Hey, everybody. You haven't even heard me yet. Don't, don't get ahead of yourselves. So we're gonna jump right in, because this is an incredibly boring topic. At least it is for me. And I don't... is anybody here an attorney? You might find it interesting. Oh. No, no, but, like, you might find it interesting, but I don't think anybody else does. So, but we're gonna talk about GDPR, and how many people here are familiar with it at all? All right, cool, because when I've given this talk in the past it was right when it got enacted, and people kind of knew what it was, but, you know, really wanted to get into...

This is me. That's what I look like. That's where I work. The Twitter thing is just, it's a placeholder at this point, because they can't seem to get their white supremacy under control. But I want to go back to something very important here. I want to point out what my title says, so, more importantly, what it doesn't say, and I also want to point out the lack of letters after my last name. And those are important, because while I'd like to think I'm fairly knowledgeable of what I'm talking about, I'm not a lawyer. This is not legal advice. If you have any questions regarding this topic that you need to implement for yourself, please talk to the appropriate legal counsel for you or your company.

Now that we've done that, great. So really, first off, what the hell is GDPR? Because when this first came out, I thought it was just another four-letter, or three- or four-letter, acronym I didn't have to care about, remember that. But really, GDPR. That is a great government name for something that says absolutely nothing. But there's really one word that we care about, and that's data. This is, everything about this is about data, user data in particular. And that's why... data is worth a lot of money to a lot of people, and in particular we're going to talk about user information.
We're going to talk about personally identifiable information. And the way that the EU describes it, and we'll get into that a little bit later, is "any information relating to an identified or identifiable natural person." Okay, we'll get into that.

But we need to get, like, where, why are we here? Where we get here? How do we get here? So some of you may remember, some of you don't, but a long time ago, about 25 years ago, when the web as we know it started to begin and everyone started building websites, almost everybody had a focus on connecting people with other people. Because up until that point, if you wanted to talk to somebody that you knew in the past, you actually had to put forth effort, and you had to know where they lived, and you had to know their phone number and their mailing address, and you had to contact them in ways that were slow and hope they were home. And, you know, you didn't have to just search and click a button. But to do all that they had to collect all this data, and they had to figure out... Everyone just started handing all this stuff over, and, long story short, they, all these companies, basically said "trust us with your data," and we believed them. And that was a... I cannot emphasize how terrible of an idea that actually ended up being, because none of us knew what we were doing with it, and I put myself in this group.

So let's talk about the people that care about this stuff. So there's 92% of people, and I have the numbers and links for all this stuff, but they care about their online privacy. Okay, who's the 8%? Like, I don't know anybody who would answer no to this question if they use technology at all. So, great, that doesn't help us. This one's better: only about 31% of people understand what we do and how that data is collected.
They don't understand what that data even is. They might understand email addresses, they might understand pictures or address or credit card, but they don't understand cookies. They don't understand any of this other stuff. And this is a big one: about three-quarters of people have limited their online activity because of privacy concerns. So if you're building websites and you're creating client sites, the idea is that people are going to come to them and do whatever it is you want them to do on your site. To do that, they have, you... they have to trust you, and according to this, that might not be the case.

And we're gonna go into this, because all these com... we all know who these people are. Everyone's seen these companies, and they all have exactly one thing, probably more things, but one thing in common, is that all of them have had large data breaches. So we have eBay, had 145 million accounts hacked. We had Target with 110, JP Morgan Chase with 83 million, Uber with 57 million and 600,000 drivers. Yet Anthem, which is a health management, like a health insurance company, that's 80 million. Get Equifax with 143 million, remember that one? Yahoo with 3 billion people. And the thing is, the numbers only say part of it, because someone like Equifax, they had everything about us. So that's a lot of information that the other gets out there. Nothing really happened to any of those companies, by the way. I don't... maybe they had to pay a fine.

But so in steps the EU. Now the EU is always, and Europe in general has always had, a very different idea of privacy than we have. There was an existing law in the books, and the name I didn't write down, and it's a lawyer thing, but they took an existing law and they started to build on top of it. The whole idea is that users have rights that you as a site owner cannot take away. And for some of us that is an amazingly bizarre concept, because it's like, it's my website.
I control... not really.

So the first one is the right to be informed. This one is what you probably notice visually on a lot of websites that you go to. Part of it was that cookie law, which is a terrible name, but, you know, "yes, I agree to this, yes, I know what I'm doing." You know, all those terms of service that you don't read and then agree to. The idea that you have to now explicitly tell people what you're collecting, what you're doing with it, who you plan on giving it to. If you're gonna give it to somebody later, you have to go back and tell that person "I'm gonna do something new with this information that I didn't ask you about last time," so on and so on. Also, and we'll get into this a little more later, if you have a data breach, you legally have to tell the people affected. They don't have to find out. You have to tell them.

Now the second one is the right to data access, and this is some of the stuff that we might have probably touched more, at least on the development side. If I have data about you, you have a right to a copy of it, more or less on demand. I think there's a 30-day window maximum or something like that, but it has to be in a human-readable format. And that word is kind of vague on purpose, because depending on what the data is is what would quantify it being readable. But you can't just give them this huge database dump. You can't just give them a whole bunch of numbers on a spreadsheet and say "figure it out." Like, you have to give them what they ask for. All of it. You can't pick and choose. You can't be like, "oh, well, this data, we want this one for back here, but you, you can look at this stuff." It's like, no, all of it you have to show.

This is a big one.
There's a right to be forgotten. So another little story is I deleted my Facebook account in 2010, on their first privacy bug. We find out now that's a feature, but... So I didn't go to a college that had it, so I never really got into it, and so when the first thing happened I was like, whatever, I'll get rid of it. Like, my parents live close by, so they already see my son. And so I didn't have one for years, and I made a fake account at one point so I could do testing, certain stuff, when I was doing all the meta tags and all their Open Graph stuff. And then a little while later, so probably 2015, maybe 2016, I needed an account that was me, so I could use certain... I needed to log in to stuff. I needed to be able to use it to access other data that I didn't want to make another user account for, another service I might not ever touch again, and all that other stuff.

So I go to make the account, and it will not let me use the email address that I'd used on that account I deleted. And mind you, this is when Facebook actually said they deleted things. Now they don't even bother saying that, lying about it. But it wouldn't let me use my email address because it was already in their system, from an account that I deleted, at that point, say, six years prior. Still there. I had no idea. I had assumed that when I said "yes, delete this," they would agree to the thing that I just asked for. Apparently that was not the case.

So, long story short, the idea that something lives online forever is no longer true. You have the right to tell somebody, "get rid of everything about me." Analytics data, comments, reviews, even to a degree, or, you know, anything that, more, you know, order history. Yeah, you need the data for your books, but you don't necessarily have to know who bought stuff anymore. Ongoing, ongoing, basically anything about me, and you have it, I have a right to a copy of it.
I get a right to see it, and I get a right to make it go away. Now some of the stuff ends up in court, but, you know, the long story short is, like, data isn't yours. Doesn't matter if it's in your database. It doesn't matter if it's in your cloud. It doesn't matter where it lives. It does not belong to you. At best, you're leasing it. And that's the thing, and this is actually a philosopher, is also a good friend of mine, but that's the thing: it was never ours to begin with. We collected all this stuff. We never scrubbed it. We never verified it. We never validated it. We just started collecting it. I know for myself as a developer, I would just collect stuff. I'm like, "this might be useful." Yeah, I didn't think about it, really.

But we want to talk about why does this matter, like, why should I care? And this is always one of my big questions, is, like, I have a limited mental bandwidth. Tell me why I care about the thing you're talking about. So who here knows who this guy is? All right, so this guy's name is James Liang. I probably mispronounced his last name. He, I'm sorry. He's sitting in prison. He is a developer. He worked for Volkswagen. He was one of the developers that built the systems that were cheating emissions testing for years. They got caught. Notice, yeah, he is not the lead developer. He is not the CEO or the CTO. He was not even the decision-maker. According to the New York Times, he was, they made it a point to emphasize, he was not the ringleader. He was, quote-unquote, doing his job, and that job put him in jail. So the fact that we're just building what we're asked to build isn't a valid excuse to be building what we do.

So, cool. Maybe, hopefully, possibly, I might have a little bit of attention. So what are we gonna do about it? So, like, how do we approach this? Why do we think about it?
Because again, it's, it's a different way of thinking. It's something that we've never really approached. So the EU defines data differently than we do. In the US we say any information relating to identify, you know, but very specific. It's like, it's got to be, you can look at this one piece of data and know that it's me. So, like, my email address is my name. You can probably figure out that's me. Maybe some other stuff, but, you know, very specific. Whereas the EU understands context, and they understand data aggregation. So they say anything that pertains to me, which might in and of itself be something that you wouldn't even imagine is useful, but again, all this stuff getting rolled up.

So when I look at these, it's like, all right, maybe political opinions or beliefs, some of that stuff might end up in, maybe, I don't know, comment threads. But more or less, like, I'm not collecting this data. I don't want to know this information about people, frankly. But now we get into some secondary stuff, because they, again, they added on top of this. We're like, genetic data? I don't have any of that. I have my own, like, 20, that 23andMe. There's genetic data, you know. Biometric? A lot of people, especially corporate stuff, they have fingerprint readers. They have, you know, YubiKeys and all that stuff. Oh, location data. Well, I store that. Every time you log into the WordPress dashboard it pulls an IP address, and that's why it shows you events in your area. Pseudonymized data? I probably got that, but it's pseudonymized, I'm not sure. But the last one there, and that's the big one: online identifiers. Because again, that's another word that doesn't mean anything. It's like, okay, why? What about online identifiers, why do I care about this one? Because we're gonna dig in. IP addresses, mobile device IDs, RFID tags, MAC addresses, cookies. Yeah, how many of these things are on the WordPress tables right now?
I think all but RFID tags. And we're, and again, this is just being collected when you log in. This isn't even being used by anybody. This is core WordPress. This isn't a plug-in. This isn't Google Analytics. This is, this is the stuff we hold on to. Email addresses, avatars, again, all of this stuff gets pulled in, and we're holding information about other people.

So yeah, this applies to everybody. This is the first big thing. People are like, "oh, well, I don't have to care, you know, I'm not a big thing." It's if you do business with the EU, anybody in the European Union. So a side note of that is, I get this question every time: can I avoid this by simply not selling to somebody who lives in the EU? Technically, maybe. Good luck figuring out where they live. We have route... you know, you have Tor, you have VPNs, you have people that are on vacation, any number of things. If they live in the EU, you're abiding by that rule by selling to them. And then the other question I always get is, can I have people just agree not to do this? Kind of like, you know, we're like, "oh, yeah, sure.
I'm 18." No, you cannot ask somebody to willfully break the law in a place that they live. That is not a valid thing that they can do. So no, you can't really get around this, and furthermore, we'll probably see this in the United States soonish. Because for certain companies it doesn't make any sense for them to segment their users. It doesn't make sense to build development stuff for one group of people but not somebody else. You have to build an export tool, you build an export tool, period. Some other companies, you know, we'll get into more of it later, how they're applying it, but, uh... But yeah, it applies to everybody. They have gone out of their way to say it doesn't matter how much, doesn't matter the size, it doesn't matter any of that stuff. It matters to you.

So the first part is being a data controller, because there's two main parts, and I'm not gonna go too, too deep into this, because, you know, it's basically, data controller is gonna be: you decide what gets collected, you decide how it's used, you decide how it's shared. The other one is gonna be a processor, and that's basically everybody else, that they do analytics on it, they do, you know, Jill glue, you know, follow-up drip emails, all this other stuff. And you're trying to figure out which one you are. You're probably both, in some, in different arenas you're gonna be one and in others you're gonna be another. You know, you're very well doing both of these things in some way, shape or form.

Now this is where everything boils down: we need to start building things with privacy first, not added on after the fact. I've been as guilty of that as everybody else, in that, "oh, I've finished the thing I need to do, now let me make sure it's secure, now let me make sure it does this." No, the other way around now.
This is not just another nice, cool word. This is actually a seven-point design methodology, sorry, development methodology, and this is actually required by the EU for what they call data-intensive projects. Again, I don't know what "intensive" means, because depending on what you're doing is how much that is. You have to have this document. It's a living document. It has to outline who has access to data, what data is being collected. It has to be done before you start. So this is basically part of your scope now, and part of your discovery, and furthermore, regulators can ask you for it, and you have to have it ready.

So yeah, you need to know everything. If nothing else matters, if everything else I've said is boring, that's fine, but you need to know what data you are collecting. If you are developing a site, you are responsible for knowing what comes into that site. Now yes, obviously people can install plugins and do stuff after the fact that you have nothing to do with, not understood. But as a site owner especially, you have to care about this. You need to know what comes in. You need to know what goes out. You need to know what's being stored, where it's being stored, who can see it, what can be done with it,
everything, and I mean everything.

So this is the other thing that you have to legally have, and this is a privacy impact statement. And this is the thing that needs to be documented, everything, basically. You need to say what could possibly go wrong in terms of data collection and privacy. You need to say "this might be bad," and outline what could be bad, and outline what you're gonna do about it, and everything from there. Now, I can give an entire talk on this thing and it would be even more boring than this one, so we're not going to.

But again, the important thing is this is not done. This law as they've written it is still evolving, because they understand that technology moves at a pace that law does not keep up with. So they've written the law in such a way that they can constantly add and modify pieces to match what the technology is now doing. So, like, they've now added in parts about voice data that they never had before, because when they wrote this thing, voice search didn't exist yet. Who knows what the hell, the eyeball search could be a thing lately, I don't know. None of it, you know, I wouldn't have bet half the things we have now were gonna be things, so I'm not gonna guess what it is, and neither are they. So you can't loophole out of it, like, "oh, well, it was this one other thing." No, they're still trying to collect everything in there.

Now some of you are probably like, "well, yeah, they're not gonna enforce this stuff, because why, they make these laws and they go, they do it to punish Google, and that's fine." But yeah, they do enforce it. In January of this year France fined Google 57 million dollars, which, again, to Google is nothing, but fined them 57 million dollars for not, you know, for not complying. And that was not the max that they could have charged them. They could charge them more. They can charge you up to, I think, 4% of your gross, or, like, some number, like, they can really, really hit you hard if they want to. And mind you, this is France.
This is not the EU. So individual countries can all come after you for GDPR if they really want to, and if you're big enough to touch that stuff. But then you're like, "all right, cool, I'm not Google, I'm not Facebook, I don't care." Well, the first company that got a fine, and this was in Germany, they got fined 20,000 pounds, which were, I mean, a euro, were those in real money. And this is a data breach that happened in the summer of 2018. They did everything right. They notified their users right away. They locked down all the data that came out. They had been, they had their impact statement. They did, they followed the letter of the law, and they got fined because of a data breach. Because apparently whatever the data breach was was something that they possibly could have avoided, or, I don't know, again, I don't, you know, there's whole companies that focus on this stuff. But the point being is they're gonna come, and they don't care who you are. They don't care how much money you make or don't make. They don't care how many things you sell. That is irrelevant to them. The only thing they care about is user data, and the only thing they care about is keeping that protected.

And this is the last thing. We, you cannot claim that you just don't know. There's no, there's no way to be working in technology and not be aware of all the issues surrounding security and privacy. It's literally impossible. Furthermore, many of these tools, and again, I could put myself in this thing, we built them. We had a hand in it, so we know how they work. I mean, we know more than most. We have to care, you know. Again, it's another thing on a list that I have to care about that I didn't have to care about before. That list keeps getting bigger and bigger, but this is one of the ones I actually kind of agree with, because I want my stuff secure. I want my stuff safe.
I want to choose what information is made available to other people. I don't like the idea that Facebook knows more about me than I know about me, and I don't even use that service. If you ever want to get really creeped out, Google "Facebook shadow profiles." That'll make you feel good.

So first off I wanted to say thank you, but then I want to get into questions, because I usually get a lot of specific questions. Maybe I won't this time, but who's got any? Yes.

I think I know what you're getting at. So the idea that we have to keep getting ongoing consent, that is a, again, this is a totally different idea from the US to the EU. I like their idea better. How many, you, like, because every single time Facebook changes something I have to log back in and turn it off, because I don't use it. Yeah, you are not allowed to opt in people automatically, at all, for any reason, anymore. You cannot check a box for them, period. To what, that's the question. That, that says you cannot just say "here's a blanket terms of statement that I might change at any given point, you're just blanket agreeing to." See, that's what you can't do anymore. That's, you say "I want your information for X, Y and Z," and that's, so if you add A, B and C, you have to go back and get their consent again. You cannot opt them into new choices based on what they signed previously.

Okay. Okay, okay. Have you changed your terms of service between today and tomorrow? Then you don't have to opt in again. See, the cookies thing is different, because those get set every single time you go and load a browser. So that stuff needs to get consented every time, because you're literally changing the data every time, and those cookies now theoretically contain different information based on what you've been searching and going site previously. But otherwise, yeah, you just can't, you can't opt in people for your stuff anymore. Now, I do want to be clear, none of this law says you can't collect it. You can still collect all the data you want. But you have to tell them
you're doing it. You have to ask permission. Just like we, I tell my son, if you want something you have to ask permission first, even if I've let you do it in the past. Same idea. You have to do the same thing. You have to keep asking permission. You don't have to ask them permission to do something they've already agreed to, but you cannot use that previous agreement to do something new, if that makes sense.

So, so the idea being is, like, what, and her question was, what are your responsibilities in terms of collecting data and knowing what you're doing with it? The biggest question you want to ask yourself is, first off, after you've figured out what data is coming into the site, what's being stored, because I'm guaranteeing there's something stored that you don't know about. I learned that myself too. After you get past that is, do you need it after the fact? If you're running a little giveaway to, you know, you're collecting a name and an email address to give away, you know, say, give away a book. Once you've given away that book... Now, if you had them going on to a mailing list, they would have had to do all the consents up for a mailing list, but otherwise, delete that information. You don't need it anymore. Like, holding on to all this data about people that you're not even using is a privacy issue waiting to happen, that you could have avoided by simply deleting it.

Like, at one point there was an open-source analytics platform that I put on my own site. It used to be called Piwik. I think they changed the name of it. I forgot I set it up. I installed it. I promptly forgot about it.
It ran for five years, until I realized it errored out because they'd finally discontinued the thing that I was using, and that's when I realized, like, oh, wow, I have all this data. So I just deleted it. Deleted the tracking script, and I deleted the entire self-hosted platform. That data no longer existed. I now removed the privacy issue that could have happened, because now the data doesn't exist. So yes, there's the, you know, only keep what you need, and make sure you need it. Like, validate why you need it.

I mean, if they're doing, you, I mean, most of the time there's some specific language that you'll see in a lot of the forms now. We'll even add that for you. But if you're only putting them in a bucket to pick one, and then you're deleting the bucket, I would, again, not legal advice, I would say you're fine. Now if you're adding people to a mailing list, you're gonna try and market to them later, that's a whole different story, and that's something that, yeah, you would need to make sure that you have the ongoing consent. Any other questions?

So, so her question was, she had used a plug-in that had kind of gone, like, a walkthrough, like a wizard, saying, you know, pointing out where she may or may not be vulnerable or what she has to do. That's a great start. Honestly, I did not know that existed, and I'll talk to you afterwards. I'd like to see that. But anyway, yeah, well, we'll go late, you know, later on, but, um, you're probably better off than most. I'd say that right up, right off the bat, you're probably better off than at least 80%, because most users have no idea. But after that, you know, you're, you know, you're running analytics, you're running all these things, you know, if you're aware of it, that's, you know, 'cause yeah, you can't control what Google does with the data.
That is not your responsibility. You have to make sure that people know you're giving it to Google. That's where your liability comes in for something like that. It's not that you have to tell Google what to do, because yeah, I don't think I can pull that off either. But I have to tell people, "hey, I'm letting Google know what's going on on my site." And again, most people don't care. Like, we're still waiting to find out if people actually care. Because there's a whole lot of things where we're like, "yeah, I care," until I actually have to do something about it. Maybe my hand goes down a little bit more. So this could be something that only a few people care about, but governments care about it. They have a lot of money and they can make people pay, and that's really the only thing. Like, I mean, I would not want to, you know, I don't like dealing with anything legal. This is another thing I'd rather not deal with, for information that I could, you know, for things that I could very easily avoid.

You know, just know what you're doing. Don't just throw scripts on a site 'cause someone asked, marketing asked for something. Not to disparage marketing people, but make sure they validate why they want something, whoever they may be. Push back a little bit. Be like, "why?" Just, just say "why?" You know, "we need it for the net promoter score." Like, I don't even know what that means, but yeah, okay. But just make sure that they also understand this is the liability we're taking on as a company to have this information. Is it really worth it? Because I think, for, I can only speak for myself, but a lot of the data that I've collected and tried to figure out what to do with, it's just not good data. It's scrub, you know, it's coming from every which way. It's not clean. It's not... Yeah, I can't validate that it's actually accurate.
So I end up throwing it away anyway. So it's like, yeah, figure out what you want. Figure out, we're trying to decide what you're trying to figure out, because then you know what to collect. Like, again, we always just grab stuff in the beginning and hope maybe we can piece it together when we're done. It's got to be the other way around. You know, figure out what you need, ask for it, and then just make sure, you know, you have that, you know, now sites know, "yeah, this is what I'm doing."

Will people keep just clicking yes? Always. You give them a button that says yes, people will click yes. Doesn't matter what it says in the box. So, like, I don't know what I've told Apple I've agreed to. Have no idea. Hopefully it's nothing bad. But is there any other questions?

I think a big part of that problem is, and I'll use Facebook as an example because they're really easy, they have, that they have a whole set of data about me. There's a recent article, another recent article talking about it, where the, the designer from Google, from Facebook, right, talked about it, is like a voodoo doll. Every bit of information
they get about you is adding into this little doll, so eventually they know what you're going to do. So they're not listening to you on the phone yet, you're just that predictable. And, and it's creepy to think about it that way. The voodoo doll really kind of makes it an extra level creepy. But I can't request that data to get deleted, because I didn't give it to them. They got it from somebody else. So I think a lot of the, like, the data that I want gone most, I have no access to, and the EU still hasn't figured out how, basically, they still haven't figured out how to crack Facebook yet. They're working on it. But they don't know how to get the data about you back in your hands, because you didn't give it to them. They collected it on their own, using whatever means they used, which means maybe you gave them my information, because you installed Facebook Messenger and it synced your contacts. So now you have, and so now Facebook has my name, picture, address and email, even though I never gave it to them. So now Facebook knows where I've lived, probably, in my entire life. They have every phone number I've ever had, every email address I've ever had, because somebody had it in their phone and turned on Facebook Messenger.

So I think, I think what will happen is, once that data, once people realize this, they can do something with it. Because right now it's like, yeah, I know, get all that information, but I can't... the only thing I do is I pull my Amazon stuff, because I'm curious how much money I'm wasting. But otherwise most of that information is not relevant to me. I don't care, but some people do. But I think once that information and data actually has some relevance, people can do something with it, they'll start asking for it a lot more. Or if there's a big thing, news, breach, or somebody, you know, somebody uses information to find somebody they don't, you know, stalk somebody, which is a terrible thing. Now people are like, "oh, wait, what information exists on me?" You know, like, I think a lot of times people will
start caring when it starts, like, hitting home. Or speak otherwise, they're like, "yeah, that's a problem, but I gotta take the bread out of the oven." So Z's. Oh, but, uh, thank you. I will take, yeah, we'll take a look.

Probably what you're already... and his question was, like, how do you handle taking incoming stuff to do ongoing, like, drip marketing and things like that? Probably what you're already doing. Because you're, like, if you're using anything like Constant Contact or Mailchimp or any of those ones, they're putting in unsubscribe links. They're taking the information about, you know, if you unsubscribe, they'll be like, "why?" Like, "I never signed up for this." They keep, they see enough of those, they will shut down your account. Usually, "I'm, by submitting this, I'm agreeing to your privacy policy," and there's a link to the privacy policy. That's, that should be sufficient. And again, it's like, if you're telling people what you're doing, I think the way that you tell them, as long as that's not opaque by design, is probably going to be fine. Like, there's not a lot of language about the particulars of how you need to present something to somebody. It's just that you have to do it, because for us, that's the big hurdle. It's not what words to use. It's to even bother asking.

And I think it's the last one now. Well, that's, um, and they're, she's asking: a lot of websites you go to, you have the consent to cookies. That was a law first, again, from the EU. That was what they called the cookie law, which was kind of a dumb name, but it was, that was where it started, and that's, that they're already expanding on. That's why a lot of, all the WordPress, all the WordCamp sites you go to have the same thing, because it's built into .com. Yeah, you're basically saying that, yeah, a cookie is going to get set. It could be a login cookie. It could be whatever. You can set your browser to clear those every time you close it.
You can have them delete over 30 days. Like, that, again, you're going to see those everywhere. But then you come... There's probably, there's probably plugins, there's price stuff. I wouldn't be surprised, I would not be surprised if core turns that into a feature. I know that they're just making sure that they build the structural stuff for privacy before they build the bells and whistles, because I've been working on that stuff for core as well. So, like, they've already, they've been working on the stuff for a couple of versions now, but I know that they're focusing on making sure they actually structurally build it right before they make it pretty or even visible. So... Oh, yeah, yeah, there's stuff about purging people out and everything else. So there's actually ways in there. But, but otherwise, yeah, again, you're going to start seeing a lot more of this stuff coming up, and it'll be like, "oh, yeah, I have to agree to one other thing." Just, just pay attention to what you're clicking on.

Yeah, I think we have... Cool. Yeah, you all can talk about, talk about that afterwards. Thanks. Any other questions? Yeah.

So, yeah, I apologize. I, um, this question was about the privacy by design. I apologize, I mixed the two. There's the impact statement. That's what's required. That is the document that has to say who has access, where the access is, where it lives, what you're going to do to mitigate these problems. That's the impact statement. I apologize, I got the two... The privacy by design is the methodology, and that's basically approaching something by privacy first. Figuring out what you're going to do to protect users before you write a single line of code, because otherwise it's a, it's an add-on at best. It probably won't work that well.

So I think that's it. So thank you very much.