All right, well, good afternoon, everybody, and welcome to another live training event. It's day two of the Website Policies Masterclass with Hans Skillrud and Donata Skillrud of Termageddon. Welcome back, guys. How are y'all?
Thank you. Yeah, thank you for having us back. Doing well. How are you lately?
I'm well, I'm well. I am super excited about today. I learned a lot yesterday; it was one of the better instructional events we've had in a while, with a lot of great engagement from the audience and lots of great questions. I'm hoping for the same today. So give us an idea of what we're going to cover over the next couple of hours.
Yeah, well, before we do that, I do have to thank everyone who participated yesterday. That was wild. Like, preparing for this presentation, putting together four hours of a privacy deep dive, I don't know if I would even want to attend that, you know, and to have the level of participation we had yesterday was just the best. It was awesome. So a thank you to all those who attended yesterday, and thanks to those who are willing to do another day with us. So thank you for that.
Absolutely. Absolutely.
Yeah, so today we're gonna be talking about two things: how to design websites with privacy in mind, and then also cookie consent solutions and how to make sure that you are picking a compliant cookie consent solution.
Very good. We've got a lot of very practical things to talk about today. I've just once again dropped the link bundle in the chat. That's got yesterday's slides and today's slides, the link to the course hub, and the two PDF downloads: the cheat sheet and the website policies waiver for clients. The course hub already does have the replay from yesterday, if you want to go back and rewatch it. The replay from today will be up within an hour or so after we wrap, and if you're watching this on the replay, the buttons for all those things are in obvious places around the course webpage. So with that, let me just remind everybody to pop open the Q&A box and ask your questions there rather than in the chat, and keep that box open, because if you see a question that's asked that you want to see answered, just upvote that question, and we'll get those over to Hans and Donata as we get to the wrap-up at each hour today. We will be taking a break in the middle as usual. So with that, I'm going to disappear, and let's get started.
Awesome. All right. Um, so thank you for joining us again today. So the first thing that we're going to be talking about for this first hour is how to design websites with privacy in mind. Before we start, just again, our regular disclaimer: anything that we talk about today is not intended to be legal advice. It's intended for informational purposes only and should not be considered legal advice. If you are looking for legal advice, we would recommend speaking to an attorney in your area for help with your specific legal issues.
And look at the third-to-last slide of our first presentation, where we show you how to ask the right questions to attorneys.
Okay, so why privacy by design? A lot of you have been designing websites for years and years and years, and usually privacy was not one of the concerns when it came to the website. Security obviously has been a concern for a very long time, but privacy not so much. So why are we even talking about this? Why should you consider this when building websites? Consumers are increasingly interested in their privacy online. The Cambridge Analytica scandal really showed the dangers of sharing PII online and really exposed to consumers the fact that if you give your PII to a company, they might do stuff with it: they might share it with someone else, they might sell it, or that information might be stolen or used in any number of ways.
And just a reminder, PII is personally identifiable information. That's the stuff that privacy laws regulate: things like names, emails, phone numbers, IP addresses. That's the stuff that these privacy laws regulate.
Exactly. And as we develop more technologies that affect privacy online, and as more of these privacy scandals come through, what we see is new privacy laws. A great example is next year, when six new privacy laws are going into effect. And as more privacy laws pass, we're going to see the privacy requirements for websites increase. So right now we have several privacy laws, such as the General Data Protection Regulation in the EU and the United Kingdom Data Protection Act 2018, and those laws require data protection by design and by default. As we discussed yesterday, these laws can apply to businesses outside of the EU and outside of the UK, and non-compliance can lead to heavy fines. Apart from the fines, there's also another reason why websites should be designed with privacy in mind: having a privacy-conscious website can be a competitive advantage for your clients. A great example here is a recent study by Axios, which found that 98% of Americans would switch to a company that prioritizes privacy. So if your clients have websites that are privacy-forward and privacy-focused, that respect consumer privacy rights and give them the appropriate choices, they may win business and win customers over their competitors that don't do that. I think one of the key takeaways here is that with over a dozen privacy bills proposed in the US right now, privacy requirements are not going away. Really, these requirements are only going to increase. It's not something that is just going to be swept under the rug so that nobody has to worry about it anymore. We really think that privacy requirements are just going to increase in the future. So maybe Hans can tell us a little bit about what privacy by design is?
Um, yeah. It essentially ensures that the privacy of users is protected by integrating consideration of privacy issues from the beginning of the project into development. Basically there are seven foundational principles that Ann Cavoukian produced that have kind of served as the standard for how to design websites. We're about to get into the thick of it, going through each one of these, and just a reminder: you may be completely overwhelmed, but I just want to note we will be wrapping this up with some actionable items that I think any web designer can take in-house into their business and ensure that they're doing best by their clients by helping ensure that some, or hopefully all, of these practices are being implemented.
Yeah. So what we're gonna do now is look through each of these seven foundational principles and explain them, and then we're actually going to go through some real-world examples of things that are good privacy practices and things that are bad privacy practices, so you can see what this looks like in the real world and be able to quickly spot issues as we go through the examples.
Fun fact for you too: I will say once you really get acclimated with privacy, you start going to websites and you're just going to naturally be like, "Oh, wow, they're not compliant, like, at all." You just can't help it; you'll be able to notice those from a mile away after this presentation.
And so first, privacy by design is proactive, not reactive, and preventative, not remedial. Privacy by design tries to anticipate and prevent privacy-invasive events before they actually happen. So let's say, for example, you're designing a website that allows people to create an account. People forget their passwords all the time, so you'll need a way for people to reset their passwords as they forget them. On the reset password page, the screen should not notify someone that they registered with a different email address and then list that email address. For example, let's say I registered somewhere as "Donata Skillrud at termageddon.com" and then I tried to reset my password because I forgot it. That page shouldn't say that my email address is actually "donata at termageddon.com", because then scammers could easily run a list of emails through this page to determine who does have an account and who doesn't, and try to hack those accounts. So that's an example of being proactive and using design to actually prevent privacy violations before they ever happen.
Yeah, and I don't know about anyone listening here, but I get offered all the time to buy a list of our competitors and all the people using those accounts, and obviously I have no interest in buying that. But that's the type of stuff that people will do if you give this type of access.
Exactly. Yep. So Hans, maybe you can talk a little bit about privacy as the default setting.
Sure, I'm going to read verbatim, but then I will expand. So privacy by design seeks to deliver the maximum amount of privacy by ensuring that personal information is automatically protected without the individual having to take any action to preserve their privacy. For example, users should not be opted into email marketing lists by default; they should have to affirmatively opt in if they would like to do so. So what you're wanting to do is ensure that you're designing websites where you are giving the user all the options available to opt into things. Let them know that they're subscribing to a newsletter. Let them know that they're submitting their data to you through a contact form and that the data may be shared with third parties. Keep the focus on the website visitor and give them the option to choose what they want to agree to or not in terms of exchanging their information. It's just like going to a store: imagine going to a store and, basically, the store clerk takes money out of your pocket before you've even taken anything out. That's kind of the concept with privacy: why should you have the right to take someone's information and do stuff with it that they haven't actually given you permission to do? So that's a good analogy.
Yeah, and all defaults should be set to the most privacy-focused option.
Yep. So you're unsubscribed; you're not subscribed at all by default. Yeah.
Privacy embedded into design. Privacy really needs to be an integral component of the core functionality being delivered and should not be bolted on as an add-on after the fact. So let's say you're choosing third-party integrations, third-party plugins or third-party services. This is where we move back a little bit into that list of services that you would provide to a customer that collect PII. When choosing third-party services, do not pick those services at random, without concern for the privacy impacts of such services, and then slap on a cookie-cutter consent mechanism and say that everything's fine. You should provide a list of any third-party technologies that you intend to use to the client, and they should have the opportunity to evaluate their privacy practices before they're used on the website. A great example here: let's say you were to integrate a third-party analytics company on the website without saying anything to the client, without taking care to make sure that they are compliant. All the data that is collected by the analytics service, if it was collected illegally, you might have to delete it, or your client may get in trouble and may get fined for the use of that particular service. So it's really important that privacy is part of the core functionality being delivered. Make sure that you know what third-party services are being used, make sure you tell your client what those are, and enable the client to perform compliance checks if they would like to do so.
You know, another example there: maybe you embed Calendly onto your booking system, where someone uses a link to book you for a call, and now all of a sudden they've been subscribed to your newsletter, and now you're hitting them with marketing all the time. That's not cool. I mean, who's pumped to have that happen? Very few people, I would bet. And it's just like, man, if you just offered a checkbox where people would knowingly agree to receive those emails, you're gonna have probably way higher open rates and way more interaction, because you're subscribing people that want to be subscribed. People who don't want to be subscribed to something don't subscribe, so when they start getting that stuff, if anything, it's irritating.
Yeah, it's bizarre, especially the ones that are integrated with text messaging. That's a violation of the TCPA, the Telephone Consumer Protection Act, as well. You can't just text people without their knowledge or without their permission. And sometimes Calendly does offer that integration, where if you submit your information to schedule an appointment, then you get texts, not about the appointment, but about marketing stuff. And that's really bizarre to the consumer, because if I am submitting my information to book an appointment, I would never expect to get a text selling me your stuff. That's not what I wanted. That wasn't the purpose.
Yes, it's just like, add a checkbox allowing you to text them and another checkbox to agree to the privacy policy, and all of a sudden everyone's happy. It's that simple.
Yep. Principle four: full functionality, positive-sum, not zero-sum. The whole purpose of privacy by design is to show us that it is possible to have privacy and security, and you can create a win-win scenario. I won't name the company that does this, but I feel like some of you may have heard about this because it was in the news a lot. If you're enabling two-factor authentication, for example, let's say you're enabling that for security. You can also preserve privacy by not adding the two-factor authentication information to an email marketing list. Consumers again: if I submit my information for two-factor, I want to make sure that my account is secure, but then you add that to an email marketing list. I mean, that's just completely the opposite of what it should be. So make sure that those user choices are respected. You can have privacy and you can have security at the same time. I'll let you take the next one.
End-to-end security, full lifecycle protection. And I'm so sorry, I will have to read verbatim because I'm not the expert, but I will be able to expand on it. Privacy should start prior to the information being collected and should continue throughout the entire lifecycle of that information, through collection, use, retention and destruction of that information. For example, a lot of companies keep information forever, which can violate multiple privacy laws and put the company at risk of data breaches, as well as making such breaches much more costly. You should talk to your clients about automatic data deletion after a certain period of time has passed from the collection, or upon certain events taking place. I'm actually going to start off with an anti-example of this, which is an e-commerce website. If an e-commerce website takes transactions, you're not supposed to delete those transactions; you of course have to keep them there for tax purposes. So if someone were to ask for their data to be deleted, you've got to remember there are certain things you can't delete because of other legal obligations. But ensure that you're not keeping just a laundry list of people's emails and phone numbers sitting there unused. That's why these types of laws exist, because a lot of data will just sit in places and then someone comes over, hacks the site, and now has that data to harvest and sell off to other people. That's why this type of foundation is such a good idea. And it's funny, I'm sitting here thinking I don't have an answer to this, but I'm sure anyone could Google search a plugin to auto-delete data for certain plugins, like form submission plugins and stuff. I'm sure those are probably baked into a lot of plugins already, where you can just auto-delete data after X amount of years or something like that.
Yeah, I think a lot of businesses keep PII forever because they might need it someday. But that can actually get you into a lot of trouble. Let's say somebody were to unsubscribe from your email newsletters and you keep their information just in case you might need it later. Well, next thing you know, you're sending an email campaign late at night and you're accidentally emailing them, violating their privacy rights. So having information that you don't need, first of all, puts you at risk of data breaches, because you're keeping a ton of information, which makes you a more valuable target. It makes breaches more costly, because then you have to notify more and more people that their data was breached, even though you never needed to have it in the first place. And it can get you in trouble because you could accidentally email them or accidentally resubscribe them or something like that. So really the point of data deletion is, well, I guess first, when you start, you collect the minimum amount of information needed. Let's say I have no need to collect addresses, I will never ship anything to anyone, or I have no reason to collect their birthday. Don't collect that data to start off with; that's gonna save you a lot of time on deletion later. And then, going through to destruction, make sure you delete data once you no longer need it. If you don't have a specific purpose in mind for why you would keep that information or what you'll do with it, you don't need it.
And let's be real, like, can anyone really say that you went back 10 years, found a form submission, reached out to that person, and you still do business together? Let's be real, that's not a reality. And I'm saying that as a seasoned salesperson. It's just not; no one's going to be happy to get that email. So
absolutely. Principle six: visibility and transparency, keep it open. This is very important on websites. Any features, any settings that concern privacy should be easily accessible to users. They should be visible; they should not be hidden. They should not be hidden behind different-colored text, or the same-color text as the footer, or behind a thousand pages they have to click through to get to the privacy information. It should be easily visible and easily accessible. Companies also need to have a comprehensive privacy policy that is easy to find, provides all the relevant privacy information to the user, and also contains all of the disclosures required by the laws that apply to that particular company. If you missed yesterday's presentation and you're not sure what I'm talking about, I would just go back and look at that, because we do talk about comprehensive privacy policies there. So, examples: a privacy policy should be in the homepage footer in a color, font and size that is easily visible, and should not be hidden via a "Legal" page or another descriptor that does not include the word "privacy".
And by homepage footer, I think a better wording here would be the global website footer, so it's available on all pages. If someone gets to your website on a blog page, they can still access your privacy policy in your global footer. Real quick, another example of visible and easily accessible settings, which we'll be talking about in the next presentation: cookie consent. We all love them. They are banners that allow people to opt into the collection and use of cookies on their browser. Sorry, here's my first guest appearance. That's Dora, kitty, so come on, Dora. So we'll be talking about this in the next presentation, but you can spot a non-compliant cookie consent solution so quickly: after you click your settings in the consent banner, do you have the ability as a user to change your consent settings at a later time somewhere else on the website? A lot of consent solutions will have an icon that you can click on to change your consent settings, or a link saying "privacy settings" in your footer where you can click and change your privacy settings. Those are clearly visible and easily accessible features that allow users to change their privacy settings at any time.
Yep, exactly. And then lastly, we have respect for user privacy and the importance of keeping things user-centric. Sorry, she's got a lot of opinions on privacy by design, mostly on whether certain doors are open or closed. Privacy by design requires designers to keep the interests of the user uppermost. What you would need to do here is offer strong privacy defaults, appropriate notice, and empowering, user-friendly choices. To do this, you need to make sure that the website gets consent for the collection, use and sharing of PII, that you provide accurate and up-to-date privacy information, and that you comply with all applicable privacy laws. So whenever you're designing a website and thinking about privacy, you should think about it from the user's perspective. Would a user understand what this is? Would they be able to see privacy information easily? Can they select privacy options or change their settings if they want to, and how easy is it to do that? And really, the main question that I like to ask myself, whenever it comes to any privacy feature on a website, is: would a user be surprised by this? This is kind of difficult, because you have to think about it from the place of somebody who's not a website designer, right? As a website designer yourself, you kind of expect a lot of these things to happen. You submit your information and you almost expect to get added to an email newsletter list. But I would encourage you to talk to somebody who's not in your space and ask them, "Hey, if you book a calendar appointment with someone, do you expect them to send you text messages for marketing?" A lot of customers, a lot of individuals, will say, "Well, no, I would never expect that." And that's a great indication that that's a bad choice.
That's awesome. You know, it's interesting. This is a zinger, Donata, and I'm putting you on the spot here, but I'm surprised one of the principles is not data minimization.
So it is; that's the concept of respecting privacy from start to finish. Data minimization comes in there.
Okay, so from start to finish, just ensuring you're not collecting more than you need to do your job as a business.
Exactly. Yep. Exactly. And a lot of privacy laws actually prohibit you from collecting more than you need. All right. So this is my favorite part of this talk, which is examples of what not to do. And these are shockingly very easy to find. It was a lot more difficult to find good practices. So here we'll see a basket: somebody's purchasing a vehicle check, and they're paying 14.99 for that vehicle check. If you'll see on the left, here's the checkout form, and it has a checkbox saying "I've read and understood the terms and conditions." Great. Yeah, that makes sense; terms and conditions is linked, everything seems fine. And then you have "More info." To the consumer, if I was thinking about it from a consumer standpoint, if I were to click "More info," it probably includes the text of the terms and conditions, maybe some tax information or something like that. But if I look at this and I click "More info," you'll see it says, "By submitting your details you consent to this company keeping you informed by mail and email of exclusive offers and services from us and from carefully selected partners." That's really interesting, because only if you click "More info" would you find out that your PII is actually going to be shared with other companies, or sold to other companies, that are then going to send you email marketing. As you can see here too, the box is pre-checked. That means that unless you click "More info" and uncheck the box, you are opted in to having your information shared and receiving email marketing from completely different companies. So this really violates privacy by design principles in a couple of different ways. First, it hides privacy information under "More info." It doesn't have me agree to a privacy policy or anything like that. It doesn't actually provide me with comprehensive privacy information either.
I have no idea who these third parties are, and I'm automatically opted in. So unless I opt out, I am going to receive these emails and my PII is going to be shared. That's a great example of a privacy by design fail, because it just fails to respect any of the principles and really fails to respect the user and their ability to make the choice of what they want their PII to be used for.
Just one note for the screenshot on the left. In addition to "More info" being a real shady practice, because you expand it and see that you've already somehow consented to having your data shared, I would also note that if you were to have the checkbox pre-selected for "I have read and understood the terms and conditions," that's also a bad practice. It has to be unselected by default, and the user has to select that. So
exactly. Yep. So here you have a contact form, and you see pretty much this exact form everywhere. "Let us know how we can help you": you submit your name and email, which are examples of PII, you select that you're not a robot for reCAPTCHA, and privacy information is not provided anywhere. A lot of people think, okay, the reCAPTCHA logo has "Privacy" and "Terms"; isn't that providing privacy information? That's providing privacy information for reCAPTCHA only, not for the website itself that's actually collecting the PII, using it, and potentially sharing it as well. So the form here actually violates privacy by design principles, because it does not obtain consent for the collection of PII and does not provide any privacy information right where PII is being collected. One of the important things about privacy by design is providing just-in-time notices. Whenever somebody is submitting their PII, that's usually when their privacy will be impacted, because they're giving you their PII, so that's where it's recommended to present them with privacy information. And a lot of privacy laws will actually require you to obtain consent to collect PII. Here, they could have completely avoided this by having just an unchecked checkbox that says "I agree to the privacy policy," with the privacy policy hyperlinked, and then the user needs to check the box to actually agree to the privacy policy before they're able to submit their information.
Yep. I mean, for the website owner, this gives you an exact timestamp of the moment someone agreed to your privacy policy. That's a very good piece of data to have if someone were to try to put up a false claim about you not following privacy best practices: nope, I have a timestamp of the moment you consented to our privacy policy.
Exactly. Yeah. And a lot of these forms will prevent you from clicking Submit unless you select that, which I think is a good practice too. So here we have a newsletter subscription. I've hidden the logo. I actually did one of these talks several years ago and one of the companies changed their practices, so I will keep the logos hidden, okay. So here, this is an example of a company where, to purchase a product, you're required to subscribe to their newsletter. And if you want to purchase the product but don't want to subscribe to the newsletter, it's impossible. You literally have to subscribe to get the product, which is a really big problem, right? Number one, that's a problem with sales. If people are not purchasing things from your website because they don't want to subscribe to your newsletter, you're losing out on sales, first and foremost. But secondly, that's not giving the user a real choice, because I don't need to subscribe to a newsletter to actually get the product. Those are completely unrelated things. I don't need the newsletter to learn how to operate the product or something like that. So here you definitely want to make sure that you're not stopping users from doing certain things just because you want to market to them or just because you want them to subscribe to the newsletter. Here too, I will say this runs a little bit into dark patterns as well, which is one of my favorite topics. Dark patterns sometimes interact with privacy and sometimes they don't. They're basically design choices that try to trick the consumer into making a particular choice. Here you can see you have a red CONFIRM button and then you have "No." The confirm button clearly looks like a button. "No" doesn't actually look like a button, and it makes me think that I can't click that, and I couldn't see it for a while.
Yeah, and "No" is pretty hidden on this page; it's in red text while the rest is white. That's a great example of a dark pattern too, where you're trying to trick the consumer into subscribing to the newsletter, which isn't good.
I don't know if you can see this, but for me, maybe it's just that I've been in this industry now for years, but you start to see businesses operating this way and it's like, that just seems kind of sleazy. Yeah. It's like, do you really have to push this hard to try to force people into things like this?
How bad is your newsletter? Yeah, no kidding. So here, this is great; this is one of my favorites. "Choosing how we send you marketing messages: tick this box if you don't want us to tell you about offers, rewards and information about other products and services by" blank. This really violates privacy by design because it's so confusing. I need to tick a box if I don't want to receive marketing messages, but users should be opted out of marketing messages by default and should receive those messages only if they opt in. Here you're clearly opted in by default and you have to tick the box to unsubscribe, which is really strange. Another thing here is "We'll never share your details with anyone else without your permission." I love these statements, because nine times out of ten the company actually is sharing your PII. Let's say you subscribe to email marketing: they're probably using an email marketing vendor to send those messages, and you have to share it with an email service provider to actually send the message, or a text messaging service. Exactly. So they have to be shared. But here you're saying, "We'll never share your details with anyone else without your permission," while you're clearly already abusing my privacy with this form. I'm gonna guess that you do share it. And that's just wrong; it's inaccurate information. If anything, just link to your privacy policy and say, "If you want to learn more, click here."
Think about the people who actually wanted to receive text messages from this group. They probably checked "text messages" and then never got a single text message, but did get emails, telephone calls and post, whatever "post" is.
Think that means mail mail, snail mail,
Yeah, it's just gonna be a terrible experience for all parties, like the people who want to receive stuff and the people who don't. Yeah,
it's definitely a mess from like a UI/UX perspective, too. But you know, since we're talking about just privacy, it's a mess from a privacy perspective as well. So here we have another example. So this says "our subscribers get the best offers from Ryanair via email, SMS, push notifications, phone and post. If you don't wish to receive these offers, please opt out." Well, okay, if I want to opt out, how do I actually opt out? It's checked by default. So do I need to uncheck it? Or do I need to leave the box checked to actually opt out? So it's extremely unclear how to actually opt out of receiving offer messages. So it doesn't actually provide consumers with an actual choice. Because if you're confused about how to opt out, you might be clicking this, you might be unselecting it, and you don't actually know which is which. And the box is checked by default. But it's not clear if that means that I'm opted in or opted out.
"Our subscribers get the best offers." Okay, by checking the box? Okay, I understand this factual statement you've provided me. Yeah, it's not giving you any insight. It's
very confusing about what to do here or how to exercise your choice. Next, we have a cookie consent banner here. So this is basically a cookie consent wall, and it says "Agree, Enter." So if I want to visit the website, I have to agree to cookies and click enter, right. So we'll talk about cookie consent banners in a bit here. But this one violates privacy by design and multiple privacy laws because it does not give users an actual choice. There's no decline button. And because it also forces them to consent to cookies before being able to actually view the website.
Consent to non-essential cookies.
Right. And then we have this cookie consent banner. So you know we have "measure ad performance," "develop and improve products," "store and access information on a device," so it has on buttons and off buttons. So because of the way that this is designed, it's actually very difficult to tell what's actually on or off, because the gray box on "off" becomes white if you click "on." So here it's like, you know, which part is this? Because at the beginning the gray box is off, the on box is white. I'm going to guess that this means it's on, but then if I click on, then the on box is white. So is it off or on? It's very confusing. So it really doesn't give the users the ability to make an actual choice because they might just be too confused by this design to actually be able to make that choice and to accurately express that choice when it comes to the settings. And here we have a footer. So this footer here says "terms and privacy." So this footer violates privacy by design principles and multiple privacy laws by combining a terms of service and a privacy policy under one link and one page. So those need to be separated. So there should be a link that says Terms of Service, and there should be a separate link that says Privacy Policy, or Privacy. Okay, here we have an integration with Clubhouse. So here we have an integration between Clubhouse and Twitter. So if I allow this integration with Twitter, Clubhouse will be able to see, and I don't use this app, this is just an example that I found online, I don't actually use any of these services, but the app will be able to see tweets from your timeline, see your Twitter profile information and account settings, see the accounts you follow, mute and block. So this is a big problem because it doesn't actually explain why Clubhouse needs to have access to my Twitter account. And by doing this, you know, Clubhouse gains a lot of access to PII without explaining why such access is needed.
Now if they were like, okay, we need this access to be able to, you know, help you tweet or something like that, that would make a lot more sense. But here a user might assume that they're not able to use this app without linking it with Twitter, where that's not necessarily the case. So they're kind of tricked into sharing all of the information from their Twitter account with this company, you know, without actual reasons to do so.
You know, before Termageddon, whenever I had to like connect things, I would get a prompt like this that always made me feel weird. Like, wait, yeah, why do you have to see all this stuff? And I'm sitting there being like, oh, do I let them have it? Do I not? And I imagine a lot of people listening are probably feeling the same way, like, and that's that uncomfortableness that I think is going to be increasing. I think more people are going to be thinking that way.
But by good design, you can actually make sure that people using the websites or apps that you build don't feel that way themselves. Exactly, you know. Yeah, there's a lot of what not to do. So here we have an unsubscribe. So this is from an email newsletter and I know you can't see this, and that's the point. This is the actual screenshot. So at the beginning, there's like a whole newsletter, whatever. And at the bottom, it says "click here to unsubscribe." Well, this is almost impossible to see. It has so little contrast with the background. There's no way anyone is going to see this. And there's no way that anyone is going to be able to exercise that choice. So the fact that they can't see this is in violation of multiple privacy laws. So you have to make sure that there's adequate contrast.
I don't know why I am on this tangent today in this presentation. But like, I mean, let's look at this. Like, I guarantee five years from now we're going to be looking back at the people who did this stuff. And this seems like, you know, like what blackhat SEO is, like where they try to, you know, hack their way and get into the top of search engines. This is just poor business practice. Like, yeah, who wants to work with a company that's doing stuff like this?
I'm gonna save these. Maybe we'll look at these like five years from now and
we also set a timer. Paul's gonna set a timer five years from now.
All right, so now we have good practices. So here you can see the footer of our website. So here you can very clearly see that, you know, here's our privacy policy, here's our terms and conditions, here's our disclaimer. So the footer clearly shows the website policies. They are separated by policy, and they're easily visible because of the highly contrasting text. So they're not all lumped under one link. People can very easily find them, can very easily see them and can say, all right, here's my privacy information. Here's, you know, if I'm worried about my privacy, this is what I'm going to click to read. Yeah. So definitely make sure that when you're designing websites, when you're designing the footer, that there's very high contrast between those two things, and that will also help website accessibility as well. But it's
one of the things that people look at when making decisions on if someone's guilty or not, right. Like how easily did they make it available? Exactly. Black and white. That's gonna make it pretty, yep, you know, clear.
So here we have a contact form. So you'll see that the form, so first, it only collects the personal information that's needed. So it's collecting names and emails; it's not collecting a bunch of random stuff that's not needed. You are required to agree to the privacy policy before you're able to submit your PII. It provides a checkbox that is not checked by default, and then provides a clear link to more information about privacy practices before you submit PII. So here you can clearly see, all right, here's their privacy policy. I can read this if I want to make sure that my PII is being respected, things like that. Also, this form uses required fields in an interesting way. So in the contact form, you don't necessarily need name, but a lot of people like to provide it, but they don't necessarily need to. So you can just provide the email so the business can get back to you. If you'd like to provide your name, you can, but you are not necessarily required to. Here we have a cookie consent banner. Actually, I think this is from the Information Commissioner's Office of the United Kingdom. So here you'll see that necessary cookies are enabled by default. Great, that's awesome. And analytics cookies are turned off, so you can clearly see that they're off and you can clearly see the toggle to turn it on. So my privacy is being respected by default. And then I can make an actual choice whether to turn it on or turn it off. And it's very easy to see whether it's on or off as well. This was great. I am sure a lot of people experienced this, but this is the new Apple notice. So it's an example of best practices, because at the right point, the user is provided with a choice: allow tracking or ask the app not to track me. So here's a great example again, you know, give consumers a choice and they can choose whether or not they want to be tracked. Here's another example. So this is some kind of travel website.
And you can see at the bottom you can check to receive our travel deals newsletter. The box is not pre-checked, but if I do want to receive the newsletter I can check the box and then I'll be opted in. So I'm opted out by default and if I want to be opted in, I can. Here too, so this has a form that says, you know, opt in to our newsletter. So that means I'm not opted in by default. But here you can enter your email address, it says sign up, or you can click "No thanks," like I don't want this, I'll click "No thanks." Or I'll click the little checkbox and then leave it, but if I do want to, I can actually agree to that as well.
Do you think the fact that "No thanks" is a different button color, it's less, it is technically, I would say, less popping out? Do you think that's a dark pattern?
It's like slightly less popping out. But I would say it's within like reasonable realms here. Would I do it this way? Probably not. But I'm like more extreme than others. Sure. But it's
we were talking about organ harvesting yesterday. Yeah, reasonable
enough where people can like reasonably see "No thanks." They can see this little checkbox. Here we have Discount Tire, everyone's favorite privacy website. But here you can see in their footer, it's very clearly privacy policies, email preferences and unsubscribe. Actually, this is from their newsletter, not from their website itself, but you can very clearly see where unsubscribe is. Do you remember that previous one where it was, you know, black background and dark gray text where nobody could see unsubscribe? Well, this is the flip side of that, where you can clearly see it. It is given prominence. You don't like this newsletter? Fine, you can unsubscribe, it's no problem. Here we also have another newsletter as well. So here you can see at the top: unsubscribe, privacy and security policy and customer service. So here unsubscribe is also very clear. It's very easy to find. They actually repeat it again here as well, so you can make your choice if you'd like. So in practice, compliance checks. So we talked about listing the third party technologies on your website. So you know, providing your clients with ample time to review compliance practices, and make sure that they have those right compliance checks as well. That's part of privacy by design as well. And those are the things that, you know, people should pay particular attention to when running those compliance checks as well. Data retention, so discuss data retention periods with your clients and set a recurring reminder to go in and remove data that is no longer needed. So really, you know, remove form submissions, clear sitewide cache, or send a templated email to your client on a recurring basis, reminding them to delete data from users that they no longer need to reach out to.
Yeah, and one little note, I would say clients should know, like, you know, what their data retention period is. Sure. Yeah, maybe like, you have to be the legal provider, obviously,
like in the ideal world, they would let you know that, but you know, you can discuss this with them if you'd like. And provide your clients with a way to exercise privacy rights. So if somebody contacts them asking them to delete PII or to unsubscribe or something like that, you don't want the client to have to be dependent on you to be able to do that. You know, so if they're using MailChimp, for example, you know, give the login to them, make sure the account is under their name and show them how they can access, delete or download the PII that was collected by their website. Because privacy laws have a certain number of days within which to respond, and let's say you're on vacation or something like that. And you just, you know, everybody hates getting those emails from clients where it's like everything's an emergency kind of thing. You know, allowing them or teaching them how to do that beforehand, and obviously charge for your time, you know, it can help them take care of those kinds of issues themselves, like they should. So final tips, a little bit of a cheat sheet here. So make sure that the website does not collect more PII than what is needed. Make sure that you're ready to help your clients in deleting PII and honoring other privacy rights. Explain to your clients what services the website will be using that will collect PII. Offer your clients plenty of time to conduct compliance checks on those services. Provide a way to gather proper consent, so "check the box before submitting information." Provide a cookie consent solution if you need to. Provide clear links to policies that are accessible on all pages, and keep privacy requirements in mind when designing and developing websites. So we have some commonly asked questions, but I think maybe, Nathan, we can go into the Q&A because I think there's a bunch of questions there.
Oh, yes, there are questions. There are many questions. So folks, if you are not looking at the Q&A screen, pop that open and upvote any of the questions that you would like to see answered, and while you do that, I'm going to ask a few of my own. So Hans, as a former agency owner, how would you navigate the conversation with a client who insists that the opt-in checkbox is checked on for a mailing list?
I'd have an email thread where I'm giving my recommendation, I get their response, and then I do as they please, because I can only do so much. I am building their website. It's their ownership, it's their property. So if they don't want to comply with us, that's okay. They're the business owner; they get to make that decision. So long as I have an email history, I have it recorded where I was trying to do my best.
That's great. Number two is something I think I talked about in one of our office hours earlier this year, but in political season, especially here in Alabama, we just get a flood of political texts, right, and where the heck are these candidates getting my information? And I did some research, and the voter registration form, both on the web and the print version, make it appear that you have to provide your email address and mobile phone number, but it's not required. It's really sneaky. It's almost a black hat, or what did you call it? Dark? Dark pattern. Yeah. And then the Secretary of State's office is required by law to sell all this information to candidates, so you just get spammed. It's ridiculous. One of my most favorite
things. The thing I'm the most excited about with all this, because we talked about yesterday, all these privacy laws coming in, and it's going to be hitting small business owners, it can be stressful. I love that governing bodies are going to also have to abide by these rules. Actually, no,
no, they'll exempt themselves like they do
all the time. Oh, it's ridiculous. The government follows a different set of privacy rules, which are kind of like, I'm gonna do whatever I want.
But I just learned something. You know, one of
my favorite websites of all time is, if you Google search "dark patterns hall of fame," you'll see so many of these that pertain to design that are so solid. They're so solid, they're great. And you can actually submit any ones that you see on there as well, which is really cool.
So, wow. Yeah, so Deceptive Design Hall of Shame. Love it. Yeah. Okay, one more question. We'll get to the other posted questions. So I found myself really questioning the form, that standard example of the standard contact form and needing to ask for consent. Isn't the very fact that I'm entering my information and hitting a button, is that not implied consent?
You would think, but actually, some privacy laws require you to even disclose the source of the information, where you have to, wow, type out "this is information submitted by the consumer." It's wild.
So consent has to be informed, right? So let's say Hans and I are going on a date. And he asks me, "Hey, Donata, do you want to go out on a date?" and I say yes. Well, it turns out that part of this date is Hans driving 150 miles per hour down the highway. Well, I didn't want to do that. Since I already said that I'd go on a date, that means I'm cool with him driving 150 miles down the highway? You know what I mean? Versus if he told me ahead of time that that's what was gonna happen, I would tell him no, and we would never be married. But you know, here we are. But part of consent is being informed as to what's actually being done with your information. And that's where the privacy policy comes in. So you know, if I submit my information on a contact form, I'm going to assume that it's not sold, like why would you sell it? But if the privacy policy tells me that it is being sold, you know, then I can say, all right, now I really don't want to give it to you, you know, or now I'm okay giving it to you. So it has to be informed. People need to know, you know, what you're doing with that information, who you share it with, do you sell it, things like that, to actually be able to get consent, because you can't get consent without it being informed consent.
I follow your logic 100%. Like, because as a regular person, I submit an inquiry, I'm expecting to get a call back or email or something. So I totally get that, but the fact is, it is required under multiple privacy laws to provide that, and let's be real, a lot of people will use those basic contact forms. And I know we all have on our own websites, where maybe with some people, you submit that information and now you're in their newsletter. Now you are getting text messages. Some people abuse it, so all of us now have to do it. That's the situation.
So simply a link in the footer of the contact page, there's a link to the privacy policy, that's not enough?
No. So when it comes to the privacy laws where you do need to get consent, that's not enough. Um, so again, this kind of goes back to the whole "figure out what privacy laws apply to you first," because not all laws require consent. But if a law applies to you that does require consent, then you need to have that little checkbox. But I would say, you know, even if those laws don't apply to you, it's probably best practice to get consent anyway, because eventually there will be a change that requires you to do that. And then you're going to have to change stuff. And then you're going to have to ask the old people for their consent retroactively, and it's like a whole mess. So I'd probably do it right away.
That's kind of like, do you want to go figure out all those privacy laws and which ones require the consent, which ones don't, and then you get to make a decision if you put the checkbox, or you just put the checkbox, put that best practice forward. And some people may be like, you know, I hear it from marketing all the time, "oh, the more buttons I add to a form, the less conversions I'm gonna get." And I always counter, like, if you're dealing with millions of submissions, sure, like I get that, but I don't think that happens. Yeah,
I've never really had anyone complain that they have to check the checkbox. Yeah. Being in the cookie consent, yeah, like, you complain about that. But the checkbox on the form I've never heard of, so.
I'm sure there's other people that ask this. And I don't want to monopolize everybody's time here, but I think this is a question that applies to everybody. Is it enough to maybe state on the contact form, "by submitting this form you're, you know, you're agreeing"? It has to be a checkbox that they check?
Correct. So consent has to be a clear and affirmative act. So just by the nature of visiting this website, by the nature of submitting this contact form, you're consenting? That doesn't work, that doesn't meet the standard. It has to be an actual affirmative act by the individual, and that's also why you can't have the box pre-checked.
Got it. Okay. Well, let me move on to other questions here, folks. What we'll do is do like two or three minutes of questions here, take a break, and the ones that remain, there'll be time at the end of the next session for Q&A. Cool. All right, Stacy: I get so much spam to my website email, and is it necessary to have my phone number and email address on my privacy policy?
It depends on which privacy laws apply to you. So certain privacy laws don't require that and others do. It was just the way that the privacy law itself was written, which was kind of unfortunate. What I would recommend is looking into getting like a Google number or something like that. Or if you don't want to list your address, maybe getting a P.O. box or something like that. I know this is a requirement for attorneys in certain states to list that information too, just by the nature of being an attorney, and somebody contacted the state and they were able to get an exemption. So that might work for you as well. But yeah, with the privacy laws, if those laws apply to you, there's no way around it usually. It's
really unfortunate right now, and I think that's an important thing to remember right now. This is our situation, but I think as time goes on, and governments hopefully realize a lot more people are working from home and are small one-person shops and they have their phone number, you know, and they have their email and they don't want to get spam like I have. I'm trying to remain positive about it. I think eventually that will get figured out, but currently right now it is a requirement under several privacy laws.
Wow. Okay. That's what oh, sorry. No,
no, go ahead. We have more questions. We need to answer more questions.
Beth wants to know if there's a privacy checklist, a magic checklist somewhere that she can use to make sure all the i's are dotted and t's are crossed.
So that cheat sheet we just provided on that like second-to-last page, that was kind of like our, that's really like a really good place to work off of. Like, we tried to balance out complexity with simplicity. And we feel like those are pretty actionable items to consider. It's funny that you say that, Beth. We're actually thinking about like some branding, calling it a privacy prepper list, where like, we're going to do some branding, like you're a prepper, a privacy prepper, and we're going to actually take these cheat sheets and kind of expand on it. So if you liked that idea, I would love to hear some comments. This
is one of Hans's ideas that he came up with, that I will 100% end up having to do entirely by myself. So
awful. It's terrible. Terrible idea. Yeah. Okay, Paul: if someone requests an opt-in gift, can follow-up emails regarding that gift be sent? Can additional offers be sprinkled in with those emails? What is the limit this can be done to without being shady? That's a hard question, though.
It depends on what the person consented to. So let's say I have a lead magnet and the person consented to receiving that lead magnet and nothing else, right? At that point, I would just send them the lead magnet and not send them anything else after that. But if the person consented to receiving the lead magnet and then receiving additional marketing materials, then it's fine to send them additional marketing materials. So it's really whatever the person agreed to. That's what you should be going by, and you know, make sure to structure your forms that way too. So if the form says, you know, you're submitting this information to receive this lead magnet, perfect, you're just getting the lead magnet, you're not getting anything else. But if the form says, you know, you're getting the lead magnet, and check here if you'd like to receive additional marketing materials, and they select that, great, then you can send them additional marketing materials.
And let's be real, like the people who do check that box, those are the people that are most likely to buy in the first place, the most likely to upsell in the first place. You said it years ago, but it's like, would you rather have a million subscribers where no one really likes your brand and no one really opens it? Or would you rather have 1,000 subscribers who absolutely love your brand, want to open your emails and actually want to look at what you have to offer? Yeah, you know, I'd take 1,000 in that situation. So
yeah, but it's all about just presenting that information to the individual, allowing them to make that choice and then respecting that choice.
Very good. And if you're feeling stressed right now, just saying, oh my gosh, I've got to reinvent everything, how I do stuff, I just want to remind everyone, like, as a former agency owner, I know what that stress is. I felt that stress, but I'm telling you, you get through that hump and you finally accept, because I think it's just not accepting that these are laws yet. You will get through that hump and you're going to start to see things differently. You're going to start to appreciate just quality leads rather than blanket leads, like trying to throw a wide net. Rather, we're fishing with one lure, but it's a darn good lure.
I would also say, like, weird analogy, don't spend too much of your time shoving this down your clients' throats, right. So you know, if they're setting up their lead magnets, and they're like, okay, great, I'm gonna start texting this person day and night. Well, you can say, well, that's a terrible idea, and you could get fined or sued, talk to a privacy lawyer, and they're like, no, I still want to do this anyway. That's on them, right? Like that's their business. They can make their choice. You know, you choose to run your agency or your business the way that you want to, and so do they. So if you're getting a lot of pushback from your clients on this, I would just let it be, you know, make sure that my contract's airtight and let them make their own choices.
Yeah, very good. All right, folks. Let's take a pause right there. Maybe a five minute break. We're just a little bit before four minutes after; let's come back at nine after. So just a little over five minutes. We'll be quiet until then. See everybody back again at nine after. Yes.
The next presentation will probably be a little shorter with the intention to answer more questions. Yeah,
plenty. There's plenty of time for questions to end today.
All right, folks, we're back for the final hour of the website policies masterclass. And we're talking about cookie consents. Sounds like fun. I'm gonna disappear. Let's just get right into it.
Awesome. Yeah, so we're gonna be talking about cookie consent solutions and how to pick a compliant one. I really think that cookie consent banners are probably the most hated part of the internet.
I think a lot of people dislike them. They're actually, in my opinion, very powerful, awesome tools. I just think a lot of people will see them and think, oh, this company sells data or something like that. And there's just so many misconceptions right now about them, but they are certainly, I think as time goes on, people will become more understanding of them. And it certainly starts by having a proper one in place so people can really better understand what's going on with them. Exactly. Yeah. And we'll kind of, so sorry, our dog's scratching at the door. So I guess she
wants to be part of the webinar. You know, we'll talk about who needs them and why and how to actually make sure that it is compliant. So something happened here, okay. So we have, there's certain features on websites. So you have maps embedding, video embedding, spam prevention, and website analytics. So all of these features utilize cookies. They're not essential to the operation of the website, and all of them share data with third parties. Oh, also, the information provided today is intended for informational purposes only and should not be considered legal advice. So let's start off by talking about what cookies are. So cookies in general, it's a small piece of data sent from a website and stored on someone's device, so for example, on their computer or their phone, by a browser. And really there are three types of cookies. So we have essential, functional and marketing. So essential cookies are those cookies that are necessary to view and browse the website and use its features. So without essential cookies, the website would not work. Great examples of those types of cookies are those cookies that are used for maintaining security, authenticating users and preventing fraudulent actions. Then we have functional cookies. So functional cookies are cookies that allow a website to remember the choices you have made in the past. So great examples of functional cookies are cookies that are used to remember your language preferences, cookies that automatically log you into your account or allow you to share posts on social media. And then lastly, we have marketing cookies. So those are cookies that track online activity for marketing or advertising purposes. So these cookies may limit how many times you see a particular ad or show you the most relevant ads to you. Really, when it comes to cookies, the cookies that kind of caused all of this trouble are the marketing cookies. Really, not a lot of people had issues with essential or functional cookies.
It was the marketing cookies that bothered people. So the fact that, you know, they visited a particular website, and then all of a sudden they get ads for a product that they looked for on Facebook. You know, so for people like that, you know, for people who are not necessarily as experienced with the internet as all of you here, you know, that really freaked people out. You know, how does Facebook know that I was looking at tables the other day, or how does Facebook know that I'm looking at mousetraps or whatever? You know, those were the cookies that really caused all of the problems here. So there's a number of privacy laws that regulate cookies, or necessarily regulate the ability to place a cookie on someone's device. So we have the ePrivacy Directive, which is the European Union privacy law that governs cookies, also called the cookie law. That applies to anyone placing cookies on a user's device if that user is an EU resident. We have the General Data Protection Regulation (GDPR) and the United Kingdom Data Protection Act 2018. So those will apply if you have an establishment in the EU or the UK, if you offer goods or services to EU or UK residents, or if you're tracking the behavior of EU or UK residents online. We have Canada's PIPEDA, which will apply to anyone that is collecting, using or disclosing the PII of residents of Canada, for-profit entities. Yes. And then we also have the CCPA, the California Consumer Privacy Act. So those are the laws that regulate cookies and things like that.
So, well, I guess going back real quick: if none of these privacy laws apply to you, congratulations, you don't need to have a cookie consent banner. And what a lot of people don't realize is that under GDPR or the UK DPA, if you have, for example, Google Analytics on your website, you're tracking the behavior of EU residents online just by the nature of having Google Analytics. So that will subject you to those laws, and that will also require you to have a cookie consent banner. So if you were to spend some time researching other analytics services out there, for example Fathom Analytics, because it doesn't actually track the behavior of users and doesn't actually collect PII, you wouldn't have to have a cookie consent banner if you use that particular analytics service. In the same vein, if you don't have any functional cookies or marketing cookies, you don't need to have a cookie consent banner either. So there are ways to avoid this. If you really don't want to have a cookie consent banner on the website, you know, make sure that you're not subject to these particular privacy laws, use tools that don't make you subject to those privacy laws, or don't use functional or marketing cookies, and then you won't have to have one. Then there's a very clear set of rules that you need to follow if one or more of those privacy laws apply to you and you need to have a cookie consent banner, and maybe Hans can discuss those a little bit.
Yeah, so cookies must be categorized correctly. So is it an essential, functional or marketing cookie? Google Analytics is a marketing cookie, whereas being able to comment on a blog on a WordPress website would be more of an essential cookie.
Yeah. So you can't just take Google Analytics and say that it's essential and then say, okay, well, I don't need this, you know what I mean?
But I will note there is a bit of an asterisk with this, which is Google Analytics 4, which does claim to be compliant with GDPR and the UK Data Protection Act. There are some mixed opinions on that one. So we're waiting for time to take its course and for decisions to be made on that particular new update. All other cookies must be disabled by default. This is the thing that I think really rattles the cage of web designers, especially web designers who have been designing sites for years and years and years. By default, you cannot track people anymore. You just can't, at least for the people who have these privacy rights. So by default, you can't put these cookies on there. That's why these banners exist. It's usually the first thing you see when you visit a website, because what those websites want to capture is whether you're willing to consent or not, so that if you do give consent, the website can properly track you and understand how people use the website.
Yeah, so really only essential cookies are allowed by default. Essential cookies are fine; nobody's saying anything about those. If you have essential cookies, those are allowed by default. That's great. All other cookies must be disabled by default,
you must obtain consent of the user before allowing any other cookies. And therein lies why, when you go to a website and it says, like, "we use cookies" and you just say okay... I mean, unless it's just essential cookies, but then why even have the banner in the first place? Because you don't need to capture consent. You capture consent so you can place cookies on the browser, and then, hopefully, you get the proper consent to allow you to track them, possibly remarket to them, and so forth.
Yep. So again, you must obtain consent before placing functional and marketing cookies on a user's device. So what is consent? We kind of talked about this a little bit in the previous lesson, but to define it: consent is a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the individual's agreement to the processing of their PII.
PII is personally identifiable information. That's one of the first slides of the first presentation.
Yeah, so when it comes to cookies, PII is usually an IP address, device identifier, online identifier, and information as to how someone interacts with the website or with ads. So we'll kind of break down each of these consent elements. First, consent needs to be freely given. For consent to be valid, the individual needs to have a real choice as to whether or not to allow the processing of their PII. Here are some examples of where people are not provided a free choice. If they feel compelled to consent: I saw this in the chat where somebody said, you know, "Yes, I want this," or if you say no, it says "No, I'm lame" or "No, I'm stupid, so I don't want this." That's being compelled to consent. Somebody will endure negative consequences if they don't consent: for example, if they don't consent to being tracked online, you're going to charge them more for the services or products that you offer. Consent is bundled as part of non-negotiable terms: if I consent to the privacy policy, the cookie policy, and the terms of service at the same time, that's not a real choice. Or individuals are not able to withdraw consent without detriment: people need to be able to withdraw their consent at any time, and if they can't withdraw consent, that's not freely given consent. Then
just a reminder, if anyone's already like, oh, man, I'm feeling overwhelmed: whenever I start to feel overwhelmed in this presentation, I just want to remind everyone, you know, we'll have some clear takeaways as well with this presentation. The good news is you find a good consent solution. That's the whole purpose of this presentation: to understand how to identify a good consent solution so that you can move on in life. You now know a good consent solution, and you now know what to implement. And then move on to the next project.
So consent is a clear affirmative act, right? For that, it needs to be specific. The individual must be able to view the purposes for which their PII is being processed. So let's say you have a cookie consent banner: they must be able to see that their information will be processed for ads, and must be able to choose whether they would like it to be processed for ads or not. And that's where a lot of cookie consent mechanisms get it wrong. They'll say "accept all cookies," and there's no choice to be able to specifically say, okay, well, I don't want marketing cookies, or I don't want functional cookies. They need to be able to specifically choose which cookies to allow and which cookies not to allow. Informed: they must know what they're consenting to. So the cookie consent banner needs to list the purposes of the cookies and needs to link to a page that provides more information as to the actual cookies that will be used. That's where the cookie policy comes in a lot. The cookie policy will say exactly what those cookies are, what their classification is, where they're coming from, how long they last, things like that. That's what provides informed consent, and that can be done through the privacy policy as well. Yep, so an unambiguous indication of wishes. For that to happen, the consent must take place via the means of a statement or by a clear affirmative action. You must be able to show that they actually agreed. So silence, pre-ticked boxes, inactivity, all of those things are insufficient to demonstrate consent, because you're not able to show that they actually did something to consent to being tracked online. You need a clear and affirmative action. So when we talked about the forms, too, you know, if the form has a pre-checked box and I did nothing, that's not an actual indication of consent. And most importantly, withdrawing consent should be just as easy as it was to actually provide it.
So let's say today I go on a website, and let's say I'm cool with you tracking me with marketing cookies, and I'm cool with you advertising to me. And then tomorrow, I decide, well, you know what, actually, I'm not cool with this. I need to be able to see something on the website where I can easily make my choice to not be tracked anymore. So withdrawing consent cannot be hidden. If I needed to click on two things to provide my consent, I shouldn't have to click on 1000 things to withdraw it. It should be just as easy as it is to provide consent. So, noncompliance examples. There are a lot of cookie consent banners out there that are not compliant, and I'll give some examples here. First, banners that automatically enable functional and marketing cookies regardless of what the user selected, or that enable those cookies if the user did not make a selection. Make sure that those are disabled by default and enabled only if somebody actually makes the choice to enable them. Cookie banners that say "by using this website, we assume that you're okay with cookies." Again, we just talked about all the factors for consent; that does not meet those consent factors, because nobody's actually taking a clear and affirmative action saying that they're okay with being tracked. Cookie consent banners that only have an "accept" or an "okay" option without a "decline" or "no" option. Really, you need to have a yes and a no option. If there's no "no" option, then users are not provided with an actual choice. Cookie consent banners that hide or obscure the "decline" or "no" option, that's also an issue as well; it goes back into dark patterns. And cookie consent banners that do not allow an individual to withdraw their consent after it has been given. So Hans, maybe you can talk a little bit about why these particular cookie consent banners are not compliant.
Um, yeah, I mean, the first thing you see are giant "I agree" buttons and then very hidden preferences. And then it looks like one has a reject option. But these are all examples of dark patterns, where you are trying to get the user to select the button you want them to click, which is to, you know, give you all of their data so that you can understand how they use your website and so forth. And I'll just note for the record, I actually like ads that target me. That doesn't mean I don't still like the right to privacy, because there are websites I don't want to be tracked on. So just keep that in mind when designing these banners: if you try to be mischievous about it and try to hide the things you're legally required to do, first off, you could get dinged for dark patterns. But in the same breath, it's like, why are you pushing? If you're the consumer in this situation, aren't you gonna feel a little bit icky? If you just click it blindly, you click it blindly, but if you start to look around and you see, wait, there are these hidden reject buttons, I'm going to reject because I already start to feel uncomfortable. That's how I personally feel.
Yeah, so the one on the left, the Accept button is absolutely giant, it's green, and then Reject is kind of hidden off to the side. The one in the middle, you can see "I agree," and then it has "manage settings," so it does not have any actual "No." If I want to refuse to give consent, I have to click "manage settings," then I have to figure out what that page says and how to opt out there. Versus it really should be "I agree" or "I reject." And the one on the right has an "I accept" button, and then it has a "show purposes" button, which I'm going to guess would show me why those cookies are being collected, but there's no reject button, so I can't actually make any choice. It's always
funny when you see "we care about your privacy" as their opening statement. Yeah,
and then they're clearly violating privacy laws on the same page. So
many privacy policies start off with "we really care about your privacy," but not enough to actually care. Yeah, not to mention a privacy policy should be as small and weak as possible. Saying "we care about your privacy" is not really... I don't
necessarily have any issue with that. When writing a privacy policy, it's kind of hard to come up with a decent opening sentence. But
you've been striving to provide the right yes, your requirement page
like that. I really wouldn't. I really wouldn't. You know, so here it says it has "your right to object where legitimate interest is used," but it doesn't actually say how to exercise that right to object. It just has an "I accept." So none of these are compliant. None of these should be used
with any privacy law.
No, no. So again, the cookie consent banner needs to have an accept and a decline button. It's very important that it has both. If it doesn't have both, it's not compliant.
It doesn't have to be verbatim "accept." I can
say okay, or no, or deny and accept, but yet, you know,
yes and no, yeah.
So, cookies and transferring data: it does matter where your cookie consent banner provider is located. This is a really interesting case. On December 1, 2021, a German court decided that companies cannot use a cookie management provider that relies on a US-based service to collect data, regardless of whether that data actually ever leaves the EU. The court found that the cookie consent banner provider collected IP addresses, the URL, the user's preferences, and a unique random user key assigned to the user. That part was fine; you do need to track people's actual consent preferences. But the company used a US-based content delivery network to collect the data. So the court said that the mere use of a US-based provider to collect PII was an unlawful transfer of data to the United States, as that data can be accessed by US intelligence agencies, and this is regardless of whether the PII actually comes into the United States at all. And that runs into a whole other can of worms, which is transfers of data, which we won't get into. But the case was actually later rejected; they recanted on this and said it was fine. But we do expect to see more and more of this. Data transfers from the EU to the US are subject to high scrutiny right now. It's a very popular topic amongst regulatory circles. So best practice is to use an EU-based cookie consent provider that does not use any US-based services to collect PII. That's something to keep in mind as well. If you are looking for a cookie consent provider, we would recommend looking into EU-based ones so that you don't run into any data transfer issues.
That's the big reason why we actually partnered up with an EU provider for our consent solution at Termageddon rather than building it ourselves, because we were ready to build it ourselves. I mean, it was gonna be an undertaking. Yeah,
but we kind of knew the data transfer was gonna be an issue, so we just decided not to do it. So, some takeaways. First, you need to find out if your website uses non-essential cookies. Then you need to find out if you need to comply with privacy laws like the ePrivacy Directive, GDPR, UK DPA, PIPEDA or CCPA. Or, you know, you can decide to just add one to your website regardless of whether you need to comply; that's up to you
and decide not to... I was the one who wrote in "or just respect people's privacy." I'm not trying to be sly there; it's just poor wording. But it is an opportunity. Call it an opportunity.
Yeah, you can tell which slides are done by me. Make sure that the cookie consent solution clearly offers the ability to accept and decline the use of functional and/or marketing cookies. Make sure that those cookies are off by default and that they're only turned on if the user consents, and make sure that website visitors can change their consent settings at any time. That's another
big one. You know, you click a noncompliant cookie banner, and then there isn't any option to change what... well, you probably didn't even have that option in the first place. Yeah, yeah, that's a telltale sign that it's non-compliant as well.
Yep. We have some commonly asked questions that I'd like to run through real quick before we get to the Q&A. So, do we have any recommendations for cookie consent banner tools?
Yeah, well, yeah, Usercentrics. You know, we've vetted quite a few consent providers, to say the least. When we partnered up with Usercentrics, we went with Usercentrics primarily because not only was their consent tool compliant (which I just say in a simple sentence, but that took a very long time of vetting company after company), but they have a dedication to constantly monitoring privacy laws, like we do. So I'm a big fan of Usercentrics. That's the first one that comes to mind.
What should I do if my client does not like how a cookie consent banner looks on their website? Well,
the agency side of me is always balancing trying to tell my client best practices and then letting them make the decision. So I would just make sure to note, you know, hey, this could result in dark patterns, which is a privacy compliance issue, or it could be an accessibility issue. It depends what they don't like and what they want to change about their consent banner, but their consent banner is there to comply with laws and to give users the right to change their privacy settings in the future. So, you know, as an agency I would always provide my advice, let them make the final decision, and then take action.
Exactly. Yeah. If your client wants to take it down, that's on them. Yeah. Um, are there any ways to get around providing a cookie consent banner? So yes, you know, remove functional or marketing cookies and trackers so that you don't have to get consent. See if there's any way to avoid having to comply with those privacy laws. So if the only reason why you're subject to privacy laws is because of your tracking, you know, maybe don't track.
Just to put this into a straightforward example here: GDPR applies to you if you have a place of business in the EU, if you offer goods or services to residents of the EU, or if you monitor the behavior of residents of the EU. Well, if it's only that third option, where it's like, well, I'm in the US and technically my website could get traffic from the EU, and I am then technically tracking them with Google Analytics, swap out Google Analytics for Fathom, and now you're not tracking those users and may not even have to comply with that law, if that's the only thing that was causing you to have to comply with that law in the first place.
Yep. And another thing that a lot of people do as well is they set the location for where the cookie consent banner appears, so it only appears for people from the EU, UK, or any of those countries or states that require it. So all of your other customers won't see it, and maybe that will lead to less friction as well.
Sorry, I don't mean this to be a sales plug, but I will, since there are just so many partners listening to this: we do now have a plugin, a WordPress plugin, at Termageddon, where you can make those selections, where you can choose to show the consent solution based on location.
Awesome. All right. So I think there are a lot of questions from the audience. We'll stop sharing our screen and then get into those questions.
Yeah, lots of questions, many questions. So, while we're on that same subject, Beth has asked us to please tell us about Termageddon's cookie banner tool.
Okay. Um, yes. So Termageddon's questionnaire, on page one of Termageddon's privacy policy questionnaire, helps you figure out the laws you need to make disclosures for. Once our tool figures that out, we then know the type of consent solution to provide, and basically everything comes ready to go. You just have to put in the link to your privacy policy and scan your website. What's really nice about it, and it doesn't get discussed enough, but Donata did quite a bit to make sure that this happened, because it surprises too many people that a consent banner for CCPA is different than a consent banner for GDPR. So our tool helps figure that stuff out. So
Hans, no, tell him to slow down. Way too fast.
So in that same regard, I've seen the Termageddon cookie banner that pops up. How does that work with screen readers, or how does it address other accessibility concerns folks might have?
Yeah, so Usercentrics has a W3 double-A certification, I believe it's called, where they have passed certain accessibility guidelines for their consent solution. The other thing is they're very adamant about constantly improving the banner. So if people have feedback and stuff, I would welcome sending it to me and I'll send it off to them, or sending it to them directly. They are very aware of accessibility needs and are very focused on that.
Good. All right. Next question, also from Beth, and by the way, folks, we're taking questions in the order of upvotes. So pop into that Q&A, ask a question if you haven't, and upvote the ones that you would like to see answered. Beth says that when users sign up for her Project Managers Academy, they agree to be added to the email list. They get the academy and marketing emails; that's part of the deal to get access. Is that a problem with privacy?
So again, we can't provide legal advice on specific legal issues, and I think this would run into that. But generally speaking, you know, you cannot predicate the purchase of a product on signing up to email marketing lists. So if I were to go out and buy tires, I shouldn't have to submit my information to subscribe to their email list about tires just because I want to buy tires. Now, if that email marketing list is specifically about the tire that I bought and how to install it, you know, that's a lot different, because it's specifically geared towards my purchase and what I need to do, and if I consented to that, that's fine. But it can't just be general marketing predicated on purchasing a product. Now, if people want to sign up for an email marketing list on the side, you know, and they're like, great, I purchased this product and this product is awesome, I want to know more about what these people are talking about, and I'd like to sign up to their email list, that's great. But they shouldn't be forced to sign up for an email marketing list just by the nature of purchasing a product.
Now, if this offer (and this is Beth's next question, which is next in the order here) is a lead magnet, like we're giving away something in exchange for your email address and signing up to our list, which is actually the first level of her Academy that she's talking about, do those rules still apply? Or is it just for the purchase?
Yeah, so it would. The rules there are a little bit different, but you would still want to get somebody's consent. When somebody submits their information to a lead magnet, usually they're just submitting that information to get the lead magnet. So let's say I have a lead magnet that says "Small Business Guide to Privacy," right? When somebody signs up, they don't usually know that this is a lead magnet. Like, between us, we've all heard of lead magnets; everybody has them. But your regular consumers, when they see "okay, download the Small Business Guide to Privacy," I'm thinking in my mind that all I'm doing is submitting my information to download that guide. I don't think that I'm actually going to be signed up to this whole list of emails that I'm going to receive. That's not something that consumers normally expect. I know we expect it, but normally consumers don't. But, you know, if a consumer says, okay, great, I'm gonna submit my information, but I also want to consent to receive other marketing emails, they can consent to that, and then you can send them other marketing emails. But if they consented just to receiving the lead magnet, then they should receive just the lead magnet without any follow-ups.
I would also just say, you're in marketing: figure out a clever way to word this so that people are pumped to receive more things from you. Like, don't let privacy be this thing of, oh, I have to respect people's privacy now, I can't run my business correctly. No, you figure out a way to word it correctly and inspire people to want to get more from you. Those people are going to be more activated, more interested in your brand and what you have to offer.
Yeah, I mean, you know, I know that we're all calling those things lead magnets, and that's what makes sense to us. But they're not necessarily lead magnets to the general public. Like, I'm just downloading a resource. I'm not getting anything else; I'm not expecting to get anything else. But if you want them to expect to get something else, then have them consent to marketing.
Just take a big breath, you'll be fine. You're good at marketing; you'll know how to word this right. It's just
getting appropriate consent and telling people what you're gonna do.
So, just so I understand this correctly: lead magnets, and again, that's jargon in our world for, here's the thing, you sign up for it, you get put on a list, there's a sequence, right? I mean, this is widespread. Thousands of companies are doing this. Is what you're saying that they're doing this wrong? Is everybody doing this wrong?
So it depends on the privacy laws that apply to you. But if the privacy laws that apply to you require specific consent, and you're not getting that specific consent and you're sending people emails without their consent, then yeah, you're doing it incorrectly. I mean, it's literally just another checkbox: "I agree to the privacy policy," and then, or you can have them agree to the privacy policy, or have them say, like, "Yeah, I agree to the privacy policy, and please sign me up to your email marketing list." That's it.
Yeah. So, again, the caveat to all of this is: to which privacy laws are you constrained? Yeah. And understanding that, right, so
Exactly. So if I don't have any privacy laws that apply to me, I can do whatever I
I would prepare yourself to understand that that is a dying industry. That's a dying concept. Yeah. If you're going to try to circumvent privacy laws, all I have to say is just know that there's going to be an end date with that kind of model, because more privacy laws are coming. I think it's a much healthier, longer-lasting strategy to sit back, take this in, and realize, okay, how do I... it sounds like there's some stress in this chat here a little bit, like, how do I take what I currently have and just add that lens, add that privacy layer that ensures that people know what they're signing up to? Because, you know, I personally don't like gotcha stuff. I don't want to sign up for something and then, gotcha, now I'm gonna start hitting you with this. Like, people love that. You know, all it is out here is just having them agree and understand that that stuff's coming. And like, what a great thing.
Yeah, I mean, it's kind of like buying a car. You buy a new car and then you open the door and there's a snake inside. Well, suddenly some people are gonna be like, great, free snakes, awesome, this is great. But other people are like, man, I wish I would have known about this. You know what I mean? I'd be pumped. Yeah, I would not be; I'd be really upset.
So just a thought here, right? I also know what a lead magnet is and what people are after, but I will often not sign up for those things because I know what's going to happen on the other end of this and I don't want that. So what if, just thinking blue sky here, what if your lead magnet had all the pitch you were going to give in that stupid eight-email sequence that nobody ever reads anyway? They're just going to swipe it out of their inbox. What if you just put your pitch in the thing that they're going to download the first time? That solves all of this issue,
or like your lead magnet is an eight-week program where you're gonna get emails telling you all about these great things.
Yeah. Nathan, if you're not signing up to lead magnets because you're gonna get other emails, how great would it be if it said "don't sign me up for marketing emails"? Then you would still get the lead magnet, and maybe you would contact the business yourself, saying, hey, I'm interested in your service.
Yeah, exactly. So, right, I think my mind is changing about a lot of this. I never liked lead magnets to begin with, but that's a whole other story. Okay, moving right along here. Sue has a question: how do you turn off a third-party plugin cookie? Like, for most of us, I think, who are on this call, we are assemblers. We put together things in plugins, we solve a problem, we build a website that does the thing that the client wants, right? I don't know what cookies the plugins are setting. I don't know what's going on there, and I've been doing this forever. I don't know exactly, right? So when we talk about, okay, I have to opt out of all non-essential plugins, how do we do that?
Yeah. So, you know, I think the perfect word to use is: we're assemblers. That's what I was when I ran my agency. I took things that were already invented, and I helped drive down the cost versus having it hand-coded. And, you know, I don't think anyone, I mean, very few agencies are dealing with clients where it would make financial sense to build out a consent solution that custom-manages all this stuff. I mean, it can be done, of course, but it's an expensive custom endeavor. That is why there are so many out-of-the-box cookie consent providers out there. Proper ones will already have a database of all those third-party cookies and all that stuff, and will scan your site, identify those cookies, and you embed the script at the top of your header, and that controls all the cookies below it. It's really that simple from there on out. So really, don't think you have to reinvent the wheel, people. There are people dedicated to ensuring that they have the most comprehensive consent generators, consent platforms out there. Leverage their technology and just assemble it onto the website.
Yeah, I would say, before you're signing up for the cookie consent tool, I believe Usercentrics has a free cookie scanner. You can just search for that online, and then you basically put in the URL of the website and it scans it and lets you know what all the cookies are in there. And that's the time at which I would take the time to say, okay, so we have the Facebook pixel on the website; my client has never advertised using Facebook and never will, so let's just remove that. You know, that'd be a great way to do it without actually having to necessarily sign up to
A lot of you who've been partners with us for a long time, you probably remember me talking about Cookiebot back in the day. I always would recommend Cookiebot. Cookiebot was bought out by Usercentrics, hence what brought us to Usercentrics, why we got to talk with them. So just a little footnote there.
Interesting. Okay, so just to make things perfectly clear, the cookie solution that Termageddon provides, which comes from Usercentrics, you said, right? EU-based Usercentrics. Yep. Yeah. So that will do what you just talked about: it'll look at the website, see what cookies are being loaded, and prevent those from being loaded unless people opt in?
Yep, exactly. As long as you embed the code correctly.
We're not special in that sense. There are many comprehensive consent solutions out there. But yes, that's exactly how we work. Yeah,
But the helpfulness of the Termageddon solution is that, because of all these questions we've already answered, it's going to present the correct cookie banner to people.
Yes. So first of all, it's going to tell you if you need one or not, and then it's going to present the right one based on the privacy laws that apply to you. So
Yeah, cool. Yeah, that's one thing that we try not to over-harp on, but it's a pretty big deal. It is a big deal that a consent tool will help you figure out which laws you need to make disclosures for, because what's the point of a current privacy policy if you're missing disclosures? Like, I just don't get that. So, yeah, sorry, I don't mean to be too passionate.
No, no, that's really helpful. Okay, next question from Sue. Do you usually set tools like Gravity Forms, for your form plugin, to never keep entries on the website? How do you handle that?
Good question. So, personally, I like storing Gravity Forms submissions in the backend of my WordPress website and just acknowledging in my privacy policy that my third-party web developer may be able to see that data. The reason why I like storing them in the backend of the website is because, let's be real, sometimes once those form submissions are submitted, it doesn't trigger, it doesn't arrive in the website owner's inbox. So I like having a backup in my WordPress website, just in case the client didn't receive the lead. And in all, it's just a matter of disclosing that fact. So yeah, for the record, I like storing form entries in the backend of my website, as well as sharing that data with my email service provider to also receive the lead in real time.
And Stacey just mentioned that that's not good for Gravity Forms, but I'll tell you, if you're trying to meet HIPAA, it's not good for HIPAA. Yeah, you shouldn't be using Gravity Forms if you have to meet HIPAA compliance.
HIPAA is a whole different ballgame. That's protected health information. That's a whole different class of
Yeah, yeah, you should avoid HIPAA as much as possible. We get clients asking us about HIPAA; I don't want to touch it with a ten-foot pole, and neither does any attorney that I know. My best advice for HIPAA is to get a third-party portal that is compliant with HIPAA to collect all that PHI and put it on them. Well,
My other recommendation is, if you are building websites for physicians or things like that, just ensure that they have a third-party patient portal where patients submit their data. Oh, does that mean?
Sorry, I thought he did. It's in the transcript. No. All right. Okay, so John has a question about passkeys. And John, I'm going to just jump into this question. I think the nature of your question is, you know, what about my biometric information being passed? The nature of passkeys keeps that information on your device; it never leaves your device. So that's not an issue with this. And I would just invite you: in a couple of weeks, we'll have a webinar here with Timothy Jacobs, the lead developer of iThemes Security, and we're going to talk all through passkeys again. It's not on the calendar yet, but it will be by next week. It's coming up in a couple of weeks. All right, Beth Livingston: is it okay if you don't activate the submit button until the consent checkbox is ticked? In other words, you can't submit unless you've agreed?
Yeah, that's usually how those are set up. Okay, so
That's fine. Yeah. Okay, good. Ben says: I finally changed my opinion and understand about a cookie consent tool now. Thank you. Cool. However, do you think having the whole of the web with cookie consent notifications is a bad user experience, despite privacy being well respected?
Yeah. So this is actually a really interesting conversation, because when they initially wrote the law, like, when you think about it in a hypothetical scenario, it makes perfect sense, right? You need to consent to these cookies for them to be on your device; you're not going to be tracked unless you want to be tracked. But the way that everyone implemented it, it just became an absolute nightmare. So what the legislators are saying now is that a lot of people are getting fatigued from these notices. They see them all the time, they see them everywhere. So now everybody's just clicking Accept or clicking Reject, not looking at it and not actually understanding what's happening. So that's a really big problem. And I think what future privacy laws are going to do to solve it is that they are going to have a universal opt-out mechanism. So, like, Do Not Track came about in, like, the 90s. Yeah, like, late 90s, where basically it was a setting on your browser, where no one could track you if you had that setting. Well, the law was never enforced initially, so nobody really paid any attention to it. The law didn't say that you had to respect it. It just said that your privacy policy needs to say how you respond to it, not necessarily that you need to actually respond. So I think what we're going to see in the future, instead of these cookie consent banners, is more of a universal opt-out mechanism, where somebody sets Do Not Track on their browser, and every website is required to abide by that Do Not Track. And, you know, maybe it'll be called something else, maybe the technology will work differently, but I think that's what we're going to see in the future, because, yes, a lot of people are getting that fatigue where they don't actually pay attention to it anymore.
Well, let's be real here. A cookie consent banner is not required by law. What's required is collecting consent prior to putting non-essential cookies on a browser. So maybe, you know, the only reason why banners are so popular is because right when you visit a website, that's when you want to understand how people are using your website; that's why people are putting those banners right up front. But you don't have to, if you're not putting cookies on until they maybe hit page three. You can do that. You just have to get consent prior to putting those on. Or
Maybe we'll see a lot more companies go into cookieless tracking. That's been in the works for many years, but it always just keeps on getting pushed back, so they haven't been able to fully figure it out yet. But it's something that's coming around soon, I think.
That's good stuff. All right, question from Stacey. If a site provides location services using Google Maps, in this case a pharmacy locator where the service is provided, then isn't that essential? Like, in order to use this page, this locator, we must load this API; the page is of no use if the location can't be provided.
Yeah. So that depends, right? Whether a cookie is essential or not ends up being up to the website owner a lot of times. So I think if you want to classify that cookie as essential, you would have to have a good explanation written down somewhere that you could use as evidence, in case it is ever brought up. But usually essential cookies are ones without which the website itself would not be operational, not necessarily a particular feature. So I would probably see this more as a functional cookie. But if the business owner has a good document and reason, and an actual assessment as to why they believe it's an essential cookie, that might help them get through it.
Yeah, that's a fair call. You know, the cool thing with proper consent solutions that do the scan is, if the scanner didn't pick up the fact that you have a store locator where you're collecting geolocation information, when you go to that page it will say, hey, you need to add this to your list of cookies. So then you just add it and click Submit, and boom. Now, if users deny all cookies but then go to the store locator, they'll get a prompt within the embed saying, hey, is it cool to accept, to use this feature? And you just click Accept, and boom, it starts working. So yeah, I personally think it is proper consent solutions that are going to help users understand, because I think it's the bad consent solutions that are causing the confusion. The proper consent solutions are going to help ensure that people understand, like, oh, I can't see this YouTube video, I have to accept first before I watch it. I think people will figure out the true power of consent solutions if people start using
Yeah, I think also something to look up as well: the Information Commissioner's Office of the United Kingdom, ico.org.co.uk, I believe, or ico.co.uk, any of those. I believe they have a list of factors that you can go through to see how to classify those cookies. So that might be something to look into as well. Interesting. People will do this right after this call.
Matthews calm
With the proper words you can get out of anything. That's why attorneys are around, right?
I have a picture saved on my phone of a billboard for an attorney advertisement. I don't know if this person actually practices law or if they still have their license, but it said, "Just because you did it doesn't mean you're guilty."
Oh, I have heard about this. Yeah,
Like a criminal defense attorney.
Horrible, horrible. But you know, one thing that would help you, your biggest takeaway, is that with proper words and a reasonable effort towards privacy, you can get out of
Yes. Okay. Earlier you said, Beth is asking, that you can get dinged for dark patterns. What does "dinged" mean, actually?
Yeah, so that's where you could get into issues with privacy regulators or the Federal Trade Commission, so anybody that governs dark patterns. When it comes to dark patterns and privacy, that would be the regulators that enforce the particular law that you're in violation of that prohibits dark patterns. For privacy, or with the rest of the business, that would be the Federal Trade Commission, which can issue fines.
Yeah, there's an example that comes to mind. I believe it's an eyelash company that had dark patterns for their cookie consent solution, and they got fined millions of dollars. Millions of dollars.
Well, actually, Sephora, yeah, millions of dollars as well, because it did not provide consumers with an adequate explanation as to whether or not their information was being sold, and did not provide a way for consumers to opt out of sales of information.
Okay, good question here from Sue. Do you think a federal privacy law that states can add little policies to is a good or bad thing?
It'd be very nice for me. It'd save me so much time and so much effort and so much trouble if we just had one set of rules. But, you know, let's say we were to have a federal privacy law, which is a huge ask. I don't know if that's going to happen anytime soon. It seems like everybody in the privacy community is holding their breath and crossing their fingers that it does happen soon, but we don't think it will. But you'd still have other countries, so you'd still have that interaction between your privacy law and the privacy laws of other countries as well. And you also run into issues with states, right? So if California has a really robust privacy law and provides a lot of privacy rights but the federal law doesn't, obviously California would oppose that, because they don't want to weaken the protections that consumers have. But really, you know, I've been saying this for years: you should have one law that's split into two parts. Part one is for large businesses that collect a lot of PII and make a lot of money, and part two is for small businesses that don't collect a lot of PII and don't have a lot of money, where, you know, maybe small businesses just have the notice. They are just required to tell consumers what they do with that information, versus the big businesses need to have the cookie consent and all of that other stuff. But unfortunately, not a lot of people are listening to me on this point.
I will say I, too, would just love a federal privacy law. I think Donato's concerns are very valid. I like the idea of a federal law to slow down other states from having to implement their own versions. That's why I kind of appeal to it. But unfortunately, it's not promising from, like, what didn't Odyssey
At least this year it definitely won't happen. You know, maybe next year or the year after that we'll see something. Something more interesting.
Okay. I saved my favorite question for last. This is from Ben: don't you get a warning before you get a big fine? Can't you just implement things then? I love that question.
So some privacy laws do include a right to cure. Some of them that have recently been passed include six months where you have a right to cure. So let's say you're in violation of the law. Within the first six months, the regulator contacts you and says, hey, you're not compliant, you fix this particular issue or we're going to give you a fine. Great, and then you fix that issue and you're not getting fined. But most privacy laws don't have that right to cure. So there is no right to say, okay, I got a warning, so I'm going to fix it and then it'll all be fine. No, usually the fine is just issued. But what I can tell you is that there are ways to prevent being fined, and there are two places where we see fines come through the most for privacy in particular. So for security, most fines come from data breaches, but for privacy in particular, it's not responding to consumer requests to exercise their privacy rights. So somebody asks you to delete their data and you never respond to them, or you're, you know, not doing what you're supposed to be doing; or two, not providing adequate information and adequate choice to consumers. Those two things are where you'll see most of the privacy violations happen. That's where you'll see most of the fines. So if you do want to circumvent the fines and beat the system, that's what I would do.
Very good. All right. That's all the questions. Look at that, straight up three o'clock. We couldn't do that any better. Very good. Very good. So wrap us up here; give us a few takeaways as we're closing down.
Yeah. So I think my main takeaway for everyone is that privacy requirements are a thing. It's a thing that's not going away. It's a thing that's confusing, but there are certain steps that you can take to put yourself lower on that enforcement totem pole. And that's really where I would start.
I would say it is this: you, as a web agency owner, have an opportunity to be a thought leader in the space and be able to say to your clients, look, I'm not an attorney, but I do see this becoming a bigger deal. I think you should take privacy seriously. I think you should look into this. And let the client make the decision whether they want to comply with laws or not. Offer them the ability to go to their attorney and draft policies, offer them an affordable alternative like a generator, and then offer them the ability to consent, saying, I understand, I still don't want policies. They're business owners; they get to make those decisions. You have the wonderful opportunity of providing insights so that they can try to make the best decisions they can for the business.
Yeah, protect yourself first. Yeah, for sure. Yeah.
Yeah. Yeah, that is a great takeaway. And the waiver that we dropped, again, the links are in the chat, and if you're watching this on the replay, it's one of the blue buttons to download that waiver. You should have all your clients sign it, just to make sure that you don't find yourself responsible as a web provider when the client says, oh, you didn't inform me, it was your duty, blah, blah, blah, you know. Or this can be integrated into your contract. And by the way, I've talked to Hans and Donato about this: we're going to be integrating that language, or something very, very similar, into Monster contracts to keep everybody covered on that as well.
License and that in our terms of service.
Yeah, it's awesome. So yeah, this has been great. Some of the highest praise was just given in the chat: this was not only informative but fun. Okay, y'all made privacy fun. We should give you a plaque or something, honestly.
I am honored. It means the world to us. We were like, four hours, man, I don't think anyone will be watching this. So thank you. Thank you all.
Very good. All right, folks. Thanks for hanging out with us the last couple of days. It's been really good. I've learned a ton. We're back for office hours tomorrow, one o'clock Central, as usual. Until then, have a great rest of the evening. We'll see you back here next time on iThemes Training, where we go further together. Thank you so much.