The Importance of Establishing Internal and External Procedures for Data Collection, Analytics and Security for Start-Ups
By Richard Eisert & Paavana Kumar, Davis & Gilbert LLP
Davis & Gilbert is a proud sponsor of Ad Think “Emerging Tech in Advertising” presented by The Advertising Club of New York and Advertising Redbooks to be held in New York City on March 18, 2014.
Technology start-ups have a host of issues on their plate at inception – developing products, defining their brand, and honing a marketing strategy. For many start-ups, privacy issues may not be at the top of the to-do list, or even on the list at all. However, few companies can afford to ignore them. As technologies – particularly those that enable data collection – become more innovative and diverse, the corresponding privacy considerations become more wide-ranging and complex.
Privacy By Design
Regulators have been quick to recognize the implications of recent industry developments. In particular, the FTC has recommended a “privacy by design” approach: new businesses should build in consumers’ privacy protections from the outset through every stage of the development process. In an age where various tech platforms solicit increasingly sensitive data from customers, start-ups gathering any sort of information that could be deemed personally identifying information (PII) need to make sure they are instituting the appropriate privacy procedures in order to protect their customers’ information and stay on the right side of the law. This task has become even more daunting as the definition of PII has broadened from traditional categories like names and credit card numbers to even data like IP addresses – which previously had not been considered PII in the United States but now may be in some cases.
As privacy legislation grows in order to catch up with the technology it is intended to regulate, almost no business will be immune. In the U.S., federal privacy laws are generally sector specific, with regulations in place governing discrete issues like security in the financial and healthcare industries and the protection of children’s information online. Even so, the number of such laws is rapidly expanding, and state-enacted privacy law can be remarkably broad in scope. For example, California enacted legislation several years ago requiring any application developer collecting PII from California residents to maintain a comprehensive privacy policy under the California Online Privacy Protection Act (OPPA). The state recently expanded this legislation to require companies to disclose how they respond to “do not track” signals from web browsers, as well as certain third-party data collection activities. As privacy regulations become more comprehensive, virtually all companies, regardless of their sector, will need to institute appropriate policies. In addition, globally oriented start-ups will need to affirmatively address international regulations governing data collection and transfer.
Best Practices for New Businesses
The legal landscape has been further complicated by a number of new self-regulatory policies and other guidance documents. In 2010, the Digital Advertising Alliance (DAA) launched the Self-Regulatory Principles for Online Behavioral Advertising, based on principles enumerated by the FTC and intended to give consumers greater transparency and control over the collection and use of their data. In 2013, the DAA released additional guidelines for applying the Principles to the Mobile Environment. In addition, the FTC has published a number of business guides; most recently, in 2012, on “Protecting Consumer Privacy” and “Marketing your Mobile App.” These guides lay out standard practices for businesses to comply with privacy laws, such as ensuring data practices are transparent, keeping data secure, and collecting sensitive information only with users’ consent.
In sum, tech start-ups have a responsibility to assess how they are collecting user data, and to ensure they abide by applicable regulations (and potentially even self-regulatory obligations) in gathering, transferring and storing that data. In the process, they need to consider whether they are appropriately obtaining consent from and communicating their policies to customers. In the rapidly evolving technology sector, it will only become more important for start-ups to have a dedicated privacy team to establish both internal and external procedures for data collection, analytics and security. In this way, start-ups will best position themselves to avoid a security breach or consumer lawsuit – either of which could be fatal to the life and success of the new business.