In this episode of Startups For The Rest Of Us, Rob and Mike talk about GDPR, preparing to be acquired, and technical debt. With the regulations of GDPR coming into effect, the guys discuss how it will affect small businesses and what you should do. Also an in depth discussion on things to have in order before you get acquired.
Items mentioned in this episode:
- Mike’s Indie Hackers Article
- Mike’s Interview on Product People
- Sherry Walling Interview on Mixergy
- FemtoConf Recap
Rob: In this episode of Startups For The Rest Of Us, Mike and I talked about GDPR, preparing to be acquired, technical debt and we answered more listener questions. This is Startups For The Rest Of Us episode 385.
Welcome to Startups For The Rest Of Us, the podcast that helps developers, designers, and entrepreneurs be awesome at building, launching and growing software products whether you built your first product or you’re just thinking about it. I’m Rob.
Mike: And I’m Mike.
Rob: We’re here to share our experiences to help you avoid the same mistakes we’ve made. What is our word this week, sir?
Mike: Why is it in Zencastr it says Chronomustard?
Rob: Chronomustard, that’s my name this week. I think that’s gonna confuse our editor. I’m trying a new thing, creativity. I’m trying to enter a different name each week just to see if I can make you laugh.
Mike: They usually do make me laugh, I appreciate that.
Rob: For sure. What’s going on this week?
Mike: I did a demo yesterday for a customer who’s looking at switching over from a competitor and they have a bunch of different users for the product that are in the competitor. When I went through and was doing the demo, afterwards he’s just like, “Wow this is way more advanced than what we’re currently using.” I’m just thinking to myself, “Is that a good thing or a bad thing?” Apparently it was a good thing.
They were looking through and signing up for it. Next week they’re gonna reach internally. Hopefully they’ll turn into a fairly large customer for Bluetick.
Rob: It’s always good to get off a demo and get that feeling that you’re gonna be making more money, it’s always worth it.
Mike: What was really interesting to me was just the fact that they had said how advanced it was in relation to this competitor because the impression that I get from their website and all the things that it seems like it does is that it’s probably more advanced than Bluetick but I got the distinct feeling that that was not the case.
I knew that they were having problems with it but I wasn’t clear until the phone call and exactly what those problems were and how they were dealing with them and what they were looking to do.
Rob: That’s awesome, man. Do you have any avenue if you sign this guys up that you’re able to find more customers like them?
Mike: I do but I think it’s gonna be more word of mouth relationship than anything else. This one came through a personal relationship so it’s not as if they came in through a marketing channel or anything like that. I knew who the person was and contact them and went from there.
Rob: You could also think about going to build with your Datanyze. Since they are using this competitor pulling down the list to people who are using the competitor doing the cold email thing, we talked a little bit about that last week. It’s obviously time consuming but that can be an interesting avenue if you do know that you are better than a specific competitor.
Rob: Probably be worth a few minutes. You have been busy, man. I was pleased to see an article on Indie Hackers, Starting and Growing a Conference for Internet Entrepreneurs, got quite a few upvotes. You said you spent several hours doing this, it’s one of the most in depth Indie Hackers Q and A I had seen.
Mike: I spent a lot of time on that, probably close to a day and a half to two days. I threw in the word because I was curious since how long it actually was, it came in at 6000 words.
Rob: It’s like a book chapter or two. It has screenshots and everything, you did a really good job. If folks are interested in hearing about the history of MicroConf, what it was like starting it, how it runs today. There’s just a ton of insight stuff, although some of it is projected revenue, I think you gave this year. Some years don’t include MicroConf Europe, it’s not all exact but there are graphs and everything that I think that Indie Hackers folks put together.
Mike: They took the attendance numbers and extrapolated with the revenue was from those numbers. It’s off a little bit but it’s not really that big deal, it’s more of the trajectory, I think, that’s important to see.
Rob: It doesn’t include sponsorships and all which are big chunk. It’s fun for me to read because I could be like, “Oh yeah.” I was nodding along like, “I remember that. I can’t believe Mike remembers this.” You are pulling stuff out, all the anecdotes that I had long forgotten.
Mike: Some of the things I had to go back. I looked through my email to see when it was that we first started talking about MicroConf and I traced it back to the exact day which I don’t know if we talked about. We had a name for it before then and we were talking about it separately and just calling it a conference or we had the name and we picked it on the day and went from there.
I don’t remember how long we talked about it before we decided to register the domain name and start looking forward or if it was just like spare the moment thing.
Rob: I remember being very spur of the moment. It just made sense, it was like, “Why don’t we just do that?” That’s cool. There’s a lot of engagement, a lot of really good comments and in depth discussion going on and 36 upvotes, I get the feeling that’s quite a few for most articles. Anyways, if you’re interested in hearing that story, we’ll link it up in the show notes but you can obviously go to indiehackers.com and give it a search. You also went on Justin Jackson’s podcast, MegaMaker. It was a couple weeks ago.
Mike: I think that was last week as well. We recorded it and then it went live either later that day or the very next day. It was all about MicroConf itself and what Starter Edition was about. We’ve announced that Justin Jackson is going to be emcee for Starter Edition.
We did that last year, Starter Edition as well, with Jordan Gal from CartHook. He was the emcee for that, we basically turned over the reins to him and let him run the show at Starter Edition which was really cool because it’s nice to be able to sit back a little bit and enjoy the conference a little bit more. I don’t know how you feel about that but it’s nice to let somebody else take the reins for a little while.
Rob: That was something that Zander, our conference coordinator, encouraged us to do because since Growth and Starter are back to back, we’d be solo energy by the fourth day of trying to emcee and run the conference that I think he knew that it would just wouldn’t come off as well as it could. Jordan certainly knocked it out the park as the emcee that was really, really good and to give them their style up there on stage is fun.
You know, with Starter, Justin is such a good fit for it because that is really the crowd that he is talking to everyday and interacting with so he knows that crowd perhaps these days, you know better than I do in all honesty. It was years ago that I was really knee deep in all of the transitioning from developer to marketer and talking about all that stuff. He just has his finger on the pulse of that. I think he’s a good fit to emcee. This year he’s also doing a talk which is cool.
Mike: How about you, what have you been up to?
Rob: I’ve just been working, kicking back a little bit. I have a spring break coming in a week or two. We are heading down to Florida, starting to warm up in Minneapolis but still in the 30s and we wanna get some sun. It’s an easy flight down to Miami and we rented up Big Ol’ Airbnb off of 80 and we’re looking forward to that.
I was enjoying, I don’t know if you’ve heard it but Sherry was on Mixergy. It’s actually her second time on Mixergy. Her first time, it was when she interviewed Andrew Warner and put it on ZenFounder and he simulcast that basically onto Mixergy. But this time it’s called Keeping Your Feet Together As A Founder and it’s Andrew Warner interviewing Sherry about the book and about the stuff she’s doing in the entrepreneurial communities. It’s really a pretty intense interview but it’s really good. Have you had the chance to listen to it?
Mike: I have not, no. I don’t get a chance to listen to Mixergy too often. I’m actually about two months behind on most of my podcast at the moment anyway.
Rob: I listen to select Mixergy interviews just because there’s a lot of them and they are long but this is one that obviously I jumped on, I just wanted to hear the content. It’s a good one, we’ll link it up in the show notes but you can obviously search for Sherry Walling Mixergy and find that in Google.
Mike: Awesome. What are we talking about today?
Rob: We’re gonna answer a bunch of listener questions and see how many we get through. It was cool, we were down to one listener question. When we announced it on the show, I think we’re up to 12 or 15 now and so we can hammer through. I feel like this cadence every other week answering these questions has become something that I’ve enjoyed and I’ve gotten positive feedback about it.
Voicemails are even better because it shows people that there are all these different people with different businesses listening to the show. You and I know we have tens of thousands of listeners but as a listener, you don’t know that. It would be hard to know or understand your fellow listeners and your fellow entrepreneurs doing it. I have enjoyed this and I think we’ll keep doing it as long as the questions keep coming in.
Our first question today is for me, it’s actually from a guy, Louis. He said, “The question I have is what would Rob wished he had prepared in advance in going through the process of selling Drip? Imagine there might be things like intellectual property who may have purchased the use with his own name but now need to be transferred to the company, manuals and processes, bank issues such as PayPal not being able to transfer, etc. The list could be endless, maybe a good topic for a book.”
I’ve actually thought about this. There are two thing I wanted to say here. The first is I’m gonna make an announcement but not really an announcement, Mike, I haven’t even told you this. I’ve started writing what I think may become a book. That’s the exact right response. I don’t know if it will yet. My goal for this year is not to tackle any big new projects.
There’s a lot to tell, there’s a lot of story that has happened since the last book I wrote. Maybe it’ll just be about Drip and the trials and tribulations, the last year of personal finance hell and being unable to fund the business and then the year of the acquisition and then the year of moving. As I started thinking about it, I was like, “Isn’t this interesting enough? Will anyone care?”
I sat down with a notebook and I just wrote out what were the most stressful parts of my life both personally and professionally since 2011 in essence. The list was crazy long. Each of them just shaped into this narrative and they link together in this very interesting way. Even if I were to write about acquiring HitTail and not use it in the book, it’s still […] for me to write about the process of growing it and then selling it. There’s a bunch of stress that went along with that sale.
I started just thinking about all the stuff that happened growing Drip. I made this big list, when I looked at it I feel like it’s interesting enough, at least worth sitting down and hacking some stuff out. I had like three pages of just bulleted list. About a week and a half ago, I just sat down one evening, I started doing it on a weekend. It’s kind of writing itself because it’s a narrative. I’m pulling out actionable things but I’m trying to get the grit of what it was actually like.
I have emails, I have Voxers, I have all this, I have my MicroConf talk from last year talking about the sale and my thought process, I started to listen to that and transcribing pieces of it. It’s cool in this day and age, all the digital elements that we have because I can’t remember exact dates but Gmail sure doesn’t forget. It remembers the exact date of this email that I sent to Derrick about this topic.
I’ve literally just been doing it on the side almost as a journal but trying to be very honest about everything, trying not to sugarcoat things. I’m about 7000 words in and it has just poured out of me, it’s all out of order, I just picked the next thing on the list that I think, “Man, I really wanna write about that today,” and I’m cranking it out.
I don’t know if it will be a book, I don’t know if I will ever release it but it’s something that I think could have the potential to be that. It’s always funny, when I got this question I started thinking, “Maybe that should be a piece of this.” Because I don’t just want it to be a narrative, I actually want it to be in typical or a podcast style and MicroConf style. I want it to have lessons that people can take away.
Whether they’re acquired or not, even just the growing part of it, the mistakes that they can avoid that I made or smart decisions that we made that I feel like people can learn from.
Mike: There are two pieces of that because there are people who would read that just because they know who you are or they’ve seen you speak and they just want the inside baseballs so to speak. They’re interested in the story, I totally hear what you’re saying about having the lessons but I think you could do both where you’ve got the story itself and then after each chapter or after each section you have a list of things that you personally pull out and be like, “Here are the lessons that you could take away from this, here’s the story piece of it and then here’s the lessons that go with each of these.”
Some of them may not have any lessons at all, it’s just something happened and you got lucky or unlucky and you just had to deal with the consequences or fallout. There may not have been anything that you could do about it. Maybe that’s the lessons, you can’t plan for everything but I think that it’s still going to be interesting to a lot of people.
Rob: I appreciate that. I kind of think of it as I think of any MicroConf talk I’ve ever given or at least the best talks that I’ve given tend to be a story, like a hero’s journey and then pulling out super actionable tactical things. That’s how I’m envisioning it. I’ve read only a couple books like that, I like it because it’s different, it’s not just a narrative. I want them to be not obvious takeaways, it’s not like work hard and persevere and you will make it. It’s not stupid stuff like that.
I realized that I think I’m telling myself that I don’t know if it’ll be a book so that I don’t feel in pressure or anxiety. I don’t want to feel forced to write it, I don’t want the writing to feel forced. I’m telling myself no one will ever read this because I wanna tell the story honestly, because there’s obviously a lot that went on that no one else knows that was very internal, that was between Derrick and I or between Clay and I or whatever.
Eventually, I’m sure I’ll have to edit some of that out but I’m trying to get it all out and then evaluate, is this worth doing? Maybe it’s an ebook or maybe it’s a series of blog posts that I’ll release or maybe it’s an audiobook, I don’t even know. It’s an interesting project. Hopefully it’ll turn into something.
Mike: Man, if it doesn’t, you did it for yourself and that’s not a big deal either. There’s something to be said for just doing things for yourself once in a while.
Rob: Exactly. That’s what I said, it’s like what’s the worst that can happen, I should just write this out. If nothing else, my kids can read it someday or something.
Mike: All of these aside and back to the question, are there any top level things that you can take away that you wish you had done that were probably a major things that you either overlooked or hadn’t thought about upfront that needed to be transferred or you wish you had done?
Rob: The prep work that I think everyone should do that you don’t think about is it’s far more mental prep work than anything else. I listened to the book Built to Sell three or four times, I listened to Finish Big multiple times, I did a lot of journaling, I did a lot of thinking. You have to know what your deal breakers are, you have to know probably what your drop dead price is. There’s a bunch of stuff that you need to think about and that it the prep work that I would focus on. I’ll just put that out there, first and foremost spend more time doing that.
The examples that the guy brought up, the guy who answered the question, most of these were not an issue. He brought up intellectual property, I had already transferred all of that into an LLC. If I hadn’t done that, it would’ve been disastrous, it would’ve been a huge pain in the ass.
One big thing that I do think you need to think about as you’re building your companies to have a clean IP, meaning that all of your contractors who touch your code, all of your employees who touch your code, you need to have them sign in their employee agreement, it should say, “Everything I do, the company owns.” I had that, I had only missed one contractor. I went back and asked him nicely, we still have a good relationship and everything was fine.
Had I not had that, it would’ve been really tough because when we went through the acquisition, they needed that. This funded company is not going to pay a premium for my startup if there are IP holes that someone could come back later and sue them or ask for ownership with the code or whatever. It’s not something you think about when you’re two, four or five person startup but it’s something that you should definitely have.
I signed to the same employee agreement, and Derrick signed, even us cofounders. We had to have agreements that basically Drip, the S Corp that owned everything own everything, that Derrick and I couldn’t walk away with that. That’s one thing I would think about.
The guy mentioned manuals and processes, that was not an issue because we were an eight person team and they’re acquiring the team. They weren’t looking to automate everything. I think if the team was walking away, yes they would want manuals and processes to hand off to the next team but there was zero questions about that. There were more questions about what our vacation policy and HR staff and employment agreements looks like than anything like that.
In terms of bank issues, they didn’t acquire the company, if you think about it. They acquired all the assets of the company and that’s typically how it’s done because they don’t want any of the liabilities. They left an S Corp that Derrick and I still own the same amount that we’ve always owned, they just bought all the internal assets of it including the code and the goodwill and the recurring revenue and employment agreements and all that stuff.
As a result, the corp still owns the bank account, they didn’t acquire any of that stuff. Thankfully we never had to setup a PayPal account or anything like that. Same thing with domain names, we just transferred them over. They were all in the GoDaddy account and we transferred them over to their GoDaddy account.
The only other thing I could think of as I was going through this list that I think would be interesting to think about it they ask for, this is typical, the standard due diligence stuff, all corporate documentation, your articles of incorporation, every single amendment you’ve ever made to them, everything. Have that all in one place because going out and finding it and scanning it is a pain in the ass.
Having record keeping doesn’t seem like a big deal when you’re a three person startup or when you’re a solo founder. But if you’re ever planning being acquired, you probably want all of this stuff somewhere so it doesn’t take you weeks to put these docs together.
The next thing is having really solid books, basically having income statements for every month. For me it was literally just a Google Doc with revenue, expenses and that kind of stuff. I also had Xero, the accounting software that they could look at. When they were asking for high level numbers, top line revenue and that kind of stuff, I was sending them Google Docs.
They’re gonna ask every single service you use, what’s every SaaS app that you pay for? Hopefully they’re all on a credit card, you could just go to credit card, that’s what I did and just started listing those out. Copies of leases and every contract you’ve ever signed for every service. Transferring the Stripe account did happen because all the subscriptions were in there.
That’s the high level overview, I think it’s something that I hadn’t thought about. When there’s a technology transfer, you think more about, “Boy, the tech has to be good and has to be automated and you want processes in place.” When it’s a company acquisition, it can be different. When people bought HitTail just as a product, they didn’t ask for articles of incorporation because they weren’t buying the team, it wasn’t a strategic acquisition. Those are my high level thoughts.
Mike: I hadn’t realized that they did not acquire the entire company itself and they were just acquiring the assets from the company. That’s the way that my wife had purchased the fitness studio that was in town. She didn’t acquire the business, she acquired the assets of the business.
I was very clear to her about just because the records of the business were obviously a little screwy and the person who own the business before couldn’t really explain certain things and was a little cagey about certain pieces of it where I’m just like, “Do not acquire the business.” Because let’s say she’s got a car, for example, that is owned by the business, if you acquire the business, you’re also acquiring the debts that go with it and any liens or anything else that goes with it. You will be on the hook for those things. If you don’t know about it, it doesn’t matter, you still have acquired them which may suck.
Rob: If you buy the company, you acquire the assets and all liabilities. That’s why almost without exception, anyone who knows what they’re doing, when they buy a “company” they’re just buying the assets of the business, that’s the standard. When Facebook bought Instagram, you can bet, their lawyers did not buy the Instagram LLC or C Corp. They bought just the assets of it.
As a result, you have to then list out what all the assets are which is interesting because you have to list out your code and the database and this, it’s just a big long list of stuff.
Mike: With my wife, there was a tax bill that ended up coming in. It was sent to her and she’s like, “No, this isn’t me because I didn’t acquire the business.” There was stuff that came up afterwards that had she’d acquired it, she would’ve been stuck with it and there is nothing she would’ve been able to do.
The other thing I find interesting is that when I worked for Pedestal Software and they got acquired by Altiris, the Altiris acquisition team came in and they handed us, all the employees, these documents that we had to sign that were basically more or less a copy of what our previous agreement with Pedestal had been for all the IP rights and signing them over to Pedestal but it was their version of it.
We’d already signed all the stuff but they said, “Yes that’s fine and everything looks good but you also have to sign these.” I think maybe there are updated ways of covering additional holes or something like that, I’m not sure.
Rob: I guess our agreements were perhaps good enough for their lawyers, they probably looked at them and said, “This covers everything.” Because it was recent, it was within the last year or something and everyone had signed. I broke everything out, Numa Group which is my umbrella LLC that owns a bunch of stuff, it owned Drip until maybe 9 or 10 months before it was acquired.
I was already in the process of ripping it out of Numa Group because that was when Derrick was taking some equity in the company and he essentially became cofounder. I was already in that process which was painful and agonizing and took five months and more money than it should have. Drip was already in an S Corp. I was very, very thankful for that because if it did not, then it would’ve been a fiasco to try it doing during the negotiation and the acquisition process.
When that all happened, I basically fired all of us from Numa Group, we all got new jobs with Drip, S Corp, Drip Incorporated. We all signed agreements at that point again even though some of us already signed up with Numa Group. Then, essentially when Leadpages acquired us, we all got fired from Drip Incorporated and all got new employment agreements with Leadpages.
I think they probably had some IP stuff in their employment agreement as well which is fine because then anything you do for them they own but they didn’t have a specific additional stuff we had to sign.
Mike: I wonder if it maybe it was because Altiris was a public company and they had additional things that they had to cover themselves, I don’t know.
Rob: I can see that, it makes sense. Thanks for the question, guy. I hope that was helpful. Our next question is actually not a question, it’s some kudos for us and it’s a voicemail.
“I just listened to episode 838 with the questions. It was great to have that interactive […] podcast, I just wanna give you guys some feedback, a long time listener. My name is Chris. I really enjoyed the episode, just hearing those questions and getting some more of your perspectives and your background and experience. […]. Take care, guys. Thank you again. Keep up the good work.”
Awesome. Thanks for calling, Chris. I wanted to play that because it’s good to hear feedback and folk’s opinion. He said episode 838 but I think he meant 383 which was just another one of these Q and A episodes. I specifically mentioned in that one that I like doing them more often and that I like getting voicemails because it shows it has the interaction. Thanks for that, man. I’m always happy to hear from folks.
Our next question is from Mr. Andrew Connell about GDPR. “Hey Rob and Mike, this is Andrew Connell from Voitanos, that’s voitanos.io. I do online training and I do it for everybody around the world or developers around the world. With the coming effectiveness of the GDPR for data privacy and personal privacy data at Europe, I’m curious if you guys can comment a little bit, of course not being lawyers, I’m not a lawyer either. I just think about what kinds of things developers really need to be paying attention to? What kinds of things you need to be careful of?
I’m asking these guys because it’s also very much in the way of how we’ve all be listeners of your show worked on doing email based marketing and collecting email addresses and potentially phone numbers and other information about users. What kinds of things you need to think about, I’ve seen things about privacy statements that you need to have on your site, how you’re collecting the data, what talent is being used, how you’re protecting it, all those kinds of things.
I’m just curious, what things do you really need to be paying attention to? There’s probably the gold standard but also what’s the standard that you can do where you’re at least defensible. Maybe you’re collecting data and the user finds out, they decided they no longer wanna be tracked by you. Can you just go back to them and say, ‘Yes I track you by your email address. Here’s all the information I have about you. If you want me to delete you, I can delete you.’ I’m just curious, do you guys have some comment there or maybe even have somebody who is a lawyer who can jump on the show and maybe comment? Thanks a lot. I love the show. See you guys in Vegas.”
The riveting conversation topic of GDPR.
Rob: Everyone is thinking about it so it’s important, it’s just such a fiasco. I’m gonna use the word stupid a lot in this conversation insight. Big parts of it, I think, are really dumb. There’s a 250 page doc or whatever and Brandon, our senior director product, went through the entire thing.
The end result is gonna wind up being something like we have to rewrite a bunch of internal policies and we’re gonna add a checkbox to a form for our users. That’s very similar to what MailChimp is doing and Active Campaign, all the ESPs. I’ll stop there and circle back because I’ve been talking a lot this episode. I know that you saw a talk at FemtoConf about it and I’m sure you have other thoughts on this.
Again couching it that we aren’t lawyers, we are not giving personal advice to anyone and certainly don’t have an exhaustive understanding of this but this is just our general thoughts on what we feel like folks might wanna do for GDPR.
Mike: The talk that I saw on FemtoConf, there’s a linkable posted in the show notes from Aleth, she’s the one who gave the talk. There’s a link to an overview of her talk as a recap from Christoph. He runs FemtoConf with Benedikt. You can go out there, there’s an overview of it but I’ll say it glosses over certain details that she talked about specifically.
With GDPR, the thing that you really have to make sure that you’re aware of is that if you touched the data in any way, shape or form, you’re on the hook for it. You have to make sure that you are both protecting it and if you are able to personally identify somebody, that you are complying to those GDPR policies.
If you have metadata about somebody, like custom fields or something like that, that’s not considered personally identifiable information but there are certain pieces that are. For example, an email address would be personally identifiable, an IP address would be personally identifiable, first name, last name, address, those kinds of things.
Rob: How is an IP address personally identifiable? That’s stupid. It’s not personally identifiable because IP address, a, can change constantly, b, you could have a single IP address for 100 people at a company, there’s so many ways that that’s not. I will stop.
Mike: You just have to be careful about what it is that you’re doing with that data. A couple of big things that I’ve seen that you have to really pay attention to if you’re selling stuff is that one, people have to be able to request a copy of all of the data that is associated with them.
If you’re running a SaaS app and it’s collecting the information, let’s say it’s Drip ESP, your customers are gathering information based on that email address, the person who owns that email address has to be able to come in and say, “Show me everything that you collected about me.” You have to provide them with the mechanism to give them that data dump. I’ve seen this recently, Facebook is doing this, Twitter is doing this.
You can go and you can request a download of all the information that Facebook has on you, the same thing with Twitter, you can get a download of it. I haven’t done that with mine yet but my understanding is that it is absurd and I’ve seen the amount that Facebook has on you, for example. There’s obviously backlash in the news right now about the amount of data and how personal it can be in certain cases. That’s something you have to pay attention to when you’re trying to comply to these, you need to give that to somebody.
Rob: Here’s what I would say, if you’re a developer, you don’t have to have an automated way. They can email you and you can go run a sequel query. I would not go and build something consul or anything especially it’s a small company. You know that you can do stuff agile and just do it when it happens, do it just in time, whatever.
They can also request that you have to delete everything, then at that point, the first time, it’s gonna be a pain in the butt but you’re gonna write that sequel query to delete it out, it probably gonna break something then you’re gonna fix it and then the next time you’ll have the same query. That’s how I would think about it. If you’re Facebook, that’s not gonna work because it’s not scalable. The odds of you getting a request when you have 1000 users or 5000 users, it’s pretty low.
Mike: The downside of that, though—I was just about to mention that—with deleting the information because you do have to comply to the right to be forgotten clauses.
Rob: Which is the stupidest thing I’ve ever heard.
Mike: I think you said it in the middle of the other comment as well, we’ll say it’s three. The right to be forgotten says that somebody can say, “Completely forget about me.” The problem I have with this is that where do you draw the line for that? I know that there’s a timeline that you have in which you can say, “We’ll get this taken care of.” You have a certain amount of time or this 14 days or 30 days to get rid of the data.
The question I have in my mind is that yes, I understand that that applies to backups but does that mean you have to go into your backups or you are only allowed to basically hold 30 days worth of backups? For the sake of arguments, say that it’s 30 days, is that all you’re allowed to maintain because that seems scary.
Rob: That’s why this is insane. It’s a legislation, it’s government getting involved in something that technically is a bad choice for a company or a bad choice for a business. We know as IT people, as developers, as professionals, as DBAs, you wanna have weekly backups or monthly backups for literally years probably. It’s not so you can hoard and use a bunch of information, it’s so if stuff goes sideways at some point and you realized you have this big error, you always go back, it’s a safety mechanism.
Mike: The other thing that bugs me about this is the right to be forgotten. I get the intent and I understand it but let’s say that somebody comes to you and says, “Rob, I want Drip to forget about Mike Taber.” What happens in three days if my contact information makes it back into Drip? How do you prevent my information from going back into the system without knowing who I am and keeping track of that? That’s a total chicken and egg problem.
Rob: None of that, as far as we’ve seen, is in GDPR. That isn’t addressed. The example is you say you want the right to be forgotten, you sign up for Rob Walling’s newsletter and you, Mike Taber, say, “I want to be pulled out of there.” You’re pulled out. What if you’re in 10 of our other customer’s accounts, are you only forgotten out of that one account? Are you forgotten out of everyone? It’s not specified.
Like you said, what if you then go to sign up to a new newsletter tomorrow and XYZ person is also hosting on Drip. There are so many edgy cases. The problem is every version is gonna be this much of a pain in the ass. If they do V2 in a year, think of how many personal hours and how many dollars have been pissed away by companies that would otherwise have been productive building products, doing interesting things, creating jobs.
Marketing alone on the Drip team which is not a huge app, we’ve wasted hundreds of hours and thousands, if not tens of thousands, on legal fees just having our lawyer’s advice and stuff. That sucks, that’s money that could’ve actually been productive and instead it’s sitting here dealing with what essentially is legislation.
Another issue I have is that in the US, they often will pass things, they’ll pass laws like this but they will exempt small businesses. If you’re 25 employees or less, you don’t have to comply to certain things. They do that because they don’t wanna put an undo burden on small companies because small companies are the ones that don’t have the budget, that don’t have the analysis council and that don’t have the bandwidth to handle a 250 page doc that’s completely opaque and everyone is confused about and freaking out. I think there should be an exception.
Isn’t this really meant to be for Google and Facebook and Apple and Fortune 1000 or Fortune 5000 Companies. How much do they care about these tiny little 3 person, 5 person, 10 person companies. They’re just trying to run a business, they’re just trying to make a living. That’s where I think they overlooked having some kind of exemption for small businesses.
Mike: There are certain pieces of it that are exempt; there’s the security officer, a dedicated security officer. Stuff like that, I believe is exempt. If you’re a small business below a certain size, you don’t have to have that. But the reality, at the end of the day is if you’re a single owner, that’s you anyway. It almost doesn’t matter. I totally agree, they’ve overreached is really what it comes down to. It doesn’t makes sense for much smaller businesses to try and have to comply to that.
Rob: Again, you and I agree, we understand the spirit of what they are trying to do. I don’t disagree with any of that, I disagree with the amount of burden that they’re placing on all the small businesses. Everyone is talking about this right now. It’s a waste of everyone’s time. When I say everyone, in our circles, in the startup circles. Yes, Facebook should worry about it but it’s so much wasted bandwidth.
Rob: I have not come across that, I don’t know about that. That’s an interesting piece.
Mike: Let me give you an example, if on your website you have Google Analytics, a Facebook Pixel, and a Drip Widget for example, somebody can come and say, “I don’t want you to track me using Facebook Pixels but the other things are okay, just not that.”
Rob: I had a guy who read all 250 pages of it and that is not on our list. I would look to see if perhaps there’s an exemption or there’s something in there that says you can otherwise not do that because, again, I haven’t heard anyone else talk about that.
Mike: The thing is there’s a piece that revolves whether or not you’re a data processor or a data controller. That’s the part that revolves on it. You mentioned earlier that there’s a question in your mind about whether or not if somebody is asked to be forgotten, is it just for that one account or is it for all them? My understanding is it’s all of them.
They could go to Facebook, you don’t have control over but they could go to Facebook and say, “Opt me out of everything, don’t track me. Forget me completely.” That has a trickle down effect on you running Drip because if you guys use the Facebook Pixel to track people, then you can’t track me, for example. Facebook essentially blocked it. Again it goes back to how do you keep track of that unless you know who the person is to not track them.
Rob: To be honest, I asked someone who I know is familiar with GDPR and had spent some time looking at it. He runs a small business, less than 10 employees. I was saying, “What are you actually gonna do here?” He said he is gonna handle things as they come in in terms of the request, in terms of deleting and in terms of giving a report of what they know.
He is seriously considering not creating all the documents because they basically say you have to have these 10 policies or 12 policies, all this internal documentation you’re supposed to have, processes to do this. He was going to say that his company is compliant with the spirit of GDPR and we’ll live up to the request but they do not have all of those policies in place.
It was like some verbiage of we believe in the spirit of it, we will comply as needed type of thing with the thought in mind that he’s not in Europe so he’s not European business so it would be very unlikely that the EU is gonna reach across the pond and come and try to take some little 10 person company out. Like I was saying, this is really more intended, my understanding is more intended for these larger companies.
A checkbox and them checking a checkbox is gonna make a difference, it’s like agreeing to a ULA, user license agreement with Apple, no one reads those things. You’re gonna put a checkbox with the link and it’s just gonna become this route thing that everyone does. It’s not gonna change anything but that is what it says technically. Consider if you’re asking for keeping your customer’s customers data somewhere, it gets more complicated.
In Andrew’s case, he runs online training. He has an online training, video training, people can sign in. He’s not collecting his customer’s customers data so it’s very much more simplified. I would consider a just in time or a simplified approach if I were in his shoes. How about you, Mike? You wanna talk about how every aspect of your business is not gonna comply and open yourself up towards the EU?
Mike: That’s the interesting thing is that for businesses that are not based in Europe, they don’t have the jurisdiction to force you to do any of that anyway. There’s literally nothing that they can do, they can’t sue you and say, “You are not complying to this.”
Rob: They could sue you in US court, they could. The EU could file a sue in Massachusetts court. You would have to fight it out, you would have to settle or you would have to fight. The odds of that happening, though, for you are almost non existent.
Mike: The thing is there’s a difference between them filing suit versus them having jurisdiction over. The sucky part would be you’re gonna have to comply to it just to make that lawsuit go away or you’re gonna have to fight it which you’ll win if you fight but you’re gonna incur a ton of legal fees over the course of doing that because they don’t have the jurisdiction and that’s what the court would rule.
I certainly wouldn’t recommend trying to fight it yourself and be your own lawyer there. I’m sure that somebody probably is skilled enough to be able to do that but I wouldn’t wanna be that person, I wouldn’t wanna risk it.
Rob: Here’s another option I heard someone throw out. They said EU customers are less than 10% of my business, I’m gonna reject, not allow EU customers anymore because I don’t have the bandwidth to do it. That’s what someone told me, that was really interesting. That’s a super bummer but at some point you have to throw your hands up and you gotta do IP detection or you just ask, “Are you in the EU, yes or no?” If they say yes, during the signup, you just say, “Sorry we can’t support you through the GDPR.” It’s pretty fascinating, I hope it does not come to that but I can imagine some businesses that’s just going to be easier and simpler to do that.
Mike: I’ve heard some people tried to, I think it came up at MicroConf Europe this past year about the legislation. There is someone there I met who was basically basing his higher business idea off of the idea that there were going to be US based businesses who aren’t going to comply to GDPR and they were gonna say. “You can use our service and you will be compliant.” I disagree that that’s a great business idea because all they have to do is comply and then suddenly your whole business value proposition goes off the window.
Rob: Obviously it’s complicated but I do think there’s a pragmatic way to approach this. As with any legislation, it will iron itself out, it will be more understood. You can watch companies like MailChimp or Drip Leadpages or whatever, GitHub, or Slack and watch how they handle it and then evaluate, “Do I need to do some other things?” You can also read that 250 pages doc and try to sort it out.
I don’t think it’s as bad as people make it out, I’m hoping it’s not gonna be that way. I do think if you’re in the EU, there is definitely more of a cause for concern if you’re running a business. Thanks for the question, Andrew. I think that was super helpful and a timely topic to discuss.
Mike: I think with that question, we’ll wrap things up for the day. If you have a question for us, you can call it into our voicemail number at 1-888-801-9690 or you can email it to us at firstname.lastname@example.org. Our theme music is an excerpt from We’re Outta Control by MoOt used under Creative Commons. Subscribe to us in iTunes by searching for Startups. Visit startupsfortherestofus.com for a full transcript of each episode. Thanks for listening. We’ll see you next time.