Why Startups Can No Longer Afford To Ignore Privacy: (Part 3 of 4)

This is the third of a four-part blog series examining the issues that startups face in meeting their privacy requirements. The first blog post was a reprint of an article I published along with Frank Vargas of Rimon Law in the New York Law Journal discussing the subject. In that article, we discussed a number of factors that might influence when startups start on their privacy journey. The second blog post covered some of the privacy issues for startups around financing and acquisition. In this third post, I will cover in more detail the types of startups most at risk and the timing issues for when they need to start investing in privacy. Finally, in part four of the series, I will cover some concrete steps that startups should take right away to assess their privacy risk.

Who Is Most At Risk

Some early-stage companies are more likely to need to address privacy early in their development because the data that they collect, or the way that they use it, is addressed under one or more privacy regulations. These companies fall into several categories:

1) Startups offering products/services to consumers

The first category of startups that will need to address privacy early is those that target consumers at scale, or whose business-to-business customers do so. This is because capturing personal information from hundreds or thousands of customers will cause a company to be subject to most of the state privacy laws and the data breach laws. Under both US state privacy regulations and the EU’s General Data Protection Regulation (GDPR), large-scale collection of consumer personal information is considered to be high risk and potentially subject to higher requirements for data protection. Since so much of consumer data collection is subject to the consent of the consumers and the ability to opt out or the requirement to opt in, the appropriate notices and consent screens must be in place before the product is first released.

2) Startups that plan to sell globally

Privacy regulations across the EU, UK, and Asian countries restrict the transfer of information outside of their jurisdictions.  These restrictions make it difficult and expensive for early-stage companies that want to sell globally to comply.  Either they must enter into complex legal agreements with each of their business partners in those countries, or they must offer duplicative infrastructure in each jurisdiction to avoid data transfers.  

Startups will be subject to GDPR if they offer their products to customers in the EU, and they must start their privacy work immediately. Because of data transfer restrictions, it is often most effective to start planning privacy while the product is still in development. In addition, most foreign data protection laws provide for more extensive consumer rights than US data protection laws, such as the right to be forgotten and the right to portability of data. These rights must be supported from day one (though manual support in the early stages is often sufficient).

3) Startups that are selling to large businesses

Large businesses are difficult customers for startups. They typically require mature privacy and security processes because they are already subject to global privacy regulations and are legally required to ensure that their startup partners also meet those regulatory requirements for data protection. Any large business that operates internationally is required to ensure privacy in all of its contracts, whether the partner is a startup or a big company. For example, under GDPR, companies must put all of their vendors under contracts that specify privacy and security requirements and must ensure that all of their processors can meet their GDPR requirements.

Companies selling to large businesses may be required to develop and document mature privacy and security practices even prior to the release of their products in order to win the business.  In some cases, even beta testing their products at large customers will require a legal agreement committing to extensive privacy and security practices.

4) Startups that are Selling or Sharing Personal Information

Startups that are planning to share and sell information as part of their business model should address privacy early. Most privacy regulations restrict a company’s ability to share personal information of consumers, and they require notice and prior informed consent for the sale of consumers’ personal information. Active enforcement in this area has led to high-profile violations of these requirements, such as the recent FTC settlement in which Twitter agreed to pay a $150 million fine after federal law enforcement officials accused the social media company of illegally using people’s personal data over six years to help sell targeted advertisements.

For startups with selling or sharing of personal information as part of their core business model, it is absolutely essential that they understand and work within the privacy regulatory framework in order to get investment and to build their businesses.   Similarly, these policies should be in place for high-risk companies prior to, or coincident with, the release of their products.  

5) Startups in Highly Regulated Industries

Startups that are collecting the type of information already regulated by industry-specific privacy regulations must address privacy early. This includes companies collecting health information covered by the Health Information Portability and Accountability Act (HIPAA), companies in financial services covered by the Gramm-Leach-Bliley Act (GLBA) and Dodd-Frank regulations, companies that are involved in collecting or processing consumer credit information covered by the Consumer Credit Protection Act (CCPA) and Fair Credit Reporting Act (FCRA), and others. This list also includes industry compliance standards such as the Payment Card Industry Data Security Standard (PCI DSS), which regulates use of credit card payment information.

For those governed by HIPAA and other industry-specific privacy regulations, early attention to the rules is a must, but keep in mind that even if the startup has complied with these specific regulations, it will still be liable for general state, federal and international privacy regulations unless a specific exemption applies.

If the startup company fits into more than one of the categories listed above (and many do), it is critical that they take action early to ensure that they comply with privacy and security regulations as they grow, while minimizing their cost and time in the process.

6) Startups that are collecting sensitive personal information

Startups that are collecting sensitive personal information must address privacy early because privacy regulations impose much more stringent requirements on sensitive personal information such as gender, age, sexual orientation, health, etc. In addition, a host of separate regulations cover biometric data such as facial images, fingerprints and optical scans. Startups need to understand the conditions under which such biometric data will be regulated. It is also important to remember that information like gender, age and sexual orientation may be treated as sensitive even if it is “inferred” through profiling and not provided directly by consumers. Furthermore, health information may include mental health information.

In cases where sensitive personal information is being collected, US data protection regulations may interact with sector specific regulations, such as HIPAA or credit reporting laws.  Handling of that sensitive information should be reviewed during development of applications to ensure the best position for the company.  For example, health information that is subject to HIPAA is likely to be exempt from the California Consumer Privacy Act.  However, other personal information that is also collected and stored along with health information can also be exempt if it is handled exactly like the health information.  In some cases, this may result in fewer regulatory requirements.  

It is very important that product developers plan the handling of sensitive personal information into product data architectures at the earliest possible stages.

7) Startups that target children under age 18

Consumer applications that target or allow use by children under the age of 18 will be subject to very different rules for collecting any personal information, which basically means allowing the creation of accounts. Most regulations require opt-in consent for internet-based products and services by the parent or guardian, and startups will be required to attempt to verify this consent. The federal Children’s Online Privacy Protection Act (COPPA) regulates access by children under 13 years of age. The GDPR regulates personal data of children under the age of 16 years. However, California has just passed new privacy legislation regulating use of internet-based products and services by children under the age of 18. The new California law is modeled after a U.K. law which went into effect in September 2021. Any products and services that are internet based must consider all of these regulations, with their differing rules that kick in at different ages.

When Startups Should Act

Based on the foregoing, startups and their advisors need to consider when is the best time to pay sufficient attention to privacy concerns and data security. Given the expanded representations in financing documents, and the potential cost and availability issues with cyber insurance, we would argue that earlier is better. Since the privacy regulations affect not just the external policy statements published on companies’ websites but also the behind-the-scenes policies regarding software development, software and database hosting and data migration across international boundaries, money spent early on can save companies a great deal of money later on.

Software and technology companies should also consider the stage of development of their products at which implementation of privacy requirements can be most cost effective.  For example, software companies implementing user consent screens as part of the account creation process or data capture process may find that the best time to implement the correct privacy practices is during the user interface development and review process.  Often, changing the screens and any associated process changes can be much more expensive and time consuming (not to mention disruptive for customers) if done after the first release of the product.  Similarly, technology companies that are storing and transferring personal information may find that reviewing their data flows for privacy compliance is best done during the design of their product, so that changes to the data flows or to data organization, and changes to encryption and anonymization can be implemented during the development process.  Such changes could be very disruptive if they are made after the product has been implemented.

The Bottom Line

Startups often do not have the luxury of waiting until they are funded and successful in order to address key privacy and security requirements. High-profile data breaches and high-risk business models have pushed investors, business partners and customers to demand mature privacy practices from startups at the earliest stages. Fortunately, implementing privacy in products and processes is actually much more cost effective when products are still in development and companies are small. For these reasons, startups simply have to get on the privacy bandwagon at the beginning of their life.

In the next blog post, I will address how to do that without breaking the bank.
