S2 #11 Futureproofing your organization’s privacy policy

S2 #11 Futureproofing your organization’s privacy policy

S2 #11 Futureproofing your organization’s privacy policy

Guest:
Guests:
Donata Stroink-Skillrud

Donata Stroink-Skillrud

Donata Stroink-Skillrud is a licensed attorney and a Certified Information Privacy Professional. She is the President and legal engineer of Termageddon, LLC, a software as a service company that has generated thousands of Privacy Policies and kept them up to date with changing legislation. Donata is also the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago chapter of the International Association of Privacy Professionals. 

Too many digital and marketing teams treat data privacy as a mere compliance issue, looking to their legal colleagues to track and address each new legal development. That is certainly an approach you could take, but it requires constant revisiting of the privacy policy, rethinking your partnerships and practices around privacy, and making redundant changes. In this episode, privacy expert Donata Stroink-Skillrud helps us understand the privacy landscape, how to break the cycle of constant privacy updates, and how to refocus your team on what really matters – the business of digital.

Keywords:
data privacy, online privacy, privacy policy, Saas policy, CCPA, GDPR, POPIA, information security, cookies, combined data, third party data, 3rd party data
Season:
2
Episode number:
11
Duration:
35:18
Date Published:
July 1, 2021

INTRO: [00:00:00] Welcome to The Power of Digital Policy, a show that helps digital marketers, online communications, directors, and others throughout the organization balance out risks and opportunities created by using digital channels. Here's your host, Kristina Podnar.

Kristina Podnar, Host: [00:00:19] Thanks for joining me again today for The Power of Digital Policy. Today's an opportunity to geek out a bit and learn a lot about digital policy from Donata Stroink-Skillrud. Donata is a licensed attorney and certified information privacy professional, who by the way, is the founder of Termageddon. And she's solving the problem we all face around keeping our privacy policies up to date with changing legislation. Donata, it is such a pleasure to have you here today. Thanks for joining.

DONATA STROINK-SKILLRUD, Guest: [00:00:46] Thank you so much for having me. I'm very excited to talk to you about policies and privacy and what's going on.

KRISTINA: [00:00:53] So ready for this geek-out session. I have to say that for a while, I've been hoping that we could finally connect and talk. And I think one of the really key things to say before we even start our conversation is you certainly are a licensed attorney. But you are not giving us legal advice today. And that feels like a statement everybody makes at the beginning of any conversation, but I thought I would just put that out there before we kind of dive in. Does that sound right?

DONATA: [00:01:17] Yeah, that does sound fair. Thank you for adding that in. It's always important to me to be upfront with people about,

what it is that I offer, and today that's not legal advice.

KRISTINA: [00:01:27] That sounds good. We won't take you up on your legal advice, but we will mine you for all of the insights and the knowledge and experience. Let's talk about privacy policy. A lot of folks don't understand what it is or why they need one. So can we start with a 1 0 1, can you kind of break it down for everyone and explain what it is? Why does everybody need one? Or are there folks who don't need it?

DONATA: [00:01:48] A privacy policy is basically a document that explains your privacy practices to your customers or your potential customers. So examples of what's included in a privacy policy are what information you collect, what do you do with that information, and who you share it with if you share it with anyone. Now, obviously, there's a lot more that goes into it than that, but those are kind of the meat and potatoes of what a privacy policy is. And without going into a three-hour lecture about this what we say is that you need to have a privacy policy if your website is collecting personal information. And a lot of people don't think that they collect personal information, and it turns out that they do if your website has a contact form, like a form where people can contact you about your goods or services or what you're offering to the public. If you have an email newsletter, sign up form, things like that. If you have analytics, you're collecting names, emails, phone numbers, and IP addresses, and those are all examples of personal information. And that's when you need to have a privacy policy. And it's not just because I tell you that you need to have one. Once you're collecting personal information, that's when various privacy laws can start applying to you. And those privacy laws require websites to have a privacy policy that makes very specific disclosures. So it kind of in a very quick way, if you have a contact form or you have an email newsletter sign up form, or if you have analytics, you're collecting personal information, and you need to have a privacy policy.

KRISTINA: [00:03:16] Do we also need to have a privacy policy for our mobile applications, or can we kind of roll that all into?

DONATA: [00:03:22] Anytime you're collecting personal information. So if you have a mobile app and you have a website, you need to have a privacy policy for both. Now, whether or not you want to combine both of those together really depends on how confusing it would be to the consumer if you were to combine those. For example, if your website is collecting names and emails, but your mobile app is collecting social security numbers and physical addresses, combining both of those into one policy could potentially be confusing to consumer because they wouldn't know which portion applies to them. If your privacy practices are different from your app to your website, usually I'd recommend having two separate policies to make sure that the consumer is very clear about what's going on.

KRISTINA: [00:04:03] So oftentimes, I run into people who just copy and paste another organization's privacy policy, or they just roll everything under the sun into single privacy. Bad idea? Take it from a competitor and use it on your own site?

DONATA: [00:04:17] Yeah, we see that every once in a while. And I think what that means practice stems from is a lack of understanding of how privacy policies are actually written. So people assume that a privacy policy is just a bunch of language, put together a bunch of random words that lawyers string together, and that you can just use anyone's privacy policy for yourself because it's all the same thing. And unfortunately, that's not true. So if a privacy policy is written correctly, it's based directly on the privacy laws that apply to you. So each privacy law has a different set of disclosures and a different set of requirements, and some of them overlap, but a lot of them don't. So if you are copying your competitor's privacy policy, that privacy policy is not necessarily compliant with the privacy law that applies to you. So you could just be out of compliance immediately there, or it might be compliant with privacy laws that don't apply to you, which means that you're subjecting yourself to a lot more operational costs of maintaining that. And it might not be up to date with the privacy laws that are in place right now. If they created that privacy policy five years ago, that's probably not compliant with the laws that have recently passed in the last five years. And then lastly, it might have a bunch of practices that you don't actually do. So the Federal Trade Commission, for example, has a standard say what you do and do what you say. And if, for example, your competitor's privacy policy states that they do not sell personal information and you copy and paste that and don't change that. And you actually do that's considered a deceptive act under the FTC Act, which could potentially get you in trouble as well. So you need to make sure that your privacy policy is up to date. Compliant with the privacy laws that apply to you and actually based on the privacy practices that you have, because if it's not, you could potentially be opening up yourself to fines and lawsuits.

KRISTINA: [00:06:11] Smart advice taken from a lawyer who's not giving legal advice. You just mentioned varying regulations and laws out there. I start looking at various acronyms from GDPR to CCPA, to LGDP, to POPIA it's enough to make our head spin, especially when it comes to keeping up our privacy policies up-to-date. Tell us a bit about how do you see the space evolving? And what's really the biggest challenges for organizations right now, given the fact that all these acronyms are popping up day in and day?

DONATA: [00:06:40] I think from my personal perspective, one of the biggest challenges is engineering the privacy policy. So there are kind of two schools of thought. One school of thought breaks everything down into each particular privacy law and then has separate privacy policies for example, California residents or the privacy policies mentioned the privacy laws by name. So if you're a resident of California, you get these rights under the CCPA. You're a resident of the EU. You get these rights under GDPR, and that's how you usually end up with privacy policies that are 50 to a hundred pages long and very confusing. And then there's another school of thought, which I'm more of a part of, which is combining those requirements together into one. So not necessarily naming each privacy law, but making sure all of those disclosure requirements are met in each privacy policy at the same time. So a great example would be, let's say you have a privacy policy that mentions the CCPA. Well, that's wonderful and great until the CPRA goes into effect, and then you have to update it. Right? And right now, there are over 20 proposed privacy bills in the States. If you have a separate privacy policy for residents of each state, you're probably going to go insane and rip your hair out, trying to update all of those at the same time, then making sure that they all fit your business practices. So, there's has to be a way to combine all that things together and to keep track of all of these things as well. And I think that's one of the greatest challenges that privacy professionals or compliance professionals, or policy professionals face today is making sure you stay up to date on all of those changes. And that's really difficult because, each day, there's, seemingly, a new privacy bill being proposed. We saw Virginia's privacy law. It seems like Colorado is going to be the next one that passes. So we're going to have to find the patterns between all of those and figure out a way to combine them all together because otherwise, compliance is going to be impossible.

KRISTINA: [00:08:37] What should organizations or privacy professionals do when the different laws have a level of conflict, especially with some of the standing kind of outdated regulations that we have around the world? What to do then?

DONATA: [00:08:51] One big conflict that I see is the amount of days that it takes to respond to data subject access requests or something like that. Some privacy laws will allow 45 days. Others will allow 30. So that's kind of the biggest conflict that I see. It was just a matter of smart drafting. At that point, you could have your privacy policy say we'll respond to your requests within 30 to 45 days.  

Each privacy law has different privacy rights that it provides to consumers. So for some organizations, it makes more sense of, instead of providing one set of rights to California consumers and another set of rights to EU consumers and, and another set of rights to Canadian consumers, some organizations that are fighting success combining all of those rights and providing them to everyone regardless of where they reside. So instead of having these crazy lists of privacy rights and very much confusion from a consumer standpoint of what applies to me and what rights I have. You provide all of the same rights to everyone so that you're compliant with all of the laws at the same time. But then you're also kind of going a step above and beyond those laws and showcasing to your customers that you care about their privacy, and you're willing to go a step beyond what's required. So that's one of the things that I've seen lately that I've really enjoyed seeing.

KRISTINA: [00:10:05] That makes me think about data breach laws in the US where we have the 50 different states, the 50 different flavors of data breach requirements. And sometimes, having a superset is a good answer because it allows you to meet all of the regulations and not have to worry about, oh, where's this user from and what law applies to them versus what doesn't. But how does that work when you get into the weeds? And I asked that because I recently ran into an organization that's trying to apply GDPR concepts to everybody that they serve around the world. And the problem there is that a lot of banks, for example, in the US, don't understand GDPR laws yet; they don't understand the requirements. And so what we run into is that banks as processors, for example, don't want to necessarily comply with some of the requirements. How do you resolve that on the back end, beyond the privacy policy itself?

DONATA: [00:10:57] Potential flaws that I see in how people approach compliance in that sense is number one; they assume that if they meet GDPR, they will meet all other requirements, which is simply not true. So other privacy law requirements that go beyond GDPR. So if you're using GDPR as the standard, you should not assume that you're compliant with all privacy laws because chances are you're not. And then two, I see a lot of organizations trying to impose GDPR terminology on vendors or customers. So, for example, having the whole data processor and data controller thing for whatever reason, I find that a lot of people bristle when they see those words, oh, I'm a data controller. I'm a data processor. Now, I don't want to think of myself using different terminology. What I personally like to do is strip that terminology and keep the requirements, right? So instead of calling a vendor, a data processor, we just call them a vendor and impose all of the same requirements without necessarily mentioning GDPR. And it's a matter of doing business. So, for example, if you are doing businesses of the bank, let's say you hire a marketing firm for them. You're going to audit them. And you're going to make sure that they're compliant with specific requirements, but you don't necessarily need to disclose what laws those requirements apply to. You can just say, all right, these are the requirements of doing business with us, and it doesn't necessarily need to be GDPR centric. You can still have all of those requirements without making somebody feel like they're complying with an EU privacy law for no reason. So that's what I would do is I would strip that terminology and make it a bit more clear as to what the requirements are without the whole philosophical explanation behind it.

KRISTINA: [00:12:43] Donata, I feel like I should title you the purple unicorn. You're one of the very few people out there that I've run into, probably a handful if those who are lawyers, but have this very practical view on the world, able to understand the legal aspect, but also really understanding, getting business done. And so that makes me wonder when we talk about privacy policy. Is it legal, always the right place to place privacy policy within an organization, or should it sit with other folks like IT or marketing?

DONATA: [00:13:14] I think that legal has to be some standpoint when it comes to the privacy policy, right? Because you need to know the requirements of each privacy law to meet it. So without having that kind of drawn-out, your privacy policy will probably not go anywhere, but at the same time, if you don't have it and marketing involved, your privacy policy is not going to be compliant and is not going to go anywhere either. Because as attorneys, yes, we understand that. Our company does some marketing, right. And usually as it attorneys that's, as far as we go and understanding that. But when you talk to the marketing department, it's like, okay, we actually do email marketing, and we use MailChimp. And we also do ads on Google or ads on Facebook. We use tag manager; we use analytics to understand how people use our website and to increase conversion rates and things like that. So, It has to be a collaborative process between those departments because if it's not, your privacy policy is going to be incomplete. And that's what I see a lot of companies missing and a lot of privacy officers missing. And then a lot of attorneys missing is the whole concept of this being a dynamic policy that has to actually fit the business. It doesn't just have to meet the privacy law requirements. It has to actually meet the business as well. And you had to have good explanations as to why you're sharing data or why you're using it or how you're using it because consumers expect that right now. So it's no longer just, oh, we'll just collect your name and email for this marketing list, and then we'll never use it. It's the attorney's responsibility to say, then why are you collecting it? You shouldn't be collecting it if you're not using it. But then it's also the marketing department's responsibility to say, well, we have this campaign planned in the future, and this is how we will use it in the future. So there has to be good reasoning behind this data collection and data use and data sharing. So I think it is a collaborative process that kind of needs to happen more.

KRISTINA: [00:15:11] You are making my heart go pitter-patter because I'm such a believer in bringing folks together, including HR, because HR needs to play such a role in terms of building awareness and educating so that areas of the organization where we see data loss or slippage is decreased. Oftentimes, I'm amazed when I go and talk to organizations around their data practices; they say like, oh, we're doing this right. It's all good. And then I'm like, oh, how are things going with your Google Drive or One drive? And what's getting pushed out to vendor Dropboxes and it's like, oh, never mind, just don't look over it.

DONATA: [00:15:43] And one thing that I would like to see from organizations is, we see some organizations that do have privacy training, but usually it's a third-party purchase. Some video from the eighties. That's very cheesy, and that's like, don't share your password or don't write down your password and put it on your laptop or something like that. And I think we're beyond that now, I think. That information is very important, and people shouldn't be doing that. But I think we're a lot beyond that now when it comes to using sharing and collecting data, and I would really like to see better training offer to companies and to employees that's actually real-life training, not hypothetical scenarios that they're probably never going to run into, and they just click through the training, and then you're done, I think it has to be more interactive, and it has to be actual scenarios that they're going to run into. And actual hypotheticals and actual training sessions. When I used to work in compliance, we actually did a fake phishing attack on our staff because we were supposed to have training that morning on IT, and I sent everybody a fake email. It wasn't very clearly fishing, but there were some hints, saying, if you want to see the notes for this morning, so IT training, please click on this link. And it was interesting to see how many employees actually fell for that. Even though my email was wrong, my name was misspelled. Such things like that, actual active testing and active training where somebody learned something in the real world, instead of just hypotheticals, I think I would love to see more of that.

KRISTINA: [00:17:17] That's a really important point, which is how do we actually connect the privacy policy and the information that gets put into a privacy policy with the actual practices? Because a lot of times I think people write the privacy policy with this ideal notion in mind of like, this is how we ought to be doing it, or this is what we should be saying versus what they're actually doing. How do you reconcile that? Or what's your advice?

DONATA: [00:17:40] My advice to at least our customers is only select the things that you actually do because if you don't select if you do select the things that you don't actually do, you could potentially get in trouble later down the line. So there are a lot of cases out there talking about how a company potentially formed a contract with our customers through their privacy policy by promising certain security features. Those cases don't usually go very far, but as we all know, litigation is very expensive in the first place. So if you say certain security features that you do, but you actually don't do them, that could potentially be an issue down the line when it comes to data breach and things like that. And you want to make sure that you're honest with your customers because right now, we're kind of moving a little bit beyond the point of just privacy law compliance. So obviously, you want to comply with those laws and not get fined and all of that, but consumers are caring more and more about their privacy online. So you need to make sure that you're meeting those expectations and that you're honest with your consumers. If you're not, people aren't gonna find out, and we live in a world where things come up very quickly. It's important to make sure that you're very honest about what you do in your privacy practices and that you review your privacy policy on a frequent basis to make sure that you're still doing the things that you said that you were going to do.  

KRISTINA: [00:19:03] That brings me to this question around templates and privacy generators. We've already established that you should not be taking another person's or another organization's privacy policy and copying and paste it to your own. But there are templates out there. There are privacy generators or privacy policy generators out there. Termageddon is one of those. You founded that company. What should individuals be looking for if they want to use a generator or a template? There is a distinction between what's available in the marketplace. Tell us a little bit about the space and what you do.

DONATA: [00:19:32] Obviously, I'm a little bit biased here, but the thing is, so when you look at it, I'll start with templates, I guess. So when you take a look at a template that's being offered online, your first question should be what privacy law is this template complying with. And if you're very, very lucky, you might find a template that complies with one privacy laws, such as GDPR. Just because the template says it's compliant with GDPR doesn't mean that it is, but let's say hypothetically speaking, you do end up finding a template that's compliant with GDPR. The next question you should ask yourself is, is it compliant with all of the privacy laws that apply to me? And that's the issue with templates at best. They are compliant with one privacy law, but as we know, because of the broad reach of privacy laws, you could have the privacy laws of other states or potentially other countries apply to you, even if you're not located there. So a privacy policy that complies with one privacy law is probably not compliant with all the privacy laws that you need to comply with, opening up yourself to find some loss. Now, when it comes to a privacy policy generator, a lot of people don't know what that is. And basically, it's a series of questions that are asked, and your answers to those questions are used to customize a privacy policy for you. So when you're choosing a privacy policy generator, the first set of questions that you should ask yourself as number one, does it figure out what privacy laws apply to me? Because if it's not based directly on the privacy laws that apply to me again, fines, lawsuits, all of that, non-compliance, that's a big issue. So whenever you're looking at a privacy policy generator, that's the first question you should ask is does it figure out what privacy laws apply and does it build a privacy policy based on the privacy laws that apply. Two, you should ask yourself who the company was founded by. So is there an attorney on staff? Is there a privacy attorney on staff, things like that? Somebody who knows what these policies are and what the requirements are, and then you should also ask yourself, do they keep these policies up to because having a privacy policy now that you've just put on your website is not sufficient anymore. With over 20 proposed privacy bills in the U S multiple privacy laws changing across the world, you need to make sure that you have a strategy in place to keep that privacy policy up-to-date with privacy law changes. So you need to make sure that that privacy policy generator actually makes those updates. So I would look at their website. I would look at their social media. How often are they talking about the proposed privacy bill? Are they telling their customers about it? Are they actually making updates to the policies when new bills pass or existing laws change? Things like that, or like when the regulations change, as we know, the CCPA regulations have changed like five times, have they made updates for that? Have they talked about that? And what kind of resources do they provide? Because like with our company, We don't just provide updates to the privacy policy. And we can do that automatically as well. In most cases, we actually provide compliance guides as well. Privacy compliance is not just having a privacy policy. There's more to it than that. You need to know what privacy rights are given to individuals, how those can be exercised and what you need to do. So make sure that you're using a privacy policy generator that kind of provides more information to you than just, okay. Here's your privacy policy. You're good to go. Goodbye. You know, there's a little bit more to it than that as well.

KRISTINA: [00:22:52] That's a good point. I actually just had somebody reach out to me the other day to ask me a question. I thought maybe you and I should hash this one out, but it's a really great question because their privacy policy talks about all of their digital channels. So it's talking about what they do on their website, what they do in their mobile application and also what they do with things like their chatbot and what they do with the messenger apps that they use, what they do in terms of SMS texting, what they do in WhatsApp texting. And so, they came back at me and said, oh, you know, we have all of this, or we're putting this into our privacy policy, but it's a different issue when it comes to implementing what you're saying, you're doing. Which is that bigger compliance piece that you're alluding to, things like, do you actually have opt-in for your Whatsapp? Is that distinct from the SMS option? Are you actually tracking the user rights to those channels? So it's not just, again, lip service, but it actually covers what you're doing and reflects reality and provides that user trust.

DONATA: [00:23:49] Exactly. And a lot of people think, okay, I'm just going to post this privacy policy here, and I can just do whatever I want. And in some areas of the United States, that might be the case, but usually, that's not the case. You still need to get consent. You still need to make sure that your cookie consent checkbox is compliant. You still need to make sure that you are using data responsibly and sharing it responsibly, and not collecting it if you don't need it, things like that. And I think a lot of that gets lost in the shuffle, and with companies that have bigger budgets, that have a privacy staff, or can afford to hire a privacy consultant, those things come to light and end up being resolved, but for smaller businesses, it doesn't. So it's very important for them to receive that education and to receive that guidance which, unfortunately, the US government is not providing right now. So it's, it's a very important area that I think education goes a very, very long way.

KRISTINA: [00:24:41] And you do a really great job of that because I was looking at your site and what you offer from Termageddon perspective. And it's not just about the privacy policy. It is about the disclaimers. It is the terms of service, and it is about having the range of disclosures and policies you need to have. So I know we've spent a lot of time talking about privacy policy, but are there these complimentary artifacts that folks also need to have in place?

DONATA: [00:25:05] Absolutely. A disclaimer or terms of service to protect your business. And, even just to answer commonly asked customer questions, like, do you offer refunds, cancellations? What is your shipping policy? Things like that that I think go a very, very long way with consumers in terms of moving them forward in the purchasing path. Because if I go on a website and let's say, I'm hypothetically, I'm looking at shoes, and I'm worried that maybe the size isn't going to fit me right, the first thing that I do is look for a refund policy and terms of service to see what the refund policy is and what my options are as a consumer. And if that's not present, I'm probably not going to buy from them. Because I don't feel secure enough to know that, okay, if the shoe doesn't fit, I can return it and exchange it for a different one. Not having that information can actually impede customers from buying from you.

Having that information available is very valuable, both from a legal protection perspective, but also from a customer service perspective as well.

KRISTINA: [00:26:07] I find that a lot of agencies in webshops that are supporting especially small and medium-sized businesses are trying their best. It's not with any ill intent, but they oftentimes forget about those terms of service, that disclaimers, et cetera. Is there a way to automate the inclusion of that into the products that they're creating for their consumers? What is your advice?

DONATA: [00:26:27] We actually have an agency partners program. So we work with agencies all the time, people who build websites, run marketing campaigns, with us, they actually get a free license for policies, for their own website to try it out. And what they do is they actually build it into their quote, or they build it into their proposals, or even before. If they didn't do that in the quote or the proposal before the website is launched, they just send them a simple email saying, Hey,we built you this website, it's collecting personal information. I think you need to have a privacy policy. And here are some solutions for that. And then the customer can kind of decide what they want to do because it is true. That a lot of people who have websites built for them who have a new business don't necessarily realize that this is a thing which is very unfortunate, but they don't realize that they collect personal information. They don't realize that they share it. They don't even realize that they have analytics which could potentially subject them to GDPR and other privacy law. A web designer is a great place to bring that up and say, Hey, we built you this website, it has these forms. You need to have a privacy policy. And we work with a lot of web designers who do that for their customers. And you'd be surprised how many times the customer was like, oh man, I had no idea that. So much for letting me know, and they're actually super appreciative of it. So it's a great thing that a lot of web designers provide now is just kind of that information, that education piece.

KRISTINA: [00:27:53] That's great. It's interesting because a colleague of mine is moving to the EU next month. And we were chatting about the fact that even the smallest of the smallest companies that she's interacting with are sending her these transparent GDPR privacy notices. They're really kind of upfront about data collection, very much into the digital signature realm. And she lives in the US; she lives very close to me in the DC area. And she was saying, we're so many light-years away, yet GDPR has been in effect only since May of 2018; we've seen these EU shops, even the small companies evolve quickly. Do you see the same thing happening in the US or where do you think we are in terms of adoption of these concepts?

DONATA: [00:28:34] I dream of living in the EU. I'm originally from Lithuania. But I live in Chicago now, and I have pretty much no privacy rights unless it comes to my biometrics. But other than that, I have pretty much no privacy rights. And I will confess that I sometimes try to exercise my privacy rights under the EU section. And I'm upfront with that, the fact that I'm located in Chicago, but sometimes I slipped through the cracks there, and people allow me to exercise my privacy rights, even though I'm not from the EU, which is kind of cool. But you know, I think that in the US we have a fundamental problem. So in the EU, they have GDPR one set of rules. Yes, there are some very small differences between countries, but they're pretty minor. So there's one set of rules that everybody needs to comply with. There is a ton of government guidance on every possible question that you could possibly think of. That guidance obviously is imperfect. It's not a perfect world, but it's very cool, right? There's a lot there. If you're a small business, you can call your data protection authority, and they will help you. In the US we don't have that. So we don't really have a federal privacy law that governance business websites unless it's healthcare or finance, very niche industries. And what we're seeing is this increasingly complex patchwork of privacy laws that are based on each state's requirements and, and almost whims at some point. So we don't have this consistent standard. We have a lot of different privacy laws, and that number is growing and growing and growing, which is making compliance very complicated. So yes, we're seeing some companies that are going above and beyond or meeting the requirements, but we also see a lot of companies that are just very, very confused as to what those requirements are. And you really can't blame them because there are a lot of different sets of requirements. So I think we're sort of moving in the right direction in the sense that privacy is starting to become more important to consumers, and consumers are pressuring companies and legislators to care more about their privacy. But I think we're also stepping a little bit backward in the sense that there are a lot of different requirements, and it's a patchwork, and it's just becoming increasingly difficult to comply with everything that applies to you.

KRISTINA: [00:30:48] So for every person who's listening today and they want to pull their hair out, what would you say to them, as their first step of what they could do? Because a lot of times, people say to me, I just don't know. I don't know if I'm compliant; I'm not compliant. Like where's the north star? What should I do? What are the tips that you have for them? What should they do?

DONATA: [00:31:05] I would say, find the right tools. It's going to be impossible for you to do this on your own unless you're ready to pay a lot of money to a lot of new staff members. So a great example is keeping track of privacy bills. I do that for my job. Hours and hours and hours of my week to keep track of privacy bills. So instead of doing that manually, like I do, because I have to make sure that I get it exactly correct. What I would do is I'd use different resources. So, for example, I have a privacy bullet tracker on our blog at Termageddon dot com. The international association of privacy professionals has a privacy bill tracker that you can use. And the American bar associations E privacy committee. We also share a lot of different news in our newsletter, including what new privacy bills have been proposed that month and what privacy laws have passed or changed. So make sure that you're using a few different resources. And make sure that you're using the right tools. So I would first start with figuring out exactly what data do you collect, what do you do with that data and who you share it with, kind of doing a data inventory and a data map to understand what your current situation is like. So where is everything? What are you collecting? What are you doing with it? Doing a data inventory and doing a data map is a great way to see where you're at right now—and then figuring out what privacy laws apply to you. And what the requirements of those laws are, getting a privacy policy that's actually compliant with those laws and that's based on those laws, and that's based on your actual practices and then making sure you have the right procedures in place for responding to consumer requests, making sure that you're adequately protecting the data and that you are honoring those requests that you get from consumers and kind of just starting there and then building your program from there—that where I would start.

KRISTINA: [00:32:55] Donata, what I'm taking away from this conversation, and I'm sure a lot of folks will share the sentiment, is that this is an incredibly complex area, certainly evolving by the minute. But what I appreciate is your ability to break it down into some practical aspects and the ability for us to take some steps to move forward and get ourselves unstuck because I feel like that's where we need to be. We need just to be moving forward. And as long as we're moving forward, I'm sure we can collectively get there at some point, but we can't stay stuck.

DONATA: [00:33:25] Yeah, I think you have to start somewhere. And if you think about it, if I think about spring cleaning my house, if I just sit there and think about spring cleaning my entire house, like top to bottom, I will get extremely stressed out, and I will probably never do it. However, if I think about cleaning a window in my office, I can do that. That's no big deal. So I make a list of the things that I have to do, kind of break it down into small tasks that are manageable, and then just start there and go from there because you have to start somewhere and you have to do something because in reality, doing nothing is going to be much worse. So don't get it overly overwhelmed and bogged down and making huge plans. And then, never assigning those plans to anyone, break it down into small manageable chunks, and get to where you need to go and do what you can do because doing what you can do is much better than doing nothing.

KRISTINA: [00:34:23] Wonderful advice there. Folks, do something even in small increments, better than doing nothing. Let's get started—lots of information out there. I'll share those in the resource tab for the podcast on the site. Including Termageddon's website, I'll include some of the other resources, including IAPP that Donata mentioned, but thank you so much for your time today for helping us get started in delving deeper into the privacy policy crucial aspect of digital policy. Keep us up to date and honest and help us move forward. We greatly appreciate it.  

OUTRO: [00:34:54] Thank you for joining The Power of Digital Policy. To sign up for our newsletter, get access to policy checklists, detailed information on policies, and other helpful resources, head over to the power of digital policy.com. If you get a moment, please leave a review on iTunes to help your digital colleagues find out about the podcast.

You can reply to this podcast here: