Can AI agents be deployed for enhanced protection? What is a “triple extortion”? How is ransomware evolving? Is there hope for SMEs?

Sam Kaplan is a policy, legal, and national security professional with over eighteen years of experience across the public and private sectors. He is currently the Assistant General Counsel for Public Policy & Government Affairs at Palo Alto Networks, providing legal guidance on domestic and international legislative, regulatory, and policy matters, with a focus on cybersecurity, AI governance, privacy, data security, international data flows, and public-private capacity building.

Before Palo Alto Networks, Sam led the global product policy team for Facebook’s News Feed and News Tab at Meta Platforms, addressing issues like AI/ML fairness, algorithmic transparency, platform integrity, election security, misinformation, and harmful content.

Prior to his private sector roles, Sam spent over thirteen years in the Federal Government. He held senior leadership positions at the U.S. Department of Homeland Security, including Assistant Secretary for Cyber, Infrastructure, Risk and Resilience Policy and Chief Privacy Officer. Earlier government roles included work at the U.S. Department of Justice (Office of Legal Policy, Bureau of Alcohol, Tobacco, Firearms and Explosives, and U.S. Attorney’s Office for the Eastern District of Virginia) and as Counselor to a member of the Privacy and Civil Liberties Oversight Board, focusing on the U.S. Intelligence Community.

References:

* Sam Kaplan on LinkedIn

* Palo Alto Networks

* Unit 42 Research (Palo Alto Networks)

* Cyber Information Sharing and Collaboration Program (CISCP) at CISA (Cybersecurity and Infrastructure Security Agency)

In this live recording (January 14th 2026), we have conducted a comparative law exercise (US/EU) regarding ePrivacy compliance through Universal Opt-Out signals.

Alan Chapell is the President of Chapell & Associates, a law firm serving media and AdTech. He is outside counsel and CPO to several of the leading advertising and technology companies. He regularly publishes both The Chapell Report and The Monopoly Report.

References:

* Alan Chapell on LinkedIn

* The Chapell Report

* The Monopoly Report

* IEEE P 7012 (MyTerms)

* Alan Chapell: The many struggles of Google’s Privacy Sandbox, and how to deploy it in compliance with EU and US privacy laws (Masters of Privacy, May 2024)

* Can the GPC standard eliminate consent banners in the EU? (Sebastian Zimmeck, Harshvardhan J. Pandit, Frederik Zuiderveen Borgesius, Cristiana Teixeira Santos, Konrad Kollnig, Robin Berjon)

* The slippery slope of consent banners in preventing CIPA and VPPA claims: why effective Opt-Outs will prevail - also in the EU (Sergio Maldonado).

It is time for a seasonal update at the intersection of Marketing, Data, Privacy and Technology. We will stick to our usual five blocks: ePrivacy & regulatory updates; MarTech & AdTech; AI, Competition and Digital Markets; PETs, Zero-Party Data and Customer Centricity; Future of Media.

This season’s update includes:

* CJEU Russmedia decision (“mere conduit” safe harbour overridden by a marketplace’s role as a data controller)

* EU/UK DPA fines (LastPass-ICO, Infobel-APDB, AMEX-CNIL, AENA-AEPD)

* California: Public enforcement (by both the AG -JamCity, SlingTV- and the CPPA) and status of CIPA lawsuits

* Texas’ AG vs. TV manufacturers

* New legislation: EU Digital Omnibus, California’s spree, US Executive Order on AI

* Most recent adventures and daring moves of Meta, OpenAI, Google, Apple and X in the face of MarTech/AdTech constraints, market dynamics, antitrust actions and other enforcement initiatives.

(Our referenced monographic episode on CIPA/VPPA litigation is available here.)

All references and links can be found in a separate blog post available to Masters of Privacy Connect subscribers on our website’s Newsroom section (Newsroom Notes: Fall 2025).

Our usual disclaimer: the voice that joins Sergio today is a text-to-speech output generated with Eleven Labs.

Happy Holidays to all of you :)

On Wednesday November 19 2025, the European Commission unveiled its Digital Omnibus Package, which was basically split in two proposals: a proposed Regulation on simplification for AI rules; and a proposed Regulation on simplification of the digital legislation. We will tackle the first one today.

Today we are reviewing that AI-related block with Oliver Patel, who is AI Governance Lead at the global pharma and biotech company AstraZeneca, where he helps implement and scale AI governance worldwide. He also advises governments and international policymakers as a Member of the OECD’s Expert Group on AI Risk and Accountability.

References:

* Oliver Patel, “Fundamentals of AI Governance” (now available for pre-order)

* Enterprise AI Governance, a newsletter by Oliver Patel

* Oliver Patel on LinkedIn

* Oliver Patel: How could the EU AI Act change?

* EU proposal for a Regulation on simplification for AI rules (EU Commission, covered today)

* EU proposal for a Regulation on simplification of the digital legislation (EU Commission, not covered today)

* Europe’s digital sovereignty: from doctrine to delivery (Politico).

Can the growing use of first-party data in mobile app advertising result in more effective, privacy-preserving ads? Are app store policies (around fingerprinting and the use of deterministic IDs) more relevant than specific data protection laws and enforcement actions? Can AI take contextual information to the next level? Will LLMs result in collecting less data in order to anticipate customer journeys?

Zino Rost van Tonningen is the CEO of TyrAds, a cutting-edge adtech company revolutionizing mobile app marketing with privacy-first programmatic solutions. With over a decade of experience in growth and product strategy for fast-moving brands, Zino combines creative agility with strategic rigor to help startups and established app publishers scale effectively in today’s cookieless ecosystem.

References:

* Zino Rost van Tonningen on LinkedIn

* TyrAds: Mobile App Growth Simplified

* Spotify: How We Automated Content Marketing to Acquire Users at Scale

* Apple Developers: User privacy and data use

* ATT opt-in rates in 2025: Benchmarks, insights and how to increase yours (Purchasely)

* Overview of the SDK Runtime on Android

Dr. Stefano Bennati has over a decade of experience developing tools and processes to ensure data-centric organizations comply with privacy, licensing, and responsible AI standards.

Our guest has led privacy engineering and responsible AI teams with a global mandate. His work includes building and deploying compliance tools such as code scanners, AI-powered algorithms for personal data detection and anonymization, design processes for compliance with ISO 27701 Privacy IMS and ISO 42001 AI IMS standards. His latest work is a book (co-authored with Dr. Engin Bozdağ) is titled “AI Governance: Secure, privacy-preserving, ethical systems”, a practical and accessible guide to govern AI and mitigate security, privacy, ethics and regulatory risks.

References:

* Dr. Stefano Bannati on LinkedIn

* AI Governance: Secure, privacy-preserving, ethical systems (Engin Bozdağ, Stefano Bennati) - Use this code to get a 50% discount between Nov 25 and Dec 9th 2025: MLBozdag.

* Lokke Moerel: using personal data in the development and deployment of AI models (Masters of Privacy, December 2024)

* An overview of machine unlearning (Chunxiao Li et al., 2025)

* Discussion Paper: Large Language Models and Personal Data (Hamburgische Beauftragte für Datenschutz und Informationsfreiheit)

* EDPB Opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models

As promised last week, today’s episode provides greater context on US ePrivacy audits, CIPA/VPPA claims, and EU-US comparative law as it affects the rollout or maintenance of MarTech solutions on websites and mobile applications.

References:

* “The slippery slope of consent banners in preventing CIPA and VPPA claims: why effective Opt-Outs will prevail - also in the EU” (Sergio Maldonado, November 2025 - you are listening to Part I of the more comprehensive analysis)

* Jennifer Oliver: privacy litigation over pixels, trackers, and cookies (Masters of Privacy, August 2025)

* From wiretapping and video rentals to website pixels, SDKs, and APIs. CIPA/VPPA litigation, risk management, and practical strategies (Nov 2025 update)

* Toolbox: Fast CIPA/VPPA website auditing and case law matching for legal professionals (Alpha release).

In this live recording (November 6th 2025) we have tackled website protections from pixel-related litigation or public enforcement, paying closer attention to technical measures and the bridge between legal compliance and code-based strategies.

Our repeat guest is Daniel B. Rosenzweig, Founder & Principal Attorney at DBR Tech Law. He advises clients on legal and technical compliance with data privacy and AI laws, and counsels clients on industry mobile app store requirements, AdTech, and privacy-enhancing technologies.

Daniel’s legal practice is unique in that he develops and codes technical solutions to help serve as a bridge between legal, marketing, and technical teams, in addition to providing clients foundational legal services (e.g., conducting risk assessments, drafting disclosures, etc.). He excels at assisting organizations put the law into action by translating complex legal requirements into actionable technical implementations.

Our next live recording session is scheduled for Wednesday January 14th 2026. Find more information on the Events section of the Masters of Privacy website.

References:

* Daniel B. Rosenzweig on LinkedIn

* DBR Tech Law

* From wiretapping and video rentals to website pixels, SDKs, and APIs. CIPA/VPPA litigation, risk management, and practical strategies (Nov 2025 update, Masters of Privacy)

* Daniel Rosenzweig: OK, fingerprinting (Masters of Privacy, February 2025)

* Jennifer Oliver: privacy litigation over pixels, trackers, and cookies