.png)
Serious Privacy
For those who are interested in the hottest field in a technology world. Whether you are a professional who wants to learn more about privacy, data protection, or cyber law or someone who just finds this fascinating, we have topics for you from data management to cybersecurity to social justice and data ethics and AI. In-depth information on serious privacy topics.
This podcast, hosted by Dr. K Royal, Paul Breitbarth and Ralph O'Brien, features open, unscripted discussions with global privacy professionals (those kitchen table or back porch conversations) where you hear the opinions and thoughts of those who are on the front lines working on the newest issues in handling personal data. Real information on your schedule - because the world needs serious privacy.
Follow us on BlueSky (@seriousprivacy.eu) or LinkedIn
Serious Privacy
Villains, Visions, and Val - Welcome 2025 (with Val Ilchenko)
On this week of Serious Privacy, Paul Breitbarth, Ralph O’Brien, and Dr. K Royal ring in the new year with Val Ilchenko, General Counsel and Chief Privacy Officer of TrustArc. No topic was off limits! We discussed the ghosts of Privacy past, now, and future. Tune in to hear all about it as we kick off the new year on #GlobalDataPrivacyday / #GlobalDataProtectionDay 2025!
Please follow and set to auto-downloads in your favorite podcast app - sharing is caring!
Powered by TrustArc
Seamlessly manage your privacy program, assess risks, and stay up to date on laws across the globe.
With TrustArc’s Privacy Studio and Governance Suite, you can automate cookie compliance, streamline data subject rights, and centralize your privacy tasks—all while reducing compliance costs. Visit TrustArc.com/serious-privacy.
If you have comments or questions, find us on LinkedIn and Instagram @seriousprivacy, and on BlueSky under @seriousprivacy.eu, @europaulb.seriousprivacy.eu, @heartofprivacy.bsky.app and @igrobrien.seriousprivacy.eu, and email podcast@seriousprivacy.eu. Rate and Review us!
From Season 6, our episodes are edited by Fey O'Brien. Our intro and exit music is Channel Intro 24 by Sascha Ende, licensed under CC BY 4.0. with the voiceover by Tim Foley
#heartofprivacy #europaulb #igrobrien #seriousprivacy #privacy #dataprotection #cybersecuritylaw #CPO #DPO #CISO
Please note this is largely an automated transcript. For accuracy, listen to the podcast.
[00:00:00] Paul: Welcome to 2025 and welcome to season six of the Serious Privacy Podcast. This is a new year and some things will be different. We have a new European Commission up and running with new laws on the horizon. The Digital Fairness Act, anyone? The United States has, of course, inaugurated Donald Trump as their 47th president.
We have also welcomed Delaware, Iowa, Nebraska, New Hampshire, and New Jersey to the data protection law family. But for us, the biggest change you've heard in our new intro, which is, of course, due to the fact that we are officially welcoming Ralph O'Brien as our third co-host. And on top of that, we also have a guest today.
Val Ilchenko is TrustArc’s General Counsel and Chief Privacy Officer and is joining us today to look ahead at 2025. What hasn't changed much is me. My name is still Paul Breitbart.
[00:00:51] K: I am still K Royal, and you are still welcomed to Serious Privacy. We do have a guest today, so he got to see me making faces at Paul and trying to crack him up, but Paul's been around me way too long now, it's not as easy to break him anymore.
[00:01:06] Paul: well, it's been five years, K, that we've been doing this. This is the start of season six. Maybe also good to clarify immediately, not all three of us will be on all of the episodes for a while every time of all of the episodes. Because one of the reasons why we added Ralph to the team is that you and I noticed last year that with life back in full swing and some housing and travel and all those kinds of issues, sometimes it's pretty impossible to record podcasts.
So with a slightly bigger team of hosts, we hope that we are able to give you weekly episodes as it should be. Welcome, Val back to Serious Privacy.
[00:01:44] Val: Thank you Thank you. Happy to be on and excited to officially be on. I mean, we've, I, you know, I've Paul, we've done a webinar before. Okay. We talked briefly at the what was it? The GPS and then yeah, yeah. Yeah. IAPP global privacy summit last year, but super excited to be on kind of one of the official you know serious privacy podcasts,
[00:02:03] K: Well, thank you. Thank you for joining us. We have a lot of fun here So with that, let's get to the unexpected question - which funny enough Val helped create the unexpected, the unexpected question today, which is Who's your favorite villain? And you can pick a villain from any universe. Marvel, DC, Disney, Star Wars, Star Trek, I don't care. I mean, we're all hearing Kahn echoing in our heads now. But who is your favorite villain?
[00:02:34] Paul: Who is echoing in your head?
[00:02:36] K: Kahn!
[00:02:38] Val: Star Wars, Star Trek, the Star Trek reference.
[00:02:40] Paul: No, sorry, blank face.
[00:02:43] Val: Oh, we're both, we're both blanking.
[00:02:44] Paul: I'm not very good at pop culture.
[00:02:46] Val: I'm okay though, but I'm still drawing a blank.
[00:02:49] K: Alright fans, y'all gotta educate these guys on Khan from Star Trek, I'm telling
[00:02:55] Val: What is Star Trek? I said Star Trek. Yeah.
[00:02:58] K: Yeah, you did, you did, you got Star Trek. So, that's fabulous. But, Lord have mercy.
[00:03:04] Val: I'm going to embarrass myself and admit that I only know Kong from the like new Star Trek movies and not the originals. So it's, you know, I only get partial points.
[00:03:13] K: There you go, alright, so who is your favorite villain?
[00:03:18] Val: So this one is a little, a little drawn out now. But there was this running joke on a show that also is pretty dated. So like in How I Met Your Mother, which was popular, I don't know, 15 years ago, there was this running joke about how Johnny Lawrence from the Karate Kid movies was secretly like a hero.
And, you know, Ralph Macchio was this bully and whatever. And it was always this kind of funny running gag, but then they introduced Cobra Kai eventually, I hope as a direct response to How I Met Your Mother. And so, you know, you got to root for Johnny Lawrence, especially since he's kind of become like the hero in, in the Cobra Kai show, which is ridiculous and cheesy and awesome if, if you like Karate Kid movies, if you've never seen the Karate Kid movies and you watch Cobra Kai in a vacuum, I don't know.
I don't know if people get it, but like the entire thing is just an homage to the Karate Kid movies. All three of them, actually. So Johnny Lawrence.
[00:04:16] K: So, Paul, your favorite villain. He's going to give me a real life.
[00:04:21] Paul: there's a few that spring to mind. One of them would be Raoul Silva. Now I'm looking at you to see whether that rings a bell.
Nope? Bond villain in Skyfall.
[00:04:32] K: Who? What's the name again?
[00:04:34] Paul: Raoul Silva, played by Javier Bardem. he was really, really good. And I really enjoyed that performance.
[00:04:41] K: Skyfall. He was the one that's teeth rotted away from the arsenic pill or whatever.
[00:04:47] Val: He was really good. He's a great actor.
[00:04:50] Paul: The Hannibal Lecter like type. so that, that's one I liked. Cruella de Vil, but then as played by Glenn Close in the live action 101 Dalmatians. She was really, really
[00:05:03] K: she was. He's awesome.
[00:05:04] Val: The Emma Stone version was, was I, you know, now that I have kids, I see all this stuff. So that one was pretty cool, actually.
[00:05:11] Paul: that one is still on my list to watch. So I haven't seen that one yet. But I have a soft spot for Glenn Close. And the third one, I'm not sure whether she qualifies as a villain but that would be Elphaba.
[00:05:26] K: Oh, yes. Yes. I am. I'm planning something around Elphaba as you can imagine, of course.
Oh, I love those. I love those. Okay, so here's the thing. I cosplay, people know. I actually am building a cosplay that is a, I love to do mashups. It's a mashup of Cruella DeVille and Harley Quinn in the last movie where she had the red formal dress on and was meeting with the The dictator or whatever.
So I am marrying Harley Quinn with Cruella DeVille. So I'm doing a Cruella Quinn or a Harley DeVille. I think it's going to be a Harley DeVille with the long black and white trench coat.
[00:06:05] Val: Well, I appreciate that it's not Wicked, because as good as those characters are, I have two young daughters, so Wicked, the movie, is always playing. It's all we listen to in the car. My daughter is now either coloring in her Disney Villain coloring book or her Wicked coloring book.
[00:06:19] K: Love it.
[00:06:20] Val: And my four year old, Only will dress as Elsa, Elphaba, or Glenda.
[00:06:26] K: Oh, yeah. My, my my three year old granddaughter is the same, everything. She's a princess until I bought her the Young Maleficent costume, so she still calls it a princess dress, but I've tried to explain to her as Maleficent. So I don't think anybody would need to guess my favorite villain is Maleficent. Only because I fell in love with the Angelina Jolie movies. I loved Maleficent before then, but probably before them would say the one that I dressed as the most was Cruella DeVille. When I would cosplay a villain and I've, I've cosplayed her several times until the Angelina Jolie movies came out with Maleficent.
[00:07:03] Val: I take it you've seen the Descendants movies then, too, right? Which have the young Maleficent?
[00:07:08] K: I've watched it once. I was, I have to say I was not a big fan, but it is the Descendants outfit that I bought for her. So I'm not a big fan of those. I tried, but didn't really hit the right mark for me for some reason, but I love the Wednesday movies. Does that count?
[00:07:26] Val: I don't think I've heard of those.
[00:07:27] K: Oh, the Wednesday girl from the Addams family.
[00:07:30] Val: Oh, the ones that, yeah, yeah, yeah, yeah, yeah,
[00:07:32] K: on Netflix. I think it is. I love those. Alright, let's actually get to some privacy, shall we, Paul?
[00:07:38] Paul: Well, I mean, the show is still called Serious Privacy and not Serious Villains, so Might be a, might be a good idea.
[00:07:45] K: it just got changed. I'm sorry. I'm the one making the stickers for the DC Summit. So, as you can imagine, I've already got one in process for Wicked.
[00:07:55] Paul: Vel, tell me, what, what do you make of the plans of the new villain in chief, sorry, the new US president? How will that impact privacy in the United States? In 2025,
[00:08:06] Val: Really good question, and I feel like There are so many hot takes. I mean, look, let's, let's start with, I'm going to start with a little optimism, optimism, because I like to be a glass half opener guy, right? I think that some of the stuff around Stargate and supporting more technology and innovation sounds really cool.
I mean, that, that initiative, Stargate's the initiative between Oracle and keep me honest here, folks, Oracle, open AI, and there's one more, right? Stargate, Oracle, who else is involved in that? anyways,
[00:08:40] Paul: one. Yeah.
[00:08:41] Val: yeah, and SoftBank, right? That's, that's the other group. So I think there's some really cool things happening, right?
I think there's some, you know, investment coming into innovation, which is great. I mean, I think you've kind of seen. But that was maybe coming a little bit with how some of the bigger tech companies have been aligning with the new administration. so I think that's the positive, right? Do I think the kind of yank first and then replace later approach that they're taking will work?
I don't know. I mean, you know, you could, you could, you know, I'm, I'm pretty diplomatic. So you'll probably get, get that through on the, for our listeners. I can understand why they'd want to do that to kind of open, open the innovation waves and then refine as we see. I mean, you know, typically more conservative GOP will do things like that, right?
They're, they're going to come down a little bit less hard on the tech sector in some regards. I think pro is that there's a possibility that with a more Republican controlled government and with kind of what we're seeing in tech, That there is an increased likelihood right now that we may get that federal bill that was hard to pass before just because of majority controls.
So that, that's, that's one aspect of it. Flip
[00:09:51] K: So we'll get some version, whether or not it's the version we all want is different, but we'll get some version.
[00:09:56] Val: yeah. And look, I mean, you could debate that too. Like, I don't know. I kind of, I kind of want there to be a ceiling and I know California and others don't want the ceiling. And I think that the problem with what we've seen in the past with these federal bills is that You know, it's either too much or not enough, right?
If you're in a blue street, like California with pretty mature, I mean, you could, depends what you ask, but pretty mature laws in privacy. They're going to say, we don't want something that doesn't give us kind of free reign to do more. And then you'll see other places that are like, why are you trying to control business?
Right. Let's say fair and all that stuff. But it would be nice to have a more uniform approach, kind of like GDPR. Although you could debate that too, because. Over time as GDPR has passed, like, there has certainly been more data protection authority activity and deviations. Really easy example of the deviations is like, you know, the canal versus ico, although ICO is now no longer part of the eu, but just an example, or the German data protection authority.
Others, they've all taken slightly different takes on like what are exclusions and exceptions to tracking technologies, you know, being strictly necessary and things like that. I know that's EPR a little bit too, and PCR, so look, there's, there's deviations, but I think that something that is a little bit more of a peanut butter approach could be useful in the us.
And there's a slightly better chance of it now than before. That's the pro. I think that if that doesn't happen, because lots of people don't think it'll happen I think that the flip side could be that the states will step in, and I think my kind of citation here is Dobbs, right? After the Supreme Court Dobbs decision, Washington My Health My Data came out, New York just passed their health bill like a minute ago, right?
Yeah, I think it was like a week ago or something like that. So I think that, you know, there's, there's things that will happen either way. Cause, cause, you know, Paul and Kate, people will definitely ask me. Does this mean that privacy is going to kind of lessen or deregulate? I think my kind of quick answer is like not a chance because either there will be more momentum on a federal bill, which you could debate, or, you know, states will try to pick up the slack and they will continue to create what we're living in today, which is all more fragmentation and one-upism.
But, you know people are getting more privacy today than they were yesterday. And so I think, you know, pound for pound, you know, it's either no change or, or there will be improvement in the space, either because of state reactions or because somewhere there may be the chance for at least change/ Increased, you know, federal privacy that will at least create some kind of baseline
[00:12:30] Paul: Yeah, I think I think you are right there. I do expect that there may be some form of legislation on the horizon, but probably something that is more business focus. Then fundamental rights focus. So it would once again probably be more an economic privacy bill that would be sent to the House and to the Senate than really fundamental rights legislation.
Like we've seen recent years when the state omnibus privacy laws, which did have a GDPR element, a fundamental rights element in them. And I do believe that that in part may very well be a concern.
[00:13:06] Val: any I mean, so you're probably right I guess like this is just a you know, we are we are navel gazing now looking into the wall, but like You know any chance that because because I think that's the most likely expected outcome, right? But I guess there's a little bit of a chance that this, the, the tech lobby informal or formal pushes for uniformity anyways, because they say, look, like, you know, we get that on the federal level, you know, you guys have a certain policy and it's more economically driven, et cetera, but meanwhile, we are, you know, I'm speaking kind of figuratively, but they might be saying something like we're getting crushed out there trying to deal with the fact that there's new state laws coming out every year.
I mean, you, you all mentioned a couple, but. The stat that I've been throwing around that I've mentioned to our board is there's a hundred percent increase in U. S. state laws in effect this year, as compared to all of 2020 and 2024 combined. If that blows my mind, and if people haven't noticed that, they should, because that means that everything from CCPA to now is going to be, is going to be matched just in this year in the U.S. Which means that like, you know, sure. Every company out there should be thinking about this, but big tech in particular is under a significantly higher onus to comply. I mean, we see that in Europe, they get. They get scrutinized more often. They get the good and the bad press more often. They get fined relatively speaking, more often than your, you know, mid market B2B SaaS company or whatever.
So, you know, there's just, there's a, I guess, question for you both, but is there, do you think there's a chance that the tech lobby will succeed in getting some momentum around the, Hey, this is going to make it easier for us to conduct business that instead of letting the States regulate, which is going to cause it to become really hard to kind of operate, you know,
[00:14:53] K: Oh, wow. I really hesitated on that one, didn't I?
So, It's a good question. So if, if we get a federal privacy law passed, given the majority now in both houses, it will be a Republican flavored. Privacy law, which is, which is fine but I do think that that means that there might be some arguments over some of the features that have stopped the laws from passing previously.
So do I think that big tech would be in favor of a federal privacy law that would preempt state privacy laws? Yes, I absolutely do think they would be in favor of that because the one thing most of them have in common is they are subject to the california law which none of them like because there's a private right of action should they have a breach and Everyone has a breach.
Let's just be honest. Everyone has a breach If you don't think you have a breach, then you just simply haven't found it yet Problem is, all of our data is out there somewhere anyway. So how can you possibly tell if a particular breach is the one that caused your harm when I, I dare anyone to, to challenge whether or not the dark web has any of their private data?
So I do believe big tech would be in favor of that. But here's the thing as Paul and I joked about last year, my predictions for 2024 sucked. I mean, sucked rotten goose green eggs. I figured the states were not going to pass laws and everybody was going to be focused on the election given the, the huge year that it, it, that part was true that it wound up being.
But this year, I don't know that I have your optimism there, Val. I don't, I don't know that I think the federal is going, are going to pass a privacy law that is sufficient. And you didn't say this part, to grant us adequacy under
GDPR.
[00:16:48] Paul: Oh, that will not, that will not happen. that, that you can forget.
[00:16:52] K: Are we going to get something passed?
There may be, but that would then be our fears realized, right? They would pass something that is so watered down and so weak, it's really meaningless. It's a law that could later be amended, but it may be really, really weak, which is worse than not having one at all,
[00:17:11] Val: Well, yeah, I was going to say, well, what about places where we don't have one at all, but you know, you answered that Paul thoughts
[00:17:18] Paul: yes, I agree with Kay and no, I do not agree with Kay because I am also not with you. Because I don't believe that big tech is gonna push for federal legislation. Big tech will push for deregulation, and we've already seen that happening in the run up to January 20th. The over inauguration of President Trump.
And we've seen it happen probably in, in recent days, there is there is a reason why the AI executive order was repealed that's in part because big tech doesn't like it. yeah, there is a reason why other tech laws or tech executive orders have been have been rescinded or why they're making changes or planning changes.
I don't believe that big tech will be pushing for for regulation. They will be pushing for more freedom. More freedom when it comes to misinformation, when it comes to what they call censure. Of information on their platforms. We've already seen that happening. But also in the in the transatlantic relationships.
I do believe that the next U. S. Government will be much more protectionist when it comes to the U. S. Big tech. Under that America first policy, and that is a concern when you look at it from the rest of the world perspective, because we have become so dependent for almost everything we do on U. S. Big tech that U.
S. Big tech being deregulated and then at the same time threatening it. Yeah. With trade sanctions as soon as other jurisdictions even think about regulating U. S. Big tech like then Vice President elect J. D. Vance did at the end of last year saying, well, if Europe wants to impose fines on U. S. Big tech, then we will impose tariffs or leave NATO. That is not just unfair politics, but that's also really scary from a transatlantic open society free trade perspective.
[00:19:16] K: they all heard my eyes roll at that one.
[00:19:18] Val: I mean, look, the, you're, you're probably right. And I think kind of 2 comments there. 1 you know, there's an interesting political article about that point, right? About how lawmakers are urging the commission to kind of resist pressure. So folks could check that out if they're looking for 1 viewpoint, at least.
I mean, look, you're right, and that does sound challenging. However, I think, you know, behind closed doors, this is hopefully useful for the readers, but behind closed doors, I think whenever anything has happened, including the fall of Privacy Shield or adequacy decisions or anything else like that, you know, you always hear that, like, while there are a lot of reasons and rationale and causes for this, you know, some of them are not always, you know, altruistic and about just, you know, Just rights of individuals and freedoms, and some of them do have to do with trade relationships, et cetera.
I mean, you can dispute that, and it's hearsay, and it's rumor, and it's stuff you hear behind closed doors. But, I mean, you know, there, people do argue that that is a part of it, and, you know, if you look at even how, how Privacy Shield fell, and the fact that the jurisdiction was that, so, this, the court couldn't look at some of the practices of, of the European member states, as far as I'm aware, who commented on it, opined on what was happening in the U.S., You know, you can see that there's, this thing is all nothing is black and white here, right? It's all nuanced.
[00:20:39] Paul: No, no, that's, that's certainly true. And we've seen that the data privacy framework at least lives to fight another day because it's one of the few executive orders, I guess, of the Biden government that was not rescinded. I was going through the list looking for 14086 and I saw. 82, 83, 84, 85, then 87.
It's like, the one that they skipped is, is this one. So that's a good thing. The privacy framework is still there. The, the transatlantic data flows are still are still continuing. And to some extent, The proof of the pudding will be in the eating, right?
[00:21:17] K: that's a good point. Coming from the American side of things, it's painful to hear. It's screamed into a microphone or whatever. And, and do we believe things are going to happen? So, but, I mean, we can look at some of the things that have happened in the first few days of the administration, so we're recording this just so y'all can put it in perspective on the 22nd.
Because this will come out on Data Privacy
[00:21:42] Paul: Data protection.
[00:21:44] K: Day of 2020 January 28th, 2025. So we will be a week behind, basically, of where we are now in saying, so anything else could be proposed in the next week. I just have to put that caveat out there. We're speaking at where we are right now. So, something could change this afternoon.
[00:22:02] Paul: crystal balls here.
[00:22:03] Val: Yeah, I mean, it's been staggering. I mean, it's, you know, really, how many people were expecting this flurry of, I mean, I know they've been promising it, but still, to kind of open up the newspaper or whatever you use for, for news, that, you know, these days, like, And I'll say newspaper figuratively because it was my iPad news app.
[00:22:21] K: Right, right.
[00:22:22] Val: and to kind of read about all that, it's been staggering. So I think that the velocity of change has been, it's pretty hard to crystal ball. I think everything now would be a hot take basically.
[00:22:33] K: Well, and think about this is our first episode since the end of 2024. So, there was the whole flurry of privacy enforcements here in the United States that was kind of like a, a, a rush to the goal line, right? It was a push, push, push, get this out, get this out, get this out. Before people no longer work there or before it's no longer a priority for the administration And that's not an insult.
Everybody knows that every change of administration are going to have different different priorities for that administration But in this case, I think they intuited that A lot of the enforcements might be stopped. Some of them we did see stopped after the election anyway, but seeing the flurry of enforcement and proposed changes to laws and even some of the executive orders that Biden pushed out, I mean, let's talk about the 28th amendment to the constitution, which is the Equal Rights Act.
It was, it was staggering to see the amount of movement that we saw come out of politics in the U. S. This year, leading up to the change or the transition in administrations. So. There was a lot that happened. We're not just covering the past week in privacy. We're covering like the past month in privacy.
And there was a lot that has happened in the past month. I personally, one of my favorites other than the 28th amendment, which I have to see where that is sitting now, supposedly it's ratified, but
[00:24:02] Paul: That would be the Equal Rights Amendment, right?
[00:24:05] K: yes, equal right, the ERA, equal rights amendment, exactly. Which we probably all thought was already part of the Constitution, but guess what people? It wasn't. It just took a long time to get ratified. So it's interesting to see that one, but otherwise my favorite one I think that came out was the flurry of enforcements by Texas.
I love to see the Texas Attorney General and how active his office is in enforcement on privacy, privacy in connected cars, privacy on breaches that have come through, privacy on just about everything else in the world. And a lot of them are under their biometric law, not necessarily their privacy.
But it's been really cool to see the amount of enforcement on that level. And now we've got other state laws that are going into effect this year. We'll start seeing more enforcement, I do believe, on a state level. So of all the privacy things that have happened, and yes, we have a lot in Europe that have come out well, and a lot are focused around AI.
What's your favorite?
[00:25:03] Val: that's a good question. I mean, look, it's, it's, it's funny. I think my, my perspective has changed a lot since I'm coming to TrustArk, which, you know,
[00:25:13] K: You're sitting a little close to the opera now, Val.
[00:25:15] Val: well, it's, it's the eye of the storm a little bit. I mean, I think that, you know, when I was at you know, I didn't do a quick intro, but for those of you who haven't heard me talk before, I was before coming to TrustArc, I was, I spent about eight years at a company called GoTo formally logged me in before that, I was at hardware software. And before that, I was at the U. S. Air Force on the DoD civilian side for a little bit. Particularly, I mean, that was a million years ago now. Particularly a progress and go to You know, I was thinking about B2B SaaS companies with a particular footprint, particular client base, et cetera, you know, and TrustArk.
I mean, you know, we have clients that are, you know, in a lot of ways, it's probably like what folks see at some of the bigger firms or consulting practices. Like we kind of have everybody with all of their issues. So I think that my perspective on what's the most fascinating has, has drastically changed.
And I think that I just see That, you know, everybody's fighting their own sort of privacy demons, whether that's trying to create that unified North star program or being worried about what's coming next. I mean, some of the laws that I found like intellectually fascinating have definitely been these healthcare laws.
You know, those of you who don't know, like last year was the law, the year of AI bills, education bills, children's bills, biometrics bills. And health, right? If I didn't say health already lots there, right? Lots and lots there. I think, especially with that GM decision, the FTC, we'll hear more and more about connected vehicles, like you said, with Texas, but the healthcare stuff was, was kind of fun because it, I mean, it was as, as a person hearing our clients, having to grapple with it, I had sympathies mostly, you know, it's challenging and there was ambiguity and you could argue that that ambiguity started with Sephora.
Because Sephora was about cosmetics, they kind of had a healthcare consideration, you know, when you're buying I'm assuming folks know who are listening, but if they don't, a couple of years back now, there was a famous California attorney general decision against Sephora for use of tracking technologies and, and, and how those were considered a sale of, of data.
[00:27:24] Paul: And one
[00:27:25] Val: You know, while I don't think it was as heavily covered, the sort of subtext there was, if somebody's buying, I don't know, a cream. That is for a specific gender. And, and, you know, it's an age control cream or whatever, you can glean some characteristics off of that. Right. And, you know, you think about those kinds of things and then what happened separately, but happened anyways, which was Dobbs, which was the Supreme Court decision that reversed Roe v. Wade, for those of you who aren't familiar, which was the federal bill about abortion there was this big flurry of other laws that came out like Washington, my health, my data. That were about tracking technologies. So, so Washington My Health and these other copycat laws or whatever you want to call them.
Didn't come out because of Sephora, but I think Sephora started the trend of thinking about tracking tech with relation to healthcare. And what happened next was, you know, we saw clients in the healthcare space come to us. I saw, I saw folks just in the privacy community otherwise. My health, my data was announced, right?
Whatever that was two years ago. Saying like, what does this really mean? You know, what are these consents mean? How are we supposed to do this practically, etc. And when I came to TrustArc, like we, we, we were thinking long and hard about like, What does this really mean? Like, what is the technology that we have to build to actually fulfill this requirement and fulfill it in a way that aligns with, you know, countless clients of ours who all have a different perspective themselves.
And so it was a really, you know, I, it was probably, and you know, Paul or Kate, you both worked at TrustArc at some point, so maybe, you know, But I assume in some ways it was a little bit like when TrustArk was first building its data inventory hub tool, like right at the advent of GDPR, when they were like, what is Europa supposed to look like in a technology pool?
Right? That's a really It's a, you know, heavy is the head, right? I mean, that's a big task to think about what it's supposed to do for, you know, hundreds or thousands of organizations. How is it supposed to look when, you know, you ask, you know, you could ask five privacy people what a law is supposed to do or mean or be implemented and they'll have 12 opinions,
[00:29:30] Paul: Yes, and it's a continuously moving target because the interpretations of the law change because of guidance from supervisory authority, because of enforcement before the courts because a scholar writes an article and says, Oh, no, but you see it wrong. It should be completely the, the, the other direction.
So that, that makes it really hard also to. to have a definitive view well in advance. Hey, this is what you should do. And then for a lot of these privacy and data protection laws, you can read them in the broader context of the global data protection industry, right? You already have over 50 years of data protection laws that exist with all their guidance, with all their application.
So it is not completely novel. But if you look now at the AI legislation, which all comes with all new kinds of terminology, whether you are a deployer or provider and risk assessments, you see it in the EU, AI, but also now in the Korea, AI, that was just adopted. Earlier this week and we'll enter into force a year from now.
You saw it in the US executive order that was now rescinded. That is much less in context because it is a completely new domain. The same with things like the digital service and digital market sector in European Union, and they enter into force very quickly. Often within a year. And I have the feeling it's scrambling for a lot of organizations similar to the scrambling that happened when China suddenly announced.
Oh, yeah, we have a privacy law and it applies 6 weeks from now. And that the Washington, my health, my data feels a lot like, like that, even though that has entered into force by now, and we have a bit more understanding. But it was like, okay, we have something and, oh, be aware, you should act now.
[00:31:23] Val: I'm going to, I'm going to poke fun at some, some people without like naming them, but I remember when when privacy shield fell and the European data protection board came out with their supplemental measures got, they, you know, I think for a lot of us who were there, we were like, Oh, relief, they have answers.
Right. But, but really like, frankly, those were tricky. For one, yeah, no, we didn't. For two, those were tricky. For three, I mean, you know, they were advisory at the day. They weren't mandatory. But for four, pretty much a minute after they came out, I remember getting inbounds from clients, right? A former job, whatever, being like, which, which, you know, do you have all these measures?
And I was like, are you kidding me? Or, or even like, I mean, we heard about transfer impact assessments, right? Like, I think the minute that it hit the press wire, that those were a thing that needed to happen. I remember getting like demands for TIAs and I was like, nobody has this yet.
[00:32:19] K: Right.
[00:32:20] Paul: It was announced five seconds ago. I can't write such a thing in five seconds.
[00:32:25] Val: right. And I think with AI, I mean, the EU act and some of these other bills are, are better, but but I think that like in some ways, you know, it's, it's kind of the same paradigm, which is like, this company is just starting to use this somewhat experimental technology they have, you know, for most of the company, some companies are doing insane things, right?
I mean, Well, I'm going to exclude like the IBMs of the world, you know, we're building things like Watson and they know about AI, but most of the companies out there who are using AI are like, they signed a com e commerce contract with open AI and they're using their stuff. Right. And when, when that's the case.
And you have a really sophisticated buyer. Cause this happened to a couple of years back, who was like, Hey, I'm going to give you a risk assessment. I need to know if you're training the model, I need you to guarantee that you're going to give me my data back. If I do this, blah, blah, blah. It's kind of hilarious because it's like, you're sophisticated enough to ask me these questions.
But you're not sophisticated enough to know that nobody can answer them yet, right? And that's, that's, there's a lot of that going on, right? And, and Washington My Health had a little bit of that too, which I have some experience with because I remember, sorry, this is a bit of a rant. But years ago, I remember the FTC came out with these really great, not FTC, FCC, Federal Communications Commission, which is the telecom regulator in the US.
They came out with some laws that were really good about 9 1 1, which is the emergency hotline. They were called, they were rules about being able to find somebody in a multi level building, dispatchable location laws, right? They were really good. They were about making sure that if Jane Doe is in a college campus, she and dials 911 from her dorm or where ever that you know, she's on floor four, to bring emergency services. But I remember when those laws came out. There were two. There was Carrie's Law and Rain Bombs Act, around that same time. I remember talking to outside counsel. And we were like, this was years back, right? I mean, this has been solved, but at the time it wasn't.
And outside counsel was, we were like, how do we do this? This technology doesn't really exist. It's pretty clunky to find dispatchable location. And so unfortunately, And at the time they were like, yeah, industry is going to have to figure it out. That's the goal, right? And I think that that's what I'm seeing with some of these other things like Washington My Health.
When it first came out, there were all these rules about what kind of consent is needed to do certain things. And for those of you that don't know, if you want to sell data or share data or collect data, you actually need three separate consents under Washington My Health. And for selling of data, which is not selling in the K gives Val 50 bucks for a piece of paper with information, but the CCPA definition more so what signature.
[00:35:06] K: A wet signature. is what kills me.
[00:35:08] Val: but what's it about tracking technologies on a
[00:35:12] K: Right.
[00:35:13] Paul: How do you put a wet signature in a tick box?
[00:35:16] K: Right.
[00:35:17] Val: you got to ruin your monitor. It's you got to replace your monitor afterwards. It's the whole thing,
[00:35:21] Paul: Just imagine President Trump taking a sharpie and autographing the screen of his laptop to give consent under the Washington My Health Act. Phil, I hate to shut down your rant, but we are out of time. So I would like to thank you for for joining us. People can find you on on LinkedIn, and they will probably be able to find you at the Global Privacy Summit this year if they want to continue that conversation.
So thank you very much for joining us.
[00:35:53] K: Yeah, that'll be a lot of fun.
