At the start, the web was purely stateless – every request was the beginning (and every response the end) of a new conversation. Then we got cookies, so that servers could remember clients, and SSL so we could share information with servers that wasn't seen by all the servers it passed through en route. These two technologies enabled e-commerce and are so foundational now it is hard to imagine the web without them. The problem is the way we'e evolved the web has been down a path of increasingly aggressive data collection and reduced transparency for users. We should have always been doing privacy by design, data portability, data transparency, and the right to be forgotten. We should not have become dependent on invasive ad tech and aggregated third-party data; we should not have handed over ownership of our own social graphs and connections so cheaply to private commercial interests. While many (particularly in the US) may be uncomfortable with the legalistic and regulatory approach, preferring a more laissez-faire, self-governing model for virtually everything, the GDPR can be seen as an opportunity to start doing things right – applying the core principles of privacy by design not just where mandated by regulation but as a standard business practice.

1. G D P R F T W ! O R , H OW I L E A R N E D TO
STO P WO R RY I N G A N D LOV E
P R I VACY BY D E S I G N
@jeckman

2. N OT E : I A M
N OT A L AW Y E R
@jeckman

3. I N T H E B E G I N N I N G @jeckman

4. C O O K I E S
Photo by John Dancy on Unsplash
@jeckman

5. “One day in June 1994, Lou Montulli sat down at his keyboard to fix one of the biggest
problems facing the fledgling World Wide Web -- and, as so often happens in the world of
technology, he created another one.
At 24, Mr. Montulli was the ninth employee [at] Netscape Communications. . . he quickly came
up with an ingenious idea to address the problem and hammered out a five-page document
describing the technology that he and co-workers would design to give the Web a memory.
The solution called for each Web site's computer to place a small file on each visitor's machine
that would track what the visitor's computer did at that site. . . . It was a turning point in the
history of computing: at a stroke, cookies changed the Web from a place of discontinuous
visits into a rich environment in which to shop, to play -- even, for some people, to live. Cookies
fundamentally altered the nature of surfing the Web from being a relatively anonymous activity,
like wandering the streets of a large city, to the kind of environment where records of one's
transactions, movements and even desires could be stored, sorted, mined and sold.” - John
Schwartz
https://www.nytimes.com/2001/09/04/business/giving-web-a-memory-cost-its-users-privacy.html
@jeckman

6. P 3 P
https://www.w3.org/P3P/brochure.html
@jeckman

7. P 3 P
The Platform for Privacy Preferences
Project (P3P) is an obsolete protocol allowing
websites to declare their intended use of
information they collect about web browser users.
Designed to give users more control of their
personal information when browsing, P3P was
developed by the World Wide Web Consortium
(W3C) and officially recommended on April 16,
2002. Development ceased shortly thereafter and
there have been very few implementations of P3P.
https://en.wikipedia.org/wiki/P3P
https://www.w3.org/P3P/brochure.html
@jeckman

8. D O N OT T R AC K ( D N T )
https://www.eff.org/issues/do-not-track
@jeckman

9. D O N OT T R AC K ( D N T ) https://allaboutdnt.com/
@jeckman

10. @jeckman

11. John Eckman • @jeckman • #wcpub
– J O H N N Y A P P L E S E E D
“Type a quote here.”
https://www.betterads.org/
@jeckman

12. @jeckman

13. E N T E R T H E
G D P R
@jeckman

14. R E M E M B E R : I
A M N OT
A L AW Y E R
@jeckman

15. https://twitter.com/RebelEmG/status/988442580902989824
The General Data Protection Regulation
(GDPR) is an EU regulation that went into
effect on May 25th, 2018.
GDPR aims to give individuals (EU
citizens) more control over their personal
data, by requiring that businesses gain
more explicit consent from them to collect
and use it.
@jeckman

16. https://twitter.com/lesteph/status/988401663810723840
Understanding: At its core, GDPR is designed to
protect user data and empower users to have a better
understanding of:
1. What data is being collected about them.
2. How and why their data is being used.
Control: GDPR is also designed to give users better
control over their data. Users must be able to:
1. Tell companies what they can/cannot do with their
data.
2. Request a record of all data stored about them.
3. Amend any data stored about them if it is not
correct.
4. Request the deletion of any/all data stored about
them.
@jeckman

17. https://twitter.com/samnickerson/status/988673113109028864
Reach: GDPR is designed to protect all EU
citizens and residents. It doesn’t matter
whether the company capturing/
processing data is based in the EU, the
only thing that matters is that the data you
are capturing belongs to an EU Citizen.
@jeckman

18. https://twitter.com/AlbFreeman/status/988678211998449665
Individual Rights: All EU Citizens are entitled to
a series of individual rights under GDPR.
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision
making and profiling
@jeckman

19. https://twitter.com/everylilbreeze/status/997381429322571776
5 Areas of Focus: There are 5 areas that
the GDPR focuses on. These provide a
framework for data capture:
1. Purpose
2. Limited
3. Accurate
4. Time Limited
5. Secure
@jeckman

20. https://twitter.com/klillington/status/997063126322434049
Purpose: there are six legally acceptable reasons that a company
can process user data. All data processing needs to fit into one of
these categories and should be documented.
1. Consent: a user has given clear consent for you to
process their personal data for a specific purpose.
2. Contract: the processing is necessary for a contract
you have with the individual, or because they have
asked you to take specific steps before entering into a
contract.
3. Legal obligation: the processing is necessary for you
to comply with the law.
4. Vital interests: the processing is necessary to
protect someone’s life.
5. Public task: the processing is necessary for you to
perform a task in the public interest or for your official
functions, and the task or function has a clear basis in
law.
6. Legitimate interests: the processing is necessary for
your legitimate interests or the legitimate
interests of a third party unless there is a good
reason to protect the individual’s personal data which
overrides those legitimate interests.
@jeckman

21. https://twitter.com/CamHamTT/status/99994671805256
Limited: No data should be captured or
stored unless it is specifically required for an
approved data processing activity.
Accurate: All data that is captured should
be accurate and kept up to date for as long
as it is stored. Users should be able to
submit amendments to any data and
records should then be updated
accordingly.
@jeckman

22. https://twitter.com/evankirstel/status/1000344045221228544
Time Limited: Data should only be stored for
as long as required to process the data.
Once you are no longer processing the data,
it should be deleted.
Secure: All data processing and storage
needs to be secure by design and security
practices should be well documented. This
includes both technical infrastructure as well
as access rights/policies.
@jeckman

23. https://open.spotify.com/playlist/5Pe51v0sHLybSEkX0m0JRf
Data principles:
1. Capture/store as little data as possible.
2. Document what data you are capturing/
storing, why where it is being stored and
for how long.
3. Encrypt data wherever possible.
4. Use anonymised data wherever possible.
5. Make sure that any data you are
capturing has an explicit opt-in.
6. Make it easy for users to make requests
of their data.
7. Make sure to keep your data up-to-date
and accurate.
@jeckman

24. P R I VACY BY D E S I G N Photo by Dayne Topkin on Unsplash
@jeckman

25. https://gdpr-info.eu/art-25-gdpr/
@jeckman

26. ST I L L N OT
A L AW Y E R
@jeckman

27. W H AT D O I D O?
@jeckman
Photo by rawpixel on Unsplash

28. Assess & Document:
What data do we collect about visitors
and customers?
How is that data collected, stored, and
used?
What is the purpose for which that data is
collected and used?
How do we inform users of the purpose,
intent, retention, and permissions with
respect to their data?
TA K E OW N E R S H I P
Plan:
What features on our site need to be
revisited?
Where can we limit our use of data, in
scope, in timeline, or in purpose?
Where can we limit our data gathering?
How long will it take to get us into
compliance?
@jeckman

29. D I V E R S I F Y R E V E N U E ST R E A M S
Photo by Maria Imelda on Unsplash
@jeckman

30. C U LT I VAT E T R A N S PA R E N CY &
H O N E ST Y
Photo by Kelli Dougal on Unsplash
@jeckman

31. Don’t Panic:
Enforcement of the GDPR will most likely
first impact businesses with significant
financial interests and assets in the EU.
If you have enough financial presence in
the EU, you can afford a GDPR
compliance consultant.
B U T I J U ST P U B L I S H A B LO G !
Have a Privacy Policy
Be clear about what data you collect,
how, and why
Most Likely Impact:
Third-party tools:
• Analytics
• Comments
• Newsletters
@jeckman

32. F O C U S O N
T H E S P I R I T
O F T H E L AW,
N OT J U ST
T H E L E T T E R
Photo by Maria Freyenbacher on Unsplash
@jeckman

33. D I D I
M E N T I O N I
A M N OT A
L AW Y E R ?
@jeckman

34. https://10up.com/about/ https://10up.com/careers/
@jeckman

35. Thank You!
Feedback Welcome: @jeckman or john.eckman@10up.com