GDPR again, and it happened. It was really scary. They said the world was gonna blow up. We were all there. I was there. It was a scary time. It's the hottest topic, right? Everyone's like, privacy, it's a thing. Everyone's like super excited, right? Yeah. No. It actually is a really, really important topic. A lot of what we do already encounters the topic surrounding privacy. We've been thinking about this for a very, very long time. We just haven't been using the words. We've been thinking about it as it incorporates into our design, and today Kevin and I are gonna be spending some time talking about what privacy actually means. As you just heard, Kevin works at Automattic. I work at XWP. And originally we were gonna have Ryan Kinney, who's a lawyer who helped make this talk, be here today. Some things happened and she can't be here, but that's okay. We're not lawyers. This is not legal advice, but this was reviewed by a lawyer, which is pretty cool. So we are not lawyers. It's very important, and this is not legal advice. But you don't need to be a lawyer to care about privacy.
In fact, privacy is for everyone, not just the lawyers. So GDPR is the big topic of the year, but we're not gonna be talking too specifically about GDPR today. Nor are we gonna talk too specifically about particular implementations for your website or tell you how to design your checkboxes, as fun as that might be, because focusing on the GDPR and one regulation is a little bit small, a little bit myopic, when privacy is a much more encompassing topic. And also the GDPR is just the latest of privacy regulation that has a big impact. Understandably it got a lot of attention, got a lot of people looking into it, probably because of the penalty mechanisms and the big fine numbers. But it actually isn't new or a dramatic change, at least if you talk to the privacy regulators and people who wrote the legislation. It was designed to be an evolution, not a revolution. And in laws, there are a lot of existing laws in Europe, all over Europe, and the GDPR was designed to update them a little bit, but mainly to harmonize them. So there are a lot of laws.
Well, you can see here that should have been in effect and should have been followed for a long time. Consistency and clarity. Consistency and clarity, right. And then over here on this side of the pond there actually is a lot of privacy law as well. And some of it's, you know, a little outdated, and it dates back to the phones of the early teens. But there are lots of different laws, and the way that privacy has been regulated so far in the United States is very industry specific, very specific case, just because it's different kinds of use cases. So you have, you know, the CAN-SPAM Act about, you know, email newsletters. You have, you know, COPPA about children. You have particular regulations for running a college or education or medical. You've probably all had to sign HIPAA notices online or off. And so all those apply to businesses as well. I mean, there are a lot of laws in California, where a lot of technology firms are based, so that regulates all those privacy policies and those checkboxes and those things that you agree to, which may not have gotten as much news or attention as the GDPR, but has, you know, for years led to fines, enforcement actions, lawsuit settlements. So privacy is not new. We shouldn't look at just one little piece of it. We'd like to look at all of it. But furthermore, there will probably be more privacy legislation in the US. In this year, California passed a pretty ambitious GDPR-like legislation called the CCPA, which will go into effect on, you know, some large businesses in 2020. It will probably be amended before then. And there is actually a pretty decent chance that the new Congress will take up some federal privacy legislation in sort of the mold of GDPR. So that's a lot to think about if you're running a website. How do you grasp on to all of those different things?
And the way we think you should approach it is to not think about any particular jurisdiction, any particular law. You start with the strongest possible privacy practices that you can build into your site and your business. And if you start from that place, then it'll be much easier to adapt to whatever laws get passed now or in the future, or to your particular jurisdiction or to your particular industry. So you'd have some privacy practices baked into what you do all the time, and then if you have, you know, a new client in health or with, like, a weird legislation in Brazil or something, you'll be able to easily adapt to that and carve out exceptions, things like that, if you focus on just the strongest possible privacy practices to begin with that are kind of common among all legislation. So what are some of the common areas? The GDPR, as it was, like, harmonizing and clarifying existing law, actually has a nice section on principles. It's like, here are the data protection principles from existing law, and you can see. This is actually the shortened version. You know, lawfulness, fairness, transparency. It's too much. Minimization, limitation, confidentiality. Too much. Um, you can read it if you want. It's not bad. But it's very confusing when you get from that to, like, okay, how do I put that into a website or, you know, into my WordPress? Um, so let's boil that down a little farther into plain language, and, um, these are kind of the... I'm glossing over some particulars here. Definitely, again, not legal advice, but these are the common ways we think you should approach privacy. One is to be transparent about the data you collect and why.
That's actually easier said than done. You might not know all the data that you're collecting, using third-party tools, where that data goes. You need to look at it and figure it out. And to be transparent means that the people who are using your site, your customers, your visitors, they should be able, if they want to, to understand what you're doing with the data as well. And that doesn't mean you can just throw an opt-in checkbox on everything. Opt-in is just one of the legal bases you can use to be transparent with your customers about data, and some people might think it's kind of the lowest common denominator. Like, just because you got a checked opt-in doesn't mean you can do whatever you want with people's data. You need to think more holistically, like, are they going to understand it? Are they going to have some transparency and control there? Another big principle is to get only the data you need, and to not store that data any longer than necessary. And that's another thing that's easier said than done. Internet technology makes it amazingly easy to collect lots of data, and, you know, just like, you know, pulling in a library or implementing any code or putting a little plugin here or there. But it's actually better to think about what all are they doing, why, and do you really need it? So if you start from collecting only the data you need, it'll make all your compliance efforts a lot easier. And it's actually a requirement of a lot of privacy legislation that you have a good reason, and if you are asked or questioned, you will need to know what's the reason for it. So it's good to figure it out and make sure. Hey, do I really need it? And you may have, you know, legacy code from years ago and you're not even sure, you didn't even know that it did something. You can justify everything, though.
You'll be well on your way to being safe. And then you have to keep that data safe, especially if you have sensitive personal data. You know, social security numbers or things that could be cobbled together to make a sensitive profile on someone. Even if you have great privacy practices, if you don't have great security practices, it's kind of a moot point and you can still get in trouble. And the very last thing is to be accountable to your users. Did it go away? All right. Be accountable to your users, which means if they want to access data, if they have questions, you should be able to answer them. If they want to delete or update things, they are your constituent. They're your boss a little bit under privacy law, and so you should be accountable to them. And if you're accountable to them, it'll make it a lot easier to be accountable to regulators, if you meet the circumstance where you run into a regulator. Luckily few people do, but if you're accountable and upfront, then you'll be well on your way. And undergirding kind of all of these is you should write all of this down. That's both a statutory requirement and just practically it makes everything you're doing easier. So, you know, if you ask a privacy regulator, they'll probably want to see your privacy policies and your justifications of things. And also maybe users would like to know as well, but it'll also make it easier for you. Once you start writing things down, all those other ones about being transparent and getting only the data you need, the practice of writing it down helps you answer all those questions. Aren't you supposed to tell your users what you do with their data? Yes, you are supposed to tell your users what you do with their data, but you don't necessarily want to overwhelm them with every last detail, because then they're not going to understand. So you want some internal and external documentation.
Really, the more you can write down the better. If you take nothing else away from this talk, go home and write, like, a plan or some outline of what you're doing with data and what your plans are. So what does that mean for your site? Well, I can't really tell you, because every site is different. Every business is different. Every constituency is different. You know, a bank, you know, a ski resort, a cowboy hat maker, a coffee shop, a doctor's office. In 2018 all these are really internet businesses, but they all have different customers with different needs and different relevant legislation, and your customers understand things in different ways. You know, if I go to the coffee shop and give them my credit card, I don't expect them to hand me, like, permission to ask the credit card company to, you know, some personal data if it's a fraudulent charge. So you need to pick what's appropriate for you and your customers. And that's easier said than done. That's why you can't just, unfortunately, can't just download a plugin. I can't tell you to go just get this thing from the repository, run it on your site, privacy is all done. We can only help you ask the right questions, and you're going to need to come up with the answers for yourselves for each site and business that you work on. And the last real point we want to make about this is privacy is a process. It's not something that you attain.
It's something that you maintain. It's a practice that you do every day through everything that you do. You can't just do it once and forget it. You need to continually do it and build it into a process. And that's the way that you truly protect privacy for the long term and are ready for any legislation or regulation that comes your way. Which is important, because there really is a rising tide of regulation for tech, not just in privacy, but in kind of every area of what we do, and we just need to be ready for it. And if you have good processes, you will be ready for it. Also, we want to ask, well, why do we care? We don't care just because we want to avoid lawyers or fines or breaking laws. All those are very good things. But privacy is actually good. It makes your products better, makes clients happy. It makes the customers trust you more, as well as reducing your legal liability. And you'll see that in every little piece along the way that we're going to look at today. I also want to editorialize a little bit and say it's really key to the open web. The closed web is not built with privacy by default. But if you go back all the way back to, like, the early days of free software getting started, pre-internet popularity, the autonomy of the end user was always a big goal, was always central. You know, the four freedoms of software: freedom number one is the freedom to study how the program works and change it to make it do what you wish. Well, if you replace program with website in that, it's pretty close to a robust and user-centric privacy policy. So if we care about the open web and WordPress, and I think everyone in this room does, we should really, really care about making sure that our privacy practices are good, and that we make these beautiful principles of open source real and visible to the end users and to the customers in a way that they can understand. So that they know that, hey, the open web is better than the closed web that tries to suck up all my data and
control and exploit as much as I can. I like the open web because it puts me in control. And you do that, again, not by a single thing, but by having privacy by design, which is the buzzword from legislation, from the GDPR. Put it in all of your process, all of your design. It's not just what your web developers do. It's what your customer support does. It's what your documentation looks like. It's, you know, what your business people do day to day. So you need to design it into everything. It doesn't have to stop or take over everything. It's just everyone needs to think a little bit, how do I design what I'm doing day to day for privacy? It's legally required under GDPR to have some showable way that you've designed privacy into your system, and it will probably be in other legislation going forward. Plus it just makes sense and makes your products better. But how you do that in particular, Leo is going to go over that in a good operational life cycle, keeping that process going. So, privacy. It's a big topic. It sounds scary.
I promise it's as easy as four things. And really, like, one thing mostly, protection, but we'll get there. Um, why as Americans do we care about privacy? Like, all we care about is free speech. Like, that's, like, the fundamental blocker to everything else, or, like, well, free speech matters more than anything else, and everyone's got to have their free speech. The practice is, sometimes the way that privacy is constructed, in terms of legal frameworks, in terms of technology, can come at the cost of this, and we're seeing quite a big trend across the ecosystem as people move toward a more universal understanding of what these things mean. And if you look at the difference in the way that Europe views these things, the idea that privacy is a fundamental human right: we have the ability to opt out of things. Communication should be open and protected, but we have personal abilities to be quiet, be private, to ignore, to opt out. This is the trend we're seeing across the entire ecosystem. This difference is why we may feel that tension. It's why, I mean, you may not feel like this is a big deal to you, but this is actually something that is core and critical. And you'll see that as we start to break into this actual life cycle. Chances are you're probably doing a lot of these things. If you're a developer, a lot of this is going to feel quite familiar to you. But you'll also see there's a lot of gaps, probably. And you'll see that quite a bit of this is about how you can reflect on this process. So in the assess phase, there's a lot of maturity that you need to recognize inside. What are you actually collecting? You need to stop and recognize at the very base level who you are, what you do, why you do it, and why do you even collect data in the first place? Does this actually help your business? And once you have a good lay of the land, you're like, okay, this is how I approach things.
We can then start to move into a more appropriate phase where we can respond to the way data works inside our platforms. So in the protect phase, we actually start to unpack and understand the entire platforms that we work with, the tools we work with. And the main tool that we work with, because we're at a WordCamp, is probably WordPress, right? But that's probably not the only tool. The laws don't care about WordPress. The laws care about the entire ecosystems. They care about business requirements. They care about how we respond to the needs of the ecosystem as a whole. They say you have to follow your contracts. You need to have these agreements. You need to follow cookie laws. You need to be able to understand third-party agreements. You need to have privacy policies. These are things that you actually have to do. As you understand what these things mean, it's best to plan way ahead so that you don't actually have to deal with the lawsuit. You have minimal exposure by default. There's a great quote that I came across that sort of thinks about how you might be doing this already. So this is about an ad publisher who spent some time unpacking how they wanted to respond to GDPR. But really this is just about privacy as a whole. We've heard of publishers simply turning off EU traffic to ensure that they won't run afoul of GDPR. On the other end of the spectrum is burying their heads in the sand, doing nothing. Mediavine is not interested in either extreme.
We take user privacy very seriously, but want content creators to build sustainable businesses as well, especially in the event that this experiment ever extends beyond the EU, right now a very small percentage of most publishers' traffic. We want to make sure, as always, that Mediavine and its publishers are prepared for an ever-changing landscape. Right, like, that to me is cool. Like, they have found a way that is bridging those two ideas, free speech and free privacy, all together. You have the ability to opt out of these things, and as we start to march forward we're going to see this trend happen. Um, so what does that actually mean? It means that legally you need to be reading these things. So once you've read things, and these things look good, you probably have a developer, an engineer, an architect, which is what we call them at XWP. That person then gets this set of requirements. You're like, okay, so what do we do? This is all quite complicated. Well, it's probably security related. PSA: this is now going to turn into a security talk for the next, like, 15 minutes. But this is actually a really critical thing to understand. Security has a lot of overlap with how privacy actually works when the rubber meets the road. So base zero, um, raise your hand here if you have a site that does not have SSL. Anyone going to admit to it? That's okay. That's a requirement. Every single site should have SSL, and if you can, HSTS. Things like permissions: if you don't know how permissions work in your databases or, sorry, your file systems, this is critical. Data backups are really important. You should be testing your backups. You should be maintaining backups for a very long time.
These are records of how these things work. You can compare two backups and understand what's happened from then to that point. You should be having source control as part of what you do. The minute you include things like Git in your workflow, you enable CI/CD pipelines. All of this allows us to really start to think of the future out of the box for these other tools that we'll get into in just a few minutes. And also, of course, staging, which you've probably heard many times at other WordCamps about. This is a requirement to be able to do these things right, to have the right testing as a baseline. And of course things like two-factor authentication, IP filtering and secure passwords. These are things that are required. If you don't have 2FA, if you don't have a secure password on all your sensitive things, leave this talk right now, go outside the hall and do it. That's, like, more important than anything that we're talking about. And if your host or your providers don't offer 2FA and good security practices and SSL, find new hosts, find new third-party providers. And to be fair, we're arguing for best practices. So if you're not quite there yet, this is where you should be attaining to. I strongly feel the same way. There's a lot of reasons why we can do this better. And once you start here, we can get into some of the interesting nuances that go from here. So this is from the developer handbook, the section around security. And I have to call out my favorite xkcd cartoon. This is the story of Little Bobby Tables. I'm sure everyone knows the story of Bobby Tables. So Robert dropped table students, who, you know, eliminates the records in the school. In practice, you should never assume that any data is going to be safe. You should never assume anything about a data platform, and you should never become complacent. Right, this sounds like the fundamental principles of democracy and software development, right? It really should be. And this is actually how we should be approaching security.
It's how we should be approaching privacy. We should be trying to make sure that we can respond to this. And this sounds a little fuzzy and a little, like, crazy angry in the corner, but that's actually how we need to respond to these things. So in practice, how do we do the thing? This means as you unpack data streams, APIs, software functions, look at these things, understand what they mean, and if something looks too complicated, ask yourself, is there a way to make it simpler? And even as you start to ask basic questions, if you're not a developer and you just have a contact form, you have a bunch of questions on this contact form. Do you need to ask someone their birthday or their name or their phone number, their social security number? Or do you just get their email address? Or even, is their email even necessary? You can abstract the kinds of questions that you ask so you never even have exposure to begin with. And that's actually part of these things that we should be thinking about. Additionally, uh, you should only be working with as much data as needed. So a couple years ago I was working on a project with a school's API data. And as we unpacked all this data, I was like, I can see social security numbers and birth dates and cities, and I can get all these transcripts. So what we had to do to prevent any kind of exposure is server-side rendering of that API and then watering down that API to only make certain things available. That's the responsibility you should be moving toward. Otherwise, you're going to accidentally expose yourself if the wrong things happen. Um, and of course, I'm not going to get too much in the weeds of this, but all data that's coming in and out of your browser should be cleaned. You have responsibilities. If you know about escaping, sanitizing, great, double down on it. If you use core functions, they probably do this right. If you're not sure, look up the source code. WordPress's source code is open source. You can look on Trac. You can look on GitHub.
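One way to implement the "water down the API" step just described, as an added example that is not code from the talk, from XWP or from the school project: a server-side allow-list filter over the upstream JSON, so the browser only ever receives the fields the page needs, and a companion function that records which upstream fields were dropped, for the written justification the talk asks for. The field names and the sample response are constructed for illustration.

```python
"""Server-side data minimization for a third-party API response.

Added example, not code from the talk. The school API, its field names and
the sample payload below are constructed for illustration; the allow-list
reflects the talk's point that SSNs, birth dates, cities and transcripts
never needed to reach the browser.
"""
import json

# Constructed upstream response: far more than the page needs.
SAMPLE_UPSTREAM = json.dumps({
    "students": [
        {"id": 101, "name": "A. Student", "ssn": "000-00-0000",
         "birth_date": "2001-01-01", "city": "Nashville",
         "enrollment": {"course": "CS101", "term": "Fall 2018", "grade": "A"},
         "transcript": ["CS100: A"]},
        {"id": 102, "name": "B. Student", "phone": "555-0100",
         "enrollment": {"course": "CS102", "term": "Fall 2018"}},
    ]
})

# Allow-list (assumed): True keeps a value verbatim, a nested dict recurses.
# Any key not listed is dropped, so new upstream fields are denied by default.
API_ALLOW_LIST = {
    "students": {
        "id": True,
        "name": True,
        "enrollment": {"course": True, "term": True},
    },
}


def minimize(data, allow):
    """Return a copy of `data` containing only allow-listed keys.

    Lists are filtered element by element with the same spec. A scalar
    where the spec expects a structure is dropped rather than passed through.
    """
    if isinstance(data, list):
        return [minimize(item, allow) for item in data]
    if not isinstance(data, dict):
        return data
    out = {}
    for key, spec in allow.items():
        if key not in data:
            continue
        value = data[key]
        if spec is True:
            out[key] = value
        elif isinstance(value, (dict, list)):
            out[key] = minimize(value, spec)
    return out


def dropped_fields(data, allow, prefix=""):
    """Dotted paths that minimize() removes: the written record of what the
    upstream sends that this site chose not to use."""
    dropped = set()
    if isinstance(data, list):
        for item in data:
            dropped.update(dropped_fields(item, allow, prefix))
    elif isinstance(data, dict):
        for key, value in data.items():
            path = f"{prefix}.{key}" if prefix else key
            spec = allow.get(key)
            if spec is True:
                continue
            if spec is None or not isinstance(value, (dict, list)):
                dropped.add(path)
            else:
                dropped.update(dropped_fields(value, spec, path))
    return sorted(dropped)


def proxy_response(raw_json):
    """What the server-side endpoint hands to the browser."""
    return json.dumps(minimize(json.loads(raw_json), API_ALLOW_LIST))


if __name__ == "__main__":
    print(proxy_response(SAMPLE_UPSTREAM))
    print("dropped:", dropped_fields(json.loads(SAMPLE_UPSTREAM), API_ALLOW_LIST))
```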
It's all there. There are definitely lots of things there that get into the weeds here that describe what this is supposed to look like, if you're not comfortable with it. So for example, like, if you're worried that some random JavaScript that you're calling in is not going to do what you want it to do, escape it. Check it. Make sure it can't do the things you don't want it to do. Um, and more critically, don't trust anyone. Like, I don't trust anyone. Would you give someone your house key? Would you give someone your car keys? Would you give someone your root password? Would you give someone a PEM file? What would you do? Right, uh, I love this comic too. It's another xkcd one. Like, you know, the suitor incident is reported in, Santa Claus is keeping a naughty list, right? You really need to get, at the end of the day, an understanding of who has access to things. So whatever your keys are, whether this is, like, a master email that you guys all share, maybe this is a list of super admin passwords or Google App Suite, whatever that is, keep that number as small as possible. So if you can do this in the protect stage, a lot of the concerns you have might be able to be mitigated by default. And this also goes a couple steps further as you start to build into your workflows. Ideally, if you're a developer or you're working with developers, you should be asking questions that surround these things. So if you aren't already, you should be comparing your code to coding standards: ESLint, PHPCS, WPCS. And if you're not using a standards code editor, which I really hope everyone is, you should be. And the four code editors that I called out here, all of these have tools that are built into the browser that check for code that breaks, that check for standards that aren't met. There's quite a bit of energy around this that is critical to unpack why your stuff isn't working or why your stuff may not actually meet basic security requirements, that don't meet basic privacy requirements. Additionally,
going a couple steps further, this work extends into the whole ecosystem, because we're not in a vacuum. Our sites are across many, many platforms. If WordPress is a third of the internet, this means that your site is going to look like someone else's, but how much better or how much worse are you in comparison to someone else's? So you need to lean on tools like Tide, HTTP Archive, Lighthouse that actually start to unpack some of these requirements at scale. You can understand how you're reflecting these things. Additionally, you can spend some time getting into other validation services. So there's a couple tools like Code Climate and Codebeat that as a service will provide code validation. So if you want to prevent, for deployment, code shipping out that may have missed for whatever reason certain pieces, you can still have multiple guard rails that say no more bad code shipping, even to staging. Even further, you should probably be reading the manual to everything. We spent a lot of time writing documentation around code. So if you write plugins, you write themes, you write components, you write modules, you're probably writing something about it. And so if someone has written something, take the time to read it. Chances are we probably have explained all the problems to the stuff already. And if you're using dependencies, which you probably are, or using software that has dependencies, know what they do. And as you start to build into these things, understand what these things mean at scale. So as you start to get into this you will recognize that things will fail. So what does reading... And if I may, if you're not a coder, that's a lot of code stuff. If you're not a coder you can do something very similar to that, which is go and look at the documentation of the plugins and third-party services you use and see if you can understand what they're doing with your data and where it goes. Get out a piece of paper, draw a little map. And if there's something that you don't understand from their manual, ask
the service, and if they're a good service they should be able to answer your questions, you know, somewhat in a way that you can understand. Not that you need to know every single database call, but that you have some idea of what data you're sending in and getting back, and what's done with it, and if it's safe. Yeah, thank you for that. This in practice: like, we literally launched a plugin release yesterday at WordCamp US, and PHP 7.3 came out, and no other software came out yesterday, I promise. Don't read the news. So we also shipped a product site for our plugin, which is super cool. And we wrote a bunch of technical documentation, but we also wrote documentation for end users. Like, we really want people to understand this stuff, so they want to use it. That's a basic requirement. It can look like a website. Sometimes it doesn't look like a website. Sometimes it's stuff that sits inside a Composer library that can be viewed on a place like Packagist. And that's sometimes not even available, right? So in the case of the WordPress project, a lot of things are written strictly inline as docblocks. So if you can't find something, look in the places that you think they might be, and if they don't exist, ask someone why they don't exist. Keep prodding. Someone wrote this code to begin with. You should try to get and understand why these things exist the way they're supposed to. So plugins, modules, code, themes. Okay, a lot of stuff. Why are we using them? That's really the point here. If you're going to use these things, understand what they do. And as you start to look at them, you should be asking questions. Are they simple and straightforward? Are they well scoped, or are they huge? Are they well supported? Are they widely adopted? Are they well documented?
If they're not, maybe you should consider using a different plugin. Maybe you should choose one that has a better version of that exact piece to it. And if you have the engineering support, it makes sense to spend time looking at the source code closely, to actually read the documentation and to actually consider what's actually there. Um, I would urge, at least in this current state of things, to be really considerate about not auto updating, not auto updating plugins, and really understanding what diffs look like. For some people you might have different appendices on this exact fact. But if you actually have the resources, you can start to break these things. Additionally, you should probably be testing code. If you really do care about what things look like at scale, you probably have lots of tools to do this for you, or you might have a host that works with you to do this. Additionally, you can do this with integrations, as we talked about before. So, okay, all those understanding stuff. What does this actually look like when it goes wrong? Well, things break. So npm had a bunch of packages that started doing things they weren't supposed to, started taking the ability to call home and doing weird things. That's weird, right? You should ask what this thing does and whether we need it. And you might have opinions. I know, like, the classic discussions around npm packages has been a long, long piece to it, to what we do. This is also a question around plugins that we choose as a whole. If you don't use the official plugin, right? So in the case of the AMP plugin that I was working on the last year or so, there was a plugin that has almost the same name that had a major security vulnerability. We don't do that. We spent a lot of time focusing on how to make our things better.
We have an entirely different approach. We don't have to do emergency releases. We have an entirely different approach. If you know that there might be two things really close, be sure that you're using the right one. Um, and even if you are using the quote-unquote right one, occasionally really large plugins have major vulnerabilities that might get exposed. So in the case of WooCommerce a few weeks ago, there was a really kind of funky thing that happened, like, a shop manager could inject a page payload that deleted the plugin, that turned a shop manager into an admin, and then they could wreak havoc on a site. Kind of a crazy scenario, but it could have happened. So sometimes these things happen. So if you are reading the general tech news of things, wherever you get your news about technology and WordPress, read these sources closely, because these things tend to get reported quite widely. Additionally, nothing is sacred. So quite famously a GDPR plugin a few weeks ago had a pretty major vulnerability found out. Um, so it's quite critical to test, read and review. But just as Kevin said, tools don't do anything. It's about processes. And in many cases, I would probably not recommend using this plugin. I'd recommend considering what's in WordPress core, because we spent a lot of time unpacking that. Additionally, going one step further, we spent a lot of time talking about performance across the WordPress ecosystem. I'm not going to say who this was, but this happened right around GDPR. Really kind of funny thing that happened. So this publisher has a 30 second page load here and a Lighthouse performance score of three, which is bad if you don't know. So this is really bad.
So May 25th comes around, and in Europe this is what happens. They go up to 86 because they decided to stop doing that. And a bunch of naysayers on Twitter were like, but that's just... I just have ad blockers. I don't see privacy things, and I know what I'm doing. And, well, no. In practice, because of server-side rendering and alternate layouts, this is what your site looks like with an ad blocker. It's still pretty bad. So performance score of 11 and a 15, or sorry, 21 second load for interactivity. Like, that's still not great. Right. So in practice, you have to ask yourself, what does your actual thing overall mean? And if you can argue for less, your users will actually get more out of your whole site. And if you have a manager who's like, I don't care about this legal stuff for privacy, why are we spending so much time on this, performance could be a pretty good argument too. And as a whole, the way that we approach software development, XWP tends to think about performance as a key metric to user experience. So this is part of the angle that we take as we start to unpack the requirements for privacy. So you have an ecosystem in your site. What's going on? You should understand what that data means and whether you actually need to keep it. So there's a couple of things that have happened over the last few months that you may not be aware of. A lot of things that you can do involve anonymization. Once you've collected data, you actually don't even need to keep that person's information lined up with that data set. So Google Analytics offers some automatic anonymization. Ad networks are starting to offer similar tools. And this means that you can keep some of this information in summary, but you don't actually expose any information. So if you leak a report or you share with a third party, guess what?
You don't break the law, potentially. Ask a lawyer. These things are usually deep in the settings, but a lot more of them exist post-GDPR than existed pre-GDPR.

Additionally, if you have no idea what's going on within your data sets, it's also going to be critical for you to probe those data sets. So if you've never once looked at your phpMyAdmin settings, or you've never once unpacked what these things look like, do it. If you haven't played with WP-CLI, do it; it's a great project. If you're using third-party integrations, and you probably are, you should be using tools to unpack what's actually inside those APIs, what you get in a response. You should understand all the endpoints available as you work with these third-party integrations.

So data minimization in theory says that data safety is key and that data must be gathered appropriately, which sounds kind of cool, but in practice it means you just don't want to get stuff. You get the things you ultimately need; you get rid of the things you don't need. It means you'd have less transit, fewer performance concerns, and you just run through and live with a wonderfully more minimal approach.

Speaking of minimal: definitely don't do this.
This is probably the worst thing I've seen in the last few months. Someone just poking around a website, eBay's Japan site, was able to expose at ebay.co.jp/.git/HEAD the entire source code of eBay Japan. This is because someone simply didn't follow coding best practices: they didn't include the .git file in the .gitignore file, really straightforward. They exposed all of the data as deployed to production in a deployment pipeline. So if you do have coding best practices, you should be checking on your own to make sure what this stuff looks like, especially in the protect phase. The worst thing to do is to get through this entire life cycle and then end up with a banana you slip on.

So WordPress core is only the beginning, probably, for you. You probably also have third-party tools, marketing tools, ad scripts, CDNs, integrations, and all these other places where data might live. But at the end of the day you have to ask yourself: am I okay with how these things work? Do I understand how to use them? If someone asks me to remove stuff, do I understand how I actually can work with these tools? And if you're not comfortable with it, spend time doing the other steps we talked about to be able to become more confident.

The core tools do get most sites most of the way there, though. So before you go looking for other things, look at core tools first; they're quite good. Yeah, so those core tools involve things like export, erasure, and hooks for plugins.
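The .git exposure described above is the kind of thing a deploy pipeline can catch before the web server ever serves it. What follows is an added example, not code from the talk or from any WordPress or eBay project: a POSIX shell function that scans a deployed web root for version-control metadata (the .git case from the talk, generalized to .svn and .hg) and fails when any is found, plus two helpers that build constructed throwaway web roots so the check can be exercised offline. The directory names and the `demo_*` helpers are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the talk): pre-deploy gate that refuses a web root
# containing repository metadata. A reachable .git directory lets anyone
# fetch .git/HEAD and then reconstruct the full source history over HTTP.
# Usage: check_webroot /var/www/html   -> returns 0 if clean, 1 if leaking

check_webroot() {
  root="$1"
  # -prune stops find from descending into a matched directory, so each
  # leaked repository is reported once, at its top level.
  leaks=$(find "$root" \( -name .git -o -name .svn -o -name .hg \) -prune -print 2>/dev/null)
  if [ -n "$leaks" ]; then
    printf 'Repository metadata found under %s:\n%s\n' "$root" "$leaks" >&2
    return 1
  fi
  return 0
}

# Constructed demo data: a web root where a stray .git directory was deployed
# alongside the site (the failure mode from the talk). The caller removes it.
demo_leaky_root() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/.git"
  echo "ref: refs/heads/master" > "$d/wp-content/.git/HEAD"
  printf '%s' "$d"
}

# Constructed demo data: the same layout with the repository left out of the
# deployed tree, which is what a correct build artifact looks like.
demo_clean_root() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content"
  printf '%s' "$d"
}

# Stand-alone run: exercise both roots and clean up.
if [ "${0##*/}" != "sh" ] && [ -z "${CHECK_WEBROOT_NO_DEMO:-}" ]; then
  leaky=$(demo_leaky_root); clean=$(demo_clean_root)
  check_webroot "$leaky" && echo "unexpected: leaky root passed" || echo "leaky root rejected"
  check_webroot "$clean" && echo "clean root accepted"
  rm -rf "$leaky" "$clean"
fi
```

Run it as a gate in the deploy job (`check_webroot "$DOCROOT" || exit 1`). The durable fix is to build a deployment artifact that never contains the repository, or to deny dot-directories at the web server; a `.gitignore` entry only affects what gets committed, so it does not remove a `.git` directory that is already present in a deployed tree.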
There's lots of documentation around plugin developers and core and theme developers. There are also tools written for purely non-developers. So if you just have no idea what we're talking about up here, go look at the privacy docs that are available for WordPress core, because they do make it as simple as possible for non-developers.

Additionally, there's a bunch of things happening in the roadmap: things like multisite support, localization support for sites that have a lot more complex setups, WPCS support, as well as consent logging tools. Currently a lot of the tools that people are using on top of WordPress core for consent logging are third-party tools, but in the roadmap we're going to start to have a lot of requirements that are built inside the database, so we can track what privacy collection looks like up close. So that little checkbox thing that happens, that whole thing will be coming to core. We've also identified a few things in the future that are happening that are going to be quite critical, things like CCPA.
I know that Kevin is like, "It's not important to worry about." We think it will be, eventually, maybe. We think it's critical to prepare as far ahead in time so that we don't have to rush close to it, like we had to do for GDPR.

So once you've done all that, you need to document everything, ideally along the way. You need to keep this document living; you need to make sure it's up to date, and you need to make sure that you have stuff ready for people who might join your team, who might leave your team. If you have one engineer leave suddenly and you lose 30% of your company's knowledge, that shouldn't be the case. Right? Ideally you should have a system in place that allows for collective knowledge, and also exposure of the things that aren't right, and you respond to the things that aren't right. So you're more comfortable, so that when you get into the next phase of the privacy life cycle you don't have to worry. Right? You can go and say, "Hey Charlie, you should learn about privacy. I can train you. Look at this document."
Let's walk through it together. You have systems to be able to monitor these things in real time. You also really have the need, at a high level, to not worry about these things anymore. You can start to think about these things as normal operations for your business and less as things you have to respond to. Like, no one likes fires that you have to put out, but data privacy doesn't have to be one of those things.

So okay, once you're all good, you're like, "Okay, we're all hanging out, training, you know, once a quarter for privacy," and things are looking really good. Then you get an email that says, "Hey, we've got to do something." Well, there are legal requirements or technical requirements for how you respond to those privacy pieces. These are things like information requests, erasures, and corrections, as well as breach notices. So if something might happen, you need to be able to know what you're supposed to do legally, ethically probably, and technically. There are little things that you should be able to do to be able to respond to these things.

So, Kevin, how bad was GDPR? How bad was it? Yeah, like, what happened since GDPR? Oh, nothing. Everything went smoothly, all the sites are perfect, right? Yeah, so since GDPR we've had 27,000 reported data breaches. It's a huge deal. It's not small. So that's what's reported; there's probably more. It's hard to write software. It's hard to write good software. It's hard to write perfect software. Software is full of bugs, software is full of vulnerabilities, and this is a process. So what happens when you actually end up in that situation? Do you scramble?
No, you're not supposed to scramble. You're supposed to be able to respond to this with a process. So in your assessment phase for a breach, you should define whether there is a breach, understand what that means legally based on your locality, based on your requirements, federally, locally, and also understand the event that actually occurred. So if someone says something happened, understand what that actually means, so you don't have to run and respond to it.

And once that actually happens, you say, "Okay, there was a breach, this happened, someone's got data, or several people got data, or it was just exposed." You've got to figure out: was there harm? There might not be harm. You might not know if there was harm. And if there is harm, you should decide what you need to do to respond to it besides reporting. Additionally, if you're lucky, you might have things like safe harbors, you might have exemptions, you might have defenses, you might have encryption. Right? SSL is a really good way to worry a little bit less, not a lot less, but a little bit less about some of the problems if someone is exposing, or worried about, exposed data inside the whole piece.

Additionally, if you are in a locality, you're going to have to ask this question around what your responsibility to notify people might be. So in the case of South Dakota, like 250 people's information out there, you have to respond. In Colorado it's 500. When you might have to respond is extremely different: if you're in South Carolina, 72 hours; if you're in Louisiana, you can wait two months. Like, you don't have to do anything. We can take a holiday, come back. Go to the beach. Go to Mardi Gras. Yeah. And then, "Oh yeah, by the way, we leaked a bunch of people's email addresses." Like, no big deal.
No big deal. And as a whole, that variance is going to be quite challenging. So you don't necessarily need a lawyer today, tomorrow, next week, but you should definitely understand what you're doing, and if you have a data set, each of these localities you're working with may have special requirements. So if you leak customers' data in California, you may be required to report it in South Carolina. Understanding what that actually means is where you might want to seek counsel. And the more sensitive your data, the more you have to be concerned about this. Exactly. So Social Security numbers, definitely a thing to be concerned about; birthday, definitely a thing to be concerned about; someone's favorite, you know, color, probably less worried, but you never know. Someone might say that might be a version of coded information or something else.

So that's the life cycle. A lot of information, but it's pretty simple. You want to understand things, you want to respond to them, you want to make sure that you don't have anything happen to it. And as you move through the sustain process, you really don't want to feel like anything is on fire. So ideally you sit in sustain as long as possible, but as you need to, and you hear about things, you move from the sustain process back through assess and protect.

So, Kevin, what have we learned? Hopefully a lot; hopefully something stuck. At the end of the day, we've learned that US privacy and EU privacy laws have existed for decades and are continuing to evolve, and there's a rising tide.
So it's something we should all be concerned about. And hopefully you've learned that you need to integrate best privacy practices into all of your workflows, and plan to review these things continually. And if all this made sense to you, if you're like, "Hey, great, I got all this, old news, fellas," then please join core and help us write better privacy tools that will be useful for millions of people all over the world. It's just going to be a continually growing need over the years, so check it out. More people make better software.

And of course, I'm going to call back out the principles that Kevin had mentioned earlier. It's important to be transparent. It's important to collect little data. It's important not to store things that you don't need. It's important to keep your data safe. It's important to be accountable. It's important to write stuff down. I promise, it's probably about that simple. Oh yeah, easy peasy, right? And most importantly, you don't attain compliance, you maintain compliance.

So with that, we'll take any questions in the few minutes we have left, if your brain isn't totally melted. Yeah, and step right up to the mic so that the live stream can hear us.

You talked about WordPress core tools and all that. Do you know if the privacy team on WordPress has anything planned for, like, cookie policies and stuff like that?

Yeah, we spent a little bit, really briefly, in that slide about core talking about this.
It is on the roadmap. We have some competing priorities, because people have a lot of opinions on what we should do next. So if you're interested, at contributor day I'll be talking about privacy; come find me and we can talk. And if you're using some tools that collect a lot of cookies, like, say, Jetpack: Jetpack has a cookie policy builder that you can use. And hopefully we'll see more of those, not just in core but with all of the big tools that people use in WordPress.

Hey, this is not a philosophy talk, so I know that this might be out of scope, but I was just curious if you could go into a little bit more about what you see as the conflict between free speech and privacy, and why you presented it as that kind of dichotomy.

So this is a common framework within how people talk about privacy in the United States. We tend not to prioritize privacy. In practice, we need to prioritize both. So I think free speech is just as important. I went to journalism school and worked with publications; I care about the topic of free speech probably even more than I care about privacy, and I like privacy a lot. As a whole, what we need to do is to protect the space of free speech. It's why I work in WordPress; that's why I think we all work in WordPress, to an extent. And I think we need to continue to democratize publishing, whatever that means. So what makes WordPress better, I think, at a core level, are things like privacy tools, things like exposure of information about how these things actually work. It's training. It's keeping things in basic, simple language. It's documentation. It's preaching the stuff up here on my soapbox.
Hopefully it's not a soapbox. But, you know, at the end of the day, it's hopefully getting you just as excited about the same exact things that I'm excited about, and hopefully you incorporating this into your agency workflows or your personal sites, telling your own local meetups, telling your own local WordCamps, and hopefully making an actual impact that changes the things we really care about.

But yeah, the definitions of what's personal and what's private and what's, you know, public interest and what's speech vary. But the GDPR tried very hard to grapple with that, and the people who wrote it. There's a lot in there about exceptions for public interest and in journalism; it's about personal control and not about censorship. But it's a question we're going to have to keep answering. They're not in conflict, necessarily, directly, but they do definitely overlap and bounce back and forth.

Yeah, and calling it out: there are quite a few questions around who GDPR and CCPA serve and how the lobby structures work, and it's messy. This is not a simple topic, and if it's something that really affects you, I would say unpack it, ask the questions, try to learn about what the big companies are doing, what the small companies are doing, what the actual responsibilities are.

Question over here. Do you have any resources for setting cookie policies that we could go look at to set our own cookie policies?
For instance, I'm just about ready to release a plugin that sets two cookies with utterly anonymized information about a user, generically. Nothing in any way relates back to the user: no IPs, no nothing, just to record when they viewed the site. And if another person uses their browser, it would act as if they were the first person. And I need to know, do I need to set some policies about this cookie usage? And I have no idea where to go look.

That's a good question. To not get into specifics, you know, it's hard. But in general, the more anonymous your data is, the fewer requirements you have for things like, you know, opt-in and checkboxes and things in the EU. But it will definitely help you to write the things down, and that will also be something that the users of your plugin are probably looking for. It's like, "Hey, what are these cookies exactly?" If you can honestly say, "Hey, we only know the browser fingerprint," then it's good to say that publicly somewhere. Okay.

And additionally, sometimes there are things like shadow data. So recording times might actually indicate when someone logs into a profile; that might be useful for someone, that could be exposure. Understanding that data means something more is also quite critical.

And I think we have time for one last question, and then we need to wrap up.

So I'm coming at this a little sideways. I work for a web accessibility company, and, you know, the parallels between privacy and accessibility are always very striking. I mean, listening to the presentation, I was just like, yes. But, you know, in the accessibility community we like to make the parallel, because we assume that of course everybody accepts that privacy and security, like, you have to do that. But, you know, you had the example of if your manager doesn't think it's important, or, you know, in the US we don't really care about it so much.
I mean, do you find that that's the case, that convincing people to get behind these practices is kind of a struggle?

It depends. I think this is like the key driver for so many people. Like, I am a small business or I'm an agency, and a client comes to me and says, "I have X dollars," or "This is what I need." Or maybe I'm working for that company directly, which I've done in the past, and they say, "We only have this time on a roadmap. What do we do?" And they say, "We want to make more money." That's what they always say. But making more money doesn't do anything. Right? The question is what value you will ultimately deliver to a user; making money doesn't mean anything. The question is what will actually do the things that really move the needle.

So if you're talking about performance, right, like I mentioned this earlier, performance is the topic that we tend to lead with. But along the way we say, why do you really need to collect this? It's silly. It's not really going to help your users; it's going to make you become the slowest site in your vertical. In the case of accessibility, as you would know quite, you know, dramatically, if you have all the requirements for WCAG, you rank much higher. Google also indicates that when you follow these things you rank much higher as well. So I usually lean quite heavily on positioning and ranking as part of the factoring, performance as part of the factoring. And also, at the end of the day, ethically, we don't need our websites to suck. Like, we really don't. And we have the opportunity to argue for the things we care about, and if we do it by design, it won't be that way, by design. Sure.
Yeah, and I think there's always like a bare minimum you could do to just kind of get by on accessibility or privacy. But I think early investment means that iterating is really easy and really cheap. And I think for a lot of firms the GDPR has been clarifying. It's like, "Oh, it's really like dive deep on compliance here," and so the next thing will be less. And I think if you're just kind of doing the minimum, just kind of floating by and reacting, that can actually slowly become like a big time suck. And so, you know, if you have the time, of course, you know, time is in short supply in startups and things, but if you have the time, if you can make an early investment in these things, it pays dividends for years.

And it's funny, because the amount of times I've heard someone saying, "I heard about Section 508. Now I need to do accessibility stuff. Oh my god, everything's on fire." I'm like, well, you know, you've always had to do that; you just aren't following the rules. Additionally, you've always had to follow CAN-SPAM, you've always had to follow FERPA if you work in education, you've always had to follow HIPAA if you work in health. Like, this stuff is the law. So once someone finally realizes it's the law, they usually respond to it quite clearly, and it becomes the highest-value business priority, because shutting your doors because you're breaking the law is much worse than not making more money. Sure.

All right, thanks. Great. Thank you very much. Thank you everyone for coming and caring.