Privacy Lawls with Donata
Ep. 5 | Why You Should Care About Privacy… Or Else (Guest: Rian Kinney)

How often do you think about privacy? Does it bother you to get a text/email you didn’t sign up for? How about an ad that’s a little too close to home?
In this episode of Privacy Lawls, we discuss why people (and businesses) should care about online privacy and the consequences of ignoring it.
Joining us for this episode is Rian Kinney, Tech & Privacy Attorney CIPP/E & CIPM, Attorney licenses FL & TX.
Hello, and welcome to the fifth episode of Privacy Lawls, where we will be discussing why we should care about privacy and the consequences of not caring. I’m your host, Donata Stroink-Skillrud, and I’m very excited to talk to our guest today, Rian Kinney. Rian Kinney is an attorney licensed in Florida and Texas, and is a CIPPE and a CIPM.
Rian is the founder of the Kinney Firm, where she advises Fortune 500 and C-suite executives across industries and a variety of privacy regulations, as well as e-commerce issues affecting employee privacy, digital advertising, and regulatory compliance and risk mitigation. Rian is also the founder of eCommLegal, where she assists online businesses in navigating all things legal through pre-packaged, attorney-drafted, and approved DIY contracts.
Thank you so much for agreeing to be on the podcast today, Rian. It’s great to have you here. It was really wonderful to see you and hang out at WordCamp US. Can you please tell us a bit more about your career?
Yes. Thank you so much for having me. I’ve listened to all of your editions of Privacy Lawls and very excited to be one of your esteemed guests.
Honored to be here. Yes, regarding my career, I have been practicing in the area of privacy for over six years, and in that time have been speaking to both developers and attorneys nationally and internationally on the topic, as well as through my, my law firm providing compliance and privacy counsel to companies of all sizes.
Yeah, we first met at WordCamp US and in St. Louis in 2019, which was really fun. I remember being really, really nervous to meet you because I’ve heard a lot of things about you that you’re, you know, one of the most well-known attorneys in WordPress. And I just remember being really scared to meet you and we did meet and it was awesome and we had so much fun.
And it’s so great to be able to call you a friend after all these years. I mean, the, the work that you do at Termageddon and the intense amount of, you know, tracking all of the privacy laws and the information that you put out just so much respect for everything that you do and, and the work that you do with it, even the ABA and, and the Bar Association level, you’re just only involved.
So again, happy to be here. Thank you. So what types of clients do you work with at the Kinney Firm? What types of problems do you help them solve? Yeah. I mean, the short answer is online businesses. I’ve worked with businesses of all sizes from freelancers to enterprises. And when I say enterprise, I mean, multi-billion dollar companies, global media, employee benefits across industries and both B2B and B2C consumer products companies.
So I assist with, you know, securing intellectual property rights like trademarks and copyright infringement, domain disputes, actually getting people’s web domain successfully returned back to them. But I think the work that I do that would be more, you know, the subject of today’s podcasts would be the work that I do providing outsourced general counsel and data protection officer services to these companies that need ongoing privacy and compliance advice.
Types of problems I, I help them solve, two-part question. You know I’ve worked with a global media company that needed privacy advice for an entertainment app that they were developing that was going to be geared toward children and launching on the Apple marketplace. And I have been more recently working with a global consumer company that needed assistance with vendor privacy impact assessments and CPRA audits for that became enforceable in July of this year to ensure that their consent manager actually does what it says it is supposed to be doing.
That’s a, that’s a tough job. I, I know from personal experience that when you look into cookie consent managers online. There’s like thousands of them, and from what I’ve seen, at least 50 percent of them are not compliant. You know, either not compliant with GDPR or not compliant with CPRA, so you have to be really, really careful about the cookie consent manager that you choose to make sure that you’re not choosing, you know, a placebo one or a not compliant one.
Yeah, I mean, and there’s, you know, a couple of, of different issues and factors, and, and the, the compliance aspect, I mean, any tool online that says that you’re 100 percent compliant or, or this, this, you know, solution gets you compliant is 100 percent a lie. I mean, we as privacy professionals know that, you know, compliance is multi phases, multi factors.
There’s no one, you know, digital solution to just get you compliant. But the other aspect is, you know, how easy they are to implement and the level of sophistication of the company and the customer that you’re, you’re serving. And, you know, there are cookie consent managers out there that really require a lot of development, developer configuration that really don’t, unless you’re, you have a Q&A, your, your customer, and this isn’t, this isn’t good for smaller to mid-sized businesses because they don’t have that staff.
They don’t have that capability. Then they, they flip the switches on this solution and don’t do the audit or the QA portion and don’t even know or realize that this tool that they’ve bought to become compliant is actually making them less compliant. And yeah, their, their privacy policy says they do or don’t do something that, that they’re breaching automatically.
Very, very true. That’s a great point. So eCommLegal, what types of clients do you work with there and what kind of problems do you help them solve? Yeah, I mean eCommLegal was really, you know, born out of the work that I’ve done with Kinney Firm and in the open source communities, including WordPress.
But really, you know, I saw a need that wasn’t being met by competitors that are, you know, the online legal forms that you can get that because they weren’t really speaking to again, online businesses, I mean, they may have a template for an independent contractor, but you’re not seeing that level of really lining out the types of services that a digital agency or hosting company would need.
And so that’s eCommLegal is really designed to meet the contracting needs of digital agencies, companies selling goods online, SaaS companies, freelancers, hosting companies, and app developers at a fraction of the cost of what it would cost to hire an attorney. I mean, we’re not talking tens of thousands of dollars.
We’re talking of hundreds to get contracts and forms that they can actually trust within the open source, which again is, is a different licensing animal than, you know, the proprietary. And it’s just really not accounted for in contracts competitors that I’ve seen. Absolutely. I mean, throughout my career, I’ve seen so many agencies who have.
You know, a contract that’s half a page or you know, they have a contract that says we guarantee compliance with all applicable laws when we build your website. Or, you know, we offer these warranties for the next 10 years. But that’s not fit for the purpose of website design, right? Like just the minor thing of screen sizes changing and that breaking the website or breaking how it looks like you shouldn’t be warranting things for that long.
And there’s, you know, it’s really important for agencies to have contracts that are specifically made for that industry because otherwise you’re just not protecting yourself. You’re not doing yourself any favors. And you’re probably not getting paid enough to guarantee that a website that you built is compliant with all applicable laws, right?
So making sure that you protect yourself is extremely important. I think contracts is definitely the first step to doing that. Absolutely. I, I mean, I’m aware of, you know, the horror stories of the digital agencies that have that, you know, we’re warranting all Apple and then get hauled in too because the agencies are basically making themselves almost an insurer of their clients’ legal compliance, which is not their job.
And yeah, having the disclosures, the disclaimers, the proper warranties in there is everything that I aim to provide. Again, having an experienced tech attorney that understands open source that’s doing this, yeah. I’m very successful and enjoying this aspect of eCommLegal. Good, I’m very happy to hear that.
So I know you work on a lot of cool stuff, but can you tell us just one interesting project that you’re currently working on in privacy? The most exciting project that I’m pumped about right now is I’ve been retained to build a privacy framework and program from the ground up for a company that is selling commercial and business insurance for small to mid sized businesses.
So, getting to meet with all of their internal stakeholders, their engineering department, security, GC and inform them, you know, do the, the work of mapping where they are, where they need to be, you know, advising where they need to be and breaking down the steps to get there. It’s been really exciting, especially amidst the CPRA enforcement and of course, you know, the privacy,
state by state privacy laws that are rolling out on almost a daily basis at this point. Yeah, speaking of daily basis, yesterday, Delaware, right, their new privacy law was passed. The governor finally signed it. It sat on his desk for like a month and I had to keep on refreshing the government website page.
But yeah, the, the state patchwork is just, there’s never a boring day, I guess I’ll put it that way. Yeah. I think this is the only privacy podcast that I’ve heard that really is the ins and outs of what it’s like. It’s refresh, not only re refreshing the, the state and national laws like, like we’re looking for our bar exam results.
We’re like, refresh. How is my life going to change today? Right? Right? I’m like, why aren’t you just signing this? Just sign it. We all know you’re going to sign it, but then I keep on having to refresh the page. So yeah, it’s, it’s awful. But so what was your first ever introduction to privacy? What did you learn?
Yeah. Back in 2017, I was advising a multimillion dollar digital agency that served enterprise clients and noticed that they didn’t have a privacy policy, which led me down the rabbit hole of, you know, who needs a privacy policy when and where to discover everyone needs a privacy policy if they’re collecting personal information which is as little as, a name and or an email address so really everyone which then led me to GDPR and the fact that it was coming out and or not coming out, but going to be enforceable within a couple of months.
So I’m signing up for like, as a, a rabbit hole that I went down, signing up for the IAPP, CIPPE and CIPM courses. Then, and then finding out about WordCamp EU that was going to be in Serbia that had a GDPR for developers workshop and a woman named Heather Heather Burns that was doing a policy discussion, so I volunteered to be a workshop assistant to fly over to the EU to learn more about the GDPR, what it was, and how it would impact people ahead of it becoming enforcement, and what did I learn?
Wow, what did I not learn? No I think the most the most wonderful thing that I learned being in Serbia and being a part of that workshop was the fundamental fundamentally different approaches to privacy that the EU and the US take that difference between regulation and governmental, you know, body oversight versus litigation.
Thank and, and almost having a reactionary deterrent of, Hey, it’s going to cost you money if you don’t do this, versus everyone has privacy as a fundamental human right. Yeah, I think that’s a very great point is in the EU, they’re very much like looking forward as to what the issues are going to be.
Taking the time to, like, research, talk to everyone, write these laws, and here, very much like, this one bad thing happened to this one person, so we need to write a privacy law about it. It’s very reactionary, it’s very fast, it’s very confusing, and not uniform throughout the states, and that’s how we ended up with some of these laws, because some of these were written over seven days, and now the rest of the states are following the same model, same laws.
It’s like well, maybe let’s take a step back for a minute and make sure that we can make this more uniform, make this more easy, but you know, I don’t know if we’re allowed to talk about reactionary. Like I said, I flew to Serbia because I thought, you know, the US would have to follow suit or do something to align with the GDPR. And I was imagining two to three years down the road, you know, I’m going to be at the forefront and like, I mean, in November like three months later, California had the CCP, I was blown away by the speed in which it was enacted.
And I mean, all of these subsequent state rights or, or state laws have seemed reactionary. And again, I mean, the fact that the, even the definitions of Data breaches and or the threshold amount of how many citizens of the state have to be impacted. I mean, it is just a lot to track and keep up with.
On the good news side, we privacy professionals have job security for a really long time to come. Very true, very true. We definitely have job security. So let’s get into the main interview. And we’re going to talk about why should you care about privacy? So my first question to you is… What does privacy mean to you?
Yeah, I mean, again, as a fangirl of Privacy Lawls, I think I can confidently say that you will agree with me that privacy is about transparency and choice. Ultimately, I should have the right as a, you know, an individual to know what I’m sharing, what’s being collected, and choose the companies that I want to share that data with, interact with, or not and how it’s used, and be able to withdraw that consent at any time for any reason if, if I no longer agree with or align to the privacy practices that they’re implementing.
Thank you. Conducting. So as a privacy lawyer, why do you care about privacy? Yeah. As a privacy lawyer, I think it, the, the, the legal aspect of it is the, the fact that without privacy rights and this, these regulations what can happen negatively, whether it’s to me or, or any consumer. When their data is consolidated without their knowledge and consent and upholding those rights and informing consumers about what their rights are.
I mean, all of that is important to me. And the technology, the, the interesting aspect of, you know, what gets me really excited about privacy is… The law is one thing and how you enforce it, but, but the technological implication of how this gets done, and as technology continues to innovate, like, this is going to be a constant.
I mean, as we’re seeing with AI and VR, privacy rights are something on a piece of paper, and you’ve gone through the history of privacy, but it continues to evolve, and it always will as technology does. So… That’s why I care about privacy. And as an individual, do you look at privacy differently than the privacy attorney side?
So so I was doing work with one of the one of my clients and they were saying, you know the senior privacy counsel was like, I don’t really worry about, you know, the, the impact that this is going to have to marketing about, you know, the opt in opt out because no one reads those things or does it.
And I’m like, Yeah, I’m the one. You know those, the consent banners that say, like, select your cookies? I do, every time. It’s so confusing. I it, and yeah, I mean, why would I share for analytical purposes, you know, data? I mean necessary cookies are necessary. Go for it. But functional and analytical, well I turn them off.
I read the Privacy Policies and Notices and, you know, as we continue to discuss this, there’s a lot of applications and things that I’ve looked at and learned and, and companies that I’ve chosen not to, to work with based on their privacy practices. So, yeah, I think I’m a little different. I’m sure anyone listening to this podcast is.
It’s probably in our boat of, yeah, we read them and we, and we slide the little toggle. Yeah, same here. It’s interesting though, like working as a privacy lawyer, working in this space and working with people who know that you’re a privacy lawyer, but then they still violate your privacy. So I had an experience not too long ago where I had to book a Calendly meeting for someone to record a podcast.
So I wasn’t interested in their services. I mean, they had great services, but they just weren’t for me. And the sole purpose as to why I provided my information was to register make an appointment for this podcast recording. And I remember at 3 a.m. the next day, and I didn’t sign up for text messages or anything else.
At 3 a.m. the next day, I get a text message that wakes me up in the middle of the night and says, get ready for this podcast where we talk about privacy with privacy attorney Donata. And I’m like, wait, you’re texting me without my permission about a podcast that I’m on about privacy. Like how does this make sense?
Like I never signed up for this. So I think being a privacy lawyer, maybe we’re more cognizant of these things. But I think most people would get annoyed by that, right? Would get annoyed by getting text messages in the middle of the night. Yeah, on a basic fundamental level. I mean my example with that is I introduced a very large data protection company to WordPress and advocated for them you know, sponsoring WordCamp US.
They did so, and then scraped the attendee list and sent out all these blast emails to the WordPress Well, that’s one way to alienate people and let them know you don’t stand behind your products. Yeah, I know who that is, but I won’t say. But yeah, that’s, that’s insane. That’s absolutely insane. That’s such, like, the completely wrong way to approach that, I think.
Yeah. But I think throughout my life, I’m working in privacy. You know, I’ve heard a lot of people say, I don’t have anything to hide, so I don’t really worry about privacy. What is your opinion on that? Yeah, it it reminds me of a parable slash poem. I don’t even know how to pronounce the man’s name.
It’s Martin Niemöller. But, you know, first they came, the socialists, and I didn’t speak out because I wasn’t a socialist. Then they came for the trade unionists, and I didn’t speak out because I wasn’t a trade unionist. And fill in the blank for anything you identify with or do not identify with. And if we don’t stand up for the privacy rights of each other, and others, at the end of the day, we won’t have any privacy rights left.
And again, you know, as an attorney, we’re speaking out about these things, and we’re advocating for them, and we’re enforcing them, because they matter, and without them… Yeah, things can get very bad. I have a great example here, too. So let’s say you don’t have anything to hide, right? You’re not doing anything wrong.
You know, let’s see what I get, but like, I’m sorry, I’m sorry to interrupt, but like, you’re not doing anything wrong. But people can, can find, there are people out there that don’t like certain political groups, that don’t like certain religions. That’s not doing anything wrong, it’s just who you are that, anyway, I’m sorry, what were you saying?
I was gonna say, you know, you’re driving to the grocery store, right? And you have your cell phone on you, and there’s a robbery at that store. And you’re at that store. And the government collects the cell phone location and says, Rian was at the store. So she must have been part of the robbery, right? You weren’t part of it But the government knows that you were there And they know that you drove to, to home right after.
So what’s to say you didn’t bring the cash to your house. Right. And you could be really innocent person and be caught up in this kind of stuff or, you know, facial recognition misidentifies you or misidentify someone else’s you, and all of a sudden, you know, you have to pay thousands of dollars in legal fees to explain why facial recognition doesn’t work on certain people, you know, so it can get you into a lot of trouble, even if you’re not doing anything wrong at all.
You know, so I, I think, yeah. Based only on who you are or where you, where you are, yeah. Yeah, so we kind of talked about a couple of these things, but can you give us a few more everyday examples of how we’re affected by lack of privacy or intrusions into our privacy? I mean, yes. I mean, yeah. So one of the talks that I gave for, for attorneys in Florida was Grammarly.
They didn’t bother to read the terms and conditions of Grammarly, but to, in order to provide you know, grammar information, it has to actually scan the document, which for lawyers is a confidential document and what Grammarly can do and who they can share it with after performing that scan yeah, it actually violates our attorney professional responsibilities and ethics.
Similarly, similarly, IOT the Internet of Things and that cute little Alexa that you may have on your desk to play you music or the watch you’re wearing. There have been different jurisdictions that have said that the open microphone that is clearly listening in and has recorded in many instances, name a big tech company.
They have, you know, an issue with a data protection authority somewhere. That not only is it violate the consumer standards, but it’s actually violating attorney and privacy professionals. Re confidentiality responsibilities. So yeah, absolutely. Yeah, that’s, that’s why we don’t have many connected devices in our home.
I, I remember my husband Hans bought a smart outlet and it was from somewhere in China, and he takes it out, takes out the instructions, and turns out it has to connect to your wifi. And it is, you know, a very shady looking device. It’s not from a known company, and I’m just like, you know what, nope, we’re not doing this, we’re throwing this out.
I also have a washing machine that can be a quote unquote smart washing machine that can connect to an app. They can let you know when your load is done and honestly I just listen to the sound and I can hear it and unless it’s switching out the laundry from the washer to the dryer for me, I don’t really need an app.
You know what I mean? So a lot of it is, is about being very careful about what kind of devices you bring into your home, what you allow to connect to your networks and things like that because there can be really bad things that happen, you know, a couple years ago, there were reports of, you know, this little baby cams or, or any cams or whatever, and somebody hacked into them and started talking to their baby, you know, or started showing their face to their baby, you know, there’s nothing more creepy than that.
So yeah, it’s, it’s, it’s kind of crazy. Yeah, I mean on a separate podcast we can go into the like the fringe and all of the craziness, but yeah I’m familiar with like all of the wacko what people can do when they access your phone, you know, the hacking that can take place to your personal devices is terrifying.
Another aspect of this, so, you know, I’ve heard a lot of people say, including Hans that they don’t care if advertisers get their information because they like relevant ads. Do you think there’s any issues with that? Oh, yeah. Sure, it’s nice when the, the ads are relevant, but you know, that’s the kind of the white hat application of them you collecting, compiling your data and using it in a way that you would want them to but the problem is when, you know, they collect, compile and process your data in a way that you’re not aware of.
And ways that you don’t want them to, like election tampering, or biased and discriminatory profiling and surveillance. Like you, your example with the robbery at the store. That geolocation can, can cause problems and exclude people from participating and even financial, you know, decisions based on their spending or their purchasing habits.
So… Yeah when you truly understand that it’s, it’s not advertisers just providing you with nice relevant ads of things you want to see, but their ability to compile all of that data to create a personality profile on you. And be able to predict your behavior and then actually influence your behavior with the words they use and, and how they market that product to you.
That could be pretty terrifying if you’re paying attention. Yeah, I I have all my ad settings turned off, and I get the most irrelevant ads of all time, which I personally enjoy because they’re really funny. I’ve gotten ads for men’s underwear that included very, very graphic descriptions of the aspects and functionality of that underwear, which I think is just really funny.
But yeah, advertisers can sell your data. They can give it to the government. You know, they can do a lot of things that you might not think that they do. I feel like you should consider making that a permanent part of your Privacy Lawls podcast is like Donata’s irrelevant ad of the day. Because I would tune in for that.
I mean, I got an ad the other day for like a $300 manual toothbrush. I’m like, who do you think I am? Like I would never buy something like that. But it’s, it’s great. Some of them are really, really descriptive about problems that other genders face that I personally don’t but it was really funny.
I, I think that a lot of people are stuck on the days of ten years ago so where privacy was really not a big deal. So they think that consumers or website visitors don’t really care about privacy. So that they don’t care what information you’re collecting or whether you have a privacy policy or cookie consent banner.
Is that still true today? I mean, that’s not at all what I’m seeing with the data and statistics that I, you know, see on a daily basis and consumer, I mean, these large companies hire me to meet this need for their privacy compliance because consumers are more savvy and concerned about privacy than ever and they’re more familiar with their rights.
So being able to actually, you know, perform and respond to data subject access requests is incredibly important. But I think the other aspect of it, too, that these, you know, companies are investing in their compliance is, sure, the average data breach costs roughly four and a half million dollars.
But for some of these global companies making hundreds of millions and billions of dollars, it’s, that’s not the largest cost. It’s not monetary, it’s the lack of the long term erosion of consumer trust and their brand equity. You know, we’ve, we can all name names of companies that have, have undergone this and, and that we will never buy from again because of a data breach that they’ve had or how they handled or reacted.
So yeah, I, I think privacy is a huge issue and a driver for consumer purchases at this point. Yeah, or they won’t use the features of your products that are part of the selling point. Great example, not to go back to my washing machine again, but it is from Samsung, which was recently subject to a data breach.
And I saw that and I was like, Oh, good thing I never connected that to my wifi. Good thing I never connected that to any of my personal information and I never will. But for the people for who that app or that connection is a selling point. They’re not going to buy from that company because they think their data is going to be breached because it was breached in the past.
So they might buy it from somebody else or they might just not use that feature, which can be a selling point for some people. And again, I mean, the, the IOT and the fact that lawyers are unplugging their, their speakers and or not buying them or having them in their, in their office anymore. Same thing.
If, if companies are not compliant with the laws and transparent about their business practices and who they’re sharing the data with, consumers are using that as a reason to choose their competitors. Mm hmm. Exactly. So let’s talk about some interesting studies. So the first study was from the Office of the Australian Information Commissioner.
So they found that 90 percent of Australians have a clear understanding of why they should protect their personal information. And 82 percent of Australians care enough about protecting their personal information to do something about it. What are your thoughts on that? I mean, that’s consistent with you know, what we just talked about, and the fact that, I mean, 90%, 82%, these are not insignificant numbers of a population that really cares and is invested in how companies handle and treat their information.
Yeah. And 32 percent of respondents have switched from one company to another due to privacy practices. And then the government of Canada study that found that seven in ten Canadians have refused to provide personal information to a company over privacy worries. And I think this is interesting for us working in tech and working with these companies who, you know, they have a contact form, right?
Or they have an email newsletter subscription form. And it looks like some people are not willing to input their information if they’re worried about their privacy there. Yeah absolutely. For me, the, the comedy 23andMe was something that, you know, everyone, it was coming out and everyone was doing it and I don’t remember the price of the kit, like, I think it was 199 or 99 at the time and I just, as a privacy attorney, I was like, no, absolutely not, like, I don’t, I don’t, I just, I just said no.
And then the, you know, the breach came out and the fact that they weren’t being transparent because, I mean, even at 99 for a genetic testing kit and, and honestly, there’s a company called Forward, I don’t know if you’ve seen it, it’s a, a health company that it’s a subscription based and, and they’re looking to kind of modernize healthcare and it’s really cool and they kept offering me, testing, like, and I said, no, I don’t want it.
I don’t want it. And the, the, the app tries to give it to, like, I got on the phone with the customer. I’m like, do you know why your company is trying to push this genetic testing so much? Like, and why I don’t want it so much because you’ve, this company has already shared data behind the scenes. Like you’re making money off of, but that is a real life example of.
The price of the service isn’t much, but they’re desperately trying to get your data because that is valuable and has money for that company. The other, I mean, personally the, the company breach that, I mean, impacted me was, I mean, how many people are using health trackers and, and apps and sharing their data.
And I’ve read the privacy policy in the terms of use and felt somewhat secure with how they were sharing my data and the company flow was sharing information with governmental companies and regulators and in light of, you know, the different legal issues that we have going on in the country surrounding reproductive
As your, you know, menstruation or, you know, monthly cycle can be shared with the government, without your knowledge or consent, is, again, terrifying. Yeah, it is absolutely terrifying. I’ve been, you know, since 23andMe have come out, you know, I’ve been really, really interested to see what my genetic makeup is, but I won’t.
My brother did his, so I don’t know if they can extrapolate based on our sibling status. But my brother came back and was like, Yeah, we have the gene where, where we we get bit by mosquitoes a lot. I’m like, glad you took that test and shared that data for the both of us, Dave. Yeah, didn’t they find, like, the Golden State Killer or Serial Killer through one of these databases where they found a relative of theirs?
You know, so you’re not just getting your genetics tested. You’re not just sharing that with the government. But you’re also, like, unknowingly snitching on your relatives as well. Yeah. You know, so I’m going to avoid it until a company comes out that does not share your data with anyone at all. Not only make sure that you avoid it, but actively campaign around the holidays and birthdays with your family to make sure that they don’t do it.
Well, I don’t have any siblings so, yeah, so I don’t have anything to worry about and I don’t think my grandparents are going to be genetically tested either because they don’t care at this point, so I think I’m safe.
I, I just have to talk to my brother. I mean, he’s just giving my genetic materi... no, I’m kidding. Well, I, I think that kind of wraps up the studies, with Pew Research that found that 52 percent of Americans will not use products or services that they believe have privacy issues. So that’s half.
And so we’re not the only ones. The privacy professionals are not the only ones who refuse to share their data or use certain services. This is a big thing with regular consumers as well. But let’s go into the Cambridge Analytica scandal. So for a lot of us, you know, it was really the first time, or one of the first times, that consumers realized the consequences of providing their personal information to companies online.
It seems like this… This realization caused a lot of consumers to fight for privacy rights, which in turn caused the privacy laws to come out as well. Can you tell us a bit more about the Cambridge Analytica scandal and its consequences? Yeah if anyone hasn’t watched the great documentary on Netflix, I highly recommend it.
It really breaks down everything and details everything that happened far better than I can in the time allotted. David Carroll, a media professor, had to sue Cambridge Analytica for over a year in the UK to obtain disclosure of data that the company had collected on him. It was in 2018 that that happened, so it was at a time where the GDPR existed, but he wasn’t located in or a citizen of, not not that he has to be a citizen, but in the UK.
So, you know, he didn’t have the same rights and had to sue for it and through this process discovered that this company had over 5,000 data points on every U.S. voter and was actively selling this information to one political party in the U.S. versus another to impact the presidential election.
And then Carole Cadwalladr, an investigative journalist for the Guardian, investigated Cambridge Analytica’s ties and, and came out with a journalistic piece that she was considered for the Pulitzer Prize for, for Cambridge Analytica’s ties to U.S. political party and Brexit and really came down to the fact that Facebook was sharing information with Cambridge Analytica. And it, so the Cambridge Analytica produced an app and it wasn’t just sharing the information of the person that actually consented to and, and opted into the app, but their entire friend network was being sourced to create these profiles to impact a presidential election in the democratic process.
Yeah, it was a huge thing, and I think it still is a huge thing. And what’s interesting is through reading privacy laws and reading hearings for privacy laws, it’s brought up very, very frequently. So there’s two things that usually legislators, at least in the U.S., will bring up. So one is the calculator app that collected people’s location.
It’s interesting that actually ended up in multiple privacy laws in the preamble, and two is Cambridge Analytica. And that seemed to really open up everybody’s eyes about what it means when I’m using these services, when they get access to my data and the things that they can do with it. Because it’s not just like, oh, you fill out a survey and they tell you what kind of Harry Potter character you are. That information is actually used for, to influence people’s opinions on things, and I think with Brexit as well,
there are studies done that most of the people or a lot of the people that voted for Brexit didn’t even know what Brexit was or what its consequences were. They just saw these posts on Facebook and these ads on Facebook saying, oh, we need to leave the EU. And they personally, a personally tailored targeted campaign to their behavioral interests and their drivers and motivators to push them in the direction that the person controlling the data wanted them to move in.
Yeah. Yeah. It’s, it’s crazy. It’s absolutely wild. I mean, the, the documentary goes into the fact that this level of data science, you know, is actually considered a form of torture or abuse in certain countries. That it, again, it’s this targeted, personally tailored, based on your psychology, motivators and fears to, to drive you to a desired outcome
that you, at that point, really don’t have any knowledge or control over. Right, because you’re not talking to a person that’s trying to manipulate you, right? So, when you talk face-to-face with somebody who’s trying to manipulate you, you can pick up on those cues. But this is just something that shows up on your feed.
And you have no idea the reams and reams and reams of data and science that go into creating these posts. And, and you think it’s, it’s true stuff. You’re like, oh, well I resonate with that. That means Facebook understands me, but… Particularly when you’re being shown the news and you don’t realize that it’s curated based on your profile.
I mean, again, we’re talking about this after Cambridge, post Cambridge Analytica, so we know this now. So I’ve all, you know, anyone listening is like, well, yeah, we know that, but we didn’t then. And that’s the thing. So yeah. So what are some of your favorite resources to learn more about privacy? Not to pander to my, my favorite podcasters, but Termageddon honestly is one of my favorite resources for privacy related information just because it keeps up on a daily basis and is clicking refresh a thousand times to find out if the governor actually signed the bill.
But for, for up to the minute US tracking and progression, I, I enjoy Termageddon. Osano is an incredible company that provides a host of, of services as far as, you know, content management, DSAR responses, but really helps companies integrate privacy into the, and they do a really great job of providing entertaining privacy-related news.
They have a newsletter. But I’m never bored reading what they have to say and their careful, you know, analysis of what’s going on and what I need to remain on top of. And of course, the IAPP, I’m sure, you know, anyone that’s listening to Privacy Lawls is familiar with the International Association of Privacy Professionals, who has tremendous resources for global, you know, litigation and tracking and what we need to know and stay on top of.
Yeah, absolutely. I really like their news section, which kind of compiles privacy news from a lot of different sources. So you don’t have to spend hours and hours on 30 different websites. So I really enjoy that, that portion of the IAPP as well as like the certifications and the community aspect as well.
Yeah. So knowing that consumers do actually care about their privacy, how can companies make sure that their customers and prospects know that they care about their privacy as well? Well, I mean, invest the time and resources necessary to map their, you know, data collection and processes. I mean, on a public facing level, the privacy policy, cookie consent managers, and the things, you know, that the public sees is fantastic.
Obviously the, having clear and accurate data subjects rights requests in their privacy policy. And, and making it clear, we care about your rights and you can contact us about them at any time and making that process, you know, clear and understandable for the consumer is the best way, but also the flip side of that is the internal aspect and making sure that their employees, everyone at the organization is aware of what privacy is.
From a compliance standpoint, anyone listening feels my pain. It’s one thing to have the policy, but the people actually have to know about it and understand it on an internal level. So, you know, yeah, employee privacy policies and education and training are the best way to have a comprehensive privacy program to let the customers and prospects.
It trickles down, it shines through your employees when they know and care, to your customers, that you know and care. Yeah, absolutely. If I can add one thing here, you know, if somebody does reach it, reach out to you about a privacy question, you know, don’t send them an email back that says read our privacy policy, here’s the link.
Like, give them an actual answer, you know, explain the things that you’re actually doing. And if your sales and support staff aren’t trained enough to answer those questions, forward them on to the privacy lawyer on your staff or the, or the general counsel, you know, don’t get people to run around.
Don’t tell them, I’ll read the privacy policy when they ask like a substantive question. I’ve definitely run into those situations before and it’s very frustrating because as a privacy lawyer, I did read it. The reason why I’m reaching out to you is because your privacy policy did not adequately explain you know, what I was trying to find.
So I, I think having that, kind of having real responses to consumers, I think, is very important regarding privacy. And again, I mean, the resources that we talked about, you know, IAPP professionals, people listening to this podcast, there are ample trained people that you can outsource. If you have a small organization and you don’t have a budget to bring someone in house, there are people that can answer privacy questions in a human way and build your brand,
you know, while you’re scaling. Yeah, absolutely. Well, Rian, thank you so much for speaking with me today about privacy. Really appreciate your time, really appreciate your insights. It’s always great to see you. And for anyone listening, make sure to subscribe so you do not miss our next episode. Thank you so much, Donata.
Have a wonderful day.