DrupalEasy Podcast 237 - Donata Stroink-Skillrud (Termageddon)
[0:01] Hey now and welcome to Drupal Easy Podcast episode number 237.
My name is Mike Anello and in this episode I have an interview with Donata Stroink-Skillrud one of the founders of Termageddon dot com.
And I might add all for a very reasonable price.
In my opinion, this is an episode that everyone who owns, maintains or builds a Drupal site should hear. Before I get to that, I want to mention Drupal Career Online.
[0:39] So 2021 is the 10th year of Drupal Career Online, and next semester begins on March 1st.
Drupal Career Online or, as we call it, the DCO,
is the longest-running long-form Drupal training program in existence.
Twice a week for 12 weeks, we focus on best practices for building and maintaining Drupal 8 and 9 sites.
We cover things like Composer, developer workflow, information architecture, Views, as well as module and theme development, and more. So if you're interested or if you know someone who's interested,
or if you know someone who needs it,
[1:19] check it out at Drupal easy dot com slash d c o.
If you or someone you know applies, you can use the coupon code 10 years when applying and you'll get 5% off the cost of the course.
That's Drupal easy dot com slash d c o.
Interview With Donata Stroink-Skillrud
[2:01] I'm here with Donata Stroink-Skillrud, Donata, how are you? Hi, I'm doing well. Thank you. How are you?
Pretty good. So let me introduce you to everyone. So everyone, this is Donata. This is everyone.
Uh, Donata is the president of Termageddon, which, we're gonna talk about what Termageddon is in a few minutes.
But you're also a licensed attorney, a certified information privacy professional as well as the vice chair of the American Bar Association E Privacy Committee.
[2:34] So there's a lot there, So let's break that down a little bit.
Whatever that time period is is probably not the best thing. So it being around the holidays, um, you know, my client load has kind of slowed down a little bit, so I said, okay, well, this is a good time for me to dive, dive into it.
Um, and I was out there on Twitter and LinkedIn and just doing some searches and stuff, and I found Termageddon, which is a service on. I think maybe we'll talk.
[3:48] Yeah, that's kind of the point of this conversation, but let's go back and learn a little bit more about who we're talking to.
Um, so Donata, what is, what does it mean to be a certified information and privacy professional?
Sure. So Certified Information Privacy Professionals are certified by the International Association of Privacy Professionals.
Um, if you ever want to learn about privacy, I encourage everyone to go to I A P P dot org, and it is the largest privacy organization in the world.
I'm actually the chair of the Chicago chapter here, and the IAPP has created a certification mechanism.
So essentially, what you do is you study about privacy laws and what they mean and how they apply and what
somebody needs to do to comply with those privacy laws. And then you take a test, and,
once you take a test, you get, well, if you pass, I guess, um, you get certified as a Certified Information Privacy Professional and, you know, we also have to keep our certifications up.
So every single year, I have to do a certain amount of studying and a certain amount of educational events and privacy to keep my certification up.
But it basically the point of it is to show others that you're an expert in privacy.
[5:11] So is this something that's only available to attorneys? Or is this anybody? It's anyone that's interested.
So if you go to I A P P dot org, you'll see certifications, and then you can click on that and learn more about the various certifications that are offered.
Um, and they're offered to anyone who's interested in privacy. You don't have to be an attorney. You don't have to work in privacy.
Um, but if you are interested in it, it's definitely something that I recommend.
[5:39] And it sounds like a lot of it is probably geared around online activity. But not all of it, I'm guessing.
Yeah, that's correct. So it really depends on what certification you get.
You can also get a certification in a technology.
So if you're working in IT, you might want to consider that certification. Or if you're managing like a privacy team, there's a different certification that you can choose as well.
So it's really a lot of different choices and and flexibility.
But the one that I have is mostly focused on online privacy. Yes, so let's go ahead and compare and contrast that, this will be like a college essay question, with the American Bar Association E Privacy Committee that you're vice chair of?
Yeah, so the American Bar Association, for anyone that doesn't know, it's basically
[6:39] a very, very large group of attorneys in the United States that are interested in keeping up to date with developments in law in their area that they're focusing on. So
the privacy committee helps other attorneys keep up to date with privacy developments.
So, you know, we have different events that we plan, um, that help attorneys understand different developments or keep up to date with different developments.
So it's also a group that's mostly for attorneys that are, that are interested in privacy. So I guess the biggest difference probably is the IAPP, you don't have to be an attorney to join, versus the ABA is mostly for attorneys.
[7:20] All right. Very good. So, in reading about Termageddon a little bit, I learned that you and your husband founded the company.
You being an attorney and him having, um, run a digital agency for a number of years.
[7:36] So very much seemed like a chocolate in my peanut butter type thing where it was a good match for a site like this. Is that pretty much the genesis?
[7:52] So I was doing them one at a time, and I noticed that I was asking my clients very similar questions about their privacy practices.
So, for example, like, what personal information do you collect?
And I noticed that that process was very cumbersome and, to be honest with you, very boring.
Um, it was very repetitive. So I wanted to figure out a way to automate it.
And for him, you know, he had his own Web design agency, which he's successfully sold to come over to Termageddon full time.
And he noticed that his clients would always ask him, like two days before launch.
But he wasn't really getting anything in return.
And he's like, You know what? That's not fair. I'm you know, I'm giving all this business to someone, and they don't even really care that I exist.
So that's how we came up with Termageddon. So did it start off?
[9:20] Other policies that you can generate using Termageddon.
So we've had all four since the very beginning.
Um, but what's really interesting is that when we initially started the business, we thought that only U S based companies would be interested in working with us.
Um, which was a really big mistake.
So we actually started getting people reaching out to us from, like, Canada and the U.K.
saying, hey, like, can we use your service? Um, so that was one thing that we learned was that, you know, we should not have thought of this as a product that only US companies were going to use. So
pretty recently, we launched compatibility in Canada and the UK, which has gotten a great response.
So it's really interesting as a US based lawyer to try to figure out, like, the terms laws in other countries.
[10:25] Um, it's definitely been a very interesting experience from that point of view. Right, and Termageddon, and this is not a brand new thing, that you have been around, Termageddon, since I think 2017. Is that what I read?
Yeah. So that's when we initially started. Obviously took a long time to get all of the policies engineered initially and, uh, you know, and to get the system built up.
And what's really interesting too is that with privacy law changes, we're constantly re-engineering things.
[10:56] So we're always adding new stuff and a new feature. So it definitely has not felt like three years.
Um, it's gone by a lot quicker than that.
[11:06] Yeah, that's, you know, you just touched on a point that I mentioned earlier.
And I think a lot of folks who either have their own sites or who build sites. So you know, I'm from the Drupal community.
So a lot of folks who listen to this podcast are building sites for their clients. And,
[11:37] But up until I started doing my homework a few weeks ago about how, you know, you know, is there a service, um, that, that can provide me with up to date.
Or like, how do I How do I wrap my arms around this? That was kind of one of those things I kind of worried about for a long time is you know, am I going to get burned one day? Because I'm not keeping things these things up to date.
[12:00] Um, so I've got a few kind of big questions around all this stuff that can hopefully answer.
Help some other folks out as well.
So do all sites always need all four of those?
Or, like what are the in general broad stroke conditions under which a site might need one and not the other?
[12:54] Now, PI is any information that could identify someone.
So, for example, name, email, IP address, phone number.
[13:14] So when you're building a site and you're building that contact form, that's when the light bulbs should go off in your head.
And it's not necessarily sharing or selling or even using the P I that's collected.
It's just collecting it. When it comes to a Terms of Service,
a Terms of Service is a document that basically lays out the rules of using a particular website, and
it helps limit liability. So a great, um, kind of thing to look out for on websites is third party links.
So if a website that you're building includes links to Facebook, Twitter or LinkedIn or any other third party website, that's when you want a Terms of Service.
Because if somebody goes from your website to a third party website and gets a virus or scammed or something like that happens, they can come back to you.
And you could potentially face, um, liability there. So you want to make sure every... exactly. So pretty much any website, you want them to have a Terms of Service because you want to limit your liability.
Another great example is e-commerce. You know, you want to answer consumer questions about refunds and cancellations, shipping. Those things are done in the Terms of Service.
[14:35] Um, if you're potentially worried about copyright infringements, Terms of Service can help protect you there. So that's a great point at which you should look out and have a Terms of Service.
A disclaimer. The best way that I can explain a disclaimer is like, if you've seen those exercise videos from the nineties and you know how at the beginning they'll have the,
please stop exercising if you feel faint or if you don't feel well, um, that's a disclaimer.
So you usually need a disclaimer if you are participating in affiliate programs, if you are providing exercise or health tips.
Um, if you're providing any information that could be seen as legal advice, those are the main areas in which you would need a disclaimer. And then, lastly, an end user license agreement or a EULA.
You need that if you're selling software, like package software. So, for example, if I were to go on a store and purchase Microsoft Office, I would get an end user license agreement.
And that's what that is. Well, how about if you're like a music artist and you're selling downloads of your music directly, is that, would that require a EULA as well?
No. So that's different. If you're, that's, a EULA works for software.
So if you're selling package software, that's when you need it.
[16:00] I was just making the argument that a, like an MP3 file, or not the argument. The question is, an MP3 file, a,
you know, a piece of software in the eyes of the law, and it sounds like you're saying it isn't. Not really, no.
So it sounds like if you have a just completely static site, meaning there's, like, no forms, not even a contact form, if you add Google Analytics, for example, to your site.
So Google Analytics will collect an IP address, which is considered P.
[16:57] All right, so another question, This is something I thought I you know, it was kind of I figured it was true, but you actually confirmed it in one of our email exchanges a week or so ago.
Um, you mentioned a contact form. If you have a contact form that collects information, I was never 100% sure. Does that mean if that information is being stored, like in a database on the Web server?
Or what happens if that information is just, you know, put into a form, hit a button and it just sends an email and nothing else?
And, um, I believe you explained it to me that it doesn't matter where that data's stored.
And the reason for that is because privacy laws are relatively unique.
So a great example is the California Online Privacy and Protection Act, which applies to any website that collects the P I of California consumers.
Now, if you think about your website, and if you think about the contact form that you're building, anyone from anywhere could submit their information on your contact form,
meaning that California consumers could be submitting their information, meaning that CalOPPA will apply to,
virtually any website, which I think a lot of people miss.
So, you know, in the U.S., California has a couple of privacy laws. Delaware has a privacy law, and Nevada has a privacy law, so a lot of people will think,
OK, well, I'm not located in those states, so I don't need to worry about that.
But that's actually not the case. What matters is whose PI you're collecting, where you do business and where your customers reside.
So, for example, I'm here in Illinois.
Let's say I have a customer who's from Nevada.
That's sufficient connections to that state, meaning that I have to comply with Nevada's privacy law.
Even though I'm not located there. And let's say I've never stepped foot in Nevada, that doesn't matter.
[19:12] So you mentioned something which I don't even have a written down that I was gonna ask you. But it triggered something in my mind.
And I think that I read, you know, sometime in the past couple of weeks, while I was doing all this, that the California privacy law, does that only kick in for certain sites or businesses of certain size?
Or wasn't there some criteria for that, or am I off base on that?
Yeah, you're correct. Actually, it's so nice to talk to somebody who, like, did their research.
And I'm sorry that you had to do that because it could be frustrating for a lot of people.
So California actually has two privacy laws.
One is the one that I previously mentioned, CalOPPA. That one does not care about the size of your business or where you're located.
[20:00] The second one is the California Consumer Privacy Act, which is a law that was passed recently, and it was actually recently amended by the California Privacy Rights Act.
And I think just that combination of the three illustrates how complicated this could get.
And you really want an expert taking a look at this. But the CCPA.
So if you have like a certain revenue threshold or,
if you sell 50% or if you receive 50% or more of your annual revenue from selling the PI of California consumers, or if you collect the PI of 50,000 or more California consumers per year,
so generally speaking, the CCPA will apply to larger businesses
only. However, one big portion of the CCPA is vendor management.
So if you're a developer and you're doing business with a large company like let's say you're building a website for a large company and you have access to their databases.
[21:05] Um, just through the nature of managing their site and you have access to that PI, your customer might actually require you to comply with the CCPA.
Because if you have access to their PII and you're not compliant, that means they're not compliant.
So it's important to check your contracts. Um, if you're doing business with larger companies, especially ones that are based in California, you should definitely check your contracts to make sure that they're not requiring you to comply with the CCPA
just because you're building them a website.
And I'll give you, I'll give you a great example. Just from my process over the past couple of weeks is I had no idea until a couple weeks ago that Nevada had privacy laws.
Exactly. I don't know when that happened, but, uh, it's not in my circle of, like, daily news where I would even, like, that would ever be on my radar, right?
So if I can illustrate an example for you right now, there's, right now,
there's 23 proposed privacy bills in the United States, um, those are bills that I track on a daily basis through three different software programs that send me alerts.
So right now, we have a certain number of privacy laws out there.
There's a lot of stuff happening in California. So, for example, when a new privacy law's passed, the state attorney general will come out with regulations.
So unless you have alerts set up for the California Attorney General's, like, privacy section, you won't know about this.
because you have all of these changes to existing laws and you have all of these states proposing their own privacy laws. And that's not even to discuss, like other countries.
So, for example, Canada has a privacy law, and right now they're considering changing that law to allow consumers to sue businesses directly for privacy law violations.
So and it's not just consumer, not just businesses that are based in Canada.
But it's really hard for small businesses to do that because it's very time consuming.
It's difficult because you have to read laws and interpret them and understand the cases and what the wording means and keep track of the regulations.
Um, you know, and that's what makes privacy so difficult for small business owners, and that's why we started Termageddon, is to help make that process less painful.
[24:11] Yeah. Sounds like a great business opportunity for someone who can get through all of that legalese and still be awake.
Yeah, I am not that person. We're very lucky that I love my job. Very lucky.
And you know the wide open question. Obviously, it probably,
three months, six months, nine months Like what's what's? Is there any advice there?
Sure. So you know, if you ask me this question like, five or 10 years ago, I will probably never, um, you know, down to three days every three days.
Regulators didn't really pay that much attention to it.
Um, no one paid that much attention to it. I mean, you copied and pasted some template, and that was it.
[25:25] Um, because of the Cambridge Analytica scandal, that all changed. So in 2018,
that happened, and consumers became very upset about their PII being scraped and shared and all of that. So they pressured their legislators to create new privacy laws.
[25:44] Um, I can tell you that in the last year we've updated our clients' policies,
I believe, five times. So you had Nevada's privacy law was amended, so we had to make an update for that. California Consumer Privacy Act
and the regulations updates. Brexit, which was a big update as well.
So in reality five years ago, the number would have been zero.
Now the number is probably five or six times over the year, sometimes less, sometimes more.
So if you amend your form and now you're collecting phone numbers and you never collected them before, if you want to use PI for new purposes. So, for example, if now you want to send an email newsletter.
Um, you should update your policy if any of your privacy practices have changed.
And then also, I think at a minimum you should definitely review it at least once a year to make sure that it's accurate.
[26:57] Okay, and that's kind of what Termageddon does, right? So this is a service that folks pay for, and for,
I believe plans start at $99 a year, and correct me if I'm wrong on that. $10 a month or 99 a year. Yes, yes.
[27:22] Um, you know, I went through the process with Termageddon and there's I don't know how many questions there were, but there are a bunch of questions about what kind of data we collect, what we're gonna use it for.
[27:32] Um, you know, where we do business and questions like that. And then the policy was generated and it's kind of slick because it's generated, um, automatically.
So I'm assuming that if there's some tweaks to the language that, that you make in the next month or so, there's really nothing I have to do.
Well, in some cases, there would be nothing that I have to do. I'm just, you know, automatically, I would get that, the new text coming through the iframe. I have that right?
We don't charge extra based on the laws that you need to comply with,
um, and essentially, when a new law is passed, we update your policy through that code. So most of the time it is automatic.
We could just add some language or take some language away from our end.
But if a new law passes that requires some obscure disclosure that we couldn't answer for you, we might send you a question in an email. So, for example, let's say a new law passes that asks you to disclose whether you sell information.
[28:53] We just send you an email asking you, hey, do you sell information? You click yes or no, and then your policy is updated accordingly.
[29:01] Alright, so let's wrap this up. And this was the trickiest part for me personally. Um, was, there was, there were some things that we were doing. We're starting a ADC, an online ad campaign.
Um, in the next few weeks here, and there are some privacy implications there. And it wasn't, as far as I could tell, there's nothing like in the questionnaire that directly corresponded to what we were doing.
Um, I ended up just, just adding kind of like an addendum to the end. But that person almost not important what I want to talk about and, um, you know, we exchanged emails about this. I'm pretty sure what I'm about to say is correct.
But please, you know, correct me or add on as you see fit.
[29:58] Um, for the stuff that I had to add, which I think a lot of folks we're probably gonna you know, everyone's got weird edge cases here and there.
[30:15] Why is it being collected?
[30:17] Where is that data going? Like, where does it go? Is it staying with your company, or is it being shared with other companies or other organizations?
Um, how can I opt out?
And I guess opt out was almost How can I opt out from you even collecting data on me?
Or how can I opt out? Say, forget about me, for GDPR, which, I can't believe we're 29 minutes in and this is the first time either of us has said GDPR. One of the things about GDPR is you have to,
the consumer has to give consent before you can even start collecting data.
So that's, you know, I kind of figured out all of those questions, and I wrote kind of our addendum based on those questions.
Do I have all that, like, as far as broad strokes? Are there any big questions that I'm not answering? This part of that?
[31:07] Sure. So the questions that you just said are based on your business and exactly what you do. So,
so, I think, yeah. You know, if you look at it from a general perspective, yeah, it's what information you collect, what do you do with it, who you share it with.
[32:10] But, you know, certain privacy laws have very specific disclosures.
Well, I think that that's about all I you know I can think of to ask you at this time.
I mean, I know that you you know, you answered a lot of my questions online over the past couple of weeks, So I wanna say thank you for that.
[32:43] Um and I would just encourage I mean, folks, you know, I can't imagine that there's anybody who listens to this podcast,
[33:03] Um, so I encourage everyone to go and check out Termageddon dot com. So it's T-E-R-M-A-G-E-D-D-O-N. Donata, I want to thank you very much for your time here over the holidays. I appreciate it.
Of course. Thank you so much for having me on. I'm always happy to talk about privacy,
um, and help answer any questions that our customers have or that any of you have.
[33:28] Yeah, you saw me in a conversation on Twitter about it and you, you chimed in, which was, which was very nice. And I appreciate it.
That always helps when, you know, you do have a couple of competitors out there that I saw and, um, you know, being able to find someone who is willing to engage in a one on one conversation online is, you know, very helpful. So I really do appreciate that.
Thank you. Okay. You are very welcome. And thank you very much. Donata. Let's move on to the next segment.
Thank you for listening to the DrupalEasy podcast.
If you like what you heard, please subscribe to our podcast, and you can find us on any of the major podcast services.
Or if you use YouTube regularly, you can subscribe via youtube dot com slash Drupal Easy.
We also provide a transcript of this episode at Drupal easy dot com.
[34:32] Finally, if you have suggestions for future guests or topics, please let us know on Twitter at Drupal Easy or via the Drupal easy dot com contact form.
Thanks for listening, Seeya.