Todd Ruback, Managing Director, is an experienced data privacy leader within FTI Technology’s Information Governance, Privacy and Security (IGP&S) practice. He advises clients on privacy and data protection issues, with a specific focus on consent and preference management and governance related to Advertising Technology (AdTech), privacy and digital advertising. He has 17 years of experience in privacy and 11 years working directly at the intersection of AdTech, privacy and digital advertising. In this Q&A, Todd discusses his specialized area of data privacy and offers a view of the changing landscape.
Todd, what first drew you to data privacy and specifically to your focus on AdTech, privacy and digital advertising?
I began my career in privacy in 2005. Few people were in the space then and in those early days, I was helping large organizations comply with new state breach notification laws that were beginning to pop up. Initially, organizations were dealing with these requirements in California and New York, but the statutory reach eventually grew to all the states. My practice in breach response evolved to helping organizations be more proactive and develop early privacy programs.
I eventually moved into a leadership role at a privacy technology start-up, where I was the Chief Privacy Officer (CPO) and General Counsel. The company developed notice and consent tools critical for compliance with the ePrivacy Directive, commonly referred to as the “cookie” law, self-regulatory programs for interest-based advertising and eventually the GDPR. Our technology was able to identify, inventory and categorize the invisible data collection happening behind the digital curtain, and make sense of it all so companies could meet their transparency and consent obligations. This work was ultimately the beginning of my specialty in AdTech, privacy and digital advertising.
Why is the intersection of AdTech, privacy and digital advertising so important? What problems are you solving for?
This nexus point has always presented a vexing set of issues. Many organizations rely upon revenue from digital advertising, which is enabled by AdTech and its real-time bidding (RTB) architecture. This electronic auction house, where pools of profiles are sold to advertisers in order to serve the right ad to the right person at the right moment, results in billions of advertising dollars each year and accounts for millions of jobs. It also enables the free internet that we all enjoy today. However, the flip side is that AdTech has historically been an opaque black box, with consumers and organizations alike often not knowing what data is being collected, by whom, and how it’s being used. That has drawn regulatory scrutiny in the EU, widespread consumer concern and was the genesis of state consumer privacy laws, such as the CCPA/CPRA, in the U.S. Organizations are now caught between a rock and a hard place, in that they need to protect and grow the critical digital advertising revenue, but also must rethink how they do it, so that they not only comply with a growing web of regulatory requirements, but also meet growing consumer expectations.
More and more organizations are talking about this topic and looking for help. Companies need to ensure they comply with the law and can ethically leverage the invaluable data that comes with interacting with the marketplace. They’re taking control back from third parties. They want to make sense of their data, extract value and apply business intelligence to understand what it means for their customers.
So, are there specific offerings you’re launching to address these issues?
Yes, we’re rolling out a suite of AdTech privacy solutions under an AdTech Center of Excellence (ACOE) banner. We’ve already launched the first of these, the AdTech & Privacy Risk Assessment, which provides clients with a baseline understanding of their current digital/data collection practices and maps them against a regulatory standard, such as the CCPA/CPRA or GDPR.
In my many years of experience in this area, I’ve found that clients often think they have a firm grasp of third parties operating on their digital properties, but too often that’s not the case, mainly due to the dynamic nature of AdTech, bringing downstream parties onto websites. Regulators and consumers don’t care, however, and expect organizations to not only have this comprehensive knowledge, but also have a governance framework in place that monitors, documents and controls this activity. Our proprietary methodology allows us to efficiently inventory the third parties, identify potential gaps and recommend ways to close those gaps. Additionally, we also look for areas to improve website speed and the user experience, which web ops and marketing groups love.
We’re also offering AdTech & Privacy Governance Frameworks, Managed AdTech & Privacy Service (MAPS), and AdTech & Privacy Strategy Review. Each of these integrated services supports organizations through flexible, risk-based solutions that align with their marketing goals. Our goal is to help protect and grow digital advertising revenue, while helping to streamline processes and implement repeatable, documented governance rigor so companies can easily demonstrate accountability upon demand. We also recognize that many of our clients want to continue to improve their practices, but are resource constrained. We further support them with our Managed AdTech and Privacy Services, where we do the governance, in whole or in part, while they recruit and onboard resources to take over the governance programs.
GDPR has obviously intensified the focus on privacy in digital advertising. What additional changes are on the horizon?
For privacy, it’s almost become irrelevant to focus on one specific law. There’s been an emerging body of data protection and privacy laws, of which GDPR was the beginning, not the end. As the digital economy has become global, nearly every country has had to align its data protection laws to the GDPR and privacy has become a trade issue. It’s now a matter of business. This means that data must be moved across borders without friction. To do that, an organization must comply with multiple laws between the countries of transfer.
Similar to when I started out in this business and each state enacted its own breach notification law, we could soon see all 50 states with their own flavor of consumer privacy regulations. Until there is additional legislative momentum toward a U.S. privacy law, I anticipate the patchwork of state consumer privacy laws to continue growing. This patchwork approach, unfortunately, will add to compliance complexity and increased compliance costs and risks for organizations in the U.S. This is where we can help.
What made you choose FTI Technology for this new phase of your career in privacy?
What’s appealing and unique about FTI Technology is the culture and entrepreneurial spirit. Firms of this size and scale often lose their agility and adaptability as they grow, but that hasn’t been the case here. I’d been craving an opportunity like this for years, where I would have the flexibility as well as the resources to build out a unique, first-of-its-kind practice that helps clients solve really complex, critical issues. FTI Technology has a fantastic reputation and I had many former colleagues who encouraged me to make the move. I knew quickly it was the right place for me to execute on my vision.
Beyond your passion and expertise in data privacy, what do you bring to the table as a leader?
I trust the people on my team. I strive to empower everyone to take chances, raise their hands and ask questions. If something doesn’t make sense, I want my team to call it out, because I might not be explaining it well. New ideas might not always work out the way we want them to, but it’s so much more fulfilling to see people go for it rather than not take a leap. Either it works, or we learn something — both are wins. I never want to stifle innovation and the same entrepreneurial spirit that brought me here is what I want to encourage in those around me.
What’s a fun fact about your life outside of work?
I’ll rewatch silly movies 20-30 times, memorizing every line. It drives my wife nuts, but if Dodgeball is on TV, I’m watching it and going word for word with the TV.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.