Through GDPR, CCPA, and other significant privacy regulations, consumers are more aware of their rights than ever before. In this episode of LiveRamp’s podcast, “Saying the Quiet Part Out Loud,” Anneka Gupta, President and Head of Product and Platforms at LiveRamp, and Eloise Dietz, Team Lead of the Data Stewardship Engineering Team at LiveRamp, talk about how LiveRamp helps consumers understand their data rights, allowing them to connect with brands and publishers in ways that they find welcome and relevant.
(Please note that this transcript has been edited for readability.)
Anneka: Welcome to, “Saying the Quiet Part Out Loud,” a podcast from LiveRamp that uncovers what’s unsaid about technology, data, and business, and explores how they intersect. My name is Anneka Gupta, President and Head of Product and Platforms at LiveRamp. Today, I’m joined by Eloise Dietz, team lead of the data stewardship engineering team at LiveRamp, and we’re going to talk about data privacy and privacy by design. Welcome, Eloise!
Eloise: Thanks so much for having me!
Anneka: Can you tell our listeners about the data stewardship engineering team and your role within LiveRamp?
Eloise: LiveRamp has always given people the option to opt out of our products, but new privacy regulations take this even further and give consumers the right to access or delete their data as well.[i] My team builds services that enable LiveRamp and our clients to honor these requests, both at LiveRamp and across the adtech ecosystem. The goal is to provide individuals with more transparency and control over their data, and of course, to remain compliant and stay ahead of future data regulations.
Anneka: Data privacy regulations are everywhere, yet there are so few people who truly understand the issues we’re facing around data privacy and protecting consumers, and how multifaceted they are.
Today, we’re going to talk about privacy by design—what it means, what the product and engineering implications are, and how it ultimately impacts consumers. In an earlier episode of our podcast, I was on with Fatemeh Khatibloo, an analyst from Forrester, and we talked about the concept of privacy by design and what that means. How do we think about privacy end-to-end when we’re building and designing our products and solutions? We also touched on how things like GDPR and CCPA impact consumer data,[ii] and ultimately how that affects what companies market to them. Today, I wanted to chat about how you implement privacy by design and the choices that companies—and by extension their engineers—have to make in order to comply and meet regulations. Eloise, can you talk a little bit about what privacy engineering is?
Eloise: Privacy by design and privacy engineering are a set of principles that call for privacy to be taken into account throughout the entire engineering process. Regulations like GDPR and CCPA incorporate these principles into their requirements. One example is data minimization, which is the principle that data should be held in as few places as possible and used only to complete the primary use case.[iii] For many companies, preparing for CCPA was a massive and costly undertaking. I think a lot of them realized afterwards that by thinking about privacy from the beginning of building these products, they could have avoided many of the costs that came with considering it only as an afterthought.
Anneka: Can you give a specific example of how we’ve implemented data minimization at LiveRamp within our engineering architecture?
Eloise: Sure. One example is the opt-out. Before CCPA went into effect, and before our team was created, LiveRamp held opt-outs in many different places. Some products would hold their own list in order to ensure they never delivered data about that person. Our team decided to centralize this to ensure that there is one source of truth for opt-outs at LiveRamp, and also ensure that identifiers representing a person who had opted out only existed in one place. Other teams now call us to determine whether or not they are allowed to distribute data based on that person.
Anneka: Talking about CCPA, which went into effect at the beginning of this year, what were some of the issues beyond legality that you had to think about as you were implementing changes within our products?
Eloise: One issue was more of an engineering challenge. LiveRamp, like many tech companies, processes terabytes of encrypted data. We use distributed workflows designed to compile segments of people like, “women who bought sneakers last year.” Access and deletion requirements under the CCPA present a very different obligation: return or delete data based just on one person. When implementing these workflows, we had to make numerous technical trade-offs. To return someone’s data quickly, we could store personal data keyed off an individual identifier. This approach would involve retaining the data twice, however, and as I mentioned before, we want to ensure that we follow the principle of data minimization and not increase the risk that the data could be compromised. So, we elected not to change the structure of how the data was stored, but instead chose to search through our existing data stores to find the individual’s information. The solution does not compromise the security of the user’s data, but it’s a slower and more costly approach.
Anneka: One of the big challenges that companies face is how fragmented the regulatory provisions are, and it’s only getting more complicated. Over the past couple of years, we’ve had both CCPA and GDPR come into effect. Just as a reminder to our listeners, CCPA is the California Consumer Privacy Act and was primarily modeled after GDPR, which is Europe’s General Data Protection Regulation. The two laws are extremely similar, and many companies had to figure out how to comply with both, but there are some key differences that make implementation and compliance complicated. GDPR has taken a primarily opt-in approach, where consumers have to actively opt in to their data being used, while CCPA has taken more of an opt-out approach. Eloise, can you talk about how you approach privacy engineering in a world where there is so much fragmentation and regulation? How do you simplify the complexity of fragmentation in the work you’re doing?
Eloise: One of the first things we did while preparing for CCPA was to undergo a massive data inventory project to be sure our products were compliant. However, technical companies innovate for a culture of building products quickly and continuously iterating on these products, so our data inventory was destined to become outdated within several months. One of the hurdles we encountered was guaranteeing that our assistance remained compliant as LiveRamp’s products evolved and as new privacy regulations emerged. Our team needed to insert ourselves as stakeholders within other teams’ agile development processes, without adding too much red tape that could also hinder product releases. I think this is a big reason why LiveRamp decided to invest in a data stewardship scrum team. We knew that building these systems to comply with CCPA wasn’t going to be something we could build once and then never have to think about again.
Anneka: What are some architectural examples of how you designed that kind of flexibility to innovate as the regulation changes?
Eloise: One thing we did was work closely with the identity engineering team, which works to resolve consumer directly identifiable personal data to encrypted data. This way we could help LiveRamp expand while staying compliant with new data regulation laws that include data localization. We had one interface with the identity engineering team that allowed us to deploy our services in new regions while keeping directly identifiable personal data in that region.
Anneka: That makes a lot of sense. It’s an interesting and difficult challenge. I talked to technology leaders across many of the partners we work with, and just as you said, if you’re not taking an adaptive approach, what you do becomes out-of-date pretty much within seconds, which is very difficult when you’re trying to build scalable solutions for the future.
Let’s talk about design challenges. When I was in Europe last year, browsing websites on my phone and computer, there were pop-ups on every site asking me to accept cookies because of GDPR. Since CCPA went into effect, we’ve seen more of that in the U.S. as well. Can you talk about the intersection of user experience and consumer privacy when you’re developing these solutions?
Eloise: Improving transparency is one of the main goals of a lot of these data privacy laws, and it’s important for the user to understand what our products do in order to decide what they want. and before they access or delete their information. How do you explain how cookies function to a user who doesn’t know what those are? How do you explain technical concepts in a straightforward way that doesn’t result in pages and pages of text that no one is going to read? And how do you do this without compromising your original website design? LiveRamp retains an identity graph that contains only pseudonymized identifiers. One of the challenges we faced in designing our consumer portal was how to explain the cryptography algorithms we use to tokenize the data.
Anneka: How have you thought about developing that language to explain technical concepts to consumers? Do you try it out on your family and friends? Or do you have any tips and tricks for our listeners on how to approach that?
Eloise: I think something that helped was our collaboration with the LiveRamp data ethics team. By working together, we found a common language in order to build these systems, and working so closely with their team also prepared us for building this consumer site.
Anneka: Often when we talk about CCPA, GDPR, and data privacy, it starts out as a legal question, right? Our leaders across the company go to our legal team and ask, “what does this mean for our product and for our business?” One of the challenges I’ve seen is that the solutions are very technical, and can’t be solved by legal alone. Can you talk about how your team partnered with the legal and data ethics team to make sense of the changes that are happening? How did you design solutions that meet the needs of the regulation and the consumer?
Eloise: That’s a great question. I think something that worked well for us was spreading the word about privacy laws and regulations within LiveRamp. Once we explained the CCPA principles we needed help with, the engineers who knew their product best came to us with solutions. By spreading the word about privacy, we were able to crowd-source solutions with the rest of the engineering and product teams.
Anneka: Can you talk about how you work with the rest of the engineering teams to design and implement solutions? Clearly your team alone can’t do all of the heavy lifting across the business.
Eloise: We see ourselves more from a technical aspect as the coordinating team. Even though data ethics and privacy questions might be directed to our team, we work with all other engineering teams at LiveRamp that store data. We coordinate the access, opt-out, and deletion responses, but really what we’re doing is providing other teams with the relevant information they need in order to process the access, deletion, or opt-out requests. We might send our identity team the pseudonymous identifiers that represent a person, and they actually build the workflow to delete or return the data associated with that person.
Anneka: Have you found any tips and tricks that work well for educating the broader engineering team about these regulations and their nuances? How do you take the complexity of this regulation and make it consumable and actionable for them?
Eloise: We try to distill the information so the team only gets what they need to know in order to complete the request. For example, under CCPA, we need to respect both direct consumer requests as well as indirect consumer requests. Direct requests are when a consumer comes to LiveRamp and asks to access or delete their data. Indirect requests are when a consumer asks one of our clients, who then forwards the request to LiveRamp. We don’t necessarily tell other teams at LiveRamp what the request is. We hold the information that differentiates what needs to be done for a direct versus an indirect request and only ask the teams to delete specific data.
Anneka: Another topic I wanted to chat with you about is how we think about and incorporate diversity, inclusion, and belonging into every part of our business operation. I wanted to ask, in terms of consumer privacy and privacy engineering, what role does diversity inclusion play, and how does it inform the decisions you’re making?
Eloise: I think privacy has a unique perspective on that question. It’s important to remember that privacy regulations aren’t meant to stop companies from collecting and sharing data, but instead to ensure individuals understand and have control over that process and can trust the companies that are collecting their data. However, people in different cultures perceive privacy differently. So, when we’re building products to interact with consumers, we need to have diverse perspectives in the room when making decisions, so we can better represent, and ultimately produce, a product that fits more individuals’ privacy perspectives.
Anneka: When you talk about culture, what we’ve experienced at LiveRamp—and what many companies that operate internationally are experiencing—is that the ethos around consumer privacy takes a different form in Europe, compared to the U.S. The way we think about the interactions we have with consumers—even though we’re not a consumer-facing company—looks substantially different in Europe.
Anneka: We talked about how privacy engineering was formed at LiveRamp, and how you have led the development around CCPA and GDPR compliance across our products. As you look to the future, what’s next for you? What are you focused on and excited about in the coming months and years?
Eloise: There’s a lot that we’re really excited about. Now that we’ve built these systems in order to respond to the CCPA requirements, we’re excited about testing them in new jurisdictions and on new privacy laws that may happen in the future. Our approach to CCPA was more reactive, so now that we’ve built these systems with the understanding that privacy regulations are going to be changing and expanding globally, we’re excited to see if our preparations can meet the challenge of expanding to take over the GDPR process, or expanding into new regions that also have privacy regulations.
Anneka: I know a lot of our customers value the work we do within privacy and data ethics, both on the legal and policy side, and within our technology, because they have to be reactive to what’s coming down the pipe. The more we can be proactive about our approach, the better we can prepare our customers for what’s coming—and not just our customers, but the entire ecosystem in an industry that runs on data.
Eloise, we have a lot of different kinds of listeners, including some nontechnical ones as well. What advice do you have? How do companies stay ahead of what’s coming next down the regulatory pipeline?
Eloise: A great way to prepare for the future is to remember that all of these laws distill down to a couple of key principles that revolve around providing choice and transparency to consumers. Think of how positive that will be for the adtech ecosystem. Many Americans are increasingly concerned about privacy and feel they have little or no control over the data that companies collect on them. Features that give individuals transparency and control in a way they understand will benefit companies by helping them regain trust with users. And it will also prepare them for future privacy regulations that come their way.
Anneka: That’s a great message. It really does all come down to trust at the end of the day. We have to figure out as an industry and ecosystem how to build trust with consumers. As you’ve shared with us today, Eloise, it’s not an easy problem to solve from a design perspective, an engineering perspective, or a product perspective. It’s been such a pleasure to have you on the podcast today. Thank you for joining me and for having this interesting discussion on privacy by design and privacy engineering.
Eloise: Thanks so much for having me. I really enjoyed our discussion today.
Anneka: Thank you everyone else who is listening today. We hope you enjoyed today’s podcast brought to you by LiveRamp. You can find us online at LiveRamp.com, and follow us on Twitter and LinkedIn. You can subscribe to “Saying the Quiet Part Out Loud” on Apple podcasts, Spotify, or wherever you listen to podcasts.
[i][ii] Note that these rights in the U.S. are afforded under CCPA for CA residents and under GDPR for EU residents.
[iii]This example differs somewhat from the definition of the principle of data minimization, which involves limiting data collection to only what is required to fulfill a specific purpose.