Privacy Lawls with Donata

Ep. 1 | What is privacy? (with guest, Hans Skillrud)

What is privacy? Why should we care? Why does Mickey Mouse need your fingerprint? Are doorbell cameras worth the risk?

Guest, Hans Skillrud (Co-founder of Termageddon) comes on to discuss how today’s world views privacy for the first episode of Privacy Lawls.

Brought to you by Termageddon — website policies that automatically update as privacy laws change.


Hello everyone, and welcome to the first inaugural episode of Privacy Lawls, where we talk about the basics of privacy, the latest news, and meet people who are doing great things in the privacy field and hopefully get some laughs in as well. My name is Donata Stroink-Skillrud, and I’m the host of this podcast.

Before we jump into today’s topic and talk about what privacy actually is, I’d like to take a moment to introduce myself and talk to you about what we’ll be discussing today and in this podcast overall. As I said, my name is Donata Stroink-Skillrud, and I’m best known as a privacy enthusiast.

I’m an attorney, licensed in Illinois, and a Certified Information Privacy Professional. I’m the chair of the American Bar Association’s E-Privacy Committee, member of the ABA’s Cybersecurity Legal Task Force, and member of the ABA Science and Technology Council. I’m also the chair of the Chicago Bar Association’s Privacy and Cybersecurity Committee and a fellow of the American Bar Foundation.

So my first introduction to privacy came when I received a letter from Target saying that my credit card information was exposed in a breach which took place in 2013. That really opened up my eyes to the fact that when I give my personal information to another company, then it’s within their control and that information could be sold, shared, or breached, which actually has real world consequences to me.

After I graduated from law school, I worked for a software development company as their COO. And after the sale of the company, I went into private practice where I wrote contracts and privacy policies and terms and conditions for my clients. I realized that a big portion of the website policy creation process could be automated, so I founded Termageddon with my husband Hans.

And fun fact, I’ll be interviewing Hans today, so keep on listening to hear his takes on what privacy actually is. So Termageddon, we’re a website policies generator, and we create privacy policies, terms of service, disclaimers, cookie policies, and more. So I’m the president and legal engineer of Termageddon, and I’m responsible for drafting all of the questions that we need to ask clients to generate their policies, the thousands of text variations that we offer, and for keeping those policies up to date with changing legislation, which is kind of a fun job, but it’s also a lot of work.

At the time of this recording, we manage over 15,000 privacy policies for our clients. While the concept of privacy itself has existed for hundreds of years, privacy law compliance is a relatively new field and is constantly evolving with new laws, rules, regulations, new technologies that affect privacy almost every day.

With all of these changes taking place, it’s really no surprise that we’re all rarely on the same page when it comes to privacy. We use different terms, have different understandings of the inner workings of privacy laws and privacy requirements, and therefore, at the end, we just all end up being confused.

And that’s the impetus for this podcast, to get us all on the same page, to learn the basics and the more complicated nuances of privacy law compliance so that we can adequately protect ourselves and our businesses. I hope that this podcast not just helps you get on the same page about established concepts, but also helps us stay up to date with the latest news.

In this first season, my guests and I will be giving you an introduction to privacy, including what privacy is, the history of privacy, and what privacy means to different people. We’ll then move on to learn about privacy terms and definitions, and we’ll look at privacy from the lens of multiple countries so that you can know what privacy means to you.

We’ll also interview professionals who are doing interesting cutting edge work in this field and relay their stories and lessons learned. So let’s get into our main topic today. What is privacy? So Hans, congratulations on being my first guinea pig, and thank you for agreeing to speak to us today.

Can you tell our listeners a little bit about yourself and why you choose to work in privacy?

Yeah, that’s a great introduction, Donata. Thank you. So my name is Hans. I am the other co-founder of Termageddon. I was first in privacy because, well, I was dating a privacy attorney who is now my wife.

I’d be lying if I didn’t say it was because of that. But what’s been interesting and about with how things have gone on, with what I’ve experienced, privacy is a constantly changing landscape, and I choose to work in privacy because of how exciting it is. I think a lot of website owners think, oh, this is boring stuff, this isn’t that interesting.

I know it’s important, but it’s kind of boring. Well, I think on the outside that could be perceived that way. But once you actually learn about it, you’re like, oh my gosh, there’s things that aren’t figured out yet, like worldwide issues that aren’t figured out yet. There are actionable things people can do that often go missed.

So I think I choose privacy because I like to help people and this is a space I’m passionate about helping them in. And you worked in an agency before this, right? That’s right, yeah. I ran a twelve-person web design agency, actually. When I bought out an agency, that’s actually where I met you.

My experience as an agency owner is clients would ask me what should I do for website policies? And I would be like, I don’t know, I’m not an attorney. And then they would immediately ask me to copy and paste someone else’s legal documents onto their website. Never felt right, always felt unprofessional.

But I didn’t know what else to do or say or recommend, so I would just do it. Turns out I wasn’t the only one. This seems to be an industry-wide issue, and I think that’s why we have so many agencies leveraging Termageddon to help their clients get protected.

So what was your first introduction to privacy, and what did you learn?

So my first introduction to privacy was when it was the Target scandal again. I was on the other side of it watching you have your data get basically hacked, and I watched you struggle with figuring out what you can do about it.

So it kind of reminds me of like, you see those videos of guys who are watching their wives give birth and they just feel so helpless. I felt very helpless there, and that was never a fun experience. And I would say that was my first introduction into the consequences of what happens when things go wrong with privacy.

Yeah, definitely not as bad as giving birth, but it’s definitely irritating and confusing. That’s very sure. So on today’s episode, we’re talking about the basics of privacy. So can you explain to us what privacy is, in your opinion?

Yeah, privacy gives people a right to freedom of expression, freedom of thought, freedom of ideas.

And I think we were going to dive into that a little bit today, but that would be the basis for it. And I think privacy is going to be a pillar to the future because it seems like more and more people are going online. So privacy rights are something I think we’re going to probably talk about in more detail today, but I think it’s going to be absolutely necessary if we want freedom of thought and freedom of expression online.

Yeah, I think generally we define privacy as the right to be left alone or the right to not be observed or disturbed by other people. But that’s so kind of out there that it’s hard for people to connect with that. And really, I think privacy allows us to form our opinions and be ourselves without other people knowing what that is and gives us the ability to form those opinions before we have to share them with other people.

And I think with business privacy, I think it really allows consumers to choose what level of interaction they want to have with the business. So, for example, for me, if I buy something online where it’s an item that I would purchase again and again, let’s say I’m buying a shirt from a clothing retailer and they have all kinds of shirts and all kinds of clothes, maybe I’ll sign up to their email list to hear more about their deals if I like their brand.

But if I’m buying something that I buy once every ten years, like a mattress, for example, I wouldn’t sign up for the subscription for the email subscription because I’m not going to be buying a mattress every other week. So I don’t really care about their sales.

So that really allows me to choose how I interact with a business if I want their ads or maybe I don’t want them or if I want them to text me or maybe I find that really annoying, so I don’t want to sign up for that. And I think in a business context, it allows consumers and buyers to choose what level of interaction they want to have with a business.

Yeah, that’s why I love privacy rights, which is someone’s name, their email address, their phone number, their IP address. That’s their property, that’s their data. And whether you like it or not, companies are going to have to respect that property and understand that that’s not their property to do whatever they want with.

It’s up to the human to decide which companies get to have their data and which companies don’t.

I’m a naturally curious person. I love surfing the web ebook. I start in Reddit or YouTube or something or Twitter, and I end up on just interesting sites, blog articles and things like that. Well, I go to sites that I regret ever even visiting. I’m like, those not safe for works don’t click this link.

Of course I click it and I’m like, oh, why did I just look at that? But now that website would have my data and could do whatever they want with it. And I don’t love that fact because I want to stay curious. I want to explore things. And I think naturally you can explore fringes, fringe thoughts and fringe ideas.

And that’s why I think privacy is important, to allow that to continue to happen.

Yeah, I think I have a great example of one time where your own privacy was accidentally invaded, where we were at WordCamp Phoenix, I believe, and I was supposed to give a talk and my computer just shut down.

So I had to use your computer and I hooked it up to the screen and it immediately pulled up your YouTube history.

So that was definitely accidental. Did not mean for that to happen. But you had like 100 people see what videos you watched in the last couple of days, thankfully intentional. I think I was watching a lot of Impractical Jokers at that time, so I think it wasn’t too bad.

But that’s such a good example. That level of control needs to be on the human level, not the company level. Exactly. So you already gave us some examples, but can you also give us some more real-world examples of how we interact with privacy every day?

Well, I think, are you talking about like online or in person?

Like both, I guess. Any example?

Yeah, well, I think it’s important to understand when you’re visiting a website that has embedded a Google map, for example, you are having that data, your data just got shared with Google, and Google’s business model is to take that data and sell it to advertisers at the highest expense.

When you submit your data through a contact form, you are taking your data and telling your company, hey, you can take my data and use it to contact me for services, but that data is going to be often shared with people’s email inboxes and maybe you get added to an email marketing system as well.

So privacy is constantly being attacked from all angles when online. And I don’t think any, I’ve talked to enough people to say that the vast majority of people mean well. They don’t mean to be hurtful to people. But they also need to understand that when you’re utilizing free tools, sometimes those free tools are technically free to you because they’re costing your website visitors their data.

Yeah.

To think of one kind of specific example to you as well. So your mom’s a physician, and she works in a pretty small town, and she sees a lot of people as patients who live in that town, but she’s always very careful not to tell you who those people specifically are.

Can you imagine you’re seeing your neighbor at Target or whatever, and your mom’s their doctor, and she told you, oh, they have this really embarrassing problem that would just be awful, right? Yeah, be so stressful. But she doesn’t do that. So that’s an example of privacy, too, is doctors not sharing that information.

Or even when we went to the airport last time, we had an option to opt into biometrics being collected by DHS to expedite airport processing. Well, that’s an example of privacy as well, because it’s an opt in model, right? So you have to say, yes, I’m okay with that, for them to take their biometrics.

And if you say no, they won’t take the biometrics, and you could still continue on the path of getting into your flight. So I think or app selling geolocation information to governments as well, I think that could be potentially very dangerous, too, I think.

We had an event in Orlando, and included in that event was a trip to Disney World. So you and I went to Disney World, and right out the gate, no pun intended, like, right at the gate, we had to provide our fingerprint to get into a theme park. That, to me, is the most abusive amount of power to bring someone into a child theme park. Like, why take a fingerprint ID? And maybe I don’t know enough about that, but that seems extensive.

Well, what’s really interesting about that, too, so we gave up our fingerprints, even though we didn’t want to, but nowhere in the park were our fingerprints required. That’s true. So you didn’t need them to get on a ride or anything like that. So why would our fingerprint need to be collected?

And why couldn’t you just verify someone’s ID or put an armband on? And that serves the same purpose, and there is no explanation as to why the biometrics were actually necessary, which I thought was I didn’t like that. I can’t imagine. I know we’re in privacy, so seeing that was obviously a big issue for us.

But I would imagine the average person finding they have to put in their fingerprint, they probably do it, and they’re like, all right, I’ll just get into the park. Like, this is the final thing I have to do. But that’s got to not feel good for just the average person, too.

It’s bizarre. And we tried to decline. Is there any other way to enter this park? Well, if you have a religious purpose. So we had to go to the side kiosk, which was like, just way dingier looking, I remember. And this one person finally opened up the glass wall, the curtains from the glass wall to speak to us and like, are you doing this for religious purposes?

We’re like, no, we just don’t want our fingerprint being something you have access to forever. Like, well, sorry, then you can’t get into the park. And I’m just like, that’s just ridiculous. They didn’t provide any information as to what they’re doing with those biometrics column, storing it or any of that.

So. Yeah, that’s another great example of privacy in the real world. And great example if Disney gets hacked and all those fingerprint icons, or fingerprints, get picked up by a third party, who then sells it to whomever. Your fingerprint, the item that can identify anyone the most accurately, because you can’t really change your fingerprint, that is now in the hands of third parties that aren’t even Disney World.

That’s the risk that your fingerprint ID is no longer going to be valid. And you use your fingerprint for so much stuff, like unlocking your phone, signing into your bank account, things like that, it’s very dangerous. I know some people say that privacy isn’t really important to them because they have nothing to hide.

What are your thoughts on that?

So there’s enough books written where feeling like you have nothing to hide is not a good strategy long term for the longevity of civilization, in my opinion.

I think it’s more so about, I don’t have anything to hide. Rather, I think people need to look at it as I just don’t have anything I need to share, and that we as people matter more than companies. We as people have things that we use to identify ourselves.

My name, my email, my phone number, my fingerprint, these are my things. And I really think it’s important for us to understand and respect that. This is my data. I get to do with what I want with it. So when it’s like, well, I have nothing to be concerned about privacy, because privacy doesn’t really matter because I have nothing I don’t want to share.

That is the wrong way of looking at it. Because what you need to understand is you need to respect what you own. And you need to understand that companies are less important than you. You have the right to your data. So think of it more so as it’s not that I have nothing to hide, it’s that I have nothing I don’t want to share.

I think that’s a great way to look at it too. And I think a lot of the things that we search online, maybe initially they seem, but for some people, they might look at you differently, or even if you’re just curious about a particular topic, and there’s nothing wrong with that topic that might be an issue for some people.

Also, I think that some of these things, like having an Alexa in your house, for example, that constantly listens for those words, hey, Alexa. So it’s almost constantly recording. You might say something in your own home where maybe you don’t want your son’s teacher to hear that, or maybe you don’t want your grandmother to hear that.

Right? So it’s certain things that you might not notice them, but if it is exposed to other people, it could cause you a lot of trouble. So. Things like that I think are the reason why we need privacy is we need that space for ourselves. Agreed. And don’t get me wrong, I love Google.

I love Google products. Like, I’m a big fan.

That’s a good example of a company that bases its business on selling people’s data. But I love their products. I love using them. I like YouTube. I like Google Maps. And that’s something I feel like when people hear people talking about privacy, they think conspiracy theory, like tinfoil hat type stuff, when in reality, I’m just like, no, I love that stuff.

I just believe that we as human beings get a choice. We need to have a choice on what companies can and can’t do with our data. That’s really it, right? And who they share that data with and how they use it. Like some of this stuff, like, people have Nest cameras in their home, right?

So if you think about it, a camera to your front door can tell someone when you leave for work, when you come back, what big purchases you’ve had. Like, let’s say you’re bringing in a giant new TV that you just bought and you’re bringing it in through your front door.

The Nest camera will capture that. So if that data is shared with someone, or let’s say it’s breached, all of a sudden, you could be a victim of a home invasion, because they know all your habits. They know who lives there. They know who comes in and out of the house.

They know when you’re home, when you’re not home, what kind of purchases you’ve had. I mean, that’s like a criminal’s wet dream right there. Yeah, that’s a frightening amount of insights they would be able to have on you and your home. Exactly, yeah. That’s why I personally refuse to have that in our home.

I know you bought smart bulbs a couple of years back. You never plugged them in, and it’s a light bulb. I mean, what harm can it cause, really? But I just don’t want that in my house. But privacy means that I don’t have to have that in my house. And if you’re the type of person who believes that the exchange is worth it for you, let’s say it’s a very useful product for you, and you’re okay exchanging that information with them, awesome.

But you should have that choice. Agreed. So let’s talk about the other basics of privacy, and we’ll be diving deeper into each of these topics throughout different episodes, but I just want to ask you for a quick description of some of the main concepts in privacy. So we’ll start with personally identifiable information, otherwise called PII.

What is that? Yeah, so personally identifiable information is information that can be used to identify an individual. So earlier I was talking about people’s names, their phone numbers, their email addresses, their IP addresses. These are all examples of personally identifiable information. I’m going to start saying PII moving forward, because that’s just way too many syllables.

But PII is what’s being protected under privacy laws. Got it. Yeah. And it could also be information related to non-identifiable individuals as well. So let’s say you’re watching YouTube and you have your account. Hans Skillrud is watching cat videos, or Hans Skillrud is watching videos on how to create a watering system for an outdoor garden. That could potentially be considered PII as well because it’s tied to a specific person.

Yeah, that’s right. Like if you’re shopping for a new car and let’s say you’re searching for a purple car and that data gets stored about you on your profile, well, that is now personally identifiable information too, because that business understands Hans not only wants a car, he wants a purple car.

Exactly. And then can utilize that for advertising, which again, I think that’s great. I personally love targeted advertising. I just want the choice because sometimes I’ll visit car sites that look super sketchy and I don’t want them to advertise me. I just didn’t get a good vibe. That’s where I want as a user to be like, no, don’t track me, I don’t want your stuff.

And we’ll talk about targeted ads later too in our privacy news segment. But I think targeted ads is one of those things that spurred privacy laws as well because consumers just generally find them really creepy overall. Because if you’re going to a completely unrelated website and you’re looking at mattresses, right, all of a sudden you’re getting ads on Facebook for mattresses as if you’re some kind of mattress collector.

Now you’re going to buy thousands of these over the next year. And people find that really creepy because they don’t understand that. The fact is that when you visited that mattress website, they had a Facebook pixel on there that tracked you and all of a sudden that’s why you’re seeing ads on Facebook for the same product.

But people don’t really love that. So that’s becoming increasingly regulated now. Yeah. Privacy laws are really kind of bringing to the forefront what’s been going on for a long time, which is that data brokers exist and they use stuff they collect behind the scenes of the websites you visit to package up and sell your data to other companies that will then pay money to the brokers in exchange for being able to send you targeted ads. So it not only goes from just like I visit a site, I’m getting targeted ads from them, but I visit a website and now I’m getting ads for purple cars from someone completely different or insurance providers saying, hey, get your purple car insured.

And that’s when your data is not only being shared with third parties, but even sold off. Yeah, it’s creepy to think about how many people get access to your data once you visit one particular website sometimes even. So how is PII protected? Our names or emails, phone numbers, IP addresses, all of that, how is that being protected?

So it’s being protected under privacy laws. So governments all over the world right now are creating and implementing privacy laws to protect and regulate the collection of their people’s data. So in California, there’s actually two privacy laws at the time of this recording. Just yesterday, another state in the US passed its own privacy law. What all privacy laws have in common is, hey, we’re protecting our people’s data. They may define it differently. They may have different definitions, different disclosure requirements, different penalties for non compliance, but they are all based around the idea of we are protecting our people’s data.

If you want to collect our people’s data, you need to comply with our laws. Got it. So privacy laws don’t protect everyone in the world, though, right? It’s only if you reside in certain countries or states. That’s right, yeah. So we’re based in Chicago, and in Illinois, we only have one privacy law, BIPA, which is not really related to online website stuff.

So we have very little privacy rights. For example, in Wisconsin, if we lived 100 miles north of here, we’d have zero privacy rights.

What matters is where you’re located and if there are laws in place, either on a federal territory, state level, or continent level, if you have those rights or not. So in the US, we kind of have this fragmented approach where certain states have privacy laws, others don’t, but other countries view it a little bit differently.

So here in the US, we have an opt out model, which means anybody can collect your information unless a specific privacy law applies. They can do what they want with that information, sell it, share it, whatever. And all you can do as a consumer is opt out of that sharing.

But in other countries, like the EU, it’s an opt in model, meaning that they can’t take your information and do anything with it unless you specifically say that that’s okay. And I think that’s really interesting to see that kind of world difference in cultures when it comes to the approach.

I was just going to say that is the most America thing ever. Like, hey, we’re going to give you privacy rights, but by default, companies get your data, but we’ll give you a choice to tell them, no, don’t take my data and sell it. Right. It’s only after the harm has occurred can you actually say, no, not prevent the harm in the first place.

That is the most America thing I’ve ever heard. Yeah, that sounds about right. So you touched a little bit on privacy rights earlier. Can you give us a couple of examples of what privacy rights are? Yeah. So the first one that comes to mind is the right to access, meaning that some people around this world have the right to tell companies, I want to access all the data you have about me.

And the company has an obligation to provide that if those laws apply to them. Right to deletion is a very popular one. The right for human beings to tell companies, delete all my data. I think that is essential. It’s kind of insane that being a Chicago based, I could tell a company, delete my data, and they could be like, nah, I’m not going to. That is absolutely wild. That still exists in this world. We need to get that addressed. Illinois, if you’re listening, come on, give us some privacy rights.

So those are two of the first ones that come to mind. What are some that come to your mind?

So to me, the right to correct. Being a married person, that’s a really big thing for me, right? Because I have my maiden name. And then we got married and all of my accounts were wrong now because they had my maiden name.

So I had to correct my data. And being in Illinois, not having that right, I had to send in reams of paperwork to every single company, essentially begging them to change my last name. And some of my accounts are still under my maiden name because they never processed that change, which is just so annoying.

There’s a startup idea for anyone listening, create a company that allows married couples to allow whoever’s changing their maiden name to change it very easily. I did use a company for it, but all they did was provide a checklist and templated documents that I still had to fill out, but I still had to send in the marriage certificate and like a letter saying that my last name was changed.

And like all this stuff, all this personal information and wait like weeks and weeks and weeks for them to respond, which some of them never did, even after I followed up. Another privacy right that I think is very interesting is the right to portability. So that means that you have the right to send your information from one vendor to another vendor.

Which sounds kind of lame initially, but when you think about it so let’s say right now I’m using Facebook, right? It has all of this information, all these pictures, all my posts, all my likes, all of that stuff since high school. And that’s the case for a lot of us, right?

Let’s say I want to change to a different social media provider because I think Facebook is invading my privacy, which most definitely is. The right to portability would mean that I can ask them to take all of that data, all my pictures, all of my posts, all my likes, all my friends, like, everything to another provider, making it significantly easier to switch providers and almost like busting these monopolies. Because the reason why most people don’t want to switch is because they don’t want to start all over from zero, right? But the right to portability allows them to change that, which I think is really cool.

I don’t think we’ve gotten a taste of what that’s going to look like too. That could become absolutely huge for the privacy industry. It’s going to force those monopoly-type businesses to actually take even more effort to respect people’s privacy. And it could be huge for small businesses too, because if you think about it now, it’s so hard to switch from Facebook to like a small business social media provider because you have to start everything over.

Most people don’t want to do that. Well now if it’s like a five minute process, oh, man. I think a lot of people would switch to smaller businesses in the future, which I think would be really cool, as well as the right to opt out of targeted ads or the right to opt out of the sale of information.

I think those are great, too.

If you don’t want the business to sell your information, you can just say no, which I think could be a really big deal. Right to opt out is important. Yeah, exactly. Right to opt in would be better, but right to opt out is great, too. And just to remind everyone, I know we kind of covered it earlier, but right to opt in means that by default you have the right to not being tracked, not anything, and only if you clearly accept and consent to that website targeting you. Hence why you see so many cookie pop ups. Only then will they allow themselves to put cookies on your browser and track you for marketing purposes.

Again, targeted advertising I love, but I love it when I get the choice on what I get to get sent to me ad-wise. Exactly. Because I already built my garden bed. I don’t need garden bed ads anymore. There can always be more, I guess. Yeah, that’s true.

So people have these privacy rights and I think we’re both in agreement that that’s a great idea that people should have these rights. But who’s responsible for ensuring that individuals can access those rights?

Help me out with that one, actually.

Yeah, so I think it comes down to two things. So one is businesses. So they need to make sure that information as to how to exercise privacy rights is easy to find. So usually that’s done through a privacy policy, right? So it says here’s where you contact us to submit your rights.

We might need you to verify your identity, here’s when we’ll respond. And it’s the business’s responsibility to respond within that specific time period that’s stated in the law. And then also, I think part of the responsibility lies on the government. So to educate people about the fact that they have these rights and they can exercise these rights because most people don’t know what they are or that they have them at all.

And then lastly, I think it’s partially on the individual as well to be educated on what the rights are, what they mean, and then actually submitting the request as well. Got it. Yeah, that makes a lot of sense. It reminds me of California CPRA, which you actually have to disclose like designated agents and what do you allow as a website owner in terms of people being able to verify their identity before even exercising the rights.

So yeah, such a great call on that. Business owners have a responsibility, a legal obligation under these privacy laws to provide that information. But I agree with you. I think governments need to do a better job at enforcing privacy laws. And I mean that because

there are a great example. There are so many non working cookie consent solutions out there and it actually, I think, causes more customer confusion. I think the average website visitor still doesn’t understand a cookie consent isn’t a bad thing. That’s a company saying, hey, I’m not going to track you until you give me the right to do so.

That is awesome. Well, first off, it’s required by law, but it’s also awesome that companies do it. But unfortunately, there’s a lot of people providing cookie consents that don’t actually do anything like, hey, we use cookies. Click OK. And that’s all you have the choice to do. That’s not compliant with any law.

Yeah, that’s not consent. And I think that causes more problems, more confusion in the market. So I think governments not only have to create more enforcements to make sure people understand these are your rights. As people, we’re protecting it. But also, I would say, more than anything, governments need to provide resources for business owners on how to properly comply with these laws so that we can respect people’s privacy.

I very rarely meet someone who says, I don’t care about privacy. I would say most people do nod their head, like, yeah, people do deserve a right to privacy, but it just amazes me when it comes to their own website. Well, no, policies aren’t that big of a deal.

I guess that’s kind of rare more these days. But five years ago, that was definitely the thing. Yeah. And whether people like it or not, times are changing and people are getting privacy rights, so might as well get on top of it. Yeah, a couple of different tangents in response to that.

So governments providing businesses with information as to how to comply, there’s a huge difference between countries on this as well. For example, so I work with privacy laws every single day. So in the UK, for businesses, they have reams and reams and reams of documentation, videos, any kind of question that a business could possibly have about privacy law compliance, that question is answered at length.

Right. You can watch the videos, you can watch webinars, you can even contact the Information Commissioner’s Office and ask them a question and they always respond right away and they always give a thorough response. Here in the US, the best that we get are regulations, which are often released six days before they go into effect that conflict with the law itself.

And then if you actually contact the Attorney General’s office to ask them the very basic question, they’ll just respond, oh, we can’t provide you with legal advice like hire a lawyer. Well, if I’m a lawyer myself and I can’t understand what the mess that they’ve created is and what that means for compliance, you have a problem.

And the refusal to provide any information whatsoever on how to comply is a really big problem. And then you can’t really be surprised that businesses don’t comply if nobody’s explained to them how to actually comply. Yeah, the conflicts we’ve seen are wild. Yeah. And not all of them are bad, but there’s some laws that were created by people that not only aren’t in tech or have any sort of online experience, but they’re not even in government.

Like they’re like they build houses.

I wasn’t going to call it out, but there you go. And another tangent that I had is verifying identity to exercise privacy rights. So if a consumer contacts a business saying, hey, can you give me access to all my data? The business has to confirm that it’s actually that particular person. It’s not like a scammer or somebody like that. But some businesses go really far with that.

I remember Grindr got fined because if you wanted to delete your Grindr account, you would have to upload a picture of your passport.

Yeah, which was never part of the information that they initially collected. And Grindr is one of those sensitive websites where if you live in certain countries, you could potentially be prosecuted for using a website like that. Sure. So having somebody upload their passport to delete their account is just egregious at best.

So, yeah, they got fined for that because it was overreaching. I’m happy to hear it. Um, so what obligations do businesses have when it comes to privacy? Well, that kind of depends on what laws apply to them, but I would say in general, some best practices would be to limit the amount of personal information you collect from your website visitors and even your customers. I always think about like, how ten years ago, every website would ask for someone’s birthday, and then we’d set up an automation to send them a birthday 10% off discount code or something, and it’s like, okay, is getting someone’s birthday really necessary?

And of course, some industries it is necessary. Like if you bake cookies and cakes for a living, like, yeah, birthday makes sense. Yeah. If you sell like, restricted age products, you do have to ask for an age. But if you are selling website policies, I’m sorry, you don’t need someone’s birthday just to send them some sort of promotion. So limit the amount of personal information that you collect. It’s just a general there’s not a single privacy law that will be upset with you doing that.

I would really recommend, even though it’s not required by all laws, but when people are submitting their data to you on forms, for example, whether it’s a contact form or through ecommerce websites making a purchase to the website, have people agree to your privacy policy prior to clicking submit.

So have a checkbox. Have it unselected by default where it says, I agree to the privacy policy. Put a link to your privacy policy and make that checkbox a required field so that the user has to consent. So that you, the website owner, get a timestamp the moment they agree to your policies, your privacy practices,

and that protects your business, while ensuring that if there ever were to be a problem in the future, you could always fall back and saying you did agree to our policies at this time. Yeah, and having a privacy policy that complies with the laws that apply to you. Right.

So each law has its own set of disclosures that it requires privacy policies to make. So you need to make sure that your privacy policy is based on the laws that apply to you, that it has those disclosures, and that you keep it up to date with changing laws.

So, like, this year, we have six new privacy laws going into effect, all of which change privacy policy disclosures. So you need to have that as well, if applicable to business. Yeah, exactly. And respecting user choices as well. So if somebody says, hey, opt out of the sale of my data.

You need to stop selling their data. Right. So what happens if a business does not meet those obligations? Are there any consequences there? Yeah, well, consumers could complain to their authority, whether it’s Attorney General or the data protection authorities of Europe or wherever they have privacy rights. And that would then be reviewed and you could be brought a fine or a non compliance penalty.

And the penalties, they aren’t something to kind of downplay. I think the starting penalty comes out of California. The lowest price is $2,500 per website visitor whose rights you’ve infringed upon. So 100 visitors in a month from California, if that law applies to you and you’re found to be non compliant, it’d be $2,500 times 100. So that’s like 250 grand for doing something incorrect with your website. I mean, come on, you got to be aware of that stuff so that you don’t ever find yourself dealing with such a serious issue.

I mean, that’s a crushing price point for any website because even billion dollar companies, they get probably tens of thousands, if not millions of visitors from certain states and stuff. And oh boy, I can’t imagine the fine they would experience at that price point. What’s interesting to see, too is even though in the news we’ll see like Facebook, Google, Instagram getting fined millions or billions of dollars, I think it’s important to note that small businesses are getting fined as well.

So if you’re ever interested, I would recommend looking at enforcementtracker.com which tracks all GDPR enforcement penalties. And you’ll see that there’s been one person businesses being fined for changing a consumer’s email address in their database without the consumer’s consent. So you see a lot of small businesses getting fined as well.

Those fines are obviously less than millions of dollars, but you can see up to 100,000, 200,000, which can be really impactful for a small business. One person company is getting fined five figures for incorrectly subscribing some email that they weren’t supposed to. They’re supposed to subscribe a different email.

Exactly. Yeah, and I think it’s important to know too, that apart from fines, there are other consequences too, like the loss of consumer trust or the loss of brand trust. So if customers receive text messages from you about sales at 3:00 a.m. that they never signed up for, they’re not going to think positively about your business.

They’re going to unsubscribe, and they’re not going to want to use your business anymore. And what’s really interesting is that there’s been a lot of studies saying that consumers are increasingly using privacy as a factor when determining whether or not to share their PII or buy from a particular business, and they are switching to more privacy focused alternatives.

So it could potentially affect your business revenue as well. Well, yeah, and the trend is very clear that people didn’t think once about privacy years ago and that more people are thinking about it than ever before. The trend. More people are getting privacy rights, more laws are passing. This trend is going to continue.

I mean, all the writing is on the wall that more people are going to demand that their data, their personal data that identifies them is respected by website or by business owners.

So you’re a business owner yourself, you work in privacy, but you’re also a consumer. So what do you wish consumers would know about privacy?

Number one, that cookie consents are actually a properly working cookie consent is actually a good thing. Those website owners are giving you the choice on being able to assuming it’s an opt in cookie consent. There are opt out cookie consents. But an opt in cookie consent means, hey, we’re not tracking you, period.

You can click deny and go to our site. All the stuff we offer on our website is free. Your data is not being sold off. So I wish consumers would know more that a cookie consent is actually respecting people’s privacy rights. And I think that’s going to be figured out over time.

I wish consumers knew more about their own privacy rights. It amazes me how everyone’s like, oh, California passed a privacy law. Well that law doesn’t apply to me, I’m a business in Illinois. Well it could apply to you still. Like absolutely. Privacy laws protect people. They don’t care where you’re located. And to flip that consumers in California don’t realize that the websites they visit, if those laws apply to those business owners, that those business owners have very specific disclosures they need to make in their policies to respect those rights.

So I hope people go beyond just thinking, oh, I know privacy is important, to really taking it in because this is one of those things that is worth fighting for. Because if we don’t fight for privacy rights, we’re going to be subject to whatever companies want to do with our data forever.

And that’s not man, I don’t know if you all seen Black Mirror episodes, but I don’t want that life. And I’d recommend we try to make privacy rights a pillar of the future. I think one kind of interesting tidbit that someone has told us, and unfortunately I’ve forgotten who said this, but I guess they have this strategy to determine if somebody’s selling or sharing their data.

So when they sign up for a service, they use the plus sign. So let’s say my email is donata@gmail.com, which it isn’t, but let’s say it is. So let’s say I am buying stuff from Walmart. I would put my email as Donata+walmart@gmail.com. And then in the future, if I’m getting emails from people that I don’t know and it says Donata+Walmart, then I would know that Walmart shared my data or sold it to someone else.

I’m not saying that they do, just using this as an example. But that’s how she figures out who actually siphons their data to other companies, which I thought was just. Is so cool. Such a great idea. Yeah, absolutely genius. And for those of you that don’t know, when you have an email like donata@gmail.com, you can add plus and then just type in whatever else you want.

Hamster, Walmart, gum. Just type in anything else you want. And when people email that email address, it goes directly into your donata@gmail.com email. So that’s the trick. And what a genius way to kind of figure out who’s up to no good. I wouldn’t be surprised if we see enforcements being made based on that fact. Yeah, because it’s very easy to prove if you just gave that email to one company, it’s clear who shared or sold your data.

Yes. And then on the flip side, what do you wish businesses would know about privacy?

Okay. And I kind of alluded to it earlier, but I wish business owners understood that privacy rights protect people. It doesn’t matter where your business is located. What matters is whose data are you collecting? Because those privacy laws may apply to you regardless of where you’re located. Privacy laws protect people.

They don’t care where your business is located. So you need to find out whose data you’re collecting. What laws do I need to comply with? And then from there, you can start making educated decisions on what you need to do to comply and respect people’s privacy rights. Yeah, that’s really step one.

Figure out what laws apply to you, because otherwise you won’t be compliant.

Exactly. And it’s very hard to get lucky with compliance. Oh, boy. That’s the other thing. Don’t randomly become compliant with the law without knowing what the obligations are. It is amazing, because we say that what I just shared, I’ve probably said 10,000 times over the last couple of years.

And the moment I say it, everyone’s like, oh, yeah, that makes sense. But prior to hearing that statement, the thought is, I need a privacy policy. What should I do? Okay, I’ll go to a template online. Like, oh, gosh, I have yet to see a single fully compliant template, because here’s the reality.

They don’t exist. Because every privacy law has its own unique disclosure requirements. Every privacy law has conditional based disclosure requirements. CPRA requires a toll free telephone number under some circumstances, where in most other circumstances, they don’t require it. So does the template provide? Which one does it choose to provide?

So templates are just so risky. And I guess the third and final thing I would recommend business owners consider is that you have to have a strategy to keep your policies and privacy practices up to date over time. The reality is, more people are getting privacy rights than ever before.

Things are changing. At the time of this recording, we’ve had three more states pass privacy laws in the last couple of weeks with their own new disclosures, their own new protections. You have to have a strategy to constantly change this stuff. Policies are no longer static documents. Exactly. Yeah.

And for our listeners, just know that we’ll be taking deep dives into each of these topics and more topics throughout the season and next season. So don’t worry, there’s much more to come with each of these topics as well. And then I think we have one last segment that I wanted to talk about, and that’s privacy news.

So there’s some new privacy laws that are coming into effect this year, six. And here’s the fact that these new laws are starting to regulate targeted advertising, which wasn’t really the focus of many privacy laws in the past. So this is something that’s new, something that’s considered being added to new privacy laws and privacy bills.

So basically, they provide consumers with the right to opt out of targeted ads. So, Hans, what are your thoughts on this? It’s interesting. I think privacy goes beyond targeted ads, but I understand that targeted ads are probably what consumers are requesting to get some more control over. So I’m happy that the fact that people are getting privacy rights, I do think there could be some more European style privacy rights that could be implemented that give humans more I just said humans. Like, I’m not one give humans more rights. All right. Mark Zuckerberg. Yeah, right. Give us all more privacy rights like that, where by default, we’re not being tracked. By default, we’re not being targeted.

That would be where I’d like to see it progress to. But hey, I’ll take any privacy rights at this point. What’s interesting about this, too, is that cookie consent banners were usually an EU UK requirement, and I think now we’ll see them more as a requirement in the US.

Because that’s really the easiest way to have somebody opt out of targeted ads is through a cookie consent banner where they don’t consent to those Facebook ads or LinkedIn ads cookies. So maybe we’ll see more of that here in the US as well. Yeah, and I really hope consumers understand why they exist.

So I think that’s all for today. Hans, thank you so much for joining me today for our inaugural podcast episode. And make sure to subscribe and listen to our next episode where we’ll be talking about the history of privacy. Awesome. Well, thanks for having me, Donata. And if anyone wants me to speak again as a guest speaker, please let Donata know.

Otherwise, this will be the one and only time you hear from me. Thank you, Hans. Thanks, everyone.
