Alan Chapell Goes Public on Privacy, Parts 1-3.
By Wendy McHale
For the last 200 years we've had a Bill of Rights. In the last two, a Bill of Wrongs. The Federal Government has been unable to make up its mind between the two, so it was with great relief when Alan Chapell was appointed as privacy ombudsman in two of the most significant bankruptcy proceedings in our nation's history.
The assignment? To check out two companies located in Detroit which have been collecting data on their customers for over a hundred years.
Constitutional scholars have had it easy. If they think the right to privacy was complex by 18th Century standards (or even the 20th), consider how business, government and private citizens need to exercise Thomas Jefferson's 4th Amendment in the 21st.
What exactly is the Right to Privacy? It's the 4th Amendment , which protects our rights from unreasonable search and seizure:
[It is] "the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
After a jam-packed year overseeing how databases are and/or should be managed, we tracked Alan down and asked if he would go public with what he learned. Much to our delight he said yes! Editor Tim McHale sat down with Mr. Chapell to chat about a range of topics. This kicks off Part 1 of our 3-Part Series with Alan as he goes public on privacy!
Tim: How are you?
Alan: I'm doing well, thanks.
Tim: Great. Tell us a little about yourself and your career track to date.
Alan: Well, I've taken somewhat of an unconventional route. For the first few years out of college I was a touring musician.
Tim: Really? Tell us about it.
Alan: I recorded a bunch of albums in a style that today is called "alt-pop." I was in a band that unfortunately never made it big outside of the northeast. At our peak we drew crowds of a thousand people or more at times. We also played shows with, or otherwise crossed musical paths with some other fantastic musicians.
Tim: Like whom?
Alan: Well, there was Echo and the Bunnymen, Flock of Seagulls, 10,000 Maniacs and the Talking Heads. I have some very entertaining stories from those days!
Tim: I expect that's true. I bet it's good that a lot of them are best left private! What did you do after your recording career?
Alan: I got the opportunity to spend time in India for a spell in the mid-90's - playing in an East/West fusion band, and writing jingles for Indian TV. My current band still plays one of the tunes I wrote while in Bombay!
Tim: That's great! Can you sing one for our readers?
Alan: Have them email me and I'll invite them as a guest to my band's next performance.
Tim: Not before I get to be one! What did you do next?
Alan: I moved back to the states and found a great opportunity at a Direct Marketing agency in Stamford, CT. I helped them open an office for them in NYC while I was applying for law school. Then, kind of on a lark, I joined Jupiter Communications - mostly to kill time until law school began. But the more I learned about Jupiter, the more I realized that this is the industry where I wanted to be. So, I went to law school at night and continued to work at Jupiter - spending nearly five years at Jupiter.
Tim: Jupiter was great. It was like the bible.
Alan: Unfortunately, I graduated from Fordham in December of 2000 - just as Internet 1.0 had burned to the ground.
Tim: Didn't everyone? I think we all graduated from one thing to another.
Tim: What did you do next?
Alan: Well, I knew I didn't want to go to a law firm, and I was pretty sure I wanted to venture out on my own. But I wasn't exactly sure how or in which direction. Then I heard about an opportunity at DoubleClick; to join the research division in a sales support and product management capacity. After I arrived there I inevitably moved into the email space for the company.
Tim: Smooth operator. Seems like the tumblers were all in place. No doubt your Jupiter experience was helpful. Plus being an attorney must have made them confident you were the guy.
Alan: LOL! While it may appear that way, I did not feel on solid footing at that point in my career, but I'm really glad I did it. Nothing educates you on the concept of urgency like jumping into tech sales in a crummy economy. I learned a lot during that time - and was able to apply a lot of what I learned when I started Chapell & Associates in 2003.
Tim: Which brings us closer to today. How large is Chapell and Associates and what makes it unique?
Alan: I currently partner with a bunch of different folks as needed. A couple of years ago, I had a handful of people working full time - including Elise Berkower, a long time friend from my days at DoubleClick and at the time, DLCK's privacy compliance officer. Elise is now doing excellent work as Neilson Online's CPO.
Tim: She's incredible. How do you like being an entrepreneur?
Alan: I love it. One of the things that I discovered over the years is that scaling this type of business is tricky. The way most traditional law firms or consulting firms scale, is by getting that huge client - like a Citibank - and throwing a truckload of attorneys or MBA's at them.
Tim: I think it's caught up with them, at all of our expense in one way or another. What was it like?
Alan: I learned very quickly that I was unlikely to work much with the Citibanks of the world. Even where I'm the best option (which I believe I often am) the safe choice for a large company, the choice that DOESN'T get you fired, is the choice to work with the large consulting or law firm. And that's ok.
Tim: How did you come to that conclusion?
Alan: Over time, I realized that I would have a lot more fun, and a significantly more fulfilling experience working with start-ups and mid-size media and technology companies. The passion that my first experience in music gave me understanding of being true to your trade.
Alan: I've also realized that it's much more interesting being a consigliore to the CEO of a start-up than it is to manage a large team that's pouring over data files, or doing large scale litigation.
Alan: It's also much more profitable - because I'm not necessarily as worried about bringing in revenue to sustain a team, I'm able to be a bit more selective in who I work with.
Tim: Give me an example.
Alan: Sure, the core competency of the firm is privacy and data strategy. As you know, any time an ad is served in an interactive environment such as on websites, software, phone, iTV, Etc... There is a data trail associated with that advertisement.
Tim: So I've heard (grinning)
Alan: I'm able to help companies understand who has the rights to that data. So, while there's certainly a consumer privacy aspect to that conversation, there's also an intellectual property discussion in play. Not to mention significant regulatory and business strategy issues to address.
Tim: Absolutely, how did you get involved with the Chrysler and GM Bankruptcies?
Alan: Well, my firm had previously worked on a number of bankruptcies, including REFCO and Sharper Image. When the US Trustee's office determined that a privacy ombudsman was required in the Chrysler proceeding, they reached out to me. And right on the heels of the Chrysler bankruptcy was General Motors.
Tim: Wild times for sure. The media went bananas over it!
Alan: Indeed. While I'd like to think that the U.S. Trustee was so happy with how I handled Chrysler, it was incredibly gratifying to have then been selected for the General Motors case as well.
Tim: It must have been a busy time.
Alan: It was. It was an incredible honor to have worked on Chrysler - and to have also been selected to help on GM. it's hard not to feel pretty good about being involved in such high profile cases.
Tim: Hot stuff. Then what?
Alan: Shortly after GM, I was asked to do the Eddie Bauer bankruptcy proceeding in Delaware.
Tim: That actually sounds really cool.
Alan: Yeah, it was also about the time that the idea of working on yet another long-term brand going-under really hit me. I remember thinking to myself about the time applying to work in the stock room at Eddie Bauer when I was in high school - and now they were going through a restructuring. Stunning.
Alan: In the beginning I didn't know much about either company prior to their bankruptcy filling. I read the news like anyone else, and was floored by the prospect of economic giants such as GM and Chrysler literally going out of business. But the past year has been unprecedented for a number of reasons, eh?
Tim: Oh yeah, for sure!
Alan: My opinion going into these proceedings, and I say this admittedly as an outsider, was that both companies had focused on cost cutting at the expense of quality and innovation. It's hard to run a long term sustainable business that way. But the larger issue regarding the automotive industry is that it functioned as an oligopoly for decades. The oligopoly kept prices artificially high. The oligopoly resisted innovations like seat belts, and fuel efficiency standards. It sent jobs overseas. And the oligopoly ceded most of its market share over the years as non-U.S. automakers innovated.
Tim: What a mess! What were your stated goals? Can you give me a project plan, if you will of the privacy project from start to finish?
Alan: My goal in both proceedings was to ensure that consumer data transferred from entity #1 ("Old Company") to entity #2 ("New Company") was being transferred in accordance with existing privacy law and regulation.
Alan: Essentially, my role was to evaluate what, if any, representations were made by the Debtor to customers at the point that those customers were making their consent decisions. In other words, did the Debtor adequately inform consumers regarding how the Debtor would use their information, and to make sure that the transfer of consumer information as contemplated in the bankruptcy proceeding was in accordance with Debtor's representations.
Tim: Right. How did you do that?
Alan: Well, I spent a fair amount of time reviewing the website privacy policies and similar documents - current policies, and previous policies to help me understand what was communicated to consumers. I also spent a good deal of time understanding what types of data are collected by the Debtors, where it's stored, with whom it is shared and where it is transferred.
Tim: Sounds thorough.
Alan: It was. The size of the car companies and from a data perspective the complex relationship they share with their dealership franchises made this a challenge.
Tim: Interesting. Let me ask you a question, in year 2000, Larry Ellison (Oracle) was interviewed by the New York Times and stated at that time that the idea of people having privacy is more theory than actuality. Is he correct?
Alan: Ha! Usually when people are making this point - they refer to Scott McNealy at Sun Microsystem's infamous statement - ""You have no privacy. Get over it."
Alan: My favorite privacy quote was given a few years ago by a good friend when we were on a panel. She said, "Most people will gladly trade their mother's social security for five cents off a BIG MAC." That speaks for itself.
Tim: Can you share why the Government created the role of privacy ombudsman in certain bankruptcy proceedings?
Alan: Sure, this is an interesting story - as it has its roots in the online world. I don't know if you remember the company Toysmart.com - one of the casualties of the shakeout that we now refer to as Web 1.0.
Alan: Like most ecommerce websites, Toysmart collected information from its customers, including, among other things, its customers' names, addresses, billing information, and shopping preferences. And unfortunately, like many ecommerce websites that had emerged in the late 1990's, the company ran out of gas and had to liquidate all of its assets.
Tim: Right. What was the issue?
Tim: Now I remember!
Alan: And even after the FTC entered into a Stipulation and Settlement that would enable Toysmart to sell its customers' PII under certain conditions, forty-six (46) States' Attorneys General (and two of the FTC's own commissioners) objected. In any event, it was a mess.
Alan: Ultimately, Toysmart withdrew the sale, and one of its equity owners, Disney, paid $50,000 for the data and destroyed it.
Tim: Smart move.
Tim: Let me ask you this. Do the media play a role in how a privacy ombudsman operates? Like for example, if media companies have the freedom to act as the 4th estate, isn't that contrary to the trend that enable media companies to collect more data about consumers and companies than any other kind of company?
Alan: This is a great question - Congress didn't really give much guidance regarding transparency and accountability for the privacy ombudsman. And I can tell you first hand, that this became an issue in both the Chrysler and GM bankruptcies. Without naming names, someone at the State level had reached out to me and started asking questions about my approach, about what information I'd obtained during my investigation - that sort of thing. And this person may very well have had the best of intentions. The problem is that I didn't know of any law that entitled this person to the level of transparency that they were seeking. And I felt like if I had provided them with that transparency, then I would also need to grant the same level of transparency to others that requested it. Moreover, given that some of the information provided to me by the debtor was of a confidential nature, I didn't feel that it was appropriate to be out there talking specifics with anyone absent an order from the judge.
Tim: That's interesting.
Alan: But I think there's a larger point here - I was really concerned about politicizing the role of the privacy ombudsman. The role of the privacy ombudsman is to protect consumers. However, in certain instances - particularly in high profile proceedings such as Chrysler and GM -those without a direct interest in the case could seek to obtain information in order to derail the process for a whole host of reasons. I really don't like the idea of operating with limited transparency, but one could easily envision a situation where partisan interests are able to object to every step of the ombudsman's proceedings and bring the entire process to a halt.
Tim: Is there one way to do your job for a project that is under the radar versus one as headline driven due to the public company status?
Alan: As I mentioned earlier, the privacy ombudsman role is certainly at risk of being overly politicized. That said I operate on a confidential basis for every project in which I'm engaged. I just don't see any other way of doing things. One of the reasons that I've been as successful as I've been - that I'm able to be effective - is that there is a veil of confidentiality. Nobody would tell me anything if they didn't trust me not to go around telling others.
Tim: Does not the PR in privacy also extend into fairly managing an investigation without hurting a company's reputation?
Tim: How involved should a company's corporate communications group be in order to avoid the whacking DoubleClick got? Should they have seen that coming? That was unfair. It had everyone in our industry captivated. I remember it was the first time the digital media business was challenged in one of its most vulnerable areas.
Alan: DoubleClick's privacy issue is still the most oft-referred to answer to any CEO's question - "why should I care about privacy." Managing the PR aspect of an alleged privacy gaffe or governmental investigation is vital. Oftentimes, a companies' internal PR team may be too myopic and/or lack the requite skill set to manage this process. Mark Naples at WIT Strategy is one of the few practitioners in that space who understands the privacy landscape, and who's built his business around anticipating such minefields.
Tim: I agree. Mark is great. World-class professional. What do you think of the media business today and that 80+% are controlled by less than a dozen companies around the globe?
Alan: I'm not sure where you got those percentages, but I would be very concerned by the prospect of having too much power focused in a limited portion of the online media marketplace. It wasn't a long term recipe for success for the auto industry - and it's an even worse recipe for interactive media.
Tim: Definitely, what did you take away from your experience working with Chrysler and GM that's relevant to your work in online media? How have things changed in privacy law since the work you performed for these two companies?
Alan: Good question. As part of my role as privacy ombudsman, I spent a fair amount of time in Court during both the GM and Chrysler proceedings. Mostly, I was waiting to share my findings with the judge. But as I watched the senior executives of both organizations testify, I began to really think about the significance of these events. Two of the largest economic engines of the past 50 years had been brought to their knees. And no matter how you slice it, that means that many good people will be out of work - and many others will lose their pensions, their health insurance. To say that this was a sad time is a gross understatement.
Tim: No doubt.
Alan: And I was also thinking - if not Chrysler and GM - who is going to be creating jobs over the NEXT 50 years? What companies are going to spark the next generation of economic growth? And being an interactive person, names like Google and Y! and Apple immediately comes to mind. And I'm sure there are other companies being started as we speak - that will come in and completely reinvent things, collectively creating millions of jobs as a result. That is, if we as an industry can do the right thing and demonstrates effective self-regulation. And if the good people in DC and at the State level can equally resist the temptation to fix something that simply isn't broken.
Tim: I never looked at it that way.
Alan: I keep referring to oligopolies, but I think that one of the primary takeaways in my recent experience is that consolidating power among a handful of giants isn't good. If history has taught us anything, this type of consolidation isn't good for innovation. It's not good for consumers. It's not good for democracy. And ultimately, it's not good for the creation of jobs and economic growth.
Tim: I think Jefferson and Hamilton, two people who never saw eye to eye on almost anything would agree here.
Alan: And then I think about Legislation, where the companies in possession of the resources to hire armies of lobbyists are able to exercise more influence in making law, to create "carve outs" to suit their own unique business models, and in some respects, to stifle competition. While I don't entirely discount the intentions of the market makers, if you don't think that there's a chess match going on under the guise of privacy, IP and regulatory matters, you're just not paying attention.
Tim: That's why the industry needs you. Is regulation coming this year? Will it be too weak or go overboard?
Alan: Overall, given what's gone on over the past few years in automotive, financial services and health care over the past few years - with all the work left to be done in those industries - with trillions of dollars of taxpayer money at stake - the idea of stifling one of the few sectors that is doing relatively well absent any demonstrated harm to consumers is, well.... puzzling.
Tim: Ya think? (Smiling)
Alan: On the Legislative side, it's difficult to predict. I'm confident that a bill will be drafted this year. Whether or not that bill will have enough support to make it out of committee, or whether such a bill make it all the way to the President's desk has a lot to do with our industries response to the Government's call to self-regulate. If our response to that call is viewed as weak, I think a privacy bill will have a lot more support, and is more likely to pass. If our response to Government's call on self-regulation is strong, I think support for a bill is significantly diminished. In any event, all indications coming from Washington indicate a significantly more activist FTC, and I'm confident that you'll see additional enforcement actions in the upcoming months.
Tim: You will hopefully share your thoughts on it as it begins to be enforced. How did the laws surrounding privacy change from before to after Doubleclick's acquisition of abacus? Is this the second major case that privacy has been a key driver in a company's practices since DoubleClick/Abacus?
Alan: One positive thing that came as a result of the DCLK / Abacus privacy issue was the emergence of the Network Advertising Initiative. The NAI is a trade association that I've been affiliated with for several years - one that has established standards for (as broadly defined) behavioral marketing.
Tim: Going back a couple of months what was your reaction of Eric Schmidt's resignation from the Apple Computer board? Wasn't that due to a company's right to have corporate secrecy? Did he resign due to any self-regulating corporate policies or due to some SEC issue with regard to protecting shareholder rights?
Alan: I think the larger reason for his resignation is that Google and Apple are increasingly going head to head against each other.
Tim: When I think of behavioral targeting, I still think of Tacoda and Revenue (now Audience) Science. How has the BT landscape changed over the past five years?
Alan: Perhaps the starkest change in BT is the number of entities - at a number of different entry points within the ecosystem - that have entered the BT space. With Adobe, Quantcast, ad agencies and even offline data companies looking to participate, the funnel has flipped. We're now at the point where one might ask - who ISN'T looking to participate in the data economy.
Tim: Who owns the data in theory and in reality?
Alan: I believe that many in the advertising chain have an argument to be made that they own - or at least have some rights to - the data. The publishers believe that they own the audience and, by extension, the data that pertains to their audience. I think publishers are terrified by the prospect of de-coupling audience from advertising - and rightly so.
Tim: I bet.
Alan: Advertisers, ad networks, behavioral vendors, agencies, and even ISPs all have their arguments to make about data ownership. I've worked with a number of different constituencies, and I remain fairly agnostic. The larger issue for me is ensuring transparency.
Alan: I think consumers have a legitimate argument that they own their data. Unfortunately, if you think about the history of the old school direct marketing world, that really hasn't been the case. Consumer data has been routinely collected and transferred around the globe with or without consumer consent. Some consumers have routinely taken steps to control that data - as witnessed by those who pay extra to be de-listed from the phone book. But for every person that delists themselves from the phone book, there seems to be ten more that put everything out there on Facebook for the whole world to see. And I think that speaks to the myriad of attitudes that consumers express when it comes to privacy.
Tim: It's an issue that cuts across the entire net.
Alan: I believe that consumers have rights to own their information, but I don't think ANYBODY has quite figured out what that means yet. Consumer privacy rights should be thought about on a sliding scale. So that my rights to my credit card, social security or driver's license numbers is broader than my right to my telephone number, email and postal address. And I don't believe that it's practical to expect that my rights to information that doesn't identify me personally should be the same as my rights to exercise control over my credit card information.
Alan: What makes this challenging is that technology continues to blur the line between what is personally identifiable, what is quasi-personally identifiable, and what is non-personally identifiable.
Alan: Part of what I think gets lost in the privacy debate - at least as it pertains to interactive media - is the notion that data is subsidizing free content. And I think that the industry in generally hasn't done a great job in making this tradeoff clear to consumers.
Tim: No, we haven't.
Alan: To be clear - I don't believe that anyone thinks its fair for consumers to get free content without ads. There are real costs around creating content, and unless consumers are willing to pay for it, then I think they need to accept some ads. And nobody - not content creators, advertisers, and certainly not consumers - want too many ads. The issue is defining "how many" ads are too many. Data can be the answer here. If data can be used to help keep the number of ads to a minimum, that's certainly a positive thing. And in that respect, data can act as a subsidy for both free content and fewer ads.
Tim: I agree but I'm not sure everyone else would.
Alan: That's an issue. I believe that we sometimes under estimate consumer understanding of these issues. It would be interesting for someone to conduct research on consumer attitudes toward the tradeoff of paying for content vs. targeting. To what extent consumers understand that some of their clicks are used by those other than the website they are currently surfing. Perhaps something that asks how many people are willing to pay for their content if the targeting subsidy is taken away.
Tim: How wide-spread is privacy pushed back to the end of the line in terms of corporate compliance? Are the lines still blurry? As compared to Chrysler and GM, isn't Google an equal player in monetizing BT as these companies are?
Alan: Yes - Google is absolutely involved here. And their voice will continue to get louder.
Tim: What do you think of co-reg programs who incentivize consumers to sign their privacy issues away in return for some immediate benefit?
Alan: To my earlier comment paraphrasing a friend, Many consumers will give their mother's social security number away for five cents off of a BIG MAC. And while I personally would not do that, I'm really uncomfortable with the concept of prohibiting other people from making that bargain - so long as the essence of the bargain is disclosed in a way that consumers can understand it.
Tim: Of course.
Alan: The problem historically with some, though certainly not all of the performance marketing programs is that they were rife with fraud. Confusing, conflicting terms - or no terms visible at all. Some of the things I saw in the ring tone space a few years ago were an embarrassment to our industry. The IAB, the MMA and Performance Marketing Alliance (along with a few notable FTC and state enforcement actions) have gone a long way towards cleaning that space up.
Tim: That's good to hear.
Tim: LOL! Do you know of anyone who has ever written the "Terms & Conditions" that we automatically must click on "I agree" before interacting with some sort of tech download of digital action?
Alan: I know many people - myself included - who have written terms and conditions. Unfortunately, few consumers read them. And that's their right. One thing that's really important to point out is that there are certain functionalities that are so important that they can't be buried in the terms and conditions.
Tim: Like what?
Alan: Well, for example, if you're going to charge me $10 per month for the use of your software, you can't bury that in your t/c's. Similarly, if you're going to be collecting every URL that I visit, you need to communicate that outside of the terms and conditions per some recent FTC decisions, not to mention the recent IAB / AAAA / DMA behavioral code and the recent standards espoused by Congressman Boucher.
Tim: Are most "terms and conditions" the same for every company?
Alan: There are certainly provisions that are common to many terms and conditions. And the way our legal system functions, there are certain provisions that need to be included in terms and conditions in order for the company offering them to adequately protect its rights. Privacy policies and terms and conditions are considered legal documents. And as a result, both are written like, well... legal documents.
Tim: For sure.
Alan: There are a couple of groups making the rounds in privacy circles - talking about abbreviated or "short-form" privacy notices. The idea makes a lot of sense conceptually.
Tim: Interesting. I have to think about how I feel about that. While consumers may see their privacy invaded, they still benefit by Amazon-like business rules "people who bought that buy..." Do companies regularly promote their privacy issues to investors as a sign that the company is well run?
Alan: While I think Amazon's "people who bought that buy" is extremely beneficial, I think that's only the tip of the iceberg. Consumers see significant benefit as a result of the data practices of the online media industry. Consumers receive free content. And that free content isn't paid for with advertising; it's paid for with TARGETED advertising. Ask yourself, Tim - how much is an ad impression on Madison Avenue Journal worth to you? How much would that same ad impression be worth if you were no longer able to offer frequency caps to your advertisers?
Tim: Good question. Not my in my editor's job description! That's the sales group's problem.
Tim: Question, other than firing someone what actions do companies take proactively or by law against individuals who are caught breaking privacy rules/laws? Isn't this an embarrassing issue that could unfairly detract from a company's reputation, particularly due to the fact that their uncovering of privacy invasions is actually a sign of their diligence?
Alan: The lack of accountability - even at executive levels isn't limited to the interactive space.
Tim: Good point. You mention Tacoda and Revenue Science, but aren't companies like Epsilon and Datran potentially equally capable of monetizing BT?
Alan: Yes, and I think you're going to continue seeing more companies enter the BT (broadly defined) space. In the case of the offline data providers, they need to ensure their businesses follow consumers - not to mention the advertising dollars.
Tim: I agree.
Alan: The tricky thing for some of the offline data companies - is that some of them don't fully appreciate the regulatory differences inherent in the online media world. In the offline world, one could collect data, and use it (with a few limitations such as the Telemarketing Sales Rule and DMA guidelines) in just about any way one wants to. And one can essentially transfer whatever data you collect repeatedly to just about anyone you want.
Alan: Contrast that with the online world, where there are pretty strict rules around data usage and privacy. And many who come from the offline world don't necessarily appreciate those rules. I've had offline DM folks tell me that because they are compliant with Can-Spam, they can do whatever they want with the data. And that's a recipe for a regulatory incident.
Tim: For sure. I keep reading about the FTC - both at the Commissioner level and the staff level - really pushing the industry to change its policies and to "get serious about self-regulation." with an implied (if not overt) message of "Or else." What does the industry need to do in order to avoid the "or else", when does it need to happen, and what will happen if (in the FTC's view) the industry hasn't done enough?
Alan: Commissioner Leibowitz and what seems like the entire Commission has made it abundantly clear that we as an industry are down to our last strike when it comes to self-regulation. For example, Mr. Vladek (the FTC's new head of Consumer Protection) has signaled a huge shift in the commission's perspective. The most significant is the notion that government should be addressing certain harms of personal dignity - and that the collection of non-personally identifiable data may, under certain circumstances, may rise to that level of harm.
Tim: You've mentioned that privacy has often been used as a "red herring." Can you explain what you mean by that?
Alan: Over the course of the past few years, privacy has been used as way to rally support against disruptive business models. If someone comes up with a business model that puts yours at risk, it's much easier to jump up and down about privacy - as that gets the blood flowing, as they say - than it is to openly state that such a business model might put you model in serious jeopardy. I'm not here to praise nor bury ISP BT, for example.
Alan: I did some work years ago for Phorm and NebuAd, but I've also work with lots of other in the space. Terms like "Deep Packet Inspection" while technically accurate are also politically charged- akin to the term "Community Organizer."
Tim: That's funny.
Alan: The issue I have with the use of privacy in this manner is that it impacts us all downstream. We're in one of the few industries that seems to go out of its way to bash each other in front of legislators and regulators. And we wonder why some of them feel that there is some egregious injury of dignity that they need to prevent.
Tim: How does mobile fit into all of this? Are there standards for mobile targeting and privacy? Is there now or will there be formal legislation that allows the government the right to investigate all our gps movements, taping into past records and/or watching in real time?
Alan: So far, the CTIA and mobile marketing association have taken the lead on privacy standards. As Chairman of the MMA Privacy Committee, I can tell you to look for some additional guidance in the upcoming months.
Tim: We'll keep watching. On a related topic, at one of Digiday's events year, the ever controversial Mr. Jason Calacanis made an impression the audience on with his feverish issue of getting iPhone to develop a Bill of Rights. What did you think about his remarks?
Alan: I caught part of Jason's speech at Digiday - mostly the rant about the iPhone - and had a brief chat with him in the speaker room afterwards. Jason is an extremely bright guy. And I agree with his larger point - Apple should open things up with the iPhone. The level of control they currently exercise is not good for innovation over the long term. And that's not good for anyone, Apple included. Right now, it's a pain in the ass to work with Apple as a developer. From a consumer, and particularly from the perspective of a bright and experienced iPhone user, it's frustrating that you can't always get the functionality that you want.
Tim: You've got to tip your hat to anyone whose comments garner so much attention.
Alan: The issue I have with Jason's comments is that they don't really jibe with the way businesses work, and don't take into account the realities of human behavior. I've read a number of other critiques of Jason's rants against Apple so I won't repeat them here. But in my opinion, the way Jason frames it oversimplifies it as a black or white issue. It sounds easy to say - "Just have Apple put up a warning when the app you are downloading is not approved by Apple."
Alan: I'm sure that Jason is smart and experienced enough not to download a 'bad' app, but some consumers are not as smart and sophisticated as Jason. Many folks will download things to the Iphone regardless of the warning. So, what happens when Apple and AT&T are flooded with calls from consumers who have downloaded something that was not approved by Apple, ignored the warnings, and now their iPhone's O/S has shut down?
Tim: Somebody loses a customer.
Alan: Right, consider this. Each of those calls costs Apple and AT&T real money. Moreover, Apple's brand will undoubtedly take a hit when, as Jason suggests, "Apple tell those irate customers "too bad, you shouldn't have downloaded a non-approved application." I suspect that if Jason were to download a non-approved app, he would be the first to blog about his bad experience with Apple's 'unhelpful' customer service team.
Tim: It could be.
Alan: And this isn't exactly a hypothetical example. Back when Adware was all the rage, ISPs, Microsoft, and even Jason's former employers at AOL were complaining of millions of dollars in call-center costs due to the adverse effect of 'bad' software downloads. I'm not some apologist for Apple, but I recognize that they need to be very careful in how they open up their platform, or risk having their platform become unworkable overnight.
Tim: Got it.
Alan: It's interesting - we struggle with a very similar issue in the privacy world. Recognizing that only a minority of consumers are really interested in fully understanding their privacy choices, its s challenge for companies to provide enough choices for those who want to exercise them, without overwhelming those who don't.
Tim: I see that. Okay, change gears. What are you most proud of in your career to date? Self promotion IS allowed here as compared to other forums.
Alan: When I started my firm six years ago, nobody in the privacy arena knew who I was. I had a few contacts in the online media space from my days at Jupiter and DoubleClick, but had almost zero visibility in privacy circles. I was able to insert myself into the most significant privacy and public policy discussions, and have built a platform for myself over the years.
Tim: That's great, Alan. I'm pleased for you.
Alan: As of now, I've reached a point where there are few significant discussions going on that pertain to privacy and interactive media where I'm not taking a meaningful part in the conversation. I've been very fortunate to work with some great people - and proud of the work we've done over the years.
Tim: What drew you to establishing a practice in this area?
Alan: As I mentioned earlier, my first "real" job out of college was at a small direct marketing firm. I had landed a contract with one of the largest banks to execute a direct mail campaign announcing a new line of services they were offering. As part of that project, the bank sent me a magnetic tape that contained a list of all of their customers in Fairfield and Westchester counties. The list included names, addresses, telephones, bank balances, and even social security numbers! No encryption - not even password protected. An identity thief's dream. So, if that magnetic tape were to have fallen off the UPS truck en route to my office, everyone on that list would have been at risk. Not to mention that any employee at the direct marketing firm could probably have copied the list and sold it without anyone knowing.
Tim: Holy cow! That's unbelievable.
Alan: And I thought about that - and I started asking questions. Turned out, the tape sent by the bank wasn't some mistake - this was how consumer information was regularly transported back in those days. And this wasn't much more than a decade ago. So that was my initial inspiration. I saw a growing problem.
Alan: And then a few years later, in 2003, when I was in the email space, I saw all of the fear, uncertainty and doubt around a piece of email Legislation from California. And towards the end of 2003, Can-Spam, which was enacted in part to pre-empt the California legislation. And I thought that the time was ripe to start my own firm. Initially, I thought I would make my way as a Can-Spam attorney.
Tim: Great term!
Alan: But I realized very quickly that email marketing was only a component of a much larger issue around data, intellectual property and privacy. And little by little I expanded the focus of my business to what it is today.
Tim: What areas of business and/or advocacy are you looking to enter now and/or in the next 12 to 24 months?
Alan: I've made some angel investments in a few tech companies over the past 18 months. I'd like to continue that, and at some point down the road, look to move into the VC or equity space.
Tim: Is that it?
Alan: I'd also like to write a book.
Tim: I will look forward to your first book signing.
Tim: As a %, could you estimate what % of Fortune 500-level companies have a privacy officer now versus in year 2000.
Alan: My guesstimate is that it's gone from statistically insignificant to a very high percentage over the past decade. The International Association of Privacy Professionals, of which I'm a proud member, tells me that they have 6,200 members. So, I think it's reasonable to speculate that the number of privacy officers is growing exponentially as well.
Tim: Isn't the SEC's over-reliance on giving companies a free reign on how they manage the information one of the reasons why various financial institutions have gotten into a mess? Could you say that it was in part due to their lack of having a deep bench in privacy law?
Alan: When I think of my list of issues with the way the financial markets were regulated over the past decade - issues pertaining to the SEC's knowledge of privacy law isn't even in the top 10.
Tim: Accidents happen where confidential information is inadvertently made public versus when there is criminal intent relating to identity theft. How should companies, specifically BT-based marketing companies operate with due diligence to avoid being responsible and/or sued for either situation?
Alan: I'm really uncomfortable with the idea of using BT and identity theft in the same sentence. The collection of non-personally identifiable information for ad targeting has nothing to do with identity theft. That said, I recently read an article that opined that anonymous data isn't anonymous. And I agree - if you have enough non-personally identifiable data points, the entire data set may reach the point of being personally identifiable. Any company doing ad targeting in an interactive environment should keep this in mind.
Tim: Not every body in the business gets that.
Alan: However, the idea that there is some kind of connection between BT and identity is simply not true. If I were looking to perpetuate ID theft, there are so many easier ways of obtaining sensitive consumer information. Sorting through the dumpster near a local college, for instance.
Tim: What BT will look like in 2-3 years: with (and without) Government Regulation?
Alan: Under any scenario, we will see a significant increase in transparency in the upcoming years for all companies participating in the data economy.
Tim: What kind of legal background does an attorney need to manage government privacy investigations, versus public company situations versus monopoly-based private company issues?
Alan: There are firms which specialize in this kind of work. One of the mistakes that companies often make is to engage the Government in the initial part of the investigation without bringing in some outside counsel. Typically, companies are reluctant to spend the money. And often, that is a huge mistake.
Tim: If you were going to write a "privacy law for dummies" or got a call from a CEO 15 minutes before their shareholder meeting once they realized they may be asked about it, what are the three buzz items that you would equip the CEO with, other than "I'll get back to you on that..."?
Alan: A smart CEO would say "We recognize the importance of ensuring consumer privacy. We've taken very deliberate and proactive steps to ensure that we're in the upper echelon of best practice standards. And I've brought my CPO / GC to outline the details of our privacy program."
Tim: What advice would you give to law students considering developing an expertise in privacy law?
Alan: I think anyone looking towards a career in privacy would to get involved with the International Association of Privacy Professionals (IAPP). Privacy is a hot field - legal or otherwise - and will continue to be so for years to come. They might also consider registering for an event I am producing with the IAPP on April 20th, in Wash DC on the business of privacy. THE IAPP GLOBAL PRIVACY SUMMIT 2010. Besides that, for me personally, I took a lot of human rights classes at Fordham, which ended up being pretty valuable, as human rights law is often about building law or standards in places where there currently are few, if any. Sounds a little like the Internet, eh?
Tim: There's no question. Thanks, Alan. This was great!
Alan: You're welcome, Tim.