Masters of Privacy

South Africa’s POPIA uniquely protects both individuals and legal entities, a departure from typical data protection laws. We have focused on understanding this unique figure (Will it one day offer key insights into the complexities arising from the increasing use of AI?) before discussing similarities with the GDPR and international data transfers, both within the SADC region and the wider African continent.Advocate Dirontsho Mohale holds an LLB, postgraduate diplomas in Compliance Management and Senior Management Development Programme from the University of Johannesburg and Regent Business School respectively. She is an Admitted Advocate of the High Court of South Africa, a member and a fellow of the Compliance Institute of Southern Africa - CPrac (SA), International Certified Compliance Practitioner (International Federation of Compliance Associations), is designated Fellow in information Privacy (CIPP/E and CIPM) by the International Association of Privacy Professionals and a FAIS Compliance Officer approved by the Financial Sector Conduct Authority. She is also a former non-executive director on the board of the Compliance Institute Southern Africa and chairs the Social, Ethics, Remuneration and Nominations Committee and a board member of the Each One Hold One.Dirontsho has worked in senior management positions within the financial services sector, locally and internationally, and has over 20 years’ experience as a compliance officer as well as in risk, governance and legal. She has occupied compliance roles in some of South Africa’s major banks and leading insurance companies. Her most recent roles include Senior Compliance Manager for Data Privacy and Corporate Governance at Discovery Group and Executive: POPIA at the Information Regulator SA as well as the role of a data privacy lead for Standard Bank Group after spending some time as the data privacy lead for Standard Bank South Africa.In her capacity as CEO of Baakedi Professional Practice, she offers governance, risk, legal, ethics and compliance services to organisations including data protection authorities not only within financial services providers, but in general; focusing mostly on data protection and privacy in the SADC region.References:* Advocate Dirontsho Mohale on LinkedIn* Protection of Personal Information Act (POPI Act) - POPIA* South Africa: Amendments to the POPIA regulations (Baker & McKenzie)* SADC: Southern African Development Community* Data Protection: Kenya and the EU launch very first Adequacy Dialogue on the African continent (May 2024). This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

California has enacted a sweeping wave of new privacy and AI laws in the past few days. From browsers finally reading opt-out signals to age verification, chatbot companions, data brokers and AI transparency, some of these laws will have a serious impact on the areas we mostly focus on (marketing, advertising, ecommerce, media).We have discussed AB 566, SB 361, SB 53, AB 1043, AB 656, AB 853, and SB 243 with John Pavolosky, joining us for a second time.Our guest is a partner at Stoel Rives in San Francisco. He is co-lead of the firm’s Technology Industry Group. He has also been chair of the Intellectual Property Section of the California Lawyers Association.John has taught Technology Transactions Law at the UC Davis School of Law and Comparative Privacy Law at the Santa Clara University School of Law. John has also guest lectured on technology and privacy law topics at the University of California, Berkeley, Haas School of Business; the University of San Francisco School of Management; and Stanford University.References:* John Pavolotsky on LinkedIn* John Pavolotsky at Stoel Rives* John Pavolotsky: How successful can US privacy laws be at regulating AI models and systems? (Masters of Privacy, June 2025)* AB 566 (Opt-Out Preference Signal, October 8)* AB 1043 (Digital Age Assurance Act, October 13)* SB690, the law that could have done away with most CIPA lawsuits* SB 361 (Expanded Data Broker Transparency Requirements, October 8)* AB 56 (Social Media Warning Law, October 13)* AB 656 (Social Media Account “Delete” Button, October 8)* SB 243 (Companion Chatbots, October 13)* Her, a Spike Jonze movie (2013)* AB 853 (Amendment to the California AI Transparency Act, October 13)* SB 53 (Transparency in Frontier AI Act, September 29). This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Can we ever escape never-ending assessments as a core activity of a privacy management program? How does Privacy Tech extend to AI governance? Does built-in know-how become the most crucial moat?We are joined by Pádraig O’Leary, co-founder and CEO of TrustWorks, in a new installment of our Privacy Tech series (our sixth). Pádraig (Ph.D.) is a former academic in computer science.TrustWorks works with Fortune 500 and high-growth clients, helping them discover what AI and data they’re really using, understand the context of regulations and implications, and embed governance into everyday operations.References:* Pádraig O’Leary Ph.D. on LinkedIn* TrustWorks, recipients of the PICASSO most Impactful Privacy Product Award* Christine Desrosiers (Boltive): Privacy Tech spotlight V - understanding Manipulative Design and rolling out comprehensive client-side monitoring (Masters of Privacy, July 2025)* Vaibhav Antil (Privado): Privacy Tech spotlight IV - from trust to evidence (Masters of Privacy, July 2025)* Cillian Kieran (Ethyca): Privacy Tech spotlight III – compliance as an engineering challenge (Masters of Privacy, June 2025)* Daniel Barber (DataGrail): Privacy Tech spotlight II – widespread non-compliance, opt-out challenges, and shadow AI (Masters of Privacy, May 2025)* Max Anderson (Ketch): Privacy Tech spotlight I – the future of CMPs, value vs. hype in privacy compliance SaaS (Masters of Privacy, April 2025). This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Alexandria (Lexi) Andresen Lutz is founder of the nonprofit Opt-Inspire, Inc., which is focused on empowering seniors, children, other vulnerable populations, and their caregivers to reduce scams and close the digital divide between generations.In her day job, Lexi serves as Senior Corporate Counsel at a Fortune 500 retail company, where she advises on privacy, cybersecurity, and AI. She currently serves in leadership roles in the American Bar Association and is Chair of the IAPP Boston chapter.References:* SIGN UP NOW for the Masters of Privacy NYC LIVE recording and networking event on Nov 6* Alexandria (Lexi) Lutz on LinkedIn* Opt Inspire* FBI: Internet Crime Report 2024* John Cavanaugh: Privacy as a grassroots movement (Masters of Privacy, June 2024)* Jeff Jockisch: AI-powered phishing attacks in the age of the Delete Act (Masters of Privacy, October 2023). This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Robert Bateman is a Senior Partner at Privacy Partnership, which provides consultancy and training on data protection and AI regulation, as well as legal advice via its associated law firm, Privacy Partnership Law. He also hosts The Privacy Partnership Podcast.This is Robert’s third appearance on the show. We have covered three hot topics:* How far do we take watermarking of AI-generated content under article 50 of the AI Act?* How do pre-defined legitimate interest scenarios work under the UK Data (Use and Access) Act?* What is the tension between the Online Safety Act and the new data protection framework in the UK?References:SIGN UP NOW for the Masters of Privacy NYC LIVE recording and networking event on Nov 6 (if you happen to be in town)* Robert Bateman on LinkedIn* Robert Bateman on Bluesky* The Privacy Partnership Podcast* AI Act (EU Commission’s resources)* Data (Use and Access) Act 2025: data protection and privacy changes* The EU approach to age verification (EU Commission)* EU follows UK with age verification in 2026 (PPC Land)* Wikipedia loses challenge against Online Safety Act verification rules (BBC)* Robert Bateman: the EDPB’s Opinion on auditing subprocessors and the future of Meta’s unskippable ads (Masters of Privacy, Nov 2024)* Robert Bateman: Consent or Pay (Masters of Privacy, Oct 2023) This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

It is time for a seasonal update at the intersection of Marketing, Data, Privacy and Technology. We will stick to our usual five blocks: ePrivacy & regulatory updates; MarTech & AdTech; AI, Competition and Digital Markets; PETs and Zero-Party Data; Future of Media.This includes:* CJEU decisions on Latombe (EU-US data transfers have survived, for now) and SRB (relative nature of personal data) * UK legal updates and ICO consultations on ePrivacy-related topics* Record public fines and enforcement actions in California* Ongoing explosion of pixel and cookie-related lawsuits across the US* Important fines in the EU, with CNIL’s unwavering passion for large-scale ePrivacy enforcement* Agentic AI milestones for AdTech and customer centricity/empowerment* Key initiatives to protect copyright holders from large AI labs (together with Anthropic’s settlement)All references and links can be found in a separate blog post available to Masters of Privacy Connect subscribers on our website’s Newsroom section.Our usual disclaimer: the voice that joins me today is a text-to-speech output generated with Eleven Labs. This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

How can we apply differential privacy to real-world scenarios? How do you go about algorithmic design? Is there a conflict between data minimization and differential privacy? Can you solve for personal data finding its way into machine learning models? Where can a young professional find resources to dive deeper?References:* Daniel Simmons-Marengo on LinkedIn* OpenDP* Some takeaways from PEPR’24 (USENIX Conference on Privacy Engineering Practice and Respect 2024)* Damien Desfontaines: Differential Privacy in Data Clean Rooms (Masters of Privacy, January 2024)* NIST Guidelines for Evaluating Differential Privacy Guarantees (March 2025)* Peter Craddock: EDPS v SRB, the relative nature of personal data, processors, transparency, impact on MarTech and AdTech (Masters of Privacy, September 2025)* Katharine Jarmul: Demystifying Privacy Enhancing Technologies (Masters of Privacy, October 2023)* Sunny Kang: Machine Learning meets Privacy Enhancing Technologies (Masters of Privacy, February 2023)* How GDPR changes the rules for research (Gabe Maldoff, IAPP blog, 2016) This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Peter Craddock joins us once again to discuss the recent EDPS v Single Resolution Board decision by the Court of Justice of the EU. Although it builds on the previous Scania and Breyer cases to settle on the “relative” nature of personal data, its practical implications on everything we do in the Marketing Technology and digital advertising spaces cannot be overstated.Peter is a lawyer as well as a software developer. He is based in Brussels, heads the EU Data/Cyber/Tech Law team at Keller & Heckman, and helps international companies with their global data strategy and with EU data litigation.References:* Peter Craddock on LinkedIn* When is data no longer personal? And what are the implications? (Peter Craddock)* EDPS v. SRB (full text of the decision)* Peter Craddock: ePrivacy exceptions, advertising, analytics, the limits of consent and server-side processing (Masters of Privacy, 2024) This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Meaghan Henderson started off as a litigation attorney in Los Angeles, subsequently joining Snap Inc.’s Trust and Safety operations. She is now Global Head of Privacy at iRobot (makers of the ubiquitous Roomba, a robotic vacuum cleaner).We have gone over the many tasks that Meaghan has managed (and regularly manages) to accomplish as a one-person team: rolling out a full privacy program, raising internal awareness, coordinating with security teams, complying across multiple jurisdictions, and being part of the AI governance committee.References:* Meaghan Henderson on LinkedIn* Generally Accepted Privacy Principles (GAPP)* ISO/IEC 27701 (program maturity over time)* Fair Information Practice Principles (FIPPs)* NIST Privacy Framework* OECD Privacy guidelines* Amazon and iRobot agree to terminate pending acquisition This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

We revisit the topics of individual agency, consumer perceptions of privacy, and self-sovereign identity through the lens of a “personal AI”.Copenhagen-based Yngvi Karlson is the Co-founder of Kin, a personal AI built on privacy and trust. After two successful exits and a career in venture capital, he set out to answer a bigger question: can AI empower us without owning us? For him, Kin is more than technology. It’s a movement to put people back in control of their data, their conversations, and their future.References:* Download Kin* Yngvi Karlson on LinkedIn* My data, my rules? Not so fast. (Sergio Maldonado, 2021)* Dan Stone: how to own our identity, protect personal data, and escape LinkedIn (Masters of Privacy)* Jamie Smith: AI Agents, digital identity, wallets and personal data (Masters of Privacy)* Adrian Doerk: digital identity, digital wallets and data protection (Masters of Privacy)* Sille Sepp: MyData Global and the fight for Human Centricity (Masters of Privacy)* An emotional attachment to GPT 4o results in OpenAI reversing course on GPT 5 (Wired) This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Jennifer Oliver is an experienced commercial litigator who has defended consumer class actions and multidistrict litigation, including those arising from data breaches and antitrust. She has worked in several high-profile jury trials, serving as lead counsel in complex mediations. She also counsels clients on matters related to privacy compliance and use of ad tech and similar technologies.Jennifer is a shareholder at Buchanan, Ingersoll & Rooney and has a long list of relevant affiliations and certifications including being an Executive Committee Member of the Privacy Section at the California Lawyers Association.With Jennifer we have dived deeper into AdTech or pixel-related litigation in California, both in court and through arbitration.References:* Jennifer Oliver on LinkedIn* Jennifer Oliver’s profile at Buchanan* John Pavolotsky: How successful can US privacy laws be at regulating AI models and systems? (Masters of Privacy)* California SB 690 Passes California’s Senate, Signaling a Major Step in Redefining Privacy Law and Limiting CIPA Litigation for Online Businesses This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Are privacy compliance and AI governance poised to remain stand-alone practices within the large enterprise? What is their interplay with an all-encompassing compliance effort? How will we deal with consent in the world of AI Agents? Erica Irvin is SVP, Commercial and Innovation Law, and Chief Privacy Counsel at Lowe’s Companies, Inc., where she leads legal strategy for commercial operations, privacy, and innovation. With nearly 30 years of in-house experience across retail, tech, and education, she is known for building agile legal teams and shaping ethical approaches to Privacy by Design, AI and digital transformation. Erica is also a frequent speaker and advisor on privacy, data governance, and legal innovation. References: Erica Irvin on LinkedIn Linsey Krolik: the growing role of the Product Counsel in privacy and AI compliance (Masters of Privacy, May 2025) Gam Dias: Agents Unleashed, understanding the Agentic AI stack (Masters of Privacy, April 2025) This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Gam Dias is a seasoned technologist and entrepreneur with a rich background in software engineering, AI, and product innovation. As a consultant, he has helped write the data strategy for Fortune Global 500 companies, innovative startups, and ambitious non-profits. He has a degree in Computer Science from the University of Liverpool and an MBA from Warwick Business School. Gam has lived in London, Leeds, Salt Lake City, Santa Cruz, San Francisco, and he currently lives in and works from Madrid, Spain. Gam’s latest work, Agents Unleashed, distills years of experience into a compelling look at the rise of autonomous AI agents and their growing role in marketing, sales, and beyond.  References: Gam Dias on LinkedIn Agents Unleashed (Amazon) Agentforce (Salesforce) Gam Dias: on privacy, agency, convenience, and freedom (Masters of Privacy, 2021)  Hubbl Process Analytics Diana Stern and Dazza Greenwood, From Fine Print to Machine Code: How AI Agents are Rewriting the Rules of Engagement (Stanford Law School)   This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

What is “manipulative design”? How does this concept differ from “dark patterns”? How could we expand website and mobile app monitoring to a company’s ad stack?  Boltive’s Christine Desrosiers has joined us for another Privacy Tech interview. She is an operations and product professional with 20 years of experience building best-in-class publisher ad stacks and ops teams, and integrating ad and site stacks with Privacy Tech. She is involved in a number of industry working groups and advisory boards, working to raise the bar on privacy, security and transparency.  References: Christine Desrosiers on LinkedIn Boltive: monitor security and privacy compliance across the consumer front end (including publishing and AdTech) Jessica B. Lee, Chair of Loeb & Loeb LLP’s Privacy, Security & Data Innovations practice Global Privacy Enforcement Network: 2024 “sweep” on deceptive design patterns FTC, ICPEN, GPEN Announce Results of Review of Use of Dark Patterns Affecting Subscription Services, Privacy (FTC, July 2024) Bringing Dark Patterns to Light (FTC, September 2022) Daniel Solove, A Taxonomy of Privacy (UPenn Law Review, January 2006) - see “decisional interference” Website Privacy Controls (New York State Attorney General) FTC study finds ‘dark patterns’ used by a majority of subscription apps and websites (TechCrunch, July 2024) FTC vs. Amazon (“Roach Motel” pattern through the internally called “Illiad” process for consumers to cancel their Amazon Prime membership) California SB 690: A new hope for CIPA litigation overload? (Norton Rose Fulbright) Daniel Solove: On Privacy and Technology (Masters of Privacy, March 2025) Max Anderson (Ketch): Privacy Tech spotlight I – the future of CMPs, value vs. hype in privacy compliance SaaS (Masters of Privacy, April 2025) Daniel Barber (DataGrail): Privacy Tech spotlight II – widespread non-compliance, opt-out challenges, and shadow AI (Masters of Privacy, May 2025) Cillian Kieran (Ethyca): Privacy Tech spotlight III – compliance as an engineering challenge (Masters of Privacy, June 2025) Vaibhav Antil (Privado): Privacy Tech spotlight IV - from trust to evidence (Masters of Privacy, July 2025) This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Could transparency and control requirements be seamlessly integrated within delightful customer journeys? How has a famously design-led company (Airbnb) mastered Privacy User Experience? Ansuman Acharya serves as a Principal Product Manager at Airbnb, where he leads the design and development of cutting-edge privacy experiences that safeguard the trust of millions across the globe. With a foundation in privacy technology and user-centric design, he artfully bridges engineering depth with ethical product leadership. His 11-year journey at Microsoft, spanning Hyderabad, India and Bellevue, WA shaped his multidisciplinary expertise across enterprise and consumer domains spanning commerce, collaboration/productivity and healthcare tech. Ansuman holds a Master’s from the University of Washington’s Foster School in Information Systems and a Bachelors degree in Computer Science Engineering from NIT Rourkela in India. References: Ansuman Acharya on LinkedIn Airbnb: privacy choices USENIX Conference on Privacy Engineering Practice and Respect Defining Privacy UX (UserTesting) This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Will EU cybersecurity laws result in new global standards? Should companies handle NIS2 compliance in concert with GDPR, AI Act, or Data Act requirements? Does it make sense to take data localization to its ultimate consequences? Nathalie Barrera serves as the Director for Privacy for the EMEA region at Palo Alto Networks, which is a leading provider of cybersecurity solutions. Her expertise involves the company’s compliance with NIS2, the AI Act, the GDPR, and DORA. She also assists customers in navigating their own complex regulatory requirements. She has previously spent seven years at Cisco Systems working as commercial counsel and Privacy and Security Counsel.  She studied law and completed her LLM at the University of Navarra.  References: Nathalie Barrera on LinkedIn EU Network and Information Services Directive II EU Data Act EU Digital Operational Resilience Act (DORA)   This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

How do we move from mere words to actual baked-in privacy? Can built-in alerts, code scanning tools, or server-side auditing make life much easier for DPOs and legal teams?  We are joined by Vaibhav Antil in a new installment of our Privacy Tech series. Vaibhav is founder & CEO of Privado.ai. Before starting Privado.ai, Vaibhav led product management at a tech company and worked with the legal team on GDPR compliance. Vaibhav started Privado.ai to solve the language gap between legal, privacy, and product engineering teams. References: Vaibhav Antil on LinkedIn Privado: Evidence-based Privacy Bridge: Technical Privacy Summit (by Privado) CNIL: Use analytics on your websites and applications (how analytical cookies can be exempt from consent) Max Anderson (Ketch): Privacy Tech spotlight I – the future of CMPs, value vs. hype in privacy compliance SaaS (Masters of Privacy, April 2025) Daniel Barber (DataGrail): Privacy Tech spotlight II – widespread non-compliance, opt-out challenges, and shadow AI (Masters of Privacy, May 2025) Cillian Kieran (Ethyca): Privacy Tech spotlight III – compliance as an engineering challenge (Masters of Privacy, June 2025) This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

John Pavolotsky is a partner at Stoel Rives in San Francisco. He is co-chair of the firm's AI, Privacy & Cybersecurity group and focuses his practice on data privacy, information security, and complex technology transactions. He has also been chair of the Intellectual Property Section of the California Lawyers Association.  John has taught Technology Transactions Law at the UC Davis School of Law and Comparative Privacy Law at the Santa Clara University School of Law. John has also guest lectured on technology and privacy law topics at the University of California, Berkeley, Haas School of Business; the University of San Francisco School of Management; and Stanford University. References: John Pavolotsky on LinkedIn John Pavolotksy at Stoel Rives Timeline of discussions (House, Senate) leading to a final decision on a 10-year moratorium on state-level AI laws (final deadline: July 4, 2025), Techcrunch Texas Legislature Passes House Bill 149 to Regulate AI Use (Nelson Mullins) Colorado AI Act California Privacy Protection Agency: Draft Automated Decision-making Technology Regulations California Gov. Newsom vetoes AI safety bill that divided Silicon Valley (September 2024), NPR Poland puts pausing enforcement of the AI Act on EU ministers' table (June 2025, MLex - paywalled) A Brief Overview of the Federal Trade Commission's Investigative, Law Enforcement, and Rulemaking Authority (FTC) This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Who can really claim to be a privacy engineer? Does this change in the digital marketing arena? What is the winning formula to integrate this role within the company’s privacy practice? Thomas Ghys has worked as a management consultant, data scientist, and data strategist, including a 5-year stint at McKinsey, prior to setting up his own privacy engineering practice. He has deep expertise in MarTech and AdTech, auditing traditional machine learning models and data flows. He is also the founder and CEO of Webclew, a tool that helps with the auditing of websites and mobile apps. References: Thomas Ghys on LinkedIn Webclew: scanning websites and apps for privacy risks CNIL: a focus on mobile SDKs, announcing enforcement actions in 2025 Thomas Ghys: BAPD expectations for cookie compliancy unattainable for most publishers Dr. Augustine Fou: dismantling marketing attribution, ad fraud controls, and the business case for third-party cookies (Masters of Privacy, February 2024) This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Can we shift the focus from documentation to technical implementation? How can we bridge the cultural differences between legal teams and engineers? What do we mean with open-source data classification? We are joined by Cillian Kieran, Ethyca’s CEO and founder, in a new installment of our Privacy Tech series. Cillian is a serial entrepreneur and seasoned privacy engineer with two decades of experience leading data-intensive businesses. He combines deep technical expertise with a track record of building and scaling companies, including a global digital agency serving Fortune 500 clients.  References: Fides: the open source language for data privacy Cillian Kieran on LinkedIn Ethyca Max Anderson (Ketch): Privacy Tech spotlight I – the future of CMPs, value vs. hype in privacy compliance SaaS (Masters of Privacy, April 2025) Daniel Barber (DataGrail): Privacy Tech spotlight II – widespread non-compliance, opt-out challenges, and shadow AI (Masters of Privacy, May 2025) This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe