Your Start-Up and Privacy Law Compliance

Written by Francesca Edwards (FreePrivacyPolicy Legal writer) and last updated on 01 March 2023.

When it comes to starting a business, there's a lot of work to do.

Privacy law compliance might not be at the top of your priorities list. However, it's important to ensure your start-up is compliant with privacy laws early on as it will save a lot of headaches further down the line.

Navigating all of the different privacy laws can be tricky, but this article will give an overview of everything your start-up needs to consider and provide practical tips to get you started.

Let's take a look at your privacy law compliance to-do list.

You can also use our Free Cookie Consent tool to start making your business legally compliant with the EU Cookies Directive.

Consider What Data You Collect

It's really important to consider what data you'll need to collect as there are strict laws surrounding the collection and processing of personal data.

For example, the General Data Protection Regulation (GDPR) defines personal data as:

"any information relating to an identifiable natural person which enables that person to be identified either directly or indirectly."

This means a person's name, home address, email address, geolocation and even their IP address are all classed as personal data. It's highly likely you will collect some form of personal data and the GDPR requires you to have a 'lawful (or legal) basis' to do so.

The GDPR advises that the following are all lawful bases for processing data:

  • You have the individual's consent
  • The processing is necessary to fulfill a contract for the individual whose data you're processing
  • You have a legal obligation to process the data
  • The processing protects someone's vital interest
  • The processing is in the public's interest
  • The processing is necessary for your legitimate interests or those of a third party

Most of the time, your company is likely to rely on the person's consent or on the processing being necessary to fulfill a contract with that person.

For example, will you need to collect billing and shipping addresses? Make sure you know exactly why each category of data is collected and only collect the data you really need. The GDPR requires businesses to minimize personal data collection and to only collect what is necessary.

If you intend to collect data from children this will place additional requirements on you and you will need to comply with parental consent requirements.

You should also identify any categories of personal data that will be shared with third parties. Consider who the data will be shared with and why.

Be prepared to be fully transparent about the way you collect, use and share data.

Do You Have Secure Systems?

Keeping your customers' and employees' personal data safe is important. You need to ensure your start-up has robust cybersecurity systems to protect against cybercriminals.

Don't assume that because your business is small or a start-up, it is less likely to fall victim to hackers. The reality is that many cybercriminals prefer to target start-ups and small businesses because they often have weaker security systems.

By making sure you have good systems in place from the start, you can ensure your business is less vulnerable to cyberattacks.

Practical Tips:

  • Only retain personal data as necessary and regularly delete data you don't need
  • Encrypt all data and company devices
  • Patch software and applications
  • Secure physical data, for example, keep files in locked cabinets
  • Only allow staff members who have a genuine need to access personal data to do so
  • Create strong passwords and ensure staff do not write them down or share them with anyone
  • Foster a culture of security from the very beginning and train your employees in this area
  • If you have employees who work remotely, you should use a reputable Virtual Private Network (VPN) provider; public wifi on its own is not suitable, as it is insecure
  • Make sure you have a plan in place for any breaches that do occur. Consider who breaches should be reported to and make sure all employees know how to report a suspected breach

Once you have your systems in place, make sure you tell customers about them so people know your company is one they can trust.

Start-up company Deliveroo explains the security measures it uses in its Privacy Policy. The clause also includes a disclaimer at the end:

Deliveroo Privacy Policy: Security clause

Your security clause doesn't have to give specific information about your security practices. In fact, it probably shouldn't, since that may actually help hackers get past your security.

Just saying that you take steps to protect data is enough.

You should also note that nothing is 100% and that you'll do your best to keep things secure, but that there's always a chance something may happen anyway.

Do You Have a Privacy Policy?

One legal policy your start-up shouldn't neglect is your Privacy Policy. Not only will this policy offer you crucial legal protection, it will also demonstrate to consumers that your start-up is professional and trustworthy.

There are no federal laws in the U.S. which require companies to have a Privacy Policy, however there are applicable state laws to consider. In addition, if you are dealing with consumers in other countries, you must be compliant with their laws.

Laws to be Aware of

The California Online Privacy Protection Act (CalOPPA) - This applies to your start-up if any of your customers live in California. You do not need to have any physical presence in California for this law to be applicable. It will apply if you collect personal data from Californian residents.

This Act requires businesses to have a 'clear and conspicuous' link to their Privacy Policy. Make sure the link on your website really stands out, for example by using a bigger font and a bright color. Or, at a minimum, don't hide it or make it less noticeable than your other links.

It also requires you to include a 'Do Not Track' (DNT) clause in your Privacy Policy.

The Children's Online Privacy Protection Act (COPPA) - If you collect personal information from children under the age of 13, this law applies to you and comes with some strict requirements. Just a few of those requirements are obtaining parental consent and posting a Privacy Policy.

The California Consumer Privacy Act (CCPA) and its CPRA amendments - The CCPA (CPRA) is a California state law that requires a Privacy Policy. The CCPA (CPRA) applies to businesses that gross $25 million or more annually, make a minimum of 50% of that annual revenue from sharing or selling consumers' personal information, and that buy, share, sell or otherwise receive personal information from at least 100,000 consumers or households.

The General Data Protection Regulation (GDPR) - If you are collecting data from any EU residents, you must comply with the GDPR. This regulation requires businesses to have a Privacy Policy which includes several specific clauses. For example, you must advise what data you collect and why and you must inform users of their rights under the GDPR.

The bottom line is, if your start-up collects any personal data you are legally required to have a Privacy Policy.

Even if you do not collect personal data you should still ideally have a Privacy Policy.

Practical Tips: Make a list of all of the personal data you collect and why before you start drafting your Privacy Policy. Make sure you are clear on your legal basis for processing each category of data so you are able to justify your reasons for collecting data and how data is used.

Consider if you are going to collect any data from children as there are further rules surrounding this.

What Should You Include in Your Privacy Policy?

Your Privacy Policy should be tailored to suit your business needs. However, you should make sure that you include the following clauses:

  • What Data You Collect And Why - List the categories of data you collect e.g. names, email addresses, billing and shipping addresses and state why you collect this data.
  • How Long Personal Data is Retained For - You must not store personal data for longer than is necessary and you need to ensure your start-up has clear guidelines regarding data storage.
  • How You Keep Data Secure - Data security is very important to consumers and your policy should include how you will keep their data secure and how you will notify them if a breach does occur.
  • If You Share Data With Third Parties And Why - Make sure you know who you are sharing data with and your reasons for doing this.
  • How Payments Are Processed - Advise your customers if your company processes payments or if you use a third party payment processor. If a third party payment processor is used you should provide a link to their Privacy Policy.
  • Consumer/User Rights - Your Privacy Policy should include user rights. This is a legal requirement if the GDPR applies to your start-up. These rights include: the right to access, the right to erasure, the right to rectification, the right to object, data portability and controls over automatic decision making and profiling. Your company needs to ensure you have processes in place to enable consumers to exercise these rights.
  • Children's Rights - You should inform users if you collect data from minors. Under COPPA it is unlawful to collect any data from children under 13 years old, unless you have obtained the consent of their parents or guardians.
  • Changes to Your Privacy Policy - Inform users how you will let them know about any material changes you make to your policy. For example, perhaps you will email them or place a notice on your website.
  • 'Do Not Track' - If your start-up's services or website are available to residents of California, CalOPPA states that you must include a DNT clause. This advises users whether or not you comply with DNT requests. You do not have to comply with such requests, but you do need to advise whether or not you comply.
  • Contact Information - Your Privacy Policy should advise consumers who to contact for further information. Ideally, you should include an email address, physical address and telephone number.

How to Create a Privacy Policy

Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.

  1. Click on the "Free Privacy Policy Generator" button, located at the top of the website.
  2. Select where your Privacy Policy will be used:

     FreePrivacyPolicy: Privacy Policy Generator - Select platforms where your Privacy Policy will be used - Step 1

  3. Answer a few questions about your business:

     FreePrivacyPolicy: Privacy Policy Generator - Answer a few questions about your business - Step 2

  4. Enter the country and click on the "Next Step" button:

     FreePrivacyPolicy: Privacy Policy Generator - Enter the country - Step 2

  5. Continue building your Privacy Policy by answering the questions from our wizard:

     FreePrivacyPolicy: Privacy Policy Generator - Answer on questions from our wizard - Step 3

  6. Almost done. Now enter the email address where you'd like your new Privacy Policy sent, click on the "Generate" button, and you're done.

     FreePrivacyPolicy: Privacy Policy Generator - Enter your email address - Step 4

That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.

Do You Have a Terms and Conditions Agreement?

Another important legal document your start-up needs is a Terms and Conditions agreement.

Notably, this agreement is not a legal requirement, but that doesn't mean it isn't important. A Terms and Conditions agreement is an essential part of protecting your business. The agreement creates a contract between your business and the end user.

A Terms and Conditions agreement is a place where you can set out the user's duties and responsibilities. In essence it's a set of rules that your website and app users must agree to. Both parties know what is required of them and what happens if those requirements are breached.

Terms and Conditions agreements are also the ideal place to include any disclaimers you have.

What Should You Include in Your Terms and Conditions Agreement?

As with any legal agreement, you should ensure it's personalized to your business needs. However, it's a good idea to include the following general clauses:

  • Payment Terms - Use this clause to set out your start-up's payment terms. For example, when is the payment due? What payment methods do you accept? What happens if a payment is late or if a consumer fails to make a payment? Are the rules the same for both domestic and international customers?
  • Limitation of Liability - It's critical to include this clause in your Terms and Conditions no matter what your business is in order to limit your liability as much as possible with regard to any errors on your website or app. The clause needs to explain that your business is not responsible for any inaccurate or incorrect information. It's an important part of risk management.
  • Intellectual Property - If you have anything that is protected by copyright law you should inform users of the same and advise what can and cannot be done with your intellectual property.
  • Acceptable Use - This clause tells users what is classed as acceptable and unacceptable behavior in terms of using your website or app. For example, outline what constitutes abusive conduct and what may happen if a user displays this type of behavior.
  • Termination of Accounts - Advise users that your business reserves the right to terminate, ban or restrict user accounts immediately and the circumstances this might happen in.
  • Governing Law - This short clause simply advises where your business, website or app is located and tells users which country's laws govern the Terms.
  • User-Generated Content - This is applicable if your start-up enables user-generated content, such as blog posts, photographs or tweets. The clause should include any rules about the type of content users are allowed to post and what happens if users breach this clause.

How to Create a Terms and Conditions Agreement

Our Free Terms and Conditions Generator helps you generate a professionally drafted agreement that can include various terms and conditions for your site and/or app.

  1. Start the Free Terms and Conditions Generator from our website.
  2. Select the platforms where your Terms and Conditions will be used (website, app or both):

     FreePrivacyPolicy: Free Terms and Conditions Generator - Select platforms where your Terms and Conditions will be used - Step 1

  3. Answer a few questions about your website or app:

     FreePrivacyPolicy: Free Terms and Conditions Generator - Answer a few questions about your business information - Step 2

  4. Select the country:

     FreePrivacyPolicy: Free Terms and Conditions Generator - Select the country - Step 2

  5. Answer a few questions about your business practices:

     FreePrivacyPolicy: Free Terms and Conditions - Answer the questions about your business practices - Step 3

  6. Enter the email address where you'd like to receive your new Terms and Conditions and click "Generate":

     FreePrivacyPolicy: Free Terms and Conditions - Enter your email address - Step 4

Once generated, you can copy and paste your Terms and Conditions agreement into your website or app, or link to your hosted Terms and Conditions page.

Do You Have a Cookies Policy and a Cookie Consent Notice?

The vast majority of websites use cookies, as do many apps. If your website or app uses cookies it's essential to create a Cookies Policy.

You should also create a Cookie Consent Notice which appears as a pop-up as soon as a user arrives on your website.

A Cookies Policy and Cookie Consent Notice are crucial when it comes to complying with the EU Cookies Directive which demands a separate Cookies Policy. This directive also requires website and app owners to gain informed consent from users prior to placing cookies on their devices.

What Should You Include in Your Cookies Policy?

Cookies Policies can be very short and to the point, especially if you only use a few standard cookies for basic uses. Include the following information in your Cookies Policy:

  • What Cookies Are - Briefly inform users what cookies are.
  • Types of Cookies - Tell users what types of cookies your website or app uses.
  • How You Use Cookies - Advise users what your cookies are tracking and for what purpose e.g. for statistics, performance, marketing.
  • How Long Cookies Remain on Users' Browsers - Advise users how long the cookies will stay on their device.
  • If The Data is Shared With Third Parties - Advise what types of cookies are shared with third parties and why.
  • How to Disable Cookies - Inform users how they can opt out of cookie use. This clause is a crucial part of GDPR compliance as the regulation requires companies to clearly explain how users can disable cookies.

A Cookie Consent Notice is a pop-up that appears on websites and apps to inform users that cookies are being used, like so:

De Nederlandsche Bank Cookie Consent notice with accept button - clickwrap

You should advise that your website uses cookies and provide a link to your Cookies Policy, or to your Privacy Policy if it contains a cookies clause.

Additionally, you should include a way of gaining the user's consent to your use of cookies such as having them check a box or button that says 'I accept.'
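The requirement above, that no cookie other than a strictly necessary one is placed before the user has accepted, is easiest to meet when the code that sets cookies checks a consent record first. The following is an added example, not code from the original article or from FreePrivacyPolicy. It assumes three cookie categories (necessary, statistics, marketing), stores the user's decision in a cookie named `cookie_consent`, and models the browser's cookie jar as a plain object so it runs under Node; in a real page the same functions would be wired to `document.cookie` and to the banner's 'I accept' control. Defaults matter: an absent or unparseable record is treated as no consent, and withdrawing consent deletes the cookies already set, not just the flag.

```javascript
// Added example (not from the original article). Consent gate for cookies:
// strictly necessary cookies may always be set; statistics and marketing
// cookies are blocked until that category has been explicitly accepted.
// The decision itself lives in the assumed "cookie_consent" cookie.

const CATEGORIES = Object.freeze({
  NECESSARY: "necessary",   // session id, CSRF token, the consent record itself
  STATISTICS: "statistics", // analytics cookies
  MARKETING: "marketing",   // advertising / tracking cookies
});

const CONSENT_COOKIE = "cookie_consent";

// Parse a stored record such as "statistics=1;marketing=0".
// Anything missing or not exactly "1" counts as NOT consented: no consent by default.
function parseConsent(value) {
  const consent = { [CATEGORIES.STATISTICS]: false, [CATEGORIES.MARKETING]: false };
  if (typeof value !== "string") return consent;
  for (const pair of value.split(";")) {
    const [key, val] = pair.split("=").map((s) => s.trim());
    if (key in consent) consent[key] = val === "1";
  }
  return consent;
}

function serializeConsent(consent) {
  return [CATEGORIES.STATISTICS, CATEGORIES.MARKETING]
    .map((c) => `${c}=${consent[c] ? "1" : "0"}`)
    .join(";");
}

// A cookie may be set only if it is strictly necessary or its category was accepted.
function isAllowed(category, consent) {
  if (category === CATEGORIES.NECESSARY) return true;
  return consent[category] === true;
}

// Try to set a cookie. Returns true if it was set, false if blocked pending consent.
function setCookieIfAllowed(jar, name, value, category, consent) {
  if (!isAllowed(category, consent)) return false;
  jar[name] = value;
  return true;
}

// Record the banner decision: store it as a necessary cookie, then remove any
// existing cookie whose category the user has not (or no longer) accepted, so
// withdrawing consent actually clears the cookies rather than only the flag.
// cookieCategories maps cookie name -> category for every cookie the site sets.
function recordDecision(jar, decision, cookieCategories) {
  const consent = {
    [CATEGORIES.STATISTICS]: decision.statistics === true,
    [CATEGORIES.MARKETING]: decision.marketing === true,
  };
  jar[CONSENT_COOKIE] = serializeConsent(consent);
  for (const [name, category] of Object.entries(cookieCategories)) {
    if (!isAllowed(category, consent)) delete jar[name];
  }
  return consent;
}

// Walk through one visit: before the banner is answered only the session cookie
// lands; after accepting statistics only, the analytics cookie is allowed and
// the marketing cookie is still blocked. Cookie names here are constructed samples.
function demo() {
  const jar = {};
  const categories = {
    sessionid: CATEGORIES.NECESSARY,
    _ga: CATEGORIES.STATISTICS,
    ad_id: CATEGORIES.MARKETING,
  };
  const initial = parseConsent(jar[CONSENT_COOKIE]);
  const results = {
    sessionBeforeConsent: setCookieIfAllowed(jar, "sessionid", "s1", categories.sessionid, initial),
    analyticsBeforeConsent: setCookieIfAllowed(jar, "_ga", "GA1", categories._ga, initial),
  };
  const consent = recordDecision(jar, { statistics: true, marketing: false }, categories);
  results.analyticsAfterConsent = setCookieIfAllowed(jar, "_ga", "GA1", categories._ga, consent);
  results.marketingAfterConsent = setCookieIfAllowed(jar, "ad_id", "a1", categories.ad_id, consent);
  results.stored = jar[CONSENT_COOKIE];
  return results;
}

console.log(demo());
```

The `cookieCategories` map is the piece most teams skip: without an inventory of which cookie belongs to which category, neither the gate nor the withdrawal step can be enforced, and it is also exactly the list the Cookies Policy clauses above ask you to publish.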

Will You Engage in Email Marketing?

If your start-up intends to engage in email marketing, you will need to get consent from users and record their consent. You will also need to ensure that users are easily able to opt-out of email marketing.

This is essential if your start-up intends to be GDPR-compliant, as the regulation requires users to opt in to marketing rather than to opt out of it.

Here's an example from Farfetch of an unticked checkbox on the website's checkout page that asks customers to opt in to email marketing. The company also makes it clear that the customer is able to unsubscribe at any time:

Farfetch email marketing sign-up with checkbox

Using a similar approach to get consent for email marketing is something you should do, and, where the GDPR applies, must do.

Will You Ship Products?

If your start-up is going to ship products to customers it should have a Shipping Policy.

This policy is not a legal requirement. However, customers expect to see one and if shipping times and methods are not clear, you risk losing potential customers to other businesses.

Your Shipping Policy should inform your customers about your start-up's policies and answer common questions about what happens once they've purchased a product from you.

This will save your company time as you won't need to respond to separate customer queries. Instead, everything will be summed up in one easy-to-find place.

What Should You Include in Your Shipping Policy?

A few key clauses to include are:

  • Shipping Methods and Prices - Inform customers of the availability of different shipping methods and the cost of each method. For example, how long does express shipping take and how much does it cost?
  • Which Carrier(s) You Use - Provide a list of carriers you use to ship your products. You may also want to advise if it's possible for customers to track their order.
  • Payment Information - Advise customers which payment methods you accept and how you process the same.
  • International Shipping - Advise whether you ship internationally and provide guidance on the cost, timescale and whether or not custom duties are included.
  • Restrictions - Inform users if there are any restrictions on where you ship to. For example, there may be certain territories or P.O. boxes you are unable to ship to.

Urban Outfitters has a Shipping Policy which advises of the timeframes of each shipping method the retailer offers within the U.S. and provides a link to the company's International Shipping Policy:

Urban Outfitters Shipping Policy: Method, Shipping Time and Cost chart

Practical Tip: Don't make promises you can't keep in your Shipping Policy! For example, if you're using a third party distributor there may be things beyond your control and you may wish to include a disclaimer about this.

Another good tip is to advise customers what they should do if they don't receive their order within the time frame provided. Should they contact you or the third party delivery company?

Lanieri's Shipping Policy includes a disclaimer that the delivery time cannot be guaranteed and that certain events are outside the control of the company. Information is provided about what customers should do if their order fails to arrive:

Lanieri Shipping Policy: Missing order section

Include any and all relevant information that you want your customers to know, or that you think they'd want or need to know when it comes to shipping.

GDPR Compliance for Start-ups

Not every start-up will need to be fully compliant with the GDPR. However, your business will need to comply if:

  • It is based within the EU, or
  • It offers goods or services to EU residents or processes their personal data

It is important to note that your start-up does not need a physical presence within the EU for the GDPR to apply to it.

We've already touched on how the GDPR affects the processing of personal data, and the fact that it creates rules regarding legal policies, user rights and consent forms for email marketing.

This section will go into a little more detail for those who need to comply with the GDPR.

To ensure you comply with the GDPR your start-up should clearly display your legal policies. The best and easiest way to do this is to make sure your website footer has a place with important links, such as to your Privacy Policy:

Deliveroo website footer with links

GDPR User Rights

The GDPR creates several user rights. Your start-up needs to inform users of these rights and enable users to exercise them in order to be compliant.

These rights include:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing activities
  • The right to data portability
  • The right to object
  • Rights regarding profiling and automated decision making

It is not enough to tell users about their rights. You must also inform users how to exercise their rights. All of this can be done via your Privacy Policy.

Wool Couture clearly informs users of their rights under the GDPR in this concise Privacy Policy clause:

Wool Couture Privacy Policy: GDPR Rights clause

It then lets users know exactly how they can go about exercising them:

Wool Couture Privacy Policy: How to Exercise GDPR Rights clause

Practical Tips: Consider how customers will be able to contact you to exercise their rights, how you will respond to their requests and how you will train your employees to recognize requests. You should also decide how you will implement systems to comply with each request. For example, how would you enable a customer to access their data if they requested to?

You should also be aware of the circumstances in which you don't need to comply with a request. Some rights, such as the right to erasure, are subject to exceptions.

Direct Email Marketing

We have already discussed why it is a good idea to gain consent for email marketing; it is crucial to do so if you want to comply with the GDPR. The key point to remember is that it's not enough to let customers opt out of marketing: they must explicitly opt in.

In addition, you must include a link in all direct marketing emails which allows customers to 'unsubscribe' from receiving emails.

Your Privacy Policy should advise how users can object to direct marketing.

Here's how Deliveroo includes a section on direct marketing in its Privacy Policy which explains the user's rights regarding direct marketing and how to change their preferences if they have previously opted-in to direct marketing:

Deliveroo Privacy Policy: Direct marketing clause

Nested also includes a section regarding marketing and advertising in its Privacy Policy:

Nested Privacy Policy: Marketing and Advertising clause excerpt


There's a lot to think about when you're starting up a business and Privacy Law compliance may not be the first thing to cross your mind. However don't let it fall by the wayside. It's critical to ensure your business is protected and compliant with the law.

To ensure you are compliant, make sure you know what personal data your business collects and why.

You should also make sure that you have well-drafted and clearly displayed legal policies, including a Terms and Conditions agreement, a Privacy Policy and a Cookies Policy.

You should also consider whether or not you will be shipping products to customers and whether you will be sending direct marketing emails to customers.

Additionally, it is never too early to consider the security of your systems. You need to be sure that you have systems in place to keep your customers' data secure.

Finally, you need to know whether or not the GDPR applies to your start-up. If it does, there are additional rules you will need to comply with as this is probably the most onerous of all of the privacy laws.