 Thank you, Steve. Hi, everybody. We're talking about GDPR today and how much fun it could possibly never going to be. And in particular, I'm going to focus on how developers need to think about and start interacting with what they do with users. And if anyone's curious, I'm not going to do any deep dive code stuff. That's not what this is about, because we don't even know how to think about this correctly yet. So we can't really code it. But that's me. That's what I do. That's where I work. That's the Twitter thing. If you have any sort of content filtering at work, don't open it ever. But actually, I want to jump back real quick. I wanted to point out what the title says and the lack of letters after my name. And that's on purpose, because I'm not a lawyer at all. This is not legal advice whatsoever. If anything, this is a primer because we don't know how to think about this yet. And we've shown that, and we'll go into some of that stuff. But first off, what the hell's GDPR? When you start it, you look at it, you're like, OK, general data. Those words are so nebulous, they don't actually mean anything. That could mean whatever you want it to mean. Like most laws that are super vague and they make it that way on purpose. But really, data. Data is the only thing that they're talking about. And why? Very easy. Money. Data is worth a lot of money. And we've seen some of that stuff happen recently with all the stuff going through. But essentially, that's what they want. This is all about personal data. This is all about user data. The problem was all these companies said, trust us. And we did. And it was a terrible idea. I can't emphasize enough how bad of an idea it was for us to just blatantly hand over all of our information so we would know when somebody's birthday is. Because that's really what we did. And we did it knowingly, sort of. Now the first question that there's been a whole bunch of studies getting ready for all this stuff. Initially it was saying that 92% of people care about their online privacy. I can't imagine a way of framing that question that you would get a no. Because that doesn't actually mean anything. Because, of course, everyone's concerned about their privacy in some way, shape, or form. I don't know what those 8% were. Maybe they live off the grade or something. I don't know. But this one is bigger. Only about 31% of people understand how companies are collecting and using and sharing their information. If they even know it's happening. Some of them are vaguely aware that it happens. And if some reason it's like, oh yeah, I was talking about this with a friend. And then I saw it on Facebook. And it's like maybe not quite like that. But sort of. But they really don't know what happens to it. And this one is kind of big for us. Because, obviously, we're building websites. And whether it's e-commerce or anything else, we want people to show up. That's why you make the site. So yeah, 34% of people, and I have the links. And I can give that stuff later out to where all these numbers came from. I promise I didn't make them up. But they're already limiting what they do. And now looking at these, all these companies have in common. And if you're wondering about it, yeah, they've all had large data breaches from the last two, three years. eBay had 145 million. Target had 110 million. JP Morgan Chase had 83 million. Uber had 57 million users and 600,000 drivers. Anthem, which is a huge insurance company, had about 80 million. Equifax, which we all remember that one. That was about 143 million. But that was all financial data. The user number only tells part of the story because it really depends on what they were holding on to. And then we all remember Yahoo with 3 billion user accounts hacked. Many of these we didn't find out about until years later. Like some of these ones on that list happened in 2009, 2010, and it came out in 2015 that it happened. Usually because somebody else mentioned something. So there's a reason why they're concerned about their privacy. There's a reason why they're concerned about their data is because none of us can do anything good with it. Like nobody involved is doing anything about it. So we look into it. Here comes the EU. EU comes in and they take an existing law. It was the, which again, I'm not a lawyer, which law wasn't really important. But the point being is that they extended what was already a framework in place. And they made it more robust. And they made it more, they made it cover everything, really. But again, the whole point was now users have rights. I know for me, and I'm not going to speak for anybody else, I have never really thought much about the data that I was collecting as I was building something. It didn't really cross my mind that it was a thing that was even owned or had any value or something that I would even worry about. Analytics, sure. People pay attention. I don't, but people do. E-commerce data, sure. I mean, again, it makes sense. But I never thought of data as a tangible thing. And that's the biggest thing that we aren't really quite there yet. And it's really surprising for people is to even think about data that way. Because there's three rights. And the first one is the right to be informed. Essentially, this means you have to explicitly tell every person on your site what you're collecting, how you're collecting it, where you're putting it, what you're doing with it, who you're sharing with it, all of these things. They have a right to know that. And again, and none of this is going into whether or not you should. I personally, I love these rules, but I get not everybody does. But that's for you. You have a right to know what's going on. Because it's you. And again, that's the whole mind shift, where it's like it's you as a person. You have a right to know what's going on. Whereas in the US, we don't treat users as people. They're numbers. They're IDs. They're aggregated data of something else. But in the EU, they're people. So the second part is right to the data itself. And this is something that Core started to introduce a framework in 496, is if I've given you any data, I have a right to a copy to it in a human readable format. Now that is vague on purpose, because depending on the data would be depending on how readable it might be. And comments, reviews, order data, obviously. Analytics, tracking data, cookies. It gets into a whole lot of stuff later. We'll go into what some of those things actually are. But if you have it about me, I have a right to a copy of it. On demand, basically. And it has to be all of it. You can't pick and choose what stuff looks nice. And you can't make it so nebulous that it doesn't make any sense. Like it has to be something that you could pick up and be like, I have an idea of what you're doing with this. And the third one is a huge thing. It's the right to be forgotten. And this was the thing that the original rule that they began to extend from the late 90s was essentially the right, we all think once it's on the internet, it never goes away. Not always. You have a right to go to a site that has information about you in the EU. If you're in the EU, I need to focus on that. Not if the websites in the EU, if the person is in the EU, to say, delete everything you have about me, gone. You're probably thinking, how can I verify that? You can't. I have no way of knowing that they've done it. However, I do know that I deleted Facebook in 2010. And there's a little side story. I didn't go to a college that had it, so I got on late, and it was never really dealing for me. So after the first privacy thing back in 2008 plus years ago, I got rid of it. A couple of years later, I had to make a fake account for doing web work to test all the meta tags and all that stuff. So I made it with a fake name, fake picture, the whole nine, all the data. And then another two years later, so it's probably like 2015, 2016, I couldn't log in to certain services without Facebook. And they're ones I wanted to use. And there are services I wanted to try out that you could use Facebook so I don't have to make a new account, so I'm like, all right, I made an account. It's me. It has zero friends. It has everything turned off. I have to constantly log in and read disable a whole bunch of stuff. However, when I went to sign up, it would not let me use the email address that I had made my first account with back in 2006, 2007, whenever I had, because it was still in their database eight years later. And this was before it was a deactivation, where they actually said we're deleting your account. But apparently they didn't, because they already knew that I had an account and thus couldn't use the same email address. I had no clue that they still had this stuff. And if you really want to start feeling weird about it, just look up the article about Facebook shadow profiles on people. Essentially, they have one on everybody that has nothing to do with your real profile. But the point is everybody's aggregating this stuff. Everybody's collecting this stuff in the US. And we don't know what they're doing with it. So if you remember absolutely nothing, and I mean nothing about this talk other than this, is that the data simply doesn't belong to you anymore. It never really did. We in the US have treated data as something you're giving me. It is mine now. I can use it, sell it, repurpose it for whatever I want without telling you anything. That was the biggest part. It wasn't that I was doing everything with it. It was the fact that I never had to tell you about it again. And that's just simply not the case anymore. You can't do that. And it's not how the US thinks. It's certainly not how marketing departments think. When we get to the question part, there's going to be some stuff coming up. And it's just one of those things where you think about it, you never had it. You collected it. You sent it this way and the other. You barely, if ever, validated it. You didn't run it through against anything else to figure out if it was relevant or if it was accurate or if they were running a VPN or if they had something that cleared cookie. We just accepted all this data and just passed it on to everybody and never really looked at it again. We never considered the ownership of the data we were collecting along with our software. We just figured we needed this to do something else. So at this point, you may be saying, why do I care? Why does this matter? This sounds like a bunch of legal stuff or some marketing stuff. None of this applies to me. And I thought exactly the same thing. I think everyone remember VAT, the thing that none of us care about. Yeah, probably as we'd be wrong about this. So that's James Lang. I may have mispronounced his last name. He's an engineer. Is anyone familiar with who this is? He is in jail because he was one of the main engineers for Volkswagen who created the system that was cheating all the emissions tests they all got busted for and they had to recall stuff. He's doing 40 months in real prison. He was not the director. He was not the CEO. He was not even the lead developer. He's in jail. Now obviously we're not trying to commit fraud, hopefully. But he wasn't exempt. He didn't necessarily make the decisions that he implemented. But he implemented them. So he's liable. And even in the point, they made it a point in the thing to say he was not the mastermind. Whatever that may be. So maybe I have your attention. Again, it's after 2 o'clock. I'm tired. I could use more coffee, but not stuff here. So what am I going to do about it? What do I do? It's all right, great. All right, now I'm worried. How do I handle this? What do I do? Do I revamp everything I have? Do I have to totally throw away everything else? And probably not. Earlier I talked about data and personal data. Now the EU defines personal data differently than we do. We say personally identifiable information. That's a very narrow definition of what falls into that category. Essentially, you can look at one piece of information and know it's me. Whereas the EU simply says personal information. They leave it vague on purpose because they understand context and they understand the aggregation of stuff. Yes, everyone's taking one piece, but they're all taking it to be able to build one big thing. You should know about the big thing. So these first things, you're like, OK, racial and ethnic, political. I don't have data on this for any site I've ever built. I don't think. Unless maybe it was a site where they political stuff and they were commenting. But again, none of this data is anything I'm collecting. So I'm like, cool, I still don't care. But then GDPR expanded it. And they added this, genetic data. OK, I don't have that. But there's stuff that does. Biometric data. I've never built a fingerprint reader, but I'm sure they do. Location data. Oh, I store some location data. Data with pseudonyms mean like a username on a comment thread or the word online identifier. Some of my tattoos could be considered online identifiers because I've had them long enough. But what does that even mean? Don't worry, they went into it. IP addresses, mobile address. Mac addresses, RFID tags, user IDs. How many of these things are stored in the user table in WordPress right now? Probably at least three of them, depending on what you're doing, maybe more. Or at least in the user meta. So this does apply to us. And I wanted to focus on saying doing business with the EU. That does not mean the European Union as a governing body. I've never sold them anything in my life. However, I have sold plugins to people that live in the EU. By accepting their money, you're agreeing to what they're doing. Now, to answer that question right away, in theory, right now, yes, you could prevent everyone from the EU from buying something from you. And you wouldn't have to care about this yet. Eventually, you probably will. And again, it will get a lot harder to figure out who's in the EU. Hey, I'm not even sure what countries are in it anymore. But also, just because people running through VPNs and they especially if you're not collecting address information, it's like, remember the whole thing when we were kids? Like, yes, I'm 18. Yes, totally. You can't just throw up a pop and be like, are you in the EU? And you say, no. It's not going to apply. And it applies to everybody. And this is very, very specific. They say, it does not matter how big you are or small you are. One employee, 100,000 employees. You made $20 selling a coffee mug. You make billions of dollars and make people work in sweaty factories. You could be Amazon or you could be somebody else. It doesn't matter. Literally, the same rules apply. There's not even grades of difference for size. 100% same rules. So there's two main parts. There's data controllers. And that is who is deciding to collect the data. They're holding the data. They're passing the data on. They're doing something with it. The other half is going to be data processors. And that's something that you, as the data controller, pass the data along too. And again, think about most analytics platforms or retargeting, things like that. If you're curious about which one you are, very likely both, some more than the other. But you're most likely involved in both of this to some degree. Now, this is the biggest part about it. It's called privacy by design. Now, this is not just a nice, cool thing. This is literally a document that exists. It's a seven-point development methodology that was put together that essentially outlines how you're supposed to build something with privacy in mind. It's not added after the fact. For a lot of things that we do, we build what we want to build, and then we're like, oh, yeah, we better make sure it's secure. Oh, we better make sure it has privacy. Oh, we better, no. You turn it the other way around. And there are whole articles on exactly what that means. Heather Burns, who lives in the UK, a member of the community, has been doing fantastic work on it. And given that she lives in the EU, at least for now, with Brexit, but even actually, we're a side note. Even with Brexit, the Britain has already said they are going to follow along. They have an identical law in place that will match GDPR. So they're still doing it even if they end up leaving the EU. But the point being is that she's doing some fantastic work. She did a whole thing on this privacy design. It's worth reading if this is something that is relevant. I'm looking at a lot of the stuff she's wrote in the EU. She is a lawyer. She's a real lawyer. But as far as you need to know, again, like I said in the beginning, I never really paid much attention to what I was collecting, to what I was doing. If I had an ad network running, I didn't necessarily ask them what they were doing with data. I just was oblivious to it all. And you can't be oblivious anymore. It's not an option. So one of the biggest things to do, because again, I'm not going to deep dive because what data you're collecting influences how you need to treat this whole process. So the very first thing that I would ask, and you need to ask by looking internally, is what are you collecting? Do you even know? Many people, the answer is no. Or they know some of it. From there, you need to think, do I need this data? And this is where you might run into some disagreements with other, especially in larger companies. Again, I'm not going to disparage marketing people regardless of opinions. However, they want that data really bad, because that's how they figure out a lot of the metrics and scoring, which I know nothing about because I ignored on purpose, but they want that data. They might not get it anymore. And if they do get it, it's not going to be complete. Again, there's no real way to scrub it and verify it because you have to ask everything. The other thing you need to realize, you can't opt in people automatically for anything. You can't auto-check those boxes. You can't put them on your mailing list. You can't send them news and updates about new products. You can't do any of that stuff unless they said so. And they can turn it off whenever they want. Now, someone asked me a question earlier. Could you get around this by essentially forcing people to agree to ignore it? Kind of like you go to a site, by using the site you're agreeing to the terms and service that you're not going to read. The answer is for all of Ten's purposes, no. You can't say by using my site you're agreeing to ignore the laws of where you live. You can't do it. But again, this hasn't been tested yet. But you need to know everything that is coming into your site because ultimately you are responsible for it. Now, this is a big thing. This is called a privacy impact statement. Again, it's a very nice, corporatey word that doesn't really mean a whole lot. Who here has done any sort of larger discovery process for clients or for internal projects, whatever the case may be? Think of this as another part of scope and another part of discovery. This is something that, especially, I mean, they say it's a requirement for data intensive projects, but they don't define what intensive means. So essentially, if it's data about people, it's probably data intensive. But it needs to have, it has to be actually documented before the project starts. Everyone involved with the project has to have access to it. It's essentially supposed to be a quote unquote living document. And regulators can ask you for it if something happens because one of the other parts of GDPR with the right to be informed was kind of like a subnote is if there's a data breach, you have to tell them. Like basically right away. You can't hold on to it and try to massage it and figure out like, or worse yet, do what Uber did and try to hack the hackers to get rid of it. But I can give an entire talk on just this topic. Because again, it goes into what are you collecting? How are you collecting it? It would be even more boring than this talk is. So I'm not going to. But the whole point being is you need to know, again, what are you collecting? How are you collecting it? Who are you giving it to? What are they doing with it? So this includes your mailing list signup. This includes any sasses that you're running stuff to. Obviously your analytics. Once you actually start looking at it from that level, you realize how much data we really collect and just as a pass through. So by doing this statement, you can do these sort of things on existing, you probably should, do these on existing sites as well. Is kind of go back and step through like, okay, what am I actually doing? And figuring out like on one of my sites, I forgot that I was testing what used to be called Pickwick, that analytics program. I don't know what they call it now, it changed names. But it was still running. I forgot about it. Years, like I don't even think I ever logged in to look at it. But I installed it and set it up. But I had no idea I'm clicking this data. Now the solution for me was to delete the tracking script. I didn't need the data. I got rid of it. I deleted the entire, because it was self hosted analytics, I deleted the whole thing. It doesn't exist anymore. Furthermore, I go through and make sure, I just keep an eye on things. What are you collecting? Contact forms, that's personal data. How are you storing your contact forms? How are you storing, again, we don't think about it that way. We've never thought about it that way. The EU has always thought about it that way. They just have a fundamental difference in what they view as privacy compared to what we do. And a big thing about it is, oh, well, can I just ignore it? Probably not. You're gonna see a lot of large companies that do business everywhere that are just going to implement this for everyone. Because essentially it's more work to try to segment out all these different people and create tools for one group, but not for another. Because the development time is the same. If you need to make an export tool, you make an export tool. It doesn't matter if you have 10 users or a million users. It's the same export tool. So the biggest thing again is gonna be e-commerce, because that's where you're collecting the most data. So if you haven't done one of these, or anything, again, probably not called this, but if you haven't actually run through your e-commerce site, or any site where you have a lot of users, and you don't know what you're collecting, you should, because they're gonna start asking for it. We don't know how many people actually care about this. Because again, that whole 92% thing, it's such a vague number and essentially a baseless question that we don't really know how many people care. We don't really know. Because also GDPR is still evolving. They're not done. They, remember the cookie law? It was from the 2002, basically the whole thing, anytime you go to a site, a UK site, you go to the Guardian. It's like, we're using cookies, they're extending that law as well. They just weren't done with it yet when GDPR was getting enacted. So they've already said it's going to work with that framework, but they're still writing it. Now again, who knows how long that'll take. But they're not even done. So they're still finding more ways to give users back to their privacy. Because we took it. As a developer, I'm culpable as everybody else. Whether I thought about it or there's no Malice involved, I'm still culpable. I still collected and most likely passed off onto Google and Facebook and everybody else. And we can't undo that. We can't just immediately take it all back. I mean, Facebook, what was it? Thursday or Friday, after they'd said they ended that program in 2014, they're like, oh, but then there were some other companies that we had arrangements with that we sold it to, but then we shut it off. Like, I don't trust them as far as I could throw them, but it's still personal data, it's still mine, it's still me. And this is a big one. Ignorance is simply not an excuse anymore. You can't say you didn't know. Can't say you didn't realize. If you're running ad networks, do you know what they're collecting and doing? Do you know what tracking scripts they're putting on your site? It's your site. Doesn't matter if it came from them. You allowed the ad network in. It's your house now. Do you know what data you're just storing unencrypted or encrypted? Do you know what parts are accessible to who? One of the big things in doing that privacy impact assessment is who has access to the data internally? Most people don't need, we have user roles in WordPress, so not everybody by default has access to everything, but you need to actually outline that. You need to figure out, okay, this is Salesforce. Who has a login to Salesforce? Who can see what things where? Again, there's so many different ways that this could be turned in depending on how you're running your site. There isn't one blueprint that says, do X, Y, and Z and you're done. I have no idea what you're collecting. I have no idea what you're doing with it, but the first thing really is you just start to dig through and figure out what you need. Figure out what you don't need. Get rid of as much as you can. I mean, the side bonus is you're almost guaranteed to have better site speed because you're probably removing JavaScript and get rid of the rest and then you have to start, act as if we're in the EU, which is hard. Yeah, we don't get the socialized medicine or any of the other perks, but treat every visitor like an EU visitor. There's no reason not to. I don't want data about people. I'm not doing anything with it. For some people, it's important information. Find out why. Is it marketing? Is it, these are the people I have to send things to. These are the people that I need to be informed. Again, it's all about consent and it's all about information and transparency. You're still allowed to collect every bit of data that you're collecting right now. There is nothing involved that says you can't. You just can't not mention it. You can't just put a script on a site and just kind of go about your day. You have to always tell people what they are doing, what you are doing and what they're agreeing to because that's part of the thing is that, yeah, we have 48 page terms of service where one line essentially says they can do. I don't know what I've told Apple I'm willing to do to keep using their software. I have no idea. Hopefully it's nothing bad. But we tend to ignore a lot of this stuff because we're smaller sites and we kind of, not our problem, not our thing, but no, I don't know how they're gonna come after us. I have no idea. One of the questions I've heard a lot of people say is how can they enforce it? I have no idea. And they haven't really said how they're gonna do it either. However, I would not. And this is totally opinion. Have you ever seen the IRS go after somebody? It's never a good thing, ever. And what has been mentioned is essentially something along those lines. There's going to be departments in the EU that are going to look for this stuff. Not to mention, if you're dealing with people in the EU, they're gonna expect this stuff because they don't care that your server's in Virginia. They don't care at all. And they don't have to. By you selling to someone in the EU, you are agreeing to those rules. That's, I mean, again, not a lawyer, so I won't go into the legal mumma jumbo about it, but we'll go into questions here in a minute. And he was the smarter one too. That's the shame. So again, I will answer whatever questions I can within the framework of not being a lawyer in any way, shape, or form. We'll start with you. Most likely, yes, and his question was, if it's someone like Google Analytics or some of those third-party sasses and a user requests the data, how do they get it? Well, they can't log into your analytics, so it's on you. For most things, you kind of think of it that way. Who has access to it is the person that has to provide it because they can't go get it themselves. They literally have no way of doing it. He's asking with, once you have all this data, correct, he's asking like how do you know the deletion requests, how do I do that? And yeah, for your own sites, that's a lot easier because you should know what you have, which means you should know how to get rid of it. Companies like Google and some of the bigger ones already have tools in place for that. I know in the analytics talk, I believe she mentioned that as well, because obviously they have to care about that. Like some of these laws are in direct result of what Google and Facebook have done in the EU. 100%, this is not a revenge law, but like this is because we screwed up. As a US company, we screwed up over there and we're paying for it. So it's one of those things where again, some of the smaller ones, that's where you need to go is like how important is this data? Things like login buttons and all that, delete them. They don't really work half the time anyway. Like we have to push back to people who want every little bit of data because it makes them feel good. Like show your work is what I've told, I mean I've told this to clients before, like oh we wanna add this, I'm like okay why? Well we want the information, why? Like be a toddler about it, like show your work. Figure out like why do you want this data? What is the value, like essentially you're asking me to take on the risk of pulling this data in and doing something with it. What are you doing with it, is it worth it? Is the risk worth what we might get out of it? So, but again this stuff is still getting implemented so how they're gonna do it is probably gonna change. I'm just curious how you're running your own business. Well yeah, I mean like remember that guy went, I'm gonna move on, but the guy went to jail. Remember the Volkswagen guy went to jail, not CEO. No letters after his name either, John. I divorced one. Wish I was young. John's question was things that you built in the past maybe you have a small retainer or they get a hold of you every now and then you go in and you fix something, you update it, whatever. Where does the liability lie? Ultimately it lies on the site owner. At the end of the day it's their site, it's their problem. Now who owns the site? Yeah it can get a little nebulous and if the EU goes after them I would imagine you're getting roped into it too. So those things where if I built a site five years ago and I've never touched it, like I'm not gonna be liable for that. I can't imagine being liable for that because I didn't implement something against rules nor did I have control or access to something to fix it. But yeah there's stuff where you're always involved those long-term clients like it's having a conversation figuring out what are you collecting, what are you, in that case there's the added layer where if you're kind of sort of watching a site asking the actual site owner, what did you install that I don't know about? What are you testing that I didn't hear about? If it's one of those things where they're expecting you to help them out on the other end we're like you know, how much liability you have sort of depends on how much you've been involved with getting it there. If I get in trouble for this by the way I'm kicking your ass. I like, I know him longer. If you do business with people in the EU you have to follow these rules. What if you're not selling something directly to them? You were late, weren't you? I'm sorry? You walked in late didn't you? No. You didn't hear the part where I said it doesn't matter what we do, if they're in the EU it's relevant. Okay. I just wanted to... Yeah, yeah, like they were crystal clear, they were crystal, please excuse me, they were crystal clear about that. If they're in the EU it's relevant. Like no gray area whatsoever. I mean again like it's a weird term because we use personal information and personal identifiable interchangeably they are not the same thing. But yeah. So cookies like Google Analytics cookies are personal information and if you're going to collect and process personal information you have to get explicit opt-in first. So as a developer what do you recommend as far as technology to delay the deployment of cookies like Google Analytics tracking cookies until you get that opt-in? Would you use Google Tag Manager or is there an easier way with WordPress? I would usually look at again what you're tracking and what you need the explicit information for because it could be very simple as adding a very small bit of JavaScript that says fire this when button clicked. I mean yeah, I mean whatever you're already using. Like again like Google has written a lot of information for developers on implementing some of these things. Mailchimp has drawn up a bunch of documentation about how to implement some of this stuff. Like they're taking it seriously which is usually a joke phrase but they are literally taking it seriously. So they are doing some of the heavy lifting. But yeah, dig into like whatever you're using see what they offer first because they probably have something to do that already and you won't have to go through and recreate everything. Pushing that on a couple of websites within the last couple of weeks. I'll go there and they'll have a little pop-up box for the settings and they'll have like a little message to you like hey you should look at X, Y, Z. How are they using that to get around this? Or have you seen it? A lot of that would be platform specific and I wanna emphasize one thing with GDPR they mentioned nothing about programming languages, frameworks, database schemas. Any of the things that we usually care about that is in no way referenced. They don't care. They have some UX and UI guidelines essentially like you can't use dark patterns, can't hide stuff but otherwise they don't say what language we have to write it in. So whatever platform you're using is what I would look at. I mean like I've seen, there's probably some WordPress plugins out there already that do it. There's, you know, if it's a SaaS they probably have a little thing you can drop in there. It could be as simple as adding a check box on the settings of that SaaS, whatever that may be. And a follow up, yeah. Actually I was coming about it from the user end. So as a user, I just was like, I don't have time for that. That's how we got where we are now. Yeah, but I'm just saying, no, no, exactly. And so, I don't remember, I don't remember what product I was using of Googles, but they did. They had a little box saying, hey, you need to check all these things out. And I'm like, I don't have time for that. So yeah, I'm here to get a gift, I don't care about that. So then have they unchecked everything? Do you see what I'm saying? Like, how is this? Probably not. Yeah, remember all those like 9,000 emails, and then it'll be time for this to be the last thing and we'll wrap up. Remember all those like 9,000 emails you got in the last month and a half? That's why. This is why. Some of the stuff, I doubt they opted you out of things because inherently you already opted in, but they have to give you the mechanism to easily opt out of every channel, essentially. It can't just be like yes or no. It's, oh yeah, you can use it, you can email me about this thing, but not this thing. You can give it to Google, but you can't give it to Woopra. Like, you can get that fine-tuned with it. So that's why it's like, again, you really need to look at what you're collecting and why you're collecting it. And streamline it as much as possible because that's just less risk at that point. And I'm sorry, we were out of time, we gotta wrap it up. So I'll be around, you can feel free to ask me any questions after this. No, they don't have to. Yeah, they don't have to, they don't have to retroactively go fix everything. They just have to do it going forward. Yeah. Can I get a round of applause for Andrew Norcross? Thank you.