Ketch

Does your opt-out process actually work or does it just look like it does? Ketch Co-founder and Head of Product, Maxwell Anderson, joined Jodi Daniels and Justin Daniels on the She Said Privacy/ He Said Security podcast to talk through one of the most pressing challenges in privacy right now: why opt-out compliance is a lot harder than most companies realize, and what it actually takes to get it right. A few things worth tuning in for: ➡️ Why connecting your DSR webform to your CMP isn't optional, and what happens when they don't talk to each other ➡️ Why "we stopped collecting data" isn't the same as honoring an opt-out, and what flow-downs actually require ➡️ Why the logged-in-only approach to cross-device opt-outs is a trap, and what the Sling settlement actually says about that ➡️ Why most third-party vendors don't provide privacy APIs, and what that means for companies trying to flow opt-outs downstream ➡️ The three things Max recommends every company do right now to assess their opt-out exposure Plus, Max shares his personal privacy tip, his thoughts on why most companies are well-intentioned but still getting this wrong, and how he spent time learning to hand-pull noodles in China. Listen to the full episode via the link in the caption below. 👇

Your martech stack has 47 tools in it. Legal approved three of them. IYKYK. The other 44 are quietly collecting, sharing, and activating customer data in ways your privacy policy definitely didn't anticipate. And somewhere in that stack, there's a pixel firing on opted-out users that nobody on your team put there. Marketing built it to grow but nobody built it to govern. That's not a marketing problem, it’s actually an infrastructure problem waiting to become a legal one.

Earlier this week, we asked where your privacy teams are spending most of their time. Ketch Co-founder & Head of Product, Maxwell Anderson, has a take on that, and it might sting a little. Most teams end up obsessing over assessments and data maps at the expense of front-end privacy controls, and according to Max, it's the biggest waste of time in privacy programs right now. Here's why. Enforcement doesn't start with your documentation. It starts with what regulators can see publicly: 🎯 Your website 🎯 Your apps 🎯 The observable, testable, front-end behavior that any investigator or plaintiffs' attorney can audit without ever asking for a single internal document. If your consent banner is misconfigured, your tags are firing on opted-out users, and your front-end controls aren't holding up, no amount of documentation is going to help you. Shore up what's visible first. Then worry about the documentation trove. Is your team spending their time on something else entirely? Tell us in the comments. 👇

Your legacy privacy vendor solved 2018's problems really well. Unfortunately, it's 2026. Cookie banners were built for a GDPR-centric world where showing a notice was enough. Regulators and enforcement have moved on, and the recent settlements in the U.S. have made that very clear. But the legacy tools haven't. If your privacy infrastructure was built before identity resolution, cross-device enforcement, and downstream propagation became the standard, it's not protecting you. It's just giving you the appearance of protection. There's a difference, and regulators know it.

The best privacy implementations are the ones nobody notices. ⭐⭐⭐⭐⭐ Because when the setup goes smoothly, teams can skip straight to the work that actually matters. This G2 reviewer in the retail industry put it simply: smooth, hiccup-free implementation with very clear directions, thanks to the support of our very own Joshua Grossman. That's not an accident. It's how Ketch is built. ✅ Clear, guided implementation from day one ✅ A team that shows up and stays engaged ✅ Technology that holds up once it's live When implementation is seamless, teams hit the ground running instead of spending months untangling a setup that never quite worked. Read the full review linked in the comments below.

Between the never-ending legislative updates, new settlements announced every few weeks, and the fire drills that come with both, privacy teams are stretched thin. Everyone knows it. But where is most of the time actually going? We're curious what's consuming the most bandwidth for your teams right now. 👇 Something else entirely? Let us know in the comments!

To everyone who registered for Cocktails with Ketch this Wednesday, we cannot wait to see you. 🍸 And for those who missed the registration window this time around, this is the kind of event we love putting together for our community. Great people, real privacy conversations, and yes, actual cocktail kits delivered to your door. Stay tuned to the Ketch LinkedIn page for future events like this one. See you on May 20th. 👋

Collecting consent is the easy part. Enforcing it across every device, system, and downstream partner? Not so much, and that's where most programs fall short. That's exactly where regulators are looking as well.

A question for the privacy community. If a regulator showed up tomorrow and asked to see how your opt-outs are enforced, how your consent signals propagate, and whether your systems can produce an audit trail,  how would that conversation go? Be honest. 👇

The California Attorney General announced a record CCPA penalty last week at $12.75 million. This serves as an important reminder that as data minimization and purpose limitation requirements mature, the gap between privacy disclosures and actual data practices is becoming one of the most important areas to get right. What made this enforcement action notable is what it introduced to the CCPA landscape: the first-ever data minimization violation on record. Collected for one purpose, retained indefinitely, and sold to data brokers for something else entirely. The lesson isn't complicated but a lot of programs aren't ready for it. Regulators are now comparing actual data flows against public privacy disclosures. The question is no longer just what your privacy policy says. It's whether your data practices match it, across every system, vendor, and use case. Swipe for the breakdown of what went wrong, and five questions worth asking about your own program.