Hilco Global Cyber Advisors and Offit Kurman: The Privacy Squeeze: What Middle-Market Companies Need to Know Now

By Robert Olsen & Aidan Morrissey, CIPP/US
Home / Perspectives / Hilco Global Cyber Advisors and Offit Kurman: The Privacy Squeeze: What Middle-Market Companies N...
Offit Kurman x Hilco Global Follow Up color (1)

Privacy regulations are evolving quickly, and organizations can no longer rely on California-only compliance strategies. In this session, you’ll get an overview of the latest state privacy laws, emerging risks around AI and online tracking technologies, and practical steps for building a scalable privacy program that supports growth and reduces compliance burden.

 

Transcript

Bob Olsen – 00:10

We will get started in one minute, for those that just joined. All right, let’s go ahead and jump in. Good morning, and welcome, everyone. Thanks for joining us today. My name is Bob Olson. I’m a managing director at Hilco Global, and I’m joined by a colleague from Hilco, Aidan Morrissey, who is a director within the cyber practice. I’m also joined by, two principal attorneys from Offit Kerman, Ed Tolchen and Stephanie Young.

Just a little bit about Hilco Cyber, and I’ll determine Hilco Cyber, we empower businesses to thrive in today’s digital economy by delivering expert cybersecurity and data protection advisory services. Our team helps companies strengthen security, drive resilience, and unlock growth. in an increasingly, which you’ll hear more about today, complex risk environment. Offit Kerman is a full-service law firm with a dedicated privacy and data privacy practice serving businesses not only across the Mid-Atlantic, but also nationally.

Welcome, and thank you to my fellow panelists for joining us this morning.

Today, we’re going to have a candid conversation about something that is quietly becoming, I think, one of the most significant operational and legal risks, particularly for middle market companies, and that is data privacy. Not the abstract kind that you read about in tech news, but really the kind that is showing up in enforcement actions, which we’ll go into a little bit deeper, lawsuits, and even more recently, M&A due diligence right now. And these are for companies exactly like the ones that have joined us in our audience today.

So, as we go through it, we’ve got about a dozen slides. I encourage everyone that’s on to ask any questions in the chat. As we go through it, if it makes sense to try and answer it, you know, while we’re in the middle of the presentation, then we will incorporate that.

If it makes more sense to hold it at the end, and we will have a dedicated period at the end of Q&A, then we’ll do that, so…

Unless there’s any questions at this point, we’ll just kind of jump right in and get into the meat of the presentation.

Alright, slide 4, please. Actually, let’s just go through the first couple slides.

There’s our… So you’ll see… well, we’ll pause on the agenda for a second. You’ll see we’re going to cover a range of topics, not only kind of an update on…what’s going on in the state and federal regulatory landscape, but also there have been some civil claims that we’ll go into a little bit deeper. And then ultimately, what, you know, what should you be doing to kind of really build out a program or mature your program to make sure that you’re not in, you know, in the crosshairs, so to speak, so…With that, we will jump in. Next, please.

All right, so, before we get into the specifics of the law, I think it’s important to set the stage with a few numbers, that I think will… will really reframe probably how you think about this issue, unless you are watching this issue very, very closely. So take a look at what’s on this slide. Give everybody a second. Next slide, please. Or no, I’m sorry, previous slide. Previous. There we go. Okay. So… Actually, now I’ll give everybody a little bit of a second. A little bit to read. So, some things I want to point out, you know, you may or may not realize that 35 states, you know, have active or pending comprehensive privacy laws. One of the things that might be the most surprising to you is that in 2025 alone. There were 3.4 billion, with a B, fines, nearly double from the year before, and we’ll see that on the next slide. And only 12% of the organizations describe their governance as mature and proactive. And that gap between the scale of the problem and the readiness of the companies to address it, that’s really that squeeze that we were talking about a second ago. So I’m gonna pivot, and ask some questions. Again, feel free to put some questions in the chat. But Ed and Stephanie, I’m gonna have you kick it off. From where you sit as legal practitioners in this space, do these numbers surprise you, or do they actually understate maybe the problem that, you know, even though they are kind of shocking? Ed, maybe we’ll start with you, and then Stephanie.

Ed Tolchin – 04:57

Okay, from my point of view, these numbers probably understate the issue. I’m not sure what… how old these numbers are. So it says total 2025 U.S. state privacy fines, but I suspect that this is not all 2025. I suspect that if you actually looked at these numbers, it would be higher for the full year of 2025. I just don’t think the numbers have been gathered to make them exact. And the reason why I say that is because I think that the number of Claims, challenges, both, private, private attorney general type, type claims, and claims by state authorities are just…skyrocketing. I see them all the time. I see them, I wouldn’t say every day, but certainly every month, every week. And these are going to… if it was $3.4 billion last year, and that’s a really solid number, then I expect this year it’s going to be significantly, significantly more. And the other thing that I… find, that may be somewhat understated, is, or overstated, maybe, is the correct word, is the percentage of organizations that describe existing governance committees as mature and proactive. I think the description is self-described, is, I think it should say, self-described. I’m not sure that it’s that high. I think that in the middle market, especially. you would probably find a significantly smaller number, and that’s where all the lawsuits are aimed at right now. You know, sometimes Google gets sued, but more often, John Doe Inc. gets sued, and that’s where the reliability lies, because that’s where the soft… that’s where the soft underbelly of these issues are.

Bob Olsen – 06:51

Stephanie.

Stephenie Yeung – 06:52

And I… I certainly agree with Ed’s assessment, you know, the… the, the growth of the…privacy fines deprived me because, you know, state regulators have been rattling their sabers for a long time and really dedicating, efforts to enforcement. And, you know, it… and…in my experience, you know, organizations do sort of rate them… tend to rate themselves higher on the maturity level, than… than maybe what, in reality, they’re prepared to do. You know, after all, businesses are focused on their business, you know, and unfortunately, a lot of folks are still looking at privacy compliance as sort of some paper check off.

Bob Olsen – 07:42

Yep, just kind of a compliance effort. Aidan, when we talk about the, you know, kind of the… something I hear, you know, we have enough data to be a target, but not enough infrastructure to respond, kind of dynamic. Is that really what’s driving enforcement toward middle market companies, or is it… is there something else that’s going on?

Aidan Morrissey – 08:00

So I think it’s actually both, right? And they reinforce each other, and we look at, you know, starting from growth, going to middle market. These companies have accumulated probably way more data than they probably thought that they had, and we’ll get into that later with data inventory and…being able to kind of actually understand that data, but we’ve come into a technology landscape where these infrastructures, especially for middle market companies, have become, you know, a myriad of different SaaS tools. And so, you know, you think about tools like, you know, HubSpot, Salesforce.

There’s so much data that’s been accumulated, you know, in these SaaS tools that’s probably not as completely, you know, understood. And we’re now at a place where, you know, with these types of platforms. You know, we’re collecting and sharing personal data at a scale that probably would have been completely unimaginable, you know, even 10 years ago. And I think, you know, on the infrastructure side is the other half of the problem, as I was saying, right? These… these large

you know, enterprises, they build privacy programs, they have dedicated legal IT teams, compliance functions, and even just, you know, the overall bandwidth to do it. But middle market companies typically don’t, and I think, you know, even I kind of got to this, and saying that 12% is probably self, you know, self-proclaimed is…they really don’t have the ability to do it, and it usually doesn’t get any ownership, right? Privacy, data governance, it’s just kind of spread out, it’s…piecemealed together, you know, and they don’t really have the operational muscle to manage it in general. And I think that this is kind of a very meaningful potential liability, and gives a very limited ability to defend against it quickly, but defend against it overall.

Bob Olsen – 09:56

Thanks. Let’s go to slide 5. I already touched on the numbers, but just so people can kind of see the… the big jump. And the scale does look a little off, and yes, those percent increases are correct. The scale looks a little off, because in 2023, and to Ed’s point earlier, probably underreported, even though, or maybe it wasn’t just, you know, captured properly, you know, we’re looking at about $1.2 million in fines. And then that jumps you know, by a crazy percent in 2024, and then in, you know, still a crazy percent, 2025, and to Ed’s point, and Stephanie’s, that, you know, 2026 is probably going to continue that trajectory. So, kind of eye-opening when we think about, sort of, the explosion in fines.

Next slide, please.

All right, so now we’re going to kind of shift to talking about the evolving, you know, state law landscape, which is, you know, pretty rapidly continues to move. And so let’s talk about why California compliance is no longer your safety net.

Five years ago, you know, if you had a California compliant program… compliant privacy program, you were really ahead of the curve. And, you know, that was sort of the high-water mark. That really just does not seem to be the case anymore, you know, as other states have kind of continued to raise that… that bar.

I’ll start with Stephanie. You know, so Texas has no threshold at all, you know, no size exemption, no revenue floor. Can you explain what that actually means, practically, for a, let’s say, a $50 million industrial distributor that has customers in Texas?

Stephenie Yeung – 11:32

Sure, so the Texas Act went into effect almost 2 years ago, and at that point, it was this new model of where essentially all entities that do business in Texas, or produce a good and service. That Texans consume, have to comply. Even, you know, small businesses, as defined by the Small Business Administration, have to comply with a subset of rules, So, and there’s, you know, so far, only one other state that has followed this very broad model.For a $50 million industrial distributor with customers in Texas, they really need to look at who their customers are. You know, most industrial distributors are a B2B business, but some, you know, may have a separate B2C stream that they… that sells directly to individuals. You know, this split is important because the Texas law’s definition of a consumer excludes those that are acting in a commercial or employment context, so the personal data, of that distributor that’s collected in the… on the B2B side, would not be in scope.

But if there is a separate B2C stream, the personal data of those techs and consumers would be in scope, and the business will have to comply with the Texas Act. Oh And because…Texas also requires companies that are in scope to require their service providers and any contractors to comply with the law. Companies should check and pay attention to any customer contracts that may pass that burden on to them. Other than that, the Texas Act’s requirements resemble many of the other state comprehensive privacy laws that we see, such as the requirements to have a publicly facing privacy policy that accurately describes the company’s data handling processes, provide certain consumer rights, and have written agreements with vendors and service providers that address how personal data is to be processed and used. The company will also need to practice data minimization, you know, these include, sort of, purpose limitation, only collecting what is strictly necessary, and imposed time limits, so meaningful, data retention policy, needs to be enforced.

The company also will need to conduct data protection assessments for processing with a heightened risk of harm. And some of the triggering processing activities are certainly the sale of personal data. Targeted advertising, you know, processing of sensitive personal data, health data, precise geolocation data, biometric data. Race and ethnicity, religion data, immigrations, or minors data automated process that results in a significant decision, adoption of new technologies to process data. You know, if a company is engaging in these activities, a data protection assessment will need to be conducted. So, if you have Texas customers, knowing your data and what the company’s doing with that data is very important.

Bob Olsen – 14:52

Yeah, a lot to consider. Ed, I know…you know, having worked with you, I know you work with a lot of, you know, growing companies, not that all companies aren’t growing, but, you know, you have a number of clients who are entering new states, you know, maybe doing a deal, or multiple deals adding new technology, you know, AI comes to mind. At what point does the, you know, that multi-state compliance problem actually show up on your radar? Like, when do you see organizations start to think about that?

Ed Tolchin – 15:22

Kind of interesting. So, I see it…invariably, when the first issue comes up, that’s when they come running to the lawyer, saying, holy cow, I’ve been contacted by another lawyer, and that lawyer is claiming that he’s going to sue me, for A, B, and C. That’s normally when it comes up on my radar. When it should come up because it’s a lot less expensive if it comes up earlier, where it should come up, as soon as the company decides that it’s going to expand, especially if it’s going to be B2C, if it’s going to expand outside of its little local jurisdiction, it ought to be coming to the lawyer and the technology folks before it starts that expansion. I always tell people. You could pay me a dollar now, to avoid a problem, or you could pay me $1,000 after the problem arises. You may be saving that dollar today, but you’re going to be spending a lot more money next week and next month if you didn’t pay that dollar up front.

Bob Olsen – 16:27

Yeah, it’s kind of like, it’s become like a, you know, in the cybersecurity world, from a breach perspective, it’s sort of a when, not if. So I think, to your point, you know…

Ed Tolchin – 16:36

Correct. It is a win, not if, especially if you’re moving into states that have a high level of litigation. California comes to mind, although California, you know, may or may no longer be the gold standard in the United States. It’s pretty close, but the thing that makes California, in my mind, unique is the number of plaintiffs’ attorneys out there. Who are looking to bring class actions, and the… and the state statutes that allow these sorts of Private Attorney General, litigations to… to roll themselves out. It’s… it’s un… it’s… it’s very… it’s very unsettling for any business trying to grow now. Where their liability could arise suddenly.

Bob Olsen – 17:24

Yeah, that makes sense. Aidan, I’ll shift to you for a second. So, so in these thresholds, there’s kind of a nuance, I think not only catches a lot of heart, but probably isn’t even, quite frankly, on their radar. Can you talk a little bit about the tracking technology triggers in some of these?

Aidan Morrissey – 17:42

Yeah, can we move on to the next slide really quick? Because it, you know, it goes hand-in-hand here, so…so, taking a look, and I’ll give everyone, you know, kind of a second to take a look at this applicability threshold, because it gets a little bit more into it here.

But I think that that question is, at least for me, in the work, you know, that I’m doing, and, you know, Ed touched on it just a little bit in what he last said, is…you know, we have these civil litigations, you know, we’ve opened the door for a lot of these regulators and AGs, and not only is it just, you might have one AG coming at you, and again, we’ll get into this a little bit later, and I think Ed will touch on it, is it’s not just one AG, it’s not just, you know, one state, right? We’re seeing basically, you know, regulators kind of ganging up on single companies, coming together from different locations, different states, right, different regulatory authorities, and coming down onto one single company. And it’s the exact same thing that we see going on, you know, in the civil landscape with tracking technologies and things like that, is we’re seeing things getting filed, you know, under federal wiretap that’s also claiming jurisdiction in places like California and Florida. But obviously hitting, you know, on the state law most, you know, with this slide, is with these growth to middle market companies, they’ll probably kind of get hung up on this original number where, you know, they’re not consulting outside counsel like Ed or Stephanie, and they’re taking a look and saying, oh, well, we don’t have 100,000 consumers, you know, that were, you know, whatever touching or anything like that, they might even have in their privacy policies, oh, well, we don’t sell or share data, but then you go and you see cookies, and you see, things like that, and they don’t understand, right? Because originally, we take a look at the, and I guess understand the CCPA of, you know, the original selling of data, and it probably had a much more narrow scope to it. But from a technical standpoint, you know, when they changed the language with the CPRA of saying that now we have this seller share.

Now we see that you’re using cookies, you’re using Google Analytics, maybe the Facebook Pixel, all of these, you know, typical cookies. Your threshold is now, in a lot of these, significantly dropping right? So you are selling or sharing data, right? You can’t have in your privacy policy that you don’t sell or share data, and then somebody goes onto your website with, you know, a ton of these extensions, or however that makes it super easy for the consumer and the regulators to see that that’s what you’re doing, and say that you’re either not applicable or that you’re not selling or sharing data. Because, you know, you are, right? And that now brings you, you know, into, right, we look at Colorado, Indiana, even, right, Connecticut, pretty much all of them, right? It’s dropping to such a lower number once you’re selling or sharing, you know, the data and it pretty much happens every single time, right?  This sharing data is happening every single time that somebody visits your website.

In the way that these regulators, you know, tend to look at these things in terms of fines is not just you know, the amount of technologies you have on the website, it’s the amount of visitors that have come to your website and that number obviously gets astronomical, right? You look at even maybe your internal analytics, your Google Analytics, you’re seeing hundreds of thousands, if not, you know, maybe a million users almost every single day. And every single time that those tracking technologies fire, right, is counting as one instance of that sharing of data. And again, right, so I think a mid-market company with even a modest website, right, that has a few standard marketing tools. It may already be sharing, you know, tens of thousands across multiple states every month, maybe even every day, right, without a single person, probably in the company, right, knowing it’s happening, having assessed whether it’s compliant, And so I think the threshold question isn’t just about, right, maybe how many customers are in your CRM, it’s what’s running on the website, right? In most of these growth middle market, and even as you get higher than that, these companies aren’t operationalized, and they generally don’t know the full answer to it.

You know, and I would love to, you know, for Ed and Stephanie to maybe add a preliminary kind of introduction from a legal perspective on this question. I know we’re gonna get into it a little bit later, but, You know, just in the nuance of the thresholds, especially with tracking technologies, would love to get your commentary on that.

Ed Tolchin – 22:43

Stephanie, do you want to take that?

Stephenie Yeung – 22:46

Sure, you know, I think it highlights the problem of sort of the segmentation in some of our clients about, you know, who is really looking at things and understanding what is actually happening. Because the tracking technologies that are…deployed, you know, that decision, you know, may not reach legal, or may not reach, you know, IT even, necessarily. It might be a marketing choice. And not, you know, not… not sharing that information has significant, implications because of the drop in, in the threshold. You know, I certainly have seen indications where, you know, the client will say, well, you know, I don’t have those numbers, in my CRM. But, you know, you are using, you know, the MetaPixel, you’re using Google Analytics, and, you know, we have to step through that to really understand what the compliance landscape is.

Aidan Morrissey – 23:52

Thank you.

Bob Olsen – 23:53

Ed, do you want to add anything, or…

Ed Tolchin – 23:55

No, I would… Well, I would… I would add one thing, quite often, what I’ve seen is that mid-market companies don’t really understand what their technology is doing. They know they have a website. But I can tell you that most, middle market companies don’t understand what their website is collecting, who’s looking at it, or even where the data is. So, what happens more often than not is that they’re surprised when something, when a claim comes up saying, well, we don’t do that well. Let’s look, as Stephanie said, look at the analytics. they don’t understand those analytics are there for everybody, ultimately, to see, so they better be familiar with it up front. They better be… they better know what’s there.

Bob Olsen – 24:47

Yep.

Alright, so why don’t we jump into some of the, enforcement actions, just as a representative of some of the things that we talked about. Yeah, so…you know, we’ll look a little bit at, you know, what happens when companies get this wrong. You know, obviously, based on, you know, what Ed and Stephanie and Aidan have shared, this is a pretty complex, you know, sort of problem for particularly, you know, middle market firms to…to solve for. You know, and I want to emphasize that, you know, the names that are up here, these are not, you know, bad actors. These are, you know, very recognizable brand name companies that you know, things fell through the crack, they made operational mistakes, and, you know, as a result of that. You know, unfortunately for them, there were, you know, both state and or federal, you know, enforcement actions that were taken.

So, Stephanie, maybe start with you. You know, looking at some of the enforcement examples on this slide, we’ve got Sephora, DoorDash, Sling TV, what’s the common thread you see in why these companies, you know, wound up here on this list?

Stephenie Yeung – 25:49

So, you know, the overall theme is that these companies all failed to do something that ended up taking away from consumer rights, right? That, at the core, they are engaged in sales data, without adequately notifying consumers or honoring opt-out rights. And, you know, failing to disclose how consumer personal information is disclosed and shared means that consumers can’t make meaningful choices about their privacy. Another theme is the regulators are really focused on effective, frictionless opt-out mechanisms. You know, that is a…big area looking at. And… and the progression, I think, shows that enforcement has really evolved from privacy policy compliance, you know, checking off, paper requirements to really, having the… or the regulators are really interested in looking into the back end, the operational accountability, and the user experience. To see, you know, whether signals are processed, whether data source data stops flowing when the consumer elects to opt out. How easy that opt-out process is, whether they’re meaningful, vendor controls.

Bob Olsen – 27:10

So, Aidan, when we’re looking at, you know, when you’re looking at a company in the context of a deal. And you find enforcement exposure, you know, like what’s kind of called out on the slide, you know, how does that change the conversation with, you know, potential buyers, lenders, you know, acquirers?

Aidan Morrissey – 27:27

Yeah, well, it changes it significantly. I think that, right, that’s kind of the main answer here. And I think when you look at these numbers, probably, you know, in isolation, you know. 300 and, you know, $375,000 for… was that DoorDash, or, you know, $530,000 for Sling TV. It might look manageable, right? But when we think about, you know, a mid-market company, right. they’re serious, right? But they’re probably survivable. But the problem is that by the time we’re looking at a company, you know, in a transaction context, we find unresolved enforcement exposure, these structural compliance gaps. The conversation with buyers shift from valuation to risk allocation, right? Even beyond this, I’ve personally seen it, right, in certain engagements where you know, the buyers want to come in, and even in the last few years, probably some of the main questions are what does the privacy look like? You know, what exactly is going on? Have you, you know, consulted with either, you know, technical consultants or, you know, outside counsel or things like that. And the answer is probably something that… or I guess, rather, the question is probably something that you know, on the sell side, they probably weren’t expecting. I’ve seen it go through where, you know, the company’s looking to buy, they say everything is okay, you know, the cookies are okay, we promise everything is okay, and then, you know, maybe the purchase goes through, it comes a little, you know, maybe a few months later, they take control of things, even just maybe the website. And then they start to find tracking technologies or other things, and this becomes, you know, a major issue, right, in terms of, you know, the deal going through and them not having the understanding or the disclosures, but they weren’t questions that, you know, the seller was really prepared to answer. And I think the buyers, right, they want representations and warranties around privacy compliance. They want to know, right, whether the company, you know, has received any regulatory inquiries, whether there’s any open litigation matters, whether the data processing agreements with vendors are actually in place. You know, when those answers are unclear or incomplete, it really creates, you know, deal friction that I haven’t seen, you know, in the technology space as much as I have, you know, in the last, you know, few years. I mean, we’ve seen, you know, escrow holdbacks, price adjustments, people even sometimes just completely walking away from deals. You know, and the company’s gotta get the house in order. And when I tell companies, too, that the cost of remediating these issues before a transaction is a fraction of the cost of them, right, having to surface during diligence. In a $50,000, right, investment in getting your privacy infrastructure right today, you know, or not, rather, right, can easily prevent even, like, a $500,000 deal adjustment, or, you know, a 6 months delay in closing, you know, or things like that, right? And it’s, again, just becoming a large problem.

Bob Olsen – 30:45

Okay, thanks. So one of the kind of more striking violations on the slide, I think, is the GoodRx case, which really is just, you know, essentially a tracking pixel that marketing installed. Ed, how often are you seeing that kind of disconnect between what the, you know, what the legal team thinks is happening, and what the marketing and or IT team is actually doing? Is that something you see often?

Ed Tolchin – 31:11

You know, often enough. Lawyers love to tell war stories, so I’m gonna reference a real a ROAC matter that came into my office a few months ago. It was a European company that had, that had a website, and the website was, was doing what websites do, attracting people. People would come into the website, and this was a European company, remember? So, they had developed this website to comply with GDPR, the European model for data privacy. And GDPR is a really strict model, and generally, if you’re complying with GDPR, you’re probably…you’re probably doing pretty well in the United States, and there may be some tweaks you have to do, but it’s probably really a good model to follow. So they had developed this to comply with GDPR, they were now showing their website in the United States and attracting consumers in the United States. The problem was is that they didn’t realize that their technology company that had developed the website a geo… a geolocational tool into the website. So, because they were complying with GDPR, the technology company put this geo tool in that said anytime somebody from York hits our website the following requirements kick in, and you have to have certain opt-outs and certain clear, you know, things that… splash screens that come up saying, if you want to go further, you have to please acknowledge that you accept a… whatever it was. But because they had that geolocation tool… geolocation module in their technology. They didn’t realize that if somebody hid it from the United States, none of the opt-out tools popped up. So, what was happening is that in the United States, if you hit it, you just went… the U.S. consumer’s data was being collected. And it was being transferred to somebody else who was then creating an advertising, type, type item, to… with that consumer… with that consumer’s data, which…clearly violated, several different state laws. In this case, it was… happened to be California. But the client says, but we have this opt-out tool, so I go onto the website, and I clicked on it, and I said, it doesn’t work here. He said, it’s got to work here. There’s something wrong with your… there’s something wrong with your… with your computer, something wrong with your technology. So we checked out, and sure enough, that’s how they found this geolocational tool, this geolocational module that was put into there. They had no idea it was there.

So when they… they thought that they were being compliant 100% with everything, because they were GDPR compliant, they figured that they were maybe not 100%, but 95% compliant, they were 0% compliant, because they just didn’t understand how the technology was designed in their own system. It was fixed immediately, but it exposed them to claims here in the United States, because they didn’t understand the system that they had put in.

Aidan Morrissey – 34:48

From, like, a technological, you know, disconnect is occurring that leads to kind of what I just described in some of the examples on the screen.

Ed Tolchin – 34:59

Right, so, if you… if you look at the GoodRx, GoodRx case, it was the unauthorized sharing of users’ prescription and health tracking data, because there was no opt-out that was given to those… to those people who were hitting… who were using the platform. In this case, it was identical. There was no opt-out that was given to the consumers that were coming into their platform. Although GoodRx is a little bit different because it was health tracking, it was health-related data, which in some… some jurisdictions actually is not…regulated the same way. Some jurisdictions, it’s more heavily regulated, some jurisdictions, it’s actually less heavily regulated. It just… it just depends, but in this case, it was real consumer data, and these people started getting, started getting advertisements, essentially, from other companies after they hit my client’s website.

Bob Olsen – 35:54

Stephanie, is there, you know, for anybody that’s on today, is there… is there a grace period? You know, or is that window kind of passed for… for this?

Stephenie Yeung – 36:02

I… yeah, I think the window has kind of closed on… on the grace period. You know, historically. When state comprehensive privacy laws started to be rolled out, there was, you know, an effective date and then a delayed enforcement date. With more recent state laws, that pattern hasn’t held, and the effective date is the enforcement date and while some state privacy laws still have cure periods, a lot of them are being sunset. You know, recent examples include Delaware and Oregon have both sunset their cue periods, and other states never had a cure period at all. The trend is definitely leaning heavily towards immediate enforcement. And practically speaking, you know, even in a state that has a cure period, it’s hard to… you know, there are a lot of compliance burdens. It’s hard to put all of that in place in 30 or 60 days.

Aidan Morrissey – 37:01

Alright, why don’t we jump on, we’ll keep moving along. Why don’t we jump to slide 9, please?

So we’ll talk about, you know, and this is, I think, you know, in the grand scheme of things, a bit of a relatively new event to a degree, at least the volume, and that’s really around the civil claims kind of wave that’s upon us. So, you know, enforcement actions from regulators, which we’ve talked a lot about, that’s one thing. But really what we are collectively seeing increasingly is that you don’t have to wait for that regulator to, you know, maybe come knocking. Private plaintiffs, class action attorneys, they are doing the work themselves to be kind of take a look at some of the case counts that are on here, and this is just, I think, just really a snapshot. It’s kind of, you know, probably surprising to most folks.

Stephanie, if we, you know, if we look at, you know, California alone, there’s 3,100, you know, SIPA cases. Can you help us understand the anatomy of, like, one of these cases? Who’s filing it? What triggers? You know, how fast does it escalate? What does that look like?

Stephenie Yeung – 38:01

Sure, sure. So CIPA, the California Invasion of Privacy Act, a bit of background, it was enacted in 1967, well before the internet, and the goal was to protect the rights of Californians from having their private communications eavesdropped upon. The Act bans wiretapping, recording private communications, and the use of pen registers and trap and trace devices without a court order. In the recent

SEPA litigation, what we see are plaintiffs asserting that website tracking technologies, cookies, third-party pixels, software development kits, analytic

software, they are…are functionally equivalent to trap and Trace devices, because it’s collecting private communication. Now it could…you know, the allegation could involve personal information, you know, what sort of California identifies as identifiers, or even website events like page view or navigation data. And the broad right of action and statutory damages allowable under the statute and possibility of class-based claims make this a really attractive litigation for plaintiff’s barred to engage in. And, you know, we see the number of 31, 35 cases being filed. I…suspect, and, and it’s a very reasonable, anticipation that, that many, many more cases are not filed, and being settled pre-len.

You know, a common scenario that is that, a company will get a demand letter alleging that the plaintiff has visited their website and that the tracking technologies have captured, and collected their, you know, information or navigational information, and if the company doesn’t respond, then a complaint will soon follow. This gets escalated pretty quickly because, the complaints tend to be rather cookie-cutter, and…you know, and the majority of cases,are settled rather quickly. There’s a lot of motivation on the defendant’s part because of the specter of class litigation.

If, you know, what we’re seeing is if the defendant does choose to litigate, the trend seems to be that most cases don’t go much beyond the motion to dismiss stage.If the defendant’s motion to dismiss is successful, courts will usually grant leave to amend the complaint. And, you know, some places don’t, but a lot of them do. If the plaintiff prevails at the motion to dismiss stage, then the defendant is really motive to settle after that and in part because these cases do get settled so quickly, we’re not getting the appellate courts finally deciding whether these tracking technologies are, in fact, pen registers or trap and chase devices. So, that’s the general trend.

Bob Olsen – 41:13

Thank you. Aiden, you know, earlier you mentioned that tracking technology is often installed by marketing, you know, without, you know, potentially any kind of legal review. But even when, you know, even when companies know they need, you know, consent mechanisms, why are we still seeing some of this end up in litigation?

Aidan Morrissey – 41:31

So, I think it’s… it’s a lack of two different infrastructures, right? It’s a lack of a, you know technology infrastructure, and then it’s a lack of cross, you know, maybe organizational infrastructures, I would say, right? Marketing, legal, technology, right? There needs to be an established concrete structure for, you know, the way that technologies are added, the way that these things are, are being handled and managed, right?

You know, ideally having playbooks, having, you know, assessments for when these tools get added, having approval processes and then the separate side is the technology infrastructure, which is definitely harder for growth to middle market companies, because a lot of these, you know, these tools that you can use are quite expensive, right? And then when it comes down to the question of risk management and risk trade-off you’re kind of sitting there saying, well, I’m going to spend maybe $100,000 a year on this tool, maybe just for consent purposes, and that’s probably really hard to reconcile when maybe you’re only getting a few demand letters here and there, but really, those things are building up into what could become a class action later, but…you know, even so, right, because a cookie banner’s not a consent management platform, right? The distinction is probably where most companies fall short, right? It comes to a WordPress site, you know, or a Shopify site, or something like that, and they include these cookie banners that you can use, and so you think just throwing it up there, it’s, you know, it’s probably gonna work, and we could be hands-off, and we don’t really have to think about it, you know, we have a banner that pops up, says we use cookies, but, you know, even Ed, and I think, you know, Stephanie too, I forget, Ed mentioned it, is, you know, essentially, a lot of times those things do nothing and especially if they’re not technically connected to the systems, you know, that controls the firing on the page itself, right? And I think what the law requires in most of these jurisdictions is not that tracking scripts don’t execute until, you know… The affirmative consent is given. But, you know, the vast majority of cookie banners that I audit, to be honest with you, in these growth metal market end up pretty much being purely cosmetic, right? The scripts are running when the page loads, before the user has any opportunity to respond, and, you know, consent is really the biggest issue. But what you really need, and there’s a lot of different ways to do it, I think in this setting, it probably has to be a little bit more homegrown.

But you need a consent management platform, and you need these internal processes in place, right? So, you know, the consent decisions, you know, made by the user in real time are controlling what actually executes on the page.

You know, you also need a preference center that persists with choices across it, you need a DSAR process, and you need a backend system, right, that creates, you know, auditable consent records with timestamps not only is… have I seen this for, you know, the state, the civil, even getting into SOX compliance or SOC 2 audits and things like that, they want to look at the numbers, and you need to have a way to audit these with timestamps and knowing exactly what’s going on, and that also helps create you know, defensible arguments, too. But without a full tech, you know, technical stack, you know. you have the appearance of compliance, but none of the substance, right? And that appearance without substance, I think, is, from what I’ve seen, is exactly what these plaintiff attorneys are scanning for, is the gap between what your policy states and what your site is actually technically doing.

Bob Olsen – 45:26

Ed and Stephanie, from your perspective, what are, you know, a couple takeaways, and we’ll get into this a little bit more, but just while we’re on this topic, you know, that companies can take to reduce their, you know, litigation exposure?

Stephenie Yeung – 45:38

I… actually, what I had in mind, was exactly what Aiden has said, get your consents before, you allow the tracking technologies to fire when users land on your website, honor GPC signals, global privacy controls, and you have to audit your consent management platforms to make sure that they are working, as they are supposed to.

Bob Olsen – 46:08

Ed, anything you want to add?

Ed Tolchin – 46:09

I would just add, not specifically to answer your question, but on these numbers here, these numbers are cases filed. These are not claims made, and that’s really important for everybody to understand. Just an estimate, I would say that 10% of all claims made go to litigation.

In other words, if you look at those numbers, multiply them by 9, or 10 to figure out how many claims are made every year, because most claims get settled, and the reason why the claims get settled is because… is for two reasons. One is, when you’re dealing with plaintiffs’ litigation counsel quite often, they’re very happy to settle a case relatively inexpensively if they… all they had to do was write a letter and talk to you once or twice. Then they’re willing to settle relatively inexpensively. But once they file a lawsuit, then it gets really expensive for you to try to resolve it. So, what happens more often than not is that you’ll get a letter, let’s say they’re… so instead of $3,100,to 35, there were actually 30,000 claims being made. So you’ll get one of those 30,000 claims, and you’ll see that there’s a demand for $100,000. And you can say, $100,000, oh my gosh, that’s just… that’s just incredible. I can’t afford $100,000. That may be true, but if…There’s really a good claim there, and you don’t settle up front, and you can always negotiate well below $100,000, but if you don’t settle up front, that $100,000 is going to grow, plus your attorney’s fees, plus your technology fee. It’s going to be extraordinary. So…right, so… remember, that’s… these numbers are really low because they’re only reflecting the cases that get filed.

Bob Olsen – 48:03

Thank you.

All right, we’ve got about 10 minutes, I want to make sure we leave at least a few minutes. We’ve got 2 more slides, be remiss, we’ll jump to slide 10. Yep, the, you know, be remiss without talking about AI, so we’re just gonna spend kind of a few minutes here. Obviously, you know, maybe the fastest moving piece of our entire conversation from a regulatory landscape. You know, it’s changing regularly and rapidly, both at the federal level, but even more specifically at the… and particularly at the state level.

Aidan, we’ll start with you. You know, so you’re working with inside companies that are adopting AI tools. You know, most companies have done it quickly and without, quite frankly, a lot of, you know, governance structure around it, and there’s lots of good reasons why that’s the case. But there’s also obviously a lot of risk that comes with that. You know, how are you seeing shadow training? And, you know, unvetted AI adoption show up in practice with some of these companies?

Aidan Morrissey – 49:01

Yeah, so I think this hits, too, on my earlier statement about the large use of SaaS tools in this large, you know, landscape is, you know, these companies are adopting these SaaS tools, because they do typically, right, solve a real problem, and are you know, very helpful. And so these things are being adopted very quickly, and like you had said, without a lot of, you know, thought process to it. And the shadow training comes, you know, especially through you know, these vendors taking the data without your understanding, right, without and I think ultimately it comes down to vendor management, right? Are they using the data? Do you know if they’re using your data, you know, to train their models? Do you know what kind of access they have? Do you have the right, you know, agreements in place? And the answer is probably typically not, because these tools are adopted, because they’re seen as kind of a quick hit in terms of ROI.

But the due diligence you know, really isn’t being done. And we think about how this can be solved is…you know, adding these questions into your vendor assessments, sometimes having separate vendor assessments for these AI vendors, but what we have now, really, you know, outside of, you know, some of these frameworks. is this, you know, NIST AI framework, and what that’s doing now is it’s basically creating, at least in what I’ve seen and what we’ve been able to you know, use it to operationalize is a new gold standard for the ability to handle AI, to assess what’s going on, and to be able to kind of move on from there. But really, it comes down to this third-party risk management.

Bob Olsen – 50:52

So, Ed, or Stephanie, you know, Aiden mentioned the AI Risk Management Framework, you know, which I think is a good framework, you know, kind of a starting point. It’s, you know, it’s definitely voluntary in name, but I would say more and more…companies are using that as their kind of, you know, guardrails or guideposts to kind of get there. You know, what does that mean for a middle market company that’s just maybe starting to think about AI governance? You know, how should they think about the NIST AI Risk Management Framework?

Ed Tolchin – 51:22

So, I’ll… I’ll give you the rule of thumb.

Compliance with… I don’t say compliance may be an overstatement, but trying to conform yourself to the NIST standard is not going to protect you 100%. But if you’re not complying with a NIST standard, you are almost certainly going to be exposed 100%.So, it’s not a defense. But it is a necessary gating, I would guess, would be the way to describe it. So, it’s always good to have standards. Apply with the standards because that gives you something that you can then argue about if claims are made, and you get yourself in trouble, but it’s not going to be 100% protective. But without it, you’re 100% exposed.

Bob Olsen – 52:15

Okay, thanks. Stephanie, you know, the, the, you know, Colorado seemed to be at the forefront from an AI regulation. They’ve got the, you know, Colorado AI Act, which was just delayed one more time, or pushed out one more time to 2027, which I think is the third time. Does that, you know, any thoughts around whether that gives companies a window to prepare, you know, a window to prepare? Is it a false comfort? You know, should we kind of assume that they’re going to continue to, you know, punt that down the road?

Stephenie Yeung – 52:45

So, I don’t think it’s a false comfort, and I think companies will have sufficient time to prepare, and I say that with an asterisk. About 3 weeks ago, actually, the original Colorado AI Act was repealed and replaced with a version that is much narrower in scope. and what, you know, a lot of the more burdensome requirements have been dropped. So instead of focusing on high-risk artificial intelligence systems, and imposing a duty of care to mitigate, algorithmic discrimination and bias the new act that is going to become effective January 1st, 2027, and I do think that data set that is only going to focus on, automated… automated decision-making tools, automated decision-making technologies, ABMTs. So…and it… and the focus, instead of this sort of vast, duty of care, high-risk focus system is going to focus on transparency. So there’s still, role-based obligations. Developers need to make certain disclosures to deployers or users of the ADMT, and internally, the users of the AT&T has to give notice to consumers. What those notice needs to include, that’s going to come down the pipeline in the next few months, while the state regulators tell us. So, it’s definitely an area to keep your eye on, but I think I think January 2037 is… is intent… very much intended to be the firm deadline, but the narrowing of scope.

Yeah, the narrowing up scope definitely helps.

Bob Olsen – 54:41

Yep. Alright, let’s jump to our last slide. You know, things that, you know, attendees and really companies should be thinking about around building, you know, your privacy program.

We’ve obviously spent a lot of time going through, you know, the complexities, kind of what’s go… you know, what could go wrong, if not, you know, if you don’t have a, you know, a good, strong data privacy program. And we’ll, I know, recognize we’ve only got a few minutes, maybe we’ll just kind of ask the panelists to hit highlights, you know, from a legal defensibility standpoint, Ed and Stephanie, you know, what does a good faith privacy program actually need to show?

Ed Tolchin – 55:15

I’m not sure a good faith privacy program is good to protect anybody, because the definition of good faith is quite often more… more or less subjective to every company. And, you know, it’s always… it’s a good start. If you have nothing, then you’re in a lot of trouble, and if you have something, at least you have… you can build your defense. But if you look at these boxes here, or your circles, I would say data inventory and consent management if you have to…pick and choose where to start, I would say those are the two things that you start with, and policy updates and implementation sort of come hand-in-hand between them. So, if you have a good data inventory, and you have good consent management, you automatically could have policy updates and implementation, and everything else will if you’re time-limited and money-limited, I think that’s where you start, and that will give you more protection than not.

Bob Olsen – 56:15

Aidan, do you… Ed mentioned, I think, an important point, you know, most, you know, it really starts with data inventory. Like, it’s really hard, if not impossible, to do anything downstream, kind of effectively, or upstream, whatever’s the right way of saying it, without understanding that, you know, the data that you have. What does that kind of look like from a, you know, technical standpoint?

Aidan Morrissey – 56:31

Yeah, I think it’s taking a broader perspective to understand, and kind of actually open your eyes to widen the scope of what you understand to actually be the data that you have, right? I know I mentioned all these different SaaS tools things that people don’t think about, Salesforce, HubSpot, maybe when it comes to B2B, or even consumers and things like that, but it’s really just the need to get things in order, to understand what’s actually going on, to create repeatable processes, to, you know, find a way, you know, regardless of the level of technical capacity that you have is to find a way to make it work, and to find a way to make it organized.

Bob Olsen – 57:16

Thank you.

All right, I think we’ve got time for maybe one question, if anybody has any, you can obviously find, you know, we’ll share contact info, but, you can definitely find us online if you have anything you want to talk about a little bit deeper, but I really want to thank, yep, we’ve got a question, looks like a legal question.

From Jack, thanks, Jack. What does the regulatory enforcement landscape look like with respect to global privacy control, and what types of practices or failures are most likely to attract regulators’ attention?

I will offer that up to any of our panelists.

Ed Tolchin– 57:56

Stephanie, do you wanna take a swing at that one first?

Stephenie Yeung – 58:00

Right, I think GPCs, honorary GPC signals are definitely something that… that state regulators are looking at. It’s… it’s easy to tell, it’s, you know, whether it’s being honored or not. So it’s, it’s a, it’s a point where, you know, like all sort of other op-outs, you know, in the quest of having an easy and frictionless opt-out, that is one thing that regulators are really focusing on.

Bob Olsen – 58:34

Any other questions?

All right, I want to thank Ed, Stephanie, and Aidan for, I think, a great and hopefully informative conversation. You know, key message, hope everyone takes away that this is not a problem you can defer. Laws are already in effect, the regulators are active, Plain Aspar is active, like we already talked about. You know, but the good news is that, you know, if you build a practical, defensible program, it is really achievable. And so, just want to say thank you for joining everyone today. And, yep, Stephanie put her contact in there for you, please feel free to reach out, and…Hope everybody has a good rest of your day. Thank you.

Contributors
View Bio
Bob Olsen Web

Robert Olsen

Managing Director Global Cyber Advisors Professional Services
View Bio
ROlsen@hilcoglobal.com linkedin
View Bio
Aidan Morrissey Web

Aidan Morrissey

Director Global Cyber Advisors Professional Services
View Bio
amorrissey@hilcoglobal.com linkedin

Let’s connect and work together

If your business or a business in your portfolio is facing a current challenge, our team can provide a qualified perspective and experience-based guidance toward an optimized resolution.
Contact us