Episode 245: Talking Privacy Policies and Terrmageddon


Show Highlights

Rob Cairns talks to Hans and Donata Skillrud about privacy policies and Termageddon.

Show Highlights:

  1. Why privacy policies matter.
  2. GDPR, California and Canada.
  3. Why you must have a privacy policy.
  4. What is Terrmageddon?

Show Notes

Hey everybody, Rob Cairns here.

Today I’m here with Hans and Donata Skillrud of Terrmageddon

How are you both today?

We’re good, we’re good.

Doing well, thank you.

So I thought.

I’d get you on and we talk a little bit about Terrmageddon, privacies and privacy in general.

It’s starting to run its.

I call it its ugly head again.

If he could deal with that.

But before we do, let me get your background story.

How did you kind of get into developing term again and how did you end up into the word press space?

Yeah, absolutely.

So I’m I’m a licensed attorney, and before I kind of got into privacy, I was in private practice so I was helping my clients with contracts I was actually working with.

A lot of agencies for contracts and they were building websites for their clients and they would.

Asked me what they should do for privacy policy and terms.

Service so I started looking into that and I guess I haven’t stopped for the last five years or so.

But you know, I was writing privacy policies in terms of service for my clients and to be honest with you, I found it kind of boring and repetitive like I’d asked them very similar questions I had like 1015 templates.

That I would you know, Frankenstein together.

And I guess this is before most of the privacy laws came into place here, but I thought that the process is very repetitive and I thought, hey, there’s gotta be a way to automate.

Yeah, and in my background I was running a twelve person web design agency.

Full disclosure, we are married.

We’re sitting together.

Hence the same last name.

Yes, yes, but yeah, I was building websites for clients and right before site launch my clients would ask should I have a policy for my website and I had no idea how to answer that I I wouldn’t know.

Because I’m not a, uh, an.

Attorney so they would ask me to copy and paste templates from competitor websites and things like that and that, just never.

All right, so Dan and I got to talking and we built term.

Augustine is an affordable alternative to a privacy attorney, and that’s probably good.

Transitioning to me, saying, you know, Please note anything we share today is for informational purposes only.

Termagants, not legal service provider, and we’re not providing legal services during this podcast.

And and I would agree with that.

I mean, we all know what’s going on in the world.

We’ve got the issues in Europe with GDPR.

We now have the issues in certainly in California, and I think there’s another US state that’s just ruled its head in the last couple weeks.

Uhm, certainly issues in Canada with privacy.

And I think.

The issue is people are being more concerned about not just the policy, but what happens to their data and where does the data go and what happens when their data goes outside of the WordPress ecosystem.

Your thoughts?

Yeah so.

You know you mentioned, like you know, the ugly nightmare of of privacy and whatnot, but when it’s all coming down to it, these laws are intended to protect and regulate the data of people personal information.

So like name your name, your e-mail, your IP address, your phone number, anything that could be used to identify you.

I personally like the idea of people getting a right to their privacy.

I, I think in fact most people do like it, but it is an issue for the people that do have websites because I would imagine most website owners out there are not trying to do anything malicious.

They’re not trying to sell off your data secretly or anything like that.

I think most people are.

They have a website they want to generate some business for themselves.

They want to, you know, send relevant information to their fans and their subscribers and.

And all that.

And it’s just, you know, we’re kind of at the crosshairs of of these people getting privacy rights and then we.

We have an ever increasing number of complex rules and regulations we have to deal with, but I would say like.

All in all.

People are getting a right to their privacy.

I think that’s where something fight that’s worth fighting for.

It’s just that for people with an online presence you you’d have more things you got to do now basically.

And I think I would agree with you.

And then the question becomes, you know before we even dive into policies and what should go in them and what shouldn’t go in them.

The question is, are you better off in the WordPress ecosystem?

Are having all encompass products to keep your information in the dashboard?

For example, one comes to mind.

Is Groundhog for doing e-mail marketing automation?

Or are you better off going to outside third party providers that have their own ecosystems built?

Which one is better from a privacy perspective?

Yeah, that’s a great question.

You know I for e-mail subscriptions in particular that typically means that some server somewhere is triggering that e-mail, which to me suggests that in either of those situations it sounds like data is being shared with a third party to send.

Emails, even if you use, you know like.

Uh mailgun or or something behind the scenes that triggers emails to be sent out to your subscribers.

I would really say that it’s kind of the same thing.

Both of those scenarios are where the the the the website owner is sharing data with third party e-mail sending tools to send emails out to their audience.

Of subscribers, so I don’t think there’s much of a difference privacy wise in that example.

And you know, I will say a lot of people say, well, I don’t share.

Data, but actually sharing data is very common in our space and you gave an excellent example right there in in what privacy laws?

One major part of privacy laws is just explaining to users.

Hey, we share this data to send you emails.

Pretty straightforward stuff, but it just has to be disclosed under, uh.

Under numerous privacy laws actually.

Yeah, and I really would say unless the services that you’re using are self hosted, it really makes no difference as to whether.

Uhm, you install something through the WordPress ecosystem or you go outside of that ecosystem.

You’re still sharing that data.

And sharing is very different than selling, so sharing very common.

You know data gets shared with processors to process payments they get shared with your e-mail inbox.

When someone submits an inquiry on a contact.

Form and you receive their contact data in your third party e-mail system.

So yeah.

I think that helps.

Clarify your thoughts.

Those around the world.

We kind of look up privacy policies and I do and I I looked at Ken and our privacy policies are national.

They’re federally controlled in the US. They’re mostly, and correct me if I’m wrong. State controlled for for a call, right? And then you’ve got the mess over in Europe.

With GDPR and that whole.

Mass I personally think and maybe I’m wrong, that GDPR is really tough for privacy policies out there.

Yeah, that’s true, and I guess GDPR gets a really, really bad rap, but.

When you look.

At what’s happening in the United States, to be honest with you, I would rather deal with GDPR than what’s happening here, so GDPR is 1 privacy law that affects everyone that either does business in the.

EU offer goods or services there or track people from the EU using their web.

Right, so it’s one set of rules that covers the entire EU here in the US we don’t have a lot like that, so we don’t have a federal privacy law unless you’re dealing with protected health information.

The information of children or financial information like financial services.

So we have every single state passing its own privacy law.

To control what businesses need to comply with and the issue with that is that we’re ending up with a lot of different requirements.

So like California and Nevada, Delaware, Connecticut, Utah, Colorado, Virginia, all of those have their own privacy laws.

Uhm, so when you think about it when it comes from like an operational perspective, I would probably rather have one privacy law than than so many that we have here that we need to comply with.

But yeah, GDPR is usually the most stringent requirement, but that doesn’t mean that if you’re following GDPR you’re compliant with all other privacy laws.

So a lot of people.

Think hey, I’m going to get a GDPR compliant privacy policy template and that means I’m covered for.

Yeah, well, that’s actually not true.

So California, for example, requires you to disclose whether you solve personal information and GDPR does not require that disclosure.

So if you’re getting a GDPR template for your privacy policy, you’re not complying with other privacy laws most likely.

Yeah, yeah, that’s so true and it’s the same thing if you’re disclosing for Canada, you need to follow whatever the Canadian regulations are, and I think that’s where the US is getting a little messy is because it’s up to the states before it out. I think he can end up with 52 privacy loss and that to me is.

A bit of an issue.

Exactly, yeah, that’s very hard to manage, and when it comes to policies as well, that’s very hard to manage.

And I think one thing that I want to highlight here Robert, that you said that’s very, very important, is that your policies need to be based on the privacy laws that apply to you.

So each privacy law has its own set of disclosures that it requires and you have to have.

All of those.

Disclosures to be compliant.

So you need to make sure that your privacy policy is based on the laws that apply to you, and the disclosures that those laws require.

Otherwise, it’s not going to be compliant.

Yeah, it’s so true.

I can remember in the in the first early days of GDPR and this going back a couple years there were actually North American big name news sites that would block an IP address of anybody coming in from Europe because frankly they didn’t want to deal with the GDPR.

Also, the privacy laws concerning, so they just set off forget this.

We’ll just park them and be governments.

Yeah, I think that’s mostly gone to the wayside now.

Uhm, you know.

I think that was a a very big reaction at the very beginning, and then people kind of started understanding what the law means and what the requirements are and said hey, instead of, you know, not offering this to a very big portion of the.

World, you know, maybe we’ll just comply with it instead.

Yeah, and the whole teams got in top for the last while because we’ve got even now.

Apple since last November in Apple Mail and Safari blocking certain tracking cookies, right? So now the vendors are all jumping in and Google’s in the process of working on a third party solution.

They get around cookies in Chrome and where where they’re gonna go, and that’s been delayed.

So I mean, we’ve got.

Vendors jumping in the middle of this, which is just making the whole issue even more complex.

As far as I’m concerned.

Absolutely yeah it is an ever moving target and not only is it ever changing because so many entities are involved with their own initiatives.

Privacy, you know privacy wise.

But we have.

You know small businesses that are cut caught in the middle of it and and having to really, really in my opinion, just anyone with collecting information has to have a strategy with regard to keeping their policies up-to-date over time.

It’s just going to change and and and Donato was kind of hinting at it, but.

You know, as time goes on, I think it’s better to have a strategy to embrace privacy rather than try to avoid it, and I think that’s that’s what we believe is the future, and that’s why we’re running.

Term gun yeah.

And unfortunately, there’s just no way to run away to run away from it anymore, right?

No, it’s so true, and as an end user, you know I think part of the problem is people understanding and.

In the marketing world, we like to use words like free and dumb.

No cost doesn’t come rattle off to tongue as well and what people need to understand from a privacy perspective the minute they.

Say I want that free offer.

Really it’s not totally free.

You’re giving up the cost to your e-mail address to get that free offer and and people need to get off and realize that.

It’s so different than walking into a store with a loyalty card that says if you spend so much, they give you a discount on your next purchase.

Well, you’re giving up your data on what you’re buying when you’re buying how you’re buying and how much to get that discount.

I that’s so spot on Robert.

Yeah, I I completely agree.

I think we’re exiting the free stage and understanding that free isn’t actually free.

You’re exchanging something for free.

Yeah, I actually have a great example on this one.

I was at a craft store yesterday and I I won’t.

To name names here, but they asked me, you know, my loyalty member and I said no and they said, hey, do you want to give us your phone number to sign up and I said no and then they continued pestering me until I said I don’t want my data to be sold and they’re like no, we don’t sell data.

So of course, being a privacy lawyer, I went onto their privacy policy and pointed.

Out exactly where they said that that date.

They sold so you know they they try to sometimes make these incentives for consumers and even providing false claims of not selling data, when in reality a privacy policy discloses that they do solid.

So it is useful for consumers too.

Yeah, and.

Oh, go ahead.

OK, I’ll go.

Uhm, you know I personally.

Enjoy I personally appreciate.

The part of privacy laws in particular that are all about forcing businesses to disclose if they sell information sharing.

It’s you know, that’s great.

I think it’s good to disclose that of course, but selling information in particular is what I personally as a consumer unrelated term.

I gotten as a consumer.

I like to know that.

You know, hey, if I’m submitting my data here, is that data going to be?

You know popped into a bucket of other people data and then sold off to the highest bidder and.

Yeah, next thing you know you’re getting calls about your cars extended warranty.

Exactly exactly, and that’s the stuff I personally think that’s really icky.

And and if it if you, if that is your business model, fine, but you need to be transparent about that fact.

Yeah, I’ll, I’ll share with you.

One of the tricks I do when I sign up for stuff that’s not legal.

I changed my middle initial and then I I know exactly where the data came from when the offers came from.

Wow, nice, I like that.

So that is.

That’s clever.

There are ways to just determine what you’re doing and what you’re not doing, so let’s jump into there’s two parts.

There’s a a privacy policy and then typically on websites we put a terms of service.

Terms term again and handles both.

What’s the components of a good privacy policy?

Yeah, so when it comes to a good privacy policy it has to have a variety of different disclosures.

So first.

And foremost, whatever, if you’re using a generator or if you’re using an attorney regardless of the route that you go, you need to figure out what privacy laws apply to you and.

Then the policy needs.

To be based around the disclosures required by those laws.

So each privacy policy is really different, but that’s the first factor, making sure it’s based on the.

Privacy laws that apply.

To you and the second factor is making sure that it’s based on your actual business and privacy practices.

So for example, if your privacy policy says we don’t, we don’t share your data with anyone, and it turns out that you’re actually sharing data with e-mail marketing providers.

Things like that.

That policy is not compliant then, so you need to make sure that it’s.

Actually, based on your business practices.

As well, but in reality the point of the privacy policy is to communicate to consumers what data you collect, which you do with that data and who you share it with in addition to other disclosures, like what privacy rights you provide and to who and how consumers can exercise those rights.

And and there’s some really good points, and I and I think I would encourage everybody.

Honestly, to read privacy policies on websites, especially if you’re doing any e-commerce or giving up an e-mail address because the common thing I hear all the time and having been in its tech space for 30 years.

I didn’t bother to read the privacy policy.

I didn’t bother to read the license agreement.

I didn’t bother to read this because I didn’t want to, and I think that’s a bit of an issue too.

I think end users need to honestly take their time and find out what’s going on.

Yeah, and I think US lawyers are partially to blame for that to come.

So I read privacy policies as well because it’s part of my job and you know a lot of them are structured in ways that are really confusing, like at the beginning it says we don’t sell your data, but when it comes to California privacy law disclosures, all of a sudden they do sell data.

You know, or it’s very repetitive, or it’s you know set up in a very confusing way where the information that you need is scattered throughout the entire thing.

So I think most lawyers are partially to blame for the fact that a lot of consumers don’t read their policies.

But yeah, that’s that’s definitely great advice to make sure that you’re aware of what’s actually being done with your information after you share it with a company.

And many websites, and I know you’re.

Service provides that is a terms of service page.

So what’s the difference between the terms of service page and the privacy policy and how should that be implemented?

Yeah, so the privacy policy explains your privacy practices and the terms of service provides the rules of using your website.

So basically, the things that can and cannot be done on the website, the terms of service.

If you’re if you have an ecommerce website will often include disclosures about like returns, refunds, cancellations.

Shipping automatic subscriptions.

Things like that.

It will also help you limit your liability and limit your damages in case something goes wrong on a website.

So for example, if you have links to third party websites and somebody clicks on that link and gets a virus, it can help protect you from that.

It can also help you determine where you would like to resolve disputes so that you don’t have to travel to resolve disputes, and it can help you protect your intellectual property and potentially help you protect from copyright infringement claims.

So in terms of service is a great way to kind of keep control of your website and tell users what the rules.

Our two using that website.

That that’s really well explained.

Before we move on is going to share with Boothia a really interesting hack from a marketing standpoint, and which I don’t know if you know where you don’t know.

But many marketers do landing pages where they’ll run, say Google AD 2 there’s actually an old hack that if the other people are unfamiliar with it, if you put the privacy policy terms of service in their contact links in the footer of the landing page, it actually increases your Google ads.

Score and drops the costs that you pay in auction for Google ads isn’t that interesting.

Yeah, that’s that’s great and I think that kind of illustrates the fact that privacy is starting to become a competitive advantage to companies, right?

If we’re not just doing this to avoid fines and to avoid lawsuits, but we’re doing this to, you know, help us with our ad conversions.

Help us with the number of people.

That actually opened our newsletter because they’re the people who wanted it instead of getting it just randomly, right?

And there’s been quite a few studies showing that.

Consumers are looking for this stuff now and they’re expecting companies to have it, and they’re willing to switch companies if those companies don’t care about their privacy.

So it can definitely be a competitive advantage as well.

No one you mentioned newsletters, one of the things I’m really surprised that is they haven’t rolled the newsletter rules for most countries right into the privacy policies themselves.

I mean, I know in Canada we have very strict privacy policy rules and then we have very strict newsletter rules, but they’ve kept them separate.

And it would almost make sense to roll them into one in my opinion.

I think I agree with that because getting newsletters that are unsolicited as part of, you know, privacy violations or you know, getting newsletters without your consent.

Things like that.

So I totally agree that they should be rolled.

Together into one.

Well, when you think about it like for the companies that buy sold data and then you start soliciting them.

And then the conversion rates they’re looking for probably is like hoping that one in 1000 people actually like.

Look at it.

You know, maybe even it might be one in 10,000, so it’s spammy by almost by definition, like it’s it’s spammy and consumers are smarter than that. You know, when e-mail first got invented.

Like, yeah, OK, I could see why people probably just opened things and like clicked and maybe got, you know hacked or whatever.

But nowadays like I think.

You know, obviously spammers get smarter and smarter too, but I would say for the as time goes on, consumers are going to be smarter about their own data and their own understanding of what happens when I submit my data somewhere, what’s going to happen next?

You know it’s so true.

Like in Canada we have a newsletter that governs newsletters, called the Castle Run.

That’s right.

One of the things Castle explicitly says is the only way you can be on a newsletter is 8.

You bought a product till you opt.

Be you opted in explicitly or see it’s politically related to IE, a political party or somebody running for political office.

That’s it.

So the problem with buying lists is you haven’t opted into any of those, so technically.

Using the emails off those lists is technically illegal, and as a result you can be fined for doing such.

Exactly exactly, and I think you know higher enforcement of those laws would stop those practices as well.

No, I would agree. We’ve seen some big funds up here, finds up here denado in the terms of a couple $1,000,000.

So we’ve already seen those fines Inc.

And then it seems that most people are behaving, I would say, but not everybody.

And part of the problem with this whole privacy thing is I don’t think.

The lawmakers in Canada and the US really understand big tech, and so they’re trying to.

Govern laws instead, without educating themselves, and that’s a big of an issue as well.

Yeah, exactly, I think that there’s a lot of privacy laws as well that sound great on paper, but when it comes to actually putting them into practice, it becomes a disaster.

Like for example, the California Consumer Privacy Act and its definition of sales of data, right?

The definition is so broad that potentially the use of like Google Analytics or ads could be considered a sale, but that’s not how consumers view selling data.

Consumers view selling data as I take your data.

And I sell it to someone and they gave me $500 or something like that. So those disclosures and privacy policies for California privacy law actually are very, very confusing to consume.

Money, yeah.

Members and potentially detrimental to businesses just because of that one definition.

In the law.

But that law was written in in about 7 days, so I guess we can’t blame them too much because they had they chose to take so little time on and actually making sure that it was proper.

When Canada’s privacy law pipeda applies to a business.

The moment they collect one piece of personal information from a Canadian which you know that that kind of helps explain the broad reaching nature of privacy laws.

Obviously CPE is is, you know, certain business thresholds force you into having to comply with that law, but many I would almost say maybe most are just the moment you start collecting personal information from one person from that state or country or territory.

So true, now let’s jump into your product Armageddon?

UM, it’s been a couple years, I think since he developed it, if not longer.

She want to kind of walk through the process.

How you developed a product and and why?

Yeah, so six years ago we had the idea and we got going with it.

It was kind of a back burner project.

We called it termagant in thinking that it wouldn’t be what it is today.

But we’re very happy that people have been receptive to a, you know, silly name yet serious product. So you know our solution is it’s $99 a year.

You go through a series of questions to figure out what laws and disclosures you need or what laws you need to make disclose.

There’s four and then we ask you the questions under required under those particular laws, so you can generate a set of policies for a business and and what’s cool about our technology is that you know, not only do you generate your policies, but you actually generate an embed code for each policy and that embed code is.

What gets copied and pasted into the body of your policy pages, and that’s what allows us to term again into control what that copy says.

So when new laws go into effect, we can notify our customer and then you know, say, hey, we’re going to push these updates to your website and then we push them automatically.

Uhm, so termagant is not only.

A way to get.

Policy comprehensive policies today, but it’s also a strategy to keep your policies up-to-date over time.

And then how we got going, you know?

I mean, well.

We wrote out our.

User flows, I wrote out all my frustrations.

There’s a web designer and what technologies currently existed in the market?

And we fundamentally built term and gotten to be client friendly agency friendly and lawyer friendly.

You know, we we have.

I think thousands of law firms using us now don’t quote me on that.

I’m pretty sure we do.

And it’s been well received by the market in in all three of those sectors, which has been awesome.

And and yeah, you know we.

We also know our job, which is to monitor this monitor this stuff and keep our customers up to date.

Yeah, and what what would you say your user bases do if you don’t mind sharing?

We have

We’re in the 10s of thousands of users at the time.

Of this recording.

That’s really, that’s really great hands, and I can tell you, having implemented the policy, and if I’d learned to.

Read a little bit.

It’s it’s really not that difficult.

It takes like literally minutes and.

And the embed code makes it so easy because all you do is take the embed codes and drop it into the website.

That’s done so that.

Well, I’m I’m happy to hear you say that you know with you being a Canadian web agency, I am assuming you probably had to make pipeda disclosures, which is Canada’s privacy law, which is actually a very extensive privacy law that I don’t think gets enough credit as much as GDPR does. Pipette as intense as well, so I’d imagine you probably went through quite a few questions.

I did.

Through your questionnaire and I’m I’m really happy to hear that you did take the time to read through it and understand what it’s saying and everything.

And you know, do not have put a lot of effort in trying to make it as readable as Poss.

Possible and you know you do have some goals to even make it more readable.

Do you want to talk about that?

Yeah, so I mean with privacy laws being passed that require easy readability for policies.

That’s definitely something that we focus on to make sure that they they are readable to the average consumer.

So it’s just a constant, you know, a constant focus.

Yeah, and I think it’s using the right language, so the average consumer understands the language instead of.

What I call high level lawyer legalese where you need five lawyers to interpret it right?

That’s right, yeah, exactly.

And that’s really the goal too.

No, and it it’s so easy. I mean, I think, uh, you know it. You’re saying at $99 a year, I think that’s really important for somebody to spend that money to protect their business because people spend money in business on things they shouldn’t. And then they don’t spend the money on things.

They should, and these are one of the things I think they should spend the money on personally.

Yeah, yeah, I think so as well.

You know, if you can afford to hire an attorney to draft your policies and monitor privacy laws and keep them up to date over time, that’s the route to go.

You know, we’ll always say that a term.

Again, nothing beats hiring an.

Attorney to do all this stuff for.

You, it’s just most people don’t have 1020 grand a year laying around for.

Such a service, so we’re honored and happy that we have so many people.

You know, leveraging our technology to help them work towards compliance.

It’s it’s.

It’s it’s awesome.

It’s great.

So what’s next for term again down the road?

So we got a lot of big plans, but we are looking to expanding into more countries and and for the countries we service offering more policies.

We have some big UI improvements that we’re going to be making into the tool just based on our customer feedback and everything like that.

We’re going to start having employees soon.

Which is really exciting.

Yeah, and we’re going to continue to strive to be the most comprehensive generator in the world.

Yeah, and of course making all the updates for the new privacy laws for next year, which is Quebec, Virginia, Colorado, Connecticut and Utah.

Yeah, there’s five.

Yeah, so definitely keep an eye.

Out on those.

What I’ll tell you denado is Quebec it it’s really funny you you start reading contest regulations and stuff and having grown up in Quebec and you turn it over and they say oh by the way, here’s all the Quebec exceptions and it’s like that with everything in this country, Quebec and from the exception to every role under the sun.

It’s quite.

Quebec sounds like the California of Canada.

My favorite part about Quebec is that, like for the first, like two months after the privacy law passed, the government, just like refused to upload the text of the law.

So we had to grow like underground to scrounge around for translation of this thing, which was kind of funny.

Me and a bunch of privacy professionals got together.

And like somehow, we got our copies from somewhere, which is awesome, but the government took a minute to get that uploaded for sure.

Yeah, existing ongoing issue and an ongoing joke.

I hate to say so.

Thanks for jumping on Boothia and sharing a little bit about term again.

And if somebody wants gets a product reach out to either one of you.

How’s the best way?

Yes, so I’m https://termageddon.com/

 You can click the purple register button to get started.

And yeah, of course, if anyone ever has any questions you know we do have a web design program.

With both reseller and affiliate options, if you do offer websites to clients, I I I would ask you to check out the agency partner’s page.

And if you’re a business or contracts attorney, I would love for you to check out the law firm partners page.

But if you’re a direct customer, you can get signed up for 99 bucks a year and move on, and you can always e-mail us if you have any questions. So Hans@termageddon.com and Donata@termageddon.com

Thank you for having us.

 

 


Similar Posts