Introduction 0:03
Welcome to the GrailCast, your executive briefing on privacy, top line privacy insights from the voice of your peers.

Daniel Barber 0:15
Today, I’m thrilled to have a part comedian, part privacy leader in this space, and I’ve been looking forward to this one for quite a few months. Today, we’re gonna welcome Andy Dale, general counsel and chief Privacy Officer of Alice. Welcome, Andy. Thanks. Thanks for having me. Cool. Well, definitely be looking forward to this one. I feel like we joked about sccs. I don’t even know how many months ago that was. But yeah, why don’t you give us a bit of an intro on your background and pasta here?

Andy Dale 0:43
Well, here they are, in the new SEC’s are here. And I couldn’t be more excited and thrilled about them on the GC and CPO of Alyse, which is a gifting engagement platform. And prior to Alice I was the general counsel and VP of privacy at a company called session m that we sold to MasterCard in 2019. Prior to that, it was in the ad tech business running the legal team at a company called Datazoo. Got my mentorship and start in privacy at TD Ameritrade before that on that legal team with a really great chief privacy officer named David Hale,

Daniel Barber 1:13
you mystified in there, which is you have these fantastic show the data protection Breakfast Club for season, right? This is season four.

Andy Dale 1:20
This is three, we’re like sort of recording on to four Yeah, this it’s super fun.

Daniel Barber 1:25
You know, I have to ask, like, what was the inspiration for the show?

Andy Dale 1:28
Pedro Pavone, from Facebook. And when when we started, he was at Salesforce. Pedro I met when he was at Oracle. So we thought it’d be fun to we’ve been good friends for a long time. And we have a lot of kind of fun and casual conversations about privacy and about these issues. Because, you know, we feel like that can be to be sort of brought down a level, there’s a lot of legal talk and a lot of law and regulation and people quoting article blah, blah, blah. And that just feels like that’s okay, there’s a time and a place for that. But there’s a lot of conversation happening around these things that we felt was being missed. And we thought, okay, we’ve got over the years, we’ve met a bunch of really cool, interesting fun people, let’s just have chats with them about it. And let’s try to you know, we’re not trying to split the atom where, or rewrite and rewrite any laws or anything, we’re just trying to kind of discuss these things and get different points of view on them. And we love the 80s. And so we just thought like, let’s make it fun.

Yeah, like, let’s make it let’s have some fun with it. And let’s have our friends on there. And honestly, during COVID, it’s been great, because I got to in a way, we got to sort of see our friends, you know, you and I before we were recording, we’re talking about missing those live events. And that lobby of the IPP summit, you know, that’s what we’re sort of trying to recreate, you know, with our friends, just having drinks, and you know, commiserating a little bit.

Daniel Barber 2:46
I find even this kind of dialogue. super interesting, because you pick up insights from folks along the way. What have you learned? Like,I mean, I imagine you would have captured a bunch of things from

Andy Dale 2:56
a ton a ton. And it’s been, it’s been cool Dan because like, we’ve purposefully put a variety of people on from a friend of ours who’s a spacesuit designer talking about the data they use to build spacesuits. So I learned a ton from him about, they have a partnership with Reebok, and they’re talking about the data that’s used when you build clothing, you know, and your sensors are delivering data back to these companies to increase performance, right. And we discussed the privacy issues around that. That was super interesting. We also just learned a lot from peers of ours that have been doing similar things, but doing things a little differently, or people that have been in the game a really, really long time to like, that’s a super interesting one. Our second episode, we had Jules polonetsky, the CEO of FPF, the main think tank and privacy, and then we’re going to talk about AD tech in a little bit. But like Jules is one of the founders of like ad tech privacy, having worked at double click, which was bought by Google, and which is really their ad tech stack. Just a lot of insight from the people that have been doing it, you know, across the generations. Also, it’s been interesting.

Daniel Barber 4:00
You touched on ad tech, I find the folks that are either in that tech or have had a journey through ad tech have sort of battle scars, so to speak, of going through that path. It’s an industry in flux, right? Lots of things going on challenging decisions that legal professionals have to make. Where do you see that landscape going?

Andy Dale 4:17
You said it? Well. I mean, it’s majorly in flux. Interestingly, if you zoom out and you look at privacy in general, the practice or or like the, a lot of those folks, that started kind of, like I mentioned, Jules, and Trevor, and also the CEO of IPP, they all come from AD tech. I always say it and we always like want it to be true. But I actually think it is true that like, a lot of the sort of policymaking started at the ad tech level. And so now I think you’re seeing the sea change happen, which is super interesting, because so much of the internet was built on that and internet privacy was built on that framework of, Okay, I’m making a pretty clear trade. I’m trading cookies for content, or I’m trading cookies for content and I’m going to look at pair of shoes and I’m going to see it again later. While that may at first feel creepy to me, like people have gotten used to that, for better or worse. And in Europe, they click a banner. We’re getting rid of the cookie notionally other Google push that back now two years, which is an interesting decision, arguably, there are a series of different identifiers that are going to be used for ad tech, that’s never going to end, there was sort of a race to figure out which one of those will be the winner. I actually asked the question I don’t I legit don’t know. Like, cookies aren’t that big of a privacy risk. To me. It’s a device ID. So I find it interesting that we sort of are playing with fire in some sense. In AD tech, where we’re going to change IDs, we’re going to notionally carve out something that is arguably more privacy safe, in some sense, but but I just have this sort of existential question, are we? You know, I don’t know.

Daniel Barber 5:50
Yeah. Yeah. It’s interesting. off script a second, you have Apple, obviously presenting a competitive position on privacy. What applications do you use their Apple applications these days, you’re actually using third party applications, like by choice there was talking about it with my fiance. We use the iMessage app, you might use the weather app. That’s about where it finishes. Yeah. For applications owned and run by Apple.

Andy Dale 6:13
Mail is an interesting one. Dan, the mail. some people are I think using the Gmail app or the aerosoft. Some people are just plugging their their emails into the Mail app. And I guess I don’t know a ton about this. But the next iOS version has some changes to the Mail app and opens. Yeah, and so like that will have an impact on potentially ABM marketers, and the idea that they’re collecting. So like,

Daniel Barber 6:38
it’s in flux is Yeah. This whole field, right, but particularly as we zoom out to your level, right, thinking as like chief privacy officer, you’re engaged with CEOs all the time, you see red lines go back and forward. I think a lot of leaders, you know, running companies are trying to figure out how they deploy resources, how they should think about staffing a team, do they bring in consultants? Do they not? When do they buy technology? How do you think about like, CEOs? And how should they think about, you know, staffing a privacy team, like, what should the first hire be? If you’re a company like Alyse, and you’re in b2b, or maybe it’s a b2c example

Andy Dale 7:18
in our situation? Greg, our CEO, had a had a product that was privacy knowledgeable, he wasn’t an expert, but I think it’s helpful to think through, if you are going to have a data play somewhat, you know, or or being processing data to have a champion in your business, I don’t, you know, you probably won’t want to have a CPO right away, unless you’re a really privacy focused business. And you may not even want to you I’ve seen GCS get hired earlier, you know, maybe they do, but still, I don’t think at the seed round, somebody is going to be like, I need a GC like, that’s not gonna happen, right, unless it’s like a legal tool. So while that is happening earlier, I think probably you’re going to work with your product team to get the best champions, you can and then just get really good counsel while you need it. And then I think the first hire probably has to be an attorney. And I don’t know that it needs to be a CPO. But it needs to be somebody that’s either done it in a law firm for a little bit or done some privacy work at a company before, I think that’s critical, because they’re going to need to be sort of player coach for a while. And then I think the next critical hire, if you are going to either level up and get a general counsel, you do that, where maybe that person grows into that role or something. The next role is operations. And whether that’s legal operations or mix of legal and privacy operations, there’s so much compliance work to be done. And it requires like knowing technology systems like yours, like others in the tech stack, got to have an operator, and somebody that’s going to be able to like build that tech stack. And that isn’t always the GC,

Daniel Barber 8:49
you’re obviously learning a bunch from the folks that you’re speaking with. And you’ve been doing this, like you said, for a long time, right? But I’m always curious, especially folks in your position. Where do you go to like, source information for yourself is up is like, that’s obviously one area. But what are your weekly blogs that you go read or newsletters that you’re signing up to?

Unknown Speaker 9:10
It’s funny, I don’t have newsletter, I don’t read newsletters, I, if I’m picking three, they’re gonna be maybe a little different than things other people have recommended. But awesome. That’s what we’re looking for. One is Twitter. And maybe somebody has recommended that before. But if you have the right follows on Twitter, you’re gonna get a real digest of what is interesting, and what’s cutting edge and what is new and out there. And Pedro uses Flipboard, which is not something I use, but I would put that out there. Like if you sort of create magazines and Flipboard, which is an app where you can sort of like focus on privacy or security or like, even more granular if you wanted like GDPR or something or if you’re focused on ccpa or something you can sort of like dial in different like feeds in Flipboard. But I find Twitter to be really helpful like certain folks and I’m happy to like share a list of what of what is At some point, we can compare notes. Yeah,

Daniel Barber 10:01
Yeah, that’d be cool.

Andy Dale 10:03
Twitter’s great. It’s because I can digest it between something, you know, I can just be like, Okay, and then I’ve got a sort of lineup a couple articles and make sure I’m checking them out. When I get a free moment. That’s always helpful. It’s usually like kids are in bed late at night. But and then two other things I’d say. One is, I have a really good outside counsel who happens to live 15 minutes from me, and he’s a good friend, oh,

Daniel Barber 10:24
that’s lovely to grab, like a quick coffee or a quick chat,

Unknown Speaker 10:28
we’ll go for coffee during during COVID. Like, I would just like drive over to his neighborhood. And we’d like walk his dog around the neighborhood. Sounds, it sounds silly, honestly. But it’s like, I get to see my friend and I get to talk about like, the credit problems you’re trying to solve. He’s doing things he’s got it, you know, it’s really nice to have an outside counsel that sees a bunch of different companies and can go without naming the companies or have talked to you about like, well, these are the issues that are coming up. So like, that’s really nice. And then the third thing sort of related to that is a group of peers that I’ve developed with Pedro’s since 2017, pre GDPR, we have a chat on signal. And we do the chat all the time. And then we you know, now we’re doing it over zoom, you know, about once a quarter where we like, get together and we have like roundtables, closed door, funny ish people, and we sometimes bring some of our outside counsel or CEOs, like you will come in and just like unvarnished. Here’s Yeah,

Daniel Barber 11:21
what’s actually happening?

Unknown Speaker 11:22
Yeah. And like, here are the problems we’re actually trying to solve. And people will actually, you know, in sort of that roundtable environment, say, like, I’ve got an issue with employees doing x or one last one I’ll throw in it doesn’t have to do with privacy, but I think you might be interested in it as you listen to 20 Vc?

Daniel Barber 11:38
I do. Yeah.

Andy Dale 11:39
I mean, like that. That’s just like, if no one knows about that. That’s just need tech leadership advice. Yeah. Yeah. For any level of the leadership team. It doesn’t matter. Like it’s not just geared towards CEOs. It’s like, yeah, how do I lead teams, you know, and how to scale. And that’s really critical. Ah,

Daniel Barber 11:57
got a good podcast. Yeah. Yeah. So last one, as I mentioned, this is valuable for folks that are starting out in their career, or aspiring to be where you are today. And we have a lot of listeners that will like write in and ask questions here. But I’d be curious, like, what advice you would have to have someone who’s early in their career thinking about a journey into privacy or, or into security or just the field in general, any parting advice you’d share for folks going down that path?

Andy Dale 12:28
I mean, I get a CIPP right away, not to say it like this. It’s not that hard, like study, read, you know, read a short book, study, learn, you’re probably already interested in it. And you’ve probably already read a lot about it. So like, it won’t be that hard for you to go get the C IPP and start getting involved with the IFBB. Like those resources on their site. Going to events, when we when we’re we definitely were traveling all around, if you can, or any, like dinners or anything, just simple stuff like that. That’s the first thing because it’ll be hard to get practical experience. We interviewed somebody who I really liked. And she didn’t have a ton of practical privacy experience. But I could tell like, she was really engaged and interested in wanted it. And that goes such a long way when you’re interviewing, and you’re trying to show like, because curiosity is one of those things that you know, over the years of hiring, you start to look for it, you know, you really think that Okay, that makes somebody really helpful to a team if they have sort of the desire to continue to learn. And that always comes from people that are like kind of diving in on their own. Even if you don’t have a ton of like day to day, you know, hardcore piia experience, you don’t like doing stuff like that. So that that’s some advice. And then I think the other thing is just get the privacy content where whatever you can any privacy job that you can get, it doesn’t matter what it is, you can go be an entry level ops person, go intern somewhere, and like spend six months or so you don’t need that much. You just need, you know, to be able to say, I did some practical GDPR work. I did some practical ccpa work, or I read some privacy policies, right, like anything like that. And then once you sort of got that chip, you know, you can play it

Daniel Barber 14:12
makes total sense. Your advice there just like trying to engage in content and getting a start in something early is key, regardless of how far down the complexity stack you are. Well, I have a question for you before we lace Yeah.

Andy Dale 14:26
I’m curious. I would like to sort of flip the question on you like you’re probably at a point in your business where you’re thinking about what are my privacy legal hire is going to be how do you think about it like, when will you say I need to CPO or a GC? Like how have you thought about that?

Daniel Barber 14:41
We’ll probably hire someone as our GC and sort of Chief privacy, someone similar to your role, I would think in the next six months, we’re sort of now in a position where the company is in the spotlight on a bunch of fronts. It’s time we have someone guiding the business through best practices. We have phenomenal outside counsel in in government and dettmer. And they invested in our seed round and then again in our B round, and we have a collection of advisors as well who provide regular product guidance as well as practical, operational guidance day to day. Those are great, but I think it’s now time we’re probably going to start, you know, shortlisting for someone to actually lead the legal and sort of privacy function is the right time. Like it feels like it’s the it’s the, that’s the stage. Yeah. Now we’re like, fully into the round in the executive staff, right, for executives in the last six months. So it’s, it’s time. Well, look, I’ll close on you know, definitely enjoyed the discussion, Andy, love the show. Looking forward to season four. You can find this podcast and the sessions on Spotify on Soundcloud on iTunes. Keep an eye out in a couple weeks. We’ll have another speaker on the show. But thanks again, Andy, and definitely look forward to chatting again soon.

Andy Dale 16:03
Thanks. Thanks Daniel.