Data privacy laws can be daunting for emerging companies.  The regulatory landscape is constantly evolving and news reports are filled with stories of lawsuits, fines and penalties for non-compliance.  With a better understanding of the types and volume of personal data collected and processed as part of its business and how such data flows to any third parties, an emerging company can better understand the data privacy laws that may apply to it and focus its compliance efforts in a meaningful way.  This article sets forth a roadmap that an emerging company can follow to better understand and mitigate the risk associated with data privacy.

As an important note, data privacy laws can apply regardless of the size of the company. Whether an emerging company only collects employee personal data for internal business purposes or profiles individual consumers for marketing initiatives or analytics purposes, some amount of data processed by the company is likely subject to data privacy laws.  By prioritizing compliance with these laws, emerging companies will effectively minimize risk, build the consumer trust necessary to grow and scale, and develop appropriate internal infrastructure and processes at the outset to protect the company’s investment.

Compile a Data Map

An emerging company should inventory the data it collects or manages by finding each point, whether through its website or offline, where the company collects personal data from individuals, including its employees.  At each point of collection, the company should determine the categories of personal data that are collected from individuals, the reason for collecting such personal data, and the retention periods for such personal data.  If the company collects sensitive information such as credit card information or race, genetic data, or health data, it may be subject to additional obligations under applicable law. This assessment should also be done with respect to third parties collecting personal data of individuals or employees on the company’s behalf.  For example, if the company uses a third-party provider who sets cookies or other tracking technologies on the company’s website, this would also be a collection of personal data.

Companies may assume that if they are only collecting data in the U.S. or within a certain state, no other foreign data privacy law can apply; however, the applicability of data privacy laws often hinges on the location of the individual whose personal data is being collected.  For example, a company can be subject to the European Union’s General Data Protection Regulation (GDPR) even if the company does not have a physical location in the EU, as long as the company has minimum contacts in that location (i.e., marketing its products or services or monitoring behavior in the individual’s jurisdiction).  For specific U.S. state data privacy laws, like the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), the volume of data collection or revenue requirements must be met for the law to apply to a company.

Prepare and Update Privacy and Security Policies

Essential among data privacy laws is the requirement to give individuals transparency into, and control over, their data.  In the U.S., several state and federal laws require a privacy policy to be presented to consumers at the point of data collection.  The privacy policy should be clear and tailored to the company’s collection and use of personal data.  This requirement means that a company must have a privacy policy posted on its website when it collects personal data from individuals, even if the only collection is tracking user activity.  As an offline example, companies should also present a privacy policy to prospective and current employees when collecting their information in person.  Privacy policies must also designate the categories of third parties with which the company shares any personal data and the purposes of that sharing.

Privacy policies are also required to notify individuals of any rights they may have under applicable law with respect to their data.  For example, the CCPA and the CPRA provide individuals with several rights in how their data is used, including the right to delete their information and the right to opt out of a company’s sale of their information. The entirety of these rights needs to be outlined in the company’s privacy policy, along with the means the company provides for the individuals (i.e., data subjects) to exercise those rights.

Companies should also have written information security policies in place, detailing the security practices and measures that are maintained to safeguard company information and IT systems, personal data and intellectual property against unauthorized disclosure, loss or modification and ensure integrity and accessibility of such systems and data by the company when needed. These policies should also include any other security standards required of the company depending upon the types of personal data it collects and any applicable industry standards (i.e., Health Insurance Portability and Accountability Act).

Plan for Data Subject Requests

As previously mentioned, several data subject rights are afforded to individuals that differ slightly based on applicable law.  Emerging companies must plan how to respond to data subject requests, whether that is through internal processes or through a third-party service provider hired to handle these requests.  Data privacy laws include rigid timelines on when requests must be initially responded to and also resolved by the requested company. Companies should ensure the processes they have in place are meeting those required timelines.  Even if data subject requests are not included in the laws applicable to the company or to the individuals’ data it collects, the company should still determine how it will handle responding to any requests that it may receive from ineligible individuals.  

Manage Third-Party Relationships

As a matter of good business practice and to comply with data privacy laws, emerging companies should ensure that any contract entered into with third parties has sufficient protections related to data privacy and security, including contractual restrictions and terms required by data-protection laws.  These protections typically require a minimum level of security of any sensitive data stored by a third party on the company’s behalf and place restrictions on how third parties may use any personal information that the company provides.  Some data privacy laws require additional contractual obligations on service providers, like the commitment for service providers to honor data subject requests related to personal data in the service provider’s possession.  Even if these specific third-party contract requirements are not currently applicable to the company, the company should proactively include these requirements both to safeguard its data and to comply with these requirements to the extent they become applicable to the company in the future.


While the above offers a brief overview of key privacy considerations for emerging companies, this overview does not include several other privacy or data security-related laws that may apply to a company’s business, and new data privacy laws are being passed or proposed each year.  In addition to the above, companies must also keep in mind compliance with state data breach notification laws, the growing number of data privacy laws in other U.S. states (with more proposed in the near future), and certain consumer protection laws (e.g., the Telephone Consumer Protection Act of 1991 and the Telemarketing and Consumer Fraud and Abuse Prevention Act).

For further questions or information regarding your business’s compliance with data privacy laws, please contact one of the authors.

Series: Key Considerations for Emerging Companies

Early-stage companies have particular legal needs. Bass, Berry & Sims has advised such companies at all phases, from startup to IPO. Our Emerging Companies Practice Group is releasing a “Key Considerations” series, in which we will share our experience by outlining the most critical factors a company should consider in the most relevant subject areas. Previous installments in our series focused on:

Keep an eye out for future installments in this series.