This podcast episode is a couple of firsts…
Firstly, it’s our first BREAKING NEWS style episode because, if you haven’t seen or heard, there are a lot of crazy things going on with privacy lawsuits, namely between Google and the EU (European Union), which are now affecting websites globally.
Secondly, it’s our first 2 in 1 guest interview!
To help shed some light on what the heck is going on with all this, Hans and Donata, the husband-and-wife duo behind Termageddon (my go-to software for auto-updating website privacy policies) are here to help us out.
In this special episode, we dive into what’s happening NOW with these privacy lawsuits, the strange emails that Google has been sending out, how these privacy law changes affect our web design businesses and more importantly, what we should do about it.
This is an IMPORTANT ONE shedding light on the legal implications on the way so be sure to clear some time to listen or watch!
In this episode:
00:00 – Introduction
03:03 – Greeting to Hans & Donata
04:23 – What is Termageddon
07:10 – Current event summary
08:53 – What is GDPR
10:11 – How does it apply to you
19:19 – A compliant alternative
22:58 – Consequences
27:56 – A developer pain-point
32:36 – Why is Google scared
41:42 – EU, UK & US
48:21 – When tracking seems odd
52:13 – Your responsibility not fault
54:18 – Privacy forward thinking
56:13 – Cookies
1:00:47 – Increased enforcement
Connect with Hans & Donata:
Featured links mentioned:
- Consent Management Platform (CMP) | Usercentrics
- GDPR Enforcement Tracker – list of GDPR fines
- Website analytics without compromise – Fathom Analytics (usefathom.com)
Disclaimer: Whatever is discussed during the interview is just for informational purposes only, and it should not be considered legal advice. If you are looking for legal advice, we recommend talking to an attorney in your area.
Episode #169 Full Transcription
Hello, friends, welcome into Episode 169. This is a breaking news style episode. If you are not aware there has been a lot going on with Google and more specifically Google Analytics, and privacy laws and fines and lawsuits and a lot of which have been dealing with just the overall privacy policies that are different between the US and the EU European Union. I wanted to bring on a couple experts onto the podcast to see basically what the heck is going on right now with Google Privacy in these long lawsuits, and then more importantly, what we as web designers can do about it and what action steps we might need to take right now. And what type of proactive measures we should be taking moving forward. So for this talk, I have none other than the founders of Termageddon.
And without further ado, we’re going to jump right into this one. Again. This is a bit of a short notice style episode. This is releasing on what would normally be one of my solo episodes. But there have been a lot of changes going on. And in fact, I got a very interesting email from Google today at the time of recording this, which you’ll hear about that. We talked about that and so much more so you can figure out what the heck’s going on with Google and the measures you can take as a web designer and for your clients to make sure you are compliant and proactive with staying up what’s going on. So without further ado, let’s talk to the founders of Termageddon and get a pulse for what’s going on. Enjoy.
Hans and Donata. Welcome to the podcast. Great to have you both on thanks for taking some time to chat.
We’re pumped to be here.
Thank you for having us.
I was just saying before we went live this is my first ever interview with two on the other side. So I’m really excited about this. I mean, how on earth do you guys feel? Have you been on before but to have the better half on this is gonna be cool.
It’s yeah, I mean, after watching the first video, she’s like, I better just take over from here.
No I did watch that I can’t my brain can handle that amount of frustration.
Yeah, so I’m the president and legal engineer of Termageddon. So Termageddon is a website policies generator. So we generate privacy policies, Terms of Service, disclaimers, and more, and keep those policies up to date with changing legislation. So I’m a licensed attorney licensed in Illinois and a Certified Information Privacy Professional. I’m also the chair of the American Bar Association’s a Privacy Committee, and the chair of the Chicago Bar Association’s privacy and cybersecurity committee. And my job is to basically engineer all of the lovely questions that you get asked generate your policies, all of the different answer options, and matching those up to create your policies. And I also keep track of privacy laws and bills as well.
We even have the ability to push automatic updates to the policies with new disclosures as they become required. And yeah, what we do is we give web agencies a free set of our policies forever, for their own website, in the hopes that they like our product and are willing to take the step and to learning all about the website policy stuff. So that they can help assist their customers when building out things like contact forms for their clients, or, you know, installing analytics tools or setting up email newsletter subscriptions and so forth.
Yeah. And speaking of legal, I did want to say that, whatever we’re gonna be talking about today, we’re just doing that for informational purposes only, and it should not be considered legal advice. And if you are looking for legal advice, we recommend talking to an attorney in your area.
I was gonna ask if I needed to put a disclaimer before the intro. So there we go. We’re all set. Appreciate it. And I just like said, I love what you guys are up to mainly, because I just don’t want to deal with this stuff. I like this stuff drains me. So to have you guys as target and being in my corner and all of my students and colleagues. It’s awesome. And now we got to talk about what the heck is going on with Google, trying to think of the best place to start like, was there? I guess for those who don’t know, is there any? Is there any sort of like, beginners 101 summary of what is happening right now? Have either of you want to sum that up?
Yeah. So I think it kind of comes from two points. Right. So point one is what’s happening in the United States. So in the United States, we don’t have a federal privacy law that governs personal information being collected by regular business websites, so like names, emails, phone numbers, stuff like that. We do have privacy laws surrounding health information and financial information. But for websites that collect other information, like names, phone numbers, and emails, there’s no federal law.
So we’re seeing a lot of states propose and pass their own privacy bills. So Virginia, and Colorado recently passed their own privacy laws. And one of the aspects that concerns Google, when it comes to these proposed and passed state privacy laws, is the ability for consumers to opt out of targeted advertising, right. So a lot of the services that Google provides provides targeted advertising. So you can track consumers across different websites. And there’s numerous laws that have been proposed that would allow consumers to opt out of such uses of personal information.
And then point two is what’s going on in the European Union. So the European Union has a privacy law, the General Data Protection Regulation. And there’s been recent decisions that have held that Google services like Google Fonts and Google Analytics, the use of such services violates GDPR. So violates European Union’s privacy laws. So I think that’s kind of a general gist of what’s happening.
And Hans, you and I talked about GDPR a lot on your the episode that you were on previously. So maybe did you want to just highlight what that is, for anyone who may be new to web design isn’t sure what GDPR is?
Yeah, so GDPR want to not share the General Data Protection Regulation protects the data of residents of the EU and EEA. So if you are a resident, like let’s say you live in Germany, you’re a resident of Germany, you have privacy rights as a German resident, or as a French resident or Italian resident, they’re all under the EU’s GDPR. So that’s great, you know, people are getting a right to their privacy. That’s pretty cool. But the problem here is that one of the several way, there’s several ways where a business is forced to comply with GDPR. But one of the ways in particular that grabs a lot of the attention is when you monitor the behavior of residents of the EU, meaning that you’re using like an analytics tool or something like that, to track the user as they visit your website. And to dive into the more recent do
I do so GDPR can apply to you if you have an establishment in the European Union. So let’s say you’re located in the EU, if you’re offering goods or services to EU residents, or like Hans said if you’re tracking the behavior of EU residents or like cookies, animals Little things like that. So it’s a definitely a privacy law that can apply outside of the European Union. So just because you’re in the United States does not mean that you’re automatically exempt.
Yeah, yeah. Would it be helpful for us to talk about Google Analytics first?
Oh, for sure. And I just want to say this is one reason why I had first when I heard about all this, I was wondering, is this gonna apply to me? Or is this just you know, UK or EU businesses, anything over there? Then I realize I’ve got a lot of students, like over half, maybe probably almost 50% of my students are outside of the US. So I realized, I think this is probably something I should take seriously. So yeah, let’s because because Google Analytics is obviously the main tool that is tracking everything. Before we get to that there real quick question. Does this what’s going on right now? Does this apply to all the Google tools like Search Console business listing? Like? Or should we just hone in on Google Analytics? I guess, the top I see smiles,
It really depends on how you look at it. Right? So like, are you taking more reactive approach? So if you’re taking a more reactive approach, then you’re just seeing which decision what services the decision has been made about? Right. So the decisions right now are made about Google Fonts and Google Analytics, right. So if you’re kind of being more reactive to this, you would just essentially remove those services, or it will kind of talk about what you can do to try to make them more GDPR compliant, if possible, you know, so it depends on your approach. But if you’re more proactive, this actually can affect all transfers of data from the European Union to the United States, regardless of the service that you’re using. So this could potentially affect like Stripe, MailChimp, Constant Contact
That you potentially use? Yeah. So it just depends on your approach.
The implications here are very vast, and it’s to a certain degree, almost overwhelming. Like,
I’m completely overwhelmed. I, I think maybe, you know, it goes back to the quote that your worst fears lie in anticipation. So when I heard about this, I was like, Oh, my gosh, are all the tools that I use gonna be screwed up because of this? And am I gonna have to change? Like, my entire business model? All of my courses? And are all of my students going to have to change all of our tools? Yeah, that’s definitely like, the fear I have right now.
Yeah, I think to try to prevent that, like complete overwhelm, right? Because in reality, like, what are we gonna do shut down all of our businesses and just say, you know, we’re done here. Let’s try to kind of hone in on these two decisions and what they mean, agree, because in reality, you know, if the regulators are looking at Google services, that’s the first thing that we should be concerned about, then we should see what what comes after that. And then, you know, maybe slowly improve other practices over time. While right now just focusing on exactly what those decisions were and the services that maybe we should take off of our websites.
Yeah. Cuz I mean, I don’t know the numbers. But how many sites are running Google Analytics, like, like, millions, billions?
My guess would be in this is a complete guess. But if a website has Analytics installed, I’m guessing 95% of its Google Analytics, maybe your Shopify or Squarespace has a default analytics tool. So maybe like not so much your Squarespace sites but feel like any other CMS platform out there. If you’re, you’re installing analytics, you’re installing Google Analytics, at least, that’s what we estimate.
The other day that with Google Fonts, I saw somewhere in that it was 50 million websites, they use Google Font.
To be honest, I think that that sounds low to me, if anything, here.
I mean, I gosh, I just don’t even know it’s a process. And while I don’t even know how that can be tracked, per se. So yeah, let’s hone in on Google Analytics, then I say that to say, I mean, pretty much everyone is using Google Analytics. So this isn’t something that’s just affecting, you know, like my niche of Divi web designers using WordPress or WordPress designers using going to themes. This is like everybody. So yeah, let’s start with Google Analytics. I think everyone knows Google Analytics is what’s tracking. I mean, you can see pageviews Google Search Console is where you’ll see the keyword terms and stuff like that. But analytics is where you’ll see the behavior acquisition all that so yeah, maybe. Donata. Do you want to talk about that and what those implications are, and then maybe we can talk about what to do because the real question is, okay, what the heck do I do about all this?
We have an answer to that. So okay. Yeah,
Yeah. So Google Analytics to track a user collects IP address, right? So collecting IP address and IP address, the European Union considers that to be personal data, because it could potentially identify you and where you are, right? So when a website has Google Analytics installed, that analytics pose, the IP address of the user, and transfers that data to its servers, which are located in the United States. Right, so they take the data of European Union residents and transfer it to the US. There’s a lot that goes behind this but long story short, is that because data that’s housed in the US is potentially accessible to US intelligence agencies, like the NSA, FBI, CIA, all of that the European Union found that it actually violates GDPR, because it violates the privacy rights of individuals.
So people who are located in the European Union that have really nothing to do with the United States don’t want their personal information to be accessed by US intelligence agencies, which makes sense. So a couple years back, there was a framework for transferring data from the European Union to the United States, as we discussed before, United States does not really provide many privacy protections for individuals. Most people who reside in the United States don’t have the right to ask companies to delete their personal information to correct it to opt out of certain uses of their information. We don’t just simply don’t have the rights that residents of the European Union do.
So the European Union found that the United States is a quote unquote, a country that does not provide adequate privacy protections for individuals. So that means that when data is transferred from the European Union to the United States, there has to be certain standards met to bring that protection level up. So a couple of years back, we used to be able to use something called the EU US Privacy Shield. And that was created by the Department of Commerce working with the European Union. And basically you had to meet certain standards, so like, provide certain rights to consumers, things like that, to be able to transfer data.
And then an individual by the name of Max Schrems in Austria. His data was transferred by Facebook, from the European Union to the United States, and they use the Privacy Shield and he said, Hey, all of my data is still accessible by intelligence agencies. So in reality, I’m still being surveilled. And I don’t want that. So the European Union agreed, and they struck down the Privacy Shield. And essentially, what replaced the Privacy Shield is standard contractual clauses, which is basically a contract that provides standards of what how to protect data, right.
And because of this case, they found Okay, Google uses these standard contractual clauses. But it said that’s not enough. Because that data can still be accessed by the NSA and the FBI and the CIA, right? Those surveillance agencies, they don’t really care what kind of contracts you have in place, that data can still be accessed. So that transfer is illegal.
So essentially, how that all users of Google Analytics violate GDPR because that data is transferred and accessed by US surveillance agencies. And one of the items that, you know they talked about is saying, Hey, can we adjust our Google settings? Can we adjust our Google Analytics settings to like truncate the IP address, or anonymize the IP address? And the court found that there is no, there’s no setting that you can do in Google Analytics to make it GDPR compliant. Even if you truncate the address, even if you anonymize it, the surveillance agencies can still access all of that information, they can still anonymize it, they can still track down IP addresses.
So it essentially said there’s nothing that you can do to make Google Analytics GDPR compliant. And it was actually one of about 101 complaints. So we’re gonna see a lot more data protection authorities in the EU looking at this in the future, too.
Yeah. It seems like there is a lot of changes that are going to be happening over the coming years. It’s going to be very interesting. And, you know, I think Donata laid out the depths of it. But you know, okay, great. I’m a web agency owner, what on earth do I do? A question that interests me. And I have a simple answer. And I have no affiliate relationship to this company. I like the website Fathom, the website is usefathom.com. They are a privacy focused, analytic solution. So rather than harvesting IP addresses and selling that data or anything like that, usefathom.com, they don’t do anything like that. They charge $14 a month, I believe, for 50 websites. For 100,000, pageviews, or something like that. So if you have 50 clients, you’re talking about 28 pennies per month per website seems very affordable, especially when considering what the fines are for GDPR non compliance. So
I do what I do want to talk about those fines because yeah, my Well my question with that Hans, so Fathom is the only difference between that and Google Analytics is that they’re not actually tracking the IP. So they are they tracking still pageviews and user journeys, but they’re not tracking actual IP is that am I understanding that?
I don’t think user journeys? I’m not exactly sure. But all I can tell you is that we we interviewed the co founders of Fathom happy to introduce them to you as well. I’m not like fully knowledgeable about their product, but they, it seemed that all I know is that it’s a very easy implementation process. It took us like seconds to switch over. I’m not kidding with that, like, I think 90 seconds were completely switched over. And the insights they provide are GDPR compliant, that’s what they state on their website. Okay. And that’s, those were the two things I was most interested in easy and compliant.
Though so the ends, but but I’d say check out their website for like details on what exact information they provide. There’s some q&a where they talked about, like, UTM tracking with AdWords and like, how that’s still workable, and you can still do it that way. So yeah, that I would say like, check out their website for more information on those details. But in particular, what I’m most interested in and what my recommendation would be to any agency owner, and I don’t care if you’re in the US or anywhere else, like if you’re in Europe. Well, I mean, this is like, of course.
But I mean, if you’re in the US to you, chances are you’re going to have customers, I get traffic from Europe. So rather than me trying to decide on a per customer basis, I do Google Analytics or fathom. I personally as an agency owner, would feel like I have a responsibility advocate for privacy focused tools, first and foremost, and say, Look, we do Fathom by default, this is the fee you charge them, whatever you want. And, and if they’re like, well, we want Google Analytics, great, just so you know, it’s not compliant with GDPR. And if you still want it, I can install it for you just know that I’m not responsible. But
Gotcha. So almost like a liability clause, where it’s like, if we do this, there are there are potential consequences. I want to hold on that. What are the consequences like ours? Is a SWAT team gonna come at my door and say, That’s him? He’s got Google Analytics. Co. Is that what’s gonna happen? Or is it like a fine? Like, here’s what I love to really focus on? What are some of the consequences of what’s going on now?
Well, if SWAT teams were to come into the house is that our sales term again? Would like go through the roof? Like I think. But yeah, the only answer,
Yeah, so um, fines for GDPR non compliance can be up to 20 million euros, or 4% of annual turnover, whichever is higher. So they kind of use a sliding scale. They’re just based on the extremity of the violation, how many people’s privacy rights were violated, things like that. So that’s one potential consequence. Another potential consequence of GDPR non compliance is what we call data disgorgement. Meaning that you’re required to delete the data that you collected. So in addition to being fined, you could also be required to delete all of the data that you collected illegally as well.
Yep, illegally. So let’s talk about that real quick. Trying to think of the I mean, it seems like a fairly black and white situation, I don’t know, there’s too much ambiguity here. Pretty much everyone who’s running Google Analytics, are we essentially collecting data illegally if we have Google Analytics?
So according to that decision? Yes.
There’s from residents of the EU. Right?
Yeah, obviously, that’s, yeah, um, one thing that the decision did not talk about was consent. So in that case, the company did not obtain the consent of the person to track them via Google Analytics. So that’s kind of one remaining question is whether the cookie consent pop up would save you. Right. So if you had Google Analytics disabled by default, but enabled it only if the user consents, would that potentially save you? We don’t know from this decision, but it was gonna ask about that. Yeah, but the way it was worded, it does not seem like it would save you because that data would still be transferred to the US without the right protections in place. So it doesn’t seem like having the cookie consent pop up would save you but that’s something that the decision did not really discuss.
So either way, it would probably be best practice for every site to have that. Even though we don’t know it’s I mean, it can’t hurt to at least have that too try to cover one.
The best thing in my opinion is not use Google Analytics anymore. That’s my you know, again, not legal advice. I know that’s painful for people in digital marketing and stuff. But like, my risk tolerance is very low for that stuff. I would rather just have Fathom and move on in life or, or Matomo, or any other respectable privacy focused, analytic solution.
Well, even if your risk tolerance is high, it’s very clear that this service was held to be in violation of GDPR. Right. So it wasn’t just Oh, any kind of random service or, you know, it wasn’t very broad. It was very specifically like having Google Analytics violates GDPR says very, very clear. You know, there’s not much to argue there really, for having analytics.
Yeah, if you google search GDPR enforcement tracker, you’ll find a website that tracks all GDPR enforcement cases. And, you know, obviously, the big names are in there, the Facebook’s the Googles, the ones who make the headlines, but you’ll also see single business owners like one person businesses being fined 60,000 euros for changing the email address of one of their subscribers without proper consent. So it’s very real. And it’s just these smaller stories don’t make the headlines. I think a lot of people don’t think it’s like happening, but like, there’s a lot more cases than just Facebook and Google getting into trouble with GDPR.
Well, and the reason I wanted to have you guys on too is you are in this world of funny Hans, you mentioned earlier, when we were emailing that you said a lot of fun stuff in the privacy world like I am not in that world. So I am not I am not privy to what’s going on there. But you guys are, which is why this is important. But it’s not like we are saying something that is unrealistic here, either. I mean, you just said it or not. It is like that is actually what was said and what is going on.
And I’m not going to read this whole thing. But I got an email from the Google today that basically says this. We’re recording this what is today, the eighth February 8, we’ll probably get this episode out within a week of us recording this. So February 2022. As of right now, this email said the Senate Judiciary Committee recently voted to move forward a bill that would have unintended consequences for businesses like yours that use digital tools to reach customers. I’m terrified already.
A similar proposal has already made its way through the US House Judiciary Committee. So the threat is real. If passed, and this came from Google, for everyone listening, I think a lot of people probably got this, yes, these bills could disrupt many of the digital tools you rely on every day, including Google ads, analytics, Gmail, and Docs. Ah, I love Google Docs, I am so upset by this, in your business listing on Google Search and Maps that is crucial for local businesses, these changes can make it harder for customers to find your business, or your productivity and cost your business time and money. And then there’s a link where you could get, you know, stay informed.
So I guess the question I have is, I would think that Google would be making some sort of ramifications on this or remedies. So they would stay GDPR compliant? I mean, my question would be if Fathom is doing this, what’s gonna stop Google Analytics or Google in general from creating those same type of precautions to make it GDPR compliant?
So, There’s so much and what you just said there. But to answer the last question, no, no, no, it’s all it’s like, my favorite question. So the latter part of the final question just answered? Or the final question that you just asked, I think it’s important understand that Google makes us money by harvesting data and then selling it to advertisers. So if you if I was Google, and I no longer have analytics as a means to drive IP addresses to me, so I can make inferences on who this person is visiting this website, and what are their interests and I don’t have the ability to now sell that data, I would say that Google has a fundamental problem.
Because they can’t just if they launch fathom, it’s like a if they launch a version like fathom, that’s almost like doing a public PR courtesy, because it certainly wouldn’t be helping them consolidate IP address data, and then sell that data to other people. I think this is really going to hurt their business and being able to sell data to advertisers. So that’s concern number one I’m in Does that help answer that final question?
I mean, I guess the better question to that. Or my concern would be to turn off Google Analytics on all of our sites make all these changes and then two months from now Google come out with the GDPR you know, like I don’t want to like blow up my analytics and then have to reinstall it and I’m you know, I don’t know too much about Fathom, but I trust you Hans, and I caught some of the webinar you guys but then they seem very savvy on this stuff. But at the same time, I want to use Google I want to use Gmail I want to use Docs I want to use analytics. I want to use Google Search Console, I want to use all my tools under one roof. So I by golly, I’m going to try my hardest to stick with Google if I can. I guess that’s that was the point there.
What I like about you, Josh, is you’re sharing the feelings that I feel like every web developer feels because I, as a former web developer, I know exactly that pain point. And I think personally, you know, for someone who’s in privacy a lot more these days, it’s really coming to me is like, well, what are we defending? Like our own mental ease of use? Like all this is just easier. So I want to fight for what’s easiest, are we fighting for right yet for people to have rights to their privacy? Because that’s legitimately what’s going on right now. And if I could add another variable, there’s also a concern of US surveillance been like, that’s kind of the main issue is that US surveillance? I don’t want to say anything too long, because I, I hope the algorithms aren’t hearing this as like, alright, shadowbanned. Josh,
You know, what, if the Josh Hall Web Design Show Goes Viral because of this episode, we’ll have to meet up and have a drink to cheers on that.
But yeah, I mean, the three things I see is one, the email that Google sends telling all these business owners like, you’re about to be screwed over by the government. Like, to me that’s, it’s true. I mean, it’s like these privacy laws will massively impact businesses, what they are saying is not incorrect. I just feel like there’s another side of the story, which is that like, this is in lieu of people having a right to their privacy, and like, I’ve seen enough Black Mirror episodes. No, I don’t want a dystopian future for this world. And like, I feel like having privacy rights is a solid step in avoiding like half of the Black Mirror episode.
Well, and Hans, you talked about this the first time you were on which I look back, that was episode 48 if you can believe it. You guys, I think will be in the late 160s right now. So it was a while ago, but you said that was one of the points that stuck out to me is you said the privacy stuff is at heart and that nature good. Like it comes from place of we want to protect our privacy, which is a good thing. I think everyone would agree that’s a good thing. I think we’re all used to being retargeted and sold to and I think I don’t think it’s shocker. Now everyone realizes all these tools are made for some sort of advertising. That’s what’s running the whole the whole ship.
But to your point, I think that is a good thing to remind myself and other web designers is we do need to think about the privacy of the people viewing our site. So I appreciate that. Hans, I feel like you were calling me out on that. And that’s cool. I appreciate that. It is it is a different mindset. It is a different mindset. Because yes, I I am somebody, I’m a busy entrepreneur, I don’t want to deal with this crap. But I have to so it is a good point that I think to make it a little easier. Maybe we just didn’t realize what’s going on at heart. What do you have any thoughts on that? Do not as far as maybe, you know, at the core? What’s going on here and why that’s important?
Yeah, so the email that you received from Google is not related to the GDPR Google Analytics decision that was made in the European Union, what this email from Google talks about is privacy bills that are being proposed in the United States, because they’re talking about the House and the Senate, which are US entities, right. So what they’re talking about is certain bills that have been proposed that number one, the Senate and the House have been trying to bust the Google monopoly for a very long time.
And Google is is a monopoly by definition, really, because you can’t get away from their services. And they quash competition. And that’s why they’re able to collect the amounts of data that they collect and have the practices that they have. And in addition to that, there’s been certain bills that have been proposed, that would allow consumers to opt out of targeted advertising, and a lot of targeted advertising. Google Services provides that targeted advertising to businesses, right. And if consumers can opt out of that, technically, it hurts Google’s business because they can’t make as much money as they did if more consumers opt out.
Same thing too. If the Google monopolies busted, they can’t make as much money as they do right now. So this is more concerning what’s happening in the United States. Now, whether or not we’re going to see a federal privacy Bill soon? I don’t think so. I don’t think that’s very likely. And a lot of people in the privacy community would agree with me just because of what’s happening at the federal level, it’s very hard to get an agreement, we’re most likely see a patchwork of state privacy laws where every state has its own law until the Feds get tired of it, and then they pass around.
But in reality, Google’s behavior in response to these bills and in response to consumers fighting for privacy rights, because what these consumer rights rights groups are saying is not that you can’t do targeted advertising, it’s that you need to give consumers a choice whether they want to be tracked across websites, right?
Banning it completely. But what Google’s behavior shows to us is that they see privacy rights as a threat. And they’re willing to kind of switch the narrative in their minds and to their customers saying this will affect small businesses. In reality, most of the privacy laws that target targeted advertising, they apply to large businesses only. So in reality, this wouldn’t even hurt small businesses at all. It would hurt Google. And what they’re saying is that small businesses will go out of business if Google loses money. And that’s just not true.
Their lobbying efforts are really being taken to a whole new level, because Google never sent emails like, yeah, you would never receive an email like this from Google five years ago, ever. So to me, it shows that they’re scared because consumers are finally fighting for their rights. And they see this as a threat to their business. So they’re making it seem like it’s a threat to small businesses everywhere, which it really isn’t.
Yeah, that’s why that was so timely that this email came through like, two hours before our call here, was there. There’s obviously some big things at play, and some huge changes coming up.
That’s a good point. Yeah, I’m sensing some strong feelings towards Google. Do you guys use Gmail or anything? I’m just curious. Yeah. So
I personally, we use
Google products, right. And I do enjoy the Google products, but I don’t enjoy is narratives that scare small businesses. And that scares small businesses to the point where small businesses need to be worried about Google losing a couple billion dollars a year, which is like a drop in the bucket for those people. You know, I just don’t like the manipulation portion of this email. It to me, it’s very manipulative. It’s it’s wrong. You know, and it doesn’t provide you with the facts. I just think it’s it’s not a good email.
I love Google. I love Google Docs. I love Google Sheets. I love it all. i It’s, I’ve used all my probably every component of what Google has to offer this world. And I love it. I also personally like targeted advertisements. For the most part, it gets creepy when I’m like, Wait, do it. I was just talking a lot about this. Now I’m getting ads for it. it weirds me out. But I would say in general, if I go to a website, and I’m thinking about buying something, and I get ads for to buy it later, cool. I get it, I get why you’re advertising to me.
What I get scared about personally is like those us surveillance laws that we were talking about, like why GDPR? and the EU are saying no, like you can’t send data to the US because of the US surveillance laws. I think that’s not part in particular the exact issue I have. But it sets the example of what concerns me which is that yeah, we don’t know what we don’t know. And with privacy, that’s one of those things that once we lose, like when if we don’t gain these rights to privacy, I think we won’t know what we’ve lost until it’s already been lost. And it’s it, there’s no going back from it.
And in because I can’t predict the future. I can’t give an exact example. But I think there’s a lot of negative like theories, you could kind of think of a negative things that could result from people not having a right to their privacy. And that’s what I think’s worth fighting for. It’s like, you just need to have a right to your privacy. And I think, as small business owners will one if you get an email from a vendor, and they’re telling you about how this is gonna ruin your business, and it’s super open ended, there’s no links to any laws, there’s no reference, there’s not an alternative opinion. It’s just super heated and like, aggressive that your business owner, you should be seasoned enough to have that raise some red flags and be like, some doesn’t feel right here. I mean, that’s
Well it was interesting that there wasn’t like, help us, you know, stand for your Google stuff. It was like stay informed. It was kind of it. To me, it seemed like the beginning of something. That’s definitely how I read that email, because the call to action is stay informed, which I need you to think about that but do not have you’re totally right. There was no like, acceptance or anything. It was just like, Alright, you’re signed up
Breaking all the rules, or emails, right. Like I could be clicking stay informed, just because like, I think maybe it leads to more information about what this is not that I’m going to be signed up to some lists. Yeah, yeah.
I mean, I get it that they could probably argue, well, that’s consent, you click stay informed, but that’s like, super shady. Practice
Yeah, no, that’s true. Yeah. So something else that’s interesting. And you talked about some stuff so far that has been happening like over the past few years. It sounds like I mean, I don’t know what happened at the end of 2021. But it’s Seems like this year and the beginning of 2022. This is like forefront of the discussion. I’m in a lot of online groups and communities and circles with web designers, web professionals. I’m seeing this more and more. However, I know a lot of folks who don’t know anything about this.
So it’s one reason I wanted to bring this to the attention of everybody, like I just one of my buddies is in the UK. And he’s an agency owner. And I asked him about some of this stuff. And he didn’t really seem concerned at all. And they’re, they’re in the UK, and they’re running Google Analytics and everything. So yeah, I just kind of wondered, like, I guess I’m kind of wondering, is everyone aware of the seriousness of all this? And obviously, I think, what would you say we’re still at the beginning of all these changes? Is that fair to say? Yeah, so
So for Google Analytics, it was one of 101 complaints being filed. So what happened was NOYB, which is a group in Austria, and it’s basically stands for none of your business. And the point of the group is to essentially enforce privacy laws where governments have failed to do so in the European Union. So what they did is they filed 101 complaints, scanned websites, whether or not they use Google Analytics filed a bunch of complaints across Europe. This is just the first one that was decided. So we’re going to see a lot more of these coming out from different countries in Europe regarding Google Analytics. So for Google Analytics, this is absolutely just the beginning, we did see a couple of data protection authorities saying it’s probable that Google Analytics just will not be able to be used in Europe soon. So I mean, it seems like that’s the trend at which we’re going with a Google Analytics case for sure.
And I just want to note, your friend who’s an agency in the UK, the UK is separate from the EU. So that’s important to note that UK has the UK Data Protection Act of 2018. Which technically is a mirror copy of GDPR. Just change it
We can easily see the same decision coming out in the United Kingdom. I don’t know if one of the complaints filed was in the UK. And they just mentioned the EU at the time. But I mean, it’s basically a mirror copy of the law. So I don’t see why wouldn’t be the same decision.
Okay. I did not realize that. That’s interesting.
So yeah, and that that’ll, that in itself will become interesting, because the UK Data Protection Act and the GDPR. With the UK now being separate from the EU, we’re gonna we’re seeing a cross divide now. And one path is the one group’s going down one path and other groups going down another they’ve, they’ve split off. So you know, it will be interesting to see how that plays out for everyone. Really,
Can we just do one episode a month for the next like year?
Lots of bedtime story? Here we get on privacy policies as you go to sleep.
Yeah, there we go. Um, I do want to get back to these other tools, though, around outside of Google Analytics, but in the Google Suite, because Google Search Console is linked in with that, that tracks keywords. I know, it’s a little bit different than I don’t know if you can see IP addresses in Search Console. But there are these other tools at play. So I know we kind of talked about this a little bit ago, but my concern is, like if I had to go without analytics, I could do that. It would suck definitely. Because I’m like, just now getting into more intentional targeting, as far as the for me, it’s just like my master classes. Like if somebody goes to my website, I would love to make sure they know I have a free training when they go to Facebook that way. They don’t forget about me, that’s, that’s, you know, the, the the I’m trying to think of the right word.
That’s the integrity that I have with it. Like, I’m not a sleazy marketer, which most most everybody is, and we just we’re trying to grow our businesses. But there is the personal aspect is like you were talking about Hans, but my concern are these other aspects, too. Is there anything as of now that has talked about Google Docs, Google Ads, Search Console, anything like that? Or has analytics been the focus of the turmoil per se?
There was another case in Germany about Google Fonts and GDPR compliance. All right, but none of the other Google products. Now, when you look at privacy enforcement, Google and Facebook have been kind of the poster child for privacy, law enforcement, right. They’re the ones that the regulators are looking into the most, because they have the most widespread tracking practices on the internet. And they’re the ones who have repeatedly refused to comply with privacy laws and have fought compliance in every chance that they get. So it is very likely that we’ll see more of Google’s products being caught up with us. But the Google Fonts decision, so a court in Germany, basically a website had Google Fonts embedded, right so when Google Fonts is embedded on a website, IP addresses are being collected to show the user Google Fonts.
I was just gonna ask what the deal was with fonts? Because there’s like, it’s a font, who cares? So it’s actually collecting data? If you’re looking at that, is that right?
Yeah. And what’s really interesting is that the Google fonts and the Google Analytics decisions were not related. So a lot of people think that, oh, it’s the same thing, you just transferred data to the US. And that’s why it’s a problem. But it’s actually different. So under GDPR, you can’t just collect data, you have to have a specific what they call legal basis to collect data. So one of the legal basis is consent. The other one is performance of a contract or entering into a contract compliance with a legal obligation. And then there’s a legal basis called legitimate interests. So if a business has a legitimate interest to collect the data, that means they can collect it right, and you have to document your legitimate interest.
So this business said that we collect your IP address to show you fonts under the legitimate base, legal basis, right. And the problem was that the fact is that you do not have to embed Google Analytics, uh, Google Fonts. So you can host Google Fonts locally, meaning that you don’t actually have to collect IP addresses, which means that you have no legitimate interest for collecting it. Right. So basically, it said that that usage of Google Fonts and embedding it on a website was in violation of GDPR, again, did not talk about consent. So we have no idea whether consent would have solved this issue. But essentially, it’s not a valid basis for collecting IP address to show fonts, that was very easy to solve just host fonts locally. And that’s literally what the court said, you know, to bypass this decision, host Google Fonts locally, and then you’ll be fine. And I guess, in theory that circumvents the Google Analytics decision too because if they’re not collecting IP address, or not transferring it to the US,
So just to take that just to reiterate to web dev speak, like, basically, Google Fonts illegal with GDPR, don’t use any more if you are installing Google fonts. And whenever a site loads, like whenever you have a page load, it makes a call to Google which then comes back and delivers those fonts. That’s what’s not allowed. What you want instead is to store Google Fonts locally, on your website server. So and there’s plugins that do this, this is not a super techy thing. This it’s like, typically like an Enable button. It’s like you store them locally. And let’s talk about what that means.
What that means now is when someone visits your website, you’re no longer making a call to Google to populate the fonts, you’re actually just loading it right from your website server. So in theory, you’re loading your website faster, which we all know it helps with SEO and helps with user experience. So it’s not only a great way to avoid a GDPR non compliance issue. But it’s also a great way to give users a better web experience. It’s just have Google font, you can still use Google Fonts, you just have to have them load on your server, you just can’t share data with Google with that transaction.
Yeah, I actually have my site like that I have my fonts in a folder on my server and a custom gosh, I did that, like years ago, I kind of forgot I did that. But yeah, it was the font that Divi my theme didn’t have at the time. So I just have a fonts folder and called it like that. So I go ahead, Donata.
I think, you know, this is all very complicated. But if we look at the decisions together and forget about like the very, very specific reasons why things happen, the way that they happen. In reality, what these courts are saying is put yourself in the shoes of the consumer and think whether or not a consumer would be expected to be tracked or their information collected in this way. Because when you’re a consumer, you’re just a regular person, not a website designer, what consumer would say you need to collect my personal information to show me a font. Any consumer be like, That’s strange, right? Like that’s so beyond what I was expecting.
And I think that’s where a lot of these complaints are coming from is that these websites collect information in ways that consumers are not expecting in ways that they don’t think there is going to be collected and they just don’t want to be tracked. So if you have let’s say you have a payment portal, right, and somebody can purchase shoes from your website, and your address is shared with a shipping company. consumers aren’t going to complain about that. Because when I purchase shoes, I’m going to expect that they’re shipped to me, right? And I’m going to expect that FedEx is going to have my information to ship them to me or else how am I going to get the item that I purchase? It’s something that’s very expected, versus being information being collected to show fonts is bizarre. It’s unexpected, and it irks consumers, consumers don’t enjoy that. Right? So maybe going through your website and seeing what things do I have on here that unexpectedly collect data or that reasonable consumers would expect to not be collected.
I was just gonna Ask about some just practical things we could do to simplify some of this for everyone who’s terrified. And, you know, just wondering what the heck to do now. So that’s a great idea. I mean, one of the things I was curious about probably later last year was when I started seeing some stuff on this was, like, if I have a site that I’m not doing retargeting ads, or we’re just a simple brochure site with a contact form, like how important is this, but I mean, I guess, if you’re taking any sort of email information, which most websites are even it was just a contact form, that’s a biggie. But with Google Analytics, Google Fonts, those are literally track, you don’t have to put in an email to be tracked.
So that’s a great point, disclosing that and trying to limit any extra additional tracking we don’t need. I was just trying to think some of the other intricacies for just like your standard brochure style sites, because obviously, if you’re running ecommerce and stuff, it’s pretty clear, you’ve got customer data that’s going to go to ConvertKit or MailChimp, and then to the shipper and everything else. But for brochure sites, a lot of this is just as important, right? It’s just a brochure style site with one contact form.
Yeah, exactly. So anytime you’re collecting any kind of personal information, names, emails, phone numbers, IP address, all of that information is regulated by privacy laws. And that’s when you really need to think about this, you don’t just you don’t have to use it, you don’t have to sell it, you don’t have to share it, the moment you start collecting it, that’s when privacy laws can start applying to you. And I think even one thing that a lot of people are concerned about is they might have some security plugins that pull IP address to, right. So in that instance, if you’re using that for security purposes, that is an actual legitimate basis, you know, so that’s okay. It’s just when that is if when it’s not necessary, and when it’s not expected by the consumer. Right?
Yeah. And just to make sure to help remove that overwhelming feeling. Look, the two decisions that have been made over the last couple of weeks have been GDPR, not compliant with analytics under the Austrian data protection authorities
Rather analytics, not compliant with GDPR.
And I’m glad you caught that, that I just write in my head,
And Google Fonts not being compliant with GDPR, per the German data protection authorities. The German court, thank you. So those are the two things, those are the two biggest issues that I would say web, we have a responsibility to inform our customers of and make changes. And you all should be billing for this, like, this isn’t your fault that these changes came in. So slap a $200 bill up for your customer, or whatever, it’s charged for two hours of your time to switch them from Analytics to Fathom and switch Google Fonts to just Google Fonts loading locally on the server. And that’s it, and then you’re done. And you’ve been you should be charging for your time for this too.
So I you know, one of the things we have at Termageddon, is rather than trying to fight privacy, we really encourage embracing it, because with it, it’s really not that bad. It is but it isn’t. It’s not that bad. And, and when you get down into just website policies, which is what agencies typically want to talk about, more than anything, it’s like, you just got to make the disclosures you’re required to make and you got to be responsible with the data you’re collecting from your consumers. And that way you get to be on the side of history, that’s pro privacy rights for human beings, rather than I’m just going to ignore and pretend and just keep doing things. And just hope I don’t get in trouble.
Like, that’s not professional in this is an opportunity to represent being professional and thoughtful and forward thinking and like advocating privacy for rights for everyone, but also just being like, look, it’s illegal, I’m not installing it unless you really want me to, and I’m not responsible if if I get in trouble.
And for future clients do maybe taking that out of your standard operating procedures. So like, you know, if you build a website, and every time you build a website, you just install Google Analytics by default, and no matter what the client actually wants, you know, maybe taking that out and maybe not doing that, or maybe talking to them before you do it, or letting them know that you did it. Because a lot of customers, a lot of your clients, they don’t know that you’ve installed Google Analytics. So they don’t know that you could potentially subject them to GDPR enforcement, right?
So at least letting them know that you’re doing it and not just doing it by default. And picking a different provider can definitely get you a long way. So like Josh, like you said, years ago, you put your your hosted your Google Fonts locally, right? Like years ago, for whatever reason, you decided to do that. And now you just don’t need to worry about that problem anymore. Right. So like kind of building that privacy forward thinking and what we call privacy by design into building websites. So like picking vendors that are privacy forward, just so that you don’t have to deal with these problems in the future can save you a lot of time and headache, too.
Yeah, I can’t speak on my forward thinking genius. It’s just You know, I don’t know, it’s, it just happened that way. Yeah, no
Mastermind he knew exactly what was going to happen in January of 2020. To host these fonts locally, because I know it’s up.
A lot of people, myself included, up until the past few years did not realize how important it is just to have a terms and conditions with disclosures on, hey, if you send the contact form and your email goes into my CRM, just just disclose what’s going on with your site in a very simplistic manner. That’s, that’s the other big thing. We kind of talked about cookies. I mean, it sounds like that’s still a gray, kind of a fuzzy area as far as the consent, but I would assume it’s probably just best that everyone has cookies, just to make sure if you are running any sort of tracking to have consent on there, right?
Yeah. So if you have any non essential cookies, so any cookies that are not absolutely essential to the running of the website, and you need to comply with US and UK is privacy laws. We do recommend the ABA cookie consent checkbox, or cookie consent mechanism. The two decisions did not talk about consent specifically, because it just wasn’t an issue. So it’s unknown whether that’s a workaround. But you should have one just, you know, in general, yeah. You have one by those.
John’s point to it probably as a consumer, it probably just shows that you’re trying like you’re, we’re figuring all this out, but at the least at the very least, you know, do you consent to, you know, going on my website and the tracking stuff we have in place, I think that’s probably an integral move for any website for its users.
So if if you’re taking this step to have a cookie consent popup, which let’s be real, it’s intrusive, especially when you’re focused on like conversions and like getting as many signups as possible. One more layer where people have to like think like, wait, what cookies, what are you doing? Like, that’s stressful to everyone, and I get that. But if you do, if you feel like okay, I do have to track people. And now they have to give me consent. Like if you’re focused on tracking people go into your website, then having a cookie consent pop up, where you’re getting that as that consent to install marketing cookies, or non essential cookies into the browser is very important. Where do you go from there? It’s, it’s really up to you. I kind of lost my train of thought a little bit here. But
Well, I gotta say real quick. It’s funny, you mentioned that Hans, because like the distracting aspect of that, I think just yesterday, I saw a meme where it was like, going to a website in 2022, except a block all cookies, goes down the pile up, close the chat widget, and then consent to something else. And then forget why it came to the website. It was like the checklist of things you got to exit out or accept.
I see. So if you’re gonna have a given option, instead of just saying, Hey, by the way, we’re checking your cool.
It can’t say “click Yes to accept cookies”, that’s not compliant. It needs to say accept or decline or yes or no. So it needs to be very clear on those terms. Because in reality, if you’re doing this to try to show consumers that you’re trying, you may as well give them an actual choice, because number one that’s required by the laws and number two, that shows that you actually are trying and not just shoving this down people’s throats.
Gotcha. What’s your favorite spot for digital cookies? Of course,
I’ll start, so Termageddon.com. We will be offering a cookie consent solution for free for all Termageddon customers. So we are going to be implementing Usercentrics, the cookie consent platform based in the EU, and that will be available right within the Termageddon dashboard.
Awesome. What timeline on that?
Okay. Okay, so we’re close.
Yeah, so if you’re a Termageddon customer, you’ll obviously receive an email and all of that and how to implement it onto your website. But if you’re looking for something in the meantime, we would definitely recommend that you check out Usercentrics. Because their solution is the most comprehensive one that we’ve seen, and also because they’re located in Germany, whereas another recent court decision found that any cookie consent providers that use US based companies to collect data to show the cookie consent form, or are located in the US, are not compliant with GDPR. Because again, data is transferred to the US accessible to the NSA, CIA and all of that. So if you’re using a cookie consent provider, make sure you’re using one in the EU. And Usercentrics is the one that we recommend, and they’re located in Germany.
Okay, gotcha. That’s good stuff. I did want to ask real quick as we get ready to wrap this up here. Again, round one of 12 for 2022. For these, like penalties in fines, how common are these? I’m just wondering, like, obviously, this is something to be taken seriously, especially with analytics. But are you I mean, I’m sure there’s no way to say a percentage or something. But I mean, are these becoming more and more common, even for small business owners or entrepreneurs who have online brands?
Yeah. So there’s been hundreds of fines that have been issued so far, but if you are interested in taking a look, it’s GDPR enforcement tracker.com. That’s a website that breaks down all of the fines by country, amount, and the reason for the fine. That one’s a very helpful website. But, you know, as time goes on, we’re seeing these privacy laws being more and more enforced, right? So in the US, a place where privacy was never really a big thing, we’re seeing more privacy laws being passed. In the EU, I mean, GDPR has been around since 2018. So you have the government enforcing the laws, and then you have also the groups, such as NOYB, filing cases in courts and with the DPAs to enforce these laws as well. So I mean, we’re seeing more and more enforcement as time goes on. That’s, that’s for sure.
And yeah, even though in the US there hasn’t been nearly as much of a push for privacy rights for people, individual states have implemented laws, and the amount of privacy bills right now in the US is just, there’s so many. I mean, does
I mean, Colorado and Virginia just pass true privacy laws. Sure. Well, there’s a couple other states that are very, very cool. Go back pass, there’s a new privacy law.
So I would say based on the way things are going, it’s going to continue, I would I would only imagine enforcement’s are going to continue to increase, because there’s going to be more privacy laws out there. Therefore, there’s more people complaining and more authorities finding. Yeah, impossible block bills that have passed are going to enable consumers to sue businesses for collecting their email address on the contact form without proper privacy law disclosures for their specific privacy law. Personally, I think that’s when it’s going to get very interesting. We’re already in interesting times, it’s going to get very interesting if consumers can sue. Similar to accessibility, I’d imagine.
Oh, yeah. My gosh, are you guys glad you found each other? I’m just trying to imagine like, if you had a different spouse, and you weren’t, you know, if you were like, Oh, my gosh, babe, this new legislation came out and they’re just like, shut up. I can’t.
You know, I think if we didn’t meet Termageddon would not be in existence. Oh, yeah. What? Okay. I don’t think that we’d be even in this industry really that much. I mean, I was always in compliance and legal, but not as much in the privacy space until like five years ago. Agency, you were an agent. We would have talked our other spouses ears off about web design, just regular compliance.
Yeah. Well, thank goodness, thank goodness, you guys did meet and make what you’re doing right now at Termageddon, because it was interesting. I was just thinking like, I remember hearing about privacy years ago, but I think you talked about this earlier. Initially, the assumption is like Google and Facebook, those are the you know, they’re worried about it’s not something I’m personally dealing with. And then you’re like, oh, shoot, actually, I am using all those tools. And if I am doing retargeting or anything, that is that’s me, too, even though it’s just little me selling online courses for web design. I’m still tracking too. So it is, I think I think it’s just a kind of I just wanted to kind of wrap this up with that idea that, you know, we’re all implicated in this for sure.
And that’s how these two complaints started. Right. So the initial complaints were not against Google, they were against the companies that were using Google Analytics and Google.
Gotcha. Yeah. Yeah.
It’s just look where we’re all heading into a world where privacy rights are important. And I think five years from now we’re going to look back at these times where things were unknown and scary and new things were coming out all the time. We’re going to look back at this time and be like, remember when companies used to just take your data and do whatever they want with it? Like there will come a time when that happens. Think about the SSL certificate. I probably said this on their own. No, we did.
You know, five years ago, an SSL certificate was like a nice thing to have you get it for E commerce. But like other than that, like I don’t need an SSL. But now as a consumer, when I visit a website that isn’t SSL secure, I don’t feel secure. And I think we’re gonna see the same thing with privacy. Like if you visit a website that isn’t respecting your privacy rights, you’re gonna be like, I’m not doing business with these people. And that’s it. We’re not all there yet. Like,
There’s a lot of there consumers that are there. And there’s a lot of studies showing.
There’s more coming. And that’s it. That’s a great point direction is going towards more people want privacy rights, not less. So
Yeah, that’s a great, great point. Well, I legit would like to have you guys back on maybe after the cookie feature rolls out. Maybe we talk a little bit about that. So maybe like, you know, like April or something. Yeah. Maybe we could talk about that a little more, because I’m kind of curious about some of that as well, which could be a great addition to this. And I’m sure a lot is gonna change in a couple months. So actually,
A couple months go by I have like a tattered shirt, and I like lost all my hair. But like, Josh so much. Illegal.
He’s got the tinfoil hat. And he’s like living you know. He’s living in the woods somewhere. Yeah, email, he mails me a letter with what’s going on. Not gonna trust zoom over a call.
Letters clipped down.
I’ve got to decode it. Only do I have to turn Google Analytics off now. I have to decode Hans’s letters from no internet living out in the woods. Yep.
Well, I’m looking forward to it. April.
That’s right. Awesome, guys. Well, hey, thank you again, for coming on a short notice for sharing kind of where you’re at with all this. And I think the theme of this, I would say is to be proactive, instead of just reactive. Is that fair to say?
And locally store Google Fonts. Yep. There we go. Or Matomo or another privacy focused analytics tool. Yep.
Yeah. Awesome. All right, guys. Well, thank you so much for your time, see you in a couple months and keep on doing what you do.
So good. See ya, Josh. Thanks for having us on.