TAG Cyber Law Journal

July 2019
One appeal of moving in-house was that he wanted to be involved in advocating for an industry, and he more than got his wish.
After nearly 16 years at Lowenstein Sandler, where his primary focus was antitrust, Michael Hahn had an opportunity to become the general counsel of one of his clients. “I think everyone wonders what it’s like on the other side,” he says. But this wasn’t one of his corporate clients. This was a trade association: the Interactive Advertising Bureau (IAB), based in New York. And that was one of the lures. Not only would he be the jack of all legal trades, which appealed to him. There would be a major legal advocacy component that involved “pulling the industry together on common legal issues, and that is something that you don’t find in many in-house jobs,” Hahn notes. For a lawyer who earned a Master in Public Policy while completing his J.D., it was almost ideal. And when Hahn took the job in July 2017, he didn’t have to wait for an important issue to galvanize the industry. One was already there.

CyberInsecurity News: When you arrived at the IAB, what were the big legal issues?
Michael Hahn: When I arrived, the GDPR [the General Data Protection Regulation] was the biggest legal issue facing the industry. But my immediate focus became: How do we develop stronger and more meaningful relationships with the senior in-house attorneys in the industry so that we can better understand what the legal issues are that concern them most? We eventually launched a Legal Affairs Committee to deepen those relationships and to help solve broader industry issues.

CIN: What was the purpose of the Legal Affairs Committee?
MH: About one year into my position as general counsel, I began planning for it with approximately 50 phone calls with member company legal departments. We had some fascinating discussions about what issues most concerned them from a big-picture legal perspective. The other aspect was that if we were going to launch a legal affairs committee, we really needed to do it with high-level involvement and high-level participation by member companies. And while it’s easy enough to have a couple of meetings a year where you bring in attorneys from law firms and from government and have an interesting discussion—and certainly that’s part of the portfolio—if we’re going to do this, we should really be ambitious in what we want to tackle. But that can’t happen without real involvement from members. And that’s doing extra work.
     That was how we began. At our first meeting in 2018, we had somewhere in the neighborhood of 80 lawyers attend—either in person or on the phone. And then, in the fall, we launched our first subcommittee—the Privacy Subcommittee—to focus on the CCPA [the California Consumer Privacy Act] and the GDPR. Basically, we pulled together the privacy lawyers in the Legal Affairs Committee and asked them to focus on key issues. That’s been an area where we’ve spent a lot of time and a lot of effort over nine months.

CIN: How many lawyers are on the Legal Affairs Committee now?
MH: We just pulled those numbers: 238.

CIN: What do you attribute the tremendous growth to?
MH: I think there’s a number of factors at play. Lawyers in the industry understand that we are ambitious in the problems we’re trying to tackle, and I like to think that we provide a high level of engagement and service in doing so. But context also matters. We’re in a period of time where the industry is pivoting as it becomes increasingly regulated, and I think the role of the legal department is changing in many companies. So it becomes more important than ever to understand these common issues that we face and to try to create solutions.

CIN: What level are these lawyers who are representatives from the various member companies? Are there many general counsel?
MH: With 238 lawyers, I’d say there’s a broad representation. We have plenty of general counsel, deputy general counsel, a lot of chief privacy officers. We have a good number of midlevel attorneys as well. So it really covers that gamut.

CIN: What do the members of the Legal Affairs Committee and the Privacy Subcommittee do?
MH: Our activities fall into a couple of different buckets. We have meetings of the broader committee several times a year. We try to bring together interesting speakers to give important updates that lawyers want to hear. But we’ve got a couple of distinct workflows that everyone has worked real hard on.
     Earlier this year we released our IAB CCPA Roadmap. That was a tremendous investment of time by our members. It created a structured and comprehensible framework for the CCPA. It’s really become a critical desk reference for industry lawyers. It gives you the statutory provisions. It gives you summaries. It gives you checkmarks of whether a provision relates to obligations if you’re a “business,” “service provider” or a “third party,” as those terms are defined under the CCPA.  And it also has functionality that we’re building out to crowdsource legal commentary about important provisions. The fact that there are many different perspectives about the interpretation of the CCPA and how to address the ambiguities also is a broader industry challenge.
     When I came into this job, the biggest issues I heard about were the divisions about who’s the controller and who’s the processor and who’s going to be contractually responsible for getting consent. In the context of the CCPA, we’re trying to facilitate a common dialogue around these admittedly ambiguous issues. We’re going to be hosting a CCPA Legal Summit, where we try to have everyone in the same room sharing their different perspectives about how the statute operates. We’re trying to be a common place where the industry can have discussions. And that goes broader than our membership.

CIN: When you say “everyone in the room,” would this involve regulators, too?
MH: No, the CCPA Legal Summit is not going to involve regulators. I think the regulators are focused right now on trying to draft the regulations, which we understand might be sometime during the fall. And believe me, I would love to have a dialogue with the regulators right now, but we need to see when they’re ready to have that with us.
     But we’re in a position where we as an industry need to put compliance programs in place by January 1. We need to make the best-educated decisions we can, based on the information that we have. That might change when we get regulations from the attorney general’s office. So we’re inviting not only our members, we’re inviting other associations, we’re inviting law firms that support many members in this industry, so that we can have an intelligent dialogue about what we think the law says and how it applies in some of the circumstances we see in the industry. And we’ll have another one of these conferences after the regulations come out as well.

CIN: How many members do you have on the Privacy Subcommittee? It sounds like they are the most active members of all.
MH: There are between 30 and 40. And it doesn’t stop with the roadmap and the meetings. We’ve got real issues to figure out concerning how to effectuate the “do not sell my personal information.” This requires broad industry cooperation. We also need to figure out how section 115D of the CCPA applies to the industry. A third party, as defined under the law, can’t “sell” the data of the California consumer unless it knows that the consumer has been given explicit notice and the ability to opt out. But that third party doesn’t necessarily have a relationship with the consumer. So this requires a lot of cooperation between lawyers and engineers to try to solve these problems.

CIN: Is the Privacy Subcommittee also looking at other states?  
MH: It largely focuses on California. The people that we’re bringing together on this Privacy Subcommittee are the people who are responsible, from a legal perspective, for implementation and compliance with these laws.
     What you’re referring to with respect to other states probably comes closer into the realm of public policy. We do have a public policy committee that’s run by our executive vice president of public policy in Washington, D.C.  But lobbying and those types of activities are not ones that the Legal Affairs Committee undertakes.  With the proviso that the Legal Affairs Committee and the Public Policy Committee submitted detailed comments to the California Attorney General’s Office. So, there is some crossover.
     And when we submitted those comments, we went to our members first, and the people who are responsible for creating compliance programs in their companies, and said, “Where do you see gaps between what the law says and what you would need to do to implement? Where do you see the ambiguities arising, as applied to the industry?” So we pulled this group together to work on that submission that we made to the California Attorney General’s Office, because we asked for clarification in a number of areas.

CIN: What about the GDPR? It went into effect in May of last year, but it had been in the works for a couple of years. Did your members already have a handle on it by the time the Privacy Subcommittee was formed?
MH: Our members spent quite a lot of time focused on the GDPR prior to the effective date. At present, we update our members on enforcement actions and are undertaking to solve other common problems that we see in the industry—like inefficiencies that arise from data processing addendums.

CIN: Is cybersecurity an area of concern for you, your members or your organization right now?
MH: I’m sure that it’s an area that our members think about. But it’s not an area that our members are turning to the IAB in a search for solutions. With respect to the lawyers that we’re interfacing with, their areas of responsibility are focused on the privacy issues that we’ve been talking about.

CIN: Did you expect when you took this job that you were going to be as busy and engaged as you have been?
MH: I did. I thought that if I did this job right, I would be busy. This job is entirely what you make of it. It’s about seeing that there are issues to be solved in the industry, pulling member companies together, applying some legal acumen to it, and trying to converge and create solutions. So it’s enjoyable, and also incredibly time-consuming.  

CIN: Have you been surprised by the response you’ve received?
MH: I think some members had a measure of surprise when I called them. A number of lawyers said to me, “I’ve never had a phone call like this in the industry before.” Now, granted Legal hasn’t always been the main focus, historically, for the industry in terms of pressing issues, the way it is today. But I think our members responded well. I come from a client-service-driven background, and I view our members like our clients. So my job is to engage them and listen carefully to what the issues are.
     And there are times when issues are raised, and I say, “Wow, I never even thought of that.” One of the things I heard during my initial engagement calls was, “It would be great if we had sessions that talk about the technical side of this complicated digital advertising ecosystem that we’re involved in. We don’t really want another CLE class. But helping educate our lawyers—in particular some of the younger lawyers who are newer to the industry—around the ecosystem and some of the technical aspects, that would be great.” That’s something I would never have thought of, had I not had those one-on-one calls. And I’m happy to say that we just had our first course, digital essentials for lawyers and public policy professionals. It was completely full.

CIN: Looking ahead, what do you think some of the big issues are likely to be for your organization in 2020?
MH: The biggest legal issues will continue to be around privacy. There are bills pending in a number of states that could lead to additional privacy laws. There are open questions about what those laws will look like and to what extent different state obligations might conflict with one another. And likewise there are efforts underway for a federal privacy law. Our hope is that there will be a federal privacy law that would pre-empt what might ultimately be a whole host of different and potentially conflicting state laws. That’s a pretty complicated landscape that we could be in in 2020.