By Janis Kestenbaum, a partner in Perkins Coie
Startups have bigger concerns than privacy, or so they think.
Many startups have learned that being young and small does not keep them off the radar screens of privacy regulators, and they can be vulnerable to costly investigations. Privacy issues that come to light in the course of the due diligence process for an acquisition can also threaten their valuation. In fact, VCs increasingly report that privacy can affect a startup’s ability to raise capital.
Avoid serious problems down the road by following a few basic steps now:
1. Say what you do.
If your website or app (or its affiliates or business partners) collects, uses or discloses information that can be used to identify an individual or a device (e.g., name, email address, cookie identifier, or mobile device identifier), you should have a privacy policy that explains what types of data you collect, how you use it, who you may share the data with, and the steps you take to protect the confidentiality and privacy of the data. Don’t just find a generic policy and post it to your website. Instead, make sure the policy actually reflects your company’s practices by mapping out the data your company collects, how it is used, how it is disclosed, and how it is secured. Additionally, plan for an acquisition now by telling your users in your privacy policy that you may transfer the data in the event of a merger or acquisition.
2. Do what you say.
Follow your privacy policy and anything else you communicate to your users about how you use or protect their information. Misrepresenting your privacy practices or deceptively failing to disclose a key fact is the surest way to get in trouble with privacy regulators. If your data collection use or disclosure practices change, make sure your privacy notices also change.
3. When it comes to data, less can be more.
If you don’t need it, don’t collect it. Collecting data because it might be useful one day can get you into trouble. For example, collecting the date of birth of your users can trigger obligations under the Children’s Online Privacy Protection Act.
4. Secure it.
If you collect information about your users, take reasonable steps to protect it. The Federal Trade Commission offers 12 tips for mobile app security and a general guide for all businesses.
5. Be choosy in selecting who has access to your users’ data.
If you give a service provider or other business access to your users’ data, make sure you understand how it is being used. Look for companies that follow industry codes of conduct such as the Network Advertising Initiative’s rules for interest-based advertising or cross-app advertising.
Janis Kestenbaum is a Commercial Litigation partner in the Privacy & Security practice and Advertising, Marketing and Promotions group in Perkins Coie. Her practice focuses on consumer privacy, data security, advertising and marketing practices. Janis regularly counsels technology, consumer products, and financial services clients on compliance with federal and state privacy and consumer protection laws and has represented companies before the Federal Trade Commission and Congress.
