When you start an ecommerce store, you’re global from day one. That means that even if you are based in Toronto, you may have customers in the United States, Europe, or anywhere in the world. For this reason ecommerce merchants need to ask themselves if they are compliant with global data and privacy guidelines. That’s where Enzuzo comes in.
Mate is the founder and CEO of Enzuzo, and a serial entrepreneur. Previously Mate was CEO and founder of Avvasi, a big data analytics company that was bought by NetScout (NTCT), and prior to that Mate was CEO of VideoLocus, a video streaming technology company that was bought by LSI (now BRCM). Mate has a bachelor’s degree in Systems Design Engineering from the University of Waterloo, and an MBA from the Richard Ivey School of Business.
Jay: Mate, it’s so good having you here. Thank you so much for coming on the show. Can you give us a quick introduction? Who are you and how do you pronounce it, Enzuzo?
Mate: Enzuzo, it means privacy, so that’s it.
Jay: In what language?
Mate: In the Ibo language, so it’s an African language based in Nigeria.
Jay: Awesome. Okay, give us a little bit on your background and what is Enzuzo.
Mate: Okay, my background is, I’ve been an entrepreneur for many years. This is my third company that I’ve started in all kinds of different areas, but for the first time I’ve jumped into eCommerce. I think it’s a super exciting space. I’m really excited about it, but I’ve been in the tech space basically for my entire career. And one of the reasons I decided to start Enzuzo is I was speaking to a lot of my entrepreneur friends. And there was just a common sort of theme about people being concerned about data privacy, not really knowing what they needed to do. I think most people I talk to care, they want to do the right thing, but it’s so complicated that they don’t know what to do. So, thought this would be a great opportunity to start to really demystify and simplify data privacy and make it easy for merchants.
Jay: Yeah, merchants want to focus on their business, making money, marketing, getting traffic. And then in the last few years they’ve had all these data privacy, like laws and regulations thrown at them that they’ve had to scramble and figure out. So essentially you that’s… when did you found it? Is that when you came into the picture when kind of like the GDPR wave was a few years ago?
Mate: Yeah. Two years ago we founded it. It was a little bit after, as the GDPR wave had already gotten, but just before the CCPA wave that’s come in since, and we’re kind of looking at it. There was a wave already in larger enterprises, but we noticed it hadn’t really hit smaller businesses as much, and so we saw the opportunity there.
Jay: Just for a bit of background. I think most of our audience will know these terms, but acronyms are always, I like to clarify. So GDPR, CCPA, can you give us the quick Coles Notes on what they are and why they matter?
Mate: Yeah, so GDPR is a European law covering all of Europe and of course the UK as well. And it’s the General Data Protection Regulation. And basically it’s a very broad law that basically says, consumers, your customers have the right, it’s their data. They have the right to control their data. So if they want to ask you to delete their data, to change it, to get access to what you have on them, to have transparency on what you do with their data, do you sell it? How do you store it? Is it secure? Any of that stuff, they’re in control and you have to comply. And probably the big thing about GDPR was that it actually has teeth. There is actually an enforcement body that had fines and there’s also lawsuits. And you either can go and be applied against it. And it really has teeth, and so that’s why everybody has to care whether, you know, some people care because they care, other people, you want to protect their business and the risks of fines. And so, that really was a game changer; everybody kind of had to really pay attention.
And CCPA, the California Consumer Privacy Act, essentially came in after. And it was kind of modeled after GDPR. It’s not quite as comprehensive as GDPR, but it’s got a lot of common elements. The elements of consumers having control; there are some thresholds, you have to have so many customers in California, so much revenue before it applies to you. But you know, the one thing about being an eCommerce store and being sort of, you know, if you put up an eCommerce you’re from day one, you can have customers coming in from anywhere. It’s always easy to lose track.
Sometimes one of the big questions we get from customers is like, what laws do I have to apply to? And what laws affect me? And really to know that we have to look at where your traffic’s coming from and where your customers are buying from to really, and how much they’re buying to really understand. And that’s where you need something to help you figure that. And that can be changing at any given time. So a lot of times just GDPR is the most comprehensive law, so when you’re complying with that, you’re more than likely going to be in good shape for all the other ones. But you do have to pay attention because the other laws have some specific things that are slightly different as well.
Jay: So if you are in North America, you mentioned GDPR is mostly European. If you’re only selling within North America, do they need to be concerned with GDPR?
Mate: Yeah. So there’s still some ways of, if you have European visitors to your website, but you know, even if they’re not buying anything, you still have to be a little bit careful about that. That can still impact you. However, if you’re only selling, and part of it is let’s say somebody goes and fills out a shopping cart and then figures out, oh, you don’t ship to my country, so it’s in Germany. A lot of CRMs will still collect that personal information from an abandoned shopping cart and put it in, and now you own data from a European, even though they didn’t buy anything and maybe they got on your mailing list. And then all of a sudden they’re going to expect to assert their GDPR rights, right? So that’s an example where it still impacts you, even though you don’t sell. And of course, if you’re in North America, then laws like CCPA will impact you more, but it doesn’t mean you can ignore GDPR.
Jay: So what are some of the ways that, you know, you mentioned GDPR actually has teeth. What are some of the ways that brands are getting caught, if you will? Like, what are… I imagine there’s instances where people think they’re GDPR compliant or they maybe pay a little bit of attention to it, but not enough, or are the cases you’ve seen that the ones that have been fined are just completely ignoring it or do you see a bit of both?
Mate: That’s a great question. So I think the big public stories you’ll see around data breaches and a data breach can happen to anybody. It can happen to say a platform like Shopify, it can happen to an individual merchant. It can happen, let’s say to your Klaviyo account or something like that. Anyone can experience it. And usually when there are data breaches, then a bunch of stuff gets found out that shouldn’t have been happening. So if you’re non-compliant to data privacy law, there’s a data breach, that’s where a lot of stuff gets exposed, but then how that data breach is handled as well. And that’s where you’ll see multimillion even sometimes multi-hundred million dollar fines and lawsuits that will happen. Now, that’s a little bit less of an occurrence for say a smaller to mid-size merchant that it can happen, but it’s one of those like black swan events. And to protect yourself against those things is generally what you want to do is you want to be following the best practices around data privacy, because generally what tends to happen is when there’s a big event like that, the regulators will go out and the lawsuits will go out after people that were doing the least or obvious targets, they want to make examples of a lot of times. If you’re sort of following best practices and you’re doing everything you possibly can, nobody can prevent a data breach if somebody wants to get in, they get in. But if you’re following the best practices, then you’re more likely than not to be in good shape.
Now, the other types of sort of fine is let’s say it could be a complaint base. So let’s say a customer comes on your site and you know, you put them on your mailing list. We see this all the time. You have customers that come in and they want to get off the mailing list. Merchants they’ll make it easy, so they submit a GDPR delete request, which is basically delete all my data. You have to actually fulfill those within a certain period of time. So under GDPR, it’s 30 days, under CCPA, it’s 45 days. If you don’t do that, they can report you. And we’ve seen fines of, you know, between two and 20,000 euros. So, between 2000, 20,000 euros, per instance, or companies that just ignore those, right? And that’s a different type of risk where you need to have kind of the tools and systems in place.
Most companies say you have a privacy policy, and then you put an email address on that privacy policy service or [email protected]. But is anybody checking that email address? Sometimes we found those email addresses are sometimes dead, or are you looking at those requests and actually servicing them in the right amount of time. And the other bit is sometimes merchants don’t even have a privacy policy, don’t even have contact information and then you can get into even more trouble with that kind of approach. So, those are just some of the more common types of situation. A fairly prominent case just recently, a company called minted.com that actually had a banner on their front page saying, hey, we just settled the 5 million class action CCPA suit. And it ended up being something like, you know, $50 per customer or something like that. It was a big thing over their violation.
That was the first CCPA related big fine. That was actually a lawsuit that was settled, and they had, you know, our kind of view of it is, hey, better to have a cookie banner on your site than a, I just settled the lawsuit banner, that’s what they had. And they had, because they had to get the information to all their customers, so that was the way to do it. And of course, that’s just like really terrible for your brand if you have that on your website.
Jay: So obviously like, I mean, the email address is being collected and used in inappropriate ways is the obvious example. But I know at Bold, when we went through to become GDPR compliant, we had to look at a lot of the third party software we use as well too. And I think this is something that I think a lot of merchants don’t think about, so maybe they are handling data the right way. They’re not emailing customers, they shouldn’t, and they’re not storing their emails. One that actually came up, and I don’t know if they’re… I think they might be compliant now. So Grammarly is a browser plugin that helps you write with proper grammar and millions of people use it. We actually, I haven’t checked recently, but like a year and a half ago, our security team told us we weren’t allowed to have that browser plugin because in their terms, it says they store the actual copy from anything you use. A lot of people use note taking apps, you know, when they’re on a Zoom call or Google Meet call, it’s recording, even things like the software using to record this podcast has to be compliant as well too, to an extent if you’re sharing data in it. And that’s something that a lot of brands, I think they don’t think they think, and that’s, how can you get into trouble there? How many layers deep do brands need to think about?
Mate: Yeah, that’s a great question. So essentially under GDPR, which of course is the most comprehensive law, there’s this concept of data controller and data processor. So a merchant is a data controller, meaning you have the ultimate responsibility, like the buck stops with you for data that you collect. When you subcontract out data processing or storage to let’s say either a Shopify or Wix or Klaviyo or some other app or AWS, whatever that is, those are data processors. And they have some responsibility on themselves as well, but they don’t have as much as you, you have more as a data controller. So it is your responsibility as a merchant/data controller to, for everything that touches your customer’s data, to evaluate it, to look at both the privacy and security risks around it and have policies and sort of processes in place to make sure that that data gets handled really well.
So in let’s say larger companies, Bold Commerce is a great example. You would have a dedicated security privacy team. And what they would most likely do is they would have these surveys. Every company that handles Bold Commerce data would get this privacy security survey they would have to fill out. And then that person who’s dedicated, that’s their job. They would look at all of, you know, how they answered that survey, and they would decide, okay, I can trust this company with our customer data, or I cannot. The example you mentioned is there was one company Grammarly was decided, okay, we can’t trust this company. You have to look at the company’s own. Of course, you start with looking at their privacy policy in terms of use and things like that. But you’re also going to ask questions about how they store your customer data. Now, when we get into the eCommerce space and let’s say you have a merchant that’s on Shopify and they start installing all kinds of apps, most people don’t do this level of due diligence. Most people don’t look at apps, but the reality is, any app you install has access to a lot, if not all of your customer data, and that’s going to be a weak link. Now, that app itself will share some responsibility if something happens, however that doesn’t mean you’re absolved. In fact, you have more responsibility as a data controller or merchant. And so, that’s where it’s really important to, if you want to be trustworthy yourself, you have to basically do business with trustworthy people and evaluate that.
Jay: Yeah, it’s such an amazing web when you actually go down and see where all data can possibly go. I was just thinking back, and I know there was actually a couple email apps that we weren’t allowed to use at Bold that had send later functionality, which is, seems like a simple, innocent thing. I think one was Spark and actually Superhuman, which is a really common one that a lot of startups use it. I know a ton of people that use it, I think they’ve since changed this, but at the time wasn’t GDPR compliant, because it stored the email on their servers and then would send it the next day or whenever you scheduled to be sent and they didn’t have… this was early on. So, it’s definitely an interesting exercise to go through and see where data actually, all the properties it touches. Okay, so how do you engage with brands at Enzuzo? You have software? Do you consult with them? Maybe explain where Enzuzo comes into the picture.
Mate: Absolutely. So we have the number one gap we saw when we entered the market was education. Just these privacy laws are fairly complex and distilling things down, what do you need to do as a merchant? So one of the first things we started doing is generating a lot of content on our website enzuzo.com. One of the first pieces of content we had out there was the privacy playbook. Here are the top 10 things as a merchant, you need to worry about data privacy, and just really distills it down for you what you need to think about. We also have an app, you know, Shopify app, as well as kind of a platform agnostic app on our website that you can install and gives you autogenerated privacy policies, cookie consent banners, and a lot of other capabilities to manage the data privacy workflow, such as when you get deletion requests, we can automate all of that, and the combination of content and sort of an easy to use app that’s really made for merchants.
The idea is we demystify a lot of, okay, what does this all mean? I don’t even know where to start to. Okay, here’s the top five things you need to think about and here’s some tools to actually help you actually do that. That really helps kind of get a merchant from, I don’t know what I’m doing, to, okay, I actually have some… I’m following some best practices. Now, we can’t solve all data privacy problems, but we do a pretty good job of kind of getting you really good basics in place. And then as your business evolves, and as your data collection practices get more sophisticated, then we work with merchants to sort of, you know, either evolve our product, or sometimes we provide advice and consultation. If people have questions, we’re like super responsive on our chat about anybody that has any questions.
Like a great example of a question that came to us just recently was a merchant was trying to install a Google merchant product and Google was blocking them because they did not have the right privacy policy on their website. So actually it was interesting because Google actually is starting to enforce, you know, you don’t have the right privacy basics on your store, they won’t let you even use their tools. That’s not like a relatively new thing. So they needed our help how to configure their privacy tools to make sure that Google would do business with them. So that’s an example of something and, you know, we’ll then help that merchant configure their site. And of course they were off to the races within a few minutes. That’s basically what we do. We’re privacy experts, but we’re trying to make it simple and automated and self-serve so you don’t need a lawyer and you don’t need an expensive consultant. We’re trying to make everything super accessible and whatever, as much as possible in the merchant’s hands.
Jay: To really help e-commerce brands get like the fundamentals right, it sounds like.
Mate: Yeah, the fundamentals. Exactly, yeah.
Jay: I wanted to touch on you said, okay, there’s a few things I want to dive into, but one was you automate data requests. Did I hear that right?
Mate: Exactly.
Jay: How does that work?
Mate: So let’s say if somebody’s using one of our own autogenerated privacy policies, so, you know, like for example, Shopify has a privacy policy, the template that you can copy. Some people actually copy it and paste it, word for word with the “insert here” templates here, which is really, really bad, by the way, that’s like, you should not do that. You can get fined if you do that. So we actually have a privacy policy that you fill out a questionnaire, you tell us something about your business, and we actually generate like legal reviewed language that’s proper, and really well-thought out properly done. And within that privacy policy, there is a form for requesting your data. That’s all baked in. And so when a customer goes on your privacy policy to go, oh, I want to request, you know, either find out what data you have or just delete my data.
We basically have a form that first authenticates that user. So first of all, we figure out if this is this a real person or user, do they actually can they authenticate by email or potentially 2FA. And then if they’re authenticated, we then, it’s kind of, we create a ticket within our app for the merchant. And we notify the merchant and we say, “Okay, this customer wants to delete all their data.” First of all, we’ll tell you what do we find, what data do we have on this customer, okay, here it is. And would you like to approve the deletion? And then all the merchant has to do is say, yep, I approve, and then we go handle everything else. We delete their data out of the CRM. And then we send a notification to the user saying, we’ve done all this compliant to GDPR. And we tell you, for example, we tell the merchant, okay, this person submitted this five days ago, you have 25 days under GDPR left to complete this request because after 30 days is your time, so make sure you do it in the right amount of time.
Jay: Are you integrated with specific CRMs to automate that?
Mate: Yeah, so right now we’re integrated with Shopify and we’re going to be adding other integrations as well.
Jay: And so is the goal… actually, you know what, well, I’ll ask it now. I have some questions around like what the future holds for Enzuzo, but I imagine the goal is to eventually have the ability to automate that across anywhere that data is stored or is it just CRM?
Mate: Absolutely. The goal is ultimately to automate that everywhere. Right now we have a combination of automated and manual. So let’s say if all your customer data is in Shopify, we can do that automatically. However, if somebody has a combination of other tools and whatever, we still do the automation, but it’s more, the actual deletion part that has to be done manually, but we still automate the process and the workflow. So you still want to keep track of the request, make sure you completed it within a certain period of time, depending on where the customer is. So, you know, if they’re a California customer, you have 45, if you’re a German customer, you have 30 days. So knowing all those things, we just kind of handle all of that. There’s still a lot of value. And then the other piece is you need to store that request somewhere so that if someone says, well, I asked you to delete my data, but you didn’t, you want to be able to prove it in case it gets challenged in court, but you want to store it in somewhere where it’s like really safe and it’s not going to then cause another data privacy issue. So, we kind of handle that in a very specific way, in terms of, you know, we can generate compliance reporting that doesn’t have any personal information in it. So you can prove you kind of service the request without having any personal information in that report.
Jay: Got you. There’s still going to be some like work required from the brand. I mean, if you automatically delete it in Shopify, but if that store has done an export and has a CSV sitting on their hard drive with all the customers, they’re still in trouble, correct? Enzuzo can only do so much; there’s some responsibility on the merchants side.
Mate: Absolutely. And we’re trying to move everyone to a place where everything’s kind of what we call structured data and it’s automated. You know, structured data is like your customer’s data, say in Shopify and Klaviyo, but unstructured data would be if it’s in a Google Doc or on a spreadsheet or it’s written down on a piece of paper somewhere, you don’t want to… this is like number one thing if everyone can do, don’t store your customer data in unstructured formats, you know, like a Google Doc and spreadsheet or whatever, have it in a dedicated either a CRM, dedicated tool that has the right sort of privacy hooks in because then there’ll be people like us that will then automate it and keep track of all of that. People who’ve put customer data in things like Google Docs that I’ve seen in larger enterprises, they’ll then go and spend a lot of money on data scanning and AI and categorization tools to go and find it. And it just becomes a huge mess, and so avoid that. Just treat your customer data, really… like you have to start thinking about customer data like money. You wouldn’t just leave money around, you put it in a bank, you put it in very specific places and you take care of it. You don’t just leave it around anywhere.
Jay: Yeah, that’s important. And what constitutes…. at what point is it money? Is it when there’s an email attached to it or is just a first name and last name, if someone’s listening and they have like exported some data from whatever, their eCommerce platform, if they have just a list of maybe names and a state or a first name and maybe order revenue amount, is that data, or does it need to have a certain amount of information about a person to be trouble?
Mate: It’s a great question, and we get this question a lot. And I think the important thing to understand is that the data privacy laws are really, really broad to the point where even an IP address, which is like the internet address of your computer, which is just a number on the internet can be considered PII, if somehow somebody can use that to identify an individual person.
Jay: Personally identifiable information.
Mate: Exactly. So it’s not about asking which piece of data is considered, it’s about anything that can be used to trace back to a person is considered PI or personally identifiable information. So really, when you’re thinking about it, the way you want to think about it is the least you want to have just like absolutely nothing related to a customer in those unstructured unsafe data formats because you never know what two, three pieces of your information can be put together and then you triangulate an identity.
Jay: Yeah, it’s very eye opening when you deal with someone that really understands the importance of this. Like, if I ever have to email anyone on our team and if there’s anything, I mean, you sometimes legitimately have to share data between, it could be software, different things and our security team will be on top of it like that. Like, can this file be deleted now, can this be removed? Can this… like, they don’t want anything hanging around. It’s exactly like that. Like having money just - it’s a really good way to think about it. You know, one of the things I wanted to talk about was zero party data versus first party data and the difference and maybe what the impact of that to merchants are.
Mate: Yeah, that’s a great question. So this is something that has been a huge, huge shift in eCommerce in the last few months, although it’s been kind of telegraphed about a year ago when kind of Apple and Google has followed it, when they announced that they’re changing the rules of data collection on smartphones. And it’s now been implemented with both iOS and Android, where it used to be, there was a ton of personal data collected from apps, iOS and Android apps that ultimately would help… that stuff would trickle into Google and Facebook and all kinds of other places and would help with things like finding customers through ads, Facebook ads, Google ads, and that ultimately help merchants pop up a store and get customer acquisition really, really fast, and in some cases really, really cheap. So, a lot of the early days of eCommerce growth, those are really important tools.
What’s happened is both Apple and Google decided, we’re turning off some of those taps, not all the taps are turned off, but for example, the personal data collection on apps has gone from default opt-out, to default opt-in. What that means is that now an app user has to explicitly say they want to share data with an app by default, they’re not sharing it. And I believe that the default opt-in rate is like 4%. It used to be a hundred percent. So basically, you lost most, like 96% of that data you’ve lost. The knock-on effect of that has been that attribution from merchants has really gotten impacted. And so, the cost effectiveness of Google ads and Facebook ads, that’s just becoming a lot less compelling, especially as a primary way of customer acquisition. And in parallel to all of that, you’ve got this dynamic that there is an eCommerce model on Amazon where you don’t necessarily need those data, but then you’re at risk of being Amazon basic and it’s hard to build a brand there.
So if you are not going down that path and you’re building your own brand, the trend is personalization and kind of, you want to personalize the brand, but in order to personalize, you need customer data. So, merchants are now between a rock and a hard place because you know, very, very large eCommerce companies, let’s say it’s someone like Adidas, they already have a ton of customer data, so they’re in a great spot because they understand the market, they understand customers, they can just leverage. In this new world, they have enough data, they can leverage, but if you’re a small or emerging brand and you haven’t had a chance to amass yourselves data from a customer, then getting that data has become way harder. And the data you get directly from your customer, from your own store, that’s called zero party data. It’s direct.
The data that you would have access to through a Google or Facebook, that’s third party data. So, what’s happened now is third party data is becoming a lot more expensive, a lot harder to access because of data privacy laws. And so, merchants are having to focus on collecting more zero party data. One of the challenges there is you have to convince your customer or prospective customers to give you data, but they may not trust you. And I have one report that came out very recently. It was a great article written that said that, you know, 57% of the eCommerce shoppers would rather protect their data privacy than have a personalized eCommerce experience. So, you know, slightly more than the majority of online commerce would want to take the data privacy trade off. So then now there’s an onus on merchants to provide more of a trusted experience for customers in order to get trust and get more of the data so they can provide that personalization and grow their business. That’s I think becoming much, much more important. And you’re just going to see more and more of that because there’s more of these data privacy laws coming into effect. The data collection practices are going to get even more strict and then the pain points around, how do you collect zero party data, that’s going to become more and more important.
Jay: So well, and I guess it’s going to be more critical. I mean, we’ve always said to have direct communication with your customers to own that relationship versus going through Facebook or Instagram or Google or whoever your advertising is to actually own the relationship. And actually just makes email, SMS and whatever way you’re legitimately communicating with them even more critical. If you were starting a D2C brand right now, what are some things, like do you have kind of a checklist of a few key things that you need to make sure you have in order to kind of set yourself up for at least for success?
Mate: Absolutely. So the basic sort of, I call it the data privacy frontend, which is what Google trust rank looks at every website and looks at, do they have a privacy policy? Do they have a terms of service? I believe they look at, do you have a Contact Us page and then a cookie banner? So those are the real, real basics of like looking trustworthy basically, you need those. And for merchants who might be tempted to let’s say, look at a Shopify data privacy or terms template, and just pop one of those in; unless you’re going to have a lawyer or an expert go and actually fill it out for you and properly format it, you don’t want to be doing that. You need to use either professional generated like Enzuzo or you go talk to a lawyer. And of course, it cost a bit of money to have them draft the custom one for you. That’s where your terms and your privacy policy.
These things matter, and people like Google look at them, but also your customers more and more will look at them. And it’s just becoming kind of like table stakes. Everybody has one, the big brands all have it. So customers are used to, you know, seeing that, that’s the real basics. What’s becoming a basic is also an ability to have the automated data control. Now, where you first started to see the ability for a customer to control their data, to like, let’s say, delete their data or find out what data exists on them, Apple, Google, Facebook, they all did it first. They all have portals where you can authenticate, say Apple, with your Apple ID, and they’ll give you like all the data. I’ve actually done this once. I got five gigabytes of data just on me, all the services that I use and everything.
But recently, we’ve gone through the top e-commerce brands. And I would say about 30% of the top e-commerce brands have some kind of an automated data privacy request workflow on their site. So examples would be a Skims Kim Kardashian if you go look at their site. There’s a bunch of other ones, roughly 30%. I think this is going to go to a hundred percent fairly soon. So if you want to kind of like punch above the basics and really look like you’re following best practices, that’s the one thing you can add. And of course, our privacy policy gives you both out of the box. We just do that. So those are kind of the basics. Then the next steps after that would be more looking at your internal data collection. You know, which apps and services do you give access to your data?
Just look at, you know, without going through a lot of complexity, just take a critical view at those app brands. Do they look like trustworthy companies? You know, is there like an office and you know, is there a LinkedIn page where you can see like real people that look trustworthy? That’s like a good first level. It’s not enough to be completely compliant, but that’s a good first level. You know, if you download an app, give it access to all your customer data. And there’s like, no trace of that company anywhere. That’s usually a pretty bad sign. You can sometimes see, you know, it’s like one of who knows where, so those are some of the considerations that once you get that 1.0 stuff going, you can start thinking a little bit further along.
Jay: I’m always fascinated about the actual cookie notifications that I wanted to ask you, because that’s part of your tool, right? Like, you can design cookie notifications. You’ve got some templates. I was browsing around some sites earlier today and I’m just pulling some up here. Like some of them, it’s a simple one-liner. Actually I’m on the awwwawards.com, which is the site that has like different examples of websites doing cool things. Anyways, like, their cookie notification, which I imagine is legit because they are a legit company, but it’s a simple one-liner that says “This website uses cookies to ensure you get the best experiences on our website.” And it’s got a link to the cookies policy and then a button that just says, “Got it!” That’s it.
And then I look at other sites and I’m going to pull one up here. It’ll be a big thing that takes a third of the page, “We store cookies on your computer to collect information about how you interact with our website. This information from these cookies helps us improve our customer experience, show you more relevant, blah, blah, blah. To decline this, you can accept or decline.” And then you see some that you can manage different cookies; so like, enable all, enable some, enable none. Is that just a choice that the brand can make, because it seems to me, why wouldn’t you want the shortest, briefest message possible?
Mate: That’s a great question. We get this question all the time. Here’s the answer and it’s a little bit complicated, but I’ll try and make it as simple as possible. The GDPR is really the only data privacy law today that strictly requires cookies. And there’s been some additional, you know, laws and court precedents that have even said that you should not be allowed to navigate any of the site until you’ve actually accepted those cookies, to give you kind of that protection that like nothing about you gets captured until you’ve actually accepted cookies. Now, here’s the complexity with this. And then if you’re sort of like North American or anywhere else in the world, technically, it’s a best practice, but you don’t need to have a cookie banner at all. So, what some companies will do, they’ll put a really restrictive page and some of our customers take our cookie banner and configure it like this.
Well, they’ll put a really restrictive cookie policy like where you can’t even access the site, say for European customers only, but then if anybody else comes along, there’ll be no cookie banner. Some customers will decide to do that. But some are uniform experience for everybody and that’s why you end up seeing some of those things. So we find, you know, you think a cookie banner is a simple tool, but it’s actually quite complex because we find we have to look at the IP address of every visitor that’s coming into the store, geolocate them and then potentially display a different cookie banner depending on where they’re coming from, to give the sort of optimal user experience versus data privacy compliance for that specific country. So, that’s what you’re going to see out there.
Now, with all of that, there’s another layer of complexity, which is that a lot of like apps and things that use and generate cookies, they just flat out ignore all the cookie laws best practices. And so, you’ll see a lot of merchants will put a very restrictive cookie banner and properly configured and all that, but then they’ll have an app that has a cookie that completely ignores that cookie banner. So like you put a restrictive cookie banner that says you can’t browse my site until you accept. But then there’s a cookie that gets loaded before that cookie banner. And merchants don’t actually know sometimes because they don’t have the technical expertise to know when that’s happening. So, some cookie banners will try to act like ad blockers and block their own cookies for apps that the merchant has installed, which is like a really broken way of doing things. So where we’ve kind of landed on this is, we give maximum configurability and we make it easy to use and know, okay, do you want a cookie banner for GDPR? And do you want just for your European customers? Or do you want to put one that’s the same for everybody and then okay, that’s great. You can make that choice. It’s kind of a style choice.
But then if there’s things you’re installing on your website that kind of violate those rules, we’re going to go and give you some information and some analytics on that, but we’re not going to try and control that because that’s up to the merchant to figure out. Now, over time I think those things will get cleaned up, and Google and Apple are even talking about potentially getting rid of cookies altogether in a few years, but that’s going to take a long time to make itself out of the system. However, right now it’s a bit of a mess to be honest. And so, our recommendation is do the right thing for European customers and put a GDPR-compliant cookie banner. And then for non-European customers, we still recommend putting something minimalistic that’s considered a best practice, but not going kind of like, you know, full restrictive mode because you’re not required by the law.
Jay: Yeah. So with Enzuzo, that is a feature to be able to geolocate and show different messages or no message by country?
Mate: Absolutely. Yeah.
Jay: Okay. It’s interesting. I just assumed actually we have it across the board. Our customers are from all over, but I actually thought even in the US, I thought you still had to have it, but that’s interesting. We’ve all just, I mean, it seems like we’ve kind of gotten numb to it. It’s the first thing I do when I, you just get on a site and you accept the cookies in a way, you go, it’s kind of yeah.
Mate: The US it’s recommended but not strictly, strictly necessary.
Jay: Yeah. I want to ask you two more questions. What is probably the biggest mistake you see stores make as you’re shopping online and you just want to, and you put your palm to your face and go, “Ah.” What’s the biggest mistake?
Mate: Probably the one for us that drives us crazy is when people put a non-filled out privacy policy template, like you copy someone’s privacy policy or you copy a template and you clearly don’t fill it out and you put it. It’s worse. It’s better just to not do anything than to do that because that just shows you don’t care. And it’s actually worse than not having one, which, you know, you can say, hey, I just didn’t get around to it. But when I do it, I’m going to do it right. That’s probably the one that really drives us crazy.
Jay: And did you mention, if you copy a template and you left the template wording in there, you can actually get fined for that?
Mate: I would say here’s - let me be a little bit more specific about that. I think when you do that, it signals that you’re being sloppy and it just invites more scrutiny. And once you are not doing things properly and you invite more scrutiny, the odds of a fine increase drastically, that’s what I would say specifically. So you just don’t want to call attention to yourself, you know, especially because that’s such a public thing, your privacy policy, anybody can go and find that. You don’t want to call attention to yourself like that. And by the way, it is almost impossible to perfectly be compliant to every data privacy law out there, like virtually nobody is. So, the game is about doing as much as you possibly can to follow all the best practices because the laws are so broad that you can’t possibly tick a hundred percent of the boxes and that’s where we try to go, okay, these are the top five things you want to do and that’ll get you in pretty good shape.
Jay: Are you seeing GDPR trolls out there?
Mate: Like a little bit, but not as much as something like ADA compliance, because I think Americans are far more litigious than say Europeans. And there isn’t a US federal privacy law right now, but I would expect once that comes into place, which I think it will because there’s a bunch of states putting privacy laws together, like Virginia is a recent one and there’s more coming that I think there’s pressures building for a federal law to come in because nobody wants to have 50 privacy laws to comply to. And at that point, I think you will start to see more and more of that, the trolls.
Jay: It’s bound to happen. So just before the episode, you let out some exciting news. This is probably people might know about it now from when this goes out, but you just completed a raise, so you’re obviously doubling down on the company. Well, congratulations, first of all.
Mate: Yeah. Thank you. It’s great to have our investors have seen us kind of become a leader in this category in e-commerce data privacy and they see a great opportunity for growth and are backing us. And so, that’s going to allow us to expand our product offering and really deliver more value to merchants in terms of data privacy. And our goal is just make data privacy easy, make it simple for merchants, and that’s what we’re here to do.
Jay: That’s awesome. And merchants want to focus on making money, not worrying about all of this kind of stuff, so it’s a fantastic service. Where can people go to learn more or like how can they get started? It’s a SaaS app they can just install, correct?
Mate: Yeah. It’s actually a free SaaS on enzuzo.com. And then if you are a Shopify merchant, you can find us on the Shopify app store.
Jay: Awesome. Well, Mate, thank you so much for coming on the show. I learned a lot. It was a real pleasure having you on.
Mate: Awesome. It was a great pleasure, Jay, and I look forward to seeing this out live.