"A strong privacy program is a must-have to do business today and it will only become more complex." — Jodi Daniels, Red Clover Advisors
Jodi Daniels is the founder and CEO of Atlanta-based Red Clover Advisors, and a data privacy expert with more than 20 years of experience, including the launch of ad networks for Autotrader and Kelley Blue Book. Her knowledge of ad tech and user privacy can inform and improve our collective monetization efforts as we continue to navigate the GDPR and prepare for enforcement of the CCPA and other privacy laws.
My recent interview with Jodi offers insights, advice, and predictions for what’s next in data protection.
What inspired you to found Red Clover Advisors?
I always knew I was meant to be an entrepreneur — it was just a matter of when I was ready to make the leap from Corporate America.
I also realized that there's a gap for small- and medium-sized companies that don't often have someone focused on privacy full-time — or have anyone familiar with privacy. Red Clover Advisors was born from my desire to help overwhelmed smaller businesses navigate complex privacy laws.
Has GDPR compliance become any less confusing in the two years since its enforcement?
I think GDPR compliance still presents the same level of confusion for many companies, especially ad tech or those relying on ad tech — who, for example, want to use legitimate interest as a legal basis. Everyone was hoping for guidance and a more definitive explanation of whether that’s allowed or not.
While there has been some guidance — for example, from the ICO — there have not been many penalties. So, with fewer-than-expected enforcement actions, I think the level of confusion has remained the same.
For any law to be effective, you really need to have some type of action plan — a case study or review that sets a precedent. When we don't have that precedent, everyone's left to interpret the law on their own.
Has the EU’s enforcement of the GDPR lived up to your expectations — or has its bark been worse than its bite for most companies?
Enforcement of GDPR has not lived up to my expectations. Many investigations have been filed, but the number of enforcement actions has been far lower than I anticipated, based on what regulators told me directly.
I am still hopeful that it’s just a slower process, and that we will start to see some of the actions they keep talking about. I also believe that regardless of the regulators, there has been an increase in companies that (still) take GDPR very seriously — and that hold each other accountable — which is particularly important for B2B roles. B2C brands are also taking the GDPR seriously because EU consumers are pushing those companies to protect their privacy.
The CCPA and other privacy laws were initially inspired by the GDPR but each has its own nuances. Do you ever wish companies had common, consistent standards to adhere to?
I absolutely wish there were common, consistent standards. It’s very confusing and complicated for companies to adhere to multiple jurisdictions, and CCPA is the first, but it will not be the last state law. Many companies are very concerned about how they will manage compliance for multiple states and countries. Many of my multinational clients struggle with how to balance and understand what are sometimes conflicting privacy laws.
For CCPA, it would be really nice to have a standard framework. It’s unlikely that we'll see a privacy law as restrictive as GDPR, as the US is a very business-friendly country, and GDPR is very focused on individual rights.
I am hopeful that we will see more commonality amongst privacy laws here in the United States.
How has your work changed with the creation of the CCPA and other new US data privacy laws?
Many companies are realizing that even if they complied with GDPR, there's still work to be done for CCPA — and that CCPA is not the last state privacy law, so it makes sense to start thinking about privacy as a holistic part of their organization. They are now beginning to build the foundational work for a privacy program.
Given the July 1 start date for CCPA enforcement, what degree of last-minute panic are you seeing? Where are your clients on a scale of 1–10?
Given the current economic situation and pandemic — and also because I serve a lot of small and medium companies — the panic is probably 6–7.
Many companies that did nothing or stalled are now realizing they need to be ready by July 1. Many of the bigger corporate companies have been gearing towards that July 1 date and have been planning for some time.
A lot of companies are still wondering if the California Attorney General will deem them “data brokers” under the CCPA. Can you offer any clarity?
The definition of data brokers under CCPA is still really unclear to many companies, especially if you compare it to Vermont. I’m hopeful we’ll see more enforcement action from the AG, unlike what we thought we’d see under GDPR.
Since the US is more litigious and fine-driven, I think some will tip more towards data brokers based on the data they are collecting and using in a manner that wasn’t intended, and that will help set the precedent.
It’s like what we learned as kids: the one who does something wrong sets the rules for the rest of the class. I expect the same will happen here.
What do you see as the pros and cons of the California Privacy Rights Act (CPRA, aka CCPA 2.0) if it's added to the November ballot?
I see some positives to CPRA. For example, I think it's a good thing to have a separate enforcement branch, as the AG has a number of different responsibilities on its plate. If we're going to take privacy seriously, then having an arm dedicated to privacy is a good thing.
Carving out sensitive data is also good. There is so much data that’s collected and likely misused — like how we have health data and financial data now carved out under HIPAA and GLBA, which restrict what can and can’t be done with it. The ability to restrict and correct data is good for individuals.
The requirements for risk assessments and cybersecurity audits are also positives. If companies don't protect their data and they’re not aware of the risk, many won’t audit their cybersecurity systems. Forcing these companies to assess their risks will only strengthen privacy programs.
As for negatives, the restrictions on email pop-ups will be challenging, as will the transparency requirement for profiling and automated decision making. The same is true for onward transfer — what does restricting it really look like?
As we saw with CCPA, the details will matter most. If it passes, I hope we get clarity much sooner than we have for CCPA (as we’re still waiting on final regulations from the AG).
What are the most common questions your clients ask?
Is CCPA an opt-in law? No, it’s not like GDPR and doesn’t have the same legal basis requirements.
Will we have a federal privacy law? There have been many tries but nothing yet. There will likely be additional state laws and we may have a bit of a patchwork privacy system. Having a privacy program and someone responsible for privacy will help companies manage differing state laws.
I’m too small, why do I have to comply with GDPR or CCPA? Even if you’re under the CCPA threshold, especially B2B companies, customers require their service providers to comply with privacy laws. Consumers are getting savvier and want to do business with those who take privacy seriously.
Plus, investors also are looking at company privacy programs and risks before investing, so taking it seriously now will help.
As for being too small, regulators might not find you, but your customers (B2B - same as CCPA) care and they might share your noncompliance activities with regulators themselves or take it to social media.
Plus it’s a law: do you really pick which ones your company should comply with?
Am I done once I update my privacy or cookie notice? I did that data inventory thing last year. Nope, not done. Privacy notices are dynamic and should always reflect what’s happening in your organization. They need to be updated at least annually (per CCPA), and anytime you want to do something, it needs to align.
For example, if you want to send that email, does the privacy notice say it’s OK to do so? There might be new products, marketing activities, and vendors that should be documented and reviewed. That’s why data inventories should be reviewed throughout the year as well.
What are the biggest stumbling blocks to compliance? What do companies most typically overlook?
Most companies try to do the least amount of work possible — and then the next privacy law or customer agreement comes along and they're not ready.
They also forget about training, which ensures employees know their roles. For example, how will they manage individual rights requests — will those go to the customer service team or the website manager? Employee training is a critical component of a privacy program.
Privacy compliance is not just a cookie banner and a privacy notice. It’s so much more.
Each vendor and third-party — and each piece of personal data that is collected, used, and shared — needs to be factored into privacy considerations. Privacy should be considered just like other core functions: technology, HR, finance, operations, etc.
Companies that don’t require a full-time person for that function can consider a Fractional Privacy Officer — but a privacy pro should definitely have a seat at the table to build consumer trust.
"What most companies overlook is that opportunity to build trust — they look at privacy as this thing that they have to do but it's actually the foundation for their customer relationships. Customers expect companies to deliver a good product and service and protect their data." — Jodi Daniels
What advice would you offer ad publishers who want to ensure data privacy for their users and advertisers?
Review how you’re going to manage this on an ongoing basis and avoid the “every time there's a new law” cycle. That's stressful and creates a lot of extra work and expense.
It’s much more practical and efficient to look at privacy as part of doing business, and therefore something that requires regular maintenance.
I also suggest you look at privacy from your users’ point of view, not just the company’s point of view. How do your users expect you to handle their data? Your customers’ best interests are also your company’s best interests.
What do you see as the greatest challenges and opportunities for data privacy in the coming months?
The biggest challenge will be consumers flooding a company with individual rights requests. You could almost see that as a way to attack a company.
Other challenges could be the enforcement actions that come from CCPA. CCPA was really born out of the frustration of data sharing amongst digital companies. There is a significant focus on digital data and ad tech, so that customer-focused viewpoint will prove helpful.
I think there will also be greater scrutiny of privacy by consumers given the current pandemic. People want to know how their data is being used and who has access to it.
Finally, the real risk of data security comes with the increase in remote work. There is a significant increase in cyber security threats and there will be a rise in data breaches.
Phishing is already up 350% since the start of 2020. Companies need to be prepared for how they're managing a remote workforce, a return to the office — or even a hybrid approach — and how they're securing their personal data. There are some basic things companies can be doing now to protect their data: strong passwords, two-factor authentication, and training, just to name a few.
The individual private right of action under CCPA will be costly to companies. COVID + data breach = perfect storm.
Anything else you’d like to share with our readers?
Companies should look at privacy as not just a law they should comply with — not a “maybe we’ll comply, or comply a little, or just enough” — but as an opportunity to build trust with customers.
Go above and beyond the basic compliance efforts, as the companies that do have a competitive edge.
A strong privacy program is a must-have to do business today and it will only become more complex. Start it right from the ground up, have someone knowledgeable to help manage privacy throughout the year, and it will prepare your company for the next privacy law.
Jodi Daniels is the founder and CEO of Red Clover Advisors, a boutique privacy consultancy that helps companies build customer trust while complying with global privacy laws such as GDPR and CCPA.
Many thanks to Jodi for sharing her time and expertise.