 speaker. Riann Kinney is the founder of the Kinney firm and is a licensed Florida attorney, legal consultant and author with experience in market and business strategy. Today her firm represents and advises founders and businesses of every size across industries in the areas of corporate information, copyright, trademark e-commerce, as well as strategy and long-term planning. Today Riann is here to talk to us about CYA, your site. Do you guys know what CYA is? It means cover your assets. Let's put your hands together for Riann. Good afternoon. By a show of hands, how many of you have privacy policies on your websites? Fantastic. So as he mentioned, I am an attorney and I spend most of my day advising people how to get out of scrapes that they've gotten into, which is why I'm here to talk to you today to hopefully make sure that you don't get into that situation, because preventing an issue of legal matter is a lot cheaper than having to deal with it once something has gone wrong. So in looking at CYA and your site, the two main things that we're going to be talking about today are privacy policy and terms of use. The reason that you have the legal documents on your site is threefold. One, for compliance with laws. Two, to establish credibility with your clients. And three, to deter lawsuits. So when we're looking at compliance, a lot of people don't know still that they are legally required to have a privacy policy if they collect any personally identifiable information. What's personally identifiable information? Email address, name. Practically anything in a contact form means that you're required to have a privacy policy under California state law. It's CalAPA, the California Online Privacy Protection Act. Why are we talking about CalAPA in Florida? Why do we care about California law? Because if you collect any information from a California citizen, if they're located there, you're liable for that law and you can be sued in California for the violation of that law. Similarly, some of you may have heard of the recent international development with the GDPR, the General Protection Data Regulation. This has been a move to standardize data protection across the EU and also Great Britain. And they've actually broadened the scope of identifiable information. Now they're not just talking about collecting data such as name or email address or something like that, but they're actually talking about collecting photos, biometric data, and IP addresses. And similarly to how we do things in the U.S. with the California law, you're liable and you're responsible for adhering to this law if you collect any data from citizens of the EU. Again, we're talking IP addresses, so how are you going to limit that exposure? Outside of adopting the privacy policy and conforming with the law, there are, I'm sure Syed can tell you with the shopping carts, you can actually limit jurisdiction by not allowing certain customers to purchase your product. But again, when they're visiting the website, you're going to want to conform to these laws. Another distinction that the GDPR makes as different than the U.S. is they actually differentiate the type of information collected in the two categories, being personal, identify information, and sensitive data. And sensitive data actually has even more stringent requirements for what you have to do when you're collecting the information. You have to get clear and unambiguous consent when collecting this information now. So they differentiate the types of consent by the types of data you collect. And the sensitive information opting in is the only acceptable way of collecting this sensitive data. So if you're collecting somebody's health information, their height, their weight, their ethnicity, their religion, if you had any of that that you were required to opt in, you cannot have a checked box anymore. And when we're looking at where the law is going, adhering to that now, before number one, you get sued, but adhering to it now when it's such an easy fix and opting in is just great practice. Even if the law didn't require it, I mean, there's a business and legal balance that you have to do. Obviously, you know, Syed was saying, you know, if somebody has something in the cart and they have to create a user account, are they going to leave your site? Where you can have people take that, that actual physical act and check a box, you're going to want to do that. So talking about terms of use, again, anytime you put a website, and I know a lot of you already know, but any time you have a website, you're putting it on the world wide web, you can be sued anywhere unless you limit your jurisdiction. So that's what the terms of use is. It's the contract that you have between the users of your website and you can limit your jurisdiction to your home state. You're going to want to look at your content. If you allow people to add reviews or comments, you're allowing them to submit content which could be infringing material. So you're going to want to have a policy in your terms of use that spells out who owns the content on your website. Are you licensing to third parties and limit that liability that way? The other thing is you're going to want to register with the Library of Congress, the Copyright Office, a designated copyright agent. This is free. It takes five minutes. I don't have slides today, but I will have them on my website and I'm going to provide links to you all. But by registering a designated copyright agent, you're afforded certain legal protections if someone were to claim infringement. You're basically just telling the copyright agency that we're going to conform to the law. You're appointing somebody, anyone at your office. It could be you. You're providing your name, email address, contact information that you would already have in your terms of use anyway. But you're spelling it out that you're conforming with the DMCA. That's the Digital Millennium Copyright Act. So that covers the infringement aspect. Privacy policy, I wanted to revisit just to say if any of you all work with people that are developing websites for children under 13, in your privacy policy you're going to want to spell that out because they have the Child Online Protection, Privacy Protection Act, Kappa, Calapa and Kappa. So you're going to have different rules and responsibilities. You're going to have to adhere to parental guidelines and allow parents the ability to control what their children are able to do on that site and also the information that you collect from the children. So that is pretty much the nutshell of terms of use and privacy policy, but I would love to answer your questions. Yes, sir. Yeah, I mean that's a collection form. So I mean there's many different ways of being developers. I know you guys are probably more familiar than I am, but you know with the contact form, where do you live? Are you consenting to me shipping that kind of thing? So yeah, ask the questions and you're creating a contract. When you're asking them a question and they're providing you the information, you have that in writing. So yeah, yes sir. Well you're getting the consent, so you're complying with that aspect, but the requirement is that you have a privacy policy. They're very inexpensive. You know, it's very quick, easy to put that on there. So once you have that, you're complying with the law. So well I mean obviously as an attorney, I'm going to tell you, yeah, that's a really bad practice. Again, I mean I think a lot of people have an old antiquated notion that anytime you see an attorney, you're looking at a $10,000 retainer and you have to drive to a downtown office and you know it's three hours of your day, but the internet's disrupted every industry. The way we all deliver services is different. So I work from home. My clients a lot of times I'm not meeting with them and that reduces the cost to my clients because I don't have to charge for the overhead. So you can find, you get to interview attorneys the same way they get to interview you for the job. Well you charge me a flat fee. You know, that's what I do with my clients to make sure because I work specifically with business owners. And when you're starting out, you don't know what your accounts receivable are. Things are inconsistent. You're going to, you're going to want to get that flat fee per project where you can. And if you're speaking to an attorney that doesn't want to work at the rate that you want them to work or they're not open to that, find a different attorney. There are enough of us out there that are specializing. Find the one that works for you. Up here. I don't advise on error and emission policies. That would be your insurance company. I mean, basically it's what you can afford. But again, the cost of a privacy policy is going to be significantly less than, honestly, the insurance companies evaluate that when they're issuing your policy. Do you have these things in place? If you don't have a terms of use or privacy policy, a lot of times your rates can actually go up, much like home insurance when you don't have, you know, when protected shutters and in Florida, you know, it's it's an added risk that you have. Up here. Well, I mean, attorneys use templates as well. I mean, again, when we're talking about actually somebody that lives in the state that you're in that is familiar with the laws that you have to adhere to, it's not like I said, this isn't thousands of dollars. This is you can find an attorney and actually have somebody that knows your business and the technology that you're dealing with, because that that a lot. That's a lot of this to finding attorneys that are familiar with the tech space and what kind of information you're gathering, how you're doing and storing it. Not all privacy policies are created equal. There's there's certain clauses that are the same thing over and over and over and to that extent, I mean, if if the choices don't have a privacy policy or have the cheapest thing you can find, have the cheapest thing you can find, have a privacy policy. If you get nothing else for me today, it is absolutely critical and crucial that you do. And again, I mean, there's the legal liability which you can you can easily avoid. But when your clients are looking at you, you're holding yourself out to be a professional and you don't have a privacy policy and you're not following the law and doing what you need to do. How does that look to them? You're not even doing, you know, having the attention to detail to cover yourself. So, you know, that's that's the credibility component. And again, when for the deterrence, if you have that in place, they think at the very least they think, Oh, wow, this guy is following the law. He's got an attorney. I don't want to, you know, press that further. And it same thing with the terms of use. You have the rules in place. It's a clear understanding between the two parties. So, you know, the likelihood that someone is going to sue you when you have all of that in place goes down drastically versus not having anything there, them having to hunt you down and having no agreement between the two of you because anything they say goes. Yes. Sorry, I'll come back. I'm sorry. Did you just ask if a contact if you use a contact form? Yes, that's collecting. Absolutely. Yes, I want to restate this because this is what I deal with all day long. And if you have a contact form, it doesn't matter if it's a blog, if you only collect an email address that is collecting personally identifiable information, you must have a privacy policy. And a lot of people, you know, oh, well, they don't really enforce it. You know, people aren't actually coming after me for not having a privacy policy. They enforce it arbitrarily. Basically, as a fundraiser, the seat of California in 2012, decided that they were going to enforce calapa, and went after 50,000 web developers, app developers, and sent out the notice that said you have 30 days to get your privacy policy up or you're going to be hit with, I think it was $5,000 per download of the app. Yeah. So again, if you have access to a cheap privacy policy, you're not able to, you know, get the professional, you know, the full privacy, get something up, please, please. Don't have to come with me with a lawsuit. It's so easily fixable. Yes, sir. Yes, sir. Yes. Okay, so there's state state and federal law jurisdiction that can actually be somewhat complicated. But when there's a meeting of the minds when you have an agreement with somebody that they're agreeing that the lawsuit and the proper jurisdiction is in the state of Florida, then it would be in the state of Florida. Now there's there's certain ways that they can pull it into federal court if it, you know, asks or raises a specific issue or question. But again, typically, if you're agreeing to it. Now, for Europe, if you are, if you're a data processor, you have to actually appoint a registered agent or an agent in Europe. So that's how they're going to attach jurisdiction there and be able to sue you US companies by serving, right? I'm trying to get to all your questions. Yes, it's it's not about dragging you to Europe. But yeah, they can find you, they can, they can, they can suspend your website or allow it not to be viewed in their country. There's a lot of different parameters. The violation the for GDPR is 4% of your global annual intake or $20 million, whichever is greater. It's a sliding scale. Obviously, I don't think they're going to be coming after me for $20 million. But this is a very real law. This is something very serious to to look into. And again, in 15 minutes, I can't tell you all about it. But I did tell you the name of it that you need to be aware of it. So you can find an attorney, look it up and get more information on how to better protect your business. Yes, ma'am, to protect your own work. Yeah, you're going to want to I mean, depending on what type of work do you do? Okay, so you're typically talking about copyright with that. So that's the Library of Congress, the Copyright Office. That's something that I do. That's something that a lot of attorneys that work with businesses do copyright and trademark. It's your intellectual property that has a lot of value when you're looking to resell. But you're going to want to file a copyright for that. Quick, quick run through of copyright. You have an automatic copyright anytime you create an original work of authorship and fix it in the tangible medium. So as soon as you write something down, as soon as you create it on your computer, you automatically have copyright. Well, Ryan, why do I have to register my copyright if I already have it? If you want to file suit or actually defend your work from infringement, you must have it registered with the office in order to be able to win or defend a suit. Also, you're entitled to treble damages and attorneys fees and costs, which a lot of times you might be able to find an attorney that will do contingent work because if you have a strong case, so you're not as a small business owner coming up with a $30,000 to defend that suit. Yes. And again, the filing fee, excuse me, federal filing fee for copyright is like $65. $35 in some cases. You're responsible in your privacy policy for stating what your third party policies are. And I have third party people. I'm not liable or responsible for them. They have separate privacy policies that govern this. You're making your clients aware that there are, in fact, third parties. That's something that you want to disclose. Yeah. Their privacy policy governs their site. You're stating in writing that my privacy policy only covers me. I am not legally responsible or liable for anything fair to. Yeah. Great question. Thank you. So privacy policy as written into Calapa must be on the homepage, either on the homepage or the first identifiable page, and it must clearly state privacy in the hyperlink if it's a link. So it needs to be readily available and clear and unambiguous terms and conditions. Yes. And this is a value added service. And again, we're talking about credibility and something that you're bringing to your clients. You can send them an email and say, you know, I've been doing this for 20 years. And just so you know, by having a website on the internet, you're probably going to want to have a terms of use and privacy policy because you're legally required. So I see you have a contact form here. You don't. That's not giving legal advice. You're telling them that they probably want to go do that. I wouldn't recommend you giving them a privacy policy because if the law changes and you don't have something in there, then they can sue you because you gave them a faulty privacy policy. Yeah. Yeah. Exactly. Yeah. She was I'm sorry. That brings me to the next thing I was going to mention, which is how their speakers repeat every time some ask question, repeat the question that way the whole can do because we have any mic runners. So maybe you guys can chat here if we can wrap things up. One more time for the end. Thank you so much.