Everybody you’re listening to the drunken UX podcast? This is episode number 36 GDPR launched and I

I you know I I’ve been thinking about this Aaron and we’ve talked about it a lot and I think the the trick is I need to stop introducing myself as the host. I should also that I am one of your co hosts Michael fienen. That way it levels that playing field, right? We’re not hosting co

If you’re listening this week, you should thank our sponsors over at New cloud run by their website@truecar.com slash drunken UX that will let them know that you heard about them from us and make that all be worthwhile and we would appreciate it but they do good stuff, maps and things. Such.

I if you’re following us on Instagram I’m actually recording this episode on the microphone that I shared on there this week. I find a nice my god like I got my holy grail microphone Finally, which was sure SM seven be you chose wisely. I have wanted one for a long time. It just randomly came up for sale locally from a fella and had to snatch it up. So we’ll see how this sounds. Hopefully everybody enjoys it. If it sounds like garbage when I get it out of the mix, then I guess he’ll just have to suffer me for an episode until I switch back but I like it. So I’m departing a little bit from my normal drink this evening. I I don’t I like bourbon, but I’m picky. I’m still like, you know, finding the Bourbons I like and I don’t like jack daniels. I don’t like jack daniels. Unknown Speaker But

I have a bottle of gentlemen jack. Because it came highly recommended to me and I must say it is quite excellent. It’s not super like interesting, necessarily. Like it’s it’s a What does the band here say? It says it is double mellowed. And I feel like that is probably a relatively accurate way of describing this. Like, it’s just sort of kick back. Relax. You know, it’s not super fancy. It’s not super crazy, but you can definitely enjoy a glass.

I feel like that probably is not part of their culture. But sure. Yeah, okay. What Yes, drink. You have a drink. What do I do? I have

Um, did it curdle, when you mixed

a cement mixer is isn’t a cement mixer, tequila and and oh, cream, is it?

that hurdle though. Yeah, that’s why I was asking maybe a vodka? I don’t know.

Fair enough. If you like it, that’s all that really matters.

earlier today about this chat. I say chat software, quote unquote.

Yeah, I made the joke earlier. And we’re talking about and then I went and looked at his read me and I’m like, oh, you’re already beat me to that choke? Though your scientists were so preoccupied with whether or not they could they never stopped to think if they should?

made this argument before with some of this stuff. That’s, you know, it’s sort of the the proof of concept CSS sort of things like the one thing I always remember is the guy that made Homer Simpson in only CSS. Okay. And like it, it looked good. It looked correct. And but it was, you know, this huge thing of like, Dibs, crazy CSS, it’s like, you would never make an image that way, that is not a thing you would do. Right, right. And I used to always think about it in those terms. And I’ve kind of as I’ve gotten older, and more mature about it, it’s become one of those things, I realized that it’s an exercise, it’s not about the result. It’s about how you got there and practice it takes to do that.

Man, I haven’t had a math class since college?

That the thing that just came up the other day that I’ve that this made me think of and and this application of these ideas. So this guy, rich Harris, he’s on the New York Times. He’s on their investigations team, and they have this article on Trump’s taxes. All the politics aside, if you’re into web development, will have a link to this in the show notes. Go look at the article, scroll down about a third of the way. There’s a bar graph.

this is a bar graph with a it’s the bars are aligned along along an X axis, but they go down. Yeah. And what they did was they built this bar graph with the story text blowing around the bars, to really the explanation was that it was to really kind of accentuate the because the scale, is

Yeah, yeah, it’s, it’s a case of where the bar graph itself, like at one end, it’s, you know, it’s pretty shallow, and then you start getting really, really long, and it would take up a ton of vertical space. Yeah, and you have a lot of white space, then on the left hand side. So they came up with this idea, using a bar graph. Now the bar graph is done with like SV GS and stuff. You can go into that if you want to. But what they figured out was, by using a little bit of CSS overflow, which isn’t a big deal, but using then before pseudo selectors and a fancy shape outside, saying, they basically made a clipping path along the overflowed section of the chart to make it look like and this is really exactly what you were just saying here. Yeah, it’s not flowing around the bar graph, right, flowing around the clip path they created, right, which just happens to approximate the shape of right, our graph line close enough that it looks correct. Yeah. So it’s like, it isn’t the exact they probably, you know, it’s not the way it would look if it was a perfect kind of low. But yeah, it’s certainly the kind of outcome that you would want from that. And it’s that kind of like, it’s a super creative solution to making that text flow in a way that isn’t just, you know, cut off, or floated.

You were basically creating a really low resolution outline. Yes,

The chat thing reminds me a lot to have that the old malicious CSS story, remember? Yeah, right. People use it figured out, you could use CSS to track people, right? Because of, you know, using the background images and things like that, that you could create behavior triggers, basically. And that’s, that’s kind of what the CSS chat is doing. It’s exploiting the same kind of technique, just not maliciously, but that is how the if you go in and read the GitHub that will have linked he’s got in the read me like kind of how it works. And we sat here ourselves and, and mulled over, its I kept reading it. And I kept saying over and over. That doesn’t work that way.

But it does, because it’s really almost novel The way they accomplished it by leaving the page in a loading state, Ryan, because I was like, Oh, I see how they’re receiving data. But like, you can’t send it CSS doesn’t send data, right? Does. They use a server sitting in the middle of that to translate these GET requests and feed it to both pages that are receiving data? It’s real wild, quite frankly,

One of these days, somebody gonna message us and be like, you guys are idiots. You’re now I want to design a shirt. For us. It’s just like Jay Z across.

Jai for life. So if you’re interested in all of this stuff, the CSS hover, how data is getting passed back and forth and all of this. There was one other guy that you found Aaron that Oh, yeah, it was just Davey on Twitter.

it when you see because he’s got a video of this in action. And that was where the light bulb went off for me for ya how the chat was accomplishing. Right? Right. Seeing it done, like unit directionally, then made Yeah, make sense by directionally. So go go check that out. It’s, it’s cool. It’s absolutely not usable, like you would never, in your life build a chat system this way. It is purely proof of concept. But it’s I could see like no experiment. Maybe other data being transferred. This I don’t know. Like, I think that if it says have an application, that’s going to be something kind of maybe oddball, or haggis, or dangerous. Yeah, problem. I mean, probably dangerous. That’s why we say like all of this reminded me of the militia tracking stuff. And that’s I don’t like that.

I want to get into our main topic first, by doing one of these standard boilerplate disclaimers that I am not a lawyer, Aaron, is definitely not a lawyer, my God, put a shirt on once in a while, man, we we are not giving you legal advice. The bar exam that we take is not

That’s clever. I like that. But we are going to be talking about GDPR. Tonight, it is the one year anniversary of the launch of GDPR on May 25. And so we wanted to take this time, we had Episode 11 was when this first came up, that was on right it was May 28 of last year. So GDPR had just launched. And so we were like, Hey, here’s a bunch of stuff. So you can get started. And now is one year later. And so I thought it would be neat to sit down and kind of look at some of what’s come out since then, where we are at and where you should be as a developer. So and I will apologize in advance because this will be more of a policy show for lack of a better term. But if you want to jump in the later in the show and just get the dictionary bits, but you should listen to the whole you should listen to the whole thing. I think Yeah, there will be definitely agree Michael

Thank you for giving me that opportunity.

there’s a quote in a CNBC article I came across, which is kind of what said, Oh, yeah, we need to talk about this because it’s it’s funny. It is that among some consumers, GDPR is perhaps best known as the bothersome series of rapid fire. Privacy notices. Those astronomical fines have failed to materialize. The law has created new bureaucracies within corporations and with those tension and confusion. And it’s unclear if the EU data authority that oversees the law is adequately staffed to handle demands. Like it. The thing is, just like Mike Tyson coming into the ring, middle finger to GDPR. It’s like this thing sucks for everybody.

Oh, yeah. And that has been a big part of the problem. And we’ll get into this a little bit more here in a little bit that staffing is a problem, quite frankly. And it’s in part because you’re trying to staff up, not just hit the companies, but within the government organizations for something that didn’t exist before 2016. And so corporations are going to lawyers and asking how do we comply with this? There aren’t a lot of lawyers that know it? Well, and the lawyers that just read it and try to interpret it are don’t understand. They don’t have have somebody to go to to ask questions, because most of the places are already, you know, getting buried by actual work related to this. Right? It has created a big problem. So there’s this article from the International Association of privacy professionals say that three times fast, but I sure as hell can’t.

they they put out an article looking at one year of this, and one of the things that they noted is that a lot of the problems and challenges folks have faced with GDPR have been very logistical in nature, not technical, not like on the development side. It’s it’s problems with like, Who needs to know what collect what and have access to what,

of these issues do very much cross apply, as far as you know, where the where the problems lie. And it makes for an interesting tug of war over whose needs went out. Now, folks in the EU and in the GDPR offices would tell you, the consumer always wins out in these in these arguments, because, man, there was there was a good quote on this in one of the articles in the show notes, but I couldn’t tell you which one, but it’s this idea that businesses don’t exist to process data. They they process data to do business.

It’s, it’s it’s sort of like that. But it’s this idea that the businesses need to come to this realization that they can’t just hoard all this data on the hopes that they may need it later kind of thing is right driving it right. Even though a lot of businesses do work in that mentality. And sometimes they don’t even realize they’re doing that, you know, sometimes they’re collecting data, just because they think it’s reasonable.

but and so a corollary question to this head that is getting raised at a lot of places is, how do you adapt? Not the technology, but the business processes? You know, there are a lot of organizations and I’m even with our company, where I work at one of the big challenges has been this idea of getting everybody to understand that we can’t just collect all the information we want, because we want it and we can’t keep it if we’re not using it. Those go against GDPR. And right as a as a consequence, it’s leaving, especially marketers, because marketers, at least US based marketers aren’t thinking about this a lot, right? The people who are thinking about it are the legal offices, the HR offices and the web developers, and you’re left with these groups constantly, you know, sort of talking to each other occasionally, and trying to patchwork these solutions together. But more often than not trying to explain why they can’t do something or how to, you know, change the way they’re doing something even though the business doesn’t want to.

Well, so so far, like, from a website standpoint, if you go over to Lex ology, they’ve got an article that kind of breaks down some of this. And one of the things they noted was that a majority of the complaints are non named websites. Hmm. They noted like, they’re the complaints that are coming to data protection authorities were things like complaints about telemarketing complaints about getting promotional emails that they didn’t request. And, you know, and this is something that’s maybe a little more specific to the EU than the US but requests to meet to have, like, surveillance and CCTV data.

oh, because that applies, like right APR is not just based on websites, it’s based on

Data covers a huge umbrella of information. And so a lot of those requests have been coming into that. One of the problems that, like businesses have found as a consequence, is that, like, they’re supposed to have a data protection officer so that when data protection authorities come to them there, is this person responsible for executing on these requests, okay? Okay. This is how, because you will have, you inherently have to hire somebody who might be working against the business interests of your company. Because this is the person they are there to be an advocate for the consumer, not for the business, they can you can outsource it a business, you can hire out the the role of a data protection officer to a service, certainly. But a lot of companies want that in house because that person may have to deal with, you know, proprietary information, or you know, this other. That’s a challenge, because let’s say, you know, marketing is sitting on a database of, you know, 10 million records that they’ve collected over the last 20 years.

it’s the DPS job to go in there. Look at that, and say, we need to delete every record over like, five years old. Yeah. Because we can’t retain data indefinitely. If we aren’t using it. Now, let me be clear, you know, let’s presume that that’s just a database of stuff they’ve collected, they aren’t using. Sure. Because we’re digital hoarders, you know, we there, there isn’t really a cost or hasn’t up until now been a cost to just keeping data in case.

Interesting. side effect of that is there was an article see if I can find I hadn’t thought about it before this, but there was an article about AI training. Ai inherently needs it was something because it was it was an article dealing with like Alexa and Google Home and the way Yes, I just said Alexa, and it came on. Sorry, Alexa, don’t Don’t mind me. I’m not talking to you. Hey, turned off it, but they use like all the voice recordings that they save up to, okay, be continuously training the voice models. And of course, this right, freaks people out, they hate the idea that their voices are being kept and all this stuff. I personally have my own feelings. Not important. But that there is a valid thing there to say, Yeah, but we need large data sets of historical information to train against.

they they’re supposed to like on it?

calling robots. And, and so there’s this very real sort of thinking in the business world that well, we may need that later. But most data doesn’t fall into that, like, those are, I think, very specific cases, a lot of them and in many of those, you can anonymize it do other things that would allow, you know, strip it of its personally identifiable, you know, information, if you just need like an archive of images, you know, you could have that blur out the faces or whatever, but still use it to do like road recognition or things like that.

So there’s also this confusion that I mentioned between like the technical and the legal and the business responsibilities. And the GPO is that person who sort of needs to be able to speak all of those languages to pull those people together?

yeah. Cuz they have to have a foot in several of those worlds. Because if you know, if somebody puts in a GDPR request, like they, they want to have their stuff deleted. And the technical people haven’t built the stuff. And the business can’t respond within 30 days. And then legal gets a letter that says you have not complied. You know, the GPO is the person who kind of gets on the hook for whether or not those three parts of the wheel are working together. So let’s talk about enforcement of this, because that’s really where we get into, like the boondoggle of all of this.

Let’s, because one of the things you haven’t heard a lot of right, are things about fines. Yeah. Where all the fines that because you were asking, Is it effective? Has it done what it was set out to do? On one hand? The answer is yes. We’ll talk about that here in a little bit about like it, the mandatory reporting component of it. mandatory reporting has worked extremely well. But the fighting aspect of it, the part that is meant to make companies be more considerate of user privacy hasn’t really worked. One of those reasons is that there are five different you nations that still haven’t ratified it.

So see, Bulgaria, Czech Republic, Greece, Portugal, and Slovenia, Libya.

None of them have ratified GDPR yet, so there’s a giant space of gray.

Oh, man, I couldn’t back that’s getting into the EU politics that I don’t have the slightest idea.

guess is it doesn’t matter. Well, no, I, you laugh, but it thinking about it. Like, if somebody you know, if there was a proposed amendment to the Constitution in the US two thirds of the states ratify it, it doesn’t matter if the other third do or don’t ratify it.

It’s still going to become the law. And so I think that’s kind of the case here is whether or not they individually ratify it is probably irrelevant to the fact that they’re, they’re going to be required to still meet it. Okay. And then if they don’t, it becomes an internal EU affair, like that has nothing to do with the data side. Unknown Speaker The

so far, fines have been in the area of 58 to $60 million US. Sounds like a lot, doesn’t it?

Which is Google gotta change Adelina that. Yeah. So Google, one find to Google was like 90% of the total finds in 2018.

it’s point 04 percent of their revenue. Thank you. I remember that number. Yeah, Facebook got fined. Folks probably heard about that a whopping $645,000.

Now granted, and this was this had to do with I think AdSense or AdWords, one of those. And how they were processing data and not getting consent or something, is there something there and that that becomes problematic? There’s a quote from ODI, Kagan, the chair of the GDPR compliance program for Fox Rothschild. And she said, I still feel like unless there is a very significant increase in staffing, they’re probably going to have to pick and choose the enforcement actions that they bring.

that is a terrible way to apply law. Like that is the worst way to apply law. And that’s, I think, where like I see these fines. And while you know, it’s only a handful, I think, you know, I think it’s less than a dozen fines and total have been levied.

don’t I don’t remember what the nature of Facebook’s fine was. Because all there’s mitigating factors that come into play was intentional, was it ongoing? Right one time, you know,

this still, you know, half the cases that have been filed, like half of them are still open. Because again, and just back to this quote, that there is a staffing problem, what we were saying earlier, that the nations themselves are still working to try to figure out how to get enough people into these bureaucracies to handle the volume of stuff that’s coming in. And it’s a vault that is only going to increase over time. And right, that’s that’s a huge problem, because it creates inconsistency, and sends no clear messages to companies with respect to how to apply this law to their processes. And more to the point, it becomes a huge problem because it like it the way it’s being applied. Now, it’s getting thrown at the big companies and none of the small ones, basically. Yeah, I remember and the Facebook one had something to do with Cambridge Analytica, by the way. Okay, I do remember Oh, right. Yeah, it was like an ancillary component of that. We’ve seen some of the reverse of that in the US when it comes to like copyright and patent trolling. Right? A lot of that gets aimed at the small companies, you know, they’re they’re going after the the little, you know, bite sized chunks trying to get settlements and they cast a wide net?

Because here’s the thing, keep in mind that at least my understanding is the fines under GDPR. They don’t go to the person making the complaint, right, that’s just money the government is collecting.

So and I’m, that’s one of those, I’m going to reserve the right to be wrong on that. But, you know, it’s that as far as like, people cashing in, that’s just not a thing. So the incentive is actually reversed there. They want to get the big settlements and smack down these giant corporations that are kind of wanting the law, there’s nothing to be gained by the work that would have to go in to policing all the small ones.

a problem, as you know, because it’s it’s creating two sets of standards where there isn’t. Now there is an article over at align calm that and this is actually it’s I’m going to share their article, but it’s mentioned in all lot of them that pretty much everybody does think that stronger enforcement is on the way. Yeah, everybody’s kind of referred to this. When France issued their fight against Google. They mentioned like, this is a transition year. This is Yeah, year one of GDPR. We’re all figuring it out. We’re all getting our processes and people and steps together. So they’re all looking towards the next two to five years of really figuring this out. And once you do, that’s where they are going to see strong reinforcement. And we don’t know what that looks like

Back then, if you’re talking about like, literally back then? And not like, totally, but third, or like not not saying like, let’s jump ahead to, you know, 2050 and look back?

I mean, for lack of a better term, it does. I mean, I know realistically, there is a negligible, yeah.

until now, there’s just never been a consequence.

think about I think about in the US every time target announced a data breach, you know, think about all of these companies that have had, you know, Adobe, LinkedIn, all these companies that have had user data leaked out and stolen? And what are the consequences of that ever been?

right? I know, there have been a couple cases that were buying some happen. Let’s go, let’s go to the big one. That was recent Equifax.

They were one of the companies also have been fined under the GDPR. Not a lot. But they, they were one of the few that have gotten fines in the last year. But you know, that that too, though, that cost to them was effectively, you know, 50 bucks worth of credit monitoring the people? Unknown Speaker Yeah. And you know, if it if they often,

yeah, if they opted into it, and then it’s, you know, it was that classic joke of, I don’t want to give Equifax more of my data to get to do that. Now. Why would I trust them to do that? Now?

And it also comes back to this idea, and this isn’t a cop at the end of the show about having to retro actively apply. Now is a huge problem. Most of these systems were not built from the ground up to comply with things like you know, right to be forgotten. Right, right, right to data, transportation, all these things. Because they weren’t built to support it, trying to retroactively go back and build this stuff on is just like to go back to the other comment you made accessibility is so hard to retrofit these things on the these giant data silos and companies that have had think about a big organization like Google or Microsoft or Facebook, and

it’s not like, your information is in one table in one’s right. Like it’s scattered across systems. Yeah. And how to unify that like they, you know, have internal things that unified into your Facebook page or whatever, but to be able to go in and delete that, you know, from other people’s mistakes and things because on your right to be forgotten is absolute across their system, not just your account.

This is a great segue into our next section, which is the catch 22 of GDPR.

So here’s the thing about all of that. Let’s talk about the people side, because GDPR at its heart and soul is about us. Or right more accurately, are you specifically you? And you and I yes. Yeah, you and me are we actually wrote the law, so blame us. Yeah,

us. People are inherently untrustworthy of corporations and the way they handle our data. I can’t

yet. We absolutely fork it over to them. Even though, I’m going to say something that may be unpopular, by and large, I think corporations are relatively trustworthy. I, I am not. I am not a firm believer that things like you know, data retention policies and stuff would significantly reduce the risks of data leaks and breaches and things like it, yes, it would mitigate some of it, but I don’t think it would mitigate much of it. I was just, I was just thinking, how you were saying how we readily fork over our data to the these companies and to remember, before social media existed, you could get those tool bars for your browser.

they sent me a check every month, man Shut up.

I still remember the name, I used a tool called all advantage was the name of the one I had. And yeah, you and I did the thing where you got the tool that moved your mouse around the screen randomly so that it would track your usage of the computer, even when you were there. Because they were, you know, they paid you a dime an hour or whatever, for letting you run it. I was a kid I didn’t care to check every month, I got like, 30 bucks a month out of nice. got those whole thing collected on me during that period. That was the 90s I don’t even know what their was useful to get out of that at that point.

as a kid, that was awesome. Yeah. No, they just sent me a check. They

I mean, long story short, I mean, I know there’s the whole argument about Yeah, our companies really trustworthy, whatever the reality is, you know, I don’t care if they market to me, I don’t care if they know, when I poop, I don’t care if they know what my house temperature is set to. That’s not useful data to me. And, frankly, I don’t really see the point and being protective of it. And by and large, I don’t feel like I’ve ever had that abused by a company. Sure. I’ve had gotten like a mailer when I’ve looked at something on a website. And then something came in the mail. It’s like, I don’t know, I even got my address. But it’s not like they’re a criminal.

where your people are, I think was 23andme is the thing you’re thinking of?

does come down to a lot of different factors. And to your question about like, you know, the people side of this, one of the challenges is actually that it’s good to put the user in control of this stuff. But that doesn’t mean they get it. Yeah, and one of the things that has come up, and you’ll hear this again, later, is privacy blindness. And we’ve been hit with so many of the emails, because of the launch of GDPR. We’ve been hit with so many of the pop ups, we’ve been hit with so many of the consent checkboxes that you’re not paying any more attention to what consent you’re giving most of the time, then, when you hit the accept button on Terms of Service. The eu la they Yeah, they nobody is paying attention. And even if they were, I would reckon that most people wouldn’t know the actual details of the things they aren’t aren’t giving authorization to, especially at a company where they may have 10 1215 different consents that they ask you for.

this makes it incredibly hard to build a solution that is right for those users. There’s an article over at payment source that broke down a couple different surveys that were sent out to evil corporations and one, they said that 20% of the companies thought they were compliant, and another 50% had started work on it. You know,

I hate the way it sounds. I mean, I’m not going to try to sugarcoat it. It sounds terrible. That sounds like a internet. I don’t want to use.

can I use your location? Do you want to get notifications from us? I hate all of them. They’re annoying. Yeah, I don’t, because if I’m going to your website to read an article, how to build something, or what happened in in Alabama yesterday, or whatever, that information doesn’t impact your ability to complete the thing I need to do.

The thing is, I don’t think that that is the crux of the problem. Because we know, the thing is that the the whole consent issue deals with the things each individual company is doing, and every company is doing different, you know, different things, that the other stuff that was in this payment source article said that 20% of companies don’t think compliance is even possible.

Because, like with what you’re describing? Yeah, I mean, that’s all well, and good for like, services. Yeah, we’re not necessarily I mean, services certainly are included in that. But it’s definitely not the deep end of the pool where everybody is, is swimming at,

a name for this, and I’m going to save it, because I’ve got it here towards the end. So I’m gonna I want to let me get into one more stat. And then Okay, talk about that. The other stat comes from Tech radar real fast. That is, they were looked they asked a bunch of corporation or not, they didn’t ask corporate corporations, they were reporting on a study done. And a guy went out and put out GDPR requests to a bunch of companies and then measured the outcomes. And what he found was that only 17% of his requests were in compliance with the requirements GDPR with nine percent of them coming that came back on top of that, delayed or incomplete. Wow. So a and incredibly small 25. To 26%. You know, yeah, met the request. But to what you were saying earlier, and to the idea of the catch 22. How, as a user, do you even know?

there there is a measure of trust that has to happen there. And there’s a gap in coverage that I don’t know how to cover? And I don’t know, I maybe maybe it doesn’t need to be maybe there’s no value in trying to solve that particular problem. Because the thing is, if they say, Oh, yeah, we scrubbed you from our system, and then next week, you get an email from them, then right, when you have immediate and instant information that they didn’t scrub you from their system, or or worse, if if they said that they scrubbed you from their system, but then they have a data breach? Maybe let’s say a year later, oh,

The Scarlet Letter version of this is the Ashley Madison hack from what, three years ago? Oh, yeah, that’s all man, that would be a good example of that. Like it. Obviously, this wasn’t an effect then. But if something like that were to occur with a site like that, especially. So the end of the show is this big section called Why do I care as a developer? And if you’ve got part two, because you’ve heard us talk about some of this, and some of this will be repeated, but it’s because it’s still important. And I think people still need to hear it. Step number one, I do not care. If you are a developer based in the US, the GDPR still affects you and stop pretending like it doesn’t. It is dangerous to take that mentality. Unknown Speaker I’ll

tell you and Aaron, I don’t know if you are in any, like Ruby subreddit or not. But I kick around some of the WordPress credits and things like that and watching conversations about GDPR. Makes me want to cry the way people talk about it outside the you because it’s dangerous.

It’s tough because people are anchored to this idea of well, it’s, it’s, you know, if it’s in the EU, why I don’t have to care? Yeah, you do. Because a, you may work for a company someday that does business in the EU. And now you got to care about it. But more importantly, this idea that Oh, the EU laws don’t apply to the US is extremely bad advice to give somebody because that’s not the way law works. The US has things called trade agreements. And with those trade agreements, comes a, a reciprocity component for certain laws, especially as they apply to anything related things like intellectual property, trademark, and data privacy. Now, as far as I know, this has not been tried in the US yet. Right? There hasn’t been a fine levied against a purely US company, Facebook, Google, Uber, these are companies that have a presence in the EU. But that doesn’t mean that it couldn’t work. It just means nobody has pushed it hard enough. But they totally could. And they would very likely be able to win it. And that’s something telling people not to worry about it is terrible advice.

so you’re only dealing with us based entities purely.

let me ask this question, though. If I’m in France, and I want to set up a night Burbank I could still download diaper bass and run my own version of it. Good night?

I mean, it’s a it’d be interesting to see that theory tested. Yeah, if somebody wanted to set up a diaper bank in another country using your software, now you are you are processing the data of you people and you are now. Yeah, then then it would apply or under the umbrella. So what what I would think there is you either need to, like build in a hard limitation to the US into the tool?

got a finite and manageable number of hours. or build the tooling into it that allows, you know, proper, proper compliance. And I don’t think it would be hard in your case, but

That’s kind of what WordPress is added. Yeah, they’ve added that ability to, I forget, I haven’t used it yet. So I don’t know how the implementation itself works. But it’s basically a way you can flag things you add to the database as being like GDPR tag the so to speak to, because they have a tool now in the back end, where you can go into delete people out of your system and to facilitate requests.

And you can do it in a way, like if you get clever. For instance, if there’s user contributed data, like posts or something, you know, you could pull off the personally identifiable pieces without getting rid of like the like comments, I think are one of those spaces. You don’t necessarily want comments to be deleted, because it would break the flow, you know of that. But you can remove all of the personal identifiable pieces to that still huge problems when it comes to what if I type my name into the comment, right? Because that is still subject to a DD GDPR right to be forgotten. From a

your homework is to bring that back come out and tell us how.

The last point on why you should care in the US is because it’s coming to the US next year. Because if you haven’t heard of the California consumer Privacy Act in covenant 2020. And it’s the California version of the GDPR. And you may not do business in France or Germany, but a better probably have a good chance of doing business in California.

Yeah, I really don’t. And for all the reading, I

everything I’ve read about GDPR. And how deep my nose has gotten into it with the work we’ve been doing. I don’t know much about California is version they they have if you go to their website, they’ve got like a 10 point list of all the things that it’s supposed to do, which you know, it stopped me if the sound familiar but right to know all data collected by business on you, right to say no to the sale of your information, information security, right to delete data that you have posted, right to not be discriminated against if you tell a company not to sell your personal information up. Interesting point about that. Because this comes back to what like what you were saying with like the browser bits and pieces, nothing. This idea that if I say no to things, I should still be able to get a minimum amount of service from your application, right? Like if I don’t consent to the way you want to use my data. And that lack of consent is irrelevant to the action I’m asking to take. Yeah, I should be able to take that action. And that’s

Joe Schmo if your forum needs your birthday,

at all. Let’s try not at all, we’re just

at well, as part of that. It’s funny, you mentioned that number seven on the list is mandated opt in before sale of children’s information under the age of 16. Books. So there’s this whole list and all of these will sound very familiar as far as that goes. So if you think the US is safe, and we didn’t we just mentioned what two or three shows ago, I think one of the the warmer topics that we started with was the deal going through Congress that they have been given the green light to pursue legislation that would mimic what the GDPR is doing. Right. Yeah, that’s right. So the wild I mean, that does nothing has been written yet. The door was kicked wide open that said that he was the CEO or one of those are one of the one of the watchdog organizations came back and said, Yeah, cool, go for it.

as a developer. And we I run into it a lot. And there was something I was talking to somebody about the other day that fell into this, this idea that HTML and CSS is so easy, like, it’s so easy to become a web developer and it’s like, Yeah, okay. But being good at being a web developer is incredibly hard.

And that’s are going to describe

with the screwdriver, you don’t screw the screwdriver. We need to keep you away from tools.

else but you can’t guarantee you can get a wheelchair through the door you can’t be certain that your electrical won’t start a house fire or that you won’t die of oxide poisoning. We didn’t put this in the show notes but before the show Michael and I were looking at weird things on the internet and we found was a garden house What did they call it? Yeah, garden house that’s for sale and

little hot but like sunroom

But it’s it is that idea, though? That? Sure, yeah. Okay. If Joe Schmo down the street can go get their, you know, $10 a month, web flow account or whatever, and set up a website, but they don’t really know what they’ve done. And they certainly can’t do the hard stuff thats related to it. Where GDPR fits into this is, these are the skills and we made a comment. I don’t remember which episode was on but I remember this conversation about like CSS animations. And this idea that Yeah, learning basic CSS is incredibly easy, quite frankly. Yeah. But when you sit down and start looking at, or Well, for instance, what we started the show off with, yeah, building a chat system with CSS. Yeah, tell me CSS is easy, please. I you know,

Knowing things like how to build privacy aware systems, and how to make something GDPR compliant, is what will set you apart as a developer. It’s the thing that when you apply for that job, I’ve got a job application that right now I think I’ve gotten in my inbox, a dozen different applications for at this point. And I’m going to go through them and figure out who’s going to get an interview, a first interview, let alone a second. And the thing that is going to set people apart is if they can do the little things and show me that. Yeah. And if you can put in there Oh, yeah, I have experienced or at least an understanding of privacy concepts that will set you apart from the people who are just like, heck, yeah, I built websites in high school. It’s like, Yeah, that’s a good starting point. But if you want to be a professional, if you want to be, you know, in this industry, if you want to be a contractor, you know, you want to build houses, you have to know how to deal with legal compliance and things like that. It’s boring, and it’s not interesting. And it’s hard. And it’s counterintuitive, but we still have to do it. An example here is like if you’re building something with a database, it’s not just good enough to know walking through a table in that. Yeah. Okay, making a table on a database is easy. You know, how to include you know, salts and encryption for user data? Do you know how to do pseudonym ization on data? Do you know how to do data warehousing? And siloed? I got it didn’t I said it. You nailed it. It’s the man. Gentlemen. JACK has been talking about a gentleman What can I say? Right now, gentlemen, jack has has me talking proper, like a lady. Joke. I don’t know. The other side of this is not just building but fixing. I think we’ve mentioned this earlier that a lot of places you’re going to get a job and you’re going to walk into stuff that already exists, you’re not gonna have the opportunity to build from scratch as much, you’re going to be helping maintain or build on a system that has existed before you.

you asked before, like, Is this working? And I said specifically, let’s wait till the end of the show, because that’s where I feel like you’re almost setting me up for these. I’m not sure if you are. So there were and I don’t know why this number varies, because I feel like this is a number that should be known. But there was a range that I was able to find there were between 40 and 60,000 data breaches reported last year, the GDPR records show. Yeah, talk about if you were to guess I should have asked you to guest guest before I said that, um, is it 13? It’s more than 13. Actually, it is 40 to 60,000.

answer is yes to everything. So, okay, one. Prior to this, we you know, as far as the EU goes, there wasn’t like a place to report it really, you know, when it to report a data breach, some countries did have like Germany was one that comes to mind that did have a mandated reporting for a data breach. But it was a totally ad hoc burn per country. And who knows. So with the introduction of GDPR, you had mandated reporting and a place to report it to so obviously, reports went up on top of that, in the same way, what constituted a data breach was normalized. You know, they went through and explained like, for instance, if a database table leaked out with IP addresses in the US, a data breach in the US, because I understand I IP addresses are not considered personally identifiable.

in weird court cases, which I still don’t understand. They still used in court as personally identifiable sometimes, but it’s not from a privacy standpoint concerned, personally identifiable in the EU it is. And that’s been a fun question, go look up some things like website access logs and GDPR compliance if you really want to have your brain hurt, because IP addresses are personally identifiable. So that’s that number 40 to 60,000 is a two to three fold increase in the number of data breaches that have been reported as a result. And that is generally viewed as a positive because it means people are getting notified that their stuff is getting out there. Unknown Speaker Yeah, also, that’s a huge like

that that number is crazy is in my eyes. Like that’s a lot of data breaches.

they started like 1800 a month, and it went up from there. So yeah, talking about like understaffed departments, you know, Unknown Speaker that level of volume. That’s, that’s an average of 1500. Every day,

a lot lot of lot of data breaches. And

you as a developer every few seconds, you don’t want to be the person getting blamed for one of those,

But that’s the thing. And like you were saying, you know, learning security learning these things? And believe it or not, we’ve had an episode on web security. Wow, it has happened. Like, because these concepts are important for you not to know inside now. But sometimes you need to know what you don’t know. Because one of the biggest problems is our this need to say yes, if somebody comes and says, Hey, would you build the site for me, I need it to do X, you say yes. Oh, well, we’ll just make a forum for that and store the data in a database. You can make it work, you can make it technically work. But that isn’t good enough. And you need to know when that is not good enough and when to say, Oh, yeah, we got to do that. But we need to make sure these things are taken care of, you know, it’s going to cost you know, a little extra, because we have to build it this way. And it’s no different than when you have to get your permits to build your house, you know, or, you know, to rip an electrical system out or to get lead remediation. Like you have to go through steps than Yes, it’s bureaucracy. And yes, it’s getting in the way of stuff. But there are good reasons for that. You know,

where where this kind of falls from a, like front end standpoint, in particular, is caring about all of this from a UX standpoint. And that comment we made earlier about like, like, people don’t trust companies, but they also aren’t smart enough to know how to handle all of the consent stuff that’s thrown at them. And I, I mentioned this phrase privacy blindness, we just start clicking buttons. And it’s like, you gave me a pop up and I see the word consent. I just want to read my damn article, I hit yes or no and half the time, right? Oh, yes or no is what I need. Right? Understanding that a as a developer, you need to avoid dark patterns, to trick people into giving consent, you should never be tricking people into giving consent. It should be clear and affirmative what they’re doing. But also making sure that you are building your consent tools and privacy tools in a way that makes it easy for people to understand and know what they’re doing. You know,

right talk about the the Golden Nugget out of this epic. So, man, I love that idea.

And the funny part about that is like that, when cookie compliance came up in the EU, they tried that, and at least in that case, because I don’t think they executed it well. And the Yeah, the way it was done was bad. Like, it was done in a way that was legally correct. But in a way that gave any kind of consideration to user experience. And then they kept changing the rule on top of like what constituted you know, acceptance of cookies and whatnot. But there’s an article over at UX design by Claire Barrett called What does GDPR mean for UX? Go check that out. One of the things she brings up there, and this is kind of an answer to one of your questions earlier about like the what you could do in browser Chrome, right, and the concept she brings up is just in time consent, which is like if you’re let’s take the app analogy you are giving, if you download an app, and you go to use the camera, a lot of apps and pop up a thing that says hey, we need permission to use the camera that’s just in time could send if you install the app, and then it says, Hey, we need to use the camera. But you haven’t even asked to use the camera yet. That’s Yeah, not that.

and and that you know, that again, gets into all this UX of privacy, like how do you conveyed a people that we need the thing we’re asking for for x y&z because there are cases like file system, let’s say and mobile device, I think is a good example. Because there is at least a privacy model on them. That’s fairly standard that people are used to, like, I need access to your files. And like at a very high level, especially when you’re installing it, it’s like, No, I don’t want to give you access to my files. But the reality is they need that because they, you know, they’re going to allow you to attach, you know, a picture to something or whatever. Like, there is a reason for it. Now, asking with a just in time consistent message gives people at least some context to realize, Oh, I’m asking to do this. You’re confirming with me that it’s okay. So I can connect those things. I can think of better ways to handle those. But that’s neither here nor there. Yeah, just in time, consent fixes part of that. I like that,

asking people to consent to like 12 things when they’re signing up for an account or whatever, is you’ll see this phrase thrown around its consent, fatigue, or privacy fatigue. Like, yeah, yeah, asking for a bunch of stuff all at once, is it goes back to what I was saying, You’re tricking people into giving you consensus what you’re trying to do, and I don’t care about GDPR. At that point, you are making a bad decision. As a designer, if that’s what you’re doing, you know,

right? Yeah, the idea is, like, just in time consent solves the problem of ask for the thing that you need when you need it. Nothing else? Yeah. If you look over at the prolific, interactive, broader ego has an article over there, that also gets into this idea that there is no such thing as implied consent anymore, either. Which is an important note, again, in terms of GDPR, you can’t just say, click Yes. And you also agree to our terms of service, and to get marketing emails and all of that. That doesn’t work. You can’t do that that’s illegal. You have to say, I agree to get marketing emails, and it has to be an affirmative, checkbox kind of consent. Okay. And, yeah, what you’re just saying, at the end of this, it all comes back to encouraging people to do the thing that I love, any opportunity to say this, it’s do less, better, less better. Don’t try to collect every piece of information on the planet about somebody, don’t try to get them to sign up for every single thing. Whether or not that’s what they’re there to do. Let people do the minimum amount of stuff they want to do and give them an awesome way to do it.

Does this data bring you joy? Yes, it does. I get to know everything about their personal life. I was going through their recordings. Let me tell you about what I heard there. I think I liked us better. And I think that, you know, if, if you’re concerned about this, I think step one is evaluate what you’re already collecting. And what can you not collect anymore? Do you really we need the name of the users. And every corporation doing business in the EU or with you people is required to have a data protection officer, the data protection officers role is to be an advocate for the users and their requirements and their privacy. But that doesn’t mean that that responsibility begins and ends with them. developers and designers and UX professionals and UI designers and QA people can all take part in that role and shouldn’t be taking part in that role. I said, I don’t know if it’s the last episode of the episode before about this idea that one of the things our industry is missing is sort of an ethical code of conduct for our users. Last episode last episode.

it felt awfully fresh.

Yes. But that’s the thing that we’re missing. And and it’s that argument of we have to do right by our users, regardless of the business interest, because at the end of the day doing right by your users is in your business interest. Yeah. And I don’t know I guess a better way to end I actually I think the the joke about the data joy was probably and Alexa recording people having joyful things. Hey, Alexa turned on again. Hi, Alexa.

Folks, we’re gonna take a break and stop for just a moment and we’ll see you back here in about 60 seconds.

Everybody, thanks for sticking with us. We’re gonna round this out. Get out of your hair. Thanks for joining us this week for episode number 36. Hey, if you’re in Missouri by chance, at the end of the month, I’m going to be at the web accessibility summit in Springfield, Missouri. I’m doing a talk on transcripts. Ironic, I know because we’re behind. Don’t worry, we’re gonna catch up. I swear. I know we’ve said that a lot too. But trust me, we are in fact working on that. But I will be talking there and we’ll have a table set up and whatnot. And if you stop by Say hi, I might have some, some little stickers and swag to give away. Also, be sure to stay tuned. We have a killer episode coming up for Episode 37. Oh, we’re gonna have Rachel cherry on from WP campus to talk with us about the Gutenberg accessibility audit. I cannot be highly enough about Rachel about WP campus about the work they’ve done for accessibility and Gutenberg. So be sure to stay tuned, because that is not going to be a miserable episode. So we’re excited about that.

Congratulations. Yeah.

baby did it. You know, you’ve made it big, right. It’s like making the front page of imager.

everybody. If you want to find us jump on Twitter or Facebook at slash drunken UX or Instagram slash drunken UX podcast, we’d love to chat with you hear what you think of the episodes or what you’re enjoying. You can chat with us on slack at drunken ux.com slash slack. And that will get you to our Slack channel. Connect with us say hi. I one thing I always get a kick out of is when I see somebody Follow us on Twitter. And then like, yeah, follow my personal account immediately after that. That always makes me feel a little good. I think so. Everybody, stay tuned. Join us in two weeks for the Gutenberg accessibility audit review. Otherwise, thanks for listening this week, take care build great things. And the only other advice I have left to give is one single thing. It’s small, but it’s big and its impact and that’s the keep doing better or what? Well, yeah, let’s better die for life and keep your personas close. But your users closer Bye bye.