2025 Privacy Predictions: Hold My Beer, 2024, With Jodi Daniels
We thought 2024 was the busiest year in privacy. Well, 2025 is already gearing up to take that title. What do we think is in store? From evolving regulations and AI governance to building consumer trust, privacy pros face new challenges at every turn. Today, Jodi Daniels joins host Arlo Gilbert as they take a look back at 2024 and then into the crystal ball for 2025 for their predictions on what’s next. If you care about evolving regulations, AI, how the role of privacy will change, and (maybe) a few Taylor Swift predictions, you don’t want to miss it.
As the Founder and CEO of Red Clover Advisors, Jodi Daniels brings over 25 years of expertise in privacy compliance, strategy, digital marketing, and online behavioral targeting. At Red Clover, Jodi and her team help clients integrate data privacy strategy and compliance into a flexible, scalable approach that simplifies complex privacy challenges. Jodi is also a national keynote speaker and the best-selling author of Data Reimagined: Building Trust One Byte at a Time. Additionally, she serves as a faculty member at IANS and co-hosts the weekly She Said Privacy / He Said Security podcast with her husband, Justin Daniels.
Arlo: [00:00:00] Hi, this is Arlo Gilbert, CEO and co-founder at Osano. And today I'm your host on the Privacy Insider Podcast. We didn't think any year could be busier than 2024 with new regulations, AI, and more demands on privacy professionals than they can keep up with. But 2025 already has us looking like it will prove that 2024 was the easier year.
So today we're going to look into our privacy crystal ball. We're going to predict what lies in store for 2025 for privacy, technology, and really anything else that comes to mind. And you know, who knows what we're going to talk about. Maybe we'll talk about Taylor Swift. Our guest today is Jodi Daniels.
Jodi is a favorite privacy professional of ours. She works at Red Clover Advisors, where she is the CEO and co-founder. They are a premier privacy [00:01:00] consultancy, integrating data, privacy strategy, compliance, and they provide a flexible, scalable approach, including even fractional privacy work that simplifies the very complex.
And she is also the co-host of her own podcast, The Top 10. Frank, she said privacy, he said security podcast, which she co-hosts with her husband. And she is the author of the book Data Reimagined: Building Trust One Byte at a Time. Jodi, welcome to the show. Hey Jodi, how are you? It's so nice to see you.
Welcome to the show.
Jodi: Well, thanks for having me. I'm really glad to be here.
Arlo: Well, it would be awesome to learn a little bit about you for those who don't know Red Clover and yourself. You are prolific in the privacy world, and it would be awesome to learn just a little bit about you, Red Clover, and maybe tell us a little bit about how you got into privacy because nobody gets here on purpose.
Jodi: That is true. We all have our own stories. [00:02:00] So I'll blend. I'll start at the beginning. I started my career at Deloitte Audit. I was a financial statement auditor. And woke up one day and said, Yeah, I don't really want to do that anymore. I went over to the Home Depot where I did the inaugural Sarbanes Oxley implementation.
Which is actually really interesting because for me now, in hindsight, I'm coming full circle. I documented financial controls around processes. And now I'm working with companies to understand the flow of personal data. So, the universe. It's totally full circle, but I did that for, for a couple years. I then did some strategy and corporate development work and then moved to Cox Enterprises, big media company who was actually my client for a long time, love the media space.
Also really tied to some of the work that I'm doing today. I did corporate development work, and then I built a targeted ad network for autotrader.com. So I stalked you for cars, quite honestly, before some of the other.
Arlo: So you were on the dark side.
Jodi: I was on [00:03:00] the dark side. I was on the dark side. I stalked you for cars before anyone thought I was stalking.
And before anyone thought it was personal information, and if you bought a car in the late 2000s, you're welcome. Because maybe I helped influence it. And I hope it was a great experience for you. So, the reality, though, is that's how I got into privacy. Because there was this little thing called the Digital Advertising Alliance, the DAA, a little blue triangle, Ad Choices.
I was responsible for our compliance with that. I thought this was interesting. Long story short, I made that a big part of my role. Then left the targeted ad universe after building that for several years and was the initiator of building a privacy program for one of the Cox entities. So that was my start.
Before we had CCPA and GDPR and a lot of the fancy acronyms we have, I started to build that privacy program from the ground up. So I know what it's like to have to start from scratch in a large organization or [00:04:00] a small organization and convince people to pay attention to you.
Arlo: That's always the challenge, right?
Is that the privacy professionals tend to get treated like wet blankets, right? You're here to say, no, we would rather not invite you to this meeting.
Jodi: Yes. I wanted invitation. So at the end, I was so excited. I get an invitation and I actually started tracking how many different calls and projects that I was working on so that I could look back and be able to see the impact and the difference that, that I need, and we'll, from there, I went to one of the large banks was the digital privacy lead there.
And started Red Clover seven years ago, really to help companies figure out this privacy thing. So think of us as a full service privacy consulting firm. We help with privacy technology implementations, figuring out how to best use the amazing tech that you all help create, as well as help figure out and sort through what are the laws?
What did they tell me to do? What should I do? What can't I do? What are those notices and [00:05:00] those policies and help me decide what I need to do, just actually bringing privacy programs to life past the boring checklist. And the last piece we do is, for some companies, they might not have a full time privacy person, but they need more than zero, and we'll be that fractional privacy officer for companies.
Arlo: That is awesome. I did not know that you did that fractional work, especially for younger companies where it's just, it's not, it's not tenable for them to hire somebody full time in house right now. Right. I've got 10 people or 20 people. I just can't justify the expense.
Jodi: Yes, I would offer that there's also some really large organizations, though, that aren't going to be able to get a full time person, but they still need more than zero.
And they also need more than the half time, anointed person that knows nothing about privacy. They need privacy knowledgeable people. So the way we do it is we have a dedicated person, a senior consultant who's knowledgeable about privacy, that's the [00:06:00] dedicated. But the reality is they're actually getting the entire team behind.
So we really look at what is it you need to accomplish for the year. We're gonna divvy that up. And we're going to identify the right team members for us to be able to accomplish that. And then you have a dedicated person doing it. It's very similar to what security firms are doing with the VCSO concept.
You might have a dedicated person. But then you have the team behind you doing whatever tactical security things you need to do, we just do it on the privacy side.
Arlo: That's awesome. Well, your reputation is unmatched. It's one of the reasons that we like working with you.
Jodi: Oh, well, you're very kind. Thank you.
I'm glad to be here.
Arlo: I'm really curious, in the world of consulting and doing the work that you do, you must come across a lot of different businesses. And I was curious if you had any memories that stood out to you without naming any names, particularly bad privacy programs, or like, what's the worst thing you've seen when you've gone into a customer?
And then on the corollary, have you ever gone [00:07:00] into a customer and walked out being like, you do not need my help.
Jodi: Yeah, I, we do see a lot of businesses, so many different businesses. And it's actually the part that I find really fun and interesting and it does really connect for me with the beginning part of my career, where I saw a lot of different businesses. I just care about personal information now compared to financial before. There's a particular company in mind and this particular company does a B2C experience and consumers would be, I have to be very careful, but I will, I will do my best to cloud it.
Arlo: We won't bleep anything out. No, no, no, no, I don't, so very
Jodi: private around here as privacy people. So, but this particular company consumers would trust with very sensitive data. It's an experience, an internet of things type company, a lot of sensitive data, and they just had nothing. They had no privacy.
They had no security. They had no policies. It was just all open and all exposed, and that was really scary, and didn't like that. I see that, honestly, [00:08:00] more often than I would like to, where these are companies, some of the brands you've heard of, some of the brands you haven't, B2C or B2B. Where when you just pull behind the curtain, there's nothing.
There's like barely a band aid trying to put together privacy or security. And then on the flip side, one of the companies that stands out the most to me. It was actually a brand new startup and it has risen and a very successful company today. But when it started, it hadn't even launched its website yet.
And we worked together and they were forward thinking and said, we don't have to comply with CCPA now, but we will. And we want to do it right from the beginning. There's a couple companies that have had that mantra, where there's this technicality of a law or the dollars or the threshold. They know what they want to do right away, and they want to do it [00:09:00] right from the beginning.
Whether that be software to put in place, or a privacy notice, or just the thinking, those are the companies that really stand out to me.
Arlo: I can imagine that must be fascinating. And I think it really does highlight the reason that there's value in working with known brands in this space, right? Red Clover or Osano, these are companies that have been around, people know us, and there's a level of trust that just has to be established with consumers and people have been bitten before by things like the TRUSTe trust marks where people say they're doing the right thing, but then you pull back the curtain and they're not really and consumers don't really have much of a mechanism to ferret out and understand what's really happening behind the scenes.
That's where we see, hey, Red Clover gave you the stamp of approval here, and you're using reputable vendors. That buys you a lot more [00:10:00] trust in the world of business software. Anyways, I could go on for days about this, as I'm sure you could too. Let's shift gears real quick. It would be awesome to talk about, and this is a special episode.
This is our last episode before the end of the year, as I mentioned up front. And so we want to do a little bit of a look back, a little bit of a look forward. We thought we would make this a really fun episode. So, quick look back, we've got, uh, a bunch of stuff that happened in 2024. The one that stands out to me, because it was an embarrassing egg on my face, is that APRA did not pass, and in fact, I was on the episode we did, I think it was our second or third episode, and I said, my bet, a hundred bucks, is that APRA passes in 2025.
And I think it was two hours later that the bill got tabled.
Jodi: You were bold and made a prediction, so there is kudos to being bold and just being willing to make a prediction.
Arlo: That's right. Well, and we've got seven new state laws. We've got Schrems now can do class [00:11:00] actions. And what else do we have? We've got the child protection laws that had been taken over. 2024 has been a very big year. Anything stand out to you?
Jodi: I think it's, if I look at like the Maryland law, that's a really interesting, complex law that was passed. The idea that we're going to have very dedicated and specific privacy laws for kids as a parent. I'm grateful for that.
Unfortunately, none of my kids will be protected because I live in Georgia and I have no rights of any kind. But, maybe one day, Georgia will be included, so I'm grateful that the kids elsewhere, those are protected. And, I think the progress we've also been seeing from California and actually trying to move, albeit at a really slow pace, some of these regulations, but it does seem like we're in a forward direction, so that's exciting to see.
And then, there's this intersection between AI and privacy, so I feel like the idea that we have companies that have to pay attention to privacy. [00:12:00] For me, 2024 was the year you couldn't just say, Oh, I don't have to worry about that any longer. Maybe you're going to push it off to 2025 still, but at least in this year, to have 19 laws in the U.
And I also might add what the FTC has been focusing on, which I would like to say, you don't mess with grandma, you don't mess with kids, and you really shouldn't mess with health. Everyone typically believes those are sensitive topics. Get them right.
Arlo: Yes, do you think that the healthcare focus has been partly driven by the Roe v. Wade overturn? Or do you think that this was always where it was going anyways? [00:13:00]
Jodi: I think it depends. So I think some of them, like if we were to look at Colorado with neural data, for me, I think that's actually more about the advancement of AI and technology and trying to protect in that regard. I do think some of it is around Roe v. Wade, but then there's also a number of them where it's being pretty specific around mental health and you're just seeing more and more as a society to really be able to cover that information. And then I think where you start having some actions on how health data was used for advertising. You have some thoughts and regulations around, well, hold on, wait, you weren't clear in your disclosures of what you were doing.
So no, I'm broadening what my health data is going to be. So my view is it's a compilation of all of those factors, not just one.
Arlo: I love that. Okay, so 2024 has been a big, exciting year. Definitely moved from a "privacy is something we'll get to" [00:14:00] to a "privacy is something we really have to tackle now." And going into 2025, what are you seeing on the roadmap for this upcoming year?
We've got tons of new regulations coming, we've got federal laws we want to keep up with, European stuff. And then, of course, we will have a brand new administration. They are probably going to behave differently than the last administration with regards to regulation. So I'm really curious what you think will be happening this upcoming year.
Jodi: I'm going to go backwards. And I think many privacy pros agree with me. I don't think we're going to have a federal privacy law. Arlo, if you make another prediction, it's just frame bias, maybe don't pick that one, pick a different one.
Arlo: I will not be making any more predictions for the rest of my life after that one, but I agree with you.
Jodi: I don't think there's going to be a federal privacy law coming out of that new administration. I do think the states are going to ramp up in two areas. Number one, I think we're going to have more states, and so my prediction for [00:15:00] 2025, I think the number of states that will have a comprehensive privacy law that will pass will push us over the halfway mark.
So I think in the 2025 legislative season, that would be fixed laws to get us over 25s. We need another one if you want to include the territories. So depending on who you are here, listeners, and how particular you'd like to be. I'm going with the 50 states, but I appreciate our territories too. So that's my initial state prediction, but the other is the enforcement.
And I had the opportunity when I was at IAPP PSR to hear from several of the state regulators and some of them in multiple sessions. And some of these states are hearing from consumers. I'll never forget the Texas regulator who was commenting that they received hundreds of comments through their online complaint form in just a couple months.
To me, that's telling, right? How do these people find this link on a really particular topic? In just a couple months of it passing.
Arlo: I mean, and this is the government. So their websites are not even all that easy to navigate. [00:16:00]
Jodi: Tricky there. There's not like a big campaign that came on TV. Here's where you go.
So I think for me, that's really telling. And between the Texas enforcement agency that is staffing up, California that's been staffing up, and then, as more and more states pass, those states are talking to each other. They're communicating. Many people have said, well, where's all the enforcement? It's not here.
You see actions out of the FTC. Well, we also don't know what we don't know. They don't actually always communicate and put out in public all the behind the scenes conversations that we're not a part of. There are plenty of conversations happening. We just might not never know about them until they're so big or so egregious that those are going to be the ones disclosed.
I envision more enforcement. I envision, separate from the enforcement side, what I often see, especially for B2B companies, is more pressure from sales and I am seeing this where company A won't get the [00:17:00] sale from customer B because they don't have the right privacy and security measures in place and they'll pick the competitor that does.
I think you'll start seeing more pressure from those sales teams and companies to really get this privacy thing right on the inside. And for me, as a former marketer, this will be really exciting. Actually promote that and really have great outward facing information about what their programs are. And the last part is some of the companies I think who already have had some privacy programs in place, I'm starting to see them come back and say, okay, what worked for that isn't really going to work in my new environment with all these different nuances.
I need something better. It's time to revisit. So retooling literally with tooling or just the concept of reevaluating how the program's actually working. And then I think globally, we will continue to see the trend of modernizing [00:18:00] privacy laws in different countries like Australia.
Arlo: That's exciting. I love your predictions.
I keep coming back to the question on enforcement and I think it's interesting you raised a really good point which is that the vast majority of enforcement is not something that the public knows about. People tend to think that these regulators or these state authorities show up with a SWAT team or something and news cameras.
Jodi: Well, we all saw the ICO picture. Here's a gulp.
Arlo: I mean, it's so funny. I think people have this dramatic expectation of what a, a, a notice from a regulator is. It's like, yeah, it's just a letter that says, call us, basically. You know, like, people call. Hey, all right. So we have the regulatory side. What about the class action side?
Jodi: Oh, that's so hard to predict. I don't think they're going away. I think if you are a class action law firm, you're just going to keep trying to find which hole you can go through. And we [00:19:00] started with CIPA. They've gone to all different types of wiretapping. They're looking at AI chat and just so many. I am not familiar, if I'm totally honest, with every single law that is out there between all these different opportunities.
What I do have comfort in is believing these firms will find holes. We're seeing some that's even trying to find holes through CCPA, and the class action was only supposed to be from a data breach perspective. We still have Washington that, again, we haven't heard a lot, but that doesn't mean that there isn't a paper war going on.
We just haven't, hasn't made it out yet to "here's what happened to us," right? Maybe those companies have done a really great job of just keeping it as a paperwork. So as a reminder, if you have to deal with the Washington My Health My Data Act, and you feel like you haven't seen anything, yes, sometimes it might be a public filing and people can find it, but there are still opportunities for it to be private where we might not know.
That's a catchy one. I just think those people are creative and will keep [00:20:00] trying to find opportunities for themselves.
Arlo: Yeah. Well, and the wheels of justice turned slowly too. GDPR went into effect in 2018. It was like that moment where it went live and everybody went, Oh my gosh, we have the privacy law.
Yeah. Yeah. Oh, that's anti climactic, there's no enforcement happening. I thought it would just start, but people don't realize that regulators are collecting information and collecting evidence now that they may not even go and utilize for another six months or a year. And so it's always worth doing the things that you have to do to keep the regulators at bay because you just don't know.
They might be looking at you now.
Jodi: Exactly. So the idea also of show your homework, because you never know when you're going to get one of those questions, having a program, so I love one of our new state laws, Minnesota, that's essentially requiring people to have a documented privacy program. It's the show my work.
Because if you were to get a letter, it's, well, hopefully you weren't egregious. But it's possible maybe [00:21:00] someone disagrees with the disclosure, or maybe they disagree with an assumption that you've made. If you're able to show, well, here's our approach and here was our thought process and here's how we came to this conclusion, it's going to be a very different conversation in that scenario.
Now, class action lawsuits, make sure you get the right attorneys. We are not the right people. I have lots of wonderful people who will help you in a class action lawsuit. Call me. I'll give them to you. But the best there is to have, actually, in all seriousness, have really great advisors who can help and tell you, here's what we're seeing in that industry, and you want to have this disclosure.
And you want to have this pop up or this consent or don't have this disclosure because of this disclosure class action we're seeing. So I see that from time to time, where there'll be a privacy notice update and someone will ask, do you have this pixel at, like, just the other day someone asked, do you have pixels on videos? Because they're still seeing the video class action lawsuits. Do you have these types of third parties?
Because we're still seeing these class actions. [00:22:00] So the idea of keeping aware of those and having the right advisors is very critical to then be able to tie to what any of those parties can see on the outside.
Arlo: Got it. Well, that sounds like great advice talking about class actions. We talked about one of the things that happened in 2024 was that the gentleman Max Schrems, who runs the NOYB group out of Europe has now become effectively certified in Max did a much better job of explaining it, but basically they now have a license in one of the countries in Europe to go and begin filing class actions.
Which is very different in Europe and it's a much higher bar. Do you think we're going to see more class action? Is Europe going to become a litigious society?
Jodi: Yeah, I think that's an interesting one. These will be interesting cases to follow to see what type of precedent it sends because typically we've always been, we being the U.S., has been the litigious society, Europe [00:23:00] has not. Europe has very much been a regulation, you people follow it, here's some fines, you don't. And, uh, probably some inappropriate thoughts I have that don't work on this podcast. So I'll just keep them. What will happen though is, I think if any of these move forward and there's a win out of them, that's going to set precedent and others are going to follow.
I do also think they might not even wait to see how far they will go. There are other groups that have significant issues with how many companies operate, often many technology companies and how they operate here in the U.S. Because our philosophies are really different. The U.S. is incredibly capitalistic, company first, people second.
And even if I'm a U.S. company having to comply with European law, my philosophy's still different. And so some companies have done an extraordinary job of doing that, and other companies haven't. There's also the advertising industry, which is the era that I came from, right? That's how I got here. There are a lot of privacy [00:24:00] people who just don't like it at all.
Any kind of surveillance and data collection doesn't even have to be just ad tech, but just the concept of surveillance and the volume of data. There's people who just don't agree and the philosophies are very different. And I think that will be really interesting to see where it shakes out. GDPR, as you pointed out, it's in its infancy.
It doesn't actually have a lot of precedent to be able to go on. And the rate of technology and where it is today and when that was drafted, nearly like eight, 10 years ago, right? It was drafted for years before it was passed. It's different. And how much it's going to be able to withhold and withstand where we are.
I don't know. I think time's going to tell.
Arlo: Yeah. The technology definitely changes faster than the regulations do. And I'm always worried when I open a new bill to look and see, are we defining arcane terms that will be out [00:25:00] of date soon? So I guess that's why they did the AI Act.
Jodi: It's one of those, I think it's hard to predict and think through how a technology might be utilizing data.
These frameworks are supposed to be tech agnostic and be able to be a framework and withhold the test of time within a reasonable period. The challenge is that people are collecting and using and creating in ways that people just hadn't thought of. So, the framework may or may not be able to manage that.
And that's a little bit of, I think we just have to keep seeing what interesting new innovation arises and how does that line up with the intent of the innovation. And then in my mind, you often have people who create something for a great, wonderful good. And then there's another side that finds the loophole and uses it in its complete opposite form.
And those are the people why we end up with rules. It's just like how we were in kindergarten. [00:26:00]
Arlo: This is why we can't have nice things.
Jodi: Right. Someone messes it all up and then you have to sit on the floor, you have to raise your hand, you have to have the hall pass, you have to have all the things because someone messed it all up.
The kids haven't grown up. It's the same problem that we have now. Just with much bigger consequences.
Arlo: Yes, agreed. Okay. So there was also some other big, exciting news in 24 that I think have some impacts in 25. So our very favorite penal colony, Down Under, they have been just blazing a new trail in privacy.
They're, they're got social media now. It's illegal for anybody under the age of 16. Do you think we're going to see more out of Australia? It's a pretty big economy. So their work really has an impact on global trade.
Jodi: It does. So. I love Australia. I think if I ever were to move, that's where I would move to, and I have yet to visit the country, but it's been on my wish list since I was in third grade studying koalas, just everyone needed to know that.
So I love chocolate chip cookies and I love koalas. But back to privacy. [00:27:00] I think that it's very interesting. They definitely have a massive impact on the global economy. At the same time, they me. Aren't necessarily a country that I feel like we always follow, because we believe, not just Jodi believes, but the greater U.
Because a lot of times it's been U.S. and E.U., and then everybody else. And there hasn't been a whole lot of everybody else, and Australia actually comes up a lot, and it's, oh, well, Australia's, like, they don't really have anything, so you can lump them in with the U.S. side is what people tend to do.
They'll probably be more [00:28:00] of the triad, if those are going to be the three big markets, or more of a striation based on wherever else they are. So you might have US, you might have EU, you might have Australia, and then you might have everybody else. So I think it will actually have a bigger impact on privacy programs and how people are going to market.
Either will you really separate what you're doing, so if you had a consent strategy, will it, will be separated like that? Or will you start to move to a single universal situation? That, to me, is very dependent on the kind of data that you have, your risk tolerance as a company, and your customer expectations.
So, the more you have, like Australia and Europe, it's going to shift the operational challenges into either a multi version or, no, we're going to make this singular because it's just too darn hard.
Arlo: I love that. Actually, I had not thought about it in that framework, so you almost went from this world where everybody thought, okay, I [00:29:00] have my European privacy laws to worry about.
I'll do that. Then it's, oh, we've got American privacy laws to worry about. I'll do that. Now I'm good to go. And suddenly, oh, maybe there's an APAC strategy or how people are starting to segment, but just so I understood you. It sounds like what you're saying is that because there is now a major nation that has privacy regulation, this will be forcing a re accounting of the approach that companies take to segmenting out their privacy programs.
Jodi: Yes. And for me, that goes back to what I shared before, which I think is companies are starting to, I use the word retool, but evaluate what they've done. What they did potentially for GDPR, if you had to comply with that, was one thing. Then CCPA came along, so we literally saw GDPR and CCPA. Oh wait, now I have more states.
Okay, fine. We'll do GDPR, and then we'll do all the states. [00:30:00] Or, nope, I just have California because I'm not big enough to worry about those others. So everyone was scoping accordingly. Some companies are not in Europe at all, and they're just US and Australia. Or some mix of all of that. Well, as more and more laws keep popping up, and as companies have been at this privacy game for a while,
they're realizing what I did then doesn't necessarily work now, no different than any other part of a company, right? Whatever, where you are at a company stage one to stage two, as you continue to grow or even multinational, it continues to evolve and change. The same is happening from a privacy front. As you pointed out with GDPR, we are six and a half years into the effectiveness of GDPR.
So we've been at this a little while. For companies who had to deal with GDPR, you've been at this for a while. For CCPA, it was 2020. We're coming up on five years.
Arlo: Yeah, these are brand new.
Jodi: I know! So there, we're like, again, selling EtherCard in. We're still in elementary school here, people. We're just moving up just a little [00:31:00] bit into the mid elementary for some of you, and for others, you're still just getting born because you're deciding to, to, to start on these privacy laws and where you are.
But I really think people are going to have to find the approach that works for them. And depending on where they are in their privacy program, in their company, is going to determine how they're going to approach privacy. All these privacy laws, but with more of them, there's no doubt it is complicated.
Arlo: All right. Well, so we got Australia. We've talked about Europe, federal regulations, any predictions on the new administration and their approach to privacy or whether it will be Wild West. What do you think is going to happen? What's your gamble here?
Jodi: And I don't think it's going to be a top consideration.
I just don't, I don't see regulation being a top consideration. I don't see privacy and security being a top area, a focus, and so I'm hopeful that the work that's been done isn't unwound. So, for me, [00:32:00] there's, do you do any more, or do you reverse anything that's already in place? I'm hoping it just ends up being the status quo, and the states, in my mind, like we've been talking about, I think the states are going to pick up and be more enforcement, more regulation, passing more, and honestly, I feel like you see that in some other areas.
Right, we have state regulations when it comes to HR. Of course there's federal regulations, but you also see a lot of state regulations. Same is true from a tax perspective. So this whole state federal game is not new, just it's in different areas.
Arlo: Got it. Okay, well I would agree with you on that one for sure.
I'm not betting on a federal law again. All right. So let's talk about AI, everybody's favorite topic of the moment. We look back on 2024, we had a lot of exciting stuff happen. We had the EU AI Act, we had the Texas AI bill. We've been seeing a huge amount of debate around innovation and AI. We've seen the lawsuit by the New [00:33:00] York Times against OpenAI and questioning who has rights to access these data sets.
We're starting to see AI and state law subject rights, and businesses are starting to implement frameworks. But 70 percent of companies, according to this survey, said they still have no AI policy. 2024, that's where we are. Did I miss anything important on the AI side that you would want to make sure we think about?
Jodi: And there's some state AI pieces that have come around as well, right? We have Colorado, we have Utah, consideration within CCPA for California, and so many bills that it is mind boggling to truly try and capture all the different bills that have been considered. And I think even if a bill doesn't pass, it's telling information about where people are thinking and where the concerns are.
So, if you think about all the bills that didn't exist, and there's a long list of problems in the world, that we have bills to try and manage this technology again to me is a hint for where we're [00:34:00] going in the future.
Arlo: Got it. Okay. Well, I love that prediction. And when you think about 2025 as it relates to AI, which is I think actually a very hard thing to predict because this technology has been evolving at just a breakneck pace.
So you talked about it, and so I'll, I'll ask you this one. Do you think that, what's your gamble here? Do you think the AI executive order gets repealed? Do you think that's a Trump walks in and goes, I'm unwinding everything Biden did?
Jodi: The AI one is interesting because there are some people that surround the new administration that seem to support AI regulations.
So this is an interesting one that I'm not quite sure what will happen.
Arlo: You can hedge your bets. You can phone a friend. Phone a friend. Well, I will tell you, I'm right there. I'm your friend. And so I will tell you, when I think about the administration there, I am hopeful that the traditions that have been followed this time around in terms [00:35:00] of, I guess I would call it a more mature transition approach, things like that,
have given me at least a tiny bit of hope that we might have been witnessing a lot more campaign bluster than real administrative view. And so my hope is they get in and say, Yeah, this is fine. We're not going to mess with it. We've got other fish to fry.
Jodi: I hope so. I hope you are right. We're going to come back and we're going to have this conversation.
We're going to see how right we were.
Arlo: All right. And 2025, what is the AI landscape changing going to mean for privacy pros?
Jodi: We're seeing a lot of privacy pros be significant participants in AI governance, AI assessments, AI process, AI policies, AI approval, AI everything. All of that process is still a little bit nebulous.
Sometimes it's privacy, sometimes it's a committee, sometimes it's legal. I did a post recently, it was like the AI hot potato. It's whichever group [00:36:00] wants to raise their hand. With that being said though, so many risks, wonderful features too, but there's a lot of risks that companies have to manage, privacy being one of them.
It's not the only one. There's a number of them. Because privacy is such a big one though, we find that privacy pros are often being asked to be the owners of that assessment process, as an example, because they had a privacy impact assessment process and it's so darn similar. And in some cases it should be the same, just with extended questions.
And they have the tools for it, they have the process, they have the wait when I should ask for it scenario. Because privacy's built those processes in, potentially even more than security. In a lot of cases, I envision my prediction is that privacy pros will continue to own the AI piece, and I think actually a lot of privacy pros are interested in that.
They're looking to expand their knowledge set and skill set, and this is a good opportunity to be able to do that. I do think, [00:37:00] I don't know how many, but I do think we're going to have more AI laws that will be passed. Exactly what flavor they're going to look like is, that's an interesting one because we have the EU AI Act over there.
We have Colorado that took a different approach. We have EU AI Act is very risk based. Here's your four options, kind of four different types that you might be using. Colorado really focused on high risk. CCPA in California is still trying to decide. Some of their AI pieces move forward. Some of them died.
And like I said, you have a very long list of states that tried AI last year. I think they will come back this year and do something. Exactly what that's going to be, I'm not sure. And I do think more process, more policy, more governance, more tooling is needed. And that's a lot. I just spewed, who wants more policy and more process and more assessments?
So when I mentioned that it should be integrated with the privacy [00:38:00] piece, I feel really strongly about that because you want a business to adopt anything you're asking them to do, not ignore you, not tell you, not skirt the system. We want it to work and get them to understand. And for me, that's where the magic happens.
That's where the operational magic occurs.
Arlo: I love that. Do you think that on the AI topic separately from the governance side of it, are you seeing privacy pros using AI?
Jodi: That's such a good question. It so depends on the privacy professional. And I love asking privacy professionals, what AI tools do you use?
And I think it depends on the company, their risk tolerance. I sound like a lawyer and I promise I'm not one. It depends. It depends. It depends. But it really does a little bit because super conservative people, the answer will likely be no, depending on the company. And the risk tolerance of the company, they might not be willing to say yes, because they want, they have to stay in that very conservative approach.
If you're in a pretty [00:39:00] forward facing company, uses a lot of technology, maybe you've done what you need to from a privacy standpoint, but you're a little bit more on the cutting edge. Those companies tend to say, yes, these are the risks, know what to do with them.
Arlo: That tracks. We also see functional differences.
I know like marketing and sales are always early adopters of new tools, right? And then you think about risk and governance and you think, well, is that a place that you want to have any, you don't want risk in your risk and governance.
Jodi: That's exactly right, and when we think about the sales process, in my mind, you should also be asking, well, it depends, because in that sales process, what are we discussing on that sales call?
Sometimes people will share a lot of information about all the things that aren't working or all the problems that they have because they're hoping that the provider is going to be able to solve that. Are you okay if that's recorded and transcribed and shared?
Arlo: Yeah, yeah. [00:40:00] One of my favorite features of the Colorado law, I also am not a lawyer, but I've really appreciated that Colorado required the disclosure when AI is the voice.
Because I, I read recently up to 50 percent of the calls that we are engaging with when we call a company now, toll free numbers, airlines, restaurants, hotels, I guess the call center industry, almost 50 percent of those calls are now being handled by AI. And that kind of creeped me out to think like, I don't mind talking to a computer when I know it's a computer, but if I think I'm talking to a person, and it turns out I'm talking to a computer,
that feels deceptive. And so I was very much appreciative that Colorado went out of their way to include that in there.
Jodi: I would agree. I would also add, I think all of those companies should poll their customers because how many of us listen here and listening would scream at the phone because the AI,
it's not working. [00:41:00] And all you want is a real life human to solve your problem. And it doesn't work right. I'm sorry, I can't hear you. That doesn't work right. And you're screaming at it.
Arlo: Okay, cool. And then one thing we have been seeing is a little bit of an evolution in the privacy pro role and just the structure of organizations.
A good example would be Google. They recently moved to a distributed structure where every division has their own governance team now, and I'm curious, have you been seeing any big shifts in terms of the structure of privacy teams and governance and risk teams?
Jodi: So we are not seeing that decentralization and the companies that we're working with, we see often some type of central person and they might have people distributed.
It could maybe be a matrix, but there's still a central person who is creating the policies, oversight for the company, deciding here's what our company approach is going to [00:42:00] be for complying with XYZ law, and here's our tools that we're going to be using. So the work might be done decentralized. We certainly see that.
The kind of complete decentralization, not as much.
Arlo: Yeah, well, and Google is a little special. They wake up every morning, I'm sure, wondering whether they're still going to own their whole business next week. They may be doing this decentralized approach in anticipation of a breakup, is my only guess. I have no inside information on that one.
Okay. And then the other big one that we've heard a lot about is burnout. A lot of privacy professionals have been telling us they're in therapy and that it's hard. Have you seen the same thing across privacy pros?
Jodi: People are tired because unfortunately budgets are not supporting the volume of work that needs to happen.
And we just had this entire conversation about AI and privacy and the intersection and a lot of those privacy people have been asked to take that [00:43:00] on as well.
Arlo: With no additional budget.
Jodi: With no additional budget. So you see this in the security space as well. There's going to have to be a change because companies are not going to have these people anymore.
There's not necessarily enough privacy pros to even go around to fill all the need. And then when you think about the experience level that people are going to want, that's going to be a bit of a challenge. It's really the same challenge you have now in the CISO market, but this is a complex. So when you have all these different laws that companies need to adhere to and understand, you want to have good people.
We do see hired privacy pros. We do also see, though, privacy pros who are starting to figure out how do I ask for what I need? How do I show the benefit? And we really like to encourage for people to realize and help explain and educate upward why privacy matters to the company. How does it influence sales?
How does it help retain customers? How does it help save [00:44:00] legal and administrative and compliance costs? In the event of a breach or a fine or some other thing or negative PR, when you start adding all of that up and you look at what that can benefit the company, what the ask is should be relevant relative to that.
And it's all about crafting a story to be able to show here's what it is you're trying to accomplish. Why this is going to be good and helpful for the company and why you should be able to get that. And then those teams need to actually execute across their ask and their promise.
Arlo: Yes. Privacy pros, one of the things that we see is that privacy professionals are for the most part, they're not what I would call marketers or sellers, right?
They are generally somebody with some operational background, some data background, some legal background. They're being asked to take a highly complex subject with lots of business [00:45:00] repercussions and essentially turn these into soundbites, right? You've got 30 seconds when you go and talk to a group to get their interest or not.
And so just learning how to talk about these things in a way that sounds a little more sizzle, right? A little more sizzle, a little fewer acronyms is definitely one of the things that we see challenges around.
Jodi: I agree. I'd love to add, Arlo, just something to that point. One of the pieces of advice that we find to be successful is when people speak in the language of who they're speaking to and not in their own.
Because you mentioned privacy pros in their lingo. Well, everyone on the planet, industry, function, everyone has their little lingo. You want to speak, though, if you have to convince a marketing person, you need to speak to what the marketer cares about. If the CFO is the person giving you your money, speak to how the CFO cares about things.
How are you saving him money? How are you earning him money? So think about who your audience is and use what is [00:46:00] important to them to make your case to help get that person on your side.
Arlo: Empathy. That's really all it takes. Okay, cool. And then I don't know if you had a chance to see my article, but one of the things we've also been seeing is a shift in titles.
Chief Privacy Officer is a title that we see a lot, but we're starting to see different titles. We're starting to see, like we talked about, privacy pros are being asked to handle the AI governance now all of a sudden. So, are they still the Chief Privacy Officer? Is there a future of a Chief Privacy Officer?
Is that role going to evolve? Or are the titles going to change? What do you think about that?
Jodi: I think privacy is still here. If I changed it to Chief AI Governance, okay, well, all these privacy laws, so who's going to handle all of that? It's just not all the same. You could have AI in one little part, but privacy in a number of others.
They are not always a one to one. So I still think you'll have Chief Privacy Officer. [00:47:00] I think in some companies it could be a really elevated title and then you might end up like maybe as a chief trust officer and underneath you have a privacy wing and an AI wing, almost like a split there. You could certainly have something along those lines.
I don't think the concept of privacy and a leader of that organization is going to totally go away. For all the reasons that we've had an entire podcast on, we have a long list of laws and requirements that companies have to understand. And the kind of data that I collect, use, store, and share may or may not involve AI and maybe just a part of it.
If I only focus on AI, I'm missing the entire other part of my data cycle, my notices that I have to communicate to people, the choices that I have to honor to people, and then my favorite one of the, should I even do it in the first place? Because the law might say, sure, you can use that data. The customer might
scratch their head and say, hold on, what are you doing? That wasn't in my expectation.
Arlo: That's [00:48:00] right. And we've talked about this on some of our prior episodes with this concept of legitimate interest. As it relates to AI, I give you my data in exchange with an expectation. You're going to use this to let me log in.
Right. Or something straightforward, but no concept that there was this future technology that you might leverage this data for in some other way. Are you seeing companies struggle with that? And do you think that in 2025, that struggle becomes harder, easier in terms of identifying where the line in the sand is of data that you collected previously, that you can leverage versus having to go get new opt ins.
Jodi: Well, I do. I think it is going to matter where the people are and what your notice was when you got it. In some use cases, you don't always have to have opt in consent. In some places, you do. The general philosophy, though, is if I got [00:49:00] consent before to do a particular task, and now you want to use that data for something different, that doesn't work.
So I have between the consent language and then what my privacy notice says. You'd have to go back and get that consent. So then people will say, well, how broad can I make this? And then at the same time, you have privacy laws and regulators who say, well, it can't be too broad and it can't be too narrow.
So that's the privacy advisors game is to try and find the right balance to be able to capture that. At the same time, that goes back in my mind to that customer expectation and trust that I was just talking about. At the end of the day, companies are trying to understand their customers and sell more stuff and make money.
Yeah. Absolutely. Absolutely. The customer wants value. They want to get a good that they need, a service that they need, that something's going to make them feel good, whether you're B2B or B2C. No one wants to be tricked. No one wants to be fooled. If data is used in a way that makes that person feel that way, or they feel like it was [00:50:00] deceptive, that's a lose for everybody.
And I don't think long term, a company that does that is going to actually win in the customer loyalty, a good strong relationship, and ultimately might even have a regulatory challenge because it would have been considered unfair and deceptive.
Arlo: Yeah, it can take you years to build that trust and it can disappear in moments.
Jodi: Yeah, I always ask people the very fancy Jodi, scratch your head test. What does the customer expect? Is it reasonable in line with what they would have done? And the laws are here to basically make companies think about that.
Arlo: All right. Well, Jodi, I don't want to keep you too long here. So a quick couple of follow ups.
First one would be any other predictions for 2025, even if they aren't related to technology or privacy.
Jodi: That is good. I am hoping we're going to have some good new movies, like, I think we talked in our pre show about Disney and Wicked, so Moana 2, I don't know, maybe there'll be a Moana 3, and I know Wicked 2 is coming out next year.
So I'm pretty darn [00:51:00] excited about that.
Arlo: All right. I will bet that Taylor Swift and Travis get engaged in 2025.
Jodi: Oh, that's interesting. I don't follow them enough. I don't know. I don't know if I agree with that prediction.
Arlo: We've been seeing the rumor mill about the engagement rings. I feel like we have a lot of Swifties at our company, so I have to make a shout out to Taylor.
Jodi: Maybe she'll announce a surprise tour.
Arlo: Ooh, or a baby Taylor.
Jodi: Let's go with the surprise tour.
Arlo: Alright, the surprise tour. I like that one. And then last but not least, Jodi, you're a privacy pro, but we're out there trying to help people comply with regulations, give them good advice, but we're human. When we put on our PJs and sit down with our laptops at night, what do we do that we wouldn't recommend that other people do?
Do you have any guilty pleasures or any embarrassing admissions on this show? It's just friends here.
Jodi: Of course, just whoever is listening. So I am one of those people that uses the same email address and I actually give out my [00:52:00] phone number. Now, I don't always give out my phone number. It depends on, like, really who I'm giving it to, but I like my loyalty programs at my retail stores, and I personally don't want to have 10 different emails.
So there are some companies that are looking and creating really cool products, we actually had one on our show coming on soon, that I am interested in, so that I could not have to keep giving all that out, and it would be easier for me to be able to manage. But for me, I like my loyalty programs, and I'm choosing where I'm giving it.
So I am making that notice, I am informed, I know what is happening, I've decided it's a good value for me, so that I can keep getting more goodies from the places that I like.
Arlo: I love that. People think that privacy is all dry and that everybody's really uptight. And there's the side of like when we're guiding people and providing advice, yes, we have to provide conservative feedback and advice that will help move the business forward.
But, [00:53:00] you know, at the end of the day, we're all people and we still want to watch cat videos or dog videos or whatever it is that everybody's watching these days. Well, Jodi, thank you for joining us today. It has been a delight. We work with Red Clover and have been very pleased working with you guys. So definitely recommend anybody go check them out.
They also do a lot of great content as well. Thank you so much for joining today.
Jodi: Thank you.
Arlo: Well, I hope everybody enjoyed today's episode. I certainly did. Jodi is always a delight to chat with. Tune in to our next episode. We have exciting stuff coming. And if you haven't already, go back and listen and subscribe to our historical catalog.
There are some amazing interviews in there with powerful people in the privacy world. You'll learn, you'll laugh, you'll love. We hope we see you again soon.
Arlo Gilbert is the host of The Privacy Insider Podcast, CEO and cofounder of Osano, and author of The Privacy Insider Book. An Austin, Texas, native, he has been building software companies for more than twenty-five years in categories including telecom, payments, procurement, and compliance.