Mister Beacon Episode #15

Privacy - What the Beacosystem Entrepreneur Needs to Know

September 07, 2016

It's easy to make mistakes when it comes to privacy and beacon apps. The consequences are serious. Hear Jarno Vanto of Borenius, one of the leading lawyers that specializes in beacon privacy describe the pitfalls and how to avoid them.


  • Jarno Vanto 00:00

    And what happens also is that the companies then have to build a comprehensive privacy program that then for a period of 20 years, and they have to be audited annually, so. So the consequences are pretty dire. If you think about it. If you're not telling the truth about the date, your data collection practices, make sure that when your programmers make changes into your code, that when they make those changes into their end of the code, make sure that is reflected in the privacy policy. So So kind of like the developers, the programmers, they have to do their work hand in hand with the company management to make sure that you know, what we stayed in our privacy policy was actually true. There's a lot that comes into play. When we pair beacons with mobile apps and the sensors we have on our mobile device. This job exam is a huge change undergo underway in Europe right now. 28 Theme there's the new general data protection regulation or GDPR. And also the fines will increase significantly for violations. So we're looking at potential declines of 4% of worldwide annual turnover for for larger companies multinationals.

    Narration 01:29

    You're listening to The Hitchhiker's Guide to the Beacosystem with Steve Statler.

    Steve Statler 01:39

    So, welcome to episode 15 of The Hitchhiker's Guide to the Beacosystem, and this week we are going to be talking about privacy in some depth with the author of the privacy chapter from our book, The Hitchhiker's Guide to the Beacosystem. So my name is Steve Statler of Statler Consulting. We do this in partnership with Proxbook, and a kind of Proxbookl alumni is our guest, Jarno Vanto, who is partner of brainiest attorneys based in New York, but with a very cosmopolitan accent.

    Jarno Vanto 02:17

    Thanks really much. Appreciate it. Great to be here today.

    Steve Statler 02:20

    Yeah, and I really appreciate you writing that chapter. I often joke to people that actually your chapter is worth the price of the book. And, you know, you're a lawyer, and you focus on on privacy, can you tell us, you know a little bit about your history with with the subject?

    Jarno Vanto 02:40

    Sure, I'm not gonna go to my entire resume. But just to summarize on privacy, I've been working on privacy related matters, and both Europe and in the United States for about 12 years now. And I've been dealing with all kinds of companies privacy issues, ranging from just industrial conglomerates work trip across the world through mobile apps that put apps out on the App Store. So just runs the gamut really been a kind of a broad experience and all kinds of interesting privacy issues.

    Steve Statler 03:09

    Why did you decide to focus on the area?

    Jarno Vanto 03:13

    Well, I, well, I've always loved technology and always bought the latest gadgets, though playing but then it was when I was studying law. It was an emerging practice area, and I and given my interest in technology, I thought it was a good fit. And it's been growing as a practice area. Ever since.

    Steve Statler 03:35

    We are very good writer as well as an accomplished lawyer from everything I can tell as a layperson, that spends a lot of time with lawyers. And so you did a fantastic job in writing the chapter. And I kind of read it, I thought, Wow, I feel really well informed. Now. What's you're gonna do is like not gonna get any clients what you end up doing as part of your privacy practice? Why do people retain your services?

    Jarno Vanto 04:05

    Well, I mean, you know, beacons and related technologies is just one area of this kind of broader range of issues than for example, I build a lot of display, you'd call in for comprehensive privacy programs for companies that are involved with data. And there's, you know, just in recent years, there have been many companies who were whose only business's data and so they need to have a compliance program because they're dealing with data globally. They need to understand local law. So we tried to build a good build a program for privacy compliance that fits the needs of that particular company. And then then there's, you know, day to day things like drafting privacy policies for mobile apps and websites. That's what I do a lot and you always have to have your own privacy. also for the pineapple kind of data collection that you do. And so no copy paste jobs. And then of course, when companies have to deal with regulators, if they have a compliance issues or questions, then also interact on behalf of clients with the regulators. And then a one of the major challenges I would say, for companies that are upgrading globally is that different countries in the world have these restrictions and how you can move data out of those countries to other countries, and I help companies comply with those restrictions, and make sure that when they transfer data from, for example, from the EU, to the US, they do do so in a compliant way.

    Steve Statler 05:51

    Excellent. And that actually is a great lead into the rest of our discussion. And what I would like to do today talking with you is really dig into why entrepreneurs should give some thought to privacy, especially in this big grand proximity ecosystem, and then we'll talk a bit about the US the EU, and if we have time, Asia Pacific, just kind of get a sense of what the differences are. And then I think, you know, the meat of it, or the the final piece is what what are the best practices? What is it that people should be doing? So, you know, let's start off with Why should a be ecosystem entrepreneur care about privacy?

    Jarno Vanto 06:36

    Well, I mean, you know, as we both know it, because themselves are sort of dumb devices, they don't really collect any data. But when you have a mobile app that interacts with the beacon, the the amount of data is quite extensive, that can be generated. So when we understand that we understand that we need to tell, you know, the users of mobile devices about the types of data that they're being collected, where the data goes, what are the purposes of it's using all that? And so we really are, then we understand that this privacy actually quite cuts quite close to the, the beacon world and ecosystem.

    Steve Statler 07:23

    I mean, what, let's let's spend a little bit of fear to concentrate people's minds if people don't do this, what what can happen?

    Jarno Vanto 07:33

    Well, alright, so first of all, if, you know, we're, we're we have to talk about different countries and different jurisdictions like the lawyer say, in a different way. And for example, in the United States, the one of the key enforcers of the law on consumer protection is, is the Federal Trade Commission, based in Washington, DC. And they monitor what lawyers called consumer disclosures. So for example, privacy policies of companies put up on their websites or mobile applications, right. And, and there have been several cases where the last couple of years where, for example, companies that are in the Beco system, or near the ecosystem, so to speak. So for example, in store tracking companies or, or Wi Fi tracking companies that, that have told something in their privacy policies, boop, which was, in fact true, and and then the FTC investigated them and they ended up entering the settlement orders, and had to pay serious fines, we're talking hundreds of 1000s of dollars in some cases. And what happens, also is that the companies then have to build a comprehensive privacy program that then for a period of 20 years, and they have to be audited annually, so. So the consequences are pretty dire, if you think about it, if you're not telling the truth about the date, your data collection practices,

    Steve Statler 09:21

    So it can be expensive if you get caught doing something different to what you tell people you're going to do. And if you kind of took the shortcut, because you hate red tape, you could actually end up having a lot more red tape than you ever dreamt of.

    Jarno Vanto 09:37

    Exactly. No one else was still my clients, for example, in a mobile app space is that make sure that when your programmers make changes into your code, that when they make those changes into their end of the code, and make sure that is reflected in the privacy policy. So So kind of like the developers, the programmers, they have to do the work here. And in hand with the company management to make sure that, you know, what we stayed in our privacy policy is actually true about what what types of data we collect.

    Steve Statler 10:09

    Yeah, I mean, it sounds like it's a real team effort, because you gotta have like the product manager, the programmer, the the lawyer, the marketing, I mean, everyone is going to have to pitch in and the finance guy needs to sign off on actually spending time and money on this. So it's not, oh, let's just get let's go to erroneous and get a privacy policy job done. It's actually more than that. And I think the other thing that just really struck me, because I know that, you know, I've started startups, and I know that you can have to focusing on just survival. But you know, what we've already seen in the beacon ecosystem is, aside from all those other bad things, the expense, the hassle, all that stuff, you can have your beacons taken down. So you can have local government mares saying no, not in my city. And that's just that's, that's not good.

    Jarno Vanto 11:05

    Happen here in New York City in connection with this phone booth beacons that we're installing, they had to be taken out as well. Because if there's just public concerns about the privacy aspects, though, I'd say it is it's really happening.

    Steve Statler 11:18

    So, okay, hopefully, that's kind of got people's attention. And I guess the other thing that is sort of interesting about this privacy stuff, is that we're in an age when people are publishing naked pictures of themselves on Facebook. So, you know, that would be the kind of the counter argument, I guess, is why the heck are we worrying about all this stuff when these you know, it's the kids are going to be taking over? And they're all make it on Facebook? Anyway? So?

    Jarno Vanto 11:50

    Yeah, yeah. Yeah. You know, if we, like, if we think data collection and privacy is essentially don't want to go and build evil, philosophical aspects of it too much. But what what studies have found that, that teenagers are actually very concerned about the data being collected from or about their devices and themselves. So they actually do read some of the privacy policies that, you know, maybe more senior citizens would not read all, and they're concerned about the privacy practices of these apps that they use. So for example, like, you know, that your pictures will stay out there only for a certain amount of time that, you know, they they don't collect too much information for ad purposes, things like that. So I think that while yes, I mean, as such, like people can disclose more about themselves on social media and things like that. But then, for example, the data collection that's going on, on the sort of underneath the surfaces is a concern for for for these younger people.

    Steve Statler 13:00

    Well, and I think the thing that has struck me as someone who's worked for a beacon company, is you can you can accept that, oh, 99% of people do not right. Do not read the privacy statement. I think in your chapter, you say you could probably copy and paste the text from mine camp, and people wouldn't know that the problem is 1% of the people do. And we've got this thing called social media. And so then it goes from this very esoteric thing to something that gets boiled down and everyone jumps on the bandwagon. It's pretty ugly at that point. One last thing before we get into what's happening around the world, in terms of the rules, you know, what a lot of Beacon entrepreneurs says, hey, well, beacons, actually they don't track you. They're just broadcasting data. Therefore, privacy isn't an issue for us. Can you kind of give that a quick run through and tell us whether that is just rubbish? Or?

    Jarno Vanto 14:02

    Yeah, well, I mean, you know, as I as I mentioned, in the beginning, beacons themselves don't really engage in much data collection. But when you have a mobile app that interacts with a beacon, there's a whole lot of data that and data collection taking place, for example, if we add meaning or context to those beacons, to software, where you can actually extract a lot of data, for example, what the person is, for example, physic in the physical world, you know, all kinds of things that they they looked online kinds of advertising, potentially even like if, like once there's enough segmentation around the beacons, for example, you can tell where in the store they are. So there's a lot of stuff that that that that guns help in accessing. So so there are the privacy issues. And for example, that when we come to for example, if there's location data, we know where the where the mobile device is in the physical world, then we generally, the general rule is that we have to obtain opt in consent for the collection of location data that applies pretty much both in the European Union and in the United States. And if there's the sharing of that data with third parties, for example, for advertising purposes, generally method tell these users of these mobile devices, this data collection has taken place. And you know, it can potentially be shared with others and all that. So there's a lot that comes into play when we pair beacons with mobile apps and the sensors that we have on our mobile devices.

    Steve Statler 15:48

    Got it. So to the degree that you're creating software that uses the beacons and that's when the issues arise. And I think it is fair to point out to people that beacons aren't tracking. So it's not like, it's not like Wi Fi, tracking where you are listening in. But that doesn't absolve you because almost certainly you have some software there. And that's where you need to be very careful what let's let's kind of look at the difference between the US, Europe and Asia Pacific. And having grown up in the UK, I there's always I tend to default to oh, we do things better in Europe. And look, we've got this great privacy legislation. But so first of all, are there any privacy laws in the US or is it just chaos?

    Jarno Vanto 16:34

    Well, the US laws are more sectoral in nature. It's kind of a cliche, but when we privacy lawyers tend to repeat that the US law is a sectoral there is no overarching regulation, like there is in Europe, where currently there's what is called the Data Protection Directive. It's been enforces 9095, basically, and and all these national laws, it's 20 members, it's implemented that and that governs all processing of personal data.

    Steve Statler 16:59

    Okay, so just so we kind of were talking about Europe, and just to kind of make sure I'm absorbing it. So there's a EU directive. Yes. And the actual legislation is within each of the member countries. And in the US, we don't have the equivalent of that kind of national, all encompassing, so we can do whatever we like.

    Jarno Vanto 17:22

    And now, first of all, well, and then just going back to the a little bit, there's a huge change undergoing underway in Europe right now. 28 theme, there's a new general data protection regulation or GDPR. That basically because the directive means that it's implemented in national laws, and there's all kinds of differences between the Member States, although the background is the same forever, every one of these laws, but in 2018, there should be uniform regulation, Dr. Oldham II a member states and also the fines will increase significantly for violations. So we're looking at potential declines of 4% of worldwide annual turnover for for larger companies, multinationals. Mind. But so yeah, coming back to the US so. So yeah, there's only sectoral also, for example. What cuts close to home for for the ecosystem companies, for example, is COPPA, which is Children's Online Privacy Protection Act. And eight basically prohibits the collection of personal personally identifiable information relating to children without affirmative parental consent. It's been updated in advance.

    Steve Statler 18:44

    So this sounds the bane of Disney's life, isn't it? They're definitely trying to make money. And then basically, it's really, really hard.

    Jarno Vanto 18:52

    But for example, there was a case just this past year, that the FTC, entered into an agreement with a company that was collecting Wi Fi data from children's mobile devices, and did not obtain parental consent for doing so. And then And then so if there are laws that are important, but and then also, just because I talked about the FTC, so the FTC can monitor all these consumer disclosures about so what what because mica says some companies are telling consumers about their privacy practices. And then also State's Attorneys General, have jurisdiction to enforce consumer disclosure. So again, privacy policies, and it's not not just at the federal level. And then we have a lot of self regulation because the the the advertising industry has kept the legislators at bay, so to speak, by creating actually are very well developed self regulatory schemes for for mobile advertising and internet advertising. For example, the network advertising initiative has a code of conduct. And digital advertising Alliance has, has rules for for, for companies on, on, on on mobile and Internet advertising. And so and then those rules applied to the the codes applied to the membership of those organizations. And so they're pretty pretty strict in enforcing the the those those rules, including in those codes and model model rules on their membership.

    Steve Statler 20:51

    But going back to the FTC, so there's some legislation that impacts collecting data from children, and these days, children have funds. So that's material, it's not something that can be ignored. But can the FTC if there aren't, if the FTC is? Are they offering advice guidance? Or can they actually how can they find you? If there are no if there's no federal law about opt in and, and all the other things that you should be doing?

    Jarno Vanto 21:23

    Yeah, well, the FTC basically enforces make a law that prohibits unfair or deceptive acts in in or affecting commerce under the FTC Act, Section five, and unfair, deceptive acts, for example, are privacy policies that don't tell the truth to consumers about data collection practices. So that's, that's, that's how you, the FTC gets to you. Usually, if you're in this Beco space, and you're not telling the truth to consumers about your data collection practices.

    Steve Statler 22:02

    So you kind of got to have a privacy policy because otherwise you'll be called out and and Better Business Bureau, and they won't give you a rating unless you have a privacy policy. So you kind of have to have one, and then they get you if you say something, and you don't actually do it, and they can actually find you serious money. And before we kind of move on to Europe, what's your prognosis on the likelihood of actually having clear legislation? Because it seems like Al Franken one of his big causes is trying to put something in place, but nothing ever seems to happen?

    Jarno Vanto 22:35

    Well, I would, I would, I would wait and see, you know, this, for example. It's interesting what, and this ties to Europe. And so your 2018 is going to have this kind of overarching Uniform Law. And right now, just in the beginning of August, of we finally have this EU us Privacy Shield for companies that are operating now between the EU and the United States, and transferring data across the Atlantic. So gradually, I think that these European initiatives are actually going to have an impact on on us legislation, and either directly or indirectly, but but they're definitely going to generate the more effort to have similar laws in the United States as well. And and of course, depending on what happens in the elections this November, some of those initiatives can could advance faster than then then then thought but but I do think that there, you know, that the self regulatory initiatives that the US industry has developed have have tamp down a little bit these initiatives on on, on on on having a sort of a federal law on privacy.

    Steve Statler 23:57

    Okay. So let's just sort of go you've talked about Europe already. 2018 and the fines potentially going up? But what what are the kind of what's the quick summary of what the European directives are actually mandating.

    Jarno Vanto 24:16

    For example, you know, the, one of the key differences, I'm not going to go through everything itself, but um, but one of the things I would mention that often comes up when when I talk to clients is the US concept of PII, so personal identifiable information, right. So it's considered fairly narrowly so you're talking about, you know, having the addresses email addresses, social security numbers, credit card numbers, things like that. In Europe, the concept of personal data is way much broader. So for example, the courts and the enforcers of these European data protection laws have interpreted that personal data can be for example, a cookie or a day device identifier and IP address are because it's it's really with reasonable effort you can, you can determine who the person actual person is behind those behind those identifiers. So that so there's there's already a sort of a cultural and normative difference between the EU and the US. So in the US the understanding of what is this personal and employer information is kind of narrow. And and so and then the other thing is that, you know, in Europe all processes of personal data, like anyone who processes personal information is covered by and covered by these laws in Europe. And in the US, again, the scope of these losses is not not country wide, or, or are or covering all companies using personally identifiable information for business purposes.

    Steve Statler 25:58

    And it's, it seems like they have a lot more specific rules in place in terms of actually keeping data and what data you can keep.

    Jarno Vanto 26:07

    There's all kinds of laws and rules in place about how long you can retain the data, whether you even actually have any basis for processing the data at all. There's all the lists of legal basis under which you can process personal data. And if you don't have one of those, you can't. So so that already cuts out a lot of companies that data aggregators, if you don't have a legal basis for that processing,

    Steve Statler 26:37

    That's a really good point. And I think, you know, there's many business model in this space that where the values in the data and so that kind of I think the entrepreneur wants to accumulate as much data as they can. But we also try and build our services and products with a minimum viable product. So you know, what you're doing today may not justify, you're actually accumulating the data. So that might that sounds like it's a tricky problem, especially if you're in Europe. Alright, well, let's, let's just talk about Asia Pacific very, very briefly, is there? I mean, is it is there any consistency to the rules there? Or what do we do as, as a software services company that's trying to go global? And what how should we be thinking?

    Jarno Vanto 27:24

    Where we stay in the beacosystem, for example, I think the the one that if there is any consistency, the the consistency is basically there are some two points those are general general agreement about them. One is that if and beacons help in getting especial, especially when you have, you know, mobile apps and segmentation around those beacons, you have context, the beacons, they do generally give you precise location data about where this mobile device is located in the physical space. So both in the EU and in the US, and also, for example, in Asia, Pacific, Japan, Korea, the you have to get opt in consent due to access precise location data. And then the another thing that sort of fairly common is that if you're accessing any sensitive personal data, print, sensitive PII, what is sensitive differs a little bit, but you can generally talk about you know, things like health, sexual preferences, things like that the person would not want to disclose in public that you should not either, you know, direct advertising or or or collect such data in the first place without having that person something consent and personal polling, the US the advertising industry guidelines generally don't allow or the codes of conduct don't allow for for segmentation of advertising based on sensitive data categories.

    Steve Statler 29:08

    Interesting. Okay. Well, that's, I think, a good step towards what are the best practices and you do a great job of summarizing them. And we're kind of running short on time. So we'll quickly go through these and seems like I know, because I read your chapter several times that consent is a key thing. How should beacon owners be gaining consent?

    Jarno Vanto 29:29

    Well, first of all, I mean, if you think about the clue, what is a beacon owner? I mean, there's companies that are installing beacons, and they're the art companies making use those beacons to mobile applications, right. And and then there are for example, you know, property owners have you name it, but in any event, the the how the interaction to consumers takes place is through the mobile device, right? So the mobile device CES themselves already have kind of robust mechanisms for accepting data collection to true or by with the help of beacons. They ask you, if you, if you agree to the collection of your location data, they keep asking it throughout the lifecycle of the app on your phone. And then some apps also tell you about why and location data wouldn't be helpful person's experience with the app. And then there are also opt out mechanisms in place. So the consumer can, for example, disable location services on their phone, disable them for a particular app, and things like that. So those devices already helpful. It gives consumers a lot of tools to control this kind of data collection. But then, what is important that the ecosystem meaning the companies installing the apps, mobile devices, using the app using the companies installing the beacons, smoke, the apps making use of those beacons, and then the third parties who then collect data in the background, they have a coordinated chain of custody for the data. And each each in that chain of custody has proper disclosures in place about data collection. So but the mobile app, of course, is the forefront with the consumer and asked to make sure that the consumer has a clear understanding of the types of data collection, of course, often for a collection of location data. So that that's a key. Right?

    Steve Statler 31:36

    Right. So so so very quick, simplistic, should we be opt in or opt out? What's the way obviously as a marketeer, I'd prefer to just give people the opportunity of opting out and default that their opt in is can I do that?

    Jarno Vanto 31:54

    Yeah, I mean, we should we should be opt in, we should be opt in for at least for the collection of location data. And there's, of course, other types of data that are being collected in connection with with mobile apps as well. And there are the keys privacy policy and make sure that what you state in your privacy policy is actually true and corresponds with the reality.

    Steve Statler 32:16

    Okay, what about notice? So what does notice mean? And does that mean? I need to have signs up in the stores? Just like I have signs up that say there's a security camera? Do I need to have signs up that say, Hey, we've got beacons in here?

    Jarno Vanto 32:32

    While the technology is constantly developing? And of course, you know, me giving meaningful notice will change over time, what that means right now might be a completely different thing a couple years down the line. I'm not sure if we're going to see too many signs, because people tend to, to, there was a study actually about it, people don't tend to notice such signs have begun then to ignore them in the retail environment. If they're an aqueous they don't even understand what the symbols mean, really. Generally. So again, here the key is mobile disclosures, I think and going forward, I think this will remain the case because the mobile device, the consumer is holding consumers holding the app. So the prominent disclosure in the app, this is I think is good going forward still remains to the key solution to provide notice.

    Steve Statler 33:20

    Is it okay, if I have like, huge amount of small print? And I have, you know, a lot of legal jargon? Or do I actually have to put it somewhere where someone might actually read it and use words that people might actually understand?

    Jarno Vanto 33:36

    Yeah, it has to be as be prominent has to be clear, it has to be written in a language that or even, you know, almost a child could read so that it makes clear what data you're collecting, what purposes to use the data for? How long they keep the data? And who would you give the data to? Who do you disclose it to? And those are the sort of the key elements and they have to be updated as s data practices develop over time.

    Steve Statler 34:05

    Okay. And you know, the thing that I find most difficult to understand is this issue of who does what, in a very complex ecosystem, so you have the person who owns the beacon, the person that owns the app, the person that owns the data, there may be several people that owns the death finger, they own the data. How if I'm a data management platform that's plugged into a programmatic advertising network, can I meet my obligations when it's not even my app?

    Jarno Vanto 34:40

    Well, I mean, if you're in a consumer facing directly, whatever if you are what is called a third party, of course, you have to obtain a reasonable assurances contractually, for example, that those in the chain of custody of that data have, you know, probably have given proper notice. have obtained opt in consent for a collection of location data. And make sure that you use the data for such purposes that that consumers have been told about. So for example, if you're used to data for advertising, we should bear we should verify, for example, the apps collecting that data have told consumers in their privacy policies that, you know, this data can be used for, for example, for third party advertising.

    Steve Statler 35:24

    Okay. So it's got to be in the not only is it got to be in the customer facing agreement, but it's got to be in the agreement between the data broker and the will the people that connected and and maybe it's going through a couple of links in that chain of custody and responsibility. Yes, who owns the data?

    Jarno Vanto 35:46

    So I mean, ideally, you know, who wants a date? I mean, I think it's more that, who's responsible for the data. And when we're all responsible for the data that we're collecting, through our mobile apps and beacons, and all those. So we're the custodians of that data for those purposes that we've told consumers that we use for the data for so I think, you know, this, this is all a philosophical debate whether you own the mere personal data or your PII. And somebody's stealing the, what serves the the the industry, industry better is that we have to understand our responsibilities for this data and protected well, and then use it for only for such purposes that we've told consumers that we'd use it for.

    Steve Statler 36:42

    And then, let's see, I think just two last questions, before we wrap up. So one is just say a little bit more about the security obligations we have. So you talked about the restrictions in terms of gathering really sensitive data, but what what should be people be thinking how much security is enough security, when I'm guarding a bunch of personal data about where people have been, where that what their movements have been?

    Jarno Vanto 37:15

    You know, I would say that the on the security side, of course, the, the level of security depends on the type of data that you're collecting. And, and then there's also saying that everybody has been hacked, they just don't know what So. So. So, I mean, one could argue that in real reality, no security, sufficient security, because systems can always be hacked. But, but, you know, take industry standard measures to protect personal data, you know, you only give access to to any personal data that you process, including, for example, like device IDs, and things like that, that can be accessed through the weakest system. And generally, the, if you make security promises, on your privacy policies, make sure that you can actually actually meet those promises, in reality, not many companies can do and then they run the risk of being subjected to FTC enforcement, because they've lied to consumers about their data security practice, there are several cases on this topic that the FTC has dealt with, on very large global companies, so and so. And therefore, don't promise that you're gonna keep your users data safe forever. So it's just something to remember.

    Steve Statler 38:55

    Yeah, be careful. What you promise seems to be one of the underlying themes. And you've actually already talked quite a long time.

    Jarno Vanto 39:01

    You know, keep up to date with your data security technologies, keep your data and secure databases, all those things, of course, are basic things that you should be doing. But but but but don't over promise on security.

    Steve Statler 39:15

    And then, either Is there anything more to say about where this goes in the future? You've already talked about the where the EU is headed, and who knows what the UK is going to be doing? When it if and when it leaves the EU. But any other thoughts about where this is headed in the future?

    Jarno Vanto 39:33

    Well, I think that you know, this, I mean, beacons are talk about ecosystem again, you know, because there's so many things we could talk about where the Future of Privacy has gone all but then ecosystem I think, you know, beacons are just going to be spreading everywhere. And so, at the industrial level, we have to think about how we resolve this issue, for example, meaningful notice to consumers, as you know, that could be surprising to consumers. Whereas when they walk into a physical space, for example, a supermarket or a mall, and then there's all this data collection going on there. So we have to, we have to come up with solutions and how to tell people about this, but also to tell people about the benefits of beacons, because there are really many useful, useful benefits. First consumers on beacon technology, right?

    Steve Statler 40:22

    Yeah, absolutely. And so, I know that one of the things you've been working on is the idea of having a central place where folks can go to to actually see what data is being collected. And that's, to me, I'm an idealist. I think that's a great idea. And we just need to make it easier for people to.

    Jarno Vanto 40:44

    Work and practice. So So again, as an industry, we have to come up with a solution that works. Because if we can provide an opt out, applies to other you know, proximity technologies, and basically anything, for example, cookies, and things like that on the internet, that we have to provide up that mechanisms that work. Kind of health measures are not going to satisfy the consumers, they're just going to be pissed off, because, you know, they thought that, you know, they're that the self that worked, and then they see their device is appearing elsewhere. So we've just got to be, you know, and this requires industry level sort of cooperation and coordination.

    Steve Statler 41:32

    Yeah, can I sign up unicast is, has been doing some work in that area, people should go to their website and check out the work that they're doing. I think that's a really interesting approach. Well, Jana, thanks so much. Your time is really valuable. And I think this information you've provided us is, is very helpful.

    Jarno Vanto 41:52

    It was a pleasure. Thank you so much, Steven.

    Steve Statler 41:55

    And thanks for the chapter in the book. Great work.

    Jarno Vanto 41:58

    Thank you so much. Appreciate that.

    Steve Statler 42:20

    How do you feel about going to Mars? If you were told that you had to go there? Would that be good news or bad news?

    Jarno Vanto 42:27

    Build a little claustrophobic site. I didn't know how I would handle the actual trip there.

    Steve Statler 42:31

    Okay. Well, it probably wouldn't get much better when you arrive. So a reluctant traveler, but you're on there anyway. What? If for some bizarre reason, you could only take three songs, which the songs that you would take with you.

    Jarno Vanto 42:47

    While is a difficult question, because I listen to so much music I have like that in a 17,000 songs on my iTunes and on more on Spotify and Spotify. Now listen to what I might think of three right now. I could say I was thinking of Pink Floyd's, Wish You Were Here and Guns and Roses, Paradise City and Alpha Bells, Forever Young.

    Steve Statler 43:14

    All right, very well is the grand slam the Guns and Roses. We're actually just here in San Diego.

    Jarno Vanto 43:21

    Happy to see them reunite. Yeah.

    Steve Statler 43:22

    All right. And so why did you choose those songs?

    Jarno Vanto 43:25

    Well, they're just kind of a good representation of different stages of my life. You know, those songs have played critical roles in like in my you know, teens 20s 30s kind of thing.

    Steve Statler 43:38

    Your Pink Floyd fan then?

    Jarno Vanto 43:42

    Yeah, absolutely. I went to Roger Waters and now I'm really cool.

    Steve Statler 43:47

    Okay, well, thanks for sharing that.