

Masters of Privacy
Sergio Maldonado
Interviews and updates at the intersection of marketing, data, privacy, and technology. With an eye on a human-centric, demand-led future in which transparency, control, and personal agency play a crucial role.
Sergio Maldonado (host) is a triple-qualified lawyer (California, England & Wales, Spain), entrepreneur, investor, guest lecturer at various universities. LL.M in IT & Internet Law, FIP, CIPP/E/US, CIPT. www.mastersofprivacy.com
Episodes

Oct 16, 2023 • 36min
Cory Underwood: The new privacy landscape for US-based digital marketers
Cory Underwood is a Privacy and Data Analytics Engineer with a strong marketing data technology background and a good knowledge of both US and EU ePrivacy law. Cory supports the data privacy offerings of Atlanta-based Search Discovery (a data strategy and activation company), leveraging eight years of experience in privacy efforts and multiple privacy-related certifications to enable clients to understand the impact of privacy changes. With a combined thirteen years of experience in technology, Cory specializes in speaking and writing on his blog (cunderwood.dev) about upcoming privacy changes, allowing readers to take a proactive approach to compliance challenges.
In our second interview with Cory we have looked for answers to the following questions: What does it take for Digital Marketers to comply with State-level Privacy laws in California, Virginia, Colorado, and beyond? Will the US internet suffer the fate of European websites, annoying consumers with user-unfriendly consent pop-ups that mean little and cost millions? Why do some US websites insist on replicating the European ordeal if there are no opt-in requirements? What will be the side effects of large platforms adapting to the EU’s Digital Services Act in terms of transparency and return on investment for SMEs? Where will Topics API, the star framework of Chrome’s Privacy Sandbox, fall in terms of consent requirements?
References: Cory Underwood on LinkedIn; Cory Underwood on X; Cory Underwood’s blog; Search Discovery: An audit of 500 sites for CCPA and Colorado Privacy Act compliance; Global Privacy Control; Sephora settlement; CNIL’s considerations on the Privacy Sandbox and Topics API, July 2023 (FR); Apple’s Link Tracking Protection and other Privacy features in iOS 17; Meta’s Robyn (open framework for Media Mix Modeling); Apple’s Private Click Measurement specification for privacy-first optimization; Masters of Privacy: Cory Underwood on Global Privacy Control and a GDPR-compliant Google Analytics (September 25th, 2022).
This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Oct 9, 2023 • 25min
Katharine Jarmul: Demystifying Privacy Enhancing Technologies
Katharine Jarmul is a privacy activist and data scientist focused on privacy and security in data science workflows. She’s a principal data scientist at Thoughtworks and has worked at various companies in the US and Germany before that. She is also a frequent keynote speaker at software and AI conferences. Katharine has recently published “Practical Data Privacy” (O’Reilly, 2023), in which she provides a deep dive into Privacy Enhancing Technologies (“PET”), including detailed answers to increasingly common questions: How can we actually anonymize data? How does federated learning work? Can we already leverage Homomorphic Encryption to run analysis or work with data even while it is encrypted? How can we compare and pick the most appropriate PETs? Can we use open source libraries?
In our discussion: Can we bring Privacy Enhancing Technologies down to earth for smaller companies to understand and apply them on a regular basis? Are they otherwise the monopoly of Big Tech, and does this mean that a company like Meta ends up becoming the unlikely poster child for Privacy by Design? Can we really speak of a common ethical framework for AI or GenAI? How does a US/Western Europe ethical framework fit within African or Asian cultures? Can we break the convenience barrier when it comes to individual control?
References: Katharine Jarmul, Practical Data Privacy (O’Reilly, 2023); Katharine Jarmul on LinkedIn; Katharine Jarmul on X; Ethics in eCommerce Summit; Shoshana Zuboff, The Age of Surveillance Capitalism.

Oct 2, 2023 • 29min
Jakob Plesner: Copyright Exceptions for Generative AI
Attorney Jakob Plesner Mathiasen discusses the copyright implications of Generative AI, including challenges with fair use and copyright protection. He explores exemptions in European legislation, compares them with US fair use laws, and explores copyright exceptions for text and data mining. The podcast also delves into the challenges of copyright protection for generative AI and the role of streaming platforms in filtering out AI-generated rip-offs.

Sep 25, 2023 • 29min
Ito Onojeghuo: Effective Privacy Notices
Data Protection Consultant Ito Onojeghuo discusses effective privacy notices, transparency requirements, tailoring language for different audiences, improving privacy notices through feedback loops, and challenges with call centers and customized privacy notices.

Sep 12, 2023 • 25min
Newsroom: Summer 2023
Have you spent the past three months isolated from the world? We are bringing you up to speed with a long list of updates and news at the intersection of marketing, data, privacy, and technology. Visit this episode's blog post on Masters of Privacy for a long list of references and notes.

Jul 11, 2023 • 27min
Nick Baskett: Mastering DPIAs
Nick Baskett is DPO at Holland & Barrett. He has a personal interest in ethics and philosophy, encryption and AI, and he once published a book on Data Protection Impact Assessments. He was also the founder of one of the early Cyber Security consultancies in the UK (Matta). With Nick we have discussed best practices around Data Protection Impact Assessments or Privacy Impact Assessments, including their management at scale in the context of privacy operations, as well as risk assessment efforts associated with Generative AI projects.
References: Nick Baskett on LinkedIn; EDPB Guidelines on Data Protection Impact Assessments; ICO: Data Protection Impact Assessments (guidelines and templates); ICO: Eight questions to ask ourselves in order to manage Generative AI.

Jun 29, 2023 • 25min
Catherine King: from words to action in data ethics
Catherine King is a content creator, moderator, enabler and instructor in the fields of data ethics and also the broader data and analytics space. She is currently global head of brand engagement at Orbition. Catherine was recently a speaker at the Ethics in eCommerce Summit in London (put together by the Ethical Commerce Alliance), where we met. With her we have explored a more controversial and practical approach to data ethics, under the acceptance that morals reflect a particular stance in a wide range of really important social issues, rather than a universal truth applicable to all.
References: Orbition Group; Catherine King on LinkedIn; Ethical Commerce Alliance; Courtnie Abercrombie: AI Truth and books; Decoding Data Ethics to inspire concrete business decisions (Sergio Maldonado).

Jun 18, 2023 • 47min
Newsroom: Spring 2023
With Nina Müller, Ethical Commerce Alliance Director and host of the Ethical Allies podcast.
Notes: A more comprehensive coverage of all relevant updates can be found on our blog. The topics below have been specifically addressed during this recording:
GDPR fines reached a new record when the Irish DPA, following considerable pressure from the EDPB, issued a 1.2bn EUR fine to Meta for its inability to comply with the Schrems II CJEU doctrine. The company behind Facebook, Instagram, and WhatsApp was also asked to cease all data transfers to the US. It was made clear that there is no possible way to either rely on SCCs (already updated to their latest post-Schrems II version, and already complemented with additional safeguards that only stopped short of end-to-end encryption) or any of the available derogations. This leaves the upcoming EU-US Data Privacy Framework as the only way out of the current deadlock, which affects a vast majority of businesses operating in the European Union.
LinkedIn is expecting its own GDPR fine in Ireland. Microsoft has set aside $425m for the expected DPC blow, as the supervisor completes an investigation initiated in 2018.
The Austrian supervisor sided with NOYB/Max Schrems and considered that a website had breached the GDPR through the inclusion of a Meta/Facebook pixel and Single Sign-On widget (resulting in a personal data transfer to the United States). It appears from the decision that isolating either of these two features would not have made a difference, and, as well explained by Jorge García Herrero (ES), this misses a few key technical details: whereas the SSO will only result in a transfer of limited information from Meta to the website (i.e. in the opposite direction), the Facebook pixel collects entirely new hits or “events” for existing users of the platform. Also, Meta was here considered a mere data processor despite the fact that the company seems to be in full control of the purposes and means of the processing (note: the EDPB Guidelines on targeting social media users make Meta a joint controller in the use of Facebook pixels for paid advertising scenarios).
TikTok suffered additional blows on the basis of both the privacy risks entailed in the Chinese Government accessing personal information about US or EU citizens, and the ability of its secret algorithm to curate the specific content made available to said individuals, thus exerting an undesirable level of influence. While its US CEO, Shou Zi Chew, testified before Congress, the US Federal Government, as well as many others throughout Europe, forbade their own personnel the use of the app on their official devices. Montana announced fines for the Google Play and Apple iOS stores if the app was not hidden for Montana-based individuals by January 1st 2024.
The EU Commission announced that it would stress-test Twitter’s ability to respond to disinformation in line with the upcoming Digital Services Act to ascertain whether it will already be at risk of breaching the new legal framework before it enters into force on August 25th. The company had announced its withdrawal from a voluntary code of conduct.
Filtering out the robots on a given website (through the typical prompt that only a human should be able to respond to successfully) has just become more expensive. France’s CNIL issued an ePrivacy fine to scooter company Citiscoot for its retrieval of device information in the use of Google reCAPTCHA (it was accompanied by a separate breach of the GDPR due to its excessive collection of geo-location data). For its part, the Finnish DPO ordered (FI) the Finnish Meteorological Institute to disable the same tool (Google reCAPTCHA) on the basis of the resulting EU-US data transfers in the current post-Schrems II scenario. In this case Google Analytics was also involved in the decision for the same reasons, and the Institute ended up removing both tools from its website as well as being asked to delete all of the historical data available.
CNIL issued a 380k EUR fine to pan-European medical advice service Doctissimo for various GDPR infringements as well as a breach of the ePrivacy Directive (responsible for 100k of the total amount) consisting in serving two advertising cookies after users had selected the Reject All option in the website’s consent banner.
FTC enforcement actions involving the use of website/app user data for digital marketing purposes (healthcare, children): GoodRx, Betterhelp, Edmodo, Premom.
The CNIL published the results of its own research on the use of cookies (assisted by CookieViz, an auditing tool developed internally, now open sourced) and the evolution of acceptance rates and third party cookie numbers over time. Other than a reminder of the 421 EUR piling up in cookie-related fines since 2020, the report contains interesting conclusions: 68% of French internet users consider that the information provided by the advertising ecosystem is insufficient or non-existent; 39% are now rejecting all cookies, with 49% actively managing their consent preferences (analytics-related cookies are normally favored); the share of sites serving more than 6 third-party cookies dropped to 12% from 24%, with 29% of all websites not serving any third-party cookies at all (vs. 20%).
The IAB released TCF 2.2 on May 16th, finally removing the extremely confusing legitimate interest selectors for advertising and content personalization, replacing purposes and feature descriptions with a more user-friendly language, standardizing information about vendors, and providing a path for end users to withdraw their consent. CMPs are due to implement these changes by September 30th 2023.
Following the TCF 2.2 announcement, Google has started reviewing and certifying Consent Management Platforms, introducing new requirements under its Additional Consent Mode specification (important to remember that Consent Mode’s Ghost call is still considered in breach of ePrivacy unless consent is specifically requested).

May 28, 2023 • 36min
Adam Klee: combining media addressability, privacy compliance and customer empowerment
Adam Klee has an impressive resume in the AdTech world, having worked at Disney, Google, NBC, Twitter, Polar, and Spotify. He is the founder of Licorice, a platform that “gives consumers the privacy they want and publishers the data they need”. Adam’s passion for solving this problem comes from both his years developing new ways to help drive better yield for publishers, and his experience as a consumer, where he thinks privacy should come standard.
We are covering: why email-based identity solutions (as an alternative to cookies) are flawed; what consumers expect in the media monetization trade-off (ad blockers!); different degrees of control and convenience, and how consent banners are the opposite of both; a formula to rely on other legal bases (such as the GDPR’s legitimate interest) when no individual deduplication is involved.
References: Adam Klee on LinkedIn; Licorice; Licorice featured on AdExchanger: Programmatic Vets Are Behind A Wave Of New Startups Built For A Privacy-First Web; Topics API (Chrome Privacy Sandbox).

Apr 27, 2023 • 25min
Eve-Christie Vermynck: Responding to a personal data breach
Eve-Christie Vermynck is a dual-admitted lawyer (civil law, common law) working at Skadden, Arps, Slate, Meagher & Flom. She advises clients on Cybersecurity, Privacy, IT/IP, blockchain and related topics. She is also a member of the Data Law Committee at The City of London Law Society. With Eve-Christie we are going to discuss the specific practical steps when it comes to dealing with personal data breaches in the UK or the EU.
References: Eve-Christie Vermynck on LinkedIn; Eve-Christie Vermynck’s full profile (Skadden); Twitter’s 2023 data breach; Aftermath of the Royal Mail’s cyber-attack; ICO’s guidance on personal data breaches.


