19 February 2020
As the law develops, many businesses get caught up in expensive and grueling compliance efforts. Consider the scramble to comply with the GDPR when it passed in May of 2018.
Despite the two-year transition period, many people were tearing their hair out right up until the deadline day, trying to jettison personal data that it would suddenly become unlawful for them to hold.
If you're building a business, you have a great opportunity to comply with privacy law right from the start. Too many start-ups focus exclusively on chasing investment or getting their product to market. These things will no doubt occupy most of your attention in the early days. But you can't neglect legal compliance.
We're going to take a look at some of the key challenges that new start-ups face when complying with privacy law. We'll also be looking at some real examples of successful young businesses that have implemented some great solutions.
What's the main purpose of your new start-up? Perhaps you've found a cost-effective way to produce a consumer product. Or you've developed an app that people will want to download. Or maybe you're setting up a website that you hope will draw large amounts of traffic.
Whatever your answer to this question, you will almost certainly need to comply with privacy law. Any business that engages in the processing of personal data will have to think about the legal implications of doing so. And every successful business "processes personal data" to some extent.
Privacy law (and data protection law - we'll be using the terms interchangeably throughout this article) seeks to help consumers maintain control over the way businesses treat personal data.
The term "personal data" (sometimes called "personal information" or "personally identifiable information") can refer to any piece of information that identifies a person. This definition can be interpreted very broadly.
Personal data can include:
Processing personal data means doing something with it - collecting it, storing it, sharing it, erasing it, etc.
It's increasingly easy, and common, for a business to gather large amounts of personal data.
Privacy law can fulfill some of the following purposes:
This means that privacy law is particularly relevant to many common business activities, including:
Different legal jurisdictions have very different approaches when it comes to regulating the processing of personal data.
Many privacy laws have extraterritorial scope, meaning that they apply to any businesses operating within the law's jurisdiction, whether the business itself is based there or not.
Privacy law in the United States is not well-established. There are some important federal privacy laws that apply to specific types of businesses. For example:
These privacy laws don't apply to everyone. If you're operating in the US, however, you need to be aware of some of the state privacy laws of California, such as:
Because these laws protect the privacy of California consumers, they effectively apply to all businesses operating in the US (so long as they fit within the definition of a "business" within the scope of the laws).
It's also important to be aware of CAN-SPAM, a federal law which regulates direct marketing activities.
The European Union (EU) is streets ahead of the rest of the world when it comes to regulating online privacy. All EU countries are signed up to these laws (including the United Kingdom).
Two important privacy laws in the EU are:
If your start-up can comply with the strict rules set by the EU, it will be in a position to comply with many other privacy laws as well. With this in mind, the guidance in this article is designed to help start-ups reach this very high standard of compliance.
Of course, not all businesses will actually need to obey EU law. But it does apply to many companies based outside of the EU. You'll have to comply with EU privacy law if you:
This applies regardless of where you're doing business from.
Most major economies have laws regulating the way companies treat personal data and make contact with their customers. Here are just a couple of examples:
First, let's look at a very basic overview of the differences between the world's major privacy laws.
| | United States | EU | Other places |
|---|---|---|---|
| Who the law applies to | CalOPPA applies to operators of a commercial website or app that processes the personal data of consumers in California. COPPA applies only to businesses of a certain size or type. Unless your startup is already making $25 million annually (if so, well done!), or makes most of its money selling personal data, COPPA likely doesn't apply to you. | The GDPR can apply to any organization or individual operating in the EU. Not only businesses but also sole traders, churches, government departments - everyone has to comply. The size of the operation is irrelevant for almost all purposes. | Canada's PIPEDA applies to businesses engaged in commercial activity and also certain federal institutions. Australia's Privacy Act 1988 applies to public bodies, to any Australian company that has an annual turnover of over $3 million AUD, and any that trade in personal information. |
| Who the law protects | CalOPPA and COPPA protect "consumers" (private persons residing in California). | The GDPR protects "natural persons," and so applies whenever your company handles anyone's personal data (customers, employees, clients, etc). | PIPEDA only applies to commercial activity (in respect of private businesses), and so effectively only applies to consumers. The Privacy Act 1988 applies in a broader range of situations, even for private companies, but is not as pervasive as the GDPR. It will cover customer data and employee data (in some circumstances). |
| How the law defines personal data | CalOPPA lists six types of information that it defines as personal information (personal data) including name, email address, and social security number. Online identifiers such as cookies or IP addresses are considered personal information when they are stored in combination with one of the six types of personal information above. COPPA defines personal data in the same way as the GDPR. | The GDPR has a very broad definition of personal data which covers any information that might directly or indirectly identify a person. Aside from the obvious, this can also include cookies, IP address, Android IDs, GPS data, etc. | The obvious direct identifiers, such as name, address and social security number, will be considered personal data under any privacy law. Cookies and other online identifiers have an uncertain place in privacy laws outside of the EU and California. In certain contexts, they might be considered personal data. Please see our article on Cookie Consent Outside of the EU for more information. |
| Other obligations the law places on businesses | COPPA requires businesses to facilitate a number of consumer rights. Consumers may request access to their personal data, request that it is not sold or shared, and request that it is deleted. | The GDPR places a large number of obligations on businesses. | Both PIPEDA and the Privacy Act 1988 require businesses to adhere to certain principles that include providing access to personal data and storing personal data securely. |
The first thing you should do to comply with privacy law is to learn how your start-up processes personal data.
Your start-up is still in its early stages, but you may already know:
Even with this very basic amount of information, you can start taking practical steps towards privacy law compliance.
Conducting a data audit is a crucial first step in preparing for compliance. You must get some idea of how personal data flows around your company.
This is a relatively simple process, but likely to reveal some surprises. Think about the sorts of information that constitute personal data in the laws that apply to you.
Your audit should record, for each flow of personal data:
- Inbound sources of personal data
- Types of personal data you collect via these sources
- Purposes for collecting this personal data
- Locations where personal data is stored within your company
- Outbound recipients of personal data
By thinking about personal data in this systematic way, you can keep it under control and ensure that you're always legally compliant.
If you're required to comply with the GDPR, you'll need to consider your lawful basis (or "legal basis") for processing personal data. This means thinking about each of the different ways in which you process personal data, and considering whether or how this fits within the GDPR's six lawful bases for processing personal data.
If you've identified something you want to do, and you need to process personal data in order to do it, you need to have a lawful basis before you can go ahead.
The GDPR provides six lawful bases:
It's up to you to decide which of these lawful bases apply to the activities of your business. If you can't see that an activity conforms with any lawful basis, you may need to stop doing it, or do it in a different way.
It's likely that you'll be mostly relying on consent, contract, and legitimate interests for the bulk of your data processing activity. Let's take an in-depth look at these three lawful bases.
Consent commonly forms the lawful basis for activities that are not essential to carrying out your core services or for activities where your customers might not expect their personal data to be used in a given way.
Certain activities will almost always require consent under the GDPR, for example:
There might be other reasons to ask for your customers' consent. Here's a real-life example.
Flux launched in 2017. Its business model focuses on the digitization of shopping receipts. Part of Flux's activity involves behavioral advertising. Flux offers information about its users to third-party companies who then target those users with discount offers.
We have a full-length article on consent under the GDPR if you want to know more about this topic. We'll also be looking below at how to request consent for cookies and direct marketing.
Sometimes you have agreed to carry out an activity under a contract, and you need to collect or use someone's personal data in order to do this.
For example, you've sold a customer a product and agreed to deliver it to them. How could you possibly do this without collecting their shipping address?
The lawful basis of contract is not interchangeable with consent. To engage the lawful basis of contract, it must be necessary to process someone's personal data in order to either
If it's not necessary to process personal data to do either of these things, this lawful basis does not apply.
Let's take a look at an example of the first point above.
Under this contract, it's necessary for Perlego to use a customer's email address to communicate with them.
There are some occasions on which it might not be possible or appropriate to get someone's consent to process their personal data in a particular way. You might need to process personal data in pursuit of the legitimate interests of your business.
This is quite a flexible lawful basis that can be used for a broad variety of purposes. But you must exercise caution if you plan to rely on it.
Before you can know whether legitimate interests is an appropriate lawful basis for a given act of data processing, you'll need to carry out a Legitimate Interests Assessment. You can read our article on the 3 Part Test for Legitimate Interests for more information about this.
If you've determined that the data processing you have in mind satisfies the GDPR's requirements, you can process personal data without consent or a contract (or on any of the other lawful bases).
Liguimi is saying that it has a legitimate interest to send, receive and store correspondence with its customers, and also process data about that correspondence. The company identifies several legitimate reasons for which it can do this:
Transparency is a cornerstone of almost every privacy law. You must tell people, at every reasonable opportunity, how you process their personal data. And you need to tell them in a language that they understand - not in complicated legalese.
Want to use Mailchimp to help with your email marketing? Here's what Mailchimp requires from its EU users:
Beyond this, different laws have different transparency requirements.
Some companies go as far as to provide two separate policies, such as Industry Guru:
You should present information about your privacy practices on your website's homepage, within your app, and whenever you request or collect personal information from your customers.
Let's look at how some recent successful start-ups present their privacy information online.
Amicable launched an app in 2016 to help married couples stay on good terms throughout the divorce process. Amicable has even taught its chatbot to recite some basic privacy information:
Your customers have certain rights over their personal data.
Many privacy laws require companies to provide their customers access to any personal data that they hold on them. Some privacy laws go further, requiring companies to amend or erase customer data on request.
You might not be surprised to hear that the GDPR goes the furthest of all privacy laws in this regard. You can read more about this in our article about the 8 User Rights Under the GDPR.
First, the policy lists the GDPR user rights, linking to the website of the Information Commissioner's Office (ICO) which provides further information about each one. Here's an excerpt of the full clause:
Homelyfe then provides contact details for customers who might wish to exercise these rights:
Make sure you're aware of your customers' data rights, that you make your customers aware of these rights, and that you have a system in place to help them exercise these rights.
We've talked about when it's appropriate to get consent under the GDPR. You also need to know how to get consent in a way that is compliant with the GDPR.
The GDPR sets a very high threshold for what it considers to be consent. Unlike under some privacy laws, you cannot assume that you have a person's consent. You need to really ask for it, and they need to know what they're getting into.
There are five components of valid consent under the GDPR. Consent must be:
Once you have a person's consent, you must make it as easy to withdraw the consent as it was to give it.
EU law (specifically the ePrivacy or Cookies Directive) requires you to earn consent for any cookies that aren't essential for communication or necessary to provide the user with a service they have requested.
This means that any cookies associated with advertising or analytics require consent. Cookies used for load-balancing, essential security, or multimedia players generally don't require consent.
If you're using cookies for other purposes, such as analytics, tracking, and advertising, you'll need to get consent before you set these on a user's device. And the same five components of GDPR consent must be met. This is why you might have noticed so many "cookie banners" popping up on websites in recent years.
Frankly, there are few companies that obey the rules around cookie consent to the letter. But it is a legal requirement, even if it's often ignored.
Here's an example of a reasonably good cookie consent solution from management consultant start-up Issoria:
Visitors to Issoria's website are invited to accept cookies, and given the option to decline them. Issoria doesn't simply tell visitors that cookies have already been set - a practice that is all too common, and that is not compliant with the GDPR.
The GDPR means that "opt-out" methods of acquiring consent are no longer valid. Consent must be given by a clear, affirmative action.
Some companies have interpreted this as meaning that an unchecked checkbox will always be required to validate consent. Here's an example from snack food start-up Well & Truly:
In fact, clicking "subscribe now" would most likely be enough to satisfy the GDPR's consent requirements. There's no real need to ask the user to also check a box. But there's no harm in it, either.
It's important that consent is specific. So, if you're asking for personal data for one purpose, ensure that you ask specifically for consent if you want to use it for another.
Here's an example from parcel-tracking start-up HubBox. Here's part of its account creation process:
Not everyone who creates an account will want to receive marketing emails. So it's good that HubBox has provided a clear opt-in for this.
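The consent rules described above (a positive action per purpose, withdrawal as easy as giving, and no non-essential cookies set before consent) translate directly into server-side logic. The following is an added example, not code from the original article or from any of the companies it mentions; the cookie names, the three categories and the `ConsentRecord` shape are assumptions made for the illustration. The server keeps one consent entry per purpose, never defaults a purpose to "granted", only emits Set-Cookie for non-essential cookies when the matching purpose is recorded, and expires a cookie that is already on the device once consent for it is withdrawn.

```python
"""Consent-gated cookie handling (constructed example, not the article's code).

Essential cookies (session, CSRF) are always allowed. Analytics and
advertising cookies are emitted only when the visitor has recorded consent
for that specific purpose, and are expired again after a withdrawal.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Purpose categories (names are assumptions for this example).
ESSENTIAL = "essential"      # strictly necessary: no consent required
ANALYTICS = "analytics"      # non-essential: consent required
ADVERTISING = "advertising"  # non-essential: consent required

# Which purpose each cookie serves. Cookie names are assumed/constructed.
COOKIE_PURPOSE: Dict[str, str] = {
    "sessionid": ESSENTIAL,
    "csrftoken": ESSENTIAL,
    "_analytics_id": ANALYTICS,
    "_ad_id": ADVERTISING,
}


@dataclass
class ConsentRecord:
    """One visitor's consent state: one timestamped entry per purpose.

    Consent is "specific": granting analytics says nothing about advertising.
    An empty record means nothing has been consented to (no opt-out default).
    """
    granted: Dict[str, datetime] = field(default_factory=dict)

    def give(self, purpose: str) -> None:
        # Only an explicit call (a clear, affirmative action) records consent.
        self.granted[purpose] = datetime.now(timezone.utc)

    def withdraw(self, purpose: str) -> None:
        # Withdrawal is a single call: as easy as giving consent.
        self.granted.pop(purpose, None)

    def allows(self, purpose: str) -> bool:
        return purpose == ESSENTIAL or purpose in self.granted


def cookie_headers(wanted: Dict[str, str],
                   consent: Optional[ConsentRecord],
                   present: Set[str]) -> List[str]:
    """Return the Set-Cookie header values the server may emit.

    wanted:  cookies the application would like to set (name -> value)
    consent: the visitor's consent record; None means no consent at all
    present: cookie names already sent by the browser on this request
    """
    consent = consent or ConsentRecord()
    headers: List[str] = []
    for name, value in wanted.items():
        # Unknown cookies are treated as non-essential, so they default to
        # "needs consent" rather than silently slipping through.
        purpose = COOKIE_PURPOSE.get(name, ADVERTISING)
        if consent.allows(purpose):
            headers.append(f"{name}={value}; Path=/; Secure; SameSite=Lax")
        elif name in present:
            # Consent absent or withdrawn but the cookie is on the device:
            # expire it instead of leaving it in place.
            headers.append(f"{name}=; Path=/; Max-Age=0")
        # else: not allowed and not present -> simply do not set it
    return headers


if __name__ == "__main__":
    visitor = ConsentRecord()
    wanted = {"sessionid": "s1", "_analytics_id": "a1", "_ad_id": "d1"}
    print("before consent:", cookie_headers(wanted, visitor, set()))
    visitor.give(ANALYTICS)
    print("analytics only:", cookie_headers(wanted, visitor, set()))
    visitor.withdraw(ANALYTICS)
    print("after withdrawal:", cookie_headers(wanted, visitor, {"_analytics_id"}))
```

The important design choice is that the consent record is the single source of truth and the banner is only the mechanism for writing to it: a pre-ticked box or a "cookies have been set" notice never results in a `give()` call, so nothing in this code can treat silence as consent.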
If your company provides a mobile app, it's important to be aware that there are strict requirements around how that app collects data from a user's device.
These requirements arise both from privacy law and from third parties such as Apple and Google.
Apple is particularly vigilant when it comes to regulating how apps request "permissions". When a developer wishes their app to access user data, Apple requires them to request the user's permission, and also state the purpose for which they are making the request.
Here's an excerpt from Apple's guidance on Accessing Protected Resources:
Android developers must also carefully consider how their app collects user data and requests permissions. Android developers whose app has EU users are required to comply with Google's EU User Consent Policy. Here's an excerpt from the agreement:
Your business has an obligation to collect personal data only when necessary, and to keep personal data secure.
If you're still building your product or setting up your processes, you're at an advantage here. You don't need to retrofit your systems with legally compliant security features. You can build data protection into your systems by design and by default.
One of the easiest ways to avoid a data breach is to hold as little personal data as possible. This means only asking for the personal data that you need in connection with a specific purpose.
For example, do you really need anything other than a person's email address in order to sign them up to your mailing list? Educational tech startup Curiscope keeps this process as simple as possible:
You can read more about "data minimization" in our article on the 6 Privacy Principles of the GDPR.
Another simple and effective way to avoid a security incident is not to have personal data hanging around in storage for any longer than necessary.
It's important to have a system for regularly reviewing the different types of personal data you keep on file.
You can schedule regular deletion of certain types of personal data. You might decide that you do not need to keep customer invoices for longer than, say, six years.
For other types of personal data, you can set a specific period after which the data will be deleted following a "trigger" event. For example, the personal data associated with an account is deleted 28 days after the account is closed.
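The two kinds of retention rule described in the last three paragraphs, a fixed period from creation (invoices kept for six years) and a period that starts at a trigger event (account data deleted 28 days after closure), can be expressed as data and evaluated by a scheduled job. The following is an added example and not code from the original article; the record categories, the `Record` and `RetentionRule` shapes and the sample records are all constructed for the illustration, and the six-year period is approximated as 6 × 365 days.

```python
"""Retention sweep (constructed example, not the article's code).

A scheduled job evaluates every stored record against a small set of
retention rules and reports which records are due for deletion. Records
whose category has no rule are reported separately so they get reviewed
rather than silently kept forever.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class Record:
    record_id: str
    category: str                           # e.g. "invoice", "account"
    created_at: datetime
    trigger_at: Optional[datetime] = None   # e.g. when the account was closed


@dataclass
class RetentionRule:
    category: str
    keep_for: timedelta
    from_trigger: bool  # True: clock starts at trigger_at; False: at created_at


# Assumed retention schedule, taken from the figures in the text.
RULES: List[RetentionRule] = [
    RetentionRule("invoice", timedelta(days=365 * 6), from_trigger=False),  # ~six years
    RetentionRule("account", timedelta(days=28), from_trigger=True),        # 28 days after closure
]


def expiry(record: Record, rules: List[RetentionRule]) -> Optional[datetime]:
    """When this record may be deleted, or None if it must (still) be kept."""
    for rule in rules:
        if rule.category != record.category:
            continue
        if rule.from_trigger:
            if record.trigger_at is None:
                return None  # trigger event has not happened yet: keep
            return record.trigger_at + rule.keep_for
        return record.created_at + rule.keep_for
    return None  # no rule for this category: keep, but see unclassified()


def due_for_deletion(records: List[Record], rules: List[RetentionRule],
                     now: datetime) -> List[str]:
    """IDs of records whose retention period has run out at `now`."""
    due = []
    for record in records:
        exp = expiry(record, rules)
        if exp is not None and exp <= now:
            due.append(record.record_id)
    return due


def unclassified(records: List[Record], rules: List[RetentionRule]) -> List[str]:
    """IDs of records with no retention rule at all: a gap in the schedule."""
    known = {rule.category for rule in rules}
    return [r.record_id for r in records if r.category not in known]


UTC = timezone.utc
# Constructed sample data. NOW is the article's publication date.
NOW = datetime(2020, 2, 19, tzinfo=UTC)
SAMPLE_RECORDS: List[Record] = [
    Record("inv-2013", "invoice", datetime(2013, 1, 1, tzinfo=UTC)),       # older than six years
    Record("inv-2015", "invoice", datetime(2015, 6, 1, tzinfo=UTC)),       # still within six years
    Record("acct-open", "account", datetime(2018, 3, 1, tzinfo=UTC)),      # never closed
    Record("acct-closed-jan", "account", datetime(2018, 3, 1, tzinfo=UTC),
           trigger_at=datetime(2020, 1, 1, tzinfo=UTC)),                   # closed 49 days ago
    Record("acct-closed-feb", "account", datetime(2018, 3, 1, tzinfo=UTC),
           trigger_at=datetime(2020, 2, 1, tzinfo=UTC)),                   # closed 18 days ago
    Record("photo-1", "photo", datetime(2019, 1, 1, tzinfo=UTC)),          # no rule defined
]

if __name__ == "__main__":
    print("due for deletion:", due_for_deletion(SAMPLE_RECORDS, RULES, NOW))
    print("no retention rule:", unclassified(SAMPLE_RECORDS, RULES))
```

Run as a daily job, the `due_for_deletion` output is what actually gets erased; the `unclassified` output is the list to take to whoever owns the data audit, since a category with no rule is usually a category nobody has thought about yet.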
Cybersecurity becomes more crucial with each passing year. Practically every business needs to consider the steps they can take to keep personal data secure. And this is particularly important for innovative tech startups.
Let's take the example of Israeli startup Pixoneye, launched in late 2016. Pixoneye's product is an app that collects personal data from the photo gallery on a person's mobile phone. This can be used to infer information about their preferences, behavior, and intentions. The company then shares metadata gathered via this process with advertisers.
This activity is potentially very risky and intrusive. So Pixoneye is required to take some extraordinary steps to keep personal data safe. One way in which it does so is to keep data processing local to the user's device as far as possible.
This is just one example of the sort of methods that might be used to secure your customer's personal data.
Of course, the context of your start-up might be very different from that of Pixoneye. You can still implement security methods such as:
We have an article all about Protecting Personal Data in Your Business if you'd like to read more about this.
If your start-up involves innovative or untested technology that might present some threat to the security of people's personal data, it's important that you fully assess and mitigate the risks.
In the EU, this is known as a Data Protection Impact Assessment, and it can be done in conjunction with a Data Protection Authority. It's a legal requirement to conduct such an assessment under certain conditions.
Even if you're not legally required to run a risk assessment, it's advisable to do so if your business model has significant privacy implications.
We have an article about how to carry out a Data Protection Impact Assessment if you'd like to know more on this topic.
Complying with privacy law might be pretty far down your list of priorities if you're trying to get your new start-up off the ground. But taking steps towards compliance from the very start will save you a lot of work and hassle in the long run.
This is just the start of your journey towards legal compliance. You'll also need to consider creating some of the following agreements:
Remember that it's important to tackle these issues as early as possible.