In this podcast episode, Matt and Nasir break down the legal issues of the subscription industry's business on the internet.
- A good 50-state survey for data breach notifications as of July 2018.
- California Auto-Renewal Law (July 2018)
- Privacy Policies Law by State
- Why Users of Ashley Madison May Not Sue for Data Breach [e210]
- Ultimate Legal Breakdown: Subscription Box Businesses [e286]
- How Subscription Model Pricing Is The Gift And The Curse [e228]
- Guide to Terms & Conditions for Subscription Box Businesses (January 2015)
- GDPR v. CCPA
- Negative Options according to the FTC from 2009
- Negative Options according to the FTC from 2016
NASIR: Welcome to our podcast!
My name is Nasir Pasha.
MATT: And I’m Matt Staub.
We’re two attorneys here with Pasha Law – practicing in California, Texas, New York, and Illinois.
NASIR: This is where we cover business in the news and give our legal twist to that news.
Today, we are going to really focus on a subscription industry.
Pretty much every service product now you can get on a subscription basis. We’re going to do the ultimate legal breakdown on privacy, data protection, and terms and conditions.
If you really love the law, this is for you because we’re going to bore you to death.
MATT: Like you said, when people think of subscription-based things, I think – at least for me – the first thing that comes to mind is the subscription box model where you get an actual delivery of goods every month, but it’s way more than that.
I can imagine there’s one listener who doesn’t have at least one subscription-based service – like Netflix or anything like that or an Amazon account. It’s very prevalent and it’s pretty wide-reaching at this point. It’s just there’s a lot of rules that go into it, especially depending on where you’re located as well and where your customers are.
We’re not going to be able to cover everything, but we’re hoping to cover as much as we can.
NASIR: No, we’re covering everything. We’re going to be here for the next three days, nonstop, just buckle your seatbelts.
The subscription model is nothing new. I don’t know how far back you’d go, but you could go back to at least newspapers and periodicals. I think where you can start seeing the kind of subscription box kind of related aspect is – what was that back in the day where you’d pay X amount?
MATT: Columbia House?
NASIR: Yeah, exactly. That seems to be where things really started to transition into something a little bit more clever when it comes to certain products being mailed to you on a monthly basis.
MATT: Yeah, we’ll get into that as well. There was a little bit of trickery involved in that, but that’s definitely one of the earlier adopters. Like you said, newspapers, that’s what I said at the beginning. It’s something that people might associate with one thing, but it’s really across the industry – pretty far-reaching in terms of different services in addition to the goods.
NASIR: But I think one thing that has changed – I mean, we just have to say it plainly – it’s the internet. When someone would walk into your store, you would have an interaction with that customer. Even if you had all the legal protections and things like that, it was just different because it was face-to-face. If there was an issue with the product or service, there was that human interaction.
Now, on the internet, the stakes are just so much higher because, first of all, there’s this wall of a computer in front of you, so all your customers feel protected. Frankly, even businesses feel protected to be a little bit more flexible with how they do things. And so, if someone has a complaint and they’re upset about it, they’re going to blast you online. It’s very easy now. Any marketing material, once you put it up, it’s there forever. People can access it through archives and so forth versus, when you put it in a newspaper, it has a very limited distribution. And so, the stakes are just so much bigger.
That’s what we’re going to focus on – how this has created a whole different world of legal issues for subscription-based businesses.
MATT: We’re not breaking any news here that the online aspect is a gamechanger.
An interesting thing is from a customer service standpoint because, if you’re looking online versus in person, i.e. an actual physical store, somebody comes in and complains to you in the store, it’s probably something you’re going to rectify immediately. If you don’t, what’s the worst that’s going to happen?
MATT: Online, someone might complain, and you might not know anything about it immediately. You might not even do anything at all. But, if somebody wants to do something about it online, it’s probably worse than if someone in person is complaining about it. It’s an interesting dynamic with that.
Like you said, it’s really the rules now that are in place for any sort of online business in this industry – more than just your in-person retail store.
NASIR: Yes, and that covers a lot of different things, but I think that’s a good way to break it down.
Marketing compliance, the first thing that comes to mind – and you mentioned it, was it Columbia Records?
MATT: Columbia House?
NASIR: Something to that effect, but they’re a classic example. This was before the FTC really got involved in these kinds of businesses. Again, let’s just be plain about it. Their model was getting people to sign up for some free records here and there, and relying on that negative option – relying on that inertia that people are going to keep paying and, in some ways, making it difficult for them to terminate not being exactly clear as to how the auto-renewal works, and all that stuff.
Because of businesses like them – and then, later on in the early 2000’s when things started to go online – that’s when these auto-renewal laws really started to go into effect and where the FTC got involved and now pretty much almost every state has some kind of similar version to this, if not analogous to some kind of auto-renewal protection for consumers.
MATT: Yes, it is Columbia House, by the way, which filed for bankruptcy in 2015.
Like you said, kind of the negative option billing, and they weren’t the only ones that were doing it. I know, in the past where you’d go to a store and you’d check out and they’d offer you to go, “Do you want two free magazines?”
NASIR: That’s great!
MATT: It’s for free and then you sign up and then you don’t read through the terms and conditions and you get locked into some thing where every month they bill you X amount until you cancel and they might make the cancellation difficult to do and all these different things.
The rules that have been implemented since then are way more consumer-friendly than in the past where these companies could get away with that. I don’t think that’s the reason that Columbia House went into bankruptcy. I just think that no one was buying CDs.
NASIR: They corrected their practices well before then. It’s probably because of the CDs. But, also, another one of those was those free credit report companies. Basically, in order to access your credit report, there was the official version which you can access the credit reports from the three bureaus once a year.
But then, there were other ones that would say free, and then you would get it, but you would have to put your credit card number in to verify what-have-you, but they would use that credit card number to then start charging you in the fine print for some service – who knows what it was – credit card monitoring or whatever. Of course, people wouldn’t discover it until later. “Hey, what’s this $40.00 per month charge on my credit card?” That’s their business model. That’s one example.
Also, the supplement industry really got into this quite a bit. They really exploited this hole in the law until it was really highly regulated.
MATT: You know, it takes those bad apples to get things corrected. Like I said, luckily, for consumers, it shifted. For businesses, it’s not like it’s significantly worse. It’s just that you have to be in compliance now. As long as you’re doing things the right way, there shouldn’t be a problem.
When I say, doing things the right way, going back to the three areas I said before, if you’re looking at marketing compliance, just be truthful. Don’t misrepresent things. Don’t try to be tricky in how you market it. That piece is pretty straightforward.
We’ll just go over this really quick.
Terms and conditions just need to be very craftily worded and they have to be very tight in the sense that you want to make sure that, from the business’ perspective, you want to make sure that you’re providing what you have to from a legal perspective for the consumer, but you’re also giving yourself enough room to operate in the way you want to.
For privacy policies, it’s just compliance.
Those are the three words I associate with those three different areas, but we can dive deeper into those.
NASIR: The major aspect of complying with the auto-renewal aspect in your subscription-based business is being clear and conspicuous as to how your subscription model works.
We’ve done articles about this. We’ve actually focused a whole podcast probably on this – I’m sure, at least once. And so, we’re not going to go into too much detail. But if you can remember two words – clear and conspicuous – then you’re pretty much most likely going to be on the right side of things.
Now, each state is different. There are some specifics here, but it almost seems obvious because, look, if your customer didn’t realize that they were signing up for a subscription, there’s going to be other problems anyway, especially nowadays with chargebacks being so prevalent – you know, these kinds of things and bad reviews – it’s in your best interest anyway, let alone being compliant with the FTC regulations and other state law.
MATT: It’s funny you say it should be obvious. I would say it should be clear and conspicuous.
NASIR: All right.
MATT: Whether your state uses those exact words or not, that is what to follow. It really doesn’t matter. If that’s California’s language and if you sell to a customer in California which you probably do, if your business has sales, then it needs to follow that standard. Like you said, it’s clear and conspicuous of the terms. Those terms are predominantly the auto-renewal terms, so consumers understand that their subscription is going to roll over every period – typically every month – for a lot of these; any material terms that are going to apply to consumers; and the cancellation piece as well. All of these would be in there.
The bottom line is they need to understand that every month they’re going to be billed for X amount of dollars and they need to be provided with, if they want to, how they can cancel that subscription. There’s way more to it than that, obviously, but that’s kind of the first level of compliance. If you’re not even doing that for a subscription-based company, then you’re probably off on the wrong foot – way off on the wrong foot, I should say.
You mentioned California. If you’re US-based, being compliant with every state, and there are some 50-state surveys that you can Google and go through, but we talk about California a lot on this podcast. There are multiple reasons why. One is that we obviously practice in California among other states, but also, California and I would say next is maybe New York, these states are always in the forefront when it comes to legislation. They pass a ton of law every year. Good or bad, that’s what it is, and so a lot of regulation.
If you want to have an understanding of where law is going, you tend to look at California. How the law works, if you are offering goods or services to California residents, you have to comply with California’s auto-renewal law which is going to be more restrictive than the laws – the federal law or the regulations of the FTC.
Are you going to have a different set of procedures for California customers and otherwise? No.
California is going to be the most conservative, and so they require a couple of other things. I still say it’s the same thing – clear and conspicuous – but Matt mentioned it like you need affirmative consent that that whole negative option is not going to work. You need to send acknowledgements with specific terms in it and all these different things.
Again, we can go into detail about it on another episode, but the point being is that it’s not as simple as just implementing something that you think is correct or seeing what other people do right. You have to actually take efforts to figure out what the law is.
MATT: Yeah, we’ll get to the other big California one later in the episode with the privacy act, but again, there’s way more to it than three steps, but the thing to always remember are clear and conspicuous, affirmative consent from the purchaser or the user, and then acknowledgement – acknowledging the consumer should be acknowledging acceptance of the terms, the cancellation piece of it.
Here’s another one that I don’t think we’ve mentioned yet, and this is relatively new for California, but if you offer any sort of free trial or any sort of discounted rate at the beginning, you need to have the consumer essentially agree or consent to being charged the full price – whether that be from the free trial or from a discounted price – before doing so.
It’s like I said earlier. I guess I wasn’t thinking about it – the magazine thing. “Oh, two free magazines? That sounds good.” And then, a month later, I’m not going to get billed $19.99 for some sort of magazine subscription. That can’t happen online anymore. You need to actually have very explicit terms of once this free trial ends or once this discounted or reduced rate ends, it’s going to transition over to this. They also need consumers to acknowledge and consent to that.
NASIR: I think that’s part of the new restrictions California added within the last year on top of what’s already on there. That’s going to keep happening. Like Matt said, California is passing more law and – I’m telling you – other states are going to follow this trend, but you’re going to have to follow it anyway if you’re doing any business with California.
That’s what happened with eHarmony, right? I mean, eHarmony is a classic case. They obviously do business – I’m pretty sure it’s worldwide, if not it’s at least nationwide – and they got in trouble with California. California State actually went into a whole lawsuit. They entered into a settlement agreement where eHarmony paid at least a million dollars of restitution to California customers and another one or two million in fines, et cetera. They’re not the only high-profile company. Big companies get into trouble with this issue.
A lot of these state-specific laws do not have this private course of action if you violate these terms for the most part. That’s not true every time. And so, often, if you’re a small guy, it’s not going to be as big a risk.
But, as soon as you get bigger, you get a target on your back. It’s easy money to enforce for these states. If you’re in a growth period, for example, it can really kill your business. I’ve seen it personally. I’ve seen businesses really spend a ton of money on legal fees and so forth just because they made a mistake very early on in their business.
MATT: Yeah, you can type it into Google and find a handful of big companies that have had to correct this and basically change their terms of service here. It’s definitely something, no matter your size, you want to be in compliance, but it’s definitely not something that you want to just kind of think about for two seconds and move on. It’s really something you need to put some thought into – hopefully, before you start making sales, but I know that’s not always the case. Sometimes, it’s sales first, and think later.
MATT: Some general advice.
NASIR: We spoke about state law and how that applies. One thing that even attorneys forget to think about is other private contracts that you may be party to that may restrict on how you market and how you do business. The first thing that comes to mind is your credit card merchant accounts.
Do you accept Mastercard credit card payments? Because, if you do, Mastercard – I think, April 12 – the rules went into effect. We’re well past that. Mastercard gave their own rules as to how negative option marketing or services work. It’s not dissimilar to the law, but they require things like explicit consent, multiple acknowledgements, and ease of cancellation, and a whole handful of other specific rules.
Now, Mastercard is not any state government, but of course they’re a huge player in commerce. If you’re taking credit cards, you’re most likely taking Mastercard. I’m leaving out Visa just for the sake of simplicity, but Visa has its own rules as well. Mastercard just recently announced theirs, so it’s more topical.
And so, here and now, you have to comply with that set of rules as well. It can get very complicated but, at the same time – I don’t know, Matt, maybe because we’re just in it – a lot of it is obvious. It’s part of the customer service to just be very transparent with them as to what’s going on. You’re not trying to trick them for their money.
MATT: I don’t think it’s really that dissimilar from the rules – at least going back to the California ones, the rules are already in place. I mean, having to get consent for when you’ll charge the card, the amount you’ll charge, how to cancel service, how to be clear again. It’s not anything that’s really different what we were talking about before, but it’s just another consideration. Like you said, all these businesses, they have the card on file and they’re charging every month. They’re going to have people with Mastercard. There’s just no way around it unless you want to give up part of your business, I guess.
Going back to what I said earlier too, the free trial aspect of it, I think that’s another thing.
Let me just step back one second.
My guess is the reason they started doing this was Mastercard was probably dealing with a lot of chargebacks or contests on things because you have a consumer who didn’t realize that they had a free trial that had converted into a paid subscription. Whenever they discovered, they started chargebacks, the companies find it, et cetera.
They’re probably dealing with a lot of that and they said, “All right, we just need to change the way we’re going about things, and these are the new rules, so we don’t have to deal with this anymore. Now, we can just point to these rules any time that something like this comes up.”
NASIR: I think that’s exactly what happened.
The prevalence of chargebacks in this industry in specific, you know, we’re not going into details because we’ve had clients like this and we’ve seen it in different capacities, but we’ve seen it where literally companies had so much problem with these chargebacks because, frankly, their business model was such that it depended upon inertia of people signing up and just getting them to charge every month that they had to keep creating new LLCs with different individuals to create new merchant accounts in order for them to keep perpetuating their business because the credit card companies would shut them down and then they’d create a new LLC, et cetera. That was literally their business model.
It’s a little late, but it’s a reaction to businesses like those.
MATT: We’ve definitely had those conversations. I’m sure you can guess some of the goods that are probably getting sold on that. Or services. You know, you run into issues with your merchant account and then you have to find another way to keep doing business.
On the other side, we’ve definitely talked with companies too that were trying to do things the right way and were basically met with the opposite side of the equation of just consumers that were trying to scam businesses and try to get something for free.
I don’t know. This probably affects their personal relationship with their credit card, but they get something for free and they chargeback. They have a good feeling they can win it and just go about it that way.
There’s legitimate and not-so-legitimate cases, but I think this is definitely a step in the right direction. Again, I don’t think it’s too much more on the plate for businesses that are dealing with this sort of model just because, if you’re not already in compliance with these Mastercard rules, then you probably aren’t in compliance with the rules that are already in place from other states and federal law.
Let’s talk about privacy policies.
Again, this is a topic we’ve covered a little bit in the past. I remember doing old episodes or articles about this. I think we’ve always been kind of dismissive about it because the old rule of thumb was that you have one, just make sure you follow it. It’s become a lot more complicated than that.
Again, we’re going to stick to California. It’s an easy way to do a catch-all because there is no federal law on this to be able to tackle it from a global perspective.
MATT: Yes, no federal law. There’s some international law we’ll get into later.
You mentioned the inertia aspect before. I think that also applies here. I don’t know if it’s inertia. I think it’s just not blindness, but—
NASIR: I don’t know. Laziness, people don’t read what they sign, and lawyers don’t either. People think only lawyers read those terms and conditions. No, it’s the personality.
Only until maybe the last five years or so has Facebook and these other social media companies really received a lot of scrutiny over their privacy policies because, in the past, it was never an issue.
Some of these privacy policies are so convoluted in the sense of the length and the complexity that even an attorney who has a trained eye takes quite a bit of time to figure out what exactly is going on as well.
MATT: Yeah, and that’s nothing new, I suppose, but it steps in the right direction.
Obviously, there’s more to it than that, just to be 100 percent legally compliant. But, if you’re doing both of those things, you’re pretty far along in making sure everything is up to speed.
MATT: Which one do you want to do first – GDPR or the California Consumer Privacy Act that’s not in effect yet?
NASIR: Both stress me out, but let’s do GDPR first.
MATT: Since it’s live.
NASIR: Yeah. GDPR was around this time last year, right? Everyone was talking about it. A lot of very bad information or incorrect information was being sent out at that time. I don’t know how many calls we got asking, “Do I need to be GDPR-compliant?” And so, there’s basically two questions you need to answer.
Do you collect personal information – and personal information has a definition – from European Union residents? Or do you offer goods or services to European Union residents? If you do, welcome to the European Union because you have to comply.
MATT: I think that was a lot of the initial thoughts – like, “Oh, this is something that’s not even in my continent, so I don’t need to worry about this.” But, no, it’s not difficult at all to sell to somebody in the European Union – to have one customer in the European Union.
I think that all of our subscription-based companies that we’ve worked with have had sales there. I’m not 100 percent sure it’s the case, but I think most, if not all, of them have. It’s very easy just to fall into this. You have that and then you have to comply.
NASIR: It’s a whole presentation in itself just to go into GDPR.
The thing is, if you want to learn about it, I’m not even sure how worthwhile it is for us to do a podcast or article on GDPR because it is so technical and so specific to how you’re doing business. We’re going to go over some general rules, and I think you should be aware of this from a conceptual perspective. But, beyond that, I really do advise getting outside help for this. It’s not something you want to undertake on your own.
MATT: There’s plenty of people that work in this field – different companies. It’s definitely out there if you need that extra assurance.
Why don’t we just go over the basic rights under the GDPR?
One thing we should say too is this isn’t a situation where you don’t comply and who cares? You get a slap on the wrist. I mean, there are some pretty substantial penalties involved, depending on the circumstances, so I would encourage everybody to follow these rules or guidelines because it’s not just something minor. It could be pretty significant.
The basic rights of the GDPR – I’m going to go one way really quick, and then I’m going to highlight a couple that I think are the most important – access, forgotten, portability, informed, correction, restrict, objection, notify.
The right to be notified – the big one with this is, if there’s any sort of compromise or breach, the notification aspect of it – and we’re going to touch on this later, so I don’t want to go really deep into it right now, but those are the two ones I have really highlighted as kind of the tier one, but I don’t know if you have other ones you feel strongly about.
NASIR: Well, it depends.
From a consumers’ perspective, I think those are probably the most important.
From a business perspective, I think the portability aspect of making the data portable and also making it so that you can restrict processing or some kind of specific change in how you deal with data for a specific consumer, those two or three aspects of the GDPR make it very difficult to implement just from a technical perspective.
Even the right to be forgotten and to restrict and all these things, you have to create a whole separate system – well, not a separate system – but you have to add to your system to be able to deal with these kinds of issues. If you have a lot of data, and if you get a lot of these requests, that’s not something that you could easily do manually. And so, there’s a technical requirement in that. That’s how I look at it.
But, of course, from a consumer perspective or a user perspective, I think you’re right. The right to be informed as to how my data is being used and to be notified if there’s some compromise. From my perspective, that’s a basic right. I think that makes sense.
I am a little critical of the GDPR. It is a pretty extreme legislation. I wouldn’t be surprised if it gets tailored a little bit as some of these concepts get started being implemented in the US, but the European Union kind of has its own culture when it comes to privacy.
But we’ve seen, for example, when Europa came out – which is that whole cookie compliance – all of a sudden, you start going to websites and you get this pop-up that basically says there’s going to be cookies on this website and most users are going to just accept it. Frankly, it’s more of an annoyance than anything. GDPR basically reinforced that. If anything, they made it more difficult. I think there’s literally one section that deals with cookies under GDPR.
If I recall, it basically specifies what kind of information can be stored and how that ties into the GDPR. Even these cookie compliance pop-ups aren’t even compliant many of the times because, again, if the European Union law applies to you – and we’ve talked about that – then, if you’re collecting cookies that’s storing private information or something to that effect, you need to give prior informed consent.
A lot of people don’t realize that, when they’re implementing this, they’re like, “Okay, I’m just going to do a pop-up for them to press okay and then we’re just going to automatically load the cookie.” No, you actually have to code in to make sure that the cookie isn’t loaded until there is consent which is, again, a totally different concept. Frankly, both from a technical perspective and from a user perspective, I find it very annoying. Most people don’t care about the cookies, but some people do.
MATT: It’s funny. I went to some countries in the EU earlier this year. It’s like every site you go to now, all that stuff pops up. You see here in the US, but it’s way all over the place there. It’s funny to see that, but that’s how it’s supposed to be.
Like you said, it’s probably more of an annoyance a lot of times, but they’re guidelines that need to be followed. Make sure it’s done correctly from the business perspective.
NASIR: I get it, but it’s almost ten years too late in the sense that, maybe ten or fifteen or even twenty years ago, people didn’t realize that, when you went to a site, they could save a file called a cookie in your browser directory or what-have-you, and not only that site but other sites could access that file again later, and that allows them to track you from site to site. If there’s coordination between websites, it could get really sophisticated, to the extent that that’s how you get those stories where these websites know that you’re getting married before even you do or what-have-you.
I remember we talked about it. We started seeing engagement rings everywhere just after we got engaged. That was a long time ago.
Now, it seems to me that most people understand that. There’s plenty of apps and ways to prevent cookies being loaded to your computer and you can use private browsing and VPNs and these kinds of things. People get it, but I don’t know. I get annoyed because, from a technical perspective, I like to code in my free time or what-have-you, and it just seems like an extra step that’s so unnecessary.
Do we want to get into the California Consumer Privacy Act?
NASIR: Yeah, I do, really quick.
We did touch on whether GDPR applies to you, but one of the ways that you can think about avoiding it is that there are some guidelines on whether it applies to you. I know we made it simple, into two questions, but you should know that just having a website, for example, that doesn’t mean automatically just because European residents can access that. That’s not enough, but other things come into play.
For example, if you’re selling products or services and you specifically state that you ship to the European Union or you accept Euros or even languages, if you’re a US-based website, but then you also are able to access your website in French or Spanish or Italian or other European country languages, that also needs more that you’re actually marketing and getting access to your goods and services to European residents. Just something to think about.
It’s not automatic if you’re trying to make the decision whether you have to become GDPR-compliant and you want to try to avoid it, there are ways to do it legitimately. But, frankly, if you want to do business there, then you’re going to have to comply.
MATT: I would say err on the side of compliance. Well, I’ve never said, “Err on the side of compliance.” I don’t know why I said that.
NASIR: You always say that.
MATT: If you think you fall under it, then you probably do.
NASIR: You probably do.
Not to say that there might be a way out of it, it’s just that you probably do need to seek more counsel.
MATT: You’re right.
NASIR: Now, we can talk about the CCPA. If GDPR annoys you, CCPA is probably going to annoy you too – most likely because it’s more applicable to US residents.
We’re about six months out from it going into effect. We’ve seen some stuff. I haven’t seen a tremendous amount, but I think – like with GDPR – we got a huge push the last couple of months. We’ve just been flooded, so be prepared.
What is it? It’s the California Consumer Privacy Act. I think it is kind of a toned-down version of GDPR. Still, there’s rules in place, but that’s how I look at it.
NASIR: I keep reading the details and the fine print. I go back and forth. It’s definitely more narrow, but then sometimes it goes a little bit beyond GDPR. But, most of the time, it’s a variant. It’s a lesser degree, for sure.
MATT: Yeah, one of the big things are what sites it applies to is going to be far less than under the GDPR.
NASIR: That’s the saving grace, for sure.
MATT: If you fall in one of these three categories, you’re under it. You have to comply. Let’s see. $25 million in gross revenue, you process the personal information of 50,000 people—
NASIR: That’s 50,000. They define it but, just for simplicity’s sake, as users or profiles – 50,000 plus profiles.
MATT: Or 50 percent of your revenue is based on the sale of personal information. That one should be pretty obvious. Maybe more obvious, I suppose.
NASIR: By the way, we should specify, it’s personal information of California residents. This is California law.
The 25-plus-million gross revenue and the 50 percent of revenue based on the sale of personal information, that’s probably going to cut out most of our listeners. But the 50,000-plus personal information, it’s a lot, but I can see because, if you’re just collecting information, they may not be customers, I can see where you could get up there pretty quick.
MATT: Yeah, especially when you’ve been doing business for a certain amount of years, it’s just a numbers game at that point.
NASIR: Even from our law firm, we’ve been in business for ten-plus years, I can’t say these are all California residents, but we probably have a few thousand or so. We’re a small firm, and we’re not consumer-based. We are business-based, so we’re not targeting consumers. I think that’s easy to get there.
MATT: Generally speaking, if it applies to you, here’s what you need to know.
For the users, what you need to provide – you need to let them know what personal data is collected; who it’s sold to or disclosed to, if it is sold or disclosed; you need to give them the opportunity to say no to a sale, so that’s a little GDPR; access, again, they do have access to their personal data; and then, equal service and price. I guess this might be kind of the trickiest piece.
If somebody opts to say no to a sale or if somebody opts out of the normal process of what you do, you can’t take it out negatively against them – I guess that’s what I should say.
NASIR: For example, you can’t charge them more or something to that effect. Or cancel.
MATT: If they’re saying, “Well, I don’t want my information to be sold,” it’s like, “Now, I’ve got to make up for the cost somewhere else, so I’m just going to have to charge you more.” That can’t happen. I would think that’s common sense, but I guess not.
NASIR: If you think about it like there are some businesses that provide free apps or what-have-you or free services in exchange, their product is you. Their product is the private information that they’re getting from you and they have to be able to sell that.
First of all, a couple of things. One is that even though the law has been passed, we still expect some possible amendments to it because it’s one of those pieces of legislation that happened really, really quick. And so, there are some drafting errors in it.
Second is that there are regulations that are supposed to be implemented and drafted by July 2020 which is, of course, after the legislation has passed which is kind of an interesting concept there. And so, we should expect that everything becomes a little more clear because there is a lot of unknown, and that may be why – unlike GDPR – there is as much information about it. That’s one aspect.
The second aspect is that, like GDPR, this is going to have a worldwide effect for companies, especially the large ones that fit into this category. Again, they’re not going to create a separate process for California residents – well, to a certain extent – but they’re going to implement this across the board and it’s going to have varying changes to specific business models.
The main one I’m curious about is these business models that are specifically relying on personal information to do their business in the sense that they’re not charging consumers or not offering something for free. I’m trying to think. There are different ones, but I’m trying to think of an example.
It may be businesses that still charge, but you don’t know. Some of these businesses make a ton of money just on selling. If, all of a sudden, they have to notify their consumers, that’s going to hit their bottom line. These consumers are like, “Well, I don’t want you selling my information,” and then they can’t.
At least, in that case, they’ll only have to comply with that request for California residents. Just because the law applies to you doesn’t mean that a non-California resident that requests the same thing has the same rights as a California resident. That’s not the case.
We covered privacy pretty extensively – GDPR, CCPA, and privacy policies in general – but what about data in general? When you’re storing this information, what if someone hacks into your account and there’s some kind of data breach? What do you do?
MATT: Blame someone else.
NASIR: Well, I was going to say, I don’t know a prominent website that has not been subject to some kind of data breach – at least, if not publicly, then most likely privately because, sometimes, there may be a data breach that they may not be required to publicly disclose, and the prevalence is extreme. Ask any consultant in the technical industry. Just follow the news. The ransomware is just increasing like crazy. We’ve had personal experience with clients. It’s not just big business. It is small business, too – especially because it’s a lot more crippling sometimes, and they’re easier targets, and they pay.
We’ve done some coverage on our social media and in articles about how even the most technical companies, they claim to be able to de-encrypt your data after a ransomware attack and this and that. But, oftentimes, their best solution is just to pay the ransom or pay some negotiated ransom in order to un-encrypt your files. It’s a horrible, horrible business. I don’t see any decrease in it. It’s only getting more difficult.
MATT: The answer is because data is only getting more valuable. I don’t see it going away. It’s really who can outpace who – you know, find a new way to protect data and new encryption is just going to be busted or breached. You can’t think about it from that aspect.
From a business perspective, what can you do?
Like you said, putting as much protection in place obviously is ideal, but let’s pretend that the worst-case scenario has happened, and your data has been breached, how do you need to respond? Do you need to disclose it? We can dive into that here.
NASIR: The first thing is that it’s incredibly complicated. Again, I think I’ve been repeating that over and over again for every topic.
MATT: This is the most complicated.
NASIR: The reason is that every state is different in whether you need to disclose. If you have a certain number of residents or people or persons or personal information that their information has been leaked out of a certain state, then you may or may not have to do that.
Each state has its own definition of what a “breach” is. You would think that’s an unambiguous definition. But, if you think about it, if a hacker comes in and takes information and then posts it online, that seems pretty obvious. That’s a breach.
But what if they just come in, a program is run and it encrypts all your data and then it’s a ransomware attack, but you cannot prove whether or not a third party actually accessed the information? Maybe they just locked it up. Is that a breach? Well, in some states, it is; in some states, it may not be. That’s one aspect.
The second definition that you have to look at is data. What is personal information? What is data? If they take a list of names of your customers, is that a breach? It may not be in some states; it may be in other states. Some states require that it has to be a combination of first and last name with an email address or credit card numbers, and they’ll have a whole list of different things – you know, California is pretty developed in that area of law.
Lastly, how many records? If it’s very few, oftentimes the breach notification requirements are not as stringent. Sometimes, there are different levels. For example, if you hit a certain amount of records, then you just have to notify the users. If you hit another threshold, you not only have to notify the users, but you have to publish it on a news source or on your website. If you hit another threshold, you actually have to provide them other services like credit monitoring or identity theft protection and these kinds of things.
MATT: Very quickly, off-topic but not too off-topic, the data piece – you don’t follow basketball, but there’s a post-game—
NASIR: I follow basketball. Test me.
MATT: I don’t know how many years ago, but it was a few years ago now. One of the coaches had a play-off game and they lost. He was complaining about the officiating and the number of fouls called. In the NBA, there’s been a big drive towards data analytics and all this stuff. He was reading something about how the foul discrepancy, you know, take that for data. There was some huge clip that gets used all the time now. Basically, it’s all these people pushing towards analytics and he brings up one very basic number. Not a very good story, but I just was reminded of that.
Going back to what you were saying, I think the first step is to try to figure out what happened. And then, you just look. Like you were saying, was it a breach? Go through the law, essentially. We can provide some sort of checklist of things to do, but it’s going through that system every time and figuring out what exactly happened and then whether you need to disclose it or not.
Even if it’s something mandatory to disclose, you still sometimes have to consider. “Should we disclose it?” Everyone has different opinions, obviously. But, if nothing serious was compromised and it was fixed pretty quick, you have to weigh the options. “Well, should we just disclose this even though we don’t have to and kind of get ahead of it? If we don’t and it leaks out through some disgruntled employee that gets fired or someone gets fired and disgruntled and leaks this out, then it’s kind of a PR mess.”
NASIR: Even worse.
MATT: You could get ahead of it. It can be a story for a day, and you could be done with it. This isn’t our space to tell people how to do things from a PR standpoint, but it’s just another consideration.
NASIR: We’ve had these conversations with clients. What’s funny is that these breaches happen so often now that I’m sure everyone who’s listening has received at least one email notification or something in the mail that your data has been breached. And so, it’s almost as if it’s part of doing business and going through it.
We’ve been in conversations too where it’s like you may be legally required to do so. But, if no one knows, then what’s the big deal? We’ve seen high-profile cases where companies knew months prior to actually disclosing. That’s another thing. There’s also a time requirement.
As soon as you discover the breach, how fast do you have to do it? I’ve seen as little as ten days. I think GDPR – I can’t remember the number of days – it’s a very short period of time which requires disclosure as soon as you’re able to find out. It’s very scary stuff.
I do have some tech background, so I may be speaking a little naïvely here, but it seems to me that one of the best protections is not even legal protection but really beefing up your tech protection. Something I keep hearing often from tech people is that – I mean, this isn’t a tech podcast – for some reason, there’s this thought that, if you encrypt the data and your database both in transit and at rest, as they say, there’s some kind of slowdown in your transactions and so forth, and it affects performance.
But, when it comes to sensitive data – social security numbers, even email addresses, passwords definitely, that seems like a no-brainer – little things like that need to be really considered highly.
MATT: I’m sure this applies to multiple instances, but there was one somewhat recently where it was basically found out or leaked that there was a data breach and they sat on it for a while. It was like, “When were you planning on telling everyone about this?”
NASIR: I feel like we’ve covered it. It’s happened multiple times because that’s what will happen. They’ll disclose it. If it’s a big breach, you may get some investigations – whether it’s from the FBI.
Speaking of what kind of information, for example, if you hold patient health information, then breach laws when it comes to HIPAA are completely different – above and beyond what attorneys general and other states require and state data breach laws and so forth.
MATT: The other thing I want to say about this is let your insurance company know about it. They’re your ally in this. You need to at least have it looked into – what your coverage is.
NASIR: Typically, you need to have a cyber policy in order to have coverage because, otherwise, most policies do have an exclusion.
I don’t think it’s as common but, sometimes, there is some limited coverage on certain aspects of the breach, depending upon what damages it has caused. In fact, we were just talking to a client this week. They have a lot of data online. Their website is based upon holding data online. And so, even though they’re a small business, they got a cyber policy. It was a no-brainer.
Like any insurance, it’s not a big deal until it actually happens to you. It’s incredible how much it can cost. Any significant breach, the costs are just astronomical. We’re talking about the cost to inform; the legal costs sometimes and further investigations, and legal defense when your consumers – if it’s a substantial breach – get upset. What did you do wrong? How were you negligent in causing the breach? And then, the technical cost in actually fixing the problem – whether it’s fixing the problem or remediation in the sense like, if you have to spend a bunch of money unencrypting a bunch of files or your systems are messed up, that has a cost. And then, adding additional costs and upgrading your systems to make sure that it doesn’t happen again, it’s just incredible.
Cyber policy is really a no-brainer for any business that has substantial data online.
MATT: No doubt.
NASIR: I tend to say they’re not as competitive as they should be. They’re usually high deductibles. Again, it depends upon what industry you’re in. It’s not a fun insurance to buy.
MATT: And so, that’s kind of the general rules and guidelines to follow. It’s kind of a case-by-case basis.
I guess the parting words on this are just err on the side of caution and also take it seriously and be responsive. Don’t put this off. If you have any sort of data breach, I think this becomes the priority item.
Like you were saying before, whether it’s the right thing to do or whether it’s legally required, you just want to make sure that you don’t miss those deadlines, if there are some, for disclosure and things like that. It’s a serious topic.
There’s no surprise that this would be a serious subject.
NASIR: We didn’t cover – and maybe, in retrospect, we should have – whatever your data recovery plan or breach reaction plan is, in the sense that you should have one. You kind of addressed it like there’s a couple of things that you need to do really quick, and most of those have to do with people who you call – whether it’s your lawyer or whether it’s your tech guys and so forth – to figure out what happened and what you need to do. Those things need to be implemented as soon as possible.
MATT: Obviously, we’re one of the first calls for these ones that have happened. It’s funny – well, not funny – but, oftentimes—
NASIR: It’s very funny.
MATT: It’s hilarious, yeah.
One of the first things I ask is, “Well, what do you know about the breach? Any specifics?” Usually, in the very initial stages, they don’t know much, if anything. You know, there’s another variable to the equation there, but again it’s stuff to figure out.
NASIR: In my experience, the initial call, it just gets worse from there because it’s like, “We’ve had a breach.” And then, it’s like, “Okay, they’ve accessed this number of records.” “Oh, they’ve also accessed this server.” And then, “What did they do?” It gets worse and worse as time goes on, usually. Sometimes, it’s like, “They were only able to do this.”
MATT: Yeah, that’s exactly right. Most of the time it only gets worse.
I’ve had the opposite where people think it is way more far-reaching and it’s actually not as bad. Usually, you’re just digging into things, so it only expands from there.
NASIR: If you haven’t been breached yet, either you don’t know about it and you have, or you will be soon. Statistically, that’s where it’s at.
Going back to what I said earlier too, the bigger you get, the bigger the target is. That’s one of the perils of having a growing business.
I feel a little depressed with this episode. Oh, man. I feel bad for businesses for some reason. Really, we’re just talking about subscription-based businesses, especially online ones specifically, I think. It’s a little depressing.
MATT: Not too bad.
NASIR: I feel sad.
MATT: You’ll get over it.
NASIR: Thanks for joining us.
MATT: I think we gave a good summary here.
Hopefully businesses don’t have problems, but ultimately there are probably going to be some.
NASIR: Very good.
MATT: Keep it sound and keep it smart.