E293 -Veronica Canton, Partner at Pierson Ferdinand LLP and Chief Vision Officer of Optimized Leverage
[00:00] Debbie Reynolds: The personal views expressed by our podcast guests are their own and are not legal advice or official statements by their organizations.
[00:11] Hello,
[00:12] my name is Debbie Reynolds. They call me the Data Diva. This is the Data Diva Talks Privacy podcast where we discuss data privacy issues with industry leaders around the world with information businesses.
[00:23] Need to know. Now, I have a very special guest on the show, Veronica Canton.
[00:28] She is the partner partner at Pearson Ferdinand LLP and Chief Vision Officer of Optimized Leverage. Welcome.
[00:38] Veronica Canton: Thank you so much, Debbie, for having me. It is an honor to be here and to hang out with you.
[00:46] Debbie Reynolds: Well, it's so cool. So we've known each other for many years. We've met in person before. I think we've been on panels together as well.
[00:55] Veronica Canton: We have, yes.
[00:56] Debbie Reynolds: Mm. But I really love the things that you post.
[01:00] I just love to see you becoming your own force in the industry, being able to put your thoughts out there for everybody and just leading with your newsletter and the things that you write.
[01:11] And so I'm always like, so cool. I'm glad that you're sharing your knowledge. So I'm excited to have you on the show.
[01:18] Veronica Canton: Thank you.
[01:19] Yeah. Well, I have to say, you've been a great example. You know, you are a pioneer in the industry in terms of data privacy, privacy, cyber, and now transitioning into AI.
[01:31] We know that any company that has a good position and a good framework for their data privacy and data management program is already ahead of the game for the up and coming AI regulations.
[01:46] Debbie Reynolds: Yes, definitely. Thank you so much. It's definitely an interesting time to be in technology and intersect with all these different things that are happening.
[01:56] But you have to tell me.
[01:58] Well, I would definitely love to know more about how you got here. Your trajectory is really fascinating. But then you also have to tell me what is a Chief Vision Officer.
[02:07] I love that.
[02:08] Of optimized leverage, and I want to know what that means.
[02:12] Veronica Canton: Yeah. So about my journey. So, I went to Notre Dame Law School and graduated with an emphasis on doing some something related to technology. I took a class in data privacy.
[02:25] I was very fortunate to have that exposure early on.
[02:28] I started as a commercial litigator at a firm based out of Wisconsin, actually.
[02:34] So I've been the type of person that follows opportunity. I don't shy away from being in places where others don't want to be or doing work that others may not necessarily like at the start of their career.
[02:46] So I started as a commercial litigator.
[02:48] I did a federal jury trial, and it was a great experience. But at the end of that trial, I realized I still wanted to go back to the technology piece and the data privacy piece.
[02:58] So I started doing work on getting certifications,
[03:02] IPP certifications.
[03:04] They've been a great tool for me to transition into this data privacy, cyber and AI work.
[03:10] I used LinkedIn and my presence on LinkedIn to showcase my knowledge and interest on data privacy and data privacy laws. I had a partner reach out to me.
[03:22] This person had never liked any posts, no comments, nothing. We had a cyber coffee chat. And as you may know from my posts on LinkedIn, I love coffee with my oxygen.
[03:33] And so I said, of course, right? Let's hang out, let's talk cyber, let's talk privacy.
[03:38] So at the end of the discussion, she said to me, well, you have these certifications. What are you doing with that? And I said, well, I'm looking towards getting into the industry and this partner, she's at Holland at night,
[03:51] she said, well, we're looking for someone to add to the team. Do you. Are you interested?
[03:56] And so that started the conversation where I eventually met with the practice group leader,
[04:02] then I was brought in for interviews and the rest is history. So because of my online presence and just sharing my knowledge and my interest in the industry and the field, as well as investing time and resources and learning about it before I got into the industry, that opened up doors for me.
[04:20] And from there I've worked on continuing to learn,
[04:24] continuing to get certifications,
[04:27] networking,
[04:28] working on my career at the same time,
[04:31] supporting students and supporting other professionals that were up and coming. So it's been, I've been supported by people like you,
[04:38] by the content that you provide,
[04:40] by the positive energy and the support in general that you provide.
[04:44] And so it's really given me a lot in my career. It's given me a lot of information and satisfaction. And so I do the same for up and coming professionals.
[04:53] Debbie Reynolds: I absolutely love that. And so I remember, like, before you started posting a lot more on LinkedIn and doing newsletters, I was always so excited to see the things that you wrote because you have such a wealth of depth of knowledge.
[05:08] But then also I think, and I want your thoughts, I feel like if you are interested in privacy, that's such a huge spectrum of things that you could be interested in, you know, so it's such a wide, broad,
[05:23] vast array of areas that you can work in. And also I like the fact that you said that you put yourself out there, you started sharing the things that you knew and that started to attract the right attention that you needed.
[05:37] Veronica Canton: Yeah. And so, you know, for, for that point was scary at first because,
[05:43] you know, when you get started as a junior, I should say you're not just thinking, you're overthinking.
[05:48] Is the information I have sufficient? Is my opinion going to matter?
[05:52] And unless you start really reading, processing material, learning,
[05:57] you can't get to the point where you can start sharing. So the first thing I tell my mentees and colleagues in the industry is go learn, go spend a few hours in the weekend reading.
[06:07] The other thing is in terms of getting out there and supporting others,
[06:13] I feel like I learn a lot when I teach others. So if I'm able to explain a concept clearly and someone who's not in the industry can understand it,
[06:22] then I know that I'm succeeding in terms of not only learning but also supporting others.
[06:27] And then in terms of people getting into the industry, people from different areas,
[06:31] I make it a point to.
[06:33] And this is going back to your question about the Chief Vision Officer.
[06:36] So sharing those posts and the materials, I found a way to start sharing that content in a way that was structured and where I could impact more people.
[06:47] So with people getting into different industries like you can be, and I tell everyone all the time, especially non lawyers, you don't need to be a lawyer to work in data privacy,
[06:56] cybersecurity or AI. You just don't.
[07:00] So when I tell that to people, they're like, oh really? Tell me more.
[07:03] Debbie Reynolds: Right?
[07:04] Veronica Canton: And so moving from there,
[07:06] the different roles that are available, there's so much fun. Different roles, like helping companies with the policies. You don't necessarily need to be an attorney to do that initial work,
[07:16] helping companies with data information requests from individuals.
[07:21] You don't need to be an attorney to do that work. You may need to have an attorney involved in a team to help you assess what information needs to be shared or not shared, but you don't need to be an attorney.
[07:32] And so similar to cybersecurity, there's so many different roles in cybersecurity,
[07:38] whether you're an analyst in forensics,
[07:41] case management,
[07:42] with incident response, and then moving into AI, there's so many different.
[07:48] There's a wide variety of roles.
[07:50] And the other thing I share with people is you can use your skills from every position for the next one. All skills are transferable. So I'll go back to me being a commercial litigator.
[08:02] I also did class action litigation work. And so I bring that framework into my work in data privacy, CyberSecurity and now AI,
[08:11] where I can say, okay, what are the things that we need to do,
[08:15] to put us in a good position, should there be litigation, or better yet, to prevent litigation,
[08:21] or even better, if there's a regulatory body that's investigating an incident,
[08:27] to have all the ducks in place,
[08:29] to have demonstrative compliance so that if there's an investigation, it's closed and shut quickly versus having an extended scope of inquiries.
[08:42] Debbie Reynolds: I love that you said that you don't have to be a lawyer to do these areas, because I feel like we need more people who understand these domains and to look at it from different points of view.
[08:54] What I used to say is, like, let's say you had an object that you were taking a photograph of and you gave 20 people a camera and they took pictures of this object.
[09:06] Say it was an elephant or something.
[09:08] And so every person would have their own.
[09:11] All the pictures are of the elephant, but all the different pictures are different facets that not everybody sees. So that's why it's very important to have people from different backgrounds, different points of view,
[09:24] different skill sets, even to understand a lot of the issues. Because I feel like privacy and cybersecurity are things that run horizontal through all organizations. So there are issues that need to be looked at from all areas.
[09:40] We need people to get into these industries. We need champions, people to understand why it's important,
[09:46] even if they're not doing the work. Understanding, like the importance of the work, not just from the legal side of it, but also the technical side. So I feel like a lot of the technical stuff,
[09:57] because I'm a technologist working on it and hopefully in a proactive manner. Right. So I try to avoid problems as much as possible as opposed to reacting to them. But what are your thoughts?
[10:11] Veronica Canton: Yeah, absolutely. I love that. And I. One of the roles I had before becoming a partner at Pearson Ferdinand was working in house at an AI company.
[10:22] And I was able to work with hr,
[10:26] DA CISO technology teams in Europe,
[10:30] in Asia, in North America.
[10:34] And getting to know the business side is so important. But also it's fun because you get to understand what other teams are doing.
[10:44] Marketing, why are they collecting information,
[10:47] what plans do they have for it.
[10:49] Right. Technology.
[10:50] How are they implementing the policies that we have in place? What are the safeguards that they have in place? The CSO setting up the incident response programs, looking at spend.
[11:02] It's very, very interesting. I mean, even hr, right? A lot of people wouldn't be, back in the days, wouldn't think, oh, data privacy. And then you think, oh, wait,
[11:12] yeah, I'm an employee, I want my data protected. As an employee, the HR has so much information and then in the context, looking at regulations and cultures throughout different areas, it's so important because in the US we have a culture of sharing a lot more publicly and a lot of people don't necessarily pay as much attention to how they're using technology.
[11:38] Europe has a different lens.
[11:40] Speaking of your example, they have a different lens lens and I go back to World War II where personal information was used to target and not only in Europe in World War II, it's happened in other wars.
[11:55] But putting it in perspective for people to connect on a personal non technical side,
[12:00] Europe has that lens and it made a big impact on how Europe looks at and develops frameworks like laws, like gdpr,
[12:11] the EUAI act,
[12:13] where that lens is very important for Europe and it should be important for the rest of the world.
[12:19] But there's that cultural shift and that cultural difference.
[12:22] Debbie Reynolds: Absolutely. So you mentioned the thing about the EU and the cultural, the different lens they have.
[12:29] And so I guess in a way I juxtapose the way Europe thinks about it from the way that we think about it.
[12:36] So in some ways we're very different. So we may want the same things, but we go about them in different ways. Where like your World War II example with Hitler and the Nazis, how they were taking information of people and using it against people.
[12:52] So for Europe, a lot of information about data,
[12:57] their thing was if we share too much, that's dangerous. Right.
[13:02] And so in the US and I think this is partially because of 9, 11,
[13:07] we have this ethos now about we need to share more because that makes us more safe.
[13:14] So I mean it's diametrically opposed in terms of what we think about data. So we're seeing that play out in laws, regulations,
[13:23] frameworks,
[13:24] just general ideas about around privacy or data protection.
[13:29] Veronica Canton: I love that example because it's so true.
[13:32] After that happened, I was a kid when that happened and it really made an impact. I think most of us remember where we were when we got the news about what was going on.
[13:42] And so having to your point,
[13:44] that incident, that experience,
[13:47] it really impacted how we looked at the laws, how much information was going to be shared when it was shared,
[13:54] how much scrutiny we, we were open to accepting, traveling right.
[14:00] Looking at.
[14:01] And a lot of those things have stayed in place. And there's also that, that personal aspect of feeling safe which connects with data privacy, cybersecurity and AI governance.
[14:12] Debbie Reynolds: It's true.
[14:13] When the US around that time we had the Patriot Act. Right. And so it's Interesting, because when people talk about privacy in the US I hear some people say, oh, I don't want the government to have this or have that.
[14:26] It's like,
[14:27] do you remember, like the Patriot Act? Like we gave up a lot.
[14:30] Veronica Canton: We did willingly. Absolutely.
[14:33] Debbie Reynolds: We gave up a lot of privacy because it's so funny, because I have a graphic that I do and it's like a, a hamburger. And I'm like saying, oh, this is the Constitution, is the bread and you know, the bun and different things.
[14:45] And we think about consumer privacy that's below like the Patriot Act. So anything that go, that the government thinks is something could be a threat or terror. It goes into that layer and that's way above what we're dealing with on a consumer privacy level in the US I want your thoughts.
[15:05] What's happening in the world right now in privacy or data or technology that's concerning you most?
[15:12] Veronica Canton: So I think that there's a perceived disconnect that data privacy and cybersecurity and AI are not connected.
[15:24] I notice a lot of discourse focusing on one area alone,
[15:30] when in reality all those areas are interconnected. I think in terms of now data privacy, that's one concern because I look at data privacy from a three pronged approach. I look at regulators implementing laws and wanting companies to comply with them, to protect consumers,
[15:48] consumers wanting their information protected.
[15:51] And then with companies complying with those laws, I see that as a win in terms of they can invest resources into protecting their consumers. They get that reputational gain, the positive reputation gain.
[16:05] They can, can curtail or avoid, hopefully investigations.
[16:11] And then I see it as a win, win, win situation because consumers are protected,
[16:16] companies are complying and investing their resources in a better way than paying for fines or paying for incident response, which, you know, it goes into the thousands of dollars or AI frameworks.
[16:29] Right.
[16:29] And so for me, the one interesting thing that's going on is that there's that disconnect.
[16:36] And it seems like a lot of businesses are implementing AI first before establishing guardrails.
[16:46] And that's a concern on the personal level because AI, as we see in the news,
[16:52] there are so many issues.
[16:53] They're gains, they're great advances, but they're also issues with hallucinations, bad information or incorrect information.
[17:02] People are using these tools for medical,
[17:05] for legal advice.
[17:07] We've connecting, touching on kids. You know, kids are using it instead of connecting with people and using it for advice.
[17:15] And some kids,
[17:16] there's so many cases of kids hurting themselves because of just, you know,
[17:21] discourse, for lack of a Better word that they have with AI bots.
[17:24] That my concern, again, connecting it with the, with all these elements,
[17:29] is that we're focusing on the technology advances.
[17:33] We're missing out on the personal connections that we used to have growing up, that our generations had growing up. My kids are so connected into tech as adults right now with work, I'm connected to tech all day.
[17:50] Weekends I try to disconnect. But that human piece is so important, I think that we're losing it.
[17:57] The resources that are invested into tech and messaging about tech and the benefits are so much that the messaging, or at least my perception is the messaging looking at the benefits of using it as a tool versus becoming dependent on it, are not as strong as they should be.
[18:14] And so again, going back to the AI governance piece,
[18:17] that's where people like us are key in terms of helping companies. Going back to that three prong approach, think companies comply. Helping companies identify gaps where they're not putting guardrails around the use of AI at their companies,
[18:34] how the AI is created,
[18:36] how they're complying with laws.
[18:38] And it's not just a new AI laws, there's product liability laws that apply to AI as a product.
[18:46] So kind of having that discourse. So that's something that's really kept me engaged and interested in the latest developments going on right now.
[18:55] Debbie Reynolds: I think a lot of people don't understand the connectivity between all those areas.
[19:01] So I would say they have a symbiotic relationship. So for me, I'm a data person. So data is the food of AI systems.
[19:10] Veronica Canton: Yep.
[19:10] Debbie Reynolds: And so data of people is in there. And it's not from a legal, regulatory perspective, what all these nations and different things, what they're trying to do is get more transparency,
[19:22] give people more control.
[19:25] And a lot of those things are harder to do in AI. And so.
[19:30] And then we're also seeing consumers, as you say,
[19:34] are becoming more educated or they're seeing unfortunately sometimes like harm in real time happening with their privacy. They're becoming more attentive to that issue.
[19:45] But another thing that I'm seeing, and I want your thoughts that I think has been very influential and I don't hear a lot of people talking about that. And that is pressure the businesses are putting on other businesses.
[19:58] So like a company, let's say you're a third party to a big company and you're not in Europe, for example, and they say, well, we have business in Europe. And so even though you're not in Europe, we want you to align with our business practices to support Us because we are in Europe.
[20:17] So in some ways I feel like that that area is even stronger in some ways around regulation.
[20:23] So I feel like some people say, well, I'm in a state that doesn't have privacy regulation, but you're doing business with people who do business in California, you know what I mean?
[20:33] Business in California or businesses in these other,
[20:36] other locations that do have stronger regulation. And so that's really forcing that issue with them. But what are your thoughts?
[20:44] Veronica Canton: So this is where my lawyer hat goes. I think that what companies are, that are not,
[20:53] that may not be as informed about what's going on with their vendors.
[20:58] Instead of having those discussions, a lot of companies may be, may just be implementing blanket structures or blanket requirements for their vendors.
[21:09] Where I think that the best approach in terms of using human resources and any other resources in those relationships is categorizing the type of vendors and services that you're getting and really making those requests or requirements from vendors that are providing goods or services that are more sensitive.
[21:31] So for instance, if we have a government agency that is purchasing toilet paper,
[21:37] do we need to have a clause that says we're not using AI now tractual obligations there? The impact could be very minimal.
[21:46] Maybe a credit card is exposed if there are no, no guardrails in terms of that financial information.
[21:53] Whereas if there's information about either financial transactions, housing, employment, automated decision making technologies,
[22:02] those are the areas where I think companies can make and should make those requirements or requests from their vendors. So I don't think it should be a blanket approach.
[22:12] Because if you do a blanket approach, then you're making requirements for things that are not necessary based on the relationship, based on the goods or services,
[22:23] or just based on the length of time of when of the potential engagement. And this is something I see in cybersecurity. Connecting it with that aspect is where companies will have breach notification requirements for any type of incident.
[22:39] Where what I recommend as a lawyer is you want notification if your data is impacted.
[22:45] Because if you have a clause that says if there's an incident,
[22:49] how do you define an incident? Right. There's so many. There are 50 laws in the United States and then we have the federal laws. So I think it really comes down to context.
[22:57] Also the level of,
[23:00] or the timeline of notification for that just kind of, that's more on the cybersecurity side. But again, I think the context is what matters most.
[23:09] Not having having a blanket type of structure. I don't think it's, it's a good use of resources from from either the consumer, like the purchaser or service provider.
[23:21] Debbie Reynolds: Yeah, I agree. Context is key. Right. Because it is as you said with your. Right. And I've seen people, companies try to do this like a blanket approach, like, oh,
[23:30] every vendor has to have SOC 2, type 2, whatever. And it's like, well, they're not even doing anything, first of all, they're not exchanging data with you, they're just selling you a product.
[23:39] So like how much, how much data exchange is actually happening. So I think thinking about that is really important.
[23:46] But let's talk a little bit more about children's data.
[23:49] Veronica Canton: Yes.
[23:50] Debbie Reynolds: So the US is having, well, not just the us,
[23:53] many countries,
[23:54] I say the five eyes countries for the last couple of years they've been really pushing a lot of talk or regulation or things around children's privacy. So we hear a lot about age assurance and age verification and I do videos about this as well because this is something that will impact not only children,
[24:15] but only adults also on the web. But what are your thoughts just in general about children and children's privacy?
[24:23] Veronica Canton: Well, children represent one of the highest risk populations in the AI ecosystem and connecting it with privacy.
[24:31] AI eats data for breakfast, lunch and dinner.
[24:35] And kids don't have the guidance for the guardrails that are necessary in terms of the data they should be sharing.
[24:44] I'll take a step back on that as well.
[24:46] When I see parents sharing so much information about their kids.
[24:51] Their parents are maybe not even thinking about it, but kids in their bathing suits and vacations,
[24:59] school pictures, those are images that can and are used by predators to create AI images of children. There's so many cases or so many news about that. So on the parents side that's a concern because we don't think about that.
[25:14] So I'll even tell you, I have and this is not something that I share often, but my kids are about to be like 18 and my youngest is going to be 18 in October of this year.
[25:24] I have two stepchildren. I don't share pictures of them.
[25:27] I don't think I've ever, at least on LinkedIn and other platforms, I don't think I've even shared their names publicly.
[25:33] So I'm very guarded about them.
[25:36] And it's important to. Because I think about it from the parent context. Right. Like my friends sharing all this information. I say no, you're leaving an online print of your kids before they even know what that is.
[25:49] Debbie Reynolds: Right.
[25:50] Veronica Canton: Us as adults, we can share. You know, we're traveling, I'm at this conference, I'm doing this, I'm doing, we're adults,
[25:55] but kids don't have that.
[25:57] In terms of just general protection for kids related to data privacy, we see cybersecurity incidents where their data is exposed.
[26:08] So in that context,
[26:10] I think about companies that should be protecting data they have about kids, they should have guardrails, they should be updating their VPNs, they should have MFA multifactor authentication to access.
[26:26] And those are simple things that often,
[26:30] and it happens too often in cybersecurity incidents, they're not in place. And that's how threat actors get into systems and then expose children's generally data. But you know, that's how children's data gets exposed.
[26:43] And then in terms of regulations, we have coppa,
[26:46] but it needs more teeth.
[26:48] Maybe some people will agree, some people will not agree it needs more teeth. And then the personal aspect, we just need more education around it. We need more involvement.
[26:57] I was watching, every now and then I'll watch educational videos, but I was watching something that was discussing how back in the day it was, you know, don't get into strangers cars don't, you know, don't talk to strangers.
[27:08] Now we're talking, you know, kids are talking to strangers online.
[27:12] They're on, on gaming platforms, talking to adults who may be, you know, befriending them and potentially grooming them for exploitation. So it's a big concern mainly because they're a population that as they're growing up, they're exposed to new things and exciting things.
[27:33] And I believe as a society we should be setting up guardrails to protect them. And that's in all the aspects of data privacy,
[27:42] protecting their data, making sure we know where their data is,
[27:45] establishing guardrails protection, cybersecurity, just keeping it secure and AI creating guidelines and regulations that protect and potentially punish the misuse of kids data.
[28:00] Debbie Reynolds: One example I had given to someone,
[28:03] I was like,
[28:04] would you allow a stranger that you didn't know to come into your home and go upstairs into the bedroom of your kid with the door closed? And they were like, no way.
[28:15] I would never do that. I said, but you do that when you let them online by themselves or you give them a phone and you don't know what they're doing.
[28:24] They don't know who they're talking to. They're impressionable. They don't understand predatory behavior. Even people we've seen just over the years,
[28:32] not a stranger, but even people at schools and different things got in trouble over the years because they took advantage of those relationships. But I think yeah, in the digital age is very different.
[28:44] So when like I guess I'm date myself. So back in olden times when we like like say, say we had a school picture or whatever we took and you know you get like all the sets of different sizes of pictures that you took for a certain grade and you give it to your cousin,
[29:00] your grandma or whatever. But. And so now people,
[29:04] they're posting it on Facebook and it's like, but you don't know who these people are. They have this information.
[29:09] And not only that,
[29:11] it's not just the pictures, it's the metadata with the pictures. It's telling where it's being. You know, it has the location,
[29:17] the date. I saw this one lady, I could have fainted. I guess they. When the kid, I think her daughter was like in first grade or something and they were doing these pictures and then they were standing by a board that told like it told their school name that the grade they were in the name of the person and it was a cute picture.
[29:38] But I'm like, but you're not thinking about the way that a stranger you basically giving them all the information that they need to say hey Sally, I saw this picture about you or whatever.
[29:50] So it's just creating like a really harmful thing for children. It's something that I think parents probably aren't thinking about as much, but I think they should be.
[30:00] Veronica Canton: And there's settings, right? We talk about settings all the time. There's settings that parents can put on kids phones where when they download an app, the parent has to approve it.
[30:10] There's something that pops up on the parent's phone or whatever technology they're using for them to approve.
[30:16] If there are changes that are going to be made that the parent has to approve it. And it's additional work, but I think it's now a different stage of before like I was saying back in the day,
[30:27] stranger danger.
[30:29] Don't get into strangers cars, don't talk to strangers. Now it's okay, what's my kid doing online? What are, what are the age settings? And then connecting it with companies having processes in place where there's actual confirmation of kids age.
[30:46] There's so many kids that are able to get around that it may be tedious, but why not spend the extra money versus doing that versus down the line having to face a regulatory inquiry that results in loss of reputational loss, financial impact and the legal impact and potentially fines.
[31:09] Debbie Reynolds: I agree.
[31:10] I work with a lot of people on privacy with children and so I even did a talk with TikTok about children privacy and online and different things like that.
[31:21] And I think one of the challenges we have in the US is that children under 16 don't really have identification.
[31:33] And so unless they had a passport, their parent got them a passport, they travel or something,
[31:38] they don't really have a governmental ID that they can share. So when we talk about age verification, age assurance online,
[31:47] in order for these companies to know how old someone is, they have to know how old everybody is.
[31:52] So that's so true, right? So what I hear people bristling now. They're like, well I'm 40, why are they asking me for my ID? It's like because they have to be able to tell you from a child,
[32:03] right? If a child does not have an id.
[32:06] And so that's why we're seeing like a lot of these big companies like Meta, they're trying to do these things where they're trying to estimate an age based on like a selfie and different things like that.
[32:15] But what we're doing is we're collecting more data about children. And my concern,
[32:20] not just children, but people in general.
[32:22] My concern is like, once you know, this person is a certain age, like what do you do with that data? Like do you keep it? Like we've seen a couple of companies be breached with the data that they collected for like age verification.
[32:36] So like these are passports, these are Social Security cars, this is id. Like it's literally enough information for someone like to steal your identity.
[32:46] And so my, my thought is once you know,
[32:49] understand the age of someone,
[32:52] the companies have to take that extra step and either secure that data in a different way or try to get rid of it or scrub it some type of way.
[33:01] So what are your thoughts?
[33:03] Veronica Canton: So that's where I think and, and again, going back to my in house experience,
[33:08] operationalizing policies is so important.
[33:12] If you have a policy that says we don't collect kids information,
[33:17] or if we collect it, we delete it, or if we receive a notice,
[33:21] we'll, you know, we'll act on it,
[33:24] operationalize it.
[33:25] Talk to your, you know, this is, this is something I realized.
[33:29] So funny story because when I started working at that company,
[33:33] I started reaching out to different departments mostly because I wanted to learn what they were doing. And people would say when I said, can I join your meeting? What's going on?
[33:44] Why is legal here? And I would say, no, no, no, really, I like learning. I want to know what you're doing and how I can support you.
[33:51] And so once the different People in different teams realized that I really meant it. You know, no one was in trouble.
[33:58] I wasn't there to figure out what, you know, to be sneaky, but I was genuinely interested.
[34:05] It opened up a door with all these departments to communicate. People reached out to me with questions.
[34:12] And so I think part of that is communicating with the different teams and understanding how the different business teams are using the data, how they're collecting it and how they're protecting it.
[34:24] Having those conversations, not just assuming, oh, here's the policy,
[34:28] we have it in place. People read it once a year, they confirm they read it,
[34:33] but actually having conversations with the teams that are operationalizing or that are responsible for operationalizing and helping them prioritize that operationalization, I think that's the biggest thing. Because we can have like we have coppa, right?
[34:49] We have all these other different laws,
[34:51] but unless companies are operationalizing different guardrails, it's challenging to.
[34:57] From all fronts.
[34:59] Debbie Reynolds: I agree with that.
[35:01] I think the thing that privacy has done and the thing that companies have not been accustomed to and why a lot of companies go off the rails with this data collection is because a lot of privacy regulations are saying that your data,
[35:16] the data you collect about someone, should be tied to a purpose.
[35:20] Once that purpose expires, you need to, you know, sanitize the data, anonymize it, delete it, something, take an extra step.
[35:29] And companies generally have never had to do that. They never, they could have kept data forever. And so we're saying data of people is not forever data unless you have a good reason.
[35:38] And a lot of times companies,
[35:41] they're extremely good at collecting data, but they're very bad at that end of life stuff that you have to do. And I think it's going to become even more critical that now we're collecting data, especially of children, that was never collected before.
[35:55] So what do you think?
[35:56] Veronica Canton: I think that's where data mapping comes,
[35:59] is so important.
[36:01] It's not just about collecting the data and having marketing or product development or whatever business team use it.
[36:08] It's about data mapping and understanding where it is,
[36:11] where it resides, how it's protected, who's using it, how old it is. To your point,
[36:17] I remember years ago talking to a client that had customers data going back, I think it was over 10 years.
[36:24] And this is when I was an associate and I remember the partner asking,
[36:30] but why are you keeping that data?
[36:32] Right, it's why old.
[36:34] And the response from. And we were talking to the legal team. The response, well, marketing wants to keep it so they're keeping it and thinking about that. When I talk to clients, I say, I am such.
[36:47] And I use myself as an example. I am a completely different consumer now than I was two years ago, than I was five years ago, let alone 10 years ago.
[36:58] The shoes I wear, the clothes I wear, the snacks I buy,
[37:03] the vitamins. Right. All those things are different. So how is the data that you have for me from 10 years ago gonna help you now to give me maybe to recommend to.
[37:16] Using algorithms to recommend products?
[37:19] That's my take on it. So when I use myself as an example, then people start thinking, oh, yeah, you what?
[37:25] Debbie Reynolds: You're right.
[37:26] Veronica Canton: I no longer purchase what I used to purchase five years ago.
[37:29] I'm. I'm traveling with family, my trips are different. Or I'm traveling with friends.
[37:34] I'm not doing in my trips, my 30s and 40s, what I did in my 20s.
[37:38] So it's. Once you connect, this is something that I want to highlight a lot, is that once you find.
[37:46] And it goes back to your examples, too, like the personal examples. Once we find a personal example where people connect and the light bulb goes off,
[37:56] that's when they understand the concepts.
[37:59] So it's important as a lawyer, you as a technologist in data privacy and connecting it with cyber and AI and AI governance,
[38:09] giving examples where people can connect so they can understand why it's important and why those changes need to be made.
[38:15] Debbie Reynolds: I agree with that. I think making it plain, giving them those human examples, because all of us,
[38:21] all of us have a stake in it. Right. So all of us have our own personal experience. But I just wanted to share with you a example, something that I had read recently with someone who posted on LinkedIn.
[38:32] There was this guy, said that his wife, when she was a teenager about to go to college, she had applied for different colleges.
[38:42] And recently,
[38:43] that was like 30 years ago, he says. So recently she got a letter in the mail saying that. That one of these colleges that she applied for, she never even attended.
[38:52] Right. But she applied and did financial aid and stuff like that. They sent her a letter and said they had a data breach.
[38:58] And she was like,
[38:59] are you serious? It's like, I didn't even know that you still had this data about me. Like, I never went to your school.
[39:06] I applied for the school, I did a financial aid. So I guess they had her Social Security number. And back then people didn't have emails. Right.
[39:13] But just think about this. So that data was old,
[39:17] it was out of date.
[39:18] Veronica Canton: Yeah.
[39:18] Debbie Reynolds: It was not new.
[39:20] And then so now that data that they had stored up now is a risk because now they have to pay money to remediate the breach that they had. It's like if they had gotten rid of that data, their trouble would have been far less than it is now.
[39:37] Veronica Canton: Absolutely.
[39:39] And I love that you're talking about data minimization as, as a way to decrease risk. Because it's true,
[39:45] the less data you have or companies have,
[39:49] the less risk. And if you have the data encrypted at rest,
[39:55] you know, we have so many different options of technologies now that are not. And yes, it's an investment. You know, I was asking a colleague one of these days, like after an incident, I was like, why do companies not invest in these?
[40:07] Any plaintiffs was like, because it costs money. I said, yeah, but look at the cost. It's like, look at the impact on the company now.
[40:15] Right. So it's. You companies decide where they're going to invest. But yeah, it's 30 years. That is so. Wow.
[40:23] I'm usually. I'm baffled often, but that's crazy.
[40:28] Debbie Reynolds: Absolutely bonkers. Right. So I think.
[40:32] Right.
[40:33] And actually when you think about it, I watch very closely the news reports about companies that have data breaches and as if they're having data breaches in the U.S. we know every state has laws for that.
[40:45] So eventually it comes out what happened. And nine times out of 10 is because they retain something that they should not.
[40:53] There was no longer a high business value. So I always say to companies, data that has a low business value has a high privacy or cyber risk for the company because you aren't protecting it the same, you don't need it.
[41:10] Probably the people who knew about what it meant are like no longer at the organization.
[41:15] So it's really just risk for you.
[41:18] Veronica Canton: I agree.
[41:20] Debbie Reynolds: Well, if it were the world according to you,
[41:23] Veronica, and we did everything that you said, what would be your wish for privacy anywhere in the world, whether that be human behavior, technology or regulation?
[41:35] Veronica Canton: That's a fantastic question.
[41:38] I would say I take it to the human element.
[41:43] It's so important. And this is as a everyday person,
[41:47] as a consumer,
[41:49] as a business person working on collecting, using data,
[41:55] as a regulator, all of them have that human component.
[41:59] I think the human component is the most important one. We have to care not only about our data,
[42:05] we have to care about the way data is being used.
[42:10] Fellow humans. Right. How is it being used?
[42:13] Yes, I understand there's the business case of using data. Right. I use the algorithms. When I want to shop for something, I use it to my advantage. But I think the human element, no matter if it's in data privacy, cyber AI, in the data privacy context, that the personal aspect is so important.
[42:32] We want our information protected as individuals. The world according to me, we would have everyone when caring about everyone else's sensitive information.
[42:43] Debbie Reynolds: I like that thought. Right. I think sometimes we feel like technology is the answer for everything.
[42:50] And I don't feel that way. I think there always has to be that human insight, that human element,
[42:57] and then we're the harm that happens to humans, they don't happen to AI, they don't happen to each other.
[43:01] Veronica Canton: Exactly.
[43:02] Debbie Reynolds: So we have to think about that. So those are the things I think companies need to really think about. And then I love the fact that you talked about like personal, like examples to make it real to someone.
[43:14] So I feel like those always help.
[43:16] Veronica Canton: Yeah,
[43:17] Yeah. I realized as we were talking, I didn't answer your question from the beginning about the Chief Vision Officer with optimized leverage.
[43:25] So I started a company where and I started it separately so that I could do educational sessions for free or some are paid, but mostly for free as separate from my legal work.
[43:38] So I have an llc, I have an attorney. I have all those things. But it goes back to the human element. I've had so many wonderful people help me on my journey and my career.
[43:47] I've had amazing online mentors like yourself who show up for for our community, sharing your knowledge.
[43:54] I've had mentors who took a full hour, gave me a roadmap, and I ran with it.
[43:59] So again,
[44:00] to your question, that vision. Right. My vision is that we share information with each other on how we can be our best selves in the as persons, as professionals.
[44:11] And for me, it's so important,
[44:13] especially after having exposure to business teams, that people realize you don't need a law degree.
[44:18] There's so many different ways to do this work and it's so much fun that I'm always happy when I'm able to help someone get into the industry and have fun along with me.
[44:28] Debbie Reynolds: Oh,
[44:29] I. That is so amazing. That's so amazing. Well, I am your student as well, so I really enjoy the things that you post and I learn a lot from your point of view.
[44:41] So thank you so much for what you do. It's very important.
[44:44] Veronica Canton: Thank you as well. You've been an inspiration for a long time.
[44:48] Debbie Reynolds: Oh my gosh. Well, thank you so much for being on the show and I'm sure we'll find other ways we can collaborate in the future.
[44:56] Veronica Canton: It's such an honor. It really is a pleasure.
[44:59] Now,
[45:00] you're an amazing woman, an amazing professional. You're so, so inspiring. And, yeah, let's. Let's find ways to collaborate, and I look forward to that. Debbie.
[45:10] Debbie Reynolds: Oh, my goodness. Make me blush if you think that's possible. Right?
[45:14] Veronica Canton: Thank you. A But you deserve it. You deserve the accolades, my dear.
[45:19] Debbie Reynolds: Thank you. Thank you. Thank you. And we'll talk soon.
[45:21] Veronica Canton: Thank you for your time. Talk to you soon.
[45:23] Debbie Reynolds: Bye.
[45:24] Veronica Canton: Bye.
[45:24] Debbie Reynolds: Bye. Bye.
