How do businesses build the right privacy team? | Colin O’Malley, Lucid Privacy

When organizations grow to a certain scale, it’s easy to justify a large privacy team to match. But what happens to organizations who aren’t yet at that scale—they have privacy challenges too.

Lucid Privacy Group founder Colin O’Malley is focused on serving this market, drawing on his experience as co-founder of Ghostery/Avidon, and helping organizations to right-size their privacy function.

He says the challenges for organizations are growing, from the onslaught of US state privacy laws to the growing role of regulators, as well as the part the technology companies play in enforcing technical standards. Overall, the pace of change is unrelenting—and accelerating.

He joined Kris for a discussion of how he helps companies keep up, as well as what he thinks is next.

They also discuss:

• Why companies at a certain scale struggle to right-size their privacy operation.

• The need for US federal privacy legislation

• The key role regulators play in privacy law

• The impact of GDPR on global privacy trends

• Wider challenges faced by the privacy industry

Resources

• 🎧 FILED S2E4: When preparing for privacy reform, privacy by design is key | Chris Brinkworth, Civic Data

• 🎧 FILED 10: Organizations must keep pace with evolving privacy expectations | Yvonne Sears, ISD cyber

• 📨 FILED Newsletter: The data privacy regulation floodgates have opened. Time to catch up.  

• 📏 Benchmark: How much PII does the average organization store?  

Transcript

Kris Brown: Welcome to FILED, a monthly conversation with those at the convergence of data privacy, data security, data regulation, records, and governance. Today, I'm Kris Brown, your host here at FILED, RecordPoint's VP of product. My co-host Anthony Woodward is indisposed today. I left him in New York and I'm sure that there's lots of good things going on there.

He's been able to make it today, but I'm really looking forward to having a chat with today's guest. And that's founder and principal of Lucid Privacy Group, Colin O'Malley. Now, Lucid Privacy works with companies at the intersection of privacy, data, and technology. Which is super exciting because that's what we're all about here.

And it's where we love to spend our time on the podcast. So, look, I'd love to start Colin by welcoming you. Thanks so much for joining us here on the podcast.  

Colin O'Malley: Hello, Kris. Very good to be with you.  

Kris Brown: Yeah, no, thank you so much. And look, let's start a little bit with a bit of a tour of your background.

Like I actually know you, you got your start there as a co-founder of Ghostery you know, ad blocking, et cetera. But how did that bring you to Lucid Privacy? What was the journey?  

Colin O'Malley: Sure. Yeah. Well, thank you. Ghostery. Slash Avidon. It was one company, had two different names, different points in time.

Actually, for the trivia wonks, it was Better Advertising before it was any of those other two. But we started the company initially in response to the Federal Trade Commission's requirement that the behavioral advertising industry implement notice and choice elements. Wherever they were collecting or utilizing data for behavioral advertising, and we developed the first disclosure system that would ride alongside advertisers that were targeted.

Those were the ad choices labels. We were the leading independent provider of those disclosure systems across the programmatic advertising space within a couple of years, serving with most of the major holding companies and many of the world's leading brands. We then of course have the, the Ghostery browser extension, which shows you who's tracking around the web, locks down the tracking if you don't like it.

It was one of the top privacy extensions out there on the web within the first couple of years. And it still remains today within the browsers of a lot of the regulators across the world, and when they're looking to see who's collecting data, who's appearing on websites, et cetera, goes to resolve to within their toolkit.

And we went from there to additional lines of business focused on compliance activities and intelligence around the tracking activity that was taking place across the Internet. We raised money from private equity, grew very fast. I was there as the co-founder and chief strategy officer focusing on product strategy and global policy. Prior to that, I was at TRUSTe where I led product development for a number of years. So, I was always on this intersection of technology and data protection, particularly in areas around media, advertising, online publishers. Where is data traveling? How is it traveling? How can that be exposed so that companies can be accountable, consumers can understand where their data is going, government and public policy and advocacy organizations can be empowered to set rules and weigh in on behalf of society for the way that these data flows were taking place and what these business models were up to.

From TRUSTe into Ghostery slash Evidon. You know, that really meant designing technical systems that help companies in good faith come into compliance with rules, but then also working directly with regulators and legislators around the world to help them understand the market dynamics, the technical complexity, and often the range of unintended consequences that might arise if rules were set without taking some of these factors into account.

In particular, on the regulatory side, this became hugely important because the legislators, their role really is to come in to set rules and then to move on to completely different markets and perhaps revisit this in a decade, you know. Whereas regulators were on the ground, politically being held to account for effectuating good privacy outcomes, handed rules from legislators that were often not very well fit to purpose, but sloppily drafted and trying to leverage those rules to, you know, do their jobs in terms of enforcing the law, but also to have their own policy view of where they wanted to take a market using the rules that they were provided and figuring out their enforcement priorities and how they were going to handle their terms of office as regulators.

So, our conversations with those regulators would become much more impactful, frankly, than our conversations with the legislators, because especially in all these areas of gray and so much of modern technology, the way to interact with privacy law is in this area of gray are really subject to the interpretation and ultimate prioritization of the regulators on the ground.

So, those conversations were very important to us at that time when we were building out Evidon and Ghostery. Your question is on Lucid. So, I left Evidon/Ghostery in 2012, and would start this consulting practice, Lucid Privacy Group. And initially it began as a small shop that was focused on, frankly providing strategic input to folks that were starting companies.

And were looking to figure out how the trends and data protection and consumer attitudes around privacy should inform their product roadmaps and various other strategic considerations. Over time, little companies became big companies, you know, our reputation in the space grew. We were initially very much dialed in on the ad tech and marketing tech spaces that continues to be a core competence.

But as our clients grew and as our reputation in the space grew, and also as we built towards the GDPR, which was this major landmark regulation that required a lot of what we would have previously considered to be best practice, good governance on the operating privacy side and embedded those requirements into law.

That was hugely transformative to the entire startup space where all of a sudden these operational components were going to be required by law and that required us to build out our practice and to enter into this phase of going from really just strategic guidance, which was our origin, to operational support, data protection officer support, fractional privacy operations for organizations.

That's really when in the startup space, privacy began to take on something that felt beyond kind of strategic guidance from our vantage point. And I think it would have been from the legal standpoint, more kind of legal ops and privacy policies into, you know, good governance and operational support on the privacy side.

Kris Brown: Yeah, and that's a really interesting journey understanding how that has changed and certainly where you've come from there really gives us a great understanding. I love there where you've said, you know, from a GDPR perspective, it sounds very much like the governance element here, just having good data governance is the piece.

And we very much preach that here on the podcast is talking about, you know, good data governance is one of the best ways to guarantee great data. You know, data privacy down, down the chain. I'm particularly interested in something you said there around the fractional CPO and obviously in DPO services.

Like, talk a little bit more about that. Yeah. Our listeners may not know exactly what those terms mean, but also my query, are companies really keen to hand over that much control to a third party and coming in and taking over that operational aspect of the privacy piece inside their businesses?  

Colin O'Malley: Hmm. Yeah, that's an interesting question. And I think that it depends really on the stage of development of the organization. And what we find in market is that there's a certain stage of development of a company, typically, when it gets to the point that it is frankly, beyond publicly listing, right? And into the 5-10 billion market cap range where they begin to bring all these functions in house.

Right. But there's a real challenge for companies at every stage before that, because what you want from your Chief Privacy Officer is not only an executive stakeholder that can take leadership and, and grow a function, but given all of the, again, this operating gray space of how your privacy operation should be benchmarked relative to your peers, such that you understand that you are responsibly managing risk, From a privacy point of view, without overloading the function to the point where you're crippling operations, where you're beginning to find that you're, you built a business that was intended to have one function and market, but instead you're, you're finding that you have this ballooning privacy operation that is, and I don't mean to say that privacy functions shouldn't be well funded and well-staffed because they should be, but it's actually a very nuanced point to be able to right size that function, and it depends on all sorts of things, including the particular geographies that you're operating in and the regulatory attitudes within those geographies and your business model and how much regulatory scrutiny your business model is taking on board and the.

Internal governance that exists across the organization and maturity, the ability of the company to manage its own risks as it's operating in market. And the answer to those questions not only can have a huge impact on how to build out a privacy organization. But also, it can change rapidly, especially for smaller companies that are growing and changing their market focus over time.

And so, in that context, what folks want, especially from a C-level compliance operative is for somebody that has deep in-market experience and that can properly understand the external factors that should determine the way to grow out a privacy function. And it is extremely difficult also for companies that are sub $5 billion of revenue, and especially as you get down to, like, sub a billion and sub $500 million in revenue to be able to pull in the kind of external resource that's going to have that kind of perspective to lead the privacy operation.

Kris Brown: So, what you're really saying is, is it just because of the level of expertise and therefore, you know, effectively the salary and the competency of the staff at that level, it's, you're kind of finding that the necessary evil against providing all of that access and pushing that privacy practice to a third party is, it's just a necessity just as they grow.

Colin O'Malley: Yeah, I think the question would be, how can you obtain the expertise that you need to be able to properly right size and grow out your privacy function? And that's the question that executive leaders are asking and in response to their board imperatives, et cetera. And if you have the right person that you can pull into it to do that for you, then that's fantastic.

And those folks are really hard to come by and especially hard to afford until you get to a certain market cap.  

Kris Brown: Yeah, perfect.  

And so, I like to liken it to, again, back to data governance and the laws are changing here very, very quickly. I was reading the new IAPP report that's come out giving all of the states that have fully fledged privacy programs.

And so again, same issue. I guess you're trying to state there is that in order to have someone, if you're across the entirety of the United States, there's now not just one legislation or one set of regulation that you need to deal with. There's many. And which are the ones that you want to follow?

Which are the ones that you have to follow? I think the report states that what's happening and even just through my attendance at PSR more recently, the practitioners are very much going pick the hardest one, respond and act to that one. And hopefully that'll cover all the others. What's your thoughts on there not being federal, federal level regulation on privacy in the United States?

Colin O'Malley: Well, it's embarrassing as an American,  

Kris Brown: I probably wasn't going there, but from an industry perspective, again, we're very immature ourselves here in Australia, and so certainly just some new legislation coming through and they didn't give us all of the promised efforts that they wanted to from government, but it's coming.

I have to believe that from an industry perspective, the practitioners are struggling. That's what they're saying. When we're at these events, they're struggling with the fact that just so much across the state levels. To deal with, do you feel it's a necessity that there's going to be, you know, that there has to be a federal legislation to make this simpler?

It's a cost thing, right? A cost thing for market for businesses. Like, you've just explained that from a fractional CPO perspective, it's finding that that X level of expertise is very, very hard. If it was federal, surely, we're expecting it to be simplified and therefore it does get easier.  

Colin O'Malley: Correct. I mean, I think the issue, frankly, is that we have a just a terribly functioning Congress in Washington, DC. And so, I would say that it is incredibly important that we have federal comprehensive privacy law, but that doesn't mean that I have any confidence that we will anytime soon. Just because it is terribly difficult for us to pass laws in this country.

Kris Brown: It's the challenge of its own right, right?  

Colin O'Malley: It's a massive challenge, and I don't think that it's specific to privacy, but it certainly is playing out within our field. Historically, it's been, we as a country, America, we tend to be Pretty cautious in passing privacy law. It's been sector by sector.

And even then, often only when states begin to take a jump, and the U. S. Congress is sufficiently embarrassed that they decide that it's time that they reign in all of these various state laws. But we're so much it. Less functional as a Congress than we were, you know, 15 years ago or so, and so I don't have the same confidence that increasing state level complexity is going to drive at least near-term action.

I would love to be surprised that this could change at any moment. So, I don't feel confident that, you know, frankly, projecting it one way or the other. But I think when we look at the commercial imperatives to get something done, that doesn't give me a lot of confidence of that. That's got to provoke Congress into action one way or the other.

I will say that the complexity goes in a whole range of directions here. And one of them is something that you begin to multiply the number of regulators beyond the rules. Right. I mean, in California, we already have a new privacy regulator that folks in market are beginning to view as FTC West.

California is not another Washington DC, but it's presenting itself that way again, you know, because they have a law that's comprehensive privacy law and they get to enforce it, and the federal government doesn't have that. The FTC doesn't have that. That tool and so they have created for themselves a very clear role there.

Californians like to view them as. Themselves is particularly special within the U. S. But there are other special states out there. I don't imagine that we're going to end up with just the Californians taking a strong position with respect to the enforcement of their own laws, especially as we have a dozen plus individual states out there, and they're all going to have their own specific ways of trying to demonstrate value and identity and the regulatory space.

None of that is good news for folks acting in market, notwithstanding the fact that there are important differences with some of the rules That are being passed in state legislatures, just having to deal with, I mean, this increasingly begins to feel like operating in Europe where you have, you know, a DPA in every country, plus multiple in Germany.

And they all have their own kind of priorities. They all have their own interpretations of what the cookie directive means. And so, you need to navigate that even though it's a single law across Europe and America is more headed down that direction for the foreseeable future until it looks like there's a concerted effort to get something done at the federal level, which I certainly haven't seen yet.

But I also want to touch on how this. From an American technology company's perspective has evolved really since 2018, right? And I think we all know as data protection folks in market, the GDPR was incredibly important. We've talked about that a little bit already within the U. S. The general perspective from a lot of technology companies that we talked to is there is a certain company of a certain scale, that needed to deal with GDPR right away, though they typically tried to isolate their response to GDPR to their European operations, right?

We're going to come into GDPR compliance with respect to our European operations and try to firewall the operational impact as they would see it, right? Others might see that differently beyond just operational impact, but certainly from a cost and process point of view, they tried to isolate it to those crazy Europeans, right?

And then what started to happen is more and more all of these international markets as Americans took comfort in the fact that they weren't going to be like Europe. It began to bubble up all around the world and all these other copycat or slightly adjusted approaches borrowing heavily from GDPR concepts.

And you had it Into Asia and South America, you know, all these different markets and bubbling around. And so that firewalls break down, but still on America, but at least not, you know, it's okay, find this market. And that market will start attacking them. We'll build it out. And then you had California punch through with comprehensive privacy law.

And that was the first creep directly into the American market. And California is one of those States where if you're a technology company, you don't get to say, you know, we'll just firewall off California and do the rest of our stuff. And then it started happening in other states in the U S now the American laws are, I wouldn't call them equivalent to the GDPR.

There are a lot of important differences, but they do begin to more and more. And now with a recent federal trade commission pressure began to pull in these back office operational requirements that made the GDPR so unique as compared to American law. And so, you have this perspective of it just being Europe and then being global, but not America and then leaking into America and now penetrating, but more than doesn't say it's in America. And so really, it's taken us six years, but we're finding ourselves an increasingly globalized market with respect to that complexity.  

Kris Brown: Yeah, no, I think naturally they had the next question, you know, obviously from the industry more broadly, you've spoken there very heavily about, you know, how the regulations are creating those challenges.

But what are the other challenges to industry? Is it where are they coming from? There's a technology, is it the attackers? So, what are the other major challenges that the privacy industry is facing?  

Colin O'Malley: Well, so part of this is just pace. The pace of rulemaking here around the world is so accelerated and operates in a multi-year tail with respect to regulatory attitudes and competencies in terms of enforcement of those rules. And so, we're still sorting through very important questions that have never been sorted out with respect to the GDPR that create all this operating gray space and will be for at least another half a decade.

Right? So, if you look at every one of the major markets where they set rules, you got like the 10 year hangover period of figuring out what the hell this rule means and how it's going to be enforced in market and that explodes in complexity. So, part of this is just the pace, right? Like understanding how to manage, how to keep on top of all this and how to right size your response to all these rules.

You have obviously AI is creating a major new vector of potential vulnerability and operational compliance that is still not well understood. And in particular, there are all sorts of potentials for AI to beyond just how do I implement AI within my organization, what my policy needs to be, et cetera.

But with respect to the core fundamental data utilization practices that data protection law was intended to govern, AI. could create really frightening black boxes in which companies could end up creating all of the consumer impression of harm that data protection laws were intended to manage in a black box that allows a company to disown accountability.

And even to come into compliance with the general concepts of what they understand to be the data that's going in and how they are understanding their direct knowledge of how they're manipulating variables. I mean, it's so much of that is just the I told me. And if you extend that too, you know, I just need the AI to help me with employment eligibility and insurance coverage decisions and marketing segmentation and who seems to be.

I don't care if they have cancer, but maybe, you know, just more likely to positively respond to a message about cancer and all sorts of these sorts of core data protection questions. You know, it creates this really fascinating and also frightening black box approach and how we manage that as an industry.

I think once we get past this initial phase of the routine kind of perimeter of utilization and get deeper into risk assessments and risk management and accountability with respect to core data protection principles and also getting further and further away from how data protection like used to be written, which was, you know.

Like, keep the PII out and don't use prescription data and you know, like, in other words, from the ground up, governing the data elements. And then as long as you do that, you're okay. And more and more into managing outcomes and consumer impact, which data protection law really isn't right now set up well to understand.

So, that's a major area, I think, for our industry to grow.  

Kris Brown: Yeah, and I think, you know, we've just tried to describe it, and I'll put a bit of an Australian ism on it, but it's that the pub test, right? Like it's, if you brought it up at the pub, would everybody say, no, yeah, that's okay. And they just say those outcomes and legislating for outcomes is going to be very, very difficult.

Just purely because we're not even sure ourselves where, where we're at there, right? Like the capability of these platforms, as you mentioned, is incredible, but I'm, I'm a little buoyed by the fact that you've still mentioned there that ultimately having good data governance. Here is still core to starting.

It's actually funny that I still talk to people and understanding that all of that data and what it is and where it is and understanding what it is. You just can't be shoving it into an AI and then expecting that you're going to get great outcomes and not seek the ire of the law, if you will, so let me change tack a little bit.

Cause I think it was getting a little dystopian there over the, the terrible things that may or may not happen to us in the future, but you published the lucid tracking technology, privacy impact assessment on your site for our listeners. Can you explain what that is and why you published it?  

Colin O'Malley: Oh, sure.

Yeah. Yeah. So, the tracker assessment template is a guide for how we actually diagnose the impact of tracking activity on a website and its implications for compliance. And this is something that we're asked to do a great deal. You know, our heritage with Ghostery etcetera puts us in a position where we really deeply understand what this tracking activity looks like and there's this complexity, we call it the in terms of the components of what you need to do this. Well, you need a good tracking detection system that scans and understands exactly what tracking elements on our website.

You need a. A privacy database that maps is tracking technologies to the companies. behind those tracking elements. And then you need to understand the impact of your compliance that these tracking companies are having. There are all sorts of interesting nuances here. Are they directly embedded with your knowledge?

Are they coming through redirects, etc? Do they need to be configured in certain ways to minimize their compliance impact on your website? Is your CMP properly gating the activity that you don't want to be at your website? And then finally, given that you have a handle of all that activity, what do you need to do to make sure that your website is compliant in the markets in which you operate?

The level of disconnect that we find within companies is, is astonishing. And what we mean there is, you know, when we do one of these assessments, our first effort is just to help a company get a handle on what's happening. And oftentimes, especially from the privacy office or the legal office, they have a vision of what they're expecting, and it just doesn't map with reality.

And so, this is the lay it on the table. This is what it's like right now.  

They then use that report to determine what their policy is going to be. These are the kinds of tracking activity that are going to be okay. This is the tracking activity that it's not. We don't want to have to say that we sell that in California.

So, how do we change your policy so that the tracking activity is consistent with our being able to make that claim. And then they can take that report their own policy and try to. Make that happen on their website, and then we do these audits to make sure that repeatedly to make sure that that remains the case over time.

It often does not. The issue is, you know, in order to have this, whatever our policy is going to be properly effectuated, all of the tags need to be properly jammed into a tag management system that's coordinating with the CMP. That one step, you know, you could do it on a one-time basis, and then all of a sudden marketing says, yep, but this tag also, and all of a sudden you have this open hole through which all this non-compliant traffic activity is taking place.

And from a regulator's point of view, this is all publicly visible. I mean, they're using Ghostery to see it, right? So, it's such low hanging fruit for a regulator. To be able to say in your privacy policy or in your CMP, you make it very clear that there's no tracking activity. If I say no, for example, and yet there is we're coming after you.  

Kris Brown: And you publish this and it's obviously available.

You've got another on vendor risk as well. What's the reasoning behind being so open?  

Colin O'Malley: That's an interesting question. Kris. Yeah. I mean, so I think just as a firm. Our attitude on this is, number one, I mean, to be frank, this is a rapidly growing field. There's plenty enough work here for everyone, you know, we operate in a field where we have the luxury of being very collegial and supporting each other.

And I, for one love that, embrace that and want to pay it forward and want to collaborate with folks as much as we possibly can. We're getting asked questions about this all the time. Do you have templates for this? How do you do these track reports? I don't understand. And so, our attitude is, let's put it out there.

Let's generate an industry conversation about these resources. We're confident that the feedback that we get from folks on these templates, if other people have smarter ways of approaching these things, you know, we love hearing about that. Our approach gets smarter over time as well. So, it generates activity that generates conversation.

It makes us smarter, and it allows us to pay it forward as an industry.  

Kris Brown: I really do genuinely love it. I think it's a fantastic answer and it's a great reason to be involved in the industry and help out. This is the collegial nature of the industry is fantastic. Colin, I think we're approaching the end, but I always like to finish with one question.

So, I'm going to throw this one out there. I pull my crystal ball out and stick it on the table. You know, you're right at the cutting edge. Whether it's technology or the evolution of regulation, what's the one thing that you're really keeping your eyes on that's going to affect us the most next? And I know we've spoken a lot about here.

I think you could probably point at most of those things, but what's the one big thing that you see in the next few years that really will change what we're doing?  

Colin O'Malley: It's difficult to pick one thing. I would say, first of all, that we need to keep our eye on the technical landscape that we operate in as well.

You know, I mentioned legislators and regulators, but the other main constituency that we're tracking so that our clients can be strategically informed about where things are going. The browsers and the operating systems and the technical infrastructure providers that are managing the rails on which all this data currency is being shipped around.

And what we find is, whereas regulators are relatively small to their teams, relatively unsophisticated as it relates to their technical understanding, though, that frankly is improving over time. That's noticeable just in the time that I've been operating the market in the last 15 years, regulators have become increasingly smart on the technical side of whether this markets operate.

But they move pretty slowly in relation to these big tech companies and the rails that they're providing. And more importantly than the pace of movement, when they make a decision—when Chrome decides to deprecate third party cookies, when Safari decides to gate IDFA, unless the user specifically opts into it, then those decisions are binary, global, immediate.

Right. There's no privacy law in the world that behaves that way. Right. In privacy law, the rule changes and then folks say, I noticed that, but are the cops on the beat? And then the cops take a year or two to decide whether or not they're going to say they're on the beat and then they say they're on the beat.

And then the question is, where on the road are they operating? I've got my, like, my Waze system here to see, like, if the cops are here, or if they're down a couple of exits, and you'll. Like it's just nothing like that when the technical rails are changing underneath your feet. And there's a huge amount of like, they're really using privacy as a principal driver of their feature set and differentiation, which has massive impact, market transforming impact on the way that data collection takes place and the way that data marketplaces operate, et cetera.

I also think just keeping our eyes on the political environment is hugely important. We've got increasingly polarized. Politics here in America and around the world and attitudes towards, you know, the balancing of commercial versus consumer privacy interests can get jerked around a great deal in that kind of polarized environment, especially where we can't legislate very frequently.

And so, when we do, it can have a really big impact. We're seeing that even in the U. S. with, you know, the Lina Khan and a very pro privacy, from her point of view, vantage point in the U. S. Watching those fluctuations definitely is going to be very important as well.  

Kris Brown: Beautiful. Look, again, thank you for joining us today, Colin.

We've had a great time. It's been a very lucid conversation. That's my poor pun of the day.  

Colin O'Malley: See what you did there, Kris.  

Kris Brown: See, see what I did there. See, see. So, thanks for listening, everybody. I'm Kris Brown. We'll see you next time on FILED.

‍