Apple drew first blood with iOS 14.5 and its new tracking consent requirements. In the other court, Facebook and some of the other advertisers are punching back. On top of that, Bill C-11 is on the horizon in Canada to take privacy laws to the next level. Is strengthening privacy laws good for the end-consumer? For brands?
Once again, we invited Andrew Di Lullo, managing principal of Listrom Di Lullo—listromdilullo.com—to talk about this important topic.
Recorded on June 25th, 2021
Brad Breininger: 0:00
Hi, everyone, and welcome to this week’s Everything is Brand. This week, we’re really happy to invite Andrew Di Lullo, from Listrom Di Lullo again, to join the podcast to talk about privacy and beyond. How deep do brands go? Let’s get going. All right, Andrew, welcome back to the podcast. We’re so happy to have you again.
Andrew DiLullo:
It’s great to be here. Thank you.
Brad Breininger:
What we want to talk about today is that privacy and beyond and what brands need to do with privacy going forward. Apple drew first blood when they came out and expected consent for anyone who has an advertiser follow them. And even if you look at some of their advertising now, they have that great ad where people are following you around. And in the other court, you had Facebook and some of the big advertisers punching back a little bit and saying, why do we need to do this? And on top of all of that, Bill C-11 is on the horizon in Canada to take privacy laws to the next level. So there’s a lot going on in the privacy world. So we’re happy to have you here to talk about it a little bit more. Why don’t we break it down for listeners a little bit and start by talking about what some of the features of Bill C-11 are and what could potentially happen in Canada?
Andrew DiLullo:
Sure, I’d be happy to do that. So Bill C-11 is not law yet. It’s still being decided on in the House of Commons, but been fairly positively received. And when it does pass, it will probably be passed in the form similar to its current form. And it just represents this evolution of privacy law, the various G7 nations leapfrogging each other getting to where privacy law ought to be relative to the state of play. And so C-11 is an update, of course, to Canadian privacy law, leapfrog sort of the GDPR and it rests on what I would say is three pillars of update, which would be recentering consent, as the most important aspect of the consumer-business relationship, the consumer’s consent, I should say, giving our privacy laws some teeth so actual penalties and fines that can be levied under the law itself, then also taking steps towards making the use of consumer data or private data transparent. So there’s no secret sauce, no hidden algorithm, no Cambridge Analytica, combating that aspect of data usage.
Brad Breininger:
So it’s really about expanding what we’ve meant by privacy. In a way we’ve kind of had these, let’s call them low-cal privacy laws in place. And this adds a little bit of meat on the bones. Is that what you’re saying?
Andrew DiLullo:
Oh, definitely. Yeah, I mean, our privacy law in Canada was fairly good in terms of the principles it was attempting to advance and the model codes that it was using, but our Privacy Commissioner didn’t really have the ability to do anything other than advise; they weren’t able to enforce directly. And there was no such thing as a private right of action from citizens who discovered that their data had been misused in some way. And so C-11 will update our privacy law to give that enforcement ability so that we can start enforcing and asserting our values, not just merely expressing them.
Brad Breininger:
So in your opinion, why do you think some brands are fighting back against what’s going on with this deeper privacy and requiring consent? They have a lot to lose, right, when it comes to advertising and access to people’s personal information?
Andrew DiLullo:
Absolutely. I mean, they probably stood to risk quite a bit when they’re holding onto this, all of this personal information. But as we’ve seen over the past few years, the amount of useful information you can glean from the data that you can scrape from a casual consumer interaction or from partially unsecure social media network is extraordinary. The amount that you can learn about an individual person or even a small population of people within a tight geographic area is extraordinary. I can absolutely see why brands and particularly those businesses, which procure and curate the data for brands are very much interested in maintaining the current state of play, because, you know, also Apple’s private activity are all about defanging and neutering that kind of activity and making it arguably significantly less valuable.
Gabi Gomes:
So from an advertising perspective, I’m assuming that we’re gonna see the biggest shift in advertising, essentially, where right now we’re able to target really specifically based on all of that data, age, persona, whatever, do you feel that we’re going to see a bit of a broader shift to more broader advertising and less probably personalization down to because data points won’t be so readily available? Is that what you’re seeing, at least on the advertising side of that happening?
Andrew DiLullo:
That’s absolutely one way that it could go. An easy way for it to go is of course to, as you said, expand or water down or make more broadly accessible, the brand that you’re trying to present and the materials that you’re producing in support of that brand, because that requires less personally identifiable or specifically identifiable information. But it could also go the other way, where if you accept that you’re not, you can still create these hyper-targeted ads or brand extensions, you just don’t know where you’re targeting them to, right? So it’s still possible to heavily de-identified data, create a model consumer based on that heavily de-identified data and produce a brand outreach plan targeted to that consumer. But you won’t know where that consumer is, you won’t know what sort of community they were part of, you won’t know exactly where your SEO should be targeted or where your billboard should be hosted. So depending upon your strategy, your branding strategy, and how much money you’re willing to throw at the problem, you could continue to do this hyper-targeted stuff, it would just exist as a hyper-targeted idea without the bullseye.
Gabi Gomes:
Needle in a haystack. Yep.
Andrew DiLullo:
So does that mean, really the data is still being collected it’s just being a little bit less of a personal I guess, where they don’t, they don’t really know where it’s coming from, per se. But they’re still collecting that data, so they won’t be able to target as easily, but they still have the information they need. Is that the case? Yeah, there is still a middle ground where heavily de-identified data in Bill C-11, but also in other draft policies can be collected and used, because the balancing act is to permit branders, marketers, advertisers, data researchers to still collect information, but to use it in a more ethically sound way, or at least a way that’s more reasonably compliant with consumer expectations, right? That’s probably one of the more heavily debated aspects of C-11. Because, of course, there are some consumers who are out there, and they want absolutely no data about me whatsoever. Even if it’s de-identified, I don’t want anything that I give to you to be used for any purpose, though, there are some people who want Bill C-11 to go even further. But there is that aspect of de-identifying as, again, as we’ve learned from the Cambridge Analytica experience, even heavily sketchy, incomplete data in sufficient quantities can get you some really useful stuff, right?
Gabi Gomes:
Or maneuver elections.
Brad Breininger:
Let’s Yeah, right. I mean, that brings up a really good point, and that is advertisers and brands are one side of this coin. But the other side of this coin is politics and elections, and even international spying and international information, CSIS and the FBI and all that kind of things. What are your thoughts, Andrew, on that side? Is C-11 being implemented not only for the advertisers, but to maybe quell some of the fake news that’s been flowing around during these elections, and highly accurate targeting of political messaging to groups that are very susceptible to it?
Andrew DiLullo:
I mean, there are provisions in C-11, which could be used to that effect. I don’t know if that’s necessarily the intention of the bill, because it is a very consumer-focused bill. And a lot of the legislative intent, it’s definitely giving consumers control and the authority over their data once again. But absolutely, if inherent in these bad actors attempting to act in the political sphere, they’re probably going to run afoul of certain provisions in C-11. And now that there’s teeth under C-11, and private rights of action, they’ll actually be able to be punished. Probably the government is going to address politics and international espionage and all sorts of things like that, in more focused, more targeted bills, such as the hate speech bill, which they announced a couple of days ago, right, targeting the problem with online harassment, which is related to but separate from privacy. So really, what you’re saying is that there will be a suite of bills or a suite of legislation that covers all of these things that have been going on over the last several years. Oh, yeah, absolutely. Privacy is a moving target. And as I said, all the G7 nations are attempting to leapfrog one another, as time goes on, how far can we go? How much do we need to pare back or control? They say, oh, no, that wasn’t quite enough. It’s going to be an evolving conversation. This is just the next step.
Brad Breininger:
So one of the key features of C-11 and other legislation, whether it’s private or rules and regulations or legislation in different countries, one of the biggest elements of this is the idea of consent, giving your consent to give access for your information. So are we going to see two groups of data, the data that’s hidden where people haven’t given consent? And then those who do give consent? Are they going to get more targeted ads? Are they going to be part of broader campaigns where the brands can go deeper with them? Because they have access to even more information?
Andrew DiLullo:
Yeah, I think that’s almost exactly what would happen. Those individuals who do consent and who do give consent for their data to be used in these particular expressed ways. Yeah, they’re going to find that brands and companies are exploiting that ability.
Gabi Gomes:
I’ve got one on this one, because, honestly, I don’t know what website I have entered or anything but it is literally if you want to play or you want to use that platform or game or whatever it is, you’ve got an encyclopedia of terms and conditions that you have got to sign off. And essentially, I for the most part, read probably page one, page two skim, they’re kind of all there. But I think that brands if they want to put something in there, they will put something in there. We’re so complacent now, just click and accept terms I don’t know, people who actually read it end to end and say, how is my stuff going to get used? It comes up after if there’s been a breach if there’s been something else, but for example, super popular to have all these cartoon characters of your face done, right? And if you think about it, most people are just innocently, oh, it’s like a gimmick, get my face characterized, blah, blah, blah. However, what they are collecting that app is collecting our facial data points. We’re not talking about age, we’re not talking about your date of birth, we’re talking about facial recognition now that they are collecting. Do people really understand that they probably signed off on terms and conditions and said, yes, I would like to use this, click, done. Is there anything being done in C-11 with stuff like that, like malicious intent for the use of that? And do we still feel that, at least I feel personally, from a policy and judicial perspective that we’re always behind the eight ball when it comes to privacy and legislation? Do you feel that we’re a little bit more ahead at this point or on par? And do you see a commitment being made within the lawmakers to stay on top of that, rather than always playing a catch-up game?
Andrew DiLullo:
No, I think that legislature is comfortable being slightly behind the times. And that’s because it’s difficult to legislate so proactively. This is absolutely an advance, in the sense that this is a half measure, but in other senses, it goes beyond the GDPR quite assertively. And so this sort of leapfrogging process is probably how privacy law’s going to work. It’s the classic Red Queen’s race, you have to run, do all the running you can just to stay in place. That’s the dynamic between private industry and their ability to find and exploit new sources of data versus legislature evaluating these methods and figuring out whether they’re kosher or not. So a little bit behind the eight ball at all times, the express consent requirements are much stronger. So this covert, yes, we will give you a cartoon of your face, but we’re also going to secretly train the Chicago PD as to how to identify faces, that’s probably out. If an organization were to be discovered doing that there would be penalties under C-11 as drafted. The other thing I should mention is that C-11 argues that Canada can enforce this internationally, this privacy law. So Chicago PD wasn’t facetious, there could actually be something there. I think that there is definitely an attempt to clamp down on this malicious acting. Look at this your street name when you were a child and your pet’s first name, because they’re fishing for identifiable, that’s always going to exist, but there’s going to be increasingly targeted penalties for that kind of action. And not just under privacy law, but under anti-fraud or anti-exploitation laws as well.
Christian Rosenthal | ZYNC:
Andrew, going back to consent piece, we’ve talked a lot about express consent, but we haven’t talked about implied consent, and I noticed that the bill doesn’t talk a lot about it. So could you elaborate on that? Is that something that will be regulated as well and how it works?
Andrew DiLullo:
Yeah, so the definition of implied consent is being tightened up a little bit under C-11. Okay, so implied consent can be, I mean, we’ve got model codes for what implied consent looks like. Implied consent, or rather, the various kinds of consent that a consumer can give permit certain kinds of subsequent use of the data, there is actually kind of a flowchart in that way. There are questions about whether this particular flowchart, like the consent of this nature permits you to use data in this way, is enforceable or even reasonable to reality. But it is an attempt to make sure again, that if data is collected in a particular way, from a consumer, whether that consumer is aware of it or not, express or implied consent, the data is then only used in a way that consumers would expect it to be used, bringing the guidelines for use of private information into accordance with the mainstream common denominator expectations, which is always going to be a moving target.
Brad Breininger:
Yeah, for sure. Andrew, you talked a little bit about the international community and the fact that this can, C-11 can be implemented internationally. How much partnership is happening globally, between governments and even private organizations to come up with? Obviously every country legislates for itself. But are there bridges being created among all of these legislations? Are there bridges being created among the organizations that this is really important to in order to kind of create almost like a web of coverage across the world?
Andrew DiLullo:
Bit beyond my paygrade, I can’t. I can’t say if there is a concerted international effort to consolidate and harmonize privacy law, generally what seems to be happening is a nation with a large enough market sees a problem and legislates to deal with that problem. And if they are, in fact, a large enough market, advertisers and companies will follow suit. So this is what happened with the GDPR. Any advertiser that wanted to operate in Europe and/or brand that wanted to operate in Europe, a large enough market that it was worth taking on the effort of being GDPR compliant. And then because the GDPR was this head and shoulders above any other privacy law, they just implemented it worldwide, it was easier, Australia, Canada, US, everybody gets that. Similar to the international tax order, I guess, where you have the taxes, the new taxes targeted at Facebook, Apple, Amazon, Google, the FANG, Netflix, Netflix seems odd in there. But anyway, the FANG corporations, Australia starts, and Canada follows suit. And eventually everyone’s doing it. I don’t know if Canada has the population and economic clout compliance the same way the GDPR did and does. But it’s certainly going to again, it’s easier for brands to be compliant to the highest level of privacy law, than to have a piecemeal application depending on where you’re serving your website or whatever.
Brad Breininger:
I mean, it comes down to risk and reward, it’s a risk to eliminate the European Union from your marketing, perhaps and so you want to make sure that you’re compliant. Again, my expectation wasn’t that there will be some global law that will govern all of this, it was more along the lines of it sounds like what’s happening is that it’s lead by example. So a lot of the bigger markets are putting things in place. And then some of the smaller markets are following suit. And eventually, hopefully, what happens is that there’s a network of rules and regulations that everyone agrees on, not yet part and parcel, but generally,
Andrew DiLullo:
Yeah, I would agree with that it’ll sort of evolve the same way that the international copyright trademark market is thought of, you have the world international Property Organization, and everybody’s in various degrees of compliance with that.
Brad Breininger:
Yeah. So Andrew, what do you think is most important for brands to know whether they’re small organizations or midsize or large? What does this all mean to them? What do they need to keep in mind over the next little while, if C-11 does pass, and it needs to go forward?
Andrew DiLullo:
Well, if C-11 does pass, it would probably be a good idea to get in touch with whoever was doing your privacy policy, which is probably most recently updated for GDPR. And just make sure that they’re aware of the most significant changes that will need to occur.
Gabi Gomes:
And don’t just copy it off of the internet or off of somebody else’s website for your own use, right, consult a lawyer.
Andrew DiLullo:
Exactly. Yeah, consult a lawyer, gosh, the lawyer saying that, what a surprise. But no, it would be a good idea to check in very quickly and make sure because again, the leapfrog iterative process of the changes will be fairly tightly bound. If you’re already compliant with the GDPR, beyond making sure that your policies or your policy maker, your policy adviser is apprised of the current text of the bill, there really isn’t much that needs to be done. Although what you could in fact do is a brand could decide to take upon itself the Apple approach and say, well, Bill C-11 is good, but I think we can do even better. And we can actually make that part of our brand that we are doing even better than what the latest state of play legislatively is. And if a brand decided to take on that effort for itself, it could actually gain a lot of goodwill.
Brad Breininger:
Yeah. And really, it’s an opportunity. Anytime you have legislation like this, I mean, if you look at just previous things like the GDPR updates that were done in privacy before, or even if you look at the AODA compliance for websites and digital properties, the whole objective behind all of these things is to move us forward in the wild west of the digital world. And so the real opportunity is for brands to understand number one, what they need to do to comply. So that’s first out of the gate, as you’ve stated, second is to find out what the other opportunities are, do they want to go down the Apple route where they’re doing something even more, and they’re putting themselves out there as a very woke ethical organization that understands what it is that the legislation’s trying to achieve. And then the third is, if you’re an advertiser, rethinking how you advertise, maybe your old ways of working aren’t going to be exactly the same. And you’re going to have to pivot a little bit, you’re gonna have to adjust a little bit, and there will still be data out there for you to use to target. But you have to use that data in a very different kind of way. And we’re always having to change, we’re always having to update, we’re always having to pivot and go in new directions. And I think that this is no different than that. The onus is on brands to not only target their customers, but to be a good corporate citizen, to play well with others, to really take care of your customers in a way that makes them want to be your customer. So I think that there’s a lot here that brands have to really decide upon it. This isn’t just about having some of your data taken away. It’s also an opportunity to rethink how you go out to your customers and how you share messaging with them and how you target them. Like we always say be creative, be creative about how you’re advertising. No one is stopping you from building up your customer base.
They’re just trying to protect us all as human beings so that we’re not being taken advantage of whether that’s on the consumer side or with additional legislation, whether that’s on the political side, I think that not everyone is as tech savvy as everyone else. And I think that it’s really inherent in these brands to understand what they need to do. But also to just be a good corporate citizen and continue to build your business. No one is stopping that, but do it in a way that is really going to connect with your customers. So Andrew, thank you once again for joining us on the podcast. We always love having you here. Again, it’s Listrom Di Lullo, you can find them online, you can find Andrew Di Lullo online, connect with him. If you need to review your privacy policies as this goes forward, I’m sure he’ll be happy to help or point you in the right direction. And Andrew, we look forward to having you again in the future. So that’s this episode of Everything is Brand. Join us next time for a new topic, maybe a new guest, but definitely a new conversation. And remember, everything is brand.