Bullhorns & Bullseyes Podcast

Privacy, Please!

with Amy Baddley
November 18, 2025

Most businesses still think “privacy compliance” is a big-company problem—but the rules (and risks) say otherwise. In this episode, Amy L. Baddley, privacy and cybersecurity associate at Varnum LLP, joins Curtis and Tom to unpack what data privacy really means for every business owner. From cookie banners and compliance thresholds to the myths around “template” privacy policies, this episode is your plain-English primer on doing privacy right—before regulators, lawsuits, or “privacy chasers” come knocking.

If you’ve ever wondered whether your website’s cookie notice is enough… this one’s for you.

Takeaways:

  • Almost every website collects personal data—even IP addresses and analytics count.
  • Cookie banners must actually work; “fake” ones can expose you to lawsuits.
  • Avoid dark patterns—don’t make it easier to accept cookies than reject them.
  • Privacy laws now exist in 19+ U.S. states, plus GDPR and Canada’s frameworks.
  • Compliance isn’t optional: lawsuits and $20K-per-user settlements are real risks.
  • Privacy compliance starts with data mapping—know what data you collect, where it goes, and who touches it.
  • Privacy policies must match your real data practices; templates can increase risk.
  • “Privacy by design” is cheaper and easier than fixing it later.
  • Partnering with privacy counsel early protects your brand and unlocks new opportunities (many large vendors now require compliance).
  • Consumers expect transparency—it’s not just legal hygiene, it’s a trust advantage.

Tom Nixon (00:03.918)

Welcome back, everyone, to Bullhorns & Bullseyes. Curtis, today’s episode is brought to you by the letter C. Do you know why?

The letter C. C’s in my name. Is it brought to you by me? Nope.

C is for cookie.

Cookie. Cookie Monster? Yeah.

Tom Nixon (00:29.39)
Yes. We are going to talk about the evil big bad cookie monster today. Also, C stands for California. It stands for CCPA, stands for all sorts of things. It does stand for certified. You’re out rock. Got that out of the way, but what are we really here to talk about? Curtis, this is something I’ve seen you talking about with clients more and more frequently these days.

Yes, we’re going to talk about cookies and privacy. It’s been a concern with a number of clients recently. I think the clients that fell under GDPR and CCPA, you know, about two years ago jumped on the bandwagon. But now we have some of our small business clients who are starting to see that this is becoming more and more of a concern and want to make sure that we have some of their questions

addressed and maybe some resources that they could reach out to and get some more information. So we’re going to bring Amy Baddley onto the show from Varnum Law. Varnum is one of the larger law firms here in Michigan, about 200 attorneys, I think, on staff. Amy came recommended to us as somebody who really knows this area well, specializing in data privacy and cybersecurity,

all of those types of matters. And so really excited to have you on the show, Amy.

Great to be here. Thank you for having me.

Curtis Hays (01:56.438)
Yeah. So we had an incident with a client earlier this year, if I could start with this. So they came to us, let’s see, about a year and a half ago with some website needs. And we saw they had a cookie banner on the website already. Just a pop-up. When I audited what it was doing, it was just a pop-up. Whether you clicked accept or reject,

you know, what actually happened with cookies behind the scenes wasn’t configured and they thought they were protected just simply by having the notice. So we have a process now where we audit the cookies that are firing. We get that all set up in Tag Manager and then we use, you know, there’s a few different third party, you know, technology providers out there that can handle the cookie authorization process and handle the banner as well as what’s really important is the

the sort of audit log that happens on the backend of whether somebody actually hit accept or reject. But we implemented a policy. We had their legal team review that policy. It was implemented. And then about a year later, they got faced with a suit from somebody in California, not thinking they fell under CCPA. But in sort of an indirect way, seasonal employees,

They hit that threshold, whatever that threshold for CCPA is, and now they were faced with this lawsuit. They ended up not having to litigate. I don’t even think, I think they were all fine and good. It was somebody who was out trying to fish and find companies that they could target. And I think this is sort of happening. These like, I call them ambulance chasers in the PI world, but there’s these privacy chasers now who are trying to sue companies who aren’t compliant.

to make a little buck. And so that was, I think that was kind of scary for the client. Thankfully we were protected. But now here, I probably only have 20% of my clients with websites who I would say are fully implemented the way that they should be. And the rest are just sort of punting the ball down the road and saying, nah, there’s not a Michigan law yet and there’s no federal law yet. So do I really need to do this? Because I’m gonna lose analytics data.

Curtis Hays (04:21.794)
I’m gonna, it’s just cumbersome for people to do, do I really, and there’s gonna be costs associated with it. So do I really need to do this? Do they, Amy?

Yes, they do. Yeah, for several reasons. So the scope of what I would like to discuss today is kind of, you know, we have a few different buckets at play here. The first bucket is kind of this overarching privacy bucket. And that encompasses things like cookies and privacy policies and having the right links on your website footer,

having the right kind of internal processes too, not just what’s outward facing, but internal to your company. So one element of that is kind of the cookie side. So the cookie thing fits under the privacy thing, if that makes sense. So both are important. We always start our clients with that high level assessment of what even applies to you. So that’s where we always start with our clients is talking about what applies because

We wanna be tailoring things really specifically. And to your point, it’s not as clear as it may seem. If you’re a Michigan company, you think, well, no Michigan law, I’ve checked the box, I’m done. It doesn’t quite work that way. So I’m gonna give you three reasons why it’s a good idea to kind of do that assessment and then we’ll talk about what those thresholds even are. So the three reasons that I think are really important to consider.

You know, back in the day in 2018 when this stuff was brand new, regulators said, we get it. It’s new. You’re figuring it out. You’re reading the rules. You’re trying to figure out how it all applies. We’re going to give you a cure period. We’re going to give you even kind of an informal. They just didn’t really, regulators didn’t really enforce these things right out of the gate, out of respect for the fact that this was all new and we were all catching up. Those days are in the rear view mirror.

Amy Baddley (06:22.382)
Unfortunately, for a lot of our clients, they’re caught a little off guard because they’ve gotten used to that more passive regulatory dynamic. And we’re seeing a lot more enforcement from privacy regulators, especially if your company is in a more highly regulated area already, things like healthcare, financial services. But I would even include advertising in that too, because privacy does get really specific around

how you’re disclosing data for the purposes of advertising and marketing in some situations. So, you know, I think that is an area where gone are the days where you can kind of sit back and think, well, nobody’s gonna come after me because if you are subject to these laws, someone may come knocking now. A second reason is increasingly it’s becoming the, you know, this is what’s expected of you as a company to contract with other companies.

If you want to be a vendor to another company, I’m seeing more and more where maybe a small startup is coming to me saying, well, I’m not subject to the CCPA, but this is a great opportunity for me to partner with this much larger entity, but they won’t even come to the table unless I’m CCPA compliant. And so that’s another example of how it may kind of surprise you that you’re kind of in the ambit here of

of when you need to comply with these if you just want to be in the marketplace. And then third, this is just becoming the state of play and what consumers expect. So I think all three of those reasons are becoming more and more true day by day, month by month. So I think it’s important to keep a pulse on all three of those dynamics because they are all three shifting and they’re all three shifting in the same direction.

As a fourth reason and really to your point, we are seeing outside of kind of the regulatory environment where a regulator says, hey, you have violated this law. We’re seeing a lot of litigation on the cookie side. And that’s where things get expensive. So the cookie framework is a little bit different in that there are some elements to privacy laws that speak to cookie.

Amy Baddley (08:43.374)
collection and use and the cookie banner say, but really that can fall under a federal privacy law or really a federal law that’s being kind of retrofitted into a privacy world. So we have things like the, it’s called VPPA is one example of this. It’s a federal law that was enacted in the, I believe 80s to regulate how

someone’s video records, you know, you go to Blockbuster and what I rent is no one else’s business and it’s illegal to produce that. It’s hard to believe, but this law has been retrofitted in a way that is implicated by a company’s use of cookies on their website. It’s a federal law, so not California specific, and it has a private right of action. So that’s when you say these ambulance chasers in the privacy world are coming.

It’s through laws like this where it has a private right of action, meaning a private person can sue and every single person who says, you know, my information was collected, even though I said deny on the cookie banner, my information was still collected. Every single person could come to you with a separate lawsuit with big money attached. You know, we’re seeing an average settlement of $20,000 each settlement that’s per user.

So to your point of why should someone invest? There really is, you know, you have the regulatory threat, you have the business risk, but you also have this litigation risk that’s really special right now in that it could be big dollars if enough people come to you. You know, $20,000 each settlement, that’s going to add up quick. So that’s why you invest on the front end, because you can do it for less than $20,000 and knock them all out.

Right.

Amy Baddley (10:35.658)
So I think it’s important to kind of call out these thresholds of how do we know what privacy laws apply? Obviously that federal cookie related law, that’s gonna apply to everybody. When we’re looking at California, how do you know if you have to comply with the California privacy law? There are three triggers. One is a minimum annual revenue of $25 million. The second one is you have to be…

generating at least half of your income through selling personal data or sharing it for targeted advertising. And then the third one is collecting the personal data of a hundred thousand people from California. So those are the three triggers we look for.

They only have to meet one of three. They only have to meet one of those three. Yeah. Right.

So even if you’re a small business, say your annual revenue is $3 million, but you’re getting half of your revenue by targeted advertising, you got to comply. So that’s California, but user beware because it is not just California anymore. We have 19 different state privacy laws at play now. And if you think, right, legislatures, we’re going to make it easy on you, you’d be wrong. They said, you know, every single state.

sets a different threshold for when you have to comply with it. Now it’s pretty standard that a lot of these laws have a lot of significant overlap. And one of them is generally you do need to collect the personal data of a hundred thousand people from that particular state, but it’s not always that way. Texas and Nebraska, for example, unless you’re a small business, if you collect the personal data of even one person from either of those states, you have to comply with that state’s law.

Amy Baddley (12:23.436)
So these things are shifting, they’re a little bit less consistent than you might hope. And so it’s really important to kind of find a good partner who can walk you through this, especially if you’re a company that doesn’t need to comply today, but keeping your pulse on the industry and as you scale, you may be tripping these compliance wires without realizing it.

If you would both, just for a moment, I imagine most people are still in either the wait-and-see or the it-doesn’t-apply-to-me type of mindset, right? And as you suggested and demonstrated, we’re not in that environment anymore. But I think for most of the lay people, right, who don’t do what either of you do, a cookie notice is something that pops up for half a second before I get on with my business on my website. It doesn’t pertain to me.

As a business owner, I, yeah, I asked somebody, we have a cookie notice. So I think we’re good there, right? Most people do not understand what is happening on a website. When you say collected data, you know, most people would say their website collects no data, but we don’t have any way we could sign up for anything. We’re good. Explain why this is so pervasive. We’re talking about every website collects data of some sort. So just explain the basics for the lay person out there is like, I’ve already tuned this out, but I, or I’m about to tune this out.

It’s me to stay because I don’t think people fully get the gravity of the situation.

Before you say anything, Amy, I’ll add to that, that the one customer story I was sharing, their marketing team, because it was a suggestion from LinkedIn to add the LinkedIn pixel on the website, that’s what the person came after them to try to get, right? So they weren’t really doing advertising even with it. It was really like a LinkedIn rep who was like, you should get the pixel on the website so that we can do remarketing if you want to do advertising in the future.

Curtis Hays (14:15.608)
but they weren’t really even using it. So, you know, again, they ended up still being protected and everything was configured properly. But, you know, this is where understanding each individual cookie that’s on your website and its purpose, and then even declaring those cookies, so you have transparency to the users that if they want to go and see what it is that’s on the website or what it is they’re agreeing to, you need to be transparent about that as well. And,

you know, thankfully there’s these tools out here that can make it easy and it doesn’t have to cost a lot. I think that’s the difference in a $20,000 per user fine versus maybe, you know, $25 a month for a tool. Some of the cheaper ones are that plus maybe an implementation fee. That’s pretty low compared. And I do advise, because we’re not going to tell you how your business should comply, we say, you know, talk to your general counsel or find an attorney that will do this for you, because

the documentation, the privacy policy, the terms of use, cookie declaration, like all of this needs to match the way that it’s all configured.

Yeah, that’s right. Yeah, so to Tom’s point at a high level, well, and I should say, I always hope that if I just say cookie often enough, people will keep tuning in because like, what a great word. I think that is like, that draws me in. Let’s just keep talking cookies. That’s what we’re calling legal compliance.

We call Curtis the Cookie Monster for this very Hello.

Amy Baddley (15:44.622)
That’s a lot. Full legal name change. That’s right.

There you go. The Cookie Monster blue. His eyes are as as they normally are. Continuing. Why is this more pervasive than people give it credit for?

Yeah, yeah. So almost everyone who has a website is collecting personal information. That’s like where we start. So personal information is a really broad term legally, and it means really any information that, you know, reasonably is associated with a specific individual or household. So we’re talking about really anything that can be like linked to a person. So it’s broad. That includes, privacy laws are pretty consistent on this, that includes things like your

IP address, I should say a consumer’s IP address, device information, website usage, all of that good stuff, all that information that’s collected by cookies to help you know all of those analytics details, you know, conversion rates, what’s working, how are people using your website. All that really rich information is flowing from personal data.

And it’s even tricky if you think it’s kind of de-identified or, you know, I really don’t know who it’s associated with. De-identification under privacy laws is a legal term, and you may not actually be satisfying the legal term of de-identification. And so you may think, well, this is anonymous, but it’s not actually satisfying that carve-out.

Amy Baddley (17:17.772)
So it may still be considered personal data for the sake of complying with these laws. So again, another great reason to talk to your attorneys so that you’re getting that really technical legal information and you’re not just going, I don’t know, it feels like I don’t really know who this is about, so I’m sure it’s fine. That’s not the right approach here. So when we talk, so now we’ve got the framework of what personal data is, most websites, almost every website is collecting it.

even if you’re doing just Google Analytics, unless you’ve got certain controls activated, that could still be personal data. Cookie banners are really important to get right because there is that high litigation risk and settlement risk. So a couple notes on cookie banners. To Curtis’s point, having the banner is just the starting place. It needs to work. So if you say,

You know, if you give people the opportunity to accept all cookies or reject all cookies, that better make a difference which button I press. Second thought is, at least in California and in other state laws, there is a specific restriction against what’s called a dark pattern. And a dark pattern means you are making it easier to accept all cookies than to reject.

So if on the cookie banner, it says, you know, your options are accept all or click my privacy choices. That’s a dark pattern. If you’re making it harder to find or you have to click more buttons to opt out dark pattern. So that’s something that I think I see that all the time when I’m online, that technically that is not compliant with these laws and people should kind of revisit exactly what a dark pattern is because it is pervasive. Just because you see another website do it doesn’t mean it’s lawful.

I get that all the time from clients. So a third thing I’d like to bring up is we’re seeing regulators more and more say, great, you recognize that you needed a cookie banner. You have one. There may be no dark patterns. Great.

Amy Baddley (19:30.964)
even if you’re using a third party vendor to operationalize that, to give you that cookie banner and to run it on the backend, sometimes it’s still not working the way that businesses think it is. And regulators have been really clear: you, business, are still responsible for legal compliance and you’re gonna get dinged if your third party vendor is doing it wrong. So you still need to know what is going on on the backend,

even if you are trusting that third party vendor and hopefully they are doing everything correctly. But in those small circumstances where things are not, you know, that vendor missed something, business, you are still responsible for that legally. So you need to make sure you’re understanding what the law requires and making sure things are firing the way that you think they are. So cookie banners are really technical. It’s important to do that auditing and to make sure you’ve got, you know, this isn’t difficult work, but

Like many areas of the law, it’s just a little nuanced. So having the right partner beside you can really matter. And again, when we’re talking about $20,000 for every single person who finds a plaintiff-side attorney who comes after you, this can be very expensive, especially for companies that don’t have a lot of cash on hand for settlements like that.

That’s in our statement of work there. You review our work and at the end of the day, you are responsible for your own website. And we could have missed a setting or something like that. Well, we’ll do our best to validate what it is that we’re doing. And that’s where I’ve strongly urged everybody, bring an attorney, a privacy attorney in on this who not only can write, because a lot of people are like, will you also give us a template for the privacy policy? It’s like, no, no, no, no, no.

way.

Curtis Hays (21:17.966)
Right. Yes, you can find templates online. You could go to legal tools and different things like that. There are websites who can create templates for you. That doesn’t mean it’s right for your business. It’s right for your scenario. You need something that’s right for your scenario. So that match.

Yeah, yeah, that’s right. In privacy, one of my favorite things is that almost nothing is prohibited. You just have to accurately and comprehensively tell people what you’re doing. And so generally I love this area because I always get to tell companies, yes, you can do that with data. Yes, you can monetize it. Yes, you can sell it. You can gather analytics. You can do what you want with it. But the most important part of privacy, what these laws are really getting at,

is to make sure that people have full information and that be both accurate and comprehensive. And so if you are telling people that you are, you know, giving them the right to opt out of that cookie use, you better be doing it. And if you, that’s why to your point, it’s really dangerous to use privacy policy templates is because these things, your privacy policy, the whole point of this, of its existence is that it be tailored to your data processing.

Right. If that privacy policy is not accurate to what you’re doing, now you’ve introduced new risk to yourself than had you not even had a privacy policy to begin with. So I’m not saying it’s lesser risk, but it’s new risk. And so that’s something that I think a lot of people miss is like, you just open the door to like new problems. So it’s not a hard thing to get a privacy policy right, but it’s not

just you know it’s not a copy and paste from someone else online.

Tom Nixon (23:04.846)
Sounds to me like there’s so many stakeholders that should be at the table for this, because obviously we have legal, you might have IT, we’ve got now, in Curtis’s case, whoever’s managing the website, we might have somebody in marketing who may want to collect data, right, for advertising purposes and may just be off doing it without telling legal, or so like.

You have HR because you have these career pages and stuff like that. So you’ve got human resources that’s involved in the conversation. Yeah.

I mean, who are we missing, Amy? And then my second question is to both of you, where do you start? Everybody’s going to want to do their own sort of audit, right? Because Curtis, you have an audit and I’m sure Amy, you have an audit. Like where do you guys suggest somebody starts?

Yeah, so who should be at the table? Generally, when I’m building a compliance program with a particular company, I am working a lot with IT and legal. But I expect that the legal department has a really good pulse on operationally what’s happening in its product development, in the services it offers.

Sometimes I’m partnering with smaller companies where there’s a really good sense of that because you’ve got a limited number of players in the company. I’ve also done privacy work with a major OEM automaker. So now we’re talking about, we have vehicle data that’s all over the place. We have business data, HR data. You’ve got more data than a lot of people can conceive.

Amy Baddley (24:41.344)
And so that’s where the level of privacy compliance really goes up exponentially when you’re talking about a lot of data and sensitive categories of data. So I think it’s flexible, right? Privacy doesn’t need to be this huge legal spend, and it doesn’t need to take up a ton of your time.

For an average company that has moderate amounts of data and it’s doing kind of the typical things with that data, that’s something we do routinely. But if you’re the more highly regulated space, you’re really going to want to give it a lot of attention because a regulator will. But where to start? I think every company should start in the same spot, whether you’re big or little. I love it when companies start with data mapping.

So this is the process in a simplified form where a company tracks every element of data that it collects from consumers online, in person. Maybe you’re gathering it from a third party, not directly from the user. You’re tracking every single bit of personal information that comes in your door. You’re tracking it within your company.

you know, is it going to HR? Is it going to a third party vendor? Is it going to, you know, any other product team? And then you’re tracking it. When does it leave our company? Are we giving it to, are we selling it? Are we giving it to that third party vendor? Are we deleting it? Do we have, you know, a retention policy that would govern this? So mapping the data from the time you get it to the time it leaves or is permanently deleted.

I think is a really valuable exercise, because that’s when you can build an accurate and comprehensive privacy policy. You can satisfy, you know, we’ve talked about these cookie banners, cookie notices, privacy policies, terms of use. All of that is external facing. These are the external obligations under these privacy laws. But I think it’s a big fallacy to think that privacy laws really just require those things.

Amy Baddley (26:59.704)
Privacy laws also require that you have certain contracts in place, that you have data protection assessments that you’re doing internally to weigh the pros and cons of certain sensitive data processing, that you have certain security in place. And so all those internal things are important too. And data mapping is going to help you comply with every single element. Another example, say a consumer,

says, you know what, I’d like my data to be deleted. They exercise their right to have their data deleted, which they get under every single privacy law in this country. If a consumer reaches out to you and says, I’d like my data deleted, you better know where that data is. Because you have 45 days to complete that request and have your vendors who get that information also delete that data. So my companies that start with data mapping

they know exactly where that data is and they can execute within that specified timeframe. So I think for a lot of reasons, data mapping is really valuable, but it can be, it’s not legally required. So a lot of companies would prefer to just say, okay, what are my obligations? And I want to check those boxes and I understand that too. And we can certainly go about it that way and just do it a little bit ad hoc and kind of looking backward. But anytime you can,

We have this term in privacy called privacy by design. And that really just means embedding privacy principles into your products, your services, your internal workflows. That’s just gonna make it easier for you on the backend. If you’ve already built everything to be really privacy friendly along the way, you’re not retrofitting it into this privacy box.

things just operate a lot smoother on the backend. So anytime you have the opportunity to do a little bit of privacy by design, that’s really beneficial. That’s what data mapping gets you. Otherwise, if you’d say, I’m skipping data mapping, I would say your next step is any privacy obligation that is external facing that a consumer or a regulator could look online and see, do you have a privacy policy?

Amy Baddley (29:22.798)
Do you have terms of use? Do you have, you know, is there somewhere that I can opt out if I have my, you know, if I have a right to opt out of having my data sold or shared for targeted advertising, all of those external things, you know, get those right because that’s the low hanging fruit that gives people the tip off of, look, I can do a little more digging and find additional gaps. So start there and then get your internal house in order and kind of,

to get those internal processes right too.

You said something that made me really think of a gap that we have and that

What we do in our audit is review all of the tags that are firing on the website, of course, because as the webmaster, at least with our clients, we’re being asked to add these pixels, these cookies to the website. We use Tag Manager, which is easier to manage than just throwing them all on the website. So thankfully we already have Tag Manager. It kind of has this documentation in the Tag Manager, but then we can take it over, put it into a spreadsheet, sort through all of that with their general counsel or attorney, whoever,

to determine, what are all of these? How do we define them? How do we make sure they’re in the privacy policy? Do we need them all? What behaviors are associated with them? But you said something that made me realize there’s a gap in that. Tom, we have clients that use tools like Zoom Info, or on their sales team, they’re collecting data, not necessarily through the website, but they’re getting prospect data, information from, trying to prospect essentially from a sales perspective, contacts and accounts.

Curtis Hays (31:01.858)
They might choose to email them or call them and reach out. But yet what you just said was this is still the collection of data, not necessarily through the website and how you store and use that information. Or if you do call me and I say, hey, how did you get my information? I want you to delete it. You need to have a process for now taking that out of your Zoom info or out of your CRM, right? So it is more than just the cookies on your website that privacy and the data collection side falls.

probably a lot further beyond just that sort of analytics collection.

Definitely. Yeah, yeah. And that’s where kind of that broader privacy umbrella where cookies are one element of it and a really important element. But privacy is bigger than even online privacy. We’re talking about all kinds of personal data in any form and however you’re getting your hands on it. So you’re right. I think a lot of times clients, it’s always helpful. So I always start my compliance journey with clients on a phone call.

or really Teams. But I don’t like to operate over email, because I think there’s so much that comes out in discussion just like this where we start to brainstorm. Tell me about your business model. Tell me about the data you’re getting. Where are you getting that? What are you using it for? You didn’t realize that’s also personal data? Let’s talk about it. You know, so I love starting with a really robust conversation, because all of my work gets easier and quicker

when we can get all of it at the table, because I don’t expect anyone else to be a privacy expert. They don’t know the scope of these laws. And so if I can get it all out on the table, that’s hopefully, I’d like to think that’s what I offer in the partnership is, I hold the technical knowledge, they hold the business knowledge, and together we’re able to kind of frame it all out correctly.

Tom Nixon (33:01.27)
It strikes me how quickly this is moving because I think California adopted like the European model in many ways, right?

I’m sorry, can say that

it.

California, the CCPA, adopted the GDPR model, and that goes back to before 2019, does it not, Amy?

Right. That was affected in 2018.

Tom Nixon (33:23.95)
19 states have some version of a law.

Let’s see how well I know this, Amy. I know like Colorado, Virginia. Well, you mentioned Texas, which I wasn’t aware of, Texas, but there are other states that are starting to follow suit. But even like companies here in Michigan have to realize you might be doing business with Canada. Yeah. So now you’re falling, and they follow very closely to the GDPR rules, if I’m not mistaken.

Yeah, and they’ve had a total overhaul of Quebec’s privacy law, which, you know, lest you think it’s easy in Canada either, Canada has a broad national framework and then they have three provinces that have enacted their own that don’t track all the way. So in privacy, there’s a lot of overlap, but it’s never total overlap. So we have all of these, you know, it’s so patchwork. And so it’s

There’s a lot of, and that’s just privacy specific, right? So we have existing laws like the FTC’s unfair and deceptive acts and practices law that also comes into play. The FTC says every business that makes any representation, it needs to be fair and not deceptive. So if you don’t have a privacy policy, but you’re collecting data, that could get dicey. If you have a privacy policy that’s not accurate,

you could be violating FTC law, and that’s not privacy specific. So there’s, you know, I think people are often surprised to find that regulators are lurking all kinds of pulses.

Tom Nixon (35:03.647)
That’s a scary place to end it. But the point being though, I think, you know, so I’ll be the one to state either the obvious or the stupidly obvious, is that the internet really knows no geographical boundaries, really specific, right? It’s like, this person’s in Michigan, even though they’re on my California website, you know, I’ll collect that data a little differently than I collect this. So I think what we’re talking about now is an environment where it all applies to everybody. Are we?

Are we already there? If we don’t have 50 state, you know, specific legislation.

Yeah, that’s right. It’s, you know, I think GDPR in the EU and Canada, those are both triggered if you collect the personal data of even a single resident. Now you technically need to comply with those. In the States, the state-based paradigm is that you kind of need to satisfy, a lot of states kind of carve out smaller businesses and they want to give them room to grow before they become obligated under these laws.

but not Canada and not the EU. So you’re right, we’re in a global world. If you’re a mid-sized company or a larger company, there is every possibility and in all likelihood, you need to comply with the 19 state privacy laws, which are different and in some ways actually conflict. You need to comply with Canada’s privacy laws, all four, right? The national one and each of the three provinces.

EU, I mean, that’s just EU and Canada. We have China, Brazil, India. So in a global world, privacy laws are becoming increasingly prevalent and it’s an increasing risk that businesses are sorting through because that’s a lot of patchwork to be tracking.

Amy Baddley (36:57.6)
And every time you turn around, you have some, you know, a new state law has popped up that isn’t exactly like anything we’ve seen before.

I guess the moral of the story to me, if you are as a business owner or a stakeholder in a business, if you’re unclear, which I’m sure you are, on where you need to start, ask somebody until you get the answers that you need, both from legal, technical, advertising, et cetera. It’s my final thought, Curtis, you’re.

Do you

Curtis Hays (37:23.886)
Yeah, and I’m not just passing the buck either with clients when I say, you know, talk to the attorney. I’m being serious from that perspective, right? That it’s, I’m not going to put a template on your website. I’m not going to be responsible for that. I’m not just going to put up a banner. You know, let’s do this the right way. And now’s the time to do it. So I don’t know if you care to opine on this, Amy, but I believe there was a bill that was introduced federally

for a federal privacy law maybe a year, year and a half ago that I don’t think went anywhere. Is that correct? And is there anything on the table that you foresee coming? Anybody working on anything?

Not anytime really soon. I haven’t seen anything that I think is serious yet. You know, obviously there is an appetite to have a ceiling, right? Past that would be, you know, a federal law that would preempt all of these 19 plus state laws so that businesses can reasonably comply, right? It makes sense. To Tom’s point, we’re in a global world. Let’s get one US law.

but there, the backlash would come in the form of, you know, California took a long time to hammer out its law. It was really specific and really protective of consumers. So California and other states like it don’t want federal preemption because federal preemption would probably come in at a less protective level than CCPA. And so that would be the ceiling so that, you know, there isn’t this patchwork, but it would be a trade-off and that would be a little more business friendly

to have this federally preempting law. You could of course have a federal law that set a floor where different states could come in above it, but what’s the point? Because now we’re back to a patchwork approach, maybe just a little less patchworky. So I don’t think from a policy perspective, I don’t think Congress has worked out whether there’s the political capital to enact something with federal preemption yet.

Amy Baddley (39:28.098)
So we’ll see, that conversation will definitely evolve. And we haven’t touched on AI yet, but AI laws are, that’s also falling into my wheelhouse now. And AI laws are tracking how privacy laws came to be at the state level. And we have this patchwork approach. We’re seeing that same model come in the AI space where we have various states really with different

legislative frameworks governing AI pop up and I think we’re going to start seeing more and more similarity but not complete overlap and still no federal preemption in AI either. So I think what’s happening in privacy is really important to kind of keep a pulse on what can we expect in AI five years from now.

That could be a whole nother podcast.

Going to say, let’s do it for sure. My gosh. Well, thank you, Amy Baddley, associate with Varnum. Varnum. Let’s make sure we get that right. Where could people go to have their data collected? I mean, to learn more about you and privacy and what they should be doing about it. Varnumlaw.com.

Yes, that’s right. And if you’re curious about the kinds of law that I work on, if these things are interesting to you, you can find my bio there and kind of get a scope of the things I work on every day. You can also find me on LinkedIn. I’d be happy to connect with you there.

Tom Nixon (40:47.416)
Cool. And we will post links to all of that in the show notes. So as you’re listening or watching, just look down below and click away. Thank you so much, Curtis. You ready for a cookie?

I it is in the afternoon. An apple would probably be better. Don’t you agree? Keep the sugar level in balance. I’ll go for the apple instead of the cookie.

Alright, you heard it ladies and gentlemen. He is now known as the Apple Monster. Catch him next week on Bullhorns and Bullseyes.
