Data privacy laws can be daunting for emerging companies. The regulatory landscape is constantly evolving and news reports are filled with stories of lawsuits, fines and penalties for non-compliance. With a better understanding of the types and volume of personal data collected and processed as part of its business and how such data flows to any third parties, an emerging company can better understand the data privacy laws that may apply to it and focus its compliance efforts in a meaningful way. This article sets forth a roadmap that an emerging company can follow to better understand and mitigate the risk associated with data privacy.
As an important note, data privacy laws can apply regardless of the size of the company. Whether an emerging company only collects employee personal data for internal business purposes or profiles individual consumers for marketing initiatives or analytics purposes, some amount of data processed by the company is likely subject to data privacy laws. By prioritizing compliance with these laws, emerging companies will effectively minimize risk, build consumer trust necessary to grow and scale and develop appropriate internal infrastructure and processes at the outset to protect the company’s investment.
Compile a Data Map
Emerging companies should inventory the data it collects or manages by finding each point, whether through its website or offline, where the company collects personal data from individuals, including its employees. At each point of collection, the company should determine the types of personal data categories that are collected from individuals, the reason for collecting such personal data, and retention periods for such personal data. If the company collects sensitive information such as credit card information or race, genetic data, or health data, it may be subject to additional obligations under applicable law. This assessment should also be done with respect to third parties collecting personal data of individuals or employees on the company’s behalf. For example, if the company uses a third-party provider who sets cookies or other tracking technologies on the company’s website, this would also be a collection of personal data.
Companies may assume that if they are only collecting data in the U.S. or within a certain state, no other foreign data privacy law can apply; however, the applicability of data privacy laws often hinges on the location of the individual whose personal data is being collected. For example, a company can be subject to the European Union’s General Data Protection Regulation (GDPR) even if the company does not have a physical location in the EU, as long as the company has minimum contacts in that location (i.e., marketing its products or services or monitoring behavior in the individual’s jurisdiction). For specific U.S. state data privacy laws, like the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), the volume of data collection or revenue requirements must be met for the law to apply to a company.
Prepare and Update Privacy and Security Policies
Companies should also have written information security policies in place, detailing the security practices and measures that are maintained to safeguard company information and IT systems, personal data and intellectual property against unauthorized disclosure, loss or modification and ensure integrity and accessibility of such systems and data by the company when needed. These policies should also include any other security standards required of the company depending upon the types of personal data it collects and any applicable industry standards (i.e., Health Insurance Portability and Accountability Act).
Plan for Data Subject Requests
As previously mentioned, several data subject rights are afforded to individuals that differ slightly based on applicable law. Emerging companies must plan how to respond to data subject requests, whether that is through internal processes or through a third-party service provider hired to handle these requests. Data privacy laws include rigid timelines on when requests must be initially responded to and also resolved by the requested company. Companies should ensure the processes they have in place are meeting those required timelines. Even if data subject requests are not included in the laws applicable to the company or to the individuals’ data it collects, the company should still determine how it will handle responding to any requests that it may receive from ineligible individuals.
Manage Third-Party Relationships
As a matter of good business practice and to comply with data privacy laws, emerging companies should ensure that any contract entered into with third parties has sufficient protections related to data privacy and security, including contractual restrictions and terms required by data-protection laws. These protections typically require a minimum level of security of any sensitive data stored by a third party on the company’s behalf and place restrictions on how third parties may use any personal information that the company provides. Some data privacy laws require additional contractual obligations on service providers, like the commitment for service providers to honor data subject requests related to personal data in the service provider’s possession. Even if these specific third-party contract requirements are not currently applicable to the company, the company should proactively include these requirements both to safeguard its data and to comply with these requirements to the extent they become applicable to the company in the future.
While the above offers a brief overview of key privacy considerations for emerging companies, this overview does not include several other privacy or data security-related laws that may apply to a company’s business and new data privacy laws are being passed or proposed each year. In addition to the above, companies must also keep in mind compliance with state data breach notification laws, the growing number of data privacy laws in other U.S. states (with more proposed in the near future), and certain consumer protection laws (e.g., the Telephone Consumer Protection Act of 1991 and the Telemarking and Consumer Fraud and Abuse Prevention Act).
For further questions or information regarding your business’s compliance with data privacy laws, please contact one of the authors.
Series: Key Considerations for Emerging Companies
Early stage companies have particular legal needs. Bass, Berry & Sims has advised such companies at all phases, from startup to IPO. Our Emerging Companies Practice Group is releasing a “Key Considerations” series, in which we will share our experience by outlining the most critical factors a company should consider in the most relevant subject areas. Previous installments in our series focused on:
- Employment Law Risks (July 22, 2021)
- Equity Compensation (April 6, 2021)
- Formation and Structure (March 3, 2021)
Keep an eye out for future installments over the course of 2021.