US Privacy Legislation, The Global Privacy Control & SKAN4.0 with Cory Underwood - EP018
Our first returning guest on the podcast! Cory Underwood joins me to discuss privacy legislation in the United States, the Global Privacy Control initiative and how that ties in with California’s CCPA and Apple’s SKAdNetwork 4.0 update and it’s implications on mobile marketing.
Cory is an Analytics Engineer at Search Discovery and very active on LinkedIn, Twitter, and MeasureSlack where he shares his knowledge on these topics. You should also follow his blog cunderwood.dev for regular updates on these topics.
Links mentioned in the podcast:
- Cory’s first Life after GDPR episode
- Cory’s blog post about Global Privacy Control
- Cory’s blog post about the upcoming Colorado Privacy Regulation
- Cory’s blog post about the Sephora case
- Apple’s SKAdNetwork developer docs
- Great podcast about SKAdNetwork 4.0 by Mobile Dev Memo
Make sure you follow the show:
- Follow LifeAfterGDPR on Twitter and on LinkedIn
- Follow the host Rick Dronkers on Twitter & LinkedIn.
- Subscribe to the show on Apple Podcast or Spotify or wherever you listen to podcasts by searching for "Life after GDPR"
- If you’d rather get notified by email, subscribe for updates via the lifeaftergdpr.eu website
If you want to help us out, please share the link to this episode page with anyone you think might be interested in learning about Digital Marketing in a Post-GDPR world.
Talk to you next week!
-Rick Dronkers
https://lifeaftergdpr.eu/episode-018/
Transcription Disclaimer PLEASE NOTE LEGAL CONDITIONS: Data to Value B.V. owns the copyright in and to all content in and transcripts of the Life aFTEr GDPR Podcast, with all rights reserved, as well as the right of publicity.
WHAT YOU’RE WELCOME TO DO: You are welcome to share the below transcript (up to 500 words but not more) in media articles, on your personal website, in a non-commercial article or blog post (e.g., Medi), and/or on a personal social media account for non-commercial purposes, provided that you include attribution to “Life After GDPR” and link back to the https://lifeafterGDPR.eu URL. For the sake of clarity, media outlets with advertising models are permitted to use excerpts from the transcript per the above.
WHAT IS NOT ALLOWED: No one is authorized to copy any portion of the podcast content or use the Life after GDPR Podcast name, image or ness for any commercial purpose or use, including without limitation inclusion in any books, e-books, book smaries or synopses, or on a commercial website or social media site (e.g., Facebook, Twitter, Instagram, etc.) that offers or promotes your or another’s products or services without written explicit consent to do so.
Transcripts are based on our best efforts but will contain typos and errors. Enjoy.
[MUSIC SOUND EFFECT BEGINS AND FADES]
[00:00:00] Rick Dronkers:
[00:00:02] Hey everybody. Thank you for tuning into the Life after GDPR podcast, where we discuss digital marketing in a post GDPR world. Today's episode is a special one because it's our first returning guest, Cory Underwood joins me to discuss us privacy legislation. The Global Privacy Control signal and how that is underneath a lot of US privacy legislation. We discussed Apple's new SCAN4.0 and the impacts on mobile marketing and mobile attribution.
[00:00:33] Corey helps me out of my dream that technology might solve all of this and why that is probably not going to happen. At least not in the near future. I learned a lot. Especially, since I'm not based in the US it's really interesting to see what they are developing over there and Corey is on top of all of that. So without any further ado, here's the episode with Corey Underwood.
[00:00:57] Corey Underwood, welcome back to Life After GDPR. You are the first return guest of the podcast.
[00:01:04] Cory Underwood: Thank you so much for having me back. Looking forward it.
[00:01:07] Rick Dronkers: Yeah, we have a lot to discuss so, for the people that don't know you yet you are one of those, one of those people who's active online reading through everything that gets published relating to privacy, especially in the measure slack. You are very active sharing your thoughts and also sharing on your own blog.
[00:01:27] And in our first podcast together, we already covered a lot of topics on privacy regulation in the us, what it might look like the if effects of itp all these technical changes. And even though we recorded our first podcast in March of this year, I think we could already feel three extra podcasts right now.
[00:01:49] Cory Underwood: Life remains interesting in the privacy space. Definitely. A lot of things to think about as we move through the year and go into next.
[00:01:58] Rick Dronkers: I wanna talk to you about a couple of topics. I probably think we should start out with GPC. You wrote a great blog post about GPC, basically outlining your thoughts and where it's at right now. And I've seen a lot of questions from a lot of people about what is GPC and how could it be relevant and actually I also am not that up to date on it, so I figured since you wrote such an elaborate blog post on, it's probably best to just have you explain it to me in your words.
[00:02:29] Cory Underwood: The GPC is the Global Privacy Control, and it is a specification that details how a web browser can communicate that a user has opted out of data collect. Effectively, in the specification it outlines two different ways of doing that. You can either inspect a JavaScript property and so if you ha want to like craft tag manager rules around looking at that signal, you can reference that.
[00:02:59] There's also a server header that gets set. So if you needed to do something with a server endpoint, it could read and determine the status that way. Where this is notable and different from the previous do not track configuration back in the 2010s is the California Attorney General has said this is a valid opt-out mechanic underneath the California Privacy law and in the case with Sephora, that was settled, I'm not sure if the settlement is finaled. One of the things that they were cited on was not responding to or honoring the Global Privacy Control for opting out of data collection.
[00:03:46] Unlike the Do Not Track specification, which nobody decided to follow, because there was no reason to, the Global Privacy Control actually has the force of law, at least within the state of California.
[00:04:00] The other thing to note is because it's like this universal opt out preference signal other states that have privacy laws coming up, while it may not be in the initial enforcement over 2024 and 2025, they're gonna implement their own standards, which may mirror California as in regards to the signal. At least within the United States, It is likely that California will take the lead, the other states will follow California just for the sake of making things easier on businesses. And the Global Privacy Control will become the standard that sites will have to honor, at least domestically within the states. Now, whether or not that's gonna be sufficient for privacy regulation in other countries, I don't know, but that's kind of like the direction that we're seeing, at least here across the pond.
[00:04:55] Rick Dronkers: LIke you mentioned, do not track. think it was elderly who said in the first podcast, should have taken the do not track options seriously. And then we might not have been in, in the situation where we're at right now. If we just respected the do not track setting in all these browsers and we actually didn't track. Maybe all these privacy regulations wouldn't be necessary but yet, here we are. And this one is actually enforceable, at least now by California. So that's a main difference. Is it also different from a technical point of view? So is it something that a consumer, so a website visitor or user configures in their browser or on their operating system?
[00:05:38] Cory Underwood: It's within the browser, so currently it's an option in Firefox DuckDuckGo and Brave also support it. But it's not in Edge, Chrome or Safari at this time. Notably though California is amending their privacy law currently and they're going through rule making. The rule making draft devotes like five or six pages to how sites need to look at the Global Privacy Control and what they need to do in response when they see it.
[00:06:12] Rick Dronkers: It's fair to say that they're taking it pretty seriously as a method to enforce.
[00:06:18] Cory Underwood: Correct. And the thing that the Attorney General has said is consent management on its own isn't sufficient because if you look at it, say you have the Global Privacy Control and you see that and the tag manager finds the variable and it's like, Oh, I shouldn't fire these tags. Okay, that stops the collection, but that doesn't do anything to the data that you've already collected. And because it's an opt-out of processing signal, you also need some other mechanism for turning off the processing for any data that you may have already collected.
[00:06:51] Rick Dronkers: This part always confuses me because once I get the signal to stop collecting the data, how can I then collect the data that tells me to stop processing the data? Or can I only collect the data that tells me to stop processing it?
[00:07:08] Cory Underwood: It's part of that same signal, you can use that data for propagating back through history and like notifying any service providers, et cetera, that you need to stop doing that. But then you have the technical architecture issue of you don't obviously want to do that on every page because if someone goes through like 30 something pages of your website, you don't want to kick off that process 30 times cause that would get expensive.
[00:07:32] Rick Dronkers: So there you have to store that they opted out, which is basically collecting data about them again.
[00:07:38] Cory Underwood: But it's at least that's allowable underneath the draft regulation. You have to maintain enough data that you can say that you're not gonna do anything with it. But it's interesting because the law doesn't, if you read the specification for the signal, it covers that use case. It's like you can effectively do like denial of service yourself with high enough volume, right? Like there's no control there, so you need to build one, but it's not in the specification like, so it's up to the site to figure that out. But in the guidance of the Attorney General, it's like stopping collection is good, but it doesn't go far enough. So any, like off the shelf solution needs to cover both use cases going forward and looking back through history.
[00:08:29] Rick Dronkers: Who is responsible for developing GPC?
[00:08:34] Cory Underwood: Believe it's a, you have to look at their website. I believe it's a standards group.
[00:08:40] Rick Dronkers: Okay. So it's a non-profit initiative kind of thing.
[00:08:45] Cory Underwood: Let me see here. If we're looking at the full spec, there's from Brave, DuckDuckGo, Consumer Reports to Washington Post. IT's a series of editors. There's like a GitHub repo that you can go and look at, pull requests and open issues and make subject work, et cetera. Yeah.
[00:09:06] Rick Dronkers: It's not owned by the government. It is an open source initiative by by the names you just named. Like these are companies that have like privacy as their USB sort of or at least some of them.
[00:09:19] Cory Underwood: Pretty much because it's not a specific company, it's more along the lines of the W3C and how, I don't think it's actually an official effort underneath that, but I'm saying it's being developed along those lines. Right.
[00:09:34] Rick Dronkers: Because the fact that legislation is being based upon I was thinking two things. So the one thing that came up with me is like, under the GDPR, I feel like this is missing. Sort of it's all open to interpretation on how to do it. And then eventually you'll have to basically figure out if you're doing correctly by going through the whole process.
[00:09:56] And then hopefully you don't get sued or you know, like it turns out well. So a signal would be nice. Just a simple on, off switch, so to say. But then again, I do understand like the technical complexity of building that and maintaining that, and if the government itself would do that, or government or Europe in our case. That also yeah, brings certain issues. But then this group they also have their it could be a conflict of interest, so to say.
[00:10:23] Cory Underwood: The universal preference signal actually in elected a lot of the regulation. It doesn't call out the GPC specifically, but the Attorney General said the GPC qualifies as an example of this. So it's not, it doesn't mention the in the regulation by name. However, a lot of the different regulations that have clauses about universal preference signals have very specific requirements over the type of entity that maintains the signal for it to be even up for consideration.
[00:10:55] Rick Dronkers: So actually GPC is basically the current best example of what the law specifies, but they could switch it out in the future as long as it matches the spec that was listed out in the law.
[00:11:10] Cory Underwood: Correct.
[00:11:11] Rick Dronkers: Okay, gotcha. That makes more sense. I do feel that if this is done properly, it would make life easier on businesses. If this spec, if there's like a technical suite to work with, sort of, which, where you can basically tie all your tools to, it does make life easier for businesses to be compliant.
[00:11:34] Cory Underwood: Correct. At least within the states, California and Colorado, they have their own regulations that were defined by the relevant supervisory body. And those are much more prescriptive than what we've seen out of Europe with the GDPR. So it's like very clear like, here is how you do that and that's what you're gonna be judged by.
[00:11:58] Rick Dronkers: For, From the business side of things, I think like that's a good thing. Like there's so much questioning around the interpretation of personal data to start with, that as an example. So and how to implement basically all these concepts in Europe that I feel like a more prescriptive approach might not actually be a bad thing, but it will be interesting to see how this rolls out. So California, this is already currently active, right? And Sephora basically got fined.
[00:12:29] Cory Underwood: So in 2020, the law went into effect, right? So the CCPA and then in the summer of 2021, The Attorney General issued a press release that said the Global Privacy Control is an example of the opt out signal underneath the CCPA. You need to follow it, but if you built your site around the initial rollout ending, you didn't touch it since you are probably not in compliance.
[00:12:57] Rick Dronkers: The early movers that did their best to be compliant, Might have to do some extra work to... [Laughs]
[00:13:02] Cory Underwood: Indeed.
[00:13:04] Rick Dronkers: So next states that are also gonna roll this out in the US or that are rolling out privacy regulation based on GPC.
[00:13:13] Cory Underwood: They haven't decided on their standard yet for the Universal preference signal, it could be GPCs simply because California is already using it. But I know that Colorado and Connecticut both have clauses that go into effect in either 24 or 25.
[00:13:30] Rick Dronkers: A Little bit of time left, but it's inching closely.
[00:13:33] Cory Underwood: In the United States, a lot of the different privacy laws have different cutoffs. So certain clauses become inactive at certain points and certain clauses become active at certain points. The universal preference signal, just because it's so much more complex, is an example of something that has a delayed start.
[00:13:52] There are examples of what that looks like as far as becoming deactive. I know that for example, in January, California no longer needs to give you a warning before they file for a motion. Cause like their cure period where they send you the letter and you have like X number of days to fix it like that that has been repealed. Underneath the New Amendment. And then I know that in 2024, Connecticut repeals their 60 day cure period in December of 31st of that year. So while Connecticut starts this summer up in 2023, then you have like 18 months really to kind of get your house in order before like the 60 day warning that you're not compliant goes away. It's dangerous and strongly not recommended for anyone to rely on that cure period being present. they should probably just take it more seriously to begin with.
[00:14:58] Rick Dronkers: I feel like the Sephora fine woke some people up right?
[00:15:03] Cory Underwood: It definitely caused a lot of conversation to happen. It definitely did. Because the big thing that was kind of an open question around California's law when it was initial, initially rolled out, was what the definition of sale of data is. And a lot of lawyers took that as to be, we got paid actual cash for sharing data with somebody.
[00:15:29] And the attorney general has made it clear it's cash or other valuable consideration, so it's more broad. So if you're getting any sort of benefit from sharing the data, then that probably applies to you. That is not universal amongst all the states though, two of the state privacy laws going into effect in 23 actually still have the monetary compensation clause. It's gonna be challenging for businesses to come up with like a unified view of things.
[00:15:57] Rick Dronkers: So one of the benefits compared to the GDPR is like basing it on some sort of signal, like we just mentioned, Like for instance, what the, what GPC could be. But then one of the downsides is handling how different states will have a different take on these things. How would you handle that, like from a technical point of view? If you sell to the entire United States, you gotta do IP look up and basically change your tech infrastructure, or you're gonna go with the strictest regulation as like a blanket approach for all.
[00:16:33] Cory Underwood: It could go either way. I kind of worry that we're gonna end up in a situation similar to how insurance works in the United States, where like you get your insurance statement and then like there's four pages at the end of it and it's like if you're in this state, here's all the additional clauses that apply to you, or here's your additional rights under the state of Massachusetts, for example. We could actually see it go that way.
[00:16:59] I don't necessarily advise that if it can be avoided, just cuz it increases all of the overhead and the complexity of like the entire compliance. I would advise for sake of saving costs in time, [laughs] standardizing on whatever the strictest one is that meets the, broadest amount of use cases. Like only build something custom if you need it, essentially.
[00:17:25] Rick Dronkers: In your opinion, what is currently the state with the strictest privacy regulation or will be in the near future?
[00:17:31] Cory Underwood: varies actually. California has the most prescriptive set of regulations, but Colorado probably has the strictest view on what a data protection assessment looks like.
[00:17:45] Rick Dronkers: So it would still be, and it depends. [Laughs] We still have to do a mix and match.
[00:17:51] Cory Underwood: Fine structure is different too. So like in California for an unintentional violation, it's currently at $2,500. For intentional, it's $7,500. Other states just start at 7$,500. Colorado starts at $20,000.
[00:18:08] Rick Dronkers: Hmm.
[00:18:09] Cory Underwood: Like your fine structure in the risk varies dramatically between the states.
[00:18:15] Rick Dronkers: Yeah. And there will also, of course, influence the decisions companies will make on that. Is there a push for a federal or a nation you know, a nationwide privacy regulation that would make your life easier?
[00:18:29] Cory Underwood: There is. So there was a bill that made it out of committee and went up for a floor vote in the house, but it didn't get a floor vote prior to session ending. So it has bipartisan support. So both like conservatives and more liberal facing folks say that this is the, probably the way to go. California is rejecting it because the law is preemptive, so it would override California's laws, and it's not as strong as California's laws. So even though it's stronger than the data privacy law in like 49 other states, California's saying that they don't want it to overrule theirs. So rather than be a ceiling, they wanted to be a floor.
[00:19:20] Rick Dronkers: I do get that if you've been working on it yourself, [laughs] but like from a business point of view would be nice if you could have a, I think a lot of us businesses operate across states and this is really a hassle if you have to, especially if you're a small business, if you have to make that work would be nice if it was just one set of rules to play everywhere.
[00:19:42] Cory Underwood: But even if that was the case, in a lot of the existing data privacy law, there's cutouts for a. It's your personal data and it has to be treated this way, unless it's health data, in which case, like the health HIPA might apply, right? Or they're under 13, then COPA may apply, or it's like all these different things. So it's still contextual, even in the United States, even within the state of California, because if there's a more specific law in place for how that specific kind of data has to be handled, that takes presidence.
[00:20:17] Rick Dronkers: This is something that over the talks I've had with people like, it's becoming more clear to me that the conflict of technology and legislation, like leg legislation is. created after the fact to regulate something that we feel as a society is be going in the wrong direction if we don't regulate it. And then often technology is actually built to get us to a next step. So they're like conflicting in the way they work where technology tries to build forward to solve something. And legislation always tries to work backward based on things that already happen. And I feel like it's so hard to make them work together well.
[00:21:05] Cory Underwood: I would say that's probably true. Cause you don't necessarily know you need rules around it until like you see what goes wrong with it.
[00:21:12] Rick Dronkers: Yeah. Which makes sense, right? So, and I'm not saying legislation is not good in the sense of course we need as a society, we grow, we figure out new stuff and then suddenly we've build something, we're like, ah, maybe we need a set of rules around that before we start abusing it, so that part totally makes sense to me. But then from a technical point of view like, the, actually put it in, into practice, right? Those set of rules, that's usually where it really becomes so difficult, especially for companies that do not have dedicated they cannot allocate that kind of resources to it, to solve those issues.
[00:21:53] Cory Underwood: Back 20 years ago, there was no real major laws around the web, for example. But now web developers need to be aware of like accessibility laws of privacy laws in some cases, they have to be aware of having specific things such as like unsubscribe links in different regions. Check boxes either checked or not checked based off what exactly it is those things are doing, but just become a much more complex profess.
[00:22:27] Rick Dronkers: And it all needs to be interconnected also, all those things you just described, like now. So basically having an unsubscribe box. Okay, we you know, we kind of fix that because every email tool now has it integrated, right? Like usually what we end up doing is we turn it into software and then everybody can use it and then that's just the barrier of entry. So to say, like every tool has that.
[00:22:47] But now with these regulations, what we're actually saying, Oh yeah. If somebody now unsubscribed over there, then in all your systems everywhere, [laughs] you know, we wanna update that user and unsubscribe them and send them all the data you got about them and tell them that you deleted it.
[00:23:04] Like, yeah, which like from a technical point of view of view here, [laughs] that you're like, okay you know, we got some work cut out for us.
[00:23:12] Cory Underwood: And I think this is the downside that you see of having like a bunch of external third party services, right? They have their specific API interfaces and like that's what they do and that's all they do. And so as things have to come through and you have to propagate that out to like all of the different places you may have sent the data, all of those different companies have to build their own architecture for how to handle that.
[00:23:37] And some of them are more [laughs] forward thinking than others in that regard. And there's a lot of vendors out there today that still don't have any plans that they publicly announced for how they're gonna comply with a lot of this stuff. And even on a technical level, there's a lot of vendors that sell software packages that use cookies that are impacted by like intelligent tracking prevention and that's been in place for years and they still haven't fixed their product to handle that use case yet.
[00:24:08] So it's difficult for a company that doesn't have a technical team I think just because things are changing really quickly. But that doesn't mean that your particular vendor set is optimal going forward. But if you have no one to review it and tell you, you might not know that you need to change, even though staying with that vendor may ultimately increase your liability.
[00:24:34] Rick Dronkers: Yeah. Well, And I think the argument from um, the, let's call it the privacy side of things would be like, Yeah. And then they'll get fined and then people will wake up and they'll you know, they'll, It's a process, right? Like the, I see that as well. Like it is a multi-year, probably multi decade process, but I feel like the, it's also a case of technical depth, we have built systems upon systems, upon systems, and now these regulations go through all of them. They don't just touch the top layer of what we've built in the last year. They touch everything that everything was built on from the ground up. Which also means that in order to really comply you actually need to re-envision a lot of what has been built from the ground up as well.
[00:25:20] Cory Underwood: I agree, and I think, like enterprise data warehouse teams are coming to grips with this currently because a lot of the new laws coming into effect have like data retention periods. It's not enough that you're gonna, people in the youth, they used to stand up at data warehouse and they'd be like, It's a pend only, like nothing ever gets deleted and like that doesn't fly in, in the new world. What does that look like for company?
[00:25:43] Rick Dronkers: I do feel like something like GPC and I haven't invested enough time in it to actually understand it thoroughly, but a universal signal on the client side. Which is actively enforced is probably the way to go compared to other solutions we've seen so far. Because it's the only, it is the only actual place where, what this is all about, which is personal data, which is about the data subject, right?
[00:26:13] It's the only place they can actually actively control. They can set the signal there like, no, I do not track. But then enforce do not track, right? No, I don't want to be tracked. And using that signal throughout the tech stack could be the building block of something that skills. If you know that this signal is always the, the starting point of whatever you're gonna do down the line, that feels like a good starting point to have like a standard for that.
[00:26:40] Cory Underwood: I think, so the California law is a little bit weird in how it handles it. So for example, if you have the signal running, you need to stop sending data and opt them out of the sale or processing of their data for any third party that the site is communicating with. But that is a very specific legal context underneath the California law.
[00:27:07] Essentially you are gonna send data to a company, you have to have a contract to do that. Depending on the terms of your contract and the purpose for sending the data, they may qualify as like a service provider or processor. You can continue to send data to your services provider slash processor, even in the face of the opt out signal because of the different restrictions in those contracts. However, you cannot designate another company as a service provider, if they're doing things like remarketing, and that actually says that in the regulations under that, those scenarios, they're a third party.
[00:27:49] So then the GPC signal applies to them, and you have to stop sending data to third parties. So there's like a specific legal context for any vendor classifications that you have. And if the regulations are adopted, as is the service that other company is providing to, you may force them into one bucket or the other. But then there's actual legitimate contractual obligations for both scenarios that have to be spelled out. And that's not something that I think a lot of people are loo king at today, but that's a pretty common feature amongst the United States Privacy Laws going into effect. But that means maybe you don't just add a tag to your site without doing sort of like any sort of due diligence. I'm just saying that might be a good plan going forward.
[00:28:41] Rick Dronkers: I think that's probably a good plan going forward everywhere, right? [laughs] Just stop adding randomly JavaScript to your websites. That's a call to everybody listening to this podcast.
[00:28:51] Do you think it's naive of me to think that envision a solution that is purely technical where the signal from, so the setting in the client browser, client device, mobile phone, glasses, whatever we figure out in the future, right? Don't care. The signal from that device will inform it all downstream. Like we, we build the entire data processing environment downstream and the enforcement of all of that based on that signal.
[00:29:23] I feel like this is the way forward is I feel all these contracts, although I get, that's how the legal world works. The internet is so big, you're not gonna be able to enforce it all. You need more lawyers than people on earth to enforce it all. it never made a lot of sense to me to rely on those contracts. So my feeling is why if we have technology can make something a one or a zero, right? And it can enforce it. Why don't we, why don't we enforce the technology to change, to respect the do not track signal or the GPC signal, or the whatever signal we figure out next.
[00:30:01] Cory Underwood: And I think what's difficult is a lot of the signals in place with like the browser, for example, serve double duty. It's not just delivering the experience, it's been co-opted by the advertising industry to like deliver advertising, that's why we have issues in like Europe with. GDPR and like IP addresses for example.
[00:30:29] Rick Dronkers: So how the internet works, [laughs] unfortunately.
[00:30:31] Cory Underwood: Right? Yeah. So I mean at some point you, you need to have the data transferred because otherwise you're not gonna get a page back when you type in the url. The issue that I see is regulation really tries to like differentiate between proper uses of something and improper uses of something. But I mean, the fact is like you still need the IP address to get the information back you're classified it as personal data, but I still need to process it 100% of the time to serve the webpages.
[00:31:01] It's hard when things get classified certain ways, but they're required in like nearly a hundred percent of use cases. And it's just some of those use cases might be less desirable than others. But we can't not have the, we can't not have an IP address cause we still need a way of getting the, communicate the data from A to B.
[00:31:20] I kind of wonder, like over, you assume the GPC as a standard gets rolled out, vendors will eventually develop support for it, Probably, especially if they start getting hit with fines. But it's not just the way the, [sigh] regulation is faced is essentially if you include a tag on your website, you're liable and underneath the California law there's different things that you have to do, like assessments of your vendors otherwise you can't use the legal defense. While I thought they were doing everything properly, they're like, you can't say that you thought they were doing everything properly unless you're validating that they're doing everything properly, at least every so often.
[00:32:06] I don't know. I think it's gonna be rough. It would be good for it to do that, but there's a lot of software that's been built and refactoring all of that to look at different signals is not a minor undertaking. And some of the stuff has been in place like 20, 30 years, and chances of people at the company, even knowing how those systems work any longer. Probably fairly low outside of like some die hard, you know, I'm gonna work here the rest of my life plate folks.
[00:32:39] Rick Dronkers: Get some people out of retirement. Dust, dust of their urogramming books.
[00:32:45] Cory Underwood: It's super expensive and it's very time consuming. And then you really need someone, Cause a lot of the laws nowadays have like security requirements in them too, right? So you really need like a security engineer when you're going through and rebuilding all these systems. And you probably want a privacy engineer, at least someone who understands the privacy space in enough detail that they can flag, Hey, maybe we shouldn't do that way before you build it, because it's cheaper to fix it in design than it is after it's like in production.
[00:33:20] Rick Dronkers: So I think maybe what I started out with, my vision, that's never gonna happen in the sense of there's too much legacy. But then I think the next best thing, Is privacy by design and by default, right? So if new technology that gets built does get built with these things in mind, then give it another 30 years [laughs] you know, until all the old stuff is deprecated. And then, and then we're at a, at a better spot. Right.
[00:33:48] Cory Underwood: And I think anything new being the standards, applying to anything new is important cuz otherwise we're never gonna get out of the situation we're in. It's a long tail, probably heavily supported by enforcement action to get legacy companies or companies with like a legacy architecture to update.
[00:34:06] Rick Dronkers: Yeah.
[00:34:07] Cory Underwood: Because it's hard to sell that to like an executive team, right? Like why do we need to rebuild the website or the entire infrastructure of the whole back and like, why do we need to do that? that's what the regulation says we need to do. We will look at that when we get sued. Is like the often, is often the case, but Sephora settlement is not just the fine.
[00:34:31] Sephora has to fix all the issues and Sephora has to stand up and maintain a privacy program for two years and make periodic reports to the state of California on how they're still being compliant. the fine's only a part of that, but like the investigation and like standing up the systems and the, the compliance and the transparency and stuff that's super
[00:34:57] Rick Dronkers: Yeah and expensive.
[00:34:59] Cory Underwood: So it's like you can do it on your time or you can do it when the government says you need to do it, but then that's on their time
[00:35:07] Rick Dronkers: Yeah. Cause I can imagine that the amount of consultants that Sephora's gonna have to hire to, to get this done is also, that's also not gonna be cheap. So the price tag is definitely bigger than and that's a good signal to give.
[00:35:22] the things you just mentioned. I didn't know that. But I think that's even better than the, in the initial fine, like the fine grabs a headline that's good, But then basically giving them a house arrest [laughs] you know, of two years and, you know, making them come back and better themselves. That's probably more important than the initial fine.
[00:35:38] Cory Underwood: The FTC, so the Federal Trade Commission in the United States Hit Twitter with 150 million fine a couple months ago because they discovered that they were using two factor authentication phone numbers as a key for targeted advertising delivery. And so they were telling users, Hey, give us this number.
[00:36:03] We're only gonna use it for two factor authentication. And then they were using for marketing.
[00:36:07] Rick Dronkers: Nice growth hack.
[00:36:08] Cory Underwood: And so the FTC, the FTC was like you violated our previous order. So now the fines higher.
[00:36:15] Rick Dronkers: You understand how it happened, right? There's some ambitious growth hacker that's like, Hey, I, we could just pick this up, hash it, send it to Facebook, match it, grab those users, remark them. Easy win. But yeah, that tho those are the practices that we don't wanna do anymore.
[00:36:30] So um, yeah, it's good that they get fined for that. Let's shift gears a little bit. Let's talk about Apple's latest developments. Apple has been promoting uh, privacy as a USP for a couple of years now. I think in our first podcast together we touched upon a lot of ITP and some ATT stuff, and now Apple has, I feel, given a little bit back or improved upon their, the way people can do attribution in this case with for app installs, right? What they call the, the scan or SKAd network.
[00:37:07] Cory Underwood: Right. So they released on October 24th. So it's like early november here, so maybe two weeks ago now their 4.0 version of this, and two things really help advertisers here. So first is like, support from multiple conversions. They can get up to three post backs for who installed the campaign, like the app from a campaign.
[00:37:31] And then they also have SKAd network for web ads. So attribute web advertising that directs to the app store product pages. And so if you are trying to figure out like, is your advertising working for app installs and what that return on investment is, they're helping you get to that number easier than they have done previously.
[00:37:56] Rick Dronkers: So previously you could send a post back, so a signal back to your attribution software, but you could only send one.
[00:38:04] Cory Underwood: Correct.
[00:38:05] Rick Dronkers: So the issue for a lot of app developers was, okay, we could send something that the app was installed, but probably somewhere in the, let's say you have a game, right? Somewhere in the game, you want people to upgrade to the paid tier of the game or something like that. And then maybe once they're in that, you wanna upgrade them again. So there's a couple of key moments in the life cycle which you wanna attribute back to your original acquisition campaign. And they could only report on them like in aggregate, but not tied back to the campaign. They would only have one post back that would tie it back to the campaign, and now they have three.
[00:38:43] Cory Underwood: And there's like a series of priority on like what conversions within the network look like. Cause usually you get like the highest quality ones back in because like if you said 20, it's all, I'm gonna give you a subset of those, right? But it still has a lot of the same issues that data's not real time anymore. There's a delay and if there's nothing, like if the source data can, can't be significantly anonymized, like you're probably not gonna get it. It's a privacy first design.
[00:39:17] They did give you more tools and you do have more capacity for doing identification and particularly like web to app identification. And all of that reporting, but I mean, like it's not plug and play. You're still doing quite a bit of development effort to get there even if you're working with like an advertiser network. They're doing the work then as you build out ads or whatnot, you may have to supply more information or configuration settings to get that to work like you did.
[00:39:50] Rick Dronkers: I feel like the mobile attribution space already was more complicated, like to begin with, you would always have some something like apps flyer or you know, some adjust or one of those tools Implemented and I feel like the, probably a lot of the heavy lifting is gonna be on their end on your, on your ad tech partner, so to say. But it's definitely not plug and play.
[00:40:11] Cory Underwood: If you were to go into Apple's documentation on it, like it is developer documentation, like it's not directed at marketers. the benefits can be realized by marketers, But the documentation is not at all written for them.
[00:40:24] Rick Dronkers: Yeah, there's a little bit of a gap to bridge there, I feel. I wanna get back to two things you said. So there's a delay I'm interested in the technology because I feel like what we're seeing here could also be implemented perhaps in other systems, on web attribution in the future. So Apple has a delay, which is randomized, right? Because Cuz basically the reason why they have a delay is because if you would have a immediate, unique hit times, you know, it could help you identify a user and thus privacy would not be preserved. So they have like a randomized timer right, in which they will actually give you the event.
[00:41:04] And then there's a threshold for sending it back, which is a little bit like in Google Analytics, where you can only get a, an audience segment if you have more than, I don't know what it is, 500 or a thousand users. So basically to hide in the crowd, right? So you need X amount of users x amount of unique events grouped together so that they are no longer, you're no longer basically able to stitch them back to a single user.
[00:41:28] Cory Underwood: Correct. So I believe that the look back window is somewhere between 24 and 48 hours. But then specific kinds of events have different cutoffs, if you want to know if the ad network presented, they store kit rendered ad they have 30, the user has 30 days to install the app. But if the, you're not trying to tie it back to a campaign, then you can get a post back for 60 days.
[00:41:53] So there's like different time windows on how long you can get certain kinds of signals. But the total delay from the final conversion update to receiving a post back is somewhere between 24 and 48 hours. So if you're looking for like that real time, I need to modify something multiple times within a day this is not gonna get you there.
[00:42:17] Rick Dronkers: No, that's gone basically.
[00:42:19] Cory Underwood: Much like, you know, the Google ads and Facebook look back windows for advertising like it used to be 60, 90 days and now it's like not. It's 30 or less.
[00:42:30] Rick Dronkers: That's a new reality. [Laughs]
[00:42:31] Cory Underwood: The long look back windows are probably a thing of the past in most cases.
[00:42:35] Rick Dronkers: The 4.0 version does give a bit more, which I was interested, like that triggered me. I don't do a lot for our clients about mobile attribution. But I do follow along because I do think the space is interesting and I feel like, a lot that happens there might actually also be rolled out to web.
[00:42:56] The only issue is, you know, enforcement, like for Apple, it's easier to enforce on iOS, whereas with Safari have a smaller market share on web. So it's, harder to get there, to make whatever they do in industry standard, so to say. But the fact that they gave more, does signal that they are working together with looking at like, okay, we wanna preserve privacy, you're still not gonna be able to tie this back to a unique user. So we're preserving user privacy, but we are gonna give you marketers better signals to optimize your ad campaigns, which I feel is also gonna be a win for the user, right? Because it's not useful to the company to show a relevant ad and it's also not useful to a consumer to see I relevant ads. So there's a win-win on that side. Do you have a high hopes for like 5.0, 6.0, 7.0, but like that they will continue to move in that direction that will continue to become better?
[00:43:49] Cory Underwood: I think that they're gonna continue working. Because it's in their interest to, to support it, right? Cause like if people can't tell their advertising's causing their apps to be installed, like then they're probably not gonna do the advertising. And that ultimately remains less money for Apple in a lot of cases. What is notable though, is the different versions of the SK ad network, they get signed to different iOS versions, for example, while SKAd network is in version four, if someone's still on like iOS 15, like they can't leverage it because it needs functionality in iOS 16.1. So they can develop the network faster than people upgrade.
[00:44:30] Rick Dronkers: Which is also a hassle for the ad tech cuz they have to support multiple. [Laughs]
[00:44:34] Cory Underwood: Multiple versions of like, cuz I mean, if you're only getting one post back that's different than three. So [Laughs].
[00:44:41] Rick Dronkers: Yeah. So you have to, you have to make a decision. Like if you're not on iOS 16.1, then we only go for the most important post back and otherwise we're gonna spread it across those three post backs. And yeah, I think it's also super interesting because you only unlock these levels of post backs after you have enough volume, there's like a threshold to meet. it also really becomes a game of you, your campaigns need to be of a certain size in order to actually make full usage of those posts. So it also kind of incentivize them to make their campaigns touch more volume, so to say, because otherwise you know, you wouldn't unlock the functionalities basically that you would want for that. So it's a fun game to see. How this will will play out between mobile advertisers and in this case, Apple.
[00:45:33] Cory Underwood: Correct. The mobile app space is super complicated they have a lot of documentation on what that looks like and the different time windows that different data becomes available in. And I can understand that marketing may not be happy with those windows, but that is what we have to work with. I think it's just getting everyone on the same page and I think this is gonna be the biggest challenge for marketing agencies is what you were able to do in like the late 2010s and what you were able to do today is completely different. And that will even be more different next year as different privacy regulations starts to get layered in.
[00:46:17] So if you're a media agency, your attribution is probably getting worse and now you have additional hoops to jump through to activate on data audiences. Those companies have to evolve or they're going to be left out because a lot of the laws that are going into effect in the states, those contracts that you set up actually require the vendor that the contract is with to be compliant with that regulation, even if otherwise, they wouldn't have to be. If you're a California company and you hire a media agency because you as a company have to comply with the CCPA, they have to comply with the CCPA in regards to any data they handle on your behalf.
[00:47:00] Rick Dronkers: That's gonna be important for both the. Agencies and the clients to take into account.
[00:47:08] Cory Underwood: Right? It's not just a client issue as agencies. You're going to have to make adjustments either in your contracts or how you handle data or both.
[00:47:20] Rick Dronkers: I think we wanted to touch upon one more thing before we before we end. So you mentioned that there's a difference between measuring and activating data and how that will change for companies in the US over the next year.
[00:47:34] Cory Underwood: Sure. So several of the different privacy regulations state that targeted advertising does not include activities such as like campaign attribution or measurement. If that's the case, you can have the pixel on your site. You don't need to say, I need to, can I have consent? You can send the data to those places as long as you have the appropriate agreements without getting express user consent. The issue is a lot of those same laws have conditions where if you start to activate on that data to like handle advertising based off behavioral information or affinity, et cetera, on websites other than your own, you probably need express consent for that.
[00:48:19] Now, technically it's the same pixel, it's just doing both things, right? So if you start requiring express consent because you want to activate on that data, now people have the opportunity to opt out of the reporting side of it. So that's gonna have to be a thing that companies have to think through.
[00:48:39] Rick Dronkers: Let's take an example. I have a Google Ads pixel on my web shop. On the conversion it fires that there's transaction. This is allowed, right?
[00:48:49] Cory Underwood: Right. So like under this Virginia's law, you can do this without needing express consent.
[00:48:53] Rick Dronkers: But Google uses the signal it gets on my transaction pixel for smart bidding, would that be activation or not or maybe? [Laughs]
[00:49:05] Cory Underwood: You would probably need to talk with a lawyer, but I would be inclined to think yes. And as soon as it switches from reporting to activation, that's when you start needing consent under some of these laws. But it also, some of the laws classify targeted advertising as a high risk activity. And so if you're gonna engage in targeted advertising, now you need data protection assessments.
[00:49:32] So you need your lawyer to go through. And work with your privacy people to figure out things such as like where's the data stored and what could go wrong if unauthorized people get access to it, and what is the potential harm to consumers? what is all the mitigating strategies that we can put into place and which ones do we put in place?
[00:49:52] And all of those things prior to the collection starting. So it's not as simple as the marketing agency being like, Hey, here's a tag. I need you to do install on the website, and then the developer going and doing that. Now there's actual legitimate business processes that need to be stood up as far as it needs to at least go through a privacy review if you're sending data to a third party.
[00:50:18] Rick Dronkers: I think we touched upon that. I think in the end that's a good thing, right? That we start to create those processes and start to think about. But I think that it is gonna have a big impact, like especially the example I just gave to you. Like all advertising platforms are moving towards some form of black box, smart bidding based upon their pixel.
[00:50:38] So if that counts as activating data, then they might wanna reintroduce the old simple measurement pixel that doesn't do any smart billing because that will be allowed to be implement without specific consent and it's just really good for companies to be aware of this, that this change is coming because every trend points towards data activation and that's logical cause we don't just wanna collect data, we wanna activate it, we wanna create value with that data. but it's good to keep that in mind that if you wanna steer away from GDPR, like cookie banners everywhere, you probably wanna have separate systems for measure pure measurement and activation of data.
[00:51:20] Cory Underwood: But I think the big thing that's gonna hit American companies is, a lot of them don't have consent banners cuz they don't sell to California potentially. And so they don't need them and except now they do potentially need them because as the different states come online, if you meet the applicability thresholds for that state, now you have a bunch of additional overhead in regards to how you collect and handle data use. And that likely means that you need to stand up a consent framework and all of the stuff that comes with that. And that's gonna be new for a lot of organizations.
[00:52:03] Rick Dronkers: Welcome to Europe, guys. Welcome to the consent banner, how that we're in. [Laughs]
[00:52:08] Cory Underwood: Yeah. It's not as strict as Europe because a lot it seems to apply when you're starting to do that activation across other websites that you don't own, whereas in Europe it's like all the cases even on the websites you do own.
[00:52:23] Rick Dronkers: Yeah. And even if you just measure.
[00:52:25] Cory Underwood: Yeah. It's not as strict, but it's gonna, we're basically gonna see, I predict the same issues that we've seen with Europe and like getting all, all the businesses on the same page. And it's gonna depend, I think largely on how aggressive the different Attorney Generals are in enforcement. But it is notable that California has their own agency who's like sole purpose in existence is to monitor and enforce California's privacy law. So one would assume that they would be more proactive than not. And I think that's another good call out is Sephora got caught in an enforcement sweep. The attorney general was actually going out and like testing sites to see if they were compliant proactively. And you don't see that so much in Europe.
[00:53:18] Rick Dronkers: No, I've, I think everything here is based upon complaints, right? Which is why none of your business proactively filed complaints everywhere. So that's definitely interesting that they're actively chasing in the US.
[00:53:33] Cory Underwood: It's a different risk threshold, right? It's like we know they're doing sweeps because they filed court cases saying that they were doing sweeps. So it's not. I can do what I want until someone cares enough to complain, and then the Attorney General cares enough to file a motion. It's the Attorney General may just decide to review your site and then decide to send you a letter. [Laughs]
[00:54:02] Rick Dronkers: In Europe, there's a lot of voices saying that enforcement of GDPR has not been done well enough or has not scared enough companies into complying. Maybe in the US we're gonna see the results of, taking that other approach and being really, tight on regulation and enforcing it. You can definitely see the states that took it more seriously because three of the states are more consumer friendly, and two of the states are more business friendly. But as a company that sells nationally, You probably are gonna act as soon as the first cases come through, regardless of where they're at.
[00:54:40] Yeah. From a risk perspective, that's probably
[00:54:43] Cory Underwood: smart to take that approach.
[00:54:45] I was gonna say, that does mean though, that you're running outta time. We're at the time of recording you're two months out from 23 and that's when California in Virginia go into effect. And you're eight months out from July and that's from Colorado and Connecticut go into effect.
[00:55:00] Rick Dronkers: There's not a lot of time left.
[00:55:02] Cory Underwood: Nope. [Laughs] Not a lot of time. And agencies that specialize in like data privacy work.
[00:55:09] Rick Dronkers: They're booked.
[00:55:10] Cory Underwood: Gonna be harder to hire. The closure we get to those deadlines. [Laughs]
[00:55:15] Rick Dronkers: For the foreseeable future, I think lawyers that specialize in privacy regulation and just privacy professionals in general [laughs] have job security. I hope we could still fix it with technology. Technology like we discussed earlier, but I'm not so sure, at least for the foreseeable future, we'll go down this path. It looks like. Any other things you are, you're working on right now, things you wanna share, blog posts coming up, or what's the main thing on your mind right now as we close off the podcast?
[00:55:46] Cory Underwood: Biden did sign an executive order to tentatively restore data transfers between the United States and Europe, and we're waiting on Europe's response to that. either in the New Year, companies are gonna have a lot of stuff to celebrate, or we're gonna face a new reality where that's probably not gonna be as quick of a fix. And even if it was to be accepted, there's no guarantee that it's not gonna survive court challenges. So like we're gonna, It's a big unknown currently and I don't feel we're likely to have that resolved before mid 2023.
[00:56:20] Rick Dronkers: Because I've, I think they're expecting Europe to respond in March, something like that.
[00:56:25] Cory Underwood: Yeah, early spring.
[00:56:27] Rick Dronkers: And you wanna make a bet live on the podcast. What do you think is gonna happen?
[00:56:31] Cory Underwood: I think Europe may be inclined to accept it and I think it will immediately be challenged in court.
[00:56:36] Rick Dronkers: Me too. A hundred percent. I feel like the lobbying going on by big tech is probably enough to make Europe accept it, and then it's gonna be following court, probably by none of your business. And then we'll be recording another podcast again.
[00:56:54] Cory Underwood: Laughs] that is probably what I think will happen.
[00:56:56] Rick Dronkers: Yeah. Unfortunately, we're gonna continue in this limbo. Where can people find you online? Where should they follow you?
[00:57:03] Cory Underwood: The best place to get in touch with me is probably either the measure slack and you can join through measure.chat or on my website cunderwood.dev.
[00:57:15] Rick Dronkers: We'll link to the articles we discussed as well. Thanks for sharing your knowledge again and coming back on the podcast. Hopefully we can make this a trilogy someday.
[00:57:27] Cory Underwood: Definitely would be happy to continue talking privacy stuff with you.
[00:57:31] [MUSIC SOUND EFFECT BEGINS AND FADES]