Okay, I think we're ready to get started here. So my name is Donata Stroink-Skillrud and welcome to my presentation, where I'll talk about the three things all web professionals need to know about privacy. Before we start, I did want to note that any information that I talk about today, anything in the Q and A, is for informational purposes only and is not to be considered legal advice. If you are looking for legal advice, I would recommend speaking to an attorney in your area, because they're the ones who can provide legal advice to you.

So some of the topics that we'll talk about today: we'll talk about which websites actually need to have a privacy policy, why privacy policies are important, and then, as the website designer, why you should be the one to talk to your clients about privacy.

A little bit about me. So I'm a privacy and technology attorney, I'm licensed in Illinois in the United States, and I'm also a Certified Information Privacy Professional, certified by the International Association of Privacy Professionals. I'm the president and legal engineer behind Termageddon, which is a software-as-a-service company that has generated tens of thousands of privacy policies and successfully kept them up to date with changing legislation. So my job is to come up with the policy questionnaire, so all the questions that you need to answer to be able to create your policies, as well as the hundreds of thousands of different variations of text and how they all match up. So my job consists mainly of keeping up to date with privacy laws: tracking bills, tracking laws, tracking regulations, cases, all of these types of things. I'm also the chair of the American Bar Association's ePrivacy Committee, a member of the ABA Science and Technology Council, and a member of the ABA Cyber Security Legal Task Force. And I'm also a fellow of the American Bar Foundation as well. And as you can see from this photo, I'm also a beekeeper.
So I do tend to have a lot of fun with that, and a lot of fun with all the stuff that I do outside of work too. And just so you know, as we go through this presentation, there will be a little bit of time at the end for Q&A. So if you do have a question, definitely put it in the Q&A and I'd be happy to try to answer that for you too.

So first of all, what websites actually need to have a privacy policy? So I'm sure that you've seen these all over the internet. Basically any website nowadays has a little link to a privacy policy in the footer, and you click on it and it's a bunch of information. And a privacy policy is basically intended to provide consumers with information about what happens when they submit their data online. So like what data is being collected, who it's being shared with, how it's being used, whether or not it's being sold, all of these types of things. But if your website does not currently have a privacy policy, or your clients don't give you a privacy policy to put on their websites, let's talk about what websites actually need to have one.

So before we start, let's talk about one definition, which is personally identifiable information. So personally identifiable information, otherwise called PII, is any data that could identify someone. So examples of PII can include names, emails, phone numbers, physical addresses. It can also include information like IP address, or information collected more in the backend, like device information, like what browser a certain person is using. All of that information can be considered PII. And really all websites nowadays at least collect PII. So a great example is a contact form. So you'll see here on this contact form, it collects names and emails and a message. So names and emails will be considered PII, and that information is being protected by a variety of different privacy laws. Now, it doesn't really matter whether or not the information is being submitted voluntarily, right?
So when somebody goes onto the website and they choose to submit a contact form, you're still collecting PII regardless of the fact that the user submitted that information voluntarily. And what websites need to have a privacy policy? So any website that collects PII needs to have a privacy policy. Now, collection of PII can be contact forms, email newsletter sign-up forms, e-commerce forms. It can be different things like Google Analytics, Facebook Pixel, anything like that. So any website that is collecting PII needs to have a privacy policy. And note here too that it is collecting PII. So you don't need to actually share it. You don't need to actually use it. You don't need to sell it. You don't need to do anything with it. It's the moment that PII is being collected. That's when the privacy policy requirement comes in.

Now, why does PII collection and privacy matter? So if you've been building websites for a long time, let's say you started in the 90s or the 2000s, you may remember a time where privacy really wasn't that big of a deal. So back then people would be concerned about their privacy if they were maybe submitting their social security number, or maybe they were submitting their passport number or their credit card information. That's when people used to be kind of concerned about what's going to happen with my information here. But things have really changed from then. So why does PII collection actually matter? So consumers are really becoming more and more aware of the fact that companies are collecting their PII and doing all these things with it. And they're becoming more and more worried about that collection of PII. So if you remember the Cambridge Analytica scandal, that was when the firm Cambridge Analytica took the PII of millions and millions of Facebook users that was collected through surveys and used that information to manipulate political advertising.
That kind of really opened up consumers' eyes to the fact that the information that I'm putting online, or that I'm sharing with companies, can be used against me. And there's really not much that I can do about that. So that's when we started seeing all of these new privacy laws come about as well. That was around the time with GDPR and all of the different US privacy laws like CCPA that really kind of came about because consumers started becoming worried about their PII online. And they started pushing their legislators towards proposing and passing privacy laws that would allow them to have some control over what happened to that information.

So on one end you have the privacy law requirements, which we'll talk about in a minute. But on the other hand, because consumers are becoming more worried about their privacy online, privacy is actually starting to become a competitive advantage to some companies too. So there are some interesting studies that I wanted to kind of bring in here just to illustrate what's happening. So there's a study by Axios that found that 93% of Americans would switch to a company that prioritized their privacy. That's a huge number. That's an overwhelming majority of people who would choose a different vendor due to privacy concerns. The Office of the Privacy Commissioner of Canada found that seven in 10 Canadians have refused to provide data to a company over privacy concerns as well. So for example, they may not have bought something from a particular website because they were worried about their privacy. Maybe they didn't submit their information to an email newsletter list, or maybe they didn't submit a contact form saying that they're interested in working with a particular company, specifically over privacy concerns. And then another study by Empathy.co found that 40% of consumers are concerned about what happens to their data online.
So as you can see from those numbers, privacy can actually be a competitive advantage, both to your own website and to your clients' websites as well. So if a consumer goes onto a website and they see that the website has a privacy policy, that the privacy policy clearly explains what information is being collected, how it's being shared, whether or not it's being sold, what that consumer's rights are, how they can gain control over their information, then that can be a competitive advantage, because then that consumer would not be as worried about their privacy when using the website. And therefore they would be much more willing to interact with the business, whether through making a purchase, submitting a form or anything like that. So privacy laws, we'll talk about that in a minute, but privacy can actually be a competitive advantage too.

Now, privacy laws. So privacy laws regulate the collection and use of PII. So that essentially means that the moment you collect personally identifiable information, that's when privacy laws can apply to you. And privacy laws have a few different requirements, but one of those requirements is to provide consumers with information: what PII is being collected, what is done with that PII, who that PII is being shared with. And these disclosures are made in the privacy policy. Now, each privacy law has its own set of requirements for what a privacy policy must state. So some laws will require you to say whether you sell the PII that you collect, while others may require you to say how the website responds to Do Not Track signals, or who the user should contact to exercise their privacy rights. So each law has different requirements as to what a privacy policy needs to have, but these three items are basically the meat and potatoes of the privacy policy.

Now, what laws protect PII? There are a lot of different laws that protect PII.
So you have laws in the European Union, laws in the United Kingdom, you have laws in the United States, as well as laws in Canada, and Australia has a law as well. Basically these laws are created to protect consumers. Now, the laws don't really care about where your business is located. And this is a really important feature of privacy laws. So as you know, the internet is a very vast space; it's not geographically limited. So let's say I'm somebody who's located in the European Union. I can visit a website in the United States and submit my PII there. Or I'm a business located in Illinois; if I'm doing business in Nevada, I have to comply with their privacy laws. So a great example, the California Online Privacy Protection Act, which is one of California's privacy laws, that one applies to any business that collects the personal information of residents of California. Now, as you know, anybody from California can submit their personal information anywhere, which basically means that the laws are not geographically limited. It doesn't really matter where you're actually located.

Now, as you see on this chart, you see a lot of different states in the United States here that have their own laws. And that's because in the United States, we don't have a federal privacy law, at least not one specifically for information collected by websites. So we have laws for healthcare data, we have laws for credit card data, we have laws for educational data, but not really things that protect names, emails, and phone numbers regularly collected by websites. And that's why we're seeing in the US every state propose and pass their own privacy laws to protect the consumers of that state, because there's no federal regulation there. And then you'll also see in here that there are a bunch of dates by some of these. So these laws are going into effect in the future.
Now, what that means is that privacy laws are constantly changing, and new laws are constantly being passed, proposed or amended, and new regulations are being issued, because consumers want more rights that they're not currently getting, or because technology is changing and privacy harms are changing and we need to adapt to those. So you'll see that there are a lot of laws going into effect in the future as well.

So who do privacy laws actually apply to? So again, privacy laws don't really care where your business is located. So to determine what laws actually apply to you, you should be asking where your customer is located, to whom you are offering goods or services, who you're tracking online through features like Facebook Pixel or Google Analytics, and whose PII you are actually collecting. There are a lot of privacy laws that apply regardless of for-profit or nonprofit status. So being a nonprofit does not automatically exempt you from every single privacy law. There are some laws that will not apply to nonprofits, but there are laws that will apply to nonprofits. There are very few laws that apply based on revenue size or the amount of data that you collect. So if you're really small or you don't collect a lot of data, you will probably still need to comply with a whole host of different privacy laws, because they're not necessarily based on your business size, employee size or revenue size.

Now, because this is WordCamp Montreal, I thought that I would bring in some Canadian examples here as to who privacy laws apply to. So the first example, PIPEDA, which is Canada's federal privacy law, applies to organizations across Canada that collect, use or disclose PII in the course of a commercial activity. And then it also applies to non-Canadian companies that collect, use or disclose the PII of residents of Canada. Now, commercial activity in this particular case for PIPEDA means for-profit businesses.
But Quebec recently passed a new law, Quebec Bill 64 or Law 25, which went into effect September 1st, and it applies to persons that collect, hold, use or share the PII of residents of Quebec in the course of carrying on an enterprise. And an enterprise is defined as a commercial or non-commercial activity, meaning that Quebec's bill can apply regardless of for-profit status. So if you're a non-profit, you probably don't need to worry about PIPEDA, but you would be subject to Quebec's privacy law. So that just kind of illustrates the different nuances that come into play as to who privacy laws can actually apply to. But that's really the first step of privacy compliance: figuring out what laws apply to you, because then you'll know what rights you need to offer, what your privacy policy needs to say, what security requirements you have to meet, what contractual requirements you have to meet, and other things like that.

Now, penalties for not complying with privacy laws are very high. So they can range from $2,500 per violation to 20 million euros or more in total. Now, what does per violation mean? So per violation in this case means per website visitor whose privacy rights were infringed upon. So for example, let's say you have 100 website visitors from California and you don't have a compliant privacy policy; the cost is 2,500 times 100. So that can add up very, very quickly and can be extremely expensive.

Now, we also have a lot of different proposed privacy bills as well. So privacy laws are constantly changing. So for example, in Canada, you have Bill C-27, which is a bill that has been proposed to amend PIPEDA to increase its requirements, to kind of keep up to date with how information is being used and what kind of privacy violations can happen as technology evolves. So you have all of these different bills, and what does that actually mean? That actually means that your privacy policy needs to be updated.
So every time a new law passes, new regulations are issued, there are new enforcement actions or new cases, or just the requirements are changing, a privacy policy needs to be updated, because the disclosures in the privacy policy that need to be made are changing as well. So essentially that means you can't just have a privacy policy that complies with the privacy laws of today. You also have to have a strategy that keeps that privacy policy up to date with changing legislation too.

And then lastly, just one more time, privacy laws, that's what dictates the disclosures that your privacy policy must have. So each law has a different set of disclosures that it requires a privacy policy to make. And that's why things like templates are so dangerous, because templates are not based on the laws that apply to you, right? They're based maybe on one law, but one law does not cover all the disclosures of other laws. So one thing that we see that's a very, very common misconception is people say, I'm just going to go online and get a GDPR template. And if I get a GDPR template, that's a very stringent privacy law, that means that I'm covered for all the other privacy laws that may apply to me. Very, very wrong. So a great example: sale of data. GDPR does not require you to say whether or not you sell data, but Nevada's privacy law does, and California's privacy law does too. So if you get a template, even if it just complies with one law that applies to you, it will not comply with all the other laws that apply to you as well. And then also, templates do not update. So whenever you get this template, a couple of days later there might be a new law that goes into effect, and then your template is out of date and it hasn't been updated, and you're out of compliance and in danger of fines. So make sure that your privacy policy is based on the laws that actually apply to you. And then make sure that you have a strategy for keeping it up to date with changes in those laws as well.
Now, part three: why you should be the one to talk to your clients about privacy. So being a website designer or working for an agency, you get a lot of questions from people about different things that are happening to the website, right? Your clients really trust you and trust your judgment and trust your advice. And also your clients might not be as technically savvy as you, right? They don't know how websites are built. They don't know how information is being collected, or what trackers are being used on the website, or things like that. So you're in a great position to talk to your clients about this as well.

So why should you tell your clients? I guess first of all, what should you tell your clients? So nobody is expecting you to be a lawyer, right? Nobody's expecting you to be a privacy expert or anything like that. But what you should really tell your clients is, hey, I'm building this website for you. It's collecting PII. I'm not a lawyer, but I think you should talk to a lawyer, or I think you should look into getting a privacy policy. It can really be as simple as that. And then you can give them a couple of recommendations if you would like to.

One thing as a website designer to be very careful of is don't put yourself at more liability too, right? So if you're currently copying and pasting privacy policy templates for your clients, or writing privacy policies for your clients, you're essentially saying that this privacy policy is good. It's fit for their needs and it will help them avoid fines and even lawsuits. But if you're not a lawyer or don't have experience in this field, it might not do that, right? So if you haven't taken the time to research all the laws that apply to them, what disclosures are required, how you're going to keep this privacy policy updated, you really shouldn't be providing this service to your clients, because then you can be liable for that, right?
Because you're promising the client that you're giving them a competent privacy policy. And if you're not, and then they get fined for that, they could come after you. So you're probably not getting paid enough money for building the website in the first place to be assuming all of that different liability.

So why should you tell your clients about that? So it really helps you look proactive and professional. So you're showing them that you're aware of the latest industry trends. This is definitely the latest industry trend that is not going away. It's getting more and more important. So being able to give your clients that advice about other things on the website that they may not be aware of can help you look more proactive and professional, and just basically help you improve your client retention and loyalty. In addition, it can help you be better than your competitors. So if your competitors are just building a website and not informing the client of any of these things, and then the client later on finds out about these requirements, they're going to be like, well, my designer built my website, they implemented all these tracking features, all these forms, but they didn't tell me anything about this. You would probably look better as opposed to your competition if you were to tell them about this.

And then lastly, it can help you document this and protect your agency as well. So really you should document everything with your clients and have a contract with them as well, to help limit your liability and limit your damages. And the contract should specifically say that you're not guaranteeing compliance with any applicable laws, including privacy laws. If you're currently using a templated contract that you haven't had anyone review, just be aware of the fact that there are a lot of templates out there online that say that the agency guarantees that the website is compliant with all applicable legislation.
Make sure to take that out of your contract, or talk to a lawyer about that, because that is a horrible, horrible idea. But you can even have your clients sign a form saying, hey, I'm building this website. It has these features that collect PII. Just know that I'm not responsible for privacy law compliance. I'm not responsible for your privacy policy. Here's what you need to do to get one. And having the client sign off on that can actually help protect yourself too. Yeah, so since you're the one designing and implementing functionality that collects PII, your clients are looking to you for advice, and make sure you document the fact that you told them that they need a privacy policy, to protect yourself as well.

So when should you tell your clients about these requirements? So you can tell them when quoting a new project. So your statement of work should include the different features that collect PII. So for example, what forms you're building out or what features you're implementing, like are you implementing Google Tag Manager or Facebook Pixel or Google Analytics or anything like that. And then at the end you can add a sheet saying that you're not responsible for privacy law compliance. Before launch, you can also tell them then, so usually at that time you would be building out and adding a page for the privacy policy, terms and conditions, anything like that. So that's a good time to say that as well. And then also in maintenance plans, or really any time that it does come up, when your client asks about it or when you feel like it's a natural place to bring it up as well.

So where can you and your clients actually get privacy policies? So there are two different options. So the first option, which is the best option, is to have an attorney. So there are attorneys who work specifically in the privacy field, and those attorneys can write a privacy policy for your clients. It's not a good idea to use a general business attorney usually for this.
Privacy law is a very niche field. It's definitely a full-time job, because there are a lot of laws and a lot of new laws and a lot of changes. So you definitely want somebody who is specifically experienced in privacy. So what they can do is they can write a privacy policy for your clients. Basically, they would ask the client some questions, figure out what laws apply to them, figure out how to write the disclosures required by those laws, and then keep those policies up to date. If you are looking to use an attorney, there's a recommendation that I would like to make, which is: first, ask them how much it would cost to draft the privacy policy initially, and then also ask how much it would cost to keep that privacy policy up to date with changing legislation. That way you understand all of your costs upfront. If the attorney is confused by what you mean by updating the privacy policy with changing legislation, you should definitely get another one. The unfortunate part is that this can be an expensive option. So it can cost thousands or tens of thousands of dollars. It's a really good option for big clients, or clients that need special compliance like healthcare or financial data compliance, like they're a bank or a hospital or something like that. But it is an option that is usually not affordable to small businesses.

The other option is a generator. So a generator is a software-as-a-service tool, and basically what it does is it asks you a series of questions. So if it's a properly made generator, the first set of questions will help determine what laws apply, and then the remainder of the questions will be used to create the disclosures required by those laws. And then the generator will create the text, and then also update the text as laws change as well. They're really a faster and more cost-effective solution and can work great for a majority of your clients.
You can also generate policies with a generator and then share them with a lawyer to review, which is significantly cheaper than having the lawyer draft everything from scratch.

Okay, so I have some frequently asked questions here, but let me check first the Q and A to see if there are any questions in the Q and A here. Yeah, so Tracy asked, are web privacy laws different between the US and Canada? Yes, they are. So Canada has its own set of laws and the US has its own set of laws as well. Canada is much more of an opt-in model, which means that you would have to opt in to have your data processed. So you would have to say, yes, I want my data to be processed, versus in the United States, it's much more an opt-out model, meaning that data can be processed whenever and however, unless the user actually says no, stop doing that. So yes, they are definitely different. And yes, in the US it is different from state to state as well. And yeah, so that's the very confusing part about living in the United States, that each state kind of has its own set of rules, and more and more states are passing and proposing their own privacy laws. So if you're a business in the United States, you might have to comply with eight, 10 different laws if you're collecting data across the United States or doing business across the United States, which is usually the case with people.

Let's see here. Yes, so C-27, that one has been proposed, but it has not passed yet. So you'll see in the link, in June 2022 the government proposed the Digital Charter Implementation Act of 2022. So the resource in the chat just basically describes the bill that has been proposed, but it's not been passed yet. So it's not a law at this time, but it's getting closer and closer to that every day. And essentially what its purpose is, is to amend existing laws to further protect data from harms that are happening online. If you have any other Q and A questions, definitely put them in the chat. Okay, so here.
Okay, I deal mostly with small businesses in the U.S. If I have a single-page website with a contact form, do I still have to display a privacy policy, or if the form lives on its own page, do we display the privacy policy there? So not legal advice, obviously, but if your website is collecting PII, regardless of whether it's a hundred pages or one page or a landing page, you will most likely still need to have a privacy policy. So privacy laws do not change based on page size or the simplicity of the form or anything like that. So you will still have to have a privacy policy there. Usually you would want the privacy policy wherever data is being collected. So you'll want it in the footer of that page, regardless of whether the page is a full page with a form at the bottom or the page is just a form. You will still want that in the footer of that particular page. Best practice is also to get consent whenever you're collecting data as well. It is required by some laws. So basically what you would want to do is, at the bottom of the form, you have a little checkbox. Do not pre-check the checkbox. It's very, very important. And the checkbox should say, I agree with the privacy policy, and then it should have a link to the privacy policy, where the user can click on that link and it takes them to another page. And the user shouldn't be able to submit their information until they have actually ticked to agree to the privacy policy there. Especially in Canada as well, this is a very Canadian requirement too: get consent before you collect data.

Okay, what about passion projects? Like someone that has a food blog or a podcast, they'll most likely have tracking, ads, Facebook Pixel, et cetera, but they most of the time run at a loss, for personal projects, not a corporation. So it really depends on what you're doing with this passion project. So let's say you have a food blog, right? But on the food blog, you have affiliate links to Amazon Affiliates.
Like somebody can buy flour or pots or something like that. That could be a commercial aspect of the passion project, because you're getting paid through those affiliate links. Or let's say you have a podcast, but you're selling ad space on the podcast. You're making money from ads on the podcast. That can also be a commercial aspect as well. So if I were to create my own website where I were to, I don't know, keep track of things that I want to buy or keep track of family birthdays or something like that, usually you wouldn't need anything like that, because it's a personal thing that's done merely as a consumer. But if you have a passion project that you're trying to monetize, like AdSense or tracking with Facebook Pixel, you're running ads towards it, you have affiliate links, you're selling ad space on a podcast, you're having people contact you to be guests on the podcast, things like that, that's probably where it would cross that threshold into being more of a business experience. So you don't necessarily have to have a corporation or an LLC formed or something like that for the laws to apply to you. They can definitely apply to one-person businesses or one-person passion projects as well. So if you're doing anything more than just, hey, here's my recipe list that I use just for myself and nobody else even knows about the link, that's when you should be paying attention to this kind of stuff.

If the organization resides on indigenous territory, is there a different consideration? That's a really interesting question. I've never considered this, but I don't think there would be anything different there. So from any of the Canadian privacy laws, there is no exemption for indigenous territories or something like that, especially since information could be submitted from outside of those territories too.
So if I'm in an indigenous territory and I have somebody from Quebec submit their information to me, I would want to make sure to comply with those laws even though I'm on indigenous territory.

Okay, let's see, we have a couple of minutes here. Are there different considerations for education organizations? Yes, absolutely. So if you're running a school, tutoring, anything like that, anywhere where you're collecting the information of children specifically, children have extra privacy rights and extra privacy protections, just because they're such a vulnerable population. And then also, it's for the children as well; a lot of that data can follow them through the rest of their lives. Same thing with educational organizations, like somebody is in school or something like that, there are additional protections that are afforded, so you should definitely look into that too.

Can you please answer your first frequently asked question, who's going to sue me for not having a privacy policy? Yes, absolutely. So when it comes to violations of privacy laws, privacy laws are usually enforced by data protection authorities. So for example, in Europe, there are specific data protection authorities that are set up just to enforce privacy laws. In Canada, you have the Office of the Privacy Commissioner that's in charge of enforcing privacy laws and issuing fines and things like that. In the United States, you have state attorneys general, so those enforce privacy laws in the US. Here in California, we actually have a new agency called the CPPA, which was set up specifically to enforce laws concerning privacy. So those are really the entities that enforce laws. In the US, we also have a lot of proposed privacy bills that would allow consumers to sue businesses for privacy violations. So if those are passed, then consumers would be able to sue businesses directly too.

Okay, answer all the FAQs. Cool, is my business too small to need a privacy policy?
Most privacy laws do not care about the size of your business. So it doesn't matter what your revenue size is. It doesn't matter where you're located. It doesn't matter how many employees you have or how much data you collect. So for most laws, they do apply regardless of your business size. So you cannot be too small to actually need a privacy policy. And then lastly, can I just copy and paste a template? So that one, tons and tons and tons of templates online, huge issues with them. So first, they're not based on the laws that apply to you. So because your privacy policy needs to be based on the laws that apply to you, because that's what dictates what's within your privacy policy, your template is gonna be automatically not compliant. Two, most templates that claim to be compliant with privacy laws, and I've read like way too many of these in my lifetime, even though they claim to comply with the law, let's say they claim to comply with GDPR, they do not have all the disclosures required by GDPR, usually because they're written by somebody who does not have experience in privacy law. And templates do not automatically update. So whenever new laws are passed, things like that, templates will not update. So you will be out of compliance. And then lastly, if you have multiple laws apply to you, which is often the case, templates don't combine those laws together. So they usually will do only one law and then miss another one. So they're not a great option. Okay, and then if your website has clients in Quebec, California, Europe and other places, what's the policy you have to get? Do you need one for all places? So there's a lot of different ways to do this. So there are some companies that choose to have a privacy policy based on location. So you have one privacy policy for residents of Quebec, one for California, one for Europe, one for everybody else.
But really it's, it worked well a couple of years back, but now it's become a really, really horrible practice because let's say you have all these different privacy policies and you decide to change your practices. Let's say you decide to install your Facebook pixel. So now you have to update five different documents instead of just one. So the best way to do this would be to have one privacy policy that combines all of the disclosure requirements required by all of those laws. So everything's in one place and you have to update only one document, especially now that we're seeing, you know, 10, 20 different laws being passed in the United States. You know, you can't have 30, 40 different privacy policies because it's very confusing. It's horrible to keep up to date. It's just a mess. So combining everything into one is really the best practice now. And another thing that we see a lot in privacy policies is that you'll have like all of this information and then it'll have a chapter for California residents or it'll have a chapter for Europeans or something like that. It's a terrible practice because it just restates the same information and then your privacy policy is like a hundred pages and you have to scroll for a lifetime to read through all of it. Really the best thing is to combine everything together into one. So yes, thank you so much everybody for coming to my talk. Here's my email. It's Donata at termageddon.com. If you have any questions about this talk or anything about privacy or just want to chat, definitely feel free to send me an email and yeah.
