Next year, 6 new privacy laws go into effect requiring specific disclosures within a Privacy Policy if applicable to your business, and failure to comply with these laws could result in fines starting at $2,500 per website visitor whose rights you’ve infringed upon. Consumers are expecting website owners to respect their privacy, and non-compliance fines can be quite expensive simply for failing to disclose your own privacy practices.
If your website is collecting regulated data (like names, email addresses, phone numbers and IP addresses) through integrated waivers or by any other means (contact forms, analytics tools, security features, etc.), you may have an obligation to provide specific details within your Privacy Policy so your visitors understand what you’re doing with their data.
During this webinar, you’ll learn:
Donata Stroink-Skillrud is an attorney licensed in Illinois and a Certified Information Privacy Professional (CIPP). She is the President and legal engineer of Termageddon, LLC, a software as a service company that generates Privacy Policies for website owners that automatically update with new disclosure when privacy laws change. Donata is also the Chair of the American Bar Association’s ePrivacy Committee, where she helps provide guidance to legislators on how to write privacy laws.
Hans Skillrud is the Vice President of Termageddon, overseeing sales, marketing and partnerships. An educator at heart, he uses every chance he gets to educate web agencies and their clients about the importance of website policies. Prior to Termageddon, Hans ran a web design and software development agency in downtown Chicago for 7 years, before selling it in early 2019 to focus on Termageddon exclusively. Outside of work, he enjoys beekeeping, gardening, woodworking, and tinkering with programming Arduinos.
Brandon is the CEO of Resmark & WaiverSign and also co-owns and operates Western River Expeditions and Moab Adventure Center. Helping grow these successful businesses over the past 20 years has given Brandon unique insight as to what truly generates results. He is passionate about sharing those insights and helping other businesses succeed. Outside of the office, Brandon enjoys exploring the world by raft, bike, and foot with his wife and children.
Brandon Lake:
Good morning, good afternoon, and good evening. Wherever you may be joining us. We have people with us today actually from the United States, Canada, Jamaica, and as far away as Africa. We're very excited to cover this topic of privacy policies today. At the start of next year, six new privacy policies will go into effect. And failure to comply could actually result in fines starting at $2,500 per website visitor. So this is a really big deal. I think it's only going to get bigger and more complex as laws continue to change all the time. And I think everyone with us today collects personal information from website visitors, either through analytics, lead forms, booking or registration, or by the signing of waivers or other documents. So what we are talking about here applies to all of us. I'm anxious to get started, so let's give some quick introductions.
My name is Brandon Lake. I am the CEO of Resmark and WaiverSign. I am with you today from the winter wonderland of Utah. There's beautiful snow everywhere outside my window. And I am excited to have with me, it's an awesome powerhouse couple, Donata and Hans Skillrud. Let me just give you a quick introduction to them. Donata is an attorney. She's licensed in Illinois, and she is a certified information privacy professional.
That may be a title you haven't heard before. Donata is also the chair of the American Bar Association's ePrivacy Committee. And there she helps provide guidance to legislators to help write privacy laws. And Donata is the president and legal engineer of Termageddon, which is a software company that generates privacy policies for website owners. It's a really cool platform because it actually automatically updates with new disclosure when privacy laws change.
So that's pretty cool. Hans, we're happy to have with us today as well, is vice president of Termageddon. He is an educator at heart. He loves teaching businesses about the importance of website policies. Actually, prior to Termageddon, he ran a web design and software development agency in downtown Chicago for seven years. Outside of work, he enjoys beekeeping, gardening, woodworking, and programming Arduinos. Now, I don't even know if I said that right, Hans, but I really had no idea what an Arduino was.
Hans Skillrud:
You did.
Brandon Lake:
So I had to look it up. So for everyone's benefit, Arduinos help design and manufacture single-board microcontrollers for building digital devices. That's per Google. Now, I still have no idea what that means. So I'm going to add it to our questions at the end if we have time. And [inaudible] little factoid from Hans. So speaking of questions, everybody look down to the right side of your screen.
You'll see a little questions icon. When you have a question, as I'm sure you will as we go through this. Click on that, type it in. At the end of the presentation, we'll actually answer those questions. There's a cool feature there. If you see somebody else asked a question that you're like, "I want to hear the answer to that too." There's a little way to upvote those, and we'll see that on our end. And that'll help us prioritize which questions we answer first if we don't have time to get to all of them.
So we may answer a couple of those questions along the way as well. You'll also see down there in the lower right, a chat icon, you can go ahead and click on that now. Let everyone know where you're from, what you do. It's fun to see who we have on the webinar with us today. But I'm going to go ahead and turn this over to Hans and Donata to help us understand the brave and exciting world of privacy policies.
Hans Skillrud:
Well, we couldn't imagine, like anyone here... I'd imagine everyone couldn't be more excited to learn about privacy policies.
Brandon Lake:
Exactly. This is it.
Donata Stroink-Skillrud:
They're slightly more [inaudible].
Brandon Lake:
[inaudible] excited.
Hans Skillrud:
Yeah.
Donata Stroink-Skillrud:
They're probably slightly more excited to learn about privacy policies than they are about your Arduinos.
Hans Skillrud:
I don't know. I mean, you can compare both. They're both extremely entertaining. Well, thank you all for taking the time to learn about this stuff. I know privacy policies are not really the most exciting thing in the world, but the fact is they're becoming... Well, they're already currently legally required under multiple privacy laws. But there's a lot more coming. We're going to talk today about six new laws going into effect. But there's even more.
So yeah, this is a great time to get educated on the topic, understand when you need to have them, and understand how and why to keep them up to date over time.
Donata Stroink-Skillrud:
Absolutely. Yeah. Should we share our slides?
Hans Skillrud:
Let's do it.
Donata Stroink-Skillrud:
All right.
Hans Skillrud:
All right. Brandon, can you see our slides okay?
Brandon Lake:
Yeah. It all looks great.
Hans Skillrud:
Awesome.
Donata Stroink-Skillrud:
Awesome. All right. So welcome to New Privacy Laws Are Coming: How to Avoid Fines & Lawsuits. Before we start, we did want to note that any information that we talk about today is not legal advice. If you are looking for legal advice, we would recommend reaching out to an attorney in your area to help you with your specific legal issues.
Hans Skillrud:
We'll welcome questions too at the end of this presentation, but just note that is not legal advice either.
Donata Stroink-Skillrud:
So a little bit about what we'll talk about today. So Brandon already introduced us, so we'll skip that part. So we'll talk about why we're talking about this now? What is personally identifiable information (PII)? What is a privacy policy and why you may need one? What is the terms of service, and how it can help you? What is the disclaimer? Where to get policies? And we also have a special offer for everyone here. So Hans and I... So I'm the attorney, I'm the legal engineer behind Termageddon. I also spend a lot of my time reading privacy policies and privacy laws. And if you can't tell by our last names, we are married.
Hans Skillrud:
Yes, full disclosure.
Donata Stroink-Skillrud:
Why are we talking about this right now? So some of you who may have been in business for 10, 20, 30, 50 years, might be asking why is privacy coming up now? So if I can take you down a little bit down memory lane very quickly, if you all remember the Cambridge Analytica scandal. So that was a time where Cambridge Analytica took the personal information of millions of Facebook users and used that information for political advertising without their consent. So essentially what happened after that is that consumers started realizing, "Oh, I'm actually giving my information to these companies. And I have very little control over what they do with that information, who they share it with, whether or not they sell it to anyone else. And I can't really stop them from doing that, and I don't really know what happens with my personal information when I submit it to a company online."
So consumers started taking privacy a lot more seriously after that because they saw the consequences of what happens, and they started pressuring their legislators to propose and pass privacy laws. So in the United States, we don't have a federal privacy law. We do have federal privacy laws when it comes to health information, financial information or children's information, but we don't really have anything federally to protect the personal information of consumers online. Just like names and emails. So because we don't have a federal privacy law like that, a lot of states have taken it upon themselves to propose and pass these privacy laws. And really this year we saw a lot of movement. So in 2023, we have six new privacy laws that are going into effect. So the first one is the California Privacy Rights Act, which replaces the California Consumer Privacy Act. We have a new privacy law in Virginia, Colorado, Utah, and Connecticut.
And in Canada, we have a new privacy law in Quebec. So these privacy laws provide requirements for businesses that you need to follow if those laws apply to you. Meaning having a compliant privacy policy that has all of the disclosures that are required by these privacy laws. Offering consumers certain privacy rights such as the right to delete their information. Having restrictions on how personal information can be used, things like that. The most important part about these privacy laws is that you don't have to live in these areas for these laws to apply to you. So we're in Illinois here. That does not mean that we're automatically exempt from the Colorado Privacy Act, for example.
And that's because privacy laws are created to protect consumers and not businesses. So consumers can go online and they can submit their personal information anywhere, which essentially means that these laws are very far reaching and you don't have to be located in these states or in Quebec for them to apply to you. And then these laws are also enforced via fines. So for these particular six, fines start at $7,500 per violation. Others start at $2,500 per violation. It just depends on the law. And in this case, per violation means per person whose privacy rights were infringed upon. So let's say I have 100 visitors from Colorado, and I don't have a compliant privacy policy, and I need to comply with their law, my fine would be calculated as 7,500 times 100. So you can really see how quickly these can balloon out to very, very large fines.
Hans Skillrud:
Yeah, that's right. No, that's absolutely right.
Donata Stroink-Skillrud:
So maybe Hans can tell us a little bit about what is PII.
Hans Skillrud:
I would be happy to.
Donata Stroink-Skillrud:
What if you're like, "No."
Hans Skillrud:
I'm good. [inaudible] you just do it.
Donata Stroink-Skillrud:
You've done that before.
Hans Skillrud:
I have. So we try to keep things down to as little things to memorize as possible, but we do need everyone to memorize one definition, and that is personally identifiable information. This is a big one because personally identifiable information is any data that could be used to identify an individual. We call it PII for short. And that's probably what you'll hear us call it throughout this presentation. But PII are things like people's names, their email addresses, their phone numbers, maybe their physical addresses, their IP address. Even their signatures could be considered personal information.
Donata Stroink-Skillrud:
Yeah. Especially if they have a signature that can betray their name. So a lot of us sign where it's just our name in cursive.
Hans Skillrud:
Yeah. Well, and I think it's important to understand that websites collect this personal information all the time. We obviously put waivers right at the top, but when it comes down to it, just about any modern website is collecting personal information beyond waivers. For example, if you have a contact form on your contact page, asking people to submit their name and email, that is an excellent example of when a business is not only collecting names and emails, but chances are you're actually sharing that data with your email service provider, assuming you receive an email in your inbox with that person's contact details.
Other examples of websites collecting PII could be newsletter subscription forms where people submit their email to sign up for an email newsletter. And then waiver completion confirmation emails where we're not only collecting email addresses, but we're sharing that data with our waiver software or email marketing systems to trigger and send emails automatically to these users upon signing waivers like this.
Donata Stroink-Skillrud:
And I think this is actually a good place. We have this as a frequently asked question, but I think it's a good place to bring it up right now, is that this information is considered PII and it is regulated even if it's voluntary to provide that information. So let's say I have a contact form where you can input your name and email and you're required to input the email to submit the form, but not the name. The name is still considered PII, even if it is voluntary to submit it.
Hans Skillrud:
Here's some visuals just to kind of reiterate what we just said. On the left hand side, payment information, whenever submitting payment information, that's such an excellent example of helping collect that personally identifiable information of that individual. We also attached a screenshot here of a waiver where people are submitting their legal name, their last name, birthdate. That's another good example of personal information. And then this signature email collection component where not only are they submitting that data, but that may also trigger emails. Meaning that data will be shared with third party email sending tools to send those emails.
Donata Stroink-Skillrud:
And as you can see from that signature, you can very clearly see what their name is from the signature itself. Which means that it's PII.
Hans Skillrud:
That's great. Yeah. And I think the important thing to understand is that while many businesses think that they do not share PII, sharing is very common. I just kind of shared those examples of how just easily companies not only collect PII, but they actually often share it too. Receive an email in your inbox of a lead submission is an excellent example. Or maybe when you receive an email when a payment gets made and you receive that person's payment confirmation message. Sending signed waivers. We discussed that as well. So in most examples, people are not only with their websites, most modern websites, they not only collect PII, but they actually even share that data too.
Donata Stroink-Skillrud:
And sharing PII, it's not the same thing as selling, right? So sharing PII means sending it or providing it to a third party. So anyone that's not you. So let's say somebody submits their email to my email newsletter list. And that email gets uploaded into MailChimp so that I can send them the email that they signed up for, since I'm inputting their PII into MailChimp servers. I'm sharing that information with MailChimp. Versus selling, much more rare, getting money in exchange for PII. Not very common.
But sharing PII, I would guess that 99% of small businesses share PII. And it's nothing bad. So collecting PII and sharing PII, it's not a bad thing. You're not evil for doing it. You're not a bad person for doing it. It's a very, very common business practice.
Hans Skillrud:
I'd argue it's necessary in this day and age.
Donata Stroink-Skillrud:
Pretty much. Yeah, I would say it's very hard to have a website without sharing PII. But what's really important to remember here is that collecting PII, sharing PII, totally normal, but there's just some rules that you need to follow.
Hans Skillrud:
That's right.
Donata Stroink-Skillrud:
So why does PII collection matter? So any website that collects PII needs to have a privacy policy. And that's because the collection of PII, such as names and emails is regulated by a variety of different privacy laws.
Hans Skillrud:
And many privacy laws start applying to a website owner the moment they collect personal information.
Donata Stroink-Skillrud:
Exactly. So you don't need to share it, you don't need to sell it. You actually don't even need to use the PII for those privacy laws to apply to you. It's the moment you're actually collecting it. So what is a privacy policy? So most websites have a privacy policy. You've probably seen them at the bottom of footers or had to agree to them when submitting a contact form. So you may be wondering what it is. So a privacy policy, it's an explanation of your privacy practices. So for example, the privacy policy will include what PII you're collecting. What do you do with that PII. Who you share it with and more. So privacy policies are, even though a lot of people think that they're just random disclosures, they're really not. So privacy policies, what's included in the privacy policy is actually dictated by the privacy laws that apply to you.
So that's the first step that you need to take is figure out what privacy laws actually apply. And then once you actually look at these privacy laws, you'll see that they have a section that says privacy policy disclosures. And that's where the disclosures in your privacy policy should come from. If your privacy policy is not based on the laws that apply to you, that means that the disclosures in there are pretty random, which means that you're not compliant.
So to figure out what privacy laws apply to you, you don't just need to ask where your business is located. What you need to ask is whose PII are you collecting? So who's submitting their information to your forms? Where are they located? Where are your customers located? So if you're doing business online, where do you ship? Things like that. To whom do you offer goods or services? Where do you do business? And who do you track online through services such as Facebook Pixel, Analytics, anything like that?
Hans Skillrud:
That's right. And what you're going to see here on this slide is a layout of privacy laws spanning the US, Canada, UK, and the EU and Australia. And really what we're trying to set as an example here is the fact that it's a reminder of what we said earlier, which is that these privacy laws are here to regulate the personal information of their people. Meaning that regardless of where you're located, what matters is whose information are you collecting, and do you have to comply with their privacy laws? Because each and every one of these privacy laws are different. And they have their own different disclosure requirements. I will note the EU's General Data Protection Regulation, number one. And the United Kingdom's Data Protection Act, 2018, technically is a mere copy of each other right now, once the UK left the EU.
Donata Stroink-Skillrud:
[inaudible] disclosures are still different because you'll say residents of the United Kingdom have these rights or residents of the EU [inaudible].
Hans Skillrud:
That's right. Well, also now we have a fork in the road with these two groups separating, the UK separating from the EU. So we will likely see these particular two privacy laws even change themselves. But regardless of that, just one off example, the privacy laws are unique and they have their own unique disclosure requirements. That is why it is essential to identify the laws that apply to you. And only then can you identify the disclosures you need to make within your privacy policy.
Donata Stroink-Skillrud:
Yeah, so a great example here is one of California's privacy laws, the California Online Privacy and Protection Act. So that one will apply to anyone who's collecting the PII of residents of California. So as you know, pretty much any website, once you go in there, you find a contact form, you can just submit the form regardless of where you're from. So you could be collecting people's information who are from California.
Hans Skillrud:
Or maybe just you have analytics installed into your website, and someone from California visits your website and you collect their IP address behind the scenes. Or maybe you collect their IP address for security purposes. That would mean the moment a single Californian visits your website, that privacy law is applying to you.
Donata Stroink-Skillrud:
Right. Or Nevada's privacy law, that will apply to anyone who's doing business in Nevada. So if you have customers there, let's say you run an e-commerce business and you ship to Nevada and somebody buys from you, well, now that law applies to you. So as you'll see here, there's some privacy laws here that are marked as 2023. These are the privacy laws that are going into effect in 2023.
So let's say you had your privacy policy written today. If it doesn't take into account these privacy laws and they apply to you, you'll need to update your privacy policy in 2023 to make sure that you're compliant. So as Hans said, you don't need to be located in these areas for these privacy laws to apply to you. And also these privacy laws have similar requirements in the sense that you need to have a privacy policy. Each of them has different rules for what a privacy policy needs to include.
You need to respect consumer privacy rights and make sure you respond to consumers in an appropriate period of time and make sure that you're following certain rules when it comes to collecting and sharing PII. One common question that I get a lot is... I actually have seen this from other lawyers, very surprisingly. A lot of people think that if they meet the requirements of the most stringent privacy law, that they're meeting the requirements of all other privacy laws. So let me give you just one example. GDPR, which a lot of people consider to be the most stringent privacy law, does not require you to disclose how your website responds to Do Not Track signals.
But CalOPPA does. So if you're compliant with GDPR, your privacy policy does not have that disclosure, which means that you're not compliant with CalOPPA. And there's a million examples like that. So I definitely want to make sure that people are cautious, that they don't just take a template that they found online that's GDPR compliant and think, "Oh, well, that's the most stringent so I'm in compliance with all other privacy laws." Because you're not. It just doesn't work that way. Each privacy law is different when it comes to privacy policy disclosures.
Hans Skillrud:
California Consumer Privacy Act just kind of came to mind with the fact that that one-
Donata Stroink-Skillrud:
Toll free phone number. Yeah.
Hans Skillrud:
Toll free phone numbers. But that, nowhere mentioned in GDPR. Also, CCPA has a disclosure of whether or not you offer financial incentives based on people exercising their privacy rights. And that's nowhere to be seen.
Donata Stroink-Skillrud:
Yeah. There's a million examples.
Hans Skillrud:
It just goes on and on. It's really unfortunate that I think a lot of people think, "Oh, I'll just go the most stringent route." That, it just doesn't work.
Donata Stroink-Skillrud:
Yeah, it just doesn't work.
Hans Skillrud:
Yeah. Yeah.
Donata Stroink-Skillrud:
So fines. So non-compliance fines can get very expensive, as we talked about. Anywhere from $2,500 per website visitor to 20 million euros or more in total. One thing that a lot of people don't talk about is another consequence of privacy law non-compliance, which we basically call data disgorgement.
So data that's obtained illegally. You can be required to actually just delete it from your systems in general. So if you have an email list of 50,000 people and that information was collected without compliance, that can actually mean that you lose your entire list immediately.
Hans Skillrud:
And that could be a huge asset loss for a business.
Donata Stroink-Skillrud:
Right. Exactly.
Hans Skillrud:
Absolutely huge.
Donata Stroink-Skillrud:
So privacy policies, they're not a stagnant thing. So because we don't have a federal privacy law, we see these states proposing and passing their own privacy laws. So these are the bills that we're tracking right now that are proposed in the United States at least. This used to be a really nice grid where we kind of talked about the requirements, the privacy rights, who everything applies to.
Unfortunately, the grid got so large that it just does not fit on slides anymore. But you can find it on termageddon.com. If you go to our blog and search privacy bill tracker, you'll find the grid there. But these bills all have very common similarities.
So first, they would apply outside of the state in which they're passed. So if you're not in any of these states that are listed, that does not mean that you're good to go. Two, they would all require businesses to have a privacy policy that makes certain disclosures. Three, they provide certain privacy rights to consumers. So the right to delete, the right to opt out of direct marketing, the right to opt out of sales of PII. Things like that.
Hans Skillrud:
The right to sue.
Donata Stroink-Skillrud:
And then lastly, we have the private right of action. So some of these bills would allow consumers to sue businesses directly.
Hans Skillrud:
And just like Donata said, these privacy bills, like all privacy laws, they are not designed for businesses located in those areas. Privacy laws protect people. They don't care where your business is located. And therein lies the broad reaching nature of what's happening here with these privacy laws.
So I think that in summary, the best way we can put it is that you don't just need a privacy policy that complies with today's privacy laws. What you also need is a strategy to keep your privacy policy up to date with new disclosures as new laws pass and as existing laws get amended. So that's really the new era that we're all in as website owners. Which is, you have to have a strategy to keep your privacy policy up to date, otherwise you run the risk of being non-compliant with changes in privacy laws.
Donata Stroink-Skillrud:
Exactly. So privacy policy disclosures. As we talked about, those depend on the privacy laws that apply to you. So your privacy policy might have all of these, it might have five. It just all depends on what laws actually apply to you, but it goes anywhere from the effective date of the policy to whether or not you use cookies or other similar technologies. Are you using analytics? How are you actually protecting the PII that you're collecting?
Hans Skillrud:
That's a good one.
Donata Stroink-Skillrud:
How do you use the PII that you collect, and how long do you store it? How people can complain? There's a ton of different disclosures that your privacy policy needs to have. But really the most important part to remember about this is that your privacy policy will depend on the privacy laws that apply to your specific business.
Hans Skillrud:
So that kind of concludes our thoughts on the privacy policy component, but we wanted to put into bonus discussions about other policies we often see in websites. And just a reminder, if any of you have questions along the way, feel free to ask them. We usually need one brave attendee to ask a question. And then usually everyone else kind of joins in with questions. So feel free to have questions and upvote the questions you want to get answers to.
And yeah, we'll go from there. But next is the terms of service. So another policy that is very common with websites is a terms of service. And it is also known as the terms and conditions, a terms of use, or just the statement terms. You've probably seen this in various different ways, but really what this document is trying to do is trying to state the rules of using your website in order to limit your liability as a website owner.
And do you need a terms of service? Well, it can help protect you and your business. I mean, that's really the best way to put it. Because the terms of service can help you answer commonly asked questions by customers and move them along the purchasing path. This is very common with e-commerce websites where maybe you need to explain your refund policies and your cancellation policies and refund policies and shipping policies.
Donata Stroink-Skillrud:
Yeah. And for a lot of consumers when shopping online, especially when buying things that... The sizing varies. So let's say I'm buying shoes online. I know that when I'm buying shoes online, I know my shoe size. But every once in a while the shoe will be slightly different just because of its style or whatever. And when I'm buying shoes, I want to know, "Hey, can I return this if it doesn't fit me?"
And if the business doesn't tell me that, if there's nothing in the terms of service that tells me that, I'm not going to email the business and ask them about their returns policy. I'm just going to go somewhere else that does provide a terms of service that does answer my questions. And if the terms of service says, "All right. Well, yeah, we offer refunds." Or, "No, we don't." Great, then my question's answered and I can just go in and purchase what I need.
Hans Skillrud:
And then... Yeah, maybe you can take the next couple, Donata.
Donata Stroink-Skillrud:
Yeah, and lessen your liability by spelling out what warranty, if any, you offer. So let's say I'm buying household goods online. I want to know what warranties apply. Let's say I buy a toaster and it breaks within six months. Do I get my money back or not? Your warranty, if it says that you don't provide any warranty, that means that you're not liable for that. But if you don't have a warranty section, that means that you are offering what's called implied warranties.
So those are warranties that are implied in any contract unless you specifically disclaim them. So if you don't say anything about a warranty, you do offer one. Protect your intellectual property. So essentially saying that anything on this website is our intellectual property and you can't steal it. You can't try to reverse engineer it, things like that. It can also help you in certain cases of copyright infringement.
So there's something on your website that someone believes is infringing on their intellectual property. The terms of service will include a DMCA notice, which basically just says, "Hey, instead of suing us, contact us here." And that can help prevent lawsuits in certain cases as well. Save costs by specifying where you will resolve disputes if they should come up. So if there's a dispute, you could potentially be sued in your area or the area where the consumer is located. So we're located in Illinois. Let's say somebody, a consumer from New Zealand wants to sue us, well, I'm not going to travel all the way to New Zealand to resolve that dispute. I can say, "You have to come here." Lessen the amount of damages that you may be responsible for in case of a dispute. And then generally just maintain control over your website by spelling out the rules of using that website.
Hans Skillrud:
And all of these examples are non-exhaustive lists. Another one I like is third party link disclosures. Just the simple statement that says, "Hey, we offer links to third party websites. Because we don't control those links if you click on one of those links and that website gets hacked and you get hacked and you lose all your data, you can't come back and sue us." That one little disclosure is just why I like a terms of service for virtually any website, because I mean we all offer third party links in this day and age. To our social media pages, to resource pages, maybe payment portals, all that stuff.
Donata Stroink-Skillrud:
Absolutely. And I think that brings us into terms of service disclosure. So what should your terms of service include? Again, that can depend on the laws that apply to you. So if you're in a country like the UK or Australia and you're selling goods or services or digital products to consumers, not to other businesses, you may have to comply with consumer protection laws, which dictate can you offer refunds, can you charge a cancellation fee? Things like that.
If you're offering automated renewals, so subscriptions, you'll have to comply with California's automated renewal laws and the Federal Trade Commission guidance on what they call negative option offers, which is basically the same thing as automated renewals. So that's really interesting to me at least, because... I'm sure no one else finds this interesting. But if you're offering a subscription and your terms of service does not include certain disclosures, the goods or the services that are obtained through that subscription are actually being considered a gift to the consumer.
So you will have to refund them if your terms of service does not include those disclosures, which can be a really big issue. Also, if you're selling internationally, there are certain things that apply by default, unless you specifically say that they don't apply. Which is the United Nations Convention on Contracts for the Sale of Goods, the Uniform Commercial Code, and Incoterms. Which can be pretty, not advantageous to businesses. So they may require you to offer refunds or prohibit you from charging a cancellation fee or a restocking fee.
So unless your terms of service specifically disclaims those, they do apply. But your terms of service will depend, right? It will depend on the laws that apply to you. It will also depend on the nature of your business and what you're doing on your website. So if you don't sell anything on the website, it doesn't make sense to have a refund policy. But if you do, it does make sense to have that. Right? So it just depends on what you're doing with the website.
Hans Skillrud:
Right. All right. So that's a high level overview of terms that we often see with websites. The other one we're going to cover today is the disclaimer. I will note if anyone wants to have us talk about cookie policies or cookie consent solutions, obviously Termageddon offers that as well, but just happy to answer any questions you may have around that one. But a disclaimer is a document that helps limit the liabilities that a website owner may be responsible for. So have you ever seen those commercials, like Super Bowl? You know, you watch those Super Bowl commercials and you see a commercial for a medication like a prescription or something like that.
Donata Stroink-Skillrud:
Yeah. If you take this, you will die.
Hans Skillrud:
Yeah. They end their commercials, in the last five seconds it's someone talking like a 100 miles an hour saying, "Don't take this if you're pregnant. Don't take this..." All of these.
Donata Stroink-Skillrud:
And also the workout videos that used to have like, "Oh, if you're going to faint, stop exercising."
Hans Skillrud:
Those are all disclaimers.
Donata Stroink-Skillrud:
Yeah, great example too. It's like what we said at the beginning of this talk. Nothing here is legal advice. That's an example of a disclaimer.
Hans Skillrud:
That's exactly right. So if your course... So when do people need disclaimers? So if you have advertisements going on where you are displaying ads from third parties on a blog, maybe, perhaps you'd want a disclaimer. If you're selling any health products like diet pills, supplements, essential oils, like anything where you're promising some sort of weight loss or muscle gain or...
Donata Stroink-Skillrud:
Yeah, any kind of health... Yeah.
Hans Skillrud:
Yeah. The next one, which gets people a lot often, which are affiliate links. If you offer affiliate links where if someone clicks a link on your website and then makes a purchase on a third party website, if you receive a commission, you should have an affiliate disclaimer just explaining to people, your website visitors, the fact that you have an affiliate relationship and may receive a financial incentive for offering that link. That just builds transparency. And it's just a great disclaimer to provide. If your course lists health or fitness advice.
Sorry, we wrote course. If your website lists health or fitness advice, perhaps in your blog posts or just anywhere on your website, a disclaimer can help protect you in case an individual gets injured by taking your advice and getting screwed up or messed up or something. You want to have a health and fitness advice disclaimer in there.
Donata Stroink-Skillrud:
Yeah, same thing with legal advice too.
Hans Skillrud:
Exactly, that's right. Yeah, legal advice as we just had for ourselves. That's very popular with law firm websites, for example. Who may blog about legal decisions and things like that. All right, so we covered some of the most popular policies. Hopefully that's beneficial to you all and you're kind of having some takeaways on what you may need for your own website. And you may be asking yourself, "Well, how do I get policies?"
So we think there's two great options and I will start by saying what I don't think is a good option, which are templates. Privacy policy templates in particular, I really struggle with. Because as we mentioned earlier, if you create a GDPR privacy policy template, you're missing all the other disclosures that are required under the other potentially applicable privacy laws.
Not to mention I have yet to see a template that's actually compliant with even the privacy laws that claim to be, but that's just a personal opinion. But even if you've somehow found a template that matches all the exact disclosures you are required to make, it still doesn't answer the question of how do you keep that policy up to date over time. And therein lies my concern with people thinking they can just get a template and move on in life.
Because I think that doesn't help the website owner and I certainly don't think that respects the rights of the website visitors whose rights you're infringing upon. So we don't recommend templates, but what we do recommend are two options. Option number one is hiring a privacy attorney and a contracts attorney. So surprise, surprise, this is easily your best option because nothing beats having your attorney draft and continually update your policies when the laws change while providing you legal advice.
This is the best option of course, because you get legal advice. The con here though is obviously it can be quite expensive, especially for websites where policies are important but they're not like the fundamental crux of their business. And when getting quotes for not only drafting policies but monitoring privacy laws, expenses can quickly exceed $5,000 a year. Not to mention we have... There's not too many attorneys on this world that want to take care of this stuff in the first place, but either way the con would be that it's obviously expensive.
If you are reaching out to attorneys and asking for quotes, I would recommend checking out the IAPP.org website. That's where Donata got her certification. That's where also 65,000 other attorneys and certified information privacy professionals have gone to and they have a directory of attorneys that you can maybe reach out to and ask for pricing.
You also want to make sure that they understand that to draft a good privacy policy, you got to first find out what privacy laws apply to you. And only then can you identify the disclosures you need to make. You also want to ask your attorney upfront what the cost will be to monitoring privacy laws and keeping your policies up to date. If your website targets children or has a financial component to it, you're going to probably definitely want to use an attorney in those situations. Because those tend to get much more complicated with FINRA and COPPA privacy laws.
Donata Stroink-Skillrud:
Yeah. And I'd say, I would try to talk to someone who has been working in privacy. A lot of business attorneys, while they're great, they don't necessarily have the breadth of knowledge for this. So talking to somebody who focuses their work in privacy is probably going to be your best bet.
Hans Skillrud:
Yeah, any attorney that's taking an active role in privacy, that's great. That's the person you want to work with. The second option is a website policies generator. So a website policies generator is a piece of software. It's usually a website that you log into, answer a series of questions and generate policies for you. Full disclosure, I'm a bit biased in my opinion here because I'm married to a privacy attorney and I run with her a website policies generator. But basically website policy generators are an affordable alternative to a privacy attorney.
Typically website policy generators will be about $99 a year and they can fit most small business models and their needs. Termageddon for example, I think is a good representation of a website policies generator. It's $99 a year, you get a set of policies and a key component of a good website policies generator is that they take an active role in monitoring these laws, notifying customers of changes and even have the ability to push automatic updates to the policy pages with new disclosures whenever they become required.
So if you're looking up website policy generators, I would definitely look at that component. Do they have a true strategy to keeping up to date with privacy laws and changing laws that impact policies? I'd also recommend looking up who their founders are. Do they actually have an attorney that's working there that hopefully founded the company at the very least. And going from there.
Donata Stroink-Skillrud:
Yeah. But the con to website policy generators is that they're not a legal service provider and they cannot provide you with legal advice.
Hans Skillrud:
That is easily the biggest downside. And therein lies why they typically are able to charge $99 a year instead of five to 10 grand a year for such a service. So yeah, just research who's behind... Whether you choose a privacy attorney or a website policy generator, just look behind, who is behind this company or this law firm. Make sure you talk to them and make sure you work with somebody you like.
All right, so I was offered the ability to make a sales pitch, so I did it in one slide. But then we'll go right into Q&A. But I do want to note if any of you are interested in Termageddon, our service is $99 a year. It includes a set of policies to make for one website. So a privacy policy, terms, disclaimer, cookie policy, cookie consent solution, and even more.
And you will get 20% off your first payment of the $99 per year license if you use the promo code, WAIVERSIGN at checkout. And on top of that, you'll actually receive an automated email if using that promo code. Where you'll receive a video where I walk through the WaiverSign starter pack, which will be added to your account, which has a bunch of pre-answered questions within the generator along with a walkthrough video where I kind of just talk about what would a typical waiver website use when answering this questionnaire. Obviously you want to answer the questionnaire based on your own business needs, but this can just help expedite the setup process and hopefully help you move along. So if that interests you, feel free to go to termageddon.com/waiversign. Yeah, and let's go into Q&A.
Donata Stroink-Skillrud:
Awesome. All right, so we'll stop sharing this. Okay, let's see if there's anyone left here.
Hans Skillrud:
Hey, we got Brandon.
Brandon Lake:
Hey, I'm here. Thank you both so much. My mind is spinning with a lot of things here. Questioning some things on my side even. With some of our... We took... I don't know, it's probably been 10 years ago or so, we did an update to our privacy policies and took the attorney route. Back then I think we spent about $3,500. It's obviously gotten a little more expensive since then, but the big challenge for us is, I don't think we've ever updated it.
This is on one of our tourism based websites. And they did a very thorough job I think going through it. But how many laws have changed since then?
Hans Skillrud:
Quite a few.
Brandon Lake:
And I haven't taken the initiative on my part to go back and I imagine some attorneys are good about coming back and saying, "Hey, let's review." But in our case, we haven't had a lot of that. So I do like that aspect of something that will automatically keep itself up to date. That's pretty cool.
Hans Skillrud:
I think a lot of people look at us and think like, oh, we must judge people based on their privacy policies, but we're normal people. At least... Well, we're not that normal. But I mean normal in the sense that we're not judging, we understand this stuff is new. And it's just the fact that privacy is becoming more important, not less important over time. So we're just trying to tell as many people now because, well, there's already legal requirements. But it's just like the writing is on the wall. Things are going to get more intense, not less intense with this stuff. So you might as well just get that strategy in place and move on in life.
Donata Stroink-Skillrud:
I think that's why it's important if you are working with an attorney, making sure you let them know that you want to know about updates. And asking them how much is that going to cost? Because some attorneys assume that maybe you don't want this, you don't want a continuous relationship with them. So asking them, "Hey, will you update this? And how much is that going to cost?" If you do end up going that route.
Hans Skillrud:
For the record, Termageddon is lawyer friendly too. So you can share your license with your attorney and they can review what you generated and they can customize it however you wish. And if there's any attorneys listening, we do have a law firm partner program at the bottom of Termageddon.com I'd love for you to check out.
Brandon Lake:
Cool. Okay, let me... Before I jump into questions, I just want to show we actually use your service on one of our sites and I just want to show it here. Let me just share my screen. All right, first of all, this is a link. I just placed this in the chat, so if you want to go there and click on the link in the chat, you're going to land on this page. And this is where you can get access to this. We appreciate the deal they're giving for all of those who are listening today. That's awesome. And the fact that it comes with a starter pack and everything, I think it's an amazing value to be able to get something on your website right away.
Hans Skillrud:
For the record, just if I so may, just the fact that we cover disclaimers, I do want to note that WaiverSign may receive a commission on any time you use the promo code. They actually didn't ask for one. That's just how our system works. To set up a promo code, I have to have them register. So I think they'll receive a commission off the sale. But if you don't want to give them any kickback, just don't use the promo code. That's all.
Donata Stroink-Skillrud:
But use the promo code because you get money off.
Hans Skillrud:
Yeah. But you get a discount. Everyone wins.
Brandon Lake:
You get a discount. Yeah.
Hans Skillrud:
Yeah, yeah. Everyone wins.
Brandon Lake:
Well, that's great to know too. We hadn't talked about that.
Hans Skillrud:
Yeah, we didn't. So that's all right, Brandon.
Brandon Lake:
Yeah, that's just fine with us. So on here, on this... So we have a website called Resmark Web. Many of you are familiar with that. That's where we've helped a lot of you create websites for your own businesses. And the Termageddon piece integrates really nicely into this. We can take that code and have your privacy policy pop up right up. So we've actually done it ourselves on our own website. So of course if you're interested in getting a website, you can come here and click that too.
But if you want to see an example of one, you can actually come down here and just click on privacy policy. And you'll see here, this is pretty cool. It actually says it was updated yesterday, 6:09 AM. That's pretty cool. If I go back to some of my other stuff it's going to have years ago was the last update to this thing. So that's kind of fun to see. And then you can just see, just as an example, if you're curious, what are we really talking about? What does a generator end up looking like? It has all of these sections in here and these are getting answered according to the way that I answered certain questions in terms of where our clients might come from and things that we collect on our website and so forth. That's where all of this is coming from. So kind of cool.
Donata Stroink-Skillrud:
So yours will, if you do create yours with us, it might look completely different just based on how you answer the questionnaire and what your privacy and business practices are. Which is how we're different than a template. Which is that no two policies that we generate are the same.
Hans Skillrud:
Yeah.
Brandon Lake:
Yeah. So [inaudible]. What's that?
Hans Skillrud:
Thanks for sharing that.
Brandon Lake:
Sure. I mean, I think it's helpful to see, I think a lot of people are like, "A generator? What does this end up looking like on the website?"
Hans Skillrud:
[inaudible].
Brandon Lake:
I just thought [inaudible] an example because it's really easy. So again, if you want to see that it's Resmark Web. Maybe Bob, you can stick that in the chat as well. Resmarkweb.com. If you just want to go somewhere and see an example of what a privacy policy looks like. And of course if you're thinking along the lines of like, "Gosh, I want to put this on my website. I don't have someone to do it." We're happy to help with that too. If you have any questions, we can help you get it there on the web agency side of our business as well.
So let's jump into some questions. We've got a bunch coming in here. Feel free as we start going through these, everybody, if you have more that are like, "That brings up another question in my mind." Feel free to go ahead and plug it in there and you can click the little icon off to the side to upload things. So let me just scroll down a little bit.
Okay, so here's actually one with a bunch of votes from Bill. He says he builds a simple website via Wix for a motorcycle club. There's a member only section, photo section, and a contact us section. And this is kind of the question about Wix, I guess. But does Wix provide a generalized privacy policy or terms of service?
Donata Stroink-Skillrud:
So first of all, you don't want a generalized privacy policy or terms of service. So a generalized privacy policy or terms of service, it doesn't help you. It doesn't help anyone. Because it's not going to be based on any privacy laws. So if the reason why you're looking for a privacy policy is to comply with privacy laws and to avoid fines, generalized privacy policies aren't going to do anything for you. Some website building platforms like WordPress, WordPress does provide a template, if you can call it that.
Hans Skillrud:
[inaudible].
Donata Stroink-Skillrud:
It's mostly just headings with no text afterwards that again, doesn't comply with anything. I don't believe that Wix provides that, but either way, even if it did provide a template for every business that it serves, it just really wouldn't do you any good to use it. So I personally wouldn't use it, but yeah.
Hans Skillrud:
Well, and we'll put in that example, like I said earlier, does it ask you the question, do you offer financial incentives based on if people exercise their privacy rights or not? Or do they ask you about toll free telephone numbers and providing one? Because that's not even necessary for some website owners, but it is necessary for others. And therein lies the complexity of this stuff. So just to reiterate Donata's thoughts, what's the point of a privacy policy if it's not compliant with the laws you're required to comply with? You first have to find out the laws that apply to you, and only then can you identify the disclosures you're required to make. So I'd keep that in mind, Bill. And just a few other thoughts. Obviously, please note none of our answers here are legal advice, but you mentioned a members area where people can post images.
Immediately, I kind of think about the benefits of a terms of service and a DMCA disclosure. The Digital Millennium Copyright Act, which basically says, "Hey, if anyone posts any imagery or content or logos that they weren't allowed to, rather than suing me, the website owner, just let me know and I'll remove it from the website." That is an excellent reason to have a DMCA disclosure. Because it just prevents bad actors from doing bad things.
Another thing with the terms of service is being able to prohibit content that could be considered abusive, swearing, name calling, sexually explicit, exploitive of children. If you want to have the right to remove comments or posts that are being made in your member area that could be considered that, I would certainly consider a terms of service as well.
Donata Stroink-Skillrud:
And also the simplicity of the website. The privacy laws do not take the simplicity of the website into account at all. So I could have a website that's just a contact form with literally nothing else. The same privacy laws would apply to me even if I had a 1000 page website. So the complexity or the simplicity of the website unfortunately does not take into account.
Hans Skillrud:
And Bill, I'd imagine you're probably sitting there being like, "Well, that's really annoying." And I just got to reiterate, I get it. I'm a small business owner. I understand that this stuff is very intense and intimidating, but I think it's just important to understand, do you want to try your best to avoid it and just hold out with that mindset for as long as possible? Or do you want to just embrace privacy, give people their privacy rights, follow these laws, and move forward with that kind of strategy? And I think as time goes on, more and more people are going to just have to accept the fact that people's data is being regulated with very specific rules.
Brandon Lake:
Okay. Bill has a follow up question on that. And another person kind of referencing something similar. Let me see if I can combine these together. So again, this relates to WaiverSign. Okay? So he's using WaiverSign for his annual release of liability for the motorcycle club [inaudible]. They [inaudible] on private property and so forth. So they're signing that waiver, a release of liability.
Is there a general privacy policy or terms of service for the data collected from the releases of liability? Now I'm not a 100% sure if this is saying, does WaiverSign provide... Chris kind of chimed in on this too and said, "Is Resmark's WaiverSign document hosting already compliant with general terms of service or is it up to the text of a waiver document that we upload to include this info? Pretty much the only data we collect is through the WaiverSign release of liability forms."
So yeah, I mean with that, although it's coming through the WaiverSign liability form, I would say... And I'll just add my answer to this and you can even correct me if I'm wrong or add to it, but WaiverSign has its own terms of service and privacy policy and so forth as to how we handle the data collected on behalf of our clients. But that doesn't preclude a client from needing their own terms of service or privacy policy because you now own that data. And it's in your database technically, even though it's on our servers and so forth. But you have access to it. What are you doing with it? Are you exporting it? Are you utilizing it within the tool to fire off emails?
I mean, you can do a lot once you have that information. And it's kind of, you're responsible for it, I would say. Even though it's in someone else's solution. Do you want to add to that?
Donata Stroink-Skillrud:
Yes. So exactly, right? So let's say I take the information from the waiver and I upload it onto MailChimp or something like that. Well, that information, I'm the one that's controlling that information now. So I'm the one who's deciding where that information goes, who I'm sharing it with, whether I sell it or not. And that has nothing to do with WaiverSign, right? So it's anytime you are sharing that information with any vendor, you're still responsible for making sure that you have the right disclosures for those particular consumers.
Hans Skillrud:
And based on what laws apply to you, you may have to actually even disclose the fact that you share that data with your waiver management software so that you can provide customer service. And I think a lot of people get kind of concerned, "Oh, I'm storing my data with these third parties." Every modern website kind of has to do that.
Donata Stroink-Skillrud:
What are you going to do? Build out your own email marketing service, build out your own payment platform, build out your-
Hans Skillrud:
Your own email server.
Donata Stroink-Skillrud:
Yeah, that's just... Yeah.
Hans Skillrud:
Sharing data, extremely common. It's just the fact that we have to disclose it. And that's such a good example of being able to say, I share my data with my waiver management software. And even in that course creator starter pack video we go through, we actually talk about that very exact thing. And we see this example throughout. It's not excluded just to waiver management softwares. No, this is email marketing systems where you share emails with MailChimp or Constant Contact or ActiveCampaign to send email marketing. Or your email inbox when you receive leads or orders or notifications of waivers being signed. You're sharing that data with your email service provider. So you just got to disclose the fact of when someone submits their data to you, where is it going?
Donata Stroink-Skillrud:
And you need to have your own policies for doing that.
Hans Skillrud:
Yes. Yeah.
Brandon Lake:
Okay. So even if WaiverSign is just a dead end, so to speak. That you're having people sign waivers and you don't even touch. It just sits over here. Because it was initiated through your business to go over here and sign the document, you still need to have your own privacy policy and potentially terms of service.
Donata Stroink-Skillrud:
Well, technically you would still be touching it, right? Because you would know when somebody signed the waiver. So you would still be touching that data and it's the point of collection that matters, not the point of use.
Brandon Lake:
So the fact that you have access to it, even through your account that you can get to it. Which you have to be able to get to it because if you ever have an issue with a lawsuit or something, you need to be able to go access the waiver and all of that. Okay, excellent. Great question.
Hans Skillrud:
Great question.
Brandon Lake:
Yeah. So here's another question on this. And this would be true I think for a lot of transactional type systems. So this would be someone who, say they sign a waiver. They bring up the fact that, "Hey, I want you to delete my data." Right? Because they can request that under certain privacy laws. Well, we have a document now that has been signed, that's a legal document that has their information and signature on it. Would that company be required to delete the waiver, thereby not protecting themselves from a lawsuit anymore? It would almost be a back door to say, "Hey, I don't want my information there, delete my waiver." And then they sue you and they say, "Now you have no recourse."
Hans Skillrud:
Excellent question.
Donata Stroink-Skillrud:
So privacy laws do have exceptions to rights. So the rights are not absolute. So in some cases you can say no to a request to delete. So let's say I collected your personal information to send you email newsletters and that's it. And you asked me to delete your data, I have to delete it. But let's say I collected it as part of a legal process, as part of a compliance requirement, as part of a contractual requirement, as part of a safety requirement or something like that. I can say that I will not delete your data. However, you would have to make sure that you still respond to that consumer and explain why you're not deleting their data. And the reason has to be legitimate. So you can't just say, "Oh, well, it's a compliance requirement that I send you email newsletters." Well, no. It isn't. You know what I mean? It has to be a legitimate legal reason. And you do have to still explain that to the consumer.
Hans Skillrud:
Really good question.
Brandon Lake:
Would that be true in the case of say, transactional data related to a purchase? So for example, Resmark has a reservation system that's associated with WaiverSign. It does, and others on the call may have this question too. So in the same way I've collected information from an individual because they made a booking for a future event, now they're saying, "Hey, delete my information from that." However, the tour company or the activity or experience provider needs to have that information to facilitate the activity for which they booked. Or, and this is the other half of the question, what about afterwards? As a reference for financial reasons or different things like that. Is that justification for saying, "I can delete these pieces of your information, but this stuff has to stay intact because it was part of the transaction?"
Donata Stroink-Skillrud:
So each privacy law does have different criteria. So it again, just depends on the laws that apply to you. But usually yes, because it's indication of a contract that was being formed. So like a consumer paid for a particular service and then that service was delivered to the consumer, meaning that the contract was fulfilled. But afterwards you might not be able to use that information for different reasons.
So let's say I collected your email address to send you the waiver, which is part of a legal requirement. You asked me to delete it and I say, "Well, no. Sorry, I can't. Because I have to keep it for these reasons." You can't just take that email and then send them spam emails afterwards. You might be restricted in how you can use that information afterwards, or you might have to delete it after a certain period of time has expired. So let's say the statute of limitations on that contract has expired. So it really doesn't matter anymore what happened there. You might be required to delete it then. But really the best option is to know what privacy laws apply to you and then to check that particular privacy law to see what reasoning it gives for how to deny a request. And then what the restrictions are on the use of that information afterwards.
Brandon Lake:
Okay. Excellent. Couple other questions. Do municipal government websites need to have a terms of service?
Donata Stroink-Skillrud:
For government websites, what we recommend is speaking to your legal team. So usually government websites will have an attorney in their area, their state or their territory or whatever that takes care of all legal matters for the government. And they're the ones who will be able to write a terms of service and a privacy policy for you. Because government websites are subject to different privacy laws and contractual requirements than private businesses. And you'll be able to save the taxpayer some money just by going through to your team, to your legal connection in your area. And they'll be able to... Usually they have ones that are pre-written.
Brandon Lake:
Okay. Here's one that got a lot of votes here. Do any of these policies apply to non-profits? This is from Saskia. How do non-profits navigate privacy since there is not a great deal of clarity about requirements for non-profits?
Hans Skillrud:
That's a great one. So some privacy laws don't take non-profits into account. Other privacy laws do. So it still goes back to the root of what we've kind of shared today, which is you have to identify which laws apply to you. Correct. Many privacy laws are just for for-profit entities, but many are not. So that's what you need to keep in mind. You still need to find out the laws that apply to you.
Donata Stroink-Skillrud:
So for example, Canada's federal privacy law, PIPEDA, does not apply to non-profits, but Quebec's privacy law, which is within Canada, does apply to non-profits. So each privacy law has a list of exemptions and some of them will list non-profits and others will not. Like GDPR for example, does apply to non-profits. So it's kind of a very similar process to for-profit businesses where you look at who these particular privacy laws apply to and then you see if you fit that particular criteria.
Brandon Lake:
Okay. And then just as a follow up to that, how does Termageddon's policy generator handle non-profits? Does it? Does it work?
Hans Skillrud:
Oh, yeah.
Donata Stroink-Skillrud:
So when you're answering the questionnaire, you'll be asked about your legal entity type. So if you select non-profit, you will receive a different set of questions than if you selected a for-profit type of entity.
Hans Skillrud:
And that's why every policy generated is so different because the first 10 questions of Termageddon dictate all the remaining questions and then those questions may dictate other questions. So it's a conditional system. That's why everyone has a different experience with the tool.
Brandon Lake:
That's cool. Okay. This was a question I asked. It got a handful of votes. And I'm just curious about this. Who most often decides to formalize a complaint or a lawsuit around a privacy violation? Is it generally always like an individual consumer who's just up to speed on all this stuff? Or are there actually agencies or attorneys out there searching around for non-compliant businesses, trying to find people that are vulnerable and then hitting them with a lawsuit or fines?
Donata Stroink-Skillrud:
So it depends on where you're located. So let's say you're located in the United States. So complaints can come from two places. One is the state's attorney general, and the other one is consumers. So what happens a lot of times is the state's attorney general will have a separate form on their website for complaints. So a consumer will file a complaint there saying, "Hey. I booked a meeting with this business, and all of a sudden now I'm getting marketing text messages at 3:00 AM."
Hans Skillrud:
That's a good one.
Donata Stroink-Skillrud:
The state's attorney general will compile those, and let's say they see multiple consumers complaining about the same business, that's where the investigation will start. So that's what happens in the United States a lot. In the European Union, slightly different. But consumers will submit a complaint to data protection authorities. And again, they'll compile and see how many consumers complained.
But in the European Union, we also have consumer protection groups. One of them is called None of Your Business.
Hans Skillrud:
Yeah, NYB.
Donata Stroink-Skillrud:
Which basically kind of seeks out and looks at different websites. And sometimes they'll run software through those websites to see if they're compliant or not. And that's when the consumer protection group itself will file a complaint with a DPA. So it kind of depends on where you're located. Most complaints come out from consumers and they come from a couple different places. But it really comes from actually one place, which is consumers are surprised by what's happening.
So they either are tracked through analytics where nobody told them that they were going to be tracked. So they never got the chance to consent or say yes or say no. They did not get adequate information about privacy. So let's say the business did not have any privacy policy or any privacy information. Or they contacted a business to ask to exercise their privacy right. So for example, they asked the business to delete their personal information and they never got a response or they got a response that was not satisfactory.
So usually privacy complaints come from the idea that a consumer goes onto a website expecting a particular experience and having something happen to them where they did not expect that happening.
Hans Skillrud:
I'd also just add the fact that, Brandon, you kind of mentioned, well, are there attorneys getting together and filing lawsuits? And private right of action is something that is in existence under privacy bills right now in the US.
So New York has a privacy bill that if it's passed, it's going to enable New Yorkers to sue any website owner located anywhere for collecting as little as their email address on a contact form without proper New York privacy law disclosures. Once one of those bills passes where consumers can pursue private right of action, I personally think it's going to be an absolute mess.
And obviously that's why Termageddon is getting the word out now. Hopefully we get some attention because I think it's only a matter of time until that happens. And that's why we keep telling people to have a strategy for this stuff. Because one day that thing is going to pass. Probably no one is going to be paying attention to it. And then all of a sudden people are going to be looking at lawsuits down the... I mean, it's going to be easy. I mean, you just scan a website to see if they're not compliant. They don't provide your disclosure and then submit the lawsuit right on the contact form. I mean, it's going to be nasty in my opinion, but...
Donata Stroink-Skillrud:
Well, you wouldn't submit a lawsuit on a contact form.
Hans Skillrud:
Why not? I'd be like, "Hey, I submitted my data on the site. You don't have the right-"
Donata Stroink-Skillrud:
That's not a submission of a lawsuit.
Hans Skillrud:
Oh, okay. There you go. So I guess there's a more formal way of doing this. Send a pigeon messenger.
Donata Stroink-Skillrud:
I remember for my first lawsuit.
Brandon Lake:
So you did cover this, but I just want to reiterate it. Because there's a question. I think this was asked kind of early on, so you may have answered it. But say I'm in Canada, any province of Canada, and I am doing business with anyone in the United States. I still need to, even though I'm outside of the country, do I still need to pay attention to all of these various state laws and so forth?
Hans Skillrud:
Yeah.
Donata Stroink-Skillrud:
Yeah.
Brandon Lake:
Or I facilitate something for a consumer. I provide a service for someone in the UK or Australia or anywhere. I have to understand and make sure that I'm accounting for those.
Hans Skillrud:
That's exactly right. And I'll give you an example. Visit enforcementtracker.com.
Donata Stroink-Skillrud:
GDPR Enforcement Tracker.
Hans Skillrud:
I think it's just called enforcementtracker.com.
Donata Stroink-Skillrud:
Is it really? They changed it? Okay.
Hans Skillrud:
Yeah. Ricky, we have one of our employees in the chat today. Ricky, if you happen to maybe get the right URL, you can pop it in here. But that particular website tracks just GDPR enforcements. But what you're going to see is there's companies listed there that are US businesses that have been fined hundreds of thousands of euros in some examples. Even though they're US businesses, they just happen to be, they monitored the behavior of residents of the EU and that's what got them dinged for not being compliant. But it's not that, it's the failure to comply with laws, but that's what forced them to comply with their law.
Donata Stroink-Skillrud:
And also, if you're located in the United States and do business in Canada or collect the personal information of Canadians, Canada's government has specifically said that businesses outside of Canada need to comply.
Hans Skillrud:
So privacy laws, they don't care about where your business is located. What they care about is protecting their people's data. And at some point in time, it's just like, do I embrace it or do I keep trying to run away from it? But that's a decision I think website owners need to make.
Brandon Lake:
Well, and here's a great... I mean, this is kind of reiterates this, I think from Martin. But I do, and I appreciate Martin, what you're saying here. Because this is sort of mind blowing. He says, when you create a website, you can't restrict who visits it.
Hans Skillrud:
Yeah. Well, yes you can. But yeah.
Brandon Lake:
But generally you would be accepting visits from anyone in the world for, I would say most websites. They're not going to have... I've never run into one really that says, "You can't visit us because you're from Utah." Or something.
Donata Stroink-Skillrud:
[inaudible]
Hans Skillrud:
That will be coming.
Donata Stroink-Skillrud:
I have seen that. When we were in Europe and there were a number of websites that I tried to visit where it was like, "Nope." Yeah.
Hans Skillrud:
Exactly. Me too. [inaudible] I'll share a little tidbit of my personal life, which is I actually love looking at storage units for sale. And storagetreasures.com. I was in Europe trying to look at storage units in America, and they just blocked me. Because I was in Europe at the time.
Donata Stroink-Skillrud:
Thank God. I might set up some kind of firewall in our own house that just blocks [inaudible].
Brandon Lake:
Yeah, you love this [inaudible].
Hans Skillrud:
She's not pleased.
Donata Stroink-Skillrud:
And it generates any kind of random reason, "You're too bald to visit this website."
Hans Skillrud:
But just to also just echo my thoughts, which is, don't get me wrong, I love the fact that people are getting a right to their privacy. I do think that is something worth fighting for. We don't realize what life will be like if we don't have privacy rights. So I'm not discrediting privacy laws. But yeah, I'm sitting here as a small business owner, I think it's an absolute joke that I just want a website. Now, I have to comply with a multitude of ever-growing, ever complex privacy laws. Yeah, that kind of stinks.
And that's why we created Termageddon. It's like, let's try to offer at least something, the first step any website owner can reasonably take to take action and start trying to comply with this stuff. Because I hope it's not a hindrance to small business owners, I guess. That's my biggest concern, because that just goes against other things I believe in.
Brandon Lake:
Sure. Well, and I mean, the rest of Martin's question here is, does that therefore mean it's your responsibility to adhere to every single privacy law in the world? How is that even possible?
Hans Skillrud:
No.
Donata Stroink-Skillrud:
Just the ones that apply to you.
Hans Skillrud:
Yeah, because...
Brandon Lake:
But if you're potentially... Like we have some tour businesses. We provide rafting trips with the other side of our business, and people can literally come from any country in the world to participate in [inaudible].
Donata Stroink-Skillrud:
So let's take GDPR as an example, right? GDPR specifically says, the mere fact that somebody may stumble upon your website does not mean that you need to comply. So you need to actually offer goods or services to residents of the European Union. Meaning an actual offer. Meaning that, for example, your website needs to be available in French or German or something like that. Or you need to have a German phone number that people can call. Or if you monitor the behavior of EU residents online.
So if you have analytics. So if you're not doing those two things and somebody could just randomly stumble upon your website, that doesn't mean that you need to comply. So some privacy laws are basically just anything goes. If somebody could submit their information, you'll need to comply. But others have very specific criteria that you need to meet.
Hans Skillrud:
Yeah, it's really important to understand. A lot of these privacy laws have qualifiers. Meaning that just because you do business in that area or process the data of people in those areas, that doesn't necessarily mean you have to comply with those laws because you have to have 25 million revenue or more, or process the data of 25,000 individuals from that state.
Donata Stroink-Skillrud:
But some don't have.
Hans Skillrud:
Yeah. Some are just like, "Hey, the moment you collect our data is when that law applies." So again, it all comes down to just going through a series of questions to find out what laws you need to make disclosures for.
Brandon Lake:
Okay. No, that makes sense. And I mean, gosh, I think about how much there is to take into account, even just within the United States. I mean, I imagine most people [inaudible] are doing business just with people across the United States at least, and there's already a list on one of your slides of all of the things that you have to think about just across the states.
And it seems like every year we're going... Now that there's more states participating every year saying, "Hey, I want to protect our residents, and we have our own unique set of opinions about what privacy means." It's like, it's only going to become more and more until probably every state has their own variations to this, and we have to keep track of it. And that's a tough job for attorneys. And I think that's one of the value to the solution that you guys offer where, gosh, I don't have to keep thinking about this.
Donata Stroink-Skillrud:
Yeah. I mean, that's the negative of not having a federal privacy law. If we had a federal privacy law, we wouldn't be in this situation. But we don't.
Hans Skillrud:
But that's a key thing about, if you are going the privacy policy generator route, make sure that the tool is designed to first ask you what laws you need to make disclosures for. And obviously, that's included with Termageddon with every license, including the starter pack we do. We walk through every single one of those. Because it all starts there. And if the generator you use or the attorney you're reaching out to isn't starting by having you figure out what laws apply, you might want to look for another attorney or another generator.
Brandon Lake:
Excellent. We've got a handful other questions here, but I think we can handle those after the fact. We'll make sure that we get back to you if one of your questions wasn't answered. And we've gone over a little bit on time, but there's so many good questions here. I just wanted to...
Hans Skillrud:
Really good questions today.
Brandon Lake:
I wanted to take [inaudible] that. I'm going to ask one last question before we conclude here that has been on my mind. You touched on it just for a moment in our... And we're actually looking at some of this on our own website, so I'm curious. Just cover this very briefly. But you mentioned cookies. So you see, when you go across the internet, we all see it. And what I'm talking about is the little message that pops up, "This website collects cookies [inaudible]."
And some of them have just a simple, "If you continue to browse, you're agreeing that you're okay with our cookie policy." And then you kind of just close it. Other ones have the same kind of thing and you click accept. Other ones have accept and decline. Other ones have accept or adjust all my settings.
And you can open this thing up and you're like, "What does all this mean? I don't know." Uncheck, check, check, whatever. And it gets confusing. You see so many variations. Is there a right and a wrong? If the business was saying, "Look, I don't want to overcomplicate." It's like, "I want people to visit my website and I want them to fill out a lead form to make a booking, to register for my service." Whatever it is. That's the goal of the business, right? To make money. So how do we do that in a way that is the least obtrusive? What do you suggest?
Hans Skillrud:
Yeah, absolutely. So there are only certain people on this planet that have these types of rights where people have to...
Donata Stroink-Skillrud:
The special people.
Hans Skillrud:
Yeah. Special people. Where they have to consent prior to you putting non-essential cookies on their browser. And what that basically means is, by default, you can't trap people. That's really probably the simplest way to put it. Certain people. So people in the EU, the UK, Canada, and even California, if California Consumer Privacy Act applies to you. And that's a different kind of consent solution.
So there are so many cookie popups that are non-compliant with any privacy law. It's actually kind of wild. And there have been companies that have been fined millions of euros for having inaccurate or deceptive cookie consent solutions. So when you talk about how do we build... We want to have a website that converts and makes money and all that stuff, a 100%. I'm not in disagreement with that. It's just the fact of, do you want to do it under the lens of compliance? And if you do, well, then you do need to present that consent solution, at least to the people that have those rights. So I think that's just... You were like, "Hey, one final quick question." This kind of opens up Pandora's box.
Brandon Lake:
It's a whole new webinar, isn't it?
Hans Skillrud:
Yeah. But [inaudible].
Brandon Lake:
[inaudible] next week.
Donata Stroink-Skillrud:
[inaudible] good question though.
Brandon Lake:
How not to lose a million dollars.
Donata Stroink-Skillrud:
It needs to have an accept button and a deny button.
Brandon Lake:
Okay.
Hans Skillrud:
Yeah.
Brandon Lake:
[inaudible] I guess, too. Right?
Hans Skillrud:
And it has to work. Yeah, there's so many cookie consents I see that don't actually do anything.
Donata Stroink-Skillrud:
But it needs to give people an actual choice. So they need to be able to say, "Yes, I want these cookies implemented." Or, "No, I don't want these cookies implemented." So anything that says, "By visiting this website, we're assuming you're okay with cookies." Not compliant. Anything that says, "We use cookies, click okay." Not compliant. It needs to have a yes and a no option.
Hans Skillrud:
And Termageddon's questionnaire will walk you through what privacy laws apply, and then later on the questionnaire, you'll be alerted if you actually need a cookie consent solution or not. And if you do need one, we partnered up with an awesome company called Usercentrics. They're EU based. That probably means nothing to anyone here, but for us it's very important because that's ethically the right thing to do.
Donata Stroink-Skillrud:
Well, it's not actually the right to...
Hans Skillrud:
Well, it's legally the right thing to do.
Donata Stroink-Skillrud:
But they're Germany based.
Hans Skillrud:
But long story short, our tool will alert you if you need one, and you'll be able to have it basically preanswered. You just add a few more details and then boom, it's ready to go. And it actually controls the third-party scripts that trigger cookies that get put on users' browsers.
Brandon Lake:
And is it smart enough to only show to those people that it applies to? So you're not popping that thing up when you [inaudible].
Hans Skillrud:
Yeah, that's an option under some plugins and stuff. But yeah, long story short, yes.
Brandon Lake:
Okay, cool. All right. Okay. Well, I just want to point out before we wrap things up, just going to put this back up on the screen. Again, if you are interested in this, signing up for Termageddon, I recommend it. I think the process, like I showed you, we put it on our own website, and this is a really great deal. So we're talking like $80 for instead of the $99 normally.
Hans Skillrud:
Yeah. I really appreciate you letting us... We typically just do educational webinars, so I really appreciate you letting us offer our business. If you want to do business with us, you don't think we're too weird. You're like, "All right, I'm going to throw Donata and Hans a bone and get signed up with them." Obviously we'd welcome you.
Brandon Lake:
I think it's cool. And I just shared as a resource for our clients and all those who have joined us today, because I know there are so many that are like, "Oh, my gosh. I don't have $5,000 in the budget to go... And I'm not sure where to find an attorney."
And so this is quick and easy and looks very comprehensive. I mean, what you shared today. And again, you can check out that example on Resmarkweb.com. And just see what an example of one of these looks like. And kind of cool that it stays up to date. So I hadn't really ever seen anything like that out there until I ran into you guys. So I was excited to be able to share this with everybody else. Because I think there are a lot of companies that are like, "Oh, my gosh. An affordable solution to this that keeps itself up to date. Wow, that's really cool."
So go there. We did have a question on the thing was, how long this offer is available? It will at least be... So yeah, absolutely. We'll keep it up there at least through the end of this week. It may go on farther than that, but if it's something you want to take advantage of, I would particularly jump on it. Because you do have a lot of this stuff changing January 1st.
Donata Stroink-Skillrud:
January 1st.
Hans Skillrud:
[inaudible] 17 days from the time [inaudible].
Brandon Lake:
[inaudible] get ahead of that. You can have this thing in place and on your website before that. Again, if you have any questions about website stuff, you're welcome to bring that up with Resmark Web. You can go on here and we're happy to help you with that. Or any other website questions that you have just to make sure that you get these resources that you might want to use. And you're able to get them on your website and protect yourself and your business.
So thank you very much Hans and Donata for all your time today. We really appreciate you joining us. A lot of great information shared around really important stuff. [inaudible]
Hans Skillrud:
I know I said it like three times, but-
Brandon Lake:
[inaudible].
Hans Skillrud:
Sorry, what was that, Brandon?
Brandon Lake:
I said it was kind of exciting in the end.
Hans Skillrud:
Good, good. I just want to reiterate too, seriously, good questions. Sometimes we don't get as good a questions. These were really good ones. So thank you for everyone who participated.
Donata Stroink-Skillrud:
Yeah. And thank you for having us.
Brandon Lake:
Absolutely. So we will take what we recorded today. We will have a replay if some of you want to go back, maybe share this with others in your organization that you think need to hear it. Or you want to just go back and watch it again to hear the answer to a certain question. You'll be able to go back to the WaiverSign website, click on the replay.
In fact, we'll send an email out to everybody here today with the replay, the link to the offer, all of that stuff. You'll have it. So you'll have all the resources that you need to be able to protect yourself. So thank you very much and we look forward to having you back again sometime in the future.
Hans Skillrud:
Sounds great.
Donata Stroink-Skillrud:
Sounds great. Thank you.
Brandon Lake:
All right. Yeah.