Privacy Lawls with Donata
Ep. 30 | Navigating privacy regulations as a data broker (Guest: Zane Witherspoon)

What is the legal definition of a data broker? How is it different than most people think? What kind of privacy laws impact data brokers? What’s the best way to navigate those regulations?
We discuss all this and more with our guest, Zane Witherspoon.
[00:00:00] Hello and welcome to episode 29 of Privacy Lawls where I, Donata Stroink-Skillrud, speak with amazing privacy professionals. And we have some laughs along the way as well. Today I’ll be speaking with Zane Witherspoon about data broker, uh, regulations. Zane is a certified information privacy professional, a technologist and serial entrepreneur with 10 years of experience building tools to help people own their data.
Zane is the founder and CEO of Superset, which provides a suite of privacy tools, including privacy inbox automation, data broker registrations and data mapping. He previously founded Dispatch Labs, a blockchain technology company for data ownership that grew to 25 employees and Fathom Privacy, a data portability company that was acquired by Delphia Technologies.
So Zane, thanks so much for joining me today. Thank you so much. What a wonderful, sweet introduction. Um, so what inspired you to [00:01:00] start Superset?
Superset has a little bit of a weird founding story. Uh, I’ve been working in consumer data for 10 years on the side of consumers. I feel like I need to specify sometimes. Um, and I’ve been watching as the regulation in the space has grown and grown. GDPR and CCPA, the right to data portability unlocked, basically it was a key to the walled gardens of the tech oligopoly.
Facebook, Google, Amazon. We finally had a way to know what data they had about us and even access it and find new interesting use cases for it. And that was the foundation of my last business, Fathom. Uh, we ended up getting acquired by a hedge fund, Delphia Technologies, which had a really cool sort of data to dollars equation of data contributors can move over their shopping, their browsing, their activity data into this hedge fund.
The hedge fund then gets [00:02:00] an edge to be able to make good investments and they can return shares, the hedge fund to the data contributors. So it was a really cool, uh, data monetization opportunity outside of the typical, you know, sell it to advertisers again. Yeah. Uh, after the acquisition, Delphia came to me and said, Hey.
We’ve got some money set aside for a data rights initiative to give consumers confidence that we’re handling their data appropriately. Would you like to take that and turn it into a new business? And so without very much, uh, without really any, um, planning, without much of an idea about what the problem was going to be, just knew that it had to do something with enforcing data rights and helping consumers with their data.
Got some very mission-driven pre-seed capital in the door. And I started doing some exploring. I brushed up on the new state laws that had been coming out and what really caught my attention was the Delete Act in [00:03:00] California. How many data brokers had not registered? And, sorry, this is already a long-winded answer and I’m finally getting to your, into answering your question, but, uh.
At the time there was about 400 registered and there’s, uh, experts estimate four to 5,000 data brokers in the world. I wondered why 90% of them had not registered, so that kind of inspired me to see like, you know, maybe they’re having trouble with it. Maybe they don’t realize that they need to. I had a lot of calls with a lot of them and realized that for the most part, I’d say about 80 20 were just unaware of these laws and another 20%.
I just didn’t wanna follow them. I can talk on that too. Uh, but that was really kind of the initiation of the problem statement of like, all right, there’s a lot of greenfield here for. Businesses that are newly regulated for the first time to get some help, make it easy to help them follow these laws.
Yeah, it’s very interesting, you [00:04:00] know, with me working in compliance as well, of how many businesses are not aware of the requirements that apply to them. And I, I think it really depends on the size of the business, right? Like when you’re a small business, you’re really focusing on your customers, on your products.
On the services that you offer. You know, as a business owner, you wear 20 different hats and you’re doing 20,000 different things per day. And you know, when you’re a compliance professional and you’re like, Hey, there’s some stuff that that applies to you that you need to comply with, um, they’re always pretty blindsided by that if they haven’t heard about it before.
Um, but I guess a good part of enforcement is that more and more businesses are becoming aware of their, um, obligations, uh, and, and looking, are looking for help on how to meet those obligations. So it’s, it’s always a good opportunity for, for compliance professionals, most def, most definitely. Uh, I’ve heard the phrase something about, uh, the law.
The wheel of law moves slowly, but it [00:05:00] grinds fine. Yeah, it grinds exceedingly fine. Yeah, that, that’s very true. Um, you know, a lot of people for like criminal convictions and things know that really well, um, in the sense of, you know, it might take you a while to get caught. It might take a while for them to prove it.
Um, but it, it takes, takes a minute to get to the end result, but eventually things get sorted out, um, for sure. Um. Yeah. Are you getting a lot of questions about like, should I do this, should I do that? Of course, yeah. Yeah. I always wanna treat us like privacy lawyers. Yeah. Everybody in compliance gets that question, should I be doing this?
Or what is legal? What is illegal? And you know, uh, a lot of businesses, it’s interesting ’cause you look online and a lot of. SAR we’re 100% GDPR compliant. And you look at their privacy policy and it’s like they’ve never heard of GDPR requirements. Right? Yeah. Which is why I’ll always see that as a red flag.
You know, if I’m doing vendor due diligence and I go onto a [00:06:00] company’s website and they tell me they’re a hundred percent GDPR compliant, I’m like, okay, I guess we’re gonna see, uh, because now you have my attention. Um. You know, outside of work, um, you’re also the president of the Palooza Foundation for the arts.
Mm-hmm. Can you tell us a little bit about what the foundation does? Yeah, absolutely. Uh, we are a 501(c)(3) nonprofit based in New York that showcases and exhibits artists, talent and um, community in the New York City area. We’ve been throwing creative events for many years, and so we finally organized ourselves enough to turn it into a full on nonprofit, uh, where we throw events that showcase important social causes.
Uh, we had a really great event a couple years ago during the WGA writers strike where we threw a, uh, we threw an event that was a sort of theatrical fairytale version of [00:07:00] the writer’s strike. Hmm. And so it was, uh, the premise of Evil King had invented Magic Mirror, GPT and was threatening to put all of the fairytale characters out of business.
And so we had these, uh, we hired. Writers that were out of work from the strike and, uh, actors and local artists. And we had sort of like a scene, musical act, scene, musical act, sort of premise. Um, had been very immersive where the, uh, fairytale, the Disney princesses were out there like picketing with the audience, giving them signs to walk around.
And eventually the evil king gets beheaded by a drag executioner. Uh, wow. But we throw a lot of these, uh, a lot of these events around the city and it’s, it’s a really fun, creative outlet. That’s awesome. That, that’s really cool to do something like that. I’m sure it helps a lot of people too and, uh, you know, evolve, which is awesome.
Yeah. The most fun part is like when I have friends who, when they talk about how they met each [00:08:00] other, they’re able to reference some of the pools, events that we’ve thrown. Nice. It’s really great to see the community come together. That’s awesome. Um, as somebody who’s a privacy professional as well as an entrepreneur.
Do you have any advice that you would give to other privacy pros that want to start their own privacy tech companies? Hmm.
Give yourself a lot of runway because like, uh, the law that turns slowly, so do compliance teams oftentimes, um, it’s not a fast sales cycle and you gotta kind of brace for that. It’s, it’s a lot of arguing, uh, not arguing, but, you know, showing the benefits of prevention versus cure. Mm-hmm. Uh. I think everybody who’s sold in this space knows that it’s like number seven on everybody’s priority list until the day when it suddenly becomes number one, and they need it solved very quickly.
And so it’s a matter of just being out there, being prepared for those [00:09:00] opportunities. And, uh, it’s a lot of relationship building at the end of the day. You’re selling trust most of the time that you are able to solve this problem for them, and especially when it’s such a high integrity, high importance problem that.
Relationships really matter a lot, is what I’m finding. I I totally agree with that. I mean, for us, we, we have customers asking all the time or, or prospects, what are the consequences of me not doing this? Um, you know, what are the chances that I’ll get fined or sued for this? Or what are the fine amounts, you know?
And, and you have to tell them like, look, it’s not just about the fines, it’s also about the trust with your customers. Um, you know, people who visit. Websites are looking for this stuff now and are not willing to buy from companies that don’t respect their privacy. So it, it’s a lot about like the carrot and the stick, where the stick is, the fines and, and the lawsuits versus the carrot is, is building trust with your, with your customers and prospects.
For sure. Yeah. And shout out Cal [00:10:00] privacy for really cranking out the enforcement actions on data brokers recently because that’s, that’s free advertising for us. You know, I’ve, I’ve a lot of. Customers that point to their competitors and say, well, they’re not registered. Oh my gosh. And they do the same thing as us.
And then I’m able to point them to like, well actually these other four competitors of yours have already been fined for not, uh, for not registering. So just ’cause they’ve gotten away with it doesn’t necessarily mean that everybody’s got Yep, everybody’s going to, for sure. We get that a lot too. Like, my competitors don’t do this or.
You know, my competitors haven’t been fined or sued, so that means that I’m good and I’m just like, I would not assume that, you know, it’s obviously up to use business owner to figure out your own privacy risk, but just because this one particular competitor hasn’t gotten into trouble. Doesn’t mean that others won’t or that you won’t, you know, it’s, it’s, do you wanna roll that dice or not?
Um, yeah, it, it’s definitely tricky. Um, so getting into our main topic for today, um, data broker [00:11:00] regulations. Um. So what types of businesses could be considered data brokers and therefore be subject to these regulations? Yeah. The definition of data broker that’s made its way into law, I think is pretty different from the idea of data broker that a lot of us have in our heads, uh, at least like the collective consciousness.
Uh, it’s very broadly defined. A data broker is a company, I’m going to paraphrase here ’cause the different states have a little bit different requirements, but generally speaking, they’re companies that are collecting and selling slash sharing third party data as in about consumers that they do not have a direct relationship with.
Um, selling and sharing is also very broadly defined as any transfer of data for some exchange of value. Uh, that definition, I, I heard from someone at Consumer Reports, uh, that they’re partially responsible for such a broad [00:12:00] definition. ’cause they really wanted to make sure they were able to capture something like Facebook that, uh, exchange data for something other than money.
If you exchange it for ad space, that’s an exchange for value, something like that. Um, so it’s, it’s a pretty broad definition and it’s getting broader as California recently expanded. Uh, clarified that if you have first party data from consumers and you mix in third party data and then you sell or share it, that is considered third party data.
Then that third party data kind of takes over if you mix the two. From a consumer perspective, I personally don’t love these definitions. Um, from like a privacy lawyer perspective, it makes sense. But really if you think about it, if you take Joe off the street and you give him a privacy policy that says, we are going to sell, sell your personal data, he’s going to assume that you’re gonna take.
Your customer list, sell it to a data broker for $500. He’s not going to assume that this includes Facebook advertising or [00:13:00] Google Analytics. Same thing like do not share my personal information opts people out of targeted ads. In many circumstances regularly, people don’t, don’t understand that. They think it’s just sharing personal information with any third party for any reason.
There’s no way in their minds that they would connect that to targeted ads. Um, so this seems like very much a lawyer’s definition instead of a definition that will actually help consumers because this is not how they see it. Yeah, and the fact that, um, the biggest data brokers out there, in my opinion.
Are oftentimes they have the first party connection. It’s like, uh, uh, the example Robinhood, you know, they don’t charge any fees for trading because they’re selling your trading data to hedge funds. They’re collecting all this data about you that you’ve given them. Um, and that actually, you know, has, in some cases, you know, the, the GameStop incident.
Turned [00:14:00] into, you know, harm for those consumers that were contributing that data. ’cause they’re getting outbid, uh, by the people Yeah. That they’re trading this data with. So it’s, it’s, I think not conclusive, uh, not totally inclusive of like the ways that could benefit consumers. In practice, though, the legal definition I think kind of turns into three buckets.
There’s the ad tech companies. That are collecting usually pseudo anonymous identifiers, but still qualify, uh, marketing tech companies, which are generally like lead lists, B2B or B2C. You know, find people who are interested in washing machines or make a certain price threshold in this zip code. Um, here’s their home address so you can go mail them things.
Uh, and then the people search sites. Which fair? That one. That one. I’m glad that one got caught in the, uh, definition because as we’ve seen from so many high profile political, uh, assassinations, honestly, that can cause some real danger for consumers for sure. Yeah. [00:15:00] So what problems do these data broker laws aim to solve?
Yeah, the. CCPA, GDPR, CPRA, most of the other state laws give consumers the right to have their data deleted amongst with many others, but they don’t tell you where that data is. And so there’s this knowledge problem Yeah. Of like, great, I have this right. What do I do with it? And it really does backfill a pretty important gap there in consumer, uh, safety of creating a publicly accessible registry of places where you don’t know where your data already is.
So the mission of it is a great idea. Consumers that really want to be offline, um, have their data cleared, let them know who has it. That’s the fundamental problem of what these laws are addressing. Yeah. Um, so in terms of the, um. In terms of the consumer portion of it, so let’s say I’m a [00:16:00] consumer in California, so I have this right to have my data deleted.
I, I go to the website, I look up all the data brokers and the, that have registered with the state. What do I do then? Do I have to email every single one of them and say, Hey, delete my data? Is that the case? Yeah, yeah. Basically right now, um, there are companies popping up. To help consumers with this process.
Uh, Consumer Reports has their own application, Permission Slip. Some of the biggest ones are DeleteMe and Optery, uh, Mine that are getting consumers to sign up and then they do that emailing on their behalf. There’s a pretty wide range of how effective these tools are, as well as their price points.
Um, but yeah, that’s basically how it’s working today. Uh, the. General data relationship is defined at least legally between a consumer and a business. And so there’s not only every consumer to every [00:17:00] business that you need to sort of track. There’s also every right between every consumer and every business.
And the fact that this is happening over email primarily is. Crazy. It is not sustainable. This is, I think, one of the biggest challenges in the rights space today. There’s way too many relationships, way too much data out there to be effectively for, for email to be the mechanism for these rights forever.
Um, I know some companies and some standards bodies have started to look at what a protocol might look like for exercising these rights for us to sort of start to unify and standardize against, I think my whole business exists. Because of the lack of that standard, because these are, it’s so unruly and unwieldy to manage all of these rights and all of these relationships via email that until we have a computer readable format, it’s gonna be a struggle to comply for businesses and consumers alike.
I, I think from the consumer perspective, it’s, it’s pretty much impossible [00:18:00] because look, like I’m a lawyer, I reside in Illinois, so I don’t have these rights at all. Let’s say I were to move to a state that does provide me these rights. I have to look up this list. I have to know that I have this right.
Then I have to figure out which of these companies potentially has my data. Then I have to spend, I don’t know, probably weeks emailing everybody on this list. And if they don’t reply to me confirming that they deleted my data, then I have to track them down, file a, a, a complaint with the state agency or attorney general or whoever.
Try to manage all of those complaints, and in the meantime, all my data is still being sold by half of these companies, and it’s also still being sold by a bunch of companies who are not subject to these requirements. I would say that, you know, in practice in the United States, this right doesn’t exist because of the amount of time and effort that it would take to exercise this.
Right. You know, [00:19:00] in, in Europe they, it’s opt in. So it makes way more sense. I can actually say, okay, I do want you to sell my data, which I’m not sure anybody would do that. Um, but I would’ve to say, okay, I want you to sell my data, and I would know who the company is. I opted in, and then I can opt out. So I can have like a list of the companies that I engaged with.
In the US it’s just kind of whatever, you know, things are just happening and, and nobody has any control over it. So it, it’s kind of a messed up system, I would say. I talk to people in Europe, uh, about our business and they’re like, you have data rights in America. And I’m like, Hey man, you have no idea.
We’re regulating things you don’t even have over there. Yeah, it’s getting complicated. Um, and, and the, the opt-in versus opt out, you know, fundamentally is very different, very different. Framework. Sure. Uh, there’s a lot of philosophical and, um, political debates on which is better. Uh, the opt-in isn’t without [00:20:00] its challenges either.
Uh, there’s things like. Self-driving cars are functionally illegal in Europe because it processes images of people’s faces as it’s driving down the street. And unless you can’t get everybody to sign off on that all the time, so there’s, there’s some trade-offs that I think do unlock more innovation for America.
We’re still, very much as you’re agreeing, uh, as I agree with you, lacking on the ability to execute on those rights in America. I am optimistic because it’s gotten a lot better. Over the past five years, I think we’re on a pretty decent trajectory. Uh, I do go down to DC every April and try to lobby for a federal bill would be great so we can all get rights would be really nice.
Oh my gosh, I would save me so many headaches. Yep. And that’s another one that comes up with, uh. Customers a lot, and they’re like, well, look who’s leading the country right now. We’re not gonna have to enforce rights in these states anytime soon. I, I remind them that actually, like the two biggest enforcers of privacy [00:21:00] laws right now are California and Texas.
Texas. Yeah. It’s wild. They’re, I very unexpected. I did not have that on my Bingo card. I, to be honest, I didn’t either. Uh, I grew up in Texas and so there’s a little bit of like. I don’t know, just like wanting to be tough, uh, don’t mess with Texas sort of attitude that I think that they take some pride in.
Um, but it is a bipartisan issue. Yeah. It’s, there’s disagreements on the finer points like, uh, the private right of action and preemption is usually the two things that block the federal law for moving forward. Yeah. Um. Yeah, the rights in America are, we’ll, we’ll, I hope we get there we’re, it’s getting better that, especially seeing that list populated from the now 500.
It’s already grown a lot since we started, but we’re still a ways away from the 4,000 if you are. Really in need of privacy. Then there are higher tier services that do a lot of that follow up for you. They’ve got really great [00:22:00] systems that make sure and double check on these data brokers to make sure that data is not available online.
Yeah. Which is unfortunately expensive. It’s kind of only accessible to people in positions of power CEOs, people in high risk, um, jobs. But at least now that is kind of possible in a way that it wasn’t five, 10 years ago. That’s true. We are moving forward at a, at a snail pace, but we’re moving forward. So looking at this from the data broker’s perspective, what is the process of registering look like for a data broker?
The registrations are, uh, often a very similar form to being a registered electrician or plumber. And a lot of these websites, depending on which state and which department in that state is running these registrations. Uh, but overall it’s a comparable process where they require some information about the business, about the owners.
Um, they make some of that information public to consumers, and you end [00:23:00] up on a list. Long story short, in today, the four states are California, Texas, Vermont, and Oregon. I believe there are seven states considering similar legislation with their own registries. Another one where federal would be really nice to have at some point, you know?
’cause this is, yeah, just one, one place. Getting especially unruly with all these registrations. Um, and the state fees that you have to pay every year, uh, vary. California is the highest at $6,000 a year. Oregon is technically 600 a year, but they’ve got a bunch of extra fees in there. If you have a DBA or if you need to register with the Secretary of State, you need to get a registered agent, so that one, so that one ends up coming closer to 900.
Um, Vermont is only 100. Texas is 300. The dates themselves are a little confusing. Um, California is due in January, but it looks backwards. You’re supposed to report on your activities in the previous year. [00:24:00] Uh, so if you were a data broker at any point in 2025, you should be registering now in January, 2026.
Uh, Oregon is due in December every year. Vermont is due in January every year, and Texas lets you register anytime throughout the year as soon as you start data broker, broker activities, and you have 12 calendar months to before you need to renew. So that one’s kind of off cycle. It’s, it’s. Already complicated and it’s going to get a lot more complicated as these roll out.
Yeah, that’s, and that’s just the registration step. Yeah, that’s, I have beef with the dates on PRI privacy laws because like for example, response for privacy rights requests, some states are 30 days, other days. Other states are 45 days, then you can extend it by an additional 90 days, additional 60 days.
And when it comes to like writing a privacy policy that combines all these laws together, it’s like, which date [00:25:00] is it? You know? And so it ends up being, we’ll respond to you within 30 to 45 days. We may extend this by 60 to 90 days depending on, and it’s like, come on guys, like at least get the numbers the same.
Like we know you’re basically copying and paste. These laws and you’re just changing enough stuff to make it look like you didn’t copy each other’s homework stuff, changing the numbers and the dates. You know, like at least keep those the same, so can keep things consistent. Well, I think the worst offender of this by far is, uh, another Pseudo Data Broker’s Law, Daniel’s Law out of New Jersey.
Uh. This is for anybody not familiar, a privacy law that specifically applies to people in government in New Jersey. If you’re a judge, police officer, law enforcement of some kind, uh, named after a very tragic story of a criminal showing up to a judge’s house, shooting their partner and killing their teenage son, Daniel.
Hence the name, [00:26:00] uh, Daniel’s Law has. A private right of action. So affected individual can sue and their time to respond is only 10 days before you have to execute the right. Yeah. Um, now. In response to that. Uh, and sort of touching on what comes next for data brokers, after you register, you end up on this list and then those emails start flooding in, usually very few of them from consumers themselves.
A vast majority, I think by by our numbers, it’s about 98% of the emails that you then receive are from these authorized agents. These DeleteMes, Permission Slips that consumers signed up for, and they’re executing rights on the consumer’s behalf. Uh. There’s one out of New Jersey that is particularly litigious.
Uh, last year they sued about 144 companies. Wow. Wow. Most of these companies were totally caught off guard by this 10 day requirement. It’s just so much shorter than the other [00:27:00] states that they really got a very strong case on them. Very fast. Yeah, that’s, we see a similar thing with the California Invasion of Privacy Act, where there’s one particular litigant.
Who is suing anybody and everybody under the sun, no matter the size of business, no matter the type of business. Um, and it is, in a way, it’s very predatory. Like if you read the lawsuits, you know, they say things like, you know, defendant is running a surveillance network, like the small business that sells, like patches, patches your coat is, you know, running CIA level surveillance.
Like, no, they’re not, you know. They just have like analytics on their site, like a very basic instance of it. Um, and it, it’s hard on businesses to, to go through that because you know, a lot of them are trying to do the right thing. Maybe they weren’t aware of the requirements, maybe they didn’t fully understand what they were doing.
And a lot of this seems pretty predatory at a certain [00:28:00] point, you know? Um, I understand like healthcare data or children’s data or financial data, but not like. I went to this website and stayed on it for two seconds. That’s not a surveillance network. Um, yeah, there’s been some funny rulings from judges along the lines for CIPA in particular about, uh, this law was written so long ago.
It’s, the language is nearly impossible to figure out how it applies to modern technology or something like that. And the judge, the, the judge’s words, I do think the. Uh, top three biggest risks I usually outline for our clients. Um, in my opinion, you know, it’s, I think it’s subjective and, you know, consult a real lawyer, not me.
Um, but the registrations themselves, the, uh, New Jersey’s Daniel’s Law. And the CIPA Yeah. Are the ones where we’re seeing the most enforcement activity for, you know, my subset of data brokers, at least in the US for sure. Um, so I guess talking about that in that vein, um, what are the [00:29:00] consequences of failure to register?
Let’s say I’m a data broker and I just don’t register. What can happen? The fines have been embarrassingly light so far, but that’s changing. Uh, I think. Oregon, Texas, Vermont, their fines are about $10,000 a year each. Which, okay, you know, it’s something. But for a lot of companies, the back of the napkin, napkin, math, math that they, that they end up doing doesn’t quite add up.
California, uh, it’s $250 a day, so that comes close to 70,000 a year for non registering. And I believe the statute of limitations there is five years of fines could add up. But, uh, there was recently an amendment to the DELETE Act. Uh, now, uh, once DROP goes live and DROP is worth the discussion in and of itself, California is kind of stepping into that authorized agent game themselves, uh, where [00:30:00] consumers can go directly to the state of California.
If you are a California resident, you can sign up and instead of pushing these data deletion requests and opt out requests to the data brokers like the existing authorized agents are doing, now, the data brokers are required to go to the DROP system and pull those requests. And the fines are going up significantly from, instead of $250 a day of noncompliance, $250 per day per data subject in DROP for noncompliance.
Hmm. That means that the 7,000 a year, 70,000 a year, um, is times the number of people who end up signing for DROP. I don’t know if we have those numbers yet ’cause it’s only been live for consumers for 16 days, but even if it’s just a couple thousand, that can easily hit the seven figure fines, um, before the end of the year.
I, I think we’re gonna see our first seven figure data broker fine before the end of 2026. I think there’s probably gonna be one, and I think that it’s going to be. Just, uh, I don’t wanna say like a show [00:31:00] of force, but like a, Hey, just so everybody knows, this is what the fines are now before next year’s registration season.
Yep. Like you’ve been warned, somebody else has gotten fined for this. Look at how much trouble you could be in. You better register. Yeah, you better use the system. Yeah. Yeah. You’ll, you’ll notice that the enforcement tends to uptick right before the registration season. It’s like, Hey, there’s a little news flash for everybody.
There’s little reminders that we’re we’re coming. We’re coming for sure. Yeah. Um, do you anticipate more states proposing and passing laws that specifically target data brokers? Yeah. Yeah. I don’t have the list handy right now, but, uh, most recent report I saw was there’s seven that are currently considering seven other states.
Uh, uh, not too sure what the status, uh, is on each of those, but it’s definitely something that we’re keeping an eye out for. Okay. What about like smaller data brokers? Do you think that they will exit the [00:32:00] market because of the cost of compliance and, and the complexity of compliance requirements? It depends how small, I guess.
Um, what. I’ve seen more of is, you know, and this kind of comes to like an interesting challenge for our business in pricing, because the small data brokers are getting just as many deletion requests as the big ones. Mm-hmm. It’s based on like the number of consumers. They don’t, they’ve got the same level of, uh, requirements and registration.
And I’ve, uh, spoken to Cal privacy, I’ve spoken at a lot of their events about, um, their hearings, about doing more dynamic pricing based on the size of the business. It’s not fair that in my opinion, Google only pays $6,000 and meanwhile, the smallest marketing tech business that’s helping, you know, local landscapers market to their community are paying the same exact amount.
Um, what I have seen is companies where the data broker business is sort of like a secondary line of work, if it’s a secondary business for them. [00:33:00] A lot of them have been winding those down. They’re like, you know, this was never our main thing anyway. We had, we’re making some money from it, but now it’s just too much hassle.
Yeah. The ones that are dedicated to it, they’re just eating the cost from what I see. Yeah. And I’m gonna bet that this is, you know, just like GDPR and CCPA, that this is gonna create more jobs in the compliance sector. Um, because as these regulations get more complex, you’re gonna have to hire somebody, um, you know, in house or you’re gonna have to hire a company to help you with this.
Um, so I, I guess part of, uh, one small silver lining of all of this is that it, it does compliance job. So I was joking there somewhere, I can’t remember it, about like, uh, the point of the law is to make lawyers money, something like that. Yeah. Unfortunately, that’s how it works. Sometimes, you know, a lot of these laws aim to,
or say they aim to, protect consumers. But you know, when it comes to the actual application and practice, consumers are [00:34:00] just lost. Um, you know, and, and the benefits that they should be receiving under these laws, they’re just not getting, because they don’t know of their rights. They don’t know how to exercise those rights or they don’t have the time.
So, um, that’s the unfortunate truth with a lot of this. Yeah. And I, as part of the CIPP certification, part of the curriculum there is understanding how consumers operate a little bit and they bucket them into the privacy absolutist, the privacy pragmatists, and then the privacy, I forget the word, but they don’t care so much about privacy.
Yeah. Um, I definitely consider myself in the pragmatist bucket, uh, but I think right now these laws are kind of just servicing the privacy absolutists, the ones that are willing to go out of their way to put in a bunch of work to try to get their data deleted from a small subset of the people that have their data and that’s worth it for them.
Yeah. Yeah. I, I think for a lot of consumers, you become a privacy absolutist when something really bad happens, [00:35:00] you know, where normally you just kind of continue with your life. You, you do what you need to do, and then somebody really, truly violates your privacy. Like you’re getting spam calls at three in the morning, which I’ve, I’ve gotten, and you’re just like, come on, like this has got to stop.
And then you just kind of crash out and, and end up just emailing everybody to delete your data. Yep. Yep. I, and that’s good. It’s objectively a good thing that people can do that now. Yeah. So if you were talking to a data broker today, what should they be doing to prepare for these compliance requirements?
Yeah, so if you haven’t registered step one, do that. Um, but step two would be sort of brace for impact is what I warn everybody. Uh, once you end up on that list of data brokers, you get a lot more scrutiny. So make sure that you’re checking all the other boxes that you need to check. A lot of ’em are, I don’t wanna [00:36:00] say one off, but, uh, maybe like once a year.
Things like updating your privacy policy, making sure that you’ve got your practices in place, doing whatever impact assessments you need to do. Then also the operationalization of the privacy program because there’s a lot of stuff that’s not set and forget, but you just need to do it indefinitely.
Specifically these opt-out requests. Um, data brokers uniquely get tens of thousands, sometimes hundreds of thousands of these data deletion requests, emails a year, and it is just way more than a person can do. Yeah, big companies have sort of shored that to their customer service teams and just having them copy and paste the information into whatever web form they like to use, but getting some sort of system in place.
You know, I, we’ve, Superset, built out an AI tool to be able to process these requests, extract the data properly, and format it in a way that you can process it automatically, [00:37:00] which I think is the best way. I’m obviously very biased, but to be able to automate wherever possible and still ensure that everybody’s getting access to their rights is a win-win.
Yeah. But the scrutiny will come. Uh, there’s also new requirements coming out for universal opt-out mechanisms as well, and having some sort of source for updates on these kinds of things, whether that’s your lawyer, whether you’re subscribed to privacy newsletters, all of these are important. Yeah. One of the things that we’ve done in our company, and we’re not a data broker and we don’t get a lot of requests, so I don’t know how helpful this is.
Um, but we have procedures, so like we have checklists. Okay. If somebody asks you to delete your data, this is where we keep data, this is all the places yet to go into to delete it. And obviously that’s a manual process for us because we get like two of these per year maybe. Um, and then we also have different templated responses that you would fill in.
So if somebody [00:38:00] asked for access to data and they didn’t verify their identity, this is a templated response. If they asked for deletion and you deleted it, here’s the template of response. Or if they asked for correction, here’s the template of response. So you have all that ready so you don’t have to scramble, because once you get that request, like you said, there’s only a certain amount of days in which you can respond.
So the more stuff that you can have in place before you get that request so that you can adjust those templates as needed. Um. And change them based on the circumstances, but at least you have something to work off of so that you’re not just, you know, you get the request and you’re just staring at a blank page and you have no idea where the data is and you have no idea what to do.
Um, that’s definitely a good place to start. Um, so apart from this AI tool, um, how does your company, Superset, help data brokers meet their compliance obligations? To be honest, that is where at least the 80 20, probably more than that of the value of Superset comes in [00:39:00] is these really high volume DSR recipients.
Like I said, we started with the registrations, that was sort of their first line of business, and very quickly our customers started telling us like, Hey, we’re getting flooded. Is there, what should we do? And that sort of inspired us to build out this new technology. Uh, you know, I don’t think that AI is gonna take all of our jobs, but it is really good at extracting information from bodies of texts.
That is one thing that LLMs really, really excel at, and that’s what’s needed in the case of handling data subject requests, especially the ones that come in via email, like the recipients of, uh, registrants of data brokers are so, I mean. I’ve seen the time cut down from literally full-time, 40 hours a week to less than an hour managing the ones that slip through the cracks.
Wow, that’s amazing. Yeah. It’s, it’s night and day [00:40:00] difference. Uh, if you don’t already have that offshore team of like dozens of people to manage this. Mm-hmm. Uh, we also, you know, generally it’s not that we do services, but help our clients stay aware of what changes are happening, changes in laws, what counts as sensitive data, what can and can’t be collected across different states as that popped up, uh, like Maryland and Oregon, geolocation data that’s non-consented isn’t allowed to be sold and shared anymore.
So we try to provide updates as things go, and we’re gonna be building out the DROP integration as well. Um, California’s DROP system is going to have a very particular way of sharing data and everybody’s kind of wondering like, how are they going to create this list of people who’ve opted out and share it with data brokers?
When are, is that those people that you wanna share lists of data with? You know, um, and so what they’ve sort of decided on is like you tell them what identifiers you need. [00:41:00] And they send you formatted and hashed versions of those identifiers in a particular sort of algorithmic way, which is going to be a pain.
It essentially means that data brokers are going to need to format and hash every single row in all of their tables, everywhere that they’ve collected personally identifiable information, at least these unique identifiers like mobile advertising ID, email address, phone number, first name, last name, and several other types of, uh,
of data like that. So it’s gonna be a pretty big procedure for these companies to get compliant, and they still haven’t quite released the full technical specs of what it’s going to take. They’ve released this algorithm, which is a good start, but we still don’t know how to actually connect, read, write.
Um, that’ll come 24 hours before implementation. I’ve been relatively impressed with the Cal Privacy team that they have delivered the, uh, consumer-facing side on [00:42:00] time, and they even seemed to be ready pretty well before the j, the January 1st deadline. And in the, in their defense, they also had these deadlines set by, uh, legislation.
They didn’t get to set these themselves. Yeah, that’s true. So I am, yeah, I’ve, I’ve been relatively impressed. I think that they’re doing a good job given the tough requirements that they have been given. Yeah. A lot of developers are not gonna be happy with having to change all those tables. I’m sure that’s gonna be a terrible, terrible couple weeks for them.
Yeah, I am. I’m, you know, I’m still not totally convinced on the total value add of the DROP system. Yeah. In the privacy world in general, there’s already a lot of solutions for non-Californians that do the same thing. Um, I support the, uh, stronger enforcement penalties that came outta this amendment. But overall, I think that there’s probably higher value to things that, um, the state of California could be working on in terms [00:43:00] of protecting privacy.
Yeah, I guess we’ll see how, we’ll see how it goes once it, uh, it’s implemented. Um, so final question for you. Where can listeners learn more about you and your company? Yeah, absolutely. Uh, we’re available at trustsuperset.com. The application is available for anybody to sign up, try it out for themselves. You can forward over some of your example emails and see how it processes.
Uh, I’m also available on LinkedIn at Zane Witherspoon on every platform. I’d make it my phone number if they’d let me.
Awesome. Yeah, that sounds great. Um, cool. So thank you so much. Yeah. Thanks so much for, for being here today and sharing your insights with us. Definitely a new frontier for a lot of businesses and a lot of new requirements to, to keep up with. Um, so I appreciate you sharing this information with us today.
Yep. Hopefully we can get this distributed so everybody knows what [00:44:00] they need to do, uh, for their own business and for the consumers. Absolutely. Um, and for our listeners, make sure to subscribe to Privacy Lawls, um, so that you don’t miss their next episode.
