 All right, let's get started We're gonna talk about GDP are today, which is one of probably the most boringest topics. I've ever given a talk on so I Already understand just to be ahead of it, but uh one little bit. That's me My name is where I work. That's what I do. That's Twitter I recommend if you have any sort of content filtering or HR department to not load that at work And Actually, I want to go back here real quick because I want to point out two important things Notice how they're the word lawyer or attorney is not in that title. What's so ever? I'd also like to point out the lack of letters after my name indicating that I have a professional degree indicating I know the law I Am in no way shape or form an attorney a lawyer. I did not go to school for this. I'm a nerd that said We're gonna get into it because this Fortunately has nothing to do with the law the law is what it is and there's a lot of people with that spend a lot of time On that but what exactly is GDPR? Who here has never heard these four letters in a row sounds about right. It's been kind of a big deal lately and More importantly, I want this. Oh, there we go That's what it stands for now None of those words actually mean anything it is probably one of the most vague things that I've seen for something That's essentially this important. So I'm gonna break down. What is it about data? Everything about this is about data Personal data and that's why our data is worth a lot of money a lot of money and For years we've just kind of given it away all these companies essentially said trust us and we did and It was a terrible idea. I cannot emphasize how bad of an idea this was From the time it basically started All of these services we just started handing over our data They asked us for something. We said sure we just kept clicking numbers until I'm sorry I kept clicking buttons until it gave us what we wanted. That's kind of how we were trained to use the internet At least I was but I want to look at some numbers about what things are currently So the first thing now great 92% of people worry about their online privacy I can't think of a way to frame this question that someone would say no. I have no idea what this means Huh, okay. I have no idea how you could phrase this question that someone would say no So again, this does nothing Now the next thing is going to be Connection lost all right phone things not working. I'll just use this Now this is a better one 31% of company people actually understand how companies use their data I Do this for a living and I don't really know what they do with all my data I have a better idea than most and maybe I just stopped paying attention because it's scary The next thing is going to be now. This is a big one because this is where it applies to us 74% of people have limited their online activity due to privacy concerns If you're building anything remotely a website of any sort kind application What have you the whole idea is that you want people to use it? Otherwise you wouldn't be building it and They're not coming. They're stopping coming because they're worried about something. They don't understand So now the question is why Why is all this matter? What's the big deal all of these companies have one big thing in common All of them since 2014 have had a very large data breach And sorry, let me try and find the numbers here because this thing is Apologies, whoops, there we go. All right eBay 145 million people target 110 million people JPMorgan 83 million people Uber 57 million users and then 600,000 drivers Anthem, which is a health insurance, you know, health management company 80 million Equifax we remember that one. That's a hundred and forty three million And then we have Yahoo, which was the big one with three billion And now all you know users are not the same depending on where they pull that data from is how valuable it may have been However, how many people in the last year or two have gotten new credit cards in the mail without being told because there may have been a breach And you have to keep changing your numbers online. Yeah, that's why So users have a very good reason to not trust any of us with this stuff because we violated that trust and frankly we've ruined it So then he incomes the EU now the EU has always had More rights given towards users than the United States, which is surprising for many people in the United States And a lot of this boils down to the users have rights. They have rights that we have not given them in the past Now they have the right to be Informed which is essentially you have to tell them what you're doing with the data that you collect You have to tell them that you are collecting data Even if it's not important You have to make sure that they opt in Which means you cannot check those boxes anymore for them period Now they have the right to the access to the data now This is one of the bigger ones that you saw it probably saw some stuff come out If you have data on me I have the right to a copy of it at will at request in a human readable format. Now what that means is Very vague on purpose because what is readable a lot of times we depend on what the data is But you get it you have a right to it And you have the right to be forgotten now this is a fun little story so In 2010 I deleted my Facebook account Mainly because I didn't go to a college that had it so never really got into it like other people and then the first Privacy thing came out. I'm like, you know, I don't really use this and this is just another thing got rid of it Few years later. I was doing a client doing some client work and I Needed to check some face. I was taking all the meta tags and all that other sharing stuff But I had to be logged in Told my client. Hey, I don't I don't have an account. He's like just go ahead and use mine So I go to log in it pings me like hey You've not logged in from this state before and I'm like alright It's gonna ask me some questions whatever it's like shouldn't person's friends like who are these people like I have no idea I don't know this person's friends. So I made a fake account. That was fine And then a few years later. I needed an account to be able to access Certain websites and some stuff for my dad and I didn't want to use the fake account because I had a fake name and I probably would have pissed people off. So I Made a new one it would not let me use the email address that I had used when I created my first one 12 years prior I Do and this was back in 2010 when they said they would delete it like it didn't say deactivate it actually said delete It's not deleted If you really want to be worried about that Google Facebook shadow profiles, and that's how you can kind of find out stuff If you pulled nothing else from this talk know any ideas what not just you need to understand the data that you collect No longer belongs to you You could argue that it never really did But it's really important to know that it ain't yours the best thing you can think of is you're leasing it Because it belongs to the user now. What does that stuff mean? Why do you care? Why why is the developer does any of this stuff care to me this sounds like marketing this sounds like analytics This sounds like again stuff that I don't care about So the first part I want to this guy's James Lang does anybody know who this is Okay, he's in prison right now He got 40 months sentenced for better the Volkswagen emissions stuff that they got busted for okay He is not a CEO He is not a manager. He is an engineer He has the same title in his job that I have in my job He is in jail. He was not even and this is the important thing that came out The court even said he was not the mastermind He still got in trouble Which means that we're not Protected simply by saying I wrote what I was supposed to write or I just filled the specs. That's not gonna fly Which means they're coming you know like the reason I bring this up is not to point this guy out I'm sure he didn't really think he was doing anything wrong And I'm sure that he didn't decide to cheat the emission systems on his own But he's the one that took it which means we're the ones that have to deal with this I don't think the CEO for VW even got fined So maybe I have your attention hopefully possibly now. What do I do about this and again? Why do I care? So the first thing We have to kind of drill down to what data does this actually talk about? What does this stuff mean because it's such a nebulous word and you can call anything data, especially us They talked about it's personal data Now I want to first point out that the EU defines personal data differently than we do We just say personally Identifiable information that means one bit of data you can connect it to one person without any help You look at my email address. It's my name with a period in the middle. That's personal Identifiable The EU just says personal That's anything Not only that they look at context. They look at aggregation. They look at a whole bunch of stuff But the first thing's here. Okay racial ethnic political I don't think I have collected any of this data on a website other than maybe political opinions in a comment section So the first time I see this list. I'm like again, I still don't care You know none of this stuff matters But then the EU expanded what they meant by that All right genetic data. I don't even think I could connect collection. You know any of that data by a metrics a location Core collects your location when it shows you the upcoming events pseudomized data Okay online identifiers That last one that one How many of these things are not in the user meta table or the user table? So we're collecting personal data by default and That's it's not that you can't collect it and it's not that you can't have it It's just we can't just grab it. It's really what a bulls down to So this applies to everyone and now this is a caveat now We'll get into this in more detail who does business with the EU and what exactly defines doing business That does not mean doing business with the European Union as a governing body That means anybody Who lives is a resident of is vacationing in is vacationing from the EU So the question the first question I always get with this is can I just stop selling to people in the EU? probably not Because you can't automatically identify that like is anybody here a resident like a citizen of a country in the EU Okay, when I was in Orange County that there we go if you buy something in Michigan from a company in Idaho GDPR applies Because he's a right. You know, he's a citizen of the EU whatever country in the EU obviously So it applies to everybody Every business every organization. There's not a cut-off limit like oh you have more than X dollars or X numbers than it applies No, everybody blanket Now does that mean they're gonna treat everybody the same of course not what we don't know how they're going to be Now this is a big thing who's in charge of all this stuff who is supposed to be doing this work who monitors who does all of this They have no idea But there's two people that are involved and the way they define it is data controllers and data processors Now the controllers again more vague words that don't mean anything You know that a controller decides what to take in Where it's used Where it's stored and who else gets it so think of that as a gatekeeper Think about that frankly most of the time as us when you're collecting that data on the website You are a data controller now data processor is basically anybody else who touches that data Google analytics abandoned cart software anything, you know Recurring user anything that you might be doing with that that you're handing a sass Something like that. They're like, which one am I very possibly both you can be both So you have to start thinking about privacy by design. It's not something you add in later It's not something you sort of bolt on is like you need to start Building things with the idea of keeping user privacy first and that trumps pretty much that work But that trumps pretty much every other goal now In terms of data now, it's not visual designs. I but actual data privacy first So you need to know Everything which sounds like a lot But we're building it Which means you need to know what you're collecting you need to know where it's going You need to be able to articulate to someone what you're doing with it an Easy way to think about this and especially who you're giving it to because that's on you know That becomes your problem sort of as well, you know If you're thinking about using a data analytics program or anything like that like if they can't explain how they do it And like two or three sentences It's probably illegal For the most part Now everything again, it sounds like so much work and it's like great now I have another thing I have to care about But it's not really that bad you start with something called a privacy impact statement Heather Burns is a Policy legal policy expert over in over in the England She's been doing a whole bunch on this. She spoke at work. Can't be you about it You start with figuring out exactly And this by the way is this is required. This is almost the law thing You need to figure out what could possibly happen. What could go wrong and You have this that literally needs to be written down piece of paper Which again, of course the government wants paper so and that needs to be accessible to everybody who works on the project and Regulators if they ask for it So it's one of those things where they ask for it. That's not the time to make it The time to make it is when you start the project because again when you're doing scope and discovery You're sort of doing this already. You've just never put it in one place because you're again What are the scope? What are the specs? What do I need to collect because it's for the user? What do I need to do with it? Who's getting it? Like you're already doing most of this It's just been kind of piecemeal in different parts of your process most likely And again, I could give a whole talk on privacy assessment But this is the big thing. They're still evolving the law is not even done There's another part coming out There was a law that came out in 2002 essentially they called it the cookie law in the EU kind of a misnomer But that's the easiest way to describe it That's getting enhanced as well. They just didn't have time to get them both done before The GDPR came out so there's gonna be even more laws and rules about what you're allowed to connect collect and not collect And what you have to inform people about Now they but said whatever they do to that cookie law is going to work within the framework of GDPR They've already created so hopefully they won't put out conflicting laws I'm not holding my breath But this is a big thing ignorance is no longer in excuse As we saw with a you know with the guy from from BW He probably said oh, I was building what I was supposed to like I wasn't aware that it was you know again Whether or not he knew what he was doing doesn't matter you know, we can't be ignorant to what we're doing anymore because We're the one building it it's a hard argument to make that you don't know what you've just built I I've made that argument for cuz sometimes I literally didn't know what I just built but almost every single time I know exactly what I did. Maybe I wasn't aware of it Maybe I didn't think much of it because again when I was building websites, especially when I started doing this 10-12 years ago I didn't think about any of this stuff. I barely knew what I was doing So I'm sure there was stuff going on that was probably not good for a whole slew of reasons and What I want to get into we're gonna do a lot of questions because I know there's gonna be a bunch is This isn't hard and more importantly For us to think you know these laws are coming to the US California is probably going to enact this soon. I Imagine other states probably like New York Delaware or another ones are going to also enact this This is essentially going to be the law of the internet. I would say soon. I don't know how soon but soon This isn't like that that we can just ignore it Because I remember when that came out everyone was super concerned about it And we don't we have to pay all these taxes these weird companies never done that before in my life And I don't think anyone else ever since that happened. I have not heard another person talk about it This is different like This is people because people get upset. Yeah, whereas that was like accountants and nobody really cared Now Again, is there any question other than how can I avoid doing this? Because in Orange County, I had four questions about how can I just avoid this and the answer was you can't So that question was gonna answer anyway. You can't Okay, and again some of this is difficult to answer because they haven't enforced it yet They haven't actually gone like they filed against Google and Facebook and Amazon I think over the EU because that's that's love hanging fruit. Let's be honest so You very well both could be Like it's not a single entity like the whole idea of controller and processor It's not like you there's one like on the website there could be multiple data processors depending on what data is being processed I Would not just by them saying that they're doing it. I Don't believe would totally absolve you if something happened Especially because you built it you know, they may be collecting it, but you built the engine to collect it So you're there's something at it. No, this is legal Advice but you might be at least somewhat involved culpable whatever the word may be so but again, it's one of those If you know what's going on Then that shouldn't be a question because it would be like yeah, whether they're collecting or un-collecting it We know exactly what's being collected. That's the more important is who's doing it secondary What is happening very much primary you had a question sure? Yeah, she was asking about as an agency. What is your role in? drafting privacy policies and and things of that nature for individual clients Once at least you know if you're not managing the site because like there's plenty of stuff that I've built And I've never looked at again, and there are sites that I've still had my eye on or help work on for years So those are two very different things As terms of the privacy policy in terms of use that would be on the individual site owner only because Their privacy and their terms are going to be based on whatever it is. They're doing as a business There's boilerplate language. I think core now actually when you spin up a new site It gives you a privacy policy page as a draft So if you spin up a new sorry If you spin up a new WordPress site with four nine six or above it will create a privacy policy draft page as a draft Well, you know it makes sample page and like hello world. Well, now there's hello world sample page and privacy policy and The private it's a you know boilerplate language. There's a link in there to help write one I know and that's gonna they're gonna put more stuff in there like they're getting that out before the May deadline for GDPR So yeah, the terms of so in terms of use privacy policy That's gonna be a lot of stuff based on what the individual company is doing. You can definitely try to give them guidance I would not veer into the I'm giving you legal And because the onus is gonna be on them, I'm not sure your Attorney would be money well spent for them. Unless you're gonna just build that forward to them But yeah, it's it's one of those things, you know as you're building it make note of everything that you're doing and that way Because what very well may happen is you give it to the company the mid business. They're running it They're lawyers like oh, we need a privacy impact statement So even though you're not the one that has to handle the outcome of that privacy impact statement as the agency You're probably the only one Qualified to write it because they don't know like most of you know All when I ran an agency for a long time almost none of my clients ever knew what we built. They just knew that it worked That's all they wanted That's why they paid us. So yeah, I would I would definitely keep you know again keep all the notes of stuff and just Be ready to have it and hand it over like hey, this is what we have This is what I would give to your attorney or whomever else now again And they got to come after the person's selling you know selling handmade soaps. I don't know I don't think I don't believe that's gonna be the initial round of stuff. They're gonna go after some of the stuff I have a sneaking suspicion is gonna be if somebody complains and Someone could complain about their G you know their GDP our rights on a site that sells handmade soap Just the same way that they can do it on Amazon so The potential is there regardless of the size of your site. So like obscure being small obscure isn't necessarily going to protect you You know That's not anonymous Your IP address tells me where you are Now I know that and Google is a good example because Google being that they pissed off the EU for about 15 since the EU started they've never gotten along and They have pages upon pages of a how they're implementing GDP are and what you're supposed to do in your site to you know Essentially when you went to the work camp Grand Rapids site remember the little cookie thing you got in the bottom That's GDP are That's just the site informing you that they're collecting some data about you. It's again. This isn't a huge idea It's it gets more complicated depending on what you're collecting But it other than that and the analytics like that's a weird thing because they're at that point They're you know, you're the controller. They're the processor You're giving them this information by putting analytics on your site You were allowing Google to collect information which means that they collect something They're not supposed to that's still on you because you gave them the space So you can't just throw the biggest I think the biggest thing that's going to get taken down first of those shady ad networks The ones that just inject stuff into people like those are going to get hit first Because they're the ones that are collecting user data without the site's permission or the user's permission That's the like Google is not going to intentionally break the law You know bright Haven advertising very well may I don't know if that's a real company. I apologize if it is Actually you had a question that'll come to you. Yeah This is gonna sound rough, but I would tell her that I mean if it needs to be there and I don't know the policy I don't know her job. That's not important Get out Tell her it stays or find another developer Which sounds harsh? But it's one of those things where The people that are pissed off about this more than anybody else are marketing Because they've just been collecting all of this data They're not even sure what they're gonna do with it I've heard a bunch and I'm gonna upset marketing people and I'm totally fine with that Like things like net promoter score that literally means nothing. What is engagement? No clue. I engage with things all the time That's how being a human being works. So Again, it's going to be one of those things where you know, they wanted all this data They're not gonna have it Which means the people that are good at marketing are gonna be even better because I actually know how to do the job And the people that just make reports saying the people engage are probably gonna get fired So if the policy needs now what I would do is I was have you know in this particular case Are you an attorney? Cool is the person you've got this draft from an attorney Then I would say I believe this needs to be there You need to talk to your attorney because this is important if their attorney says no, then that's not your problem anymore Unless you still own the site because if it's for the client and it's gonna be them and I say ownership as in it's their site Then and those are usually the worst because they're hard to say no to Yeah, and some of this again like some of the stuff may be Yeah, I would you know again it'd be one of those things where yes long-term client But I don't know what culpability you individually would have but I would definitely make a note of the fact that you Said this should be there and they said no because yeah, you can't just ask people will you give up your rights under GDPR to use this site? That's not a valid pop-up. You can't people can't opt out of GDPR You can't just ask them. Hey, do you care and guess or no no cool. We'll keep going our thing Yeah, you can't just disregard it so Again without knowing the profetial there's probably a lot of nuances to this particular question So I would I would suggest at least like hey, I think this should be there You need to talk to your attorney But document that save that email whatever it is You know, I make sure it's in writing that you felt it need to be there just protect yourself And that actually has him and then I'll come to you there are some and I know there's a lot more being built I've built some stuff What you're gonna want to start with is to do a site audit and And again when I ran agency one of if we took on a client that already had an existing web property That we had to touch in any sort of way part of the part of the contract part of discovery and scope was doing a full site audit If they didn't agree to that we didn't take them on as a client Because how many times you've taken on a site and then you find out that it's like held together with duct tape and bailing wire And it's yeah, so by doing that site audit because it's gonna be it can be to agree degree site specific Do that audit that's when you figure out what you're taking in because at least on your you know If it's not in the database you didn't collect it That's a kind of a it's not a hard and fast, but it's a pretty good rule to think about it If I can't see it in the database. I didn't collect it Then the second thing and this is where client where you can things can get weird when clients start adding stuff after you've built it and Especially again ad networks. Oh tracking. I want to see what the heat map looks like You know again all of these things are cool, and there's not necessarily that you can't use them like none of nothing in GDPR prevents What we do? There's a few things like you can't sell the data to somebody else without informing somebody you know the user That's the only new thing technically that might impact you as a developer is that you can't sell somebody's data I've never sold anybody's data apparently is lucrative, but I've never done it So from that perspective it's like yeah figure out. What are you collecting? What are you collecting outside of the scope of like a core vanilla no plug-in no theme wordpress install if you don't have registered users? You're automatically collecting a lot less data You know the moment you're a logged-in user you can see if you look at you know Query monitor or any of the stuff you'll see all the cookies and everything else that gets collected You can look in the user and user meta table and see all the stuff that gets collected If they're not registered users you're not collecting much on them and then as part of that site audit identify any third party that has something on your site Even if it's not inherently collect is because again those ad networks So that's where they started getting in trouble was they would show the ad but they were scraping all this user data as people came Never telling anybody about it That's not legal But you had a very particular quite yeah So there's a comedy and that's one of the biggest things that I haven't seen a hard and fast rule about How do we get rid of somebody's data because that's part of it? You're the right to be deleted or erased or forgotten whatever words they want to use and that came up And I think I was skipping over quickly. I Have no way of knowing with Facebook I they clearly didn't delete my email address because they wouldn't let me use it again And that was ten years ago almost ten years ago So and they as of yet I have not seen anything that will indicate the proof that it's been deleted So some of that is still going to be on trust for now until they can figure out how to prove it When it's things like Google and you know by removing Google analytics You can you know hey you've removed the source but also and this is where a lot of it comes down to you I Have never looked at analytics on some sites that I've installed it on ever I have a site that I've had running for 11 years and had analytics since day one and I've looked at it twice I just deleted the analytics and Removed it from the site and I solved the problem now and going forward now I'm aware that you can't do that for all of your sites for most of your sites probably But go back into your Google analytics settings and make sure that you're following along with what they've outlined because again Google has pissed off the EU since the EU began They at least make an attempt to not be flagrant about the fact that they don't care about the EU, so I Would start there and then I know that again. I know Google analytics. I believe has a way for Delete a deletion request and it exists legally. It has to where they bury it now I couldn't tell you because they keep moving things but In that audit that I mentioned that's where you're going to identify what third party even exists because then it's like Okay, if it's this company, let me see if they have a thing on their website that says how to delete it If it's an API call if it's an email if it's a phone call And if they don't have anything I would possibly look at maybe replacing it because if you're using a third party that has not even mentioned GDPR That's probably a bad sign Because everybody has mentioned you know those 9,000 emails you got about updated terms of service. Yeah, that's why you got them GDPR and I say yeah, they don't know how they're gonna afford. I mean I wouldn't specifically because Google analytics and a lot of those packages Two people aren't collecting the same data Like how I have my analytics configured is probably different than yours So you may be collecting things at certain places at certain times and I'm not in vice versa So in particular, I would look at the service and what they provide some stuff It could be as simple as we just throw this information away after 30 days So there is no data to collect or we aggregate it in a way because again the EU cares about aggregation Whereas the US doesn't because the EU understands that 10 people collecting 10 bits of information makes a complete profile of a person Even if those 10 pieces individually don't Which makes sense. We just don't do that because we don't So yeah It's really look into the individual pieces that you're allowing on the site and how they are going to approach it because again It depends also what's being collected Yeah Yes And I kind of can make that a little bit concise the idea that as a developer I used to collect as much data as I possibly could Because I figured I might need a leader I didn't know if I was going to use it But I figured the more I had the better it would be so I could do something down the road and I would have a complete picture That's not how to do it anymore I only collect what I absolutely need and can justify having because if I can't justify having that data I Probably don't need it. I'll get time for one more question He had his hand up first. I promise I'll answer you later. Yeah, I'm sorry Drop shippers. Okay. Yeah Yep That's a great example of how you can be both by the way Maybe and some of this is gonna be like when was it collected because if you collected this data in 2014 I don't think there's a reasonable expectation that you would have been following a law that hadn't been written yet I'd like to think however In terms that you know and especially legacy software is gonna run into a lot of problems with this because Depending on that ERP system. It could have been written 10 years ago And most like most enterprise software I've written is not new So I would look at those you know because they again they have to be following this stuff Especially e-commerce I would just and you know if you're doing e-commerce implement this like it belongs to everybody Whether than the EU or not solves your problem now going forward So for that I would first review what you've got and be like alright Do I need that order from four years ago? Maybe maybe not I believe that like at the bare minimum I would Back up everything up until the day that GDPR went into effect, which was I think May 25th Save that somewhere like this was our pre GDPR data I don't expect it to be okay, and then see what you're tracking going forward And then I again talked to those drop shippers and vendors and be like what are you doing with this data? Because most of them are yeah, we have the address we make the thing we send it out. That's all we do And most of them that's pretty easy to follow because we have the stuff You know and then do they have a way for you to say hey delete this person out of your system Most of them maybe it's a manual thing right now until the software catches up So if you don't see anything on a website or you don't see anybody help them you can always be like What do you know email and recall? What are you doing about this because they variable could be like Hey, we have a plan. We're waiting for the nerds to finish writing software Yeah, that could be their answer and that's a valid answer like we're trying to get the software to catch up to You know cuz the cuz JPR was two years in the in the works We didn't start carrying till like a month before America baby Yeah, so we didn't know it's like we had two years to catch up to this and we were just like whatever Americans so Yeah, it's now something that like we had a lot of time to catch up and we didn't do it So yeah, just kind of look at what you're doing audit your stuff figure out where it is And then you know just be mindful of what you're doing because again It's a lot of it's gonna be good faith stuff where if you're like, oh, I didn't realize this was being collected But I bought you know as opposed to hey, I made a backdoor trojan for all my users to you know Scrape data like again very different goals and outcomes with GPR applies to both So thank you