In today’s episode of The Startup Chat, Steli and Hiten talk about something that has affected a lot of companies out there, and that is GDPR.

In Europe, the General Data Protection Regulation (GDPR) came into effect on May 25, 2018. It was designed by the EU to modernize existing laws that protect the personal data of individuals, and it has been causing a lot of uncertainty in the business world.

Tune in to this week’s episode to hear Steli and Hiten’s thoughts on what GDPR is, how it affects startups, how small startups can deal with it and much more.

Time Stamped Show Notes:

00:43 Why this topic was chosen.

01:29 Why dealing with privacy is so complicated.

02:26 How Europe is very conservative when it comes to privacy and data collection.

04:50 Hiten’s thoughts on how smaller companies can deal with GDPR.

06:33 One theory about GDPR that you should know.

07:00 A theory on why GDPR was introduced.

08:50 How Hiten’s company is dealing with GDPR.

09:35 Why context is super important when you deal with GDPR.

10:04 How Steli’s company is responding with GDPR.

12:23 How companies in Europe and USA are dealing with it differently.

3 Key Points:

  • Because we live in such a global world, legislation in other parts of the world can affect your business.
  • It will be easier for newer companies to deal with GDPR.
  • In theory, as long as you’re trying to do something about it, you should be fine.

[0:00:00]

Steli Efti: Hey everybody, this is Steli Efti.

[0:00:03]

Hiten Shah: And this is Hiten Shah. And today we’re gonna talk about four letters, GDPR, that have affected a lot of companies out there, especially obviously software companies. And I think it really is all about privacy. And the reason we’re talking about it is we just think it’s interesting, not necessarily GDPR as a whole, but the fact that we have such privacy-conscious legislative bodies in Europe that have been pushing GDPR, and it’s really interesting to hear a lot of the theories out there as to why and all that. But at the end of the day, it has to do with privacy and all of our privacy, basically.

[0:00:48]

Steli Efti: Yeah. I think there’s this growing … So maybe start at the high-level view and then zoom into the specifics of how do you deal with this as a startup, especially when you have fewer resources to deal with some of these things. But on a very high level, I think that there are kind of very big debates and a lot of political shifts going on around the world when it comes to how do we deal with privacy in a world where software companies can capture so much information about the individual users and customers and can keep that information indefinitely and could potentially use that information in all kinds of interesting ways, how do we protect consumers and customers from their information being misused in some way, or their information being not within their control in a sense of they’ve used a service 10 years ago and that company still keeps their data around and potentially uses that data or sells the data or whatever the hell they do with it? So there’s a lot of concerns around privacy and software, I think, going on. Politically, Europe is usually a hyper-conservative political sphere in the world, especially when it comes to privacy and data information. A lot of that, from my perspective, comes from Germany’s place in Europe and Germany being a nation that is hyper, hyper sensitive when it comes to privacy because of their history.
And so there’s a lot of stuff going on politically in many big nations, but also interestingly on top of that is even as a software business in the US where you have nothing to do … Nothing, quotes … To do with Europe and European legislation and laws, because we live in such a global world and because it’s very, very rare that if you have a SaaS company or a software company out there that you’re not gonna have any customers that are around the world or are in Europe, or you’re not gonna have any customers who do have customers in Europe, which in effect puts you in the middle of this law indirectly, because we live in such a global world, now these laws that are happening around the world can impact the way you run your business, the way that you have to administer and the amount of legal fees and precautions that you have to take, but also philosophically I think that up till recently, software businesses, a lot of us got away with not having to worry or think too much about how we deal with the data that we were acquiring about our users and customers. And I think that it’s interesting to ask the question “Will this stay this way? Or is there a shift happening that puts a lot more pressure on software companies on how they’re allowed to deal with the data they have?” What does that really mean, at the end of the day? How do you navigate these waters, especially in the earlier days? In the smaller days, I know that companies like Salesforce, they had like an insane, like a 200-person team working on GDPR for like a year or something. Something insane like this, where millions and millions have been spent by a single company. I think generally I saw the number 7,000,000,000 in terms of the estimated amount of money spent for software companies to prepare for this law. And I know from our experience, I don’t know about yours, but I know from our experience, it’s been a huge pain in the ass for us to prepare for GDPR and do all the things required to be compliant.
And so it’s a hot topic and I’m curious to unpack it, both kind of long-term philosophically, but also just tactically. How do you deal with it when you’re a smaller company? Dying to get your thoughts on this.

[0:04:37]

Hiten Shah: Yeah, we had to deal with it for a while. We’re an analytics company. I know that you guys are a CRM company. There’s differences between the two, but at the end of the day, we all have to deal with it, regardless of who we are, where we’re at to varying degrees. I have a new company that launched publicly that had to deal with it right after launch for the next two or three days because it was … We launched on the 22nd and the 25th, I think, is when it kicked in. So literally we went from launch, which was already pretty hectic … I wish it wasn’t, but it was because it was the first launch of that business. And then we had to go and pour ourselves into GDPR for a couple of days. Thankfully, my other company had been dealing with it for a month and a half, so I had a lot of heads up on what we needed to do on a minimal basis. So at least that’s my context. New company, super easy, relatively was able to pull it off really quickly. Old company took a lot longer because there’s lots of old data. It’s an analytics company, so there’s a lot of analytics stuff going on that requires cookie-ing and ability to delete users, and do we do it automatically, or abide by the 30 day request window and all kinds of stuff. So one of the key things about GDPR is I think it’s unprecedented because there were no real rules and every lawyer we talked to said “Hey, you can go implement this to a varying degree. It doesn’t matter.” And the reason they said that is as long as you’re trying to do something and make an effort, you’re fine. Because even the regulators and the people who are gonna look at your sites and all that, they’re not really looking for the little guys, so to speak. They’re really going after the bigger companies, and that’s what this whole thing was intended for. Again, that’s the theory. I don’t wanna say that’s any legal advice or anything like that, but that’s the theory. 
Another theory I heard is that … And this is important because then it can provide context as to what you do as a business. So what I like to do in these scenarios is really figure out from multiple people, what do I need to do, and what is their take on it. So another theory that’s out there is that the US was having a hard time regulating these tech companies. And so the EU was convinced, in a bunch of ways, to do that. And I think there’s some valid reasons why. For example, the lobbying that the tech companies do in the government, with the government spending money on it. If you look, they spend a ton of money lobbying the government. So the government is probably a little hamstrung, or their hands are tied because of the years of lobbying that these tech companies have done, which essentially means they’re giving money to various people who can make these decisions and the EU didn’t have as strong of a lobbying aspect to it, where these tech companies are lobbying the EU or foreign European entities and stuff like that. So I think there’s just this worry that people have, people meaning people who can impose these laws, that privacy of the citizens across the world is at risk, primarily because of these companies that store data and then use it. It’s not just storing it, it’s also using it. But it’s not just using it, it’s the fact that they’re storing it, like you said, for 10 years or whatever, after you used the product and things like that. There were no rules. We’re in a whole new territory here. So I think for me, I like to understand all that. And once I understood all that, I’ve also dealt with a lot of privacy issues in a past company, so I have a very good viewpoint on some of this stuff in terms of I just wanna learn. I wanna learn what the theories are, why this is happening, and then what do I need to do based on that.
So what we did is we did the best we could in the shortest amount of time in both companies, considering what kind of businesses we were. Like Crazy Egg is a pretty widely used analytics tool, so us not having appropriate action there so that people feel comfortable would just not be good for business, but it also would put us at risk as a company because we rely on people putting JavaScript on their websites and us tracking their users to some extent. Thankfully, we don’t have much if any personally identifiable information coming to our system, just because of what the product does, while a lot of other companies like analytics companies that are tracking that kind of info have that coming in and have different things that they need to do as a result of that. So what we decided to do was do as much as we could in whatever given timeframe and make sure that we can show and document that we’re doing that stuff. And it turns out that that was fine because of some of the things that I mentioned earlier. So I think context is super important and trying to learn that context is the first step in that. So I’d love to hear what you guys learned and what your story is. But that’s where I start with these things.

[0:09:33]

Steli Efti: Yeah, so I think very similarly. I think number one, you never wanna really … You wanna make sure that you don’t approach these topics emotionally, but you take them seriously. So in our case, we took a good amount of time to really do our research and do our homework and try to understand what is the law really saying, what are multiple different experts saying, and then talking to a number of lawyers and saying “What are they telling us?” And then taking a really good look at inventory of what are our practices right now and what about these practices is already kind of within the law, what are some of the things that we do that we could improve on, or that we could highlight better on what specifically we do? And it didn’t end up being some kind of crazy thing, but what we noticed was what was even more interesting than just putting our privacy household in order and making sure that we document a lot of these things and clean up kind of a situation and make sure we’re in really good standing, what was interesting was even more interesting to a certain degree was to see both how a lot of other companies in our space were dealing with this. And even we were co-hosting webinars, so all of a sudden we’re saying “Hey, you other software companies that are partnering with us to do these webinars,” we tended to share. We tended to offer free webinars to the world. People could sign up with their email address and then every partner of the webinar would have access to that email and be able to send those people emails. How do we deal with this now moving forward? It was so interesting to see the variety of responses from companies in our space that were on top of their situation and really responsible, all the way to companies that were like “Well, I don’t know. We don’t understand what that is. It has nothing to do with the US.
And we don’t really care.” Companies that were super unprepared all the way to companies that were really well-prepared, and then other companies that took it too far from our vantage point, where it’s like now they’re freaking out about everything. And they’re going so far in trying to implement this new regulation that they are going overboard, they’re almost in a panic. And seeing all the companies that would get in touch with us to make sure that we signed their privacy documentation because they’re using our product and vice versa and all that. It was just interesting to see how the other software companies were responding to this and kind of the wide variety from total carelessness to panic to a few of them that seemed to be in a space where we thought we occupied, which is the thoughtful, careful, responsible but not insane, in terms of going overboard in the reaction. And it’s also interesting for me because I travel so much back and forth between the US and Europe these days, just to see the difference in response in the US. Most of the founders that I’m talking to are like super annoyed by GDPR and like this is so dumb and this is just all this waste of money and time and energy and why do we have to deal with this and just being totally annoyed. And then when I’m in Europe, the founders are like “Yeah, this is a little inconvenient, but we think it’s the right thing for privacy and the right thing for our customers and we had to put these laws in place otherwise they are misusing people …” Just seeing the differences in how people respond to these things. I just realized the same thing is true with Alexa. A lot of our friends’ families use Alexa quite heavily in our household. We do and our kids constantly interact with Alexa to ask questions or to get music wishlists played from Alexa, so it’s kind of part of the household. 
Then when I’m in Europe, people freak out, families freak out at the idea of having an Amazon-owned device that listens to everything you say and that knows your family and listens in even when you don’t ask a question. People here are so much more sensitive to their privacy and to what technology companies can do with their data than people are in the US. At least that was my experience in the last few months. Just interesting to see, but in terms of tactical and practical, I think it’s always good to do your homework, do some research. Don’t just read an article, one source of information that says you don’t have to worry about it, or that says that you have to absolutely panic, and take it as truth. But read a variety of different opinions, do a bit of homework yourself, talk to a few different lawyers that have expertise and then sit down and come up with an adult, responsible game plan to make sure that your household is in order without letting lawyers run your business. I don’t wanna go off on this, but it might be a topic for a separate episode, but it’s always interesting when you deal with lots of lawyers is getting their advice, but then still making the decisions yourself, versus letting lawyers run your business. A lot of times, in my experience, lawyers tend to be so risk averse that they’re gonna try to eliminate any kind of risk, no matter how unlikely it is. And if you go by that rule, it becomes sometimes very hard to run a business. But it’s interesting to see how the market is responding and I don’t see a unison response. I see a wild variety of how software companies are responding to this. Even some big ones. I’ve been surprised we use a marketing automation tool that’s really, really big and we pinged them and we’re like “Hey, GDPR is coming. We have all these forms. We have to make a few changes.
What is your support in terms of making all these lead capture pages and all this stuff GDPR compliant?” And they were basically like “Well, nothing. I don’t know. We haven’t done anything. You guys have to figure this out on your own.” They didn’t even do their own stuff as far as I can tell, based on what you would expect a $100 million plus SaaS company to do. So it’s funny to see a variety of responses in the market and it’s gonna be interesting to see in the next year or so how this law is actually gonna be put in practice and how it’s gonna be enforced or what that’s gonna mean for different companies.

[0:15:47]

Hiten Shah: Yeah, I think you make a good point and what I’ve seen from talking to a lot of lawyers about this and getting a lot of data is that, depending on who your lawyer is, you’re gonna have a different level of compliance.

[0:16:01]

Steli Efti: Yeah.

[0:16:02]

Hiten Shah: And compliance on GDPR is one of the most interesting things about it, is that the rules and laws are unclear. And they’re, just like many other things, they are an opportunity for lawyers to spend your money. Or they’re an opportunity for lawyers to help you be smart. And I like the lawyers that help me be smart versus the ones that just wanna spend my money, and/or take my money. And again, no offense to any lawyers, even if you feel like you had to do a lot of work for GDPR and you charge your clients a lot of money, that’s totally cool. It’s just not my kind of law and not what I prefer. What I prefer is when the lawyer is pragmatic and is like “Hey, here are your options on what you need to do here.” I’d rather pay a lawyer for that, than pay a lawyer to charge me a lot of money to implement something that might change. So the smartest lawyers, to me, are like “Here’s the three things you need to do. The other 10 things are possibilities if you wanna do them. Considering you’re this type of company, maybe these two things you should do. So five out of these 10 things, you should probably do sooner rather than later. The rest of the five, maybe be prepared to do them, but don’t worry about it too much.” I wanna hear that. I don’t wanna hear “Hey, there’s these 10 things. Do them all.” I wanna know what the priority is, right? And where my risk is, right? And I’ll pay you for that. I will pay you for that any day. That’s what a lawyer is supposed to do. I will not pay you to do those 10 things because you think I should do them and you have no context of my business, or you didn’t bother listening to what my business is. And honestly, with GDPR, it’s very simple. Get your policies in place. Nobody had a cookie policy last I checked. Everyone that I see that’s compliant enough, from what I heard, has a cookie policy in place.
And has a list of their cookies and is showing what trackers they’re using, or has language that says we might use other trackers, but here’s a list that we have for you right now. Those kind of things I was told are important because then the regulators come and they’re like “Oh, they’re revealing the cookies. They’re not trying to hide them from anybody.” And simple stuff like that, as a small company, is what I wanna hear I have to do. So I guess that’s my mini little thing, which is like be smart and know, talk to the lawyers in the right way and find the lawyers that are gonna help you be pragmatic, not ones that wanna make you check a bunch of boxes off the list.

[0:18:31]

Steli Efti: I think this is the perfect way to end this episode. Like a little bit of advice in terms of how to deal with lawyers, which can be translated into any kind of outside counsel you’re taking, is ask yourself, is this person giving me pragmatic advice? Is this person giving me the 80/20? Hey, here are the options, here is the priority. I think this is an absolute must. I think these things are nice-to-haves. Somebody that weighs things for you and helps you, guides you through it, versus somebody that says “Well, there’s 450 things that need to be done. I’m sending this list over.” And the expectation is you just do everything to make sure that you’re compliant with the law. That is typically gonna lead to a lawyer that’s gonna A, make you work way too hard, B, is gonna charge you way too much money, and C, he is not gonna be that helpful because at the end of the day you could yourself just download a list from somewhere. You need somebody to give you advice and help you interpret and get context, versus “Well, I don’t know. Here’s all the things we could do to be compliant, so let’s just do all of them.” Now that’s just not pragmatic or practical. And that’s also not useful, right? So alright, with that being said, GDPR, take it seriously. Make sure you have your privacy household in order. If you need help with that, you know where to start. Just send us an email. Hitenshah@gmail.com. Steli . We’re not lawyers, we’re not giving legal advice, but we might just point you, share some links, give you a bit of advice where to find some good lawyers and hopefully help you not to waste a ton of money by getting really bad advice.

[0:20:09]

Hiten Shah: See ya.

[0:20:10]

Steli Efti: Bye bye.

[0:20:11]