As the law develops, many businesses get caught up in expensive and grueling compliance efforts. Consider the scramble to comply with the GDPR when it passed in May of 2018.
Despite the two-year transition period, many people were tearing their hair out right up until the deadline day, trying to jettison personal data that it would suddenly become unlawful for them to hold.
If you're building a business, you have a great opportunity to comply with privacy law right from the start. Too many start-ups focus exclusively on chasing investment or getting their product to market. These things will no doubt occupy most of your attention in the early days. But you can't neglect legal compliance.
We're going to take a look at some of the key challenges that new start-ups face when complying with privacy law. We'll also be looking at some real examples of successful young businesses that have implemented some great solutions.
- 1. Why Privacy Law Matters
- 1.1. Personal Data
- 1.2. The Purpose of Privacy Law
- 2. Some Important Privacy Laws
- 2.1. United States
- 2.2. European Union
- 2.3. Other Places
- 3. Overview of Privacy Law Obligations
- 4. Getting Your House In Order
- 4.1. Conducting a Data Audit
- 5. Determining Your Lawful Basis
- 5.1. When to Get Consent
- 5.2. Processing Under Contract
- 5.3. Your Legitimate Interests
- 6. Being Transparent with Your Customers
- 6.3. Facilitating Your Users' Rights
- 7. Respecting Your Customers' Choices
- 7.1. Consent for Cookies
- 7.2. Consent for Direct Marketing
- 7.3. Consent Via a Mobile App
- 8. Keeping Your Customers' Personal Data Safe
- 8.1. Limiting the Personal Data You Collect
- 8.2. Regularly Deleting Unnecessary Personal Data
- 8.3. Protecting Against Hackers
- 8.4. Assessing Risk
- 9. Conclusion
Why Privacy Law Matters
What's the main purpose of your new start-up? Perhaps you've found a cost-effective way to produce a consumer product. Or you've developed an app that people will want to download. Or maybe you're setting up a website that you hope will draw large amounts of traffic.
Whatever your answer to this question, you will almost certainly need to comply with privacy law. Any business that engages in the processing of personal data will have to think about the legal implications of doing so. And every successful business "processes personal data" to some extent.
Privacy law (and data protection law - we'll be using the terms interchangeably throughout this article) seeks to help consumers maintain control over the way businesses treat personal data.
Personal Data
The term "personal data" (sometimes called "personal information" or "personally identifiable information") can refer to any piece of information that identifies a person. This definition can be interpreted very broadly.
Personal data can include:
- Information that directly identifies a person. A name or an email address are good examples of this.
- Information that could indirectly identify a person. A person's phone number, on its own, won't identify a person. But it could identify a person when combined with other information. The principle extends to online identifiers, such as login credentials, cookies and even IP addresses (under certain circumstances).
Processing personal data means doing something with it - collecting it, storing it, sharing it, erasing it, etc.
The Purpose of Privacy Law
It's increasingly easy, and common, for a business to gather large amounts of personal data.
Privacy law can fulfill some of the following purposes:
- Limiting the amounts or types of personal data that businesses can collect
- Restricting the ways in which businesses can collect, store and share personal data
- Setting rules about how businesses directly communicate with their customers
This means that privacy law is particularly relevant to many common business activities, including:
- Behavioral advertising (sometimes called "targeted" or "personalized" advertising)
- Direct marketing (e.g. email marketing)
- Market research
- Data collection via apps and other software (for example, use of location data)
Some Important Privacy Laws
Different legal jurisdictions have very different approaches when it comes to regulating the processing of personal data.
Many privacy laws have extraterritorial scope, meaning that they apply to any businesses operating within the law's jurisdiction, whether the business itself is based there or not.
United States
Privacy law in the United States is not well-established. There are some important federal privacy laws that apply to specific types of businesses. For example:
- The Children's Online Privacy Protection Act (COPPA)
- The Health Insurance Portability and Accountability Act (HIPAA)
- The Gramm-Leach-Bliley Act (a law regulating financial institutions)
These privacy laws don't apply to everyone. If you're operating in the United States, however, you need to be aware of some of California's state privacy laws, such as:
- The California Online Privacy Protection Act (CalOPPA)
- The California Consumer Privacy Act (CCPA) as amended and expanded by the CPRA
Because these laws protect the privacy of California consumers, they effectively apply to all businesses operating in the U.S. (so long as they fit within the definition of a "business" within the scope of the laws).
It's also important to be aware of CAN-SPAM, a federal law which regulates direct marketing activities.
European Union
The European Union (EU) is streets ahead of the rest of the world when it comes to regulating online privacy. All EU countries are signed up to these laws (including the United Kingdom).
Two important privacy laws in the EU are:
If your start-up can comply with the strict rules set by the EU, it will be in a position to comply with many other privacy laws as well. With this in mind, the guidance in this article is designed to help start-ups reach this very high standard of compliance.
Of course, not all businesses will actually need to obey EU law. But it does apply to many companies based outside of the EU. You'll have to comply with EU privacy law if you:
- Offer goods and services in the EU, or
- Monitor the behavior of people within the EU, including via behavioral advertising campaigns
This applies regardless of where you're doing business from.
Other Places
Most major economies have laws regulating the way companies treat personal data and make contact with their customers. Here are just a couple of examples:
Overview of Privacy Law Obligations
First, let's look at a very basic overview of the differences between the world's major privacy laws.
| | United States | EU | Other places |
|---|---|---|---|
| Who the law applies to | CalOPPA applies to operators of a commercial website or app that processes the personal data of consumers in California. COPPA applies only to businesses of a certain size or type. Unless your startup is already making $25 million annually (if so, well done!), or makes most of its money selling personal data, COPPA likely doesn't apply to you. | The GDPR can apply to any organization or individual operating in the EU. Not only businesses but also sole traders, churches, government departments - everyone has to comply. The size of the operation is irrelevant for almost all purposes. | Canada's PIPEDA applies to businesses engaged in commercial activity and also certain federal institutions. Australia's Privacy Act 1988 applies to public bodies, to any Australian company that has an annual turnover of over $3 million AUD, and any that trade in personal information. |
| Who the law protects | CalOPPA and COPPA protect "consumers" (private persons residing in California). | The GDPR protects "natural persons," and so applies whenever your company handles anyone's personal data (customers, employees, clients, etc). | PIPEDA only applies to commercial activity (in respect of private businesses), and so effectively only applies to consumers. The Privacy Act 1988 applies in a broader range of situations, even for private companies, but is not as pervasive as the GDPR. It will cover customer data and employee data (in some circumstances). |
| How the law defines personal data | CalOPPA lists six types of information that it defines as personal information (personal data) including name, email address, and social security number. Online identifiers such as cookies or IP addresses are considered personal information when they are stored in combination with one of the six types of personal information above. COPPA defines personal data in the same way as the GDPR. | The GDPR has a very broad definition of personal data which covers any information that might directly or indirectly identify a person. Aside from the obvious, this can also include cookies, IP address, Android IDs, GPS data, etc. | The obvious direct identifiers, such as name, address and social security number, will be considered personal data under any privacy law. Cookies and other online identifiers have an uncertain place in privacy laws outside of the EU and California. In certain contexts, they might be considered personal data. Please see our article on Cookie Consent Outside of the EU for more information. |
| Other obligations the law places on businesses | COPPA requires businesses to facilitate a number of consumer rights. Consumers may request access to their personal data, request that it is not sold or shared, and request that it is deleted. | The GDPR places a large number of obligations on businesses. | Both PIPEDA and the Privacy Act 1988 require businesses to adhere to certain principles that include providing access to personal data and storing personal data securely. |
Getting Your House In Order
The first thing you should do to comply with privacy law is to learn how your start-up processes personal data.
Your start-up is still in its early stages, but you may already know:
- What service or product you're providing
- Which countries you're operating in
- Who you're marketing to
- What methods you're using for marketing
Even with this very basic amount of information, you can start taking practical steps towards privacy law compliance.
Conducting a Data Audit
Conducting a data audit is a crucial first step in preparing for compliance. You must get some idea of how personal data flows around your company.
This is a relatively simple process, but likely to reveal some surprises. Think about the sorts of information that constitute personal data in the laws that apply to you.
- Inbound sources of personal data
- Types of personal data you collect via these sources
- Purposes for collecting this personal data
- Locations where personal data is stored within your company
- Outbound recipients of personal data
By thinking about personal data in this systematic way, you can keep it under control and ensure that you're always legally compliant.
Determining Your Lawful Basis
If you're required to comply with the GDPR, you'll need to consider your lawful basis (or "legal basis") for processing personal data. This means thinking about each of the different ways in which you process personal data, and considering whether or how this fits within the GDPR's six lawful bases for processing personal data.
If you've identified something you want to do, and you need to process personal data in order to do it, you need to have a lawful basis before you can go ahead.
The GDPR provides six lawful bases:
- Consent: You've gained the person's permission to process their personal data
- Contract: You need to process personal data to carry out your obligations under a contract, or in order to enter into a contract
- Legal obligation: You're required by law to process personal data in a specific way
- Vital interests: You need to process personal data to preserve someone's life
- Public task: You've been given special legal powers to process personal data for the benefit of the general public
- Legitimate interests: Your business is carrying out a legitimate activity, and it is necessary to process personal data. You've carefully weighed the benefits against the risks to the person whose personal data is being processed.
It's up to you to decide which of these lawful bases apply to the activities of your business. If you can't see that an activity conforms with any lawful basis, you may need to stop doing it, or do it in a different way.
It's likely that you'll be mostly relying on consent, contract, and legitimate interests for the bulk of your data processing activity. Let's take an in-depth look at these three lawful bases.
When to Get Consent
Consent commonly forms the lawful basis for activities that are not essential to carrying out your core services or for activities where your customers might not expect their personal data to be used in a given way.
Certain activities will almost always require consent under the GDPR, for example:
- Using cookies for advertising or tracking purposes
- Sending direct marketing communications, particularly to people with whom you do not have a strong pre-existing business relationship
- Processing sensitive personal data, for example without a contract in place
There might be other reasons to ask for your customers' consent. Here's a real-life example.
Flux launched in 2017. Its business model focuses on the digitization of shopping receipts. Part of Flux's activity involves behavioral advertising. Flux offers information about its users to third-party companies who then target those users with discount offers.
We have a full-length article on consent under the GDPR if you want to know more about this topic. We'll also be looking below at how to request consent for cookies and direct marketing.
Processing Under Contract
Sometimes you have agreed to carry out an activity under a contract, and you need to collect or use someone's personal data in order to do this.
For example, you've sold a customer a product and agreed to deliver it to them. How could you possibly do this without collecting their shipping address?
The lawful basis of contract is not interchangeable with consent. To engage the lawful basis of contract, it must be necessary to process someone's personal data in order to either
- Fulfill your contractual duties to them, or
- Enter into a contract with them
If it's not necessary to process personal data to do either of these things, this lawful basis does not apply.
Let's take a look at an example of the first point above.
Under this contract, it's necessary for Perlego to use a customer's email address to communicate with them.
Your Legitimate Interests
There are some occasions on which it might not be possible or appropriate to get someone's consent to process their personal data in a particular way. You might need to process personal data in pursuit of the legitimate interests of your business.
This is quite a flexible lawful basis that can be used for a broad variety of purposes. But you must exercise caution if you plan to rely on it.
Before you can know whether legitimate interests is an appropriate lawful basis for a given act of data processing, you'll need to carry out a Legitimate Interests Assessment. You can read our article on the 3 Part Test for Legitimate Interests for more information about this.
If you've determined that the data processing you have in mind satisfies the GDPR's requirements, you can process personal data without consent or a contract (or on any of the other lawful bases).
Liguimi is saying that it has a legitimate interest to send, receive and store correspondence with its customers, and also process data about that correspondence. The company identifies several legitimate reasons for which it can do this:
- Communicating with its customers
- Keeping records
- Administrating the site and app
- Exercising or defending against legal claims
Being Transparent with Your Customers
Transparency is a cornerstone of almost every privacy law. You must tell people, at every reasonable opportunity, how you process their personal data. And you need to tell them in a language that they understand - not in complicated legalese.
Want to use Mailchimp to help with your email marketing? Here's what Mailchimp requires from its EU users:
- The practices of your company
- The laws with which you need to comply
- The types of personal data you collect
- The purposes for which you process personal data
- The types of companies with whom you share personal data
Beyond this, different laws have different transparency requirements.
Some companies go as far as to provide two separate policies, such as Industry Guru:
You should present information about your privacy practices on your website's homepage, within your app, and whenever you request or collect personal information from your customers.
Let's look at how some recent successful start-ups present their privacy information online.
Amicable launched an app in 2016 to help married couples stay on good terms throughout the divorce process. Amicable has even taught its chatbot to recite some basic privacy information:
Facilitating Your Users' Rights
Your customers have certain rights over their personal data.
Many privacy laws require companies to provide their customers access to any personal data that they hold on them. Some privacy laws go further, requiring companies to amend or erase customer data on request.
You might not be surprised to hear that the GDPR goes the furthest of all privacy laws in this regard. You can read more about this in our article about the 8 User Rights Under the GDPR.
First, the policy lists the GDPR user rights, linking to the website of the Information Commissioner's Office (ICO) which provides further information about each one. Here's an excerpt of the full clause:
Homelyfe then provides contact details for customers who might wish to exercise these rights:
Make sure you're aware of your customers' data rights, that you make your customers aware of these rights, and that you have a system in place to help them exercise these rights.
Respecting Your Customers' Choices
We've talked about when it's appropriate to get consent under the GDPR. You also need to know how to get consent in a way that is compliant with the GDPR.
The GDPR sets a very high threshold for what it considers to be consent. Unlike under some privacy laws, you cannot assume that you have a person's consent. You need to really ask for it, and they need to know what they're getting into.
There are five components of valid consent under the GDPR. Consent must be:
- Freely given: Don't pressure a person into giving consent or impose any detriment on them if they refuse.
- Specific: Don't "bundle" consent for several things up into a single request.
- Informed: Provide clear information about what the request means.
- Unambiguous: Make sure you can demonstrate that the person is clearly happy to consent.
- Given via a clear affirmative action: Ensure you have your customer's express consent by asking them to tick a box or say "I consent."
Once you have a person's consent, you must make it as easy to withdraw the consent as it was to give it.
Consent for Cookies
EU law (specifically the ePrivacy or Cookies Directive) requires you to obtain consent for any cookies that aren't essential for communication or necessary to provide the user with a service they have requested.
This means that any cookies associated with advertising or analytics require consent. Cookies used for load-balancing, essential security, or multimedia players generally don't require consent.
If you're using cookies for other purposes, such as analytics, tracking, and advertising, you'll need to get consent before you set these on a user's device. And the same five components of GDPR consent must be met. This is why you might have noticed so many "cookie banners" popping up on websites in recent years.
Frankly, there are few companies that obey the rules around cookie consent to the letter. But it is a legal requirement, even if it's often ignored.
Here's an example of a reasonably good cookie consent solution from management consultant start-up Issoria:
Visitors to Issoria's website are invited to accept cookies, and given the option to decline them. Issoria doesn't simply tell visitors that cookies have already been set - a practice that is all too common, and that is not compliant with the GDPR.
Consent for Direct Marketing
The GDPR means that "opt-out" methods of acquiring consent are no longer valid. Consent must be given by a clear, affirmative action.
Some companies have interpreted this as meaning that an unchecked checkbox will always be required to validate consent. Here's an example from snack food start-up Well & Truly:
In fact, clicking "subscribe now" would most likely be enough to satisfy the GDPR's consent requirements. There's no real need to ask the user to also check a box. But there's no harm in it, either.
It's important that consent is specific. So, if you're asking for personal data for one purpose, ensure that you ask specifically for consent if you want to use it for another.
Here's an example from parcel-tracking start-up HubBox, taken from its account creation process:
Not everyone who creates an account will want to receive marketing emails. So it's good that HubBox has provided a clear opt-in for this.
Consent Via a Mobile App
If your company provides a mobile app, it's important to be aware that there are strict requirements around how that app collects data from a user's device.
These requirements arise both from privacy law and from third parties such as Apple and Google.
Apple is particularly vigilant when it comes to regulating how apps request "permissions". When a developer wishes their app to access user data, Apple requires them to request the user's permission, and also state the purpose for which they are making the request.
Here's an excerpt from Apple's guidance on Accessing Protected Resources:
Android developers must also carefully consider how their app collects user data and requests permissions. Android developers whose app has EU users are required to comply with Google's EU User Consent Policy. Here's an excerpt from the agreement:
Keeping Your Customers' Personal Data Safe
Your business has an obligation to collect personal data only when necessary, and to keep personal data secure.
If you're still building your product or setting up your processes, you're at an advantage here. You don't need to retrofit your systems with legally compliant security features. You can build data protection into your systems by design and by default.
Limiting the Personal Data You Collect
One of the easiest ways to avoid a data breach is to have as little personal data in your systems as possible. This means only asking for the personal data that you need in connection with a specific purpose.
For example, do you really need anything other than a person's email address in order to sign them up to your mailing list? Educational tech startup Curiscope keeps this process as simple as possible:
You can read more about "data minimization" in our article on the 6 Privacy Principles of the GDPR.
Regularly Deleting Unnecessary Personal Data
Another simple and effective way to avoid a security incident is not to have personal data hanging around in storage for any longer than necessary.
It's important to have a system for regularly reviewing the different types of personal data you keep on file.
You can schedule regular deletion of certain types of personal data. You might decide that you do not need to keep customer invoices for longer than, say, six years.
For other types of personal data, you can set a specific period after which the data will be deleted following a "trigger" event. For example, the personal data associated with an account is deleted 28 days after the account is closed.
Protecting Against Hackers
Cybersecurity becomes more crucial with each passing year. Practically every business needs to consider the steps they can take to keep personal data secure. And this is particularly important for innovative tech startups.
Let's take the example of Israeli startup Pixoneye, launched in late 2016. Pixoneye's product is an app that collects personal data from the photo gallery on a person's mobile phone. This can be used to infer information about their preferences, behavior, and intentions. The company then shares metadata gathered via this process with advertisers.
This activity is potentially very risky and intrusive. So Pixoneye is required to take some extraordinary steps to keep personal data safe. One way in which it does so is to keep data processing local to the user's device as far as possible.
This is just one example of the sort of methods that might be used to secure your customers' personal data.
Of course, the context of your start-up might be very different from that of Pixoneye. You can still implement security methods such as:
- Using methods such as pseudonymization and anonymization wherever possible
- Employing TLS/SSL protocols during data transfers
- Encrypting company devices and hard-drives
- Implementing strict access controls and regularly reviewing permissions
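The first bullet above, pseudonymization, is most useful at the point where personal data leaves your company, for instance when user information is passed to a third party for discount offers (the Flux example earlier on this page). The added example below is not code from the original article or from any company it mentions: it replaces the email address with a keyed HMAC token, so a partner can recognise a returning user without being able to identify them, and it drops every field the stated purpose does not need. The field names, the per-purpose allow-list and the sample record are assumptions.

```python
"""Pseudonymising and minimising a customer record before sharing it.

Added example (not code from the original article). The HMAC key is the
re-identification secret: keep it in a secrets manager, separate from the
shared data, and the partner cannot recover or recompute identities.
Field names, purposes and the sample record are assumptions.
"""
import hashlib
import hmac
import secrets

# Fields each sharing purpose is allowed to receive (constructed allow-list).
PURPOSE_FIELDS = {
    "discount_offers": {"postcode_area", "purchase_category"},
    "usage_analytics": {"purchase_category"},
}


def new_pseudonymisation_key() -> bytes:
    """Generate a fresh 256-bit key; store it separately from shared data."""
    return secrets.token_bytes(32)


def pseudonymise(identifier: str, key: bytes) -> str:
    """Deterministic keyed token for an identifier.

    Same key and same (normalised) input give the same token, so repeat
    users can be matched. Unlike a plain SHA-256 of the email, the token
    cannot be brute-forced from a list of candidate emails without the key.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def minimise_for_purpose(record: dict, purpose: str, key: bytes) -> dict:
    """Build the outbound record: a token in place of the email plus only
    the fields the purpose allow-list permits. Unknown purposes raise, so a
    new sharing use cannot silently leak fields."""
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"no allow-list defined for purpose {purpose!r}")
    allowed = PURPOSE_FIELDS[purpose]
    outbound = {"user_token": pseudonymise(record["email"], key)}
    for name, value in record.items():
        if name in allowed:
            outbound[name] = value
    return outbound


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    # Constructed sample record; "name" and "email" never leave the company.
    customer = {
        "email": "  Alice@Example.com ",
        "name": "Alice Example",
        "postcode_area": "SW1",
        "purchase_category": "coffee",
    }
    print(minimise_for_purpose(customer, "discount_offers", key))
```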
We have an article all about Protecting Personal Data in Your Business if you'd like to read more about this.
Assessing Risk
If your start-up involves innovative or untested technology that might present some threat to the security of people's personal data, it's important that you fully assess and mitigate the risks.
In the EU, this is known as a Data Protection Impact Assessment, and it can be done in conjunction with a Data Protection Authority. It's a legal requirement to conduct such an assessment under certain conditions.
Even if you're not legally required to run a risk assessment, it's advisable to do so if your business model has significant privacy implications.
We have an article about how to carry out a Data Protection Impact Assessment if you'd like to know more on this topic.
Conclusion
Complying with privacy law might be pretty far down your list of priorities if you're trying to get your new start-up off the ground. But taking steps towards compliance from the very start will save you a lot of work and hassle in the long-run.
- Determine which privacy laws you'll need to comply with
- Figure out how personal data flows in and out of your company
- Determine your lawful basis for processing personal data (if you operate in the EU)
- Consider how you can facilitate your users' rights over their personal data
- Earn your users' consent whenever necessary or appropriate
- Implement technical security measures to ensure you're transferring and storing personal data safely
This is just the start of your journey towards legal compliance. You'll also need to consider creating some of the following agreements:
Remember that it's important to tackle these issues as early as possible.