Afleveringen
-
Who can really claim to be a privacy engineer? Does this change in the digital marketing arena? What is the winning formula to integrate this role within the company’s privacy practice?
Thomas Ghys has worked as a management consultant, data scientist, and data strategist, including a 5-year stint at McKinsey, prior to setting up his own privacy engineering practice. He has deep expertise in MarTech and AdTech, auditing traditional machine learning models and data flows. He is also the founder and CEO of Webclew, a tool that helps with the auditing of websites and mobile apps.
References:
Thomas Ghys on LinkedIn Webclew: scanning websites and apps for privacy risks CNIL: a focus on mobile SDKs, announcing enforcement actions in 2025 Thomas Ghys: BAPD expectations for cookie compliancy unattainable for most publishers Dr. Augustine Fou: dismantling marketing attribution, ad fraud controls, and the business case for third-party cookies (Masters of Privacy, February 2024) -
Can we shift the focus from documentation to technical implementation? How can we bridge the cultural differences between legal teams and engineers? What do we mean with open-source data classification?
We are joined by Cillian Kieran, Ethyca’s CEO and founder, in a new installment of our Privacy Tech series. Cillian is a serial entrepreneur and seasoned privacy engineer with two decades of experience leading data-intensive businesses. He combines deep technical expertise with a track record of building and scaling companies, including a global digital agency serving Fortune 500 clients.
References:
Fides: the open source language for data privacy Cillian Kieran on LinkedIn Ethyca Max Anderson (Ketch): Privacy Tech spotlight I – the future of CMPs, value vs. hype in privacy compliance SaaS (Masters of Privacy, April 2025) Daniel Barber (DataGrail): Privacy Tech spotlight II – widespread non-compliance, opt-out challenges, and shadow AI (Masters of Privacy, May 2025) -
Zijn er afleveringen die ontbreken?
-
It is time for a seasonal update at the intersection of Marketing, Data, Privacy and Technology. We are today covering the first four of our usual five blocks: ePrivacy & regulatory updates; MarTech & AdTech; AI, Competition and Digital Markets; PETs and Zero-Party Data.
All references and links can be found in this episode’s blog post: Masters of Privacy.
Allow us to thank two people in advance for their routine work in breaking down the news across some of the topics and jurisdictions covered here: Robert Bateman and his Privacy Corner and Federico Marengo with his Privacy and AI newsletter.
Also, an important disclaimer: the voice that joins me today is a text-to-speech output generated with Eleven Labs.
-
What do we refer to with “privacy metrics”? Are privacy professionals delusional regarding the impact of the discipline in the overall business context?
Lauren Reid is founder of The Privacy Pro, a boutique firm that provides essential training, tools, and support for privacy professionals to turn knowledge into action. In addition to leading The Privacy Pro, Lauren works with executives, boards, and product teams to build privacy data governance strategies that support responsible innovation and prepare companies for investor and regulatory scrutiny. She has a 20-year track record in this space.
References:
Lauren Reid on LinkedIn The Privacy Pro Lauren Reid: Rethinking Privacy Metrics: Aligning with Business Strategy -
Can telco-powered identifiers overcome their own privacy challenges in their attempt to replace third-party cookies or email-based alternatives?
Pascale is the Data Protection Officer at Utiq, a European based AdTech company. She has been working in privacy and data protection ever since completing her degree in Law, including roles at fashion group Arcadia and Vodafone Group. Pascale’s main goal is always to put privacy at the heart of the business.
Utiq’s mission is to enable more responsible digital marketing by offering a telco powered privacy-first technology to Brands, Publishers and Tech Vendors operating in the adtech ecosystem. The Utiq technology consists of online identifiers which can be used to support and optimize digital marketing, advertising and analytics activities, whilst offering individuals enhanced choice, control and transparency, including via the application of privacy-centric controls and a dedicated privacy portal for end users, known as consenthub.
Launched in 2023, Utiq was originally backed by Deutsche Telekom AG, Orange SA, Telefónica S.A., and Vodafone Group plc. It has continued to gain support from numerous other leading telecom operators across Germany, France, Spain, Austria and soon expanding to the UK and Italy.
References:
Pascale Arguinarena on LinkedIn FCC fines Verizon $1.35 million over ‘supercookie’ tracking (The Verge, May 2016) Utiq’s consenthub -
Are Product Counsels in the best position to anticipate and solve privacy and AI compliance problems before we release new products to the public at large - all of it while avoiding costly delays in fast-moving projects?
Linsey Krolik is Assistant Clinical Professor at Santa Clara University School of Law, where she runs the Privacy Law Certificate and teaches Privacy Law. She is Director of the Entrepreneurs’ Law Clinic, where students work with real startups on transactional law projects, and Director of the TechEdge JD, a skills based certificate program for students interested in working in technology law. She also teaches a class called Law and Technology of Silicon Valley, with students playing the role of product or privacy counsel for a day.
Prior to joining academia, Linsey held senior in-house roles as a product, privacy, and commercial lawyer at global companies including PayPal, ARM, and Palm. Also, she continues to consult on privacy and AI governance in her solo law practice.
References:
Linsey Krolik on LinkedIn Santa Clara University School of Law TechEdge JD Entrepreneurs' Law Clinic Privacy Law Certificate Navigating AI and Data Ethics: The Essential Role of Product Lawyers and the Product Counsel Framework (Linsey Krolik, Adrienne Go, Olga Mack) Gam Dias: Agents Unleashed, understanding the Agentic AI stack (Masters of Privacy) -
Is it possible that a whole generation of consent-management solutions built for the EU-driven opt-in world are unsuitable for the opt-out scenario predominant in the US? How are DPOs and AI Governance professionals to deal with “shadow AI” and “shadow IT”?
Daniel Barber is DataGrail’s CEO and co-founder. Prior to DataGrail Daniel led revenue teams at DocuSign, Datanyze (acquired by ZoomInfo), ToutApp (acquired by Marketo) and Responsys (acquired by Oracle). He also advises several high-growth startups.
References:
Daniel Barber on LinkedIn Unveiling DataGrail’s 2024 Data Privacy Trends Report: The Time Data Subject Requests Surged 246% in Two Years DataGrail Privacy Inspector (Chrome Web Store) Max Anderson (Ketch): Privacy Tech spotlight I – the future of CMPs, value vs. hype in privacy compliance SaaS (Masters of Privacy, April 2025) -
Georgia Voudoulaki is Senior Legal Counsel at Bosch, certified Compliance Officer, and adjunct professor at the University of Applied Sciences in Ludwigsburg and the Cooperative State University of Baden-Württemberg in Germany. In addition to her legal and academic roles, Georgia regularly publishes articles in leading legal journals and magazines, contributing valuable insights to the evolving conversation around compliance, digital innovation, and responsible AI.
References:
Georgia Voudoulaki on LinkedIn University of Applied Sciences Ludwigsburg Baden-Wuerttemberg Cooperative State University (DHBW) -
Gam Dias is a seasoned technologist and entrepreneur with a rich background in software engineering, AI, and product innovation. As a consultant, he has helped write the data strategy for Fortune Global 500 companies, innovative startups, and ambitious non-profits. He has a degree in Computer Science from the University of Liverpool and an MBA from Warwick Business School. Gam has lived in London, Leeds, Salt Lake City, Santa Cruz, San Francisco, and he currently lives in and works from Madrid, Spain.
Gam’s latest work, Agents Unleashed, distills years of experience into a compelling look at the rise of autonomous AI agents and their growing role in marketing, sales, and beyond.
References:
Gam Dias on LinkedIn Agents Unleashed (Amazon) Agentforce (Salesforce) Gam Dias: on privacy, agency, convenience, and freedom (Masters of Privacy, 2021) Hubbl Process Analytics Diana Stern and Dazza Greenwood, From Fine Print to Machine Code: How AI Agents are Rewriting the Rules of Engagement (Stanford Law School) -
What is the practical case for combining CMPs and DSAR automation under a single technical solution or software provider? What do DPOs and CPOs struggle the most with when implementing effective privacy programs? Which Privacy Tech features are overvalued or undervalued?
Max Anderson is a seasoned product executive with a proven track record of bringing successful technology products to market in the consumer privacy, data management, and marketing space.
Prior to Ketch, Max was the Director of Product Management at Krux. After joining Salesforce as part of the Krux acquisition, he ran data privacy and consumer identity products at Salesforce, including the rollout of their industry-leading GDPR solution set. Prior to Krux, Max was a Product Manager at IPG Mediabrands, where he was responsible for multiple successful advertising measurement products. Max holds a BS in Chinese Literature from the University of Colorado.
References:
Maxwell Anderson on LinkedIn Max Anderson, The liability in your privacy program: incomplete opt-out compliance (Ketch) GPC: Global Privacy Control Max Anderson, Dirty Data, Broken AI—The hidden threat derailing your competitive edge (Ketch) Andy Dale: DPO vs. CPO, present and future value of Privacy Tech, and the new US administration’s impact on the regulatory landscape (Masters of Privacy) Monica Meiterman-Rodriguez: automation, data minimization and comparative law in DSRs (Masters of Privacy) Sergio Maldonado, Some takeaways from PEPR’24 (USENIX Conference on Privacy Engineering Practice and Respect 2024) -
Today we are taking a look at the difference between DPO and CPO roles in the US, the present and future impact of Privacy Tech in the management of privacy programs, the evolution of privacy regulation under the new US administration, and a potential Schrems III scenario.
Andy Dale serves as General Counsel and Chief Privacy Officer at OpenAP and holds the position of Executive Board Member at The L Suite (TechGC). With extensive experience as an advisor to various companies, Andy previously worked as General Counsel and Chief Privacy Officer at Alyce, a company acquired by Sendoso in 2024, and as General Counsel and VP of Global Data Privacy at SessionM, which was acquired by Mastercard in 2019. Andy Dale earned a JD in Law from the University of Baltimore School of Law (2003-2006) and a degree from Colgate University (1996-2000).
References:
Andy Dale on LinkedIn The Data Protection Breakfast Club podcast on Spotify Brian Focht: Can the American Privacy Rights Act find a path to survival? (Masters of Privacy) Amy Worley on the American Privacy Rights Act (Masters of Privacy) Molly Martinson on state-level comprehensive privacy laws (Masters of Privacy) -
Where is the UK data protection reform headed? How are we to deal with behavioural advertising in the context of sports betting and gambling? Will the UK stay clear of regulating or supervising AI à la EU?
Tim Turner has worked on Data Protection, Freedom of Information (FOI) and Information Rights law since 2001. He started at the Information Commissioner’s Office as a Policy Manager on FOI issues. After that, he was a Data Protection & FOI Officer for two councils and then an Information Governance Manager for an NHS (National Health Service) organisation. He has been offering data protection training and consultancy since 2011. Also, Tim is the author of the very popular DPO Daily newsletter and LinkedIn feed.
References:
Tim Turner on LinkedIn 2040 Training The DPO Daily on LinkedIn ICO: Action taken against Sky Betting and Gaming for using cookies without consent UK betting giants under fire for ads targeting at-risk gamblers (The Guardian) UK Data Reform: What’s Proposed (Bird & Bird) Stephen Almond (ICO): data protection laws as a primary tool for AI governance (Masters of Privacy) -
Theodore Christakis is Professor of International and European Law at University Grenoble Alpes (France), Director of the Centre for International Security and European Law (CESICE), Director of Research for Europe with the Cross-Border Data Forum, Senior Fellow with the Future of Privacy Forum and a former Distinguished Visiting Fellow at the New York University Cybersecurity Centre.
He is also Chair on the Legal and Regulatory Implications of Artificial Intelligence with the Multidisciplinary Institute on AI, and has been a member of the French National Digital Council, currently serving as a member of the French National Committee on Digital Ethics as well as a member of the International Data Transfers Experts Council of the UK Government.
With Theodore we have gone through “the good”, “the bad”, and “the ugly” in the EDPB Opinion on LLMs and personal data. We have also examined the Deepseek affair, as well as the challenges posed by hallucinations in generative AI.
References:
Théodore Christakis’ SSRN Author Page Théodore Christakis on LinkedIn EDPB opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models Discussion Paper: Large Language Models and Personal Data (Hamburgische Beauftragte für Datenschutz und Informationsfreiheit) Lokke Moerel: using personal data in the development and deployment of AI models (Masters of Privacy) Théodore Christakis, ‘European Digital Sovereignty’: Successfully Navigating Between the “Brussels Effect” and Europe’s Quest for Strategic Autonomy Théodore Christakis, Cyber-Attacks – Prevention-Reactions: The Role of States and Private Actors Multidisciplinary Institute on AI Université Grenoble Alpes: Centre d'études sur la sécurité internationale et les coopérations européennes. -
It is time for a seasonal update at the intersection of Marketing, Data, Privacy and Technology. As usual, this Newsroom is divided into five blocks: ePrivacy & regulatory updates; MarTech & AdTech; AI, Competition and Digital Markets; PETs and Zero-Party Data; and Future of Media.
TL;DL: The use of SDKs for data collection/sharing has been a common factor in various fines and lawsuits on both sides of the pond. The EDPB sparked an important debate on personal data-powered AI in the EU. Texas and California went after Allstate and Honda respectively. La Liga (ES), Netflix (NL), Meta (IR), and others received fines. The FTC put an end to personal data sales by General Motors. The My Health My Data Act (WA) was put to the test. AI “reasoning” models exploded, and then AI Agents followed. Garante (IT) blocked DeepSeek and a class action in Germany could have a major impact across the EU. Australia updated its legal framework. The biggest CDP players dissolved into adjacent markets and Google kept marching towards PET-powered AdTech.
All references and links can be found in this episode’s blog post.
-
Daniel Solove has just published a new book, On Privacy and Technology. We went through a few key concepts from it, and also had a chance to revisit other core ideas in the author’s work.
Professor Solove is the Eugene L. and Barbara A. Bernard Professor of Intellectual Property and Technology Law at the George Washington University Law School. One of the world’s leading experts in privacy law, Solove is the author of more than 10 books and 100 articles about privacy. He has also written a children’s fiction book about privacy. He is one of the most cited law professors in the law and technology field. Professor Solove has been interviewed and quoted in hundreds of media articles and broadcasts and has been a consultant for many Fortune 500 companies and celebrities. It is to him that we owe the famous taxonomy of privacy harms, as well as very recent papers on Privacy and AI or Privacy and Data Scraping.
References:
Daniel J. Solove on Bluesky Daniel J. Solove on LinkedIn Daniel J. Solove’s personal page On Privacy and Technology: Oxford University Press, Amazon. The Great Scrape: The Clash Between Scraping and Privacy Artificial Intelligence and Privacy -
What is the best way to address privacy risks in the context of connected cars? Is data minimization compatible with assisted driving? What is the meaning of “Core Vehicle Data”?
Mark Jaffe leads the Rivian ethics, compliance and privacy program. This includes ethical culture, compliance oversight, privacy, and investigations.
Prior to joining Rivian, Mark was Senior Vice President for Privacy at Teleperformance, a global business process outsourcer with over 400,000 employees operating in over 80 countries, spending almost two years in Singapore managing privacy issues in the Asia Pacific region. He has also dealt with data protection compliance in Europe, Middle East, and Africa. Prior to that, Mark spent 17 years at AT&T in global privacy roles as well as global compliance and ethics roles.
Our guest is a frequent speaker on a variety of topics related to privacy compliance and data ethics. Mark earned his B.A., cum laude, from Duke University and his J.D., cum laude, from Northwestern University.
References:
Mark Jaffe on LinkedIn Rivian’s Privacy Hub FTC bans General Motors from selling driving data without permission, adding to case for CarPlay 2 (9to5Mac, January 2025) 800,000 EV drivers’ data exposed in Volkswagen breach (The Register, January 2025) Privacy Not Included, a Mozilla Report about connected cars and privacy (“It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy”, September 2023) Investigation by Netherlands' DPA prompts changes to Tesla security cameras (IAPP, 2023) Tesla workers shared sensitive images recorded by customer cars (Reuters, 2022) Privacy4Cars -
An update was due at the intersection of MarTech/AdTech and the My Health My Data Act, with a Washington Consumer Protection Act case against Costco paving the way for the recent class action lawsuit involving the Amazon Ads SDK. Also, the date is approaching for compliance with restrictions on international transfers of US personal data.
Mike Hintze is a well-known leader in the field with more than 20 years of experience in privacy and data protection. He has been a partner at Hintze Law since 2016 and prior to that was Chief Privacy Counsel at Microsoft for 18 years. He also teaches privacy law at the University of Washington school of law and has served on multiple advisory boards. He has also testified before Congress, state legislatures or European regulators.
References:
Mike Hintze on LinkedIn The Washington My Health My Data Act - Parts 1 to 10 (Hintze Law) New U.S. Regulations Impose Significant Restrictions on Cross-Border Data Flows AI governance, MHMD, and third-party risks at PSR 2024 (Masters of Privacy) Written summary: P.S.R. Los Angeles 2024: Vendor Audits; My Health, My Data Amazon Sued in First 'My Health, My Data' Privacy Dispute. -
As of today, February 16th, Google’s platform policies allow the collection, sharing and usage of IP addresses and other signals across websites, apps, gaming consoles or Connected TV. This has been perceived as a direct contradiction of the company’s long-term anti-fingerprinting policy. The company is expecting that a growing reliance on Privacy Enhancing Technologies will do away with the resulting privacy risks.
Daniel B. Rosenzweig is the Founder & Principal Attorney at DBR Data Privacy Solutions. He advises clients on legal and technical compliance with data privacy and AI laws, and counsels companies on industry mobile app store requirements, AdTech, and privacy-enhancing technologies (PETs).
Daniel’s legal practice is unique in that he develops and codes technical solutions to help serve as a bridge between legal, marketing, and technical teams, in addition to providing clients the usual legal services.
References:
Daniel B. Rosenzweig on LinkedIn DBR Data Privacy Solutions Google: Overview of the Platforms programs policies update (February 2025) ICO: Our response to Google’s policy change on fingerprinting AdExchanger: Does Google’s U-Turn On Fingerprinting ‘Open New Opportunities’ Or Is It ‘Irresponsible’? Peter Craddock: ePrivacy exceptions, advertising, analytics, the limits of consent and server-side processing (Masters of Privacy) Sergio Maldonado on PETs and AdTech: Some takeaways from PEPR’24 (USENIX Conference on Privacy Engineering Practice and Respect 2024) -
This was a really eventful week for AI regulation, with the first rules of the AI Act starting to apply on Sunday, February 2nd and the EU Commission releasing Guidelines on Tuesday (prohibited practices) and Thursday (scope of AI systems). To cap it all, a first-ever class action under the new framework (alongside the GDPR and the Digital Services Act) was filed on Wednesday against X-Twitter and TikTok.
The following conversation with Markus Wünschelbaum, with a particular focus on digital advertising and AdTech, preceded and rightly anticipated these developments.
Dr. Markus Wünschelbaum currently serves as Policy and Data Strategy Advisor to Hamburg’s Data Protection Commissioner Thomas Fuchs. In this role, he advises on key data protection & AI policies and strategic initiatives. Previously, he was responsible for imposing fines, fundamental GDPR issues, and freedom of information. He began his career focusing on the intersection of labor law and data protection, having published an acclaimed doctoral thesis on this topic and working at an international law firm.
References:
Dr. Markus Wünschelbaum on LinkedIn Hamburg’s Data Protection Commissioner (Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit) Guidelines on prohibited artificial intelligence (AI) practices, as defined by the AI Act (EU Commission) Guidelines on AI system definition to facilitate the first AI Act’s rules application (EU Commission) Class Actions Filed Against TikTok and X in Germany: A Test for the DSA, GDPR, and AI Act (Spirit Legal - Peter Hense) Peter Hense (Spirit Legal) on Masters of Privacy Luca Bertuzzi (Euractiv) -
Alex Dittel leads KHQ’s Data Privacy, Cyber and Digital legal practice. He brings over 15 years of experience in data protection, information security and technology commercial matters acquired during his time working for big and small technology companies and law firms in the United Kingdom and Australia. As a passionate GDPR-native data privacy lawyer, he advises on Australian as well as international data privacy matters. He holds CIPP/A, CIPP/E and CIPP/US certifications from the IAPP.
References:
Alexander Dittel on LinkedIn KHQ: Data Privacy, Cyber and Digital Alex Dittel: OAIC’s decision a warning re use of facial recognition technology First Tranche of Australia’s Privacy Law reforms explained (Association of Corporate Counsel) - Laat meer zien
