Good afternoon. Before we get started, I definitely want to take some time to thank the volunteers, the organizers, everyone working here, and to all of you for coming to listen to and talk about the most riveting topic here on the calendar, data privacy and security. I'm very excited to be here. So let's go. So about me a little bit, my name is Ronnie Burt. I live in Austin, Texas. I have been using WordPress for about 10 years in different ways. For the last eight years, I've been working for a company called Incsub. In Incsub, we have several different services, WPMU DEV, CampusPress and Edublogs. I'm the general manager of our enterprise and education services, and I had the lucky honor of being chosen to lead all of our recent GDPR regulation and compliance stuff, so I got to learn about all of this great stuff, a little bit about what we'll talk about today. Before I got into the WordPress thing, I was a middle school and high school math teacher, and so I will also be very offended if you are not talking, raising your hand desk, going to the bathroom, and all that sort of stuff. It's just what I'm used to with my 12 or 13 year old students. So, yes. Excuse me, but what is crazy about their hacker? Ah, you'll just have to keep following along and see what happens. So, who's this talk for? So, if you'll indulge me just for a minute, if you can give a round of applause, clap your hands. If you have a WordPress site and you do not have a privacy policy on that site that you know about, round of applause. Tell me a bit. Yes, round of applause. All right, clap your hands, a round of applause. If you have a privacy policy, but you haven't read it, looked at it, or updated in six months or more, probably something to be there, that's good.
And then also, if you collect any sort of data, the minute type of data on a WordPress site, and you haven't asked for consent from the visitor about that data, you may not want to admit this publicly, but let's clap our hands a little bit. So, if you clapped, or those that should have clapped, but didn't, this talk is definitely for you. And so, I know it's not the most exciting topic, but we're going to try to be laid back. You can interrupt me if you want, but there'll be time for questions at the end. And I should have mentioned, my Twitter handle was on the first slide. It's @ronnieburt. I put a link to the slide, and also to a checklist that I'll talk about at the end there on Twitter, and make sure that you have access to the slides. The slides also contain some notes and some extra details more than what you'll see up on the slides themselves. So, first, I want to bust a myth here that you can use a plugin for compliance. So, there's some parts to this that we really have to talk about. A plugin, WordPress core, all this sort of good stuff is not going to be enough. There's no, like, easy, you know, hit this red button and it's going to fix it for you. And then compliance is also kind of a word that people are trying to have take on a different meaning than what it really should be, where compliance is really just about a point in time that you meet some set of standards, where our data privacy practices and our security practices are really more about a long term from the beginning to the end and ongoing, what it is that we're doing. So, if someone's telling you that you're compliant, or they are compliant, I get asked all the time with our enterprise and education customers to verify compliance and that makes me really uncomfortable. Yes, I can show some sort of certification and we can talk about a snapshot within a given point of time.
But, and I understand the needs of why they're always asking for these things, but really, our data practices are so much more than that they should be evaluated in many different ways more than that as well. So, why should you care about data privacy security practices? Well, first of all, it's the law. And actually here in Massachusetts was the first, I believe, data privacy specific law in the modern age in the internet times back in 2010 that companies here with customers in Massachusetts have had to have been following. That law really was about the most basic and obvious levels of personal information, your name, social security numbers, and things like that, but really got the ball rolling. You've also probably heard of the General Data Protection Regulation in the European Union. You've probably got, like all of us, a million emails in the month of May asking them to read the updated terms and conditions and services and privacy policies of all these companies around the world. Just last month, the end of last month, California legislature passed a law and the governor signed that goes into effect on January 1st, 2020 of the California Consumer Privacy Act, which is very much in a lot of ways modeled after the GDPR. One thing for most of us that will make this not as big of a deal is that the California law, as of now, only applies to companies making more than $25 million in revenue from California residents or with 50,000 customers. So most of that probably won't have to worry about it too much technically, but that doesn't mean we shouldn't be aware of what's going on. And also in state capitals, world capitals all over the, you know, everywhere, this is a topic. It's in the news, it's what's going on, and so we just need to be prepared. So there's some differences in philosophy between the U.S. or us. I couldn't determine if it should be us, like upper case, lower case, or U.S., so I left it, versus the world. 
And one of those is just around the way that these regulations are enforced. So in the U.S., we're very lawsuit happy. Everything happens in the civil courts. So even in the new California law, the way it's designed is that it just makes it easier for the consumers to sue the companies. So they still have to go through that whole process, basically ask permission to sue and all sorts of things, where in the EU, in most of the world, the philosophy is more that the government slaps a fine, takes money directly from companies, shuts them down, all sorts of things like that. So here, things get caught up in the courts forever, and you might get class action lawsuits and things like that. There's a target class action lawsuit that I'll reference maybe a few times, been going on for like five years. Someday we might get seven bucks checking the mail or something each. And when it comes to this, I'm not really going to talk specifically about any of these laws so much as just general best practices and keeping in mind a risk-based approach. So what that means is you have to know your risk, know how big of a deal it is to you based on the type of data that you're collecting or the type of site that you're running and managing. What is important to me or what works for me and what regulations I need to follow might be different than you in your site. So it's really hard to be very specific, but there are some general practices that we can definitely follow that are going to get us there. One of those things that if you are in the privacy data world at all, kind of the phrase that you'll hear is privacy by design. And privacy by design has been around for a while I think since the mid 90s. I think it was Canadian data authorities started putting together this list and it has since been kind of adapted and rolled into everything from the GDPR countries around the world are modeling basically their laws, their regulations based on this concept of privacy by design. 
And I could have a whole session on privacy by design and you know it might be interesting. In fact on WordPress TV there's one from WordCamp Europe that our know is from WordCamp Dublin by Heather Burns that you can just Google on WordPress TV. WordPress TV and Heather Burns I think is one of the top that comes up where she goes into great detail on each one of these principles. But in general there are seven principles in the privacy by design construct and that is that everything you do it needs to be proactive not reactive. So we need to anticipate the issues before they reach the user and be preventative. They need to be a default setting. Consent from a user is not assumed they need to opt in. They need to be embedded into the design so it's not something on top of it needs to be part of the site part of the flow whatever it is that we're building. It needs to be a positive sum so we can't remove functionality. We can't go backwards and take away consent. That one's a little hard for me to explain without going into great detail so we can look into that. It needs to be end to end from the very beginning before you start building the site and you're wireframing it out through building it through putting it live on the web and then ongoing and reviews and any future iterations. It needs to be constant and then also at every point that the data travels or that the data exists needs to be protective and there needs to be visibility and transparency so we need to be able to talk about publicly basically what it is that we're doing in our practices and be very open and transparent with whoever it is that we're collecting data on and it needs to respect the user needs to be user-centric with choices. 
So those are the seven principles and like I said we can go into great detail on those principles but it's always important for me as I was kind of framing these slides and everything and was it framed as our process of rewriting our privacy policy as a company that we go back to these seven principles and make sure that we're hitting them all and that they all make sense. So what's personal? What's personal data? You might hear it called PII, Personally Identifiable Information and there are the traditional ones that I was talking about the usual suspects, the usual identifiers, your name, your social security number, your driver's license number, your address. Those we all understand are personal. The rest on the list these are from the new California law and to various degrees are involved in are listed in the GDPR, other laws and frameworks and a lot of what's PII what's very frustrating for those of us that are trying to meet the you know what these laws are trying to tell us to do is that they're decided in case law and and after the fact it's not really prescribed from the beginning so we're still kind of figuring some of this out but it's important to kind of think about so geolocation data if you're collecting data from where your site visitors are coming from can be considered personal information. If any biometric data our websites are probably not to the point I don't know if there's a Gutenberg block yet about like fingerprints scanning and and that sort of stuff but anything that's biometric data would definitely be personal. Your browsing history is one that's specifically listed in the California law and is also targeted in the GDPR about so any logs that you have any analytics that you're running could be considered personally identifiable information and something you just need to be aware of. 
Psychometric data I'll be honest is a word I kind of had to look back up to make sure I understood it but anything you know psychological data you have quizzes surveys personality traits which are the things that were listed on your sites you know could be anything learning records considered psychometric and inferences so this is a is a big one that's coming more and more predictive analytics if you're doing anything on your website to make a decision on what you should show that site visitor based on any of their information that's predictive analytics and inferences that you're making you have to be able to show that user how you're coming up with that inference and that predictive analytics according to this new California law which most of us won't technically have to follow right but it's still important and coming is coming. So security practices there was just a great talk by Adam Warner downstairs on security practices and then again it's been forever but I did want to highlight some of the like the quick things that in case you missed his talk or or even if not that we can just make sure that you have in place so security goes very much hand in hand with data privacy a big part of proving in all of these rules are in all these laws and constructs that you're following best data privacy practices are that you have good security planning good security management in place because if you can't protect the data that you're collecting then it's kind of pointless so these are definitely on my checklist of something that every site from like the most you know smallest blog brochure small business website on up the chain you got to choose a quality host I'm not really going to recommend a specific host but I think if they talk about WordPress a lot in our community and they're showing that they're part of the WordPress community they're sponsoring wordcams they have managed WordPress services that's a good place to start then you have to have a plan around your 
plugins your themes your WordPress core there's a lot we could talk about there so you're making sure they're updated first of all WordPress core managed hosts are generally going to help take care of that for you but these are things you definitely have to do in order to make sure that you're meeting kind of the minimal best security practices your plugins and themes updates I know it's frustrating I run sites with lots of plugins and I'm sick of every day like seeing notifications for updates constantly and and then also you know we need to test those updates the minimum backups it's a big long process but the updates if you know if you dig into the changelog maybe you can put some updates off but it's not obviously a security update if you read through and you see that it's definitely a security update and that's one you don't want to waste wait wait any time on and same for themes you know where you get your theme if you're building a theme it's built on a parent theme or something you know making sure that we're keeping those updated and then also when it comes to plugins and themes that's on the checklist is that it's not really best practice to leave unused themes and unused plugins just laying around on your install that's just a potential backdoor waiting to happen so if you're not using it it's just good good policy to just delete it you can always add it back later if you need it ssl certificate that's some way that's one way that you can judge a quality host if they're operating free ssl certificates in this day and age google will penalize you or starting to penalize you if you don't have an ssl certificate in place and honestly most with most hosts with all hosts they really should be free i know some posts will charge you more or make you be on a higher plan in order to have it but cloud flare is a service that you enable that offers some basic free ssl protection there's less encrypt there's other ways that we can get ssl in place so it definitely 
should be on your checklist no matter what type of site so i guess the most basic log on up the next one is two factor authentication and this is really one that's kind of my personal soapbox and anyone that um works company with me um is probably frustrated by because we have implemented two factor authentication on absolutely every single thing that we have which we use lots of different services so this isn't just your your website you need to enable two factor authentication on your website so what that is in case you're not sure you go to log in you need to get a text message to approve or a code that you put in um a lot of your banks will probably do things like show you a picture that you pre-chosen so these are just a second way of verifying your authenticity uh your authentication so it's two factor or multi factor authentication definitely has to be in place not just on your website on your email on your social media accounts and everything and absolutely everything that you can do um and then find a good security plugin that you like my company has a free one defender there's there's others out there for sure many will have a two factor authentication piece built right in that will work with something i think even jetpack has a a two factor authentication thing so if you install the jetpack plugin that's pretty popular there's a a module that you can enable to to add two factor to your sites so we'll get off that soapbox a little bit but this is the the quick one major security slide that we have here so this is everyone's least favorite slide in practice and thing that we all have to do and that's we always have to start and we need to do it pretty regularly just a complete data audit of our site and it's kind of annoying it's not fun and it's not really gonna do something that obviously is going to increase traffic to your site or revenue or whatever it is the goals that you have with your site um but we need to look at all the ways we might be 
collecting data listed write it down look at what those third party services are that you're using so like we use mail champ a lot for email lists that's an example that used to go in my you know my complete data audit i need to look at mail chimps privacy policy which by the way they do a big kind of great job of like all the gbr stuff and everything like that that's why i like to use them as an example but you have as part of the responsibility for to meeting a lot of these laws you have to have documentation written down somewhere doesn't have to be too formal i use just a google doc and i listed with the privacy policy a date maybe the last time i kind of looked at it um we talk about what data specifically is being collected so it used to be maybe that we would ask for a ton of things and store a ton of things in that mail champ example like names and cities and you know all sorts of things i think we've kind of gotten it down to maybe first name an email address because it's just easier that way and we don't really need that all that other information so there's use cases for all the extra stuff but it's an example of where if you don't need data you're not going to use it then don't collect it you're minimizing your footprint and that's really a big part of that privacy by design your crm tools your marketing so these things are kind of external to your wordpress site but are probably part of your your business or you know whatever it is your organization or whatever it is that you're doing to have a site for if your site has contact forms what contact form solution are you using where is that data stored is it in the wordpress database what information are you asking do you need everything that you're asking you actually use it we used to include on our forms because we thought it would be useful to the support team like all this stuff that you can collect IP addresses and you know what browser they're using and all that but it's not really it can't be 
useful but if we need it we can just ask for it so and we want to be more transparent to those people filling out the form that we were actually collecting that information so we turned that off that's a setting in a lot of the main like form plugins that are out there that you can append all of that information on if you don't really need it and you're not asking the user if you're if they're filling it out and you're not telling them that we're also sending as part of this email notification your IP address and your browser and all that stuff then you need to not do that any analytics that you're using google analytics or it doesn't have to be there's time heat tracking maps and all that sort of good stuff listing them out in your data audit evaluating the tools that you're using the services that you're using what their privacy policies look like and their privacy practices look like is part of what you kind of have to do this day and age if you have a site of any shape and size and the most important really is you know any payment transaction information this is why we offload payments to the specialists that can we're not actually keeping any credit card numbers in a word front database you know that's probably not a good idea in general WordPress was built designed for public content to live live on the web not to protect sensitive data so it's a good there are plugins that will let us do anything and collect anything but maybe that data is better housed in a service that was built specifically for that type of data and not WordPress so you need to have a data minimization plan I kind of already talked about this but how are you going to minimize your data footprint if you don't need it get rid of it but part of the data minimization plan is how long are you keeping that data for it used to be data you know storage chief we're going to keep everything forever we may need it but that's not the case anymore so if you don't need old contact information and you 
know that people have sent through your forums delete it if you don't need your analytics longer than a month in the past get rid of it or whatever it is so you have to kind of decide for yourself what makes sense on your risk-based approach to determine what your personal data minimization plan is a little caveat to that is there are laws and reasons why you do keep data long-term and forever especially financial transaction data auditing you know the IRS comes calling or whatever you need you need transaction seven years whatever it is in your state or what type of business that you're running you have the legal right in fact the legal responsibility to keep that sort of data you just have to keep it in the right place and in the right way where people aren't going to find it and do whatever they want with it and with all of these things your your plans and everything that i'm talking about i'm going to be very repetitive about this write it down put it in writing someplace safe for you that you can access and you can show to someone should the worst happen in the future you need a disaster recovery plan backups you need a way to take backups a good quality host will help you with this process it will be built in it will be automated nightly weekly whatever makes sense again you probably don't need to keep these backups forever you know determine a length of time that makes sense for you to have these backups some of you may you know there are cases where you need backups for a specific period of time for you know whatever legal obligations that you may have like for student generated data or something like that but otherwise seven days sounds pretty good to me i'm not going to roll my back my site backup more than that in general for most average sites again write that down and then another thing to mention with your your backup plan a lot of plugins that are out there for backups or services it's getting better and this is more rare but kind of look out for 
make sure that backup's not on the same server as your site because it's kind of useless if like the worst happens so it needs to be off somewhere else services that will upload it to amazon s3 or you know other services that are out there it'd be great oh and i'll go back with your disaster recovery plan please test it like you know once a month once every two months or something make sure that you can actually restore site from the backup it's kind of nice because it's the worst when like you need to restore and your backup is corrupt or something you need a breach notification plan and again write down your breach notification plan gpr i believe it's 72 hours that you have to notify if you are aware of a breach you have 72 hours so you will see in almost all privacy policies 48 hours written down it's rare that you'll see 72 but i think the law is 72 so that doesn't give you much time to notify users and this is one of the things if the worst does happen and you're aware that your site was hacked and some email addresses are worse were exposed you have the legal responsibility to notify those those people that their data was potentially made available to someone else you also have the legal responsibility in most cases to notify some authorities in the us it's a little bit less clear who those authorities are outside in the u.s there's data protection authorities that you must notify we're almost done i know we'll do the questions that's cool i know i told jenna rock me so i'm sorry but um i what i do is i have again google docs because i'm kind of a google nerd we have the worst if the worst ever happens i have templates that i've written of what these emails would look like they do it for not just notifications like this but like if sites are down or anything like this they're very templated that we just copy and paste in just makes me feel better to have that as a backup there are some some notification examples and templates definitely just a quick google 
away of what people are sending so people that might be responsible and the authorities definitely need to notify interesting in the u.s i believe it was target but don't quote me on that that tried to get around notifying their customers because they were saying that it was an ongoing investigation and the authorities were telling them not to notify because that might hurt the investigation that was going on well under the california law i know for sure and in others that are being written that's no longer an excuse you can't you can't use that this is an ongoing investigation excuse so the big one you have to publish a privacy policy good news is that there's brand new wordpress tool came out right along with the gdpr where there is a template built into wordpress under uh i think it's under settings privacy where you can edit and there's a whole list of text of almost an entire privacy policy for you so if you're one of those folks that clapped your hands at the beginning that don't have one you almost have one in your wordpress site and all of those things that i was talking about and asking you to write it down the reason i was asking you to write it down is because you can simply copy and paste for the most part what you wrote down and put it into your privacy policy and the headings that are missing so in the checklist that i have it tells you what what sections you kind of definitely need to fill out automatic the company behind wordpress dot com and jetpack and and all those things have a privacy policy that's published in all of their documentation is is open sourced and useful so that's also something to check out for some language um you know with the gdpr and another it's no longer good for your privacy policy to be legalese and nobody understands it has to be written by or understood by the non-lawyers so that's why i felt like it was okay for me basically to write our new privacy policy because i'm definitely not a lawyer and uh if i could understand 
it i felt like we were we were in the right direction we were making good faith uh and do diligent effort there um so ours is inside that kind of privacy policy there probably flaws so please tell me about them um but but that's also something you're you're welcome to use and help you know however helpful um and then you gotta get consent consent has to be opt-in you can't have a checkbox that's already pre-selected someone has to check that box for consent you can't just have one consent box for like everything at the beginning you can't say you're agreeing to terms of service privacy policy and this and this and that it has to be broken up consent needs to be um you know by the individual thing that you're asking for and just in time at the time you're asking for it so you don't get consent when they first visit your site for if they sign up later or something like that that makes sense and along with the new WordPress tools there's a new data and deletion request built into WordPress core released in early june if i remember right um so those are under tools there's um tools export personal data and tools for race personal data or people can request a copy of everything that's in wordpress about them and request uh that you erase it and that is incredibly useful and that was a lot of work by volunteers on the wordpress core privacy teams and um definitely check that out and play with it if you haven't yet and then plugin developers plugins can hook into this to make whatever data those plugins are collected as part of that process so when it first rolled out it was basically just your comments and your posts but more and more plugins are cooking into it we're trying to hook into it with all of our stuff for sure um the checklist that i talked about there's a bitly link i also tweeted it um that's two pages the google doc of everything i talked about with like checkmarks you can as you go through with a little bit of information that's a living document there's a 
way for you to comment on it it's brand uh it's new i haven't really used before so if you have comments or questions there that's a good place and we'll try to make that document more useful to more people and all those puns that you saw were part of uh all stolen i stole right from our company's weekly or three times a week wordpress newsletter that's free and it's full of puns so i just put them in there because it kind of kept this boring topic maybe a little bit more interesting i hope and all the images were from our designers on our blog um i think we have like nine ish minutes for questions yes so most websites don't collect much data right you've got paypal you've got a web or you've got all those things the one problem i see is membership sites so if you get hacked often your your site is down so is that something that you should be backing up like that list of people so that you can let them know they've been you become because that's really the only place except for comment yeah you can't get into it right you can't get into it now so that would be part of in your backups and and part of your breach notification plan like how you can get access to your user base and you know we keep a list of users outside of the wordpress database because that's really important for us to do um so it depends again it's kind of on a risk-based you know how big this idea is and how many there are if you can export them all out and save them like in an encrypted way in a safe place um and do that because that's going to help you can you take them out then you've got to save them somewhere yeah which is actually a funny like conundrum with the gdpr if someone asks to be erased so you erase them they no longer exist in all your stuff but he turns out before they asked you to erase you had a breach you can't notify them so they're kind of like it's kind of you know they shouldn't have asked to be erased i guess but um so i thought that's a really useful overview about like a 
lot of the core of gdpr and making the compliance effort with that do you have your slides available online yes um i have them i just on my top tweet is there and it's at ronnie burt and then i'll make sure that it's on my website just ronnie burt.com too this is great i'd love to share it with the company yeah no please do yes another question i'm i build websites and i have some people here so i do i know the gdpr and i use cookie bot for my consent are there any other tools that were sort of the best tool i could find so i'm just looking if there's any other recommendations i haven't done a lot of research into the whole cookie thing as much as i should i'll be honest um i have heard a cookie bot and that's when i've looked at two and i feel pretty good about it yeah so the question was you know about the whole cookie notification thing which is sort of related to the gdpr and cookie bot you're using and i played with it but i don't know if i could totally like endorse it yes hi um i basically had to do all the same things you did for your company i had to do all that for my company so i had to learn all this privacy stuff um so i just wanted to say a few things to help everybody else out um so that's some clarity to some of the things that you said because you everything you said was right but the distinction matters so if the 72 hour rule um it's 72 hours after you guys that you find out that you've been breached that's what it matters um also it's when the the data that the um attacker finds is actually consistent of pii so like if they just find names nothing else then you're cool you don't have to you don't have to report you don't have to do anything you're just you're okay um because when you report you have to provide forensic data so like IP addresses which user account got breached um and all the other stuff um of course the findings for this are you know incredible if you did um if it's a bad breach um it's like 20 billion euros um and also for having 
tools to actually become compliant here in the US, there's a program called Privacy Shield that's made by the FTC, which is also the same organization you report to if you were breached here in the United States. To let people know, that's the legal authority in our country. Yes, no, excellent. And I have a long story for anybody that wants to talk later about dealing with our wonderful government and the Privacy Shield, because it's fantastic. And, you know, appreciate it, and good point. And I want to reiterate one thing, because I might have spoken to the 72 hour rule for notification, just to make sure that it's on the live stream or on the recording: it is not from when the breach happened, but it's when you were aware of the breach, or anyone in your company is aware of the breach. In fact, that's part of the rules we had to talk about in the training piece. You have to train; that's something that I didn't really mention, is training. Anybody that's affiliated with your site, works in your company, everybody has to be trained on privacy, and part of it is they have to know who to notify and how. You know, as the organization gets larger, that becomes more complex, and it's when the first person in the organization is aware, that's when your clock starts ticking. Yes? I think I know the answer to this question, but I put websites, and so a lot of those sites just had simple contact forms on them, and so just as kind of a backup for my clients I've used ice Contact Form 7, and so I store the data in the database, just because email isn't 100% reliable, right? Would I be best for those just to get rid of that? Is that where we are with this? No, I think it depends on what you're collecting in the contact, and most people would tell you in the bottom of that contact form you now need, like, a little box they can send in to that says, "Please know that we're going to store what you're sending us and it will be emailed to someone." It seems like it
should be obvious to someone submitting a contact form that someone's going to get that data, but, you know, we have to cover our bases. And kind of what I would say is, you know, this scares a lot of people into not wanting to do anything. You can do anything you want and collect anything you want if you get consent and you archive that consent and document all that. So it's kind of hard to answer, but I'm fine with keeping it in the database, but maybe as part of your, like, data retention policy you go through and clean it out every... I know, I know that's a pain, but that would be a good general practice. Okay, thank you. Sure. You spoke about how you need to get their opt-in consent when they first get to your website. Thinking about things like Google Analytics, where I'm getting, for all the users in my site, I find out their geolocation and a lot of data, what happens if they don't accept that, they opt out? I don't know if they opt out because they just don't click the opt-in button, and I can't exclude them from my Google Analytics. This is very much the part of the cookie conundrum. The cookie consent shuts that down. So you use Cookiebot? Okay. Nothing happens. That's the shield to your website, and all the boxes. On mine I have three boxes: there's marketing, analytics, non-preference, and you have to have, like, there's something you have to have. That's the shield. Nothing happens. So I have to check? Yeah, no, they can't access the site, but they have to check. The boxes are all unchecked; you can't pre-check anything. So if I don't check analytics, you don't get analytics. And so then there's a do not track, so analytics makes it possible to where then they will hit, the cookie won't be added, and it won't be tracked, which makes your analytics a little bit less useful. In Facebook pixels, you can shut them down, and shut down all kinds of things. It's called Cookiebot, and it's free if you have less than a hundred
pages. The trick to it is never have an attachment to your images. You know, sometimes when you go in in your images, you are out where the press will create those extra pages. Yeah, you can put a plugin that strips that out. Okay. So we have a site that had hundreds of pictures of 10 pages. It was like, why is it coming on over a hundred pages? It's because you haven't selected "none" for the attachment to the image. Okay. So that's just a trick, but Cookiebot's free up to a hundred pages. All right, thank you. Sure. I think we might have a few seconds left, if there's any more. Well, I'll definitely be around. Oh, go ahead, go ahead. A little beyond what I've looked into. If it's public out there, you can scrape it. Google scrapes; we want Google to scrape our sites, right? But we don't want people that are going to contact us in nagas to scrape our site, so it's kind of a different... I don't think there's anything you need to be safe with the data that you're collecting, but no one's giving you consent to do that either, right? And so I don't know, really, honestly, where that goes in. That's interesting. All right, what he said. Last question. Somebody said to me that in an original world ego market, just spend 15 cents on a new client, send them a message, to make sure your last line says, "I will follow up with you in a week," and actually call them. It kind of brings the customer service back, but at least they're not going to be able to write the whole thing out. Yeah, you know, I think that's kind of, because they have to opt into the email, so you can't just send someone an email, and that gets into more like the marketing email laws, which are related but not exactly the same. Thank you very much, and I'll be around for the rest of the day tomorrow, happy to chat about this.