 All right, bigger audience than I was expecting. That's good to see. Let's start out with some questions for you guys. How many people in here are content authors and editors? Couple? How many people are marketers? Developers? OK, most people. Glad I got some of that. I'll have something somewhat technical towards the end of the presentation. So not all about content, but yeah, let's dive in. My name is John Doyle, I'm the CEO of Digital Polygon. My goal is to help build a better internet. And I really enjoy hiking, snowboarding, and sailing the Seven Seas or the local lake, maybe. A big shout out to Rick Buck, who helped me put together the original version of this two or three years ago. And I've been updating it ever since. Rick was the CPO at a company called Wirewil and recently just switched jobs to be the data privacy officer at another company. He started two days ago. I don't remember the name, so which one? Yeah, I own his pharmaceuticals. So agenda for today, we're going to talk about the privacy landscape in the US and how it's evolving. We're going to talk about how privacy is going to impact your website in the United States. And then we'll talk about some useful resources staying ahead of the laws. I'll try not to put you to sleep and let's jump into it. So first thing for everyone to know is that privacy changes are moving fast. How many people have dealt with privacy on their websites? OK, most of you. All right, how many people on just the GDPR side? What about the US laws? OK, so less on that. OK, so to give you some background, over the last five years, not including 2023 on this graph, six laws have been passed in the United States. In 2023 alone, three have been passed so far. So when we talk about rapid growth, you're seeing more and more speed coming to these legislations. And it all started with California and the other states have rapidly been evolving and picking up from where California set the bar and going from that. But every state has slightly different requirements on their privacy laws, which makes things extra fun. If we take a look at this on a graph of the US or a map of the US, you can look at 2022 versus 2023 here. And you can see that there's a whole lot more green on the map. And the green is signed bills that have gone into effect for new privacy laws. And like I said, it's getting more complex. More and more things are coming. It's not going to stop anytime soon. And last time I checked, there wasn't not a likelihood that the federal government is going to pass comprehensive privacy law anytime soon. But hopefully they'll surprise us so we can stop dealing with all of these one-offs. When we look at some background on the states and when these laws go into effect, here's the dates. California is already in effect. Next month, Colorado and Connecticut go into effect. At the end of the year, we've got Utah. And then through 2024 and through 2026, we've got four other states that are going to start enforcing the legislation that's been passed. So this is just going to give you an overview of the landscape of how these things are trickling out to kind of set your mindset of this is not something that's going to go away or not something that's going to slow down. It's just going to get more and more complicated as this goes on. And if you take a look at the requirements for these laws, they don't impact every business. So California, for you to be implicated in the California law, you have to be doing business in California and then meet one of the following requirements here. So 25 million in revenue, 50,000 plus customers in California, and 50% of that revenue is from selling data for sales. And if you go into CPRA, it's from selling or sharing that data. And some nuances here. For CCPA, the selling of data was pretty ambiguous. CPRA made it very clear that if you're sharing data with Facebook, that is a sharing of data. And you're breaking the California law if you're not letting someone hop out of that. And if you haven't heard of something called the Sephora decision, Sephora was fined $1.4 million for not taking automated consent from users on their website for a Facebook pixel. So that kind of sets the precedents here for marketers and how freely we used to be able to use this data and how that is changing. And then if you look at the actual landscape here, you're not meant to actually read this graph. But at the top, we've got the states that are passed. And at the bottom, we've got all of the other states that have legislation in process for bills that are active to move forward in this process. All of them have similar pieces to them, but different requirements. And I'm not going to go through these in detail in this section. We'll dive more into what it means for your website. But the laws are pretty well categorized into these different types of consumer rights that they're trying to protect. And we'll get into here in a minute what that means for your website. But before we jump into that, some key takeaways from the landscape. There's an increasing number of international and US privacy laws. And most of the new laws closely resemble GDPR. And the fact that you need notice and choice, you need privacy rights, there's a focus on ad tech. So all of these privacy laws are about protecting your data as a user and limiting how organizations can use that data without your consent. And there's heavy penalties being assessed for breaking these new laws that are going into effect. I always like to say, who has the data has the power. And it's our responsibility to leverage that power wisely and to be able to do it in a way that benefits our users. I think we're getting more and more into this idea of a trust economy. And brands are starting to lose traction if they break consumer trust. And privacy is one of the ways that this is going to continue to evolve. So all of the things that you do as a marketer or that you support marketing as a developer for building user experiences and personalizations and targeted campaigns and advertising, all of this is going to be greatly impacted by these new privacy laws. And it's important for us as web teams to figure out how do we work in this new space and how do we still enable marketers to do their jobs? So I talked a lot about privacy laws. I talked a lot about the changing landscape, got the boring stuff out of the way. What does this mean for you? What does this mean for your website? Let's break it down into three categories. These laws basically say marketing teams need to do three things. You need to provide information. You need to facilitate requests. And you need to manage user consent. If we dive into each one of these, as a website, providing information are things like privacy notices and cookie usages. So GDPR, you have a cookie banner. It's got all your cookies on it, all the vendors that you use. And you need to tell your user what you're doing, how you're collecting information, and how you're using it. Facilitating requests is allowing users to reach out to you and make a request to delete their data, access their data, fix it, or port it. You'll see this in the industry. It's called DSAR requests. It's kind of where this started with CCPA. And your website is your storefront, right? So it's important that a user can come to your website and make these requests because there's likely not another easy way to get to you. And lastly, it's managing consent. Everyone's probably familiar with cookie consent. It's been around for a long time with GDPR. But these new laws don't target cookies. And we'll get into that a little bit more here in a minute. They target tracking, right? There's all of these new marketing vendors that pitch cookie list tracking. That doesn't matter. It's still tracking user data. It's still tracking users. It's still a problem when dealing with these laws. Do not sell, do not share. You'll see that. And then there's also consent for targeted advertising. A lot of these laws have additional nuances for special use cases. So kids, for example, and health and medical, there's a lot of new legislation coming out for anyone that deals in that space. And there's different requirements for organizations for that. As a whole, in the US, for normal websites that are targeting consumers for e-commerce or marketing, it's typically an opt out instead of an opt in like GDPR. So you can still market to people until they opt out. But one important thing that we'll dive into a little bit here is you have to give your users the ability to opt out before you start tracking them. And that adds a lot of complication to how do you show them a website? How do you give them a good user experience? How do you enable these users to opt out while still giving them your website? And what's the right amount of time? Is it five seconds? Is it 10 seconds? Is it, hey, I need to show you a modal and you have to click through it? All of which have different impacts on your user. So some examples of providing information. A lot of this is your privacy notices, cookie notices, data collection. A lot of organizations are putting together these privacy centers on their website. I think this is HomeDevose. Has a pretty good layout here. Talks about what they do with privacy and how they collect information and gives you the tools to contact them and opt out as well. Facilitating requests. This is typically a form on your site for a lot of smaller organizations I've seen just email addresses. You're not required to have a form or an intake on the website, but this helps you automate it. And but you do need a section in your privacy policy or somewhere on your website to take these requests and then you have to actually execute them once you get it. So don't just throw an email inbox on there that's not monitored because you can get in trouble for not obviously executing on these requests. And lastly, managing consent. So everyone has seen the cookie banners or not seen them on websites. And then we'll talk about a couple other automated controls here. One is the global privacy control or GPC signal. This is probably actually why Sephora got fined. It wasn't that they weren't giving users the ability to opt out. It's that they weren't allowing the automated decision making to happen. And GPC is the control that kind of sets that up right now for the do not sell, do not share functionality. One other thing to note. There are no requirements in the current US laws as I've been hearing from legal experts. I am not one. That cookie banners are required in the US. So I think industry is realizing banner blindness is real. Cookie banners suck. They're not good user experiences. There's gotta be a better way to do this. And you'll see a lot of the new tools and technologies coming out in the US to solve these problems don't involve banners. A lot of them are putting links in your footer for your privacy choices. So if you go to Sephora, you'll see it in their footer now. A link that says your privacy choices that'll take you to a portal and give you the options to opt in or opt out. And the automation around it with the GPC signal is how you can automate that for users that maybe that deals with the problem of allowing them to opt out before you track. But we'll see how the market evolves with that. So let's take a simple marketing example for consent and look at how this actually works with your website. Here is a diagram. You've got a website, you've got Google Tag Manager and you've got a bunch of tracking pixels through Google Tag Manager that load on your website. Your setup might look something like this and it might look a little bit different, but when someone opts out, basically what we do is we stop firing scripts. It doesn't matter for the cookies, right? Third party cookies are gonna go away. So deleting cookies doesn't stop you from being tracked. You loading a URL from a third party, they've already got the IP address of the client that it was loaded on. That is tracking personal information and allowing you to be targeted specifically based on that information. So again, it's not about cookies, it's about the scripts that you're loading on your website and the third party data that is being collected by them or the data that's being collected by the third parties. I guess this is better way to say it. So basically when someone comes in and opts out, ideal state, hey, we turn off GTM or we turn off the tags within GTM so we're not loading these third party scripts and I don't have a problem anymore. Obviously it's more nuanced than this. I don't think anyone's gonna have a stack this simple and a lot of times your application will actually set additional cookies and tracking scripts that you may also have to deal with depending on what laws you're dealing with. So your results will vary here. Sorry to anyone that's not technical. This next section is really meant to give you an idea of how the industry is thinking about solving these problems at scale with the laws and what might be to come for tech teams though more likely than not you'll start seeing third party tools that are gonna solve this for you so you don't have to deal with the details but I think it's interesting to explore nonetheless. So let's recap. Users need the opportunity to opt out before the tracks. Some of the laws have opt in for certain conditions so depending on what you're doing there's some complexity there. GPC signals cover the do not sell, do not share but what about the other 12 pieces of consent that these laws indicate I have to deal with? The number of laws is gonna continue to increase it's not gonna decrease, it's not gonna centralize. Your organization is gonna have to deal with do I geotarget by state? Can I really do that effectively? Should I do it across the whole US and then what's the aggregate set of state laws that I have to deal with? It's not a trivial answer and I don't think I've seen any two organizations we've worked with on this make the same decision. We're trying to get people talking and working together with legal teams to do this and there's a lot of privacy teams working with the industry to try to get this kind of ironed out but we're not there yet. So standards are gonna be introduced, right? So how do we deal with this? Websites are gonna be expected to adhere with the standards in Europe. You've got something called TCF 2.0 which is a way for a framework that the web, your website knows how to talk to your marketing vendors and they know how to read these signals that are being passed back and forth. In the US, the IAB has proposed something called GPP or the Global Privacy Platform for the United States signals and I'm just gonna walk you through a couple of slides from the IAB here on what this spec is and what they're proposing. So you can kind of understand the complexity of what they're trying to solve here. So this is kind of a diagram of what happens when an ad request is made to an ad vendor and I'm not gonna go into all the details here but basically your website sends a request out via an API to an ad agency that gets sent out to other bidding platforms and then people bid on that ad space on your website, right? So how do these ad spaces know if they can track users and if they can use this data and if I can pass this data on? They're proposing that we put together this nice little string of three values, right? What's in the string? Encoded values for these other two sections and we'll get into this here in a minute. It's gonna be encrypted. It's gonna not be human readable and it's actually pretty complex to deal with but they wanna build a standardized way to deal with this. So this is basically what it's gonna look like. This is taking one state into account for California. You've got the conditions over here. I'm not gonna go through them all but they were shown the privacy notice. They did not opt out of seller share and the GPC signal is not detected. You've got about 10 other values here. You're gonna convert this into a bit representation and then encode it for California and that's gonna be the first part of your string. The second part is gonna include the sections that you're dealing with with California, which again, getting really technical and legal here which most web teams are gonna be like, what is this? And then lastly, you're gonna encode the header here which is going to put those three pieces together and you're gonna get this GPP string here that looks kind of like garbage at the bottom and this is what you're gonna send out on your website to all of your vendors and say, this is what my user decided. Hopefully, none of us in this room are gonna have to go and do this. We're gonna rely on third party vendors to give us a tool that we could put on our website and make this happen but as these privacy laws get more complicated and these things come out and they're actually getting regulated against, we probably need to understand how they work and get more up to speed on them. So what tools are there to help right now? Well, if you're compliant with GDPR, GDPR goes further than the US laws and if you implement GDPR in the US, you're gonna be covered by 99% of the laws because it's an opt-in regime. You're not gonna load any tracking until someone opts in. In the US, you'll have to opt out so you're already doing that. Downslides to that is you can't market to people until they opt in and opt-in rates are very low, right? So not really a great choice here. There's a number of vendors that are working on tools for you to integrate into your website and support this. They've got privacy teams, they've got lawyers working with them and they ideally will start integrating the new laws into that platform, handling the GPP strings for you and setting this up so that as the new laws come out, you're already protected with the tools that they provide. Important to understand this, you know the right questions to ask when you're going to look for a vendor and what their tools are, right? Just like any other sales tool or sales products, they're gonna try to study the tool and then you're gonna figure out if it works or not for you. So important for you to understand how these privacy laws work and what the setup is. We've already talked about GPC a bit but this was first announced by the AG of California and the idea is that we should be able to set on our browser that I don't wanna be tracked and my websites that I go to should respect that and if that mechanism happens, it gives users the right to choose and it gives a simple way for websites to be able to automate that decision. We don't need banners, we don't need these complex tools to do it and ideally on the website, if I like it, I trust the brand, I can override that signal for just that website. Like I said, this right now only takes no account that do not sell, do not share. So we'll see where the market takes it but it's a good place to start and you really wanna make sure any tool that you pull in respects these automated signals because again, it's why Sephora got fined for not dealing with that. To make this more complex, you've also got downstream vendors that are implementing consent mode like Google and Google says if someone opts out and you have the right headers on your page, we're gonna not track the user on our tools. This is great but the other 99% of marketing vendors don't support this. They expect you to not fire it, right? And it's on you to understand if your downstream vendor is supporting it, they're not gonna be sued for it, you will be. So just take it with a grain of salt. These tools are nice, these frameworks are nice for the tools that support them but I don't think I've ever seen a marketing team only use Google to do this and yeah, so just keep that in mind as you're working through it. All right, key takeaways. Privacy is more than a button on the bottom of your screen. It's more than a cookie banner. Just putting out a cookie banner is not going to give you the compliance that you need to deal with the new privacy laws. It's your organization's responsibility to know the laws and regulations. You can't expect the downstream vendors to do it. They're not the ones that are gonna in trouble for it, you will be. And it really can be as simple as say what you do and do what you say. Your privacy policies should say what you do and your website should do what you say. And if you can get behind those principles, you're giving users the right to choose. You're building trust with them and this is how we can drive that forward. And together we can build a better internet. So I've got a list of additional resources and all of the graphs and information that you saw on the deck is available on the IEPP website. So IEPP is an organization that supports, runs conferences for privacy. So if it's something that you're interested in, I can share the slides for sure. There's a few other vendors that have tools for comparing laws and how they differ from one another. Wirewheel has the privacy laws comparison table on their website, IEPP has some additional tools there. And then I link to the specs, the technical specs of the GPC and GPP spec here. Most of these things are GitHub repositories. So you can go in, see how the code works, see how the specs are defined. Very developer friendly. And we can learn a lot from what Europe has done with the TCF 2.0 framework as well, which I'm sure a lot of you guys have had to deal with this. So that's all I have for today. I know I went through that really fast. So I want to open up for questions and if there's anything else you guys want me to go through again. Yeah, yeah, GA4 is a good example of a lot of the newer technology and the power of really ML, right? It's taking those heuristic identifiers like your IP address and your browser ID and things that you haven't given anyone but they can track you with. And it's not that this hasn't been done before, it's they're making it more transparent to you and giving you more access to that data and exposing it through the new tools that they have. So yeah, I mean, it's really interesting on how that goes. And I think as we see the market mature, we'll see a lot more first party data platforms come out, a lot less third party, but most organizations aren't prepared to deal with first party data and capturing and organizing and reporting on it. So yeah, we'll see. Yeah, yeah. And the good thing about the laws is really making companies and marketers understand what they're actually doing with this data and what data they're giving to users, right? I think Facebook is a good example. We can probably all relate to and just how much data Facebook took from anyone who used it and how they're using that to market. So yeah, I find it fascinating. I don't know if I watched the social network and yeah, always fun to inspire about. Any other questions or stuff? Yeah, we're seeing the same thing in the U.S. And I talk through GPP because it talks about the complexity of the problem they're trying to solve. But without the buying of the downstream vendors and without them being held accountable, right? There's, it's their product roadmap. It's something that's not gonna generate them more revenue unless marketers say, I'm not using you until you get this. That's impactful enough to do it. So a lot of the tools will probably still have to comply with that because it's gonna be a regulation for the websites to still push it out. But yeah, I think they tried something else in the U.S. with the U.S. privacy signal, which was a four character bitmap on for do not sell, I believe, or yeah, I'd have to look up the spec again. But anyway, it was the header that you put on your page requests and all the downstream vendors were supposed to respect it and stop tracking that user downstream. But I don't know, less than 1% actually adopted it. And then Facebook came out with their own version of it called LDU and then gave you some custom information to inject in there instead of using the signal. So I think we're gonna see that same problem in the U.S. as well. So a lot of the tools I'm seeing come on the market right now are similar to cookie banners where you go to a section that you can opt in or opt out that respect GPC, but they don't have banners. And once you've got that signal set, you have to manually integrate that with your tag manager or with your website to respect the actual user's consent. And if anyone's done this for GDPR, you've probably gone through your tag manager and put a new conditional in every single tag that you have to respect the user's cookie consent or not. It's the same thing with the U.S. But just a different set of consents. You're not doing it at the marketing pixel and cookie level. It's more holistic, right? Do not share my information means just turn off all tags that share this information. So, sure. I don't know much about it, sorry. Okay. I'm a little bit. Yeah. I'm easy about it. Yeah. I haven't seen that come through yet. I'm assuming it's a play for them to push CMP and to try to CYA. But yeah, I haven't seen any of the big cookie platforms market that either. So, I'll take a look at it after the presentation now. Yeah, I don't know when the recordings will be posted, but I can also share the slides afterwards. I'll put them on a slide share and if you find me, I'll give you a link in the back. Yeah, I'm not familiar with that specifically. Like the actual API itself. Most of what we've been doing is on the web pixel tracking side, but I know for sure there's been a lot of new legislation out about healthcare information in particular and targeting around that. So, I think you have a right to be concerned. I don't know if anyone else has any thought on it or experience with it. No? I can help connect you with someone that'll have the answer if you're interested. For sure. Yeah. I mean, unless they can give you the documentation on the specs that tell you how you cannot track someone through that or turn off tracking, that would be, yeah. So, we've through partners, I have, and there's a lot of, with both Wirewell One Trust and Dodomi, I've seen a lot of webinars with law firms talking about how you take these privacy laws and how you can help guide your counsel on how to move these forward. A lot of the recommendations I'm seeing for people that operate across the US is try to remove the complexity of it, right? Because things are moving so fast. Go with the safest bet across the board for the whole US. That way you're not getting into one-off legal battles. My IP didn't say California, but I'm sitting in California, that type of thing. So, yeah. I think Wirewell runs a privacy conference called Spokes and there's a lot of good sessions there with industry speakers and law firms and they've got a big library on their website. I'd also recommend checking out. So, but they usually don't get web either, right? They're looking at the laws, they're telling you what you have to do, but they don't understand how that impacts from the website side. So, education is also important, I think. So, I think so, yeah. And I think pay special attention to California. It's the most mature and a lot of the other states are basing their laws off of California, primarily CPRA now. So, that's definitely where it start and it's not new. I mean, California passed the laws, what, 2019? So, people have been working on that for a long time, getting ready for it. There's technology vendors getting tech out there to support that. But anyone who tries to target just California because they don't want to mess up their marketing in Oklahoma, it's a challenge. And that's where the GPP signal and this complexity really comes in, if you're going to try to target that specifically. So, yeah. I don't think either of these will probably solve your direct problem in the US. I think this is more for GDPR. And for the US, I haven't seen anything in Drupal that does exactly that. However, and maybe I should contribute something back here. The key for websites is do not sell, do not share. That's really the main thing that's in enforcement right now and it's one option. So, what I'm seeing and what Sephora's done and what some of these vendors are doing is, again, your privacy choices in your footer. It takes you to a form that has an opt out for do not sell, do not share. And when you set that, you either set a cookie on your browser or it's setting something in local storage that says you've opted out. And then you build in, you expose that to your data layer or take it to your website and you can put conditionals off of that. And at the end of the day, that's what cookies is doing here is when you accept or decline the cookie notice, all it's doing is setting that cookie on your browser and then exposing it so that you can read it. And then if you look at their documentation, it's having you go and conditionally set anywhere you're setting scripts or pixels to be based on that API that they created. So you could use the cookies module and the setup around it to do that but I'm not sure you could get around the banner part. So you might have to implement that custom or pull in a third party tool for the short term until someone contributes it back. I don't know if that over complicated or not, but yeah. Yeah, so yeah, other vendors like user centrics has one I worked with a lot. They've got the cookie banner, they started in Europe, the cookie banner and they've got configurations for that but then they've also got this tool called the smart data protector. And basically what it does is it's another JavaScript snippet library that's injected into the head of your site and when DOM loads, it'll rewrite all of your script tags to text slash plain. So text just slash JavaScript, which will essentially render all of your script tags not to get executed. And then it connects to their downstream platform says, have you given consent and is this on the approved list of vendors that you're accepting? And then it'll go rewrite them all back to JavaScript and then load your page. Obviously there's some performance impacts on this when you're using a tool to automate that instead of doing it natively because it needs to block rendering and needs to adjust it and then it needs to comply with it. So you're gonna get a bit of a lag there. So it's something you don't have to deal with in the industry as this kind of matures because your downstream systems aren't, there's no way to automate it yet and they're not accepting the signals really. So hopefully that helps a little bit. It's, yeah, there's a lot of UX issues with the industry right now, which is why I hope that the GPC signal and the user dictated tools will take off more, right? Like right now, I think Mozilla has the GPC signal hidden in its settings somewhere and then Brave and DuckDuckGo have it as standard options. And if you get the DuckDuckGo browser plugin, that'll also help you there as well. You can turn it off. So yeah, that's the thing though. Like when they submit the form, if they're not authenticated or logged in, it's still session-based. If I come in another browser, it's different and one of the things I'm seeing trends with as I'm listening to like legal talks and like lawyers talk about this is a lot of these cookie vendors and tools are trying to use the same heuristics that marketing vendors use to track you, to track you across browsers and devices to know you're the same person to apply the same things. And at that point, it's like, okay, you're doing the same thing, but very good. But there's not enough money behind it to stay up to speed. And that's what I'm seeing across the privacy vendors right now is like marketing has all the money from all the marketers. Privacy is something they have to do and they're gonna avoid it at all costs. So putting the same investment into the AI and the ML and the heuristic tracking and the work that goes into that, just they don't have the same resources to do it. So I think it'll eventually get there, but I think it's gonna lag behind for a bit before that becomes easier for us to use. So, yep, yep. I mean, it's why I've tried to submit this session to most of the conferences I've gone to. I mean, I'm still not, I'm not a lawyer, I'm not, I don't dedicate to this space, but I think it's important for everyone to start getting up to speed about and it's gonna bite us at some point and the more we can stay ahead of it, the better, so. Yeah, any other questions? Yeah, yeah. So just having the Facebook pixel on your website is enough to get you in trouble because you're giving Facebook that data and you're sharing it with them and they're not a service provider, right? They are a tracking analytics company and yeah, social network is enough to tell you why. Yeah. So if it's first party data, then you're not sharing it unless you take that data and then share it or sell it behind the scenes. So first party data I think will continue to see arise and CDP platforms and things like that, that you own, that data, we'll see more and more of that but the bar for a normal marketing team, small business to talk about CDP is way too high right now. So we'll just have to see how that market evolves but I think there's gonna be a lot of market opportunity in that for challengers that come up and don't charge six figures for these types of tools as they become easier to deal with. Yeah, yeah. GA is also being targeted by California and they are using all of your data for other things. So yeah, basically any third party platform that you're using for tracking and analytics that you don't own that data is gonna be targeted by these laws which is almost every marketing vendor. Yeah, so third parties cookies will go away but a lot of the tracking data that you're getting from these third parties is already available to you on your websites and your hosting providers. So if I were to go out on a limb and start thinking about what the future could hold, I think you might see more and more hosting providers get into the data game and make that data available because you have logs of visits on your web servers. That's the same thing GA is tracking but better, right? That's first party data that you could use and analyze and do the same type of thing you're doing with GA through your server. Caching and stuff gets in the way of that maybe but they usually sell that full stack, right? So I would expect to see more and more of this data to become commoditized and available from hosting providers more than just these third party analytic companies. I think it depends on how they leverage that data and how they make it available. If you're paying for that cloud hosting and you own the data that's there, I think there's probably ways to do it, right? And if they're not using it to sell, manipulate, market, but I'm just speculating here. So I think there's a lot more maturity that needs to happen in a space before that gets addressed. Yeah.