Startups beware! Privacy statement pitfalls to avoid

Paid advertisement by Parsons Behle & Latimer.

Too often, a well-meaning startup looking to avoid costs in its early stages will make the mistake of adopting a privacy statement—often “borrowing” a statement from another company—that is not tailored to the startup’s current operations or its vision for expansion. Adopting a generic privacy statement can give rise to significant problems, including compliance complications due to lack of infrastructure to meet legal commitments and limitations of future growth flowing from unnecessary, self-imposed constraints.

What is a privacy statement?

A privacy statement, often called a privacy policy, is a document that describes how a company collects, uses and stores data, including personally identifiable information (PII)—information that could identify an individual, on its own or combined with other information, e.g., a person’s name, address, credit card number, device ID or even geolocation. The statement also typically explains what type of information a company may collect, including through its website, chat functions, email communications and other interactions, and whether that information may be sold to, or shared with, other parties.

Why do startups need a privacy statement?

Many countries have laws and regulations that require companies that solicit or do business in their jurisdiction to implement and post a privacy statement on company websites and apps that collect PII from users. These laws and regulations may also specify what can be done with such information, including how it can be stored and transmitted. Failure to comply with these laws and regulations can result in investigations and penalties, including considerable fines. Ethical business practice demands that startups be transparent with users about how user data will be processed.

When implementing a privacy statement, startups should consider adhering to the following tips:

Tip #1: Avoid using too much “user-friendly” language.

While it is important for a privacy statement to be understandable to users, its most important readers are the applicable regulators, who will most likely be the ones monitoring the statement to confirm that it complies with laws and regulations and that the startup implements the policy in accordance with its terms. Unfortunately, in an effort to appeal to privacy-conscious users, some startups adopt privacy statements that contain language professing a vigorous dedication to protecting user data, e.g., “We will always take great care to protect your data.” While providing such a simple assurance to users may seem harmless (and the startup should strive to always take great care to protect user data), using such language may unintentionally impose a heightened legal standard of care on the startup regarding the protection of user data. Instead of offering such assurances, clearly and accurately stating how the startup processes user data should be sufficient to appeal to privacy-minded users.

Tip #2: Don’t make promises you can’t keep.

One danger of adopting a privacy statement not tailored to the startup is that the startup may bind itself to legal obligations that it lacks the infrastructure or knowledge to fulfill. For example, many privacy statements have language informing users that the company will respond to user requests for rectification or deletion of user data in a certain period of time or that the company will honor user preferences regarding different classes of cookies. If the startup does not understand or have the capacity to carry out each privacy practice it is adopting via its privacy statement, it could very quickly bury itself under a heap of infractions.

Tip #3: Don’t limit future growth.

A startup can limit exciting growth opportunities by needlessly restricting itself through the data use prohibitions it assumes. For example, while a startup should be cautious about selling data, if done in compliance with applicable law, it can be a very profitable line of business. User data is often a key cog in the development of new or improved products or services. A startup may need the flexibility to pivot based on data collected. Some startups adopt privacy statements that severely limit their ability to use or sell user data, or that fail to elicit user consent to utilize data in a particular way. In these circumstances, while such startups can certainly amend their privacy statements to account for changes in business procedure going forward, they may be stuck with a mountain of valuable data and limited flexibility to utilize or monetize such data. Startups should take care to implement a privacy statement that is legally compliant and ethical, while still leaving room for future ventures.

Tip #4: Know what laws apply.

When implementing a privacy policy, a startup should analyze its actual business model and practices and ask various questions, such as the following: In what jurisdictions will the company do business? Do those jurisdictions have specific data privacy laws that could impact the business? For example, California law imposes various requirements and limitations on companies that collect and use data regarding California citizens if certain thresholds are met or if the company undertakes certain activities with the data. The General Data Protection Regulation (GDPR), the principal regulation protecting the personal data of individuals located in the European Economic Area (EEA), imposes limitations on what personal information can be collected in other countries and whether that information can be transmitted out of the state. Additionally, some industries, such as the healthcare industry, have specific regulations and requirements as to what can be done with personal information. A startup needs to evaluate these special circumstances that could affect its operations.

Tip #5: Talk to a privacy attorney!

Avoiding legal fees, especially when trying to bootstrap your startup at the beginning, is understandable. However, talking to a skilled, startup-friendly privacy attorney to ensure your startup’s privacy statement matches its current capabilities and plans for expansion can save you from headaches later and prevent substantially greater legal fees down the road.

The Parsons Lift team has extensive experience partnering with founders from idea to exit and beyond, including providing full-stack startup support without an onslaught of legal fees. If your startup needs help with privacy compliance, please reach out to us!

Kevin Dorman is an attorney with Parsons Behle & Latimer and a team member of Parsons Lift, a full-stack legal services provider for startups and investors. Kevin helps emerging companies distribute their cloud-based services, license software and establish data privacy protections and protocols. Kevin can be contacted by calling 801.533.5897 or by sending an email to [email protected].