Donata Stroink-Skillrud is an attorney licensed in Illinois, a Certified Information Privacy Professional, and President of Termageddon, a SaaS platform transforming how eCommerce businesses handle legal compliance. Built at the intersection of privacy law expertise and technology, Termageddon helps online businesses stay compliant with ever-changing privacy regulations, without needing a legal team.
After years of working directly with contract law, consumer protection, and international privacy regulations, Donata saw firsthand how fragmented, outdated, and risky privacy compliance had become for Ecommerce websites. What started as manual legal work soon evolved into an automated solution that identifies which privacy laws apply to a business and generates up-to-date, accurate website policies in minutes—not weeks.
Donata brings a legal insider’s perspective to the realities of online selling, breaking down complex regulations into practical steps for founders. From helping brands avoid FTC fines on subscription renewals, to clarifying why state privacy laws apply to your store, Donata explains the hidden legal pitfalls that quietly erode Ecommerce growth and how to protect against them.
Whether sharing how generic privacy templates leave stores exposed, why recurring billing pages are the newest legal battleground, or how to future-proof your policies against incoming U.S. state laws, Donata delivers a tactical, no-nonsense playbook for reducing legal risk and building customer trust.
In This Conversation We Discuss:
- [00:42] Intro
- [01:04] Breaking down contract laws for entrepreneurs
- [02:02] Explaining why Shopify won’t cover your compliance
- [03:57] Breaking down real costs of ignoring privacy laws
- [06:53] Clarifying why location won’t shield your store
- [08:10] Highlighting false refund claims that trigger fines
- [11:54] Identifying which privacy laws apply to you
- [13:36] Turning repetitive legal work into automation
- [14:55] Updating policies before laws take effect
- [16:29] Receiving automatic updates without extra effort
- [17:15] Saving weeks of legal work with automation
- [18:12] Staying compliant as privacy laws keep changing
Resources:
- Subscribe to Honest Ecommerce on Youtube
- Protect your business from fines and lawsuits: termageddon.com/
- Follow Donata Stroink-Skillrud linkedin.com/in/donata-stroink-skillrud
If you’re enjoying the show, we’d love it if you left Honest Ecommerce a review on Apple Podcasts. It makes a huge impact on the success of the podcast, and we love reading every one of your reviews!
Transcript
Donata Stroink-Skillrud
Some platforms like WordPress or Shopify may provide their own privacy policy templates for you. The issue with that is that those templates are not based on any privacy laws.
Chase Clymer
Welcome to Honest Ecommerce, a podcast dedicated to cutting through the BS and finding actionable advice for online store owners. I'm your host, Chase Clymer. And I believe running a direct-to-consumer brand does not have to be complicated or a guessing game.
On this podcast, we interview founders and experts who are putting in the work and creating real results.
I also share my own insights from running our top Shopify consultancy, Electric Eye. We cut the fluff in favor of facts to help you grow your Ecommerce business.
Let's get on with the show.
Chase Clymer
Hey everybody, welcome back to another episode of Honest Ecommerce. I'm your host, Chase Clymer. And today I'm welcoming to the show an attorney licensed in Illinois and a certified information privacy professional, Donata Stroink-Skillrud. Welcome to the show.
Donata Stroink-Skillrud
Thanks so much for having me. Great to be here.
Chase Clymer
I am excited to chat. Alrighty. So I've had a few attorneys on the show, but it's quite rare. But what is your expertise? How does it play into Ecommerce and what my audience expects? What is it that we're going to really dive into today?
Donata Stroink-Skillrud
Yeah, absolutely. So I guess, first of all, being an attorney, this is not legal advice. But I've been working in privacy for quite a few years now and as she said, have the CIPP designation. So obviously, Ecommerce websites collect a lot of personal data, whether that be names, emails, shipping addresses, billing addresses, payment information, things like that.
So I've worked with that for a long time. And I've also worked with contract laws as well as consumer protection laws in various countries, which determine what needs to be in the terms of a website.
And it just so happens that I'm a legal engineer behind Termageddon, which is a policy generator for businesses, including Ecommerce websites.
Chase Clymer
Absolutely. And yeah, you are so right. There is so much data. If you have a successful Ecommerce business, you're collecting a lot of data. And well, first of all, I think a lot of founders and let's just call them merchants in the Ecommerce ecosystem, kind of just assume that's taken care of by the tools that they're using.
And they almost skirt the responsibility. Maybe as I say it out loud, it doesn't seem like the most valid perspective to take here. What's the difference between my business having considerations for this privacy and these databases and whatnot versus is it the responsibility of the tool per se like a Shopify or a Klaviyo?
Donata Stroink-Skillrud
Yeah, absolutely. A lot of people will assume, let's use the example of reCAPTCHA, right? When you implement reCAPTCHA on your forms, on that reCAPTCHA box, there will be privacy and terms. These are the privacy and terms of reCAPTCHA or Google, the provider of reCAPTCHA, not your privacy policy and not your terms of service. Same thing with Shopify, businesses would never assume the risk, you know, especially businesses that have millions of merchants using them.
They would not assume the risk of privacy or contractual or terms compliance for the merchants that use their service. That just makes no sense. You would get charged a lot more for those services if that was the case, because there is a lot of risk because there's a lot of privacy fines and lawsuits and complaints regarding website terms and things like that. So they work for them.
They don't work for you. So your own website is required to have its own privacy policy and its own terms and comply with its own laws that apply to you. Shopify or Google or Facebook are not doing that for you.
Chase Clymer
Absolutely. And it's funny, as we're talking about this, we are building quite a few net new websites for brands. It's been happening a little more often for us. But within that process, we are specifically saying, you need to generate these terms and services.
You need to generate this privacy policy. And now if you're using Shopify as a solution, it will give you a boilerplate to start with, but they don't input any information. And quite often, we will notice after the fact, we're like, hey, you're not done. You didn't do anything here except click a button. And so if I'm a merchant that may have accidentally overlooked that stuff. How big of a deal is that?
Donata Stroink-Skillrud
Sure. So I guess first of all, I do want to say that some platforms like WordPress or Shopify may provide their own privacy policy templates for you. The issue with that is that those templates are not based on any privacy laws. So they don't actually comply with any privacy laws. And they're also not based on your business. So they're not based on your privacy practices or your business practices. It may be saying completely incorrect information.
And one of the requirements of those laws is to have policies that include the disclosures required by the laws that apply to you and fit your actual business or privacy practices. So unless you have a lawyer changing these for you, it's really usually not a good solution for anybody. Privacy fines can start at $2,500 per website visitor.
So let's say I have 100 website visitors from California per month who submit their data to my site or who shop on my site, that fine would be calculated as 2,500 times 100 if I didn't meet those requirements. And there's also lawsuits. So we've seen a lot of lawsuits under the California Invasion of Privacy Act, which applies to anybody tracking people from California on their site, regardless of where their business is located without consent.
So, you know, we've seen businesses, the smallest one person businesses, getting sued for tens of thousands of dollars because they track somebody from California through, for example, Google Analytics or Facebook Pixel without their consent. So those can be really big consequences.
Another consequence is that consumers are actually looking for this information now. So, you know, five, 10 years ago, consumers didn't really care about this too much. Nobody really went through policies to look to see if a merchant had them.
But consumers are looking at these now and they're likely to leave a website if they feel like their privacy is not being protected, or they won't purchase from you or they won't input your card information on your site, which can lose sales and can lose trust between you and the potential customer too.
Chase Clymer
Yeah, absolutely. I think that especially how it's been in the news, obviously, the California laws in America are super new and they're always cutting edge when it comes to the privacy for individuals and being pro-consumer.
But you've seen this all over the world. Obviously, GDPR is something that anyone in the Ecommerce space is probably familiar with. But there's going to be similar trickle-down laws, I believe, that impact America here soon as well.
Donata Stroink-Skillrud
Yeah. So a lot of states. Because we don't have a federal privacy law that governs the personal information collected by websites. We do have healthcare privacy laws or financial data privacy laws or laws for students and education, but we don't really have a federal comprehensive privacy law.
So you see a lot of states propose and pass their own laws. California, Utah, Colorado, Connecticut, you have all these states proposing and passing their own laws, which creates a kind of patchwork of compliance.
And these laws don't care where your business is located. What they do care about is where the consumer is located. So if people from other states or countries can visit your website and submit their data or be tracked, that's really where you need to be paying attention.
Chase Clymer
Absolutely. And now I know that we wanted to get this recorded sooner rather than later because there are some changes coming down the pipeline. So the Federal Trade Commission has made some updates and or changes that are either happening right now or have just happened specifically around Ecommerce websites and subscriptions.
Donata Stroink-Skillrud
Yes, that's right. So the Federal Trade Commission governs what they call negative option offers, which are basically things where a consumer doesn't take any action to receive goods or services.
So what we wanted to talk about today were subscriptions that automatically renew, even if the consumer hasn't specifically said, yes, please renew the subscription, which is very common in the Ecommerce world.
Chase Clymer
Yes, I know that that was a practice that a lot of people were doing. For the record, we never recommended it to people. But yeah, it is something that folks were doing. And then also just beyond that also was making it more difficult or obfuscating the way to cancel that subscription. It's another bad practice we'd see out there in the industry.
Donata Stroink-Skillrud
Right. Yeah. So I mean, there's a lot of businesses that do automatic renewals of subscriptions. Netflix doesn't email you each month saying, would you like to keep your subscription? Click yes and it'll stay there. It renews automatically unless the consumer cancels it, which is a pretty common business practice.
But now the FTC has created new rules for these practices. So the first aspect of this is misrepresentation of any material fact in marketing. So for example, costs, you can't tell somebody that the subscription is free and then charge them $10 each month. Right. You can't make misrepresentations regarding shipping fees.
So you can't say that shipping is free versus it actually costs something. You can't say the wrong information about billing information use. So this one's very important for the privacy policy. So for example, some privacy policies will say your billing information will not be shared with anybody.
But actually that's not true. It's almost always shared with the payment processing vendor or it's shared with email marketing vendors because you send them the email to let them know that their subscription has renewed, things like that. And then also refunds or cancellations.
You can't say that you are offering refunds where you're actually not. And you have to allow the consumer to cancel the subscription, which comes into play in the terms of service. And there's also other important terms that must be included in the privacy policy and the terms. And then also you must provide certain information to the consumer before obtaining their billing information and before charging them.
So usually, you know, we'll have this information in the terms of service, but you'll also want to have it in a way that's unavoidable by consumers. So if you have an Ecommerce site and you have a checkout, your checkout now needs to have a separate consent that says that the payments will be recurring, how frequently they will recur. So for example, like every month or every year, what is the cost that consumers will incur at every renewal?
Then also where to cancel those recurring payments. And you need to provide or obtain affirmative consent. So in your checkout, there needs to be a separate checkbox now that's unchecked by default that includes all this information and you need to have the consumer agree to that.
Chase Clymer
Absolutely. And a lot of that just sounds like best practices to be consumer-friendly.
Donata Stroink-Skillrud
Yes.
Chase Clymer
But now there's a law that is requiring it. Now, you mentioned earlier that these privacy policies. Let's just say privacy policies specifically. Every state is passing new laws and you need to have new considerations for each thing.
And it's specific to your business. It's specific to the apps that you have integrated within your business. It sounds like a lot of work to do it the right way, especially if you're not a lawyer.
Donata Stroink-Skillrud
Yeah, absolutely. When it comes to these privacy policies, the first thing that you have to do is to figure out which laws actually apply to you. So not every single privacy law applies to every single business. Some laws may apply to larger businesses only. Some laws may not apply to nonprofits. Others do.
And the privacy law is what dictates what is within your privacy policy. So all those templates out there that are like, just create a privacy policy and nobody knows which privacy laws they're actually covering or anything like that. None of those will be fit for you because it's based on the laws that apply to you. So that's the first step.
And then the second step is to figure out what disclosures those laws require and then write up those disclosures in a way that accurately represents your business and your privacy practices. So yes, it can definitely be complicated. And in addition, you have to keep that policy updated. There's new laws coming out all the time. And there's also existing privacy laws that are changing too.
Chase Clymer
Now, it would be pretty cool if there's a way to automate this.
Donata Stroink-Skillrud
Yeah. So that was my thought with Termageddon. When I was a lawyer in private practice, this was before all these extensive privacy laws. We didn't even have GDPR at the time.
So I noticed that I would ask my clients very similar questions and I had like 10 templates that I would Frankenstein together and the process was just horrible, even for a lawyer.
Chase Clymer
How many hours do you think it took to make one of those manually back then?
Donata Stroink-Skillrud
It would take about 5 to 6 hours depending on the complexity of the business because you would have to add all these things together. And again, this is before all of these privacy laws came out. Now it's probably like a multi-week process at the very least.
But I noticed that the process was very repetitive. I was asking my clients similar questions. I'd have all these templates that I would put together and I thought, let's automate this. And that's where we came up with the idea for Termageddon, which generates privacy policies for businesses.
And what we do is we ask a series of questions. So the first set of questions helps figure out which laws apply. So we have a privacy law identifier that literally tells you which laws you've activated. And then the remainder of the questions are based on those disclosures. And then your answers are used to create your policies for you.
Chase Clymer
Absolutely. And now how long would it take me to do this?
Donata Stroink-Skillrud
Probably 30 to 40 minutes, roughly, to answer the questions depending on which laws apply. So if you have a bunch of laws to apply, it's probably about 40 minutes. If you don't have that many, it's probably 20 minutes. And then as soon as you answer the questions, your policies are created.
You get the policy text and then you also get embed codes. The embed codes are what you put on the site. And that's what displays the policy text. And that's also what allows us to make updates as laws change too.
Chase Clymer
Yeah, let's not skirt over that. So not only did you automate this process to generate a more proper policy, now you go as far as to. You have their answers and then you will update it in real time as the laws change.
Donata Stroink-Skillrud
Yeah, absolutely. So the updating is not, I wouldn't say real time. So there's a big difference there. So privacy laws have a certain effective date. So for example, if a law goes into effect on January 1st, we're not making updates on January 1st because it's too late then in my mind, we make updates in December or before then, before the effective date, because the moment that the law goes into effect, that's when you need to comply.
And you might be fined if you're not compliant. So we do those updates prior to the effective dates. But yes, that's what we do. So sometimes we may need to ask clients a couple of yes or no questions. If there's some kind of odd disclosure that the new law requires. But once you answer those new questions, the policy is updated for you through the embed code.
Chase Clymer
Absolutely. And now let's say I want to use this in policy. This sounds like a great idea to me. What is the value there? What should I be expecting from an investment perspective?
Donata Stroink-Skillrud
Sure. So you do get a couple things with us. So one license covers one website or an application. And that includes the privacy policy, the terms, disclaimer, and EULA if you need one, as well as the cookie policy and cookie consent tool.
And then you also get the updates. So it'll save you a whole lot of time and a whole lot of worry in terms of researching these things and keeping track of these things and getting these things put together. And then we'll also update it for you too.
Chase Clymer
Absolutely. Also, this is in 2025. This might change if you're listening to this 5 years later. Just putting that out there.
Donata Stroink-Skillrud
Yeah. So it's $119 per year for one website or one app. And it includes all of those things. So we don't charge per law. We don't charge per disclosure. You just pay that one fee per year. And then you get all the policies that you need as well as the updates.
Chase Clymer
Yeah, that sounds like less than an hour rate of a normal lawyer.
Donata Stroink-Skillrud
A lot less. Yeah.
Chase Clymer
And you already said this is going to take at least 6 to 2 weeks of lawyering to do manually.
Donata Stroink-Skillrud
Yeah, absolutely. So it's a lot less than that. But the one downside to using us or any generator is that we can't provide you with legal advice. So lawyers can do that. We can't, just based on the nature of our business; we're a software as a service business. But yes, it will definitely save you a lot of time and a lot of money too.
Chase Clymer
That's amazing. And then obviously, my audience is super ecommerce and Shopify focused. And you and I spoke before this and I just want to throw it out there like, yeah, like the way that these embed codes can be embedded right into the policy pages within Shopify and I'm assuming it does the same thing for most major other CMSs.
Donata Stroink-Skillrud
Yep, exactly. So it's CMS agnostic. So it works on all of them. And I do want to note that we specifically have disclosures in the terms for Ecommerce businesses. So, you can select what you are selling on the website and we'll include things about refunds, cancellations, shipping policies, payment processors, all those things that you're concerned about as an Ecommerce business.
And then we also have extensive disclosures for subscriptions. So like how long is the initial term? When does it renew? How do you cancel? All those types of things too.
Chase Clymer
That's amazing. Now, if I am listening to this show, right? You know what? I don't think my policies are that on par. And maybe I want to just talk to somebody on the Termageddon team. Where should I go? What should I do?
Donata Stroink-Skillrud
Yeah. So you can go to our website, https://termageddon.com/ and click “Contact Us” and submit a form there. And we'll definitely get back to you as soon as we can. And we'd love to answer any questions that you have or anything like that.
I do know like this year, there's 8 privacy laws going into effect. We have these FTC rules changes going into effect, things like that.
So policies update very, very frequently just due to legislative changes alone, not even speaking about the changes in your business. So if it's been a while since you looked at your policy or had it created for you, or you got it from an area that you're not necessarily confident about, definitely submit a contact form. I'd love to chat.
Chase Clymer
Absolutely. And just as an aside, it's such a good name.
Donata Stroink-Skillrud
Thank you. Yeah, we try to have fun with it. Policies and compliance is a non-lawyer, pretty boring topic. I love it. I think it's really fun. But everybody else thinks it's super boring. So we try to at least have a little bit of fun with it.
Chase Clymer
That's amazing. Thank you so much for coming on the show today. If folks are curious to learn more about you, where are you hanging out on the internet?
Donata Stroink-Skillrud
Sure. So you can find me on LinkedIn. You can find me on X. You can also send me an email, donata@termageddon.com. I love to connect and I love talking about policies and compliance.
Chase Clymer
Awesome. Donata, thank you so much for coming on the show today.
Donata Stroink-Skillrud
Yeah, thanks for having me.
Chase Clymer
We can't thank our guests enough for coming on the show and sharing their knowledge and journey with us. We've got a lot to think about and potentially add into our own business. You can find all the links in the show notes.
You can subscribe to the newsletter at https://honestecommerce.com/ to get each episode delivered right to your inbox.
If you're enjoying this content, consider leaving a review on iTunes, that really helps us out.
Lastly, if you're a store owner looking for an amazing partner to help get your Shopify store to the next level, reach out to Electric Eye at electriceye.io/connect.
Until next time!