Q&A with Privacy Expert Donata Stroink-Skillrud

Anyone using technology should read the fine print in privacy policies, especially legal professionals. The tools used in the business and practice of law have access to confidential client information—and we’re obligated to protect that information. To adequately protect client confidences, we must know which questions to ask, and understand the risks and benefits of using technology.

In this enlightening interview, privacy expert Donata Stroink-Skillrud explains how to assess privacy policies and which questions to ask when you’re considering new software. Donata also draws attention to potential privacy issues that are often buried within privacy policies, like third-party permission to access data. This interview is the playbook for responsible privacy assessment. Read on for Donata’s helpful advice.

What is your role and how is it related to privacy law?

I am a lawyer licensed in Illinois, and I have been practicing in privacy and technology law for about five years. I am also a Certified Information Privacy Professional, and the President and legal engineer behind Termageddon. Termageddon is a Software as a Service company that has generated thousands of privacy policies and kept them up to date with changing privacy legislation. As the legal engineer, I have drafted policy questionnaires, answer options, and millions of variations on text, so I am very familiar with the privacy policy requirements for privacy laws all over the world. I am also the Vice-Chair of the American Bar Association’s ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals. I am also the Chair of the American Bar Association’s ePrivacy Committee, member of the ABA’s Science and Technology Council and the Cybersecurity Legal Task Force. I am also the Chair of the Chicago Bar Association’s Privacy and Cybersecurity Committee and an American Bar Foundation Fellow.

What prompted your interest in privacy law?

Serendipity. My first brush with privacy came in 2013 when my personal information was breached in the Target data breach. That breach opened my eyes to the consequences of sharing personal information online and what can happen once personal information is breached. When I was in private practice after law school, some of my clients would ask me about privacy policies and Terms of Service, and whether I offered these policies as a service. I started to look into it and fell down a rabbit hole that I haven’t gotten out of five years later. I noticed that when I was drafting policies for my clients, the process was repetitive; I was managing a slew of templates I would copy and paste from. I asked myself whether this process could be automated, and that’s how Termageddon was born. Personally, I think that privacy is or should be a fundamental human right, and I feel very fortunate to help companies honor that right.

What’s the difference between privacy and data security?

To me, privacy is about collecting, using, and sharing personal information in a responsible and compliant way. Security, on the other hand, is protecting personal information from unauthorized access and disclosure. I think that to meet and maintain compliance requirements, companies need to focus on both. I see a lot of smaller businesses laboring under the impression that if personal information is secure (through, for example, having an SSL certificate) on the website, that privacy requirements are met. However, this is simply not true, as privacy is a related but separate field that ensures that your company itself is using and managing personal information correctly. A lot of education is still needed on the importance of privacy and security, and the relationship between the two.

How is privacy connected with empathy for end users?

As a lawyer, data professional, or a privacy professional, I think that you should always try to put yourself in the shoes of the consumer. You should also pay attention to privacy practices whenever you sign up for a new service. For example, have you ever received a marketing email from a company you have no prior relationship with? What does that feel like? For me, it’s annoying. The trust I otherwise would have had in that company decreases, thus the chances of me purchasing anything from that company decrease. It’s almost a cliché, but I think that you should treat others the way you’d like to be treated—that applies to privacy practices as well.

What are some red flags in privacy policies of consumer apps?

As someone who writes privacy policies for a living, I’ve read quite a few of them myself, and below are items I would consider “red flags.”

  1. A privacy policy that starts out with stating that the business does not sell personal information, but if you scroll down to “California consumer privacy rights” it clarifies that, according to the CCPA, the business does sell personal information. This is confusing to consumers and conflicting, which is never a good sign in a privacy policy.
  2. Privacy policies that state that your personal information will be shared with third parties and that you should read those third parties’ policies to understand your rights—but it does not enumerate who those third parties are. It is literally impossible to read the privacy policy of a third party if you do not know who they are.
  3. A privacy policy that enumerates privacy rights but does not specify who gets those rights or how to exercise them. Again, this is confusing to consumers who rarely know what privacy rights apply to them. Furthermore, having to jump through hoops discourages consumers from exercising their rights, which is not a good thing.
  4. Privacy policies that do not clearly state what personal information is collected. You can often see privacy policies that state, “We may collect personal information from you when you use this website, such as your name or email.” A privacy policy should clearly state the personal information collected. An incomplete or non-inclusive list of examples doesn’t help a consumer determine what personal information is collected.
  5. A privacy policy that refers to old mechanisms that are no longer compliant, such as the Privacy Shield for transfers of data, is also a red flag.
  6. Lastly, while not directly related to the contents of a privacy policy, I find that the practice of combining a privacy policy with other documents, such as the terms of service, is also a red flag. This practice is non-compliant with multiple privacy laws and does nothing more than confuse the consumer.

What are some surprisingly good privacy protections you’ve seen in legal tech or other apps?

I am a big fan of Apple’s recently released update that prompts consumers to choose whether they would like to be tracked by a particular app before they use that app. The notice itself and the options presented are all very clear. In addition, the choice defaults to “do not track,” which I think is an excellent example of privacy by design. I know this update is very controversial as it may allow Apple to grow a monopoly around data; Apple is still collecting all of that data while discouraging other companies from doing so. However, I do believe that allowing consumers to actively choose whether they would like to be tracked is a positive step forward.

What are some dangers of using a freemium consumer app in legal practice?

You know the saying, “If the product is free, then you’re the product”? That is the case with many freemium apps, whether the app is created for consumers or for lawyers. The truth is that developing an app is a time-consuming and expensive process that can take years, and developers and creators of apps need to be paid for their work. If the app is free, then the payment usually comes from the sale of personal information or the use of that information for machine learning and other purposes not related to the provision of the app. Your personal information could be sold to other companies, meaning that you’ll receive unwanted emails, phone calls, or other intrusions into your privacy. In addition, the information you put into the app that concerns your clients could be sold or shared. As a lawyer, you must guarantee the confidentiality of the confidential information of your clients; thus, I would recommend reading the privacy policy of any app that you use for your legal practice. This is especially relevant when considering new tools such as ChatGPT – a lot of Bar Associations are advising attorneys to not input client information into ChatGPT because that could violate attorney-client privilege. While freemium apps are more likely to sell personal information, you should also not assume that paid apps keep information confidential. Investigate any app that you use for your legal practice.

What should lawyers know about the new privacy laws from the past few years? Do they apply to law firms? If so, how?

With privacy laws, there are no exceptions for lawyers or law firms. Privacy laws have a very broad application in the sense that they protect consumers and not businesses, and therefore can apply to businesses outside of the states in which they were originally passed. For example, one of California’s privacy laws, CalOPPA, applies to any website operator that collects the personal information of California consumers, even if the website operator is not located in California. Thus, as a lawyer, you should comply with the privacy laws that apply to you by implementing the following: Have a privacy policy that makes the required disclosures; honor consumer privacy rights; and be transparent about your privacy practices. In addition, there are currently over 20 proposed privacy bills in the U.S. right now; keep track of those requirements and update your privacy policy and privacy practices as new laws pass.

When you’re searching for new software, what’s the most important privacy-related question to ask vendors?

When choosing new software, I like to check their privacy policy to see if there is an email I can use to contact them with privacy-related concerns. Then, I will email them and ask them a general question and see how long they take to respond. With privacy, certain time limits are placed on responding to a data subject request or a data breach, and you want to make sure that any vendors that you use respond quickly and efficiently. You also want to make sure that the vendor will provide an answer that is more helpful and robust than just “Please read our Privacy Policy.” Asking them a question will determine whether the response is efficient and helpful, and it can show you a lot about the vendor’s privacy practices.

If you are looking for a question to ask, I would ask them, "When is the last time you updated your Privacy Policy?" Companies that are serious about privacy will update their privacy policy every time their practices change; whenever a new law is passed that applies to them; or whenever an existing privacy law that applies to them is amended. If they have not updated their Privacy Policy in a few years, that’s a red flag.

What are the top 3 privacy-related questions lawyers should ask about access to confidential data granted to consumer apps?

  1. How is the confidential data used?
  2. What pieces of confidential data are shared with third parties, if any?
  3. What third parties are the pieces of confidential data shared with?

I apologize but I simply can’t resist adding a fourth question here, too:

  4. If confidential data is shared with third parties, why?

How many layers of data-sharing should lawyers investigate when considering purchasing an app that will have access to confidential information?

When it comes to apps that have access to confidential information, I believe that you should investigate all layers of data sharing. If you are a lawyer, you are subject to ethical requirements to keep client information confidential; if you fail to do so, you could run into an ethical issue and even lose your license. That’s why vendor due diligence is critical, especially for lawyers. Read the vendor’s privacy policy and any related documents; search the company online to see if they have been sued or fined for privacy issues in the past; read reviews; and speak to their team on how they ensure the security and privacy of confidential information. Since privacy policies usually lump in the privacy practices of the front-facing website with the privacy practices of the app itself, it is also important to clarify which information is shared with what parties.

What resources do you recommend for laypeople wanting to learn more about privacy?

If you are a resident of the United States, unfortunately, there are very few government resources on privacy rights. However, these websites can help you determine what privacy rights you have, how to keep your information private online, and what to do if a company fails to protect your personal information:

  1. Privacy Rights Clearinghouse Online Privacy Guide: https://privacyrights.org/consumer-guides/online-privacy-using-internet-safely
  2. Protecting Your Privacy Guide: https://www.usa.gov/privacy
  3. Thomson Reuters Internet Privacy Laws Revealed: https://legal.thomsonreuters.com/en/insights/articles/how-your-personal-information-is-protected-online
  4. Consumer resources regarding identity theft: https://idtheftinfo.org/consumer-resources
  5. EPIC Online Guide to Privacy Resources: https://epic.org/privacy/privacy_resources_faq.html

About Donata Stroink-Skillrud

Donata Stroink-Skillrud is a privacy and technology lawyer licensed in Illinois and a Certified Information Privacy Professional. Donata is the President and legal engineer of Termageddon, a Software as a Service company that has generated thousands of privacy policies and kept them up to date with changing legislation. Donata is also the Chair of the American Bar Association’s ePrivacy Committee, member of the ABA’s Science and Technology Council and the Cybersecurity Legal Task Force. She is the Chair of the Chicago Bar Association’s Privacy and Cybersecurity Committee and an American Bar Foundation Fellow.

About the Privacy and Security Interview Series

This interview is part of a collection of interviews about privacy and data security. By producing this series, we hope to prompt legal professionals to think about the privacy concerns that arise in everyday tasks like word processing and selection of document creation software.

WordRake is clear and concise editing software designed for people who work with confidential information. The software improves writing by simplifying and clarifying text, cutting legalese, and recommending plain English replacements. WordRake runs in Microsoft Word and Outlook, and its suggestions appear in the familiar track-changes style. Try WordRake for free for 7 days.

Our Story

WordRake founder Gary Kinder has taught over 1,000 writing programs for AMLAW 100 firms, Fortune 500 companies, and government agencies. He’s also a New York Times bestselling author. As a writing expert and coach, Gary was inspired to create WordRake when he noticed a pattern in writing errors that he thought he could address with technology.

In 2012, Gary and his team of engineers created WordRake editing software to help writers produce clear, concise, and effective prose. It runs in Microsoft Word and Outlook, and its suggested changes appear in the familiar track-changes style. It saves time and gives confidence. Writing and editing has never been easier.