Website Privacy Q&A with Termageddon

If you work on the web, I’m sure you’ve heard about the increasing user privacy regulations and data retention regulations. You’ve seen the acronyms: CalOPPA, CCPA, GDPR, PIPEDA, UK DPA, or others, but perhaps you’re confused about the rules. Maybe you aren’t sure whether they apply to you or your clients.

On March 30th the team at Termageddon answered our questions about website privacy. Here’s the video and transcript. Please note: this should not be considered legal advice. If you have any questions, please speak with a lawyer.

Show Notes (and clarifications):

  • The Attorney General does not make amendments to the law itself. The Attorney General releases regulations that interpret the law and state how to comply with the law. Amendments are made by the legislature of the state that passed the law. Not a big deal. 
  • Is there anything else to worry about with compliance apart from publishing a Privacy Policy? You didn’t really answer this question. I would answer it with this: 
    • You need to ensure that you are appropriately responding to individuals inquiring about their privacy rights; 
    • You need to have contracts with the people who process data on your behalf to make sure that that processing is compliant with privacy laws; 
    • You need to have appropriate security measures in place; 
    • You need to train your staff on privacy and security practices; 
    • You need to assess the third party services that you use on your website or in your business to make sure that they are compliant with the privacy laws that apply to you. 
  • A Cookie Policy is technically not required by law as that information could be incorporated into the Privacy Policy. 
  • Colorado’s privacy law goes into effect in July, not January (of 2023).
  • There is a method where transfers of data are compliant – SCCs, DPAs and technical measures. 
  • Consent protecting you from the Google Analytics ruling – we don’t know whether consent would make a difference here because the decision did not talk about consent. 
  • Where the country is US speaking – I think you mean “English” speaking lol
  • Here is the map that shows all privacy laws across the world: https://www.dlapiperdataprotection.com/

Transcript:

David: So welcome, everyone, to our first of many Q&A sessions. It’s the fifth week of the month so we wanna invite a guest to come speak to us about something that we don’t normally get to ask an expert about. I am not an expert in website privacies and privacy policies but Hans is. So hey, we’re glad you’re here. So let me… I guess we’re just gonna get started. Let me introduce Hans. Hans Skillrud here is from Termageddon. Termageddon is something he’s developed after a few years of owning his own agency in Chicago. And a few years ago, he moved on and started developing this full-time with your partner, right?

Hans: That’s true. Yes, my wife is a privacy attorney. She wanted to join today but unfortunately, was ill. So I briefly accepted this opportunity to take my years of working with her and hopefully field everyone’s questions today. She did, however, offer to come in and join if there’s a question that you all stump me with. So I’m gonna ask you for easy questions today but in reality, let’s just ask whatever we need to. And also, I just got a note, but for you choosing to talk about privacy as your first Q&A interview, my hat is off to you, because that can’t be the most exciting thing to a standard attendee. So I thank you all for listening and hopefully, this is a fruitful discussion for us all.

David: The opportunity here is that we do these weekly office hours, we talk, we have questions and answers about SEO. And oftentimes, we’ll talk about website privacy, because a lot of people are. And I have to admit, this is not something I have delved into to the extent that I should, and it’s complicated, and it’s scary. So, Hans, I so appreciate you being here to help us maybe make us less afraid or maybe we’ll be more afraid, I don’t know. But at the end, we will know more.

Hans: I would say less. Yeah, and we certainly will know more. You know, and just to preface this, you know, I ran a 12-person web agency for seven years, hence, all the hair loss. And, you know, I was copying and pasting privacy policies for my clients. Like whenever they would ask, I just would copy and paste one. And I think that’s kind of the modus operandi of the standard web designer, certainly, three, four, or five years ago. And really, all we just have to accept as web designers is, our industry is being regulated more and more and this is just one of those regulations.

And where I’ve kind of turned is, with Termageddon, I’ve kind of turned my viewpoints on it. And really, I think, if we look at privacy as something we can embrace rather than hide from. I think we’re gonna benefit in the short-term as well as the long-term. Because whether we like it or not, this stuff is coming…it’s already here but there are way more privacy laws that are likely to come in the future, which we can talk about as well. So might as well get on board, respect people’s privacy and be conscious about it. And I’m really excited to talk about that, too.

David: Yeah, I actually think that was a pretty generous characterization because I think most people just ignore the website privacy aspect. It’s scary, it seems like it’s complicated, is just easier to kind of put your head in the sand and hope it goes away.

Hans: And I think humans…what I think I’ve learned is that…I think, most humans are reactive, not proactive. And there will always be those people that will drag their feet until they are in court dealing with a lawsuit or a fine that they have to pay for non-compliance. And, you know, business owners are for proactive people, and hopefully, I can share some tidbits today that will help reduce the concerns, but also acknowledge where there’s still things that need to be flushed out.

You know, David, you and I got into it earlier talking about Biden’s speech around data privacy in the E.U, and how that sounds like it completely conflicts with some other information that we have. So there’s a lot of stuff that’s still unknown. And then that…and I’m gonna instantly get into philosophy, but that always has me draw back now to, “Well, how do I move forward and respect people’s privacy to the best of my abilities as possible?” And we could talk about ways to do that, too, today.

David: Yeah. Well, you’d suggested that you might have some kind of ideas or thoughts that commonly are asked. It might be a great start for helping us to think about this topic. What are some common questions you get as it relates to website privacy?

Hans: Yeah, I’ll give a high-level overview of my view of the privacy law landscape. And I think that’ll be a good starting point for people to either disagree with me or ask questions on my opinion and whatnot. So before I move any further, as any good husband would say, please note Termageddon is not a legal service provider, I’m not providing legal services today. Termageddon is a tool, not a law firm.

So with that all being said, privacy laws are out to protect people’s data. And what that means is things like names, email addresses, IP addresses, that is regulated data now under multiple privacy laws. And privacy laws protect people’s data. So a privacy law in the E.U, for example, protects the data of E.U residents. Privacy laws in California protect the data of California residents. Not a single privacy law cares about where your business is located. If you are collecting data from their people, you may, may, need to comply with their privacy laws and make very specific disclosures under those laws.

So really, what we need to be thinking, as web designers and web agencies is like, hey, if I’m building contact forms, installing Google Analytics, installing WordPress onto a website, for that matter, I need to be conscious and tell my customers like, “Hey, look, your website’s collecting potentially regulated data. I need you to be aware of this fact and let you know that you may need website policies.” And so rather than hiding from it, putting it into the right people’s hands to make a decision themselves. Termageddon, we have some free waivers, you don’t have to sign up with Termageddon, I’ll give it to you for free, it’s no problem.

But using a waiver, I think it’s one and that’s such a…I just dove right into the details of…a standard Hans move there. But, you know, using a waiver to help acknowledge, like, “Look, I’m helping you collect regulated data. I’m not responsible for your website policies, please sign this waiver acknowledging that I told you you need policies, And you can choose to do nothing, that’s fine, but you need to sign it telling…where you acknowledge where I told you you needed it.” But let me get back to the high-level stuff.

So this regulated data that a website may be collecting…well, if you connected the dots, you’re probably sitting there thinking, “Well, I have a website, it could get traffic from anywhere, so do I have to comply with like all these laws?” And like, I hate to be the bearer of bad news, but unless you’re like blocking IPs, which even that comes with an asterisk, yeah, you kind of do. And that’s frustrating, you know. As a human, I love the fact that people are getting rights to their privacy, like I absolutely love that. Like, I’ve yet to meet someone who’s not like pro-privacy for human beings. What I get frustrated about is that as a small business owner, if I have an online presence, I now have to comply with an ever-growing number of ever-changing, ever-complex privacy laws.

And like that’s the part that we’re in the middle of, and it is still being flushed out, and we have a lot more to figure out with regard to like, what that all looks like. But what I can tell you is it seems like the main takeaway is to understand, is your website collecting regulated data? And what laws do you need to comply with? And what disclosures do those laws require? And, sorry for the sales pitch here, but that’s like what a great website policy generator can do. So like Termageddon is the company I co-founded with my wife and our tool will help you identify the laws that apply to you by asking you those questions. And only then do we ask you the follow-up questions to make the disclosures required under those laws.

So it’s really about, find out what laws apply to you, make the disclosures required under those laws, and then last but not least, have a strategy to keep your policies up to date when the laws change. And there are tools, like Termageddon, where they will monitor privacy laws for you to notify you of changes. For example, on Friday, last week from the date of this recording, Friday, Utah just passed this privacy law. And there’s 36 privacy bills in the U.S. on a state-by-state basis right now. But having a strategy to keep your policies up-to-date is also a critical component, and just the reality of running a business in this modern day and age.

So I’ll stop there and yeah, like… Collecting regulated data, it’s not bad, it’s good, it’s how businesses are run, but you just need to now disclose what you do with it, how you collect it, what you do with it, where are the sources from where you collect it, and various other things depending on which laws you need to comply with, so. Man, I am very disorganized, say, that was like all over the place. But hopefully, I just threw a bunch of stuff out at you guys and you can come back with some feedback for me.

David: Yeah, well, my first question would be legal in nature, even though… This as a… I don’t build websites but I help manage websites for clients. So most of my clients would hear about this from me because most of my clients don’t get…they are still far… I’ve had one client who was proactive and says, “We are doing this,” right. So what point am I liable for saying nothing to my clients and pretending to be ignorant of this issue?

Hans: So the very first thing I would say is, with your client, whether you’re building websites or maintaining websites, really what you wanna make sure, first and foremost, is your client contracts don’t say things like, “I’m gonna make sure your website is compliant with all applicable laws.” Because that…I have seen that in contracts and that is, like, just traumatizing to my mind to think that… Because I know they are charging $4 million for that website, you know, because that’s what I would charge if you’re gonna claim to build a website complying with all laws. Like, that’s just no, you don’t do that. So unless you’re charging seven-figure deals, like, do not include in your contracts that you will build websites complying with all laws.

So that’s the first thing I would note is just to make sure your contract has nothing in there stating that you’re their privacy person or accessible person or whatever it is, in terms of the laws, you don’t want to make yourself subject to, on behalf of your clients. So your contract is the most important thing to understand, is like don’t promise something you’re not offering. Assuming that is the case, well, then there’s nothing else that you’re really responsible for because the client…it’s the company’s responsibility… Whoever owns the website, the company that owns the website is the one responsible to keep those policies up-to-date with new disclosures and comply with applicable privacy laws which go beyond just website policies, of course.

So I think it’s really just a matter of not ignoring the fact that you probably know, and the client probably doesn’t know, about these privacy laws. And that’s why I think agencies have such a wonderful opportunity to educate people about this stuff. Let’s not lose sight of that fact because like, let’s be real, we will probably be the only opportunity they ever get to be notified of the fact that this stuff is becoming very important. But also, keeping in mind that you need to protect your own agency, and making sure that they clearly understand that you’re not responsible for their legal compliance needs just because you built their website or maintain their website. So I think that’s the balancing act.

David: Thank you, that’s helpful. To maintain some order today, and to make sure that I don’t ask all of my questions, and you can all ask your questions, please, like, do the Zoom thing to raise your hand and I’ll call on you, or write your question in the chat and I’ll watch that, too. So Tim, you unmuted yourself, did you have a question you wanted to ask?

Tim: No, I was just gonna say it was nice to know…be informed of the new law passing in Utah from your email that I received last week about it. So I just wanna add that that’s a helpful email list to be a part of as well.

Hans: That’s awesome. You know, we do have customers that cancel every now and when they do, I have like a good portion of them, say, “Unsubscribe me from receiving privacy law alerts.” And I’m just like, “Dude, why would you not take this for free?” And here…I’ll add into the chat here a link to our Privacy Bill Tracker, just in the U.S., you’re gonna see 36 privacy bills currently out in the U.S. alone.

So in the U.S., we do not have a federal privacy law for general websites. I mean, we have HIPAA, we have COPPA but I’m talking like just for general websites. We have FINRA too but anyways. For general websites, we don’t have a federal privacy law, we have individual states proposing their own privacy bills. And like, everyone in the privacy community is just like, “Look, no one’s wanting to say we don’t like privacy rights, we just think it’s a joke, like, how is the small business owner gonna stay up-to-date with all this stuff?”

And you’ll see what those 36 privacy bills are in that link. If you go down to New York, you’re gonna see that there’s three privacy bills in New York. And if two of them pass, any two of them…two out of the three proposed bills, if one of those passes, it will enable New Yorkers to sue any website owner located anywhere just for collecting an email address on a contact form without a proper New York privacy law disclosures.

Like, do we really realize the depth, the gravity, of that situation? Because look we’re all from tech, like, I hate to say it but like someone could probably pretty easily create a bot that scans a website for a contact form, scans the website if they have New York privacy law disclosures, if they have contact form with no privacy law disclosures, submit a lawsuit on a contact form. I mean, I feel like entry-level devs could probably figure that out within a weekend. Like, you know, and some people could probably do that in 15 minutes and like, that’s a frightening thing, in my opinion.

David: Yeah. Hopefully, no one watches this and then says, “Hey, that’s a great idea, I’m gonna develop that.”

Hans: If you do, you’re not a cool person like, not cool, not cool at all, like…

David: Trisha, did you have a question?

Trisha: Yes, I’m sorry. My hand-raising goes away occasionally, so… My question is… So I saw the email about Utah, but I haven’t had a chance to look at it. So my question is like when those emails go out, when there are new laws like that, like, are you saying that I specifically need to go into any of them that I’m managing and update things?

Hans: No.

Trisha: No?

Hans: No. And in the email, we say “No action required.” I put it at the bottom, I should have probably put it at the top, like my bad.

Trisha: Well, I didn’t… I saw the [crosstalk 00:15:44] I didn’t know.

David: That was my favorite part of the email.

Hans: I knew… When people saw that, I was like, “I’m sure that will be appreciated.” So the Utah privacy law passing is a very good example of the initial email we send, it’s just, “Hey, this law passed just so you know. We’re watching it.” And that’s really just to let everyone feel confident that we’re staying on top of this stuff. Granted, we’ve been monitoring this bill… When it was a bill, we’ve been monitoring it since its birth. But we feel like it’s a good time when it passes for that to be the first moment, the first notice of a change.

But the effective date is December 31st, 2023 so we have like 19 months or? I’m not good at math. But we have a decent amount of time here between now when the Attorney General probably makes amendments, which they seem to always do, at least in California, and then the actual enforcement date. So it is due on December 31st, 2023. Between now and then, we’re gonna define if our tool can push an automatic update, or if we need to ask any additional questions. For this law, in particular, there are some nuances that we don’t have answered yet within our tool, which is, do you process the data of 25,000 or more Utah residents? I could be wrong on that number so don’t count me on that.

But Utah’s privacy laws, similar to California’s second privacy law, the California Consumer Privacy Act, only applies to larger businesses. And what I mean by that is you can do business in Utah, but that doesn’t necessarily mean you have to comply with that law, there’s other factors that go into consideration for that. I think it’s 25 million or 25…processing the data of 25,000 or more residents of Utah on an annual basis or generating 25 million or more in revenue a year. Or I think…if only there was a blog post for this. Or selling the data of…driving 50% or more of your annual revenue from selling the data of your consumers.

So with that all being said, you can absolutely confirm or deny that fact by just going to our blog and clicking the first article, “The Utah Consumer Privacy Act Compliance Guide,” which I’m doing right now, and I might as well tell you. So, okay, so annual gross revenues of more than 25 million or more, and meets one of the following thresholds, during a calendar year controls or processes the personal data of 100,000 or more Utah residents or derives 50% or more of its annual revenue from selling the personal data and controls or processes the personal data of 25,000 or more Utah consumers. So happy to expand on either of those, but I’ll add a link to the article here.

David: So for how many of these privacy policies are there thresholds like that?

Hans: Yeah, so GDPR no threshold, UK Data Protection Act, no threshold, there’s no thresholds for Canada’s PIPEDA, DOPPA, Delaware Online Privacy Protection Act. CalOPPA, the California Online Privacy Protection Act, in Nevada, Nevada Revised Statutes Chapter 603A. That would be it. And then for Australia, CCPA, the California Consumer Privacy Act. I’m not sure of Quebec, Quebec is launching September of next year. Utah, Colorado, and Virginia, those would be all the ones that have business size restrictions.

I mean, they all seem to be floating, it’s 10 million or more revenue a year or 25 million or more revenue a year. Processing the data 50,000 or more California can start…processing the data of 50,000 or more people within a state. Those tend to be kind of the variables we see to be, if they’re adding business size restrictions. And what you can see in that Privacy Bill tracker is we identify if there are business size restrictions with the proposed bill out, just so everyone knows. I think it’s column three.

David: So most of these are about the website visitors coming to your website from these locations, not where you happen to reside as a business. Is that correct?

Hans: That is correct. That is how every privacy law is designed. It is designed to protect us people not the businesses. So it doesn’t matter where you’re located… Some privacy laws are only for for-profit entities. So PIPEDA, Canada’s privacy law, for example, doesn’t apply to nonprofits. So you can take data, as a nonprofit, from Canadians and not have to comply with that law necessarily. So yeah, hopefully, that helps answer that question.

David: Is there more to worry about compliance than the privacy policy? For instance, oftentimes, my clients will have a WordPress plugin that will collect forms. And it will collect the form information, perhaps their name, perhaps their email address, perhaps a phone number, and some notes in a database. I, as someone who has access to the WordPress site, could theoretically log in to that website and see all that information. Theoretically, I could download all that information. And theoretically, no one would know that I might do whatever… So like is there more to compliance than just publishing a policy? Do these businesses need to make more proactive action to prevent this or guard the data they do control?

Hans: So, great question. Actually, the example that you gave is a requirement under several privacy laws, which is disclosing who you share data with. And I love to give this example. I have so many people that tell me, “I don’t share data. I don’t share any data that I collect.” And I sit there, I’m like, “Okay, I’ll confirm that with a few questions. And I’ll give you my short answer.” I think when they hear the word share, they think they don’t sell data. But sharing and selling are very, very different things. And I’ll give you a great example, let’s say you add a newsletter subscription to your website where people submit a form and put it in their email and they subscribe to your newsletter, which is through ActiveCampaign or Constant Contact, or MailChimp.

That is a fantastic example of when you are collecting not only names and emails, but then you’re taking that and sharing it instantly, but sharing it with your third-party email marketing vendor. So that is when you’re taking emails, sharing with third-party, MailChimp, ActiveCampaign, whoever it may be. And then that exact same example, when a form gets submitted on a WordPress website, nine times out of 10, a backup gets stored in the Content Management System, aka WordPress, and that hosting providers and parties that need to operate the website may have access to that data.

So that particular question, the best way to answer would be by disclosing it in your policies to let consumers know that, “Hey, people that need to operate our website, may be able to see the data you submit.” And being outright and forefront with it and sharing that information. And it brings me to a more of a philosophical talk but like your privacy policy is really like your operating procedure for what you share to the outer world on how you practice privacy. And yeah, there is more things to do outside of having a privacy policy but in a lot of ways your privacy policy helps you discuss like what you do and what you don’t do. So yeah, hopefully, that helps answer it. And I like Termageddon because you can generate your privacy policy, review it, and make sure it aligns with, you know, your efforts and whatnot, so. Does that help with that one?

David: Yeah, yeah.

Hans: Cool. So yeah, sharing data is very common in our space, like it is natural. I mean, the moment someone submits a contact form and that triggers an email sent to your email inbox, assuming you didn’t build your email inbox yourself, rather than using G Suite, or Outlook or something. That’s also when you’re sharing data with your email service provider. So, you know, the moment someone submits an inquiry on a contact form, and you receive an email is the moment you’re not only collecting that data but sharing that data with a third party whether it be G Suite, or Outlook, or any other third-party email service provider.

David: Trisha.

Trisha: And I can’t remember… I don’t do a lot of websites, I only occasionally do a few things where I’m using privacy policies so I don’t remember the last time I did this. When we say we share data, do we have to, like, include the names of the companies, like you said MailChimp, we don’t or we do?

Hans: So yeah. So typically, I get that question under GDPR, the General Data Protection Regulation which protects the data of E.U residents and EEA residents. So that is one of two ways to comply with that law. So the other way is to disclose the categories with whom you share data with. And we…Termageddon we went the category disclosure route because GDPR also states that policies need to be minimal in length. So our thought was, say the categories with whom you share data with, therefore, it shortens your privacy policy, therefore you’re adhering to GDPR and your two requirements. But yeah, you’re welcome to share the names of the companies you like. I like doing categories…

Trisha: Yeah, I do too, because, well, you know, the client adds something, and the person who adds it doesn’t realize the impact. So then you could go add, and I think that does make it better. Okay.

Hans: Yep. Or you switch between ActiveCampaign to MailChimp. And now, you don’t have to update your privacy policy laws because you already disclosed that you share it with those vendors, or with those categories, so.

Trisha: Okay.

David: When using a privacy policy generator like Termageddon, what would be the best practice for an agency or a service provider to say, “Here, client, you need to comply with this, go answer Termageddon’s questions.” Or me as the provider of a lot of services, many of which, frankly, the client might not know the details of, to do it on behalf of the client?

Hans: Yeah, great question. So for one, I would never push Termageddon on a client, you’re more than welcome to but I would recommend not doing it. Rather, I would use like our waiver as an opportunity to educate clients about the importance of policies and have it understood that you’re not responsible for their policies, regardless of what they decide to do. And then give them the option to hire an attorney and just be like, you know, once your attorney drafts it, give me the stuff to add to the site. Or, you know, offer them the option to do nothing and just be like, you know, you can operate…you’re a business owner, you can make your own decisions. If you don’t wanna comply with the laws, that’s fine, I still want documentation that I told you you need this, and that I’m not responsible but you can sign that off or you can sign up with a generator like Termageddon.

And hopefully, they all sign up Termageddon, but for the ones that do, I’ll note that we’ve really designed Termageddon to be client and agency friendly. And what I mean by that is like, I built enough websites to know my clients do not always know if they use Google Analytics or not, like that’s just the reality of the situation. So that is why, as an agency owner, you can go in and like pre-answer some questions for them and you can share access to the license to ensure that they not only receive the questionnaire to edit it or change it however they’d like but also by giving them access that ensures that we can email them directly when new laws go into effect when their policies are being auto-updated, or if there’s any new disclosures that need to be added.

So really, I like Termageddon because I think it’s a solid marriage between agency and client where agency can go in pre-answer some stuff that they know the website’s doing, but then give the client the ability to, you know, fill in their legal name, where they’re formed, where they wanna resolve disputes, stuff that an agency would not necessarily have the answer to. And the client could even share the license with their attorney if they want to, so their attorney can log in and change out whatever they want so.

David: What is the difference…? I mean, I’ve seen various things like this lying around and I don’t understand the difference between a privacy policy, a terms of service, and a cookie policy.

Hans: Ah, I love this question. So I didn’t know this stuff either, I had to marry a privacy attorney to figure this stuff out so.

David: For those of us who are married already can’t marry a privacy attorney.

Hans: So I’m working on how best to articulate this joke but I wanna say something like I married a privacy attorney so my web agency partners didn’t have to. But I’m still working on… Yeah, it comes off so bad. I love…I’m very happily married, but I’m still working on landing that joke. But a privacy policy helps explain to users how you collect data, with whom you share that data with, what the purpose is for why you collect that data as the core, and then any other additional disclosures required under the law. So privacy policies are there to comply with privacy laws and share with users your privacy practices.

Terms of Service, otherwise known as terms and conditions, otherwise known as terms of use, I think there’s another one in there too. But terms, that is setting the rules to using the website. So terms, although it can be designed to help you comply with consumer privacy laws, or consumer protection laws, such as like E-commerce websites and explaining refunds, cancellations, and all that stuff. Really, terms of service is just about setting the rules to using the website, saying this is what you can and can’t do as a user of this website. And this is where our liability stops.

A great example, and why I think the terms of service should be on virtually any website is saying, we offer links to third-party websites. We’re not responsible when you click one of those links because we don’t control those sites. So if you get hacked, you can’t come back and sue us. I like that for virtually any website because we all have links to third-party sites these days. So setting the rules by limiting…and really what that is intended to do is limit your liability as a business owner.

The third one is a disclaimer. A disclaimer is really kind of providing the context to the content, letting people know, you know, nothing on this website should be considered legal advice, health advice, hey, we have affiliate links. It’s kind of like those commercials you see for medicine and the last five seconds, someone’s talking like 3x speed on like all the things that, “Hey, this” you know, “medicine will make you sick.” Whatever it is, that’s what a disclaimer is like it’s like giving all that…the details out, just making sure everyone’s on the same page of what this is and what this website is, and is not providing.

And then a cookie policy is required under the ePrivacy Directive, GDPR, the UK Data Protection Act which is all mirror copies…the UK Data Protection Act, and GDPR are basically mirror copies of each other. A cookie policy helps explain to users the cookies you put on to their browsers when they’re visiting your website and how they can control that level of access. And a fun fact for everyone listening, on Wednesday, April 6th, so one week from today, we are officially launching our cookie consent solution, as well as our cookie policy.

David: Yes.

Hans: Yes, I know…

David: Thank you.

Hans: I can’t wait.

Trisha: That was one of my questions.

Hans: That was good, yeah.

Trisha: Still have a follow-up but that was part of it.

Hans: Yeah, is your follow-up “Why didn’t you do this in February when you promised it?”

Trisha: Yeah. No, no, no. You said April 6th?

Hans: Yeah, one week from today.

Trisha: Okay. I do have another follow-up but…

David: Go ahead.

Hans: Yeah, yeah, please.

Trisha: I wanna make sure you’re finished with that.

Hans: Yeah, I think I got it out. Yep.

Trisha: Okay, so my one question was about cookies which you’ve answered, the other part actually has to do with like Terms of Service. So with all this stuff that came out recently with reviews and FTC, there are review Terms of Service that are now highly recommended. Do you all have something like that?

Hans: So reviews, specifically, will be added to our terms of service 2.0, which is our next sprint after launching the cookie consent solution. With that being said, right now, what’s already in the terms of service questionnaire is limiting people’s right on what they can and cannot post. So that can help control that by saying, “You know, you’re not allowed to post anything that’s infringing on someone’s intellectual property, abusive of children, exploitive, sexually explicit…” And there’s like, 50…no, not 50 there’s like a dozen things that we. You know, before I married Donata, I used to say…I would just say yeah, and there’s like 50 other things, but now I’m like, no, no, there’s a dozen [inaudible 00:32:52].

David: There are several.

Hans: I think so differently these days, but yeah, it’s about a dozen.

Trisha: Well, I may…before that comes up, I might follow up with an email because I do have some different questions about repeat Terms of Service.

Hans: Yeah, I know your business, obviously, because I don’t know we’ve sponsored trade shows together and stuff. But yeah, shoot me an email… You know, for anyone listening, every Termageddon license can be customized, you can add additional paragraphs. And, you know, so long as you’re willing to accept this isn’t legal advice, we might be able to give you like a…for your review thing we might be able to give you… We might be able to write a blog post being like, “Hey, you can add this between now and when we launch that terms of service 2.0,” so.

Trisha: Yeah. Okay.

David: Sweet.

Hans: But yeah, what’s currently in there does limit that liability significantly. I mean, it cuts the legs out from under it, but those new decisions will be added.

Trisha: Yeah. Okay. Yeah, I did a webinar last month or this month. Anyway, on the whole review stuff with the FTC, they just kind of…FTC is cracking down. If it’s not one thing it’s another with these laws and the guidelines cracking down on businesses. I don’t know how you keep up with them.

Hans: We’re also seeing it in the E.U. Right now they’re rethinking consumer protection laws, you know. And that’s actually a large reason why we haven’t launched in the EU because we’re just like, “All right, let’s wait till they finalize that and then we’ll launch into those countries.” But they just keep changing it and changing and changing, it’s just like America we just have to launch and just constantly change the interpretation or the adaptations to their changes.

So yeah, it’s a moving target. It does move pretty quick so… But privacy, in particular, is what’s changing all the time. I mean, it’s… January 1st, we have two privacy laws that go into effect…three, excuse me, CPRA, which is replacing CCPA, Colorado’s privacy law, and Virginia’s privacy law. And then nine months later, we have pulled back and then now we have…four months later, we have Utah. So that’s really where we see most changes but regardless, you’re right, changes to terms still happen too.

David: So let me clarify that. Termageddon doesn’t support Europe, is that correct?

Hans: So we are compatible with businesses in Ireland and the UK. But we don’t offer additional languages so we haven’t deployed in additional EU countries. So although we provide GDPR disclosures…in fact, Donata teaches GDPR at the American Bar Association and the Illinois State Bar Association, for the record. But we make all those disclosures…we have all those disclosures in place, but it is the fact that we don’t have German, for example, which is why we haven’t launched Germany. So like, technically, we could launch Germany today but we just, out of respect, we wanna have language supporting policies for the native languages of those countries.

David: So someone using Termageddon could be confident to be reasonably protected if they got traffic from the European Union.

Hans: Yeah. Oh, yeah. Yeah, we’ve been covering GDPR since the day we were founded.

David: Yeah, that’s the clarification like… I was oh, yeah, oh.

Hans: I gotta be careful with how I word it because I think people…you’re not the first to react that way. And I got to word it correctly, which is we make the disclosures because privacy laws protect the people. So we make the disclosures for the people. However, when you go through our questionnaire, you have to say what type of business entity are you. Well, in America, we have LLCs. In Germany, they’re not called LLCs they’re called other things. So that little tidbit is what we have to add just so that German businesses can be adding to us. And I don’t mean just Germany…it’s just my name is Hans, I picked Germany but France, Spain, Italy, Estonia, Lithuania, I mean, the list goes on so.

David: Okay. Is Google Analytics legal?

Hans: Ah, ha, oh. I literally was like, Dave, are we gonna bring this up? And we instantly got into it. So yeah, we’ve [crosstalk 00:36:58].

David: So full exposure, you’re like, “I love Google Analytics.”

Hans: Me too.

David: On every website, I use it every day and it is indispensable. So I asked this question, and I’m gonna duck under my desk with the answer.

Hans: Oh, you might as well start ducking because, yeah, under the EU’s privacy law GDPR, a decision was made by the Austrian data protection authorities that Google Analytics is illegal under GDPR. What’s crazy is, and I don’t think what a lot of people talk about is the fact that it’s not Google’s fault why it’s illegal… Well, I should be careful with my wording there.

What I can say is that the issue that we have with data being transferred from the E.U to America is that it’s not legal because of U.S. surveillance laws. And my wife… I feel like I probably am leaning towards bringing in the big guns to like, really share some articulated opinions on it. But really, what it’s coming down to is that the Australian data protection authorities made the decision that Google Analytics is illegal. The implications are much broader, though, because why it’s illegal basically implies that no U.S. business can have really any operations of any guide in the European Union, because of U.S. surveillance laws.

So Joe Biden recently gave a speech, I think, within the last three or four days with the president of the EU, I believe, stating that they’re making efforts to really value data being transferred between these two parts of the world. And like, don’t get me wrong, I saw that video I was pumped, I was like, good because this needs to be figured out. This is way bigger, in my opinion, than small businesses, this is like, how does the internet work and are we reinventing that right now? Like, because that’s borderline where we’re at.

But I’m happy to see that like speeches are being given talking about the importance of like, being able to still have working websites. Because like, more or less, you can’t, if you think about it too long. But in the same breath, there is no method I’m aware of where transfer data outside of the E.U to the U.S. is compliant right now with GDPR.

So long story short, yes, GDPR is illegal under the EU’s General Data Protection Regulation. We have an article on it discussing it in more detail. Yeah, and I hope it gets figured out because Google Analytics is great, you know, I mean, it’s fantastic. That being said, there are some fantastic privacy alternatives as well though. Usefathom.com, big fan of that company, the people who founded it, and the vision behind their business.

So, usefathom.com is a wonderful privacy-focused alternative to Google Analytics that I would highly recommend anyone check out. Very affordable pricing I think it’s like 50 websites for $8 a month or something like that, up to 50,000 impressions a month or something like that, very affordable pricing. And like, look, if you’re recommending solutions to your client, I do believe we have an ethical obligation to express the knowledge that we have, which is, “Hey, just so you know, this is illegal under the E.U. If you’d like we can use a privacy-focused alternative or you can make the decision to continue using Google Analytics.” And let the business owner decide that one, it would be my recommendation.

David: So if a website…let’s just presume a website that especially does a lot of business in Europe, is the best practice to remove Google Analytics at this juncture? Or is that a decision for the business and their lawyer to discuss?

Hans: It always is a decision for you and your lawyer to discuss, without a doubt, it’s always that. But if you want my opinion, I know that you all listen to me from a privacy perspective so that’s where I come from, as I speak. And so from a privacy perspective, yeah, you have to switch. I mean, it’s that simple. Now, I’m also a former business owner of an agency, I know what it’s like to hear people talk and give those types of advice, like, “Hey, just flip how you run your business.” Bye, and I’m out in 30 minutes, you know. There seems to be a lot of people ignoring this decision, I guess I’ll say that and I get it, it’s stressful, you know. But yeah, from a privacy perspective, yeah, you got to get rid of it.

David: So wouldn’t that like…cookie managers do that automatically for you?

Hans: No. So the issue is that a cookie consent solution helps people consent to putting a cookie on their website and collecting their personal data, they first have to consent. So websites that need to comply with GDPR and other privacy laws for that matter, you need to have someone say, “Yep, you’re allowed to track me” before you track them. That’s a fundamental difference with how we all used to think, which is like yeah, they go to our site, I have a right to track them. No, they come to your website, you should be thankful and then ask them to confirm if you can track them, and only if they ask you, do you put those cookies on?

And the reason why a cookie consent solution is not a solution to this problem is because the moment someone says, “Yeah, no problem, track me on analytics, that’s fine.” You consent, you say yes, and you install that cookie, what you’re doing then is you’re now grabbing that website visitor’s IP address, sharing that data with a third-party, aka Google Analytics. That is the problem because Google Analytics is U.S.-based, therefore because the U.S. surveillance law is being able to tactically see that data, you’ve now crossed the threshold. So hopefully, you all followed me there but that’s where the issue is, it’s like, even if you consent, you’re still sharing the data with a U.S.-based company. And because of U.S. surveillance laws, being able to see that data, you’re not compliant.

David: So the user consenting to allowing you to use Google Analytics does not protect you from the GDPR ruling that recently made Google Analytics illegal.

Hans: Yeah, and it sounds, you know… And I’m trying to think of it like a normal situation, like if I’m a person in Europe and I visit a site and I consent to them tracking me, the odds of me going and then complaining, like, that’s super rude if you were to do that. Like you consent, like, “Oh, I consented,” now I’m complaining to the data protection authorities. Like man, screw you, you know, like, that’s not cool, you consented. But if one person consents and moves on, great, but maybe the next person that comes to your website doesn’t consent, does see that you have Google Analytics and are trying to install it. And then they make a complaint to you, you don’t do anything about it, and then they complain to the data protection authorities and you get in trouble. So that’s what I think could happen.

David: We’re getting close to the end of our hour so I want to make sure that everybody has any questions, feel free to jump in or ask them in the chat. Otherwise, I think I have another one, I just escaped…

Tim: I’ll say something if you don’t mind.

David: Yeah, please.

Tim: Thanks, Hans, for all this, it’d been really informative so far. I appreciate it. I talked to you a couple of years ago probably when I was setting up my account and so I made sure to attend this because you were very helpful. I’m a big fan of Termageddon, it’s a great solution for me. I include it in my hosting plans, my web care plans for clients, one to give me more of a competitive edge. But I don’t want to give them the option, I wanna say, “If you do business with me, your privacy policy is included to the fact that I set it up initially for you and you’re responsible for it blah, blah, blah.” You know, adhering to laws, therefore… And you told me exactly what to do. You told me exactly how I should set that up, go through the initial process myself, and then invite them, the client, the website owner, to manage. And, you know, leave it on them to get any legal approval or advice from there. And it’s worked really well, and clients appreciate it. So I like that a lot. And I’m excited about the cookie consent coming out. I’m wondering if it’s going to look like the one on termageddon.com?

Hans: It is.

Tim: It’s gonna have that similar look, okay.

Hans: Yeah, yep. Good, good. And you will be able to style it. So you can choose like a popover, you can choose like… In fact, I won’t share because I think my alarm bells are going off maybe that won’t be like unappreciated I don’t wanna openly share. But yes, you’ll be able to change the style and formatting and stuff like that, to your liking. And what’s cool about the company we confirmed…well, one, U.S.-based cookie consent solutions are also illegal under GDPR from a recent decision. So that…we really dodged a bullet on that one.

We felt like that was gonna be the case so we decided to partner up rather than build our own, which is a very difficult decision internally, to say the least. We finally made the decision to partner up with an EU-based cookie consent solution, and then a few months later the decision came out that EU-based cookie consent solutions are really the only way to go these days. So happy to say that it is partnered up with Usercentrics, which is the company that bought out Cookiebot, and they are EU based. And they have a WCAG Accessibility 2.1 Certification, I believe, which is great too because I heard in the cookie consent space, accessibility is a big issue so.

Tim: Of the consent tool itself, the accessibility in light of itself.

Hans: Correct. Yep. Exactly. So.

David: All right, Trisha.

Tim: I was gonna… Oh, go ahead. I didn’t know you had a question.

Hans: I got to pay Tim under the table for giving me such a great vote of confidence here, I really…

Tim: Just put that on your website and I don’t know if you wouldn’t mind linking to my website.

Hans: I can throw a do-follow in there, for sure. That’s no problem.

Tim: Yeah. Thanks. [crosstalk 00:47:20] that in writing.

Hans: In reality, if you want one, and you could use a benefit with a link, shoot me an email with an official testimonial. Or if you just like want me to pull from this recording I will and I’ll get it out. It would mean a lot.

Tim: Yeah. No, I’d be happy to put that together in my own words and send that off to you. I’m sure I still have your email address. Just one thing I was gonna ask really quick, I was just curious when you were talking about U.S. surveillance laws, does that really mean that all data traffic is being looked at?

Hans: Watch me disappear in like two days. I am not an expert in U.S. surveillance laws. The way I think it’s going on is like because the U.S. technically could access that data, it is illegal. So I think it’s that you’d need a really big server to be processing everything all the time and scanning everything. I’m not saying it’s not possible, I just don’t know. So yeah, I don’t have a terrible amount of good information, my guess would be the fact that they can access that data at any given time, would be my guess.

Tim: Yeah, makes sense. Thanks.

Trisha: Well, so I need David to help with my question because I don’t remember all of it. We were talking a couple of months back, David, about cookie policies and there was something that you were saying about keeping track or having some kind of list of something to do with the cookies, what was that?

Hans: Provide a list of the cookies and like if they’re marketing or essential or functional, is that…?

David: Well, where are we talking and I did… Hans, this is a clarification point for you, I guess. My understanding is you have to be able to say, if a user comes back later, how they answered the questions about compliance with cookies.

Hans: Yes, so typical cookie well, probably…I shouldn’t say typical… Properly designed cookie consent solutions will have that available right for the user within the browser that they’re visiting the website in. And so upon closing out the cookie consent solution of Usercentrics, what remains is a little fingerprint icon or security icon, you can change the icons. But you can click back into that at any point in time and see the settings that you have and then change them if you would like so that it works like that. Also with Google consent, this integration includes integrating with Google consent mode. So if you do have Google consent mode activated and enabled, you will be able to connect to Usercentrics account to your Google consent mode, to also control it at that level as well, through Tag Manager.

But I think most people don’t enable consent mode because it’s very complex, to say the least. Most people just activate the cookie consent and give users the ability to access their past selections as well as change them in the future. And then always, you know, my opinion when in doubt, just clear all cache for all browsers and all devices. Like, I mean, I use… I don’t know about you all but I use WP Rocket, I think it is, like clearing cache is one of my favorite things to do. Like I feel like it’s like go in the bathroom for a business, you know. For a business website, you clear cache and just feeling great. Like everything’s clean and ready to go. So that is the weirdest analogy I’ve ever done but that is how I feel so.

David: Flush it down the tube.

Hans: Flush it, yeah, it’s gone.

Tim: So you need one of those like sound control machines like a toilet flush to do that.

Hans: Yes, I’ll ask WP Rocket to add that.

David: There you go. Well, we have five minutes left so Hans, I’m gonna let you…

Tim: Looks like Youssef had a question in the chat.

Trisha: Yeah.

David: Well, I’m sorry, Youssef.

Tim: All right.

Youssef: Hey, Hans, it was very insightful. I see that you talked about mostly the U.S. and Canada and Europe. What about the other continents like Africa, Asia, like, how do you comply with their privacy?

Hans: So yeah, there are, I think…gosh, I have a list, I can pull it up but I think there’s like 42 different countries with privacy laws. So we tackle the ones that are…where the country is U.S. speaking as well as the EU. Brazil, for example, has one that made a lot of news wasn’t really, as far as I understand, wasn’t enforced. But yeah, there are lots of privacy laws out there. So we cover the ones that we disclose on our website, Australia, UK Data Protection Act, General Data Protection Regulation, PIPEDA, Quebec, and all the ones in the U.S. However, there are others that some people may need to make disclosures for. The others are for where the country is not English. So we don’t cover those actively currently, but as we launch additional languages, we’ll be addressing those as well.

Youssef: Do you know if there are like some countries who don’t care about these privacy laws and…? Yeah.

Hans: Yeah, so there’s, I think…and I’m sorry, I should have… I don’t look at this number all the time. The number 42 is coming to mind, that there’s 42 countries with privacy laws, and I could be completely wrong with that, I’m sorry. But what that would imply is for the other 19… How many countries are there, 196 or is it 207?

David: That sounds right.

Hans: Oh, so the remainder would be the ones that don’t have them. So I’m now just curious, so 195. Okay. So it’d be like roughly three-fourths. But I would hate for you to see that and then think, “Oh, well, then no countries value this,” because there’s certainly a move to provide privacy rights to more and more people. And I think as time goes on, we will see more and more organizations putting those forward.

Youssef: And is there a place to know if the country has these privacy laws or not?

Hans: Well, if you wanna shoot me an email Hans@termageddon, I’ll just send you my doc, where I can send you links to them all. But the number one place I would recommend is the IPP, the International Association of Privacy Professionals, ipp.org. That’s a group of about 60,000 privacy attorneys and certified information privacy professionals. They go into like… I forget, there’s a handful that are in Arabic and other like languages and even using different, you know, alphabets and stuff like that, too. So the list is extensive, so.

Youssef: Thanks.

Hans: Yeah, no problem.

David: Thank you for asking. All right, well, we’re almost out of time, Hans, so I’m gonna give it to you to tie us up, tell us more about what we need to do with Termageddon.

Hans: Yeah, absolutely. So for any of you who are interested in the program, I know we have some existing partners here, shoot me an email… For the existing partners, shoot me an email, I’ll add an extra free license to your account just as a thank you for joining our call today. And then for anyone who’s new, we have an agency partner program, we give you a free license for life. Assuming your website says that you offer web design services or you’re in the web design or support space, we will give you not one free license which we do normally, we’ll give you two, just as a thank you for listening today.

David: Thank you.

Hans: Yeah, no problem.

Tim: Thanks, Hans.

Hans: Awesome.

David: Well, thank you very much for your time. We hope your privacy lawyer spouse feels better soon.

Hans: Oh, yeah. She really wanted to join today. And for those of you who don’t know, Donata, I talk about her all the time, not only is she my wife, but she’s the real head honcho of this company. She’s the chair of the American Bar Association’s Privacy Committee; she provides guidance to U.S. legislators on how to write privacy laws. So it is a shame she was sick today and wasn’t able to join. Hopefully, I did a B-plus job. I’m not looking for an A but I’m looking for B plus. And yeah…and hopefully we can bring her on for a future discussion.

David: Well, thank you. Thank you everyone, for showing up and listening in, and thank you for the good questions. And we will sign off today and say thanks a lot. We’ll hope to see you at the next fifth Wednesday, which will be June 29th. And we’re gonna bring Dave Braun in to talk to us about hiring virtual assistants from hiremyva.com. So until then, thank you.

Hans: Where can we find more info, David?

David: Where can you find more info? Oh, thank you for [crosstalk 00:56:21].

Tim: Yeah, I’m curious too.

David: Oh, wow. Thanks. Yeah, I hit the softballs here. Thank you. So this is all put together by Curious Ants, which is a way to learn SEO while doing SEO. And we have a weekly meeting that members can participate in, ask their SEO questions. This is the quarterly meeting, everyone can attend and ask questions about a particular topic. So you can follow Curious…go to meetup.com and look for the fifth Wednesday SEO meetup. Or you can go to curiousants.com sign up for a free account and we’ll tell you when the next event is.