful cookie choices and provide clear opt out methods. Presence of data subject rights section in their privacy notice explaining how to delete your data or a self help tool within their administrative console.

Look to see how much personal data they’re collecting. Is it truly necessary for the purpose of your engagement with them? Do they make it simple and easy to then delete that ah, data later?

I know that there’s been a lot of discussion about web forms and I’ll just say in general, keep in mind that while you may need to complete a web form, there are some methodologies you can use to still protect your data. For example you uh, can use some of these more advanced feature sets of having a unique email address hide uh your email feature.

Uh, Google also allows you to add, uh, your Google email address and add a plus sign followed by any word and so you could tag this particular company, give them a unique email and then it allows you to be able to filter better in your box. But also you can see if they sell that later.

Absolutely, mm. It helps shine a light.

That’s really a personal choice. I think cookie choices should be made thoughtfully depending on how you’re going to use the site. Many sites offer granular cookie controls, so you can select to accept only the cookies you’re comfortable with in a particular category.

Yes. There used to be that really famous trick of go shopping on the site, put a bunch of things in your cart and then walk away and wait for the coupon code to magically appear in your email box.

That likely happened through cookie based or device fingerprinting tracking combined with email matching. So if you’ve previously shared your email with that company, a business partner or a data broker, your browsing session can be connected to your email through cross site tracking tech. A uh, fun experiment then is when you provide that unique email address.

You can see then which company provided that email address to this other company, um, either sold it or shared it. Uh, that’s one methodology again, using that plus symbol and categorizing it. You can also use the hide my email function to create a randomly generated unique email address. And then you can also delete it at any time.

Which is great because at least then if you decide you no longer want the type of content that’s coming in, um, some people will go through the unsubscribe process. Sometimes the unsubscribe process fails and so you may be forced then to uh, actually remove that email address and prevent it from coming through anymore.

If you look at the email usually on the bottom, there’s either an unsubscribe option or a preference center of some type. So maybe you want to adjust the frequency of those emails. Maybe you’re still interested in seeing what’s new at that store, but you don’t need an email every day or you didn’t sign up for this and you don’t know why you’re getting them, then you can uh, unsubscribe from them.

For text messages you can reply stop, which typically triggers an automated unsubscribe. If these methods don’t work, you can contact their customer support directly and explicitly request removal from all marketing lists. For persistent problems, you can also use email filtering to create rules to delete or redirect those messages from particular senders automatically so they’re not clogging up your inbox.

Well I think in that example that’s because we have some great friends, privacy professionals within the financial industry that really focus on their uh, GLBA compliance and we thank them for it.

Um, so, you know, how do companies that you never interact with obtain our data?

I’ve seen people complain about this where, you know, they buy a ladder online and then next thing you know they’re seeing 30 ads for ladders as, as if they’re collecting ladders now. Just like, I already bought one, I don’t need 50 of these.

Um, we briefly touched on smart devices. You know, there’s, there’s a lot of these and there’s a lot of health wearables and anything from your washing machine to your watch to, you know, anything you could possibly want can be a smart device. Now before somebody buys a smart device, how can they learn about the privacy practices of that company or of that device?

Mm. I saw a smart toaster once and I’m just like, at what point do we just stop? You know? But um, I really like the Privacy Not Included reports, especially their holiday editions, because that seems like the time where everybody’s buying smart devices for their family members. And you know, I remember years ago the 23andMe was included in those reports and saying, you know, probably not the best idea to buy this for somebody because you know what happens to that data?

And now we’re seeing that with their bankruptcy. If everybody’s very worried about their data getting sold or shared during that, the sale of the company.

I like it. Yeah. So, you know, let’s say we didn’t check this before and we bought something and the device is already in our house. How are there any kind of settings that we can use to protect our privacy? And how can we find more information about that?

I really like the idea of assigning a different Wi-Fi network to your IoT devices. So at home our Wi-Fi, our regular Wi-Fi that we use for most things for, uh, this will make sense to fans of The Office, but we call it PP Halpert. Um, and then our IoT is IoT time.

So we do have separate Wi-Fi for those things. And I remember when I bought my washing machine, it’s a quote unquote smart washing machine. So I could buy, uh, I could install an app and it basically pings my phone when the washing cycle is done. But I’m just like, I can just listen, like I can just hear it know and does the chime when it’s done and I could just listen for that.

I don’t really need an app for that. So I never connected it. But you could always disconnect it from Wi-Fi and delete the app, which can clear your data. So I mean, you could always disconnect stuff that you don’t really need to.

Yeah.

Yeah, it’s definitely more stuff that can break. Um,

They can do that in several different ways. And usually

one trick I’ve noticed is some um, consumers aren’t aware that on some sites if you go on and start completing a web form, they actually do receive that information without you submitting the form. So they could have a partially completed web form provided to them. They could have um, utilization of this tracking tech.

Other times they have lead generation services that just help provide, you know, a list of individuals that they may want to contact. Um, those toolings may not distinguish between, um, a business or a consumer. And so you may still end up then on this other list even if you’re not the targeted audience for that.

Um, so that can definitely happen. Most of it comes from this tracking uh, tech and ads. So you click an ad, you end up getting tracked across the Internet for that and then you end up receiving more ads that are focused around that style of content. I think there was a story going around for a while of someone that um, was shopping for their friend’s baby shower and they did not have a child.

But after they did that shopping they couldn’t escape all of the ads that were showing up everywhere. On their tv, on their computer, on their phone, for all this baby gear. And they were like what is happening here? And I think that is one illustration of in some ways it’s great because once they know what you’re looking for, they can make your efforts to find it very easy.

But at the same time if you’ve completed that project and you don’t want to see that shopping effort anymore. Um, that cross site tracking can be quite challenging to then move on past, um, onto your regular shopping habits.

They can research the manufacturer’s privacy reputation through consumer advocacy organizations such as the Consumer Reports, the Electronic Frontier, uh, Foundation and many others. They can also read the privacy notice and focus on what data is being collected and for what purpose. I’m also a big fan of Mozilla’s Privacy Not Included site, which um, really does a nice job of trying to simplify very complicated notices into a quick uh, gut reaction and simplification of some, some of the data collection practices.

You can also research online for news articles related to the manufacturer, which may make mentions of uh, privacy controversies or data breaches. Check if the manufacturer provides regular security updates in their help centers. So look for that and how long they commit to supporting your device, which is important.

That’s how a lot of data breaches have happened is people didn’t realize either that they were supposed to be updating the piece of hardware or that it was actually out of life, you know, end of life, out of the uh, update cycle. So look for uh, privacy certifications and compliance standards also like ISO certifications.

And I like that Mozilla’s Privacy Not Included site takes a very broad perspective of the coverage. So you’ll see children’s toys on there, you’ll see wearables, you’ll see uh, standard IoT devices, but also more creative things that you may not even stop to question in a moment, but you really should.

And so even just browsing it, I, I don’t know, maybe it’s the privacy geek in me. I just find it quite fascinating to read so well.

Sure. So if it’s already in your home, I would understand the technology. Does it have a microphone on it? Does it have a camera on it? Uh, hopefully you considered those things before you purchased it because ideally you wouldn’t purchase something that has a piece of hardware in it you don’t need.

And then consider does it use random identifiers on cloud servers? Is the data encrypted on the device itself and in the server that it’s syncing with so during transmission and then it’s storage on the server. These are things that you can usually find in FAQs and documentation that comes with the hardware.

Um, understanding once it’s home, number one thing, please do this. Please update the password to a strong password. Not 1234, not your home address, not any of those things. Let’s make it strong, challenging letters, numbers, uh, and symbols. Let’s turn on multifactor authentication. Please set up separate, um, guest networks for smart devices to isolate them from your main network.

When you sign up, read the options. They do give some options that you can opt out of some of the tracking in there if you take a few moments to really read what they’re asking. And uh, I would always say when you’re doing device setup, don’t rush it. And if you have to keep start over, you know, you can reset the device and start all the way over from scratch and do it again.

It’s never too late to reconsider the options that you’ve set up. So think about limiting third party integrations. So everyone offers connection to something else that offers a connection to something else. Um, that just means you’re just sharing all of that data across to many other platforms and companies use, uh, your device controls to limit how much personal data usually comes with an app that then has another set of settings.

So consider that as well. Keep the app and the device firmware regularly updated and then once you decide you’re not using that device anymore, request that your data is deleted. And then delete your account. And remember, you can do everything right and hackers can still find a way. Security flaws are a way of life unfortunately.

And so just keep that in mind.

Nice.

Absolutely. And really consider whether the device needs to be connected when you go to purchase a device. Because you can save yourself a couple hundred dollars, especially on these major purchases of not having a smart or connected device. You think about how that, how that would function for the way that uh, this device works and your lifestyle.

And if you don’t need it, you could save yourself some money. Because keep in mind it’s more equipment, it’s more complication and it does add another layer of complexity that potentially could fail. So that’s something to, hmm.

You know, so when we go to like, let’s say a website or we wear a device or buy a device, a lot of consumers assume that that information that’s being collected, it’s just provided to that company and will not be shared or sold. Um, is there anything that consumers can do to protect that their information from the sharing and selling?

I think the number one thing they can do is really understand the ecosystem of the device. Some are inherently meant to function in a way that they’re going to share across. And usually there’s mention, especially when you get certain devices, like whether they’re going to share um, with your insurance companies or employers or your family members that are on your plan.

You uh, can find those options in the tooling and you can find mentions of that in their notices, really stop and take that into account. You’ll also see um, special biometric notices that will pop up that will explain if they’re sharing additional information that way. There um, are of course some companies that may use anonymized data for either research, um, marketing, product improvement.

Um, if that concerns you, you can um, reach out to them to discuss that further. Understand really what that means, uh, opt ah, out of it if possible or look for devices that avoid this.

Yeah. Just because you decline cookies on your phone, that doesn’t mean you decline them on your laptop. Um, you know, you can still be tracked. That’s a really great point. Well, Shannon, thanks so much for, um, talking to me about consumer privacy today. Um, definitely a very interesting and important topic, something that we run into all the time.

Absolutely. Thanks so much, Shannon. And to our listeners, uh, definitely make sure to subscribe so that you don’t miss our next episode.

But I think on the flip side of uh, protecting your personal data online, you know, when it devices are much more complicated than that nature because now you kind of have two layers, um, when you’re online, you can use privacy enhancing technologies, uh, like tracker blockers, VPNs, privacy focused browsers, uh, regularly assess your, uh, cookie options and what cookies you’re willing to accept and look at those browser settings because, uh, some sites are actually reading those and acknowledging and accepting those others are not.

So for those that are automatically reading them, you want to make sure that you are sending the signal that aligns with your, um, tolerance. And so consider those. And it varies per device. So from your computer to your phone to um, iPad or tablet, um, to your tv, they’re all going to have different settings and so you have to be diligent in doing them all.

We do. Thank you so much for having me. And uh, please, please, please, if you take nothing else away from this, turn on 2FA, make complicated passwords, have a unique network for these, uh, smart devices, and do a little bit of homework and talk to friends and family even about the devices and look at that manufacturer’s website because it could save you a lot of concern and grief in the end.

Thank you.
