Here’s something most people don’t know: if you don’t have a privacy policy on your website then you’re probably breaking the law and violating the terms of service of your analytics provider (like Google).
Disclaimer: I’m not a lawyer, and none of the following can be considered to be legal advice.
Baltimore WP Meetup Presentation on Privacy Laws
You can watch the video on the Baltimore WordPress meetup YouTube playlist!
Good evening, and welcome to the Data Privacy Week Baltimore WordPress meetup for January 24, 2023.
The Baltimore WordPress meetup is an informational meetup. Please use the information, products and services that we show at your own risk. Just because we show a website, plugin, theme or anything else does not mean it is an official WordPress endorsement of that item. Keep it family friendly, as most of us are attending from home.
At the Baltimore WordPress Meetup we do our best to follow the community standards. That means if you break any of these rules, I will boot you from the meeting. No spamming or spammer-like behavior. We have people of all different backgrounds and skill levels, so no judgment for those who are at different levels than where you are at. And generally, don’t be a jerk.
I’m Gen. I’m a WordPress developer who’s been building and managing WordPress sites for over a decade. I’ve built, remodeled, cleaned up, fixed, added functionality, and done security work on hundreds of sites over the years. And I have taken over the organization of the Baltimore WordPress Meetup.
If you are looking for help outside of meetup times, please visit my website at anphira.com/help.
Some quick administrative items before we get going. We will use the Zoom chat for questions and to queue people up. So please go ahead and find your Zoom chat and open it up. We start with everyone muted and everyone’s cameras turned off. And that way we don’t have to worry about people who have less than ideal internet connections because they won’t have to worry about extra video streams showing up. And of course, no one knows everything, but we’ll do our best to try and help people out.
Now, because this particular meetup covers privacy law, it’s very important that we start with a disclaimer.
This is general information. I am not a lawyer. This is not legal advice.
Now that that’s out of the way, as an overview of what we’ll be discussing tonight, it will be what kind of demand letters businesses are receiving, what you don’t know can hurt you financially, what international laws affect your website, what U.S. laws affect your website, what kind of terms of service that you’ve agreed to affect your privacy policies, why you shouldn’t talk to a business attorney about Internet privacy law, and what kind of attorney you should ask about internet privacy law. And of course, we will briefly discuss how to actually build a privacy policy that complies with the appropriate laws.
So the first thing we’re going to address is an ongoing trend. This trend has been going for over a year now, and businesses are receiving these kinds of letters. Typically, it says something like: To whom it may concern: my name is (Removed), and I’m a resident of somewhere in California. I have a few questions about your process for responding to General Data Protection Regulation (GDPR) data access requests, and it continues on to ask about various GDPR protections and whether they would apply to someone in California.
So what should you do if you receive one of these?
Well, first, don’t panic. Read through your existing privacy policy for answers to their question and make sure that your privacy policy actually does cover it. In your privacy policy, it should both list out what protections people have and exactly to whom those protections apply, and then just reply with a link to your privacy policy.
Financial Risks of Privacy Violations: Different laws come with different fines, and depending on the law, what you don’t know can hurt you quite a bit. On some laws that are currently in existence, fines can reach $2500 to $7500 per website visitor. Over a dozen states currently have legislation in progress for privacy laws.
New privacy laws are being passed literally every year. There are six that go into effect in 2023, and some of the new laws will actually include funds being allocated to actively find and prosecute violators. So these are some important things to worry about.
Now for privacy laws in the US.
As of January 2023, the laws that apply to pretty much every website are going to be the California Online Privacy Protection Act, also known as CalOPPA, the Nevada Revised Statutes, and the Delaware Online Privacy and Protection Act; these apply to nearly every website. Additionally, there are a number of U.S. privacy laws that apply to certain websites. The California Privacy Rights Act (CPRA) replaces the CCPA, which was the California Consumer Privacy Act, because, of course, California doesn’t have enough privacy laws.
The next one is the Colorado Privacy Act, the Connecticut SB6, the Utah Consumer Privacy Act and the Virginia Consumer Data Protection Act. Now, in California, we have these two laws. One applies to pretty much every website, that’s CalOPPA, and the other one, CPRA, applies to only some sites. CPRA, you basically need to worry about it if you’re discussing revenue north of $25 million, or if you have certain legal agreements with large companies that it does apply to. So it’s always best to check your contracts when you have contracts with large organizations.
The Nevada and Delaware acts apply to nearly all websites. The Nevada Act applies to websites that collect personal identifying information of Nevada consumers, and it includes fines. That basically means if you have collected any information about a Nevada consumer which includes their IP address, then your website falls under Nevada.
So basically, if people from Nevada can visit your website, there you go. Delaware basically is the same as Nevada. Just it discusses Delaware residents and again, it includes fines. And as a reminder, this is the Baltimore meetup. We are in nearby Baltimore, Maryland and Delaware is very close by, so it is quite possible that we could have visitors to our website from Delaware.
Now we’re going to discuss Colorado, Connecticut, Utah, and Virginia. These four acts are very similar. A couple of them do exempt nonprofits; they only apply to for-profits. But the general guideline is you need to worry about these four states if you have 25 million or more in revenue, you control or process the personal data of 100,000 state residents or more, and/or you derive 50% or more of your annual gross revenue from the sale of personal info and processing of personal data of more than 25,000 residents.
We just had a question in the chat regarding contracts. Is the use of a premium plugin considered a contract with a large company?
The answer is: You should read the terms of service that you agreed to when you purchased the plug-in for the answer to that question, because it will depend on the terms of service that you agreed to.
Now for laws around the world, again as of January 2023.
International privacy laws: the General Data Protection Regulation, or GDPR from Europe, the Personal Information Protection and Electronic Documents Act, or PIPEDA from Canada, Quebec Bill 64, also from Canada and the Australia Privacy Act of 1988. So GDPR you’ve probably heard of, at least in reference, is a large privacy law out of the European Union and it is extraterritorial, which means that if you have traffic from the European Union, then yes, it does affect your website here in the US.
Now, are they going to come after really small potatoes? Probably not, unless someone makes a complaint. So going back to those demand letters, if you were to receive a demand letter and you did not reply, someone might make a complaint, in which case their regulatory authority would come after you.
It applies if you offer goods or services to EU residents or monitor the behavior of EU residents. So basically, if your website receives traffic from Europe, it applies. Canada has both the Personal Information Protection and Electronic Documents Act, as well as a Quebec-specific law.
The Canadian privacy laws are extraterritorial, so they do affect US websites. The US does get quite a bit of visitors from Canada, less so since COVID, but we do still allow Canadians in for travel and visiting. So basically the overall Canadian law applies if you collect Canadian personal information during the course of commerce.
So the overall Canadian law basically applies if your website sells something, including services. Your website does not need to be ecommerce, it just needs to be for the purpose of business. The Quebec law applies if you collect any PII while carrying on an enterprise. And that could be any enterprise for profit, not for profit. So that will apply to the vast majority of websites.
The Australia Privacy Act of 1988 is significantly more narrow than the previous international laws that I’ve talked about. It focuses on those who do business in Australia, goods and services. So for many websites, the Australia Act will not apply, as you are probably not selling goods and services to people in Australia. For further reading, and I will include this link in the chat as well as in the email after this meetup, there is a great article from Termageddon on the six new privacy laws that go into effect in 2023.
Now, talking about tools and terms of service that require privacy policies.
Many tools and scripts, when you start using them, especially if they collect information about your website visitors, such as analytics or heat map software, require that you disclose their use in your privacy policies. Some of them even have specific language that you are supposed to use. And if you use the tool and you do not disclose that you are using it, that’s actually a terms of service violation of those analytics providers.
So it is important to actually check over all of those terms of service that you have agreed to. I can tell you that Google Analytics does specifically state in their terms of service that you need to disclose their use, and they have specific language that they want you to use.
Now, speaking of Google Analytics, there is Google Universal Analytics, which will be ending this year in June. And there is Google Analytics 4. Google Universal Analytics, which is the one that is ending soon, is not GDPR compliant, which means that it is a violation of European Union law to use it to monitor people from the European Union. So far, Google Analytics 4 is an unknown. It hasn’t been tested in court, although many people have said that it is significantly more privacy compliant. But until it really gets tested in court, we won’t know.
Now, how do you get a privacy policy?
The first option is to hire an attorney.
You do not want to go use a general business attorney. General business attorneys are great for lots of general business needs. However, they generally don’t know anything about online privacy law because it is a very niche area of the law and it is changing quite regularly, as we pointed out with six new laws. An example of general business attorneys that don’t really know anything is this: if you go look up most attorneys’ websites, they don’t even have a privacy policy, which means they’re in violation of several laws.
If you do want to get an attorney to write up a privacy policy for you, or to review a privacy policy created by an available online generator, you should specifically look for one who is IAPP certified, that is, by the International Association of Privacy Professionals. These are people who are accredited and are actively keeping up to date on international privacy laws and their changes.
Now, a budget-friendly way to get your privacy policy is a company that I use, Termageddon.
The president is Donata, and I’m not even going to try to pronounce her last name because I always screw it up. She is a licensed attorney, a Certified Information Privacy Professional, and, very exciting, the Chair of the American Bar Association’s ePrivacy Committee. She literally provides input and feedback on both national and international privacy laws. She is extremely active in this space, and very highly respected.
So the reason why we recommend Termageddon is because Donata writes the policies, writes the frequently asked questions, writes the blog posts providing new information about laws and that is just a great endorsement for their program. So the other reason is Termageddon policies are regularly updated. In fact, they even send you an email when there are new privacy laws that have come out and there are new questions that need to be answered within the privacy policy so that your policy is kept up to date.
Their support is great. I have asked them a whole bunch of various questions and they have provided very thoughtful answers. But as it is not actually an attorney client arrangement, they can’t actually give you legal advice, but they can answer a lot of general questions. And they are available for websites that are based in the US, Canada, Ireland, the UK and Australia.
If you are looking for more information on laws and your privacy policies, I have a 20% off link that they gave me because I run the Baltimore Meetup and so they give me nice discounts and I will put that link into the chat. And they also keep a running log of the laws that require privacy policies and the current bills that are in progress in various states.
So if you want to see what is going on in what states and what might be coming down the pipeline, you can check that. So this basically sums up the privacy questions for now. So I will go ahead and open up the chat for if people have any questions about these new privacy laws. But please remember, I am not an attorney, this is not legal advice. And I will also put a link to our Meetup Groups page into the chat. No, no questions.
Yes, Greg?
Greg just asked a question in the chat. I did see the question from Eagle at the top and I addressed that earlier in the meetup. All right, well, if there are no other questions, our next meetup will be in February. It will be an open Ask Me Anything, which basically means anything WordPress related. Bring your questions, the group will do our best to answer them and you can RSVP at the Meetup group webpage.
So I got a follow-up on my question, if that’s okay. Sure. You said read the terms of service. Yes. It kind of answers the question, but what kind of terms would trigger a need for disclosure of that company’s?
It basically is if the company is monitoring the behavior of your website visitors. So, for example, a heat map tracking tool, which basically tracks where visitors’ mouse is going, where they’re hovering, is tracking a whole bunch of data about the visitors of your website. So that tool might require that you disclose the use of that tool because they are collecting data about your people. So that would probably include any of the plugins that are using the freemium payment method, because those premium plugins require that you allow them to collect data about whatever. I don’t know what kind of data. So it depends on exactly what data they are collecting.
So again, it is best if you either check their terms of service or if you contact them.
Sure. Okay. I got it. So much fun. Yes. Thank you.
All right, Princess Allen asked a question about what type of attorney people should speak with if they have questions about privacy law. And the answer is you should look for an IAPP certified attorney. I will just pop that note into the chat and of course, I didn’t get it. There we go.
Greg asked a question regarding: recording IP addresses means that certain laws can apply. Does that mean the IP address in isolation or only when associated with other data?
And the answer is it depends on the specific law. Some of the laws say that the IP address alone is sufficient information to identify, but not all of them. And no, I don’t happen to know off the top of my head which law is which. Were there any other questions?
Yes, I have a question. I’m just trying to type it in. I’m just sending it right now. Thank you.
All right, when you say if you are selling things on the website, you sell CDs on your website, but they are purchased by sending a check through the mail and filling out a paper form.
Yes. You are basically advertising goods for sale. So that is a website advertising goods for sale. So, for example, you could be a car wash website and be advertising your car wash for sale. You have to purchase it at the point of purchase. You can’t purchase anything online. But the fact that it is selling; that means it’s offering goods for sale.
Okay, so if that’s the case, then what are we supposed to be doing then, exactly? Just we’re selling things. So we are collecting people’s data even through the mail form. Mailed, regular mail, old-fashioned mail.
So it depends on what information the website collects. Do you have a form on your website that people fill out to indicate interest?
Well, there’s a form where they can fill out what CDs they like and how many, and then they put in a total for the price that they’re going to write the check for, and then they mail their check back to the person who…
Essentially you are performing commerce on a website.
Okay. Yeah, I understand. I just wondered if it made it any difference that we’re not doing it through an online collection versus something that’s being mailed through the mail. But I just wondered but we are collecting people’s names and addresses.
Yes, you’re collecting a bunch of personal information about them in the course of commerce.
Okay, so that just means that we disclose that we do sell CDs on the website, in addition to using Google Analytics and offering some… We also do Amazon Smile,
Which you won’t be doing for much longer because that’s ending.
Yeah, that’s what I heard. Yeah.
So, again, different laws have different definitions of commerce and what specifically needs to be done. I would say for your website, you need both a privacy policy and a Terms of Service. But again, I’m not a lawyer. This is not legal advice, but I would say that your website needs both a privacy policy and a Terms of Service and that you should get those in place.
Yeah, we do have a privacy policy and we did put it together ourselves, but it’s okay. I just want to make sure that it’s covering; I’m not sure if it covers the CDs, but I’ll just make sure that it does.
Yes. If you actually look up the various laws, such as the Nevada and Delaware laws, they actually itemize out a whole bunch of information on exactly what you have to disclose in your privacy policy and how it needs to be disclosed.
Okay. And that link where we can read these laws, did you give us a link for that or was that something that… The Termageddon?
Again, there is not actually going to be a link.
Okay.
You just have to look; the law is a long, complex document. You need to go to the state’s website in order to actually get the individual states and provinces and countries and all that fun stuff. You have to go to their sites.
Again, that’s part of why I recommend using Termageddon, is because they have all of this. They basically ask you questions and then you provide answers, and the system figures out what content needs to be written out based on the laws.
Okay, I see. Okay, I understand.
That’s why I personally use them. I recommend them to all my clients because I have had several actual business attorneys go through it and they have just been floored with how comprehensive it is.
Okay, all right, that’s important to know. So thanks a lot.
Yes. Well, if you do want to look at it some more, again, 20% off link. Everyone can always use saving a few bucks, but honestly, if you attempt to duplicate what you can get done in half an hour with them, you’re probably going to spend 10 hours.
Yeah, I see what you mean. It’s way more than we people have really understood. Thank you. Yes.
Okay, next question is: In your privacy policy, do you need to include all plugins, cookies, et cetera? And if the website includes a confirmation button that people confirm that they are okay with the Terms of Service indicated, is the website in compliance with privacy laws?
It depends on your Terms of Service and your privacy policy, whether or not you are in compliance. If people agree to the terms, but the terms are not legal, then, no, you are not in compliance with the law.
In general, if you are doing ecommerce, then you should definitely have a check mark that requires people to accept your Terms of Service and Privacy Policy. But again, your Terms of Service and Privacy Policy need to follow all the laws before they can be considered legal. Do I have any recommendations on further reading to understand the laws?
Yes. The Termageddon blog, which I had linked to and is also currently being shown on the screen, talks about the different laws that require a privacy policy, and that is a pretty comprehensive list. It gives you a decent primer on getting started on the laws, and then you can branch down the rabbit hole from there.
They also have several articles on their website talking about a number of the different laws, what they require, who they apply to, which is quite helpful. So, again, I will drop that link into the chat.
All right? Were there any other questions? All right, then, I will go ahead and wrap the meetup. Thank you, everyone for coming.
Our next one is on February 8 at 7:00 p.m. It’s an Ask Me Anything, which means just bring your questions. We have a form where you can presubmit your questions, but you still need to actually show up to the meetup to get them answered. So please RSVP at the meetup page.
And Greg asked a quick question. Any recommendations for policies for hobbyist sites? Yes, Termageddon. That is my blanket recommendation.
All right, thank you, everyone, and good night.
While the US Federal Government does not require a privacy policy, several states do
For many websites, the US federal government does not require you to have a privacy policy. However, several states require that you have one if you collect any data about their residents. So even if you do not live in a state with privacy laws, residents from states with privacy laws might visit your website. If that happens and you don’t have a legal privacy policy, you could face fines of $2,500 or more per visitor.
That means you have to have a privacy policy.
Additionally, if it is possible for a child under 13 to visit your website, then you have to comply with COPPA – the Children’s Online Privacy Protection Rule.
Here are the main reasons you need a privacy policy:
- Several states and countries require you to display a privacy policy.
- Third parties require it with their terms of service – so if you use anything like advertising, Google Analytics, payment processors, email newsletter signups, app stores, etc., you are required to have one. And not just have one, but have one that addresses their rules.
- Don’t get sued – Delta Airlines, Snapchat, Google and many more companies have all faced lawsuits over questionable privacy policies. It can get far worse if you don’t have any policies at all.
- Build trust with visitors – when your privacy policy is easily found it lets visitors know that you care about following the rules and makes them a lot more likely to do business with you.
Now that you know why you need a privacy policy, how do you get one?
Easy, you make someone else do all the hard work!
Get your policy built quickly
There are a few companies that offer privacy policies for websites. The one I’ll discuss is Termageddon. It is run by Donata Stroink-Skillrud, Chair of the ePrivacy Committee of the American Bar Association. Donata is a highly skilled lawyer who is actively consulted on privacy legislation.
- Termageddon is only a paid service. Their pricing is $12/month or $119/year and includes embedding on your own website with automatically updating policies. Use this link to save 20% on your first payment.
Read and follow your own policy
It’s extremely important that you both read and follow your own privacy policy.
Thanks