"Privacy by Design": A Key Concern for VCs and Start-Ups

(co-authored by Nicole Friess, Esq.)

The privacy landscape appears to be shifting toward a model that promotes greater consumer awareness of and control over data. Reflecting its consumer protection mission, the FTC’s Protecting Consumer Privacy in an Era of Rapid Change issued December 1, 2010 urges companies to adopt a "privacy by design" approach. Senators John Kerry (D-MA) and John McCain (R-AZ) introduced their "Commercial Privacy Bill of Rights" which adopts some of the FTC’s privacy by design principles, requiring companies to implement privacy protections when developing their products and services. The foundational principles of privacy by design, originally developed by Information and Privacy Commissioner of Canada Ann Cavoukian, address the effects of increasing complexity of data usage. With data now ubiquitously available, as well as processed and stored on a multinational level, privacy by design is becoming internationally recognized as fundamental for the protection of privacy and data integrity.

Although privacy by design isn’t set in stone (yet), start-up companies seeking to collect and use personal information as part of their business plan may want to consider incorporating privacy by design into their everyday business practices. Similarly, as part of their due diligence process, venture capital firms scrutinizing startups seeking to leverage personal information would be well-advised to determine if privacy is being “baked into” into the products and services being offered by such startups. It may be both difficult and costly for companies to implement privacy protections retroactively if privacy concerns are overlooked during the early stages of business planning. Start-ups have the advantage of building privacy protections into their business models from the outset, which can keep those companies out of trouble in the form of litigation or agency enforcement. Privacy-conscious VCs will be more inclined to fund start-ups that reduce risk by proactively address privacy issues and potential liability. In turn, VCs that scrutinize whether privacy is part of a start-up’s business plan will be able to better protect their investment (and their investors).

So what does privacy by design mean? How can start-up companies incorporate privacy by design principles into their business practices to attract VC funding? How should privacy and security legal risks (and solutions) be written into a start-up’s business plan? This post tries to answer these questions.

Step 1 - Understand Your Business Model.

Privacy by design advances the view that privacy assurance should be companies’ default mode of operation. To build privacy protections into a business model, organizations (particularly entrepreneurs seeking VC funding) should know their business models better than anyone else. Companies must understand how they will interact with consumers at every step of each transaction when products and services are under development. From consumer solicitation to the sale of products or services, an entrepreneur should consider evaluating whether and how his or her company collects, maintains, shares, or otherwise uses consumer data. Entrepreneurs may want to conduct a run-down of any and all data involved in their business transactions, including personal consumer data (names, addresses, credit card information, etc.) as well as any other information that can be linked to a specific consumer, computer, or other device. A keen understanding of the technology used by the start-up is also crucial as the functionality provided by such technology (or the lack of certain functionalities) may impact privacy, including the ability of consumers to make decisions about their personal information. By understanding the data and technology involved at each step of the way, entrepreneurs will be more likely to spot potential risks their companies face. Companies that fully understand the scope of the data they collect and how that data is handled will be in better positions to address consumer concerns and respond to objections. Most importantly, they will be in a better position to address legal requirements and build privacy into their products and services from the outset.

Step 2: Understand Your Market.

Really understanding your business model also means understanding the market - including the wants and needs of target consumers and the privacy-related activities of similarly situated companies. Consumers are increasingly wary of privacy issues triggered by their online participation. Start-ups may want to tailor their approach to privacy issues based on their target audience, as various studies show that different subsets of the population may have different privacy expectations and concerns.

For example, a Webroot study concluded that mobile device users over the age of 39 are more concerned about the possible risks associated with geolocation tools compared to 18- to 39-year-olds. Teens may be beginning to respond to privacy concerns on online – TRUSTe found that about 64% of teens use privacy controls on social networks. The platform for personal information collection, storage and processing may also impact the scope of consumer concerns. A new report from the market research firm Nielsen confirms that many Americans have strong concerns about losing some privacy by using location-based mobile services. According to the report, 59 percent of women and 52 percent of men reported having privacy concerns with location-based services and check-in apps. Only 8 percent of women and 12 percent of men reported that they are not concerned with the privacy implications of location-based services and check-in apps.

Consumer outcry and regulatory pressure have forced companies such as Facebook and Google to change their practices, offering consumers privacy controls that are simpler and easier to use. However, while many studies and surveys conclude that people are worried about privacy, people continue to use social media sites, location-based apps, and check-in services despite their concerns. From a market point of view, it’s important for companies to attempt to determine the privacy protections consumers want, as well as what practices may be deemed invasive and “over the line” which could result in backlash.

Determining whether products and services are “over the line” is also valuable for attracting business deals and securing investments. According to a report by the Ponemon Institute, privacy issues have prompted marketers to use online behavioral advertising 75% less than they would otherwise. However, in a previous post we noted that despite consumer concerns, Internet tracking companies continue to secure new investments from VC firms. Recently, a Wall Street Journal article noted that VCs in Silicon Valley are dumping money into social start-ups promoting mobile apps. If they haven’t already, VCs may begin to factor privacy concerns into their due diligence process to avoid future consumer and agency backlash that could potentially devalue their investments. As such, incorporating privacy by design - assessing privacy issues and implementing privacy protections every step of the way – may help attract funding and avoid potential liability.

Understanding the market also means understanding the competition. From start-ups to major market players, many companies are offering privacy protective products and services in response to consumer demand. Companies should conduct thorough due diligence regarding the data practices of established, similarly-situated companies. And a thorough understanding of the market isn’t only about evaluating competitors that exist today – companies would be wise to consider what potential business combinations could become competitors in the future.

Step 3 – Understand the Legal Risk Environment.

Keeping tabs on the privacy legal landscape is important for companies and investors looking to capitalize on consumer demand, particularly those interested in tapping into online markets. Additionally, agency enforcement is on the rise. As such, researching the legal and regulatory environment is a crucial part of due diligence for entrepreneurs and VCs alike.

Multiple privacy bills from both the House and the Senate have recently been introduced. In February, Representative Jackie Speier (D-CA) introduced the “Do Not Track Me Online Act of 2011” that would give the FTC authority to establish an online do-not-track system, giving consumers the ability to prevent the collection and use of data on their online activities. Senators John Kerry (D-MA) and John McCain (R-AZ) introduced the “Commercial Privacy Bill of Rights Act of 2011” in April, which would give the FTC significant authority to create rules as to how businesses collect, use, transfer and maintain personal information (for a summary of the bill, click HERE). This month, Senator Jay Rockefeller (D-WV) introduced the “Do-Not-Track Online Act of 2011,” which would create a "universal legal obligation" for companies to honor users' opt-out requests on the Internet and mobile devices, and would give the FTC the power to take action against companies that don't comply. Also this month, Representatives Edward J. Markey (D-MA) and Joe Barton (R-TX) introduced a draft of the “Do Not Track Kids Act of 2011” which would prohibit companies from tracking children on the Internet without parental consent, restrict online marketing to minors and require an "Eraser Button" that would allow parents to eliminate kids' personal information already online. An underlying policy of all of this proposed legislation is the idea that companies should be required to give consumers more notice about the information that is being collected about them, as well as the ability to control such collection.

While much attention has been given to privacy and security legislation at the federal level, there has been a renewed sense of vigor on the state level as well. The privacy legal risk environment is constantly in flux, and the state of law may vary by jurisdiction. For example, Hawaii’s information privacy proposed bill would require breached entities to provide credit monitoring and call center services to impacted individuals. In Colorado, a proposed bill takes a new approach to incentivizing companies to implement good security (for a summary of the bill, click HERE).

This year has also seen an explosion of privacy-related litigation (the RockYou data breach litigation, Amazon privacy litigation, suits involving online tracking, cookies, history sniffing, etc.) as well as agency enforcement actions (Playdom, Google Buzz, Ceridian/Lookout, GunnAllen, etc.). The end results of agency enforcement and privacy-related lawsuits are bound to impact what the government and the public considered “acceptable” from a privacy point of view.

It can be difficult and time-consuming to navigate the legal and regulatory privacy environment, and companies are encouraged to seek the advice of experts to identify potential privacy legal risks. In many cases, to proactively address privacy concerns, it requires careful analysis and prognostication based on the bills, laws, lawsuits and regulatory actions that are in play. Oftentimes, after careful analysis, potential trends and commonalities can be gleaned that can help companies anticipate where the privacy legal environment is going. If the legal risks are identified early and companies keep up-to-date regarding their responsibilities, mechanisms can be built into products and services to allow for compliance with the current legal framework. For example, building in consumer opt-outs of data collection and honoring such requests, as well as encrypting any sensitive personal information collected, are proactive measures that may be used to provide companies with flexibility to adjust to changing legal requirements.

Step 4 – Integrate Privacy by Design.

It’s easier to tailor privacy and security protections to a company’s everyday business practices, products and services once the company has a comprehensive understanding of its business model. the market and legal compliance requirements. It is much easier for a startup company to undertake this exercise at the outset of its business planning and product/service development. As part of its privacy by design framework, the FTC urges companies to systematically consider four substantive privacy protections at all stages of the design and development of their products and services:

Data Collection. One key principle of privacy by design is that companies should automatically protect any consumer data handled by default. However a company chooses to handle consumer data, it may want to consider mechanisms that enable consumers to opt-out or opt-in of data collection practices (even if those mechanisms are not implemented from the outset). Doing so early will decrease the burden of regulatory compliance if offering opt-in or opt-out consent becomes mandatory. Another key principle of privacy by design encourages companies to handle data in a way that is visible and transparent to the consumer, and that allows companies to honor any representations they make to consumers about their business practices. The FTC has increasingly enforced this principle, settling privacy enforcement actions with Twitter and Chitika for deceptive business practices and with Ceridian and Lookout Services for unfair business practices for failing to safeguard personal employee information, among others. Companies are advised to implement data security protocols and privacy policies and to address the concerns of their consumers. Companies can avoid regulatory enforcement by understanding their commitments to protect consumer privacy, being transparent about their business practices, and adhering to their policies and procedures.

The FTC also emphasizes “minimization” – under this concept, the only consumer data that a company should collect is that which is needed to accomplish legitimate business goals. If a company has internal systems and networks, it should consider whether data is routinely saved by default if there is no legitimate business need to do so. By limiting the scope and amount of consumer data collected, companies reduce potential harms that can result in the event of a breach. The information companies need to collect wholly depends on their business model and the consumer data needed to make it work.

Security for Consumer Data. Many companies that conduct internal evaluations of their data practices will conclude that they maintain consumer data in one form or another. Companies that maintain consumer data can proactively employ physical, technical, and administrative safeguards to protect that information. As the FTC notes, the level of security required depends on the sensitivity of the data a company maintains, the size and nature of a company’s business operations, and the types of risks a company faces. A number of federal and state laws require companies to actively protect the data they maintain, and the FTC is increasingly bringing enforcement actions against companies for their failure to do so.

Maintaining adequate security for consumer data helps companies avoid potential lawsuits and FTC enforcement actions in the event of a breach, and mitigates other attendant consequences such as lost productivity and service interruptions. It also helps reduce the possibility that the enormous costs of responding to a breach will be incurred. Symantec Corporation and the Ponemon Institute estimate that the average organizational cost of a data breach in 2010 was $7.2 million and cost companies an average of $214 per compromised record.

To prevent security breaches, data loss, and other headaches, companies can proactively assess their baseline security measures. Again, a company’s thorough understanding of its business model is key in identifying potential protection gaps. Entrepreneurs and established market players alike would be wise to inventory their information assets, and understand where those assets are stored and how they’re accessed. Start-up companies can attempt to forecast their need for antivirus software, firewalls, virtual private networks (VPNs), and intrusion prevention mechanisms to protect their information assets in the face of internal and external risks. The FTC advises companies to use privacy-enhancing technologies such as identity management, data tagging tools, and Transport Layer Security/Secure Sockets Layer (“TLS/SSL”) or other encryption technologies, particularly if a company is handling sensitive consumer data. Start-ups may want to consider their plans for growth and assess whether their network security measures will be able to accommodate increased network traffic or advanced applications without disrupting service.

Data Accuracy. Privacy by design emphasizes that companies should strive to collect accurate consumer data, and that companies ought to implement mechanisms so that consumers can correct the information that companies collect about them, particularly when sensitive data is involved. Kerry and McCain’s "Commercial Privacy Bill of Rights" would require companies that collect data to provide individuals either the ability to access and correct their information, or to request cessation of its use and distribution. Regardless of whether such a requirement is codified, companies - particularly start-ups – may want to anticipate and plan for data correction procedures as well as any attendant costs.

Data Retention and Disposal. Companies can retain data for increasingly long periods of time due to the dramatically decreasing cost of data storage. A concern shared by the FTC and privacy advocates is that companies that retain data for long periods of time invent new, secondary uses for the data that consumers didn’t anticipate when they provided the data in the first place. To promote transparency and consumer notice, companies are encouraged to retain consumer data for only as long as they have a specific business need to do so. Companies are also encouraged to safely dispose of data no longer being used to further a specific business need. The "Do-Not-Track Online Act of 2011" would require online companies to destroy or anonymize personal information after it's no longer needed. We have already seen the concept of limited data retention becoming a regulatory principle in the European Union.

Conclusion

As consumers express an increased demand for privacy protections, entrepreneurs should ask themselves if their products and services provide consumers with notice and choice as to how their data is collected and handled, and tailor their business practices accordingly. Companies are wise to understand their business model and the market in order to tailor their products and services accordingly.

Consumer outcry has caused companies such as Google and Facebook to retroactively change their privacy practices – a process than can be costly with unnecessary attendant negative publicity. Anticipating and preventing privacy violations before they happen mitigates the risk such invasions will occur as well as the costs of remediation. This means having a thorough understanding of the privacy legal risk environment. Doing so is difficult as the environment is in upheaval, therefore companies would be wise to seek professional advice to navigate the legal and regulatory landscape at both the state and federal level.

A start-up company has the advantage of being able to develop and implement a privacy program early, and bake privacy into the design of their products and services, thereby ensuring that these substantive privacy protections become a foundational part of its business model. Employees can be trained early regarding the need for privacy and network security, which helps foster a consumer-protective enterprise culture. Privacy by design makes privacy an essential component of the core product or service a company delivers. Spotting privacy issues and addressing concerns before launch aligns products and services with consumer expectations and can save everyone – entrepreneurs and VCs alike – from future headaches.