Privacy Law Compliance for New Start-Ups

New start-ups must comply with certain privacy laws. Understanding what these compliance requirements are and how they apply to your business can be challenging.

Privacy law compliance is the steps that a company takes to meet its regulatory and legal requirements for processing, handling, capturing, and storing personal data.

We're going to take you through exactly what you need to know to get started.

You won't be expected to comply with every privacy law out there (for example, not every start-up will need to comply with the EU's General Data Protection Regulation because it doesn't apply in their territory) but you should still understand the rules that apply just in case your business changes.

Privacy law compliance matters. Mishandling the data entrusted to you by your customers and other individuals can:

• Damage your company's reputation
• Result in lawsuits or fines
• Irreparably damage your business

Understanding your compliance requirements now saves you time, hassle, and resources down the line.

So, now that we're clear on why compliance matters, let's explore privacy law compliance for new start-ups in more detail.

Terms You Should Understand

It's important that you understand what these 5 key privacy terms mean before we go any further, since we'll use these words and phrases throughout the article.

Personal Information

Personal information is any data at all, whether it's a name or email address, that identifies a particular person. Most companies gather some form of personal data from site visitors, even if it's just their IP address.

If you handle any personal data, you must safeguard it and comply with privacy laws.

Consent

You need someone's clear, obvious, and informed consent to certain types of personal data processing, such as capturing email addresses for marketing purposes.

Consent, whenever it's necessary, must be freely given. If a consumer feels "bullied" into agreement, it's invalid consent.

Article 4 of the GDPR contains a useful definition:

Data Protection

Data protection is how you safeguard personal information. It's the processes you use to protect data. It's part of your overall privacy law compliance requirements.

Data Controller

The data controller is the company that collects the personal data in the first place. In other words, the start-up is the data controller.

Data Processor

A data processor is a company that processes data for a certain purpose e.g. a payment processor. The controller supplies them with the information they need to process the data.

The Key Privacy Laws You Should Know About

There are 5 privacy laws in particular that you may need to comply with, depending on where in the world you do business.

General Data Protection Regulation (GDPR)

The EU's GDPR is the most detailed privacy law in the world. It confers many rights on EU citizens, and it strictly regulates how companies capture, process, or handle data.

Informed consent underpins the GDPR. Individuals have the right to know why you need their data, what you plan on doing with it, and how long you'll hold it for.

Personal Information Protection and Electronic Documents Act (PIPEDA)

If you're a commercial business and you handle personal data belonging to a Canadian citizen, you're bound by PIPEDA's terms.

In short, you must safeguard personal data even if you're only handling it. You don't need to be storing or recording it to trigger the Act.

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act, or CCPA, is one of the world's most comprehensive privacy laws. The CCPA gives Californian citizens the right to:

• Opt out of marketing
• Ask companies to delete their personal information

So, if you want to target Californian citizens, you need to get familiar with the CCPA.

Stop Hacks and Improve Electronic Data Security Act (SHIELD)

New York's SHIELD Act protects private data belonging to New York residents.

If you hold any personal information from a New York resident, whether it's a name or a passport number, you must abide by the SHIELD Act terms. You must also report data breaches to affected individuals.

Australian Privacy Act (APA)

If you're based in Australia, or plan on doing business in Australia, you must comply with the AU Privacy Act.

The Act confers various privacy rights on Australians and gives them control over what companies can do with their personal information.

Regardless of what privacy laws apply, there are a few steps you'll need to work through to ensure your start-up is secure and data protection compliant. Let's work through them.

Conducting a Data Audit

First, perform a data audit. The lists provided are non-exhaustive, but you should identify the following:

What Data You Collect

• Names
• Addresses
• Telephone Numbers
• Payment Details

Where it Comes From

• Server logs
• Email correspondence
• Telephone enquiries
• Web forms

Who You Share it With

• Third parties e.g. marketing companies
• Data processors

Who Can Access it

• Managers
• Employees

How it Moves Around Your Company

• Cloud
• Internet
• Laptops and PCs
• Filing cabinets
• Server
• Mail room

Once you've completed your audit, you can move on to the next step.

Determine Your Lawful Basis

You should only ever capture as much sensitive data as you need to complete a specific task.

So, ask yourself:

• Why am I collecting this information?
• How long do I need it for?
• What will I do with it once it's no longer necessary?
• If the customer asks me why I've got this data, do I have an answer?

Having a "lawful basis" for collecting personal data is mandatory for GDPR compliance. We'll look at this in more detail further down.

Data Security

It's your responsibility to keep personal data safe from the moment it's received to the moment it's deleted. So, you must understand what data you're handling and what happens to it once it's in your possession.

To get started, you might want to consider:

• Investing in antivirus and antispyware software for your devices
• Setting up password-protected WiFi
• Network monitoring
• File encryption
• CCTV and other onsite security
• Secure filing cabinets and door access codes

Staff Training

You need a process for ensuring that staff:

• Understand their data protection and compliance responsibilities
• Know who to contact if they have any questions or concerns

Cyber threats and hacking attempts evolve constantly. Ensure that your staff know how to recognise the latest threats and that they:

• Use strong passwords
• Change passwords regularly
• Lock their computer and personal devices if they're away from their desk or workspace

If you plan on allowing staff to work remotely, ensure that they know how to protect business and customer data. Files should be encrypted where possible.

Responding to Data Breaches

No matter which privacy laws apply, every company must have basic procedures in place for:

• Identifying data breaches
• Reporting these breaches to relevant parties
• Mitigating the damage
• Reducing the risk of data breaches occurring

So, how do you deal with data breaches effectively? You need an incident response plan.

Incident Response Plan

The incident response plan is a roadmap for handling data breaches and major data loss. Every plan should include:

• A summary of the main threats facing the business
• Details for a designated point of contact (this can be a single person or an incident response team, depending on the size or complexity of your business)
• Guidance for communicating with affected individuals
• Guidelines for preventing data breaches

The steps you take need only be proportionate to:

• The size of your company
• The financial consequences of a breach
• The risk posed to affected individuals

No one expects a commercial start-up to have the same incident response plan as a multinational financial corporation. But you must have something in place.

Your Privacy Policy

Every company that handles personal data must draft and publish a Privacy Policy on its website. It's the most important document to link to on your website if you collect any personal data at all.

The Policy should be clear, concise, and accessible. At a minimum, this means putting a link to your Privacy Policy in the website footer, like Topshop does here:

Although every company is different, you need a few basic clauses to have a legally compliant Privacy Policy.

Include clauses outlining:

• Your company name and contact details
• The data you collect
• Reason for data collection
• How you use the data
• Who you share the data with e.g. third parties
• How users can revoke consent to data collection or storage
• How users can access the information you store on them and amend it if it's incorrect

When you're drafting your Policy, explain things clearly and ensure that visitors understand what they're agreeing to.

Your Cookie Policy

You need a Cookie Policy if you use cookie technology to capture and store someone's personal information.

There's no need to draft an entirely separate document for this. It's completely fine to include your Cookie Policy as part of the Privacy Policy, like Sage does:

Your Cookie Policy must:

• Declare that you use cookies
• Define what cookies are
• Explain what cookies you use, and why
• Set out how visitors can reject cookies, particularly advertising or analytics cookies

Assume that your customers don't know what cookies are. Explain how cookies work, and why you use them, in simple, jargon-free language.

Post your Cookies Policy the same way you post your Privacy Policy: Conspicuously and in an easy-to-find place on your website or mobile app.

Your Terms and Conditions Agreement

Terms and Conditions agreements set out the rules for how people must use your website, app or platform. It's basically your user guidelines document.

Why are your Terms and Conditions relevant for privacy purposes? Because you should place links to your key Privacy Policies, including your Cookie Policy, within the Terms. This makes it easier for customers to view all your legal terms from one central location.

Briefly, your Terms and Conditions should set out:

• What services you provide
• Your IP rights
• Acceptable and prohibited behavior
• Limitation of liability disclaimer
• Which laws govern the agreement e.g. Canadian law, U.S. state law

Your Return and Refund Policy

If you're running an ecommerce store, or you plan on selling goods as part of your business, you should have a Return and Refund Policy.

This Policy sets out:

• When customers can return items
• The returns and exchange process
• Shipping terms for returned items
• Who is responsible if goods are damaged or lost in transit
• Who pays the shipping cost of returning items
• When you won't offer a refund or exchange
• How long a customer has to cancel their order

Every start-up needs to build a loyal customer base and establish a good reputation.

Some Returns Policies are extremely short, like this one from Black Butterfly Clothing:

Others, like FLEO's Return Policy, specify occasions when all sales are final and other conditions of returns:

You must always consider the privacy implications of:

• Emailing and contacting customers
• Handling parcels (parcel labels have names and addresses on them)

Privacy law compliance, then, affects every area of your business.

Your End-User License Agreement (EULA)

If you plan on letting users download programs for their own use, you need an End User License Agreement (EULA). You need to collect some personal data to let people download software, so the EULA is relevant for privacy law compliance.

Your EULA should specify that:

• You retain all ownership and IP rights over the software
• You can revoke the license at any time
• You're not liable for what happens to a user's machine when they download your software
• You don't warrant that the user will enjoy the product or find it useful

There's no need for every business to have an EULA. You only need it if you're giving people a license to use software.

So far we've covered how start-ups can comply with general privacy laws. If you need to comply with the GDPR, there are some more specific rules and regulations you must understand.

GDPR Compliance for Start-Ups

Remember that if you're drawing visitors from the EU, or you're based in the EU, you must comply with the General Data Protection Regulation.

The GDPR establishes 6 basic principles for processing personal data, and it confers 8 specific rights on EU citizens.

Principles for Processing Data

"Processing" data under the GDPR essentially covers everything from collecting data to storing it. You can find the GDPR's 6 principles in Chapter 2, Article 5:

You should only ever process personal data:

• Lawfully and transparently
• For a legitimate, specified purpose
• To the extent necessary (i.e. don't go beyond the specific purpose you set out)
• That you actually need (e.g. you don't need a home address to send out an email newsletter)
• In a way that you can store it securely
• With confidentiality in mind at all times

What this all basically means is that you should:

• Understand why you need personal data
• Communicate this reason to individuals
• Process it safely and securely, and in line with the purpose you set out

Individual Rights

The 6 principles form the basis of your obligations. The 8 GDPR rights granted to EU citizens should be read alongside these obligations. You can find them in Chapter 3 of the GDPR:

EU citizens have the right to:

• Access whatever data you hold on them
• Know what data you're collecting, and why
• Amend the data
• Receive a copy of the data in an accessible format
• Ask you to delete the data (i.e. "the right to be forgotten")
• Refuse being subject to a decision made on an automated basis
• Object to marketing
• Request that you stop processing their data (i.e. you can still store it but you can't use it)

So, the basic premise is that every EU citizen has full control over what happens to their personal information. But how do you comply with these rights and fulfill your obligations?

Here are the steps you should work through.

Data Identification

First, set out exactly what data you're handling, collecting, storing, and processing. Then, confirm whether you're a data processor or a data controller.

• If you're determining why data is collected and you have a direct relationship with customers, you're a data controller. An example is an ecommerce store.
• If you process data on behalf of another company, you're a data processor. An example is a cloud service provider.

If you're a controller, Article 24 of the GDPR applies. You're responsible for implementing adequate safeguards to protect the personal data you capture, and you should be able to demonstrate this compliance if requested.

If you're a processor, under Article 28 you can only process data for specified purposes set out by the controller. You still have a duty to safeguard data in your possession and keep it confidential.

Your Lawful Basis

Next, you need to identify your lawful basis for capturing or storing the data in the first place. Establishing the lawful basis and communicating this basis to the customer is critical to GDPR compliance for new start-ups.

So, what is a "lawful basis?" It's defined in Article 6 of the GDPR, but basically processing is lawful if:

• The individual gives their consent to you using their data in a particular way
• The processing is necessary to fulfill a contract between you and the customer
• It's in the public interest, or it's necessary to protect the individual in some significant way

For example, Waterstones specifically states that it collects personal information to complete its contract with the customer:

Gymshark sets out the data it collects and its lawful basis in a handy table form:

It doesn't matter how you set out the lawful basis, so long as it's clear and easily understood by the customer.

Getting Consent

If you're collecting data for marketing, tracking, or analytics purposes, you will need the individual's consent.

Consent under the GDPR must be:

• Freely given
• Clear
• Informed

In other words, the user should take a positive step to consent to data processing. Implied consent isn't sufficient under the GDPR.

So, how do you get express consent? You can use checkboxes or buttons at points where you collect data, including:

• Before you use cookies (i.e. on your landing page)
• Account registration
• Checkout screens
• Newsletter signups

In other words, use clickwrap agreements. Here are some examples.

Retailer Everlane uses a checkbox to get consent for marketing communications at account registration:

And fashion startup Balance Athletica uses a "Got It" button to get consent to cookie use:

Bottom line: If you want to collect personal data for nonessential purposes, you need express consent. For more examples, take a look at our article Examples of "I Agree to Privacy Policy" Checkboxes.

Privacy and Cookie Policy

The GDPR sets out Privacy Policy requirements in Article 13, but basically you should include clauses on what data you collect, why you collect it, your legal basis for processing it, and who you share it with.

Most importantly, every GDPR-compliant Privacy Policy must declare that customers have rights under GDPR and set out how they can exercise these rights.

Levi's sets these rights out in clear bullet points:

Just below this clause, they explain how to exercise these rights:

For a Cookies Policy or Cookie Notice within the Privacy Policy, the same principles apply. You need consent for using any nonessential cookies, i.e. marketing and analytics cookies, and you should set out a user's choices in your Policy.

Let's look at two case studies to see GDPR compliance in action.

Example: Moderna

Moderna is a medical startup. When you first land on the homepage, there's a popup banner with an "I accept" button for cookie consent:

Moderna publishes a link to its Privacy Policy in the website footer:

Within the Privacy Policy, personal data is defined and it's disclosed that the company:

• Processes it fairly
• Collects it legally, and with a lawful basis
• Keeps data up-to-date
• Stores it for only as long as it's needed

Moderna states that it shares personal information with third parties if users consent to marketing communications:

Then, what cookies are used and why is set out, and how users can amend their cookie settings or revoke consent:

There's an entire section of the Privacy Policy dedicated to EU citizens. Moderna confirms that it's a data controller, and it names its data processor. It confirms that EU citizens have additional rights over their personal data when it comes to third party transfer:

Example: Everlane

Let's look at some different clauses from another startup, Everlane.

Along the website footer, Everlane has links to its Privacy Policy, Terms of Use, and Returns Policy:

Once Everlane sets out what personal data it collects, it explains how it uses it, thus establishing its lawful basis:

The Privacy Policy also confirms that the company uses cookies, and what data these cookies collect:

There's a lengthy section dedicated to empowering users and giving them information on their various data protection rights.

Within this section, Everlane specifies, for example, that EU citizens have a right to complain to their local authority about how Everlane handles their data:

Conclusion

Every startup that collects any personal data at all must comply with various privacy laws. Essentially, you must:

• Confirm what data you gather, and whether you'll use cookies
• Establish your lawful basis for collecting and using data
• Devise a strategy for processing this data safely and storing it securely
• Get consent before capturing personal information for marketing or other unnecessary purposes
• Have a process for reporting data breaches and mitigating the associated risks

If you plan on doing business with EU citizens, you must comply with the EU's General Data Protection Regulation. This means you need:

• "Unchecked" checkboxes or clear "I Agree" buttons to get consent to handling personal data. Implied consent or a "checked" checkbox isn't acceptable.
• Clear consent before sending out marketing emails or other communications forms
• Processes for deleting personal information if someone requests it
• A Privacy Policy that sets out what specific rights someone has over their information, and how they can exercise these rights