Briefly

TRANSCRIPT

00:10
Adam Stofsky
Hey, Daniel, how's it going?

00:12
Daniel Goldberg
Doing great.

00:13
Adam Stofsky
I want to dive into the question of the legalities, the legal guardrails around monetizing data, making money off your data. So this is like a huge question, I'm sure, but can you kind of give us the high level answer? What are the most important things a company needs to understand kind of legally before it starts to monetize its data? Is there even a way of answering that broad question?

00:37
Daniel Goldberg
So what I would say is the fundamental question is around ownership of the data. Do you own the data? What are the rights in that data? And in the work that I do, there's almost two different funnels that sometimes get confused together and you'll see a lot of groups that confuse them. But there's probably privacy and intellectual property, and those are two distinct areas. Intellectual property truly is around copyright and ownership. Can I claim ownership over it? Do I have the rights to it? Do I have the license to it? And privacy is more of a compliance regime that's did I adequately inform the consumer and get the consumer's consent to use the data? Now privacy is interesting because privacy relates specifically to consumer personal data. Right. So it's data that identifies or could reasonably be used to identify an individual.

01:34
Daniel Goldberg
And so that's why, Adam, in our prior discussion, we talked about these different categories. A lot of times we think about data as consumer personal data, but that is not everything. So, you know, the majority of data, really, we're not even thinking about the personality personal data obligations, those only attach, those compliance obligations only attach if it triggers those laws. Otherwise you're looking at it primarily as intellectual property. And then with that, just like any other intellectual property, you need to do analysis about do you have the rights to use it and how can you provide that downstream?

02:11
Adam Stofsky
So if I have this incredible treasure trove of data about temperatures and pressures on the seafloor or something like that, you know, or weather patterns or something, I don't have to worry about data unless somehow there's a connection to a identifiable human person. I don't have to worry about the privacy.

02:31
Daniel Goldberg
Correct, correct. And that's actually really. Let me give you an interesting use case here would be, let's say you have a weather app and the way that you get all this information about weather in regards in certain ways is based on people's devices that they bring into certain locations and you're collecting it. It, okay, so it could be personal when you collect that, but if you take derivatives of it, if you aggregate that information, you can Pull that outside of privacy scope and bring that in and claim ownership. And then once you're an owner of all that data, you can basically use it however you want. You know, subject to some potential qualifiers, but essentially it's yours. And you get these insights that are truly valuable.

03:13
Adam Stofsky
Very interesting. So who needs to worry about this in a company, right? I'm kind of asking you a bit of a softball question here.

03:23
Daniel Goldberg
But it's not just a lawyer, everybody, it's everybody. It starts from the very bottom. Like if you are involved in a project and you say, we want to figure out some way to use this data set to license it, to get value out of it, the person who's actually coming up with the concept should be the one who's like looking at this and actually saying, like, is this something we can be doing? Right, to dig into it.

03:51
Adam Stofsky
So I want to make use that. I'm completely just making this up on the spot here. I want to make a cool new fishing app that uses sea temperatures to tell you where to fish. Right. So I kind of need to understand where the underlying data set came from if I want to know how to use it and not get my company in trouble. Is that a good example?

04:12
Daniel Goldberg
Yeah, absolutely. And so one of the primary questions we always ask is where did you collect the data from? How did you collect the data? What rights are around that? So in your example, let's say that we are this phishing app and we're collecting data. If you're getting data through your phishing app that somebody has that is being deployed out, used in the real world, that is what we would call first party data, because that's data that you have a direct relationship. You got it directly through your application. You essentially own that data. Okay, but let's say you're getting the data. Let's say you're also, as part of this phishing app, you have this weather. Let's stay on the weather theme here, right?

04:58
Daniel Goldberg
You have weather and you want to pull this weather live from a third party source because you're not just getting it based on where this app is being deployed, but you're getting it from repository that is third party licensed data. Now you're combining, you have your first party data and you have your third party license data and you're combining them together. That's what makes things really tricky is that the way the databases are set up when companies have their CRM, it's not like, oh, we're siloing all this, it gets combined together. So now it gets a little tricky because you have to look back on saying, where did I get all the rights to all this stuff?

05:35
Adam Stofsky
Right. So like, what can I do with that first party data? Fine. I know there's other issues with first party data around privacy, but let's say I have a third party data. I need to know, like, what rights do I have to use this? There's some license that maybe I just, maybe I'm just licensing it to read it and enjoy it, but not actually use it.

05:51
Daniel Goldberg
Absolutely, that's exactly right. And so oftentimes these databases, you know, have some type of license associated with them. As we just talked about monetization, those that are assembling this data want to make money too. Right. So sometimes they're public and freely available. Doesn't mean that there's not requirements around the data. Doesn't mean that there's not restrictions. There may be restrictions that say you can't use this for an illegal purpose. You know, you can't use this for an app that's pornographic or something. But on the other hand, it may say, you know, you don't have to pay us for it, otherwise it's generally free or you may have to pay for it, but there's always the license restrictions in it.

06:30
Daniel Goldberg
So you got to look really carefully at your contract when you're getting this data, because the contract sets out the parameters of how you can use it.

06:40
Adam Stofsky
So you need to understand anything you're using, whether it's first party. In other words, is it yours and did you collect it? Did you collect it as a company or a third party? Are you, have you purchased it or licensed it? And what are the various intellectual property restrictions on your use of that data?

06:55
Daniel Goldberg
Correct. And the one caveat would be it gets a little bit more complex when you bring consumer personal data into this. Because if you're licensing consumer personal data or you're collecting it directly, you have to deal with all the privacy obligations.

07:09
Adam Stofsky
Great segue. That's where I was going with it. So, yeah, so, so start there. Right, so what do we need to be, if you have that data, I guess third party or first party maybe talk about generally what are the main privacy concerns that are, that are an issue with all of this data.

07:25
Daniel Goldberg
So we, Adam, are going to have to do a whole session talking more about that too, because it's so in depth. But what I would say is there are certain tenets of privacy law that we should be thinking about here. So the tenants Would be. One of them is notice and choice. Did the consumer have notice about the collection, the use, the disclosure of their data, and did they have choice? Did they have choice to submit it? And if it was collected in certain ways, did they have a right to say, well, we want to opt out? We don't, you know, we don't want it to be disclosed that way. We don't want it to be used that way? Not every state gets gives this. In the United States now we have 19 plus comprehensive state privacy laws.

08:12
Daniel Goldberg
It's state by state, which is what makes this difficult to address. There's already been other states that are moving towards passing laws. But point being is you can't just look at this and say, oh yeah, you know, no problem. Like you have to look at each state individually. What do they require? Okay, so tenant number one is what I would say is notice and choice. I would. And that's about disclosure and that relationship. I would say tenant number two is around what we would call expectation. Does the consumer have an expectation that they would. You would be using this data in this way? You know, there are certain elements where it's like, it's such a potential abuse of the way the data is being used that regulators will look at this and say like, that could just be like unlawful on its face.

08:57
Daniel Goldberg
So we have to be really careful. And what goes with that is something called purpose limitation, which is only using the data for the purposes for which it was collected and no other. And this has been one that there's always that push pull where marketing goes. We want as much data as we can get because I want to be able to use it for anything. And then it's like, well, what are you thinking? We don't know, but we think we're going to use it one day for intellectual property purposes. Generally that's probably okay. But when it comes to consumer personal data, very clear, it's not okay. So you have to make sure that if you're going to be using data for additional purposes that maybe you didn't originally think of, they have to be compatible with the original purpose.

09:41
Daniel Goldberg
We call that the compatibility test generally.

09:43
Adam Stofsky
Right. So I run an amusement park and I need to get everyone's height to know which rides they can ride. I can't then kind of hand that over to the apparel company I own and use that to market certain clothes.

09:55
Daniel Goldberg
Well, maybe. And that's where you talk to somebody like me who can help and help, you know, navigate some of that. Because I want to be Clear. There's a lot you can still do with it. I'm not saying you can't, but what I'm saying is it's also dependent on what you're thinking and how far you're going with that. Okay, So I would say that's the second tenant. I would say.

10:15
Adam Stofsky
So expectations and purpose limitations.

10:17
Daniel Goldberg
Yeah, we're going to put those together. Then the third one, let's say, let's just talk about security for a moment because I know that there's concern, confusion sometimes about what is privacy versus security. Privacy is what would people expect that you do with the data and how do you actually use that data? Security is more of the technical implementation. How are you making sure that once you have that data in your possession or control, you make sure that data is okay, that there's not unauthorized use or disclosure. And there's a bunch of laws that have been around for a long time now, data breach laws. Right. If you've ever gotten one of those notices in the mail from like Equifax or something, hey, your data's been compromised. That's a security obligation issue. Okay. So, but that goes hand in hand.

11:05
Daniel Goldberg
So if you're going to have this data, you can't just go, okay, we're just going to keep it, you know, in a way that whatever, we're actually going to keep it secure. And going in connection with that is also, you can't just keep it forever. There should be retention obligations. So you're going to go, okay, we're going to keep it for a while, but absolutely not forever. Okay.

11:25
Adam Stofsky
Okay, great. So let me just. I think that's a really good summary about the very broad strokes, rules of the road. But I think it's interesting here is you didn't really mention any specific laws. You mentioned privacy laws. But these are kind of almost principles that a lot of laws address.

11:41
Daniel Goldberg
Right, Right. And so a lot of these principles actually came before the laws. Right. Like these have been around and there are other principles, Adam, but these are the ones that come to mind to me immediately. The, the only other one I would say would be around sensitive data sets, that there are certain high risk categories of data, financial data, health data, children and minors data that they go. We go, well, this is such a risky category that it's not the same as getting an email address that's available everywhere. This is something that like we actually need to be taken care of to look at and make sure it's treated with a higher level and a higher protection standard. It just basically raises the bar on those things. So, good example would be security. Right.

12:27
Daniel Goldberg
You may be able to deploy certain encryption measures around an email address, but if that email address is associated with a Social Security number that you have in your database, well, you should probably be using a different level of encryption for that.

12:39
Adam Stofsky
Right? Okay, great. So let me just give a recap now that was incredibly useful. If you are going to monetize data in any way, you need to understand two broad kind of legal areas. The intellectual property considerations. Do you own it? What is your relationship ownership wise to that data? And if you don't own it, you're licensing it. What are the rules around licensing? What are you allowed and not allowed to do and for how long and where? All those different questions, then you have the, if the data is in any way touches people, consumers in a way that could potentially identify them, then you're in this world of privacy law and you have all these different rules, again depending on where you are. But some of the basic concepts are notice and choice, which I guess is also consent we didn't use.

13:25
Daniel Goldberg
That's right. And the reason I don't use consent is that consent is not always the requirement. I, I, I actually said the term opt out too because a lot in the US is opt out. So yes, that's why I would look at that. Choice encompasses consent or opt out.

13:44
Adam Stofsky
I like that. So notice and choice expectations and that idea of purpose limitation, security kind of retention when you have to actually sort of delete that data and then even beyond that, this broad category of sensitive data which places some greater scrutiny, greater obligations on all those categories.

14:05
Daniel Goldberg
Exactly.

14:05
Adam Stofsky
So that is your like 12 minute kind of crash course in the over sort of the big picture legal issues you have to think about when monetizing data. Was that a good summary?

14:15
Daniel Goldberg
I think it was great.

14:17
Adam Stofsky
Right. All right, thanks so much.