Data Privacy Basics for Startups

Data privacy might seem like a boring topic for startups, but ignoring it can lead to hefty fines and legal trouble. Learn the basics of GDPR and CCPA compliance, understand data controller vs. processor roles, and discover the rights individuals have regarding their data. Protect your business and build trust with customers by prioritizing data privacy.

If you’re a startup beginner, data privacy might seem like something that doesn’t concern you at all. It’s probably the last thing you’re worried about. However, it’s going to be VERY important, sooner or later…

What is it I hear? You have better things to do with your time? You don’t want to read about this?

I mean, you do you – but don’t quit reading before reading some horror cautionary tales of startup founders just like you who got into big trouble.

But first… LEGAL DISCLAIMER! Anything that you read in this article is NOT legal advice. We’re not recommending ANYTHING, it’s purely informational. Get your own lawyers and take your own risk!

No really. I don’t want you guys to blindly follow any advice on the internet (including the Eightception blog) and burn money (and legal blunders can cost you millions).

Read my stuff as a story and then think. You do you.

Aaand… One more disclaimer: Things differ in different countries. What I wrote here will be relevant for most regions like the US, Canada, EU, UK, India, Philippines, Australia, Malaysia, Indonesia, and other major countries. In other regions, data privacy may vary. Do. Your. Own. Research.

Cue the scary suspenseful music…

Data Privacy Horror Stories: Don’t Write The Next One!


Data privacy can seem like the most boring thing you’ve ever heard of. I mean, you’ve got a product to build, funnels to create, services to deliver…

BUT… (and you knew there was a ‘but’ coming, didn’t you?)

…It’s actually super important. Like, REALLY important. Look at what can happen if you make a data privacy blunder:

In 2022, Sephora failed to process user opt-out requests and violated the California Consumer Privacy Act. Basically, customers asked Sephora not to sell their data and they failed to comply… leading to a hefty fine of $1.2M.

This year, Meta was accused of “massive, illegal” data processing and faced a fine of $1.3 BILLION by the EU. I mean, it’s Meta, it wouldn’t be the first time, right?

And right when you thought that only tech giants could get fined for data privacy issues…

Enter CafePress, an online retailer known for custom products. They faced a $500,000 fine from the Federal Trade Commission (FTC) in 2022. They were fined for failing to protect sensitive customer data, like Social Security numbers and passwords, after a data breach exposed millions of users’ personal information. The company also didn’t notify users in a timely manner about the breach, which made the fine even worse.

Or, for example – Drizly, a smaller online alcohol delivery service. They had ‘inadequate data security practices’ and exposed the data of 2.5 million users. The FTC intervened and made sure Drizly fixed their errors. While there was no financial penalty, the stress was probably enough to make the CEO want a drink… Or ten.

If you still don’t think data privacy applies to you, let me show you something. Sooner or later, you’re probably going to sell your products to your email list. Even there, you have to be careful…

If you violate the CAN-SPAM Act in the USA, fines can reach up to a staggering $51,744 per violation. Both the sender and any third-party companies involved in the email marketing can be held liable. It’s a scary number, yes, but following the rules is not rocket science. (more on it here).

Practical Part: What Every Business Owner Needs to Know


Now that your legs are shaking from the fear of the FBI bursting through your door because of a data privacy mishap, here’s what you need to know:

Firstly, learn about the 7 core data privacy principles of GDPR:

  • Lawfulness, Fairness, and Transparency: You have to process the data legally, fairly, and transparently. Say what, why, and how you’re using it.
  • Purpose Limitation: Only use the data for the specific, legitimate purposes you stated. Use it for what you said you would use it for.
  • Data Minimization: Don’t collect more data than you need to. You probably don’t need birthdays for a newsletter, Sherlock.
  • Accuracy: Keep the data accurate and up-to-date. If something is inaccurate, either delete it or correct it to maintain data integrity.
  • Storage Limitation: When the data is not needed anymore, throw it in the bin or anonymize it.
  • Integrity and Confidentiality (Security): Process the data in a way that ensures its security, including protection against unauthorized access, loss, or damage. Set up the appropriate technical precautions.
  • Accountability: You’re responsible for compliance with these principles and you HAVE to be able to demonstrate it. Document processes, conduct audits, implement compliance mechanisms – and you should be just fine.

Aside from not having to pay enormous fines, handling data this way also builds trust with your customers. People really appreciate when they can see that their data is safe.

Second, understand the difference between data controllers and data processors:

  • Data controller: Most likely what you are. It’s the entity that determines the who-what-why of data processing. For example, a retailer that collects customer info is a data controller. A startup founder who collects data for their app is a data controller.
  • Data processor: Solely processes data on behalf of the controller. For example, this can be a marketing/sales software you use to collect and use the data.

Under the General Data Protection Regulation (GDPR), controllers (you) are held to a stricter compliance standard as they have full decision-making power over the data they collect and process.

Third, understand what counts as ‘personal’ information:

  • The GDPR defines personal information as any data “related to an identified or identifiable natural person.” Basically, it’s any data you collect about someone.
  • In the United States, the Department of Labor defines personal information as “any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.” Or in simple words… Personal information is anything that helps someone figure out who you are, either by showing your name or by giving hints that lead to you, like your address or phone number.

While definitions vary slightly, most countries and states align with the broad EU definition, focusing on information that can be tied to an individual, either directly or indirectly.

There’s also a deeper subset of personal information that you have to be especially careful with…

  • Sensitive Information: Social Security numbers, driver’s licenses, national identifiers, health data, race/ethnicity, religious beliefs…

And number four, understand the rights people have regarding their personal data:

  • Access: If someone wants to, they should be able to access the data and see what magic you’re doing with it.
  • Copy: Hit that CTRL+C and CTRL+V for them.
  • Deletion: If they ask for it… Poof! The data is gone!
  • Withdraw Consent: No means no.
  • Correction: They can put their nerd glasses on and “Umm, actually 🤓” you.
  • Restriction: In certain cases, they can restrict the processing of their data.
  • Opt-Out: Bye-bye automated decision-making processes.
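To show what the principles above (data minimization, storage limitation, accountability) and this rights list look like in practice, here is an added example, not code from the original post: a small in-memory record store that handles access/copy, correction, restriction, consent withdrawal, opt-out and deletion requests, logs every request, and purges records past an assumed 30-day retention window. The record fields, the purpose names and the retention period are assumptions for the example.

```python
from dataclasses import dataclass, field, asdict
from datetime import datetime, timedelta, timezone
RETENTION = timedelta(days=30)  # assumed retention window (storage limitation)
FLAG_RIGHTS = {  # rights that flip a flag; "correct" takes caller-supplied fields
    "restrict": {"restricted": True},
    "withdraw_consent": {"marketing_consent": False},
    "opt_out": {"automated_decisions": False},
}

@dataclass
class Subject:
    email: str
    name: str
    marketing_consent: bool = True    # withdrawable at any time
    automated_decisions: bool = True  # opt-out target
    restricted: bool = False          # processing paused on request
    last_active: datetime = field(default_factory=lambda: datetime.now(timezone.utc))

class SubjectStore:
    def __init__(self):
        self.records: dict[str, Subject] = {}
        self.audit: list[tuple[str, str]] = []  # accountability trail

    def access(self, email: str):  # access + copy: the record in portable form
        self.audit.append(("access", email))
        s = self.records.get(email)
        return None if s is None else asdict(s)

    def request(self, right: str, email: str, **changes) -> bool:
        if right not in FLAG_RIGHTS and right not in ("correct", "erase"):
            raise ValueError(f"unknown right {right!r}")
        self.audit.append((right, email))  # logged even when no record exists
        if right == "erase":  # deletion: only the audit entry remains
            return self.records.pop(email, None) is not None
        s = self.records.get(email)
        if s is None:
            return False
        for k, v in {**FLAG_RIGHTS.get(right, {}), **changes}.items():
            setattr(s, k, v)
        return True

    def may_process(self, email: str, purpose: str) -> bool:
        s = self.records.get(email)
        if s is None or s.restricted:  # restriction pauses all processing
            return False
        return {"marketing": s.marketing_consent, "automated_decision": s.automated_decisions}.get(purpose, True)

    def purge_stale(self) -> int:  # storage limitation: erase inactive records
        stale = [e for e, s in self.records.items() if datetime.now(timezone.utc) - s.last_active > RETENTION]
        return sum(self.request("erase", e) for e in stale)
```

Every code path that touches personal data goes through `may_process`, so a restriction or a withdrawn consent takes effect immediately rather than depending on each feature remembering to check a flag.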

A bird also told me that having your data privacy game on point helps with attracting investors… Just saying 😉

What’s New In the Data Privacy World?

Lately, there have been some data privacy law developments you should know about. For starters, The European Data Protection Board (EDPB) has recently made the rules for using facial recognition much stricter. If you want to use Face ID, you better have a good reason for it. You now need a clear legal basis, strict necessity, and proportionality when using the technology.

The U.S. Federal Trade Commission (FTC) has made significant changes to the Children’s Online Privacy Protection Act (COPPA) Rule. The use of personal information for targeted advertising to children is now prohibited. If your business collects data from or about children, you might have to reassess and maybe overhaul your consent mechanisms.

In 2023, the EU and the U.S. announced a new Trans-Atlantic Data Privacy Framework. It’s extra important for businesses that work in both Europe and the U.S. By joining the new EU-U.S. Data Privacy Framework, you get a clear, legal way to transfer personal data across the vast Atlantic Ocean without breaking privacy rules.

Key Data Privacy Laws Worldwide

If you’re not strictly a local business and you’re doing business on planet Earth, the CCPA/CPRA and GDPR will most likely be your focus:

  • The California Consumer Privacy Act (CCPA/CPRA) governs the collection, use, and sharing of personal information of California residents. This law is one of the most robust data protection regulations in the U.S. and other states are beginning to follow California’s lead.
  • The General Data Protection Regulation (GDPR) of the European Union regulates the processing of personal information for people located in the EU. The GDPR is known for its strict standards; make sure to respect it!

Industry-Specific U.S. Privacy Laws

For all you freedom-loving eagles, here are some industry-specific U.S. data privacy laws:

  • HIPAA (Health Insurance Portability and Accountability Act of 1996): Covers health data privacy.
  • GLBA (Gramm-Leach-Bliley Act): Covers financial data privacy.
  • COPPA (Children’s Online Privacy Protection Act): Specific to children’s online privacy.
  • FERPA (Family Educational Rights and Privacy Act): Protects student record privacy.
  • FTC Act Section 5: Regulates privacy by prohibiting unfair practices and deceptive claims.

If you’re in any of these businesses, make sure to do your research on these laws, so you don’t get blindsided by a massive fine.

Takeaways

Let’s be honest: not all businesses are fully compliant. Just notice that on the websites you browse: not all of them show you the proper Cookie Consent forms. And these websites can still exist for years! Don’t be like them. Here’s what you should know to respect your users:

  • Businesses get fined all the time for not following data privacy laws (Sephora, Meta, CafePress, Drizly…)
  • The 7 core data privacy principles of GDPR: 1) Lawfulness, Fairness, and Transparency, 2) Purpose Limitation, 3) Data Minimization, 4) Accuracy, 5) Storage Limitation, 6) Integrity and Confidentiality, 7) Accountability
  • Data controllers make decisions about the data, and data processors simply process it. You’re most likely a data controller and you have most of the responsibility when it comes to the data you collect.
  • Personal information is anything that helps someone figure out who you are.
  • Sensitive information: social security numbers, driver’s licenses, national identifiers, health data, race/ethnicity, religious beliefs…
  • People’s rights regarding their data: Access, Copy, Deletion, Withdraw Consent, Correction, Restriction, Opt-out
  • Be careful when it comes to facial recognition.
  • Possibly overhaul your consent-gathering system for children
  • If you’re operating in the EU and the US, the Trans-Atlantic Data Privacy Framework can help you comply with all the necessary laws.
  • Remember to look for industry-specific laws regarding data privacy!

I cannot state this enough – do your OWN research. These things are important and they can ruin your business. Don’t blindly trust anyone on the Internet (not even the Eightception blog)!
