Hi Ian, please tell us a little bit about your journey in the technology world and how your perspective changed in the last 2-3 years about the industry?
IAN: I started in online instructional design in the early days, doing projects with many different groups, from the National Science Foundation to university courses.
After that, I spent many years working to make consumer-permissioned data easier for the consumer to actually access and understand, first with credit reports and scores when I was the CEO of Credit.com, then at Experian as the Chief Product Officer. I also worked as an advisor on numerous other startups in fintech and/or cyber privacy following Experian.
You’ve done multiple startups and worked as The Chief Product Officer at a large company. Why did you decide to start Lokker now and how did you raise $14M? In other words, why Lokker and why now?
IAN: After years of working in consumer data and watching it proliferate so much over the last 5-10 years, I decided I wanted to start a company that would protect people’s privacy. After looking at a bunch of different approaches, it became very clear to me that the enterprises would have to manage this process. First of all, it’s far too complex a task to burden a consumer with. Second of all, companies are now constantly getting hit with data breaches, phishing and ransomware attacks, not to mention regulatory fines, so they are well incentivized to solve the problem.
Our unique approach was to treat every browser as an endpoint. More than 70% of the code loaded into our browsers is coming from third parties, rather than from the origin sites we visit. Moreover, the enterprise operating these websites are unable to see most of this activity, let alone control it.
So, we figured out a solution to this problem. That solution, along with three macro conditions earned us funding:
- There is a massive amount of awareness about our lack of privacy, particularly when it comes to our kids using social media.
- There are numerous new regulations driving change.
- Cloud software. We all use it, and it is often served directly to the browser, so this problem is rapidly growing.
Your site talks about “Beyond Consent Management.” What do you mean by this?
IAN: Transparency is important, but when you’re asked to consent to cookies, you are only seeing a fraction of the trackers that actually gather your data in the session. Additionally, even if we’re only talking about cookies, oftentimes there are many dozen or hundreds of cookies. How is anyone supposed to know how to accept or reject each of these? So again, consent is very important, but it’s far from a solution to online privacy.
Could you please explain how consent management has emerged as a must-have business requirement for modern digital organizations?
IAN: The first privacy regulations were GDPR in the EU, and CCPA in the US. These regulations focused almost entirely on cookie consent. So, the first types of enforcement dictated the focus on consent management. At least surfacing the use of these cookies in a consent form offers some transparency to the end user.
That said, while regulations have made cookie consent a major point of focus, the problem of oversharing user data without their knowledge goes way beyond cookies. There are hundreds of trackers on most sites that use non-cookie tracking.
There have been a ton of recent headlines about privacy actions taken: several class action lawsuits against hospitals sharing health data with social media companies, Congress actually talking about a bi-partisan bill (the ADPPA), the FTC and CFPB announcing new sweeping standards, not to mention new state privacy laws going into effect. Why so much activity in 2022, and where do you think this is headed?
IAN: I think we’re just getting started. We’re going to see many more headlines as transparency increases. The crux of what’s driving the recent headlines specifically is the “on its face” absurdity of what people are starting to discover. For example, medical data getting gathered by social media pixels (trackers) was the basis for one lawsuit. Another had to do with an ad retargeting company being accused of tracking form data from users when they visited other websites. People feel violated. Beyond the annoyance of spam and creepy ads, there are serious consequences to oversharing this data, including ID Theft, Phishing attacks, and most of all, who else has access to this data (from thieves to nation states).
Please tell us about the market you are targeting and how Lokker impacts business results.
IAN: We are targeting enterprises that work in areas that gather sensitive data from their customers, primarily including healthcare, financial services, insurance, and network services like CDNs. Lokker is able to substantially decrease risk and overall surface area exposure with a single line of code. Moreover, we do this without negatively impacting the web user experience. That’s the hard part in all this. We’re pretty pleased with our solution.
How does Lokker work with CMOs, in addition to CISOs and CTOs? What advice do you have for CMOs navigating the current environment, which is increasingly hostile to some (even many) of the existing marketing methods?
IAN: CMOs have perhaps the most vested interest in being able to place third-party services and tags on sites so they can do their jobs better. We enable CMOs to do this work without many of the downstream effects that either delay their being able to deploy their campaigns, or block being able to do so altogether.
- Treat each tag you drop on the site as a potentially harmful asset and assign a business owner to that tag.
- Retire trackers on a regular cadence. We often see trackers that are years old. They are still collecting your users’ data.
- Get a full readout of all your trackers once a week
- And of course, use Lokker!
For international companies, navigating each country’s privacy laws, not to mention multiple state laws in the US, seems like a contortion act. What practical advice can you offer marketers to remain effective in this environment?
IAN: In addition to the advice above for CMOs, international companies have to comply with an even larger patchwork of laws. The smartest way to do this is to tackle the problem at the source by tracking only what you need. The overall area of exposure is too large at most companies due to downstream trackers (the trackers of your trackers).
We monitor trackers by geographical region, too. Inevitably, you have to do this.
Monitor for fingerprinting scripts. These can track users on an ongoing basis without using a cookie.
Lastly, be very careful about any third-party assets on pages that collect form data. This is where we see companies getting into the most trouble.
Many privacy requests fall on marketing to implement. What advice do you have for marketers to not only navigate through this? Is there a competitive advantage to be had?
IAN: I would reiterate my last two answers in terms of specific advice on how to manage privacy as a marketer.
In terms of the competitive advantage, at the very least, protecting your company’s reputation from oversharing and ending up in the headlines is becoming a competitive advantage. Even better, being proactive and emphasizing your company’s privacy to your customers is huge.
What are some of the main privacy vulnerabilities that marketing should be aware of when launching new online campaigns.
IAN: Your third parties also use third parties, and these become 4th parties to you. These 4th parties use other software, and these become 5th parties to you, and so on. We’ve seen this chain go over 20 layers deep, so the oversharing grows exponentially. It’s essential to always look at what your campaigns are doing at the individual browser level.
Specifically, fingerprinting scripts are becoming a major vulnerability. This is where a tracker takes a unique snapshot of your browser and machine settings and assigns a unique code to “you” that follows you around the web. This includes your competitors, as well as bad guys.
Putting any trackers on pages behind logins is particularly concerning and best avoided unless absolutely necessary.
You’ve got some top talent on your team and board, especially for a company your size. Can you talk about how the group came together?
IAN: Great mission, great people, great timing. We’ve all been fortunate in our careers and have the opportunity to do what we really want to do. In this case, we bonded over the mission, and moreover, the real-world action we can take to help fix the problem and restore privacy online.
I met our chairman through our investors and we bonded over the mission. Moreover, we both wanted to build actionable solutions for companies.
Jeremy Barnett and I worked together at his last company. And most of our advisors came out of our mutual network.
You mention Privacy as a competitive advantage. What does that actually mean?
IAN: To put it in the negative, consumers won’t go to a site that they don’t trust, and this trust is easily lost. To put it in the positive, an enterprise that protects its customers’ privacy, and shows its customers that it is doing so, earns their customers’ trust and appreciation.
No one ever wanted to be tracked and targeted–i.e. treated like a commodity. That’s exactly how people often feel. It has become the default expectation for many.
Why would a brand ask for consent to mistreat their customers? Companies that are the first to step up and do better will earn their customers trust and respect.
Your take on the future of AI and machine learning technologies in managing privacy of users?
IAN: Longer conversation! We will need to escalate most issues to humans for some time to come. AI can help reduce noise.
Just as algorithms are used to target advertising today, they can also be used to target the bad guys and block threats and other trackers by default. That’s part of what Lokker Intelligence does today.
Tag a person from the industry that you would like to see featured in our Interview series?
Lara Liss, CPO for Walgreens and Stephanie Schmidt, CPO for Prudential.
As CEO and Founder of LOKKER, Ian is dedicated to providing solutions that empower companies to take control of their privacy obligations. Before founding LOKKER in 2021, Cohen formerly served as CEO for Credit.com, and CPO for Experian, where he focused on consumer-permissioned data.