This is the first of a four part blog series examining the issues that startups face with meeting their privacy requirements. This first blog post is a reprint of an article I published along with Frank Vargas of Rimon Law in the New York Law Journal discussing the subject. In the next three blog posts, we will cover some of the topics introduced in that article in more detail. In part two I will cover investor and buyer expectations for privacy. In part three, I will cover timing issues for startups and when they need to start thinking about privacy. Finally, in part four, I will cover some concrete steps that startups should take right away to assess their privacy risk.

Why startups can no longer afford to ignore privacy

Unlike larger more established companies, early-stage companies need to have simple and cost-effective ways to address their privacy risks.

By Francis Vargas and Joan Wrabetz | August 09, 2022 at 10:00 AM

Many of us remember the days when meeting the rules regarding personal information meant using the same privacy policy form for every client wherever they were located, wherever the operations took place and whatever the data.

For most of us who advocate for, represent, or work alongside technology companies, privacy policies were something we paid little attention to or ignored until the client grew to host a few thousand customers.

Those who represented non-tech companies mostly ignored the issue altogether and were lucky if they had a simple privacy policy on their website, since they did not consider themselves a “tech” company and did not feel they were using customer data, such as Meta or Alphabet.

However, when the EU adopted the General Data Protection Regulation (GDPR) in 2016 (which replaced previous privacy legislation adopted in 1995, The European Data Protection Directive (Directive 95/46/EC)), it established the first comprehensive privacy regulation pertaining to the use and protection of personally identifiable information. Until this point, it was typical for companies to monetize the personal information of its customers with little concern about regulations or regulatory overview.

Since 2016, the EU has further expanded its regulations and other countries have followed suit. In the United States, for example, although there is no uniform federal regulation relating to personal information outside of regulations related to minors, individual states have taken up the mantel to create comprehensive privacy regulations regarding personal information use by corporations on behalf of their citizens.

Until recently, because of the absence of uniform privacy regulations, many investors and acquirers in particular paid scant attention to privacy. However, the confluence of growing data breaches, ransomware attacks, and high-profile data misuse fines by the FTC and European Union, particularly among technology companies as well as new state level privacy regulations, have caused the venture capital and M&A communities to respond.

Further, acquirers are now requiring covenants as part of any purchase agreement that sellers obtain ‘cyber-insurance.’ Unfortunately, cyber-insurance is also becoming more expensive and more difficult to obtain, as the insurance industry responds to the increased frequency, cost, and risk of data privacy and security incidents.

A recent Fitch Rating found that cyber-insurance renewal premium rates have been growing consistently quarter on quarter since 2019, with growth of over 30% in Q4 of 2021 alone. Jake Holland, “Cyber Insurance Policies Grow Pricey Amid Rising Hacks, Lawsuits,” Privacy & Data Security Law, Bloomberg Law (May 31, 2022).

Smaller or indeed startup companies often also have the mistaken belief that their general liability insurance will cover data breaches and other data privacy violations. This is often not the case.

For example, wrongfully collecting or handling biometric data, which is subject to a separate set of laws, is often not covered by standard cyber-insurance policies. Worse yet, many small companies will find that they are not eligible for such insurance because they do not already have the appropriate policies and practices in place.

Accordingly, early-stage companies are more likely to need to address privacy early in their development.

When Startups Should Act

Legal counsel and compliance advisors working for startups need to consider when the best time is for their clients to pay sufficient attention to privacy concerns and data security. Given the expanded representations in financing documents, and the potential cost and availability issues with cyber insurance, we would argue that earlier is better.

Since the privacy regulations affect not just the external policy statements published on company’s websites but also the behind-the-scenes policies regarding software development, software and database hosting and data migration across international boundaries, money spent early can greatly save companies money later on.

For those governed by industry specific privacy regulations, early attention to the rules is a must, but keep in mind that even if the startup has complied with these specific regulations, state privacy regulations may also apply.

Software and technology startup companies for example, should also consider the stage of development of their products at which implementation of privacy requirements can be most cost effective. For instance, software companies implementing user consent screens as part of the account creation process or data capture process may find that the best time to implement the correct privacy practices is during the user interface development and review process. Often, changing the screens and any associated process changes can be much more expensive and time consuming (not to mention disruptive for customers) if done after the first release of the product.

Similarly, technology companies that are storing and transferring personal information may find that reviewing their data flows for privacy compliance is best done during the design of their product, so that changes to the data flows or to data organization, and changes to encryption and anonymization can be implemented during the development process.

Such changes could be very disruptive if they are made after the product has been implemented.

Unlike larger more established companies, early-stage companies need to have simple and cost-effective ways to address their privacy risks. They will not have a privacy team in place, and typically will not have a general counsel. Often, they will not even have an outside lawyer in place with specific privacy expertise. But there are some steps that the startup counsel can recommend:

(1) Review the startup’s business model, go to market plan, and product/technology in order to understand whether the startup falls into any ‘high-risk’ categories. Also, discuss the startup’s plans for financing to determine when the proper policies and practices need to be in place to avoid lengthy due diligence processes.

(2) Understand what legal regulations the startup will be subject to in its first year of product delivery based on its business model and go to market plan.

(3) Evaluate cyber-insurance early and determine when and whether such insurance is possible and what policies that startup needs to have in place in order to qualify for it.

(4) Perform a privacy impact assessment early to understand the privacy risks that are most likely for the startup and put a plan in place to address the highest risks.

(5) Understand and document the product/technology’s dataflows and assess whether there are high risks associated with these dataflows.

(6) Put customized privacy policies in place for website and software applications and ensure that customers and partners are consenting to these policies.

Because of the increase in regulation, fines and data breaches, companies need to focus on their data policies and protection much earlier than they have in the past. No longer can founding and management teams ignore data protection or rely on outdated policies that have not been updated in years.

A startup’s ability to ultimately get funded and potentially acquired will be impacted by the maturity of its privacy policies. Startups who collect personal information from consumers, those who collect sensitive personal information, those who intend to share and sell personal information, and those who sell to large corporations are most likely to need mature privacy practices early in their life.

Starting to become smart about privacy at an early stage is both smart and cost effective.

Francis Vargas is a partner at Rimon PC. Over the last 38 years, he has represented technology companies from startup through public offering, including angel and venture financings and mergers and acquisitions. Joan Wrabetz is a founding member and co-manager at Trust360 LLC, a privacy consulting firm. She has held C level positions at both early stage and large multi-national corporations over the last 30 years, where she has been involved in the purchase and sale of early-stage companies. The views expressed are their own.