Episode 27: Building Trust Through Privacy – Why The Right Data Requires Consent
Hosted by Aaron Burnett with Special Guest Jodi Daniels
In this episode of the Digital Clinic, we explore the evolving privacy landscape with Jodi Daniels, CEO of Red Clover Advisors and co-host of the podcast ‘She Said Privacy/He Said Security.’ With over 25 years navigating the intersection of digital marketing and data privacy, Jodi reveals how building trust through smart privacy practices can unlock new opportunities for growth.
Jodi provides practical advice for companies on how to future-proof against evolving regulations. Tune in to hear the positive impact smart privacy practices can have on customer trust and operational efficiency.
We dive into the current privacy terrain, from GDPR and state regulations to sector-specific frameworks like HIPAA and GLBA, and discover how forward-thinking companies are turning compliance challenges into competitive advantages. Jodi shares actionable strategies for future-proofing your organization against evolving regulations, emphasizing the need for comprehensive data inventories and effective governance processes.
You’ll learn how the right approach to privacy can strengthen customer relationships, streamline operations, and position your brand as a trusted leader in your industry. Tune in and discover how to transform privacy from a hurdle into a strategic path forward.
Aaron Burnett: So Jodi, you have a very excellent podcast yourself called She Said Privacy, He Said Security, and I would like to take a page out of your great podcasting book by starting with asking you to tell us a little bit about your career journey.
Jodi Daniels: I started off as a financial statement auditor, so it’s funny to see how things have come full circle. I paid a lot of attention to business process, but from a financial perspective. Now I pay a lot of attention to business process, but from a personal data point of view.
So I started at Deloitte, realized accounting was really not for me. Went to the Home Depot. I did some financial compliance obligations doing Sarbanes-Oxley work and strategy. And then I ended up at a large company, Cox Enterprises, where I did strategy and targeted advertising. And that was one of the big flips in my career because I essentially created a targeted ad network. So I stalked you for cars at AutoTrader.com. If you bought a car in the late two thousands, you’re welcome. I might have been an influence in that.
But that was really the entry point to privacy because the industry actually was trying to create self-regulatory guidelines. There really wasn’t much from a law perspective, and they thought we should really do this ourselves. And I was responsible for that compliance. From there, I realized, gosh, this is interesting. I was looking for something new. And I ended up creating the first privacy program at one of the other subsidiaries, Cox Automotive, and then left that.
I was then in digital advertising and privacy, really a digital privacy lead at Bank of America, and I left that seven and a half years ago to start my own company and move out into the entrepreneurial space. When I did that is when GDPR came on the scene, where people were really paying attention to it full-time. Then we had the sweep of what we have going on in the US, and we’ve just built and grown the consultancy from there.
Aaron Burnett: Your company is called Red Clover Advisors. Tell me a little bit about Red Clover Advisors, the work that you do, and I’m interested in how you work with clients.
Jodi Daniels: Red Clover Advisors is a data privacy consulting company, which means much like you actually write yourself in from a digital marketing point of view, we’re helping companies on everything privacy related. For us, that might mean, I’ve mentioned a few of the laws. GDPR is the big European law plus our friends in the UK, same version. And then we have here in the states all the different state laws.
We might help someone figure out which laws apply to them and what does that mean. What are all the requirements of each of those laws? For some, we might take one of the requirements. Maybe they need a privacy notice or a consent management platform, a privacy rights process. We’ll help on whichever slice it is that they need, and that might be people, process or the technology.
And for some companies that are smaller and they might have no privacy people on deck, we may serve as that fractional privacy officer or kind of be the fractional privacy office. So again, if you think about the agency model where you might hire an agency to help you on all or a slice of the marketing activities, and there’s an agency is a team of people. The same is going to be true on the privacy side. There’s a long list of privacy to-dos and operational tasks that people need to do. You might need the plan and the roadmap. You might need help on executing a slice of it. Or you might need like what the fractional CMO or the fractional team is, right? What the agency is. And we are doing the same on that privacy side.
Aaron Burnett: Give me a sense for the current privacy landscape. The rate of change has accelerated. Complexity seems to have increased exponentially. Neither of those things seem at risk of slowing down.
Jodi Daniels: Oh, privacy friends keep saying we have job security, so it really did start from a modern time with a new privacy law. Again, our friends over in Europe, GDPR. That was 2018 when it became effective. From there, then California was the first comprehensive privacy law. Four more states passed pretty quickly after that, over a year and a half period. And then we, as of this recording, have 19 state comprehensive privacy laws.
And then in good US fashion, we are moving in the sectoral approach. What do many people listening are pretty familiar with? HIPAA. It’s been around for a really long time. That’s a national law that focuses on the slice of health data, but not all health data. Then for our financial transactions, many of us are used to the Gramm-Leach-Bliley Act, GLBA. If you have no idea, I’m talking about the chart that you typically get from your bank or credit card company that has a privacy notice. You’ve typically probably read it word for word. I’m sure. Maybe you actually just tossed it. That is an old law that’s been around for a really long time. Also deals with a slice of data. And then we have COPPA for children.
What’s happening now is some of the state laws are adding in a broader definition of health or for kids’ data. And then there are other states that actually are carving it out and creating new legislation just for health data like in the state of Washington. Some are moving forward with just a children’s law, like in the state of Arkansas. And then literally while we’re speaking, there’s a variety of other laws that are on the books, which means we have more states than ever before and growing.
So we’re still at 19. I will say, my prediction was going to be, we’re going to get to 25 this legislative season. It’s a little slow. It hasn’t quite happened yet. We’ll have to see. There seemed to be some other distractions.
So we’ll have to see. It’s why I don’t bet. But I do think if it’s not this year, it’s going to be soon. And we are seeing, like I said, a massive focus on health data and on kids’ data. So people seem to agree you should protect my health data and you should protect the kids.
Aaron Burnett: Do you have a thesis regarding the arc of privacy regulations? And I ask that because our thesis is the highly restrictive environment that exists only for healthcare data today is a harbinger for where all digital privacy will head in the future for virtually all industries across all geographies. Do you share that perspective or do you think that we will remain in this more state-by-state or sector-by-sector regulated approach?
Jodi Daniels: I think for a while we’re going to be in the state-by-state and sector approach. We’ve been this way for a really long time across everything. Pick any kind of compliance topic, and I actually often compare privacy to what we see from an HR and tax perspective. There are some national HR laws and then there’s individual state, and sometimes even local laws. We have a national tax obligation, but then you also have state and local.
So here on the privacy side, we’ve started with the state approach. There are actually some local. You mentioned AI earlier. New York City is an interesting example where they have particular use cases for HR using AI. So very local law around how you can and can’t use that data. So we have a lot at the state level and we have some older ones at the national level, but not at a comprehensive level.
The challenge at getting the comprehensive level is to get agreement, and there’s two major challenges. One is private right of action, which means I, the individual, except not me in Georgia, because I have no privacy rights right now, but maybe in a federal law I might, so me, Jodi, in Georgia, could I sue the company for failure to adhere to one of the privacy requirements? Some people believe that’s the only way companies will do anything and others believe well, the only people who win there are the law firms. And Jodi, the individual gets like $4. Or in some situations actually I received a settlement that says there is no settlement for the egregious behavior that the company did. They just have to have a program. And I thought, what was the point of being a class action? Okay, so there’s that.
There’s the private right of action, and some people believe this is the way it should go and others don’t. The other major problem is now preemption and will the states be able to still have a law of their own and which one wins? The state or the federal? And at 19 different states now, that’s a lot of different states with different interpretations of what is important.
I think at some point we will have a national law. It’s very hard to know when it will be. We’ve had a couple chances over the last couple years and they have failed for both of these reasons that I’ve shared. I just call it a political dart because it’s just so hard to know which way it will go. I do think at some point, but for now, instead, what you’re seeing are states modeling after other states. Nebraska kind of copied the Texas law and you’ll have some that are blends, like Oregon really likes the Colorado law and it looks to Connecticut a little bit as well. So you have kind of state-by-state models now.
Aaron Burnett: Yeah, kind of a patchwork.
Jodi Daniels: Total patchwork. Yeah. It’s going to keep us all busy for a while.
Aaron Burnett: As you work with clients, how can you guide them so that they are to the greatest extent possible future-proofed against all the vagaries of state level regulations and all the change that is coming down the pipe? Is there a philosophical, a MarTech, a process-driven approach that best protects them from having to re-engineer everything every time regulations change?
Jodi Daniels: The first is to actually understand who they are as a company, because if they’re B2C versus B2B, that’s actually one big distinction. The other is then who they’re serving. Are they a US only company? A US and Canada company? And where in Canada or how global is the company? Because that’s really going to determine the right operational impacts.
What we can do here in the US is still really different from what I might be able to do in Europe and in some provinces in Canada. So actually understanding kind of current state and close-ish future state for them is going to be really important. From there, it’s then understanding the kind of data that they have and what are the goals, because that also is going to determine how hard or cumbersome any of these are or aren’t going to be.
For healthcare, part of the challenge here is, let’s just take the states. We have 19 different states. The definition of health is different in all of those states. For some, looking at the tech stack is actually important to determine how easy or not easy it would be to unify them all. And I joked earlier, I’m in Atlanta, Georgia. I have no rights. So for some companies, it is easier for them to include me at the beginning and just make a national approach. For other companies, it’s actually the reverse. It’s too hard or would harm their revenue and their whole model more, and so they choose not to do that.
You really have to look at the business model and the strategy and what works. I’ve had some companies say let me look at my values and just my company strategy, because I would never want to exclude Jodi. That just doesn’t work with who we are as a company, even if I don’t have to offer her these privacy rights. So there’s a lot of these different pieces that you actually have to get at, and as you noticed I didn’t even get to the actual obligations first. I just have to know who the people are and the kind of data that we have, and then I have to line up all the different obligations and figure out how does my business model and my tech stack line up when I start to get to the actual tactics.
The reality is if you do any of these, like a data inventory is a documentation of all the data in the organization. Look at it like the flow of data. If we were all together in a conference room sitting at a whiteboard, you went left to what’s the kind of data, what are you using it for? It goes in these five systems. You collect these kinds of points. You asked for consent at the beginning. The reality is when a new law comes along, you already have the data inventory and you’d be able to easily see, oh, is this data element maybe classified as sensitive? Great, we already know that. And you move on your merry way.
If you have a holistic process for managing privacy rights, when another state passes, you’ll just have to go to that initial strategy decision. Did you include or not include that state? If you hadn’t included them, maybe their rights are the same as somebody else’s. You already have the system and the process in place, so now you’re just adding that particular state.
So hopefully that kind of gives some context to that idea of how you’re future proofing there. The reality is there are nuances and you have to literally look at every single state and what their special nuances are in identifying which laws are in scope for you. Your current close-ish future plans for growth, so you get the right area and the operational pieces. Then you can start building the privacy program as you need to, and new states just won’t seem that burdensome because you will have already built the foundation.
Aaron Burnett: In that answer, I get the sense that there probably is an optimal recipe that if you could, you would introduce or implement for clients. To the extent that’s true, can you talk about an ideal state for policies and processes and MarTech that should be in place for clients?
Jodi Daniels: The first is that data inventory for privacy professionals. That is the foundation. If we were to put it in the middle, and every privacy requirement goes around it because privacy is all about personal information. And if you don’t know how you’re collecting it, using it, storing it, and sharing it, you can’t do anything in privacy.
A good program is going to be one that really understands that, and it shows up in, oh, I’m a new tool, I’m a new use case, I’m a new data field. All of that is then captured easily. If I’m a new tool, I have a process over here to vet that tool, not just from how much does it cost and do I have a contract in place, but part of that contract should be how does it comply with privacy laws? How is that company going to help me with privacy rights? So there’s some privacy pieces to vetting that vendor.
Now I have to have privacy rights. Now, some companies might have a lot of privacy rights and some companies might have three. So it’s all about also right sizing to the kind of data you have and the experience you have. So from a tech perspective, I’m a big believer in getting the tech that works with you, the company, and where you are in the business.
So the very first tech that everyone has to have is a good consent management platform. This is to manage those cookies and pixels and digital trackers. Everyone listening, that’s what everyone on the outside can see. We can all see that and everyone can test it too. So in terms of, I’m a new vendor, I’m a new pixel, how is that getting vetted? How is that being reviewed? Because what often happens is companies will install these and then they forget about them. They create new landing pages, new websites. They forget about the new pixel. Oh, they tested it. They didn’t take the pixel off. They haven’t understood what is that pixel actually carrying? What kind of data is being sent?
There’s been all kinds of cases where they’re collecting health data and all kinds of other scenarios and challenges there. So a good process, a good cookie governance process. I have to expand that these days to pixel governance, digital tracker governance. Pick your flavor. One of those that’s going to have the people, the process and the tech in place is critical.
So tech belongs where there’s high volume and where there’s a necessity. I’ve done data inventories with tech. I’ve done data inventories on an Excel document. We’ve done privacy rights with manual web forms and email because they literally just don’t get that many. And then we have big, fancy, complicated systems to put all those in place. But the tech everyone needs, please don’t build it yourself. Please go out and buy one of the many. That’s all they do, all day long consent management platforms and install it, but it is not set it and forget. You have to install it properly, you have to test it, and you have to build governance around it, especially with marketing activities that are happening.
Aaron Burnett: One of your takeaways from IAPP Global was this is a thing that’s being tested by regulators right now.
Jodi Daniels: A hundred percent in two parts. And actually one of the other areas is a privacy notice. So everyone needs to have a privacy notice. It should be updated at least once a year. Fun fact, California says at least once a year, so guess what your prospective customers, especially in a B2B space are doing? They’re going to see your privacy notice and if it’s old, how do you think they’re judging your privacy program? Probably not. Everyone can see and test that cookie experience a hundred percent. That’s what regulators are doing.
And the other thing that regulators are doing is if they have a concern or complaint, they are using the privacy rights process to submit the complaint. So if in your privacy notice you said email privacy@company.com, if you want to exercise one of your privacy rights, and then no one ever actually checks the mailbox and you get a complaint or an inquiry from a regulator, you will have missed it. So they are doing that on purpose. Brilliant. To test: are companies just setting and forgetting or actually have a human in place to manage the process or a software in place to manage the process? But here’s one where there needs to be human intervention because if it gets in the software and then it’s ignored, that’s not going to work out so well.
Aaron Burnett: And I know you mentioned that this is an area where you’re unlikely to get grace because you missed it in a mailbox that nobody was paying attention to.
Jodi Daniels: Oh yes. Regulators specifically. So I was at the Global Privacy Summit. This is where all of the privacy professionals globally around the world convene and talk all kinds of things, privacy. So regulators come to share, here’s what’s on their mind. And they specifically said we are not going to give you any grace for a situation like that where you just, oops, no one paid attention to the mailbox.
Now, if you get it at the beginning, there’s a significant amount of effort someone’s on, is out on leave. If there’s an extenuating reason where you need to ask for more time, you ask for that in advance with a well thought out reason alongside likely your legal counsel, and they might give you grace. It’s not that they’re trying to be unreasonable, but if you didn’t get it and it’s the day before, oops. Yeah, that’s on you.
Aaron Burnett: What, if anything, do you think is broadly misunderstood about privacy regulations and the privacy landscape?
Jodi Daniels: I think that they’re meant to be gotchas and that it’s a very much, I’ll check the box kind of activities. So I like to get people to realize why, how did we get here in the first place? Typically rules and laws are because someone messed it up, if I’m being honest, right? There are companies who pushed the envelope and they went too far.
If I put my marketer hat on, what is everyone trying to accomplish? Everyone’s trying to accomplish a relationship with prospective customers and current customers, and we want them to buy stuff. Buy services, buy products. That’s, if we just boil it down, that’s what we’re trying to do in that message. You’re trying to get them to believe your product or service is the best one, and here’s why. And you list a bunch of reasons. You’re trying to get your message to as many people as possible, but the key is getting it to the right people.
So marketing strategies have pushed and used data in an egregious way, and that’s how we got to privacy laws because we’re using data thinking it’s ours when we have to remember. No it’s a person that you’re trying to sell to and people don’t really love being sold to in an uncomfortable, creepy way. And so I think when people think, yeah, there’s this long list of requirements and there are, hi, that’s my business. Let me tell you about all the requirements that are here and make sure you do the right thing. And why is there a regulator? Because companies don’t always want to just do the right thing. There’s three of those on the planet that will, and thank you to those three. The ones that are left, you need the carrot or the stick.
The thing for me, that is your customers. Your customers will buy more from you when they like you. Guess who exercises a privacy rights request? People who are mad at you, so you did something, then they are mad. They want nothing to do with your company. Don’t make them mad. You’ll never have a privacy rights request. It won’t be a problem. Don’t send bad emails. Don’t send too many emails. Give me choice, give me control. And actually your marketing will be more effective that way.
Privacy professionals, there are some that are very much, here’s the law and here’s all the terrible things if you don’t comply. And there’s that. That’s true. But for me, I think the bigger piece is misuse people’s data. You won’t have a customer anymore, and it goes to your reputation and your brand.
Aaron Burnett: You’ve made a couple of interesting, very thought-provoking comments on recent episodes of your own podcast. One that privacy doesn’t have to be a cost center. It can be a real contributor to the value of an organization. Can you share a little bit more about that?
Jodi Daniels: A really easy way, I think, to help explain this is in a tech space or even in a regulated space like healthcare, where you’re asking someone to give information. So from a software perspective, we tend to see, here’s the software, here’s all the great bells and whistles. It’s going to make everything wonderful. Now all the features are AI related. Look at how wonderful and amazing it’s going to be. It’s going to solve your life in four seconds.
So then what is actually the really common question right now from an AI point of view that many companies are asking? Are you going to use my data and train on it? Now interestingly, the same question honestly should have existed before because when we were giving data to a third-party company, we probably should have also asked, are you going to also use my data? That happens with some really big companies that we might know in a marketing realm. It’s showing who might be having those conversations with judges, and it’s showing up a lot in AI.
So what are those companies doing? They are also addressing those points upfront and center. They are listing the privacy and security requirements. I see here’s how we comply with GDPR. Here’s how we do or do not use your data. They’re addressing privacy and security concerns right up front, right after. Here’s how awesome the product is.
When the prospective customer comes to look at that, I now am able to help that sale because I’ve alleviated the customer’s objections, which right now privacy and security are top of mind. And if you’re one where your sale’s a little bit more complicated, maybe you actually have salespeople, the more you arm them with that information to deal with those concerns upfront, you actually can shorten the sale. Because the worst thing that happens is the salesperson gets, yay. Your tool is great. And then you get to the negotiation and the vendor review and all the privacy and security and legal teams ask their 1,500 questions and you don’t have a really great story to tell. And it just slows the process down. The more you can give upfront, that is one of the ways to make it a revenue center, not a cost center.
And on the health side or any kind of regulated data side, or honestly even just sensitive data. When you’re asking someone to share it, their concern is who are you and can I trust you? What are you going to do with this data? This is really sensitive. The more that the company can alleviate my concern over who are you and how are you going to use it, and how do I know it’s going to be properly protected? I’m more inclined to give that data. Again, moving it all upfront, it’s not just, oh, you have a privacy notice. It’s no, I can actually trust you when you want to process whatever sensitive information it might be.
Aaron Burnett: Out of curiosity, are you aware of any studies that test this empirically and contrast an environment in which a high trust environment is created through great data privacy policies, declarations, and information versus the opposite, and whether in fact that high trust environment can be demonstrated to increase conversion, accelerate sale in a way that can be quantified?
Jodi Daniels: I would say I typically really like to look at the Pew Research Center who does a lot of research on privacy and trust and what people are comfortable with and not comfortable with. So they tend to put out, I think it’s an annual study, but they have a wide collection of information. And the Ponemon Institute is another one that also puts out a lot of really great information.
Aaron Burnett: I also heard you talk about the way that companies have the ability to implement good privacy policies in a manner that doesn’t disrupt operational efficiency. That’s one of the big concerns that we have as we start to work with particularly larger organizations, that this will be disruptive to everything that matters to them. Everything anyone is measured on or bonused on or that sort of thing.
Jodi Daniels: And I think there’s different kinds of data and different parts of privacy. If I use maybe cookie and pixel governance. We’re working with a large organization now and trying to set this up. They’re at zero and they know they can’t move to the most strict ever. So that’s going to be very, baby steps to get them there. But if they have zero visibility into what’s happening right now, and pixels can basically just go up and there’s a process to actually get a pixel up. So that part’s locked down. But whether it’s pixel A or pixel B, and what’s in that pixel that’s not really reviewed.
So one of the ways that we’ve been discussing how can we operationalize this in a way that doesn’t impede the business but also covers the privacy concerns is creating kind of the manual of, okay, if it’s this kind of pixel. You have to ask these kinds of questions, like what kind of data is being captured? Who is this vendor? Do they have terms and conditions? Has anyone reviewed them? Will they use this data for a long period of time? What’s the process to turn the pixel off so it doesn’t just sit here forever and we just keep sending our data to this random third-party company?
And ranking them based on risk. So an analytics pixel might be one way, an advertising pixel might be another way. If it’s collecting actual, is it retargeting on certain pages? Might it be retargeting on a page that could be deemed sensitive, that might go in a different kind of bucket. Who is there? Anyone responsible for even just knowing what pixels are going to be on the site? Having a regular set of audits and that in my mind is very much dependent on how often the pixels change because for some companies, they’re changing every month. Maybe you need something every month. For some you barely are doing anything. Quarterly might be fine or even semi-annually because it’s so the same and static.
It’s very much finding what’s right sized for you. But I would say a lot of companies work with agencies where the agencies have full cart access to the site and the company just puts like, hands up. That’s not my responsibility anymore. And actually, no, as the company, it’s a hundred percent your responsibility to manage the agency. And as anyone with an agency, it’s also your responsibility to make sure that your companies and clients are a part of the conversation and finding what does that look like? And again, it goes to how often is that? A weekly approval, a monthly approval? A list of here’s what we’ve done and here’s who we vetted.
It has to just work with the business. But that’s how you make it. There’s a lift at the beginning to put process in place, and then you’re able to move forward, review and audit, and both sides are happy because the privacy people feel like their concerns are addressed and the business people feel like it’s not every single pixel, every single time having to have this multi-week to multi-month review.
Aaron Burnett: From our perspective, one of the things that we find is misunderstood when we begin to work with a new client is that good data privacy practices, just by definition, mean less data and less data fidelity, and that’s not the case. In fact, we most often can improve fidelity and improve even the amount of data collected. It’s just the processes around handling that data, the processes around sharing that data that need to change. And I think that is, that’s a worry that people have and maybe even a reason that some people shy away from embarking on this sort of a privacy first journey in the first place.
Has that also been your experience? And I’ll give you more context. When we implement, in particular, HIPAA-compliant data solutions for our clients, we will use either our own HIPAA-compliant data warehouse or establish a data warehouse for them. And we’re under BAA with our clients. And we are able to collect full fidelity data if it’s consented collection, and offer that data for analysis as long as it is within the organizational infrastructure of the organization. You can’t share willy-nilly and you can’t activate willy-nilly, but you still get to learn a lot about users and those people who have come to you through various forms of advertising. Has that also been your experience?
Jodi Daniels: I think a lot of people do believe, I can’t use any data and exactly what you’ve described. What I would say is the laws do say collect the least amount possible for a business purpose. It doesn’t mean collect none, it means collect the least amount possible. Now at the same time, marketers might be known for trying to collect everything under the sun and having no business purpose. It might be, wow, it’d be so nice to collect this, and maybe in the future, someday, in some unknown period of time, we might collect it. That’s not a privacy first approach.
A privacy first approach is, no, here’s the data that I need and here’s why I need it. Oh, and by the way, I communicated that in my privacy notice and in a situation where I need consent. It meets the right definition of consent. Anyone read consent where it’s like 15 lines and four point font and you can’t read it? That’s not consent. Consent where you’re not tricked. Consent where it makes sense. Consent where the person understands and says, okay, and then properly disclosed. You can have that data.
In my mind, people consent or people more willingly give data. It’s not, it doesn’t always have to be a consent, but it might be. I choose to give the data as the relationship is built on trust. People often use kind of the dating marriage analysis when it comes to data, because when you first meet someone, if you ask them the longest list of questions, that’s like the first date. You don’t ask all of that. We just got to know each other. I’m willing to give you a little bit. Some people aren’t even willing to give name or email or phone because they’re so concerned it’s going to be tied and built on a profile these days.
Okay. You get me warm and fuzzy. You deliver something. I feel good about it. Now you’re ready. You want more data from me? If I feel I’m getting something valuable and I trust you and you explain to me what you’re going to do, I’m ready to give you the next set of data. And it just keeps going on. That’s how loyalty is built. It’s not that you can’t ever have data.
And of course you also mentioned good access controls and sharing controls. So those are the security architecture. So good security of course, is very important. That’s a subset of privacy, just the concept of collecting it and using it. Yes, there’s some laws that tell you what you can and can’t do, and then after that the question is, should you and shouldn’t you? And that all goes to what does your customer expect and how did you tell them and how did you collect it?
And I’m telling you, if you ask all of it at the first moment, no one’s going to say yes. You got to work up to it. And you want accurate data. That’s the other really important piece. That’s right. Taking to this trust piece. When people ask the information too quickly or force fields, that’s the worst one. Why does everyone pick? I prefer not to answer. Why? Because they don’t trust you. So if you don’t give that field, and I don’t actually want to, and you make me answer the question, I’m going to pick a bad data field.
So to get to good data, you have to build trust. The more you force someone to give data, you actually will not know if it is valid or not.
Aaron Burnett: Continuing in this vein, I’m sure you’re often asked about the best privacy practices you’ve seen. I’m actually interested in the worst privacy practices that you have encountered.
Jodi Daniels: The worst, let’s see. There was the five-year-old business or five-year-old privacy notice that I saw on a B2B website on a pretty sensitive company. So the kind of data they were processing was pretty sensitive. And a five-year-old privacy policy in the B2B space. So that’s not good. Remember, anyone from the outside can see that, so that’s not a really good one.
Right now I’m seeing just so many consent banners done wrong. Just the banners, the preference centers, the settings just done wrong. I’ve seen. My favorite is when someone gets a privacy notice and then they leave in the filler text. Maybe it came from the person who created it, or they went and got a generator and you can still see, fill in here or the brackets. Those are great.
And the other ones are just, when you ask a company, what is the data? Tell me about the kind of data. Where do you get it? What are your practices? And they just don’t know. That is always just a concerning sign. And this happens with large companies and with small companies.
Aaron Burnett: Sure. Absolutely.
Jodi Daniels: So not having no idea. That’s probably not a good one.
Aaron Burnett: Yeah. How about your favorite personal privacy tip? I’ve enjoyed the answers that you’ve elicited from your guests.
Jodi Daniels: For me, it’s vetting where you’re giving information first. Do you trust them? Do they really need the data they’re asking for? So if you go to the doctor’s office and they have on the piece of paper, fill in your social security number, they don’t actually need the social security number filled in on the piece of paper from the form from 25 years ago. Just don’t fill it in. But then just question.
I’ve had different organizations require me to fill things out for my kids or for my business and things like that, and just I question. I say, no, I don’t, I look at the company, I look at their privacy notice. I actually am checking it out and I don’t feel comfortable. And so you either have to then make a decision of which way you’re going to go, but I spent the time to investigate them first. So you can quickly learn a privacy notice. I know people complain they’re really long. Here’s the deal. You look at the collection section, use section and storing section, and very quickly can figure out what is actually happening. And if you can’t figure it out, it’s not well written or reach out to the company for clarity.
Aaron Burnett: That’s great. I have really appreciated your self-evident expertise and how clear you are in your communication and the energy that you bring to this field as well. It’s been great. I’ve really enjoyed the conversation. If people want to reach you, where should they find you?
Jodi Daniels: I spend a lot of time on LinkedIn. Please come find me. Jodi Daniels, Red Clover Advisors. We put a lot of content out, and Aaron, thank you for the really kind compliment. We try really hard to help take a kind of boring and complex topic and make it fun, easy to understand. Our philosophy is all about simplify privacy, and so to that vein, we have a lot of content at RedCloverAdvisors.com for free. You can go and grab whichever one makes you happy that day.
Aaron Burnett: That’s fantastic. Thank you very much. Thanks again for the conversation.
Jodi Daniels: Thank you.