Episode 399


Keeping up with data protection and privacy laws is exhausting. Nearly every month, new legislation is introduced state by state to help keep users’ data protected online. And while this is a good thing overall, it can get really messy if agency owners aren’t educated about it and aren’t informing their clients about what it means when they build out their websites.

Luckily, our guest today, Hans Skillrud, has collaborated with his wife to create an easy, self-updating tool that agency owners can implement on their own websites and the sites they build for their clients. He has committed himself to ensuring that data protection tools and documentation are easily accessible for anyone without needing a legal degree to make sense of it all.

In this episode, you’ll learn why you must educate yourself and your clients on the most current privacy policy and data protection laws, why not to cut corners in this department, and why you should never collect more data than you actually need.

Even if it doesn’t seem like a big deal right now, with the constantly changing environment of privacy laws, you never know when you could end up in a mess, even five years later. Don’t delay on this, and get your documentation in check today.

A big thank you to our podcast’s presenting sponsor, White Label IQ. They’re an amazing resource for agencies who want to outsource their design, dev, or PPC work at wholesale prices. Check out their special offer (10 free hours!) for podcast listeners here.


What You Will Learn in This Episode:

  • What is Termageddon?
  • What agencies are required to provide to their clients in terms of documentation
  • The risks for smaller businesses and agencies for not practicing good data protection
  • Why agencies should embrace data protection policies, even if it seems complicated
  • Can ChatGPT write our policies for us?
  • Why copying and pasting someone else’s policies is a bad idea
  • How data protection lawsuits happen
  • How the Termageddon team keeps up with constantly changing data protection laws
  • The confusing future of privacy law
  • Three best data protection practices for agencies and website builders

“I think that the era is changing, and having proper policies in place is a good way to avoid fines or lawsuits and respect your website.” @DeepSpaceHans
“I'm a big advocate for not feeling like you have to have a law degree just to tell your clients you think website policies are important.” @DeepSpaceHans
“When it comes down to it, it’s the website owner that's responsible for complying with applicable laws.” @DeepSpaceHans
“Noncompliance fines start at $2,500 per website visitor whose rights you've infringed upon.” @DeepSpaceHans
“The real question is not, how do I get a privacy policy as fast as possible? It's, how do I get a privacy policy that's compliant and comprehensive, so I'm not getting fined or sued?” @DeepSpaceHans

Ways to contact Hans:

Resources:

Speaker 1:

If you’re going to take the risk of running an agency, shouldn’t you get the benefits too? Welcome to Agency Management Institute’s Build A Better Agency podcast, presented by White Label IQ.

Tune in every week for insights on how small to mid-size agencies are surviving and thriving in today’s market. We’ll show you how to make more money and keep more of what you make. We want to help you build an agency that is sustainable, scalable, and if you want, down the road, sellable. With 25-plus years of experience as both an agency owner and agency consultant, please welcome your host, Drew McLellan.

Drew McLellan:

Hey, everybody, Drew McLellan here from Agency Management Institute, back with another episode of Build A Better Agency. And we are going to talk about all things legal and privacy policy, and cookie, and all the things that we have to think about on websites and really have a fascinating guest that I’m excited to introduce you to.

But before I do that, I do want to remind you that we have created a Facebook group specifically for you, people who listen to the podcast. You don’t need to be a member, you don’t have to have ever given us a dollar. Just head over to Facebook and search for Build A Better Agency podcast, and it’ll show up with the Facebook group. And you have to answer three simple questions. Do you work at an agency? And what is the URL? So, you have to give us the URL, because we’re going to verify that it’s a legit agency. What do you want to get out of the group? What do you want to learn? How do you want to grow? And the third one is, will you be nice? Will you follow the rules?

Lots of interesting conversations going on there. Everything from project management tools, to bonus programs, to commissions for employees and all kinds of fascinating conversations happening, that you are all generating, that you’re all participating in. We jump into the conversations as well. So, it’s just a really robust place to be if you want to connect with other people who understand your world, who are walking in your shoes, and who are really, really ready and generous in terms of being ready to help you and answer your questions. So, head over there, join us, join in the conversation. We would love to have you.

All right. So, my guest today is a gentleman named Hans Skillrud. So, Hans used to own an agency and then married an attorney who specialized in privacy policies and law, and they created a product called Termageddon. And basically it’s code that you put on a website, that constantly updates with all of the world’s privacy policies and other things.

So, I’m going to ask him all about it. We’re going to find out how they get their data, how they keep it current, but more importantly, what we need to be thinking about as agency owners, whether we use their tool or not, in terms of protecting ourselves and our clients. So, with that, I have lots of questions because this is an ever evolving field. I mean, really when you think about it, we didn’t worry that much about privacy policies not that long ago. We might have had one for a client, but it was a template. We probably had built it 10 years before and it was fine.

But then as the world started changing and as the internet started being more sophisticated in terms of the information that it could and does gather, and the more we use websites as that workhorse of a tool for our clients, all of these things came together and there was this big privacy concern, and as we know, all kinds of privacy laws cropping up all over the world. So, the question is, how do we protect ourselves, protect our clients, and do the right thing? And so, that’s the topic for today, and I think Hans has the answer. All right, without further ado, welcome to the podcast. Thanks for joining us.

Hans Skillrud:

Thanks for having me, Drew.

Drew McLellan:

So, give everybody a little bit of your background, starting with your former life as an agency owner and how you came to be doing the work that you’re doing now. And then, I want to dig into all of the nuances of, how do we protect ourselves and our clients when we’re producing digital assets and websites and landing pages in today’s constantly changing legal environment?

Hans Skillrud:

Yeah. It really is changing. And I’d be happy to. So, my name is Hans Skillrud. I’m the co-founder of Termageddon. Termageddon is a website policies generator, but where I started in agency life was running my own agency. So, I started a web development agency in 2012. I built it up to a 12 person team. And in 2019, I ended up marrying a privacy attorney. We ended up building out Termageddon, and as difficult as it was, I made the decision to sell my agency, to go full-time Termageddon. So, a lot to speak on the agency front, of course.

Drew McLellan:

Right.

Hans Skillrud:

And I know everyone is listening to us, but I’ve lost a lot of hair figuring out proper ways to run an agency, but marrying a privacy attorney, running Termageddon, that company really took off. And yeah, now I focus exclusively on that. So, Termageddon is website policies and it’s really built for agencies and their clients.

Drew McLellan:

I was going to say, you really took your experience of being an agency owner, recognized an ongoing challenge, which we’re going to spend our time this hour talking about. And then you and your wife built a product, in essence, a service. It’s really a software as a service product, that allows people to resolve the problem, right?

Hans Skillrud:

That’s right. Yeah. She was charging five figures for complex privacy policies with her law firm practice that she was running. My clients were not interested in paying those types of fees, let alone the ongoing fees for maintenance and monitoring of privacy laws. And my clients would always ask me, “Can you just copy a privacy policy from one of our competitor’s sites?” Which felt unprofessional and very uncomfortable doing it.

Drew McLellan:

But a lot of people do it.

Hans Skillrud:

Yeah, a lot of people do it. And I think we got by for a little while, but I think that the era is changing and having proper policies in place is a good way to avoid fines or lawsuits and respect your website visitors’ privacy rights. And we just felt like there was some middle ground between copying and pasting a legal document from someone else and paying 25 grand for a privacy policy. And there lies why we created Termageddon.

Drew McLellan:

And just really briefly, before we dig into the issue of privacy policies on websites and all of the crazy things that have happened in the last few years that make this such a hot topic. So, with Termageddon, the way it works is, I subscribe in essence to language that as laws and things change, the language automatically changes, right?

Hans Skillrud:

Yeah, that’s right. So, at Termageddon, we give web agencies a free set of our policies forever, via our agency partners program. We do that in the hopes that they’re willing to take the time to get comprehensive policies for their own business and if they like what they see, they can refer or resell our solution to their clients.

And what’s key and fundamental about Termageddon, is that our tool helps you figure out what laws apply to you. And then our questionnaire adapts and asks you the necessary questions to make the disclosures required under the specific laws and disclosure requirements you’re specifically required to make. And then you copy and paste our embed code into your body of your policy pages and that’s what allows us to push updates when new disclosures become required.

An excellent example being that in three months from the time of this recording, we have four more privacy laws going into effect with new disclosure. So, we’ve already updated our customers and taken care of that months ago.

Drew McLellan:

Yeah, it’s crazy. So, I think there’s a lot of confusion around privacy policies, terms of service, cookie policies, consent forms. So, just give us the lay of the land of what all as agencies, assuming both for ourselves and more important, as we build out some sort of web or digital presence for clients, what do we need to be thinking about making sure we provide, what’s required, why do we have to do it and what are the risks of not doing it?

Hans Skillrud:

Yeah, no, that’s an excellent question. So, I’m struggling between, do I define the policies and what each policy is about? Or, do I go into explaining what agencies need to take into consideration? I’ll start with definitions.

Drew McLellan:

Okay.

Hans Skillrud:

Oh, you know what? My wife’s alarm bells are going off internally now in my head. Please note, this is not legal advice, Termageddon is not providing legal services today, nor am I. It’s for informational purposes only.

Drew McLellan:

Do you have to cross yourself or anything when you say that?

Hans Skillrud:

I might as well. I say it about 50 times a day at this point.

Drew McLellan:

I’m sure.

Hans Skillrud:

So, a privacy policy is a document that exists to comply with laws, and it is to explain to your website visitors what personal information your website’s collecting, what you’re doing with that information, who you may be sharing it with, and a series of other disclosures regarding your privacy practices.

So, privacy policies exist to comply with privacy laws by stating your privacy practices. A terms of service otherwise known as the terms and conditions, or terms. Those are all interchangeable words. They all are one document to explain the rules to using a website. So, I like a terms of service for virtually any website in this day and age, because you can have little disclosures in there, like, “We offer links to third-party websites. We’re not responsible when you click those links.” That little disclosure can help prevent a lawsuit.

And a terms and conditions statement is just a series of those types of disclosures. A terms is also needed for e-commerce websites to abide by consumer protection laws. But when it’s all said and done, privacy policy is to comply with privacy laws, terms is to limit your liability as a website owner by explaining the rules to using the website.

There’s also cookie policies and cookie consent solutions. Those are required under some but not all privacy laws. And they’re an extension of a privacy policy as it relates to the use of non-essential cookies. And a disclaimer is a way to further limit your liability if you’re in a unique business where you’re offering health products like diet pills or nutrition supplements, or offering anything that could be seen as legal advice, or health advice, or fitness tips, or participate in affiliate programs. So, disclaimers help you further limit your liability when you have a unique offering for your website, where you need to make a disclaimer.

So, these policies, we just defined them, and hopefully that’s a good takeaway for people listening, because I didn’t really understand why each of them existed, but they have very specific purposes. And I think the big thing to agency owners is that learning the fact that when you’re building a website that includes a contact form, where you’re asking people to submit their name and email, you’re building something for a client where they may be now collecting regulated data. Privacy laws are protecting and regulating the collection of names, emails, phone numbers, IP addresses, device information, anything that can be used to identify an individual. So, that’s when alarm bells should be going off that like, “Hey, probably best to educate my client about this stuff because they may now be required to comply with multiple laws from the website I just built them.”

And I can go on. I really don’t want this to be a plug because I genuinely believe that this is just a discussion agencies need to start having with their clients. What I’m a big advocate for is not feeling like you have to have a law degree just to tell your clients, “I think website policies are important.” So, we offer a free waiver over at Termageddon. You don’t even have to become a customer of ours. It’s a free website policies waiver, which is, you’re welcome to use it however you wish, but it can educate clients on what website policies are and let the client sign off acknowledging what they want to do about it. They can hire their attorney, they can use a tool like Termageddon, or they can choose to do nothing. And that’s what I’m saying-

Drew McLellan:

I was just going to ask you, who’s responsible? So, the waiver is a great way of saying, you need to document what the client decided to do. So, we’ve had some agencies that have built websites, that even had some sort of a waiver in place, and three, four, five years later somebody’s coming back to sue them. So, it’s either accessibility or it’s a privacy thing or whatever. And if they didn’t have the paperwork, the agency was going to be on the hook at the very minimum to fix the problem, let alone there may be legal ramifications as well.

Hans Skillrud:

That’s right. And when it comes down to it, it is the website owner that’s responsible for complying with applicable laws. There is an asterisk there though to that statement, which is, unless you have a contract with the client, where your web services contract states, “I’m going to build you a website compliant with all laws, or X, Y, Z laws.” I personally would not recommend that unless you’re charging like seven figures or more for websites.

Drew McLellan:

Right.

Hans Skillrud:

And even then, I’d be very cautious. So, number one, make sure your contracts don’t offer something that you’re not guaranteeing.

Drew McLellan:

Right.

Hans Skillrud:

Because by default it is the website owner responsible for complying with laws, but the reality is, we’re the ones in the space, we’re the ones seeing all this privacy become a bigger deal. So, that’s why I like the waiver, which just lays the land out and just sets the facts for what it is. “Hey, I’m not responsible for your compliance. Please sign this waiver acknowledging where I told you that and let me know what you want to do.”

And you can give them the option to choose to do nothing. That’s their decision if they want to comply with laws or not. But I really feel like having documentation in place is just such an easy way to get that doc, just to protect your agency while providing that education to clients.

Drew McLellan:

Well, and it really is, if nothing else, a conversation we have to have. And back in the day this was very different, but now with all of the laws, not only US-based laws, but international laws, a lot of people will say, “Well, my clients are small local businesses, so I don’t have to worry about this.” It doesn’t matter. Correct me if I’m wrong, but anyone from anywhere in the world can go to your website, therefore, you have to be compliant with some of these rules.

Hans Skillrud:

Yeah. Drew, you have the right mindset, which is that privacy laws, for the most part, there are some privacy laws that are for bigger businesses, but for the most part, privacy laws start applying to a website owner the moment they collect a single piece of personal information from a resident of a particular state, country, or territory. And a lot of people think, “Oh, well, small businesses don’t get hit with this stuff.” And unfortunately that’s a misconception, and I think it’s because the news covers Meta or Google getting fined billions of dollars, that makes the headlines.

Drew McLellan:

Right. Right. Right.

Hans Skillrud:

But what doesn’t get discussed are one-person marketing companies getting fined 50,000 euros for changing the email address of one of their subscribers without their consent. So, there’s actually a website for this too, enforcementtracker.com that tracks GDPR, which protects residents of the EU and the EEA. Enforcementtracker.com is an excellent resource to validate what I’m saying here, which is, sure there’s big companies getting fined, but there are absolutely one business companies getting just absolutely rocked as well. Yeah, so hopefully that answers that question.

Drew McLellan:

Let’s talk about the risks. If I scrape somebody else’s policy off of their website, or I don’t have anything at all, or I just say to my client, “Look, we’re going to build it out, it’s a WordPress site, you can get on the backend and put whatever policy you want.” What are the risks to us? Tangibly, what kind of fines or consequences are being talked about on enforcementtracker.com or other places, businesses just like ours?

Hans Skillrud:

Sure. Yeah. So, non-compliance fines start, start at $2,500 per website visitor whose rights you’ve infringed upon. So, we mentioned I’m based in Chicago, if I was infringing on CPRA, California’s latest privacy law, which replaced CCPA, the fine would be $2,500 per website visitor from California whose rights I’ve infringed upon. So, if I had, I don’t know, 50, or let’s make it 100, just to make the numbers easier, but that’s like what? 250 grand. Or, is that 2.5 million?

Drew McLellan:

Yeah.

Hans Skillrud:

Yeah, 250 grand. And so, it shows how quickly things can add up. And so, I think it’s certainly a real risk. Not to mention there are privacy bills that are being proposed right now that have passed, they’re going to enable consumers of that state to sue any website owner located anywhere, just for missing the disclosures required under that particular privacy law, if your privacy policy doesn’t include it.

New York is a great example. New York has two bills out right now. If any one of them passes, any New Yorker will be able to sue any website owner for collecting as little as an email address on a contact form without proper New York privacy law disclosures. So, we saw accessibility lawsuits come out of New York originally, and now in privacy is just a few years behind, basically.

So, I personally think it’s only a matter of time until that happens. And I think that speaks to the concerns of copying other people’s legal documents. Outside of that being copyright infringement, which I don’t think any professional agency should be advising a customer to do, copying legal documents or using templates doesn’t answer the question of, “How do I update my privacy policy over time?”

Drew McLellan:

Right.

Hans Skillrud:

And that’s what’s so important to understand is, Drew and I were talking right before this recording, over the last week, Iowa passed a privacy law and now Montana and Tennessee have just passed the Senate and are likely to pass their own laws as well.

Every single privacy law, every single one doesn’t care about where your website’s located. Every single privacy law is there to protect people’s data. And it’s like, “If you’re collecting our people’s data, you need to comply with our laws.” And that’s a new concept for us. We have to have a strategy to keep policies up to date over time.

Drew McLellan:

Again, I’m thinking, if I build a brochureware site for a client or I build a landing page for a client, so there’s not a form and I’m not asking for a name or an email address, behind the scenes though, I’m still gathering data, right? The website itself is grabbing IP addresses and other things. So, it’s really, is there a website on the planet that is exempt from these privacy laws?

Hans Skillrud:

I think it’s technically possible to build a website that doesn’t collect any forms of personally identifiable information. Logging IPs though, seems like a fundamental part of how a website works. So, I don’t really know, but I’d like to think that, yeah, you don’t need a … What I can say is you don’t need a privacy policy if your website’s not collecting any personal information. I struggle to understand an example where that is the case, because even websites that don’t have contact forms could be collecting things like IP address behind the scenes, for not just analytics purposes, but for security purposes, for example.

Drew McLellan:

Right.

Hans Skillrud:

So, yeah. I mean, maybe blocking people from all states and countries that have a pr