When it comes to starting a business, there's a lot of work to do.
Privacy law compliance might not be at the top of your priorities list. However, it's important to ensure your start-up is compliant with privacy laws early on as it will save a lot of headaches further down the line.
Navigating all of the different privacy laws can be tricky, but this article will give an overview of everything your start-up needs to consider and provide practical tips to get you started.
Let's take a look at your privacy law compliance to-do list.
- 1. Consider What Data You Collect
- 2. Do You Have Secure Systems?
- 3.1. Laws to be Aware of
- 5. Do You Have a Terms and Conditions Agreement?
- 5.1. What Should You Include in Your Terms and Conditions Agreement?
- 6. Do You Have a Cookies Policy and a Cookie Consent Notice?
- 6.1. What Should You Include in Your Cookies Policy?
- 6.2. What is a Cookie Consent Notice and What Should You Include in it?
- 8. Will You Engage in Email Marketing?
- 9. Will You Ship Products?
- 9.1. What Should You Include in Your Shipping Policy?
- 10. GDPR Compliance for Start-ups
- 10.1. Clearly-Displayed Legal Policies
- 10.2. GDPR User Rights
- 10.3. Direct Email Marketing
- 11. Summary
Consider What Data You Collect
It's really important to consider what data you'll need to collect as there are strict laws surrounding the collection and processing of personal data.
For example, Article 4(1) of the General Data Protection Regulation (GDPR) defines personal data as:
"any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier..."
This means a person's name, home address, email address, geolocation and even their IP address are all classed as personal data. It's highly likely you will collect some form of personal data, and the GDPR requires you to have a 'lawful (or legal) basis' to do so.
Article 6 of the GDPR sets out six lawful bases for processing personal data:
- The individual has given consent
- The processing is necessary to perform a contract with the individual (or to take steps at their request before entering into one)
- You have a legal obligation to process the data
- The processing is necessary to protect someone's vital interests
- The processing is necessary for a task carried out in the public interest or in the exercise of official authority
- The processing is necessary for your legitimate interests or those of a third party, unless the individual's interests or fundamental rights override them
The majority of time, your company is likely to rely on the person's consent or the processing being necessary to fulfill a contract for the person.
For example, will you need to collect billing and shipping addresses? Make sure you know exactly why each category of data is collected and only collect the data you really need. The GDPR requires businesses to minimize personal data collection and to only collect what is necessary.
If you intend to collect data from children this will place additional requirements on you and you will need to comply with parental consent requirements.
You should also identify any categories of personal data that will be shared with third parties. Consider who the data will be shared with and why.
Be prepared to be fully transparent about the way you collect, use and share data.
Do You Have Secure Systems?
Keeping your customers' and employees' personal data safe is important. You need to ensure your start-up has robust cybersecurity systems to protect against cybercriminals.
Don't assume that because your business is small or a start-up that it is less likely to fall victim to hackers. The reality is many cybercriminals prefer to target start-ups and small businesses because they often have weaker security systems.
By making sure you have good systems in place from the start, you can ensure your business is less vulnerable to cyberattacks.
- Only retain personal data for as long as you genuinely need it, and delete or anonymize it on a fixed schedule rather than whenever someone remembers
- Encrypt data in transit (TLS) and at rest, and enable full-disk encryption on every company laptop and phone
- Patch operating systems, software and applications promptly, and keep an inventory so nothing is forgotten
- Secure physical data, for example, keep paper files in locked cabinets
- Grant access to personal data only to staff members who have a genuine need for it, and review those permissions whenever roles change
- Use strong, unique passwords stored in a password manager, enable multi-factor authentication wherever it is offered, and make sure staff never write credentials down or share them with anyone
- Foster a culture of security from the very beginning and train your employees in this area
- Have remote employees connect through a reputable Virtual Private Network (VPN) provider, particularly on public wifi, which should be treated as untrusted
- Make a plan for breaches before one happens: who investigates, who decides whether notification is required (under the GDPR, the supervisory authority must generally be notified within 72 hours of becoming aware of a breach), and how every employee reports a suspected breach
Once you have your systems in place, make sure you tell customers about them so people know your company is one they can trust.
The security clause in your Privacy Policy doesn't have to give specific information about your security practices. In fact, it probably shouldn't, since that detail may actually help attackers get past your security.
Just saying that you take steps to protect data is enough.
You should also note that nothing is 100% and that you'll do your best to keep things secure, but that there's always a chance something may happen anyway.
Laws to be Aware of
The California Online Privacy Protection Act (CalOPPA) - This applies to your start-up if it operates a commercial website or online service that collects personally identifiable information from California residents. You do not need to have any physical presence in California for this law to apply; collecting personal data from Californian residents is enough.
Consider if you are going to collect any data from children as there are further rules surrounding this.
- What Data You Collect And Why - List the categories of data you collect e.g. names, email addresses, billing and shipping addresses and state why you collect this data.
- How Long Personal Data is Retained For - You must not store personal data for longer than is necessary and you need to ensure your start-up has clear guidelines regarding data storage.
- How You Keep Data Secure - Data security is very important to consumers and your policy should include how you will keep their data secure and how you will notify them if a breach does occur.
- If You Share Data With Third Parties And Why - Make sure you know who you are sharing data with and your reasons for doing this.
- Children's Rights - You should inform users if you collect data from minors. Under the Children's Online Privacy Protection Act (COPPA), websites and online services that are directed at children under 13, or that know they are collecting data from such children, must obtain verifiable parental consent before collecting personal data from them.
- 'Do Not Track' - If your start-up's services or website are available to residents of California, CalOPPA requires your Privacy Policy to state how you respond to browser 'Do Not Track' (DNT) signals. You do not have to honor such requests, but you do have to disclose whether or not you do.
Do You Have a Terms and Conditions Agreement?
Another important legal document your start-up needs is a Terms and Conditions agreement.
Notably, the agreement is not a legal requirement, but this doesn't mean it isn't important. A Terms and Conditions agreement is an essential part of protecting your business, because it creates a contract between your business and the end user.
A Terms and Conditions agreement is a place where you can set out the user's duties and responsibilities. In essence it's a set of rules that your website and app users must agree to. Both parties know what is required of them and what happens if those requirements are breached.
Terms and Conditions agreements are also the ideal place to include any disclaimers you have.
What Should You Include in Your Terms and Conditions Agreement?
As with any legal agreement, you should ensure it's personalized to your business needs. However, it's a good idea to include the following general clauses:
- Payment Terms - Use this clause to set out your start-up's payment terms. For example, when is the payment due? What payment methods do you accept? What happens if a payment is late or if a consumer fails to make a payment? Are the rules the same for both domestic and international customers?
- Limitation of Liability - It's critical to include this clause in your Terms and Conditions no matter what your business is in order to limit your liability as much as possible with regard to any errors on your website or app. The clause needs to explain that your business is not responsible for any inaccurate or incorrect information. It's an important part of risk management.
- Intellectual Property - If you have anything that is protected by copyright law you should inform users of the same and advise what can and cannot be done with your intellectual property.
- Acceptable Use - This clause tells users what is classed as acceptable and unacceptable behavior in terms of using your website or app. For example, outline what constitutes abusive conduct and what may happen if a user displays this type of behavior.
- Termination of Accounts - Advise users that your business reserves the right to terminate, ban or restrict user accounts immediately and the circumstances this might happen in.
- Governing Law - This short clause simply advises where your business, website or app is located and tells users which country's laws govern the Terms.
- User-Generated Content - This is applicable if your start-up enables user-generated content, such as blog posts, photographs or tweets. The clause should include any rules about the type of content users are allowed to post and what happens if users breach this clause.
Our Free Terms and Conditions Generator is created to help you generate a professionally drafted agreement that can include various terms & conditions for your site & app.
- Start the Free Terms and Conditions Generator from our website.
- Select platforms where your Terms and Conditions will be used (website, app or both):
- Answer a few questions about your website or app information:
- Select the country:
- Answer a few questions about your business practices:
Enter your email address where you'd like to receive the new Free Terms and Conditions and click "Generate":
Once generated, you can copy and paste your Free Terms and Conditions agreement on your website or app or link to your hosted Free Terms and Conditions page.
Do You Have a Cookies Policy and a Cookie Consent Notice?
Your start-up needs a Cookies Policy, and you should also create a Cookie Consent Notice that appears as a pop-up or banner as soon as a user arrives on your website.
Both are crucial for complying with the EU ePrivacy Directive (often called the 'Cookies Directive'). The directive requires website and app owners to give users clear and comprehensive information about the cookies they use and to obtain informed consent before placing any cookie on a user's device that is not strictly necessary for the service the user has requested. A separate Cookies Policy is the usual way to provide that information.
What Should You Include in Your Cookies Policy?
Cookies Policies can be very short and to the point, especially if you only use a few standard cookies for basic uses. Include the following information in your Cookies Policy:
- What Cookies Are - Briefly inform users what cookies are.
- Types of Cookies - Tell users what types of cookies your website or app uses.
- How Long Cookies Remain on User's Browsers - Advise users how long the cookies will be on their device for.
- If The Data is Shared With Third Parties - Advise what types of cookies are shared with third parties and why.
- How to Disable Cookies - Inform users how they can opt out of cookie use, both through your consent notice and through their browser settings. This matters for GDPR compliance too: where cookies are set on the basis of consent, Article 7(3) of the GDPR requires that withdrawing consent be as easy as giving it.
What is a Cookie Consent Notice and What Should You Include in it?
A Cookie Consent Notice is a pop-up or banner that appears on websites and apps to inform users that cookies are being used and to ask for their consent before any non-essential cookies are set.
Will You Engage in Email Marketing?
If your start-up intends to engage in email marketing, you will need to get consent from users and record their consent. You will also need to ensure that users are easily able to opt-out of email marketing.
This is essential if your start-up intends to be GDPR-compliant, as the regulation requires users to opt in to marketing rather than to opt out of it.
Here's an example from Farfetch of how to place an unticked checkbox on the website's checkout page which requests customers to opt-in to email marketing. The company also makes it clear that the customer is able to unsubscribe at any time:
Using a similar approach to obtain consent for email marketing is not just good practice; where the GDPR applies, it is a requirement.
Will You Ship Products?
If your start-up is going to ship products to customers it should have a Shipping Policy.
This policy is not a legal requirement. However, customers expect to see one and if shipping times and methods are not clear, you risk losing potential customers to other businesses.
Your Shipping Policy should inform your customers about your start-up's policies and answer common questions about what happens once they've purchased a product from you.
This will save your company time as you won't need to respond to separate customer queries. Instead, everything will be summed up in one easy-to-find place.
What Should You Include in Your Shipping Policy?
A few key clauses to include are:
- Shipping Methods and Prices - Inform customers of the availability of different shipping methods and the cost of each method. For example, how long does express shipping take and how much does it cost?
- Which Carrier(s) You Use - Provide a list of carriers you use to ship your products. You may also want to advise if it's possible for customers to track their order.
- Payment Information - Advise customers which payment methods you accept and how you process the same.
- International Shipping - Advise whether you ship internationally and provide guidance on the cost, timescale and whether or not custom duties are included.
- Restrictions - Inform users if there are any restrictions on where you ship to. For example, there may be certain territories or P.O boxes you are unable to ship to.
Urban Outfitters has a Shipping Policy which advises of the timeframes of each shipping method the retailer offers within the U.S. and provides a link to the company's International Shipping Policy:
Practical Tip: Don't make promises you can't keep in your Shipping Policy! For example, if you're using a third party distributor there may be things beyond your control and you may wish to include a disclaimer about this.
Another good tip is to advise customers what they should do if they don't receive their order within the time frame provided. Should they contact you or the third party delivery company?
Lanieri's Shipping Policy includes a disclaimer that the delivery time cannot be guaranteed and that certain events are outside the control of the company. Information is provided about what customers should do if their order fails to arrive:
Include any and all relevant information that you want your customers to know, or that you think they'd want or need to know when it comes to shipping.
GDPR Compliance for Start-ups
Not every start-up will need to be fully compliant with the GDPR. However, your business will need to comply if:
- It is based within the EU, or
- It offers goods or services to individuals in the EU, or monitors their behaviour (for example, by tracking them online)
It is important to note that your start-up does not need a physical presence within the EU for the GDPR to apply to it.
We've already touched on how the GDPR affects the processing of personal data, and the fact that it creates rules regarding legal policies, user rights and consent forms for email marketing.
This section will go into a little more detail for those who need to comply with the GDPR.
Clearly-Displayed Legal Policies
GDPR User Rights
The GDPR creates several user rights. Your start-up needs to inform users of these rights and enable users to exercise them in order to be compliant.
These rights include:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing activities
- The right to data portability
- The right to object
- Rights regarding profiling and automated decision making
Your Privacy Policy should list these rights and then tell users exactly how they can go about exercising them, for example by giving a contact address for requests.
Practical Tips: Consider how customers will be able to contact you to exercise their rights, how you will respond to their requests and how you will train your employees to recognize requests. You should also decide how you will implement systems to comply with each request. For example, how would you enable a customer to access their data if they requested to?
You should also be aware of the circumstances in which you don't need to comply with a request. Some rights are subject to exceptions; for example, the right to erasure does not apply where you must keep the data to comply with a legal obligation, such as retaining invoices for tax purposes.
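As an added example (not code from the original article), the following Python sketch shows one way to implement the access and erasure requests described above, applying the legal-obligation exception to invoices, together with the scheduled retention sweep recommended earlier in the security checklist. The `CustomerStore` class, the sample records and the retention periods (seven years for invoices, 30 days for abandoned carts) are assumptions chosen for illustration, not figures taken from the article or from any particular law.

```python
import copy
import hashlib
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Retention periods are assumptions for this example, not figures from the article:
# invoices kept to satisfy a (hypothetical) tax-law obligation, abandoned carts only briefly.
ORDER_RETENTION_DAYS = 7 * 365
CART_RETENTION_DAYS = 30


class CustomerStore:
    """In-memory stand-in for the customer, order and cart tables of a small shop."""

    def __init__(self, now: Optional[datetime] = None):
        self.now = now or datetime.now(timezone.utc)
        self.customers: Dict[str, dict] = {}   # customer id -> profile
        self.orders: List[dict] = []           # invoices, each carrying a customer id
        self.carts: List[dict] = []            # abandoned carts
        self.suppressed: set = set()           # hashes of erased email addresses

    def access_request(self, customer_id: str) -> Optional[dict]:
        """Right of access / portability: everything held about the person, machine-readable."""
        profile = self.customers.get(customer_id)
        if profile is None:
            return None
        return {
            "profile": copy.deepcopy(profile),
            "orders": copy.deepcopy([o for o in self.orders if o["customer_id"] == customer_id]),
            "carts": copy.deepcopy([c for c in self.carts if c["customer_id"] == customer_id]),
            "exported_at": self.now.isoformat(),
        }

    def erasure_request(self, customer_id: str) -> dict:
        """Right to erasure, applying the legal-obligation exception to invoices."""
        profile = self.customers.pop(customer_id, None)
        if profile is None:
            return {"erased": False, "reason": "unknown customer"}
        # Carts have no reason to survive: delete them outright.
        before = len(self.carts)
        self.carts = [c for c in self.carts if c["customer_id"] != customer_id]
        carts_deleted = before - len(self.carts)
        # Invoices must be kept for ORDER_RETENTION_DAYS, so strip the identifying
        # fields and unlink them from the customer instead of deleting them.
        invoices_retained = 0
        for order in self.orders:
            if order["customer_id"] == customer_id:
                order["name"] = order["shipping_address"] = "[erased]"
                order["customer_id"] = None
                invoices_retained += 1
        # Keep only a hash of the address so a later mailing-list import cannot
        # quietly resurrect the contact.
        self.suppressed.add(self._hash_email(profile["email"]))
        return {"erased": True, "carts_deleted": carts_deleted,
                "invoices_retained": invoices_retained}

    def is_suppressed(self, email: str) -> bool:
        return self._hash_email(email) in self.suppressed

    def retention_sweep(self) -> dict:
        """Scheduled job: delete whatever has outlived its retention period."""
        cart_cutoff = self.now - timedelta(days=CART_RETENTION_DAYS)
        order_cutoff = self.now - timedelta(days=ORDER_RETENTION_DAYS)
        carts_before, orders_before = len(self.carts), len(self.orders)
        self.carts = [c for c in self.carts if c["updated_at"] >= cart_cutoff]
        self.orders = [o for o in self.orders if o["placed_at"] >= order_cutoff]
        return {"carts_deleted": carts_before - len(self.carts),
                "orders_deleted": orders_before - len(self.orders)}

    @staticmethod
    def _hash_email(email: str) -> str:
        return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def build_sample_store() -> CustomerStore:
    """Constructed sample data for the demo (not real customers)."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    store = CustomerStore(now=now)
    store.customers["c1"] = {"name": "Ada Example", "email": "ada@example.com", "address": "1 Sample St"}
    store.customers["c2"] = {"name": "Ben Example", "email": "ben@example.com", "address": "2 Sample St"}
    store.orders += [
        {"id": "inv-1", "customer_id": "c1", "name": "Ada Example",
         "shipping_address": "1 Sample St", "total": 42.0, "placed_at": now - timedelta(days=400)},
        {"id": "inv-2", "customer_id": "c2", "name": "Ben Example",
         "shipping_address": "2 Sample St", "total": 10.0, "placed_at": now - timedelta(days=8 * 365)},
    ]
    store.carts += [
        {"id": "cart-1", "customer_id": "c1", "items": ["sku-7"], "updated_at": now - timedelta(days=3)},
        {"id": "cart-2", "customer_id": "c2", "items": ["sku-9"], "updated_at": now - timedelta(days=90)},
    ]
    return store


if __name__ == "__main__":
    store = build_sample_store()
    print(store.access_request("c1"))
    print(store.erasure_request("c1"))
    print(store.retention_sweep())
```

The point of the design is that an erasure request is not a single `DELETE`: carts go, invoices are pseudonymized and kept for the retention period you have documented, and a hashed suppression entry stops the address being re-imported later. The sweep runs the same retention rules on a schedule so that "only keep what you need" is enforced by code rather than by memory.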
Direct Email Marketing
We have already discussed why it is a good idea to gain consent for email marketing, however it is crucial to gain consent for email marketing if you want to comply with the GDPR. The key point to remember is that it's not enough to enable customers to opt-out of marketing - they must explicitly opt in.
In addition, you must include a link in all direct marketing emails which allows customers to 'unsubscribe' from receiving emails.
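As an added example, not code from the original article, here is a small Python consent ledger that implements the opt-in record discussed here and in the email marketing section above: it refuses to treat a pre-ticked or untouched checkbox as consent, keeps an append-only history of when, where and to which wording the user consented, and verifies the 'unsubscribe' link with an HMAC so that a link cannot be edited to unsubscribe somebody else. The class and function names, the consent text version label and the secret used in the demo are assumptions; key management and link expiry are left out for brevity.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Label for the exact consent wording shown beside the checkbox (assumed name).
# Bump it when the wording changes; old records keep the version the user saw.
CONSENT_TEXT_VERSION = "marketing-v1"


@dataclass
class ConsentEvent:
    when: datetime
    action: str          # "opt_in" or "opt_out"
    source: str          # where it happened, e.g. "checkout_form", "unsubscribe_link"
    text_version: str    # which wording the user agreed to


@dataclass
class ConsentLedger:
    """Append-only marketing consent history, keyed by normalized email address."""
    _events: Dict[str, List[ConsentEvent]] = field(default_factory=dict)

    def record_opt_in(self, email: str, source: str, checkbox_ticked_by_user: bool,
                      now: Optional[datetime] = None) -> bool:
        # Under the GDPR a pre-ticked box or an untouched default is not consent,
        # so nothing is recorded unless the user actively ticked the box.
        if not checkbox_ticked_by_user:
            return False
        self._append(email, "opt_in", source, now)
        return True

    def record_opt_out(self, email: str, source: str = "unsubscribe_link",
                       now: Optional[datetime] = None) -> None:
        # Opting out is always honored, whether or not an opt-in was on file.
        self._append(email, "opt_out", source, now)

    def can_send_marketing(self, email: str) -> bool:
        # No record means no consent; otherwise the most recent event decides.
        history = self._events.get(self._key(email))
        return bool(history) and history[-1].action == "opt_in"

    def unsubscribe_token(self, email: str, secret: bytes) -> str:
        # Tie the unsubscribe link to the address with an HMAC so that a link
        # cannot be guessed or altered to unsubscribe a different person.
        return hmac.new(secret, self._key(email).encode(), hashlib.sha256).hexdigest()

    def handle_unsubscribe_link(self, email: str, token: str, secret: bytes) -> bool:
        # Constant-time comparison; only a valid token records the opt-out.
        if not hmac.compare_digest(token, self.unsubscribe_token(email, secret)):
            return False
        self.record_opt_out(email, source="unsubscribe_link")
        return True

    def evidence(self, email: str) -> List[dict]:
        """The record you can show a regulator: when, where and to which wording."""
        return [{"when": e.when.isoformat(), "action": e.action,
                 "source": e.source, "text_version": e.text_version}
                for e in self._events.get(self._key(email), [])]

    @staticmethod
    def _key(email: str) -> str:
        return email.strip().lower()

    def _append(self, email: str, action: str, source: str, now: Optional[datetime]) -> None:
        when = now or datetime.now(timezone.utc)
        self._events.setdefault(self._key(email), []).append(
            ConsentEvent(when, action, source, CONSENT_TEXT_VERSION))


if __name__ == "__main__":
    secret = b"assumed-demo-secret"   # in production: a managed secret, not a literal
    ledger = ConsentLedger()
    ledger.record_opt_in("ada@example.com", "checkout_form", checkbox_ticked_by_user=True)
    print("can send:", ledger.can_send_marketing("ada@example.com"))
    token = ledger.unsubscribe_token("ada@example.com", secret)
    print("unsubscribed:", ledger.handle_unsubscribe_link("ada@example.com", token, secret))
    print("can send:", ledger.can_send_marketing("ada@example.com"))
    print(ledger.evidence("ada@example.com"))
```

Two choices matter here. The ledger never stores an opt-in it did not actually receive, so `can_send_marketing` defaults to no. And because the history is append-only and records the wording version, you can later show exactly what a given customer agreed to and when they withdrew it.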
Summary
There's a lot to think about when you're starting up a business, and privacy law compliance may not be the first thing to cross your mind. However, don't let it fall by the wayside. It's critical to ensure your business is protected and compliant with the law.
To ensure you are compliant, make sure you know what personal data your business collects and why.
You should also consider whether or not you will be shipping products to customers and whether you will be sending direct marketing emails to customers.
Additionally, it is never too early to consider the security of your systems. You need to be sure that you have systems in place to keep your customers' data secure.
Finally, you need to know whether or not the GDPR applies to your start-up. If it does, there are additional rules you will need to comply with as this is probably the most onerous of all of the privacy laws.