Episode 32: Beyond HIPAA – Privacy-First Marketing Strategies That Win
Hosted by Aaron Burnett with Special Guest Alysa Hutnik
In this episode of The Digital Clinic, we dive into the rapidly shifting privacy enforcement landscape with Alysa Hutnik, Privacy and Information Security Practice Chair and Partner at Kelley Drye & Warren LLP. Alysa shares practical insights for navigating what she calls “a reckoning in digital privacy” – from understanding the complex web of federal and state regulations to building consent-based strategies that actually boost marketing performance instead of limiting it. This episode delivers the strategic guidance you need to transform regulatory challenges into business opportunities, moving beyond the “all-you-can-eat buffet” mentality of ad tech to build privacy-first marketing that delivers better results while ensuring full compliance.
Alysa Hutnik’s Journey of Privacy Law Specialization
Aaron Burnett: Can you describe a little bit about the work that you do around data privacy, the role that you play on behalf of your clients, and a little bit about what I think is your fascinating career history as well?
Alysa Hutnik: Oh, sure. So, I’ve been doing this now for almost 24 years, which is really just crazy. Time flies when you’re having a good time.
I’m a regulatory lawyer, which, you know, you hear privacy lawyers, and I think to the outside world, that sounds like the same thing for anybody who wears that title. And it just changes so much depending on what you focus on. So, I am based in DC. I represent clients who are investigated by government enforcers who are focusing on consumer protection law or privacy law.
So that’s the Federal Trade Commission. They initiate a lot of different types of investigations, and so I represent companies in defending against those. As well as State Attorneys General who enforce their consumer protection laws and privacy being a major focus over the last few years, that’s really taken up a big part of my docket.
So, I really enjoy doing those. We’re really making law as part of that, particularly with these new laws. How do you interpret them? And there’s a lot of both advocacy and education in that to help educate regulators who might not know the behind-the-scenes workings of how do you operationalize some of these requirements in a way that is really practical and realistic.
So, I really appreciate that aspect. The other half of my docket is working with companies to figure out how to comply with these laws, and this is really, I would say, my passion because I just get to be a total nerd and learn all different kinds of businesses and different kinds of practices and operational stakeholders across the enterprise.
Often, who each have their own business objectives, and you need to try to weave in what they need to do that works within the business fabric, but also addresses what the legal and policy issues are. So that’s the other side of what I do. The road to get here was winding, but maybe if the through line is that I just always followed what was interesting, and you get to work with a lot of really interesting people. A lot of interesting, different kinds of industries and businesses. So that’s just always appealed to me.
I’ve been at the same law firm my whole career, which I think is amazing. A dinosaur these days.
Aaron Burnett: Yeah, you don’t hear that a lot, but
Alysa Hutnik: I think part of it is I was always able to do what I’m doing, and maybe half the time they didn’t know what I was doing, which was just fine, so long as nobody tried to stop me from doing this. And the whole practice of law and digital advertising and these areas, I think, have just really opened up before our eyes.
So, it’s been and continues to be a fun ride.
Understanding Privacy Law Complexity and Structure
Aaron Burnett: Yeah, it’s a very interesting time to be doing the work that you do. Privacy regulations have become absolutely byzantine over the last few years. Can you describe the tapestry, the hierarchical structure of privacy regulations at the federal level, and then down to the state level?
And in particular, because our audience and we are focused on healthcare and med tech, the way in which privacy laws are narrowly focused and even more restrictive for healthcare and med tech.
Alysa Hutnik: Sure. So, the word on your bingo card, usually in the center, is patchwork. That is what comes up the most frequently.
And partly it’s because we’ve done it over time and often tried to address it via different sectors. So, at the federal level, the health industry was actually early on, obviously, intuitive, right? Health, medical records should be protected. And so, you have HIPAA, but HIPAA is really narrow. It was about health insurance.
And so, it only focuses on healthcare providers, health insurance companies, and a thing called clearinghouses, which doesn’t come up a whole lot. You often hear as soon as somebody says medical records or health-related records, they’re like, “It’s HIPAA.” Meanwhile, there might not be any HIPAA hook there.
So that is one narrow set of laws and regulations that go with that. Then you have what we’ll call just general broad consumer protection laws. The Federal Trade Commission enforces Section Five of the FTC Act and that is unfair and deceptive trade practice laws, and we saw over the last number of years a lot of health-related privacy enforcements on if a practice is unfair, as well as if a company has misrepresented something about their privacy practices under the deception prong. So, there are some small regulations within the mix there. But those are the big federal laws that apply.
And then we’ve had a boom time of comprehensive privacy laws enacted in a number of states. We’ve got 20 states with comprehensive privacy laws. Those regulate sensitive data in particular, and health records, medical-related records are often right under that sensitive data definition. And then maybe more in vogue over the last few years are very specific types of privacy laws, really focused on health laws or reproductive and sexual health types of data, and additional protections and restrictions around that.
And then if you layer on different types of sensitive data, let’s say teen data, you can have teen and health data or social media practices that bring in what we’ll call X factors that then could trigger possibly other laws on top of that.
Navigating Privacy Patchwork in Healthcare Marketing
Aaron Burnett: Some of the laws, particularly at a state level, are even more restrictive than anything that might apply at a federal level. And as you said, there is a patchwork. How should digital marketers in healthcare and med tech think about and reconcile this patchwork as they consider how to instrument their sites to support digital marketing while ensuring compliance?
Alysa Hutnik: So, one, I would say there are multiple stages of grief, and I think for all med health ad tech, like you just got to get through the stages of grief. There was a before time and there was an after time. And I find often we’re still working through the therapy on, “but this is, what do you mean we have to do it a very different way than I had in my budget and business plans, and revenue targets?”
And that’s just, you got to get there. And then focus on the creative ways of now what. And I think that’s really a big part of where I’m spending my time these days, because there is a path forward, but you need to really do it with very clear eyes and understand the landscape. And I’m finding that those companies that have gotten over the fifth stage of grief and are focusing on, “all right, let me just really know what the issues are, so then I can brainstorm with legal or privacy or whoever your stakeholders are to come up with what are the array of solutions we have to get there.”
And so sometimes that is a consent strategy. And what does that really mean in this context? Others are getting really creative with privacy-enhancing technologies and really thinking about where we can have aggregate types of data. And even a third bucket is the restrictions around using sensitive data to target, but there are no restrictions around using personal information to target.
So, how can we get really adept at using aggregate trends that focus on sensitive topics but come up with pretty rich personal information-based audiences? And there are ways to create some safeguards against health inferences to be really very pointed and very effective. And there’s also just contextual advertising and contextual advertising, particularly on certain publishers that may be very focused on audiences that you want to reach.
So, I think we’ve had the all-you-can-eat buffet in ad tech for quite a long time, and it was easy in many ways, and now it’s not easy, and you actually have to be better. And we have AI tools. It’s very competitive, and just because it’s competitive doesn’t mean you stop at like the short term, “I have to do what I can do to get over this next quarter.”
It really is about what’s your short-term strategy, and then what are you building for in terms of the longer-term strategy to outrun the others.
The Reality of Current Privacy Enforcement Activity
Aaron Burnett: Yeah, absolutely. We work with our clients over time to build a very robust first-party data strategy so that they can do the sorts of things that you just described in a compliant manner, along with HIPAA-compliant data solutions. Let’s jump back to the current state of enforcement. Both governmental enforcement and also litigious enforcement around these privacy regulations. Can you give us a sense for the current state of lawsuits, of demand letters, what folks are grappling with, and what the risk profile is for digital marketers in the space?
Alysa Hutnik: So it’s never been more active. That’s really the bottom line. There’s, I had one regulator explain to me there’s going to be a reckoning. And partly, it’s what do you see that is public, and what do you not see yet? Because we are dealing with a ton of non-public investigations.
So maybe starting at the outside and looking in publicly, we’ve seen so many of these private lawsuits alleging wiretap-related claims, right? But a big focus there is on sensitive health data and those facts, the allegations of you’re disclosing XYZ’s medical diagnosis or interests in looking at various medical or health-related topics. Judges have not been too empathetic for technology companies, where those are the facts. And so a lot of those cases are getting past a motion to dismiss phase and settling, so you don’t have resolutions of those cases that might stop the tide of these lawsuits and demand letters from just continuing and amping up.
And so that is a very high volume of pain points for a ton of companies. Ad tech companies, I think, are being asked to indemnify based on the kind of technology that they’re using, and it’s giving promises that you really can’t promise because it’s unknown. We’re going to have to litigate these cases until we get a true, clear answer on that front.
So that’s for now, in some ways, that’s the cost of doing business, but you can certainly mitigate what data is being shared across the ecosystem in ways that can mitigate that. So that’s, I would say the private parties, but there are hundreds of non-ending investigations by State Attorneys General, the California Privacy Protection Agency, the Federal Trade Commission, that very much focus on health, medical, wellness, and digital advertising practices.
In my investigations that I’ve been handling, ad tech is constantly the number one issue. It really is. And when you have health data, that’s the plus factor that allows them to sink in a little bit more. So, in terms of their sights on what practices, they really want to change and make an impact on the industry.
Every settlement that you hear publicly announced, there’s a narrative around that, around “here is a priority issue. Here’s what we saw that was not okay.” And certainly, you’re expected to know the law, comply with the law, but once you have a public announcement of a settlement, you’re then on willful notice on, “did you see what the announcement was? How do your practices compare to that? Did you take any steps thereafter?” And the floor of, let’s just say, fines and remedies keeps going up as a result of just this knowledge. How long has this law been out there?
Aaron Burnett: So
Alysa Hutnik: That’s a big part of it. You’ll know from the public headlines, health has been a frequent topic in these cases. Certainly, there were the FTC cases over the last five or so years. Most of those were health-related, period trackers, and health data for audiences, and the hypothetical event of providing data as a data broker so that some companies could target sensitive locations using health information. So those were very big areas of focus.
But you had even the California Attorney General’s office do the Healthline enforcement recently, and that’s a publisher putting media out there and having URL strings that showed the titles of articles that people were reading that were very health-specific. So, “you’ve been diagnosed with diabetes” type articles that were being shared programmatically. So there are not clear lines for a lot of these. I think nuance is a really important component. And then coming up with that operational strategy around how does this apply to your practice and your data, your first-party data, what are you providing access to, in what form?
There’s just, there’s a lot to be done and still be able to have a vibrant, robust business in this space. That’s, I think, the bottom line.
Implications of Enforcement Actions and Settlement Guidance
Aaron Burnett: I think I understood you to say that each time there is an announcement of an enforcement action, the announcement and the specificity in the announcement are expected to be taken on board by other players in the space. And so, the implication is, okay, you weren’t involved in that action, but you should be aware of it, and then you should be complying with what’s been clarified in that judgment, in that settlement. Correct?
Alysa Hutnik: That is correct. It’s not blessed what I’ll call business guidance. Sometimes regulators put out published business guidance. If anything, it’s more pointed because you have very specific facts that are alleged in the complaint that is made public, along with the settlement that says, “this is what the company shall do.”
I know that headlines often focus on the fine that the company paid, but honestly, the injunctive terms are just so much more impactful because they speak to, with very particular language, what does the company have to do to comply with the law going forward? And it’s not usually just a “comply with this provision of,” let’s say, the CCPA.
It talks about particular program-related changes that the company will do often as what we’ll call it mitigation, to make sure that they’re complying with the law. But that can give a lot of insights in terms of how regulators are interpreting their laws and their expectations as to what companies should be doing.
Evolution of HHS Guidance and Regulatory Landscape
Aaron Burnett: The other, I think, really big implication of what you just said is around the Healthline enforcement action. Part of the problem was URLs that were descriptive with regard to health condition treatment, that sort of thing. And I think there’s been so much confusion about the OCR guidance out of HHS and then the subsequent AHA versus HHS case.
Alysa Hutnik: Yes.
Aaron Burnett: That many people believed that the disposition in that particular case eliminated the need to be sensitive around what was called the prescribed combination, that combination of identification and URL, but that clearly is not the case. And so I’m interested in your teasing that out. And then I’m also interested in what you think is going to happen with additional HHS regulations that I think will come back over the top and say, “Okay, we didn’t do it right the first time, but we’re coming back with the same information. We’re just going to comply with the Administrative Procedures Act and get it through this time.”
Alysa Hutnik: So, one thing is everything is political. I’m in DC, and you know what, each agency is a political machine in its own way. But don’t let that be the kind of shield to think that you don’t need to do anything, just because you might say, “This is a more pro-business administration.”
So maybe just to dial it back a bit, we had this very clear HHS bulletin that was specific about ad tech data and really making sure you understood the difference between when data was PHI-regulated by HIPAA versus non-PHI. And if there was a rush to do audits on websites and make sure you understood when certain tags were firing in a, let’s say, patient logged-in state versus not, and practices were really designed around that.
But after that, and this is I think something that probably got missed by many, it was the FTC put out its own business guidance, which is now no longer on its website by the way, which really expanded beyond the PHI, the HIPAA side, and went to talk about what about just people’s health-related information just being put out there. And the FTC has what we say is broader jurisdiction, and that developed a ton of different cases. We have enforcement examples where there was discussion around anonymous IDs, even if they were hashed. That’s a data security measure, not a privacy measure. Hashed for targeted advertising combined with IP address plus, come up with your different attributes that should be looked at from a privacy perspective.
And so, the formal designation of does HIPAA apply, does it not apply, was less relevant than what information is actually getting communicated outside of a first-party context. And in what form? What purposes are those data being used for? And getting really granular around that.
So, flash forward to the present. Maybe we don’t have that anymore because we’ve got an FTC and HHS and a court ruling that really put the pause on that whole side of it. But what we have instead, I would say, is even more active because we have state AGs under state privacy laws, and we have the plaintiff’s bar under the wiretap suits.
So, the risk exposure has not diminished. You just have different players who are pushing those arguments. And so, I think from a factual matter, it still comes down to you have to have good hygiene for your advertising practices, and you really do have to put in the work to know what information is getting conveyed and in what ways.
I often find so much of the legal vulnerability, honestly, it’s the unforced errors. It’s the lack of doing that homework. The lack of an intentional strategy around those data points and having some management around your digital presence, and knowing the data that you’re fueling at a pretty granular level.
Wiretapping Laws in the Digital Context
Aaron Burnett: You touched on wiretapping, trap, and trace. That seems to me even more problematic in that those laws were created a long time ago, before digital was a thing. And so now they’re being forced into this new context in a way that doesn’t necessarily make a lot of sense and is really vague.
Can you talk a little bit about the history, and then what you’re seeing in terms of success or failure of pursuing that legal strategy?
Alysa Hutnik: It still, I think, shocks people when they get these demand letters and they’ve been lucky enough not to have received one until the present and you dust it off and you say, “wait, this wiretap law, isn’t that what was at issue in the seventies when people were trying to tap phones or maybe watch the wire?” And so, you have these images from that, but no.
You have a federal wiretap law, which does not have a private right of action. That was really enforced at the federal level in the way that we intuitively go to from a communication standpoint, but you have states, and California being one of them incorporate it and apply, and it’s applicable to the internet in those contexts. But it also has a private right of action. And so you had a plaintiff’s bar that had been, many of those lawyers had been filing lawsuits based on texting practices and calling practices, and the Supreme Court narrowed the definition of something that really hampered a lot of their ability to file those suits anymore and get some easy money.
And we saw them just migrate to this creative wiretapping concept around tools on the internet that help with tracking. Originally, it was tracking. Consent was meant to be a defense to these texting-related lawsuits, but then that really migrated to tracking generally, and because it is expensive to litigate.
After there were enough rulings that made it clear that companies face some risk of having to actually fully litigate these cases when a motion to dismiss early on is denied, you have to put in the funds to do discovery and to risk whether you might get an adverse ruling, and you might have to appeal, and you might, it’s an investment in terms of a legal journey. And so many companies settle, particularly when they get a demand letter where they have to weigh the cost of “this demand is X amount, and I never have to litigate, and they will go away, or I will litigate and pay six, seven, or more figures to really go the distance.”
And so that is encouraging to the plaintiff’s bar when they can get quick money. And that is exactly what they saw. There was, I hate to use the word methodical, but there is a pretty intentional focus. Take it by each different type of provider tracker, and you’ll just have to cut and paste complaints and demand letters focusing on one type of technology, and then moving on to the next technology, and so on.
And really, nobody was left unscathed from that. Whether you’re B2C or you’re B2B. Whether you’re the technology, the provider, or you’re the site itself using the technology, everybody has pretty much received one or many of these at this point.
The Strategy of Venue Shopping and Legal Defense Tactics
Aaron Burnett: And I’ve heard you say in other contexts that there’s a substantial amount of venue shopping as well to ensure that the cases are filed in a context in which they’re likely to not be summarily dismissed.
Alysa Hutnik: That is true. Although I will say the bulk of these cases are still being filed in California, they’re being filed throughout California. They’re being filed in the form of mass arbitration demands, single arbitration demands, state court, and federal court. They are happy to spray these cases in lots of different places to make sure that all bets are made and it’s, and so far, it’s proving to be pretty profitable.
Consent as a Legal Defense
Aaron Burnett: I’ve heard you say that consent is a defense, but I am sure there are very important qualifications. So, can you talk a little bit about that?
Alysa Hutnik: Yes. It’s a really important point because you go to a lawyer often and you say, “What’s the answer? What’s the defense? What do I need to do that resolve this entirely?”
And I really don’t like lawyer answers that say, “It depends.” So, I’m not going to say that. But what I will say is that consent is a defense to most of these claims. Consent is not defined under these laws. And so, unlike a comprehensive privacy law that defines exactly what consent is and isn’t, and how you can meet that definition in the wiretap context, you’re basing it on context and what the user experience is.
And so, everybody, I think, has seen the rise of the banner, even though no US privacy law, state privacy law requires you to have a cookie banner on your site. It is a way of right away when somebody visits your site to have extra transparency. So, there’s that. Plenty of companies do that wrong.
And so sometimes the language used on a banner can introduce more risk, or the choice mechanism that you tee up can introduce more risk if it’s confusing or potentially misleading. That could qualify as consent. If somebody is seeing language and responding to that, are there counterarguments to it? Of course, and it’s certainly the facts that matter there, but that is only a defense for the claims where consent is relevant.
There are these trap and trace pen register claims that are designed around the phone and communicating phone numbers as opposed to IP addresses, and so consent is not a defense to those claims. You’ve seen some ambivalence in some ways by the plaintiff’s bar of those claims. Come up quite a lot in the demand letters to litigate those claims. And there are some being litigated. I think at its core it’s threatening that the internet is unlawful. Just the design of the internet. And I think there’s ambivalence on who really wants to see that claim go the distance. And right now, we have them just past the motion to dismiss, but not really any real substantive rulings on that.
And that’s one where I think as a lawyer’s lawyer, we are going to nerd out over what that means, but I think from the “Don’t be the low hanging fruit.” And “Can you do enough things that make you not attractive for receiving any of those types of demands or having it be at least a very low dollar type of demand?” Yes, I think that’s doable.
Architecture of Privacy-First Data Solutions
Aaron Burnett: Do you have an ideal recipe or architecture for data collection, data storage, and data sharing for a privacy-sensitive client?
Alysa Hutnik: Everybody is a, we were talking about home renovations and how it’s always a work in progress. I think with data architecture and environments, nobody wants to do the home on display. I think everybody is working on that. I think partly it’s because you’re trying to retrofit in many ways as opposed to build from scratch, and retrofitting across different environments. There’s just, there’s a lot of work there to, you don’t know, you didn’t have a business reason to know, in some ways, at a granular level, and to be able to update instantaneously.
I am seeing a lot more tools these days that help make that be a smarter exercise and persistent. I think for so long we’ve relied on really manual. You think of privacy, and it was a GRC kind of function, and so everything was very manual. People filling out forms. Even if it was a digital form, you still have people having to analyze that, and so that’s, you can’t scale that.
And I think I am, it now is a question of whether there will be enough enterprise demand for it, but there certainly are some smarter tools that when they say data map and data organizing, data provenance, there is a way to actually do that and persist that. Like, put in the legwork upfront and then be able to have kind of an always refreshed capacity there in terms of how it’s categorized and tagging and alerting when you have certain sensitive data that’s being used outside certain purposes, so that you don’t have to really reinvent the wheel each time.
I just, that’s rare. Like you don’t see that a lot, but for all of the movement I hear among businesses around, “gosh, loss of signal. We want to have a 360 of our customers or your prospects, and we’re making all of these changes to make that happen.”
And yet, doing that without really thinking about the governance structure behind it. Like, how could you have a consent strategy when you can’t match permission in real time, or a change in that permission status, and the exemptions to that? And that means you can use it, but only for some restricted purposes.
That needs to be a very constantly refreshed environment to do that, and yet, if that data is living and orphan data and being used by different teams and in different manners, where that’s not all synced on the backend, you’ve got a problem. And I think maybe what I see as the biggest problem among businesses is everybody’s in a silo.
You have this strategy over by this team and that strategy over by that team, and maybe they need to come up with a consent strategy, but nobody’s talking across the business on what is the enterprise approach to this? What does the enterprise build over this so that you’re, I don’t even want to call them compliance solutions because really they’re enabling tools, but you need an overall approach to be able to invest and have the right architecture and not death by a thousand cuts by doing it among different teams. But I think, still in many ways, that is what’s happening.
Privacy as Competitive Advantage
Aaron Burnett: I think there also is, there’s an understandable anxiety and misperception that you can’t drive performance if you go to full compliance. And that is not our experience. It takes a lot of work to get there. But we can actually drive better performance in a privacy-first architecture. It’s just not as easy. The platforms make it super easy. It feels really easy to log in and have all this audience targeting data and tracking data, but it’s an illusion. It’s really inefficient, and so our spend is much more efficient. The outcome is the right outcome and is much more valuable. We’re not using third-party data, and we’re not sharing with third-party platforms.
Alysa Hutnik: You have a high confidence of what you can do with that data. So, you don’t have this delay in, “can we get the right permissions? What can we do? What’s the notice, what’s the diligence?” You’ve already done that upfront, and so what I find is companies that have done that, you’ve unlocked those restrictions that usually at least either create risk or create barriers from doing use case A, but not B or C. There’s so much nuance in that.
Being smart about it upfront, I think you do open up a whole lot. It’s the word compliance. You hear compliance, and it’s just this Debbie Downer that businesses do not want to hear, that, as opposed to it’s…
Aaron Burnett: immediately translated to no.
Alysa Hutnik: No. Legal, yeah, privacy. Like there, there is certainly a feeling that I think gets in the way of progress here, and maybe we just need to call it something else. But really, it’s about, I think it’s data enablement, and what are the tools that help you enable data, and that’s both information, knowing what you can do so that you configure and you design and you invest in the right tools. But once you do that, like you’re on the fast pass to really do the kinds of just exciting business initiatives that really can get you far.
And that’s the competitive difference.
The Future of Privacy Regulations Across All Industries
Aaron Burnett: Yeah, that’s certainly our experience. All right, some of the most restrictive privacy regulations apply to healthcare and med tech, but there are privacy regulations more broadly for all aspects of ad tech and the internet as a whole. Our thesis is that the more restrictive environment that’s applied to healthcare and med tech is coming for everybody eventually, and the eventual is in a fairly short period of time. What’s your perspective on that? What do you think the privacy landscape will be in three years, five years, and 10 years?
Alysa Hutnik: I think we’re very quickly moving to a consent at a minimum, a consent requirement for sensitive data. And so, a strategy of “let’s take out these states, but we’re fine in these other states that don’t yet have these laws.” That is not a long-term strategy. I think there’s just not a whole lot of mileage there.
I had mentioned earlier on that the trend, right? We have different trends with new laws, and the trend now is focusing on very specific data. And the very specific data is health data. And I don’t see that going away. I think you just zoom out and think about popular culture and our aging population, and our needs. We’re very interested as a population in our wellness and want to live longer, and our health stats and our data points. All of that comes, there’s a movement to direct-to-consumer so that you’re not reliant on a carrier to be able to get you all that information that you have on your phone, and you can access, and you’re empowered to do so many things.
And so, with that just societal movement, to be empowered with your information and to be able to have the data to make your own decisions and work with companies that you want to work with to help address some of those issues, priorities. That means health data is just even more pervasive across different touchpoints, across different technologies, which means legislators are going to be more concerned, and there’s going to be more litigation because, go fast, break a whole lot of things on the way.
If you’re going fast and breaking things with the most sensitive data, you’re putting everything on the line in a way that’s very foreseeable to blow up, and we’re going to have examples of those. And the problem, unfortunately, is that it makes it worse for everybody else, because then you would tend to have new laws enacted that go even further, that get into bans or just outright prohibitions.
And then those are going to get litigated, and we’re going to have to figure out where that nets out. So, you can’t be building your business in response to every new law. You really have to have visibility into what is around the corner, so I have a more durable strategy and can build on top of that.
And I think that trend line is really clear. These laws are just getting tighter and more restrictive, and expect a lot more from you to be able to use that data with a very clear value proposition to the consumer, so that they want to provide you with the kind of consent that you need to unlock those data use cases.
Aaron Burnett: And I think the more that you architect and begin to operationalize privacy-first marketing practices, the more you’re taking control of your own destiny and the less beholden you are to third-party platforms and the whims of their policy changes or the things that they’re going to do to conform your behavior and your investments to what’s best for their business model but not yours.
So, it’s advantageous for all sorts of reasons. I also think a couple of things are likely to happen. I think that we will have one or more catalyzing bad events, likely involving AI and disclosure of health data, and that the reaction to the catalyzing event will be very restrictive, as you said.
I also think that I hope that attention to privacy and true care will become an important brand signal rather than something that you have to do because it’s a cost of doing business. Like you, I think privacy regulations are coming for everyone, and it’s better to be proactive and maybe hew toward the more restrictive regulations now so that you’re ahead and you have that competitive advantage.
Alysa Hutnik: I agree with that. I think if I put on my cynical lens, there’s a lot of froth right now. It’s not really apparent that there is a real business at risk type of legal exposure. And so, when you look around, you’re like, “everyone’s doing it right now, so that’s a tomorrow problem for me, not a today problem.”
And today I’m going to get as much revenue as I can out of the very loosey-goosey practices. And we’re just, we’re coming up to that line. That line is really close, and then what? And then you just hop to another job, hop to another company that did invest. Like I just, this is coming. And I think the denial that might have worked a year ago, but I just don’t see it now, based on the actual legal kind of brick wall that I am seeing in the way of enforcement and types of really tough legal exposure for some companies that don’t have a long-term plan.
I’m a lawyer, and I’m usually talking to legal audiences, so I just really appreciate this experience. But when I do these talks, it’s usually privacy lawyers in the room, but not business folks. And I think the gap in reality, just understanding and information by CMOs and business boards on really understanding where the landscape has shifted. Like the conversation really needs to be taken to very different audiences so that it can be part of the business strategy, and you’re, I’m always happy to be the stakeholder, but I think like the business stakeholder really needs to embrace and understand these to be able to build a strategy on top of it.
Building Cross-Functional Privacy Strategy and Education
Aaron Burnett: Yeah. I absolutely agree, and our experience is that it actually takes a lot of conversations and quite a long time. One of the things that we do for our clients is to design HIPAA-compliant data solutions. So, everything from the moment of capture and first-party data strategy and storage, and then control of data sharing down to a single data attribute.
And we probably spend 75% of our project time on meetings with marketing and executives and compliance and IT legal, just talking through how everything works repeatedly, and understanding data flows and understanding why this is important and how the data is going to work or not work afterward.
It’s all change management and education, and then the actual technical work is really important. But it’s the final 20 or 25%.
Alysa Hutnik: I couldn’t agree more. I think those conversations have just changed. I think we’re so used to using HIPAA words that’s all we have to talk about. And now that is absolutely not everything we need to talk about. So, bringing in kind of the newer vocabulary and the newer subjects in those conversations. Yeah. More of those need to happen. Agreed.
Aaron Burnett: Thank you for the conversation. I’ve really enjoyed it. It’s a lot of fun. Yeah. Same here.
Alysa Hutnik: Good questions.
Aaron Burnett: Yeah.