 It is an absolute pleasure for me to be here. Food, wine, amazing people, outstanding organizers, amazing sponsors. Thank you so much for putting this together and allowing me to be here. So as she said, I am a U.S. privacy and technology lawyer. I work with a lot of the digital agencies that you know and love. I work with everyone from freelancers to large companies handling their tech issues such as trademark, copyright, contracts. And most recently I've been working with companies on privacy and GDPR. You all have been very familiar with it for a long time because you've had two years to kind of gear up and learn what it was about before you started implementing it. And during privacy by design, the U.S. I don't know if we thought that it just wouldn't apply to us or we didn't need to get ready for it, but it really kind of hit the U.S. as more of a surprise even with the two-year window of opportunity. And we had companies that were rushing to meet that May 25th deadline and really companies don't know even their in-house attorneys don't have the background or experience in privacy law to even know how to talk about it intelligently or effectively. So being in this space right now, finding especially in the U.S. an attorney that knows about privacy law and can advise on GDPR and EU law is very good to find. It's a really great business to be in. But similarly, we're starting to legislate U.S. privacy law and we're going to make things very interesting for you in return, which is why I'm here. So I know you guys would be disappointed if I didn't do my attorney disclaimer of, yes, I'm an attorney, but I'm not your attorney. So this will constitute information for informational purposes only and is not legal advice. So now that we got that out of the way, I hope to have time at the end of the talk to answer any of your questions. And I would love to have a discussion with you later if you're out and about and you have questions, you can always email me. 
I love talking about privacy law. Everybody says, oh, I'm a nerd. We all have things that we're super nerdy about and law is my jam. So please contact me if you have any questions. So in looking at differences in privacy law, it's important to understand kind of all of it, where it comes from, the different cultural approaches and legal approaches because it affects how we not only legislate the issue, but how you all design. So in Europe, you guys have more of a privacy as a fundamental right. There's been a lot of, unfortunately, religious persecution, inquisitions, genocide war, things that have really valued, there's a value placed on privacy and identifying information such as your religion or your background. Your information, your fundamental right belongs to you, which is very different from the U.S. And you have an opt-in culture where we tend to have more of an opt-out. You also tend to trust your governments more and your companies less, where we tend to not trust companies and distrust our government. And this is important because our approach to valuing free speech and your approach to valuing privacy means we haven't done a lot to legislate or protect privacy in the U.S., pretty much at all. And we're working on that. So from a legal approach, the EU has come together, 28 different member states and countries have all come together to legislate one unifying body of law that oversees everything. And while you have member states that can create some laws that are slightly different where you can change the age of adulthood from 16 to 13 for enforceability of GDPR, the U.S. functions very, very differently. And the fact that we don't have an overarching federal law across the U.S. is really done individually by the states at this point, which can create a lot of havoc and make it very difficult to comply. 
You also tend to legislate and do things through hard law, meaning you have a GDPR regulation, you have an enforcement body of people, the DPAs that will actually enforce it and come after it, where a lot of the legislation and laws in the U.S. are soft law, they're suggestions. Our FTC has marketing guidelines where they're not, if they're not enforced, they're really not followed because in the U.S. we are looking at legal penalties rather than a fundamental privacy right. So talking about, again, our legal approach right now in the U.S., the real privacy law per se that we have in effect at a federal level, the only law that I can think of is the Children's Online Privacy Protection Act, that's COPPA, and that affects through the FTC companies that market and target towards children 13 years or under. This law actually talks about children's privacy and what you need to do as far as getting parental consent and things like that. Other than COPPA at a federal level, we have laws that are specific to industry, very fragmented approach to privacy law, so we have HIPAA, I don't know if any of you are familiar with that if you work in the health industry, so HIPAA has similarities with GDPR in that they require business associate agreements. Our health profession through HIPAA is responsible for vetting their vendors and making sure that the people that they do business with protect privacy to the same level that they're required to. And we have the Gramm-Leach-Bliley Act, if any of you are in the financial sector, that also discusses the information that can be collected, who it's able to be disclosed to and the accessibility. Those are two industries. That's a lot of industry and a lot of people that are not covered by privacy law in the U.S. outside of health and the financial aspect. So as I said, we tend to legislate at a state level as opposed to a federal level, and I'm gonna talk to you today about California law. Why California? 
Because California, like Germany and/or Great Britain in Europe, tends to lead as far as privacy law is concerned. So you can see the Data Security Breach Act was passed in California in 2002. They were the first to have a data breach law on the books. We just got all 50 states to have a data breach law in effect as of March of this year. So for 16 years, there were people, citizens of the United States in certain states that didn't have the right to be notified if their data was stolen or leaked or anything like that. And so a lot of the states merely took California's law and passed it through their own. So we always look to what California's doing to see what the rest of the United States is going to do. Also, CalOPPA is the premier privacy law on the books before GDPR came into effect. That's what we were really going off of, and it merely requires the privacy policy that you have one, that it's on your home page and certain disclosures, but it is nothing like the comprehensive level that you guys have taken into GDPR. If you comply with GDPR, you're automatically complying with CalOPPA because it's kind of bare minimum. Did you have a question? Okay, I just want to make sure. And also, California's the fifth largest economy globally. So it's not just within the United States. It functions with... We have Amazon, Google, Facebook, Apple, headquartered in California. So again, this is where our tech industry is located. This is where they have their lobbyists. This is where they're most active. So again, California law is the one to look at if you're doing business with the U.S. and you want to know what you need to be complying with. We're talking about the California privacy law today. Again, number one, because it's in California and it's very important, but number two, it's going to change and evolve over time. It was passed in July. It's already gone through committee and had some revisions. And it doesn't necessarily apply to everyone. 
I've included here who this applies to, and you can see it. They're really targeting larger companies, global companies. So this might not apply to everyone right now, but we're also in the U.S. now starting to talk about privacy at a federal level. Maybe we should have a unifying body of law that would make it easier instead of having 50 different states have individual laws. So we're looking at California to kind of shape the direction of that conversation for us. So I kind of think that even the title of this law is somewhat misleading because it's called the Consumer Privacy Act. But to me, it's really more of a consumer protection act because it focuses less on privacy. Again, as a fundamental right in the EU and more on trying to regulate what businesses can do with the information after they've collected it. It's not focused really on my rights as, you know, Ryan the individual. It's really what can they do with my information as far as selling it to third parties or reselling it or not. So you have the information as far as who does it apply to. Another major difference between EU and US is how it's applied in EU. Everyone located within the EU is covered by GDPR regardless of whether they're a resident or a citizen. In the US, it's based on citizenship of the specific state. So in order for this law to apply, you're looking at collecting information of California residents which means you have to know if they're located in California. You're doing business in the state and one or more of the following. So again, the good news is this law right now as drafted is not overly applicable to smaller businesses, which a lot of people were complaining about GDPR. It's hard for smaller businesses to comply. One major difference between the two is how we even classify what's being collected. With California, we're calling it information versus data. 
And the information that's being collected under this law not only includes all of the personal data collected under the GDPR, but also includes households. How do you define household? It also includes devices on the IoT or the Internet of Things. This is including all of your Alexa, your Google Homes, anything that's collecting statistics about you. That's now considered personal information or consumer information under this law. And when it's looking at identifying an individual or a household, even things as basic as your annual water consumption or your electric bill are considered personal data and are not allowed to be resold under certain circumstances. Penalties. Everyone loves this part. Okay. So I think everyone, we all know about the penalties under GDPR. We all know about the percentage and the euro and the reprimands and everything like that. So under California, this is a huge shift and change from the way that the U.S. has viewed privacy or consumer protection in that they've now included a private action right for an individual to sue you, to sue the company. Okay? So we've always had statutory provisions. If you break this law, the attorney general of the state of California who would regulate it or pursue the action can fine you under the law. And now if you breach my data, not only can the attorney general come after you and punish you, but I can sue you and get paid for harm caused. There's two ways for me to get money from a business that has breached my data. One is the statutory minimum or maximum, which is that $100 or $750 per California. It's per resident, so if you have thousands of people that have, you have a data breach, each individual can sue you for these amounts. If they're what? If they're Texans right now, Texas doesn't have a law. But please understand, so far we've had four states already enact brand new privacy laws. 
I believe it's Vermont, Colorado, California, and I can't remember the fourth one off the top of my head, but that's the problem right now. We have these individual states that are saying our citizens are entitled to this. And even doing business as a U.S. business, if I have to comply with 50 different laws and 50 different residents having all of these different rights, it's incredibly confusing. Even this law as drafted conflicts with California's own laws. They're in the process of refining this and going through it, but it's overwhelming and the U.S. is more and more seeing that this way of doing things is ineffective and it's going to make things so difficult for people outside of even the U.S. to do business with us that it can hurt our bottom line. And this is a great thing, I think, for all of us that the U.S. is seeing that this is a problem. But that's also, I mean, we're kind of having more of a discussion at this point than the presentation. But again, I mean, this is the conversation that we need to have and that I want to be having with the WordPress community. But yeah, so this is, in WordPress, we have the ability to shape the actual organization and the tools that we use. We have the ability to change the way the laws are drafted and to create communication between our legislators. I hope some of you had the opportunity to watch the Facebook congressional hearings. Hilarious. I mean, the questions that were asked were embarrassing. How does email work? These are the people that are drafting our laws that don't even know about technology or how it even functions. And if we, as a technological community, aren't reaching out to them to say, this is how it works and this is how it functions, expect to get laws that make no sense for you. Expect to get laws that are going to put you out of business or hurt your customers because you did nothing to step up and help the situation. In the U.S., we have now a tech congress. 
I've shared the link on my Twitter, so my clients and friends can join that. I don't know what you have in Italy or specific countries and organizations that you're involved with, but step up, have meet-ups, be talking about this and be talking to the people that are making the laws and help them understand. So that's just my little shtick and we can talk about that more. The other key difference between the California law and GDPR is the 30-day right to cure. So the California, if you write the company and say you've breached my information, I'm going to sue you if you don't change it. They have 30 days to change it. If they do, you're not entitled to statutory damages anymore. So that's a good thing for businesses that are actually trying to do the right thing. Now, differences between the actual individual rights under GDPR and California. California's law is more interested in the stories of information. It's a lot less comprehensive as far as the data that's being collected and what the companies actually have to conform to. Again, California's law is looking more at the sale of information and resale of information. So I have this here. The slides are going to be available. I don't expect you to read all of this. And again, you can ask me questions. But the other key difference here is the portability. California says, yes, you have the companies have to provide the data information in a portable format, an electronic format, but they're not necessarily required to forward that on to the next vendor. Right to erasure. When it applies is actually different. Again, you guys see, I don't want to say you guys, but the EU sees it more as a fundamental right that applies and really goes through the list of when you have a right to erasure. California is taking this approach where they have to erase it if I ask them to. So it's a lot less explained as far as they have to erase it under certain circumstances. 
If I ask them to erase my information because I don't want them reselling it, they have to. And there are, again, some exceptions and the exceptions are different. So if you're looking at GDPR versus California, knowing these exceptions is going to be incredibly important. But if it's for security purposes, making sure that you don't get breached, they're allowed to keep my information to better protect the system and other users, public interest, certain things like that. I want to make sure you get that. Again, the difference between EU and US is right to opt in and right to opt out. So with this law, it requires that companies provide US or excuse me, California citizens the right to opt out because we're automatically opted in. And you must have a clear and obvious link. This is the type of thing that you're looking at from a design aspect. You must have a link that says, do not sell my personal information. It must say that specifically. And it must link to my ability to opt out. So that's important. And of course, I pair that with your right to object. The right to object to processing different data and how it's defined under GDPR is very, very different than what we're looking at in California. Again, because California is looking at the sale of information and GDPR is so comprehensive as a privacy right as a whole. Duration. Here's what I found interesting is under California, you must respect the consumer's decision to opt out for at least 12 months before you can ask me again. So I know that you guys are familiar with the ePrivacy Directive which will be the regulation soon. And yeah, you're not allowed to ask me 20 times whether I'm really serious and I really didn't want you to sell my information. But the U.S. was like, yeah, you know, 12 months. Hey, were you serious? Can I sell your information? So I did a summary of the differences and what the California law entails. But I want to tell you guys the other major provision here which is groundbreaking. 
Not only do we now have the individual right to sue for breach of data. We have a provision in this law that says that anything that tries to waive or limit a consumer's rights is null and void, which is our arbitration and our class action lawsuits. So where before people could put in class action waivers and you would not be allowed to have class action suits, they've done away with all of that. So expect a lot of the larger companies to not only be dealing with individual people that are suing but a lot of class actions. And this is going to be a huge moneymaker and deterrent until we have come up with some other kind of legislation. So the other aspect that I didn't really touch on, I just wanted to make you guys aware, toll-free phone numbers. If you're doing business in the state of California and you meet those requirements that I talked to you about earlier, you're now required to have a toll-free number and specific mechanisms in place for California residents to contact you and discuss the removal of information and the specific rights. So what happens now? We've touched on this throughout my talk. The U.S. is talking at a federal level about enacting privacy laws. The Department of Justice has reached out to or allegedly reached out to tech companies to open a discussion. The tech industry is very concerned about what's going on. We see the congressional hearings, but this is something that we in the U.S. are talking about and it's something that you guys need to be looking for. Privacy Shield suspension. I don't know if you guys are aware of this, but the U.S. was told that they need to comply and make certain changes under the Privacy Shield by September 1. There's no output as far as whether that actually happened. And if Privacy Shield is overturned, that's going to be a huge issue internationally for everyone involved because that was our cross-border transfer of information and the way that a lot of U.S. 
companies were doing business and complying with GDPR and cross-border transfers. So they're going to be having, I think their second or third annual meeting later this month for Privacy Shield and EU to determine what they're going to do about the U.S. You guys are welcome. And moving forward. And again, I don't know if you are familiar with Schrems, but that was the major litigation that had to do with the contractual clauses, the mechanism for cross-border transfers that were the pre-approved and binding corporate rules. But that is now being referred to the ECJ, the 2.0 version, to see if those contractual clauses are going to be upheld or not. So, I've told you all, you guys can get involved. If you saw Release 4.9.6 and the export tools, you guys can thank the core privacy team who worked tirelessly, Leo Postovoit and Heather Burns. Shout out. They worked tirelessly to get this done and included as well as the privacy policies, but as the laws change, as technology changes, we need to start integrating certain tools into WordPress, and you can be a part of that. Not only if you're a developer in a design aspect, you can contribute in that way. If you're like me and you don't have this particular set of skills, you can contribute your knowledge of the law and help proof privacy law. But there's a way that you can contribute to WordPress marketing, core privacy, accessibility. Just get involved. It's an amazing thing. And here's the information for how to get involved on Slack. You can always message any of us individually. We would love to talk to you and work with you. I did my special thank you. Heather Burns, if you are not familiar, is very well known in the EU. She spoke at WordCamp EU, and had an entire workshop on developing for GDPR. Her website online is a huge wealth of information that was very influential in my knowledge and my ability to do this in the US. And she is on top of all of the latest. 
So definitely follow her on Twitter because she'll have all the info you need. So you can follow me. And again, please do send me questions, emails, whatever. I'd love to talk to you about this and see how we can work together.