Marketing Unf*cked

Collecting customer data is something businesses take for granted. It’s an expectation: if they can’t gather data on their customers’ behavior online, how else are brands meant to optimize their user journeys? Yet as legal battles between Google Analytics and European data protection authorities show no signs of slowing down, global businesses risk losing access to data on a massive market. They need to reconsider their compliance strategies — and quickly. The shifting landscape of data security is impacting marketers, businesses, and consumers, but are the changes benefiting anyone?

Show Notes

In this episode of Marketing Un*fucked, Siobhan and Russell talk to Cory Underwood, Analytics Engineer at Search Discovery, about all things privacy when it comes to marketing, legal, and analytics. Listen in as Cory shares his expert views on why brands can no longer collect data on everything and deal with compliance later, how data privacy goes beyond analytics teams to wreak havoc for marketing teams, and the rocky future of international data transfers.

In this episode:

The legal issues Google Analytics is facing in Europe will get worse before they get better.
What is the impact on consumers when their analytics data is accessible by a foreign government?
The issue extends beyond Google Analytics to become an issue of American businesses versus EU laws and regulations.
Data security becomes alarmingly complex when laws and regulations differ from state to state and country to country.
Will hefty fines for breaching GDPR encourage businesses to act to avoid being caught off guard?
Legal councils, marketers, and IT teams must share knowledge to protect businesses and customers.
Is it possible to be 100% compliant when privacy requirements evolve rapidly?
A lack of clear and unbiased materials explaining the situation and its implications prevents marketers from understanding rulings.
Are marketing agencies aware enough of privacy regulations to make effective decisions?
The challenge of retooling systems with entirely new architectures when the rules are constantly changing.
Could the cost of maintaining compliance see small businesses priced out of the market?
Will we see an increase in the number of businesses building compliance teams?
Businesses will need to weigh up the value of their data versus the potential risk.
How differing legal language and definitions between states and countries cause confusion.
Marketers need to move on from talking about third-party cookies and email open rates.

Resources:

Cory’s Blog

Cory on LinkedIn

Cory on Twitter

Creators & Guests

Host

Russell McAthy

Marketing Data Guy. CEO/CoFounder of Ringsidedata . Attribution Specialist. Forecaster. Speaker. Consultant. Entrepreneur.

Host

Siobhan Solberg

Bridging privacy & marketing. Optimization & measurement wizard. CIPM, CXL instructor,🎙Marketing Unf*cked. Winter swimmer.

What is Marketing Unf*cked?

The only actionable podcast to help you unfuck your marketing and run a business that gives a shit. Listen in on raw conversations with experts about ethics, privacy, and sustainability in marketing.

Siobhan: 00:10

And I think it's probably going to get worse before it gets better. Welcome to Marketing Unfucked, the only podcast that helps you unfuck your marketing by hosting conversations with all the badasses in the industry. We are your hosts, Siobhan and Russell. And today, we're joined by Corey Underwood. We're gonna talk all things privacy when it comes to marketing, legal, and analytics.

Siobhan: 00:31

Let's do

Corey: 00:32

do this.

Siobhan: 00:33

Thank you, Corey, for coming onto the show. I'm really excited about this conversation because we get to talk all things privacy. And I'm just gonna get right down to it from the beginning and ask you, what do you think about everything that's going on with Google Analytics in Europe right now?

Corey: 00:48

Hard to say because in some instances, I think it's going to be difficult because if you look at, for example, what Germany is doing and how some of the court cases out of Germany are like, yeah, you can't use the American owned provider. It's like, okay. But then Europe doesn't necessarily have the equivalent infrastructure in a lot of cases. And so what is that what like, what is the option for a European business? And then you have some of the data protection authorities being like, then we understand it's inconvenient, but economic impact is not in our purview.

Corey: 01:23

So we will just make the decision, and you can figure that out.

Russell: 01:28

And a lot of this comes down to terminology. Right? Because it's it's the American owned business is actually not necessarily the defining element. It's also where data is stored, where it flows through, and it's not always down to where the company is registered.

Corey: 01:47

Correct.

Russell: 01:47

That defines whether someone was winning a case on

Corey: 01:50

Right. In the in the case of the American scenario, America has the Cloud Act, which allows the US government to basically request copies of data regardless of where in the world it's stored, and that's one of the the basises that the, Scrums two decision was based around, which is why this is even a thing to begin with. So, like, they they invalidated the privacy shield, and so they were like, okay. Well, maybe the standard contract clauses will be sufficient. And then court cases later, you know, it's like, no.

Corey: 02:20

That's also not okay. So where does that leave you?

Russell: 02:25

Yeah.

Siobhan: 02:25

But where do we go with all that? Right? So we understand, like, we're all sitting here nodding our heads. Like, yeah. This isn't really working, or it won't work if it's gonna happen the way they say they wanna have to happen.

Siobhan: 02:36

So where do we go from there? Like, do you see a solution to the problem, or is it just a dead end?

Corey: 02:40

It's effectively a state level dispute between America and Europe. And I know they're working on the transatlantic data privacy framework. So I guess we'll have to see what happens with that, but I am not positive that that won't immediately be challenged either. So I don't know how many rounds of this we need to go through.

Russell: 03:01

And it's a by country basis in Europe as well. And then if anything, it's then a the legal teams that I speak to appetite for risk comes up pretty much every conversation, which is the internal legal counsel for said big brand. What appetite for risk do they have to win a legal battle with that country against the terminology used with the Cloud Act.

Corey: 03:28

Exactly. And if we look at, like, the the cases that I've gone through so far, those are some very well funded companies in some cases, and they're still getting hammered. So I don't I don't know, and I

Siobhan: 03:41

think it's probably going to get worse before it gets better. Because, I

Corey: 03:45

mean, the other alternative is on the American side, we could pass laws that restored, like, data adequacy status. Our midterms domestically are coming up, and then depending on which party gets control of both of the chambers might influence what that looks like for, like, the next several years.

Siobhan: 04:01

But then let's take that back a step, and let's talk about, you know, the end user, us, essentially. How is it actually affecting us, all of this? Right? Because we're all sort of in the field, so we hear a lot about it. And I'm sure we all have clients that come to us and say, okay.

Siobhan: 04:15

What do we do about this? But how does it affect the consumer? How does all of this mess long term help or not help?

Corey: 04:23

I have to question how many people are truly concerned about a foreign government reading their Google Analytics data. I mean, there are certain scenarios for sure where you would not want necessarily that data to to leave the geographic location from where it was collected. But, like, analytics data, I'm not quite sure would fit that.

Russell: 04:43

Well, I think just from a conversation I've had with a big multinational is where their their concern is that their revenue data, so which impacts stock market position in other stock markets outside of The US. So that is their main concern that's leading up to a shift in customer behavior. And if that business is doing well, someone from an external government could take a position for or against that business in a foreign stock exchange. That is niche, but can imagine the revenue being a non PII conversation because it isn't PII. That is a concern for organizations.

Corey: 05:31

Right. But it and I'm I'm gonna have the American view of this is, like, in America, if you're on the stock exchange, you have to file with the SEC. And so, theoretically, if you're being honest with everything, people have that information to a varying degree anyway.

Russell: 05:48

In in the American Stock Exchange, it is not the same for a company. Let's just take a company headquartered in Korea, South Korea, obviously. And if that company is headquartered in South Korea, they have Google Analytics or store data in GCP. Both of those scenarios, effectively, Google could be called on by the American government to pass information about secure financials or a multitude of other datasets that could benefit the American populace in a foreign stock exchange. Again, super

Corey: 06:31

Yeah. No. I get it. And, I mean, that is a real concern.

Russell: 06:34

The concern.

Corey: 06:35

I mean, I don't think that's an unfounded concern. I just have to wonder how likely it is.

Russell: 06:40

Yeah. And I don't think that's the conversations that we're having with brands at the moment who are being put off using Google Analytics because they're being put off using Google Analytics because of headlines on drama articles, not concerns about foreign stock exchanges in South Korea.

Corey: 06:59

Right. But everyone's focused on Google Analytics, but, really, it's an American services issue. And, like, Google Analytics gets a lot of the headlines, but if you actually, like, read the decisions that come through, it's not Google it's not a Google specific issue. It's like a American business versus the what the EU expects issue.

Russell: 07:20

Yeah. And do you think that his the the sort of Google Analytics has got the worst brunt of this because they have been incredibly slow to put the foundations in place when it comes to correctly hashing IPs, when it comes to the ability to remove data. All of their functionality has been slow, the stuff that a lot of other companies in this space have done in advance of those rulings. So I appreciate that, above all of this is the fact that if it's on any cloud server, you're kinda screwed in the first place. But a lot of the other fundamentals when it comes to storing any form of PII, when it comes to the ability to hash IPs or completely remove the concept of IP or PII from the system.

Russell: 08:12

GA has been slow or doesn't actually support it. That hasn't helped them, and therefore, the ruling probably wouldn't even have got to that point if they'd have done that in advance.

Corey: 08:22

I think that might be true to some extent, but I also have to I mean, that's the most common analytics platform. So just by sheer volume, they are a more interesting target because it it affects more people. So if your goal is to shift or, like, better protect data of European residents, like, they are a good candidate for that just because they capture more data of European residents.

Siobhan: 08:48

Yeah. But overall, I think, like, what's happening, right, is the whole landscape's changing with privacy, and it's it's really affecting all marketers and and a lot of consumers. And it's not just GA like you said. It's also not just analytics. It's not just the transfer of data.

Siobhan: 09:01

It's also all these, you know, then you have all the ePrivacy things and the consent pop ups. You've got so much going on, and then you have the cases in the states separately, California. So I still sometimes wanna question overall, is any of this actually helping us? And I think this is where I struggle with it. Right?

Siobhan: 09:19

Because, yes, I don't want my data anywhere. But at the same time is you've made my you know, the consumer pop ups, which has become they're harassing everyone on this, obviously, has become a hassle for anyone using them. Clients and marketers are worried that GA can't be used, but what can we use instead? Or they try to kind of find sneaky boots around it with server side setups, or they bring if they're large enough, they bring things in house. And then you've got these kind of rulings like the Sephora ruling where it's like, you're not allowed to sell, but were they really selling the do not sell thing?

Siobhan: 09:50

You know? So I'm still questioning kind of where this is all going. I know you're a huge advocate for privacy, and so am I. But at the same time, I feel like this is all being approached very kind of backwards. And and no matter how we read it, we can find all these issues everywhere.

Corey: 10:05

Right. So, globally, we're just seeing more regulation across the board. And in the states, we don't have a federal law unless it's very specific types of data. So, like, we have health data protections, but not with just general data. And I was having a conversation just the other day, and he was like, well, what is what do we have to do?

Corey: 10:25

And this is a national company. And I'm like, well, okay. So if we fast forward to next year, then you have six different scenarios. And he's like, that seems a little bit fuzzy. I'm like, well, yes, because you have five different state laws and all of the definitions are different, but then you have the other 45 states that don't have a state law.

Corey: 10:47

So your specific scenario will get potentially six different answers depending on what exactly we're discussing, and that's just within The United States. Then you added Europe, now we're at seven, and then you start adding on, like, other countries such as Brazil, and it just continues to increase in the complexity.

Siobhan: 11:06

So how do people handle it? I mean, do you have a suggestion, a solution, a process you're going through?

Corey: 11:13

In my experience, most people handle it badly if at all. But I think a couple things are starting to potentially change that. So out of the EU, we've been seeing more investigations get concluded with larger fines. So, theoretically, as enforcement continues to pick up, that should urge companies who may have been reluctant to finally act. In the state

Russell: 11:40

And what is the following for? Like, when in those for the people who are listening, like, what is the reason that those companies are getting fined? What is the the the sort of the specific element that is causing that business to end up being having to pay out?

Corey: 11:57

Usually, it's they're collecting or using data outside of one of the lawful bases that are afforded under GDPR. So the most common one that you see is consent. You know, we have consent to use your data for said purpose. And if they don't have that, do they fit one of the other five criteria? And if they don't, then they have no lawful basis for the processing.

Corey: 12:20

So that's a potential violation. And then one of the other ones that we've been seeing more in the news, this is the case with Google Analytics, is the international data transfers have a series of provisions that have to be met in order to for that data transfer to leave the EU bloc without having additional sign offs or consent layered on on the part of the user. And so in some cases, the con the company has been cited for sending the data internationally without all of the proper checks having been met.

Russell: 12:58

And that is a lot of the stuff that I know Google has been putting a lot of investment in to the sort of front end to tell the marketers, here is what we've put in place to try to resolve for this. So you have to select a server. You have to go through those sort of those loops as the marketer. But, ultimately, the marketer isn't the one who's gonna be paying the fine unless you've got a weird contract. The you basically have to set up an analytics package and then have that conversation with said analytics package to say, are you holding data in Europe for my European customers, And do you have the things, and I'm gonna say things with bunny ears here, in place that mean that it could hold up against scrutiny in a legal battle like your talk.

Corey: 13:55

And so most, I would venture, most IT teams or marketing teams do not have on their own sufficient knowledge to make those determinations. And so that involves, to your point earlier, involving legal counsel. And then often training said legal counsel to a sufficient point where they understand the technology, where they can make the assessment because often lawyers don't have the technical background to, like, review the architecture and be like, oh, well, that makes sense, and I understand totally how that works with the law. It's just not a

Russell: 14:31

Or or even to ask the right question in the first place. I think out of, like, the six large companies that we've signed in the last, I don't know, two months, One or two have asked the question, but we've told people that this is what you need to ask. But two two of those large companies, their legal counsel asked the specific question about where data is stored, how is data transferred, when it does potentially leave Europe, what things are in place. But that is for for large companies, that isn't a lot, and that should it should be six for six, not two

Siobhan: 15:10

for six. But I'm gonna interject here, I think, because, like, I've noticed a lot that it's not just legal counsel that's the problem. Right? And I've I talk about this a lot anyway. It's the fact that also that marketers or IT are completely oblivious to what's going on in privacy as well.

Siobhan: 15:24

So I feel like there needs to be a communication bridge there. Right? It's legal counsel, yes, needs to or, you know, the DPO, whatever, needs to get more on top of what their company is doing, what they need to ask for specific departments. And, yes, they need some training there, but that communication is two ways. And it is also marketing and IT's job to get more, like, versed in privacy and how it affects them because it affects a marketer very differently than it affects IT or an analytics team, a BI team, and various departments.

Siobhan: 15:54

So I hear a lot of marketers jump right on legal counsel and the DPO saying, oh, I can't stand them. I can't stand the privacy team. Now I'm both sides. Right? Because I and I I see this all the time.

Siobhan: 16:08

So I just sit there translating. It comes down to just talking the same language, and I think every aspect of a company needs to get better versed in privacy so that they can kind of grow this together and find a solution together. Because as long as it's siloed or we blame each other, there is no conversation to be had.

Corey: 16:25

I think the other issue is privacy is consistently evolving at a much faster rate than people realize. And so often companies approach it as, oh, I'm gonna make this single capital investment, and we're gonna do all the things, and then we're gonna be compliant forevermore. And that is not the reality.

Siobhan: 16:45

Definitely not.

Russell: 16:46

I've I've installed a cookie banner. Therefore, I my privacy is sorted till 2025. And you're like, cool. Firstly, that cookie banner is also breaking the law to start with because you haven't implemented it correctly. And secondly, that is not what privacy is.

Russell: 17:02

That is a completely different thing, completely different regulation. No.

Corey: 17:07

It's one aspect of, like, a whole privacy architecture. But we're starting to get to the point where, like, the regulation means computer systems need to be built specific ways to be functional with the different regulations, and that's a lot of effort to retool something that's already been built.

Russell: 17:26

And and I think there's one of the major issues for a marketer who isn't going to like, I appreciate both of you guys are way more aware of what's happening in privacy, and you keep on you read a lot of the articles that are put out there. But I don't think that the sort of most marketers are aware of where to find the information that's not biased. Because if you just read the change notes from Google Analytics, no shit is biased towards Google has done the most it could possibly do. We are now completely okay in every region. You're not.

Russell: 18:07

Secondly, I think the other thing is you can't a lot of marketers won't be able to read legal rulings and understand them because they're written by lawyers, and a lot of contracts are written and especially the rulings are written in a way that you just can't understand it. I can't understand most of them. So I think that there is definitely a lack of clear, this is what's happening, here are the implications, because the bit that's there that's wishy washy is, here are the implications for the brand I'm talking about at the moment, and that is incredibly custom to that business, their setup, their technology stacks, their privacy logic that they are allowed to use in the regions that they're targeting. And unless they've read Corey's blog posts over the last sort of five, six weeks, you probably don't know about half the stuff you've written about there because that's not been in the majority of marketing news. And it's also if it has been, it's been covered by someone who is probably favorable to a technology or another, whether that be the Adobes, the Googles, or the independents of the world.

Russell: 19:19

All of those have something they've got something to play for, whereas there's not many places you can find independent marketing written privacy updates. Or am I

Siobhan: 19:32

Other than Corey's blog.

Russell: 19:35

Other than Corey's

Corey: 19:37

It does seem to be a fairly rare topic.

Russell: 19:40

That is valid for every company in the world that sells to anyone in The United States or Europe. So we're basically covering probably 60 to 70% of global ecommerce revenue off the bat.

Corey: 19:54

Right. But if you, like, look at a lot of privacy compliance agencies, they don't talk about the marketing impact or, like, how you would need to adjust your marketing really at all. They're just looking at the compliance risk. And then if you go to a marketing agency, you're lucky if they're even aware of the privacy regulation stuff that might be impacting them.

Siobhan: 20:13

No. But then also if you talk to the client, if you understand privacy, they look at you like you've got two heads. Like, oh, we have that consent banner. That doesn't work. But and that's the that's the whole it's like, I feel like everyone is completely not on top of it, and everyone is not talking to each other, and that's, like, the problem.

Siobhan: 20:32

I just wanted to go back to you saying the retooling thing because why would you retool a system when it's constantly changing and you don't know what's coming up next?

Corey: 20:40

So a good example is several years ago, there was the desire to, like, localize all the data in one location. And maybe that's not viable because maybe said country that you were pulling data from now just means that it be stored in its own borders, so you have to, like, break that out and that so you're basically paying the cost twice, once to move it in, then you're making that same investment again to move it back out. And it can be very difficult to detangle something after you've you've integrated it. Additionally, just with all of the different things happening in the browser space with how cookies get handled, you're seeing stuff move from JavaScript to server based, and so that's a whole different architecture because if you have a high cache offset because you don't wanna buy server racks to, like, handle your website, so you're using something like CloudFlare or Akamai to handle 90% of your inbound traffic, but now you need to come back to a server to set the cookie, that is a substantially different architecture in terms of, like, hardware that you are would even be required to not crash under the server load potentially during, like, a Black Friday or major holiday shopping season.

Siobhan: 21:48

Yeah. I don't know. It's it's a hard it's a hard sell, isn't it?

Corey: 21:52

Right. Like, even Google Tag Manager server side, like, yeah, it's App Engine in GCP. But if you get a lot of traffic, you need a load balancer in front of it because you need it to auto scale. Otherwise, you're just not gonna get the data capture. And as it scales, there's a flexible cost there because they'll throw enough hardware at it to cover the the load, but you pay for that.

Siobhan: 22:15

And then the smaller businesses, like, get the brunt of it, and they can't handle that cost and they disappear. Right? And that's this is the issue I have

Russell: 22:22

with privacy. Possibility.

Siobhan: 22:24

Yeah. This is the problem I have with the I love privacy, but I have a problem with a little bit how it's, like, playing out.

Corey: 22:30

I did see an article the other day that estimated because The United States is so fragmented currently that as different states sign their own specific privacy laws, the cost to US businesses could exceed $1,000,000,000,000 over the next ten years.

Siobhan: 22:46

Why?

Corey: 22:47

For standing up would be you know, like maintaining compliance for all the different privacy regulations.

Russell: 22:51

Am I right that that's 10,000,000,000 a year then if I've done the zeros correct?

Siobhan: 22:59

I was not attempting that.

Russell: 23:01

Yeah. I'm always conscious of anything above a million, if I'm honest. But that is a ridiculous amount of money. Do you think that like, from a let's take a midsize business because I think small businesses like, most peep people are not gonna end up in core for small businesses, like the mom and pops. They're not the ones that they're going to be having to implement technology because someone else has been sued because it's kinda pointless because that company would not be the issue.

Russell: 23:34

I think the major issue is for the medium and large businesses who potentially have an agency, they spend sort of $5.06 figures a month on an agency. The agency doesn't understand privacy. And you've got an email marketing agency that wants to capture PII. You've got email addresses being thrown around in Google Sheets and Excel spreadsheets. That's a privacy nightmare that someone has to deal with.

Russell: 24:01

We've got audiences created through cookies, which is also how are you dealing with that from a privacy perspective. And then you have the data that's being captured from an analytics perspective within CRM systems, within DMPs, wherever they wanna be called next week, and then analytics. And analytics tends to talk about it the most because I think that the analytics team has always been data people, and therefore, they're very conscious that data and privacy are hand in hand. All of those other teams, data is part of what they do, but it's not everything. But they're the ones, if anything, that have more PII, have way more chance of having risk associated with them because customer information and customer details are going to be involved in that conversation.

Russell: 24:53

So is it that we need to be educating those other teams, the email marketers of the world, who being able to email someone is everything to them, and yet that is a major risk that needs to be mitigated. Is it an education process for, like, the analytics teams to those other marketers? Because they're not involved in these conversations at the moment in most businesses.

Corey: 25:21

I don't think it's necessarily an education thing to the marketing team because I think increasingly what we're gonna see is companies need to not task analytics with doing the explaining for that and explaining for that and having to build out compliance teams to handle all of that just because it's it's a lot to throw on an analytics team that maybe has no technical or even legal support. It's like, figure out how all your data is changing and why, you know, and help us fix it because you can clearly model that. Right? But you can't model something you don't understand. To your point, though, in at least in the American laws, a lot of them only kick in at certain thresholds, either revenue or, like, number of data subject wise.

Corey: 26:05

So it's not like the smaller shops have to worry about that, but, like, once you start hitting those thresholds, like, the compliance costs, like, escalate quickly. And what we're gonna start seeing next year is California requires risk assessments for several different kinds of activity that you have to submit, and then Colorado requires both risk assessments and cybersecurity assessments. California also requires cybersecurity assessments. Both of those are not defined as to what they necessarily involve, but if your company doesn't have a cybersecurity program, now you need one. And then we're gonna start seeing states such as Virginia require effectively data protection impact assessments for certain kinds of activities such as targeted advertising, as targeted advertising is defined by the state of Virginia, which may or may not be different than every other state because reasons.

Corey: 26:56

Yeah.

Siobhan: 26:56

And that's the other thing. Right?

Russell: 26:57

So you're gonna end up with the

Siobhan: 26:59

That's the other thing. Right? It's like it's like the Sephora's case. It's how do you read the law? What is it actually interpreted at?

Siobhan: 27:05

And then they settled because they were freaking out about how much it could cost. And and that's not a small company.

Corey: 27:12

Right. And so even though your fine was only $1,200,000, if the proposed settlement is agreed to, like, they have to build a compliance program and run that for two years and make reports to the state of California saying that periodically, we are continuously compliant, but a lot of different, you know, country a lot of different states and companies are probably gonna be like, oh, no. We we weren't aware. And so once the attorney generals per said states start looking at it, or in the case of California, they have a whole new, like, a whole new branch of government whose sole focus is looking at this, that is probably going to cause a spike in concern. The other thing to keep in mind is a lot of the American laws have, like, a the attorney general needs to notify you and give you x number of days to fix it before they bring you like, cite you for trial.

Corey: 28:05

California is removing that provision come January. Like, they don't they don't need to to warn you any longer.

Siobhan: 28:11

Yeah.

Corey: 28:12

And I think that's gonna catch a lot of people off guard.

Russell: 28:14

So when are you creating your new company that basically creates these reports for cybersecurity? Like, so many so many businesses popped up a few years ago when GDPR was, like, the buzzword where these legal firms that created out of nowhere with one person who was obviously a freelance lawyer basically wrote certificates to say that we are GDPR compliant now. We are we gonna see loads of those businesses pop up to go with specialists in the ability to create a certificate that covers this business for cybersecurity as per this definition. Are we gonna see those pop up in the next six

Corey: 28:58

I mean, it's definitely possible. If people think there's money there, then that's gonna be a thing that happens. But, like, I know globally

Russell: 29:05

Which there is money there, obviously, because as soon as you go, oh, it's a 1.2 mil fine to settle. Oh, okay. Well, if I spend $30 for a certificate, then I don't have to pay a fine.

Corey: 29:18

I would say, you know, necessarily you don't have to pay the fine. You might have a decreased risk of having to pay a fine because it's hard to

Russell: 29:25

Okay. You're basically a lawyer, but that type of response. Gonna be like,

Corey: 29:29

we guarantee this and we'll fight your legal battles for you because that is just insanity. No no company is gonna say that.

Russell: 29:35

But I think it's more it's the same with GDPR. Like, it was the wording has never been so specific that anyone could say I'm completely compliant because it turns down to the way that it is between the two lawyers in any legal battle. This is how we've taken this. Here is how we prove our side of this, and the other side does the same thing. And within any legal battle like that, it comes down to the definitions that are used and how you've taken on those definitions and whether you can prove that you've done the best that you could do to counter those from the other side as well.

Russell: 30:18

And I think that we're just gonna see the same thing that happened with GDPR happen again with this in The US and then how that is dealt with in Europe following that as well. Right.

Corey: 30:29

And so the other question becomes, how aggressively are the different attorney generals going to enforce it? Because, like, California's been had two years to trial it out. Like, the other four states are net new, so it's gonna be interesting. The other thing is California has, like, dedicated funding written into the law. They have the funding, whereas the attorney general has to pull enforcement out of, like, their collective funding that they use for all of things.

Russell: 30:57

And so does it come down to if there are enough cases won in other states, money will be moved to money will be shuffled around in future states that have this legislation. And then it also and this is down to watching loads of TV dramas. If the AG is up for reelection, that is also gonna play into their appetite to go for cases, events, big businesses.

Corey: 31:23

Probably. Probably all the things.

Russell: 31:26

Awesome.

Corey: 31:28

I mean, like Realized drama. You can divide your consent platform between, in The US example, like, six different scenarios, but why would you wanna bring on all the extra overhead? Like, is the data so important to you that you wanna have all that extra overhead where you can avoid it? I don't know.

Siobhan: 31:46

Yeah. It comes down to that conversation.

Corey: 31:48

Probably. But I I'm of the opinion that the simpler you can keep the the software system, the better it's probably gonna work.

Siobhan: 31:57

I guess it comes down to just people asking now. Right? Like, they have to risk they have to model their risk versus the value of their data. That's what it comes down to. Right?

Siobhan: 32:04

Like, decide how valuable is your data and how much risk am I willing to take for that value. And if they can fit that on the quadrant or whatever, however they wanna framework it, then that's gonna drive their decision.

Corey: 32:18

The interesting thing in The United States, though, is over the last couple of months, we've seen the Federal Trade Commission be like, yeah. We're gonna aggressively go after people who misrepresent what they do. So So for example, if your privacy policy says one thing and then your site does something else that is not the same thing that you just told the customer you're doing, they all cite you for deceptive trade practices and they will take you to court for that. And then in the case of Sephora, the California attorney general caught them in an enforcement sweep, which means that agency at least will be probably proactive in reviewing companies and looking for violation and not reliant solely on consumer complaints, which is a substantially different risk profile. Because one of them is like, well, what is the likelihood a customer is gonna actually type up a letter and send it to the attorney general versus what is the likelihood the attorney general's office is going to find me because they have nothing better to do on it Tuesday afternoon?

Siobhan: 33:13

And a

Russell: 33:14

lot of this will come to how many times they win versus how many times they lose. If they keep on going after businesses and ultimately lose, then you'll see that type of activity, one presumes, fall back a bit, and it will then just be on complaints. But if they keep on winning, then people need to be more and more concerned. My my my concern from a the conversations I have with brands is that they, historically, it was very much the we'll capture everything, and then we'll work out what we do with data. That's a generic statement that was kind of where businesses have been.

Russell: 33:52

Cloud is cheap, so we can dump everything in the cloud, and we'll deal with it later. And now the concern and the questions that I I hear that are happening is we don't know what we are allowed to store and what we're not. What constitutes something that we're not supposed to be storing for someone? And so there's an element of, well, we don't need that, so we're not gonna store it, which is probably the best route of this. But, also, there's questions on very, like, customer ID being one that comes up reasonably often.

Russell: 34:28

Well, that's a unique identifier. That's an identifier for a customer. Even though it's pseudo anonymous, well, what does that actually allow us to do under regulations in each European country and now each US state? Where does where does customer idea fall into this? People don't know, so they ask those questions.

Russell: 34:49

They're unaware of pseudo anonymous versus anonymous, and there are so many terms like that that are thrown around where people just don't understand. And I think that's fair that they don't understand.

Corey: 34:59

It it does not help that the definitions for a lot of those things change depending on what regulation you're looking at. So for example, California determines selling as the exchange of data between two companies for any benefit, and Virginia is the exchange of data between two companies for monetary.

Siobhan: 35:18

No. It's a really vague subject. Right? I mean, it's just it's just it's like you said, the whole conversation is just everything's always changing. I want to ask you one thing in closing.

Siobhan: 35:28

I want to see where do you see this all kind of going over the next month and, you know, year even? Where do you see us heading with all this?

Corey: 35:35

In The United States, we're kinda wrapping up the legislature season in the different states. I don't think anything else is going to be announced this year. Next year, we get to see if they if they bring back up the, the federal privacy law in the house. But depending on which parties prevail in the midterms, that may or may not even be a consideration. If that does not happen, we may see increased appetite of the states that have yet to pass privacy laws begin to do so because that is there's a number of states that have that in committee.

Corey: 36:14

So we'll see, but we definitely know that there's five states as of right now, and we know that the FTC has an increased enforcement appetite. In Europe, in between The United States, will the Transatlantic Data Partnership agreement be resolved? Will we have to even see a draft? I don't know. That will potentially dramatically change things.

Corey: 36:35

Then we saw just yesterday, the Brussels court refer the case of real time bidding to the high court in Europe. And so if that gets resolved one way or the other, that will dramatically transform marketing in Europe. And then we know the European data protection board is reviewing, cloud usage this year in a cross country effort. And so depending and they wanna look at cloud usage specifically in the context of, like, GDPR and such. So the findings of that report should be very interesting.

Corey: 37:12

And then we have, like, the rest of the world to look at. So it depends on how global your specific company is to either you don't care at all because you don't deal with enough data that it matters, or you care about all the things and you are probably under spending in compliance efforts because that is all about to go up.

Russell: 37:36

Well, that was an ultimately quite negative view of things. I think we should just share all the data and privacy doesn't exist anymore, which would solve all of these issues. And people should not care if you find out what your email address is. Just but spam everything. That would solve everything, Corey.

Russell: 37:56

I don't know why you'll be in Sunday. Did you actually read these legal Yeah.

Corey: 38:02

RFC for how cookies get handled, like, the Internet engineering task force. Like, when you actually read that specification, they're like there's a lot of diverging implementations of how third party cookies are handled, citing, like, WebKit blocks them and Chrome allows them and Firefox blocks them or restricts them to the domain. And they're like, and we see this getting worse before it gets better. So you should not assume that any cookie that you set is available anywhere else, and that would probably be best for you.

Siobhan: 38:36

Oh, I love it.

Russell: 38:37

What what blows my mind is the industry as a whole still talks about third party cookies that kind of work. Like, the amount of email marketing systems that still talk about open rates Yeah. And you're like, you know that doesn't work on iOS devices, guys. Like, when you talk about an open rate of an email being a percent, that's of a very small percent of your total, and you still talk about it like it's 2,006. It's just not that like that anymore.

Russell: 39:07

We've got a wrap up. Really enjoy the conversation, Corey. I think we could do another forty minutes, which we may do in the next season because by then, there's probably even more than forty minutes worth of content to talk about when that happens. So we'd love to have you back. In the meantime, where can people find you?

Russell: 39:26

Can you talk about your blog? Because that's the one of the places that they should definitely should go. And where they find you on socials and and the rest

Corey: 39:32

of the Internet. Sure. So my blog is cunderwood.dev, and I talk about mostly analytics, privacy, and optimization type things. So the topics vary between those things. And there's links on the blog that link to my Twitter and LinkedIn.

Corey: 39:50

I can also be found on the Measure Slack, which is measure. Chat, And I hang out in the data privacy channel, and I talk with all the people there about that thing. So any of those places.

Siobhan: 40:03

Great.

Russell: 40:03

Awesome. Well, thank you very much for coming on Marketing on Fart. And, if you want to listen to more episodes, we've just put up one with Janice, and there's a few more going up in the next few weeks as well. We were on Spotify. We're on, all of the other streaming platforms.

Russell: 40:22

Thank you very much, Corey. Thank you, John, and we'll speak to you all

Siobhan: 40:24

soon.

Why compliance should be your first thought, not an afterthought | Cory Underwood

Why compliance should be your first thought, not an afterthought | Cory UnderwoodWhy compliance should be your first thought, not an afterthought | Cory Underwood

More episodes

Why compliance should be your first thought, not an afterthought | Cory Underwood

Why compliance should be your first thought, not an afterthought | Cory Underwood

Chapters

Show Notes

Creators & Guests

What is Marketing Unf*cked?