Our President and Co-Founder, Donata Kalnenaite, was recently invited to speak at Wordcamp Jackson, MI about privacy. For those of you who are unaware, Wordcamp is an event for web professionals, including web designers, developers, marketers, freelancers and more, that encourages the sharing of ideas and the building of a tight-knit community. In Jackson, MI, quite a few speakers shared valuable tips, from making websites ADA compliant, to marketing, to refunds, to solutions for common issues faced by web professionals. The Wordcamp Jackson event was one of the best-planned events that we have ever attended and we look forward to being regular attendees for years to come. Donata spoke about the three things all web professionals must know about privacy. In this post, we are sharing her slides and notes for those of you who couldn’t make it or who want to refer back to the resources listed in the speech.
Donata: hello everyone and welcome to the three things all web professionals must know about privacy! Thank you so much for sticking around to hear me speak. It’s 4:00 p.m. on a Saturday so I really appreciate your burning desire to learn more about privacy. Can anyone here raise their hands if they became a web designer or developer to dabble more into privacy law? Also, who here would be comfortable speaking about privacy online if their clients asked them about it? My goal today is to ensure that, by the time we conclude our time together, you can speak to your clients about privacy without feeling nervous. If that sounds good, let’s get started.
Donata: a little bit about me – I’m a data privacy and technology attorney. I’m a Certified Information Privacy Professional (certified by the International Association of Privacy Professionals) and I’m the President of Termageddon. Termageddon is a generator of Privacy Policies, Terms of Service, End User License Agreements and Disclaimers. We update our clients’ policies whenever the laws change (and currently, they’re changing quite a bit). We partner with web professionals by giving them a free set of our policies and a way to make recurring revenue by protecting their clients. If you’d like to learn more about our agency partners program, please visit our partners’ page. I’m the engineer behind the policy questions and text and also keep track of the changes to privacy laws. I’m also a beekeeper and, as strange as it may sound, I’m very interested in submarines. If you have any book recommendations, please do not hesitate to let me know.
Donata: here’s a picture of me with my bees. It’s my first year and I definitely recommend beekeeping to anyone who can do it. It’s truly the most rewarding hobby that I have ever had. Fun fact: I’m allergic to bees.
Donata: let’s start at the beginning. Back in the 1700s…just kidding. Any website that has a contact form collects personally identifiable information. PII is any data that could be used to identify an individual. Examples include name, email address, phone number or physical address. When you are building a website, one of the main goals is for that website to generate leads for your clients. Unfortunately, a byproduct of lead generation is the collection of PII.
Donata: now that you know what the collection of PII is, you may be wondering why that actually matters. In Part 2, we’ll talk about privacy laws, what they say and how they are changing.
Donata: let’s talk about which privacy laws protect PII.
- The EU General Data Protection Regulation (GDPR) applies to:
  - Organizations inside of the EU;
  - Organizations outside of the EU if they offer goods or services to EU residents or monitor the behavior of EU residents; or
  - Organizations that process and hold the data of EU residents, regardless of location.
- The California Consumer Privacy Act passed recently and the law goes into effect on January 1, 2020. It applies to companies that do business in California and:
  - Have annual gross revenue of more than $25,000,000;
  - Annually buy or receive the PII of 50,000 or more California residents; or
  - Derive more than 50% of their revenue from the selling of PII of California residents.
- Nevada’s privacy law applies to:
  - Businesses in Nevada;
  - Companies outside of Nevada who:
    - Direct their activities to Nevada;
    - Transact with Nevada consumers; or
    - Are sufficiently connected to Nevada.
Note that a lot of these laws have provisions that would make them applicable to businesses outside of that particular state. When consumers search Google, they go to the website that answers their questions or fulfills their needs. Searches are not always by the location of the business. This means that these state-specific laws may apply to you or your clients regardless of physical location.
Donata: this is a pretty new phenomenon in the United States. Ever since the Facebook privacy scandals, state lawmakers are taking matters into their own hands to make sure that the PII of the citizens of their state is protected. Note that I said citizens and not businesses. Currently, there are ten states that have proposed their own privacy bills. This grid shows you the states and how their laws compare to one another. You can view this chart, which is reviewed and updated frequently on our State Privacy Bill Tracker.
Donata: not all state bills are created equal. Most of them do discuss the following concepts in one form or another:
- Business size limit: some states are proposing that the privacy bills apply to companies above a certain amount of revenue or to companies that process the data of a certain number of persons. This does not mean that small businesses would be off the hook, as contracts with vendors or clients may still require them to comply;
- Consumers can sue: some states are proposing a private right of action. This means that consumers would be able to sue for privacy violations, instead of having to rely on Attorneys General to sue on their behalf;
- Right to access data: this right would allow consumers to request a business to disclose what data the business has on that particular consumer;
- Right to delete data: this right would allow consumers to request a business to delete the data that the business has on that particular consumer;
- Right to correct data: this right would allow consumers to request a business to correct data that the business has on that consumer that may be wrong;
- Right to restrict processing: this right would allow consumers to request that the business not process data on that consumer in certain ways;
- Right to opt-out: this right would allow the consumer to opt out of certain uses of data or the sharing of data with third parties;
- Opt-in consent required: the bill would require businesses to receive express consent for certain uses of data (e.g. sale);
- Right to portability: this right would allow consumers to request that the business send their data in a commonly structured and machine-readable format to another vendor;
- Against automated decision making: automated decision making is the making of decisions by automated means without any human involvement. The proposed bill would prohibit such processing;
- Imposes a fiduciary duty: the bill imposes a duty on the business to act in the best interest of the consumer when collecting, processing and sharing data; and
- Prohibits discrimination: this bill prohibits a business from discriminating against a consumer for exercising his or her privacy rights.
Donata: here comes the gloom and doom part. Penalties for not complying with privacy laws can be steep. The most common penalties are per violation, which could mean per website visitor. I’m sure that you can see how quickly this can add up, even if your clients have 200 website visitors per month. Penalties for GDPR non-compliance can be devastating to a business.
Donata: yes, fines and penalties are the worst. However, there are a lot more benefits to caring about privacy than just not being fined.
- Competitive edge: all things being equal, consumers will choose the company that does not abuse their privacy rights.
- The right thing to do: privacy is a fundamental human right. Don’t abuse it.
Donata: you may be thinking, “ok, this is all fine and great, but what does it have to do with me?” As a web professional you design and develop websites that collect PII. This means that you are in a great position to educate your clients about this crucial topic.
Donata: what will you get in return for speaking to your clients about Privacy Policies? Doing so makes you look proactive and professional, it improves client retention and loyalty, it helps you stand above your competition of agencies who are not in the know of industry developments and documenting this can help protect your agency.
Donata: when should you tell your clients about Privacy Policies? You can do so when quoting new projects, prior to the launch of their website, in your maintenance plans or right now. The truth is that there is no wrong time as long as you make sure that your clients are aware of this requirement for websites that collect PII.
Donata: let’s finish this presentation by answering some commonly asked questions.
- How can one keep up with all of the changing privacy laws? Since privacy laws are now constantly changing and new bills are being introduced all of the time, keeping up to date with all of the changes can be daunting. If you are more of a DIY person, I recommend using Legiscan for alerts on new laws and changes to bills, LexisNexis for updates to cases and the IAPP website for all other news. However, if you do not have the time for this, we update your policies whenever the laws change so that you don’t have to worry.
- Why can’t I just copy and paste a template? You could. Unfortunately, you’d be committing copyright infringement. Furthermore, you cannot be certain that the template is correct or that it fits your business. Finally, templates do not automatically update whenever the laws change, meaning that you’d have to be responsible for keeping track of it all for your clients.
Donata: thank you so much for coming! Please do not hesitate to reach out to me if you have any questions.