In 1736, Ben Franklin warned the fire-threatened city of Philadelphia that “an ounce of prevention is worth a pound of cure.” When it comes to data privacy and security, emerging companies and start-ups may struggle to follow this advice during the cost-sensitive early years. Many state privacy laws only become fully effective upon reaching certain thresholds for revenue or consumer data, and it may be tempting to push compliance off into a future product cycle.¹
However, as a practical matter, it may actually end up costing more, in the long run, to rebuild or rework your organization’s or products’ existing architecture when those laws are abruptly triggered. Moreover, although smaller companies may not find themselves in regulatory trouble, poor privacy practices can still trigger reputational harm and loss of customer confidence. Entities should therefore address data privacy concerns from day one. Making emerging consumer data rights a key consideration in the design of your product may prove to be the best approach.
The following tips will help you incorporate privacy and security thinking into your product development cycle.
Understand the Data You Have
Keeping an accurate inventory of the data you are collecting is essential to understanding and managing the privacy and security concerns that will require your company’s attention. Effective internal communication is key, as multiple initiatives or product launches may inadvertently cause data to reside in more than one place or lead to inconsistent collection sets between applications or interfaces.
Do More With Less
One of the best strategies for avoiding data privacy and security issues is to only collect the data that is strictly necessary to accomplish the purposes for which it was collected in the first place. The more data you collect, the greater the privacy issues and the more attractive you are to potential threat actors. Committing to data minimization can be challenging in the early stages, as product function and internal processes may still be fluid. However, you should aim to maximize the utility of a limited data set and be thoughtful about collecting additional information from customers as business needs become clearer. It is always better to avoid potential liability and collect the right data at the appropriate time.
A Regime of Good Trust and Privacy Hygiene
Since the passing of the California Consumer Privacy Act in 2020, regulatory attitudes have shifted away from the “notice and consent” model of data collection and use. Instead, the growing expectations of consumers and regulators alike suggest that new products and services should foundationally recognize users’ data privacy rights. Regardless of your actual compliance obligations, building a product that defaults to protecting a user’s privacy can provide a significant defense against future liability. In other words, your product should collect as little of your customers’ data as needed while requiring as little action from the customer as possible.
Have a Public Privacy Statement
Even if you effectively calibrate your platform to collect as little customer data as possible, the information that you do use should only be collected with informed and knowing consent. A clear, plain-language privacy statement is an effective and low-cost way to communicate with potential users about how your company collects and uses data and provides a signal to regulators that you understand you have obligations from operating in this space. It also protects your company from claims that it misused data or misled customers. It is imperative, however, that your privacy statement reflects your company’s actual practices. Telling customers one thing and then treating their data in a materially different way can lead to significant liability and could be the worst of all possible worlds.
Security at Any Size
No business is too small to attract the attention of cybercriminals. Per Verizon’s 2022 Data Breach Investigations Report, “very small businesses (10 employees or fewer)” remain targets of threat actors who have a “we’ll take anything we can get” attitude to data exfiltration or ransomware attacks. Unlike larger organizations, many new and emerging companies do not have the resources to hire dedicated security professionals or deploy the most cutting-edge technology. Luckily, there are many cost-effective security practices. First, consider using multi-factor authentication for key systems and make sure that employees do not reuse or share passwords. Second, manage your organization’s technology assets by promptly installing software updates and changing default credentials. Finally, carefully scrutinize vendor agreements to make sure that their privacy and security practices provide at least as much protection as your own.
Current Data Privacy Laws Are a Blueprint
In addition to the five comprehensive state data privacy laws that have already passed, there are 14 additional states with privacy bills in various stages of the legislative process. Though each new law requires careful consideration of the precise compliance requirements, almost all active and proposed privacy legislation provides for certain consumer rights: specifically, the right to access their information, the right to request that their information be deleted and the right to opt out of the sale of their data.² As you are building your initial inventories and mapping your company’s data, consider how your customers are likely to exercise these rights and how you intend to respond. Even if you are under no legal obligation to provide your customers with these controls, building these processes from the beginning will streamline your eventual compliance.
¹ Also, firms operating in certain industries (e.g., finance, health care) or jurisdictions (such as the European Union) will incur privacy obligations regardless of their size and scale.
² For a more comprehensive review of active data privacy laws, see 2023 State Data Privacy Law: A Quick Reference Guide.