[00:00:00] Nathan Wrigley: Welcome to the WP Builds podcast, bringing you the latest news from the WordPress community. Now welcome your hosts. David Waumsley and Nathan Wrigley.
Welcome once again to the WP Builds podcast. You have reached episode number 289, entitled Legal Stuff. It was published on Thursday, the 28th of July, 2022. My name's Nathan Wrigley, and before I'm joined by my good friend David Waumsley, a few very short bits of housekeeping. If you enjoy WP Builds the podcast and any of the other things that we do, I'd be most grateful if you shared it.
Our Twitter handle is at WP Builds. Alternatively, you could join our Facebook group. WP Builds.com/facebook and join 3000 plus very polite WordPress users, all exchanging thoughts and opinions. Alternatively, you could just go to our subscribe page. WP Builds.com/subscribe and join our email newsletter where we'll keep you up to date.
When we post content, typically that's two times a week, so that will be on a Thursday. That's the podcast that you are listening to right now. And also on a Monday, we do a live. WP Builds.com/live. It's called this week in WordPress and I'm joined typically by three other people. And then we put that out as a podcast episode the next day, if you enjoy the live show, please come and join us.
This week. We'll have some expert guests and analysis all about the WordPress space. If you like a good deal, may I, once again, recommend our deals page to you, WP Builds.com/deals, a searchable filterable list of absolutely tons of WordPress products, which are permanently on discount over at that page. So once more WP Builds.com/deals.
The WP Builds podcast was brought to you today by GoDaddy Pro. GoDaddy Pro, the home of managed WordPress hosting. That includes free domain, SSL and 24/7 support. Bundle that with The Hub by GoDaddy Pro to unlock more free benefits to manage multiple sites in one place, invoice clients and get 30% off new purchases. You can find out more by heading over to go.me/WP Builds. That's go.me forward slash WP Builds. And we really do sincerely thank GoDaddy Pro for their support, keeping the WP Builds podcast going.
Okay, let's get on with the podcast, shall we? Today, David Waumsley and I are having a chat in our WordPress business bootcamp series. We are on episode five of season three, and today we're talking about, well, complex title,
I know, but the title: Legal Stuff. So this is all about our perspective, and we are not lawyers, caveat emptor, about the responsibilities that we have as builders of WordPress websites for clients. So it's things like the legal consequences of GDPR, accessibility, copyright, and all the other things that we might get ourselves embroiled in.
Do we need to be involved? Are we better off just handing all of that over to the clients and making sure that they know what their responsibilities are so interesting conversation, and I hope that you enjoy it.
[00:03:36] David Waumsley: Welcome to another in the business boot camp series, where we relearn everything we know about building WordPress sites and running a web design business from start to finish.
We're on episode five of season three, where we're looking at the technical build, and today we are discussing legal stuff. Nathan and I are taking contrasting approaches as we get our new businesses running. And our first client site build: she's a new lawyer with no previous site, called Miss A. And Nathan, as usual, we tend to recap on our different approaches.
[00:04:08] Nathan Wrigley: Yeah, just let's do this very quickly. I'm although, I don't know, actually, I don't know that this will come up so much in this episode, maybe a bit, but because of the nature of the topic, it's blanket across the industry, really. But anyway, mine has been the traditional approach with fixed pricing.
The idea being that I throw out a proposal give them some kind of contract and and then set a deadline and deliver the project. Whereas yours is.
[00:04:33] David Waumsley: Yeah, it's agile where we try and get out a minimal viable website and make ongoing improvements over time in collaboration with the client. So it's strategic and data driven.
[00:04:43] Nathan Wrigley: Now you make it sound so impressive. It's very good. yeah. So today the legal stuff, this is gonna be horrible. cause yeah, let's be honest. Neither of us are law experts. So should we just shove that caveat in massive neon letters right at the beginning? Yeah. we definitely don't know the law as well as one might, but this is what we think.
[00:05:10] David Waumsley: But we probably know more and have to consider more as we're relearning everything than we did when we started. So that's right. More, yeah. Around more legal consequences of the things that we do with GDPR, accessibility and some things also, which I guess were always there, but related to rights and copyright as well.
So we'll try and take each of those in turn. Yeah, there,
[00:05:32] Nathan Wrigley: there was basically almost no law around the web when I started on it. If you could put it up there, that was it, there was obviously contracts around what you were delivering, but it was more about that, making sure that you did your job correctly, not about all the, cookies and stuff that we'll get onto later, it was about just, yes.
Are you gonna deliver what you promised to deliver and were paid.
[00:05:57] David Waumsley: So really the early days where kind of data that people can have now, just wasn't people didn't realize that's how you could use the web so much and the power of it. So yeah, it's progress. It's been a progression for sure. Yep. In terms of, it's very difficult, actually, we're both in WordPress communities and it's there's often lots of chat, certainly in the ones we're in, page builder type communities, on this stuff, but it's very hard to pick it out because there's also products that go to solve a lot of these issues.
So a lot of it could be profit motivated and that's true outside of WordPress of course, as well. So I particularly, yeah, recently wasn't there on the Tavern, there was something about those overlays for accessibility things you can buy, to solve your problem. So there's always something like that.
Yes, we've given our caveat. Should we talk a little bit about each in turn? We've already said that we're not knowledgeable about even the legislation that there is out there and we can't give legal advice. But I think probably we decided early on what we wanted to get from this was the fact that our, our role is to make sure that we don't make ourselves responsible for things that are beyond our control which we're not knowledgeable about.
And we might want to do that.
[00:07:22] Nathan Wrigley: And that really sums up the conversation. Doesn't it? At the end of the conversation. Yeah. That's basically what we'll have tried to do is to figure out a way to make sure that you are not in control of things that you never intended to be in control, that you didn't actively wish to be in control of.
And the fact that there's so much conflicting and changing. In our Facebook groups and things like that is demonstrative. I think about how difficult it is to understand the nature of where we're at. And the law is changing. All the time new things are happening all the time. The public's tolerance for things is changing all the time based upon, the leaks of data and things like that.
It might become more important to, to understand all this stuff. Yeah. Yeah. But I think you've summed it up perfectly, do be, do, be knowledgeable about what you don't want to be in control of and make sure that you're not in control of things that you didn't intend to be sums it up.
[00:08:23] David Waumsley: Yeah, there, there is.
You mentioned there's not much difference and I agree with you between agile and traditional approaches, but there I think there is in a way it's changed how I approach these topics going from traditional to agile. So I think with the traditional approach if we're selling a complete product to the client and say, here are you're handing over the keys.
When you've built the site, there, there could be an implied expectation that you are sorting out these kind of legal stuff, for them, right about their website and accessibility. So I think there is that where with the agile approach, I find it easy to approach that side of it earlier on because of the fact that the agile makes the client remain the product manager throughout the whole building of the site.
So you are in collaboration, we're building it, but. Automatically inherit those responsibilities for staff. Yeah,
[00:09:17] Nathan Wrigley: I guess this is the point of the contract though. Isn't it is that you would make sure that you have got signed off consent for who is responsible for what, and yes. You just need to make sure that your contract is up to date and legally binding with the current state of affairs in the area of the world that you live in, because this, for example, if you will get onto it, but if you haven't mentioned things like GDPR and data controllers and things like that, then you potentially are in a world of hurt.
Should they come back over? But I totally concede your point. It's a bit like when you buy something from a shop, isn't it. You expect the shop to be responsible. Should you open the box? And the thing inside is broken. you would also, I think instinctively have a, an understanding that if you had built a site and paid for it and it was handed over, and then it turned out that there was some legal problem, let's say a data breach and emails get out and it's proven to come back to your website.
There would definitely, I think be some expectation that I paid for the website. I'm gonna go back to the person that built it and say, wow, why has this been allowed to happen? So I guess in my case, those conversations need to happen right at the beginning before they sign anything. And you just need to be really clear about who's responsible for what.
[00:10:43] David Waumsley: I think the difficulty may be with the traditional. There is that I know a lot of people are quite smart with this and will put it in their contract that they can't accept responsibility for this, that, and the other. And that's fine, but it's the small print thing. Isn't, it's the terms and conditions.
Yeah. Where I think, the agile in a way they can't escape the fact that they are in control of this. But on the other side, the anti kind of agile side of it is that because that tends to be a data driven approach. It's also, it in itself is encouraging more the kind of tracking which moves us more towards the privacy concerns of GDPR.
That's right. So it naturally leads clients in that direction anyway, where they might have more responsibilities. And also when it comes to, the idea I mentioned to getting a minimal viable product out there, it's easy for the. Challenges of accessibility to get pushed at the back when you're constantly changing stuff, because it is not like a product you build where you might think about all of these things, cuz you've got this final product.
So yeah. So both ways I think, but I think there is a distinction I think in approach and that plays into what we're talking about. Okay. So
[00:11:54] Nathan Wrigley: Just a real aside, but an important aside curiously the scenario that we've set ourselves over these last three series is that we've got a client, who's a lawyer.
So just in this one particular case, I think it, it's probably reasonable to understand that they would have an understanding of some of these aspects. Now they, they may not be expert in internet law and all of that kind of stuff, but you would imagine that this client uniquely, this client is going to be asking probing questions about who's in charge of this.
And who's in charge of that because. They would need to be very certain about where they stand and who's responsible, but this client won't be typical. It's unlikely that you're just gonna niche down on lawyers. So curiously I would feel much more certain going forward with this project than I might do with the, I dunno, the local shoe shop or something.
[00:12:51] David Waumsley: Yeah. Should we start with GDPR and those kind of privacy and cookie law and all of that kind of stuff. Yeah.
[00:12:58] Nathan Wrigley: Okay. This has kept everybody going for years. Hasn't it now
[00:13:04] David Waumsley: Yeah. And it's coming back again. Isn't it as well, because we've had recent court cases with Google fonts and Google analytics. And they've just been, they've been private court cases where, local judges are rolling here in two sides of an argument.
So I've been that's been given a lot of coverage, I think, in the communities I'm in. But when you look at where most of those articles are, they're on like hacker news and things like that. And and with competitors selling an alternative to Google fonts or Google analytics. I'm not quite sure it didn't make, as far as I can see the BBC, for me.
[00:13:45] Nathan Wrigley: Yeah. It is interesting. And it definitely did pop up into the news, it made it into. Things like the Tavern, again, as you described and onto, I think I saw it on search engine journal, but you're right. I don't think it made the mainstream news certainly in the UK anyway, but in my understanding the Google fonts, I think that was taken through German courts.
I don't know, on the back of it, what the fine was, or indeed, if there was any fine or if it was just a, you need to improve this. But essentially it was about the IP address. I believe being taken from a website, which was held on German infrastructure and that IP address had been sucked into Google analytics and therefore sent to the US.
So it's a fairly trivial example, but the GDPR definitely does see an IP address as personally identifiable information. So you are in effect breaking the law. It's curious that I dunno how much I'm gonna be shot down in flames about this, but it feels like a lot of people on this side of the Atlantic that is to say Europe they seem to be a little bit more accommodating to GDPR and they seem to have gotten to the point where they can live with it and their understanding of what the purpose is.
Whereas I feel that on the other side of the pond, it's a much more difficult pill to swallow because you are being forced to consider law, which doesn't even have anything to do with the boundaries of the country that you live in. But because a lot of these giant companies are based in the US, Google, Facebook are the two ones that come to mind, then it applies.
And whether you like it or not, if you are getting visitors from anywhere outside of your own jurisdiction. And certainly if they're coming from Europe, this matters.
[00:15:41] David Waumsley: Yeah, I moved forward a little bit, but we talked about this earlier and I think you're right. Certainly amongst the web designers, the US ones, all of us, I think when GDPR came out, thought, oh gosh, something to get heads around, some responsibility, something we need to know about.
And if you're American and if it's been done to you yeah, but the EU, I can understand that. But my, my theory is that this, I think just for the Western world and its values, we have to have some protection about. The kind of power that people have, who can take our data. And if it hadn't been the EU, I'm pretty sure the north Americans would have come up with something similar.
And I think there is something similar, isn't it? In the state of California or something as well. Yeah. So
[00:16:27] Nathan Wrigley: again, that feels like that's true, but I can't be certain, but yes, that feels true. I guess the principle here would be that when the internet came about, it really was just the set of HTML files living on servers and, things like cookies and all of that would, were just technologies to enable things to happen.
So the cookie was. To keep state to see if you were logged in or not. And the IP address was the obvious thing, which yeah. Told packets where to end up and so on. And that there was never, this never a hint that, okay, we could actually use the IP address and the cookies that we planted in the browser a little while ago to do other things.
And so now we've moved on, everybody's connected a hundred percent of the time via their phone, which is constantly phoning back and giving away data about your location and so on. And we just didn't see it coming. And now I think you're right. If it hadn't have come from the EU, it would've come from somewhere else.
And perhaps an interesting thought experiment would be let's imagine that a 10 years into the future, that the big corporations online are all based in, let's say China for want of a better word. Yeah. Would we be happy sending all of our data to servers in China? and I guess if you're a European, you could apply the same argument to north America.
Would you be happy for all of your data to yeah. Egress European union or in this case, Britain and go off to America and at some point there's gotta be a buffer to say, actually given that there's so much data going out now, maybe we do need some, because it can't just be a wild west. You can suck out whatever you like whenever you like about whoever you like.
That just seems like it had to come to an end and GDPR, was it?
[00:18:15] David Waumsley: Yeah. We've all joyfully given up our privacy, with the internet and, our values are as they are to protect that. And we do need governments to hold people accountable. So I think, it's inevitable.
We'll have this and we'll talk about it, a little. Later with the, there is a progress. It's not like this has just appeared suddenly that's right over these years. Yeah. We've moved towards it. Interesting. You mentioned about the fine for the Google fonts and that it was a hundred euros.
Oh, okay. Because just local courts and at the end of the day, I think when it comes to these court cases, it is just what a judge will decide on based on the information that they're given in court. Whereas I think, the wider conversations, the ones that we know Google are having with governments, we also know there's been some recent agreement between the EU with the US about sharing data, because that's one of the difficulties about GDPR.
The people legislating don't really know the technology and don't know the problems that might come with. One of the issues of that is, having information from one country on a server in another country, because the internet pretty much relies on that. Doesn't it?
[00:19:34] Nathan Wrigley: Yeah. I guess the, one of the problems is the likes of Google and Facebook.
They can totally modify their technology. so that they can comply with pretty much whatever comes along. So let's say for example, GDPR. Yeah. I would imagine it's not much of a decision for somebody in Google to say, okay, let's open a data center closer. Let's just open one up in the EU. Obviously, given the nature of Google, we know that they have those already, but you get the point that a big business can really get over this, these obstacles quickly, but the likes of you and I building websites on a very modest budget, and we're gonna be hosting them on infrastructure that we don't own.
We've got no real control over other than the fact that, we can buy it or not to buy it. We could possibly move it to a different part of the world, but we'll still be under their privacy policies and so on. We've gotta think about this a lot, really. And it, so yeah, you can't really sidestep it.
It's the future. It's what's gonna happen.
[00:20:41] David Waumsley: And I think I, I put down the stats that I saw them, which is actually, it's quite interesting. I was looking at BuiltWith for those stats for Google fonts and, roughly it's used on about 50% of sites, although there is a slight dip off recently. And I think maybe due to that, and also a dip off as well with Google analytics, but it is six around 60% of the web.
And. It's 85.9% of all sites who have analytics. So that is huge, so if Google analytics is illegal, 85.9% of those who are collecting any kind of analytics are behaving illegally.
[00:21:22] Nathan Wrigley: So it's a really perfect example of how the web has evolved. Isn't it Google analytics, because the old adage that if you're not paying for it, then you are the product that strikes me as a real great example of it.
It must be, it's just such a superb suite. Of free stuff. You just drop a line of code in and all of a sudden it's telling you everything you could, more or less imagine you could ever need to know about your website, but you can you imagine the interest interesting data that Google themselves are getting out of this?
It must be astonishing. And whoever came up with Google analytics all those years ago I bet there was a dilemma. Do we really do? We, is this of any interest? We're a search engine, but now looking back, they must have been like, whoa, this is one of the best decisions we ever made. I don't know what the future is for Google analytics, because I really haven't followed that story closely, but it sounded from what we were talking about before we hit record that you've been following it a little bit with Google Analytics 4 and how that's different.
Yeah. I wonder
[00:22:57] Nathan Wrigley: what data points are gonna be lost because one would assume I don't know. I could be completely wrong. Maybe there are technologies which don't store GDPR data, data that would come under the auspices of GDPR, but can still get the same data out. It makes me think, for example how will they know if you are a returning visitor?
For example, if you are not storing any kind of cookie, are there other things which can be done if there really are? No, I don't know. It genuinely is baffling to me. I just wonder if the sophistication of Google analytics will be decreased, or whether they've got clever ways of sidestepping the problem and still giving reliable, predictable data.
[00:23:45] David Waumsley: Interesting. Yeah it's much more about before it's about kind of numbers and visits and stuff. This is much more about actions that people are taking while they're on your site. That kind of data, it's a slight shift in the information that's providing, but it's still for me to learn about, but this, clearly it's changing and clearly how built up some of the privacy aspects, what they can, what useful information analytics what do people need to know about how people are using the sites?
This is the same as Microsoft has built clarity, which is also alternative to a degree, but it's focusing more on how people are behaving on your site, maps and so on. Yeah. That kind of stuff. But it's also gathering the basic analytics. And again, it's, it does drop a cookie in their case, but it's supposed to be GDPR compliant, but they all will say they will be in that sense.
And I guess that will be the aim, but it's interesting. I think for, this fear that it's illegal. But when you look at the reports from it, it's coming from people with perhaps a vested interest or people who that would be part of their news agenda anyway, are talking about it rather than it being global news
[00:24:53] Nathan Wrigley: about Google analytics.
Yeah. Are you meaning that the sort of scare stories, the people who are saying that the sky is falling in Google analytics yeah. Is evil. It must be avoided at all costs. Are you, I think that saying that maybe got an agenda with a rival product or something like that. Yeah.
[00:25:07] David Waumsley: Oh, yeah. Often I think that's the case, there is a rival and it's used for that.
And often the fear is brought in. They tout the GDPR maximum fine of 20 million, 20 millions. Yeah. Yeah. Of which, it's silly because one thing is absolutely clear about GDPR is there is a very stringent warning process, so no one's going to suddenly find themselves with a 20 million Euro.
Fine. You really have to stick your fingers up at them numerous times. that's right before you can
[00:25:38] Nathan Wrigley: get these. Yeah. Yeah. So yeah, you don't need to live in fear just yet. Ju curiously, just going back to the Google font thing, the, there was a debate which was begun after all of that. And I think there's now talk about ways for theme authors to mandate the downloading of Google fonts.
I think most of the themes that I've come into contact with in the recent past have had a, an option to download Google fonts. Cause it turns out that you can font, you can host the fonts locally and they're free to download from Google. You just have to go through the process and then queue them in the theme and what have you.
But that, so you can carry on using Google fonts. You just maybe don't wanna be taking them off their servers. That is to say calling them on the, on, in the HTML. And that seems to sidestep the problem and whether or not Google, sorry. WordPress core would wish to IEL people who are creating themes that this must always in the future be an option.
Seems like a fairly sensible default. I wonder what will be in it for Google apart from just being a. a good web custodian. I wonder if they'll continue to maintain that Google font's product, if it basically just turns into a downloadable thing, because you gotta imagine they were getting IP addresses and sucking all sorts of important data.
As a result, I don't really know.
[00:27:05] David Waumsley: No, I dunno. It would be a big thing if the themes team in WordPress decide that they're going to ban those that are gonna hook up to Google fonts. Cause I'm sure that's gonna have a huge impact. Isn't it? On the use of the
[00:27:20] Nathan Wrigley: service, yeah. But the themes that I've been using for the longest time, there's just a button in the settings somewhere, which says, do you want to just have the fonts local and you click the button and you're done.
[00:27:33] David Waumsley: I wonder if though you violate another law because one thing is you are supposed to include somewhere your licenses for your fonts, even though they are pretty much all the equivalent of Creative Commons Zero licenses, there still is a legal requirement to do that. Hey, oh, you know this stuff now.
Yeah. This stuff can go on forever. I locally load my fonts manually as well. And I try and remember to include the little license somewhere, but even so I'm not sure where it is, but I do know it's a legal requirement to do that, to cover the license where your font came from. Yeah. And I wonder if the themes do that anyway.
[00:28:08] Nathan Wrigley: That's yeah. And
aside side. Yeah, that was good. Okay. Where are we going now?
[00:28:13] David Waumsley: Maybe you should just mention quickly the long history because the, we had, I remember this so clearly back in 2011, when the EU cookie law, which is officially called the ePrivacy Directive, came into effect, but it started in 2002.
I, so we
[00:28:31] Nathan Wrigley: haven't know. That is interesting. Yeah. That's a long time.
[00:28:35] David Waumsley: And it shows you about how easy it's to get cynical about governments doing this stuff. Because, that was one where it was a classic turnaround at the 11th hour, literally days before it was due to go out, which I think is always the same date with these things.
I think it's the 25th of May, same as the GDPR date was all right. I think so could be wrong on that, but yeah, usually seems to be May, but they had to turn around because the type of cookies that need, they needed to make some exceptions, otherwise people wouldn't be able to drop the cookies that would tell you where you was on a, on a route two with the shopping cart.
So it would've killed all eCommerce at that. Point, which kind of, shows you how, for good intent is behind all of these decisions. Yeah. The difficulty of implementing it the people making the decisions really don't know how that might pan out in the real world.
Yeah. Because they're not technicians, so yeah. But I don't think it's a reason to be cynical about it. I think the problem with that one, cuz we talked about is it just meant that everybody had these stupid pop ups.
[00:29:38] Nathan Wrigley: Oh my word. I mean I still see the stupid pop ups all over the place. Yeah. The latest round is just.
The sort of dark pattern around, are you gonna accept all the cookies or some of the cookies or the necessary cookies or the cookies that we don't really need, but we're gonna ask for anyway. And the, that seems to be everywhere still. It frustrates me. I can see the point I get it, but it also more or less every site that I go to, if I haven't been there before and accepted the cookies are really doubling down on.
[00:30:18] David Waumsley: Yeah. And then we have, which is still to come into effect. We have the ePrivacy regulation, right? The ePrivacy directive, which was first proposed in 2017 and was supposed to come out with GDPR. So GDPR is really tackling the storage that kind of privacy. And this was, this was more about the tracking wasn't it?
Of the cookies. Yeah. So they should have come out together and part of, but the problem is it's an ongoing discussion. The last I heard is it's due to come next year too, 2023. But who knows if it will, because it seems to have gone off for all different angles. One of 'em being, how do we get rid of all of these stupid popups, which are annoying, that nobody is really giving consent because they just need to get around the web.
So they're just ticking yes. To everything. Yeah.
[00:31:06] Nathan Wrigley: Yeah. That's right. And that's what I feel I'm doing as well. You are somewhere, time is limited and you just can't be bothered to go through that process. So in a sense, like I said, it's the dark pattern. It's the inconvenience of not accepting all the cookies, because the popup comes up, you then have to click the button, which will then create some sort of other popup, which will then have a bunch of toggles to decline all the cookies you even got.
I wish you did, but that's a mess and every site's got a different implementation and different language. And so there's no kind of. A muscle memory that you can rely on, which says, okay given a choice of cookies, I'm gonna do this and this. And it'll be over in two seconds, you have to go through and read everything.
And it really does make a bit of a mess of the web. It's really stifling it a bit, I think.
[00:31:58] David Waumsley: Yeah. Are there any sites where you've put that on a pop-up no. What about you? No. I did for the cookie law, because was that back in the day
[00:32:13] Nathan Wrigley: or was that recently,
[00:32:14] David Waumsley: You back in the day?
Yeah, recently when I used to work with my colleague she was rather a fan of it, so she led it that way, but actually the, she did have some of her. Clients on the church who thought they needed to have it, there was another one as well, a few people had it, so we put them on or I put them on because they felt they needed it for the original cookie law before GDPR.
But it's interestingly enough, most of them were only gathering basic details and I feel though, unnecessary net what I would say to the clients, cuz I want them to have they need to be the decision makers report. They need the knowledge, right? Yeah. Yeah. So it's up to them, for us in the UK, they, with the original cookie law they stopped actively pursuing it.
They don't have any staff for it at all. They've announced that. And they're only looking at the top 200 sites only if there's a complaint because they know it's gonna be, taken over by something else. So yeah. And also, when it comes to the ICO, it's really interesting website because we've had the Google.
Analytics being illegal. But they still use it themselves. They, and they're the body that would govern us in the UK. but interestingly enough, though, more recently they have done a tweak. So it does show that they've been making a difference. I've noticed now that it doesn't come on. If you come in from the EU, if I'm coming from India on my, where don't put my VPN on, then it pops up for me with Google.
[00:33:48] Nathan Wrigley: That is interesting. Okay. So they have tweaked it. Yeah. I feel there's a whole debate here about whether it's even worth it for a certain type of client. And I don't mean that in everybody go out and break the law. I just mean it in the sense of. What are the chances of any of this coming back to bite you and does that figure into the amount of effort that you put into it?
Because there is work to be done. There's things that need to be implemented. And for most people, typically most websites like our little lawyer. Yeah. Do we need all this or is it just an impediment to getting people onto your. .
[00:34:27] David Waumsley: Yeah. We have to make choices based on what we think we have to apply, but I think, for me I, a popup I think, needs to come up when it's covering the things that GDPR allude to.
So they track in, so the Facebook pixel or something, so you're gonna be advertised because you went to that site and that's gonna carry you through I think that's where you do need to give consent to that sort of stuff. Yeah. Or I can see the argument rather for that more and I can see why that law is there when it comes to I'm gathering just very basic, that I'm just taking forms.
So that's information, which people you would think when they're filling in a foremost already by the, their actions giving consent, that you wonder whether that's needed and yeah it's so I think there are levels and I think you have to decide and, The impact that might have on somebody else's privacy.
And I think ultimately these laws are only there to do that, to get us to think about all this data, which we now can easily gather, which has been a concern ever since we've had computers,
[00:35:33] Nathan Wrigley: okay. So look looking at it through that prism. That's quite interesting. The law is there to make us think yeah.
And to pause for thought and think about where's this data going, is it necessary? Do we need to collect this? Is this never gonna be looked at? So it's pointless or is it really worth having, so let's inconvenience the user a little bit and give them a warning or make them tick a box to say that they've read privacy policies and so on because that data is worthwhile.
And then, and obviously at the beginning, at the outset, having that conversation with the client, do you actually want any of this? Are you actually gonna look at any analytics. You actually gonna be driving traffic from Facebook. Here's another thing, to throw in. Yeah. Yeah. I wonder if we didn't talk about this in the preamble talk and it's not in the show notes.
I do wonder if some of this is gonna be taken out of our control anyway, in the, I wonder if the browser manufacturers, obviously Google is a slight exception because, they make the Chrome browser, but I wonder if the drive from people like Apple and their Safari browser and their, Safari on iOS in particular, they're just blocking a lot of this stuff.
Anyway. It renders some of that, those arguments moot because it's not possible to do some of these things. And I do wonder if the debate is shifting towards. Privacy built into the browser and the fact that cookies can't be set, nothing can escape. You can't be tracked from one page to the other because Facebook set a pixel somewhere.
I wonder if that's gonna become the quickest way to solve this in the future. Sorry, complete aside. But I just thought, I thought, no,
[00:37:18] David Waumsley: but actually it's very relevant to the ePrivacy Regulation that, because not that I follow all of this at all, but I know there were definitely people advocating that idea.
How do we get rid of these annoying popups? Which, obviously the way people's psychology is it means it's not doing the job they expected to do. And one of those is to force the browsers to do this job for them, to say, okay, you set it, when you install your browser, the first say, it says, do you want me to just say yes to everything?
Or do you want me to block everything, and deal with it that way. Yeah. Or just block, block certain things and not others. And I think that does seem the sensible way cuz , the stupidity of this way is that it's. Dealing with road traffic safety for children or something by telling every individual driver that they must make the children aware as they drive past that.
[00:38:11] Nathan Wrigley: that's an interesting shift, isn't it? So imagine a scenario where every internet company was allowed to set any kind of cookie, do anything they wanted yeah. On a webpage. So you and I could build a website and throw any amount of crud in there that would track everybody all over the place.
And we totally know that imagine that scenario, that every webpage is a potential death trap kind of thing, but equally, we also know that the browser that we've got is not gonna allow any of it. And so it's an interesting shift because it, it puts the, as you've just described with the children, it puts the onus back on the end user to have technology, which is going to help.
The tracking to be stifled, as opposed to the people building the websites to not put stuff in which the legislation requires be kept out. Does that make sense? Yeah, I'm not sure. I articulated that very well.
[00:39:08] David Waumsley: No, I know exactly what you mean. Yeah. I think, but, GDPR was good for me, actually.
It did make me think about lot storage of information that we had, particularly just forms, yeah. You keep them forever. Every everybody who's is just stupid to love. You build it into your form, something that clears it up to help the client. Should we just move on to how our, how we might just get out of all of this because oh yeah.
because there is, and it doesn't get talked about much, but it's, responsibilities are clearly laid out by roles and we have the data controller and that person is responsible in the organization for all the GDPR, not just the website, cuz it's just not one thing. And I think my feeling is that we should always concentrate on this and make sure that we don't unwittingly make ourselves joint data controllers.
Unless of course we need to be. And I think making decisions on behalf of clients, such as. Changing their Google Analytics for them kind of puts you in that role, I think.
[00:40:08] Nathan Wrigley: Okay. So just to go through that again, to drill down into it a little bit , you're you are talking about the fact that the data controller ultimately is the person who's gonna get the knock on the door from the the solicitor.
Yes. I guess you are talking about a scenario in which you may accidentally put yourself in being the position of the data controller, because you are offering something which perhaps unwittingly to you means that you are now in control of it. Yeah. Your example was I'm installing Google Analytics for you.
And I never handed that over to you. I've just, I don't know, given you access to my Google Analytics account or something. So I am now responsible, whereas a different approach may have been to ask them to set everything up and you just copy and paste their 10 digit. Code or whatever it is.
[00:41:02] David Waumsley: Yeah, exactly.
There are some people we just go define, that's your responsibility. You have the expertise in this certain thing, and that's where we can easily fall into it. But I don't think we necessarily need to, when it comes to services, we don't control. We probably don't wanna put ourselves in the middle of that.
So I think it would be, if you were deciding I'm gonna put Google Analytics on your website, it would be, shall we do this? You're the, so my way of dealing with it now is, and it seems so logical now, because as you need to have a defined data controller for a privacy page on a website, which you're going to provide for them, you can have that conversation, say who it is, and then explain, look, the way I work, blah blah, is that you are always in control of these kind of basic decisions.
I will just suggest what are our options and Google Analytics will be wonder or others, but it is yours. And that way you're just. Putting yourself where potentially from their perspective, if somebody, if the EU says you are violating, here they go. That's my web developer. He takes care of that.
You've already told them no, you are the data controller. I'm not a joint data controller with you. Okay.
[00:42:07] Nathan Wrigley: So given that is true. Couple of questions leading from that, the first one is, yeah. Do you only have to have that conversation once or do you have to have it repeatedly each time a new thing comes along and do you need to get all that in writing?
Does that need to be signed off to say, okay, David Waumsley is not the data controller, miss a is, and we're gonna put that on the privacy page so that it's very. Do you have to have that in writing? Do you think, I guess you do. No.
[00:42:37] David Waumsley: I do. I think not because I think, unless you, this would, the issue wouldn't be necessarily I wouldn't, it would be like everything is, if it became a friction, then it would be for courts to decide and we know that can go anyway.
But I think, in terms of there should be no reason why they think you are. Yeah. Or you should give them no reason to think you are anyway. Just see what I mean. Yeah. I do all I'm saying on that, I don't think you need to keep overly protecting yourself. Because then that maybe that might make them.
More conscious of their dis the decisions they make them do, but yes, . Yeah, for me, I don't feel like that. I just feel need, need to make sure that my service is not one where I provide them with this compliant product. That's what they think they bought. Got it. I just make sure we build in a site together.
You are the data controller, the decisions like this, which could impact legally other ones that you make,
[00:43:35] Nathan Wrigley: right? Yeah. That's an interesting way of putting it. Yeah. Okay.
[00:43:38] David Waumsley: Got it. Yeah. So yeah, that's it really? I think that's well, we've done. I think we've probably done it. Haven't you GDPR. Should we go to
[00:43:45] Nathan Wrigley: accessibility?
Sure. This is another minefield as well. Isn't it? Because and in one, which seems to have really grown in importance over the last year or so it seems to be, yeah, incredibly important. Now I was having a chat with Anne HEZ who ah, yes. Deals with accessibility a lot. And the, my current thinking on this is that it's not A hundred percent or nothing, in other words, if your website is not perfectly accessible that's fine.
So long as you're on a journey and you are getting yourself towards everything being accessible. But it does feel as if the ambulance chasers might see this as a golden opportunity in the near future. So doing nothing might not be advisable, but not doing a hundred percent right out of the bat right off the bat is also okay.
So long as there's a flow in the right direct.
[00:44:39] David Waumsley: Yeah, that was the word I was looking for before ambulance chasers. That's it? Yeah. There's a big wave that people profiteering on accessibility. And I think there's a couple of things which may have boosted it recently. I think last year, I think the US who really didn't have, I think, any official laws generally for the web on accessibility, I think now have it, but I'm not sure on that.
And we've got, we're also in WordPress as well, where accessibility come up a lot because there's a whole new UI for WordPress and there's been a lot of talk about that. So that's raised awareness as well. I think in our area about it. Do you, in your experience, have you had anybody made that a priority of theirs?
Oh, when they've come to
[00:45:25] Nathan Wrigley: Never, no. Yeah, no. I, I. It's still not even on the radar. It's for us to introduce that subject, isn't it. And for us to have an understanding that this really is going to matter. And in fact, it already does matter, but it's more of a conversation of look you do realize that we need to give this some thought and whilst there may be some hidden costs there largely to do with time spent making things work correctly.
You've gotta do it. There's no way of avoiding it, even if you. In your previous iterations of the website, it was never mentioned, never discussed, never thought about it, it does now. And you can really, you can see in the real world, examples of this, can't you can see in the real world infrastructure being put into buildings to make it so that people, for example, with wheelchairs have access.
If you go back 50 years, that never happened. And now it's just part of the cost of putting together a building. You've got to have that stuff. Yeah. It's not allowed to do it otherwise. And so the same would be true on the web. You've got to build this stuff in and there is a cost to it which can't be avoided, but no, never ever came up
[00:46:43] David Waumsley: now a tangent time again.
Now we've never discussed this before, but just an interesting thought here as we move and WordPress does as well towards this idea of DIY websites, non-coding solutions, no one needs a developer any longer. It's like it, this could be undone by increased accessibility laws because you are going to need more than what as what you get.
You just know what I mean? Yeah. So I could see a complete turnaround of that. And we're maybe moving into that direction. It, interestingly for me, do you know what I did have one client? Should I tell you about them? Yeah. Cool. Yeah the one who did come and it was when I was working with my colleague who accessibility was a big thing for them.
They got governments and arts councils funding, and they were charity. And it really interesting because they had one of these on their main site. This was a side project. They came to us about on their main site. They had one of these overlays, which had been criticized a lot. It was in the WP Tavern about accessibility advocates who had an open lettering.
People not to use that. That's right. Yep. Accessibility, et cetera. There's a load of these on there. So they had one of those. It was just so interesting about this whole responsibility with them because I wasn't interested. My colleague was cuz she was connected in other ways with them, but because they came with this and they had another developer who was too expensive and they didn't wanna use those, but they really required a legal level.
And I just said, Honestly, because they also had some really grand ideas about what they wanted this website to do. And I said, but the two don't go together, you can't do that and be accessible so I didn't really want to do it, but we helped them in the end. We put something up, which was actually reasonably accessible in the end.
Somebody just worked with us, but it's been an ongoing thing as there's a kind of passing off of responsibility, between client, because I hosted them for a while and then somebody lost a job. Somebody else came back in and they were wanting me to sign all sorts of things to the effect that I was responsible for things, which I clearly wasn't gonna be.
Cuz my involvement was a few hundred quid and I would be, you opened myself up for tens of thousands. Yeah, exactly. That's right. So I said there to move on, but it's just interesting. I just thought with the public body, which of course has more responsibility, particularly if government funded to make their site accessible to all it's.
But it, how that pans out in an organization like that wasn't very well, it really, for them, it was a job that they needed to, make somebody else's responsibility. I feel that
[00:49:23] Nathan Wrigley: the job is explaining isn't it to the client that this stuff matters. And then being able to dig out the appropriate documentation in your jurisdiction, which explains why it matters.
But also what absolutely is a kind of minimum really needs to be happening. Putting that in front of the client and saying, look, here's some guidance. And again, it's a bit like the data controller thing you then say, okay, you are now armed with this information. Where do we go from here? And yeah, I guess you are covering yourself.
You're protecting yourself. If you've had those conversations and it's decided that this thing can happen this quarter and this other thing can happen in the next quarter. And just yeah. See where that conversation goes. Yeah. I think it's the hot thing at the minute, and I think it'll continue to be, so you were talking about things like popups and these overlay technologies which have been reported about and I do wonder if in the WordPress space, because there's now a need for it.
I can't see what will be done, but I do, I would imagine that bright and interesting minds will be turned to this as a thing that they want to tackle. And I'd be curious to see if in the future plugins, which do a decent job may very well come along rather than having to use all the different browser, extensions and tools out there to scan your site and so on and so forth.
I wonder if the WordPress ecosystem itself will figure out how this might be done best.
[00:50:57] David Waumsley: Yeah. But I'm not sure. One of the things I always felt about this kind of off the shelf solutions and they're still there for. The popups for, is it miss rather misses the point? Doesn't it? Yeah. Yeah, because what you are supposed to do with the GDPR is you're supposed to analyze your business and how you gather 'em and justify your you are supposed to have done the groundwork to understand how you use your own data.
That's what they're aiming at. So when you go and buy these. That are pop up with it written for you. What they tend to do is they end up not really being legal, cuz they don't explain the use for the data because it's just that yes, they have this little logical loop of where it's used for whatever it might be used for, and so they don't, I think they move away from what the legislation is attempting to do. Yeah. And I think one thing that just crossed my mind when you, as we moved on to accessibility, you mentioned the GDPR popups. I wonder if they're accessible popups do you abide by one law break another at the same time?
That's fascinating. What
[00:52:04] Nathan Wrigley: interest? Yeah. We should go out and check that at some point. Yeah, but it's the new thing. It's the new thing and it's yet another it feels like almost like another sub-industry. In website development, in the same way that you've got your SEO people and you've got your performance people, and now maybe you've got your accessibility people and they become another part of the solution.
You've gotta go and speak to them. And maybe if you're a big agency, you've got somebody on your team, who's making sure that's all happening. And if not, you might have to hire in some expert because honestly, there's, we're just touching the surface here. You imagine if we were to really dig down, we would have to be legal experts, accessibility experts, design experts, coding experts.
And at some point, I guess you've gotta think, okay, I'll let somebody else take some of this off my plate. Yeah, which speaks to the big, the bit, right at the beginning of the podcast where we said, just make sure that you are being very clear about what it is that you are in control of and what you can do and explain that.
[00:53:09] David Waumsley: And I think in all of these things, without taking responsibility, you can help people with all of this as part of your service that you give to people, which they wouldn't do for themselves. Like the simple example of auto deleting form entries or something off of the client. But also I think, when it comes to accessibility, perhaps you're not gonna make yourself responsible for, because you can't really in a way, because a large part of abiding by.
The WCAG, the Web Content Accessibility Guidelines. It, half of it is really about the content, the media that you're putting on your site. And whether you have alternatives and stuff, you're not, we're not gonna be necessarily responsible for that, but we could be helping with it, but we can.
And I think, this is the nice thing about it. For me. I feel I'm more conscious because I do follow it, but it's just a natural part of learning a bit more about being a good UX designer. You start to think from the visitor's point of view and you start to think about, whether your color contrast and all the stuff, but I think in principle, most of it's just good sense, isn't it?
Yeah. Most of these guidelines and you will naturally follow them, but you couldn't take control because it, it relates to stuff that the clients will do. And if content management system mostly we're on that, so we can give clients control over publishing. Yeah.
[00:54:36] Nathan Wrigley: Do you. Do you think we are done with this today?
Or is it another section? Oh, you've got rights and copyright as the
[00:54:44] David Waumsley: last I know let's leave that and if we need to do it, we'll do another point. It's just too
[00:54:49] Nathan Wrigley: much, isn't it? Yeah. And I think basically the bottom line here is just get some Teflon shoulders, develop this, develop the strategy of saying it's not me, governor.
[00:55:01] David Waumsley: Pretend not that I think pretending to be an expert is foolish. Isn't it with this stuff when you're not, you can just help him say, look, I'm aware of this stuff, but it's yours to really deal with. But let me just tell you what I know so far, if it helps, perfect, perfect.
[00:55:14] Nathan Wrigley: Let's end it on that perfectly perfectly cogent way of describing it.
Thanks for that, David. That was brilliant. Yeah. Lovely.
[00:55:21] David Waumsley: Should we say what
[00:55:22] Nathan Wrigley: we're doing next time? Yeah. Go for it. So we're on episode six, series three and is yeah.
[00:55:27] David Waumsley: We're talking about a launch, so yeah,
[00:55:30] Nathan Wrigley: finally, which is something potentially happening. Yeah, that's right. Yeah. Cause of course you never have a launch.
You've got nothing to say.
[00:55:38] David Waumsley: just drips in. Yeah, that's right. Yeah. All
[00:55:40] Nathan Wrigley: right. We'll see you in a couple of
[00:55:41] David Waumsley: weeks. Okay. Lovely. Thanks. Bye.
[00:55:44] Nathan Wrigley: I hope that you enjoyed that. Always a pleasure to chat with David Waumsley. We'll be back in a couple of weeks to chat with David once again, because we flip flopped between an interview one week and then a chat with David and I the following week.
So two weeks from now, we'll go on to the next, in our series, the WordPress business boot camp series. I hope that you enjoyed it though. I hope that there was some interesting information in there. If there was something that you would like to comment on, please head over to WP Builds.com and search for episode number 289.
Leave us a comment there. It's quite likely that some of the things that we said may not have resonated with you. There may be something that we missed out, something that you feel that we got wrong or possibly something that we got, we would love to hear your thoughts. And if you feel like sharing the podcast, we would love that as well.
The WP Builds podcast was brought to you today by GoDaddy Pro. GoDaddy Pro, the home of managed WordPress hosting that includes free domain, SSL and 24 7 support. Bundle that with The Hub by GoDaddy Pro to unlock more free benefits to manage multiple sites in one place, invoice clients and get 30% off new purchases. You can find out more by going to go.me/WPBuilds. And we thank GoDaddy Pro for their support of the WP Builds podcast.
Okay. That is truly it for this week. Once again, I hope that you enjoyed it. See you next week. See you possibly on Monday for the, this week in WordPress show. Stay safe. Bye bye for now. And here comes some very cheesy music.
[…] Builds: Some legal issues to consider when building sites, including GDPR and […]