Particulars and Peculiars of Subscription Product Legalities
AMA with Gary Kibel, partner at Davis + Gilbert
As you and your team continue to accelerate the subscription-based digital transformation, we want to focus on discussing proven and adaptable acquisition and onboarding strategies that not only drive growth, but ultimately lead to a better full-journey subscriber experience and an increased customer lifetime value. Our goal was to deliver actionable insights and provide connections for your continued success.
Gary Kibel, partner at Davis + Gilbert
“When I see a client's privacy policy and the date indicates that it hasn't been updated in 3-4 years, I immediately think they are not on top of things. No one has a business that hasn't changed anything in so many years.”
Full Transcript
*Questions submitted by community members
Please join me in welcoming today's AMA speaker, Gary Kibel. Thank you for joining us! Gary is a long-time friend and colleague who has a fantastic reputation in the industry. He will be sharing his answers to your questions on the topic of Avoiding privacy pitfalls in your subscription growth product efforts. We are lucky to have him for the next 30-45 minutes.
Question: Gary, I would love to learn more about your passion for the field of privacy and internet law... why do you love what you do?
This area of law is constantly changing. My wife is a real estate attorney and I joke with her that her area of law hasn't changed in 100 years. Mine changes daily! You can't take a day off in this space.
Question: Tell us about a subscription that you use and value highly for work/personal?
I do a good deal of newsletter reading each morning. AdExchanger is a standard for ad tech.
For privacy, I read the International Association of Privacy Professionals (IAPP) and many other provider newsletters.
For law, lawyers read Law360 and Bloomberg law.
And then there's my firm's D+G Alerts! (ok, shameless plug).
That's some heavy reading each morning... coffee or tea with that?
I get the D+G alerts and they are very valuable.
Diet Coke. I'm an addict. Like Tom Cruise in Tropic Thunder.
Question: Let's shift to some privacy-related questions... What are the most common challenges you see businesses face in adhering to privacy laws?
The first challenge is simply understanding what laws apply to your business and your data. That would seem to be a simple question, but it can be challenging.
There's a myriad of ways in which a new subscriber can indicate their level of intent and thus quality as long as we're making ourselves aware of what those might be and tracking them accordingly.
That's a pretty general response, I know. Happy to think it through with a more specific product example.
Then you need to understand what data your organization processes, how it was collected, what disclosures were made at the time of collection and how you are authorized to use the data. Again, this can be challenging, but it is very important. Compliance comes after those steps.
And lastly, putting in place internal controls to ensure you comply with the law, with your policies, with your disclosures and any contractual commitments.
I imagine there is another layer of complexity since you mentioned earlier that it is always changing?
Is this something that should be audited on a regular basis to ensure compliance?
Yes, privacy compliance is not a static exercise. As I mentioned above, it can change daily! Business practices and the law can both change. So you need to revisit your practices regularly.
I appreciate you breaking this down into the pieces that need to be understood. It's a lot more digestible.
Though not entirely uncommon, data mapping exercises can be very helpful. It's like peeling an onion; figuring out where the data in your organization comes from, how it's stored/used, obligations, etc.
Question: What are some uncommon privacy and security practices that you consider best practices?
When I see a client's privacy policy and the date indicates that it hasn't been updated in 3-4 years, I immediately think they are not on top of things. No one has a business that hasn't changed anything in so many years. The U.S. privacy landscape is light-years different than 4 years ago. In the U.S. it is mostly not a legal requirement to have a Chief Privacy Officer or Data Protection Officer. But designating someone to be responsible for privacy compliance is very important so that the organization is not rudderless. And practicing data minimization. This is creeping into the U.S. privacy laws. Only collect what you actually need, and don't save it forever.
True, especially of the last few years.
Probably very good if that person is the consumer advocate in the org to a certain degree.
Yes, it should be someone with their pulse on the organization's business.
Data Privacy seems very much in line with customer experience, but I wonder how often those roles are in the same org.
Yeah, privacy compliance people don't have to be attorneys.
My impression is that it's someone who's mindful of the business exposure to risk but not with the customer's best experience as the priority. I'd like to be wrong about that.
This is really helpful. Back to the comment on the value of a Chief Privacy Officer, for instance, someone owning the process(es) that ensure change is monitored, addressed, etc. would be invaluable.
Question: I think I already touched on this question... What is a good cadence to be revisiting privacy practices, based on the speed of changes in law and consumer trends?
I would say at a minimum annually. But it should be ingrained in the organization that if there is a new product or service, privacy compliance should be considered at the outset and not as an afterthought. That's called "Privacy by Design."
I like that... Privacy by Design.
And of course, if there are new privacy laws or enforcement that come to light, those should be tested against your products/services.
Question: Is it important for the full organization to be educated on the company's privacy policies? How often?
Definitely. Training is important. Everyone in the organization needs to understand your policies for handling data. For example, if your privacy policy says X, but your customer service people do Y, then you're going to have a problem. Everyone needs to be on the same page.
So, I would imagine new employee orientation is key but then periodic updates based on changes.
Going back to the data mapping exercise comment, you'll sometimes find out that different departments have radically different practices. That can be revealing.
Guidelines are no good if people don't follow them.
Yup, new and existing employees both need to be trained. Don't assume just because someone has been with the organization for a long time that they understand everything. Things are changing. Heck, I had to improve my Slack skills for this session!
Is Data Mapping done in an audit-like project effort?
Data mapping can be part of a broader privacy audit of privacy practices.
Question: Let's dive a bit deeper – what should our community know about the American Data Privacy And Protection Act (ADPPA) and what actions should we be taking today?
It's been interesting. I'm still skeptical that this will pass and become law, but it's gotten further than any other comprehensive privacy law on the federal level to date. It passed in committee with only 2 No votes and will soon move to the full House.
However, the California delegation is grumbling about pre-emption and the fact that it will supersede California law. Plus, a very key Chairwoman in the Senate is opposed to the bill. In a 50/50 Senate, that can be tough.
So I wouldn't put all your chips on the ADPPA in its current form.
Understood... thanks for helping us understand this complex new area of law (potentially).
Question: This is great stuff but I am going to move us to focus more on subscription business focused questions. Do we expect consumers to actually read the terms and conditions on subscriptions? What responsibility do brands have to ensure their subscribers are reading and understanding this legal contract?
It's the joke in the legal industry that the only people who read T&Cs and Privacy Policies are plaintiffs' attorneys and regulators. The reality is consumers do not focus on them closely, but they still have a big impact. But don't rely solely on those documents. You need to consider the consumer experience. Your documents should be consistent with what the consumer expects based on the experience. If they are not, then you should do something outside of the documents to properly set consumer expectations.
So this is interesting, going back to your earlier point about disclosures at the point of data acquisition – do you ever recommend a customer-friendly version of these disclosures outside the T&Cs?
Sometimes it feels like there is little to no optimization given to the T&Cs... almost hoping that consumers will not read/understand them.
You can never confirm the terms have been read. You can confirm that they have been properly presented and acknowledged. I often work with clients on analyzing the flow on services. This can be especially important in heavily regulated areas such as text messaging, where disclosures must come before obtaining affirmative consent. So the presentation is important. I am going to help you out with a link to the D+G newsletter signup form, and also offer our services to optimize your website.
Is this often the difference in acceptance experiences, where one I see often (many times from Apple) requires you to literally view the terms and scroll through them before accepting, vs. accepting terms that are included in a hyperlink on another page?
Forcing the user to scroll through before hitting accept certainly gives you evidence that the consumer saw the terms. Oftentimes in class action lawsuits the plaintiff says they never knew what terms applied.
Question: California passed the Automatic Renewal Law in 2010... will other states follow?
New York has a law as well. So called "dark patterns" are a major focus of regulators these days. Those are practices which either trick consumers into actions or make it challenging for them to exercise rights.
Good rule of thumb -- if it's easy to get into a service, then it should be just as easy to get out.
Question: This has been great, Gary. We only have a few more questions left. Time to get out your crystal ball. I often feel like the US is a few years behind Europe when it comes to privacy and digital media legislation. Is that accurate in your view? Should we be looking at the EU for things to come in the US?
The EU was certainly in front of the U.S. in terms of privacy laws. The General Data Protection Regulation (GDPR) has been in effect for over 4 years, and in the U.S. we still don't have a comprehensive consumer privacy law on the federal level. But don't think that complying with a so-called strictest standard is sufficient. Yes, some privacy laws are stricter than others, but they don't all line up properly.
For example, in the U.S. everyone thinks that California has the strictest law. But there are elements of Virginia's and Colorado's privacy laws that take effect in 2023 that are stricter.
So there's no one-size-fits-all.
Overall, the EU does view privacy more as an individual right than in the U.S.
Question: What legal changes do you see coming down the pipeline that subscription growth and product experts should prepare to address?
Most new privacy laws in the U.S. have consumer access rights. So you need to be prepared to respond to consumer requests, such as disclosing what data you have about them and deleting the data upon request. The more challenging aspects are around sharing data with third parties, particularly for targeted advertising. Consumers will have the right to opt out.
And keep an eye on any opt-in requirements. For example, starting in 2023 some states will require an opt-in to collect precise geo-location. While that's standard practice on mobile, it is not on the web.
Okay, this has been immensely valuable and a great way to get some free legal guidance. Thank you so much for helping to peel back some of these deep layers around the laws impacting our community.
You're welcome. Great questions and great group.
Thank you again, Gary, for your time and insights today. This topic is a complex and challenging one, but certainly an important one as we strive to be customer focused. It is a good reminder that we are not doing this to appease the lawyers (only) but also to protect consumers' rights. This concludes another great Ask Me Anything event. Thank you to everyone who submitted their questions for Gary.