All right, good morning. Thanks for joining us in this interesting boardroom setup. I was saying it feels like a jury of my peers or a Senate hearing or something like that, but it kind of, I guess, makes sense, since we're talking about sort of a heavy topic. Privacy, there's some legal implications there and everything like that. So we'll just get started. Thanks again for being here. And of course, that's when the clicker stops. How many of you saw me do this like six times before we got started, and it worked? We'll just go the old-fashioned way. So a little bit about me. I've been working with WordPress for more than 10 years. I started kind of just doing freelance WordPress-y stuff on my own, not really that great of a developer, so that's why that didn't last. Before, and kind of while I was getting started in WordPress, I was a middle school and high school math teacher; I taught algebra through calculus. And so, totally not related at all to what we're doing, but it does mean that I'm very used to being interrupted or getting distracted by the folks that I'm talking to. So I'll be a little offended, actually, if you don't raise your hand and throw questions out as we go. I'm definitely used to that. I work for a company called Incsub. Incsub is the parent company of three different services: WPMU DEV, CampusPress and Edublogs. And a little more than a year ago, I had, I guess you could say, the good fortune of drawing the short straw to have to figure out how our company was gonna deal with this whole GDPR thing that everyone was talking about. So before that, I didn't really know much about it. No one in our company, to be honest, really knew a lot about it, but we knew it was important. We kept hearing about it from our customers. We knew that we really had to tackle this and tackle it well.
So I spent quite a few months just reading, watching videos on WordPress.tv and elsewhere, and just seeing what I could figure out about what it is that we needed to do to make sure that we were doing the right thing. And basically the result of all that is kind of what we'll be talking about today. I wanna show you that it doesn't really take going and paying someone a lot of money to do it for you. There are a lot of tools and a lot of things available, in a pretty reasonable amount of time, that you could go through and kind of do these things yourself. So this talk, who's it for? Really it's for anyone that has a website. If you have a website, you are legally obligated. If your website collects any sort of personal data (we'll talk about what that means in just a second), if your website collects anything that could be construed as personal data, in most places you're legally obligated to have a privacy policy on your website, and it needs to have the word privacy somewhere in the footer or somewhere on your site that's easily found. So basically I am assuming, since you're at WordCamp, that probably means that it's pretty relevant to all of us, and that's probably why you're here. So we can keep going on that. So as we kind of mentioned, I tweeted out these slides. It should be my top tweet right now: twitter.com/RonnieBurt. My website is also RonnieBurt.com, and after this is over it will be at the top of my presentations link that's there too, if Twitter isn't your thing or you're not seeing it there. I've also created a little two-page Google Doc checklist that basically summarizes everything that we're gonna talk about, in order, kind of as we're gonna talk about it. That is free for you to just access, rip apart, use as needed, just as a guide if you wanna go through a similar process to what I went through or that we describe.
Instead of having to go through the slides, this checklist is probably a little bit better tool for you to use. So that is at bit.ly slash WP privacy, and that'll be there, and you can leave comments on it, questions, things like that as well. And I'd be remiss not to talk about probably the most exciting development in the last year or two, and definitely a result of the whole GDPR thing that we were talking about. There are some excellent tools and settings in WordPress itself related to privacy. I would argue that most people just don't know they're there. And even if you do know that they're there, they can be a little bit weird to kind of navigate. So I'm gonna show you that a little bit too, and it's gonna make your lives a lot easier. And so if you look under Settings > Privacy in your WordPress dashboard, that's where it's all found. So that was introduced right around a year ago in 4.9.6 or something like that, those tools. And I think they're actually being improved, at least from my understanding; the way that you can display privacy pages and interact with themes and things like that is being improved in the next version, 5.2. So that's pretty exciting, and it's coming out here shortly. So there's definitely an active team of great people working on this and helping us all achieve this goal that we need to. So one thing that we wanna talk about is this word compliance. Because it's something that in my daily work I get asked all the time: are you compliant with this? Are you compliant with that? Can you prove that you have this? And really, compliance is this word that is misunderstood or misconstrued or misused often. Compliance is about a snapshot, a single point in time. And it doesn't mean anything beyond that. So I can almost prove compliance at a single point in time. There are ways of getting around some of these things. Really, compliance is not what should be most important to you.
A full, well-rounded practice from beginning to end and ongoing is really what you should be after and what you should be looking for. So this is kind of parsing words and we can debate philosophically on this, but it's something that a lot of folks feel strongly about. So here's the myth up here: you can use a plugin for compliance. There are a decent amount of plugins, there are a decent amount of websites out there, especially when the whole GDPR craze came through, that would say, we'll promise to make you compliant, just sign up for this and do that. No one can do that for you. There's still going to be work involved for you and actions that you're gonna have to take in order to make that work. And so I just don't wanna give you any false promises or feeling that someone can do this for you, or a plugin or anything like that. There's still a lot of work that you're gonna have to do. And you're here, so you care, I'm assuming, or you just couldn't find anything else to sit in, but why should you care? Well, here in Georgia, I looked up, I'm not from here, I'm from Austin, Texas, but I looked up, I think in 2007, the GPIPA Act. I'm not sure if that's how the acronym is ever said or if anybody from Georgia has ever heard of it, but the Georgia Personal Identity Protection Act is in place here. So if you're a resident here, it's something you might wanna look into. The way I was reading about it, one thing that it does is it helps us define what personal information is. And in the law, personal information that needs to be protected, in that if you feel like someone has had access to that personal information that shouldn't have, you have to disclose it to those people. It comes into play whenever it's someone's name, full name or first initial and last name, along with some other personal information.
So if you have two things together, that's what this 2007 law says, then you are legally obligated to disclose, or get in contact with whoever's data you might have, if that happens. We've all heard about the GDPR, the General Data Protection Regulation in the EU. We heard about it because we got like 700 privacy policy update notification emails last May, almost a year or around a year ago. And that's definitely still in force. Similarly, something that you're all going to start getting a flood of emails in your inbox about in the next few months is the new California Consumer Privacy Act. Excuse me. I've been getting over a cold, and all this cough is fun. The California Consumer Privacy Act goes into effect, I think, on January 1st, 2020, so it's right around the corner. And it means that a lot of big companies are gonna have to update all their privacy policies again, and you're gonna get these same emails and notifications: please read these updated privacy policies and things like that. So for most of us, the California Act is not gonna directly be something that we have to show compliance for, even though I said we can't do that or we shouldn't necessarily do that, because it talks about a certain amount of money that you earn in revenue, when it's in the millions of dollars, from residents of California, or a certain number of residents in California, I think it's like 50,000 or something. So for most of us, we probably won't reach that threshold. There are often talks about a US federal policy related to all this stuff too, and it comes and goes in the news. I'm not really sure where we are with that now, but it definitely recently was talked about again. So all this to say, it's constantly changing, constantly updating, and it's something we have to stay on top of. It's a little fun to think about the differences between the US and the rest of the world when it comes to privacy, and when it comes to litigation and laws in general.
And the way that it's kind of been explained to me, which I think I agree with, is that, I don't know if you know this, but in the US, we're pretty lawsuit-happy. Things tend to be settled in the civil courts, through lawsuits, basically. In the EU and in most of the world, it's more regulation and the government slapping fines on you or something like that. And so that is actually a pretty big difference. So you'll find in the GDPR, it's very descriptive, very prescriptive; it tells you exactly what you have to do, and if you don't do it, this is what is gonna happen to you. Here in the US, it's vague and it's all settled in case law, and we have to just wait to see who gets sued about it and what the courts say from that, and then we have to determine what we do. That's just the systems that we live in, and it kind of frames the conversation and the protections that we have to take. And that's very much related to this philosophy here, a risk-based approach. So what this means is the practices that you need to take for your individual personal blog or your small e-commerce shop, it's gonna be way different than the practices that Facebook needs to be held liable for, or the standards that they need to be held to. It's a risk-based approach. What is the worst that could happen if you have the worst data breach possible? That needs to frame how much work you put into this. So I say this because the rest of the stuff I have to say is pretty overwhelming, it's pretty detailed. And I want you to always go back to, well, yes, this is important, but maybe it doesn't apply directly to me right now, or I can get away with one backup here when someone else needs to have two or three redundant backups over there. There are no hard and fast rules to this, but it's definitely risk-based. And the last sort of philosophical thing I'll get through is privacy by design.
So this is from the 90s in Canada: government agencies were working through their privacy laws and came up with this construct that privacy is not something that you just tack on at the end, or that it's just a project that you do, because once the project is done, once your business is built... it really needs to be something that you consider from the very beginning, when you're business planning, when you're wireframing your website, when you're deciding what tools to use, and then it's an ongoing practice and thought process. So I won't go too deep into this. I'm so sorry for the coughing. I won't go too deep into this, but there are some really great videos by Heather Burns on WordPress.tv where she goes really in depth into the seven different parts of privacy by design, and that's really where I got a lot of my knowledge here, and I really appreciate that. So one of the hardest questions to answer sometimes is, what's personal? What is personal data? What is the type of data that we need to protect, and what's the type of data that we need to talk about in our privacy policies that we're writing and sharing on our website? Well, the most obvious ones: names, social security numbers, addresses, those are the usual identifiers, credit card information, all those things that you're used to. But the rest of this list comes from the new California law, which means that we can be assured that it's probably going to be applied in more states' laws and maybe any federal law that we come up with, and it may not look like at first glance that some of these have immediate implications for you, but you might be surprised. So geolocation: IP addresses that you might be collecting from visitors from different tools might show where that person's coming from. California is saying that's personal information. Biometric data, fingerprinting. I haven't seen one, but I'm sure they're out there: fingerprinting tools to log into your WordPress website.
How are we protecting those fingerprints, or whatever it is, from that tool that you might be using? I know you're not creating that tool, but you're still responsible for making sure that whoever did is protecting that data, if it's anyone that's visiting your site that needs to use it. Browsing history. So if you're tracking which pages they're visiting on your site and you're able to assign those to an individual user, California law is saying that those are personal information. Psychometric data. So that's a word I keep having to look up, but anything that's maybe educational, brain-based, if you have quizzes on your site, or if you're learning something about personality traits or something like that. You may have something like this on your site, and that's considered personal information. If you're making inferences, which we're doing more and more about our visitors, we're saying, we noticed you visited my site from Twitter, so I'm gonna show you this particular piece of content. You're making an inference about that person. How you could make that inference, or collect that data, can be considered personal information. So the point of this slide is that it's not just those usual things; we have to really start thinking about way more than that, which can be a little overwhelming. And we can't talk about privacy without also talking about security. And this isn't at all a security talk. I know there was a great one yesterday; there's probably one today. But these are just some quick things. In your privacy policy you have to attest to, or share, or you should share, some of the ways that you are safeguarding the data that you have. So that's where security comes into play. So choosing a quality host, from someone that may sponsor a WordCamp or something like that. Plugins, themes, your WordPress core: making sure that they're up to date, making sure that there are no vulnerabilities in anything there.
This is a given now, I can probably take it off the slide, but making sure that you have SSL in place; Google is really helping us make sure that we all have that. Two-factor authentication, even for yourself if you're the only person that's logging into your site, using one of the plugins. Jetpack, I think, has one with WordPress.com; there are quite a few others that will enable some sort of two-factor authentication for logins. And then there are a ton of good security plugins, and we can talk about the pros and cons of those privately; that may be something that you wanna make sure that you have in place if you don't already. So this slide is probably my least favorite, and it was the least favorite part of the process for me, but the most important. So when I was going through our process of reworking our privacy policy, I had to do a complete data audit. For some of us and on some sites this is pretty quick and simple, and the checklist that I shared kinda walks you through the things that you need to look through. But you might be surprised: even on my personal blog I found tools that I had forgotten that I had installed, like six years ago, that were sitting there collecting some data that I didn't know was there. And so I needed to, for me, and we'll talk about that in the minimization plan, turn those off, right? If I'm not using that data, why collect it? So the first part is really doing that complete data audit. Is your host collecting data on traffic from you? You know, you need to ask these questions, be able to find that out, and they probably are, and that's fine. I'm not saying they can't; it's just that you have to know about it and document it so that if something happens you're able to find it. Or do you have email lists? Where are those email lists kept? Are they kept in a place that's following best practices, that sort of thing? Are you using a CRM or some sort of marketing tool similar to the email list?
That you know has a lot of customer data, databases, things like that. Cookies, that's a big one. We're all used to those really fun cookie popups on every single website that we visit, which is probably the dumbest thing in the history of the world, at least the internet. But you know, we have to know what cookies are on your site, and this is a little embarrassing to admit: on one of our sites I did a cookie scan and we had hundreds and hundreds of cookies, and there was just no need for most of them, because the site was 15 years old and we're still using just legacy code, legacy themes, that we just keep improving and iterating on, and we never take anything away, which we should. And we learned a lot through this process, and we were able to really start paring back what those cookies are. But also it's perfectly fine to have cookies on your website; obviously we see those cookie notifications everywhere and everybody has them. We just have to be able to explain what they are and explain why we have them. Why are we using that? And then make sure that whenever they can, they are following best practices for people to be able to turn them off, or use the browser tools to not track and stuff like that. Do you have a contact form on your site? That's collecting personal data. Someone's email address is coming through. Where's that being stored? Is it being stored in the WordPress database? Is it going right to your email? All those sorts of things. So you just document it. I'm just making a list, writing down all of the different things that I found that our businesses are doing, and keeping track of them, and that was definitely step one. We have user profiles. What data were we asking for? Why are we asking for all of this user profile information from our customers? Was it really that useful? Were there any that we could turn off or hide or not ask for anymore? All good questions. What analytics tools are you using? Are you using Google Analytics? We probably all are.
Other stat tracking tools that you might have in place. And then, really significantly, payment information, if someone's paying you. Where's that data stored? Hopefully none of us have direct credit card information of our customers at all. There are tools and ways around having that and having access to that these days that we should just have in place. So once we have this giant list in some cases, and it may be a small list in some cases, of all the different ways that we have all this data, let's see if we can minimize it. Let's see if there's anything we can take away, we can delete. If there's not, or even if there is, are there things that we can do to, like, itemize or document that maybe we're only gonna keep these records for five years and then we're gonna delete them? Do we have a plan to make sure we do that? All this stuff is overwhelming, but it's just kind of the right thing to do. You are going to be much better off if you're not holding on to 15 years of data like we were, when the first 10 years of data is totally not useful today, right? We're not using it, so why do we keep it? Let's just get rid of it. We're gonna be better off for it. You have to have a disaster recovery plan in your privacy policy, or you should. And in the checklist that I provided, I have some sample language that you can just use. If you have just a simple backup and restore option with your host, that's great. This isn't like a big lengthy thing that you have to think about, but the one thing that I wanna talk about with the disaster recovery plan is, you'll be surprised. You don't have to admit it, I suppose, but think about the last time you tested if your backups work. For me, on some of my sites, it could be never. I know I have backups there, but I've never actually seen if I could restore from them. It's kind of scary.
And we kind of learned that through this process, and so I've implemented regular checks, and now it's someone in our company's job to make sure that those are useful. But if it's, you know, on my personal blog, I've just gotten used to doing a backup restore just because I need to, just to make sure that it works. And in most cases, you know, it should be fine, but better to be safe than sorry. You have to have a breach notification plan in your privacy policy. And again, I give some sample language that you can pull from. But I have a bunch of templates, basically, that are scary to look at, so that if something bad happens, we are ready to go. We know, you know, in our case, we have a large list of customers. So if that data was ever exposed somewhere, we need to be able to contact them quickly. In most cases, it's within 48 hours. That's what the law is saying these days, from when you become aware of the breach; that doesn't give you much time, right? And that's even harder because this goes totally against everything else in all of the privacy best practices of having customer data in a... like, if someone asked you to remove their information from your database, and then you have a breach, you have no way of contacting them. So it's kind of a, you know, you're not gonna win, basically. You just have to realize that. So once I realized that, that's, you know, GDPR kind of brought this through, and we'll talk a little bit about it, but that's something that you also have to be able to do: if someone requests that you destroy, delete, or anonymize all of their data, you have to do that. I personally at first thought, this is great, I'm gonna go to every little thing I've ever signed up for and delete it, but now I'm thinking, you know, I want them to be able to contact me if they need to. So it's just something to think about. And that's what I was talking about.
These are more new tools that are also in WordPress core that you may not have seen before, but they're under the Tools menu, where you can export data by a username. That's it, within WordPress, which is pretty cool. And there are ways and hooks and things in there where we can have people request their data. So if you have a WordPress site that has users that sign up for different things, these tools are already available to you; you just have to know how to make sure that, if you have users or things like that, they know how to access them. So putting that information in your privacy policy is important. And we definitely, especially around GDPR time, when it was first implemented, had not as many as we were prepared for, but we definitely had quite a few people reach out and be like, I wanna get rid of everything that you have on me. So people definitely do it. So we've gone through the checklist. It was a lot, but now we're ready to publish. And I will say, for years, thanks to the good people at Automattic that published a lot of their stuff in an open source, Creative Commons way back when, we definitely used that for our company privacy policy and attributed it and everything. So I'm assuming it's cool for all of us to do that. They have a great privacy policy that is Creative Commons, and you can go in and basically, ours doesn't look like it as much as it used to, but it definitely started that way, and just kind of fill in the blanks, remove the things that aren't relevant to you, add the things that are missing that are relevant to you, and it's a good place to start.
Our company's privacy policy is there, and you're more than welcome to use anything that's there, in terms of, if you wanna copy, paste some language, update it, change it. But also WordPress itself has a default privacy policy page, and that's what I'm gonna show you and demo, with a lot of text too that you can use as a great place to start. And another thing to really talk about is consent, and this isn't really part of building your privacy policy, but it is part of: how do you have people opt in to your privacy policy? Are you really asking for consent? And some things GDPR really made specific, but other... I mean, it just makes good sense. You don't want someone to opt in for everything you're ever gonna do to them, and in the future, all at once. What it says is that it really needs to be broken apart, so they're not opting into your email list and your terms of service and that you're gonna call them on the phone and everything else that might happen with your business all at once in one big statement that just says, I confirm. You have to break it apart and let them know what it is that they're consenting to, line by line item. So we're probably getting used to seeing more and more of those as you're signing up for new services, where it breaks it apart. For example, even in just our email list, we have a weekly email list and a three-times-a-week email list, and then the only-email-me-if-you-really-need-to-tell-me-something-important list. So we let people choose from those. So when they sign up they have to go through that, which is kind of a pain point. You know, the business folks don't want, and the marketing folks don't wanna put a lot of choices in the funnel because it slows people down, but it's just an obligation that we have. And this is why I was okay with me, a non-lawyer, basically owning our privacy policy. Everything needs to be in friendly language and understandable.
So I think it's only fair that it's okay that it may not be in super legalese. In fact, it's preferred that it's not. And that all goes back also to the risk-based approach, right? You know, if you're a giant Google or Facebook company, your terms and privacy and stuff, you're probably gonna want to be more ironclad than my personal blog, for example. And the just-in-time means that you're not asking for consent all upfront and at once; you're only asking when it makes sense to ask, and you keep asking when it makes sense to. So I'm gonna jump over to some demo and then we can do some questions. But you may have noticed some really dumb puns. The puns I stole from our marketing team, from our WhiP, so I can take no credit for that, but wanted to share. And all the images I also stole right off our blog. So I wanted to just give credit for that. And I'm gonna try to jump over.
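The speaker mentions above that the Tools menu export and erase screens have "hooks and things" that let a site hand a user their data or destroy it on request. The block below is an added example, not code from the talk or from Incsub, showing what those hooks look like for a plugin that stores its own personal data. It assumes a hypothetical plugin that keeps contact-form submissions in a custom table `{$wpdb->prefix}contact_submissions` with columns `id`, `email`, `message` and `submitted_at`; the table name, the `cfx_` function names and the text domain are all assumptions. The two core filters (`wp_privacy_personal_data_exporters`, `wp_privacy_personal_data_erasers`), the callback signatures, the array keys in the return values and `wp_privacy_anonymize_data()` are real WordPress core APIs (4.9.6 and later).

```php
<?php
/**
 * Added example (not from the talk): plug a hypothetical contact-form table
 * into the core privacy tools (Tools > Export Personal Data / Erase Personal Data).
 * Core calls each callback repeatedly with $page = 1, 2, ... until 'done' is true,
 * so both callbacks work in batches of 100 rows.
 */

add_filter( 'wp_privacy_personal_data_exporters', 'cfx_register_exporter' );
add_filter( 'wp_privacy_personal_data_erasers', 'cfx_register_eraser' );

function cfx_register_exporter( $exporters ) {
    $exporters['cfx-contact-form'] = array(
        'exporter_friendly_name' => __( 'Contact form submissions', 'cfx' ),
        'callback'               => 'cfx_export_personal_data',
    );
    return $exporters;
}

function cfx_register_eraser( $erasers ) {
    $erasers['cfx-contact-form'] = array(
        'eraser_friendly_name' => __( 'Contact form submissions', 'cfx' ),
        'callback'             => 'cfx_erase_personal_data',
    );
    return $erasers;
}

// One page of rows for an e-mail address from the hypothetical table; prepared query, no string building.
function cfx_get_submissions( $email_address, $page, $per_page = 100 ) {
    global $wpdb;
    $offset = ( $page - 1 ) * $per_page;
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT id, email, message, submitted_at FROM {$wpdb->prefix}contact_submissions
         WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
        $email_address, $per_page, $offset
    ) );
}

// Exporter: returns items grouped for the export ZIP; core merges pages until 'done'.
function cfx_export_personal_data( $email_address, $page = 1 ) {
    $per_page     = 100;
    $rows         = cfx_get_submissions( $email_address, $page, $per_page );
    $export_items = array();
    foreach ( $rows as $row ) {
        $export_items[] = array(
            'group_id'    => 'cfx-contact-form',
            'group_label' => __( 'Contact form submissions', 'cfx' ),
            'item_id'     => 'cfx-submission-' . $row->id,
            'data'        => array(
                array( 'name' => __( 'Email', 'cfx' ),     'value' => $row->email ),
                array( 'name' => __( 'Message', 'cfx' ),   'value' => $row->message ),
                array( 'name' => __( 'Submitted', 'cfx' ), 'value' => $row->submitted_at ),
            ),
        );
    }
    return array(
        'data' => $export_items,
        'done' => count( $rows ) < $per_page,
    );
}

// Eraser: anonymizes instead of deleting, so the row survives for abuse investigation
// without the identifier. Anonymized rows no longer match the e-mail, so every call
// re-reads page 1; 'done' flips once fewer than a full batch is left (rows that failed
// to update are reported as retained and stop the loop once they are all that remains).
function cfx_erase_personal_data( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page       = 100;
    $rows           = cfx_get_submissions( $email_address, 1, $per_page );
    $items_removed  = false;
    $items_retained = false;
    $messages       = array();
    foreach ( $rows as $row ) {
        $updated = $wpdb->update(
            $wpdb->prefix . 'contact_submissions',
            array(
                'email'   => wp_privacy_anonymize_data( 'email', $row->email ), // deleted@site.invalid
                'message' => '',
            ),
            array( 'id' => $row->id ),
            array( '%s', '%s' ),
            array( '%d' )
        );
        if ( false === $updated ) {
            $items_retained = true;
            $messages[]     = sprintf( __( 'Submission %d could not be anonymized.', 'cfx' ), $row->id );
        } else {
            $items_removed = true;
        }
    }
    return array(
        'items_removed'  => $items_removed,
        'items_retained' => $items_retained,
        'messages'       => $messages,
        'done'           => count( $rows ) < $per_page,
    );
}
```

Once this is active, a request confirmed from Tools > Export Personal Data includes a "Contact form submissions" group in the ZIP, and Tools > Erase Personal Data reports the anonymized count under the same name; the confirmation e-mail to the user is what ties the request to the e-mail address the callbacks receive, so no identity check is needed inside them. The design choice worth noting is anonymize-versus-delete: the speaker's point that a deleted contact can no longer be notified of a breach is exactly the trade-off here, and which side of it to take belongs in the privacy policy's retention language.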