Legal Engineering: Automating Privacy Policies Across States and Nations

Kyle McEntee:

We're joined today by Donata Stroink-Skillrud, president of Termageddon, a legal technology company that works with small business clients, helping them create their privacy policies in terms of service for their websites.

How did you land on this idea as a potential business?

Donata Stroink-Skillrud:

I finished law school and during law school, I was working at a software company. So we built websites and applications for clients. And that's really where I learned about technology. And at the time I went into private practice. So I was helping my clients with contracts, LLC formations, corporation formations, things like that. And they would have websites and they would ask me, hey, can you write my privacy policy or write my terms of service? And, at the time, I kind of realized that I was asking them very similar questions. So this was before all the privacy laws and stuff. And I would ask them like, “what information do you collect? What do you do with that information? Who do you share it with?” You know, “do you sell it, anything like that?” And I had all these different templates that I would kind of Frankenstein together.

I noticed that it was a very repetitive process, at least for me. I'm sure anybody listening who's part of that process knows that as well. And I thought, hey, there's gotta be a way to automate this. I also noticed that a lot of my clients couldn't afford that service either. So they were more looking for legal advice versus just the drafting of these website documents. And I thought, let's automate this. Let's create something where it's affordable for small businesses, where they can just set it up themselves. So they can answer these questions and then the software would generate their policies and then they would be all set.

Kyle McEntee:

So can you say a little bit more about that generation process, how that works.

Donata Stroink-Skillrud:

The first thing that you have to do is you have to figure out what laws actually apply to the client. In privacy, privacy laws dictate what disclosures privacy policies have. So a lot of people think that privacy policies or terms of service. It's just random legal jargon that nobody reads and you just put random stuff in there and everything's all good.

But that's not really the case. Each law has a list of privacy policy disclosures that it requires businesses to make. So the first thing you do is you ask a series of questions to figure out what laws apply. Where do you do business? Whose personal information are you collecting? What amount of revenue are you getting? And the other factors that comprise what laws actually apply to you.

And then you take that list and then you use that list to ask further questions about the business privacy practices. For example, some laws may need you to disclose whether you sell personal information. So you ask them, do you sell the personal information that you collect? Other laws may ask you, where do you get the information that you collect? Like, do you get it directly from the consumer? Do you get it from a data broker? And then their answers are used to generate their policies. So if I say, no, I don't sell personal information, then my privacy policy will have that disclosure versus it'll have a different disclosure if I do sell personal information.

Now that's really simplifying it. Obviously there's a lot and a lot, a lot of different disclosures and different logic flows that we use. Some of them are really long. So if you answer yes to one question, you might get 10 additional questions.

So it all kind of interconnects. So you have to create it for each law. And then you have to combine multiple laws together because most businesses are subject to multiple laws. When the customer answers all the questions, they get the text of the policy itself. And then we also give them an embed code. An embed code goes onto the website's policy pages. It displays the policies and it also allows us to make updates. So like when new laws pass, existing laws are changed, guidance is issued or something like that. We can actually go in through that embed code and update client policies accordingly if needed.

Kyle McEntee:

So tech wasn't in your background before law school. How are you able to identify a tech solution to this problem that you'd identified? One where small businesses couldn't afford the services, but they had this huge need and it was something that scaled.

Donata Stroink-Skillrud:

So it was kind of a combination of a couple things. When I was in law school, the person sitting next to me was my friend and he was working at a software development company and he said, “hey, we need somebody to help us with operations. Do you want a job a couple hours after school each day?” I was like, “oh yeah, I need money for rent. So I'd love to do that.”

And so that's how I learned about technology and how software and websites are built because we had quite a few different projects there. And then a portion of that is my husband. We were talking about this over dinner, he was working at a software company as well. And he was telling me, “Oh, you know, I copy and paste privacy policies from competitor websites from my clients all the time.” And I was like, what are you doing? That's not a good idea at all. And, you know, they're like, well, these people can't afford, to pay a lawyer and we kind of melded our problems together and that's how we came up with the company. He was a huge help on the software development side as well. So we kind of use both of our skillsets to build a company.

Kyle McEntee:

It's so interesting that, but for this tech experience from this job during law school, you may not have been able to identify this need within the small business community or identify a technological solution. You say that one of your roles within the company is legal engineer. What does that mean?

Donata Stroink-Skillrud:

I'm the one who comes up with all the questions that we need to ask to figure out what laws apply and to generate the policies. All the logic flows of what questions need to be asked when, all the answer options. And then we have tens of thousands of different text combinations as well. So I'm the one who writes the text originally and then the software combines all of it together.

People say, well, LSAT, I never used any of the skills in LSAT afterwards. I use them every single day to come up with these logic flows and with the text as well. So it's kind of wild thinking back on taking that test.

Kyle McEntee:

I have a software development background. I also did analytic philosophy in college. And the parts of my brain that work for software development and philosophy and law, it really feels like it's all the same thing. Just a slightly different application. It's just logic flows, trying to figure out what something means, what something means when you make a slight tweak, and then making sure that what you get at the end is what you intended.

Donata Stroink-Skillrud:

Mm-hmm. Yeah, absolutely. It's wild. I do the same thing pretty much every day here.

Kyle McEntee:

So what distinguishes this from providing legal advice, which you would not be authorized to do in a lot of the jurisdictions in which your clients operate?

Donata Stroink-Skillrud:

Yeah, so we're very clear that we don't provide legal advice. That's the thing we make sure all of our clients understand that. We do provide general information. We have blog posts on certain things, like let's say there was a new enforcement action or something, or a new law will provide general information about it. But when clients ask us questions like, “hey, I'm not sure if I'm doing business in these areas,” or “I'm not sure if I'm actually tracking people from the European Union,” or “I'm not sure how to delete data,” or “how do I create a data minimization plan or something like that?” We refer them to attorneys. We actually have a group of attorneys that we know that work in different areas, like for example, HIPAA or FINRA. And then we refer them to the attorney saying, “hey, we can't provide you with legal advice, but here's somebody who can.”

Kyle McEntee:

You get a cut?

Donata Stroink-Skillrud:

No, we do not. We actually have a lot of law firm partners as well who use our service to generate policies for their clients. But we don't get commission from referring anyone to an attorney, just because I would much rather just not run into any of those ethical rules, you know, I'd much rather just avoid that thing entirely, versus make a couple quick bucks here or there. Because as somebody with a law license, I'm very serious about not losing that law license. So we're very clear that we're a technology provider and not a legal services provider.

Kyle McEntee:

Privacy disclosures are an important part of your business and anyone doing business. And those laws vary not only from country to country, but also state to state. How are you keeping on top of how those privacy laws are changing?

Donata Stroink-Skillrud:

It's really interesting because I just created a presentation like a week ago for a different talk and I already had to update it because Kentucky passed their privacy law. So it's a lot to keep track of, but it comes from several different sources. So LexisNexis StateNet, not an affiliate, so I don't get a kickback for saying this. But yeah, but they basically have a service where you can sign up for alerts for different bills.

So one of my search terms may be privacy policy or privacy or personal information. And they send me an alert whenever something is proposed or moves along the legislative cycle to the International Association of Privacy Professionals. So I'm certified as a certified information privacy professional there. So they have a whole slew of resources, one of which is a newsfeed. They'll post about different things that are happening in privacy, including new laws, bills, rules, regulations, guidance, all that kind of stuff.

And then also the American Bar Association's ePrivacy Committee, I'm the chair of that committee. So we'll send out a newsletter every month with the top privacy news there, which include all new laws or any new changes or anything like that, as well as different CLEs or brown bag programs that I take, all those things kind of come together to help me stay up to date.

Kyle McEntee:

One of the challenges that privacy lawyers have is the inconsistency of definitions of similar terms between different regulatory schemes. So say the term “sale,” it means one thing in one place, another in another place, even though it might seem like that should be the most straightforward thing in the world. How do you solve that problem? Or are you not trying to solve that problem?

Donata Stroink-Skillrud:

We solve for that problem by figuring out what laws apply to the client. So for example, if California's Privacy Rights Act applies, you have one definition of sale. And if you have Nevada's privacy law applying, you have a different definition of sale. So for people who aren't aware of this, some laws will define sale of data as what you would normally think of it as, which is taking a list of emails, for example, and selling it to a data broker in exchange for money.

But other privacy laws like California will define it as the exchange of anything valuable. So it's not necessarily just money. If you exchange data for improved analytics or improved advertising, that may be considered a sale. We know what laws apply to the client. Let's say California applies to the client. We'll ask you sell the personal information that you collect. And then the support article that we provide for that provides the California definition versus if Nevada applies provides the Nevada definition or if both apply, we'll provide both definitions. So people can kind of read about what these questions mean and what these things actually mean and then answer accordingly to their business and their privacy practices.

What I see a lot of lawyers in privacy do, I think we're kind of moving away from that, but we've seen a lot of privacy policies that have the whole privacy policy, and then they'll have the California section, which basically restates what you've already stated, which is really problematic. I mean, it wasn't problematic when there were three privacy laws, but now that there's 20 of them, that's going to be a lot harder. You can't just have, can't restate the same information 20 different times.

So we combine all of those disclosures together into one privacy policy. So you don't have to have like 20 of them and then update them each time. And sometimes it can be hard, right? Like some laws will provide 30 days to respond to consumer requests, other laws will say 45. So we'll say, we'll respond to your request within 30 to 45 days, depending on where you reside. So you have to come up with really creative ways to combine these things. And I think every privacy lawyer on earth just wants one federal US privacy law, but we're not there. So kind of doing the best that we can.

Kyle McEntee:

Are we going there?

Donata Stroink-Skillrud:

There has been a bill that has been proposed a couple of days ago that seems to show some promise. But through my work at the ABA Cybersecurity Legal Task Force, we have a legislative liaison who's on the Hill, kind of on the ground telling us exactly what's happening. And he really just doesn't have much hope for it because we have a hard time just keeping the government open, much less like passing any serious comprehensive legislation. So, I mean, we are very hopeful, but it doesn't seem like that's going to come anytime soon.

Kyle McEntee:

And also it probably would only provide a floor and the states would still be able to make additional requirements on top of it.

Donata Stroink-Skillrud:

Yeah, so preemption is definitely a big point of disagreement, right? So some states don't like that, specifically California. They want to provide the most rights that they can to residents of their state, which I definitely understand, versus the federal government wants to standardize everything, which I can also understand. But that's where all the disagreements come from. And that's why we're having such a hard time getting a federal privacy law in the United States.

Kyle McEntee:

So when changes happen, how long does it take for you to update the terms?

Donata Stroink-Skillrud:

It really depends on the change. So sometimes we'll have multiple years to update. So for example, like Kentucky's law just passed, we have until January 1st, 2026 to make an update, which is great, gives us plenty of time. Other times, like for example, California's regulation, they said you had seven days to make the update and it was over winter break. So it was over like Christmas and New Year's. So all of our holidays were absolutely ruined. But we made the update in those seven days. And then the California Attorney General's office was sued, saying that there wasn't enough time to make updates for the regulations. So they pulled back the regulations and then they just put them into effect just yet again. So thankfully, we didn't pull any of the work that we did. We just kept it in place. So sometimes you have a couple of years to make updates. Sometimes you have seven days. It just really depends. Usually when a privacy law is passed, it takes us a couple of weeks just to get everything into the system, get everything done correctly, test, and then update client policies as well. But sometimes we have to do that much faster.

Kyle McEntee:

So are you only making changes when there are statutory changes? What happens when there are regulatory interpretations or there's a different emphasis from a regulatory body or you see that there are some investigations going on from those regulatory bodies?

Donata Stroink-Skillrud:

I guess there's two ways in which changes can occur. So one, the client's privacy practices change. So let's say they weren't sharing personal information before with third parties, but now they want to sell and ship products. So they have to share personal information with shipping companies. So they can go into their account and update the questionnaire at any time and changes are applied immediately by the software.

Two is any legislative changes, so new laws, rules, regulations, new guidance, new cases, all of this kind of stuff. So that's where we go in and make updates for them. Great example, California Invasion of Privacy Act. So that law was passed prior to the internet to protect residents of California from eavesdropping on landline phone calls. Now, what we saw in the last couple of months, is that there are increasing lawsuits that are applying that to business websites saying, if you have analytics, that communication between the individual and the website is being intercepted by analytics or is being intercepted by advertising or other different trackers. So we saw these lawsuits coming out and that's when we took the step to update our cookie policy and cookie consent banner generator to work as opt-in consent, meaning that individuals would have to affirmatively consent to being tracked by these different tools if they are from California to hopefully protect our clients from these types of lawsuits. So it's not just new laws or new rules or new regulations. It's also what we see in the industry. So if we see lawsuits coming out over a particular topic, we'll update the necessary policies or tools to make sure that our clients are ready for that. And obviously we send everybody an email about it and we allow them to decide as well. If let's say you're a business that has nothing what to do with California, you know, or there's nobody from California ever visiting your website, obviously that choice is left to you and your attorney to make, like what's your risk level? We don't provide advice on that because I think that would be legal advice, but we just say, “hey, you know, there's been some lawsuits. We're trying to be cautious about it. We're trying to help you. Here's an update.” You know, if you don't want this update, let us know and we can remove it.

Kyle McEntee:

So one of the reasons people trust their own lawyer is that there's a fiduciary relationship. The lawyer has the obligation to do what's in the best interest of the client. Here, there is not a fiduciary relationship. Why do you think it is that so many of these clients of yours are trusting you?

Donata Stroink-Skillrud:

Because I think even though we're not a law firm, we still have to earn the trust of our customers, right? None of our clients have ever been sued, thank God, but let's say 10 Termageddon clients are sued because we didn't update policies accordingly. Well, we're gonna lose a lot of clients if that happens, right? So we still have a vested interest in making sure that our clients are protected.

And I think our main goal with the company is to provide education. So we work with a lot of small businesses. And this is not something that they teach you in school. That's not something that they teach you in business class. So a lot of businesses will think, well, I'm not sharing personal information at all, right? I don't give it to anybody. And then you ask them and you're like, hey, are you using MailChimp or Constant Contact to send email newsletters? And they're like, yes, I am.

Well, that's sharing because you're sharing that data with that third party. And I think that education really helps them understand what this is all about and how to fill out their privacy policy questionnaire correctly, because otherwise they don't really have a ton of experience with this. So I think that builds a lot of trust that helps the clients do things correctly. And then we also make sure that we're very communicative of any updates or any new requirements or anything like that, so we don't leave our clients in the dark. And obviously we have a vested interest as a business in that clients pay us and we have to fulfill our contracts with those clients.

Kyle McEntee:

You mentioned earlier that when a client comes to you and they have a legal issue that you refer them out. And there's all kinds of reasons, mostly ethical, with the way the rules of professional responsibility are. So, as a result, you can't have your own law firm within Termageddon, but you could have your own software consulting firm to help them actually implement, whether it's keeping track of which other users have actually consented to changes to the privacy policy. Have you all looked at doing that?

Donata Stroink-Skillrud:

So we provide all of that for free, actually. When you generate policies, some clients may not know how to add an embed code to the website or how to create a privacy policy page or how to implement the cookie consent banner. So we actually provide videos. We provide articles. We also get on calls with customers to help them make sure that everything is implemented properly. Because again, we have a vested interest in doing that. If somebody generates their privacy policy and never puts it on their website, it doesn't actually help them to have that privacy policy. And also it's much more likely that they will cancel our service. Same thing like if they try to put the cookie consent banner on the website and it's really difficult and now your Google Maps is not working or your ReCAPTCHA is not working or something like that, because those cookies are blocked.

We have a vested interest in making sure that they understand why those cookies are being blocked and understand how to implement the tool correctly so that they are using our product correctly.

Kyle McEntee:

So it strikes me that a lot of what motivates you is very mission driven, that you wanna be able to provide an affordable legal solution for a small business. But as a business owner yourself, it is important that you are able to keep your doors open so you can continue to help these clients. Can you talk a little bit about the business model itself in terms of how you actually are getting paid?

Donata Stroink-Skillrud:

Our clients pay us directly. We have clients who find us on Google or social media or watch one of our webinars or listen to a podcast and just sign up directly through our website. We also have a law firm partners program where lawyers purchase licenses from us and use them to generate policies for their clients. I think initially we were really nervous that lawyers would see us as competition. In reality, we're a tool that lawyers can use to help them expedite that process. And then the lawyer charges the client whatever they want to charge. We're not a part of that. We also work with a lot of website designers and developers, so people who build websites. And then we also just do a lot of different education. So we'll do podcasts, interviews, webinars, industry events, things like that. And that’s where we get a lot of clients too.

Kyle McEntee:

So these kinds of clients are very different than your clients when you were working at a law firm. Do you miss working with clients in that way?

Donata Stroink-Skillrud:

You know, not really. I don't want to make it seem like I hated my clients. I didn't. I had great clients. But I really love the job that I currently do. I love the technology aspect of it. I love the engineering portion of it. I mean, we'll still work with clients like, hey, I need to update my email address, or can you send me my invoice because I don't see it in my account or whatever. You know what I mean? But I really like the structure that we have right now.

Kyle McEntee:

So the overlap with your experience as a lawyer, it's really important to being a legal engineer. I don't think it's possible to do what you're doing without that background as a lawyer.

Donata Stroink-Skillrud:

Well, some people do try to do it. I think it'd be really hard because with this, you have to track bills. So you have to understand the legislative cycle. You have to read them and understand what they say. It's not always a clean list. Sometimes, laws will say your privacy policy needs to include these five disclosures. And other times, it's peppered in throughout the entire law. So you have to parse all that out and you have to understand regulations and guidance and you have to understand how to make the flows and make the text and read cases and all this other stuff. So I'd say it'd be really hard to do this as a non-lawyer.

Kyle McEntee:

So what's interesting about your client base is that, they're not only the businesses and the web developers, but it's also lawyers because you're having them resell your services, more or less. And I know you mentioned earlier that you are the chair of the ABA ePrivacy Committee.

Donata Stroink-Skillrud:

I've been very fortunate to work with the ABA for a number of years now. I started off as the newsletter editor of the ePrivacy Committee and then vice chair and then chair. I'm also a member of the Science and Technology Council and the Cybersecurity Legal Task Force there. I'm not there to pitch our services or anything like that. I see it more as developing relationships with people in the legal community. So that helps me stay up to date with laws. It also helps me when I have certain questions. So let's say a law is written in a very confusing way. I have a couple hundred of attorneys that I can ask, “hey, what do you think of this? You know, what are your thoughts on this case? What are your thoughts on the way this particular clause is written?” So it's very helpful in that. And it's also helpful to just be part of that community. So it doesn't feel as lonely, I would say, because I'm in a pretty non-traditional legal role. It's not like I work in a law firm where I can just knock on somebody's door and say, “hey, can you help me with this?” You know, I work by myself at home. So it's nice to be part of that community because I get to develop relationships and friendships and we kind of just help each other, right? If I have a question, I ask them. If they have a question, they ask me and it's kind of a reciprocal relationship.

Kyle McEntee:

What is next for you and your company?

Donata Stroink-Skillrud:

A couple things that we plan on doing in the next few years. This year we're launching a completely newly redesigned interface of our app. And then we're obviously going to be making updates for a lot of privacy laws in the next three years. I think we have like seven or eight on the books right now that we have to make updates for. And then we're going to expand into different countries. So we're planning on expanding into South Africa, New Zealand, and then also the European Union as well.

Kyle McEntee:

The EU, that's gonna be fun.

Donata Stroink-Skillrud:

Yeah, yeah, it's a lot. It's a lot for sure, because we don't just need to account for privacy policies, right? We've been covering GDPR for years. So we already have that all set up. But the difficult part about that is actually not the privacy aspect. It's the terms of service because each country has its own contract laws. We also cover consumer protection laws as well for businesses that sell directly to consumers. And that's the most difficult part actually because privacy laws, you'll usually have just one law, consumer protection and contract. You'll have a bunch of different requirements, a bunch of different laws, and the EU actually just changed their consumer protection law. That's the part that gets really, really tricky.

Kyle McEntee:

Does that mean you're going to have to expand in a number of legal engineers that you have on staff?

Donata Stroink-Skillrud:

That would be nice. Yeah, I would love to do that. It's hard to do all of this by yourself, right? So we are hoping on hiring more legal engineers in the future too.

Kyle McEntee:

What's your work-life balance like these days?

Donata Stroink-Skillrud:

People always expect me to be working like 80-hour weeks and that's really not the case. I really try to be efficient. So I'll wake up, I'll work out, have breakfast. So I'll get to work at eight and then I try to finish at five usually. Sometimes that doesn't work out, but usually it does. And I have a lot of hobbies outside of work. My husband and I are actually setting up our garden right now, which I'm really, really excited for. I started a bunch of seeds and they're not doing well. So I might just have to buy everything at Home Depot, but that's fine he doesn't need to know that. We go hiking and we have two big dogs, we have two cats, and we're going to go camping a lot this summer. So my life is not nearly as stressful as people think it would be.

Kyle McEntee:

So that really means that when you are looking at expanding the number of legal engineers that it's not about improving your work-life balance, it's just about positioning the company to be as strong as possible as the world gets ever more complex.

Donata Stroink-Skillrud:

Yeah, exactly. So it's help with keeping track of bills and laws and help with making updates, as well as help with launching in additional countries. We do need help with engineering when it comes to whole new countries that we're trying to cover. So it’d definitely be help with that, not necessarily about making my own life easier, but about improving the company and improving the product.