Our President and Co-Founder, Donata Kalnenaite, was recently invited to speak at Wordcamp Jackson, MI about privacy. For those of you who are unaware, Wordcamp is an event for web professionals, including web designers, developers, marketers, freelancers and more, that encourages the sharing of ideas and the building of a tight-knit community. In Jackson, MI, there were quite a few speakers who shared valuable tips, from how to make websites ADA compliant, to marketing, to refunds, to sharing solutions to common issues faced by web professionals. The Wordcamp Jackson event was one of the best-planned events that we have ever been to and we look forward to being regular attendees for years to come. Donata spoke about the three things all web professionals must know about privacy. In this post, we are sharing her slides and notes for those of you who couldn’t make it or who want to refer back to the resources listed in the speech.

The 3 things all web professionals must know about privacy. Presented by Donata Kalnenaite for Wordcamp Jackson, MI.

Donata: hello everyone and welcome to the three things all web professionals must know about privacy! Thank you so much for sticking around to hear me speak. It’s 4:00 p.m. on a Saturday so I really appreciate your burning desire to learn more about privacy. Can anyone here raise their hands if they became a web designer or developer to dabble more into privacy law? Also, who here would be comfortable speaking about privacy online if their clients asked them about it? My goal today is to ensure that, by the time we conclude our time together, you can speak to your clients about privacy without feeling nervous. If that sounds good, let’s get started.

What you will learn today

Donata: today we are going to talk about which websites need a Privacy Policy, why Privacy Policies are important and why you should be the one to talk to your clients about privacy. I’m sure that you are just jumping out of your seats to also learn about me, what I do and where I work so I’ll satisfy that curiosity for you as well.

About Donata Kalnenaite and Termageddon

Donata: a little bit about me – I’m a data privacy and technology attorney. I’m a Certified Information Privacy Professional (certified by the International Association of Privacy Professionals) and I’m the President of Termageddon. Termageddon is a generator of Privacy Policies, Terms of Service, End User License Agreements and Disclaimers. We update our clients’ policies whenever the laws change (and currently, they’re changing quite a bit). We partner with web professionals by giving them a free set of our policies and a way to make recurring revenue by protecting their clients. If you’d like to learn more about our agency partners program, please visit our partners’ page. I’m the engineer behind the policy questions and text and also keep track of the changes to privacy laws. I’m also a beekeeper and, as strange as it may sound, I’m very interested in submarines. If you have any book recommendations, please do not hesitate to let me know.

Picture of Donata Kalnenaite and her bees

Donata: here’s a picture of me with my bees. It’s my first year and I definitely recommend beekeeping to anyone who can do it. It’s truly the most rewarding hobby that I have ever had. Fun fact: I’m allergic to bees.

Part 1: what websites need a Privacy Policy?

Donata: let’s dive into our first topic – what websites need a Privacy Policy. There are some common misconceptions about this one, that the only websites that need one are those that collect financial information, that you don’t need one if your website is secure or that you don’t need one unless your website is eCommerce. All of those are not true.

What is PII and what is collecting PII?

Donata: let’s start at the beginning. Back in the 1700s…just kidding. Any website that has a contact form collects personally identifiable information. PII is any data that could be used to identify an individual. Examples include name, email address, phone number or physical address. When you are building a website, one of the main goals is for that website to generate leads for your clients. Unfortunately, a byproduct of lead generation is the collection of PII.

Any website that collects PII needs a Privacy Policy

Donata: any website that collects PII needs to have a Privacy Policy. If you forget everything else that I tell you today, please remember this as it’s the most important point.

Part 2: Why does PII collection and privacy matter?

Donata: now that you know what the collection of PII is, you may be wondering why that actually matters. In Part 2, we’ll talk about privacy laws, what they say and how they are changing.

Why does PII collection matter?

Donata: privacy laws regulate the collection of PII. These privacy laws, at their most basic level, require websites that collect PII to tell consumers: what PII is collected, what is done with the PII or how you use it, and who the PII is shared with. These disclosures are made in the Privacy Policy. If you do not have a Privacy Policy or do not have a good one, you may be violating these laws. Note that the three disclosures above are not all of the disclosures that you need to make.

What laws protect PII?

Donata: let’s talk about what privacy laws protect PII.

  • General Data Protection Regulation (GDPR): mostly everyone has heard of GDPR as of right now. It’s a European Union law that protects the privacy of EU residents. One of the main concepts of GDPR is obtaining consent to collect and use PII. Having a compliant Privacy Policy is key to getting proper consent. GDPR applies to:
    • Organizations inside of the EU;
    • Organizations outside of the EU if they offer goods or services to EU residents or monitor the behavior of EU residents; or
    • Organizations that process and hold the data of EU residents, regardless of location.
  • The California Online Privacy Protection Act (CalOPPA) has been around since 2003 and applies to anyone whose website collects the PII of California consumers. This law applies regardless of where your business is located and requires you to have a Privacy Policy that has very specific disclosures.
  • The California Consumer Privacy Act passed recently and the law goes into effect on January 1, 2020. It applies to companies that do business in California and:
    • Have annual gross revenue of more than $25,000,000;
    • Annually buy or receive the PII of 50,000 or more California residents; or
    • Derive more than 50% of their revenue from the selling of PII of California residents.
  • Lastly, we have Nevada’s privacy law and its recent amendment, which went into effect on October 1st, 2019. The law requires you to have a Privacy Policy and for it to provide very specific disclosures. The law applies to:
    • Businesses in Nevada;
    • Companies outside of Nevada who:
      • Direct their activities to Nevada;
      • Transact with Nevada consumers; or
      • Are sufficiently connected to Nevada.

Note that a lot of these laws have provisions that would make them applicable to businesses outside of that particular state. When consumers search Google, they go to the website that answers their questions or fulfills their needs. Searches are not always by the location of the business. This means that these state-specific laws may apply to you or your clients regardless of physical location.

A comparison of all of the states that have proposed privacy bills

Donata: this is a pretty new phenomenon in the United States. Ever since the Facebook privacy scandals, state lawmakers are taking matters into their own hands to make sure that the PII of the citizens of their state is protected. Note that I said citizens and not businesses. Currently, there are ten states that have proposed their own privacy bills. This grid shows you the states and how their laws compare to one another. You can view this chart, which is reviewed and updated frequently on our State Privacy Bill Tracker.

Concepts that the state privacy bills cover

Donata: not all state bills are created equal. Most of them do discuss the following concepts in one form or another:

  • Privacy Policy changes: all of the proposed state bills would require changes to Privacy Policies;
  • Business size limit: some states are proposing that the privacy bills apply to companies above a certain amount of revenue or to companies that process the data of a certain number of persons. This does not mean that small businesses would be off the hook, as contracts with vendors or clients may still require them to comply;
  • Consumers can sue: some states are proposing a private right of action. This means that consumers would be able to sue for privacy violations, instead of having to rely on Attorneys General to sue on their behalf;
  • Right to access data: this right would allow consumers to request a business to disclose what data the business has on that particular consumer;
  • Right to delete data: this right would allow consumers to request a business to delete the data that the business has on that particular consumer;
  • Right to correct data: this right would allow consumers to request a business to correct data that the business has on that consumer that may be wrong;
  • Right to restrict processing: this right would allow consumers to request that the business not process data on that consumer in certain ways;
  • Right to opt-out: this right would allow the consumer to opt-out of certain uses of data or the sharing of data with third parties;
  • Opt-in consent required: the bill would require businesses to receive express consent for certain uses of data (e.g. sale);
  • Right to portability: this right would allow consumers to request that the business send their data in a commonly structured and machine-readable format to another vendor;
  • Against automated decision making: automated decision making is the making of decisions by automated means without any human involvement. The proposed bill would prohibit such processing;
  • Imposes a fiduciary duty: the bill imposes a duty on the business to act in the best interest of the consumer when collecting, processing and sharing data; and
  • Prohibits discrimination: this bill prohibits a business from discriminating against a consumer for exercising his or her privacy rights.

Penalties for not complying with privacy laws

Donata: here comes the gloom and doom part. Penalties for not complying with privacy laws can be steep. Most common penalties are per violation, which could mean per website visitor. I’m sure that you can see how quickly this can add up, even if your clients have 200 website visitors per month. Penalties for GDPR non-compliance can be devastating to a business.

Other reasons for caring about privacy

Donata: yes, fines and penalties are the worst. However, there are a lot more benefits to caring about privacy than just not being fined.

  • Consumer interest: consumers are now more vigilant than ever about the collection, use, and sharing of their data. Make sure that they know that you have heard their concerns. Also, having a Privacy Policy can help you avoid bad press and bad reviews.
  • Competitive edge: all things being equal, consumers will choose the company that does not abuse their privacy rights.
  • Sales cycle: a study by Cisco found that privacy concerns can slow down the sales cycle by an average of 7.8 weeks. Make sure that your sales do not slow down because you did not want to devote a couple of minutes to get a Privacy Policy.
  • The right thing to do: privacy is a fundamental human right. Don’t abuse it.

Part 3: why you should be the one to talk to your clients about privacy

Donata: you may be thinking, “ok, this is all fine and great, but what does it have to do with me?” As a web professional you design and develop websites that collect PII. This means that you are in a great position to educate your clients about this crucial topic.

Why you should tell your clients about the importance of Privacy Policies

Donata: what will you get in return for speaking to your clients about Privacy Policies? Doing so makes you look proactive and professional, it improves client retention and loyalty, it helps you stand above your competition of agencies who are not in the know of industry developments, and documenting this can help protect your agency.

Protect yourself and your agency

Donata: make sure that you protect yourself. You are the one designing and implementing functionality that collects PII. Your clients may be looking to you for advice and guidance. If your client gets sued or fined for not having a Privacy Policy, they may look to you for answers and may even try to put the blame on you. Having written documentation showing that you told your clients that they need a Privacy Policy can go a long way to protect you, even if your client does not heed your sage advice.

When to tell your clients about Privacy Policies

Donata: when should you tell your clients about Privacy Policies? You can do so when quoting new projects, prior to the launch of their website, in your maintenance plans or right now. The truth is that there is no wrong time as long as you make sure that your clients are aware of this requirement for websites that collect PII.

Where to get Privacy Policies

Donata: we all know how some clients are; you need to give them a solution as to exactly what they must do to move them forward on any decision. You’re probably jumping out of your seats so excited about Privacy Policies and you just cannot wait to tell your clients all about it. But where can you get a Privacy Policy? You could work with a privacy attorney to write a Privacy Policy for your clients. This is an excellent option for really big companies or clients that need special compliance. By special compliance, I mean websites for banks or websites that collect health information (e.g. insurance records, medical conditions or medications taken). Attorneys can get expensive, charging thousands of dollars for these policies. Furthermore, getting an attorney can take some time and thus it’s not the perfect solution for small businesses with small budgets. You can also refer your clients to a generator. Generators are a faster and more cost-effective solution than attorneys and can work for the majority of your clients’ websites. I hope that you consider Termageddon as a solution, since we charge $100 per year, keep your clients compliant and it takes less than 15 minutes to get set up.

Frequently asked questions

Donata: let’s finish this presentation by answering some commonly asked questions.

  • How can one keep up with all of the changing privacy laws? Since privacy laws are now constantly changing and new bills are being introduced all of the time, keeping up to date with all of the changes can be daunting. If you are more of a DIY person, I recommend using Legiscan for alerts on new laws and changes to bills, LexisNexis for updates to cases and the IAPP website for all other news. However, if you do not have the time for this, we update your policies whenever the laws change so that you don’t have to worry.
  • Is my company too small to need a Privacy Policy? Most state laws and bills do not have a size requirement for the laws to apply to you. This means that the laws and bills apply to your business regardless of size and thus there really is no such thing as “too small for compliance”.
  • Why can’t I just copy and paste a template? You could. Unfortunately, you’d be committing copyright infringement. Furthermore, you cannot be certain that the template is correct or that it fits your business. Finally, templates do not automatically update whenever the laws change, meaning that you’d have to be responsible for keeping track of it all for your clients.
  • Who will sue me for not having a Privacy Policy? You could get sued by the Federal Trade Commission or by your state’s Attorney General. If some of the bills that propose a private right of action pass, consumers may also be able to sue you for violations.

Thank you

Donata: thank you so much for coming! Please do not hesitate to reach out to me if you have any questions.