On this week of Serious Privacy, Paul Breitbarth of Catawiki and Dr. K Royal of Crawford & Company host Alan Chapell of Chapell and Associates. Alan serves as outside counsel and chief privacy officer to digital media companies, and since 2003, has advised well over two hundred different companies. He has his own consultancy, his own newsletter, the Chapell Report, and is also making some funky music - on . Spotify. Join us as we dive into cookies, ads, google analytics, and more.
If you have comments or questions, find us on LinkedIn and IG @seriousprivacy @podcastprivacy @euroPaulB @heartofprivacy and email podcast@seriousprivacy.eu. Rate and Review us!
Proudly sponsored by TrustArc. Learn more about NymityAI at https://trustarc.com/nymityai-beta/
#heartofprivacy #europaulb #seriousprivacy #privacy #dataprotection #cybersecuritylaw #CPO #DPO #CISO
On this week of Serious Privacy, Paul Breitbarth of Catawiki and Dr. K Royal of Crawford & Company host Alan Chapell of Chapell and Associates. Alan serves as outside counsel and chief privacy officer to digital media companies, and since 2003, has advised well over two hundred different companies. He has his own consultancy, his own newsletter, the Chapell Report, and is also making some funky music - on . Spotify. Join us as we dive into cookies, ads, google analytics, and more.
If you have comments or questions, find us on LinkedIn and IG @seriousprivacy @podcastprivacy @euroPaulB @heartofprivacy and email podcast@seriousprivacy.eu. Rate and Review us!
Proudly sponsored by TrustArc. Learn more about NymityAI at https://trustarc.com/nymityai-beta/
#heartofprivacy #europaulb #seriousprivacy #privacy #dataprotection #cybersecuritylaw #CPO #DPO #CISO
Please note that this is largely an automated transcript. For accuracy, listen to the audio.
[00:00:11] Paul Breitbarth: This week, we dive into the wonderful world of privacy and data protection with Alan Chapell. Alan serves as outside counsel and chief privacy officer to digital media companies, and since 2003, he has advised well over 200 different companies. He has his own consultancy, Chapell and Associates, his own newsletter, The Chapell Report, and is also making some funky music.
You'll find a link to his Spotify in the show notes. Apart from his consultancy and musical work, Alan is also chairman of the board and long term board member at the U. S. Network Advertising Initiative. So we look forward to speak to him today about online advertising, but also everything that separates Europe and America.
My name is Paul Breitbarth
[00:00:52] K Royal: And I'm K Royal and welcome to Serious Privacy. So Alan, thank you so much for joining. We really appreciate it. As we were talking about scheduling this event, I know that we recommended going and listening to some podcasts if you weren't already a fan, and I'm sure you were already a raving fan. But, That means, you know, the unexpected question is coming, right?
[00:01:14] Alan Chapell: That's what keeps it fun. So thanks for having me on.
[00:01:18] K Royal: Let's, see. Ooh. What day in your life would you like to relive?
[00:01:26] Alan Chapell: Wow.
[00:01:28] K Royal: Would you prefer to live it or live?
[00:01:30] Alan Chapell: So Well, I'll tell you this. So I was in college, and my band was invited to play a concert with a band called 10, 000 Maniacs. We had 8, 000 people in the crowd. It went over really, really well, and it was an absolute highlight for me. So that's what came to mind, and that was a pretty fun day, on
[00:01:56] K Royal: I bet. I bet. Oh my God. That sounds amazing. Paul, top that one.
[00:02:02] Paul Breitbarth: No, I can't. I'm thinking school plays and things like that. But I'm not sure whether it is a specific day, but I would probably go back to my university exchange here in Bordeaux, France just to relive one of those days and, and, you know, Be an exchange student again because that was a really great year good people around but there are also so many memories from those days already, already gone I won't comment whether that had anything to do with alcohol or not
[00:02:32] K Royal: I won't ask the question if you don't answer it. Okay. For me, gosh, there's so many going around in my head.
I would have to say, you know what? There's so many going around in my head, but I'm going to say the day that I married Tim. We've been married for a little over 22 years now. He's my third husband.
I think I'll keep him around for a little bit, but it wasn't just that. It was the fact that it was one week before law school. We went to Vegas and get married cause we were looking for somewhere that was fun and nearby and not too expensive. We had family that tuned in online, listened to us. that went with their in person cracking jokes about rednecks.
We're hoping the family online didn't hear them. my daughters were at it, and there is this wonderful picture we have, and I'll post it on LinkedIn when I post it, that when the minister had us turn and face each other, Both girls took one step out and leaned over to see the picture. It's, it's fabulous.
And then none of the friends that went with us took the kids for the honeymoon night. So, I mean, all across the board, it was just such a wonderful day.
And apparently Tim says I was late because they sit in the limo to pick you up when they want you. And they were running four hours behind. So he was there at the chapel waiting on me.
And to this day he accuses me of being late to my own wedding. argument for that one. Well, thank you for one thing.
[00:03:52] Alan Chapell: my wife is now going to want to have a word with me after she listens to this.
[00:03:56] K Royal: Well, mine was everything around the wedding too, not just the wedding. So yeah. Tell her you didn't have two daughters that stepped out and did the thing, right?
I'm trying, Alan. I'm trying. It's not working. Well, let's dive into originally. I mean, you have a fabulous background. How did you get into privacy?
[00:04:16] Alan Chapell: So, there's a couple of events in one's life where something happens and it really just. A wedding opening up for a great band a day in Bordeaux, drinking what I can only assume is fantastic.
[00:04:31] K Royal: Yeah.
[00:04:32] Alan Chapell: so for me, the thing that, that really perked the back of my brain I was working at a direct marketing company in Stanford, Connecticut in the mid nineties, and we had gotten a project from a very big bank. where they wanted to do like what they used to call a mail merge type of a program when they wanted to send a letter to their best customers. Okay. So the bank sends over to our little direct marketing shop, a list of their customers on magnetic tape, because this is way pre internet. Now they didn't just send, all they needed to send was the names, the address.
Dresses, maybe the telephone numbers. Well, we got that, but we also got bank account balance,
[00:05:11] K Royal: Oh, my
[00:05:12] Alan Chapell: account number, social security number, every single thing that the bank knew about their most wealthy customers in Westchester and Fairfield counties.
[00:05:22] K Royal: still
[00:05:22] Alan Chapell: We got,
I am sure it is still sitting in the basement of this direct marketing company somewhere.
By the way, no password protection, no, like, no, you know, mechanism if it fell off the truck. And, and that moment, as I, as I looked through that, I thought, wait a minute, this can't be. Be right. There's got to be a law. Yeah, there's got to be a law that would stop this. Well, turns out there wasn't. There really wasn't even a law that would require the notification of a breach in in the U.
S. At least until what? 10 years later. And, and that really got me thinking. And, and, you know, at the time I, I was sort of juggling a music career with working at this direct marketing company. Eventually I went to law school and studied human rights law and European union law. And then eventually saw an opportunity in privacy because I, I, I was working in the email space and saw the can spam law.
[00:06:24] K Royal: Yeah.
[00:06:25] Alan Chapell: And, and all the fear, uncertainty and doubt, not just around can spam, but the California law, it all goes back to California folks,
[00:06:33] K Royal: back to California.
[00:06:34] Alan Chapell: the California law, because it was opt in. And, you know we United States folks look at opt in rather suspiciously. And the business community was freaking out. It was ultimately preempted by canned spam, but that at that point I said, well, there is really an opportunity here and I put out my shingle as a canned spam lawyer which, which was sort of naive.
[00:06:56] K Royal: When was this? Set us in the timing.
Okay, I graduated law school in 2004. Okay.
[00:07:04] Alan Chapell: Yeah. Yeah. So, so we were just about the same time. I graduated a couple of years earlier but we were in a little bit of a meltdown period for, for, for at least the digital media component of things in the early 2000s. I treaded water after law school because none of the law firms were hiring.
Nobody wanted me. So I, I did sales for a couple of years and then, and I was selling email marketing services and saw that all that crazy fear, uncertainty, and doubt around can't spam and the California law. And I, it was probably a little naive at first to put out your shingle around can't spam. But what I did realize pretty quickly was that this was a much, It was a symptom of a much larger set of business challenges.
And so that's when Chappelle and Associates was was founded. So it's been 20 years, took a while to get my first customer. But but eventually, you know, managed to, you know, managed to build a, a nice a nice little book of business.
[00:08:00] K Royal: Now you probably have too many that need your services.
[00:08:04] Alan Chapell: There does seem to be no shortage of companies who are looking for for guidance. You know, for better or worse, the U. S. has been governed by self regulatory codes up until fairly recently. And that's where the any I think comes in. But, but, but increasingly now with all these state laws and you've got platform policies, there's just so much going on right now that it's really difficult, you know you know, my, my core customer used to be, you know, venture company venture capital funded ad tech and MarTech companies, and, and I still work with a bunch of those, but now the, you know, the Coca Cola's of the world need to understand this digital advertising space.
And and because partly to mitigate risk, but also partly to, you know, how do we do a better job than Pepsi's do it? How do we use the data, the, the exhaust from, from our activities and how do we use that to drive, to drive value or to drive relevance or to bring down costs or, or what, what have you. So boy, every time I think the space can't get any bigger, I, I, I hold my breath and, and then it seems to, seems to double.
Yeah, well, and now, now there's an AI component to everything. And so
[00:09:14] Paul Breitbarth: Absolutely. So have you always considered that you wanted to be out there on your own or have you also been tempted to go in house and be part of the bigger family in a bigger company?
[00:09:28] Alan Chapell: it's a great question. So for me, I didn't really have a choice initially. Like I said, I worked full time during law school. I went at night in Fordham and worked full time. So that, and the reason I did that is I, it was very important. to me that whatever I decided to do is not going to be dictated by how much money I needed to make.
And if you end up with 100 or 200 grand and in law school costs then that'd sort of make some decisions for you. And so, but by working full time, I thought, well, I'll just be this like an internet lawyer in some way. But what ended up happening is I got out of law school in December of 2000, just as the digital media world had effectively burned to the ground.
[00:10:11] K Royal: That's when I went to law school because I was working as an international market analyst for a fabulous semiconductor company working on gen 2 Cellphones and the market crashed and so I was like, you know what? Maybe law school doesn't sound so bad after all
[00:10:26] Alan Chapell: that was a great choice and, and, and timed well, my, my timing wasn't great. And so when I got out of law school, I must've reached out to 200 different New York City law firms and nobody was hiring. So I went and did sales for a little bit. And then when, when I went out on my own, I just, I just thought, well, let's just try this.
Let's see what happens. Let's see if you can build a, you know, build a platform and, and people like Trevor Hughes, who everybody knows from the IAPP were really, really helpful to me in a whole bunch of ways and help me, help me build that platform. So to answer your question, I, I, once I Have the opportunity to be out on my own and making my own decisions The idea of going in house just didn't seem nearly as fun and interesting to me Not to say that there aren't great challenges and and rewards to being in house but for me I I love that.
I get to deal with a whole bunch of different challenges every day and then and and I can do it on my own remotely. We, we travel, you know, my wife and I spend half our time in New York and half our time in the Bay area. And we'll be in, heck, we'll be in Italy next week or the week after next. And I can work from there.
Sometimes you don't have that level of flexibility in house. And so for me as a, as a still touring musician, it's just great to be able to to be able to have that level of flexibility.
[00:11:50] Paul Breitbarth: So how do you get into the nitty gritty of a company? I've been in house data protection counsel now for just over two years. Before that I was mainly on the outside, not even as a consultant, but just as somebody telling others what perfection would look like. And now for the past two years, I actually need to do my work in house for one company, but I also realized that it was,
well, it's that, but it's also pretty hard to find out every single thing that is going on in the organization to be able to give them advice and I'm in house, I'm there.
Twice a week in the office the other days online, I regularly meet with all the relevant teams. And even then it's hard to stay up to date on what is happening across the organization.
[00:12:35] K Royal: it is.
[00:12:36] Paul Breitbarth: How do you do that as an outsider?
[00:12:39] Alan Chapell: It's a huge challenge. It's something that I, I still grapple with the, the, there's a couple of things that, that make it a little bit more manageable for me. I generally deal with a defined industry that I've now been part of for two decades where I sort of know the players. And so I, I also. I'm a sole practitioner, so I work with people who I like and who pay their bills on time and who I don't have to take a shower when I leave their offices.
And that's really, really important to
[00:13:10] K Royal: That's a great baseline criteria. I like it. I shook their hand. It didn't feel like I needed to sanitize
[00:13:17] Alan Chapell: Yeah. You, you don't all of a sudden start smelling sulfur or whatever.
so for me I, I've gotten pretty good over the years to know if A CTO is BS-ing me. I'm not going to say that my, you know, I, I like to think of myself as my cousin Vinny, where, where there's a certain skill set to knowing if somebody is not being completely forthright.
And, and since I see the same type of data flows, consistently over, well, a number of decades, my, my ability to, to know if things are on the up and up while not perfect. And certainly an area that I still struggle with. For me, that makes it a little bit, a little bit easier.
[00:13:58] K Royal: Nice.
I do know that in house it is, it is quite challenging to stay up. And I tell people, you know, when you're trusted by your colleagues in house, when you get Teams messages or Slack messages that says, Hey, you need to come to room 302 and you walk in and nobody is surprised that you're there, even though you weren't invited.
That's when
[00:14:19] Paul Breitbarth: that's a good thing.
[00:14:21] K Royal: Absolutely. Are people just stopping by your desk and say, Hey, can I pick your brain for a minute?
well, and so many things you overhear, they talk about losing that water cooler conversation over the COVID years because everything is now before COVID BC and after COVID. Totally different meaning now to BC and AC, but they talk about losing those water cooler conversations of getting to know people.
It's not just that it's hearing things as you walk past a meeting room or the executives are walking past, you know, where you're standing or your office or whatever I hear and been like, Oh, Wait, we're doing what? Oh, let's talk about that kind of thing. But it is really hard to get the right people in the company to talk to.
Yeah, it's, it's, it's constantly
[00:15:09] Alan Chapell: The, the other thing that is somewhat helpful, not entirely because, but, but for the, for the smallish companies that I'm dealing with, oftentimes there's really only three to five people in the whole company that really know what's going on. And so you, you kind of have to make friends with those people or at least convince them that you're the real deal. And
[00:15:32] K Royal: personified. They can talk to you and you're actually there to help. Yeah.
[00:15:36] Alan Chapell: Yeah. And, and that's still a challenge.
[00:15:38] K Royal: I, I agree with that.
[00:15:39] Alan Chapell: and, and you can suss out really quickly that, okay and not to pick on any job function, but you know, that the CEO is fully on board. The CTO is not.
The head of product is sort of on board. And so you need to figure out some of the politics around that. And that can be, that can certainly be challenging.
[00:15:57] K Royal: And that's critical for anyone, especially someone in a compliance related role where you're trying to get people to abide by laws they don't necessarily want to abide by is to figure out who your supporters and detractors are and what kind of influence level those supporters and detractors have. So I think that is critical, but let's actually dive in into the nitty gritty of advertising.
So I'm not going to ask you a nitty gritty question. What's the biggest thing on your mind. What's the biggest challenge that you're seeing? Because Paul and I probably have our own ideas of the biggest challenges and issues that we're seeing, but I'd like to hear it from your perspective.
[00:16:33] Alan Chapell: Well the first is that addressability seems to be going away. So some of it is the deprecation of the third party cookie. Mobile ad IDs seem to be being deprecated. So the question is, is like, you know, you've built an industry mostly on the back of being able to say with some level of confidence that, that, that that, that you're able to measure.
That you're able to target, that you have some level of accountability that hadn't really existed in other forms of media, you know, previous to the last 20 years. So that, that in and of itself is a, is a huge challenge.
[00:17:11] K Royal: right,
[00:17:12] Alan Chapell: I, I think that then, then there's the second set of challenges, which is, you know, The, the definition of personal data or personal information because, I recognize that regulators and, and lawmakers, their primary focus is to make sure that everything is covered under the scope of their law, but by defining personal data.
So broadly, you're creating a downstream impact on the marketplace. There, there was a time in privacy circles where de identification was a well recognized and well worn privacy enhancing technology or technique. And, but, but, and it works in HIPAA. I mean, you've now got, decade and a half of experience, at least under HIPAA, where, okay, if you do this to the dataset and you promise not to re identify, you can do almost whatever you want and you can derive some value from the dataset.
Okay. Well, what if There's a such an overlap between the definition of de identified and the definition of personal data so that you have a bit of a Schrodinger's cat issue where a data set can be simultaneously de identified and personal data. So, Is it subject to the rule set or is it not? And that's one of the things that we're all kind of grappling with.
Interestingly, in, in, in my opinion, the, the European Union seems to be backing away a little bit from the definition of, of a overly broad definition of personal data. If you look at some of the, the general court decisions, well, well, but they're focusing on identifiability. Where we're in the U. S.
The focus seems to be more on linkage to a device and identifiability. When the linkage to a device component of of the definition really renders almost any data set personal information.
[00:19:09] Paul Breitbarth: Yeah,
I don't think that the Linking to a device has ended up before the highest courts in Europe so far. You are right that if you look at The reasonably likely criterion to re identify information there. The court has taken a slight step back while at the same time also becoming more critical for example if you Look at profiling also pushing some of the the responsibilities a bit further down the line, more towards basically the data processor instead of the data controller, that is the Shufa case that we discussed a couple of weeks ago in our profiling episode.
But it is, it, I think in part what you describe the Schrodinger SCAT issue with the identification is true, but that's also because, because our technology has become. So much more powerful to help with the re identification and data sets have become so much bigger so that it is easier to, to match what, what is out there.
I think that also plays a major role in, in the shift that you, that you describe.
[00:20:15] K Royal: Yeah. And here in the U. S., they're starting to, in these 15 state laws that we have now they're starting to require policies and procedures around de identification. That you have written processes that you don't keep a linkable form of the data that you do this, that you do that. And trying to explain to companies that are handling your data and they're like, well, we're not going to retain your data.
We de identify it. It's aggregated. Therefore by default, it's not personal data. Like, well, let me see your policies and your processes around de identification and aggregation. That way I can tell that you're following the U. S. laws that specifically require these policies to be in place and the EU concept that requires the process to be in place.
And they're like, oh, well, I'm sorry, under the law it's not de identified unless you have these written protocols.
And they're sitting there going, Oh, like, I'm sorry, under the law, that's what it says. I mean, I'm sorry. They also told me they, they only believe DPAs are for Europe. And I'm like,
[00:21:18] Paul Breitbarth: you mean there is a law? Yeah. I'm like, you want me to pull it out of the DPA and drop it into the body of the contract? That way it's still not a DPA for the U. S. But here's a note people, if you don't realize you need a DPA for U. S. data or for countries outside Europe, you need a DPA. Sorry, there are specific rules you gotta follow and contracts that need to be in place.
[00:21:41] K Royal: But there's one of them. But speaking of processors then and contracts, so give us your opinion on the whole Google Analytics, what is it, G, G4 they're doing now or something? Is that working? Is it not working? Is it useful? Is it not useful?
[00:21:55] Alan Chapell: I, you know, it's funny because I'm, I'm, I'm find myself often being really critical of Google when it comes to the digital advertising space. And I think there's, there's certainly a, a discussion to be had around the, the deprecation of third party cookies and the privacy sandbox tools, particularly, you know, given that we're all pretty clear that Google's footprint post third party cookie is going to remain at like 98
percent of what it was. That said, I, I kind of feel for them here because they can't win for trying, particularly, particularly in the, you know, in the, you know when you have a regular saying that, you know, well, if, if, if an IP address is, is being transferred, then then for all intents and purposes, you know, you, it's, it's either illegal or you need to go through a hundred different steps.
So as to perhaps not. Be distinguishing an IP address from a credit card number or a government ID. To me, I, I just don't think that makes sense.
[00:22:58] Paul Breitbarth: Yeah, I do agree with that to a, to a large extent. I think our data protection authorities and with our, I mean, the European data protection authorities, should do a better job in explaining why they make such an issue on certain data types like an IP address, which may not be the most intrusive piece of personal data, especially if it's if it's not the full IP address, but only part of it,
and explain why it is this is their biggest focus for so many years already.
Also bearing in mind that we still do want to advocate the free flow of personal data and that most data protection authorities are not in favor of full data localization and also understand that that doesn't work in a digital globalized economy that we have today.
but their actions and their words do not always match.
[00:23:52] Alan Chapell: Well, but, but in fairness to EU regulators, I mean, their job effectively is to be the conscience of of the, the European legal Like, they're the ones it's their job to say, Hey, this is a problem. And if anything, their job is to be a more draconian to have a higher bar. Most regulators need to operate that way.
The problem for. EU data that the supervisor authorities is that they were handed a little bit of a, of a bad ham sandwich when it comes to GDPR and the interplay between the privacy directive. GDPR is a brilliantly crafted document. All kudos in the world. Unfortunately, the interplay between the GDPR and the e privacy directive has created just an odd enforcement scenario where regulators are wary of going after local publishers for placement of cookies.
For whatever reason, that seems to be the case. I mean, they're really mostly talking about, you know, compliance sweeps or, or, or what have you. It's not because they don't care about it. It's just that they reckon they don't, well, they just don't want to go after their local publishers. They'll be happily go after Google or Meta or Yahoo as a publisher.
But, but historically the number of e privacy compliance efforts or enforcement efforts is, is certainly not high when it comes to European punishments.
[00:25:20] K Royal: knowledge cause they're not always public about them.
[00:25:24] Alan Chapell: That, that's fair. That, that's fair.
[00:25:26] Paul Breitbarth: Also true and the the privacy issue is still with our member states The privacy issue is still with the member states with the countries that refuse to adopt a new e privacy law because Of the lobby of the publishers and the advertising companies
[00:25:42] Alan Chapell: and, and that's fair, but that's, that's not on the regulators, that's on the politicians, have, have for whatever reason decided not to do that, and it's made, it's, it's sort of made well, it's made compliance challenging. It's, it's made it difficult to say what's the right thing and it's forced regulators into what I would argue or I would characterize as bizarre legal arguments like that, you know, the DCF string that doesn't have an IP address is personal data.
[00:26:14] K Royal: some of those bizarre characterizations. That
[00:26:17] Paul Breitbarth: We did and it and it would be nice if also on those points we would just get some You more guidance, not just saying you cannot do this, but here is how you could do certain things. And that is the part that is,
[00:26:31] K Royal: is, what would
[00:26:32] Paul Breitbarth: yeah. And that is the part that I think is still missing.
[00:26:35] Alan Chapell: well, also This is sort of like my, my definition of personal information, perhaps being too broad. If you're going to say that a contextual ad requires a consent, you are effectively telling the marketplace, well, why bother doing a contextual ad? You might as well, you know, gin up and get as much data as you can and do as much targeting as you can, because if you need a consent for anything, you might as well get as much data as you can.
[00:27:05] K Royal: It's a good way. Well, not, maybe not a good way, but an understandable way of responding to that. If you have to get consent, get what data you can. But on the other hand, get what data you think is useful for the purpose and all that good stuff. A lot of arguments to make over there. So what do you recommend then for companies in this crazy cookie, no cookie, targeted profiling, opting out of everything global privacy control on your browsers?
What, what's, what's your recommendations?
[00:27:33] Alan Chapell: Well, my recommendation is that you, you need to really understand your data flows. And I know that sounds like, you know, privacy one on one stuff.
[00:27:42] K Royal: It is, But I don't think most people are hearing it, but,
[00:27:46] Alan Chapell: Yeah,
[00:27:48] K Royal: say it louder for those in the back.
[00:27:49] Alan Chapell: it, it's still a, it's still a core challenge for, for a number of different companies because, and then, and then the second thing is that.
Partners again, another privacy one on one thing, but boy, I'm on calls. And what happens particularly in the digital media space is there's new, some new fangled thing that comes on the market and, and, and everybody can come up with a justification for why the privacy rules don't apply. The current one is clean rooms.
There's this notion that. That you put all of this incredibly sensitive data into, into a clean room. And then there's an output of a synthetic ID or something like that. And, and, and some will argue that, well, because you're using this clean room, then, then you don't have to worry so much about about the privacy rule set and, and look, I'm.
[00:28:38] K Royal: that being in the law.
[00:28:39] Alan Chapell: Well, and I'm not hating on clean rooms. I mean, there's something to be said for using them as a as a pet. But, but the notion that, you know, doing X or Y removes you entirely from the privacy rule set should be a sentiment that is viewed with some skepticism that unfortunately, at least on the business side within digital media is often applauded and not evaluated.
[00:29:04] K Royal: right.
[00:29:06] Paul Breitbarth: Fully, fully true indeed. Oh no, but here you don't process personal data. Yes, you are, because you are actually putting it somewhere to safeguard and you are doing things with it. So you are doing things to
[00:29:18] K Royal: it.
[00:29:19] Paul Breitbarth: you use it. So that means that the law applies.
[00:29:22] K Royal: Even before GDPR that passed, I mean, Paul, correct me on this, but even before GDPR passed, Spain had a decision under Directive 95 that even anonymizing the data qualifies as processing the data because you're doing something to it. You can't just anonymize it and assume you can keep it. You're processing it.
Your clients still have to give you permission to anonymize the data. I've carried that sentiment through all of it. Cause I mean, people don't understand that doing anything with or
[00:29:52] Paul Breitbarth: No.
[00:29:53] K Royal: from the data is processing it.
[00:29:55] Paul Breitbarth: Sometimes the law is just written to more, too much difficult in, in, in, in too much difficult way, because basically what the law should say, processing personal data is everything you do with a data set from the moment you get the data until and including you getting rid of it.
[00:30:12] K Royal: Deleting data is processing it because you're doing
[00:30:15] Paul Breitbarth: Yes.
[00:30:15] K Royal: to the data, but okay.
[00:30:17] Alan Chapell: There's also a philosophical challenge. So every regulator in the history of regulators will tell the marketplace that you need to enforce to a seven or an eight, hoping that they can internally enforce to a four or a five. Because there's usually you want to have, because they want to have slam dunks, right?
It's but one of the challenges is if you consistently say the standard is a 10, people will stop listening to you.
and I think that's an inherent challenge to well, to regulators in certain
[00:30:55] K Royal: Well, and frankly I think that was a philosophy applied to the don't use Google analytics.
Or, or, or Google cookies or Google advertiser or whatever it is. Don't, don't use any of it because Google is a file of the European Union. And most people couldn't, most companies couldn't listen to that. They couldn't hear it.
So just that hard, bright line that says, thou shalt not, maybe the 11th commandment. I don't know of tracking personal data. They said, no, we, we, we can't do that. We're going to have to use Google and hope no one catches us.
[00:31:29] Alan Chapell: And then that becomes another challenge. And this isn't just a European challenge, but if, if, if, you know, three quarters to, to nine tenths of the marketplace are willfully out of compliance, then, then you may have a challenge with the rule set that you're
[00:31:45] K Royal: Yeah,
it is. Yeah. It's not easy. There's no doubt about that. I know Paul and I, when we were at the Nordic privacy arena, one of the things that came up there was a practitioner becoming a regulator. versus a regulator becoming a practitioner and how much more broad of experience it brings once a regulator has been a practitioner and what they understand about what really happens out there in the business world and things to take into account doesn't mean that companies should be allowed to operate willy nilly just because that's practical.
What it means is the regulators can now understand the challenges that the businesses are facing on a very practical level as opposed to sitting in an ivory tower and not understanding how business operates. So I think it really is bringing a change to the perspectives. It seemed to me for me, but it's not every regulator out there,
[00:32:35] Paul Breitbarth: Very true.
[00:32:37] Alan Chapell: Yeah.
[00:32:38] K Royal: there's still a challenge. There's still Very much a challenge,
[00:32:41] Paul Breitbarth: So Ellen, before we wrap up, I do want to get to your music as well, because it's rare that we have performing musicians also on the podcast.
Does any of all of this influence your music or is it just completely separate roles?
[00:32:56] Alan Chapell: keep them pretty separate, but, but there's, there's definitely a fair amount of bleed over there. There just has to be, you know, the, the so I, I, as part of my business, write a 20 to 30 page report on everything going on in the data driven advertising world when it comes to privacy competition and AI.
If you subscribe to that report, the number of music references in every single magazine are pretty high. I'll have three or four really, really good ones. The one I'm currently working on has a reference to the cartoon show Rick and Morty. And, and, I'm, I'm, And the reason I'm explaining it this way is that it's really difficult, my, my music, of course, privacy, because I'm very passionate about it, bleeds into my music.
There's a song called Ride off of an album called Penultimate that, that really is about privacy and or the end of it.
[00:33:48] K Royal: Yeah.
[00:33:49] Alan Chapell: And so it's really hard not to have a fair amount of bleed between your, your, your, your two lives.
[00:33:55] K Royal: Agreed.
[00:33:57] Paul Breitbarth: Well,
[00:33:58] K Royal: sorry, privacy, privacy. I want to have some privacy. I'm sorry. I'm not a singer. And I will acknowledge that out loud, but yeah.
[00:34:09] Alan Chapell: But, but brilliant, Olivia, do John reference that well played my friend. Well
[00:34:17] Paul Breitbarth: true. So on that high note, we'll wrap up another episode of Serious Privacy. If you liked the episodes, was a little too high of a join the conversation on LinkedIn, find us under @SeriousPrivacy. You'll find K on social media as @HeartofPrivacy, or maybe also as Olivia Newton John too, I don't know. You'll find me as @EuroPaulB.
And all references to Alan, including to his music, are in the show notes. Alan, thank you so much for joining us until next week.
Thanks for having me.
[00:34:37] K Royal: Bye y'all.