Subscribe
Share
Share
Embed
Claritas helps companies find customers. Through our podcasts we hope to help you better understand consumers, why they buy, and how they prefer to interact with you. We'll explore topics important to today's marketers so we can get you one step closer to your next customer.
Monique Ruiz 0:10
Hello and welcome to episode one of the 2023 season at the marketing insider, a podcast for marketers focused on finding and targeting their ideal customers at scale. I'm your host, Monique Ruiz, and I thank you for continuing to follow us on this journey to share what's happening across the marketing spectrum with various industries. From the innovations at Clara toss, the success we're seeing others achieve and the secrets to how they got to where they are. Plus a hard look at where there's still room for growth to make our marketing lives easier. To kick off the new season, we're revisiting the topic that always seems to pop up this time of year, causing a major shake up for go to market strategies. You've probably already guessed it, we're talking identity resolution and privacy regulations. As always to join me in this particular conversation is Clara toss his own Chief Technology Officer al gad. But later on, we'll be hearing from Teresa troester Focke, the CEO and founder of blue sky privacy, an operational privacy company that helps other companies understand their privacy compliance requirements and turn them into practical sustainable business processes. First step though, our welcome back to the marketing Insider.
Al Gadbut 1:28
Hey, Monique, what a real privilege to be able to kick off the year with you. That's, that's exciting. I think this is our third year. So this topic,
Monique Ruiz 1:36
yeah, yeah. So as a reminder, you're our Chief Technology Officer. So can you tell our listeners a little bit about what you're responsible for and kind of what your day to day looks like?
Al Gadbut 1:47
One of the hats that I have is I'm working with a small group of folks who are focusing on trends, both legal and technical, that impact privacy and policy that within the marketplace, it's changing how we deal with consumer information, new rights, new technical challenges that are coming up in in new browsers that are being created, and so on. We're tracking all of those things and, and looking at how that's impacting how we deliver products. So that we're a staying on the right side of the law and policy but but continuing to help our clients get the solutions that they need, but doing it in the right way.
Monique Ruiz 2:29
So diving right in if my math is correct, and it probably isn't, because this industry is so evolving, but there are at least five legislations like California CCPA that were passed and go into effect this year. Can you explain what those are? And at a high level, what they mean for marketers?
Al Gadbut 2:49
Yeah, there are there are five laws that have gone into effect at the state level, you really want to kind of look at this from a standpoint of CPRA, which is a California Privacy Rights Act. And that's an extension of CCPA, which was the California Consumer Privacy Act, which went into effect a couple of years ago, both of those laws, they established a set of rights for consumer, it set out a definition for what what represents personally identifiable information. And in those laws, they granted consumer has to live in the state of California, certain rights, the ability to get a report from anybody who is carrying consumer data in the state of California, it gives those consumers the right to opt out from their data being sold. It also gave them for the first time or right to have their data deleted. It's important to think about this. So these were all really powerful consumer rights. But they were rights that were predicated on a disclosure, it was important for any data company or anybody who holds consumer data to not disclose. And then it also provided in opportunity, or right for the consumer to determine what was done with that data. In other words, they can they can object as I said before, or requested deletion, they realized he needed to change CCPA to a certain extent. And that developed CPRA that has some additional modifications of CCPA, which made a lot of sense. It also developed a new class of personal information. It was the first one to really start calling out what they considered sensitive personal information, sensitive personal information, or includes things like health information, biometric information, specific financial information, actually knowing how much money is in your in your 401k and things of that nature and became more sensitive personal information. Aside from it, things that do impact us things like race, ethnicity, sexual orientation, religion, those are all sensitive personal information as well. And that became covered by CPRA. One of the interesting things that came out of that as well as creating this new class of personal info mention it started creating limitations or at least a definition, or requiring companies define or call out how long they were going to hold and maintain that that information, and to be able to justify why they were holding it for a period of time. Because up until then, there really wasn't anything that prevented a company from gathering information, and then holding it for years and years and years. And still, there's justification in some cases to do that. But when you're when you're in a technical world, where the storage space is cheap, I mean, terabytes or $1 a month, you're just holding on to that data became, you know, people feel well, why not? It is, well, you had to be able to justify it. And you had to have some sort of time limit is how long, you know, a lot of states let somebody like a California and New York or Massachusetts, or in some cases a Texas kind of take the lead. After it blows up, they see where the problems are, and then they create their own their own modified version of and then an interesting thing happened, it wasn't really about our industry. But it turned out that it definitely impacted our industry, the Virginia Legislature got together and they created the Virginia Consumer Privacy Act. But what Virginia did, which was really different is they said, Well, if you're going to use or you're going to have an SPI, you have to have an opt in from the consumer. So this is the first time within the US that a law was created, that now begins to start looking like what was going on in Europe, the GDPR, which is an opt in law. So thinking about this, up until this point, all laws were about notification, intent, and disclosure. Virginia is the first law in the US that requires an opt in. And then from there, Colorado, Connecticut, Utah. But while Utah is a little bit different than Connecticut, and in Colorado, followed suit, and they they developed laws that were very, very similar to Virginia almost verbatim. So those laws are now on the books. Suffice to say that the laws are breaking out now, on on two levels. One, it's either going to be like California, which is an opt in disclosure, with consumer rights, or law, like what's happening in Virginia, where it's all of the California law, but now carries a required opt in. And that's, that's a big difference.
Monique Ruiz 7:25
I was going to ask you about the sensitive personal information. But you've answered that as to what would fall under that. So let me skip ahead. You were talking about you know, we see those two main types of policies the opt in and opt out, do you believe that one is more restrictive than the other for a marketer? And why really two options anyways? I mean, is there a reason why some states actually chose that opt in when opt out originally with CCPA? Was that standard to begin with?
Al Gadbut 7:56
Well, it really, if you think about it, the opt in is following the European model of GDPR. And then GDPR supersedes or I shouldn't say super, it predates CCPA. And the feeling was that when when CCPA came out, which was the first major piece of legislation in the US, that it didn't go far enough, and that it should have mimicked what was going on in Europe, I think there's some value in opting in, you're providing additional rights to consumers. And is it right that you know, a consumer, if they go to their computer and pull up a search engine and look for the phone number to the local pizza place? You know, is it a fair exchange to get that phone number, but in exchange they're giving, they're giving up their age, their income, their how many children in the home, what they owe on their mortgage, whether they rent, what kind of car they drive, how their education is, you know, 3540 different pieces of information? Is that a fair exchange? A lot of people would argue that the answer is no. In this step towards getting disclosure, and the step towards opting in, is a we're moving towards more control for the consumer. And I think ultimately, that's not a bad thing. But it does impact us is as marketers, or as providers to the marketing ecosystem of information and data. We're gonna look back at this time, I believe and say, Oh, my God, I cannot believe all the information that was just sitting out there available for people to take advantage of. And it's really is kind of the wild wild west days of data. Some people would say it's the golden days of consumer data, but I wouldn't, I don't think so. There really is just there's no limits. And it's the amount of information that's out there is is crazy. The challenge today isn't how much data Can you can you attract and acquire within your overall database. The challenge is, you're awash in data. The challenge is being able to be smart with the data that you have, how to how to get through all of the mountain of data and find the gold nuggets that are in there that help you make better decisions with regard we're With regard to how you talk to your clients or your customers, and you look at some of the other solutions that are going on out there, and I know you wanted to talk a little bit about Google topics, and you know, there were things like, you know, Google had flocks before, which was, you know, birds of a feather flock together, but in flux is really standing for cohorts. And the idea was that you don't have to know everything about somebody, in order to sell them a golf club, you need to know a few things. And if you want to sell them a golf club, that you what you find is that people who buy a golf club, they tend to do a lot of other similar things. And what those are, I don't know, I'm not, I don't know, golf. But the idea is that if you look at people who do six things, similarly, you know, maybe they own a pet, maybe they own their own home, they drive a premium car, they have higher education, and these things can all be ascertained by the kinds of sites that you go to, and if in people who who do all of those things, they probably golf, there's a very high probability that they golf. And so therefore, this cohort of people, these are the people you know, across the entire internet, these are the people you want to make Golf Club offers to. Nice idea, I think that it was more marketing than than reality, because Google, again, sits on a mountain of information. And they weren't really disclosing exactly how they were doing it. And were they truly going away from cookies, and it wasn't clear. But this new idea of topics is a built in a capability within the Chrome browser, that now looks at sites that you go to and in supposedly judiciously picks out one or two words within the meta tags on the site that you go to, and hangs on to those, and then looks at, you know, a hierarchy or runs an algorithm against those meta tags that are captured from the site you go on to and then keeps a collection of three or four or five of those things, and builds a persona, a thin persona, about you that they feel as though is predictive. What that means to me, is Google's understanding that you don't need a mountain of information, it works to get a few pieces of information, if you're trying to sell a golf club, or whatever the thing is, you're trying to sell Google's understanding, they're under pressure to not carry all this information. companies who sell specific demographic information, they know a ton of stuff about you. And maybe that's not necessary, maybe that isn't as important to hold all of that information on you. I think that's personally I think that's a really good thing for clarity is because primary product that we sell being modeled consumers, segmented schemas, things like prism cycle connections, their personas that are amalgam of a variety of different inputs that build out a persona or a probability of what you may be, it may or may not be interesting, but it doesn't carry any specific information on somebody. So I think it positions Claritas really well into the future as compared to some of these other companies. And when you look at what companies like Google, to some extent, Facebook are beginning to do in terms of trying to move to a thinner set of data that they can use for targeting and finding that it can be as predictive or nearly as predictive, without being as invasive.
Monique Ruiz 13:31
And just to take a quick step back, if anybody listening isn't familiar with what Google topics is, I'll go ahead and link an article in the description box, Google did confirm that they're still planning to phase out cookies on Chrome by the end of 2024. So Google topics is one of their privacy sandbox tools that they're sort of testing ahead of that cookie deprecation. And that Clara toss, you've just mentioned it out. But we've always had solutions that didn't make us dependent on cookies. So that really wasn't a big concern to us. But I do actually want to ask you about identity graph technology. We've had conversations about identity graphs quite a few times, but it helps us connect that real world consumer data to their devices and digital behaviors, and it keeps privacy at its core, do these privacy laws reduce the efficacy of identity graphs at all? And are there any changes that have or will need to happen to the way in ID graph operates? Like how long data stored what data is stored? Even the way that they ingest data?
Al Gadbut 14:34
Yeah, that's a great question. The purpose the utility of a identity graph, is to be able to link a person or a persona or a device it does and these can all be separate things right? You can have a device it's not tied to a name and address. You don't know who that person is, but you know who that device is. And you know the behaviors associated with that device which can be predictive then it could be a persona, you know, that are looking at a device in a series are a series of devices that seem to be working together tied to the same user. You don't know who that is, but you now begin to build based on the series of devices, and maybe the kinds of of things they consume online, you begin to get an idea of what the likelihood is that that person might be interested in, in X, you know, some some widget, and you build out a persona of who that person is. And then there's specific information, like, I know that this is Monique rose, and I know what, what she does, I know where she lives, so on and so forth. So you've got three different levels of least of identity, most identity graphs, the purpose of them are to try to carry within a within a database structure of some sort, some type of linkage to the various places that somebody interacts online. So it's your mobile phone, it's your browser, it might be your email address, it might be the modems that you connect to the internet from both work and at home, maybe school, what have you, you have all of these various connecting points. So these are, these are more foundational kinds of things are not they're not, or infrastructure type of things, I should say, I think that's a better term. So you're looking at these various infrastructure components, as a way to, with higher confidence begin to say that this device, or this person, or this persona, is something that we can identify because it's come back over and over again. And then from there make decisions about what to market to them. When you look about a look at identity graph, in the context of these laws. These laws are really looking at personal information. In the case of CPRA, or the Virginia, Colorado, Connecticut type laws, sensitive personal information, the kinds of things that are being tracked, in most identity graphs, in terms of infrastructure piece, how to actually link these things together, don't qualify don't fall under sensitive personal information. They do you know, in the case of IP address, and email address, and things like that do fall under personal information. So it falls under laws like California CCPA. But currently, there's no law that requires opt in to carry things like email address or IP address. Now, under GDPR, in Europe, you do. And I think that that begins to get a little challenging, but you know, the things that we're tracking, don't fall under those laws, with exception of, of like I say, CCPA, where we have to disclose yes, we're we look at IP address, we'd look at email address, you know, we look at cell phones, cell phone number, cell phone ID, things of things of that nature, and be able to disclose that to the extent that we can. What's interesting is that if you come into a site, and you say, Well, what do you know about me? Well, we can only look at what we know about money group routes, we don't we can't say that what we know about the persona, or what we know of a device, you know, because those are two completely separate things that the device isn't asking us. And we don't know that the device, we don't know who's connected to that device. We don't know, if you can we tell you what we know about that device, it's probably not fair. It's one of the shortcomings, I believe, of CCPA and CPRA, where you have to provide reports, you're only getting the reports on the aspect of graph or identity that we know that we can tie to us specifically.
Monique Ruiz 18:31
I just have two more questions for you, Alan, one of them after hearing you talk. To me seems like it might not be as big of an issue as I originally thought. But I am interested to hear your thoughts. So there is that constant struggle of opposites when it comes to protecting consumer privacy versus reaching consumers with messaging that not only relevant to their wants, needs, but speaks to them as an individual, whether that's culturally and or lifestyle related. And with the privacy laws that are coming into effect or evolving. One use case that comes to mind would be reaching multicultural consumers with that messaging that in the appropriate language, for example, and if, if that falls under the SPI restrictions, you know, we've seen so many strides and being more inclusive with marketing as an industry at large but of course, there's still room for improvement. Does what's happening with privacy, potentially cause a step backwards?
Al Gadbut 19:32
Right? You know, I first of all, I would say no, okay, if there's laws that are coming about that say that that now recognize that your race, your ethnicity, your sexual orientation you know, some of these things, you know, your your biometric information your health ever. It's, it's that sensitive personal information, and rightfully so. I mean, I don't think there's anybody in their right mind who wouldn't think that that should be sensitive information and should be handled more carefully. Is it that important to know that you are Caucasian, Northern European, to to be able to sell you a car? You know, what we're seeing is the answer's no. If it gets down to the voice that you want to use, the technology is now there, you know, to be able to reach somebody with a with a standard offer and say, if you don't understand how we're talking to you then click here. And there's, you can see this in a browser and call it within the language preference that you that you speak or that you read, so that you can see what the offer is. And you can customize it from there. I think that if you have consumers who want to identify as African American or Hispanic or or Asian or Caucasian, what have you, if they if they specifically identify, there's nothing wrong with understanding that from a consumer. I also don't believe, I think as you've gathered from, from my comments, that a marketer needs to know everything there is to know about a person before they're selling them a golf club. So I think that these laws are ultimately good. Do they require the marketers to think a little bit more? Yeah. Are we going to have to wean marketers off of their desire to know everything about somebody before they market to them? Yeah. But that's part of our job. And it's part of their job. I think, ultimately, the consumer wins here. And I think that's a good thing.
Monique Ruiz 21:27
Yep. And there's nuances to everything.
Al Gadbut 21:29
It's about choice, right? It's it just let the consumer tell you, they'll tell you.
Monique Ruiz 21:33
Yeah, exactly. All right. So one more question for you. And I think this will be a nice kind of transition into my conversation with Theresa. But how does Clara toss prepare for each new privacy law? And how do we work with our partners to ensure that we're working with partners that are also compliant?
Al Gadbut 21:52
Right? So I mean, there's a number of things right, we have a group focus on these privacy laws, as they're as they're coming up, we work with people like Teresa, who helped us to understand what's happening in individual state houses. Beyond that we work within the industry, we've been participating in with what's called the industry working group, which is a group of data companies or analytic data analytics companies across the industry, there's probably 30 Various members. And it's pretty much a who's who of everybody in our overall ecosystem, are frenemies, if you will. And we meet on a regular basis to talk about these laws and how they're impacting what our interpretation of the law is, so that we can begin to react to the law. In the absence of feedback from the States, we get together and all of our chief privacy officer, our legal counsel, we talk with as an industry and trying to figure out in what's in the best interest of the consumer, how does, how can we make this work? And then we come together and set out a policy and then we floated back to the states and say, this is where we're, how we're interpreting, and this is what we're going to do. And I think that that's been pretty positive.
Monique Ruiz 23:04
Well, we'll have to keep an eye on things and see what happens. It keeps us employed. Exactly.
Al Gadbut 23:12
And I it'll be interesting to see, you know, maybe next year, before we get together again, on this topic, it'd be interesting to listen to listen to this podcast. Yeah, see what has changed going into next year? Because I would be, I'd be willing to bet you $1 that Google topics maybe no longer it's right. It's gonna they're gonna be on to something else, flashing the band. And we'll probably be much closer this time next year. To a to federal legislation,
Monique Ruiz 23:44
right. Yeah.
Al Gadbut 23:45
A lot more to talk about
Monique Ruiz 23:46
the next big thing to talk about. Thank you for joining me today and getting us up to speed on the sometimes confusing, but always evolving privacy landscape.
Al Gadbut 23:56
Yeah, well, thank you. There's been a real a real privilege to to kick off the year with you and always able to talk about a topic that I enjoy.
Monique Ruiz 24:05
We're gonna take a quick commercial break, but when we return, I'll be joined by the CEO and founder of blue sky privacy, so stick around. unrivaled accuracy, unmatched scale, privacy at its core, the Clara toss identity graph uses transformative technology and superior data science to connect your customers and prospects real world data to their devices and digital behavior with more accuracy and scale than anyone in the industry. To learn more, visit our website, www dot Clara toss.com. We're back from our commercial break and I'm now joined by Theresa truster. Fox, CEO and founder of blue sky privacy. Theresa Welcome to the marketing Insider.
Teresa Troester-Falk 25:00
Thank you. Good to be here.
Monique Ruiz 25:02
Well, we're happy to have you. So tell us a little bit about yourself. We're not often lucky enough to have the CEO of a company join us on the podcast. So I'd love to hear about your journey to get to where you are today.
Teresa Troester-Falk 25:14
Sure, well, first, I have been in this interesting world of privacy and data protection law for over 20 years, I'm a lawyer by profession, and kind of fell into this space in the early 2000s. working for a company called double click, and many who are listening, probably remember double click, but those were the days when privacy was kind of first being talked about outside of the regulated areas like health and finance, it was like, What are they doing? They're these things called banner ads. And there might be combining data with our activities offline. Oh, no, you know, all these, these practices that have become very common. So that's what I started in privacy law, I worked in house for large companies. For many years, I lead global privacy strategy for privacy software company. And three years ago, I started blue sky privacy and pulled together a team of privacy experts around the world, and to offer what I saw what was missing in this space, which was a company that could help businesses operationally comply with privacy laws. So there's a lot of privacy laws. Now. There's a lot of law firms and consultants that provide sort of high level lawyering type advice, but when it comes down to Okay, that's, that's what we know we have to do. But how do we do it? That's the role of blue sky privacy plays. So we like to think of ourselves as a more effective and efficient and complete approach to privacy compliance, because we're really focused on the operations what what do you have to do to comply? And and what do you have to show for those efforts?
Monique Ruiz 27:02
Right? Can you go into that a little bit more about how companies work with you guys? Like what are some of those challenges that they come to you to help them solve or navigate?
Teresa Troester-Falk 27:13
Sure, let's play something really practical. So almost all privacy laws, and many of them is state laws, all of them include individual rights, my right to access information that you have about me, a right to ask you to delete that information. Um, so let's just talk about access, if an individual were to make an access request to your company, sounds simple enough, you can create sort of the front end platform, go to my website, make a request here. But where does that request go? Who manages it? What data do we have on that? Can you know? Do you even know where it is? If we do, how do we pull it? How do we present it to the consumer? We've got to make sure we don't provide any confidential information? Who's responsible for all of that? How do we document it? How do we make we make sure that we stay in the timelines? That's one example of frankly, hundreds, but you know, several dozen that are really important requirements. And so that really detailed kind of work stream and workflow. And building helping the company build internally a process would be an example. So it's easy enough to develop a policy. But then how do we develop the operations around?
Monique Ruiz 28:30
Right, exactly. Okay, that makes sense. I've had out on the podcast for a few years now talking about this very topic. But what I still can't seem to wrap my head around is Was there some sort of catalyst that caused the surge in the privacy laws that we've seen over the past, you know, five years? Or does it just seem like we're seeing more put into law?
Teresa Troester-Falk 28:51
I don't think it's any one thing. And I think it's important to remember that the US has had a large focus on privacy. But we've done it sector by sector. We haven't had an omnibus Privacy Bill or the you know, the looming federal bill that governs all areas of privacy, we've said we care about a lot about health data and financial data in these areas where we can really identify risk. And that was our approach. So what were the factors that said, We've got to go beyond that approach? Well, there was the GDPR. And I was amazed, like, how many people who have regular jobs at large companies have heard about the GDPR because their company went through a massive compliance effort. There was the failure of Safe Harbor, which became the Privacy Shield, which was a way to transfer data from Europe to the US. So that sort of fell apart. There was all this pressure, wait, we need to get serious about this in the US and then California said we're not going to wait. We're going to start and so really can't California became the catalyst for, you know, many other states to take the matter in their own hands and not wait for a federal bill. So the GDPR, transatlantic issues, consumer advocates just more and more consumer awareness around privacy and information that companies are collecting about us and all congealed into this perfect, beautiful storm, to take our, you know, consumer privacy to the next level and really important ways.
Monique Ruiz 30:31
Yeah, there's something else that I'm a little confused on. It's just where do these rules and regulations start, who's putting forth the idea that consumers need more control over their data, and is the one or ones to actively push for laws to be put into place to turn that idea of consumer control over data into an actual reality?
Teresa Troester-Falk 30:52
Others may have different views, but it's not any one. One source, so you have kind of random things, if you will, if you look at how the California initiative started, it was one individual and listeners probably have heard this story or told many times about Alastair MacTaggart, he was one individual who said, Enough, I want to use the ballot measure initiative in California to get the whole ball rolling. There's some really strong and important consumer advocate groups who've been involved in this space for years Epic is one of them, who continually present reports and information to legislators. And so it can come from a lot of different sources. And I think that's interesting now is that in the past, my impression, is that it has mostly come from like consumer advocates and dividuals. industry hasn't so much been on board. It's been saying, Look, we're doing a pretty good job self regulating, we've got regulation and the important areas. But now we see an industry say, Okay, we got to figure this out. I know
Monique Ruiz 31:58
when laws are passed, are in the process of being passed data providers in the industry, like how we'll get involved in privacy experts, like yourself will get involved get together to discuss, you know, how do we interpret the law. But can you explain a little bit about the process for deciding what the pros and cons of proposed legislation are before they get to that point of being passed as law? How is the impact determined before there's that legal ramification for not following whatever the legislation is?
Teresa Troester-Falk 32:31
You think that can go a few different ways. But once a bill is introduced, it will involve, you know, a draft bill being presented, and then an opportunity for comment. It's there are a number of touch points at which interested individuals, industry experts, industry groups, can get involved and submit their concerns, their comments about you know, and all of that is weighed by the legislators, either the bill will die, or it will take into consideration all of that and say, Here's we, we've heard it all, we've assessed it. And this is what we are coming up
Monique Ruiz 33:08
with, that's comforting to know. So I did ask al the same question, but I'm just curious if your response will mirror his or if you have a different opinion, will we ever see a federal standard for privacy? Or will it continue to be up to individual states?
Teresa Troester-Falk 33:25
What do they all say?
Monique Ruiz 33:28
He thinks that there will be a federal standard at some point.
Teresa Troester-Falk 33:33
Okay, well, I'm going to vote no. I just think this is the elusive crystal ball. Right. Everybody is, you know, wondering about this. I boy, there are people who know way more about the legislative process than I who are hopeful. But I guess where I ended up on this is it doesn't matter. I really don't think it matters. If we look at breach laws, right? We do not have a federal breach. We have 50 state breach laws. And companies have figured it out. We do have a federal health law, HIPAA, but it leaves it open for the states to do more. It's a floor, not a ceiling. So, you know, we've had these hybrid approaches. And as much as it would be nice to have one law. Really, companies have been able to figure it out.
Monique Ruiz 34:26
Yeah, I didn't think of it that way with, you know, other areas of society where we don't have a federal standard, but that yeah, that makes sense. So well, I guess we'll have to see what happens. So none of us know the answer for sure. But it's interesting to get, you know, different perspectives on it.
Teresa Troester-Falk 34:42
Yeah, I'm gonna put a little money on that.
Monique Ruiz 34:47
So as we kind of wrap start to wrap up our conversation, I want to leave our listeners with some advice or action steps to take. So if a company has yet to properly prepare for the laws that went into effect on On January 1, or if they're not sure if they're compliant, have some questions, what would be your recommendations?
Teresa Troester-Falk 35:07
Okay, my recommendation is start addressing your gaps right away. So a lot of organizations, once they've heard about a law and just haven't paid much attention to it, or they're not sure they're compliant will spend a lot of time money and resource on an assessment. And unless you're, you know, super large company that needs to show that for, you know, reporting purposes. After all these years, I don't want to sound cynical, and I don't want to talk myself out of business, I'd say don't spend your time any resource on an assessment, to just report to you what you already know, if you have gaps, start if you know, you have gaps, and you have done nothing, start with the most important things first, and get those done before you create any more workstreams. And I would say those tend to be especially if you're you know, company that deals with consumers, all of the outward facing requirements. So your privacy notice, get to that right away, that's the piece that is available to the public. That's the piece that has to be right where you need your disclosures, you need to tell people, so make sure your privacy notice is up to date and addresses the requirements of the laws. If you're a company, again, that you know, has touchpoint with consumers, your individual rights, you know, would be the next area to address. And then actually, the most important thing, if you if you are doing sort of a risk assessment is to look at, you know, where's the most enforcement and it's 100% going to be California. In addition, there's a private right of action under the California law limited to breaches. So make sure your security that's the other area that often is not talked about as much along with privacy. But that's the one area that there's a private right of action associated with so start, you know, your security 100% Get that dialed in, right. Privacy to privacy notices your individual rights, those are great places to start and give a nod to like what are the regulators interested in? I mean, this the California State Ag just did a sweep on loyalty companies, for instance, that's an area that they really care about, and the financial incentives. So if you're in that space, you know, look and pay attention to what the AG is interested in.
Monique Ruiz 37:24
Tips. All right. What is the next big news in the world of privacy that marketers need to keep in the back of their mind? What effect will it have on their go to market processes? And how can they begin preparing now?
Teresa Troester-Falk 37:37
Well, it's just going to be more and more of the same. Right. So a Consumer Privacy Bill passed in the New Jersey Senate, there was a children's privacy bill passed in Virginia, new consumer privacy bills filed in New York, Rhode Island, Tennessee, Texas, Washington, new children's privacy bills in New Mexico. And so my passion in this space to supporting companies, it's is to say you cannot address all of these laws law, by law, by law, by law, well, if that's your approach, you will be worn out, you can't stay on top or ahead of it. So we are huge promoters putting in place a privacy compliance infrastructure. All the laws are foundationally based on either global OECD principles, privacy principles, the US Fair Information Privacy prison, they all more or less look the same. Yes, there are some differences. But if you get you know, 70% of it, right? You are in good stead for compliance with any new law. And yes, there will be some, you know, one offs and outlier issues that you need to address with but really look at putting in place an infrastructure that you can report on that you have evidence around, and you won't be panicked every time there's a new.
Monique Ruiz 39:01
Well, I think you've given our listeners a good amount of information to chew on including some education a list of steps to take action on and a future to do plan. But before I let you go, Teresa, please do let everyone know, where can they go to connect with you and blue sky privacy and feel free to share anything else new and exciting in your world that you you want to have a chance to plug?
Teresa Troester-Falk 39:25
Yes, if you're looking to learn more about us or reach out to us. Our website is fairly straightforward blue sky privacy.com. And we offer free 15 minute consultations. So blue sky privacy.com is where to find us.
Monique Ruiz 39:43
Perfect. And as always, we'll add some links in our description box to whatever we can. So check that out. And once again, Teresa, thank you for joining me on the marketing Insider. It was my pleasure. In addition to thanking today's guests of the podcast, I want to of course thank Those of you listening at home or on the go. If you've not already, please take a moment to follow the marketing insider so you never miss an episode. Rate us five stars on your podcast app of choice, our favorite being Spotify, and share us with a friend or colleague so we can keep the conversation going. And with that, we'll see you next time with a brand new episode. Bye now