Masters of Privacy

Who can really claim to be a privacy engineer? Does this change in the digital marketing arena? What is the winning formula to integrate this role within the company's privacy practice? Thomas Ghys has worked as a management consultant, data scientist, and data strategist, including a 5-year stint at McKinsey, prior to setting up his own privacy engineering practice. He has deep expertise in MarTech and AdTech, auditing traditional machine learning models and data flows. He is also the founder and CEO of Webclew, a tool that helps with the auditing of websites and mobile apps. References: Thomas Ghys on LinkedIn Webclew: scanning websites and apps for privacy risks CNIL: a focus on mobile SDKs, announcing enforcement actions in 2025 Thomas Ghys: BAPD expectations for cookie compliancy unattainable for most publishers Dr. Augustine Fou: dismantling marketing attribution, ad fraud controls, and the business case for third-party cookies (Masters of Privacy, February 2024)

Can we shift the focus from documentation to technical implementation? How can we bridge the cultural differences between legal teams and engineers? What do we mean with open-source data classification? We are joined by Cillian Kieran, Ethyca's CEO and founder, in a new installment of our Privacy Tech series. Cillian is a serial entrepreneur and seasoned privacy engineer with two decades of experience leading data-intensive businesses. He combines deep technical expertise with a track record of building and scaling companies, including a global digital agency serving Fortune 500 clients.  References: Fides: the open source language for data privacy Cillian Kieran on LinkedIn Ethyca Max Anderson (Ketch): Privacy Tech spotlight I – the future of CMPs, value vs. hype in privacy compliance SaaS (Masters of Privacy, April 2025) Daniel Barber (DataGrail): Privacy Tech spotlight II – widespread non-compliance, opt-out challenges, and shadow AI (Masters of Privacy, May 2025)

It is time for a seasonal update at the intersection of Marketing, Data, Privacy and Technology. We are today covering the first four of our usual five blocks: ePrivacy & regulatory updates; MarTech & AdTech; AI, Competition and Digital Markets; PETs and Zero-Party Data.  All references and links can be found in this episode's blog post: Masters of Privacy. Allow us to thank two people in advance for their routine work in breaking down the news across some of the topics and jurisdictions covered here: Robert Bateman and his Privacy Corner and Federico Marengo with his Privacy and AI newsletter. Also, an important disclaimer: the voice that joins me today is a text-to-speech output generated with Eleven Labs.

What do we refer to with “privacy metrics”? Are privacy professionals delusional regarding the impact of the discipline in the overall business context? Lauren Reid is founder of The Privacy Pro, a boutique firm that provides essential training, tools, and support for privacy professionals to turn knowledge into action. In addition to leading The Privacy Pro, Lauren works with executives, boards, and product teams to build privacy data governance strategies that support responsible innovation and prepare companies for investor and regulatory scrutiny. She has a 20-year track record in this space. References: Lauren Reid on LinkedIn The Privacy Pro Lauren Reid: Rethinking Privacy Metrics: Aligning with Business Strategy

Can telco-powered identifiers overcome their own privacy challenges in their attempt to replace third-party cookies or email-based alternatives? Pascale is the Data Protection Officer at Utiq, a European based AdTech company. She has been working in privacy and data protection ever since completing her degree in Law, including roles at fashion group Arcadia and Vodafone Group. Pascale's main goal is always to put privacy at the heart of the business. Utiq's mission is to enable more responsible digital marketing by offering a telco powered privacy-first technology to Brands, Publishers and Tech Vendors operating in the adtech ecosystem. The Utiq technology consists of online identifiers which can be used to support and optimize digital marketing, advertising and analytics activities, whilst offering individuals enhanced choice, control and transparency, including via the application of privacy-centric controls and a dedicated privacy portal for end users, known as consenthub. Launched in 2023, Utiq was originally backed by Deutsche Telekom AG, Orange SA, Telefónica S.A., and Vodafone Group plc. It has continued to gain support from numerous other leading telecom operators across Germany, France, Spain, Austria and soon expanding to the UK and Italy. References: Pascale Arguinarena on LinkedIn FCC fines Verizon $1.35 million over ‘supercookie' tracking (The Verge, May 2016) Utiq's consenthub  

Are Product Counsels in the best position to anticipate and solve privacy and AI compliance problems before we release new products to the public at large - all of it while avoiding costly delays in fast-moving projects? Linsey Krolik is Assistant Clinical Professor at Santa Clara University School of Law, where she runs the Privacy Law Certificate and teaches Privacy Law. She is Director of the Entrepreneurs' Law Clinic, where students work with real startups on transactional law projects, and Director of the TechEdge JD, a skills based certificate program for students interested in working in technology law. She also teaches a class called Law and Technology of Silicon Valley, with students playing the role of product or privacy counsel for a day.  Prior to joining academia, Linsey held senior in-house roles as a product, privacy, and commercial lawyer at global companies including PayPal, ARM, and Palm. Also, she continues to consult on privacy and AI governance in her solo law practice. References: Linsey Krolik on LinkedIn Santa Clara University School of Law TechEdge JD Entrepreneurs' Law Clinic Privacy Law Certificate Navigating AI and Data Ethics: The Essential Role of Product Lawyers and the Product Counsel Framework (Linsey Krolik, Adrienne Go, Olga Mack) Gam Dias: Agents Unleashed, understanding the Agentic AI stack (Masters of Privacy)

Is it possible that a whole generation of consent-management solutions built for the EU-driven opt-in world are unsuitable for the opt-out scenario predominant in the US? How are DPOs and AI Governance professionals to deal with “shadow AI” and “shadow IT”?  Daniel Barber is DataGrail's CEO and co-founder. Prior to DataGrail Daniel led revenue teams at DocuSign, Datanyze (acquired by ZoomInfo), ToutApp (acquired by Marketo) and Responsys (acquired by Oracle). He also advises several high-growth startups. References: Daniel Barber on LinkedIn Unveiling DataGrail's 2024 Data Privacy Trends Report: The Time Data Subject Requests Surged 246% in Two Years DataGrail Privacy Inspector (Chrome Web Store) Max Anderson (Ketch): Privacy Tech spotlight I – the future of CMPs, value vs. hype in privacy compliance SaaS (Masters of Privacy, April 2025)

Georgia Voudoulaki is Senior Legal Counsel at Bosch, certified Compliance Officer, and adjunct professor at the University of Applied Sciences in Ludwigsburg and the Cooperative State University of Baden-Württemberg in Germany. In addition to her legal and academic roles, Georgia regularly publishes articles in leading legal journals and magazines, contributing valuable insights to the evolving conversation around compliance, digital innovation, and responsible AI.  References: Georgia Voudoulaki on LinkedIn University of Applied Sciences Ludwigsburg Baden-Wuerttemberg Cooperative State University (DHBW)  

Gam Dias is a seasoned technologist and entrepreneur with a rich background in software engineering, AI, and product innovation. As a consultant, he has helped write the data strategy for Fortune Global 500 companies, innovative startups, and ambitious non-profits. He has a degree in Computer Science from the University of Liverpool and an MBA from Warwick Business School. Gam has lived in London, Leeds, Salt Lake City, Santa Cruz, San Francisco, and he currently lives in and works from Madrid, Spain. Gam's latest work, Agents Unleashed, distills years of experience into a compelling look at the rise of autonomous AI agents and their growing role in marketing, sales, and beyond.  References: Gam Dias on LinkedIn Agents Unleashed (Amazon) Agentforce (Salesforce) Gam Dias: on privacy, agency, convenience, and freedom (Masters of Privacy, 2021)  Hubbl Process Analytics Diana Stern and Dazza Greenwood, From Fine Print to Machine Code: How AI Agents are Rewriting the Rules of Engagement (Stanford Law School)  

What is the practical case for combining CMPs and DSAR automation under a single technical solution or software provider? What do DPOs and CPOs struggle the most with when implementing effective privacy programs? Which Privacy Tech features are overvalued or undervalued? Max Anderson is a seasoned product executive with a proven track record of bringing successful technology products to market in the consumer privacy, data management, and marketing space. Prior to Ketch, Max was the Director of Product Management at Krux. After joining Salesforce as part of the Krux acquisition, he ran data privacy and consumer identity products at Salesforce, including the rollout of their industry-leading GDPR solution set. Prior to Krux, Max was a Product Manager at IPG Mediabrands, where he was responsible for multiple successful advertising measurement products. Max holds a BS in Chinese Literature from the University of Colorado. References: Maxwell Anderson on LinkedIn Max Anderson, The liability in your privacy program: incomplete opt-out compliance (Ketch) GPC: Global Privacy Control Max Anderson, Dirty Data, Broken AI—The hidden threat derailing your competitive edge (Ketch) Andy Dale: DPO vs. CPO, present and future value of Privacy Tech, and the new US administration's impact on the regulatory landscape (Masters of Privacy) Monica Meiterman-Rodriguez: automation, data minimization and comparative law in DSRs (Masters of Privacy) Sergio Maldonado, Some takeaways from PEPR'24 (USENIX Conference on Privacy Engineering Practice and Respect 2024)  

Today we are taking a look at the difference between DPO and CPO roles in the US, the present and future impact of Privacy Tech in the management of privacy programs, the evolution of privacy regulation under the new US administration, and a potential Schrems III scenario.  Andy Dale serves as General Counsel and Chief Privacy Officer at OpenAP and holds the position of Executive Board Member at The L Suite (TechGC). With extensive experience as an advisor to various companies, Andy previously worked as General Counsel and Chief Privacy Officer at Alyce, a company acquired by Sendoso in 2024, and as General Counsel and VP of Global Data Privacy at SessionM, which was acquired by Mastercard in 2019. Andy Dale earned a JD in Law from the University of Baltimore School of Law (2003-2006) and a degree from Colgate University (1996-2000). References:  Andy Dale on LinkedIn The Data Protection Breakfast Club podcast on Spotify Brian Focht: Can the American Privacy Rights Act find a path to survival? (Masters of Privacy) Amy Worley on the American Privacy Rights Act (Masters of Privacy) Molly Martinson on state-level comprehensive privacy laws (Masters of Privacy)

Where is the UK data protection reform headed? How are we to deal with behavioural advertising in the context of sports betting and gambling? Will the UK stay clear of regulating or supervising AI à la EU?  Tim Turner has worked on Data Protection, Freedom of Information (FOI) and Information Rights law since 2001. He started at the Information Commissioner's Office as a Policy Manager on FOI issues. After that, he was a Data Protection & FOI Officer for two councils and then an Information Governance Manager for an NHS (National Health Service) organisation. He has been offering data protection training and consultancy since 2011. Also, Tim is the author of the very popular DPO Daily newsletter and LinkedIn feed.  References: Tim Turner on LinkedIn 2040 Training The DPO Daily on LinkedIn ICO: Action taken against Sky Betting and Gaming for using cookies without consent UK betting giants under fire for ads targeting at-risk gamblers (The Guardian) UK Data Reform: What's Proposed (Bird & Bird) Stephen Almond (ICO): data protection laws as a primary tool for AI governance (Masters of Privacy)  

Theodore Christakis is Professor of International and European Law at University Grenoble Alpes (France), Director of the Centre for International Security and European Law (CESICE), Director of Research for Europe with the Cross-Border Data Forum, Senior Fellow with the Future of Privacy Forum and a former Distinguished Visiting Fellow at the New York University Cybersecurity Centre.  He is also Chair on the Legal and Regulatory Implications of Artificial Intelligence with the Multidisciplinary Institute on AI, and has been a member of the French National Digital Council, currently serving as a member of the French National Committee on Digital Ethics as well as a member of the International Data Transfers Experts Council of the UK Government.  With Theodore we have gone through “the good”, “the bad”, and “the ugly” in the EDPB Opinion on LLMs and personal data. We have also examined the Deepseek affair, as well as the challenges posed by hallucinations in generative AI.  References: Théodore Christakis' SSRN Author Page Théodore Christakis on LinkedIn EDPB opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models Discussion Paper: Large Language Models and Personal Data (Hamburgische Beauftragte für Datenschutz und Informationsfreiheit) Lokke Moerel: using personal data in the development and deployment of AI models (Masters of Privacy) Théodore Christakis, ‘European Digital Sovereignty': Successfully Navigating Between the “Brussels Effect” and Europe's Quest for Strategic Autonomy  Théodore Christakis, Cyber-Attacks – Prevention-Reactions: The Role of States and Private Actors Multidisciplinary Institute on AI Université Grenoble Alpes: Centre d'études sur la sécurité internationale et les coopérations européennes.

It is time for a seasonal update at the intersection of Marketing, Data, Privacy and Technology. As usual, this Newsroom is divided into five blocks: ePrivacy & regulatory updates; MarTech & AdTech; AI, Competition and Digital Markets; PETs and Zero-Party Data; and Future of Media. TL;DL: The use of SDKs for data collection/sharing has been a common factor in various fines and lawsuits on both sides of the pond. The EDPB sparked an important debate on personal data-powered AI in the EU. Texas and California went after Allstate and Honda respectively. La Liga (ES), Netflix (NL), Meta (IR), and others received fines. The FTC put an end to personal data sales by General Motors. The My Health My Data Act (WA) was put to the test. AI “reasoning” models exploded, and then AI Agents followed. Garante (IT) blocked DeepSeek and a class action in Germany could have a major impact across the EU. Australia updated its legal framework. The biggest CDP players dissolved into adjacent markets and Google kept marching towards PET-powered AdTech. All references and links can be found in this episode's blog post.

Daniel Solove has just published a new book, On Privacy and Technology. We went through a few key concepts from it, and also had a chance to revisit other core ideas in the author's work.  Professor Solove is the Eugene L. and Barbara A. Bernard Professor of Intellectual Property and Technology Law at the George Washington University Law School. One of the world's leading experts in privacy law, Solove is the author of more than 10 books and 100 articles about privacy. He has also written a children's fiction book about privacy. He is one of the most cited law professors in the law and technology field. Professor Solove has been interviewed and quoted in hundreds of media articles and broadcasts and has been a consultant for many Fortune 500 companies and celebrities. It is to him that we owe the famous taxonomy of privacy harms, as well as very recent papers on Privacy and AI or Privacy and Data Scraping. References: Daniel J. Solove on Bluesky Daniel J. Solove on LinkedIn Daniel J. Solove's personal page On Privacy and Technology: Oxford University Press, Amazon.  The Great Scrape: The Clash Between Scraping and Privacy Artificial Intelligence and Privacy  

What is the best way to address privacy risks in the context of connected cars? Is data minimization compatible with assisted driving? What is the meaning of “Core Vehicle Data”? Mark Jaffe leads the Rivian ethics, compliance and privacy program. This includes ethical culture, compliance oversight, privacy, and investigations.  Prior to joining Rivian, Mark was Senior Vice President for Privacy at Teleperformance, a global business process outsourcer with over 400,000 employees operating in over 80 countries, spending almost two years in Singapore managing privacy issues in the Asia Pacific region. He has also dealt with data protection compliance in Europe, Middle East, and Africa.  Prior to that, Mark spent 17 years at AT&T in global privacy roles as well as global compliance and ethics roles. Our guest is a frequent speaker on a variety of topics related to privacy compliance and data ethics. Mark earned his B.A., cum laude, from Duke University and his J.D., cum laude, from Northwestern University.  References: Mark Jaffe on LinkedIn Rivian's Privacy Hub FTC bans General Motors from selling driving data without permission, adding to case for CarPlay 2 (9to5Mac, January 2025) 800,000 EV drivers' data exposed in Volkswagen breach (The Register, January 2025) Privacy Not Included, a Mozilla Report about connected cars and privacy (“It's Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy”, September 2023) Investigation by Netherlands' DPA prompts changes to Tesla security cameras (IAPP, 2023) Tesla workers shared sensitive images recorded by customer cars (Reuters, 2022) Privacy4Cars  

An update was due at the intersection of MarTech/AdTech and the My Health My Data Act, with a Washington Consumer Protection Act case against Costco paving the way for the recent class action lawsuit involving the Amazon Ads SDK. Also, the date is approaching for compliance with restrictions on international transfers of US personal data. Mike Hintze is a well-known leader in the field with more than 20 years of experience in privacy and data protection. He has been a partner at Hintze Law since 2016 and prior to that was Chief Privacy Counsel at Microsoft for 18 years. He also teaches privacy law at the University of Washington school of law and has served on multiple advisory boards. He has also testified before Congress, state legislatures or European regulators.  References: Mike Hintze on LinkedIn The Washington My Health My Data Act - Parts 1 to 10 (Hintze Law) New U.S. Regulations Impose Significant Restrictions on Cross-Border Data Flows AI governance, MHMD, and third-party risks at PSR 2024 (Masters of Privacy) Written summary: P.S.R. Los Angeles 2024: Vendor Audits; My Health, My Data Amazon Sued in First 'My Health, My Data' Privacy Dispute.

As of today, February 16th, Google's platform policies allow the collection, sharing and usage of IP addresses and other signals across websites, apps, gaming consoles or Connected TV. This has been perceived as a direct contradiction of the company's long-term anti-fingerprinting policy. The company is expecting that a growing reliance on Privacy Enhancing Technologies will do away with the resulting privacy risks.  Daniel B. Rosenzweig is the Founder & Principal Attorney at DBR Data Privacy Solutions. He advises clients on legal and technical compliance with data privacy and AI laws, and counsels companies on industry mobile app store requirements, AdTech, and privacy-enhancing technologies (PETs). Daniel's legal practice is unique in that he develops and codes technical solutions to help serve as a bridge between legal, marketing, and technical teams, in addition to providing clients the usual legal services. References: Daniel B. Rosenzweig on LinkedIn DBR Data Privacy Solutions Google: Overview of the Platforms programs policies update (February 2025) ICO: Our response to Google's policy change on fingerprinting AdExchanger: Does Google's U-Turn On Fingerprinting ‘Open New Opportunities' Or Is It ‘Irresponsible'? Peter Craddock: ePrivacy exceptions, advertising, analytics, the limits of consent and server-side processing (Masters of Privacy) Sergio Maldonado on PETs and AdTech: Some takeaways from PEPR'24 (USENIX Conference on Privacy Engineering Practice and Respect 2024)   

This was a really eventful week for AI regulation, with the first rules of the AI Act starting to apply on Sunday, February 2nd and the EU Commission releasing Guidelines on Tuesday (prohibited practices) and Thursday (scope of AI systems). To cap it all, a first-ever class action under the new framework (alongside the GDPR and the Digital Services Act) was filed on Wednesday against X-Twitter and TikTok.  The following conversation with Markus Wünschelbaum, with a particular focus on digital advertising and AdTech, preceded and rightly anticipated these developments.  Dr. Markus Wünschelbaum currently serves as Policy and Data Strategy Advisor to Hamburg's Data Protection Commissioner Thomas Fuchs. In this role, he advises on key data protection & AI policies and strategic initiatives. Previously, he was responsible for imposing fines, fundamental GDPR issues, and freedom of information. He began his career focusing on the intersection of labor law and data protection, having published an acclaimed doctoral thesis on this topic and working at an international law firm. References: Dr. Markus Wünschelbaum on LinkedIn Hamburg's Data Protection Commissioner (Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit) Guidelines on prohibited artificial intelligence (AI) practices, as defined by the AI Act (EU Commission) Guidelines on AI system definition to facilitate the first AI Act's rules application (EU Commission) Class Actions Filed Against TikTok and X in Germany: A Test for the DSA, GDPR, and AI Act (Spirit Legal - Peter Hense) Peter Hense (Spirit Legal) on Masters of Privacy Luca Bertuzzi (Euractiv)

Alex Dittel leads KHQ's Data Privacy, Cyber and Digital legal practice. He brings over 15 years of experience in data protection, information security and technology commercial matters acquired during his time working for big and small technology companies and law firms in the United Kingdom and Australia. As a passionate GDPR-native data privacy lawyer, he advises on Australian as well as international data privacy matters. He holds CIPP/A, CIPP/E and CIPP/US certifications from the IAPP. References: Alexander Dittel on LinkedIn KHQ: Data Privacy, Cyber and Digital Alex Dittel: OAIC's decision a warning re use of facial recognition technology First Tranche of Australia's Privacy Law reforms explained (Association of Corporate Counsel)  

What should we celebrate on January 28th? What is the difference between Privacy and Data Protection? What about Data Privacy? Will Data Protection (or Data Privacy) evolve to encompass many of the things we now discuss in the context of AI regulation? We have asked Carissa Véliz (Oxford University), Gabriela Zanfir-Fortuna (Future of Privacy Forum), Markus Wünschelbaum (Advisor, Hamburg Data Protection Authority), Brendan Quinn, and Tim Turner.  What do you think? Feel free to participate in the conversation by finding this episode's post on: Our Spotify feed: https://open.spotify.com/show/6M2DpgfTPaGCHm31rKstBr  Our LinkedIn channel: https://www.linkedin.com/company/masters-of-privacy/ Our YouTube channel: https://www.youtube.com/@MastersofPrivacy  References: Council of Europe: Data Protection Day US Government: Data Privacy Day  

This special mountain retreat will bring together a unique combination of backgrounds and nationalities. NextAI is an initiative of Alberto Lopez Valenzuela and we have asked him to share more details.  Alberto Lopez Valenzuela is an entrepreneur with over 25 years of experience in the decision intelligence sector, mainly in the UK and the US. He founded alva in 2009, a London-based AI analytics firm that ended up working with hundreds of blue-chip clients, expanding to New York and establishing the company as an industry leader. In 2021 alva was acquired by US private equity firm Falfurrias Capital Partners and this, together with the incorporation of other companies, resulted in the creation of Penta. Alberto was the Managing Director of its AI division until 2023.  In 2024, he founded Ordino Partners, incubating and investing in AI tech startups with a meaningful social impact. As an author, Alberto published The Connecting Leader in 2018.  Masters of Privacy is a NextAI partner and Sergio Maldonado (your host) will be attending the event. References: NextAI (use this voucher code for an additional 15% discount: PRINXT25) Alberto Lopez Valenzuela on LinkedIn Ordino Partners Andorra: ski resorts, restaurants and destinations

What is the future of Customer Data Platforms in the context of recent acquisitions, the modularization of their offerings, and the privacy compliance challenges of first party data activation?  Matthew Niederberger is a seasoned Martech consultant with years of experience helping global organizations unlock the full potential of their marketing technology investments. As the founder of MarTech Therapy, his mission is to guide companies in optimizing their Martech stacks to drive better customer experiences and business outcomes.  With a deep understanding of Customer Data Platforms and a passion for bridging technology with strategy, Matthew brings both technical expertise and creative insights to the table. Beyond consulting, he shares his knowledge through his podcast and short-form videos, making complex topics accessible and engaging. References: Martech Therapy Matthew Niederberger on LinkedIn Jonathan Mendez: making the most of first-party data in the age of AI (Masters of Privacy) Tejas Manohar (Hightouch): data activation and composable CDPs in a privacy-first world (Masters of Privacy) IBM sued again in storm over Weather Channel data sharing (The Register) NBC, Peacock SDKs Let 3rd Parties Secretly Collect Users' Viewing History: Class Action Twilio's Software Development Kit, Segment, Embedded in Various Mobile Applications May Constitute a Violation Under CIPA  [ES] Paco Roldán: the CDP before the law, the logic, and the future (Masters of Privacy) 

Can we introduce greater individual agency in the management of identity? Will that lead to better controls over personal data and less privacy risks? What is the problem with LinkedIn? Are we turning a page in the evolution and potential mass adoption of cryptographic solutions? How can we avoid storing personal information on the blockchain? Dan has spent his career building products from 0-1 at the intersection of predictive analytics, AI/ML, and privacy.  He most notably served as a Group Product Manager at Google, where he built Google's most sophisticated personalized marketing and cross-identity measurement products, Google Analytics and Google Signals, respectively. Prior to co-founding Icebreaker, he served as a Group Product Manager at Coinbase, where he led Consumer Trading, earning a patent for AI-assisted multi-chain intent orchestration.  He holds a BS in Management Science from the Massachusetts Institute of Technology. References: Dan Stone on Icebreaker  Icebreaker: an open, decentralized professional networking platform Jamie Smith: AI Agents, digital identity, wallets and personal data (Masters of Privacy) Adrian Doerk: digital identity, digital wallets, and data protection (Masters of Privacy) Joana Mota: privacy compliance in a web3 world (Masters of Privacy) Gam Dias: On privacy, agency, convenience, and freedom (Masters of Privacy) Project VRM (Berkman Klein Center, Harvard University) Doc Searls, The Intention Economy

Carey Lening, JD, CDPP writes, speaks, and consults on data protection, law, technology, and fractal complexity in systems. Currently based in Ireland, Carey has over 20 years of experience in thinking about hard problems and helping people arrive at practical solutions. Besides providing data protection compliance support to select clients, Carey runs Privacat Insights, a newsletter that offers a paid tier with exclusive content, members-only Q&A, a slack channel and a yearly meetup. References: Privacat Insights 18,000 words. Four Questions. Much Delegation. Little Guidance EDPB opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models Privacy Disasters: Microsoft, Just Because You Can (Recall) Privacy Disasters: AI Spy-Wearables, and the Scourge of Competing Friendants An early adopter's thoughts on Rewind.ai's $350m pivot Privacy Disasters: FaceHuggers Are Eating Your Skeets Carey Lening on LinkedIn Carey Lening on Bluesky (Jeffrey Pfeffer) Power: Why Some People Have it and Others Don't  

Lokke Moerel is a leading global expert on new technologies, Artificial Intelligence (AI), Big Data, and the Internet of Things, as well as Morrison & Foerster's lead counsel on Binding Corporate Rules (BCR), with vast experience advising multinational companies in obtaining their BCR approvals throughout the EU. She has also authored the leading textbook on the subject, published by Oxford University Press.   We recorded this interview prior to the publication of the European Data Protection Board's opinion on AI models and GDPR principles, following both a discussion paper issued by Hamburg's Supervisory Authority (“Do LLMs contain personal data?”) and an announcement by the Irish Data Protection Commissioner that it would open an investigation into Google's PaLM model.   A separate interview on the same topic, with Jorge Garcia Herrero, was released last week on our Spanish-language channel. References: Do LLMs 'store' personal data? This is asking the wrong question (Lokke Moerel, Marijn Storm) Lokke Moerel on LinkedIn Lokke Moerel, Morrison & Foerster  EDPB opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models Discussion Paper: Large Language Models and Personal Data (Hamburgische Beauftragte für Datenschutz und Informationsfreiheit) Large Language Models do not store personal data: the LLM discussion paper of Hamburg's DPA with Dr. Markus Wünschelbaum (PrivacyPod) Data Protection Commission launches inquiry into Google AI model (DPC) ChatGPT provides false information about people, and OpenAI can't correct it (NOYB) Report of the work undertaken by the EDPB ChatGPT Taskforce (May 2024) [ES] Jorge García Herrero: ¿Contienen datos personales los LLM? ¿Cómo aplicamos el RGPD a los sistemas de IA generativa? (Masters of Privacy)

Are Personal AI Agents the future of individual empowerment? How can the evolution of digital identity make them a reality?  Jamie Smith is the CEO and Founder of Customer Futures, a company focused on digital identity and customer-controlled personal data. He has been working at the forefront of digital transformation for nearly 15 years, helping deliver innovative solutions for some of the world's largest organizations.  Jamie has previously worked at Evernym, Ctrl-Shift, BT and Deloitte, before embarking on various recent projects, always in the same space. References: Customer Futures - Newsletter  Jamie Smith on LinkedIn Icebreaker: an open, decentralized professional networking platform Adrian Doerk: digital identity, digital wallets, and data protection (Masters of Privacy) Gam Dias: On privacy, agency, convenience, and freedom (Masters of Privacy) Turning the Web3 Tech Stack into the Post Web Stack (Jamie Burke, Outlier Ventures) Anthropic: introducing Claude 3.5 Sonnet Google unveils Project Mariner: AI agents to use the web for you (Techcrunch) Top 3 Trends in Digital Identity: What's New in Standards, Privacy, & Institutional Adoption (Privado.id) Dazza Greenwood: When AI Agents Conduct Transactions Uniform Electronic Transactions Act

Has honour been restored to the Legitimate Interest legal basis after the CJEU Royal Dutch Tennis Association decision and subsequent EDPB Guidelines? Is the GDPR showing signs of rustiness? Has it instead become a new religion?  Rie Aleksandra Walle brings over seventeen years of professional experience across both the private and public sectors, having worked at Kristiania University College, Ernst & Young, Nordic Innovation and the Norwegian Agency for Public Management and eGovernment. Rie is behind the DPO Hub, which helps busy DPOs by offering concise summaries and key practical takeaways from key CJEU rulings, EDPB documents and DPA decisions, as well as by putting together a community around it. She is also the host of the Grumpy GDPR podcast. References: The Grumpy GDPR Podcast (NoTies Consulting) DPO Hub Rie Aleksandra Walle on LinkedIn Rie Aleksandra Walle on Bluesky KNLTB vs. Dutch DPA (CJEU decision) EDPB Guidelines 1/2024 on processing of personal data based on legitimate interest Guidelines on the technical scope of article 5.3 of the ePrivacy Directive Serious Privacy (Podcast): Comments on the KNLTB case and other updates  Peter Craddock: ePrivacy exceptions, advertising, analytics, the limits of consent and server-side processing (Masters of Privacy) Rie Aleksandra Walle: the DPO's guide to better resources, constructive debates, and a happier life (Masters of Privacy)

How is the role of the DPO (Data Protection/Privacy Officer) evolving in the US? What is the best approach to managing AI governance once a privacy program has been implemented? Matt Junod is a US privacy attorney and Florida native with a prior background in network engineering and security. He has worked in-house, rolling out and managing data protection programs as well as dealing with security and privacy compliance issues. Our guest has also served in privacy leadership roles since 2018, including the DPO position for a large technology services firm, and most recently a leading Internet job board. References: Matt Junod on LinkedIn EU Commission's General-Purpose AI Code of Practice NIST AI Risk Management Framework Joe Biden's Executive Order on Artificial Intelligence Elon Musk's X is changing its privacy policy to allow third parties to train AI on your posts (Techcrunch)

Robert Bateman is a data protection writer, trainer, and consultant. He has published innumerable articles on the topic, as well as led panel discussions and interviewed key well-known figures in the space on stage, at well-known privacy conferences. Besides freelancing as content creator, he is an associate with Act Now Training and a Subject Matter Expert with Heward Mills, a data protection consultancy.  With Robert, who's here for a second time, we are going to revisit recent EDPB (or European Data Protection Board) opinions on data processor auditing requirements and Meta's Consent or Pay model, with its latest twist in mind (a brand new third option with generic, unskippable ads). References: Robert Bateman on LinkedIn EDPB Opinion 22/2024 on certain obligations following from the reliance on processors and sub-processors Meta adds a Plan C to its Pay or Consent model EDPB Guidelines on the technical scope of article 5.3 of the ePrivacy Directive Robert Bateman: Consent or Pay (Masters of Privacy, October 2023)

Time for a Newsroom summarizing everything that's happened in our usual areas of focus, although we are dropping the last two (Zero-Party Data and Future of media) this time around.  ePrivacy & Regulatory Updates Enforcement On September 5th, the CNIL fined CEGEDIM SANTÉ 800,000 euros for processing health data without authorization. The healthcare software provider collected sensitive personal information, assigning a unique identifier for each patient of the same doctor. This method was considered sufficient to ensure that personal data remained anonymous in order to put together certain comparative studies, but the CNIL concluded that, given the risk of re-identification, it could merely be considered pseudonymized, exposing a breach of the GDPR as a result (for starters, patients had not been informed of additional purposes). A Reference was made to the EDPB's Opinion 05/2014 on Anonymisation Techniques.  On September 27th The Irish DPC issued a 91 million euro fine to Meta for storing certain user passwords in plain text files.  On October 22nd, NOYB filed a claim against Pinterest before the French supervisory authority alleging that the company relies on legitimate interest to underpin its behavioral advertising practices, in contravention of the CJEU Bundeskartellamt decision. The social network has also been accused of breaching the transparency principle and not responding to data subject requests appropriately.  On October 24th, the Irish DPC imposed a 310m EUR fine on LinkedIn. The professional social network is not properly applying a valid legal basis for targeted ads and the processing of first party data about their members, despite referring to three separate grounds: consent, legitimate interest and contractual necessity. This has also resulted in a breach of the fairness principle. On October 30th, the California Privacy Protection Agency announced an investigative sweep of data broker registration compliance under the Delete Act. This law requires data brokers to register with the CPPA and pay a fee annually.  On November 6th, the Canadian government ordered the closure of TikTok in the country. Citizens are however allowed to keep using the app, as this is considered a personal choice.  Legal updates and guidelines On October 4th, the CJEU resolved a famous dispute between the Royal Dutch Lawn Tennis Association and the Dutch DPA. The latter had imposed a fine on KNLTB for relying on legitimate interest for sharing data with its sponsors for purposes of direct marketing. Five days later, the EDPB requested comments on its draft Opinion on processing data on the basis of Legitimate Interest: It is made clear that this legal basis should not be treated as a “last resort” as it is of equal value to the rest, and a differentiation is made between an interest (or broader benefit that a controller may have) and a purpose (or specific reason why the data is processed). The Opinion has also stated that an interest must be related to the data controller's activities. On the same day (October 9th), the EDPB adopted its Opinion 22/2024 on certain obligations following from the reliance on processors and sub-processors: every controller should extend the diligence they currently have over direct processors to the entire chain of custody, no matter how many degrees apart.  On October 16th, the EDPB adopted new Guidelines on the technical scope of article 5.3 of the ePrivacy Directive: given that very little has changed since they opened up an initial draft for comments, we recorded a separate episode with Peter Craddock pondering the far reaching implications of these Guidelines.  Turning our attention to the UK, on October 7th the UK ICO launched its own Data Protection Audit Framework including self-assessment toolkits and other practical resources.  Also, the UK Data Protection reform is back, now with a Data Use and Access Bill (with a second reading announced on November 1st). It maintains an exception for analytics cookies that will not require consent. DPOs are back on the table (the previous reform proposal was getting rid of the role).  On November 5th EDPB adopted its first report under the EU-U.S. Data Privacy Framework and a statement on the recommendations on access to data for law enforcement. The redress mechanism has been implemented successfully but it is yet not being widely used. The EDPB has voiced concerns about recent changes to Section 702 FISA and how that could expand the role of private companies in gathering data about EU citizens.  MarTech and AdTech On November 12th, Meta introduced a plan C to its Pay or Consent models, having been told by the EDPB that the current proposal would not be acceptable. A third option (besides paying and relying on behavioral ads) is now available which will use less data and remain mostly contextual. It will also compensate its decreased targeting capabilities with increased audience reach by showing ads (“ad breaks”) that become unskippable for a few seconds. A study conducted by Boston University has concluded that the Protected Audiences API (building on the formerly called FLEDGE protocol, a part of Chrome's Privacy Sandbox), can produce similar results to those of third party cookies in the context of retargeting campaigns.  On November 5th, David Raab, who back in the day had coined the label CDP (Customer Data Platform), published a provocative piece titled “The Composable CDP is Dead”. In summary the author argues that all CDPs have already caught up with the modularization that came from sitting on top of more flexible data warehouses, so every single CDP has either become a niche modular component or an all-encompassing, highly-modularized software suite. In sum, the term will not help a Hightouch differentiate itself uniquely any longer. We suggest that you listen to our interviews with Tejas Manohar and Jonathan Mendez, CEOs of Hightouch and Neuralift AI respectively, for further context.  AI, Competition and Digital Markets The community is still recovering from Hamburg's DPA's opinion (adopted on July 15th) stating that LLMs do not contain personal data. The supervisory authority made three key points that we will be covering with some future guests: a) No personal data is stored in LLMs; b) Data subject rights as defined in the GDPR cannot relate to the model itself, but they can be exercised against the provider or deployer of a system built on top of such models, with regards to the input or output of such system; c) The training of LLMs using personal data must comply with data protection regulations.  The Irish DPC announced an investigation into Google's foundational AI model (PaLM 2) on September 12th, with a focus on the DPIA that Google is expected to have undertaken.  An ICO report released on November 8th found that AI recruitment technologies can filter candidates according to protected characteristics including race, gender, and sexual orientation. On November 13th, Meta received an 800,000 EUR fine for anti-competitive practices in the bundling of its Marketplace feature with the primary Facebook application. So, they have leveraged their control over one market to take control of another, adjacent market, in this case threatening pretty large companies in the classified ads space. That's it for today! Thanks again for listening.  

The EDPB has finally adopted its much feared Guidelines on the scope of article 5.3 of the ePrivacy Directive, but consent may still be avoided in some cases not specifically covered by an exemption (e.g., analytics). Absent such an exception, and in light of dismal consent rates, publishers and platforms have embraced highly controversial “Consent or Pay” models. Plan C? Server-side processing (Conversion APIs, Enhanced Conversions, Data Clean Rooms…), not without its own challenges. We have gone through all of it with Peter Craddock in his second appearance on Masters of Privacy.  Peter Craddock is a lawyer as well as a software developer, and he uses this dual background to help clients find legal solutions to technical problems and technical solutions to legal problems. He is based in Brussels and helps international companies with their global data strategy and with EU data litigation. He notably has strong expertise in the legal aspects of digital advertising and adtech, and has been one of the most prominent commentators of recent legal developments in that area. References: Peter Craddock on LinkedIn Op-Ed: A critical analysis of the EDPB's "Pay or Consent" Opinion (Peter Craddock) Peter Craddock: Comparison of the final version of the EDPB's ePrivacy guidelines with the version of November 2023 (including links to more in-depth comments on those guidelines) EDPB Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms AEPD guidelines for the use of cookies without need for consent in the context of digital analytics (ES) Peter Craddock on Masters of Privacy (February 2024): Could core advertising components fall under the “strictly necessary” exemption of the ePrivacy Directive? Romain Robert: Pay or OK in AdTech - How it started and where it's going (Masters of Privacy) Renzo Marchini: Unintended consequences of the EDPB guidelines on storage and access under article 5.3 of the ePrivacy Directive (Masters of Privacy)  Cristiana Santos and Victor Morel: The problem with CMPs and TCF-based cookie paywalls (Masters of Privacy) Robert Bateman: Consent or Pay (Masters of Privacy) Peter Hense: How first party data will kill CMPs (Masters of Privacy)

Dr Lukasz Olejnik (@lukOlejnik), LL.M, is an independent cybersecurity, privacy and data protection researcher and consultant. Senior Visiting Research Fellow of the Department of War Studies, King's College London. He holds a Computer Science PhD at INRIA (French Institute for Research in Digital Science and Technology), and LL.M. from University of Edinburgh. He worked at CERN (European Organisation for Nuclear Research), and was a research associate at University College London. He was associated with Princeton's Center for Information Technology Policy, and Oxford's Centre for Technology and Global Affairs. He was a member of the W3C Technical Architecture Group. Former cyberwarfare advisor at the International Committee of the Red Cross in Geneva, where he worked on the humanitarian consequences of cyber operations. Author of scientific articles, op-eds, analyses, and books Philosophy of Cybersecurity, and “Propaganda”. He contributes public commentary to international media. References: Full interview transcript (on Medium) Propaganda, by Lukasz Olejnik Lukasz Olejnik on Cyber, Privacy and Tech Policy Critique (Newsletter) Lukasz Olejnik on Mastodon Lukasz Olejnik on X EU Digital Services Act (DSA)  Section 230 (“Protection for private blocking and screening of offensive material“)  of the Communications Decency Act (1996) Cubby, Inc. v. CompuServe Inc. and Stratton Oakmont, Inc. v. Prodigy Services Co. as precursors to Section 230 Doppelganger in action: Sanctions for Russian disinformation linked to Kate rumours EU takes shot at Musk over Trump interview — and EU takes shot at Musk over Trump interview — and misses (Politico) The story of Pavel Rubtsov (“Journalist or Russian spy? The strange case of Pablo González”), The Guardian Silicon Valley, The New Lobbying Monster (mentioning Chris Lehane's campaigns), The New Yorker Financial Times: Clip purporting to show a Haitian voting in Georgia is among ‘Moscow's broader efforts' to sway the race “Pseudo-media”:  Spain proposes tightening rules on media to tackle fake news  

Can we leverage AI-generated synthetic data as a privacy-enhancing or data anonymization solution? How compatible is it with Data Clean Rooms? Will there be a path to effectively anonymize unstructured data? Ben Winokur is the co-founder and CEO of Subsalt, the leading platform for anonymous synthetic data. Prior to Subsalt, Ben worked in a variety of legal, product, and operational roles at Passport, where he first encountered the problem Subsalt solves: privacy and security risks have made it too expensive and difficult to access, share, and analyze sensitive private data. References: Ben Winour on LinkedIn Subsalt Jonathan Mendez and Alex Dean: Data Clean Rooms: Feature, Product or Platform? European Data Protection Supervisor: TechSonar report on Synthetic Data (and its use as a Privacy Enhancing Technology)  

Monica Meiterman-Rodriguez is a Partner at Tueoris, an international privacy and security consulting firm, currently residing in Barcelona. She utilizes her US law degree and her experience in data protection and privacy to assist global clients in developing, maintaining, or growing their privacy programs. She has experience supporting compliance across global regulations including US state and federal requirements, EU/UK GDPR, PIPEDA, LGPD, etc. in addition to advising on specialized matters in the AdTech space such as targeted advertising, data analytics, AI and growing industry guidance (e.g., IAB, DAA, etc.). Monica is a member of the New York State Bar, New Jersey State Bar, as well as a Certified Information Privacy Professional (CIPP/US/E) and the Chapter Chair of the IAPP in Barcelona (Spain). References: Monica Meiterman on LinkedIn California Consumer Privacy Act EDPB Guidelines 01/2022 on data subject rights - Right of access GDPR Violation: German Privacy Regulator Fines 1&1 Telecom(BankInfoSecurity) Groupon Ireland Operations Limited – March 2024: the DPC finds that Groupon infringed Article 5(1)(c) GDPR by having initially required the complainant to provide a copy of their ID in order to verify their identity for the purposes of their access and erasure requests.

Simon Hania is Global Data Protection Officer at Uber, heading the team that independently advises on and monitors Ubers compliance with data protection laws. In the past Simon held the position of VP Privacy & Security at TomTom and before that various positions in IT service management. Simon is a trained engineer who has learned to love the law. References: Simon Hania on LinkedIn Masters of Privacy Summer Newsroom, covering Uber's $290 EUR fine in The Netherlands Glovo (food delivery) receives a 500k EUR AEPD fine for sending rider location data across borders (started in Italy) FTC Finalizes Order with X-Mode and Successor Outlogic Prohibiting it from Sharing or Selling Sensitive Location Data Uber Ads

The IAPP's annual “Privacy. Security. Risk.” event took place in Los Angeles last week. Both Celine Takatsuno and Sergio Maldonado attended, took some notes, and now share their experiences and takeaways.  References: Sergio Maldonado (Medium): PSR 2024 Takeaway (DPAs, Vendor Audits, MHMD Act) Mike Hintze: Blog post series on Washington State's My Health My Data Act IAPP: Agenda and speakers at PSR 2024.  

Jonathan Mendez has been a founder and leader in Adtech and Martech for two decades, with a focus on building first-party data products to optimize media performance.  He is the founder and CEO at Neuralift AI, having prior to that been Chief Digital Officer at a major cruise line, and having also spent five years building composable CDPs (Customer Data Platform) for global retail brands and telcos. He was also the Founder and CEO of Yieldbot, which in 2016 was the fourth largest Digital Advertising Network. He was also the CSO at Offermatica, eventually acquired by Omniture, now part of Adobe.  Jonathan's blog has been active for 17 years and is a recognized source of insights into AdTech, MarTech or Media. References: Jonathan Mendez (blog): Optimize & Prophesize Neuralift AI Jonathan Mendez on X Jonathan Mendez on LinkedIn Tejas Manohar (Hightouch): data activation and composable CDPs in a privacy-first world (Masters of Privacy) Nicola Newitt (Infosum): the legal case for Data Clean Rooms (Masters of Privacy) Matthias Eigenmann (Decentriq): Confidential Computing, contractual relationships and legal bases for Data Clean Rooms (Masters of Privacy)  

What extra steps should data processors and controllers worry about now that every cloud-based tool is somehow AI-powered?  A basic transparency principle is common across FIPPs, governance frameworks and existing AI regulations (EU, Colorado), but even that can sometimes become a luxury.  Attorney Heidi Saas (CIPP/US) has over eighteen years of experience in consumer rights, six years in data privacy, and three years of ethical AI and governance experience. Her projects currently involve working with CEOs, CTOs, CISOs, DPOs, and CMOs of companies in various industries on regulatory strategy, privacy program designs, risk management, implementation, and monetization of data assets within their privacy ecosystems. She also works with businesses to provide ethical AI advisory, and pre-audit consulting services, as well as regulatory compliance, legal consulting, and public speaking events. References: Heidi Saas on LinkedIn Colorado AI Bill (Consumer Protections in Interactions with Artificial Intelligence) Fair Information Practice Principles (FIPPs) Twilio Under Investigation for Data Breach of Over 33 Million Authy MFA Users Medicaid for millions in U.S. hinges on Deloitte systems plagued by errors  

This is our second interview analyzing the impact of Google's decision not to deprecate third-party cookies on its Chrome browser. Daniel Jaye is a seasoned technology industry executive and currently is CEO and founder of Aqfer, a Marketing Data Platform on top of which businesses can build their own MarTech and AdTech solutions.  Daniel has provided strategic, tactical and technology advisory services to a wide range of marketing technology and big data companies. Clients have included Brave Browser, Altiscale, ShareThis, Ghostery, OwnerIQ, Netezza, Akamai, and Tremor Media. He was the founder and CEO of Korrelate, a leading automotive marketing attribution company -purchased by J.D. Power in 2014- as well as the former president of TACODA -bought by AOL in 2007. Daniel was also the founder and CTO of Permissus, an enterprise privacy compliance technology provider.  All of the above were preceded by his role as founder and CTO of Engage, acting CTO of CMGI and director of High Performance Computing at Fidelity Investments. He also worked at Epsilon and Accenture (formerly Andersen Consulting).  Daniel Jaye graduated magna cum laude with a BA in Astronomy and Astrophysics and Physics from Harvard University.   References: Daniel Jaye on LinkedIn Aqfer P3P: Platform for Privacy Preferences (W3C) Luke Mulks (Brave Browser) on Masters of Privacy Adnostic: Privacy Preserving Targeted Advertising (paper by Vincent Toubiana, Arvind Narayanan, Dan Boneh, Helen Nissenbaum, Solon Barocas)

Earlier this summer, Google announced that its Chrome browser would after all keep third party cookies. This interview with Robin de Wouters is the first of two episodes exploring the consequences of that update from the point of view of our usual stakeholders (DPOs, CMOs, CDOs).  Robin de Wouters is the Director General for the Federation of European Data & Marketing (FEDMA), in Brussels. He has a strong background in communication and public relations across the private, non-profit and institutional spheres. He previously worked in the field of human rights with Euromed Rights, the ONE Campaign and the United Nations. Robin is also the Vice-Chair of the Board of the European Interactive Digital Advertising Alliance (EDAA) and the Communications Director and Spokesperson for Democrats Abroad Belgium, the international arm of the US Democratic Party. References: Federation of European Data and Marketing (FEDMA) Robin de Wouters on LinkedIn Sergio Maldonado, Nobody was ready for the Privacy Sandbox, but deprecating cookie banners is long overdue Google announces they are not deprecating third-party cookies Peter Cradock (Masters of Privacy): Could core advertising components fall under the “strictly necessary” ePrivacy exemption?  CNIL publishes study on alternatives to third-party advertising cookies (Freevacy)  

Ok, the summer is nearly over, which means it is time for a Newsroom summarizing everything that's happened in the last two months at the intersection of marketing, data, privacy and technology.  California and the FTC have more specific weight on our list this time around - perhaps because much of Europe, including regulators and hackers, was OOO during the entire month of August. So, expect to hear about: A CDP (Segment) being sued for its data collection practices Uber's Catch-22 The FTC discards hashing as a means of anonymization  Chrome could be forced to support Global Privacy Control The AI Bill drama in California. (And yes, also about Google's monopoly, the resilience of 3rd party cookies and Apple's DMA struggles, but only in passing, as you've probably had enough of those.) Expect us to follow the usual structure: ePrivacy & Regulatory Updates; MarTech & AdTech; AI, Competition and Digital Markets; Zero-Party Data and Customer Centricity; Future of Media.  With Celine Takatsuno and Sergio Maldonado. References: Sergio Maldonado, Nobody was ready for the Privacy Sandbox, but deprecating cookie banners is long overdue (ie., third party cookies are not going away) Class action was filed against Twilio in California Uber received a $290m euro fine in The Netherlands The Federal Trade Commission audited hundreds of websites and apps, finding all sorts of dark patterns Controversial California AI Bill California passes another law that, if signed, will require browsers to implement Global Privacy Control standards FTC: Hashing email addresses does not result in anonymized data  Netflix announces data collaboration partnerships Apple tries a little harder to appease the EU Commission with additional Digital Markets Act measures Also, find a full blog post on the Masters of Privacy website.

Jay Averitt is currently a Senior Privacy Product Manager at Microsoft, where he manages technical privacy reviews involving Microsoft365 products including CoPilot, GPT, and other LLM products. He was previously a Privacy Engineer at Twitter, where he managed technical privacy reviews across the platform. He's been working in privacy for over a decade as both a privacy technologist and a privacy attorney. Before switching to technical privacy, he worked as a technology counsel at SAP, SAS, and Lenovo.   References: Jay Averitt on LinkedIn NIST, Privacy Engineering Program Daniel J. Solove, Against Privacy Essentialism María P. Angel and Ryan Calo, Distinguishing Privacy Law: A Critique of Privacy as Social Taxonomy Sergio Maldonado, Some takeaways from PEPR'24 (USENIX Conference on Privacy Engineering Practice and Respect 2024)

Nick Manning is a commentator, author and speaker on advertising, with a specialization in media. He co-founded Manning Gottlieb Media in 1990, and following its purchase by Omnicom he became CEO of the OMD UK Group.  He also co-founded OPera, the media negotiation arm for OMD and PHD. In 2007 Nick joined Ebiquity as Chief Operating Officer before becoming responsible for Ebiquity's non-UK based operations and Chief Strategy Officer. At Ebiquity he led the team that produced the recommendations for advertisers that accompanied the K2 Intelligence report into media transparency in 2016.  Since 2019 he has run his own consulting business, advising advertisers and their trade associations. Nick specializes in helping advertisers improve their effectiveness, accountability and transparency. References: Advertising, Who Cares? A Summit event happening at London's Royal Society of Arts on September 12th 2024, aiming to discuss possible solutions around five topics: Business models; Trading, Transparency and Trust; Measurement and Accountability; Recruitment and Well-Being; Brands and Journalism.  Nick Manning's Encyclomedia, “fractional” Chief Media Officer services. Nick Manning on X Nick Manning on LinkedIn Arielle Garcia on Masters of Privacy Sergio Maldonado, How we tried to fix advertising, ecommerce, and media by putting people in control of their data Augustine Fou on Masters of Privacy  

Tony Fish is an investor, author and self-confessed maverick. He has been building digital businesses since 1990, with a first exit in 1995 and many businesses founded, co-founded, sold and listed after that. He thrives in complex, groundbreaking and uncertain environments, being currently focused on rethinking corporate governance models, ethics and AI, data policy and evidence-based decision making in volatile situations. He is a speaker and author of four books, as well as a visiting fellow for entrepreneurship and innovation at Henley Business School, has taught at London Business School in AI and Ethics, the London School of Economics and Sydney Business School. His latest book (“Decision-making in uncertain times”) has been widely available since early June. References:  Tony Fish, Decision-making in uncertain times  Tony Fish, Why is data eating your culture before breakfast My Digital Footprint, a blog by Tony Fish  Open Governance (Tony Fish on Medium) Tony Fish on LinkedIn Distinguishing Privacy Law: A Critique of Privacy as Social Taxonomy (María P. Angel, Ryan Calo).

We are closing this season with a Spring Newsroom before we officially kick off the summer, summarizing everything that's happened in the past quarter across our usual five sections: ePrivacy (enforcement, regulatory updates), MarTech/ AdTech, AI/ Competition/ Digital Markets, PETs/ Zero-Party Data, Future of media.  This includes: EDPB's ChatGPT Task Force report EU Digital Wallets Privacy Sandbox news EU Commission vs. Apple's App Store LLM updates (Llama3, GPT 4o, Gemini, Apple Intelligence) Meta AI *not* training on EU user data Mozilla's acquisition of Anonym Oracle's exit from AdTech Revolut ads Microsoft Copilot+ Recall retreat The Trade Desk's curated list of publishers FCC fines to telecom operators for the sale of location data Consent or Pay news TikTok ban. A full transcript with links and additional resources can be found on the PrivacyCloud blog.   

John Cavanaugh is a founding member of the Plunk Foundation, a non-profit dedicated to empowering individuals and communities so they have autonomy over their digital identities and protect their sensitive information. John is helping promote digital data privacy for women, children, veterans, and marginalized communities. Our mission today: exploring a grassroots approach to privacy or data protection. References: Plunk Foundation John Cavanaugh on LinkedIn Doctor Ruha Benjamin, Race after Technology Village of Evendale (Cincinnati)  

Adrian Doerk is co-founder of Lissi GmbH and co-coordinator of the IDunion research project. He has extensive experience in the rollout of digital wallets, specializing in the European digital identity wallet (EUDI-Wallet) under the eIDAS 2.0 Regulation.  Adrian has helped us answer a few important questions on this topic: How much of our lives will soon be intermediated through digital wallets or digital identities? What is “selective disclosure”? What are the privacy risks? What are the challenges of decentralization? References: Adrian Doerk on LinkedIn eIDAS 2.0 Regulation Lissi IDunion research project  

Does the inclusion of both a private right of action and a general preemption of overlapping state laws (not limited to privacy, but also including AI or confidential information) condemn the APRA to the fire? Brian Focht is a cybersecurity and data privacy attorney practicing in Charlotte, North Carolina. His legal practice is focused on helping clients ranging from individuals to international corporations, and involves nearly every aspect of law that touches on cybersecurity and data privacy, including identity theft, internal corporate policies and procedures, data breach response and recovery, and litigation. He is a 2003 Graduate of the University of North Carolina at Chapel Hill, a 2007 Graduate of the Wake Forest University School of Law, and a Certified Information Privacy Professional (U.S.) and AI Governance Professional. In addition to his legal practice, he is the founder and co-host of the Fearless Paranoia podcast, which attempts to make the world of cybersecurity more accessible and understandable to those not in the IT industry. On top of that, Brian maintains the Resilience Cybersecurity and Data Privacy blog, offering tips and suggestions for keeping yourself safe in the increasingly hazardous digital world. References: Law Offices of Brian C. Focht Brian Focht on LinkedIn Updated text of the American Privacy Rights Act (May 2024)  Biometric Information Privacy Act (Illinois) My Health My Data: Addressing the collection, sharing, and selling of consumer health data (Washington) EU-US Data Privacy Framework EFF: Sunsetting Section 230 Will Hurt Internet Users, Not Big Tech  Colorado's new AI Act (Hogan Lovells) Vermont Legislature passes data privacy bill that could shape national efforts (Vermont Public) Fearless Paranoia (Podcast)

Can Google overcome competition and performance concerns to make the Privacy Sandbox a reality? Does it really matter in terms of privacy compliance, in the face of the EU ePrivacy Directive? How would Universal Opt-Outs affect the Topics API in the US? Alan Chapell is outside privacy and AI counsel for dozens of AdTech and Mart¿Tech companies. He started his career in the digital space in 1997 at Jupiter Research and is now the principal analyst at The Chapell Report, which is a monthly report focusing on the intersection between privacy, competition, addressability and AI in the digital media space.  Mr. Chapell is board chair of the Network Advertising Initiative, the premier trade association for 3rd party AdTech marketplace. He is also an accomplished musician. His band, “Chapell”, is about to release their 7th album, “The Underground Music Show”, on all major streaming services. References: Chapell & Associates and The Chapell Report UK Competition and Markets Authority update report (April 2024) on Google Chrome's implementation of the Privacy Sandbox Privacy Sandbox (documentation) CNIL's report on the Privacy Sandbox (July 2023)  Global Privacy Control (Universal Opt-Out Mechanism) Peter Craddock: Could core advertising components fall under the “strictly necessary” exception in the ePrivacy Directive? (Masters of Privacy) Network Advertising Initiative Chapell on Spotify

“There is a UK AI Regulation - It is called the UK GDPR” (John Edwards, February 2024). Stephen Almond is Executive Director for Regulatory Risk at the UK's Information Commissioner's Office (ICO), leading the teams charged with engineering information rights into the fabric of new ideas, technologies and business models as part of our dynamic digital economy, including through the Digital Regulation Cooperation Forum. Prior to joining the ICO, Stephen led a World Economic Forum initiative to promote the adoption of a more agile, innovation-enabling approach to regulation with governments and tech firms worldwide. He previously worked in leadership roles across the UK Government, including creation of the White Paper on Regulation for the Fourth Industrial Revolution and roll-out of the Regulators' Pioneer Fund, which invested in regulatory sandboxes and similar initiatives to unlock technological innovation. References: Technology and Innovation Directorate at the ICO ICO: Guidance on AI and data protection  ICO: Draft Guidance on Privacy Enhancing Technologies (PETs)  Dragos Tudorache: dealing with foundation models, data protection and copyright in the AI Act (Masters of Privacy)