Episode 207


Many agency owners are struggling to not only understand laws like the CCPA and GDPR, but more important — determine what your agency has to do to be compliant and avoid liability. What laws apply to your shop and your clients? What does compliant even mean in terms of practical do’s and don’ts? What is the chain of responsibility if clients make bad choices? What are mistakes we should avoid?

My guest Ruth Carter is an Arizona-based business, intellectual property, and internet attorney; a best-selling author who literally wrote the book on the legalities of blogging; has been living and breathing the new CA privacy law and works with agencies every day to help them manage the hype and interpret the laws accurately.

Ruth and I had a lively conversation about privacy laws and what they mean for agencies. Ruth is a wealth of legal and privacy information for agencies and a brilliant navigator for this tricky subject.

A big thank you to our podcast’s presenting sponsor, White Label IQ. They’re an amazing resource for agencies who want to outsource their design, dev or PPC work at wholesale prices. Check out their special offer (10 free hours!) for podcast listeners here: https://www.whitelabeliq.com/ami/

What You Will Learn in this Episode:

  • What determines which privacy laws an agency and our clients need to follow
  • How agencies can protect themselves if clients don’t follow privacy recommendations and get into legal trouble
  • Privacy disclaimers, policies, and declarations needed for an agency’s website
  • Whether your agency has to abide by the California Consumer Privacy Act (CCPA) and/or the General Data Protection Regulation (GDPR)
  • Privacy mistakes that get agencies into hot water
  • The importance of transparency when adding clients to your email list
  • Why most agencies can take a deep breath – they’re probably already complying with the law

The Golden Nuggets:

  • “Be aware of where your audience is and do your homework accordingly.” - @rbcarter
  • “If I'm an agency, I would say have a solid privacy policy and clear policies about what information you collect. How are you protected?” - @rbcarter
  • “If you already have integrity and transparency, you're probably most of the way there.” - @rbcarter
  • “I prefer that people be upfront and say, yes, you're adding me to your list, which is different than if you want to send me an email about the product or service I bought.” - @rbcarter
  • “Make sure you have proper security and be transparent about what you're doing, even if it's obvious what you're doing.” - @rbcarter


Ways to Contact Ruth Carter:

Speaker 1:

Welcome to the Agency Management Institute community, where you’ll learn how to grow and scale your business, attract and retain the best talent, make more money, and keep more of what you make. The Build a Better Agency podcast presented by White Label IQ is packed with insights on how small to mid-size agencies survive and thrive in today’s market, bringing his 25 plus years of experience as both an agency owner and agency consultant. Please welcome your host, Drew McLellan.

Drew McLellan:

Hey everybody, Drew McLellan here, with another episode of Build a Better Agency. This is going to be an episode that answers questions that have been sort of worrying. We are going to talk about all of the privacy laws, the GDPR, the new law that’s coming into law in California, and sort of all of that. What do we do? What kind of notices do we have to have on websites? How do we handle clients that don’t want to comply with these rules? What is our liability on that? So I met an attorney named Ruth Carter at last year’s Content Marketing World. And they are everything you wouldn’t picture a lawyer to be, that is Ruth. And they speak in common man language, they make things super easy to understand, and best of all they dive deeply into the topics of privacy law. Also literally wrote the book on the legalities of blogging and some of those other online activities that we do.

So a true expert in the field, somebody who focuses on it every day, all day. And so I knew that I wanted Ruth on the show so that I could dig deep into this topic because I know it’s something that’s keeping a lot of you up at night. That you’re worried about the liabilities, and I want to get some answers for you, so that’s why I invited Ruth to be on the show. Before I turn to Ruth and start peppering them with questions, a couple of reminders. First and foremost, if you have not gone to iTunes or Stitcher or any of those places and left us a review for the podcast, it would be awesome if you did. Take a screenshot, send it to me because I love poodles one, one, one. I don’t know who that is so oftentimes your usernames amuse me, but confuse me.

So if you could send me your screenshot, so I know it’s you then we’ll put you in the drawing. As you know we are giving away free workshops, either the online on demand course or one of our live workshops. Every month, we’re giving one of those away. So we’d love for you to be in the drawing for that. And also want to remind you of some workshops that we have coming up. Money matters, where we’d spend two days talking about financial metrics, why you’re not making money even though you’re super busy, do you really need to hire someone else? How can you get prospects and clients to buy the proposal at the right price that you think it really should be at?

We’re going to talk about tax strategy. We’re going to talk about what your agency needs to look like if you ever want to sell it. All kinds of money stuff, and we are going to dig into those October 16th and 17th in Orlando, Florida. And then we’ve got a pair of workshops that is really going to be awesome in January. So January 23rd and 24th is build and nurture your agency sales funnel. So we’re going to talk about how do you earn the attention of prospects that you want to know about the agency, and you want to begin to court.

Then what do you do for that period of time, be it a day or a decade, to keep them interested, and engaged and to make sure you stay relevant to them? So that on the day that their current agency ticks them off or they decide they’re not going to do it in-house anymore, or they need some help and they’re like, “I’ve got to call somebody.” You are who they think of and they pick up the phone or shoot you an email. So that workshop’s going to be all about that. Building and nurturing a sales funnel, and everyone is going to leave with a built-out sales funnel. We’re not going to just teach you how to do it in the workshop, you’re going to do it. Because otherwise I know you won’t go back to the shop and do it, so you’re going to just do it with us while we’re there coaching you all through the process.

So that’s the Thursday, Friday. Then the following Monday, Tuesday, Mercer Island Group will be with us, and they have done some amazing, I would call it sort of journeymen research. So they didn’t go out and interview a bunch of people. They just have gathered up data from all of the brands that they work with and all of the agencies they work with. And they’ve mapped out what a prospect’s buying journey looks like. They’ve identified the big milestones in that buying journey, and they’re going to show us how to win the prospect’s hearts and attention at each milestone. So that’s going to be fascinating.

Brand new content, brand new workshop, and that’s Monday, Tuesday January 27th and 28. So here’s a little suggestion I have for you. What if you came down, and you built out your sales funnel on Thursday and Friday, then you spent the weekend, Saturday and Sunday playing at Disney World and remember Star Wars will be open by then. Then you went to the workshop on Monday, Tuesday with Mercer Island Group. It’s just a suggestion, but I got to tell you, I think it’s a pretty good suggestion.

All right. That’s what’s going on in the AMI world, you know about the summit already. Hopefully you’ve got your ticket, but I want to talk about privacy and GDPR, and all the things where we could be in trouble and figuring out are we actually in trouble. And what we need to do to stay out of trouble. So with that, let’s talk to Ruth. All right. Ruth, welcome to the podcast. Thanks for joining us today.

Ruth Carter:

Thank you so much for having me.

Drew McLellan:

So this whole privacy thing is so confusing to agencies, and a lot of it is around I don’t think we know what we have to do, what we’re supposed to do. So let’s kind of break this down for folks, and if I am an agency of 13 people in a small market in the middle of the US, how much of this am I obligated to obey?

Ruth Carter:

So the answer to every legal question starts with it depends.

Drew McLellan:

Of course. Right?

Ruth Carter:

Of course. And of course I also have to come with a disclaimer that while I am a lawyer, being on your podcast does not create an attorney-client relationship with any listener. I’m merely providing information, not legal advice. So, which rules do people have to worry about? Well it actually, it doesn’t depend on who the agency is or who their clients are, it’s who their audience are that matters. Because the laws are based on the personal information of the people that the content is going to, or whose information that your clients, or your client’s clients are entrusted with dictate which laws apply to you.

Drew McLellan:

Okay. So let’s say I’m a small to mid-sized agency in the middle of the US, and my client is a bakery chain of five bakeries that are all in my zip code, but in theory. We have recipes, and we do cooking shows and all that. So is it just because anyone on the globe could access that data? I have nothing in place to say, “Sorry if you’re from the UK, you can’t come in.” Then am I obligated to know this stuff and live by it?

Ruth Carter:

Potentially, yes. So if you’re creating content or you have an email list and there are people on it that are not within your zip code let’s say, they’re in the EU then you have to be cognizant of the GDPR. Starting in January, if you do business with people from California, you’re going to have to worry about the California Consumer Privacy Act. I will start saying these laws properly, the California Consumer Privacy Act, CCPA, that goes into effect on January one.

Drew McLellan:

So, at the end of the day, and unless I’m going to gate all of my stuff, the reality is my best bet is to protect myself and my clients, yes?

Ruth Carter:

I think so. I can understand why some people do what I call GDPR light. It’s people who want to comply with the European law, because they may have somebody on their email list who is from the European Union. But they don’t want to pay thousands of dollars a year to comply with all the elements like joining the EU-US Privacy Shield. But if you’re willing to do everything else and update your privacy policy, and comply with certain requests. I understand why people may not go full board and comply completely, but comply substantially and just hope that they don’t get caught, don’t get investigated. If they do that, they just get a minor slap on the wrist.

Drew McLellan:

Yeah. So with California coming up with the CCPA, granted California is a world unto itself. But with them doing that if I have an agency in the States, is it safe to assume that sooner or later that this pattern is going to trickle through more States in the US?

Ruth Carter:

I think California passed this law to either inspire other States to follow suit, or to hope that the federal government would pass a nationwide law. Because it is complicated if every State has a separate privacy law that we have to follow. It’s just too complicated and there’s just the risk of conflicts and headaches for the rest of us. So that’s what I think is happening, but I will say California at least wrote this law so that a lot of people are exempt from it. But even if you are exempt from complying with the law completely, a lot of the things they require are things that companies should probably be doing anyway.

Drew McLellan:

Right. So a lot of our listeners are not in the US. So if I’m an agency in Australia or I guess the UK, obviously probably, or Asia or someplace else on the globe, how much of GDPR… So basically whatever you’re saying for the US-based agencies, is that the same recommendation if I’m an agency in Sydney, Australia, for example?

Ruth Carter:

Yes. I would be aware of the privacy laws that apply to your audience. So if you are in Australia, but you do a lot of business with Singapore, I would be aware of Singapore’s privacy law to see if anything that you need to add to your privacy policy or review. If you have EU clients, check their law. It is rather complicated to have to think about not just where you live, but where your audience is. And it might move, and it makes my brain explode. But yeah, I would say it’s not just where you live anymore that you have to be aware of, it’s where your audience is, or at least a bulk of your audience. I can understand that a company may not want to change everything just because they have… They’re in Australia and they have one person in Romania on their email list. I completely understand from a business perspective that they may not want to change everything for that, but they should be aware of the risks they’re taking when they make that decision.

Drew McLellan:

Yeah. So I want to come back to what the mother of the things that we absolutely must do regardless of size and all that. So I want to come back to that, but one of the challenges that I know a lot of my agencies are facing right now is that they’re making recommendations to their clients. Let’s say they are developing a website for a client, or they’re doing email marketing or whatever. They’re making recommendations to their clients that they comply with all of these rules, but there’s a cost associated with all of that. The clients are saying I don’t want to spend that money. So how does an agency, if the agency suggests it, and the client goes, “Nope, not doing it.” How does the agency protect itself so that if that client were to get into legal trouble, that trouble doesn’t splash onto the agency? What do we have to have in place, the documents that we tried and they said no?

Ruth Carter:

I think you hit the nail on the head, and it is about documentation. The way that you write your contracts with your client, and the scope of what are you actually being hired to do. If you’re being hired just to create the website, but not the terms of service, and not the privacy policy then that’s on the client to do that. If the agency wants to make recommendations about maybe who to use to get those drafted properly, that’s fine, or if the agency wants to have maybe some type of like cheat sheet prepared by a lawyer that said, “These are the recommendations that we have for your privacy policy, but how you run your business is up to you.” Because that’s the difference, is that you are the PR ad content creators. You are hired by the business. You are not the business. They have to make those decisions for themselves.

Drew McLellan:

Right. So do I need to have a client sign a document that says I provided them with this data. Either it’s on them to decide what to do, or we made recommendations and offered to do it, and they chose not. They chose the cheaper option. Do I need to document the conversation in essence?

Ruth Carter:

I think it depends on what you were hired to do. If you were hired to create their terms of service, and privacy policy, then I would have that in there. But if you have just been hired to create the website or content for them and not those documents, I would probably have it put in the contract that we were not hired to create terms of service, privacy policy. It is up to the client to take care of those things themselves. So, that way it’s crystal clear who was responsible for what.

Drew McLellan:

Okay. So same thing, client already has HubSpot or SharpSpring or some email marketing tool, Marketo, whatever it is. We get hired to write the content for it. Again, we would want to have a document in our scope of work that says, “Here’s the dotted line of where our responsibility ends. You didn’t ask us to do these things. You just asked us to do this bullet pointed list of items.”

Ruth Carter:

Yeah. It doesn’t necessarily even need to be a separate document. Just a provision within the contract. It’s like saying like, “You hired us to do X, Y, and Z. You did not hire us to do A, B and C.” And there may be other things in that list besides terms of service and privacy. There may be issues with like photos, or other content that you’re like, “No, we didn’t create it. We didn’t provide it. We’re not responsible for it.”

Drew McLellan:

Yeah. My guess is that most agencies, their contracts or scope of work list all this stuff they’re supposed to do, they probably in many cases haven’t done the due diligence of listing the stuff that they were not asked to do as sort of a CYA move, especially around as you said rights to photos and all of this privacy stuff.

Ruth Carter:

The good news for your audience is it’s really easy to add in a single provision to their contract templates.

Drew McLellan:

Right. So when it comes to our own websites, most agencies have sort of a sphere of influence, but many agencies are creating a lot of content, especially if they have a subject matter expertise in a vertical, or a niche, or an audience that would allow them to be interesting to people from all over the planet. So in that case, if I’m a 25 person agency, anywhere on the globe, what do I have to worry about for my own shop? What do I have to have there?

Ruth Carter:

So are we talking about the content that the company is creating for themselves, or the content they’re creating for their clients?

Drew McLellan:

I’m creating this for my… So my agency website, what kind of privacy, or disclaimers, or declarations do I need to have for my company’s website when I am using it as a biz dev kind of an attraction tool. So I don’t want to say, “Well, I don’t want people from Australia to come or whatever it may be.”

Ruth Carter:

Right. So I would take a look at who your audience is, look at your email list. If you can even tell where they’re from.

Drew McLellan:

Right. That’s part of the problem, right?

Ruth Carter:

It is the problem. So, I tell people unless you know otherwise assume that everybody is from everywhere. I know when GDPR came out I put something throughout in my email list that said, “GDPR goes into effect. Consent to stay on the list, otherwise I am dropping you.” And I dumped two thirds of my list. So that way everybody who’s on my list reconsented to stay on. So there are certain disclaimers you have to give under GDPR that I think the easiest way to do those is either in your privacy policy or in the double opt-in email when people add themselves to your list. I definitely tell people do not add people to your list without their consent. I recommend actually that companies don’t add people to their lists, that let the audience add themselves. If you’re that good, they will want to be on your list. I know a company that that’s how they operate. And then be thoughtful about what information you are collecting from people. Only ask for what you need, which if you’re just having a simple email list, it may only be like names and email addresses.

Maybe even only just email addresses. You don’t need to ask for a mother’s maiden name, social security card, first pet’s name, things like that. And then if it is a situation where you can have like clients’ information, again, only ask for what you need, and when you don’t need it anymore, dump it. One thing I’ve seen, I saw crystal clear with the Marriott breach. I think one of their issues was that they were keeping information longer than they needed to, not protecting it, and then when they had a data breach, people’s unencrypted credit card numbers, and passport numbers got out. And they ended up getting a multimillion dollar fine. Now, if you’re just an agency, you have names, and email addresses, what’s the worst thing that’s going to happen if there’s a breach? Probably not a whole lot of damage. But you want to take reasonable steps to protect that information that has been entrusted to your care. Don’t sell it without permission even though most it’s rare that I run into companies that sell, or give information away unless that’s your business. But if you’re just an agency, that’s not what you do.

So chances are, you’re not the ones who are going to be getting into trouble, but you do want to take reasonable steps to protect the information in your care. Limit access to only people who need it, keep another password. If you’re using like HubSpot, MailChimp, things like that, those things are pretty much already built in. You just don’t like leave your password on top of your desk.

Drew McLellan:

Right. So, for most agencies, I think when GDPR came out, what they did for themselves and their clients was basically, they did the pop-up, “Hey, we use cookies warning.” And maybe they changed the language around the privacy policy. When you talk about GDPR lite, is that kind of what you’re seeing?

Ruth Carter:

Yeah, that’s pretty much it is. We updated privacy policies. We did the cookie pop-up, but that’s about all. We may have added a provision to the privacy policy that was specific to GDPR. But otherwise it didn’t change much. It really was for a lot of companies putting it down in words things they were already doing.

Drew McLellan:

Right. For many companies right now, is that enough? Or are we missing some things that we absolutely, wherever we are on the globe… the reality is we all live in a global economy, and the internet means that odds are we’re talking to people from all over the planet. So I think your point is just assume that you have somebody from every country on your website, on your email list. And if that’s true, what is an appropriate thing for me to have on my website if I’m an agency?

Ruth Carter:

I would say have a solid privacy policy. Add clear policies about what information you collect, how you protect it, under what circum