The B2B Podcast Index
Privacy in Practice

Are Privacy Myths Shaping Your Business Decisions?

Privacy in Practice · 2026-06-16 · 40 min

Substance score

52 / 100

Five dimensions, 20 points each

Insight Density: 10 / 20
Originality: 8 / 20
Guest Caliber: 14 / 20
Specificity & Evidence: 11 / 20
Conversational Craft: 9 / 20

What our scoring noted

Our reviewer’s read on each dimension, with quotes from the episode.

Insight Density

10 / 20

The episode has a useful myths-as-framework structure and delivers a handful of genuinely substantive points - especially the CJEU inference-equals-sensitive-data implication and the AI-as-not-new framing - but there is significant padding, host editorializing, and several segments that restate the obvious for privacy-adjacent audiences. The density of novel ideas per minute is moderate, not high.

what the CJEU said is that certain personal data that can be used to give rise to an inference of sensitive data also counts as sensitive data
essentially, I think that all personal data is actually sensitive data in the age of AI inferences

Originality

8 / 20

The privacy paradox, 'nothing to hide,' and GDPR-vs-state-laws myths are extremely well-trodden in the privacy community; the car-safety-and-innovation analogy is a standard regulatory-debate cliché. The claim that AI makes all personal data effectively sensitive is the freshest and most consequential idea in the episode, but it is not developed deeply.

one of the myths about AI is that it's new. A lot of the issues that AI is raising are issues that have long been with us
Regulation steers companies to innovate in a different direction, but it doesn't stop innovation

Guest Caliber

14 / 20

Daniel Solove is a genuinely top-tier privacy law academic - among the most cited scholars in the field, author of 10+ books, GWU law professor, and founder of a practitioner-focused training company - giving him real credibility. He is more scholar-practitioner than scale operator, which slightly limits direct business-decision applicability, but he is far from a generic thought-leader guest.

He's the author of more than 10 books and is one of the most cited legal scholars in the field of law and technology
I got into this during law school in the mid-90s

Specificity & Evidence

11 / 20

The episode contains several concrete anchors - the Target cotton-balls-and-soap inference story, a $6M negligent-design verdict against Meta and YouTube, the CJEU inference ruling, and the COPPA birthday-data example - but multiple claims are made without case names, company names, timelines, or enforcement figures, and the Target example is widely recycled.

there's a recent verdict was $6 million jury verdict against Meta and YouTube for addictive design
a company just thought, hey, you know, it'd be cool to collect the birth dates of our users because we just want to wish them a happy birthday

Conversational Craft

9 / 20

The hosts make a genuine effort to translate academic points into business implications and pivot the conversation toward operator takeaways, but they over-editorialize, frequently answer their own questions before the guest can respond, and the rapid-fire closing section truncates depth on several consequential myths; there is virtually no pushback or productive disagreement with Solove's positions.

I'm thinking about this from the perspective of a company and I'm listening to your answers and I'm thinking about, well, what does that mean for this company?
I know I'm forcing you rapid fire, so I just, I'm cheating now. And adding a couple other sentences

Conversation analysis

Computed from the transcript - who did the talking, and the verbal tics along the way.

Share of words spoken

  • Speaker A: 65%
  • Speaker B: 27%
  • Speaker C: 8%

Filler words

so: 52, you know: 32, like: 24, actually: 16, kind of: 13, right: 11, sort of: 6, I mean: 3, literally: 1, obviously: 1

Episode notes

In this episode of Privacy in Practice, Kellie du Preez and Danie Strachan speak with Daniel Solove, Professor of Intellectual Property and Technology Law at George Washington University Law School and CEO of TeachPrivacy. One of the most cited legal scholars in the field of law and technology, Daniel joins the podcast to unpack some of the most common myths that shape how businesses think about privacy - and why those myths can lead to weaker compliance decisions, poor risk assessments, and ineffective privacy strategies. The conversation explores several assumptions in privacy, including the idea that consumer behaviour proves people do not care about privacy, that AI presents an entirely new set of privacy problems, and that consent alone is enough to meet a company's obligations. Daniel explains why these beliefs often fall apart under closer scrutiny, and what a more thoughtful, practical, and forward-looking approach to privacy should look like.

Full transcript

40 min

Transcribed and scored by The B2B Podcast Index.

One of the myths about AI is that it's new. A lot of the issues that AI is raising are issues that have long been with us and long been issues that privacy law has been grappling with. I think that AI puts these things on steroids. It increases these problems, it remixes problems, it enhances problems, and there's certainly new things that it raises. Welcome to Privacy in Practice, the podcast where we bring you the latest insights, practical solutions, and real world stories from the world of data protection and privacy. I'm Kellie du Preez. And I'm Danie Strachan. Privacy in Practice is brought to you by VeraSafe, your trusted partner in privacy and data protection. In this podcast, we dig into the challenges and opportunities in privacy compliance, from navigating complex regulations to building a sustainable privacy program that works for your business, not against it. So let's jump in and get practical with privacy. Our guest today is regarded as one of the most influential voices writing about privacy law. His work has shaped how courts, academics, and practitioners think about privacy. We are absolutely thrilled to welcome Professor Daniel Solove to the podcast. Daniel is Professor of Intellectual Property and Technology Law at George Washington University Law School. He's the author of more than 10 books and is one of the most cited legal scholars in the field of law and technology. Beyond academia, Daniel is also the founder of TeachPrivacy, a specialized privacy training company, and the co-founder of the Privacy and Security Forum. Today we are very excited to explore one of his key areas of thought, privacy myths. We'll examine the gap between what people commonly believe about privacy and what is actually true. Welcome, Daniel. Thanks for having me. Daniel, it's really a pleasure for us. You've been studying and shaping privacy law for decades. 
What first drew you into privacy as a field and why do you think it still continues to be such a misunderstood area? I got into this during law school in the mid-90s. I took a course in cyber law and I knew at that point I wanted to teach law and I thought this would be a really interesting field to get into. The issue I started on was privacy, and I thought the time I would be doing other issues, I didn't think there was going to be that much. You know, privacy was one like, little thing in a very big universe. Turned out that privacy was a gigantic universe. So that was kind of how it started. And, and it's been interesting and exciting ever since. You've written a wonderful book called On Privacy and Technology that, that talks a lot about this tension between the way that the law has struggled to keep up with the very rapid pace of technology. And you've also written a lot in this book about. You have a whole section on privacy myths. Why did you choose to write about privacy myths? Why do you think it's such an important part of perhaps the inability of law to keep up with this rapidly changing world? Well, I wrote about the myths because I think they're really foundational. And I wrote my book for really three audiences. One is the general public to educate them on the issues and the law in an understandable way. Two is for companies, privacy officers, data protection officers, also others involved in compliance, general counsel, and even the C suite to really understand what is going on at the macro level and understand these myths that will, I think, impede businesses from doing good, effective privacy internal work, which I think goes beyond compliance. And then I wanted to write for policymakers because I think the policymakers are the ones that I think fall victim the most to the myths, and they are passing laws that are not effective in a lot of cases and need to be better. 
And that's a big part of what I write about in the book, is that the law has failed here. It's nice that so much law has been passed and we've really seen a really quick response in the law, much faster than the law normally responds, but unfortunately has gone in certain directions that I think are just the wrong directions. And a lot of that is due to some of these myths. That's something we very much agree with. Arguably, if you are not protective of privacy, perhaps it may come to bite you as a business. I don't know if that's always true, but we'd like to think it is in some ways so very much align with that. And I think to pull out of what you said of the three audiences, as we've sort of talked about, our audience in this podcast is often that middle category, the sort of businesses, the people that are making these choices. And I'd like to start with the first myth in your book because in some ways I think some of these myths are more impactful to the lawmakers, as you say. But this privacy paradox myth, I think is particularly impactful to businesses. So could you please talk a little bit about the privacy paradox and why, perhaps how you see it, perhaps impacting the choices that businesses make in perhaps ways that it shouldn't. Yeah. So the privacy paradox is this well known gap or inconsistency between people's attitudes and behavior when it comes to privacy. So we look at the behavior, we see behavior that Is dramatically inconsistent with people who purportedly care about their privacy. The myth I want to attack is that this notion that a number of folks have drawn from this, which is that, well, talk is cheap, and we really need to look at people's behavior. If you really want to figure out how much people value privacy, look at what they do. It's very easy to say stuff, but, you know, when we look at what they do, it shows they really don't care that much. They. 
If they're going to trade their data in for just access to a website or a little bit of a discount at the supermarket or drugstore, then they really just don't care that much, or the privacy is valued. Their data is valued at a very low number. And so, you know, why should we offer stronger protections when they really don't behave in ways that they care? It's a myth because the polls and the behavior are really two different things. They're not the same thing when it comes to the behavior. That's actually not a reflection of their general views on privacy. It's actually a specific risk decision made in a specific context. And so every time I share data with a site or every time I'm behaving or interacting on the Internet or doing something, I'm essentially making a risk calculation, which is, what is the benefit of a particular site or technology or something versus what are the. What are the risks to me? And the problem is that it is nearly impossible for people to make that risk calculation. And so many things skew the risk calculation to sharing data or making choices that are not good for privacy. And so, you know, should I get a smart doorbell with a camera outside? Well, it's very convenient because I. My home office is on the third floor. I. Someone rings the bell, I don't want to run down three flights of stairs to or answer it. So it's nice to have the doorbell, camera. What are the risks? Well, I'm a privacy expert. I know all the risks, but they're hypothetical. They haven't happened yet. It's unclear. So how can I make that calculation? What I can tell is that, hey, I really want that cool doorbell has the camera, and that's what people can do. And I can't even make the risk assessment. As an expert on this, how can the average consumer possibly make that assessment? And so you dangle these wondrous benefits that technology offers with these very abstract harms that they can't really even assess meaningfully. 
And of course, people are going to say, I want the benefits. Why Wouldn't they? It's a rational choice. Even though they care about privacy, they really are not going to be able to figure out the risk. Well, now, in the age of AI, in fact, that can be really telling. And so very famous story from a while back was that a store called Target had an algorithm that tried to figure out who was pregnant without their buying products that were related to pregnancy, babies and so on. So other things that would tip them off that they're pregnant. And the algorithm is actually pretty accurate and would identify people who were pregnant and start sending ads to them to start shopping for baby products. In the story, there's this anecdote where a father of a teenage girl goes to the store and starts complaining, saying, like, I don't know why we're getting all these baby ads. My, my daughter's a teen and it turns out she was pregnant. She hadn't told them yet. The algorithm focused on, in fact, the items that it used to determine or that correlated to pregnancy were cotton balls and unscented hand soap. I think most people buying those items didn't think, oh, wow, I'm revealing sensitive health information when I'm buying these things. But that's what modern technology can do. That's what AI can do. It can take the data that people give and then make inferences about other things, about them, about their health, about their religion, about their politics, beliefs, pretty much anything, race. So that's one of the very common myths. I don't have anything to hide, so I don't have anything to fear. But why is it such a persistent myth, though? So people, there are these examples, like the Target example. But why do people generally, whenever I tell anyone that I'm a privacy professional, they'll say, well, why do you really care about this? I don't have anything to hide. Why? Why is this perception still out there? Yeah. 
So that gets into it a slightly different myth that I've written about, which is this idea that, well, if you have nothing to hide, you should have nothing to fear. And then ultimately only privacy is really about the hiding things that you don't want other people to know. And that's all that privacy is. But even if nothing could be inferred from it, even if there isn't anything embarrassing, there are still implications that go beyond hiding and that gets to use of the information. There can still be a lot of uses that could be potentially harmful to people, and it's not about hiding things. And there's a lot of other things that have nothing to do with Something that you might want to hide. So, like writing fiction. And I've been doing some fiction writing and let's say I'm writing about a character who poisons another character and I start doing all these searches about poisons. Well, you know what? I have nothing to hide. I'm not going to poison anyone, I hope. But I don't want to have to explain to some nervous government bureaucrat what I'm doing. And yeah, I have an explanation, but I don't want to have to get the call. I don't have to worry about what someone looking at me from afar is going to be thinking, or what some algorithm is going to be tripped off by or be thinking or what they might look at my data and hallucinate and come up with whatever conclusion it might draw. Why should I be subject to that risk? And I think a key component of freedom is not having to explain oneself, that we shouldn't have to worry about what some big government Sauron eye in the sky is going to think about us at all times based on what we're doing. I saw someone mention this in a different context the other day, and they said it's not really about not having something to hide, but it's about having something to protect. You have your dignity and your integrity and your good name and all of that could be affected if your privacy is not respected. 
So it's not just about secrets that you don't want people to know, just because it's also context, too. So it might be that you have, you know, if someone has cancer and it's not like they want to hide it, but they might want some people to know it and other people not to know it. And it's not that they want to hide it. They might be very open about it to some people, but there might be other instances where they don't want to talk about that they don't want it to be the subject. Or there could be certain people where they would prefer not to know it or that they want them to know it, but later in a conversation or later in a relationship. So it's not just about this binary, oh, there's this stuff that we just want to hide forever. It could very well be people want to reveal things at certain times rather than at the, hi, nice to meet you. And by the way, let me tell you, my health, you know, that kind of thing. You mentioned algorithms and the like. We are now in the age of AI. Are you seeing any new privacy myths emerging within that context? Well, I think AI has A lot of myths to it. You know, it is a. One of the myths about AI is that it's new. A lot of the issues that AI is raising are issues that have long been with us and long been issues that privacy law has been grappling with. I think that AI puts these things on steroids, it increases these problems, it remixes problems, it enhances problems. And there's certainly new things that it raises. And the way that this myth I think can create some problems is when policymakers try to create or focus on just like let's just create a new AI law, forgetting that, you know, there are a lot of, you know, this is an extension of some older problems that existing law is trying to deal with, but not so successfully. 
And so you don't forget about the old law and go back and this is a great occasion to rethink those laws and update and fix those laws rather than try to do some generalized AI law that ultimately doesn't really get at some of those problems very, very well either. It's kind of making the same mistakes rather than saying, okay, AI is showing us just why some of these older laws are problematic. And this goes to the thing that I just talked about earlier, the target example and inference. The the law has long failed to address this problem particularly well. And it really shows us some of the problems with the existing approach to privacy, which is just put a notice out there and then make people try to figure it out at the time they give the data to a company or let the company collect it. And obviously if people can't make a reasonable risk calculation at that point because later on data can be inferred, privacy law's not doing its job. And I think this has been a problem long before AI, but AI really now shows us just how bad the problem is. I'm thinking in all three of these myths, the privacy paradox, the sort of, you know, have nothing to hide myth, and the AI, all the changes that come with AI. I'm thinking about this from the perspective of a company and I'm listening to your answers and I'm thinking about, well, what does that mean for this company? What do they take away from this? And a couple things come to mind and I'm curious your reactions to these. The first is that I think companies shouldn't. Companies need to think skeptically about their customers behavior. And that's a weird thing to say, but I think that perhaps that is a takeaway. I think that sometimes we do have situations where our customers say, well, they accepted all cookies or they did this. So it's fine, you know, or you know, we can rely on their consent or whatever it is, is. And I think that to a degree that's correct, strictly speaking under the laws that's correct. 
But I think that to your point about the other part of the privacy paradox where people do say they care a lot about privacy and in fact they do care a lot about privacy and perhaps if they had more information they would make different choices. I think that is another takeaway for customers and our clients rather is that as the world is evolving, I think that companies that make an effort to treat data responsibly, try to be transparent, actually will garner greater trust in their customers. And putting aside the fact that as you said many times, the law is not up to the challenge yet and therefore does put companies in a bit of a weird position because perhaps what they should do is not necessarily what they're doing, obligated to do. But it does seem to me that kind of looking at some of this data and some of these myths, the takeaway should be just complying with the letter of the law is not necessarily the best thing, the only thing that you should do. And I'm curious as to your reaction about that. Yeah, I think that's exactly right. I mean, I think you're absolutely right on the money there. What the law asks companies to do is far short of what companies should be doing. And I actually think it's good for business to be thinking differently and to thinking beyond just what the law asks you to do. And we're actually starting to see that in the United States. And there's a recent verdict was $6 million jury verdict against Meta and YouTube for addictive design. It was a negligent design case. And there we saw the companies were saying, hey, we, these were people who used our services. Now we did our privacy notices, we offered them and we purportedly looks like we complied with various regulations and laws. And here we are sued and liable for negligent design, which is a pretty open ended common law protection. And so we see that the law is moving. And what I think a lot of companies don't ask or don't say, well if the law allows it, let's just do it. 
We'll just dump it in the privacy notice, we'll collect the data, we'll make inferences about it, we'll start using it in these ways because it's immediately beneficial to do so, even if it's something that customer might not have expected or the use might not be something they would particularly like or want. But look, they agreed to it. You know, they didn't opt out of the privacy notice or they clicked the accept button. So we kind of got them. And I think like that taking a kind of a hard objective look at is this a use that a customer, if they really, really knew about it, if they really understood it, would they be happy with it? Would they have expected it? Would they condone it? Would they, you know, is it really in their benefit? How does it benefit them? How does the risk equation work for them? If they really understood what went on rather than the formalities of hey, you know, they looks like we, we got consent under the law. And I think ultimately in, in the short term, yeah, they are, from the law's standpoint, you know, they're, you know, they can do it in the long term, I think it'll come back to bite. And I think the sooner they get ahead of that and realize, you know, how do we make our practices in ways that aren't going to be gotcha to the consumers are going to be consistent with their expectations and I think most importantly are going to be in their best interest. There's something good for them in it that I think will make a big difference because they'll be ahead of the regulatory curve. They'll be ahead of any lawsuits and changes in the law that are going to be happening. They're going to be ahead of this reckoning that we're going to see over time that is going to happen. I've heard you say that you think that of the privacy laws that exist, the GDPR is the best. And I think that perhaps one of the reasons is because it's a human rights law. 
And so you get these decisions like you were referring to the CJEU decision about the inferences of sensitive data also constituting effectively sensitive data themselves. But the way you get there sometimes is you're think you're forced under the construct of the GDPR to think about things from the data subject's perspective. And I think that that is perhaps a good framework for companies that as you say, think about it from the perspective of what does someone expect, right? That's transparency. What is what you're doing going to be viable for that person ultimately to exercise their rights over that data? You know, you're, you have to, is it privacy by design? Are you taking into account, do you have a legitimate reason for processing the data? Are you processing it beyond that? All those things, right, that are in the sort of principles of the GDPR. And I think perhaps that's why it's the sort of gold standard at the moment and still is, despite other limitations it might have. Yeah, absolutely. I think thinking through that also just understanding where the law could go or the direction. And so in that example, what the CJEU said is that certain personal data that can be used to give rise to an inference of sensitive data also counts as sensitive data. So what this means is, and we haven't seen enforcement catch up to it yet. So generally, you know, because I think that pretty much most to all companies are out of compliance with the GDPR on this front because they are collecting personal data that could give rise to inferences about sensitive data. In fact, we see from just the Target example earlier, it could be literally the cotton balls and soap you're buying are actually sensitive data because they give rise to health. And with AI, almost any collection or amount of non-sensitive personal data could be used to infer something about sensitive personal data, especially as broad as those categories are in the GDPR. 
Which means essentially, I think that all personal data is actually sensitive data in the age of AI inferences. So that means it changes the way that that data must be collected and how that data must be handled. I think being on top of that and proactively understanding where the law could go and might go and what could be enforced against what's possible is helpful then to figure out what they should be doing and how they should address this potential issue. But the only way to address it is to really understand it, to know it, to look and see where the law could possibly go and then think through how can they balance the interests they want and the goals they want to do as a business with what they're doing. I always think it's just better to be prepared and to be a step ahead of the law rather than a step behind it. And I think one other myth I want to kind of pivot to quickly, but I think it's an interesting potential contrast to what you're saying is that if we do this right from a company's perspective, if we think ahead of the law, if we treat all data as sensitive data, how could we possibly innovate, how could we possibly grow? And I think there's a myth, right, that compliance and innovation or compliance and growth are at odds. And just as a quick side note, one thing you didn't mention, what we sort of implied. Well, and I mean, we're only giving you like a few amount, a small amount of minutes to talk about all these things, but one Thing you didn't mention in terms of the curve of the law is it's not just the regulators now it's the private plaintiffs in the. You know, you might think about again that meta case, right. You get this. If it's. It's actual harm tort, it's not necessarily a privacy law you're worried about. Suddenly it's this harm to a human or it's the various wiretapping laws or various other things. People get creative, right? If people are harmed, they will find a way to. 
Hopefully they will be able to find a way to discuss it or, or be have that wrong rectified. So now I'm a company and I'm faced with all of this. I don't disagree with you that the people are waking up to the ways their data is being used and I think that are frustrated by it. But I do feel this tension as this hypothetical company against innovation and being ahead even of what the law requires. Do you think that's a myth and. Or what advice would you have for companies in that sense? Yeah, I mean, you raised two really great points I'd love to talk about on the mission about innovation. It's a really pernicious myth that good regulation and strong privacy protection impedes innovation. It does not. We see this myth historically happen all over the place with almost every industry as it's being regulated. And in just one example, cars, the cars were not very safe and there weren't safety features in cars like airbags or seat belts. And cars were very dangerous. They argued, no, don't force us to have these things because that will impede our ability to innovate. People don't want safety. They really don't care. Just people should just drive better. And they pushed this for a long time. Ultimately the law caught up and now we have much better car safety. And in fact a lot of innovation, a seatbelt and an airbag are just as innovative as a car that goes faster. People want safety features and they like safety features. And when they're. Innovation is devoted to them, actually the cars sell better. So we really can see that innovation can be compatible with good regulation. Regulation steers companies to innovate in a different direction, but it doesn't stop innovation. It just says, hey, there are other values here that matter. And if you focus on those, there are ways to innovate without harming people. Often the challenge seems though that compliance and innovation isn't collaborating. 
We see it so many times on projects where privacy is seen as the stumbling block, but it's Often because the R and D team didn't involve privacy or compliance from the beginning, it is possible to innovate in a compliant manner, but unfortunately people tend to run and try and break things instead of looking at compliance and seeing how they can build it into their design. Meeting the compliance requirements but still innovating at the same time. Absolutely. I think getting privacy involved early on in the process is better because it's much harder to retrofit something for privacy than to think about it in the beginning and develop it as you're developing a new service technology or product. And I also think this goes to a point that you both raised a little earlier about the importance of going just beyond the four corners of a law. I think it's good to just take a step back and say, what should we do? What would be good for our customers? So then instead of getting this really narrow focus on checking off a list of doing these things, which a lot of times may actually not really provide any benefits to anybody or the consumer, step back and think, okay, what would. Because that's what's going to get you their trust. That's what's going to be the kind of innovation that will really be valuable. It's kind of like when you have teaching to the test, you teach to the test and then ultimately a student doesn't learn very well because you've lost sight of the bigger goal, which is the student really needs to understand something. And if we don't lose sight of those goals, we're going to get much, much better programs and a much better balance between privacy and the business goals and ultimately do things that really benefit the consumer. And those are the things that will build the consumer trust and will be the things in the long run that are going to be valued. 
As we're about to close, I wanted to cover a couple of other common myths, but see if we can do this in a quick fire way because there are so many myths out here. The first one that I can think of because you've mentioned the GDPR earlier, is if an organization is GDPR compliant, that also means that they're therefore compliant with the US state privacy laws. Myths or true? Yeah, that's definitely a myth. That's not true. The GDPR is different than the state privacy laws. They. For instance, the state privacy laws have different types of definitions for sensitive data, different rules for sensitive data, different scoping to their rights to delete. In some cases they are more lenient than the GDPR in certain ways. But there are other instances where they're actually stricter than the GDPR or have very different requirements. So there isn't. Just complying with the GDPR will not put you in compliance with all the state laws. Here's another of my favorite rapid fire myths that we hear a lot. I'm a cloud based company. I don't really do much data processing myself. My vendors do all of my data processing, therefore they handle my privacy compliance. Right? Yeah. I think that you're responsible for what your vendors do and you're responsible for selecting good vendors, vetting them, having good contracts with them to make sure that, you know, all rights of individuals and laws are complied with and making sure that they are in fact following through on that. And if there's a failure in any one of these things, companies can be liable. And I think they don't fully realize that, you know, it's on them and they could. And if there's a breach, they could be responsible too. So it's on them. And the more effort and time they put into making sure that any vendor that touches data that they collect or is processing on their behalf, they have to make sure that they are doing the right things. And I would just add to that that very good answer. 
I know I'm forcing you rapid fire, so I just, I'm cheating now. And adding a couple other sentences is because I have a vested interest in the answer to this question, because I hear it a lot too, is, you know, when you're the one collecting the data from people, even if you're passing it through to vendors, you're responsible for all of the first point stuff that doesn't absolve you from also having a privacy program as well, which wasn't really inherent in my question, but I think that's something that people miss as well. I have a strong cybersecurity posture. I have a SOC 2 certification, therefore I'm also privacy compliant. Security is different than privacy. They're certainly related, they go hand in hand, but they are very different. Security focuses on keeping data secure, and there's certainly privacy elements to that. But privacy involves issues of use of data, issues of even internal access to data. It's not just protecting data against hackers or outsiders who might get that data, but improper use. And that depends on privacy laws, what they require, how the data is and also how the data is collected and which data can be collected. So you could have the data really secure, but if you've collected data you shouldn't have collected, you're in violation of the law. There's a, you know, the case in the United States where a company just thought, hey, you know, it'd be cool to collect the birth dates of our users because we just want to wish them a happy birthday. Well, getting the birth dates now gave them actual knowledge that some of their customers were below the age of 13. Having that actual knowledge triggers the Children's Online Privacy Protection Act, COPPA, which means that they have all sorts of requirements, enough to get parental consent, which they didn't realize that they triggered that law. So how secure that data is is irrelevant. 
Now they triggered a law they didn't want to trigger and they were found in violation of all the requirements of that law because they collected data. And it's not even clear that collecting that data wasn't necessary. I think if they had a do-over, they probably would have not wanted to collect that piece of data because it didn't benefit them in any real material way. I think that for a lot of engineers, like, sure, we'll just ask the question. Enter your birth date in a form. It's very easy for folks to gather data and collect data, but unless you have someone who knows like, okay, here are the trip wires. You collect this piece of data, you're going to trigger this law. You do this, you're going to have this obligation. Without that knowledge, you're going to make these mistakes again and again. And the security folks aren't going to know this unless they understand what the laws require. Yeah, but I'm actually going to answer it for us because I actually think it's a deceptively complicated one. The question is, okay, well then I'll just collect consent, right? If I can just collect consent, that solves everything. And the answer to that is no. But instead of discussing it, I'm going to direct people to your book, Daniel, On Privacy and Technology, because you do a great job of talking about all the sorts of things, power and imbalance and information that's not available. As to why, it kind of takes us back to the privacy paradox at the beginning. Both philosophically and practically, you cannot simply collect consent. Yeah, I think maybe that's the takeaway for this. This whole conversation is, yes, it's nice to get consent. However, more broadly, you should be thinking like your customers, particularly if you're in a consumer-facing business, be thinking like your customers, be thinking about what they would actually want to know or how they would actually expect their data to be used. And think ahead of the curve. 
If you wouldn't want it in a lawsuit, don't do it. Exactly. I think that, you know, there's so many. First of all, what kind of consent do you need? There's many different types of consent that you need to do. Do you need parental consent, regular consent, opt-in consent, or opt-out consent? Then there's the whole issue of, you know, sensitive data which gets used and treated differently. There's a lot of things that exist independently of consent that turn on aspects of privacy law. So, yes, just getting consent is not going to solve all your problems. That doesn't mean that you're done and that now you can just do whatever you want. There's a lot of other requirements in the laws that must be heeded. Awesome. Well, if anyone listening is interested in more or for Daniel's sense of the future, On Privacy and Technology is Daniel's book. And I think it's a very helpful read for kind of considering the future and how all these forces come into play. Daniel, thank you so much for being on our podcast. It was very interesting to chat to you. Any final takeaway message you would have to a, let's say, medium-sized business listening that's trying to build for the future that we haven't already said? Yeah, I guess I would leave with this, that it can seem very daunting that there are all these different privacy laws. I would urge businesses not to just throw up their hands and give up and say, oh my gosh, it's too complicated, it's prohibitively expensive, because it isn't. And I think that, you know, having a strong, thoughtful privacy program and devoting, you know, reasonable resources and decent resources to it is a great investment. It doesn't have to break the bank and it doesn't even have to be perfect either. I think that it's worth building a strong program and it will get you very, very far ahead. Maybe you might not be in perfect compliance with every law around the world or every law in every jurisdiction that you're doing business in. 
And it's very rare for any company to be, you know, completely and utterly compliant with all four corners of the law. I don't, I don't think there are many companies that are. But if you have a strong privacy program, if you are devoting good resources to it, if you are taking it seriously, you can really go very, very far and make a big difference, stave off a lot of problems, a lot of enforcement, improve not just privacy, but also data security, reduce a lot of regulatory risk and ultimately much, much further ahead and in a much, much better business position and growth position for the future. If you do these things and you do them early and you do them and you don't just kind of give up because it looks like it's climbing Mount Everest, I think if you do the climb and you, you make a good effort, there are rewards and it's worth that investment. And it's not going to be, I think, insanely expensive or impossibly difficult. Words we like to hear as people who help build privacy programs. Thank you so much, Daniel, for your time and all of your insights. It's been wonderful. Thanks so much, Daniel. Thanks for having me. That's it for today's episode of Privacy in Practice, brought to you by VeraSafe. We hope today's insights help you navigate privacy challenges with confidence and clarity. If you enjoyed today's conversation, be sure to subscribe so you don't miss out on future episodes. And we'd love to hear from you. Share your thoughts, questions or suggestions for future topics. Send us an email to podcasterasafe.com, and to learn more about VeraSafe's data protection and privacy services, you can visit us at verasafe.com. Until next time, best of luck in approaching your privacy challenges in a practical way. See you then.
