Issues for Startups - Privacy, Privacy Protection, and Data Security

An increasing number of legal challenges for startups that utilize the Internet, are in the area of informational privacy protection. To date, there is no single piece of legislation or bill of rights which provides comprehensive regulation of the collection, storage, transmission or use of personal information.[1] Personal information is defined as data that is used to identify, contact, or locate a person, including name, address, telephone number, or email address. [2] Currently, protection of consumer privacy over the Internet is a piecemeal collection of various state and federal statutes. However, as users and regulators become increasingly savvy about the methods of data collection and its uses, that legislation slowly creates a framework that becomes of increasing importance to small businesses and startups that utilize the internet. The Federal Trade Commission has been particularly active in recent years in assessing the threats posed by online data collection and issuing several reports on the subject.[3] In particular, Congress has already taken action with respect to data collection obtained from minors.[4] Failure to take privacy issues into consideration may subject companies to federal or state action, in addition to consumer class action suits. Because enforcement actions are on the rise, startup companies must exercise particular vigilance in this area to protect themselves and the privacy of their users.

Before addressing what startups can do to minimize the risk of privacy related adverse action, it is necessary to briefly address what informational privacy means. Courts and scholars have not agreed on a uniform definition of what information a general right to privacy protects. On one end of the spectrum, some assert private property rights on all personal information.[5] According to this definition, an individual maintains control over how their personal information is used, disclosed, and disseminated by others aside from that individual.[6] Although a seemingly reasonable construction on a surface level, strict construction would impede agency relationships, reporting agencies like newspapers and credit bureaus, and is unworkable on a practical level. On the other end, some critique that informational privacy is an obtuse concept. Indeed, there is little Constitutional or precedential support that protects information privacy.

It is important to note that on a federal level, financial institutions (under the Gramm Leach Bliley Act[7]) and those that deal with sensitive medical information (under HIPAA[8]), cable and telecommunications providers (under various federal statutes) are currently the only organizations that are mandated to develop and disclose to customers their internal policies governing the treatment of non-public personal information.[9] Also, there is no current federal legislation requires commercial websites to post privacy policies for their consumers.[10] However, given the recent developments in state law (discussed later in detail for California), it is prudent for other startups to maintain and implement a security program to deal with privacy issues. As a cornerstone of any program, the startup should publish a copy of their privacy policy on their website and strictly follow that policy. This will not only curtail issues with customers about the unauthorized disclosure of non-public personal information, but startups that fail to abide by their privacy policies may be liable for unfair or deceptive trade practices.[11] Legal scholar, Jeffrey Neuburger, notes that companies should consider what information they collect and how they will use and maintain data on their websites before drafting privacy policies so that they are consistent with that use.[12] Adopting a generic privacy policy or modifying an existing one is simply not enough to ensure adequate protection.

Although there are many important things for company management to consider when formulating their internal privacy policies, the elements of what should be included have been outlined by the Federal Trade Commission in their Fair Informational Practices.[13] These fundamentals are notice, choice, access, and security. Notice entails disclosure to consumers about how their personal information is collected, stored, and used.[14] Generally, this is satisfied with the company’s privacy policy being posted in a place that is easily seen and accessible to consumers.

Choice in its most basic form is defined as a consumer’s right to prevent disclosure of any personal information provided to that it provides to outside parties.[15] Providing choice is usually achieved by one of two basic methods: opt-in and opt-out.[16] Opt-in provisions require that the company keep customer information confidential, except for internal use, unless the consumer specifically consents to share their personal information with third parties. Since obtaining consent from consumers can be an arduous process, especially to smaller startup companies with limited resources to allocate to the task, “opt-out” provisions are far more common. This enables companies to use consumer information freely, including sharing it to outside parties, unless the consumer specifically request that information not be shared. In order to ensure proper compliance with the spirit of the guideline, companies should include an opt-out provision in any unsolicited advertising and mass communications with potential customers. This also helps to prevent potential violations of the CAN-SPAM act.

Access is the idea that customers should have the right to view any personal information that is collected over the Internet and afforded an opportunity to change any data they feel is inaccurate.[17] However, the definition of “access” beyond the right to have the contact information of any third party utilizing personal information is more difficult to properly ascertain. Issues arise as to how much information consumers should be afforded access to, whether access includes the right to future uses of that information, such as demographic profiling, as well as the mechanics of providing that information. Since there is no uniform consensus as to the proper way to grant consumers access to their personal information, a startup should be able to satisfy the element by simply addressing the subject in their privacy policy.

Finally, the principle of security states that companies should take proper steps to minimize the risk of disclosure and properly safeguard the personal information they collect.[18] The importance of this is highlighted in a recent study where eighty five percent of surveyed businesses reported security breaches within the last two years.[19] Most major companies have policies in place to prevent the unauthorized disclosure of information and startups should likewise follow suit. The security element is particularly important for startups, which deal with a lot of sensitive information, or who collect a large volume of information from consumers. As privacy civil actions from increasingly conscious consumers become more prominent, failure to properly protect information can lead a small startup into a potentially debilitating litigation. Few startups can afford to deal tremendous cost of a breach when the “all-in” cost of remedy averages about 4.8 million dollars.[20] In addition to the tremendous financial loss associated with these breaches, enforcement action from federal or state agencies is extremely likely for startups in certain sectors, such as financial and healthcare service industries, which are more prominently on the radar of regulatory agencies. Startups in these industries need to be particularly vigilant. Although which specific security measures are needed to ensure appropriate compliance differ between startup companies, monitoring and auditing data activities on an ongoing basis are the easiest ways to avoid potential legal complications.