Make Your Business’ Privacy Policy Compliant

Host: Jon Penland

Donata Stroink-Skillrud is the President at Termageddon and the vice-chair of The Privacy Committee of the American Bar Association. In this episode, she explains why companies need privacy policies and emphasizes the risks if businesses don’t comply with the law. But there’s more: as a business owner, Donata faces many challenges, so she reveals ways of dealing with them.

Duration: 48 minutes


Episode Summary

In this episode of Reverse Engineered, Jon Penland introduces Donata Stroink-Skillrud. Donata is the President at Termageddon. She is also the Vice-Chair of The Privacy Committee of the American Bar Association.

Donata explains why companies need privacy policies and emphasizes the risks if businesses don’t comply with the law. She also talks about Termageddon’s services, including policy education. 

As a business owner, Donata faces many challenges, so she reveals ways of dealing with them. She also says that having an investor is great because it ensures stability, especially in times like these.

Key Insights:

Today’s Guest: Donata Stroink-Skillrud, President at Termageddon

Donata is the Vice-Chair of The Privacy Committee of the American Bar Association and the chair of the Chicago Chapter of the International Association of Privacy Professionals.

Episode Highlights

Why Do I Need a Privacy Policy?

“Websites collect what we call personally identifiable information or PII, and that’s names, emails, phone numbers, IP addresses, anything that could identify someone. A lot of people don’t think that they collect PII. But, if you have a contact form, if you have a newsletter sign-off form, if you have analytics, you do collect that information.

Privacy laws require websites to have a privacy policy. If your website does not have a privacy policy or it has one, the last time you looked at it, it was five years ago, you’re out of compliance and could potentially be opening up yourself to fines and lawsuits.”

Don’t Pick Vendors Too Quickly

“When it comes to vendors, the first thing that I would do is I would look at their privacy policy and see when it was last updated. So privacy laws and requirements change so frequently that if you’re looking at a vendor and the last time they updated their privacy policy was 2015, that’s not the vendor for you.

I would also contact their support. In the privacy policy, you’ll see a contact email. If you don’t see a contact email, that’s a red flag. See if a vendor has a data protection officer on their team or even a privacy compliance specialist. Even search for lawsuits.”

We Started Very US Centric

“I think it was a bit naive on our part when starting this. We thought we are going to have customers in the United States only and that no one else will be interested in our product. Well, two years down the road, that was pretty stupid. So, currently, we provide compliance solutions for people located in the US, UK, Canada, and we’re working on launching in other countries shortly. Right now, we’re creating policies for our Australian customers. We’re launching into more and more countries and needing to focus on more and more privacy laws.”

The Gold Standard of the Approaches

“It’s a question in our privacy policy questionnaire: Do you want to provide GDPR rights to EU residents only, or to everyone that visits your website regardless of your location? We allow our customers to make that choice for themselves. But in reality, the best thing to do is to apply the most stringent standard to everyone. That’s fair, and also, you’re not going to spend as much time and money on compliance because everybody’s going to meet the same standard.”

Termageddon: I Would Call It My First Venture

“I was in private practice beforehand. I didn’t want to write privacy policies anymore, but people still needed them. Right before I went full-time for Termageddon, I worked for a company that did marketing for banks.

We started Termageddon, and I was working full time. And we saw Termageddon take off. We saw more privacy bills, we saw CCPA coming around, and we just got more customers. And I was like, this is the right time for me to go into something that I’m really passionate about. That’s when I decided to go full time.”

The Biggest Challenge Is Mapping Privacy Laws Together

“My biggest challenge is mapping all of these privacy laws together. And as new privacy laws get added, you’ll get new questions and variations to the point where there are millions of different combinations that you can make.”

Having Investors Is Nice

“I’m personally more of a bootstrap person. But we do have investors, and I have to say having investors is nice. It can be hard sometimes. But having that kind of security and being able to draw a salary and take vacation days is very important. If you’re on your own and have no support from anybody else, it’s a lot harder to make it. I’m very happy that we went the route that we did.”

Transcript

[00:00:04] Jon Penland: Hey everyone. My name is Jon Penland and this is Reverse Engineered by Kinsta, a premium managed hosting provider. In today’s episode, I’m talking with Donata Stroink-Skillrud, President of Termageddon. Donata, welcome to Reverse Engineered.

[00:00:18] Donata Stroink-Skillrud: Thank you so much for having me, I’m very excited to talk to you guys about privacy today.

[00:00:23] Jon Penland: Awesome. We’re really excited to have you on Reverse Engineered. To get us started, can you introduce yourself to our listeners?

[00:00:30] Donata Stroink-Skillrud: Sure, so just like you said, my name is Donata and I am the President of Termageddon, which is a generator of privacy policies and terms of service and more for websites. I am a licensed attorney focusing my work in privacy and a certified information privacy professional as well.

[00:00:49] Jon Penland: Okay. Awesome. For any of our listeners who may not be familiar, you gave Termageddon a really brief plug, give Termageddon in a little bit more of an introduction. What’s Termageddon all about for our listeners’ sake?

[00:01:00] Donata Stroink-Skillrud: Yeah, of course. So basically what we do is we create privacy policies, terms of service, disclaimers, and end-user license agreements for business websites. And the way that we do it is we actually figure out what laws apply to you, ask you a series of questions, and generate a customized policy based on your answers.

[00:01:21] And we keep those policies up to date as well. So I think we’ll talk a little bit later about new privacy bills that are being introduced. So we actually keep track of all of those and make sure that your privacy policy does not get old and out of compliance.

[00:01:35] Jon Penland: So it’s rather than a set it and forget it privacy policy. It’s one that adapts as the privacy environment changes.

[00:01:44] Donata Stroink-Skillrud: Exactly, exactly. And that’s something that’s become a lot more important over time.

[00:01:50] Jon Penland: Yeah. Okay. So in this conversation, I really want to talk about two different pieces. So one would be the product at Termageddon and how all of that works. And then the second is just a little bit of your backstory, as a company founder, as somebody starting a venture. So let’s start by talking product. So, if we back up a step, big picture, I’m somebody who has a website, why do I need a privacy policy? What does that do for me?

[00:02:17] Donata Stroink-Skillrud: Sure, so websites collect what we call personally identifiable information or PII, and that’s basically names, emails, phone numbers, IP addresses, anything that could identify someone. And a lot of people don’t think that they collect PII, but I’ll tell you right now, if you have a contact form, if you have a newsletter sign off form, if you have analytics, you do collect that information and privacy laws govern the collection of that information.

[00:02:46] So you don’t necessarily need to sell it, share it, or even use it. The moment that you collect that information, privacy laws can start applying to you, and privacy laws require websites to have a privacy policy that makes some very specific disclosures. So, if your website does not have a privacy policy, or it has one that the last time you looked at it was five years ago, you’re out of compliance and could potentially be opening up yourself to fines and lawsuits.

[00:03:15] And because of the amount of privacy laws and privacy bills in the US and across the world, it’s really hard for small business owners to keep up with all of that and make sure that their privacy policy is correct and up to date. So we solved that problem by providing an easy-to-use and affordable solution.

[00:03:35] Jon Penland: Yeah. Yeah. I can tell you, at Kinsta we have a lot of conversations around privacy and we’re not a really small operation and it is a major undertaking, even at a, maybe even more so at a larger company, trying to wrap your head around, what are the implications, what are we gathering, where are we storing it, all of these different details. 

[00:03:54] And I think one of the things that a lot of website owners might not realize is that even if you say this is purely a brochure site, I don’t have a contact form, I just have a phone number on my site, whatever, coming from the hosting side, you are still collecting personally identifiable information because your hosting provider is logging every visitor who comes to your site and they’re getting that IP address and they request information. So it’s almost impossible to have a website and not be gathering some sort of personally identifiable information. Is that what you found working with your clients as well?

[00:04:33] Donata Stroink-Skillrud: Yeah, absolutely. One of the questions that we ask when creating these policies is, “Do you share this information with anyone?” And anytime we ask that question, the gut reaction is to be offended, like, “How dare you ask?”

[00:04:47] Jon Penland: “I would never do that”.

[00:04:49] Donata Stroink-Skillrud: “I would never do that.” And then, it turns out that they use a hosting provider. Turns out that they have a mailing list on MailChimp or Constant Contact or something like that. It turns out that they share that information with their website designer. A lot of people are sharing information and not realizing it, and I think it’s important to note that, when you host a website, it’s not just a Kinsta thing to collect this information, you have all the hosting providers collecting that. And, I think Kinsta does a great job with privacy. I’ve looked at your privacy policies and data protection agreements out of curiosity, which I’m sure I’m like the only person that’s done that.

[00:05:33] Jon Penland: Yeah, out of curiosity.

[00:05:37] Donata Stroink-Skillrud: Yeah. I think it’s important to choose a hosting provider that’s privacy-conscious as well so that’s a determination that you should make as a business owner, too.

[00:05:45] Jon Penland: And we actually can move into, that kind of leads me into another question, which is when you operate a business, a privacy policy is not a magic bullet. Like you can’t just say I have this privacy policy and so I’m done, I’m covered, at least that’s my perception is that really the privacy policy is just documentation of what you’re doing.

[00:06:10] And what needs to happen is that your company practices have to align with what your privacy policy says you’re doing. And how do you talk to your clients about that balance or about making sure that the privacy policy reflects reality?

[00:06:28] Donata Stroink-Skillrud: Yeah, absolutely. So the privacy policy is really one of the first steps in compliance, right? So when consumers are looking to exercise their privacy rights, when States’ Attorneys General are looking for companies that are not respecting privacy rights, the first thing that they’re probably looking at is whether you have a privacy policy, because that’s the easiest way to determine if you are complying with the law.

[00:06:51] So you either have a privacy policy that has all the necessary disclosures or you don’t, right? So that’s the first threshold to pass, but privacy laws have also different requirements, too. It’s not just about having a privacy policy. So for example, let’s say you have a consumer visiting your website, from Nevada, and they want to opt-out of you selling their personal information.

[00:07:16] So when they contact you to opt-out, you have to respond to that request within a certain period of time. You have to respond to it properly, you have to honor their privacy rights. So, really what we do is we provide different compliance guides to our customers as well and a lot of different resources explaining what these privacy laws mean and what they require.

[00:07:36] So if you go to our blog you’ll actually find a lot of different resources that we offer to everyone to read up and understand what these requirements are. And then, you know, as you said, you have to make sure that your privacy policy meets the actions of your business. And I think a lot of people that use templates or that take their competitor’s privacy policy and copy and paste it onto their website are making a huge mistake because the Federal Trade Commission considers that a deceptive act.

[00:08:08] So even if you don’t have to comply with any privacy laws, but you have a privacy policy that’s not accurate to your business, that can actually get you into a lot of trouble with the Federal Trade Commission. So when we ask the questions, your answers are used to generate the policy so that it fits exactly what you say that your business does.

[00:08:30] And then, if your practice has changed, you can always go into your account and then update that policy to reflect your practices. And then that policy will update to make sure that it’s accurate to what you do with that information.

[00:08:42] Jon Penland: So outside of Termageddon, I think you also just practice as a data privacy attorney. Is that accurate?

[00:08:53] Donata Stroink-Skillrud: I did. So before, yeah, so before I started Termageddon I was in private practice. And that’s actually how Termageddon got started. So I used to work with website developers and I used to write like website design contracts, website development contracts, marketing contracts, stuff like that.

[00:09:11] And my clients would say, all right I launched this website and now my client wants to have a privacy policy. Can you help them out? And that’s how all of this started is I was writing these privacy policies and terms, and I noticed that I was using very similar questions. I had five or six templates that I would Frankenstein together into a privacy policy.

[00:09:37] And it was just a really tedious, boring process. And I’m like, there’s gotta be a way to automate this. And then my boyfriend at the time, now husband, was working in web design as well. And his clients wanted privacy policies, but couldn’t afford a privacy attorney. And the generators that he would send his clients to, wouldn’t give anything to him, he’d just send them all this business and it was like, okay, thanks, bye. 

[00:10:05] So we added both of our frustrations together and came out with Termageddon which generates the policies. And we also have an Agency Partners program so we give agencies the way to make a recurring revenue with us too.

[00:10:17] Jon Penland: Sure. When you… I’m coming at it from the perspective of an operations person. And one of the things that I really wrestle with in the data privacy space is what I refer to as SaaS Sprawl, which is the fact that as a company, we’re constantly checking out a new tool, marketing will come and say, “Hey, we wanna look at this new tool, something that ties in with HubSpot or whatever.”

[00:10:44] And, in order for us to be compliant, it’s really critical that we be aware of what we’re using, what data it’s receiving, is that company compliant, or do they at least have a privacy policy that demonstrates that they’re compliant with relevant legislation? So, do you have any sort of framework that you would advise companies to think about?

[00:11:09] Because the privacy policy is really one piece, as you alluded to, one piece of a much broader compliance program or a much broader compliance issue. And I’m just curious, if somebody came to you and said, “Hey I run this company, thanks for the help with the privacy policy, how do I actually manage this?” Are there any tools or any practices that you recommend?

[00:11:33] Donata Stroink-Skillrud: Sure. So, I think when it comes to picking vendors, don’t pick them too quickly. So a lot of teams will find a new tool and it’s shiny and fun and nice. And all of a sudden, now you’re changing all of your processes and sending them all of your customer data without ever looking at what they’re doing.

[00:11:52] The first thing that I would do is I would look at their privacy policy and see when it was last updated. So privacy laws and requirements change so frequently that if you’re looking at a vendor and the last time they updated their privacy policy was 2015, that’s not the vendor for you.

[00:12:10] The last time they updated it, yeah, if they updated in 2020, 2021, maybe even 2019, that can be more of a sign that maybe they’re more up to date with things. I would also contact their support and say, all right, so I’m going to send you all this data. Let’s say I get a request from one of my customers to delete their data. How do you handle those requests?

[00:12:39] Jon Penland: Interesting.

[00:12:39] Donata Stroink-Skillrud: And, when it comes to the privacy policy, in the privacy policy you’ll usually see a contact email. If you don’t see a contact email, that’s a red flag, but I would email them and see how fast they can respond.

[00:12:54] Because certain privacy laws, you have a requirement to respond to requests within let’s say, 30 days. So if you email them and your email is never responded to, they’re not compliant. And see who’s on their team, see if they have a compliance person on their team, see if they have a data protection officer on their team, or even like a privacy compliance specialist. 

[00:13:19] And, it really depends on what you’re sharing with them and how much you’re sharing with them. You kind of do almost like risk analysis and maybe even see a search by company name and lawsuit. So if you go to Google and search, like for example, Iron Mountain lawsuit, you’ll see if they’ve been subject to any lawsuits in the past and what those lawsuits have been regarding. Those are some of the things that you should look out for when choosing vendors.

[00:13:50] Jon Penland: Yeah, that’s fantastic. I actually made a little list as you were talking, cause I think that’s really useful. For ourselves and for our listeners, when you’re looking at new vendors, checking things like the last updated date on the privacy policy, contacting support and asking them questions about how they handle requests for end users to exercise their rights such as the right to be forgotten.

[00:14:15] Checking out how their privacy team is structured. Do they have somebody dedicated to that function? Contacting the email address that’s listed in the privacy policy, seeing how quickly they respond, and then checking out lawsuits. Those are actually, having checked out quite a few vendors, those are things that you could do in 15, 30 minutes.

[00:14:38] This is not a significant investment of time to really make sure that vendor is at least paying attention to privacy policy. That’s a really useful list, I think, for all business.

[00:14:49] Donata Stroink-Skillrud: Yeah. That’s, I think that’s the first couple of steps that you can take to easily weed out vendors that don’t care about compliance. And then, if you get good results on those items, you can go in a little bit further and look further, but you’ll be surprised with the things that you can find just by searching company name and lawsuit. Some of those things can get funny, but…

[00:15:11] Jon Penland: Yeah, no, that’s really great I think that’s a really valuable list. So something that’s really unique to Termageddon, I’m not aware of anybody else who does this, is that when you use, if I understand it correctly, when somebody uses Termageddon for their privacy policy, and you guys do more than privacy policy, you do terms of service and other things, you guys update those policies automatically as legislation changes. 

[00:15:36] And I’m curious why you chose to go the route of updating those policies automatically, as opposed to say, notifying your customers “Hey, you should update your policy, here’s a new copy.” So why are you updating it? If I understand it correctly, you’re doing it in the background. Why have you chosen to go that route?

[00:15:56] Donata Stroink-Skillrud: So we kind of do both, right? So let’s say there’s a new privacy law that passes that requires a new disclosure that we can’t answer for you. So for example, let’s say there’s a privacy law that says you need to disclose whether or not you sell the personal information that you’re collecting.

[00:16:11] Obviously we can’t answer that question for you. So what we would do in that case is send you an email, ask you that question, you’ll respond yes or no, and then the policy would be updated automatically to be customized to your answer. But there are also privacy laws that require new disclosures that we know the answer to because they were asked in previous questionnaires for previous privacy laws that were passed. In which case, we know your answer, and we can just make that automatic update for you, but we will always notify you and let you know.

[00:16:45] So it’s not just like we’re making updates to your policy and you have no idea what’s going on. But, what we found is that customers don’t want to deal with their privacy policies. Like we’re a service that you don’t necessarily really want to do. Like you have to do it, but it’s not like- nobody’s excited to wake up in the morning and update their privacy policy, except for me.

[00:17:10] Nobody else is excited to do that. So we tried to make the processes easy and seamless and to take the least amount of time possible for our customers because it’s just kind of like a task, chore that you have to do so I try to make it as easy as possible. So that’s why we chose the automatic updates, but we do include notifications every time, too.

[00:17:32] Jon Penland: Yeah. And I’m curious, one of the, one of the points of conversation on a regular basis, between folks who deal with terms of service and privacy policies, is notifications to end users, right? With a notification to an end user, should you be notifying an end-user via email every single time something changes? Should you, should updating the date, be sufficient? I’m curious how Termageddon approaches that question of updates to policies from the end-user perspective.

[00:18:05] Donata Stroink-Skillrud: So we don’t have access to our clients’ end users. So our clients who are the businesses that are creating the policy, it’s up to them to determine how they would like to notify their customers. Now, the privacy policy itself will ask you how will you notify customers of updates so you can choose whether or not you will just post it on the website or you will send an email or what you’re going to do. Now, what you’re required to do, it really depends on what privacy laws apply to you. So some privacy laws don’t require notification, some privacy laws say that posting it on the website is sufficient. Other privacy laws require you to actively inform a consumer, so send them an email or have some kind of a pop-up notification on your website.

[00:18:55] What you’re required to do really depends on what laws apply to you and then what you’re comfortable with. So some people will notify their customers only with material updates, so let’s say you decide to sell information where you’ve never sold it before. Others send an email every single time, even if it’s just like a grammatical change.

[00:19:17] Jon Penland: Right, or editorial change.

[00:19:20] Donata Stroink-Skillrud: That, yeah. But I think it’s important to remember that you don’t want to overload your customers with these notifications because they will stop reading them. So if you’re sending them an email every time you change one word that has no legal consequence, you might be overdoing it a little bit. But then, if you’re using information in new ways, or sharing it with new third parties, or you’re selling information, or doing something that’s drastically different from what you’ve done before, then I would say you should probably let people know because otherwise, they have to be able to make a choice, whether they want to do business with you, whether they want to give you their personal information and you have to be transparent about that.

[00:20:02] Jon Penland: Yeah. Yeah, absolutely. I can imagine, if you, just for myself, if I start using a vendor and then I show up six months later and I have reason to check their terms of their privacy policy and something’s changed dramatically without any sort of notification or warning that could certainly leave a just a bad impression.

[00:20:21] And that is our approach. Like we say material changes, our documents say that we’re going to notify you by updating the date. In practice, for material changes we always email our customers, we always shoot them an email that says these are the material changes, these are the sections that were updated, and notify them in that way. And we do that, not just for the privacy policy, but across the board.

[00:20:46] Donata Stroink-Skillrud: Yeah. And I think that’s probably the right thing to do even if you’re not required to do it by law. To me, as I try to approach things as a consumer myself. If I was using the service, what would I want to know? And I think that’s, you guys are doing the right thing.

[00:21:02] Jon Penland: And I, I think the interesting thing about it is that those notification emails can feel heavy to write. The truth is that I don’t know what the percentage is, but I would venture it’s a significant majority of customers are deleting that email, the moment they see it. That the folks who are actually reading it, you do have a subset of customers who genuinely care and that’s who you’re writing it for. You’re writing it for I don’t know what the percentage is, 10% maybe of your customers, who genuinely care about what’s in the terms of service what’s in the privacy policy, and that’s really who you’re writing it for. Most of your customers, they care more about their day-to-day experience than what’s in the legal agreements that you’re working with.

[00:21:47] Donata Stroink-Skillrud: Absolutely.

[00:21:49] Jon Penland: So the data privacy legislation landscape is really complex and fractured, right? So you’ve got, I think the big ones everybody knows about are GDPR and CCPA, the two prime most well-known, but there’s data privacy legislation in Canada, Brazil, South Africa, there’s legislation in a couple of different states as well.

[00:22:11] Do you try to be an expert in all data privacy legislation? Or do you try to consider some of it out of scope? How do you approach just this fractured and complex legal environment that you operate in?

[00:22:23] Donata Stroink-Skillrud: So would the question be how I approach it or how our customers should approach it?

[00:22:27] Jon Penland: So well, let’s look at it from both ways. The question is how do you approach it? Because you’re providing a service to your customers where they are then indicating, providing information to you, you’re advising them effectively, or you’re providing a privacy policy that’s designed to comply with certain pieces of legislation. Do you ever say, POPIA from South Africa, that’s going to be out of scope for us, or do you consider everything in scope?

[00:22:58] Donata Stroink-Skillrud: Yeah, when we first started the business, we started very US-centric. I think it was a bit of naivety on our part when starting this. So, we kinda thought we were going to have customers in the United States only, and that no one else was going to be interested in our product.

[00:23:16] Two years down the road, that was pretty stupid. So yeah we focus on, so currently we provide compliance solutions for people located in the US, UK, and Canada. And we’re working on launching in other countries shortly. So right now we’re actually creating policies for our Australian customers, right?

[00:23:43] So as time goes on, we’re launching into more and more countries and obviously needing to focus on more and more privacy laws. For me, I’m an expert in privacy policies. So I don’t pay too much attention to the portions of the laws that talk about security and all that, except for when it comes to our internal security, obviously.

[00:24:05] When you focus your work on privacy policies, it’s very complicated, but it’s not as bad. Essentially, what we do is we pay attention to the legislation that talks about privacy policies for business websites, whether it be large businesses or small businesses, and information that’s collected by these websites.

[00:24:28] So these websites don’t really collect biometric information. So that’s a whole slew of laws that kind of falls away there that we don’t need to worry about too much. There are certain industries that we don’t cover. So for example, we don’t cover HIPAA compliance and we don’t cover COPPA compliance.

[00:24:47] So those are certain things that fall away as well. So, when it comes to these established privacy laws, those are the ones that we care about and the ones that I study and work with. And then also keeping track of privacy bills in the US and abroad. So, I’m actually very lucky to be a part of a couple of really great organizations.

[00:25:09] So I’m the Vice-Chair of the ePrivacy Committee of the American Bar Association and the Chair of the Chicago Chapter of The International Association of Privacy Professionals. And both of those groups are absolutely crucial in helping me stay up to date with these developments and I don’t really know where I’d be without them.

[00:25:28] The work that I do comes from a multitude of different sources so the ABA IAPP privacy bill trackers, software that helps me track privacy bills, and all of that. So my work comes from a lot of different sources and I understand that it’s unrealistic to expect a small business to purchase a subscription to LexisNexis State Net and read every single privacy bill, which I think there’s 25 now that are in play.

[00:26:00] So first of all businesses, it’s a lot more difficult to keep track of all of this than it is for a licensed attorney who has access to all of these different resources.

[00:26:10] Jon Penland: Yeah. Yeah, because you brought it up there at the end and you brought it up when I first asked the question, As a small business with limited resources, how should they be thinking about the Data Privacy Legislation Landscape, because it’s so complex and you’ve outlined the challenges. They’re not a licensed attorney that can spend their time digging through legislation. So how should they approach this problem?

[00:26:38] Donata Stroink-Skillrud: Sure. And maybe if I can speak to the problem a little bit more to help people get a background, if you’re not an expert in privacy law. So in Europe which is the European Union is a combination of a multitude of countries, instead of each country having its own privacy law, they came together and came out with GDPR, which is an overarching privacy law.

[00:27:02] In the United States we don’t have that. So we don’t have one set of rules. There is very little to no movement on the federal level, unfortunately, to pass an overarching privacy law. So each state is passing its own privacy laws. So we have ended up at this patchwork, right?

[00:27:22] And privacy laws are unique in the sense that they protect customers and not businesses. So they have a very broad application. So for example, one of California’s privacy laws, CalOPPA, will apply to any website that collects the personal information of California consumers. As we all know, that’s every website with a contact form, right?

[00:27:44] Anybody from anywhere could submit their information. And that’s the issue. So as we see more and more of these bills being passed, we could end up with 20, 30 privacy laws that a small business is going to need to comply with, which is essentially impossible unless you want to dedicate your life to privacy law compliance, which I’m sure no one wants to do.

[00:28:07] What I would suggest as a small business is I would get a tool. I would get a tool that helps me with my privacy policy. I would get a tool that helps me with the rest of my Privacy Law Compliance. And I would make sure that those tools keep me up to date. So when there’s a new privacy law that’s passed, get that notification because otherwise you’re going to have to track every single state and that takes a lot of time.

[00:28:33] Jon Penland: Right. Now, as far as actual practices, like the workflows and the processes that happen behind the scenes that the privacy policy describes, I think probably Kinsta’s not alone, our approach has basically been to take the most demanding requirement. So whichever legislation that we feel applies to us, whether it’s GDPR, CCPA, or whatever the most challenging compliance pieces, we just go ahead and apply that globally and say, we have to do this for consumers in the European Union. It doesn’t make sense for us to have one practice for consumers in the European Union and a different one everywhere else. So we’re just going to do that everywhere. That’s going to be how we operate globally. Is that the approach you would recommend to your customers?

[00:29:24] Donata Stroink-Skillrud: I love that approach. I, I think that’s the gold standard of the approaches. And it’s funny because it’s actually a question in our privacy policy questionnaire. Do you want to provide GDPR rights to EU residents only, or to everyone that visits your website regardless of your location? And we allow, obviously allow our customers to make that choice for themselves.

[00:29:49] But in reality, the best thing to do is to just apply the most stringent standard to everyone. Because number one, you’re going to make sure that you’re in compliance; number two, you’re not going to alienate your customers. Let’s say I’m from Illinois and I go to your privacy policy and I see that EU residents get all these rights and I’m like “Man, I don’t get any of these rights” but if a company offers everyone these rights, I’m like, “All right, that’s nice. Like that’s nice, that’s fair.” And also you’re not going to actually spend as much time and money on compliance because everybody’s going to meet the same standard and you’re not going to have to bother with figuring out where people reside and what they do and where they are and all of that, it’s just going to be one standard. So I like that approach. I wish more companies followed it.

[00:30:38] Jon Penland: Yeah. We’ve just found that operationally we can’t. It’s just so much more efficient. So if somebody comes to Kinsta and says I was your customer, I’m not anymore and I want to be forgotten, we don’t even bother asking the question where are they from. They’re just like, okay, we have a process for deleting this user’s data and then a process for confirming that we deleted and then actually removing our communication. 

[00:31:01] So all we’re then storing is a record of the fact that we complied with their request and that’s it. And that’s just easier than making it complex by adding in a step where we have to figure out where they’re from and yeah, it’s an unnecessary complexity.

[00:31:17] Donata Stroink-Skillrud: That’s what we do too. Let’s say somebody is working at a company and their email changes, or they got married and their last name changes, like I’m not gonna bother with that. I’ll just do it, it’s no big deal. I’ll just do it. And I think it’s really important to map your data as well.

[00:31:37] It’s gonna be way easier to get in compliance with these requests and just do them if you know where your data is. So if you have a map and say “Okay, I collect this at the website, this is who I share it with, this is where I store it, okay.” And then I can just go down a checklist and say, all right, delete that email, or delete that contact from SendGrid or contact this provider and ask them to delete that information.

[00:32:05] It can be a very easy process when you get a data deletion request, especially for small businesses where you don’t share data and don’t keep it in too many places. You go down this checklist, and for us, if we get a data deletion request, the process is about 20 minutes long and then it’s over and then we’re done.

[00:32:23] Jon Penland: Yeah. It’s about the same for us. There’s one step that requires the involvement of somebody from our technical team. But with the exception of that it’s a 10-minute process, rope somebody in from the technical team, delete it and you’re done in 10, 15, 20 minutes and you can move on with your day.

[00:32:40] Okay, shifting away a little bit from the product of Termageddon, I wanted to talk about just your own experience as a founder. So is Termageddon your first venture, have you had other projects you’ve started before Termageddon?

[00:32:58] Donata Stroink-Skillrud: I would say Termageddon is yeah, I would call it pretty much my first venture. I was in private practice beforehand, that was for a couple years. I wouldn’t really consider that as a quote unquote venture. So I think so, yes.

[00:33:15] Jon Penland: Okay. What convinced you that it was time to make the leap and start, more of a startup less of a… I think of private practice, I was a freelancer for a while where I was a content producer. And I see those where you’re, you’re really just exchanging your time for payment.

[00:33:35] So it’s just, it’s really just you’re selling your time and moving from that to selling a product or a service. So, what convinced you that it was time to make that transition into the startup space?

[00:33:45] Donata Stroink-Skillrud: So, two things. One is I had a problem that I needed to solve, and that was, I didn’t want to write privacy policies anymore. But people still needed them and I was still being bugged 24/7 to write these things. And it was just boring and repetitive, and I was like, I don’t want to do this anymore.

[00:34:07] And then two, before I went full-time for Termageddon, I was actually working for a company that did marketing for banks. So, I’m sure everyone here has received that pre-approval letter for a credit card? That’s what the company did, and I was like, “What am I doing here?” Like I have personally opted out of receiving that junk mail.

[00:34:32] I see, yeah- I see like millions of people getting these letters, that everybody’s throwing out and it’s just garbage. I’m like, I don’t want to do this, this feels weird, it feels wrong. Like I work in privacy and I’m like working for a company that sends people junk mail. I don’t want to do this anymore.

[00:34:51] And we started Termageddon and I was working full time. And we saw Termageddon take off. So we saw more privacy bills. We saw CCPA coming around and we just got more and more customers. And I was like, you know what? This is the right time for me to be done with this junk mail nonsense and go into something that I’m really passionate about. And that’s when I decided to go full time.

[00:35:20] Jon Penland: Yeah, but it sounds like really the transition you made was to transition from writing policies to helping companies be compliant. Is that a good distinction to make in that, before you were writing privacy policies for people, now you’re doing more than that. You’re really trying to help companies be compliant with data privacy.

[00:35:44] Donata Stroink-Skillrud: Absolutely. And, I think now it all comes from an education perspective. So before I used to have people contact me, telling me they need a privacy policy and can you please write it. Now it comes more from like an educational standpoint of letting people know, “Hey, you need this.” And also it comes from creating a solution that’s affordable for small businesses because as much as we would all love to have our own private attorneys that write our privacy policies and terms, most small businesses can’t afford that. And it’s coming to the point where the cost of non-compliance is so high, but then also you can’t afford an attorney and you’re caught between a rock and a hard place, and I think it was very important at the time and now to have a solution that’s accessible to small businesses.

[00:36:38] Jon Penland: Yeah. Yeah, I know. It’s funny you say that. I feel pretty good about where Kinsta is in terms of our approach to privacy but I do remember when GDPR was first about to come into enforcement or into effect, and the company was much smaller and our resources were much more limited and I literally spent a week on the ICO website. Cause they had the best summary at the time.

[00:37:04] Donata Stroink-Skillrud: They have a great website, I love theirs.

[00:37:06] Jon Penland: I spent a week reading through the ICO and walked away going I don’t know how we can afford to comply. Because, and it wasn’t a matter of like we needed to make large changes. It was just my perception of the amount of legal assistance we needed to get to a point where I felt strongly that we were compliant, and at the time it’s just not something, it just wasn’t in the cards. And it was a really challenging time to make that transition. So, I can vouch for the value of something like Termageddon to help a business through that process.

[00:37:43] Donata Stroink-Skillrud: Yeah. And we have clients that are one person, right? Their whole company is one person. And they’re doing tax returns for their clients, 24/7 and working really hard. And there’s just no time and there’s just no resources and while other governments, like, for example, the UK, the ICO’s website is super helpful and they provide a lot of information and yes, it can be overwhelming, but at least they provide you that guidance. In the US, there’s very little to no guidance provided. And even when you look at regulations, sometimes the regulations conflict with the law itself and sometimes it’s just impossible to even know where to start.

[00:38:28] I would love to see more resources from our government being put forward as to how people can comply with these laws. But since that’s not provided, you have to figure it out.

[00:38:39] Jon Penland: Yeah, certainly a more rewarding business model than sending people junk mail.

[00:38:46] Donata Stroink-Skillrud: Yeah.

[00:38:46] Jon Penland: I have to mention this. I have a six-year-old daughter and she by and large checks our mail and our mailbox just out by the road. And she already knows to look for pre-sorted standard and stick that straight in the trash.

[00:38:59] Donata Stroink-Skillrud: She knows what’s up.

[00:39:00] Jon Penland: Yeah. It doesn’t even make it onto the counter. If it says presorted standard, it, we don’t even need to mess with that, yeah.

[00:39:05] Donata Stroink-Skillrud: Yeah, it’s funny. I don’t even list that job on my resume because yeah, I’m kind of embarrassed about it.

[00:39:10] Jon Penland: It’s just hard to be excited about it.

[00:39:15] Donata Stroink-Skillrud: Yeah.

[00:39:16] Jon Penland: What are some of the challenges that Termageddon is facing today, what are some of the hard problems you’re trying to solve today as a company?

[00:39:24] Donata Stroink-Skillrud: Yeah. So I’m a legal engineer. So I do the stuff that’s behind the scenes that you don’t see. So, when you go into the questionnaire, you’ll see a series of questions and it just looks like they just pop up and that’s it. But what most people don’t realize is that the questions can be completely different.

[00:39:43] So there’s hundreds and thousands of variations of these policies that we’ve created. So the first set of questions will help us determine what privacy laws apply to you. So if you need CCPA, the rest of the questions will change. If you need GDPR, you’ll get completely different questions and different texts.

[00:39:59] So personally, my biggest challenge is mapping all of these privacy laws together. And as new privacy laws get added, you’ll get new questions and new variations to the point where there’s millions of different combinations that you can make. So, I think that’s probably my greatest challenge, is figuring out how to map all of this and how to ask these questions in a way that makes sense to the layperson and explain what these things are. Like, if I ask you “Do you have a data protection officer?” you probably know the answer to that; if I ask Jess, who has a jewelry company, she probably doesn’t know what that even is.

[00:40:41] Explaining all of that to the customers providing adequate guidance and providing adequate explanations and education and things like that, I think that’s probably the greatest challenge, for me is combining all of these things together. And I think at a certain point when we get to 30, 40, 50 privacy laws in the US maybe my brain will be ca- It will be replaced by a computerized brain, maybe.

[00:41:15] Jon Penland: No, that’s a really daunting challenge. I hadn’t really thought about just the degree of logic that has to go in, and then, cause you don’t want to spit out something that’s not a high-quality end product. You’ve got to map all these questions to identify the different pieces and then the resulting product has to be something that you can be proud of and you can read and it makes sense.

[00:41:35] Donata Stroink-Skillrud: Exactly. And what’s really interesting is we actually have a lot of lawyers in law firms using our service. So, we’ll have privacy attorneys generate the privacy policies with Termageddon, review them, make sure that they’re accurate for their clients and then, that’s their end work product for attorneys.

[00:41:53] I have a lot of people checking what I do, so it’s very important to get those correct, because if you don’t, fines can be from $2,500 per violation to 20 million euros or more in total. So it’s not something that you want to mess around with.

[00:42:10] Jon Penland: Yeah. If you had one piece of advice to give to somebody else who was about to go out and start their own first venture, what advice would you give to a new would-be entrepreneur, something that you’ve learned over the last couple of years that you wish you had known when you started?

[00:42:31] Donata Stroink-Skillrud: Yeah, that’s actually great. Two pieces of advice. One, software as a service is where it’s at. Recurring revenue is extremely important and recurring revenue will make sure that you’re not as stressed out. It will make sure that you have a good base to fall back on.

[00:42:54] So, I would make sure that you have that. And two, if you are starting a business, I’m personally more of a bootstrap person. But we do have investors and I have to say having investors is really nice. It can be hard sometimes, but having that kind of security and being able to draw a salary and take vacation days and all of that is very important. Especially now, we’re going through some tough times, the entire world and the entire country.

[00:43:36] If you’re just on your own and you have no support from anybody else whether it be your partners whether it be investors, it’s a lot harder to make it. And I’m very happy that we went the route that we did.

[00:43:48] Jon Penland: Yeah, I can say the recurring revenue piece was really foundational in Kinsta’s story as well. It was before my time, but for the four original founders, it was really getting from getting paid for doing a job to recurring revenue that Kinsta was built on. That was the idea. They were doing internet marketing and they were building websites for customers. And then it was like “How do we get some recurring revenue, because we finish a project and we feel great” and two months later the bank account’s empty. So yeah, I don’t think you can even overemphasize the value of recurring revenue to a young company.

[00:44:27] Donata Stroink-Skillrud: Absolutely.

[00:44:29] Jon Penland: Sure. Okay, so as we wrap up our conversation and move it towards a close, I do have two quick wrap-up questions for you. So the first one is, do you have a go-to resource that you would recommend to our listeners? Now, this could be a newsletter, a blog, somebody that you follow, a book, an event, really anything. What’s something that our listeners should definitely check out?

[00:44:52] Donata Stroink-Skillrud: So I would say if you’re really looking to check out one thing, I would go to the International Association of Privacy Professionals. So go to iapp.org. And it’s a huge resource, so don’t be overwhelmed, but you can at least look at the news pages and that will tell you everything that you need to know about what’s going on in privacy and it’s a really great resource. They provide a compliance guide, some of my compliance guides have actually been published by them too in the past. And those are really good because they provide more information about what you need to do to comply.

[00:45:30] Jon Penland: So that was iapp.org?

[00:45:33] Donata Stroink-Skillrud: Yes. 

[00:45:33] Jon Penland: Okay. So if you are a business owner, somebody who has a website, or if you’re responsible for data privacy at your organization, using IAPP as a resource to stay abreast of what’s going on in the privacy landscape would be an invaluable resource, is what I’m hearing you say.

[00:45:41] Donata Stroink-Skillrud: Absolutely. And also they’re so nice over there, they’re like the nicest group of people, like the most helpful group of people, so it’s a great place to be.

[00:45:59] Jon Penland: Very cool, all right. And final question. Where can our listeners either connect with you or learn more about Termageddon?

[00:46:07] Donata Stroink-Skillrud: Sure. So, you can learn more about Termageddon at termageddon.com. That’s T E R M A G E D D O N.com, and that’s the same for all of our social media as well. Actually, now that I think about it, I thought of another tip. If you don’t mind. Have fun with it, right? So our name is Termageddon, which is terms and Armageddon.

[00:46:31] Unfortunately, terminator.com was taken, so we couldn’t do that. But we try to have fun with it as much as we can. And I think that’s what really helps us get through the day and connect with our customers too. Especially if you have a little bit more of a boring product, like we do. It’s important to have fun with it.

[00:46:51] Jon Penland: Absolutely. That name Termageddon immediately, I mean, I heard about Termageddon two years ago and if you say that name, I know what it is. I just immediately know what it is and it’s because it’s a fun name and it’s a serious product. Like it’s, the product is a serious work product, but the name really does make it fun and make it I dunno, it just it takes a serious topic and injects some positivity and lightness to it, so I really like it. Donata, thank you so much for spending an hour with me today here on Reverse Engineered.

[00:47:28] Donata Stroink-Skillrud: Thank you for having me, this is really fun.

[00:47:10] Jon Penland: Yeah, it’s been an honor. So that’s all for today’s podcast. You can access the episode show notes at Kinsta.com/podcast. That’s K I N S T A.com/podcast. If you enjoyed this episode, don’t forget to subscribe to Reverse Engineered and leave us a review on Apple Podcasts or the platform you’re listening on right now, and we’ll see you next time. Awesome.
