
#140 – Donata Stroink-Skillrud on Privacy Policies and Legal Obligations for Businesses

Transcript
[00:00:00] Nathan Wrigley: Welcome to the Jukebox podcast from WP Tavern. My name is Nathan Wrigley.

Jukebox is a podcast which is dedicated to all things WordPress. The people, the events, the plugins, the blocks, the themes, and in this case, privacy policies and legal obligations for businesses.

If you’d like to subscribe to the podcast, you can do that by searching for WP Tavern in your podcast player of choice, or by going to wptavern.com/feed/podcast. And you can copy that URL into most podcast players. If you have a topic that you’d like us to feature on the podcast, I’m keen to hear from you and hopefully get you, or your idea, featured on the show. Head to wptavern.com/contact/jukebox and use the form there.

So on the podcast today, we have Donata Stroink-Skillrud. Donata is an attorney licensed in Illinois and a certified information privacy professional. She’s the president and legal engineer of Termageddon, a SaaS that generates website policies and helps keep them up to date with changing legislation. Donata is also a fellow of the American Bar Foundation, Chair of the American Bar Association’s e-Privacy Committee and Program Committee, member of the American Bar Association Cyber Legal Task Force, and the American Bar Association’s representative to the United Nations.

Donata will take us through the ever-changing topic of privacy laws, highlighting the challenges posed to businesses to comply with a myriad of regulations. She talks about the global trend of updating privacy laws to keep up with rapid technological advancements, and new capabilities.

We touch upon the significant moral and legal responsibilities tied to user data management. Donata stresses the importance of privacy by design, which integrates privacy measures from the start to the end of a project life cycle.

She shares real life examples of common pitfalls, such as misleading cookie banners, and offers best practices for embedding privacy in web development.

Donata explains the importance of including disclaimers in contracts to mitigate legal liabilities, and provides actionable resources, including her own website policies waiver, which helps website builders navigate the complexities of legal compliance.

We also discuss the landscape of international laws’ applicability, the high cost of specialized legal compliance, and how you need to be mindful of what’s coming in the next few years.

If you’re keen to find out more about the current legal landscape, or just want some more knowledge to ensure your projects are legally sound and ethically responsible, this episode is for you.

If you’re interested in finding out more, you can find all of the links in the show notes by heading to wptavern.com/podcast, where you’ll find all the other episodes as well.

And so without further delay, I bring you Donata Stroink-Skillrud.

I am joined on the podcast by Donata Stroink-Skillrud. How are you doing Donata?

[00:03:38] Donata Stroink-Skillrud: Doing great. Thank you so much for having me.

[00:03:39] Nathan Wrigley: You’re very welcome. Donata is joining me in Oregon, we’re at WordCamp US. And, Donata, I’m guessing you haven’t done your presentation yet, because nobody’s done a presentation yet. Are you feeling confident? Is this something you do regularly?

[00:03:51] Donata Stroink-Skillrud: It is something that I do on a regular basis. I am a textbook over preparer so I have 80 slides, and only 45 minutes to go through all of them. So I’m a little nervous about that. But I had my slides ready like two months ago, I’ve just been reviewing them over and over again, so hopefully I’ll do okay.

[00:04:09] Nathan Wrigley: Better to be prepared than not prepared.

[00:04:11] Donata Stroink-Skillrud: I’m always over prepared, and then it just ends up, I don’t go through like half the things that I need to talk about, so we’ll see.

[00:04:17] Nathan Wrigley: Well, you’re a lawyer, over-prepared, I guess, in that profession is good. So, okay, that introduces us to the bio. So you’re on the podcast today, and we’re going to be talking about the legal side of WordPress, and the web industry, and what have you.

Do you want to just give us your little potted bio? I know that you sent one to me, I don’t know how much of that you want to use. But tell us just a little bit about your background, especially on the law side of things, because I feel that’s where we need to know that you’ve got the chops to talk about what we’re talking about.

[00:04:43] Donata Stroink-Skillrud: Yeah, absolutely. So to start on the law side, I’m not providing legal advice on this podcast. So if you are looking for that, I would recommend talking to a lawyer in your area. But I am an attorney licensed in Illinois, and a certified information privacy professional. I’m also the president and legal engineer behind Termageddon, which has generated tens of thousands of privacy policies, and kept them up to date with changing laws.

Outside of that job, I’m a fellow at the American Bar Foundation. At the American Bar Association, I’m the chair of the e-Privacy Committee, member of the Cybersecurity Legal Task Force, and also member of the Science and Technology Council, and I’m actually the new ABA representative to the United Nations.

[00:05:23] Nathan Wrigley: Okay, so you are the real deal basically. You’ve got all of the chops, so that’s really nice to hear.

So your presentation, when it’s finally done, is called Building WordPress Websites with Privacy by Data in Mind, and Privacy by Data is encapsulated in quotes. This feels like it was a really big trend a few years ago. Everybody seemed to be concerned about privacy, and then it kind of seems like it went off the boil a little bit. And I’m presuming that you are saying, no, no, no, this is still something that’s very important.

Where are we at with privacy? What’s the state of play? I don’t know if you can encapsulate that in just a few short sentences.

[00:05:58] Donata Stroink-Skillrud: So I think when it comes to privacy, we’re kind of the frogs that are boiling in the water now. So, you know, you had GDPR that came out, and everybody was really excited about that, and that was huge. And that’s continuing, in the sense that there are dozens and dozens of fines issued every month, for privacy violations under GDPR. So if you want to check that out, that’s under enforcementtracker.com. And it’s anywhere from Facebook to a person who doesn’t even have a business that’s been fined.

In the US it’s a little bit different, in the sense that we have this kind of hodgepodge of laws. So each state is proposing and passing its own law, because we do have federal laws for healthcare data, or children’s data, but not for things that are usually collected by websites, like names, and emails and stuff.

But what’s really interesting, the newest trend in the United States that we’ve seen in the last few months is adapting really old privacy laws. So for example, the California Invasion of Privacy Act, 30-year-old privacy law, was meant to protect Californians from eavesdropping on landline phone calls, but it’s adapted to websites. So every day there’s over a dozen lawsuits filed in California for websites that use tools like IP intelligence tools, Facebook pixel, things like that, without consent from a California user.

Very similar, under the Video Privacy Protection Act, which is a federal law, it was meant to protect people’s video rental histories. So from places like Blockbuster, you couldn’t share what videos you rented from Blockbuster with a third party. Well, that’s been adapted to websites as well. So if you have a website that has a YouTube video, for example, and Meta pixel is tracking who watched that video, and you’re showing them ads, and you didn’t get consent for that pixel, you could actually get sued for that.

So we’re seeing so many lawsuits in the United States right now. It’s really, really crazy. And we’re also seeing a lot of states taking enforcement more seriously. Texas Privacy Law just went into effect. They formed an entire team within the Attorney General’s office, to enforce that law. And they’re actually going after companies, and sending letters for non-compliance. So I think in the United States, privacy’s really, really hitting up right now.

[00:08:08] Nathan Wrigley: Is this generally kind of ambulance chasing litigation? Is it people going out and finding problems in order to sue, or is it more that people have been harmed, and so they’ve progressed some kind of legal case because, I don’t know, some of their data has escaped and they’ve been harmed by it? Maybe there’s not a perfect answer to that, but it always feels like the ambulance chasing component is part of it.

[00:08:29] Donata Stroink-Skillrud: So it really depends on the country. So for example, like in the European Union, we see these privacy fines being issued when there’s actual harm. So a great example is a company got sued because they were calling somebody that was on a do not call list. The person said, I don’t want this, they got 30 more phone calls over the span of a week. And they kept on saying, I don’t want this, I don’t want this, please take me off your list, and they continued calling them. So they complained to the data protection authority. You know, that seems a lot more like a harm.

In the United States, especially with the California Invasion of Privacy Act, it started off with healthcare websites. So if I go on a healthcare website, and I input my data, and that data is shared with Facebook, lawsuits started off that way, which is much more of a harm approach.

But now they’re suing anyone. So they have some type of list where, here’s businesses that have the Meta pixel, for example, and they just go down that list. And they have a California individual who clicks on that website, they get tracked, boom, here’s a lawsuit.

So we’re seeing a lot of really small businesses getting caught up with this, you know, people selling coaching services. I know of somebody who was selling patches for people who are veterans, and they got sued. They’re like, we’re a tiny business, how are we getting sued $60,000 for having a Meta pixel on our site? So here in the US it seems a lot more like ambulance chasing for sure.

[00:09:51] Nathan Wrigley: I guess at the bottom of it all though is a moral position. If you’re surrendering data, and you haven’t authorised somebody to, I don’t know, use that data, sell that data, move that data on, there is a moral obligation for the person who’s running this website to do the right thing by that person’s data.

And it’s often framed as ambulance chasing, but I guess unless there’s a bit of a carrot and stick approach where, you know, for a period of time there’s ambulance chasers, nothing would change. People would abuse the sharing of data. So maybe that’s the period that we’re in. I can’t remember how you described it at the beginning. You used the phrase which kind of.

[00:10:25] Donata Stroink-Skillrud: Frogs boiling in water.

[00:10:26] Nathan Wrigley: Right, okay. So it’s that moment in time, but that’s just the lay of the land now. And it does feel like, across the pond, where I live in Europe, things are sort of skewed slightly differently. Maybe there’s less of the ambulance chasing. But as I say, right at the bottom of it all is, well, some sort of moral compulsion to do the right thing by your data. And if the law is how that needs to be enforced, then that’s how it needs to be enforced.

It does feel though, like you said, that it’s kind of gone off the, well, boil, for want of a better word, with the frog analogy. But maybe you are here to tell us that that’s a little bit different.

Firstly, there is no one size fits all. If we’re in Europe, it would be on a country by country basis. If you’re in the US, it would be on a state by state basis. From the WordPress perspective, let’s take the example of somebody that’s just got a vanilla version of WordPress. So they’ve got no forms on there, it’s just downloaded directly from the internet, they’ve got a five page brochure website. Does anything inside a vanilla version of WordPress raise any kind of privacy flags?

[00:11:25] Donata Stroink-Skillrud: I really think it depends, right? Because some people do just have a pure brochure website, there’s no forms, there’s nothing else, and privacy really starts becoming an issue when you’re collecting personal data. So names, emails, phone numbers, IP addresses, device identifiers, things like that. But I think for anybody that’s running a business, right? Like if I create a personal recipe website that I just use with my husband, which we do have, you know, it’s not a big deal because it’s just a personal use type of situation.

But if you’re running a business, you’re almost always installing other tools. You’re installing Google Analytics, you’re installing Google Fonts, you’re installing Recaptcha, you know, you’re having these forms, you’re linking to other websites. That’s when privacy can really become an issue. So it does depend individually on your setup, but as long as your site is collecting data, either on the front end or the back end, that’s when you need to be aware of these things.

[00:12:21] Nathan Wrigley: And when you say collecting data, it’s not just that there are form fields to be filled out on the front, the mere presence of, like you said, a Google Font, that was a sort of famous thing in the European Union, where the font I think was stored in the US, the file that that was taken from was in the US, and I think it was in Germany, the website, and somebody got prosecuted for that. But there’s nothing to fill in. It’s just, there’s something on the backend, Google Analytics, whatever it may be. So you do need to be mindful of this. You do need to think about it.

[00:12:48] Donata Stroink-Skillrud: Absolutely. And I think the one thing that we’re seeing as a trend right now is, especially with web designers, is starting to become more aware of these things, looking at alternatives, right? So for Google Fonts, it’s non-compliant with GDPR, because of that court decision, we can just host it locally. So you don’t have to get consent because it doesn’t track people, it doesn’t collect data, it doesn’t place cookies, right? So that’s a great alternative.

But for other things like a contact form, there’s not really an alternative. You’re going to have to collect data as a business owner, and there’s nothing wrong with that inherently, you just have to follow certain rules.

[00:13:21] Nathan Wrigley: Let’s say with the contact form example, is it that you are collecting that data, and it’s being stored in a database? Is that where the problem arises, or is it the fact that that data at some point touched your infrastructure? So, as an example, let’s say I set up a contact form, and all it’s getting is, I don’t know, name, email, and message fields. But I have a plugin, and I’ve utilised the feature in that plugin to immediately expunge the database once the form’s been sent. So I receive the form, the form is processed on the backend, but immediately deleted, but I’ve got an email with that data in it. Is my website compliant because of that, or the fact that it’s sending data, does that make me non-compliant?

[00:13:57] Donata Stroink-Skillrud: So it’s both. It’s the fact that that data’s been collected, even if it’s deleted immediately, as well as it’s been shared with your email service provider, and you’re storing it in your email as well. And that doesn’t necessarily mean that you’re non-compliant, it just means that you have to get compliant. You know what I mean? So you do have to do certain things, like obtain consent for the collection of that data, use it responsibly, provide a privacy policy, all of those types of things.

[00:14:22] Nathan Wrigley: If I was going through anything in life that required legal thought processes, I wouldn’t assume that I could do it myself. I’d work on the basis that I need to hire a professional. I don’t know, I’m moving house and I need, we call them conveyancers, which is a particular kind of lawyer that deals with moving of property, and all of the titles and deeds that go with that. I wouldn’t think I can do that myself.

And yet we’re in an industry where I’m assuming most people who build websites, probably a lot of the listeners to this, won’t be making those judgements. They might not be contacting lawyers. Is that potentially a move which you shouldn’t be making? Should you be consulting lawyers on this for each and every website? Because it kind of feels that that in itself might put you out of business because of the cost of hiring lawyers. So I don’t know what your thoughts are on that.

[00:15:05] Donata Stroink-Skillrud: Yeah, so I think it is a dangerous idea, right? It’s one of those things where, you know, I own a house, and I know that there’s certain things I can do in that house, like I can rewire my thermostat. But I know I can’t rewire the entire electricity, because my house is going to burn down, because I have no idea what I’m doing, right? I think when it comes to web designers, there are a couple things that you should be aware of.

So first of all, if you’re the one that’s providing the policy to the client, so let’s say your client’s like, hey, I need a privacy policy, and you’re like, oh no problem, I’ll give you a template, or I’m going to write it for you. You’re assuming that liability now.

[00:15:39] Nathan Wrigley: Oh, the mere suggestion of, I’ll pass on a template for you, I as a web developer, as a web designer, that’s now on me.

[00:15:47] Donata Stroink-Skillrud: Yeah exactly, because you’re the one that provided this template to them. And the issue there is that you’re probably not going to get paid enough for that website to cover the cost of non-compliance. So with privacy, you know, there’s lawsuits starting at $30,000, there’s fines starting at $2,500 per violation. So per violation means per website visitor. So let’s say I have 100 website visitors from California, and I don’t have a compliant privacy policy, that’s 2,500 times 100, that’s how my fine would be calculated. You’re not getting paid enough for that website to justify that kind of cost in taking on this type of liability.

So I think as web designers, we do have to tell people, hey, I built this website for you, it’s collecting data, I’m not a lawyer, but I do know that there are some legal things that could come up with this. There are some issues that could happen with this. You should talk to a lawyer, or you should use another tool to get compliant.

You give them that recommendation because a lot of clients just may not know that, right? They’re not tech savvy, or they don’t know any of this because they’re not in this industry. And you tell them that, and then it’s the client’s responsibility.

Same thing with your contracts. Make sure your contracts don’t say, agency will be responsible for making sure that the website is compliant with all applicable laws, rules, and regulations. And if that sounds like a quote, it is, because there are a lot of templates out there that say that. Make sure your contract doesn’t say that, and make sure your client understands that’s not your responsibility, that’s their responsibility.

[00:17:16] Nathan Wrigley: So if I have a contract with a client, they’ve come to me, I’ve built their website, I’ve handed it over, does ignorance count in any way, or do I need to explicitly put in writing, I have said to you, you need legal advice, now go and find it? Are there templates for that, dare I ask? Or is the mere templating of that sentence itself going to put me in hot water? In other words, is there a way that I can offhand this sensibly, in a repeatable fashion, where I can, I don’t know, just copy a document over to the client? Can that be done? Can I expunge the responsibility from myself fairly easily?

[00:17:50] Donata Stroink-Skillrud: Yeah, you can. So the first step would be to have that in your contract so, you know, if a lawyer wrote your contract, talk to them about it, have them add that in. I would also recommend adding, we’re not responsible for accessibility, or any other compliance issues, which would be helpful. And at Termageddon we have something called the Website Policies Waiver, and you don’t actually have to use our service to use it, but it’s basically a two pager that explains what this is, why it’s important.

It has the clients sign off on the fact that you’re not the one that’s responsible. And it gives them a couple of options, like you’ll provide your own policies, you’ll use Termageddon, or you won’t do anything. But the client signs off on it, so it’s all documented.

I think we’re kind of at this point right now where there’s so many lawsuits that I would not, I mean, personally, if I was a web designer, I wouldn’t just say that and then move on, I would have that in writing somewhere.

[00:18:39] Nathan Wrigley: Is it possible to have a catch all document like that? You just made a point that, you know, if you’ve got a hundred visitors from California, then that’s going to be impacting. And obviously, as a website developer, unless I’m geofencing the IP addresses and saying, no, Californians, you may not even look at my website. And honestly, who’s doing that? Nobody. It would be nice to have visitors from California. That’s almost the point of having a web presence.

Do I need to worry about that? Do I need to worry about every single jurisdiction on earth, or can my British, in my case, based lawyer take that on for me?

[00:19:11] Donata Stroink-Skillrud: Sometimes they can, sometimes they can’t. So if you are working with a lawyer, I would ask them, what privacy laws do you intend to cover here? And they should be asking you questions to figure out what laws apply to you, because all of this depends on what laws apply to you. So each law has different compliance requirements. So that’s the number one thing that must be done.

So if you are working with a lawyer, I would ask them, hey, help me figure out what laws apply to me. What laws are you comfortable covering? What laws are you not comfortable covering? How do you write this policy? How do you intend to update this policy for me? Are there extra charges for updating, and things like that?

I think it’s important to note that, just because your website could randomly be accessible anywhere in the world, that doesn’t necessarily mean that all the laws apply to you. So for example, like some laws, like Nevada, you have to do business in the state. So you have to have customers there, or ship there, or things like that. Some laws have business size restrictions, so you have to make a certain amount of revenue, like $25 million, or you have to collect the data of a certain number of people. So there are a lot of factors that go into figuring out what laws actually apply.

[00:20:15] Nathan Wrigley: I’m obviously not a lawyer, but I know that if I want to move house, I’m going to contact conveyancer. I have a friend who is a maritime lawyer, and I know that he deals exclusively with freight, boats out on the ocean. In other words, there’s a specific kind of lawyer for a specific kind of law. Is that the case here? Is there a growing industry of web-based, online lawyers, and are they preferred, or could I walk down my high street and use any old lawyer?

[00:20:41] Donata Stroink-Skillrud: So there are a lot of privacy lawyers out there. So the International Association of Privacy Professionals, iapp.org, which I’m a part of, certifies lawyers in privacy, and also has a directory of lawyers you can find there as well. It’s difficult because you may go to a business lawyer and they may say, oh yeah, no problem, I’ll write you a privacy policy, and then get some template online, or something like that. So definitely make sure to ask them, are you experienced in this area of law? Because it is very, very specific, and it’s very intricate. You know, I used to be a business lawyer back in the day, and I didn’t know anything about privacy. So you do have to be careful with that.

[00:21:16] Nathan Wrigley: It sounded like the search that you might perform on Google there would be privacy lawyer.

[00:21:20] Donata Stroink-Skillrud: Yep, privacy lawyer. And then you would put in like your city.

[00:21:23] Nathan Wrigley: Okay, perfect. So your presentation at WordCamp was called, Building WordPress Websites with ‘Privacy by Design’ in Mind. And it sounds like you’ve got some tips there, some short circuit things that you might want to be thinking about. Let’s go through a few of those. What is in your presentation? What things can we have at the front of our mind if we’re building websites, which clearly people listening to this are doing?

[00:21:46] Donata Stroink-Skillrud: So, I’m going to start off first by just talking about what privacy by design is, and why it’s important. So kind of going over some of the legal requirements, like the laws that specifically talk about privacy by design, and what they say, and what’s happening with them. And then also talking about what privacy by design is, which is basically the integration of privacy throughout the entire life cycle of the project, from the beginning to the very end.

So it starts off with the wireframe designs, and ends with the destruction of data. So privacy is embedded into all of those processes. So a great example would be, if you have a website that has a login form. When somebody puts in their email to reset their password, and they put in the wrong email, you don’t display, hey, you actually registered with this email instead, right? You know, a well known company got into trouble with this, when you’re setting up two factor authentication, don’t add the 2FA information to a marketing list. It was Meta that did that, which was just great.

Things like that, so making sure it’s, privacy’s taking into account. And I’ll also be sharing some examples of bad practices, and examples of good practices. Some examples of the bad practices are cookie consent banners that just have an accept button and no decline. Or the decline is hidden, and tiny font underneath, and doesn’t even look like a button. Or email unsubscribes that are very confusing, where you can’t understand, you know, if I check the box, am I opting in or opting out?

The way people display their policies. I have a screenshot of policy that says, analytics, and then it’s a whole bunch of blank space, and then, how we share your data, and it says, we don’t share your data with anyone. Things like that, that I think for a lot of people, once you talk about it, it seems really obvious, but if you’re not a part of that area of expertise, it might not be super obvious at first glance.

And then I’ll also share some best design practices. So there’s some really good website design that I’ve seen, that provides good privacy choices and good design.

And then I’ll also be giving some tips and cheat sheets. So for example, like when you build a website, tell your client all the third party tools that are on the website. We get on a lot of calls with a lot of people to generate their policies, and they’re like, I have no idea if I have Google Analytics, right? Well, they should know that because that could be a very privacy invasive tool. And that really affects their compliance requirements. It can even subject them to other privacy laws. But if they don’t know that, then they don’t know. So some tips for designers about how to communicate this all to their clients, what they should be talking about, what they should be thinking about.

[00:24:17] Nathan Wrigley: Whenever I think of lawyers, forgive me, I always think that there’s an element, it’s a fairly well paid profession, let’s put it that way. And I would imagine that if I went to my brochure website client and said, okay, I’m not responsible for this, but here’s some information, you need to get a lawyer. I’m imagining that, typically, they might be thinking the same thought. Gosh, that’s going to end up costing me an absolute arm and a leg.

Is that the case? Can you achieve compliance in a, well, air quotes, affordable way? Or does it end up suddenly adding thousands of dollars of legal fees? Which may actually be the difference with launch, go, no go, you know. Build a website, don’t build a website. Does it always have to be expensive? And I’m guessing services like your own, Termageddon is trying to reduce the cost because you can kind of automate a lot of this.

[00:25:04] Donata Stroink-Skillrud: Yeah. Yeah, absolutely. So I think the cost for a lawyer, it can be expensive depending on where you’re located. So, you know, if you’re in downtown Chicago, you’re going to be paying a lot. If you’re in southern Illinois, in a smaller town, you may be paying less. But there might not even be a privacy lawyer in your town. You know what I mean?

So I think for a lot of businesses that can become unaffordable. And that’s why we created Termageddon, which is kind of a good mesh of these types of things that is affordable for small business. And that was our whole goal, is to make privacy accessible for small businesses. Because I think small businesses do care. They care about their clients. They care about their email list. They care about what they do with the data. It’s just that they don’t want to spend $30,000 on this. But you can automate some aspects of it for a much cheaper price.

What some people do is they’ll generate their policies with a generator, and then give them to a lawyer to review, which is way cheaper than writing a new one. We provide updates as well, which is great.

For people who can afford it, lawyer’s great. If you can’t afford it, which I totally understand, you know, we’re a small business as well, using third party tools like Termageddon is very helpful because it can help you get there without that huge price tag.

[00:26:14] Nathan Wrigley: Yeah, I guess you’ve got to figure out what your exposure is. You know, if you’re doing something really bespoke, and you genuinely are taking people’s medical data. There’s no question, you need a bunch of lawyers, specifically to cast their eye over your website. But if you’ve just got a personal blog, it’s probably much more straightforward. Inspect what you’re doing, and then go and get the legal advice.

But I do like the idea of getting some documentation, maybe from some service like you mentioned, and then getting a lawyer in your local area to sort of look over it.

But it also feels like a movable feast. It feels like, what was yesterday true, may not be true a year, two years, from now. And, is that the case? Is this the kind of set it and forget it in 2024, and then revisit it a decade from now, or is it more a month, a year, two years? Is there an iteration? Is there a sort of cadence that you need to be thinking about?

[00:27:00] Donata Stroink-Skillrud: I wish it was something where like you created it once, and then look at it again in 10 years. Take like a 10 year vacation, it’d be awesome. Unfortunately, no. There are so many new privacy laws. So in 2025 we have 8 laws going into effect. So these policies are constantly updating all the time. And if you are working with a lawyer, I would recommend asking them what their price is for the updates, so that you’re not getting a bill every other month for a couple thousand dollars to make those updates. You know what I mean?

But there are a lot of updates that need to be made very, very frequently. From the new laws perspective, there’s new rules, there’s new regulations. And here in the US we have these 20, 30-year-old privacy laws being reinterpreted as applying to websites now. So those need updates too, as well as whenever you change your privacy practices, you need to change it too.

So that can get very costly, and it could get complicated, especially if you’re trying to do this yourself, because tracking this is like a full-time job. I mean, trust me, it is my job to track all of this, and it’s very, very time consuming. It’s not one of those things, if you don’t have anybody helping you with it, it’s definitely not a set it and forget it solution.

[00:28:09] Nathan Wrigley: And so is that what you, Donata, spend your day doing? Literally consuming, I don’t know what it is, information from different jurisdictions, and collating that to try and make it work within your own business. Is that what you spend your time doing?

[00:28:22] Donata Stroink-Skillrud: Yeah, pretty much. So I’m the legal engineer behind all the policies, so I wrote all the policy questions that help figure out what laws apply to you. All the remaining questions that you need to answer. All the answers, all the text variations, which we have hundreds of thousands of text variations now. And then I’m also responsible for the updates.

So whenever a new law is passed, you know, I have to track the bills first of all, which so many bills don’t pass, it’s like such a waste of time sometimes. You know, I do have to track all of that, and then once something becomes law, before the effective date, I have to put it in the generator and help people update their policies, and everything like that.

[00:28:59] Nathan Wrigley: So if you use a service like yours, do you then provide something, and then you’ll, I don’t know, email an update out, or is it more, I don’t know, you put something on the website which is automatically updated as you make the adjustments on the Termageddon end, my website is automatically updated, or do I have to copy paste new privacy policies every so often?

[00:29:20] Donata Stroink-Skillrud: No, so when you generate your policies with Termageddon, you get an embed code. The embed code goes onto your website, and that’s where updates are pushed through. How updates are made kind of depend on the law. So it depends on what new disclosures are required. So if it’s information that we already know, we push the update automatically for you. If it’s information that we don’t already know, we might ask you a question or two, you respond, and then the text update is made automatically to your privacy policy text.

[00:29:47] Nathan Wrigley: And do you take the responsibility? We talked earlier about who’s responsible, and at what point can you divest yourself of that responsibility. If I use a service like yours, or a rival, does that mean that I am absolved of responsibility and you have taken it on, or is it more nuanced than that?

[00:30:02] Donata Stroink-Skillrud: So when people register with us, they have to accept our privacy policy, and our terms of service, which means that they’re forming a relationship with us about their policies. So for example, as an agency, you can send clients to us through the affiliate program, you get a promo code or link. They register with us, and we’re the ones responsible for their policies. When you’re reselling Termageddon, we recommend sharing the license with a client, so the client has to create an account, and register with us, and acknowledge that we’re responsible for their policies as well.

[00:30:31] Nathan Wrigley: Okay. So we’re in the year 2024, and I honestly don’t know what the landscape looks like. I’m presuming that you do a little bit more. Does it feel like more privacy in the future, less privacy in the future, or the same? In other words, if I’m a jobbing website designer, builder, web developer, whatever it may be, is there more coming down the pike than there is now, or is it the sort of thing that I can worry about the same amount this year as next year?

[00:30:55] Donata Stroink-Skillrud: There’s a lot more, yeah.

[00:30:56] Nathan Wrigley: There’s always more.

[00:30:57] Donata Stroink-Skillrud: Yeah, I have a whole spreadsheet of upcoming privacy laws, and it just keeps getting longer, and longer, and longer. And the problem is, in the US there’s no comprehensive, overarching federal privacy law. So you’re seeing all of these states propose and pass their own laws. And that’s a really big issue because it creates this hodgepodge. Because if I’m a business located in Illinois, I have to comply with laws all over, because I do business there, I collect their personal information. So I don’t have to be located in a state or country for their laws to apply to me.

So it creates this huge, what we call the privacy law patchwork, which is like the bane of every privacy lawyer’s existence right now. Because there’s more and more of these laws, and more and more of these requirements. They don’t exactly match up across the states. There are some states that have a lot of similarities, there are states that are completely different. You know, some exempt nonprofits, others don’t. It’s kind of a mess.

[00:31:52] Nathan Wrigley: Yeah, wow. And that’s just the US. Map that across the whole world, all the 192-odd, whatever it is, countries out there.

[00:31:59] Donata Stroink-Skillrud: Yeah. And you know, countries that have had privacy laws for a long time, like Australia with their Privacy Act from 1988. It’s been amended a couple times, but due to the changes in technology, and the privacy invasive technology that we’ve seen, they’re working on a complete overhaul of their privacy law. So these laws that have been established for a long time, that we’re very familiar with, are going to completely change as well.

[00:32:21] Nathan Wrigley: So, Australians, watch this space.

[00:32:24] Donata Stroink-Skillrud: Yeah.

[00:32:24] Nathan Wrigley: Where could people contact you if they’re kind of concerned, or interested, or just want to find out a bit more about Termageddon? Where would they get you?

[00:32:31] Donata Stroink-Skillrud: So you can find our website at termageddon.com. Email me at donata at termageddon.com, or you can follow us on social media. We’re just @termageddon everywhere. Definitely feel free to reach out.

[00:32:41] Nathan Wrigley: Head to wptavern.com, search for Donata’s episode, and I’ll have put all of the links there in the show notes, if you didn’t manage to capture any of those. Everything should be there. So, Donata, thank you so much for chatting to me today. I appreciate it.

[00:32:54] Donata Stroink-Skillrud: Thank you for having me.

On the podcast today we have Donata Stroink-Skillrud.

Donata is an attorney licensed in Illinois and a Certified Information Privacy Professional. She is the President and Legal Engineer of Termageddon, a SaaS that generates website policies and helps keep them up to date with changing legislation. Donata is also a Fellow of the American Bar Foundation, Chair of the American Bar Association’s ePrivacy Committee and Program Committee, member of the ABA’s Cybersecurity Legal Task Force and the American Bar Association’s Representative to the United Nations.

Donata will take us through the ever-changing topic of privacy laws, highlighting the challenges posed to businesses to comply with a myriad of regulations. She talks about the global trend of updating privacy laws to keep up with rapid technological advancements and new capabilities.

We touch upon the significant moral and legal responsibilities tied to user data management. Donata stresses the importance of ‘Privacy by Design,’ which integrates privacy measures from the start to the end of a project lifecycle. She shares real-life examples of common pitfalls, such as misleading cookie banners, and offers best practices for embedding privacy in web development.

Donata explains the importance of including disclaimers in contracts to mitigate legal liabilities and provides actionable resources, including her own “Website Policies Waiver,” which helps website builders navigate the complexities of legal compliance.

We also discuss the landscape of international law applicability, the high costs of specialised legal compliance, and how you need to be mindful of what’s coming in the next few years.

If you’re keen to find out more about the current legal landscape, or just want some more knowledge to ensure your projects are legally sound and ethically responsible, this episode is for you.

Useful links

Termageddon website

American Bar Foundation

American Bar Association

Cybersecurity Legal Task Force

Donata’s presentation at WordCamp US – Building WordPress Websites with Privacy by Data in Mind

GDPR Enforcement Tracker website

California Invasion of Privacy Act

Video Privacy Protection Act

Texas Privacy Law

Termageddon’s Disclaimer Generator

International Association of Privacy Professionals

Termageddon’s X / Twitter