At a time when the majority of transactions are taking place online, ensuring the security of your clients’ personal information is critical to not only maintaining their continued business, but also avoiding any serious legal consequences. So, how do you create a business page that protects customer data? In this episode, Gene Marks and Donata Stroink-Skillrud, President of Termageddon and the Chair of the American Bar Association’s e-Privacy Committee, discuss how small business owners can update their websites so that they comply with current privacy laws.

Podcast Key Highlights

  • How Can a Website Policies Generator Protect My Small Business?
    • A website policies generator ensures that your small business’s website is compliant with all our current privacy laws.
    • It also protects you by continuing to monitor the existing privacy laws and update both your policies and disclosures whenever the legislature changes.
  • How Does Termageddon Work?
    • First, the software will ask you a series of questions to help it determine what privacy laws actually apply to your small business.
    • Next, it will ask you another set of questions that are based around the disclosures required by those particular laws.
    • Based on your answers, the software will generate some text as well as an embed code that will go onto your website’s policy pages. (The code is what displays the text and allows Termageddon to push updates as legislation changes.)
  • Are There Different Privacy Laws for Each State?
    • Since there is no federal privacy law that protects regular website information, each state has to propose and pass its own privacy laws, according to its specific needs and preferences.
    • That being said, once you figure out which laws apply to your client base, you’ll need to create a policy that combines all the disclosures required by each of those laws; otherwise, your new policy is not going to be compliant.
    • It’s not enough to use a GDPR-compliant template since that only applies to EU’s privacy laws.
  • What Does Termageddon Do When a Privacy Law Gets Changed?
    • Termageddon will send you an email letting you know that there’s a new privacy law.
    • Then, it will ask you a few additional questions to see if there’s some new disclosures that weren’t asked before.
    • Afterwards, it will automatically update the text through the embed code.
  • When Do Privacy Laws Become Relevant to Your Business?
    • Most privacy laws start to impact your business as soon as you begin collecting data.
    • Other laws become relevant when you start doing business in a particular state or country.
    • There are also laws that become applicable once your business reaches a certain size or revenue threshold.
  • How Do Privacy Laws Impact Your Business’s Social Media Accounts?
    • Due to recent privacy laws that regulate targeted ads on social media, any business that runs Facebook ads needs to provide consumers with a way to opt out of being tracked.
    • Having a cookie consent banner on your site is one way for people to choose which cookies they accept or decline.
  • What Are Some Consequences of Disregarding Privacy Laws?
    • Business’s that fail to adhere to privacy laws may incur fines for privacy, non-compliance that start at $2,500 per website visitor.
    • Lawsuits could also become another risk in the near future due to the newly proposed privacy bills that would allow consumers to sue businesses directly.
    • Client loss is another possible consequence of ignoring privacy laws since consumers will switch, leave, or withhold their information from a business they no longer trust.
  • How Should You Present Your Policies on Your Business Website?
    • Most small businesses place their policies at the footer of the website.
    • Your policy should be clear and conspicuous, preferably in contrasting colors and a larger font so that it’s very visible.
    • A privacy policy should not be combined with any other documents because this will make it more difficult to obtain your customer’s consent.
    • Your cookie consent banner should appear as a popup, usually at the bottom of your website.
  • Where Does Termageddon Find Its Leads?
    • Web Designers
    • Attorneys
    • Marketing Agencies
  • What Recourse Do Small Business Owners Have if Termageddon Makes a Mistake?
    • Termageddon takes strong preventive measures to make sure their clients never have to deal with these type of situations.
    • After generating their policies with Termageddon, business owners are encouraged to share this license with their lawyer.
    • In the event of a customer complaint, business owners should remember that Termageddon also keeps a record of what their privacy policy looked like from one point to another as evidence.

Links

Transcript

The views and opinions expressed on this podcast are for informational purposes only, and solely those of the podcast participants, contributors, and guests, and do not constitute an endorsement by or necessarily represent the views of The Hartford or its affiliates.

You’re listening to the Small Biz Ahead podcast, brought to you by The Hartford.

Our Sponsor

This podcast is brought to you by The Hartford. When the unexpected strikes, The Hartford strikes back for over 1 million small business customers with property, liability, and workers compensation insurance. Check out The Hartford’s small business insurance at TheHartford.com.

You’re listening to the Small Biz Ahead Podcast presented by The Hartford.

Gene: Hey everybody, it’s Gene Marks again, and thanks for joining us here on The Hartford Small Biz Ahead podcast. I’m really thrilled to have you here. I’m also thrilled to have our guest today. It is Donata Stroink-Skillrud. Did I pronounce your name right? Donata, is that right?

Donata: Yes. Yeah, you’re good.

Gene: Yeah. Very happy to do that. I’m terrible at that and I’m glad that I did that. I’m just going to call you Donata for the remainder of this conversation so I don’t get into any trouble. But thanks so much for joining us. Donata is the president of Termageddon and the chair of the American Bar Association’s e-privacy committee. Termageddon first of all, tell us a little bit about your firm.

Donata: Sure. So we’re a website policies generator. So what we do is we help our clients create privacy policies, terms of service, disclaimers, cookie policies, cookie consent banners and things like that. So we help them make sure that they’re compliant with the existing privacy laws, and then we also monitor privacy laws for them. So if a new law is passed or an existing law is amended, we actually can automatically update our client’s policies with newly required disclosures.

Gene: Fantastic. So first of all, the name of your firm is awesome. How long have you been doing this?

Donata: Thank you. So we’ve been doing this since 2015 and we tried to combine terms and Armageddon together and unfortunately Terminator was already taken, so we ended up with Termageddon.

Gene: That is really cool. It’s a really good name so I want to say. And your website is?

Donata: Termageddon.com.

Gene: Termageddon.com. That’s great. And you’re also chair of the American Bar Association’s e-privacy committee. Tell me a little bit about what that committee’s activities are.

Donata: Sure. So our purpose is to help attorneys stay up to date with changes in privacy laws. So there’s a lot of changes, there’s a lot of bills, there’s a lot of new laws, there’s a lot of decisions and fines and all those things. So we create events, we have a newsletter, all those things to help our members stay up to date. And at the ABA, I’m also part of the Science and Technology Council, so that’s where we vote on official ABA positions on different laws and different initiatives including providing guidance to legislators on privacy laws. And then I’m also a member of the ABAs Cybersecurity Legal Task Force. So that’s where we help attorneys stay up to date with the latest news and happenings in cybersecurity.

Gene: So are your clients at Termageddon, are they attorneys or are they mostly businesses and other commercial entities?

Donata: Actually both. So we have a lot of small businesses using our service, so businesses that normally could not afford an attorney or an attorney’s help turn to us. We have larger clients as well, but our main kind of bread and butter is small business, but we also have attorneys using us for policies for their own website as well as policies for their clients. So we have a law firm partners program as well.

Gene: So Donata, so okay, so I run a business outside of Philly and I’ve got 10 employees. I’ve got two websites. I can guarantee you that they are not in compliance with many of the rules that you would want me to be in compliance with because I’m a dope and I don’t pay as much attention to this stuff as I should. Tell me like, so say I hire you, what do you guys do? And if I can ask if you’re comfortable, what kind of cost is that? I’m interested in what you guys do.

Donata: Sure. Of course. So we’re created to help small businesses comply. So our costs are reasonable. So it’s $12 a month or $120 a year.

Gene: Wow.

Donata: And the reason as to why that’s a recurring cost, the subscription cost is because we track legislation and make updates to policies. So the way our service works is we ask you a series of questions. So we’re not a legal services provider. We’re rather a tool that helps people create their policies. So the first set of questions that our software will ask you will help the software determine what privacy laws actually apply to you. Because what a lot of people don’t understand is they think that privacy policies are just random legal mumbo jumbo that lawyers add in there, and a lot of privacy policies are created that way, which unfortunately is not compliant. But each privacy law has a set of disclosures that it requires a privacy policy to make, and those disclosures are different compared to each law.

Donata: So that’s why we first ask to figure out what privacy laws actually apply to you. And then the remainder of the questions are based around the disclosures required by those laws. So a great example, like California’s privacy law requires you to disclose whether or not you sell personal information. So we ask you, “Hey, do you sell the information that you collect?” And you say, yes I do, or no, I don’t. And then after you answer the questions, the text is generated by the software and then you also get an embed code. So the embed code is what goes onto your website’s policy pages, and that’s what displays the text. And that’s also what allows us to push updates as legislation changes.

Gene: That is awesome. And I’m assuming, it’s funny because when we’ve addressed privacy issues on our sites, I’m turning to my web designer who was basically some kid working out of his basement in Nevada. So there’s no way. I mean, I’m relying on him, I’m thinking of this now, like what am I doing here? I need an actual outside firm like yours to be making that analysis and making sure that we have the right disclosure. Then of course I can turn the embedded text over to him and let him post that to our pages. You had mentioned California’s privacy law being different. Do different states have different disclaimers that a website has to make? Like if I make a general disclaimer that might not be in compliance with California’s requirements. Is that correct?

Donata: Yeah. Yeah, that’s exactly correct. So because we don’t have a federal privacy law that protects regular website information. So we have HIPAA for healthcare, we have financial privacy laws, we have educational privacy laws, but nothing federally that protects names and emails and phone numbers that is collected by websites. So that’s why in the U.S. we’re seeing each state propose and pass their own privacy laws. So this year we have six new privacy laws going into effect just this year, and each of them has a different set of disclosures that it requires website policies to make. So for example, California might ask you to say whether your website responses to do not track signals and Virginia’s privacy law might say, how can users opt out of targeted advertising? So you have to make sure that you first figure out what laws apply to you and then get the disclosures required by each of those laws combined because otherwise your policy is not going to be compliant.

Donata: And that’s the problem that we see with a lot of templates. They’ll say, oh, we’re GDPR-compliant. That’s EUs privacy law, but there’s a lot of privacy laws in the U.S. that require more disclosures than what GDPR requires. So if you just get a template that complies with one privacy law, you’re not compliant with all the other ones.

Gene: So and your software itself, which is I’m sure a cloud platform, you go through that initial answering of questions, you’re paying on a monthly basis. But that means then that anything that comes that might impact my business, you’re letting me know about and giving me whatever updates I need to make as part of that service. Is that correct?

Donata: Yes. So for example, let’s say a new privacy law is passed, we’ll send you an email letting you know that there’s a new privacy law.

Gene: I see.

Donata: We also include a compliance guide that kind of lays out the requirements of that law. Then we may ask you a few additional questions if there’s some new disclosures that weren’t asked before. And then once you answer those questions, click submit. We automatically update the text. So we don’t send you a snippet of texts that you need to manually input anything or we don’t tell you what the disclosure is. And then you yourself have to write the disclosure. We do all of that for you. And that’s through the embed code.

Gene: Got it. Is the rule of thumb Donata, about whether or not I’m accepting data from somebody and I am. People come to my site and if they want to download a white paper or request an ebook or whatever or sign up for a webinar, they’re filling out a form and they’re giving me, and I’m only asking for basic data, but it’s name and company and email and all that. So that would mean that if I’m asking for this data, I’m accepting data into my sites coming into my CRM system, I’m somebody that should be paying attention to these privacy laws. Is that sort of the rule of thumb?

Donata: So privacy laws can start applying as soon as you collect data, but each law has different requirements for who it applies to. So some will apply only as soon as you collect that data. Nothing else. So you don’t need to use it, you don’t need to share it, you don’t need to sell it, anything like that. Other laws require you to do business in a particular state or country. So if you have customers there or if you offer goods or services there, or if you track people online through services like Google Analytics and things like that. And I did want to note that there are some privacy laws that apply to bigger businesses only.

Donata: So for example, the California Privacy Rights Act, you have to have a certain amount of revenue or process the data of certain number of people while there are other privacy laws that apply regardless of your business size, including to nonprofits as well. So that’s why we ask those questions to figure out what applies to you because a lot of people will just assume, oh, GDPR applies to me. Well, does it really? So we ask those questions to make sure that you do actually need to comply with those laws and actually need to have those disclosures. But generally, yes, as soon as you start collecting personal information, that’s when you should be paying attention to privacy laws.

Gene: I got to tell you something, as soon as we’ve done this conversation, I got to talk to my wife because she’s going to have a heart attack when she hears this. She runs a little nonprofit and she has a very active website and is collecting information from students and parents and whatever, and she’s not doing this and she’s literally going to have a heart attack. Okay. Other question I have for you, we talked about websites. What about social media? Is there anything that we should be concerned about there, and is there any services you provide to help?

Donata: Sure. So social media is becoming increasingly regulated. So there’s a lot of privacy laws that have been passed very recently, actually this year that go into effect next year or the year after that. And what they really are trying to regulate is targeted advertising. So if you run Facebook ads and any of those laws apply to you, you would need to allow consumers to opt out of being tracked for Facebook ads. And one of the things that we do that really helps with that is a consent banner. So I know, people absolutely hate consent banners and honestly, I kind of do too. They’re really annoying. But one of the requirements is to allow people to opt out of targeted ads. So what we offer is a cookie consent banner where people can choose what cookies they accept or decline so they can decline, for example, the Facebook ads cookie if they don’t want to be tracked, things like that. So that’s something to be aware of. Targeted ads are increasingly being regulated.

Gene: But that would be something we could rely on, the social media platforms, I’m assuming, to protect us from that because, right, it’ll be part of their responsibility, I’m assuming. And can we assume that?

Donata: We cannot assume that. So…

Gene: I knew you were going to say that.

Donata: Well, the way that social media companies are structured is they try to take care of their own compliance needs first.

Gene: Yeah.

Donata: Right. Because that’s what gets them fined or sued. And because they’ve been fined or sued so many times and the fines are actually kind of a drop in the bucket compared to their revenue, they’re very well known for violating privacy laws. So when it comes to opting out of target targeted ads, Facebook does not offer anything for your website. They can help you help your website visitors opt out of those ads. So that’s something that you have to obtain from a third party like us, because Facebook does not offer that, and I don’t believe that they ever will offer that because it doesn’t really make sense for them to cut off their own ad revenue. Right.

Gene: Yep. Makes sense. That makes sense. You mentioned about being in compliance with different states and different countries. So I want to just make sure and have you reiterate the fact that this is not based on where you’re located, it’s based on where the visitors are located. Correct. Can you expand on that?

Donata: Exactly. Yeah. So privacy laws are a little bit different than other laws, right, in the sense that they protect consumers and not businesses. So they’re written very, very broadly. So for example, if you’re not located in the European Union, but you’re offering goods or services to residents of the European Union, you need to comply with their privacy law GDPR. And that’s because you’re taking advantage of making money off of residents in that particular state, in that particular country. Sorry. And the same applies to U.S. states as well. So they do apply to businesses located outside of that state. Because of the broad nature of the internet, anybody could submit their personal information to anyone. So legislators want to make sure that the residents of their state are being protected even if that information is being collected by a business outside of that state or country.

Gene: Okay. So Donata, listen, you’re an attorney, so it’s your job to scare us. So let me ask you to scare us. I run a small business, there’s only 10 of us, we’re nothing. Who cares? Scare me into understanding what the repercussions are of not being compliant with these rules.

Donata: Sure. I’m not really here to scare anyone.

Gene: Yes, you are. That’s your job. That’s what you’re supposed to do.

Donata: There’s kind of two aspects of this that I would want businesses to be aware of. So first is the potential for a fine. So fines for privacy, non-compliance start at $2,500 per website visitor. So if you have 30 website visitors from California, that’s 30 times 2,500 of the fine amount, which could be very, very high. Also, there are privacy bills that are being proposed that would allow consumers to sue businesses directly. So if businesses have been following accessibility once it became clear that individuals could sue them directly, like the amount of lawsuits just exploded. Right. So that’s another potential risk in the future as well. But another aspect that I think businesses should be aware of is that consumers are increasingly interested in their privacy. So because they saw these large companies violate their privacy like Facebook and Twitter and all these other things, they’re increasingly interested in their privacy.

Donata: So they’re looking for a privacy policy, they’re looking to see if you sell data, they’re looking to see if you share data and what that actually looks like. And there have been a lot of studies showing that consumers are willing to switch companies or not do business or not submit their information when they don’t feel safe online. So for small businesses, I think it comes down to fines, which small businesses have been fined. You can look up GDPRenforcementtracker.com that lists all the GDPR fines to date, which there have been one or two person companies that have been fined. But it’s also about respecting your website visitors and respecting your customers and making sure that they have this information so that they can make the appropriate decision and that they’re not scared to use your website and they’re not scared to buy from you, that they feel comfortable doing that. So I think it’s kind of twofold.

Gene: What’s your recommendation for where the policy goes on a site? Should it be a pop-up? Should it be just a completely separate page? What do you normally tell your clients?

Donata: So regarding the privacy policy itself, usually where we see it is at the footer of the website, the standard is you need to make sure that it’s clear and conspicuous. So first, a privacy policy should not be combined with any other documents because then it’s really hard to get consent. So if you get consent for a privacy policy that includes a terms of service, a consumer can say, well, I agree to the terms of service but not the privacy policy, and there’s nothing you can do about that. So you should separate them from any other policies and make sure that it’s easily visible at the footer of your website. So larger font than the surrounding font, contrasting colors so that it’s very visible. So if your footer is dark gray, don’t make your privacy policy link slightly lighter gray where it’s impossible to see. Make sure it’s very easily visible. For the cookie consent banner that comes up as a popup, usually at the bottom of your website.

Gene: Where do you get your leads from Donata? In other words, and I ask this because most businesses, I mean, listen, I’m sure millions of people will be watching this conversation, but assuming not, most businesses are like mine are probably not in compliance with these privacy. I mean, it’s clearly that’s an issue. So they should be, and if it does come to their attention, if they’re not aware of Termageddon for example, who would they normally be asking? Their web designer, their attorneys, their IT firm, who do they normally go to?

Donata: So normally from what we’ve seen is people will ask their website designer because the website designer is the one that created the website. So they know a lot of things about websites. So they’ll probably know somebody that can help them with their policies. And that’s actually who we work with a lot. So we work with a lot of website designers kind of teaching them best practices because as a website designer, you shouldn’t be the one providing the policies, right? Your job is to make the website look nice, make it function well, but you’re not an expert in privacy laws. So we work with a lot of designers on educating their clients about the importance of privacy, and some people will go to their attorney and their attorney will send them to us because privacy law is a very kind of subset of law. Right. So if you’re a business lawyer, chances are you’re not an expert in privacy law either. So we do get a lot of referrals from attorneys, but most of our referrals come from website design and marketing agencies.

Gene: Okay. That’s a great answer. This is clearly going to be something that’s going to be growing. I mean, you and I both know, I mean, I could clearly see every state having rules and obviously a lot of countries as well. So don’t take this the wrong way, but I’m relying on you for $12 a month to being on top of all of this. And what if you’re not, what if something slips through the cracks, or what if we’re found not in compliance somewhere or some consumer somewhere or whatever, but we’ve relied on you for your service? Just from a Termageddon standpoint, your company, what type of, I don’t know if guarantee is the right word, but what type of recourse does your customers have?

Donata: So I do want to say that most privacy complaints come from two sources. So one is not having a privacy policy at all.

Gene: Yeah.

Donata: So you have no information on the privacy policy, and two, consumers want to exercise their privacy rights and you don’t respond to them. So having that privacy policy in place is a great first line of defense. So when it comes to privacy law compliance, you have this entire world of things that you can do and it’s extremely overwhelming for most people I would say.

Gene: Yeah.

Donata: But you have to look at it from a risk perspective. Right. If somebody’s visiting my website, what are the things that they’re looking for? They’re looking for a privacy policy and usually they’re looking for a cookie consent banner if they have those rights. So just having those things in place definitely helps protect you. Now, in terms of what businesses can do to protect themselves further, what some of our clients do is they generate their policies with us and then they share the license with their lawyer.

Donata: It costs significantly less to edit a privacy policy if needed than write a new one from scratch. So it’s a great way to save money, and also we store the records of what your privacy policy looked like from one point to another. So let’s say it’s 2023 right now. Somebody sends you a complaint where they agreed to a different privacy policy that you had on your website in 2020. It’s been updated since. You can let us know and we can pull the records and provide those records for you and things like that. I do want to say that fortunately none of our clients, as far as I know, have been fined or sued so far, which I think just illustrates that this is a great first line of defense.

Gene: That’s great. Donata, great answer. Before I let you go, is there anything else I’m not asking or that you just wanted to bring to attention to our audience regarding these privacy laws on websites?

Donata: Sure. So I think really the importance of keeping your privacy policy updated. So a lot of people had their privacy policy written when GDPR went into effect 2015 and then haven’t looked at it since. But what’s really important here to know is that there are a lot of new privacy laws. So like this year, there’s been seven privacy laws that have passed, six privacy laws that are going into effect this year that passed in previous years. This thing needs to be updated. So you don’t just need to have a privacy policy that complies with the privacy laws of today, but you also need a strategy to keep that policy up to date as well. And I think that’s my number one tip.

Gene: Excellent. Donata Stroink-Skillrud, her company is Termageddon. Again, give us the website again, termageddon.com.

Donata: Yep. Termageddon.com, and you can also find us on social media anywhere at Termageddon as well.

Gene: That is awesome, Donata. Thank you so much for joining us. Great information and we appreciate it. And like I said, I’m going to be signing up for this. I got to talk to my wife as well, so I’m sure we’re going to be in touch pretty soon about that.

Donata: Awesome.

Gene: But thank you. It was a pleasure having you on.

Donata: Thank you for having me.

Gene: Yep, everybody. You have been watching The Hartford Small Biz Ahead podcast or are listening. My name is Gene Marks. Hope you’ve enjoyed this information and got some help. If you do need help or advice or any type of tips for running your business, please visit us at smallbizahead.com or SBA.thehartford.com. Thank you for joining us. We will see you again soon. Take care. Thanks so much for joining us on this week’s episode of The Hartford Small Biz Ahead podcast. You like what you hear, please give us a shout-out on your favorite podcast platform. Your rating, reviews, and your comments really help us formulate our topics and help us grow this podcast. So thank you so much. It’s been great spreading time with you. We’ll see you again soon.

Download Our Free eBooks