An Interview With SafeGuard Privacy's Richy Glassberg and IAB/IAB Tech Lab's Michael Hahn
Published in partnership with SafeGuard Privacy
Earlier this year, the IAB, the primary digital advertising trade organization in the United States, announced The IAB Diligence Platform, powered by SafeGuard Privacy. The platform is intended to contain “a set of standardized privacy diligence questions that are specially designed for participants in the digital advertising industry” with questions specifically drafted for publishers to diligence SSPs, advertisers to diligence DSPs, SSPs to diligence DSPs, etc. Via email I interviewed SafeGuard Privacy’s Richy Glassberg and the IAB’s Michael Hahn to discuss the initiative and related issues.
1) First off, I think everyone knows Richy, or at least they should from my past interview with him and more than a few years helping to build the ad-supported internet in its earlier stages. Michael, for those who haven’t had the chance to meet you yet, as one of my favorite interviewers likes to start his questioning, “who are you?” and Richy, can you remind us about your background?
Michael Hahn: I’m an antitrust lawyer by training. I spent the first 15 years of my career trying to understand what drives businesses and the markets in which they operate. There were two markets that I found incredibly interesting: healthcare and digital advertising. Both have a complicated process for getting a product to market – healthcare because of the regulatory complexity and digital advertising because of the technological complexity.
When I joined the IAB and IAB Tech Lab as their general counsel, my goal was to pull the industry together to create practical solutions to common legal issues that member companies have difficulty solving alone. In doing that, I believe understanding the law is the easy part; learning the digital advertising data flows and business use cases is the hard part. I’m always learning from very talented lawyers, product leads and engineers.
Richy Glassberg: In 1995 I was the first head of sales for CNN.com. Then I helped co-found the IAB in 1996, creating three of the first critical industry standards for digital. I've been in digital ever since as a publisher, network, ad-tech and agency leader. My latest role is co-founder of SafeGuard Privacy.
2) Tell us about the relationship with the IAB and the IAB Diligence Platform? What does the partnership mean in practical terms for SafeGuard Privacy, for the IAB and for the industry more generally?
Richy Glassberg: Let’s start with what it does for the industry, because that’s the most important thing. It establishes a standardized approach that ensures smart, auditable compliance. That saves time, it saves money, and it reduces risk. It’s better for everybody.
Michael Hahn: What IAB contributes is ensuring that the right privacy-related questions are being asked, specific to each digital advertising use case and vendor type. The IAB Privacy Implementation and Accountability Taskforce has invested months in crafting those standardized questions.
Richy Glassberg: Right, and then SafeGuard Privacy combines those privacy-related digital advertising questions with comprehensive privacy assessments built to the individual state laws and regulations.
Plus we’ve worked hard to build an automated Vendor Compliance Hub so that companies can complete the relevant IAB diligence questions and state law assessments once and share them multiple times securely on the platform, demonstrating their compliance as they engage with vendors.
Michael Hahn: Like Richy said, more than anything we want IAB members and everyone else to have a compliance solution that is standardized, that is reliable, and that works. That’s what this IAB Diligence Platform offers.
3) Like most analysts who like to think they understand how the industry works, I assumed that after we wrote about the problem last year, every marketer, media company, agency and ad tech company would by now be fully compliant with every privacy-related law, and would have figured out how to make compliance a seamless process on their own. Was I off?
Richy Glassberg: Yes, you were. The complexity of the regulations and the speed of change have made what seems simple extraordinarily hard.
Companies want to do the right thing. Most are working at compliance. But nearly every company we meet either knows that they can be better or wants a more standardized, easier way to do it.
Everyone knows compliance is mandatory, but that’s not the same as saying that it’s easy.
Michael Hahn: Exactly. There are certain requirements that you either comply with or you don’t. You either have an opt-out or not when you “sell” personal information or otherwise engage in targeted advertising. But operationalizing privacy on the backend is a more complicated task and requires tremendous resources. So it is doable, but not easy to do. But our job as privacy lawyers is to ensure compliance. Many companies are doing a good job in that regard and those that do not provide the privacy compliance function with the requisite resources may be underpricing the enforcement risk.
Richy Glassberg: Look, it’s obvious that the Sephora and DoorDash enforcement actions were just the beginning. Everyone should pay attention to what Ashkan Soltani, who is the Executive Director of the California Privacy Protection Agency, said on stage at the IAB Tech Lab 10th anniversary summit this year. This is important, so let me read you the whole quote.
“Without accountability and due diligence, there’s not actually any effective enforcement or effective policy, right? And at the end of the day … nobody really wants a call from me or my head of enforcement … but when you do get that call, part of the law stipulates that, to the degree that you are, for example, sending data downstream, or you are essentially making consumer rights requests downstream, … the degree that you are not culpable if your downstream actor misuses the data or doesn’t honor consumer rights requests is based on the degree to which you’ve done due diligence. If you are just shooting blindly in the night and hoping for the best, and we learn that through our discovery, through our audit, that essentially reflects poorly on you and … provides a huge amount of liability on you, the business. And that’s built into the framework. I think that this is an important part of accountability.”
Here’s the bottom line. When regulators question whether you’re in compliance, “I guess so” is not the right answer.
That’s why our platform is auditable. It provides a clear record of your company’s compliance efforts. You can show every action you’ve taken, and prove that you’ve done serious due diligence.
4) I’m not keeping track at home how many states have their own privacy laws. How many are we up to? Three or four? I’m sure they are all roughly the same though, right?
Michael Hahn: We’re now up to 19 generally applicable state privacy laws with varying effective dates. There certainly has been a lot of grumbling about the state privacy “patchwork”. Undoubtedly a single federal privacy law would be more efficient, but in the absence of that, the sky has not fallen with these state privacy laws. Businesses are still operating and consumer rights are being effectuated. As long as the overall privacy parameters remain the same (an opt out of sale and targeted advertising and certain rights such as access and deletion), compliance scalability can be accomplished by taking the highest common denominator across the privacy laws. That said, when the state privacy laws try to be distinctive in certain ways from other states, it does make efficiency and compliance more challenging.
Richy Glassberg: Michael captures the essence of the problem with the 19 states that have passed and how we can normalize the highest bar. That said, we are both concerned about how states are treating sensitive data. No two are alike. While there are similarities and differences between state laws, it’s complicated enough that we decided to publish a paper specifically about what is meant by “sensitive data”.
5) OK, getting more serious on my part, clearly the patchwork of state laws must make everything a little more complicated for every company in the business, even if they do have their ducks in a row. What can they do to make compliance easier and lower risk?
Richy Glassberg: The first big thing they need to do is establish a line item in the budget to ensure that it’s done right. You’d be surprised to learn how many companies simply don’t have a budget set aside for this. Compliance is not optional: it’s a cost of doing business, and it needs a budget.
The second big thing is to embrace a standardized, streamlined approach. This is not the kind of thing you can manage in an Excel spreadsheet. You’ll burn out your staff and still end up putting your company at risk. There’s no reason to do that when solutions like IAB Diligence Platform exist.
Michael Hahn: Privacy lawyers in companies have a lot of work cut out for them, which cuts at the intersection of the law, product and engineering.
At the IAB, we provide certain industry solutions to ease the state privacy compliance challenge. First is the IAB Privacy Multi-State Privacy Agreement (MSPA), which creates a common set of privacy terms in compliance with the state privacy laws amongst the 1,300 signatories. We provide publishers and advertisers with the ability to choose a state-by-state approach or a “national approach” and use corresponding Global Privacy Platform (GPP) signals (a technical specification promulgated by the IAB Tech Lab) to communicate consumer privacy preferences.
Another change in the privacy laws is the requirement to conduct privacy diligence on partners to whom you disclose data. That is where the IAB Diligence Platform, powered by SafeGuard Privacy, comes in so parties in the digital ad ecosystem can conduct meaningful diligence of their partners based on actual business arrangements and data flows.
6) Looking at a recent illustration of a privacy-related legal enforcement, during the last week of April, the FTC announced it was fining Verizon, AT&T and T-Mobile $200 million for activities that occurred prior to 2020. Two questions follow from this news. First, what’s your opinion on where the boundaries are around the safe use of location based data? And second, if regulators or other governmental bodies look to fine companies for past violations when maybe the law wasn’t as clear as it could have been, or when business practices were still evolving, is there anything that a company who may not have been compliant in the past can do to minimize risks of major fines in the future?
Richy Glassberg: People should remember that location data can easily be used in ways that violate privacy. For example, law enforcement might force companies to reveal the identities of anyone who has been near an abortion clinic or searched for information about gender-affirming care online.
Michael Hahn: There are increasing enforcement actions against companies that sell or disclose geolocation data without consumers’ consent, particularly where that location data can be used by a recipient in an unrestricted manner and might reveal sensitive information about the consumer (e.g., visits to a place of worship or medical care). To minimize risks of fines, geolocation providers should ensure that they have a supplier diligence program to determine whether their data sources are obtaining customer consent for use of geolocation data by downstream recipients for specific enumerated purposes. Relatedly, geolocation providers should perform diligence on customers to ensure they are using the data in line with their contractual commitments. As regulators have stated in enforcement actions, these geolocation providers should be ready to terminate relationships with those that are not meeting these standards.
More broadly, geolocation providers should ensure that their brokered location data does not relate to sensitive locations; this can be tricky and time-consuming to implement in process but essential to avoiding potential regulatory action.
7) What other issues are you both paying close attention to in the world of privacy? And by extension, what should Madison and Wall readers be focused on in this space?
Michael Hahn: In addition to generally applicable state privacy laws, one needs to pay close attention to the regulations that are promulgated under some of those laws. Also, new laws impacting health data and children are an important focus area as well. On the latter topic of children, some states are moving the age of a “child” to 17 and under, as opposed to the traditional under 13 standard that has generally applied across states (or under 16 in specific contexts). In some cases, actual knowledge of whether the user is, say, 17 years old is not required for a company to fall under the law’s ambit, as seen in the many privacy laws aimed at social media companies.
Richy Glassberg: 100% agree with Michael on the kids' issues. We’re on the same page as Michael and IAB on this. That kind of thinking is just one of the reasons why we really value this partnership, and why we think it’s good for the industry. Also, we believe that companies have to pay close attention to their use of AI in their decision-making processes. You will see more regulations around general use of AI and that can hurt marketers if they don’t reexamine their uses of algorithms in their current programmatic practices. What once was legal can change quickly.