The Sherwin-Williams Company (SHW) Earnings Call Transcript & Summary
May 12, 2020
Earnings Call Speaker Segments
David Zetoony (attendee)
Great. Welcome, everybody. The panel today is on states taking the lead on data privacy, and we have 4 really great speakers who I think have very different viewpoints about states' interaction with privacy and what's really coming next. So this is David Zetoony speaking from Bryan Cave Leighton Paisner. I'm a partner at Bryan Cave Leighton Paisner, and I'm the co-Chair of the Data Privacy group; it's about 25 attorneys who focus on data privacy in the United States and in Europe. David Manek, do you want to introduce yourself?
David Manek (attendee)
David Manek from Ankura. I lead the privacy practice here at Ankura. We've been largely helping organizations over the last several years to prepare for the [indiscernible] of the California Consumer Privacy Act, and I'm looking forward to [ speaking with you today ] [indiscernible].
David Zetoony (attendee)
And Alan Friel from Hostetler.
Alan Friel (attendee)
I'm a partner at Hostetler in [ the data management practice ]. I lead our consumer privacy compliance and governance practice.
David Zetoony (attendee)
And then Jill McFarland from Sherwin-Williams.
Jill McFarland (executive)
My name is Jill McFarland, and I am Lead Counsel at Sherwin-Williams for privacy and human resources matters.
David Zetoony (attendee)
Great. So what we hoped this [ discussion's ] going to bring is a different perspective. Two of us are from outside law firms, Alan and myself; David Manek, Dave's on the consulting side; and then Jill is in-house. But I think all of us have very strong opinions about what states have been doing about data privacy. So we've organized this panel by -- each of the 3 panelists has picked the question they've heard the most from their clients, [ and I'd say ] internal clients for Jill or external clients for Alan, David and myself. And we were going to raise that question, give our initial thoughts on it, and then the panelists will go around and talk about each of their reactions to it to see the different viewpoints that people have in terms of what states are doing in the world of data privacy.
David Zetoony (attendee)
So let me start. One of the questions I receive the most is, how can you leverage data privacy work that you're doing for one state, let's just call it California for the CCPA, to address other jurisdictions? And I'm going to start this off by asking a few questions to the audience. So first question is, do you think that another state or the federal government is going to pass a comprehensive data privacy statute in the next 12 months? And I think that question is now hopefully on screen, and there should be a polling functionality, if you can hit yes or no. I think it'd be interesting to see kind of a crowd-sourced response and the likelihood that people think of another passage. And I think I see the metrics moving. So yes, overwhelming; and no, minority position, but it's still moving. So it looks like group consensus is that yes, a data privacy statute will come in the next 12 months that will be overarching. So let me ask the second question to the group, to the audience. How future-proofed do you think that your privacy program is to account for the next privacy law? If you're in-house, compliance, in-house counsel, talk -- think about your own program. And then if you're a consultant or outside, think about what you've been giving in terms of services to your clients. So I have a hard time reading the screen there, but I think -- and maybe the moderator can tell us -- read out the answer that's getting the most responses there. There it goes. I would probably have to make minor changes to my privacy proxy program, 62%. That's great. I probably have to make significant changes to my privacy program. And it keeps changing, I shouldn't have pushed the finger on the scale. And no respondents with -- good. Let's give it another minute. I see there's a minority position coming in. All right. Movement seems to be stopping. So the majority is minor changes. We've got a significant minority that there have to be significant changes to the privacy program.
We've got some honest respondents who are saying, what does future-proofed mean, which I love. And we have nobody who is saying that they have to make no changes. So I think that's really interesting. Let me give you kind of my thoughts on it. So first off, in terms of the likelihood of legislation coming in, in the next 12 months. I find that companies tend to overweigh the likelihood of passage on the federal side of a comprehensive data privacy statute. So I've been practicing in the field of data privacy and security for almost 20 years now. And every year, there's discussion of a comprehensive data privacy statute or a comprehensive data security statute on the federal level. And every year, I think if you asked the same question to an audience in a conference, you'll probably get the same response that it's over 50%, I think there's going to be something comprehensive. I haven't seen it yet. And my viewpoint on this is the issues of data privacy and security are so complex that it really takes coming together from both sides of the aisle to iron out some of the complex issues, which in an election year, I think is probably not likely to happen on the federal level. The state level is a different story. So I take the same view in the example. [ When Cal cast its first privacy statute ] [indiscernible] [ a lot better ]. It's a statute that required privacy notices on websites. There was talk and speculation that it was going to spread like wildfire throughout the U.S., and the same talk is happening now with the CCPA. 10 years passed before any other state jumped on that bandwagon. And then when other states did, it was a couple of states, and it ended up being 2 or 3 other states that followed suit. I somewhat see the same thing happening with the CCPA. I mean there are dozens of proposals in any particular legislature in terms of new CCPA-like or GDPR-like statutes. Washington got a lot of attention this year, and yet that one fizzled as well.
My personal view is, in all likelihood, what we're going to see is a wait-and-see approach. A lot of proposals that don't go forward, and then waiting and seeing what actually happens to California and how it pans out before we see too many other states stepping forward. But in terms of future-proofing, it doesn't mean you shouldn't try. So what is future-proofing for the honest respondents? It's -- your privacy program is designed to comply with state and federal and international laws today, but those laws keep evolving. And there are different ways to structure a compliance program so that when an evolution happens, you're not starting over from scratch. The key of future-proofing is even if you don't get a comprehensive law today, it doesn't mean there's not going to be some laws that take effect, and you also never know when something is going to pass. So what we saw a lot with GDPR was some companies designing GDPR programs that were very narrow, tailored to GDPR, not really designed to account for other laws and jurisdictions like California coming on board. But then when that happened, other companies tried to make their programs more open, more accommodating to changing laws, more future-proofed. And still even those that had narrow laws were able to leverage some very common core denominators. So at least in my practice, what we found is companies that were GDPR-compliant invested 25% of the effort that it took for companies that were not GDPR compliant to address CCPA because they weren't starting from scratch. They already had a privacy notice. They already had DSR, Data Subject Request protocols. They already had data retention policies. They already had vendor management practices. They had already addressed cookies. Didn't mean it didn't need to change. Now there were minor changes that needed to happen on all of those to account for CCPA, but it meant that a lot of the heavy lifting had already been done.
So I guess, my closing word on this, and I'll hand it over to the rest of the panel and it would be interesting to hear their thoughts, is there's a couple of things you can do to facilitate the leveraging of what you've already done so you're not starting over. One thing is look towards the base common denominator. CCPA in the U.S. may be a default, but there are still businesses that aren't subject to it. But think about going towards that common denominator of things like privacy notices; Data Subject Request protocols; looking at your marketing practices and how that relates to data; retention policies, vendor management, cookie management. And if you build that across the board, not narrowed just to California, you're going to find that when some other state does come into play, you may already be halfway there. I mean the second thing is more strategic. There's a lot of choices you can make when you're building a program that make it more future-proofed. So take a privacy notice. You can have a California privacy notice that doesn't talk about anybody else, it's very narrow to California. You can have a European privacy notice. You can have a French privacy notice. Or you can take a unified approach and have a privacy notice that applies to all the subjects, that is more jurisdiction agnostic. The former is going to need to be constantly revised as other jurisdictions come online. The latter is probably going to be 80% of the way there as other jurisdictions come online. So there's pros and cons to both ways, and I'm not pushing every company to make sure that they do unified approaches on everything, but I do think that there are ways to try to leverage that work product if one of your goals is future-proofing. But let me turn this over to the other panelists and get their perspective on this concept of leveraging privacy work to address other jurisdictions.
And before we go to -- maybe a good place to start would be David Manek and give a nonlawyer-ly impression about how data privacy programs can be leveraged.
David Manek (attendee)
Thanks, David. Happy to. I think one data point for folks to consider is it goes back to the Cambridge Analytica kind of fiasco, if you will. And so this is where basically the FTC fined Facebook $5 billion. And the interesting statistic there is that, that $5 billion represented 9% of Facebook's prior year's revenue, which is substantially higher than the 4% [ top year buying ] under the GDPR, or the General Data Protection Regulation. And this is -- the 4% fine we saw under the GDPR, that's what got the GDPR so much attention. But we have, just here in the U.S., the FTC, maybe with some support by the DOJ, bringing in some bigger fines than what would otherwise be available under the GDPR. So my point there is even in the absence of a -- of like a strict federal privacy law, there still are significant regulatory threats at the federal level. And then, David, you used a nice term, the common denominator. And another data point, I think, our audience would find helpful is the National Institute of Standards and Technology, NIST, they came out with a framework, a draft framework in October -- or kind of a version of one framework in January. That framework has about 100 data privacy controls in it. And at Ankura, we went through the process of mapping the GDPR, the CCPA. We mapped in 8 of the other pending state privacy laws back into that framework because we wanted to start to develop that lowest common denominator, if you will. And the interesting thing I observed was that of the 8 pending state laws that we mapped back into the NIST framework, 5 of them were basically copy and paste of the GDP -- of the CCPA, excuse me, 5 of them were basically copy and paste of the CCPA. So the text was almost identical to the CCPA, just referencing a different state. And then there were 3 others that were more kind of a hybrid of the GDPR and CCPA; Washington, Illinois and Virginia were a little bit different than the CCPA.
But the point here is if you're an organization preparing and investing in a GDPR-compliance program and a CCPA-compliance program, you're, at the same time, reducing your risk profile relative to these other state pending laws and the potential for a federal-level law. Alan, do you want to comment on that?
David Zetoony (attendee)
Great.
Alan Friel (attendee)
Yes. Well, I think one thing that we've discovered in working with clients on an information governance program, frequently with you and other consultants, is the importance of data mapping and getting a thorough understanding of your data practices, right? Because there are common features that go all the way back, where you talk about NIST, you go all the way back to FIPPs. It's transparency, choice, access, maybe correction, deletion. But in order to do any of those things, you've got to know what data you have, how you're using it, where it's coming from and where it's going. So that's sort of the building block for any program. And if you have those solid building blocks, you'll be able to pivot and tweak your program to address new legislation.
David Zetoony (attendee)
Jill, what's the viewpoint of an in-house counsel?
Jill McFarland (executive)
I can't agree with Alan more, honestly. The building blocks are really the vital part of everything, and that was the hardest part for us. When we saw GDPR coming, as a global company, we had to really step up our game and get those building blocks in place quickly. And CCPA was a challenge, but because we already had those blocks, it was a lot easier for us to build into the new law. So I think, barring any unforeseen developments, that will only continue to be easier and easier once you get the basics in place, but the basics were really hard to do.
David Zetoony (attendee)
Yes. And Alan, before we move on to the next question, I mean, I think data inventory is one of the primary core basics, but it is one of the hardest things to do, that and data retention policies. What have you found in terms of companies' willingness and ability to kind of complete data inventories as part of the CCPA: predominant position, minority position, mix?
Alan Friel (attendee)
I mean it's a mix. I mean it's sort of more to me the sophistication of the data inventory and the due diligence. And part of that depends upon how big a company you are. If you're a start-up that's only been around for a short period of time and you have Privacy by Design from the beginning and you've got a small number of data assets or databases, it's pretty easy, right? If you're a company that's been around for 100 years, that has got distributed control with a lot of subsidiaries or business units, that's really had no real information governance program, then it's a massive undertaking. And most companies don't have the internal resources to do that. And so they really have to look to consultants of the world, like David, to come in and, whether it be with tools or surveys or a combination of the 2, help them map that. Now one of the things that we've seen is that there are some ways to not only minimize your risk by cleaning up the data, but also to better be able to commercialize and exploit the data once you know what you have. And so there are commercial advantages beyond risk mitigation and compliance to having a thorough data inventory and a good IG program.
David Zetoony (attendee)
David, it's probably -- David Manek, this is a good transition point. So kind of switching gears a little bit, in terms of your clients and your companies, what's one of the most common questions that you hear that gets asked about states and the state privacy laws?
David Manek (attendee)
Yes. So we have a lot of clients now asking about Privacy by Design and specifically, what does Privacy by Design look like under the CCPA. And if we can maybe pull up that first polling question, I know it kind of got timed out a little prematurely before. But if we can pull up that polling question, I can talk through that here in a second. Yes, there we go. So just quickly to define Privacy by Design because it's somewhat of an ambiguous term. Really what -- the way we think about this at Ankura is considering data privacy at the onset of an initiative, of a project, at the onset of a product enhancement or really any type of product development. So the poll question here, does your organization consider Privacy by Design in your product or your software development life cycle? And it looks like -- I can't see that text, but I'm going to guess that the bulk of the responses are I informally consider Privacy by Design in my privacy program. Yes, there we go, 64% informally consider Privacy by Design, which -- yes, I think that just about lines up with my in-the-field client experiences. What I want to do is talk through a quick case study, drawing in some regulatory action from the GDPR. And this case study goes back to the fall of 2018, so a few months after the GDPR went live. The GDPR was the big European privacy law that hit a few years ago, which is really driving a lot of the privacy laws here in the U.S. And this case study goes back to the Denmark Data Protection Authority (sic) [ Danish Data Protection Agency ]. So it was investigating a taxi company called Taxa. And effectively, what happened was Taxa was taking steps to erase names and addresses of its customers after a 2-year retention policy, but it was not able to erase the customer's phone number. And so for those of you who are a little bit more technical in the audience, the phone number was a critical field in the database, sometimes we refer to those as primary keys.
And effectively, the taxi company was unable to convert that phone number into an anonymized value, unable to delete that phone number because it caused too much interruption to its systems. The Danish DPA came out with just about a $200,000 fine and said that just because the system makes it difficult to comply with retention or erasure doesn't really provide for an excuse. And I highlight that because maybe the phone number as a unique ID doesn't resonate with you, but there are a lot of systems out there that use e-mail address as a unique ID. It's like -- it's -- there are a lot of systems out there. And it's the same thematic point in that a lot of systems, especially if they're homegrown, are relying upon personal information to really drive and link up those databases. And so that's a bad example of Privacy by Design. That's poor implementation of Privacy by Design. I want to just hit on a couple scenarios of what good implementation of Privacy by Design looks like. So the IAPP, they have 7 foundations of Privacy by Design. The IAPP, International Association of Privacy Professionals. I'm not going to go through all 7, I'm going to hit on 2 of them. The first is privacy embedded into design. So a lot of our clients will have a predefined software development life cycle, or SDLC. So envision a data flow diagram or a Visio diagram with different kind of steps all linked together. And what we'll do is we'll take that SDLC, the software development life cycle, and we'll insert a step associated to data privacy. So as the developers are thinking about product enhancements, they'll go to the SDLC, they'll say, okay, this step relates to data privacy, and now that will trigger some thought around the controls related to privacy. Another really important step is introducing a privacy impact assessment, and these are typically -- they come in short versions and longer versions depending on the jurisdiction.
But here, we would want the privacy office to be able to trigger a privacy impact assessment and send it to, say, the product development team when they're trying to introduce a new feature. And the PIA may ask questions such as, what type of personal data elements are you collecting? Do we really need to collect all of those personal data elements, right? There's this constant overcollection of information going on. But the PIA as a tool is a great way for the privacy office to interact with the different business functions really spread across the company. We're actually seeing a lot of PIA activity right now around the COVID-19 return-to-work screening process. The idea is the privacy office, along with the human resource department, are using the privacy impact assessment process to drive standardization across different locations and ensure that what is actually being collected is needed and ensuring that we have the appropriate security protocols wrapped around that process. So it's a very useful tool. And then I think another piece is just don't use personal information as a key attribute in an information system. The personal information should be in fields or in a format that could otherwise be deleted. And then real quick, another element of Privacy by Design is visibility and transparency. That's one of the IAPP's -- one of the 7 foundational principles. And as we draw CCPA in here, there's a line in the CCPA, a requirement, the notice at collection shall be made readily available where consumers will encounter it at or before the point of collection. Now this is our precollection notice, and so what does that mean? It means that as a part of Privacy by Design, we need to go through the process of compiling a list of all the personal data entry points into our clients' environment and then ensuring we have notices at each of those data entry points. So we need a list of websites. We need a list of forms. There's probably other portals.
There are probably apps that are being used. And we need to have precollection notices at those data entry points. So that's kind of how we would operationalize visibility and transparency. I think another key piece, as it relates to CCPA, is specific language related to mobile apps. And so there's a requirement in the CCPA that says when businesses collect PI through a mobile app, it may provide a link to the notice on the mobile app's download page with -- or within the application, such as through the settings menu. So what does that mean? It means that we need to be very cognizant in terms of Privacy by Design as we're engaging with the app developer because a lot of these apps are outsourced. We need to be very engaged with them and ensuring that they are developing the app in a way where we're able to present a precollection notice via those apps. And as we've gone through a lot of these California Consumer Privacy Act projects at this point, the one thing I was surprised to see was the number of mobile apps being used by organizations. Some had 5 to 10 different mobile apps because they would have apps that would be consumer-facing and then there would be apps that would be directed to the employees. And I think that -- just the kind of discovery of that during the data inventory process was -- it was really enlightening for me. And so let me wrap up the Privacy by Design discussion there. I think we have -- Alan, if you have any other comments on Privacy by Design?
Alan Friel (attendee)
Well, I've been a big fan of Privacy by Design and privacy impact assessments in the U.S. for many, many years. I mean in the online context, in order to comply with CalOPPA, you have to know what the data practices are. There's currently no specific requirement like there is under the GDPR for the use of privacy impact assessments, although the ballot initiative may change that come this fall, at least for sensitive data. But again, I don't know how you provide an accurate description of your data practices and how you minimize your risk without doing it.
David Zetoony (attendee)
Jill, any other thoughts on Privacy by Design?
Jill McFarland (executive)
Yes. I mean I think my job and our job on our privacy compliance team is made much easier through Privacy by Design. It's a lot easier for the business side as well to build things from the ground up now with privacy in mind than to have to go back and edit legacy systems and programs. So as we get more systems designed with privacy in mind, it's been great, and it's absolutely easier for us than having to go back and redesign things.
David Zetoony (attendee)
I think the only thing I'd add -- I mean I agree with everything the other speakers have said, and won't go into kind of the full landscape of Privacy by Design, except to note it really starts at the top. So what I saw 9, 10 years ago or 8 years ago, around the time of the Target breach, was security start getting elevated to the C-suite. And so security by design became not just a tech issue, it became a C-suite issue. I think that's happening now with Privacy by Design. I can't tell you how often we've had CCO, CEO, CMO, CIO, CTO involved in those privacy discussions before any product design, just about strategy and business products, what it's going to look like to the market and whether it's going to be accepted. So I think I'd just add that to kind of the mix of it's part of a life cycle, but it's also part of the head of the organization. Alan, why don't you tell us kind of one of the questions that you've received the most in terms of states leading the charge on data privacy?
Alan Friel (attendee)
Okay. Well, I call this the cookie conundrum. So let's start out by asking: do you think data collection by cookies and tags is potentially a sale under the CCPA? I think...
David Zetoony (attendee)
[ A lot of tips. ]
Alan Friel (attendee)
Well, that was one person, so let's have a few more [ people ].
David Zetoony (attendee)
There it goes.
Alan Friel (attendee)
We'll give it a few minutes and see if we get a statistically relevant sample here. All right. So not a whole lot of people choosing to answer this question, everyone is shy. But right now, it's currently about 50-50. So I could talk about this issue for an hour. And in fact, just last week, I moderated a panel of cookie consent management platform vendors and the Internet Advertising Bureau on this issue. It's recorded. It's on the IAB's website. There's an hour of panel and 45 minutes of Q&A. It's a good resource if you want to dig deeper. But the cookie conundrum as it relates to CCPA is that the CCPA provides a right to opt out of sale, and sale is broadly defined to be pretty much any commercial disclosure absent a statutory exception. Those statutory exceptions are very narrow, one of which is service provider -- and the regs greatly restrict, even more than the statute did, what a service provider can do with the personal information, personal information including IP address, device identifier or the cookie ID and usage activity. Another exception is at the direction, the express direction of the user, but only if there's no further downstream sale. And in the context of digital advertising, there's multiple, multiple downstream disclosures with commercialization at each stop along the way. So now if you're a [ problem chair ], the question is who is the business that is responsible for collecting that demo? And there are 2 theories to this. There's the theory that the publisher is making the data available. And part of the definition of sale is to make the data available, personal information available. And therefore, it's a sale by the publisher unless there is a statutory exception, such as being a service provider. The other theory is that, no, these tracking technologies are themselves independently a business.
They're collecting the data completely independently, just as if you went into Costco and you filled out a sweepstakes card with the Jimmy Dean sausage vendor. It's Jimmy Dean that's collecting the data, it's not Costco making it available merely because they let Jimmy Dean set up a sample booth on the floor. Now one of the problems with that theory, beyond the fact that publishers are doing a lot to integrate that technology into their site, is that -- unlike Jimmy Dean, you don't know that that technology vendor is there collecting your data. Also, the technology vendor has the obligation, unless it's a registered data broker -- and that, by the way, is something that's in the last set of the regs, it may not even make it in, that exception for registered data brokers. But otherwise, a business has to provide precollection notice, and its opt out in the event that it is further downstream selling. Cookie operators don't have any direct connection with the user, so they would have to pass it down through the publisher. And you can imagine the chaos if there were 100 different pass-throughs. So what has the digital advertising industry done to solve for this? There are 2 competing frameworks. One is the framework by the Internet Advertising Bureau, which has also been sort of partially adopted by Google, and that is that the publisher must do 1 of 2 things. It must either create a signal that tells its digital advertising partners, you may only process this data to act as our service provider and not for any other purpose. Or you integrate your do not sell button with a signal that basically indicates [ some user by -- interface ] whether or not they've opted out. The other approach is the Digital Advertising Association (sic) [ Digital Advertising Alliance ]. They take the theory that the cookie operators are independent businesses.
And in order to pass down the notice, there is a single notice linked to each participating cookie operator's opt-out page. So these are both starting to get -- they both have about 200 to 300 participants per framework, but still not quite widely adopted. Then the other approach that's being taken is just plain old choice, a cookie consent management platform. This is basically jerry-rigging the GDPR approach to cookies. A couple of challenges here. This is an opt-out system, not an opt-in. Then you've got to decide what the opt out means. Is it going to be integrated with do not sell? Is the do not sell going to be a nuclear option that just stops the data collection? Or is it going to be more sophisticated and integrated with a restricted data processing signal that will allow the vendor to continue to use the data, just limited as your service provider? Almost all of the CMPs now offer some kind of integration with the IAB program. But still, there's lots of challenges. Most of them still have 2 different do not sell buttons, one for online, one for off-line. There are -- there's a lot of notice challenges, particularly if you have vendors in both programs, you've got to explain to people that they've got to opt out in multiple different ways, through multiple different frameworks. They've got to do it on every device. And by the way, this does not opt you out from interest-based advertising. So you're still going to have to go to the DAA and the NAI opt-out programs for serving interest-based ads as opposed to just collecting and sharing the data. So super, super confusing for publishers, even more confusing for consumers, still no industry consensus.
David Zetoony (attendee)
Jill, do you have any thought process from the big corporate standpoint, company standpoint? Are cookies a sale?
Jill McFarland (executive)
Yes. So I think I'm going to do that thing that everybody doesn't like and answer this question with a question. But one of the strong challenges, I think, that we face and that all companies face on this is the customer experience, the consumer experience, right? So what are going to be the expectations of the people using your sites in the future? Are they going to expect that they'll be able to opt out? Are they going to expect a tool? Is it going to bother them? Is it going to be too frustrating to use? I think that this question of whether it's a sale or not is an important one from a legal standpoint. But I think something that it's leading to is when someone comes to your site, are they going to have an expectation that they're going to have to opt in and out of all of these things? Or is it just going to bother people? The Internet is the new store, right? So we have to think about the customer experience in addition to the legal issues involved. So I think an important question to ask ourselves, too, when we think about whether these things are a sale is, are our customers going to expect the ability to opt out and how do we address it, regardless of whether or not we consider them a sale?
David Zetoony (attendee)
I think -- and this is David. I mean I think that's an excellent point. And what I'd add to this part of the discussion, I think Alan did a great job of framing up the 2 arguments about is it a sale or is it not a sale. And what it really boils down to is, if you're a privacy advocate, you probably say it's a sale. I think the better argument is, what would a reasonable consumer perceive cookies to be? If a reasonable consumer understood and was explained that you go to a website and the website serves you advertising and no money comes back to the company for deploying a cookie, regardless of the legal arguments, would the reasonable consumer consider that a sale? I think the answer is no, that a reasonable consumer probably wouldn't. The only other thing I'd add to this, ultimately, courts will decide whether it's a sale. But in terms of industry practice, if you look at the Fortune 500 websites now, and you look at just those websites that are heavy ad tech users, I mean they're deploying 5, 6, 7, 8, 9, 10 ad tech cookies, 43% of them take the position it's not a sale. And 28% of them take the position that it's a sale. So the predominant position is it is not a sale. That is the business community's position on this. And then again, if anybody is doing the math, that doesn't add up to 100%. You have about 29% who are remaining silent because they are not taking a position, which one can argue whether or not that's a CCPA violation in itself because the CCPA kind of mandates that you say whether or not you are selling information. But yes, I think my takeaway is it is not settled. There's a lot of debate about the IAB framework, the NAI framework, about the definition of sale and about whether any of those frameworks really comply with the statute and then the expectations of the consumer. David, I want to make sure we have time for the last question, but do you have any final thoughts on the cookie issue, sale and not a sale?
David Manek (attendee)
Yes. Well, I would just say, I think this one is really tricky for clients to find a solution for due to the lack of consensus. I think the IAB and DAA really are kind of signal-passing schemes, if you will, passing different opt-out signals up and down the ad tech chain, and it's not well developed just yet. So in terms of kind of risk reduction or things we can do while that process evolves, clients can think about having a cookie notice up on their website, which outlines the different types of cookies they're using. We can provide, through that same mechanism, instructions for the user to update their browser settings, so they're not getting cookies landed on their browser all the time. I think the key there is just transparency while we wait for solutions to further develop. And the last piece I'd say here is, if we are getting opt outs, we should hang on to those because when there is a well-developed kind of signal-passing process, either IAB or DAA, and we reach consensus on one of those, we want to know what the historical opt outs were so we can have an opportunity to push those through.
David Zetoony (attendee)
So the point of this has been so far -- I'm sorry?
Alan Friel (attendee)
Can we trigger the last polling question? So with that, have you undertaken efforts to avoid a sale in any way, including cookie consent management or the IAB or DAA's CCPA framework? We're half and half. No? Little...
David Zetoony (attendee)
Not too many respondents on that one. I think that may not be a statistical sample. So the format that we did so far was really starting with the 3 of us who are outside consultants or lawyers and responding to the questions we received most from our clients. Last question. Since, Jill, you have one main client. You don't receive lots of questions from many different clients, you receive lots of questions from one client. So let me ask one to you, which is, what's been the largest operational hurdle not anticipated by regulators or privacy advocates that you think your company, or that other companies, your counterparts at other companies, have really had to deal with?
Jill McFarland (executive)
So I think that Alan actually alluded to this earlier in terms of companies that would have trouble building a process. And so our largest operational hurdle is tied into that, right? We're a very old company. We've never been acquired. We were founded in 1866 in the same location that we are headquartered at right now and are also extremely global, right? So it was very difficult to kind of take those legacy systems and fit them into laws that have been drafted to address sort of tech company-type issues, right? So for example, and this is the single biggest operational hurdle that I have encountered to comply with DSR requests and other significant privacy rights issues: we have to do a lot of manual work. Our systems don't talk to each other. They are isolated. We have different brands. So the question I get most is, well, how do I operationalize this? And until our systems are newer and all talk to each other, we have built enormous manual processes behind the scenes to comply with DSR requests, to comply with opt outs across the board. And they're very robust, and I'm so proud of our privacy and other compliance teams that have had to put those in place. But I think that probably wasn't an anticipated outcome, right? I think most folks drafting these laws anticipated kind of this large aggregation of data at a large tech company and that those processes could be built one time. At a company like ours, we have to build 65 different processes for 65 different systems and a process to align the processes. So the number of flowcharts and individuals and manual button pushing is pretty extraordinary, honestly, to make these things work, and I'm so proud of our team for doing that. But I think that, that is a really unanticipated outcome, I think, for the folks that probably drafted or came up with the paradigms they wanted to put into these laws.
And that is definitely the question I get most often is, well, what about -- how do I make these things aligned and do this across the board? And my answer is frequently, here is the really complicated flow chart we built that you will have to follow.
David Zetoony (attendee)
And I'll be the first to chime in on that. I mean I think you've hit the nail on the head, access and deletion effectuation is a huge operational hurdle. And I think, unfortunately, the state regulators, [indiscernible] the CCPA, had no concept of it. And you can see it when they were doing their impact on -- financial assessment impact on what the regulation would do. They did not allocate any time for this, any cost to businesses. But any business that's gone through this knows there was a development cost, there's maintenance cost. And every request they receive in, there is a real cost. There is no magic button. And clearly, they conceptualized and even called it an opt-out button, like there would be some kind of magic button you pushed and things would magically happen. So I think that hits the nail on the head. In the last minute or 2, David or Alan, any other large operational hurdles that you think were not anticipated by the regulators or by privacy advocates for the CCPA?
Alan Friel (attendee)
I'll let David answer that because he leads with clients every day on this.
David Manek (attendee)
Yes. I mean I think one of the biggest pieces, without getting overly specific, comes to older organizations with lack of budget. We actually did a study where we did -- organizations that reported a data breach [indiscernible] [ California AG's ] website. We looked at their privacy notices back in February, and only 10 of the [ 30 companies ] that reported a data breach had taken steps to prepare their notice for the CCPA, which means 66% of those organizations that reported a breach did not take steps to prepare their [ orders for ] CCPA. And we gave them credit if they had any reference to CCPA, if they had [indiscernible] on their privacy notice, we weren't holding a high bar. But it just tells me that there's -- [ it's going to happen]. Organizations that have taken steps to prepare for the CCPA and those that haven't, and still will be likely when we start to see some regulatory enforcement.
David Zetoony (attendee)
Great. Well, I want to thank all the panelists. I think this has been excellent. And I think all of our contact information is out there for the attendees, so if you have any follow-up questions, feel free to reach out to any of us. Thank you all.
David Manek (attendee)
Thank you.
Jill McFarland (executive)
Thank you.