Episode 207:

Many agency owners are struggling not only to understand laws like the CCPA and GDPR but, more importantly, to determine what their agency has to do to be compliant and avoid liability. What laws apply to your shop and your clients? What does compliant even mean in terms of practical do’s and don’ts? What is the chain of responsibility if clients make bad choices? What are mistakes we should avoid?

My guest Ruth Carter is an Arizona-based business, intellectual property, and internet attorney; a best-selling author who literally wrote the book on the legalities of blogging; has been living and breathing the new CA privacy law and works with agencies every day to help them manage the hype and interpret the laws accurately.

Ruth and I had a lively conversation about privacy laws and what they mean for agencies. Ruth is a wealth of legal and privacy information for agencies and a brilliant navigator for this tricky subject.

A big thank you to our podcast’s presenting sponsor, White Label IQ. They’re an amazing resource for agencies who want to outsource their design, dev or PPC work at wholesale prices. Check out their special offer (10 free hours!) for podcast listeners here: https://www.whitelabeliq.com/ami/

What You Will Learn in this Episode:

  • What determines which privacy laws an agency and our clients need to follow
  • How agencies can protect themselves if clients don’t follow privacy recommendations and get into legal trouble
  • Privacy disclaimers, policies, and declarations needed for an agency’s website
  • Whether your agency has to abide by the California Consumer Privacy Act (CCPA) and/or the General Data Protection Regulation (GDPR)
  • Privacy mistakes that get agencies into hot water
  • The importance of transparency when adding clients to your email list
  • Why most agencies can take a deep breath – they’re probably already complying with the law

The Golden Nuggets:

  • “Be aware of where your audience is and do your homework accordingly.” - @rbcarter
  • “If I'm an agency, I would say have a solid privacy policy and clear policies about what information you collect. How are you protected?” - @rbcarter
  • “If you already have integrity and transparency, you're probably most of the way there.” - @rbcarter
  • “I prefer that people be upfront and say, yes, you're adding me to your list, which is different than if you want to send me an email about the product or service I bought.” - @rbcarter
  • “Make sure you have proper security and be transparent about what you're doing, even if it's obvious what you're doing.” - @rbcarter



Speaker 1:

Welcome to the Agency Management Institute community, where you’ll learn how to grow and scale your business, attract and retain the best talent, make more money, and keep more of what you make. The Build a Better Agency podcast presented by White Label IQ is packed with insights on how small to mid-size agencies survive and thrive in today’s market, bringing his 25 plus years of experience as both an agency owner and agency consultant. Please welcome your host, Drew McLellan.

Drew McLellan:

Hey everybody, Drew McLellan here, with another episode of Build a Better Agency. This is going to be an episode that answers questions that have been sort of worrying. We are going to talk about all of the privacy laws, the GDPR, the new law that’s coming into law in California, and sort of all of that. What do we do? What kind of notices do we have to have on websites? How do we handle clients that don’t want to comply with these rules? What is our liability on that? So I met an attorney named Ruth Carter at last year’s Content Marketing World. And they are everything you wouldn’t picture a lawyer to be, that is Ruth. And they speak in common man language, they make things super easy to understand, and best of all they dive deeply into the topics of privacy law. Also literally wrote the book on the legalities of blogging and some of those other online activities that we do.

So a true expert in the field, somebody who focuses on it every day, all day. And so I knew that I wanted Ruth on the show so that I could dig deep into this topic because I know it’s something that’s keeping a lot of you up at night. That you’re worried about the liabilities, and I want to get some answers for you, so that’s why I invited Ruth to be on the show. Before I turn to Ruth and start peppering them with questions, a couple of reminders. First and foremost, if you have not gone to iTunes or Stitcher or any of those places and left us a review for the podcast, it would be awesome if you did. Take a screenshot, send it to me because I love poodles one, one, one. I don’t know who that is so oftentimes your usernames amuse me, but confuse me.

So if you could send me your screenshot, so I know it’s you then we’ll put you in the drawing. As you know we are giving away free workshops, either the online on demand course or one of our live workshops. Every month, we’re giving one of those away. So we’d love for you to be in the drawing for that. And also want to remind you of some workshops that we have coming up. Money matters, where we’d spend two days talking about financial metrics, why you’re not making money even though you’re super busy, do you really need to hire someone else? How can you get prospects and clients to buy the proposal at the right price that you think it really should be at?

We’re going to talk about tax strategy. We’re going to talk about what your agency needs to look like if you ever want to sell it. All kinds of money stuff, and we are going to dig into those October 16th and 17th in Orlando, Florida. And then we’ve got a pair of workshops that is really going to be awesome in January. So January 23rd and 24th is build and nurture your agency sales funnel. So we’re going to talk about how do you earn the attention of prospects that you want to know about the agency, and you want to begin to court.

Then what do you do for that period of time, be it a day or a decade, to keep them interested, and engaged and to make sure you stay relevant to them? So that on the day that their current agency ticks them off or they decide they’re not going to do it in-house anymore, or they need some help and they’re like, “I’ve got to call somebody.” You are who they think of and they pick up the phone or shoot you an email. So that workshop’s going to be all about that. Building and nurturing a sales funnel, and everyone is going to leave with a built-out sales funnel. We’re not going to just teach you how to do it in the workshop, you’re going to do it. Because otherwise I know you won’t go back to the shop and do it, so you’re going to just do it with us while we’re there coaching you all through the process.

So that’s the Thursday, Friday. Then the following Monday, Tuesday, Mercer Island Group will be with us, and they have done some amazing, I would call it sort of journeymen research. So they didn’t go out and interview a bunch of people. They just have gathered up data from all of the brands that they work with and all of the agencies they work with. And they’ve mapped out what a prospect’s buying journey looks like. They’ve identified the big milestones in that buying journey, and they’re going to show us how to win the prospect’s hearts and attention at each milestone. So that’s going to be fascinating.

Brand new content, brand new workshop, and that’s Monday, Tuesday January 27th and 28. So here’s a little suggestion I have for you. What if you came down, and you built out your sales funnel on Thursday and Friday, then you spent the weekend, Saturday and Sunday playing at Disney World and remember Star Wars will be open by then. Then you went to the workshop on Monday, Tuesday with Mercer Island Group. It’s just a suggestion, but I got to tell you, I think it’s a pretty good suggestion.

All right. That’s what’s going on in the AMI world, you know about the summit already. Hopefully you’ve got your ticket, but I want to talk about privacy and GDPR, and all the things where we could be in trouble and figuring out are we actually in trouble. And what we need to do to stay out of trouble. So with that, let’s talk to Ruth. All right. Ruth, welcome to the podcast. Thanks for joining us today.

Ruth Carter:

Thank you so much for having me.

Drew McLellan:

So this whole privacy thing is so confusing to agencies, and a lot of it is around I don’t think we know what we have to do, what we’re supposed to do. So let’s kind of break this down for folks, and if I am an agency of 13 people in a small market in the middle of the US, how much of this am I obligated to obey?

Ruth Carter:

So the answer to every legal question starts with it depends.

Drew McLellan:

Of course. Right?

Ruth Carter:

Of course. And of course I also have to come with a disclaimer that while I am a lawyer, being on your podcast does not create an attorney-client relationship with any listener. I’m merely providing information, not legal advice. So, which rules do people have to worry about? Well it actually, it doesn’t depend on who the agency is or who their clients are, it’s who their audience are that matters. Because the laws are based on the personal information of the people that the content is going to, or whose information that your clients, or your client’s clients are entrusted with dictate which laws apply to you.

Drew McLellan:

Okay. So let’s say I’m a small to mid-sized agency in the middle of the US, and my client is a bakery chain of five bakeries that are all in my zip code, but in theory. We have recipes, and we do cooking shows and all that. So is it just because anyone on the globe could access that data? I have nothing in place to say, “Sorry if you’re from the UK, you can’t come in.” Then am I obligated to know this stuff and live by it?

Ruth Carter:

Potentially, yes. So if you’re creating content or you have an email list and there are people on it that are not within your zip code let’s say, they’re in the EU then you have to be cognizant of the GDPR. Starting in January, if you do business with people from California, you’re going to have to worry about the California Consumer Privacy Act. I will start saying these laws properly, the California Consumer Privacy Act, CCPA, that goes into effect on January one.

Drew McLellan:

So, at the end of the day, and unless I’m going to gate all of my stuff, the reality is my best bet is to protect myself and my clients, yes?

Ruth Carter:

I think so. I can understand why some people do what I call GDPR lite. It’s people who want to comply with the European law, because they may have somebody on their email list who is from the European Union. But they don’t want to pay thousands of dollars a year to comply with all the elements like joining the EU-US Privacy Shield. But if you’re willing to do everything else and update your privacy policy, and comply with certain requests. I understand why people may not go full bore and comply completely, but comply substantially and just hope that they don’t get caught, don’t get investigated. If they do that, they just get a minor slap on the wrist.

Drew McLellan:

Yeah. So with California coming up with the CCPA, granted California is a world unto itself. But with them doing that if I have an agency in the States, is it safe to assume that sooner or later that this pattern is going to trickle through more States in the US?

Ruth Carter:

I think California passed this law to either inspire other States to follow suit, or to hope that the federal government would pass a nationwide law. Because it is complicated if every State has a separate privacy law that we have to follow. It’s just too complicated and there’s just the risk of conflicts and headaches for the rest of us. So that’s what I think is happening, but I will say California at least wrote this law so that a lot of people are exempt from it. But even if you are exempt from complying with the law completely, a lot of the things they require are things that companies should probably be doing anyway.

Drew McLellan:

Right. So a lot of our listeners are not in the US. So if I’m an agency in Australia or I guess the UK, obviously probably, or Asia or someplace else on the globe, how much of GDPR… So basically whatever you’re saying for the US-based agencies, is that the same recommendation if I’m an agency in Sydney, Australia, for example?

Ruth Carter:

Yes. I would be aware of the privacy laws that apply to your audience. So if you are in Australia, but you do a lot of business with Singapore, I would be aware of Singapore’s privacy law to see if anything that you need to add to your privacy policy or review. If you have EU clients, check their law. It is rather complicated to have to think about not just where you live, but where your audience is. And it might move, and it makes my brain explode. But yeah, I would say it’s not just where you live anymore that you have to be aware of, it’s where your audience is, or at least a bulk of your audience. I can understand that a company may not want to change everything just because they have… They’re in Australia and they have one person in Romania on their email list. I completely understand from a business perspective that they may not want to change everything for that, but they should be aware of the risks they’re taking when they make that decision.

Drew McLellan:

Yeah. So I want to come back to what the mother of the things that we absolutely must do regardless of size and all that. So I want to come back to that, but one of the challenges that I know a lot of my agencies are facing right now is that they’re making recommendations to their clients. Let’s say they are developing a website for a client, or they’re doing email marketing or whatever. They’re making recommendations to their clients that they comply with all of these rules, but there’s a cost associated with all of that. The clients are saying I don’t want to spend that money. So how does an agency, if the agency suggests it, and the client goes, “Nope, not doing it.” How does the agency protect itself so that if that client were to get into legal trouble, that trouble doesn’t splash onto the agency? What do we have to have in place, the documents that we tried and they said no?

Ruth Carter:

I think you hit the nail on the head, and it is about documentation. The way that you write your contracts with your client, and the scope of what are you actually being hired to do. If you’re being hired just to create the website, but not the terms of service, and not the privacy policy then that’s on the client to do that. If the agency wants to make recommendations about maybe who to use to get those drafted properly, that’s fine, or if the agency wants to have maybe some type of like cheat sheet prepared by a lawyer that said, “These are the recommendations that we have for your privacy policy, but how you run your business is up to you.” Because that’s the difference, is that you are the PR ad content creators. You are hired by the business. You are not the business. They have to make those decisions for themselves.

Drew McLellan:

Right. So do I need to have a client sign a document that says I provided them with this data. Either it’s on them to decide what to do, or we made recommendations and offered to do it, and they chose not. They chose the cheaper option. Do I need to document the conversation in essence?

Ruth Carter:

I think it depends on what you were hired to do. If you were hired to create their terms of service, and privacy policy, then I would have that in there. But if you have just been hired to create the website or content for them and not those documents, I would probably have it put in the contract that we were not hired to create terms of service, privacy policy. It is up to the client to take care of those things themselves. So, that way it’s crystal clear who was responsible for what.

Drew McLellan:

Okay. So same thing, client already has HubSpot or SharpSpring or some email marketing tool, Marketo, whatever it is. We get hired to write the content for it. Again, we would want to have a document in our scope of work that says, “Here’s the dotted line of where our responsibility ends. You didn’t ask us to do these things. You just asked us to do this bullet pointed list of items.”

Ruth Carter:

Yeah. It doesn’t necessarily even need to be a separate document. Just a provision within the contract. It’s like saying like, “You hired us to do X, Y, and Z. You did not hire us to do A, B and C.” And there may be other things in that list besides terms of service and privacy. There may be issues with like photos, or other content that you’re like, “No, we didn’t create it. We didn’t provide it. We’re not responsible for it.”

Drew McLellan:

Yeah. My guess is that most agencies, their contracts or scope of work list all this stuff they’re supposed to do, they probably in many cases haven’t done the due diligence of listing the stuff that they were not asked to do as sort of a CYA move, especially around as you said rights to photos and all of this privacy stuff.

Ruth Carter:

The good news for your audience is it’s really easy to add in a single provision to their contract templates.

Drew McLellan:

Right. So when it comes to our own websites, most agencies have sort of a sphere of influence, but many agencies are creating a lot of content, especially if they have a subject matter expertise in a vertical, or a niche, or an audience that would allow them to be interesting to people from all over the planet. So in that case, if I’m a 25 person agency, anywhere on the globe, what do I have to worry about for my own shop? What do I have to have there?

Ruth Carter:

So are we talking about the content that the company is creating for themselves, or the content they’re creating for their clients?

Drew McLellan:

I’m creating this for my… So my agency website, what kind of privacy, or disclaimers, or declarations do I need to have for my company’s website when I am using it as a biz dev kind of an attraction tool. So I don’t want to say, “Well, I don’t want people from Australia to come or whatever it may be.”

Ruth Carter:

Right. So I would take a look at who your audience is, look at your email list. If you can even tell where they’re from.

Drew McLellan:

Right. That’s part of the problem, right?

Ruth Carter:

It is the problem. So, I tell people unless you know otherwise assume that everybody is from everywhere. I know with when GDPR came out I put something throughout in my email list that said, “GDPR goes into effect. Consent to stay on the list, otherwise I am dropping you.” And I dumped two thirds of my list. So that way everybody who’s on my list reconsented to stay on. So there are certain disclaimers you have to give under GDPR that I think the easiest way to do those is either in your privacy policy or in the double opt-in email when people add themselves to your list. I definitely tell people do not add people to your list without their consent. I recommend actually that companies don’t add people to their lists, that let the audience add themselves. If you’re that good, they will want to be on your list. I know company that that’s how they operate. And then be thoughtful about what information you are collecting from people. Only ask for what you need, which if you’re just having a simple email list, it may only be like names and email addresses.

Maybe even only just email addresses. You don’t need to ask for a mother’s maiden name, social security card, first pet’s name, things like that. And then if it is a situation where you can have like clients’ information, again, only ask for what you need, and when you don’t need it anymore, dump it. One thing I’ve seen, I saw crystal clear with the Marriott breach. I think one of their issues was that they were keeping information longer than they needed to, not protecting it, and then when they had a data breach, people’s unencrypted credit card numbers, and passport numbers got out. And they ended up getting a multimillion dollar fine. Now, if you’re just an agency, you have names, and email addresses, what’s the worst thing that’s going to happen if there’s a breach? Probably not a whole lot of damage. But you want to take reasonable steps to protect that information that has been entrusted to your care. Don’t sell it without permission even though most it’s rare that I run into companies that sell, or give information away unless that’s your business. But if you’re just an agency, that’s not what you do.

So chances are, you’re not the ones who are going to be getting into trouble, but you do want to take reasonable steps to protect the information in your care. Limit access to only people who need it, keep another password. If you’re using like HubSpot, MailChimp, things like that, those things are pretty much already built in. You just don’t like leave your password on top of your desk.

Drew McLellan:

Right. So, for most agencies, I think when GDPR came out, what they did for themselves and their clients was basically, they did the pop-up, “Hey, we use cookies warning.” And maybe they changed the language around the privacy policy. When you talk about GDPR lite, is that kind of what you’re seeing?

Ruth Carter:

Yeah, that’s pretty much it is. We updated privacy policies. We did the cookie pop-up, but that’s about all. We may have added a provision to the privacy policy that was specific to GDPR. But otherwise it didn’t change much. It really was for a lot of companies putting it down in words things they were already doing.

Drew McLellan:

Right. For many companies right now, is that enough? Or are we missing some things that we absolutely, wherever we are on the globe… the reality is we all live in a global economy, and the internet means that odds are we’re talking to people from all over the planet. So I think your point is just assume that you have somebody from every country on your website, on your email list. And if that’s true, what is an appropriate thing for me to have on my website if I’m an agency?

Ruth Carter:

I would say have a solid privacy policy. Add clear policies about what information you collect, how you protect it, under what circumstances will you release it. There are some what I call magic phrases required by GDPR. I actually had a client who did the full nine yards GDPR compliance, and we actually had to revise his privacy policy a little bit just so it wouldn’t had certain magic words. We had the meaning for like, “No, we want the exact phrase.” Was like, “Okay, fine.” So if you want to hire a lawyer who to absolutely for certainly this is a GDPR compliant privacy policy, and have them write yours, or start with that one as a template and tweak it down to GDPR lite. Then that’s fine.

I would double-check as the California law is about to go into effect. See if you have to comply with it because that one also requires magic words including a link on your home page that says, let me make sure I get it right. Because it is an exact phrase they want you to have on your homepage that says, “Do not sell my personal information,” conspicuously on your homepage. That includes the link to where people can opt out of having their information shared with others.

Drew McLellan:

Okay. I look at the cheat sheet that you sent me, and it looks like the two have to comply with the CCPA. I have to be a for-profit business that sells goods or services to California residents, or people domiciled in California even if my business is not there. So if I have a client or a customer in California, and then I have to fit one of the following three. Which is I get half of my annual revenue from selling consumers’ personal information. I possess the personal information of more than 50,000 consumers, households or devices. I have more than $25 million or more in annual revenue, right?

Ruth Carter:

Or $25 million in revenue.

Drew McLellan:

If any of those three are true.

Ruth Carter:

Yes. And you’re for-profit with California clients.

Drew McLellan:

So the reality is for most of us as agencies and for our clients, odds are most of them are for-profit businesses. And hopefully if we’re running our business right, we are too. And odds are whether we know it or not, we are interacting with people from California. So that part of it, I can see where everyone would go, “Well, so far I’m at risk.” But then if one of the three, half of my annual revenue, the possession of information of more than 50,000 consumers households or devices, or have twenty-five million more in revenue, that would knock out a lot of business, right?

Ruth Carter:

Exactly. When I started reading this law and anytime I had, like the one eyebrow would go up like, “What? Why did they write it that way?” I would stop and think, “How does this law apply to Facebook?” And then it was like, “Oh, not good.” I think what worried about, I really want to interview the people who actually wrote this law to see what their motivation was, but that’s what I think it was. So it was written to go after the bigger companies. The people entrusted with a lot of information. Who sell information as their business. It’s really not to be going after mom and pop businesses, smaller businesses. They’re not worried about you.

Drew McLellan:

Okay. So for most of us, then it really is the GDPR that we have to pay attention to in theory?

Ruth Carter:

Yeah. It’s GDPR and also Wheaton’s Law. You know what Wheaton’s Law is, right?

Drew McLellan:

I do not. Tell me what Wheaton’s Law is.

Ruth Carter:

Wheaton’s Law was coined by Wil Wheaton years ago. It is very simple. It is “Don’t be a dick.”

Drew McLellan:

There you go. Right from Star Trek, The Next Generation. You get it right. Okay.

Ruth Carter:

Yeah. Integrity, transparency, and then follow the applicable laws. But if you already have integrity and transparency, you’re probably most of the way there, there just may be some magic phrases you need to add to your privacy policy. But it’s probably things you’re already mostly doing anyway.

Drew McLellan:

All right. So, I want to get into Wheaton’s Law. Let’s take a quick break then I want to go into that a little more. In terms of just best practices that we should all be thinking about. So let’s take a quick break and we’ll come on back. I want to take just a quick second, and remind you that if you head over to the agencymanagementinstitute.com website, one of the things you’ll find there in our effort to support agency owners is some on-demand training. We know that many of you want to attend our live workshops, but for some reason that doesn’t work out. Maybe you’re outside of the US or maybe you have little kids, and it’s tough to travel.

It may just be that our calendar, and your calendar do not align. So what we’ve done is we now have three courses that we either regularly, or occasionally offer as a live workshop. Now we’ve got them in an on-demand training version. So you can now find a biz dev workshop, our agency, new business blueprint course. You can also find our AE Bootcamp, and our most recent addition the Money Matters Workshop. So all of those are available. If you head over to the website and you go under training, you will see on demand training under that tab. You can check out all three of those courses. And obviously those are courses that you can take at your leisure. You can get through the whole thing in a weekend, which I don’t recommend, or you can space it out over time. You can do it individually. You can do it with your leadership team, whenever serves your agency best. We just want to make sure that you know that they are there and available for you. All right, let’s get back to the episode.

All right. We are back with Ruth Carter, and we are talking about privacy laws, and GDPR, and the new CCPA and all of that stuff. If you’re just joining us, which I can’t imagine how that would happen in a podcast, but you might’ve missed the Wheaton’s Law which is basically where we will be saying don’t be a dick. So let’s go there. In terms of our clients are looking to us to help them stay safe, to make good choices. In your law practice, what gets people into trouble specifically around this issue?

Ruth Carter:

People get into trouble when they misuse people’s information. So that’s not protecting it is the big one, because most of the time we find out that people get in trouble after there’s a data breach. So make sure that you are properly protecting the information entrusted with your care, and really think of it as like somebody is trusting me not to screw them over by giving their name, their email address, credit card number. You have to really look at it as a position of trust that we’ve put in. So make sure you have proper security, be transparent about what you’re doing even if it’s so obvious about what you’re doing.

But just have it as something that you put in on your privacy policy about, “We understand. You’re trusting us with your information. We don’t sell it. We keep it protected. We only let people who need it have access to it.” Actually, that’s how you run your business. Don’t be like what Facebook did a little while ago, and tons of passwords were just in a file that anybody in the company could access. Which doesn’t seem that bad until you realize how many people work for Facebook. So many things are just common sense.

Drew McLellan:

So if an agency is mostly using third parties, like HubSpot, MailChimp, SharpSpring, WordPress, those sorts of things, is it safe to assume that they have their ducks in a row? And if not, what questions should I be asking, or what should I be looking for? If I’m partnering with a software as a service, which many agencies do to solve their client’s website and email needs, how do I know that they’re protecting the data?

Ruth Carter:

So remember when GDPR came out and we suddenly had our inboxes flooded with updates and notices for every company we were subscribed to of, “We have a new privacy policy.” Yeah, that’s going to happen again. So read those emails, and just see what they’re doing. I would expect that the HubSpots, and MailChimps and all those types of companies would put out. Not just like we update our information, but also like more information about what they’re doing and why it’s protecting them. At least that’s what they did under GDPR, which I found impressive and helpful.

So I would look to them. If you hit December one, and you haven’t heard from them, I would maybe ping them and say, “California’s new law goes into effect in T minus one month. It’s the holiday season. I know, but what’s going on over there.” So, yeah. So are you probably safe if they maintain their track record for GDPR? I would expect them to continue the same.

Drew McLellan:

Okay. So mistake one that gets us into trouble is that we don’t protect the data. What else are we doing wrong that puts us at risk?

Ruth Carter:

One of the big issues with GDPR is you have to get consent to use people’s information. So that means you can’t add people to your list without consent, explicit consent. Which for a lot of people, the way they handled it was they just added a tick box that said, “I’m okay with you adding me to your list, or I understand that all your activities comply with your privacy policy.” I prefer that people be upfront and say, “Yes, you’re adding me to your list.” Which is different than if you want to send me an email about the product, or service I bought from you because that’s good customer service. That’s separate. That’s good business. That’s not a GDPR issue.

It’s if I turn around and tell me I’m on your list, or worse. This one time a company emailed me looking for information about my legal services. And suddenly I was on their newsletter list. It’s like, “Are you kidding me?” It wasn’t like I didn’t talk to you first. You called me.

Drew McLellan:

Then you kept calling me.

Ruth Carter:

Yeah. So I would say be transparent. One thing I’ve noticed with conferences is when you register for the conference, one of the tick boxes is that by registering for the conference, you were also agreeing to have your information shared with all the vendors who can then send you advertising. I even saw it on like a pop-up poster at a conference that said like, “Warning,” before you got into the vendor expo area, “If you let a vendor scan your badge, you are consenting to receive marketing information.” Before I always just thought like, “Oh, scan your badge.” Just say keep a count of who stopped by.

Drew McLellan:

I might get some free stuff.

Ruth Carter:

Yeah. I want a pen, I want a cookie. I want to play with the toys you have at your booth. One group had like this liquid balance board thing. I’m like, “I’m not playing on that.” And then suddenly, “Can we scan your badge?” Yeah. Sure. Let’s play the game. This is the barter. And then suddenly I’m getting emails. It’s like, “Why? I’m not your demo. I’m not your ideal customer. Why are you contacting me?” Then I realized I’m like, “Oh, I opted in without realizing.” It’s a part of on the audience to be aware of what you’re opting in. But for the company, it’s be transparent as much as you can. It’s not your job to like scream at your audience, “You’re consenting.” I get it. Sorry to your audience. I just yelled at you, but-

Drew McLellan:

That’s okay. That just helped them move on the treadmill a little faster as they’re listening to us. So, the checkboxes or the sign before you go into the expo hall or whatever, those are all the institution, whoever it is trying to be compliant and saying, “Hey, is it okay if we understand what it’s about to happen to you. Are you okay with it?” Right?

Ruth Carter:

Exactly.

Drew McLellan:

Okay. So where do you think all of this is going? I know lawyers don’t like to guess about the future, but in three years, five years, how is this going to be impacting agencies, and their clients? Is it just going to be that we’re all living by these rules regardless of how big we are, where we live? Is it just that?

Ruth Carter:

In a lot of ways, I think these are the types of rules we should already be following. Maybe not down to like the fine detail fired by some of these laws, but the general gist of it of don’t sell people’s information without their consent is really simple. That’s kind of like not too far down from don’t kick puppies. So having integrity, be transparent. I think it’s going to create changes in terms of how we access our audience, and because people are going to have more opportunities to opt out. So agencies’ abilities to reach an audience may become, or at least the size of the audience, you might be able to access, may become smaller.

So there may be an opportunity to shift tactics, but I think it’s going to become more the norm that you have to respect people’s privacy. I think we may be moving into an era where selling information isn’t going to be a business model.

Drew McLellan:

Yeah. So I have a lot of agencies that are freaking out about this stuff, and they’re afraid and they are feeling exposed. And they’re worried about sort of the chain of responsibility with their clients, but everything you’ve said so far makes me sort of think what you’re saying. And I just want to make sure I’m being clear that I’m understanding is like kind of chill out. Like this is not as big a hairy deal as maybe the media made it, or that agencies are creating in their own head. It really is about having some protections in place, being clear about the protections, delineating what you’re responsible for versus your clients. And then if the client says, I don’t want to do any of that, really none of that… as long as we have it documented, none of that should splash up on us. Am I right in my interpretation of what you’ve been saying?

Ruth Carter:

Yeah. Especially once I read the CCPA, and thought how hard it is to be in the club of people who have to comply. There’s going to be a massive sigh of relief amongst companies, because a lot of them aren’t going to have to comply with it. Because they don’t make $25 million a year, which I think most of us don’t. I know my bank account’s not that big.

Drew McLellan:

Right. And even most of our clients probably don’t.

Ruth Carter:

Exactly. I think this is a good time for clients and companies to just take a step back, and just kind of look. Like, “Okay, how are we handling people’s information? What are we doing with it? How are we respecting our audience? How are we communicating that for our audience?” I think that’s going to be an opportunity for people to differentiate themselves by not just we provide quality care, or a quality service, but we take good care of our people. So I’m curious to see what happens down the line with that. But in terms of what we have to do now, it’s just kind of go back to integrity, transparency, protect the information reasonably. It doesn’t have to be Fort Knox if the only thing you have is a list of email addresses, but reasonable precautions.

So password protected using things like HubSpot and MailChimp if they continue to provide the level of protection that they have, then you’re probably fine. So yeah, I think that for a lot of people it is calm down, take a step back, educate yourself, and just make sure that your practices are generally in alignment with what’s required. If you want to go the full nine yards and fully comply with everything, that’s as much of a legal decision as it is a business decision. Because I will say most of my clients who came to me asking for GDPR help, ended up going GDPR lite, because they said, “What are the chances that I have a European person on my list?”

And in the event of a data breach, what’s the harm that’s going to happen. And if you take really good care of your audience, even if they know that you’re not fully GDPR compliant, what’s the chances that they’re going to report you. Because if you’re just a little mom and pop shop, they’re probably not going to just randomly single you out for an investigation.

Drew McLellan:

Right. It feels like it’s really more about being better about disclosing odds are what you’re already doing. It’s really more about language in contracts, scopes of work, privacy statements, on the website itself, at the bottom of every email, all of that. It feels like that’s really what this is about is not just assuming that everyone knows what you’re doing, but being overtly clear and detailed about what you’re doing so that there is no question that you are operating under best practices.

Ruth Carter:

Exactly. Like I said if I looked at CCPA, I started asking, “What does this mean for Facebook?” Most companies do not have a model similar to Facebook. So they’re not really even in a position where they have to worry about the issues being raised through these laws, because they’re already complying with most of the expectations.

Drew McLellan:

Right. I think part of what fuels all of this is you read or hear in the news about the fines. Whether it’s GDPR or somebody else, they’re ginormous, they’re millions of dollars or billions of dollars. An agency owner in small town, middle of the US or in any country on the planet, who’s got 10 employees. Maybe they’re making a million, five, they look at that and go, “I would be crushed by that.” But it feels like it’s not about us. This is not really about us. So we sort of need to get over ourselves a little bit. That we’re not the target for this.

Ruth Carter:

We’re not the target, and I also look at, when I see the news stories with the big fines, I also look at what did this company do to get themselves this fine. And ask myself, could I even do that? Like Marriott, they-

Drew McLellan:

Like I don’t have my clients’ passport numbers.

Ruth Carter:

Passport numbers, credit card numbers that were unencrypted. And even with CCPA that does allow a private right of action. So if you screw up your customer, or the person on your list could sue you directly for a violation, which I think scares some people. That right of action is only limited to situations where you have a breach, and the breach happened because you didn’t take reasonable security measures, and information that should have been redacted or encrypted wasn’t and got out. So if you work backwards from that, you can see you may not be at risk of even being a target of somebody who just might say, “Oh, I want to sue you.”

I will say one thing with CCPA, it does allow California residents to request their information. So they want to know like what information you’re collecting, what you’re doing with it, what categories of information you share with others. You can get an exact copy of the information that you’re holding about them. So you have to be ready for those questions if they come. But if you’re in the middle of the US, you’re kind of a smaller shop. You maybe have a handful of people who are in California, you’re only going to get at most, a handful of requests because they can only make the request twice every 12 months.

Drew McLellan:

So what if I am a small shop in the UK? I know you’re not a UK based attorney. So I’m just asking you to interpret. What we’ve been talking about in terms of take a breath, it’s really about just being more clear about what you’re already doing. Is that true for them as well, or do they have an additional burden because they are based in Europe?

Ruth Carter:

Well, UK has its own problem with that whole “Is there going to be a Brexit or not” thing. [crosstalk 00:43:06]. I know that. I would say UK is like any business. Educate yourself before you freak out. When you hear about a new law, okay, step back, get quality information. Whether it’s from a reliable source, you have a lawyer who provides you something like a cheat sheet, and decide what does this mean for my business? So I’m not saying go laissez-faire, put your feet up. We’re probably fine. It’s like, no, get educated and know what you’re expected to do. Then you can make a business decision about how much you want to comply with a law, if you have to comply with the law.

Drew McLellan:

So I know part of your role is that you’re sort of always looking out over the horizon of what’s coming next. So GDPR is here, the CCPA is for all intents and purposes here. I’m sure you were watching the CCPA as they were talking about it and discussing it. What else is on your radar screen in this space right now that you’re paying attention to that maybe we should start at least setting up a Google alert for, or paying attention to?

Ruth Carter:

So I still have a Google Alert on GDPR, just so I can see what’s coming down the pike, who’s getting in trouble, what’s going on, are there any changes? I have a Google Alert on the California Consumer Privacy Act because they are amending that thing. I really hope there is a deadline where they have to say no more changes at least until it goes into effect please, thank you. So I can advise my clients properly. And beyond that, I’m just keeping my ears open to see what’s going to come down the pike next. Because until something actually happens, I don’t put a whole lot of value in rumors or what might be. But kind of like when a client calls me and says so-and-so says they’re going to sue me. “All right, well, I’ll believe it when you get served.”

So, I hope that there are discussions going on amongst the people in power who put passed laws about privacy. Because I think it doesn’t make sense for just California to have it. I think we should have a nationwide law. Otherwise it’s going to get excessively complicated fast for no needlessly. I look forward to the day we have global laws. I don’t know if that’ll happen in my lifetime, but we’re a global community now. So we really should have… I wish there were more laws that just even if they are technically separate, that mirrored each other in terms of expectations for things like privacy.

So yeah, I can’t say I’m watching anything specifically at this point. I’m just keeping my eyes and ears open for what might be happening. Actually, then really started paying attention when actual laws are written and passed.

Drew McLellan:

Are any other countries other than the US and the GDPR folks, are there any other countries who are sort of kicking this around thinking that they too need to jump on board with this?

Ruth Carter:

I know Canada has a privacy law that if you’re GDPR compliant, you’re probably compliant with the Canadian law.

Drew McLellan:

They’ve had that for a while, haven’t they?

Ruth Carter:

Yeah. We’ve had CASL for a while now. It’s relatively easy to comply with that. A lot of us are already doing it. I know I’ve heard that there are some privacy laws over in Asia. I don’t work with a lot of Asian countries, so I haven’t had to fully educate myself on that. Which is why I tell my clients be aware of where your audience is and do your homework accordingly. I have heard within the US that a couple of other states may be considering a similar law of California, which makes me kind of want to go, “Yay. People care about privacy.” And then part of me goes, “Oh God, what is this going to mean for my clients? How much more complicated are their privacy policies about to get, if I have to make a GDPR section, the California section or Wyoming section?” Yeah, but I would rather take that onto my clients so they don’t have to try to muddle through on their own.

Drew McLellan:

The big takeaway for me is take a deep breath people and odds are you’re already compliant. You just need to be more blatant about what you already have in place in nine out of 10 cases.

Ruth Carter:

Exactly. Like take a breath. You’re probably substantially on the right path, get a little bit of education so you know how to get all the way there.

Drew McLellan:

Yeah. Okay. This has been fascinating. I think a lot of people right now are breathing a little easier than they were at the beginning of our conversation. Because I just think this stuff freaks us out.

Ruth Carter:

Oh, yeah. I completely had a moment when I heard about California’s law, and then I read it and I went, “Oh, my clients are going to be so much happier once they realize that most of them don’t have to comply with it.”

Drew McLellan:

I know that you produce content around this stuff and that you are a well-respected well-known thought leader in this space. If folks want to follow you, learn more from you, track what you’re talking about and thinking about, what’s the best way for them to find you and to start doing that?

Ruth Carter:

So I’m rbcarter on Twitter. I’m really easy to find. If you Google Ruth Carter lawyer, I will pop up everywhere. If you do just Ruth Carter, you’re going to find me and the Oscar-winning costume designer from this past year. She did the costumes for Black Panther. She’s fantastic. She’s also black. So it’s really easy to differentiate black costume designer, white lawyer.

Drew McLellan:

There you go.

Ruth Carter:

[inaudible 00:49:02] Carter Law Firm has a YouTube channel, but if you follow me on Twitter, you will probably see the bulk of my content because I tend to blast it all out there.

Drew McLellan:

Yeah. Well, and your content is great. It’s very easy to consume. And like this interview, hopefully it’s reassuring to folks that they can just take a deep breath and odds are they’re doing more things right than they think they are.

Ruth Carter:

Exactly. Thank you. I do try to present my content in English versus legalese as much as possible.

Drew McLellan:

Yeah. I always appreciate an attorney who speaks regular people English. Absolutely. Thank you so much for being on the show. Thanks for sharing your expertise. We met last year at Content Marketing World, and I’m looking forward to seeing you there again. But I knew I wanted to get you on the show, because you do speak in a way that people can understand and wrap their arms around. So I’m super grateful that you clarified all of this for us because it’s a worry spot for a lot of folks. So thank you.

Ruth Carter:

It’s my pleasure. And thank you for getting the word out about this issue and helping people understand what their obligations are.

Drew McLellan:

So, appreciate it. All right, guys, this wraps up another episode of Build a Better Agency, a couple housekeeping things. First and foremost, thank you for listening. Always grateful that you stick around. Remember if you leave a rating or review, if you take a screenshot of it, and send it to me I will email you back, and we can have a little conversation. Also then you are in a drawing. I don’t care what the review is. You can say bad things or good things. But we will put you in a drawing for a free workshop either live or one of our on-demand courses.

Of course a big thank you to our sponsor, White Label IQ, who makes this possible. If you are looking for partners to outsource design, dev, PPC, they are amazing. They are good people. They’re in Colorado. So depending on your time zone, they’re super easy to talk to, and they deliver incredible results. So check them out. They have a special offer for you as a podcast listener. So if you go to whitelabeliq.com/ami, they have a special offer just for you. So check that out.

I will be back next week with another guest, like Ruth to kind of get you thinking differently about the business and things that I think you need to know to run a profitable shop. In the meantime, if you’re looking for me, you know how to find me through at agencymanagementinstitute.com. Until then I will see you next week. Thanks. That’s a wrap to this week’s episode of Build a Better Agency. Visit agencymanagementinstitute.com to check out our workshops, coaching packages, and all the other ways we serve agencies just like yours. Thanks for listening.