DataChat LIVE! Episode 8: Transatlantic Data Privacy
Join digital marketing and analytics leaders for regular live discussions around data problem-solving, industry news, strategy, governance, technology, regulations, and more!
Topics included in this discussion are:
- Transatlantic data privacy regulations
- Differences in Consent Management Platform markets across the pond
- Best practices to stay compliant
Jeff Wheeler, a veteran in the privacy space, joins the Didomi North American leadership team to lead the development of consent and preference solutions that comply with US state as well as international data privacy regulations. Jeff has been instrumental in building Consent Management as well as Vendor and Data Discovery solutions for hundreds of enterprise and Fortune 500 customers during his time at Ghostery, Evidon, Crownpeak, and WireWheel, helping meet each of their unique needs. Jeff joins the team of Antonio Anguiano, Vice-President of Product at Didomi.
Mike Fong is the Sr. Manager of Product Go To Market at ObservePoint and assists in aligning the Product, Marketing, and Revenue teams on product strategy, value propositions, and promotion. Previously a Senior Consultant and Solutions Engineer on ObservePoint’s EMEA team in London, Mike has been integral in ensuring ObservePoint users are obtaining the highest quality of data from their marketing technologies. With over 10 years of experience in the analytics world, Mike is an expert when it comes to data analytics, SQL, problem solving, and spreading good vibes.
Cameron Cowan is the Sr. Director of Product Strategy & Marketing at ObservePoint and a veteran of the marketing analytics, digital advertising, and enterprise software industries. He plays an active role in product management, technical marketing, and GTM execution. Prior to his time at Strala, Cameron spent 13 years working for Adobe (via the Omniture acquisition), and gained experience in account management, consulting, and technical sales before establishing himself as a leader in product management, technical marketing, and business strategy. His career has included living overseas on multiple occasions and collaborating with marketers and technologists on four continents.
Jeff Wheeler, Head of Product, Didomi, Cameron Cowan, Sr. Director of Product Strategy, and Mike Fong, Sr. Manager of Product GTM, discuss transatlantic data privacy regulations, differences in CMP markets across the pond, and best practices to stay compliant.
Cameron Cowan: (00:06)
Hi everybody and welcome to another edition of Data Chat LIVE!. This is Cameron Cowan coming to you live from Pleasant Grove, Utah here at the ObservePoint headquarters with me as per our usual agreement is Mike Fong calling in from lovely London. Mike, how is it over in London?
Mike Fong: (00:24)
It's very London. It's very gray and rainy. It's threatening to have a shower, but I'm not a weatherman. It's great to be here again and also with our guest, Jeff.
Cameron Cowan: (00:36)
Yeah, we're excited today to have Jeff Wheeler join us. Jeff is a product manager over at our partner and friend Didomi. Jeff, why don't you say hello to the folks?
Jeff Wheeler: (00:46)
Hey guys. Nice to meet everyone. I'm actually just west of Cameron here in Eagle Mountain, Utah. So happy to be here today.
Cameron Cowan: (00:54)
Yeah, it's exciting to have another local product manager in the privacy space, not too far, Jeff and I can get together for lunch and talk about all things data privacy. Now, Jeff I know that Didomi is fairly well known over on Mike's side of the world, over in Europe, but you guys are a bit of a new entrant here in North America. Why don't you tell the audience a little bit about Didomi, what you guys do and the evolution of the company as you've started to migrate across the Atlantic?
Jeff Wheeler: (01:20)
Sure, happy to. So as you said, Cameron, Didomi is a French-based, Paris-based consent and preference management platform. They originally launched building privacy centers in early 2017, just pre-GDPR. And then over the years have developed into a consent and preference management platform. In the last six months, they've hired a North American based team: myself, a VP of sales who's out of New York, and a marketing lead. We're trying to really globalize the company and launch our consent preference expertise worldwide.
Cameron Cowan: (01:58)
Awesome, and I love to see more entrants into this market specifically. I think Europe's had a lot of love given the early arrival of GDPR, and we're a little bit lagging here in the US as far as our different state laws, but I love to see additional consent and data privacy technologies coming and making a big splash here in the US. I know we've got a couple of big ones. In fact, Mike, that's something we were chatting about on our last Data Chat LIVE!. We had just, hot off the presses, done some research as far as market share. Why don't you pull some of that up? I have a couple questions for Jeff specifically as we looked at our customer base and some of the organizations we've worked with. Obviously we saw a bit of a heavy end of the market as it were with OneTrust and TrustArc predominantly owning the space here in North America, but seeing a lot more fragmentation as you'd expect, a lot more business being spread out in Europe.
Cameron Cowan: (02:53)
I know you've had a chance to quickly look over this. Tell me, just give me your sense about where you see the consent and data privacy markets here in North America and how you see them different, from your experience with Adobe in Europe.
Jeff Wheeler: (03:05)
Yeah. I mean, it's a good question. I think what we've really seen, even this year, is just how quickly and constantly changing really the consent and preference market has been. I think it's very typical to see the players that you see up there in the European market, but what you see in the North American market is really the two main players. Even as recently as last Friday, when California released their pre-draft rulings on consent, it's really kind of changing the way that we need to look at it. I think you're even seeing that from other people in the market who are even starting to introduce their own platforms. So obviously, you're seeing the big players like you expect to see, but the idea of companies like Didomi coming in that are really specializing in consent and preferences is really going to start to, I think you're going to start to see a bigger impact than those in the market, because you can't just look at consent as cookie consent anymore.
Jeff Wheeler: (04:12)
There’s so much more to it and there's so much more that you need to be prepared for as each state requires certain requirements around consent and preference, but even what you're seeing in Europe is you're seeing certain regulators like, Italy and so forth and so on that are having very specific requirements and you can't just have consent be a checkbox anymore. It's just much more detailed, much more complex than that.
Cameron Cowan: (04:38)
Yeah. I love that. Oh, good. Mike,
Mike Fong: (04:41)
Jeff, we looked at this data just in preparation for this session and it's clear that there are the two big leaders, in both US and Europe, but we also see just a higher level of competition in Europe because obviously that market has existed for longer, over here. One interesting thing that you called out yesterday was actually that organizations are now getting to the point where they're actually switching between CMPs. We meant we noticed that, I think you've said yesterday that actually LiveRamp has started to wind down its CMP business. Is that correct? If I remember correctly?
Jeff Wheeler: (05:20)
Yeah, I want to say it was last year sometime, March or April, they announced that they were going to stop trying to support their own CMP. So I think you're seeing a couple things that are happening. You're seeing companies like that that are moving more to what they specialize in because I think they've realized that things are complex. And I think one thing that you're not able to see on the screen that's really important to highlight is, especially in the US in particular, I know we've seen a little bit in Europe is there's been this ongoing kind of idea of like trying to manage your own CMP and the conversations that I've had that we've had over the years whether I, or previous experience other CMPs is they don't realize the undertaking that that really entails.
Jeff Wheeler: (06:09)
And in the US in particular some of the uncertainty and ambiguity around what those laws mean just makes that more and more difficult to try to maintain, like what I've always called a homegrown CMP and so there's that and then I mean obviously once GDPR hit we were just passing the anniversary of GDPR, I think there was an initial, let's get something in place. And some of those initial contracts and some of those initial offerings are starting to expire and they're looking for alternatives to kind of better suit their needs because there's been a change, right. There's been the idea of moving away from dark patterns and where is your data stored, and many different factors that kind of come into play.
Mike Fong: (06:55)
Absolutely. And this is a maturity curve, right. We've seen, so basically, what GDPR is four years and eight days old now. So it's going to school, it's going to primary school, what we call here. The vendors in the space, the offerings in this space, they are maturing, it's a competitive market, whereas I'm sure you know more than anyone else of three of us, Jeff. So absolutely we do expect to see switching back and forth. We're seeing acquisitions as well. We know that some of the big players are acquiring their rivals and then obviously migrating those customers over. So regardless of which CMP anyone has gone for, there is work to be done on the maintenance side. There are legacy CMPs to be removed as we saw on our chart, and for me, it's almost the same old story. ObservePoint has been seeing tech like legacy technology stuck on a website because everyone didn't know to move away or everyone didn't know it was there to be there. So it's just another example of digital transformation on an ongoing basis that needs ongoing and regular QA to keep your website updated.
Cameron Cowan: (08:09)
I think I see a couple of waves, very distinct for the two different sides of the Atlantic in Europe. As you guys have mentioned, people are now to the end of those first set of contracts. They knew they had to get something out there, so they just slap something on the website in a lot of cases and for a lot of companies we've worked with, that's been a bad experience. May have worked good enough or close to good enough when they first implemented it, but over the course of the last two, three, four years things have fallen apart. The question now is, do I stay with what I implemented and just try to get it back to where I was and improve it or do I switch over to somebody that's maybe a little more focused on what I need as a business specifically?
Cameron Cowan: (08:44)
And that leads to the second wave, which is what we're seeing here in the United States, which is, we are now thinking, okay, we need to be more mature about consent and data privacy and we need to get caught up to our European counterparts. And so we're at that first wave where it's like, just get something on the site, which is why I love the fact that Didomi and others are really making a push into this market because it's giving people a lot more choice than what they've had over the last couple of years and that actually leads me to something that's interesting about Didomi. Jeff, you've mentioned it a few times. You don't just say “consent management”, I've noticed almost every time you say, “consent and preference management.” Tell me a little bit about how Didomi’s thinking about how those two worlds come together and what you see as the unique proposition of Didomi focusing, not just on consent, but consent and preference.
Jeff Wheeler: (09:31)
No, it's a great question and I'm glad you picked up on that 'cause I do call it out very specifically. It's very easy to say you do cookie consent and I think that's what I've always kind of told people and I've said this actually on multiple webinars. If all you're doing is cookie consent, you're already behind the curve in compliance, whether it's in the US or Europe, whether it's the deprecation of third party cookies, in the move to whatever technology is going to be, you're probably already out of compliance because there's so many other technologies that happen on the site and when you start to think of it that way, and then you start to think of it more like a preference point of view, you're really taking the customer experience and taking the user experience into full account because there's cookie consent and there's compliance, which is like a legal perspective.
Jeff Wheeler: (10:25)
And then you've got your preference management, which is a non-legal perspective, but they still kind of tell the overall picture of the user and what they want and how you can interact with them. And so from our point of view, really what you're talking about, the way I refer to it is like a unified consent profile. It could be a legal consent or a nonlegal consent, which could be a preference. Maybe a preference is a legal consent as well, right? There's multiple ways to look at it, but as being able to take that as a whole and tell the story to you using the Hey, we respect what you do. We respect your, your wishes and your requests, and then we're going to be able to serve you experiences based off what you want. And so it really kind of combines an overall user experience with both that legal and non legal consent.
Cameron Cowan: (11:06)
Yeah. I love that and it starts to get a little bit closer to what I've known and done in a lot of my career, where you look at MarTech, and yet you have to have cookie consent from a legal perspective and also to then know what you can and can't fire from a tag and a cookie perspective, but it's also about, how do I personalize those experiences? How do I deliver more relevant experiences through testing and personalization engines through the analytics data that I'm capturing and then storing in my DMP or my CDP. So I like the way you're talking about it. Yes, you check all the boxes you need to check legally, but you're starting to also create a broader ecosystem that helps inform a lot of the different parts of any company's MarTech stack.
Jeff Wheeler: (11:49)
Yeah, exactly. And I think one of the side benefits that I've seen from it, is there's always this underlying tone when you speak with a company or one of your customers that's trying to comply from a legal perspective. And there's always the same buyer and it's typically the marketer, right? And that marketer tends to have a natural fear of the privacy officer, because they don't want to upset the privacy officer. They're afraid of coming out of compliance. And when you talk to the privacy officer, they have the complete opposite opinion. They want to work with the marketer. They want to make sure that they're not affecting a bottom line, that they're not affecting a user experience. And what we've seen is when you start to combine this consent and preference together into one, it really kind of helps ease that tension between the two and it helps the privacy officer feel, Hey, we're compliant. We're respecting the wishes of our consumer and then it's given the marketer the flexibility to really complete that user experience that they're trying to achieve on our side.
Cameron Cowan: (12:48)
That's fantastic. The more we can do to bridge those two worlds of marketing and data privacy. I know that you and I were both at the IAPP event in DC, not that many weeks ago and that was a common theme that we heard, was that these two organizations, they both know they should be working together, but a lot of times they either are afraid to, or don't know how to. In some cases the marketers know they have a data privacy team, but they've never even heard their names and vice versa. So I love that anything that we can do and you can do as a business to bridge that gap is a good thing.
Mike Fong: (13:22)
There's also this fit for marketers is that the data privacy people are going to come and take away all the data and take away all their marketing opportunities. So just like anyone watching this, the privacy people, they're not bad people, they're there to protect your brand. They're there to protect your organization. They're not going to just take away your optimization data and leave you with no data and no people to market at.
Cameron Cowan: (13:45)
Yeah and Mike bringing you back in from a European perspective, one of the other things we've been keeping an eye on and talking about potentially taking away data is the ability to share data across continent. Part of our session today is all about what it looks like to do data privacy, not just in Europe or not just in America, but across the Atlantic. What are some of the trends that you're seeing there? And I know there's been some news recently about maybe some agreement happening. What's the status there?
Mike Fong: (14:13)
Well, let me show my screen again and bring up the official press release by the European Union. So this is about two months old, just over two months old, back towards the end of March, the EU and the US. So that is, Ursula von der Leyen and Joe Biden just stepped out together and had a joint press conference. And in that press conference they announced an agreement in principle to again start trying to allow, to put together an official mechanism for data to be transferred across the Atlantic Ocean. So say European customers' data could be processed by American companies in America, for example. And there has been some progress on that. So that press announcement originally was a 25th of March. Now there has been some progress and essentially the progress is they're still working on it.
Mike Fong: (15:10)
I'm not going to go into all the legalese. I'm definitely not someone that is going to be able to talk through this in a few minutes, but on the other side, right there, there are also other forces. So we know that there is an organization called None Of Your Business, or NOYB. And they're on the other side, they really want to protect customers' rights and so they are really being very strict, running things by the book and putting in test cases to see how the data protection authorities in the EU are actually going to react to these test cases. And they've actually had an update there. So just to remind you of one of their test cases, there was an organization, it was a medical information website, and the NOYB's test case was put forward that they were using Google Analytics.
Mike Fong: (16:07)
The Austrian data authorities sided with NOYB and they said that this website's use of Google Analytics was not up to scratch according to GDPR. Here is the publicly released English translated version of their decision and I'm just going to highlight a couple of passages. So the first bit here is just to say that Google and this website are essentially, this bit says that because Google, the second respondent, is in America and it is an electronic communications service provider, it means they are under the jurisdiction of essentially the CLOUD Act in the US. So the claim that European customer's data was not protected because the FBI or the CIA could demand Google to hand that data over. Now, that's never, apparently as far as I know, that's never actually happened. So even though the US authorities have the power to do that, they've never actually gone and done it.
Cameron Cowan: (17:14)
But the concern is that they could, is that right?
Mike Fong: (17:15)
Exactly. Exactly. But last month there was an update and this is on the NOYB EU website. The Austrian data protection authority has updated, clarified, I should say. They have declared that Google's IP anonymization is a useless protection measure. You might know, or you might have seen, Google Analytics users might have seen, I think it was a Google Analytics 4 blog post, or maybe an email, which came out saying, Google Analytics 4 is secure. We anonymize IP addresses. Well, the Austrian DPA says that's not good enough actually. Further, they've said that a risk based approach is also not appropriate because that's very subjective and when we say a risk based approach, I believe that's kind of vaguely legal lingo for saying use your common sense.
Mike Fong: (18:14)
So if your data is medical or personal, or to do with religion or gender, like that very sensitive stuff, then it's a higher risk. And if it's stuff that's of a less sensitive nature and it's lower risk. Some organizations were arguing that this risk based approach would lead, how high or how low your security measures were, but the Austrian DPA says actually, no. They rejected the notion of applying a risk based approach, and this just came out at the start of May. So there's still lots of work in progress. It's not going to be a quick angle. You've got NOYB on one side, really fighting the consumer's corner. And then you've got the EU and the US on the other side, trying to figure out a business friendly way so that data can be transferred back and forth.
Cameron Cowan: (19:05)
Oh Mike, I don't think you're giving our audience much comfort with some of these updates. I think there's still a lot to be concerned about.
Cameron Cowan: (19:15)
Jeff, I'd like to get your opinion on this. Obviously you've been in the data privacy space for a while, not just with consent, but broader when people think about how they should be handling data transfers, data storage, and where the data's being collected, any perspective on how you're thinking about this and the advice you'd give to customers.
Jeff Wheeler: (19:35)
Man, it's a loaded question. I mean what we're really getting set up for now is Schrems III at this point is what it feels like, to be honest with you. And I think there's a lot to kind of unpack there. The immediate advice, my immediate advice has always been, if you're worried about, like, let's say, CMP, for instance. If you're worried about where your consent data is stored or where your data is stored, I would store it in the most data protective country in the world right now. And I think what we've typically seen is Germany and that's why I think you see a lot of these data providers that will store their records.
Jeff Wheeler: (20:15)
If they're using AWS, they're storing it in Frankfurt. But it's always an interesting topic because, I think, in our space in particular, people are looking for the immediate solution and they're not really considering like big picture, because if you're really worried about your data, are you really thinking about how did your data get there? How many servers worldwide is it taking to get there? Yeah. How soon will the US customer care about where their data is stored? Are they going to care if it's being stored in Europe or the US or whatnot. My immediate response is, choose where you want your data stored by where you feel like it's most secure from a data privacy perspective, which my suggestion is typically Germany, because they're always really strict about it, but I think we're going to see some pretty significant changes down the pipe around this.
Jeff Wheeler: (21:07)
And really what you're seeing is, in my opinion, the exact reason why we don't have a federal privacy law in the United States as well. It's part of the intelligence community. That's kind of preventing that from happening until that's figured out. We're just going to keep having the same conversation over and over again.
Cameron Cowan: (21:24)
Mike, I noticed you pulled something up and actually looks like, maybe the ObservePoint reporting tool. What are you showing to us here?
Mike Fong: (21:31)
So just on the topic of kind of where the data resides obviously one of the features that ObservePoint has as part of our privacy suite of functionality is the ability to actually resolve the final location of the IP address of each and every network request. So if there are customers out there, I'm sure you're customers watching, I'm sure you're aware of this feature, but if you are not, I just want to highlight that this really is a starting point or one of the starting points where customers can figure out where their data is being stored. Obviously if someone is downloading it on a USB stick and then taking a boat across the ocean, we can't help you control for that edge case, but any internet data transfer, we can track those for you.
Mike Fong: (22:21)
And that's a great starting point if you are trying to make sure your data is residing in Frankfurt, for example, or you're trying to make sure your data's residing in the US or Belgium or England. Wherever this is, something that's available to all our customers and is very, very relevant for this conversation. I'm also keeping an eye on the chat and we have a question from David Wartel. I hope I'm saying that right. The question is “US authorities never asked to get access to Australian data collected by Google. Will we really be aware if they were to ask for the data?”
Cameron Cowan: (22:59)
Yeah, I think that's an excellent question and I think that's part of the fear, quite honestly. You mentioned earlier that the rulings that we've seen aren't because something has happened, but because something could happen with those different agencies requesting data. If they did the request, I would hope we'd have transparency into that, but I'm not banking on that either. So I think the question is outstanding.
Mike Fong: (23:22)
I agree. I think, if as a consumer I can imagine that my data is stored everywhere and I can imagine that basically you receive spam, you receive all kinds of inbound marketing messages. No one's ever told me that someone's asked for my email address. I find it highly unlikely if authorities were to go to Google or SnowPlow or Adobe and demand an entire customer data set, I find it highly unlikely that I'd be notified.
Cameron Cowan: (23:54)
Yep. Looking back at the chat, the other thing that I saw pop up from Tyrone, talking about those geolocations and being able to map each network request. I do know that there's a number of our customers that will set up kind of a naughty list, like here's the countries I know I absolutely shouldn't be sending data to. For some companies it may be like Iran, North Korea and Russia. Those three places, I know they're bad. There's some other places that may pop up on that list that I want to review. So they'll set up rules that say, okay, in my consent preferences or in my consent categories, if I ever see these four countries, stop it automatically. Let me know and let me fix it, but I may see a longer list of, should I be sending data to Jamaica? Maybe, but that's a little bit surprising to me. So simply having that level of visibility is useful. Tyrone's question. And Mike, I'll ask you as the technical expert on the call. “Can we tell not only the network or the origin and the destination of that data for the network request itself, but any piggyback tags?”
Mike Fong: (24:55)
Absolutely. So I'm going to take liberties today and actually just show you the relevant report, just for Tyrone's benefit. Of course we're not, we're not plugging anything. It's purely because Tyrone asks so politely. We have a feature called Tag Initiators, which allows customers to see where and how any given network request or tag is initiated. So to answer your question directly, Tyrone, yes, we can tell if something is implemented directly, such as a tag like this one, right? This ad tag, hard coded, or if it's implemented via a tag management system. So here's the Google Tag Manager node, everything coming off the tree. And then we can see here, maybe we have what you might consider a piggybacking tag, because this is being loaded by something which is being loaded by something which is being loaded by something which is being loaded by GTM. So I hope that answers your question, Tyrone. Plug over.
Cameron Cowan: (26:01)
Yeah, every one of those network requests has its own signature and information about it that we pull, and that includes the geo aspects of it. So not only can we tell you which countries your data are being sent to but we can tell you which requests those countries are associated with, which is great visibility. Mike, one other thing I wanted to ask. It occurred to me that a lot of our focus is on Europe and the EU and specifically as we talk about GDPR, but the country you're living in, the UK, has a little bit of an odd relationship right now after Brexit. You're no longer part of it, but you still follow some of that. Help us sort through where is the UK as far as data privacy and how aligned or not you are with the rest of Europe?
Mike Fong: (26:45)
We don't use the B word anymore.
Mike Fong: (26:50)
Just kidding. Where Britain is where the UK is right now is a strange place. We are officially, no longer beholden to the EU guidelines but they're still a very large market and right now British or UK's data laws are deemed to be or they've been certified as adequate by the EU. That is to say our data protection laws are good enough to be compatible with the EU. Therefore we can continue to do data transfers. Now, of course, that's the case. The day we left the EU, our data laws were essentially the same. So of course for adequate, but we now have the ability to diverge if we want and the government is, I was actually part of a feedback session with some of the team that are working on considering how and where divergence from those data laws would actually benefit the UK's economy, but it is a fine balancing act because you diverge too far, in terms of potentially lowering regulations.
Mike Fong: (27:56)
The EU can take away the adequacy judgment and then that would be quite bad because in theory, we couldn't transfer data to and from Europe anymore. But at the same time to realize the benefits of Brexit is to, in some instances, change the way. So can we change the way personal data is used or medical data is aggregated, or can we change the way, say, DNA information is accessed, so make a more open source so that we can develop new breeds of animals or better medical outcomes, right? So that's where the UK is in right now. It's trying to innovate around those data guidelines without falling foul and losing that authorization or that adequacy agreement.
Cameron Cowan: (28:41)
Yeah, I think it's something that's on the minds of everybody and countries across the world. We've been talking mostly about transatlantic, but just a number of weeks ago, the Commerce Department here in the United States announced new, let's see, what do they call it, CBPR Forum. It's essentially the US and Canada along with South Korea, Taiwan, the Philippines, Singapore and Japan coming together and saying, we need to figure this out. We need to have a good framework to transfer data to be able to store data in each other's countries, but do it in a reliable way. And I think as we see the UK evolve and try to do it their own way, hopefully we can all get together and do it in such an appropriate way that we all feel comfortable. We have the right certifications, but still have the autonomy to do what's best for our citizenry and the responsibilities we have. All right. Well, looking at the time, we're right at the bottom of the hour. So I want to thank specifically Jeff Wheeler. Jeff, thanks for coming on, telling us about Didomi. We're very excited for your future success as you guys branch out and grow here in North America. Love the opportunity to partner with you. So thank you for joining.
Jeff Wheeler: (29:45)
Yeah guys, appreciate it. Glad to be here anytime.
Cameron Cowan: (29:47)
And as always, thanks Mike Fong for giving us your perspective from the other side of the pond. For now, this is Cameron Cowan live from Pleasant Grove, Utah. Thanks for joining DataChat LIVE!, and we'll see you next time.
Mike Fong: (29:59)
Just one public service announcement. Anybody who happens to be in London next week, ObservePoint will be at the Digital Trust London conference at the PrivSec World Forum. So if you want to talk more about my political opinions, or you want to talk more about actual data privacy, do drop by our booth. Come and collect a pair of socks and I'll be looking forward to seeing anyone there.
Cameron Cowan: (30:21)
Thanks for that, Mike. Until next time.