[Ojas Rege] Hi, everybody. Welcome to our session today. We're really looking forward to this. I know it's mid-afternoon, so we're going to try to do our best to make personalization and permission-based personalization as exciting as possible. [David Barnes] Yeah. We're here to keep everyone awake. So thanks for coming to the session. And what I wanted to do is just a quick little intro for David and myself, and then we'll dive in. My name is Ojas Rege. I'm the general manager for Privacy Data Governance, which includes consent at a company called OneTrust. We're a solution or software company. And David is the product owner, as you can see, for the Adobe Experience Platform at U.S. Bank. But before he introduces himself, I wanted to let you all know this fantastic honor that U.S. Bank got two days ago, right? Two days. So Adobe gives out the Experience Maker of the Year Awards, and so the team at U.S. Bank won that award for the Americas two days ago. Raise your hands. So he's right here. These guys here. Yeah. Yeah. - So, first of all, great congratulations. - We were excited. And we'll bring in some of the things that the team has done to be able to share here as well. But let me turn it over to David too to introduce yourself and U.S. Bank.
Pop it to the next slide. Okay.
Basically, I am the product owner of Real-Time CDP, as Ojas just said. U.S. Bank is a predominantly national bank from a banking products perspective, consumer banks and lending, and that matters. A lot of you heard me say some of this, this morning. Anyone who was at my session at 8 AM this morning? Actually, was anyone at the cookieless future session? - Yeah. - Well, great. Thank you for tolerating me again. And that's the nice kind of sequel to it, so don't worry, we're not going to repeat too much. We're going to get to-- Yeah. I'm going to do my best not to repeat. But from a consumer banking products and non-corporate business banking products, we're pretty much a North American perspective. So I said that this morning, there is an international perspective, and if I remember, I will actually bring up something that one of the other clients told me who is international that I thought was really interesting, but we do have an international branch, which is our merchant credit card, Elavon, and so I will also bring that in a little bit. But in terms of deposits, 512 billion assets, 663, so we're not the largest bank in the United States, but we're up there. Significant number of branches, mostly in the west, which again will come up, and in the Northeast Minneapolis' headquarters. - And you can read the rest on your own. - Exactly. So the point that we wanted to make here is there's a lot of financial services organizations in the room, but we're going to be covering things that are relevant really for anyone, right? It's anyone who's operating under either regulation within their industry or their sector or just overall, right, and the impact that it has on personalization. Right. So the first thing that we thought we'd do is you just lay out why are we even here? Right? What is actually changing in the general environment that's causing people to rethink how they do their personalization strategies? 
So I'm going to turn it over to David because we thought it would be maybe good to start just with kind of a quick, very short primer on some of the underlying technologies, and then we're going to talk about how those have shifted and then what that implies for our strategy. Right. So we're talking-- My session this morning was about post cookie marketing, and there's the buzz this year is deprecation of third-party cookies, but depending on where you are, I assume this morning I think when I was talking mostly to marketers, this group, I assume some of you are legal privacy compliance, if you're involved in consent. I hope you all understand cookies, but let's make sure we do. And I'll give you a quick story that happened this morning, I couldn't sleep last night, happens to me all the time in Vegas because I'm an East Coaster, and I was at the ballroom at 5:45 this morning and security came up to me and said, hey, do you know what time it is? And I said, yeah, it's 5, and they said, you can't go in there. So they let me sit outside and I worked on my slides, and when I was done, the Adobe security person came up to me and said, well, what's your topic? What are you talking about? Okay, she's curious, that's fun. And I said, it's post cookie marketing strategies. And I said, do you know what a cookie is? And she said, no. And so I got to explain to her, so I'll give you the explanation I gave her. A cookie is basically a snippet of code that is dropped on your computer every time you go to a website. And in the past, what a third-party cookie was, was a provider like LiveRamp or DoubleClick or Facebook, dropping those cookies on your computer, and every time you went to any website, not just theirs, not just yours, they were grabbing that cookie and saying, this identity, this cookie, this piece of JavaScript, this script, not necessarily JavaScript, but this piece of code on your computer is the same. 
So they could connect your activity across all these different websites that you went to because of this little piece of code that's on your computer. And you could clear cookies, which I'm sure most of us have done or always do, and that made her happy. So that's one of the things I just want to make sure everybody's clear what we're talking about. It's a piece of code on a computer, and the way that was used is companies like Facebook, LiveRamp, DoubleClick, which was purchased and became, I think, DV360 Google, would use that piece of code to connect your behavior. Let's say you went to a BMW site and you're building a car and, trying to decide what BMW you want to buy, and then you go to Amazon and you authenticate and you buy something, and then you go out to PetSmart. By this point, they know what you buy on Amazon, they know you're interested in BMWs, and they knew that you had a dog. So all that's put together, and plus other stuff, and we used that in the past. So this is how we've lived for like 15, 20 years in the ad tech industry. We would use that data for a variety of third-party uses, demand side platforms, DSPs would use it to provide paid media, etcetera, etcetera. And that's what's going away. It started going away in around 2017, Safari, Firefox, and now Chrome has been very annoyingly saying, they're threatening they would do this every year, we believe they're going to do it this year, I hope they're going to do it this year. I'm actually a really big fan of them just getting it over with and letting us move on instead of dragging us through whatever it is they're doing to us. So I'm hoping it's this year, personally, and that's it. That's where we came from, and that's deprecation of third-party cookies. And one thing that we want to talk about, and just kind of note to everyone, there's a lot, if you just read things out there, it sounds like this deprecation of cookies, third-party cookies is a brand new thing. 
But as David said, the other two major browsers, two of the other major browsers have already done it. So it's not that this is a new thing, but Chrome obviously has got market share that drives a lot of digital marketing around what we do. So Google earlier this year started deprecating a little bit like a 1% and so forth and it's continuing on. Yeah. But one thing to keep in mind with this is, and we're going to talk about some of the specifics underneath this, but we wanted to kind of make sure that at the top of like everyone's thoughts right now is this notion of deceptive consumer practices because, yes, there's lots of regs happening, there's different regulations by state, but a lot of enforcement of regulation has not actually been the privacy regulations at the state level. It's been deceptive consumer practice enforcement by the FTC, the Federal Trade Commission. And so that's also something to kind of keep in mind because all of this ties together as we get to personalization because we're going to talk about what data we get from you, how do we understand, have you consented to giving us that data, what is the purpose of that use, and then how is that tying to all the different services that an organization might put in place? I wanted to make one more comment on the way the regs are changing. So I think as most people probably know, right, the U.S. regulatory landscape has changed dramatically in 2023. So we started the year, last year, there was only one US general regulation, which was in California, and by the end of the year, there were many more that have gone live and many, many more that are in the process of going live. So we used to joke at OneTrust that on January 1, 2023, every state attorney general woke up with a New Year's resolution, which is privacy legislation. So don't know if they did or not, but that's what's happening. 
And what's interesting with all of those new regulations in the U.S., but also Law 25 in Quebec, the new enforcement actions in Europe. The notion of consent is increasing in importance. So there's always been multiple ways that you can get, like, legal ways that you can use personal data and consent was one of many. But now the way that I'm thinking about it, at least structurally, where it was consent and others, now it's consent up here and everything else is starting to become more of an exception. So just in general, it reinforces why these conversations are so important. Right. Anything else you want to add on the reg side? I'm sure we'll have chances. Yeah, going forward. Yep. All right. So great. We've got all these changes going on. What is the impact of this on personalization strategy? That's the core of the session today. You've got this notion of permission. It's going to drive personalization, but one of the things, David, that I thought was really interesting in the discussions we were having as we're prepping on this is that you got to really think about this segmented. Yes. So CPRA, as we talked about January 1, 2023, the kind of date everything changed in the North American point of view, was very focused on paid media. And there are three ways you can approach paid media. This is something that Ojas and I were really talking through early on, how you approach consent really matters on what your identity is and your identity depends on what kind of customer you're talking to. So if you're talking to a known customer in paid media, particularly post cookie, your targeting identity is probably email, right? So you need to be able to opt-out at an email level or a customer identity level. So the customer needs to be able to say, don't target me, do not share, do not sell in California, and it needs to be an authentication based key because they're a known customer and that's how you're typically marketing them. 
If you're using cookie and IP address to target a known customer, you're kind of wasting data. Then you have anonymous visitors. They show up on your website, you'd have no clue who they are, but you still want to talk to them somewhere. If you want to do that, again, post cookie, you're kind of stuck with IP address right now. If you want to do it with cookie, you've still got to have an opt-out option that's related to those IDs. And we'll talk a little bit more about IP address, but legacy, we're all used to GDPR. Again, U.S. Bank had the Elavon component, our privacy people understood GDPR. So the idea of a cookie based consent was well understood within our legal and privacy teams, so that one wasn't a big deal. And the third one is, what if you're trying to target email or paid media, well, paid media in particular, for people who are unknown? You purchase a list from an identity provider, let's say Acxiom or Neustar, Merkle, Epsilon, some of the big identity partners, you buy a list from them, and now I want to send that to a paid media platform, how do I get opt-out? How do I get consent in California? I've never talked to them, they haven't given me permission, what does consent even mean for an unknown, like, I love the name digital cold call, but for a digital cold call, consent's not even an option, you haven't talked to them. So these are all different levels of challenge for how you manage consent for paid media. And the other interesting thing about this is, as David said, the level of interaction you have with each of them is different. The type of information you can collect on each of them is different, and they raise a really pretty fundamental question, which is who actually owns consent, especially in the digital cold call example that you described. - Right. - Right. So how do you think about that? And I'm going to start to blend this with another question.
At U.S. Bank, any question of marketing involves fair and responsible banking, so those are your CFPG or your regulatory people, risk, legal, compliance, privacy, and marketers, and business lines. So you have all these, and the technologists, ourselves, all these different people are in a conversation with different understandings of what it is you're trying to do and how you do it. The lawyers tend to think they own it.
I think the marketers object to that. So it really is an interesting question. We struggled a lot with who owns it and that's what took us, and I'll describe a little bit our process in a moment.
It took us a lot longer than it should have because there was no clear dominant voice, it was kind of consensus without ownership. Everyone had the ability to say no, no one had the ability to say yes, and it took a long time to get everybody to quit saying no. So, yeah, I think this is a really critical question that's hard to answer sometimes. It is. And the other thing that this connects to, I think, to his point that David was making, you've got all these different organizations. And, generally, a lot of these organizations, they don't necessarily speak the same language, right? So we're talking about how do you communicate internally to figure out who owns consent, who makes the decisions, and then there's an external part of this, right? So when you're working with an identity provider or others who have collected data, how does that work? Who owns consent there? Okay. So, and I'll use our specific example. We are trying to use Acxiom third-party data, InfoBase, to personalize on our website. So take an IP address, someone shows up on your site, unauthenticated visitor, we want to personalize a little bit, and I talked about that some this morning, that was one of our use cases. You take the IP address, you ping Acxiom, they send back some characteristics, whatever we ask for from InfoBase.
Our compliance people, our privacy people said to Acxiom, well, how do you manage CPRA consent? If we're going to personalize, particularly if we're going to retarget in paid media, but if we're going to use your InfoBase data for a California based customer, how do we manage consent? And they said, you don't, we don't.
That didn't go over well. And after several iterations, what we came to understand was Acxiom had decided that the right of refusal or I forget the exact term, but the right to block collection of their data was what they considered consent. So they, as a third-party provider, provided the right to an individual to not have their data collected and aggregated and sold.
And so that was meant to cover our liability for actually trying to communicate with them. So they just they spoke about it differently and they handled it differently, and it took us several months to figure out we were saying sort of the same thing and how it could work together, and I think we got past that. Yeah. But it took a reframing of the question to get there. - To get there. - Yeah. And I think one of the things with all this is there is no clear answer to pretty much any question we're going to discuss today, right? And we can't give you legal advice, of course, but there are multiple options to think through and there is some value in just thinking about what's the framework you're going to use to make decisions across those different segments, across the different kinds of consent over time as well, right, because you're going to have different needs that pop up. Right. So what we thought we would do is we would use this kind of foundation that there's technical changes happening. People will be moving to a mix of first and third and really second-party data, right? The weightings might be different. So your weighting is probably going to be more on first party data moving forward than it was before. It would have been more on third-party data before, most likely, right? But now some of those things are not possible. So how do you approach these changes, right? This becomes really, really fundamental, which is what is the rational way to look at this in a way that doesn't become too overwhelming for the organization given the level of complexity? So what David and I thought we'd do is segment this into three different areas. How do you think about the strategy components of it? How do you think about the organizational elements? And then what are the technology pieces? And obviously, each of these is a much broader conversation, but we're going to hit the highlights. 
So maybe, you had brought up earlier some of the questions around unified and regional and so forth. We talked a little bit about some of the strategy that you're putting in place, but what are some of the considerations that you think would be useful to the rest of the audience? Well, again, North American point of view, we decided that once you opt-out in California, we would just apply it throughout the country. We didn't attempt to-- We're not getting that many people opting out, we've only had a couple of hundred opt-out in four months since we implemented this in early December. So it was not a big risk for us to just say the whole country gets treated the same way. If you opt-out in California, we just won't send you paid media in any channel at any time if we can identify you, as long as the key's stable.
But I had this interesting conversation with another Adobe client this week, and their approach, they were international, they had already built a GDPR cookie based, and when they started going to IP address and email and all sorts of marketing communication, they just created one ecosystem where you opt-out once for all keys. So it doesn't matter the channel, it doesn't matter the key, they would enable an opt-out that would handle everything. I think that's, first of all, it's really cool, but secondly, I think that's more than we would do because again, North America, California, paid media is pretty much our obsession.
But I thought that was interesting how they took a different approach because they had that international GDPR foundation that we just didn't have in. Exactly. And I think if we went through everyone in the room, everyone here would have a slightly different approach from everyone. And we see this across all our customers. So we have 14,000 customers globally, and there's very different ways people approach this. Some organizations take a purely jurisdictional approach, right, which is I'm going to do the minimum that I need to do within a specific jurisdiction. So I might do something for one state, different for another state, so I'm going to target all my consent experiences differently state by state, country by country, whatever else it might be. So there's some benefit to that, which is I don't put a higher bar where I don't need to if regulation is my goal, right, compliance is my goal. It does get complicated without a doubt, and efficiency can become a little bit challenging. But then there's another approach to it too. So if you come at it from the regulatory compliance piece and you can deal with the inefficiency around having jurisdictional, okay, you could do that. But then there's also the other side of this coin, which is if you come at it from the consumer side and you ask yourself, what is the brand impact that this has on you and just how do you want to structure your program? Right? Is it better for you to set a bar that's consistent across a broader region, which is I think what you've done. - Right. - Right or not? And where we see a lot of the variances on this is by industry. So there are certain industries, financial services, healthcare, certain industries like that, where the notion of trust is so fundamental that companies have been willing to kind of go to that higher bar. There's others where it may not be the case. Right. 
But regardless, this question of unified versus regional approaches ends up hitting everyone because whatever you do on the consent side there is going to drive what you do, obviously on the paid media and digital marketing side as well. - Heavily related. Yeah. - Yeah. Now how about from an organizational perspective? Because there this is something where David and I spent a lot of time when we were going through the discussion for prepping for today, thinking about the technologies and piece and the different elements and the market changes. But as you all know in the end so much of it just comes back to who you have in your organization, how you set up the responsibilities and the processes. So maybe you can share some examples with us on what you've seen there. Yeah. And wait. I think you went too far.
So my obsession is digital identity and digital data, and so when I talk to compliance, legal, non-marketing people in this chain, usually my role is to educate them on what we're trying to do, why it's not scary, or if it is scary, to make sure they understand exactly why it's scary so they don't overregulate us.
And that's really interesting to me, but one of the things I have found is that education conversation, making sure everybody understands, first of all, what you're actually doing, not what they think you're doing, what they're actually doing is critical, and also making sure everybody's prioritizing correctly. One of the issues we had, one of the reasons I would say that we should be an example of what not to do instead of an example of what you should do, so I'm kind of here as a warning as opposed to an example of doing it really, really well, is our privacy and legal teams were very obsessed with GDPR. Again, we have this Elavon merchant branch in Europe, they all understood it. They had run into issues where we incorrectly implemented something in Europe, they understood the fallout, they understood cookie. So in the fall of 2022, with this January 1, 2023 deadline, and coming rapidly fast, they were all obsessed with, we got to have a cookie opt-out. We have to be able to target paid media based on cookie. And I kept saying, hey, that's the past, that's 20 years ago, right? Now it's email. We care about social, we care about email marketing, Trade Desk, UID 2, they wouldn't hear me. They knew GDPR, they were comfortable with GDPR, they were under pressure, they stuck with what mattered. So if I'd been able to convince them that email was actually as important, if not more important than cookie, it would have saved us the next component of pain that we're going to talk about. But that communication with the teams that are your support mechanism for getting through consent, enabling marketing and consent. It's critical that everybody understands it and everybody has the same priority. And it's not always easy, but I have found that in time, people will listen.
Especially we have ties to things that are now so fundamental to the business, right? - It helped. - Yeah. The story that we had, and we'll talk about, again, we'll talk about this in a second. There became an emergency a few months later, and that's when everyone listened. And we'll talk about that emergency in a moment. But it took pain for everyone to really focus and get out of their comfort zone, which was cookies. - Right. - Yeah. The other thing to think about here is also the way you think about, depending upon the structure that you have for opt-out, how incremental do you want to be? Do you want to have a nuclear opt-out where folks are just opting out of everything, which causes a lot of pain, obviously, because now you have no ability to contact that consumer for anything, or do you go incremental? And I'll share an example, similar kind of story, kind of war story, if you will. There was one customer of ours and you make mistakes, right? So someone in the organization made a mistake and they went and did a whole marketing campaign to folks who had opted out, and this created, not surprisingly, big issues around kind of both sides. But they had actually thought about it pretty carefully in terms of how do I structure my incremental opt-outs so I give the consumer the ability to make the choices they want, but I minimize the impact on me as an organization to be able to reach out to them further. And so that well thought through in advance, framework that they had around incremental opt-outs probably saved them just a-- There was a real ROI attached to this, right? It saved them actual dollars because they were still able to maintain connections with a lot of the consumers that otherwise they may not have. So there's the side of this, which is the proactive, how do I make sure I've got the right consent strategy in place and how am I tying it to, as we're going to talk about in a sec, all my personalization structures and strategies. 
And then there's also the reactive, which is when something bad happens, because inevitably, something will happen. We all make mistakes. What do I do, and have I put in place a framework that's going to minimize the pain for me? Right. Right.
There are several examples that David shared with me around some of the different kind of gotchas that popped up, right, as you went region to region. - So I'm hoping you can share some. - Yeah. - So again, the big one's California. - Yeah. North American mindset here. So on January 1, 2023, we could no longer target social media in California because we didn't do that email opt-out that I was begging for and it didn't happen. So that's bad, right? We have a footprint in California. What made it worse was we bought a bank in California and merged with them over Memorial Day, May 2023, and we couldn't talk to anyone from that bank in social because we didn't have an opt-out capability for email. At that point, people knew they were suffering, the media team was worried, we got everybody's attention, and we started talking to Adobe and OneTrust. And thank God, there were some native integrations and it was just an API call. What took time, because it was still four or five more months, was getting permission, getting funding, getting legal and privacy to say yes, figuring out the wording, but the actual technology of the integration took about a week. So we were able to implement the API call on our site, send the data to OneTrust, integrate with an out of the box, Jason's team, with an out of the box, OneTrust to AEP integration took about a day. We had it up and running, we were running computed attributes, loading the data back to AEP, and we could suppress, again, the actual technology work was about a week. The surrounding work to get permission to do all that and pay for it and everything, again, took several months, but we were able to get permission to do it and we were able to do it very quickly. Now, we didn't do it the best way. I know I've talked to several other people who use OneTrust, and you guys are so much more sophisticated than us. 
I'm very happy that we were able to do something quick and dirty and very simple, but it allowed us to start talking social media again in California, which was critical. - Right. - Yeah. Right. So it didn't have to be complicated. And the pain part, not to focus on the pain, but sometimes that is the catalyst so I'll give an example of one of the regional healthcare companies I was talking to just a couple of weeks ago. They're in a position right now, because of some compliance issues that they had, they've had to turn off all tracking across all their web properties. So they're in a position where literally no one has any idea until they get the basics in place what's happening out there. And the impact on them, of course, is huge. So it's gone from being something that was kind of a secondary priority, which is why it didn't get done, to being the number one thing at the C level for the organization. So anyways, everyone's here because you guys know kind of how things are changing and why this is important, but we want to shift now to thinking about and this is something that I'm going to throw in as a surprise for David. Great. Is with all this change and if you think about what impact that's had on the way that U.S. Bank and others like yourselves are thinking about personalization. What has popped to the top? Like what is the difference in approach that you are doing now or will do-- Because of consent. Because of these things, because of these changes. How has permission based personalization changed? - And you didn't warn me at this course. - I didn't warn him.
They won Experience Maker of the Year Award, right? I may be able to think on my feet, right? So I would say two things. Again, North American perspective here, CPRA, that's very paid media obsessed.
The challenge we're having, email, we've solved email, cookie, thank God, will be dead shortly, but IP address. - Yeah. - So I'm going to answer this in two ways. The first way is IP address. So the question right now is, if we're going to do remarketing for unauthenticated visitors, IP is the new cookie, how do you get permission for an IP address to target it? Because we're not going to ask people to consent on their IP address. That's almost embarrassing to ask that, hey, do I have permission to use your IP address in California for sharing? They'll think we're crazy. But can we get a perspective that legal and privacy accepts, where the IP is translated to an email, we know the email of that network, that IP home network, and we get permission to opt-out the email, which I think most people going to be fine with, email opt-out seems to be a concept users and consumers can handle. Can we get our own internal teams to accept that IP address translates to email and do the opt-out on email? So that's one thing. The other thing, this word email really confuses some of my partners, and this was another issue we had. They keep saying, but we already have CAN-SPAM. - Yeah. - Yeah. But CAN-SPAM is not paid media. So I think, again, it keeps coming back to does everyone speak the same language. So if I'm personalizing emails, that's actually a different question than personalizing paid media, which is a different question than personalizing your website. And I think it's that diversity of what you're trying to accomplish and how the use case drives the consent management, getting everyone to understand that is, I think, the next challenge. The next challenge. And I was also thinking as you were talking. There was that little tripod, if you will, the three segments that David had earlier, right? And now we've got different. 
So if you think about those three that he had, and now you've got these different elements of personalization, it's a relatively straightforward grid, right? Maybe it's like a 3x3, the way that you described it. But each of those cells does require a different approach potentially, and you don't have to do them all. Maybe there's some that aren't prioritized, but here again, I keep coming back to, in a world where there's the kind of change we're seeing right now, having some kind of structure, having some kind of framework that you can help the rest of the organization think this through becomes really important because the moment it goes reactive and the moment things start changing, it's really difficult, right, to keep everyone together and on the same page. And panic's not the best way to do things professionally. It really isn't. - Yeah. - Yeah. Panic, not the preferred approach. No. So we wanted to switch a little bit into technology and then look forward on what's happening over the course of the next year. There's a lot of work that you've done with Adobe CDP. Right. As you think again about personalization strategies, I'll talk a little bit about how we look at consent, but how do you think about the work that you've been doing with Adobe in this context? Well, and I kind of jumped the gun on this one. The very simple thing we did, which was to get the API call from our website, grab the email, load it to OneTrust, load it to AEP, use it for suppressions. That was very simple and pretty straightforward. That's very powerful. Again, it's when you start to think, should your email opt-out align with paid media email opt-outs, CPRA in our language, align with your CAN-SPAM opt-outs. So I think there's a level of opt-out integration, which I would call technology, it's not necessarily CDP, but I guess in an ideal world, all of that would be in there, it'd be dual. 
We are not there yet, and I don't know that we will get there quickly, but I think a lot of the technology around this now is just making sure that you're being consistent. Yeah. And how do you align all the different groups that manage a piece of consent in totally different ways, because we run our CAN-SPAM consent in a completely isolated area. And my team just took over CPRA email opt-outs because we had to. It was the only way we could start doing paid media. But we shouldn't have owned it. We're not the right owners for the technology. How do you get all those people working together with common technology? I think that's probably the biggest issue. Same question I brought up earlier, it's just the organizational alignment is also probably the technology alignment. - Right. - I think they come together. Yeah. They've got a map, certainly. Yeah. I think so. But otherwise, yeah, I don't know. You're probably more the expert of how to implement than I am. Yeah. And in fact, most of the people in this room probably know more about implementing OneTrust than I do, but, yeah. I think that for us, I was just thinking about what's been changing over the past while as well. There's definitely a level of sophistication now on the consent side that wasn't there earlier because people are seeing that this is going to be fundamental to my first-party data strategies, and I need to really start thinking about what matters and what doesn't. Because one of the challenges that happens in any customer data program is you kind of want to collect as much as you can. - Right. - Not always the best approach, right? Because you don't necessarily need everything. And so how do I actually or how do I identify what are the sets of data that-- What are the sets of data or preferences for my consumers that I'm most interested in that I'm actually going to use, becomes important because that's how I get my tactical wins to be able to say, we've done x, right, in terms of collection. 
We've got a good consent approach to that, and we've got a business case to be able to use it instead of getting a whole bunch of data that I don't know what I'm going to do with. Because I think sometimes that data black hole is a problem that everyone runs into.
So we're going to shift gears a little bit and we're going to talk about what might happen in the future. And then after we go through this last section, if anyone's got questions, they've got mics set up. So feel free to come up and ask questions, and we'll do our best to answer them. But now this is a bit of the crystal ball. Right. So we'll see how we do on the crystal ball. So a lot of what we've talked about right now has been considerations for first-party data. I wanted to add a little bit around a topic that clearly is core to everything that you saw at Summit this year and pretty much probably any conference you go to, right, which is AI. But I want to kind of dive underneath that a little bit, which is what AI in the context of personal information. So if you think about consent, consent has to be explainable, right? Like the user has to understand what they gave consent for. Right. And if you say, Ojas, I have your email address so I can send you a newsletter, I kind of understand what that means, right? And I can say yes, no, and maybe I'll change my mind later.
Complex technology systems of which AI is one. This is not all about AI per se. It's just that AI is an accelerant on some of this stuff. It's very difficult for consumers to understand that. So it's not always clear if a consumer can actually even consent to using their data in an AI system, because remember, the AI system is just the technology, there's still some underlying purpose there, right? So why am I bringing that up is because there's a lot of ambiguity around the role of consent when it comes to model training, right? Because once data goes into a model, it ain't coming back. You can't pull it back out and say, sorry about that. And here you've got now consumer rights where I can actually say, my data, you got to give that back to me, you can't use it anymore. But if you've trained your models using my data, you're kind of using my data even though I asked for it back. So this is what becomes really, really key, which is the thing that's changed in the last year is not AI. AI's been around forever. The thing that's changed is we have the compute power to be able to do large language models and similar models at a rate that we couldn't before, and you can put a consumer interface in front of it that makes it available to the general population, right? So suddenly, you're in a situation where if data goes in and it may go in unexpectedly, there's all kinds of ways that data can go in, you're not going to be able to get it out. So what does that mean? What is the consideration to think about in 2024? It's to think of your entire consent strategy, the data that you're using, how you're using it for personalization, and then ask yourself for the big data analytics or AI systems, what out of that data set is going into those and should it, or do you have to take actions on that data? Maybe you need to mask it, maybe you need to modify it to be able to reduce your risk that something goes wrong. 
Because the big risk that everyone's worried about, like the major one, is I train something fundamental to my business, maybe my behavioral targeting system with data that I shouldn't have. And now I'm chugging away for two years, and my business is great. AI, I love AI.
And then I realized, I trained it with data I shouldn't have. What do you do? You got to turn it off. And so now suddenly you have something business impacting, and I always think in my mind there's this distinction, the reason privacy legislation exists is so that a company doesn't do the wrong thing with David's data or Ojas' data and cause us harm. The reason that AI regulation exists, one of the reasons is if you take Ojas and David's data and now combine it with a whole bunch of people like them, now I'm potentially going to cause harm to entire communities in a way that's very difficult to reverse. And so that's why there's been such an emphasis on how you use this data in financial lending, in law enforcement, in healthcare, right, underwriting, you name it, right? So that's a lot of kind of words around, probably the simple theme here, which is that all the things we've talked about for consent and personalization, keep those in mind as you now kind of turn your lens on where else is that data going, and work with the appropriate teams in your organization to identify what should be done to that data, what should be used, and what not. So it's really an awareness thing, I think, in 2024 for us to get started so we don't dig ourselves into holes that we can't get out of, right, in particular businesses. Anything else you want to add on the first-party data side? And then I wanted to share the really cool IAB stuff. I don't think anything else in the first-party data. I will say on the artificial intelligence. The U.S. Bank's really nervous about exactly what you're saying.
That will take a lot of getting comfortable with, a lot of time. And it's hard to know where to start. Like it feels a little overwhelming because every piece of software that you're using has AI in it now, or says it has AI at least, but at least half of them do. And so it comes back to some of the basics around privacy as well, which is the models are hard to understand, but you can understand the data that's going in them, and that's a good place to start, right? Because this is a conversation, obviously, about data. Right. So the final thing I want to leave you with on the IAB side is this statement here that was the final-- It's the last statement in the whole report which is embracing privacy-by-design collectively spark innovation, growth. It'll pioneer new advertising models because it's kind of got to. - Yeah, yeah. - Right. The world has changed. And we're going to have new technologies that honor consumer privacy and so forth. And so there's a very aspirational final sentence here, right, this concerted effort they're talking about across the industry, all of you in the room, can significantly enhance the industry standing, meaning establish more trust with consumers and pave the way for economic opportunities previously unimaginable. So that's quite broad. We're not quite that broad in this conversation today, but if we kind of tone this down, right, to the basic starting block or starting points, what would you say to folks who want to leave it? I think they're saying the same thing we were just talking about, which is it's just a broader language. Well, yes. But those of us that understand marketing technology and understand where the industry is headed post cookie, how we're going to target with paid media, how we're going to use third-party data, data collaboration, the whole Adobe clean room thing, or other forms of clean room. All of that, when correctly combined with privacy, I think that's what they're actually talking about here. 
And we as the people who understand it first can help the whole organization achieve what this is saying. That's how I interpret this. That is a really powerful point. So, yes, the way that we collaborate, the way we personalize, the way we share data will not be the same ever again, right? - Like the past is the past. - Right. But who gets the most value out of that is going to be organizations that are able to internally collaborate and educate. Yeah. Which suddenly is a role to your point, right? A role that folks within the marketing organization have to take. - Marketing and marketing technology. - Yeah. People who grasp what we're talking about have to spread and evangelize within the organization. So our final word to everyone here is that lots is changing. It's going to continue to change. Getting the frameworks in place right now makes a ton of difference, and to David's point, it's all about alignment, right? And educating the rest of your organization. David and my LinkedIns are up there, so if you want to connect on anything else, please feel free to do so. We're here to share and learn, and most importantly, thank you all for being here. And we'll hang around for any questions there are. Have a great Summit.
[Music]