All right, let's, uh, I want to start this out with some interactive, you know, icebreakers. So can I have anyone raise their hand if they've worked with GDPR before? Okay, a lot of you. Keep your hands up. Keep it up if you've worked with CCPA. How about CPRA? Know what it is? Or CPA, or UCPA? All right, no hands anymore. All right, so these are the things we're going to talk about today, and I'm really excited to be here with you all and talk about Marketing Needs Privacy. I'm going to save some time at the end for questions, make sure we have time to do an interactive conversation about anything that we talk about. But I'm just going to go ahead and dive right in.

My name is John Doyle, president, founder of Digital Polygon. And the first iteration of this deck was built in collaboration with Rick Buck. He's the chief privacy officer at WireWheel; they're a privacy company, product company. And our information is here and will be on a slide deck as well. He couldn't be here today, but I still want to give him a call out for this.

So what are we going to talk about today? There's really three key buckets I want to talk to you guys about. The first is understanding the current privacy landscape in the United States. It's changing really fast, and it's going to go into effect starting early next year, with enforcement being applied. And it's really important that we, as web and marketing teams, start to understand what's coming so that we can prepare, maybe have these conversations. Otherwise what happened with GDPR is going to happen, and legal is going to come to us two weeks before enforcement happens and say, "Why isn't this done? Get this done," right? So, you know, I want to start preparing people for what's coming and how we can think about this from a website perspective and interact with these other teams that we have. The second is industry movement.
So talking about big industry and how they're responding to privacy. This is more just to reinforce that privacy is here to stay. It's not going to change, and it's going to become a part of our daily lives, which I personally think is a good thing as an individual. It's a really hard thing as a marketer and as a business owner, as our life is going to change over the next couple years, if it hasn't already. And then lastly, I'll talk about how privacy and your website need to interact, so that we can frame the conversation we have with the different members of our teams: our legal teams, our privacy teams, and our downstream vendors even, depending on what we're doing. And then I'll leave you with some useful tools and Drupal modules and things that could help you in this process, and we'll open up for Q&A at the end.

So jumping right in, this is the IAPP's state legislation tracker. This is a great resource available on the IAPP website that kind of gives you a high-level view of the United States: what bills are in progress, which ones failed, which ones were approved. And at a high level, 33 states have introduced 62 bills as of about two weeks ago. This was updated on the 7th, April 7th, for IAPP's big conference.
They had it in DC about two weeks ago. Five have passed through four states, so California has two laws. Colorado, Virginia and Utah have all passed in the last six to twelve months, Utah being the most recent, just passed earlier this year. And there's 29 bills that have died and 28 bills that are still up for some state of discussion. In addition to this, you know, GDPR is a big one that everyone knows about, but China passed PIPL, Australia passed the Federal Privacy Act, Brazil passed LGPD, and more and more countries are starting to jump into this.

I don't know, to be honest. I'm assuming both have agreed on some of these, but I haven't followed the federal side of things. It looks like more liberal states when I look at the chart here, but something to definitely dig a bit deeper on. Yep.

Another view that they have about the IAPP is the US state privacy legislation tracker. This gives you a list of every bill that's gone to committee, and it really gives you an idea, a high-level view, of what each bill includes. And it's not meant for you to read. I'll go into a little bit more detail, but this breaks it into two sets of rights. You have consumer rights, which is what consumers have the right to do when they come to your organization, to your business, and then you've got your business obligations. So this is: what are you obligated to do as a business to protect your users? And we'll get into this a little bit. I'm not going to dive deep in the laws for this presentation, but you can see here in the list some of the different rights that people have, and we'll focus more on the website side of things and how our website has to support these, rather than going into too many details here. But if we break this down to the laws that have passed, we can see CCPA, CPRA, CDPA, CPA and UCPA are the five, with the states, and you can see that there is some consistency here, which is great for us as implementers of these privacy laws, but there's also a lot of differences that we need to take
into account. If you've looked at any big sites recently, you'll notice that there's always a California resident policy at the bottom, there's a "do not sell" button now, and these all came out of CCPA. CPRA is going to extend California's enforcement and laws, and Virginia and Colorado kind of built off of CPRA. So those are somewhat consistent, but they're still going to have one-offs everywhere.

Go ahead. Sure, I can do my best. CCPA is California Consumer Protection Act, Privacy Act. CPRA is California Privacy Rights Act. I believe CDPA is Consumer Data Protection Act. CPA is Consumer Protection Act, or Privacy Act, and then UCPA is Utah Consumer Privacy Act. And if I got any of those wrong, they are on this slide in more detail, so I can send you a link to the tracker afterwards.

And the biggest difference here that we're gonna notice is that Utah, which just passed, is way more business friendly than the other three laws, and it has less user rights that you have to comply with. And that's going to make our jobs even more confusing as we go into a web and marketing implementation, that now I have to deal with different, not just by country, different laws, but by state. And how do I track this? How do I know where you're coming from? How do I know you're a California resident if you're on an IP address in Maryland? And these are some of the challenges that we have as web and marketing teams to look forward to here, coming shortly.

Privacy changes are moving fast.
Like I said, last year we started with CCPA. Now we've got another four laws that have passed, and there's two more that are in cross-committee, which are looking like they'll get passed here in the next six months. Things could change, of course. And what I'm looking forward to at some point is a federal privacy implementation, because that should help standardize this. But I don't personally see that happening this year, maybe next year. But something to keep an eye on, and, you know, the IAPP resources are a great place to look for that.

So when we look at September 2021 to April 2022, we take the same graph, and you can see that the color coding is extremely different. This is how fast bills are introduced or killed and move forward. And I'm not going to spend a lot of time on these slides. I just kind of want you to see how fast this landscape is moving just in the last six months. You can see how different the sizes of these charts are. Just in the last six months, we've had more than double the bills go into cross-committee or above, with new states throwing laws up basically every other week, and a lot have also died in committee or somewhere through the process. And you can look at what these laws included in this table in more detail if you're interested in getting more details on it.

Right, so one really important part of this is: when do these go into effect?
So these laws were passed in the last two years, and now we need to look at, okay, when does enforcement begin? Because that's really what our timeline is as web teams and marketing teams to implement these changes. The answer is January 1st, 2023. California Privacy Rights Act and Virginia's Consumer Protection Act go into effect on January 1st, 2023. Some of the guidelines for enforcement aren't even out yet. Last I heard, we're expecting those sometime in September. So that's likely when, you know, your legal teams are going to start pinging you, and if you haven't done any prep work, then your Q4 is going to be probably a little hectic if you have to comply with these laws. Colorado Privacy Act is going to be July 1st, 2023, and then Utah is going to be the end of 2023, on December 31st. So this is kind of what the timelines are looking like. We'll see when new bills get passed how they add them in and how much runway you have, but this is kind of what we're working towards here with most of our clients.

And on the privacy law side, you know, privacy is here to stay. There's more international laws. There's more US laws. This isn't gonna, you know, we're not gonna wake up tomorrow, this isn't going away. So we need to start preparing for it as web and marketing teams, and we need to start building foundations for being able to support this. And the new laws closely resemble GDPR, but everything in the US from a marketing side is opt-out, whereas everything in GDPR is opt-in.
So there are differences here in how you have to act with these different laws. And that means that, you know, your marketing team or your sales team is definitely not going to want you to throw a GDPR cookie banner on your site and stop tracking everything if they don't have to. So now we have to get way more granular with how we implement these solutions, how we target users in different locales, and how we work with our downstream vendors as well.

So with that, I want to shift a little bit over to the marketing side and the tools that we use. And I really love this quote by Tim O'Reilly, because it's "who has the data has the power," right? We have the data that we use to personalize people's experiences, to give them a better user experience, to inform decision-making, and to really improve our products or features. We use this data for tons of different things. It's our responsibility now to be responsible for that data. A lot of times as marketing teams we're using tools that we have no idea what else they do with that data. We're not reading through the 60-page contracts to say, how else are they using the data that I collect when I put this marketing pixel on my site or this heat map on my site? And these are the things that these laws are starting to push and protect. And, you know, it really is up to us and up to these vendors to start taking responsibility for this data. We have to protect it and really respect our users' rights to their data.

So with that, let's look at how the industry has started protecting their data in the marketplace. And I like to show this because it'll give you a good idea of how much privacy is impacting business. And if all of the big guys are doing it, it's definitely going to trickle down to the rest of us, right? And it's going to impact what we do. So the first thing I like to talk about is the rise of privacy browsers. You know, they still don't have amazing market shares.
They're not going to overtake Google tomorrow, but they do exist and they are being used, and a lot of the reason that you can't see how much share they're taking is because they actually block giving you access to what browser they're using, right? Privacy first is what Brave and DuckDuckGo do, and this is already going to start impacting your ability to market as more and more people start using these tools.

One thing that I pulled from IAPP last week, this isn't even out yet, by Google, probably the best release I've seen around privacy for Google, is putting out this privacy guide. And Google Chrome has a lot of privacy features in the tool, but this is the first time they've provided a nice user experience to guide people through how to use that. So this is going to start impacting our ability as marketers, third-party cookies and other things like that, because it's going to allow users to more easily go and manage their settings in Chrome.

Third-party cookies are going away. Obviously this has been in the news all over the place for Chrome. They pushed it back to 2023, but it's still in the roadmap. It's going to disappear, something we need to be aware of and start looking at different tech stacks to deal with.

The end of Google Analytics 3, this is again pushed to July of 2023. If you're not on GA4 yet, it's probably time to start looking so you have data. The collection will stop in July of 2023. They won't delete your data for six months is what they're saying right now. But you can run GA3 and GA4 at the same time right now, so there's really no harm in you starting to get GA4 set up now while you start to learn to use it. If you have played with it, you'll know it's a bit different than GA3.
It's not just plug and play, so you want to prep for this well ahead of time.

And Apple is one I love to talk about. Tim Cook actually keynoted IAPP two weeks ago, and some of their privacy features here, if you've seen the headlines, are costing Facebook, what, 12 billion dollars is what they just said. So these are going to continue to impact our ability to do business. So Mail Privacy Protection. So if you sign up for, uh, an app on your phone, if you have an Apple phone, it'll now actually put in a fake email address that proxies back to your real email address. So Google, I mean, Apple is the only one with your actual personal email, and when you sign up it uses fake emails so that if anyone else has a data breach, you're not impacted in that way. And, uh, sorry, that was the Hide My Email. The Mail Privacy Protection: if you use Apple Mail, it'll actually remove all the tracking pixels from your emails. So I don't know how many people here are marketers or salespeople that have tracking on their emails, where you can see when people open it and see click-through rates and open rates, but Apple's mail system actually blocks these so that people can't track what you're doing in it. And you have to use their app for this to work, but, um, that's really going to impact our ability to calculate metrics, to, you know, figure out if our campaigns are working or not. And, you know, these are the things that are coming. And Safari, of course, has been blocking third-party cookies by default since 2020. Chrome is going to catch up next year. But these are definitely important things for us to think about and us to start adapting to. And hopefully it gives you an idea that, again, this privacy thing is not going to go away. It's just going to continue to impact us, and if we don't change, we're going to be left behind.

Right, so we talked about kind of the current privacy landscape in the United States, we talked about some industry movement. Now let's talk about how this impacts us and how we should start
thinking about this as website owners and marketers on our websites. I like to break this down into three simple buckets. Uh, really, with all of these laws, from a website perspective, we need to provide information to users. This is telling people what we do with their data. You probably already have privacy policies. You have in there: what cookies do we use? What information do we collect? How do we process that information? Some of these laws go beyond that. What are my rights as a California resident? Um, that's what providing information is all about.

The second bucket is facilitating requests. So as part of these laws, I as an individual, if I was in California, have the right to request access to my data that you have, to delete that data, to rectify my data. There's some portability laws in there. So you as website owners, especially now that COVID is here, your website is really the place where people interact with your brand. No one's picking up a phone and calling you. Most sites, like organizations, don't even have phone numbers to call for this. So you need a way on your website to facilitate these requests. It can be as simple as an email in your privacy statements, or can be as complex as a fully automated form that sends tickets down to your downstream systems. Um, but, uh, your website really needs to support that.

And then managing consent is the last one. So this is do not sell, this is cookie compliance, um, do not sell my information, and, uh, there's an automated decision-making consent in there too.
Um, so, uh, these are the things that you need to provide your users with.

If we take a look at it as more of a logical diagram here, we're not going to talk about email and social too much today, although that is likely part of your stack. But your website sits on top of all of these tools that collect data, that you pass data through, and that you interact with on a normal basis. And a lot of these laws are going to require you to take those preferences that users set and make sure that all of your downstream systems respect them. There's also this idea of being able to keep a log of when a user opted in or opted out, so that you have this audit log, so that when some lawyer comes and tries to sue you for this information because this user opted out, uh, I say, well, we have it here that they did, or we have it here that they didn't, and what went wrong and what went right. So something to think about, um, as we're managing these consents and collecting this consent, is how do we prove it?

So I won't go into more detail on all of these, uh, for here, but I do want to actually look at some examples of websites that do a good job of providing this information. And really, big industry has already started complying with the laws that are out there and are good places to look for examples if you need some inspiration. This privacy and security center is actually Home Depot. I think they did a really good job of breaking out their information. They've got tables for displaying what cookies they use, grouped by category, and what they do with each type of this cookie, and how they process that data, who they share it with. And this is about saying what you do. If you're open and honest about what you do with the data, you should be fine. One thing to note is you are going to change what you do with your data as new tools come on, as new products come on, as new processes open. So this isn't a set it once and forget it.
This is: I need to build a process around this with my team, so we're interacting on a regular basis to keep this up to date and keep it relevant. And that's again probably going to fall on the marketing teams, because they own the websites. Not something that we typically do right now.

Facilitating requests. This is an example of a DSAR form. In the industry, data subject access requests is a lot of what this realm is called. So delete, access, rectification, portability. There's some opt-out category access requirements under CCPA here. And there are tools and vendors out there to support you if you want to automate these DSARs, but I've seen plenty of organizations just provide email addresses and run it through a manual process behind the scenes. Large organizations, I believe they passed a law last year, a requirement that, um, they have to actually publicly post how many DSARs they got, how fast they were turned around in, and how many they approved or rejected, and make that publicly available to everyone. So you can actually see, uh, how fast they're turning these things around and how long it's taking for them to execute these requests. And we'll see more automation come into the market as things pick up here.

Um, and lastly, managing consent. Um, again, these are cookie notices, these are do not sell opt-outs. And one thing that I thought was pretty cool is this Global Privacy Control. We'll talk about it more here in a minute, but, uh, this Global Privacy Control is an open standard that they're trying to push in the United States to say, um, I've chosen to opt out of do not sell, and a way for the rest of, uh, companies to respect that. Right now it's very granular. It's all browser based, and there's no way for you to universally opt out unless someone respects something like this. So if I go to one website and opt out there, I go to another website, I have to opt out there. If I open a new browser, or my phone.
It's all very manual and segregated. Um, so finding a way to centralize this and allow users to choose is what this is going after. How many companies actually pick it up, because it hurts their ability to market, we'll see. But it's out there, and it's definitely worth taking a look at.

And with that, there are tools to help you. Drupal modules. Open source enables everyone. So I couldn't come to DrupalCon without pointing out some Drupal modules that were here. Cookies Consent Management and GDPR are two good ones to get you started. You will see disclaimers on all of these modules that say installing my module does not make you compliant. This is something that a lot of teams don't fully understand. Just by installing a tool and putting a banner up doesn't mean I'm compliant with these laws. And this goes for a lot of, like, third-party consent management tools too. If I've got a tool that enables consent, but if I don't hook that up to my tag manager or use their tag blocking scripts or something like that, I'm not actually compliant. Clicking that button does nothing. So I've seen a number of implementations that have kind of fallen off the rails because of that. So it's important to understand a little bit deeper about what this tool is doing for you and what you need to do yourself.

And there's a number of vendors that can help you. A lot of these vendors have Drupal modules to integrate their third-party products to help you. Of course WireWheel is a great one. They should have their Drupal module out, I think, last, next week, hopefully. So we're creating that for them and we should get it out. Usercentrics and consentmanager.net are two cookie consent tools, and all the big cookie consent tools have GDPR, and then they have additional versions for CCPA, and they'll have the other laws being added as they go into enforcement. And they're taking care of a lot of the geolocation and the different nuances of each law, so that can help you really get some speed out of
their tools if you try to choose to go with a third party to support you. But you can do it yourself if you have a team willing to do that.

Um, again, the GPC. I won't talk about this too much more, but there are also Chrome extensions for DuckDuckGo, for example. I don't know how many of you use that, but it'll block marketing scripts, it'll enable GPC. Um, and the first time I heard about it was this tweet from the old attorney general from California. Um, and like I said, it's not at a mainstream level of adoption yet, but I think anything that sets a standard that we can comply with, so there's not 5,000 different ways to do it, is a good thing in my book. So highly recommend taking a look at it.

And then I couldn't leave without talking about the DAA, the YourAdChoices. If you go to privacy policies around the US, you'll see links to YourAdChoices in almost all of them. There's not a great way for you to tell downstream vendors to change the way you adapt information, and this is kind of how it's done right now. So there's about 126 supporting organizations in the DAA, and if you click on the link, you go there, it'll give you a list of all those. It's like Facebook, Google, etc. You can check out which ones you don't want to retarget you and automate decision making for you, and save it, and that sets some cookies on your browser that should limit the way that they use your data. You as a marketing team can't really control this. So it's an interesting thing that's going to continue to happen over the next couple of years, I think, with vendors supporting this or not. Facebook released LDU, Limited Data Use, I don't know if you're familiar with that, to allow you to flip a switch on how this user is being retargeted to for ads with Facebook. But it's all over the map right now. And for the YourAdChoices, I go on my phone, I go on a different browser, I clear my cookies.
It all resets. So it's just something that us as consumers, if we're going to do this, need to understand. And like I said, it's a pretty complicated market here.

Um, Google consent mode is primarily targeted at the US. If you've done GDPR, you're probably familiar with the TCF 2.0 framework. Google's products are already compliant with that framework. But if you're not implementing GDPR and you need to implement a consent mode, Google's consent mode is a good one to set up with Tag Manager. And it'll pass this data through to the Google products to change how the consent status things for Google Ads happen. It'll change some of the way Google Analytics work with what data it actually collects, to make sure that you're respecting these policies that are in place for this. So highly recommend taking a look at it if you're not doing GDPR and you need to comply with these laws. It could be a good way to get you started.

Um, right, with that, so key takeaways. I just want to reinforce that privacy is not a button at the bottom of your screen. That doesn't make you compliant. Your organization has to be responsible for understanding these laws and what's coming, or you're going to be hit with enforcement.
I'm sure there's already law firms lining up for the January 1st enforcement, just like they did with GDPR. So it's important to get ahead of this.

Secondly, I took this from Rick: if you do what you say and you say what you do, you should be fine. Um, obviously work with your privacy teams and your legal teams to make sure that you've got these things figured out. But, uh, it pretty much is as clear as that. If you're transparent with the data you collect, you know how your sub-processors are using it, you know what your organization is using it for, and you can say that, and then you can protect that data and choose what you do with it, uh, it really is as simple as that.

Um, and then, you know, ending it with giving users the power to choose. Um, that's really what it comes down to. I as a consumer should be able to choose how you use my data, um, just like I do if I walk into your store. Kind of. But yeah.

So, um, all right, so I want to leave you with one thought. Uh, together we can build a better internet. I truly believe that privacy is a new pillar to building foundational websites, right next to accessibility, right next to security. It's our job to protect users' data and their rights. And I think if we do it together, the internet will become a better place. I'll leave you with slides with some resources to those IAPP diagrams I had. Also WireWheel's privacy law comparison table. They have an interactive table that has all the different privacy laws and a lot of information comparing them. So if you're interested in digging a little bit deeper, uh, it's a really good resource for that. And with that, thank you all for coming, and I'll open up to questions and we can keep talking.

Sure. So the question was, why wouldn't I just take the most stringent standard and implement with that? The answer is probably because your sales and marketing teams would get really, really mad at you. Um, you know, if we're being good stewards and doing privacy first, it's a way to do it.
But when you're talking about business and you're talking about revenue, because it has direct impacts, uh, it becomes a much harder conversation within your organization. That is what I'm seeing around the market. Yes, it's a different policy for every place, and we're doing as little as we have to to be compliant with the laws. Um, hopefully that changes with the federal regulation and we can be more consistent. But, um, we're just not there yet. So it's really up to your organization how you want to interact with this, how do you want to get ahead of it. And, you know, if you think about, uh, first-party data versus third-party data, maybe you have some more power if we go away from the third-party data tools, that you can build trust through users and gain that consent back.

Yep. So that example, uh, for the DSAR forms was actually an example of WireWheel's. Um, it was their DSAR product, and, uh, yeah, if you take a look at their website, they've got demos and interactive content for that. I could probably send you a link of a few sites afterwards.

Sure. All right. So the question was, uh, there needs to be a connection between legal and marketing teams, and is Google or anyone else going to put information out to help facilitate that? Uh, I doubt Google will. Um, but I think a lot of these, uh, privacy product companies and privacy management consulting companies, uh, will help you do that. And with the business obligations, there's also privacy impact assessments and, uh, things that organizations are forced to do, um, which they also help with. And that's about mapping your data and doing assessment of how you're storing personal data and how much risk is associated with that, uh, that you're required to do under some of these new laws.

Sure. Yeah. So the question was, uh, how do we comply with these laws with users who, like, how do we tell where they live? If I'm a Virginia resident or a California resident, but I'm in a different state or a different IP at work.
How do I, uh, make that decision? And, uh, the answer is I don't have a good one. Um, you know, on your websites, you'll see, like, statements at the bottom of the website for, if you're a California resident, you get these benefits, you can execute these. So for DSAR processes, uh, a lot of the automation frameworks for validating this user is who they say they are, which you need to do if you're going to give someone access to all the information on them, there's a lot of, like, uh, KYC validation processes. You have to upload, like, your ID or things like that to validate you are, uh, actually who you say you are. Um, so that's one piece of it. For actual do not sell consent, um, I haven't really seen good enforcement, uh, parameters on that. A lot of people are geotargeting, uh, California, but again, it doesn't capture everything. So, um, you know, I don't have a good answer on that. It's really up to your legal team on how, uh, they want to control that and how much risk they're willing to accept. And do we just allow anyone that wants to click do not sell to be enforced or not? Um, or, you know, is it only if you're in California, not using a VPN? Uh, you know, it's a legal decision in my mind, based on risk. Does that answer your question?

Okay, anyone else? No? All right. Well, thanks so much, everyone. I really appreciate it.