Start-ups in any industry have a lot to think about: funding, staffing, intellectual property, market share, product viability, among other considerations. I want to add one topic to the list that should be on the minds of those involved in start-ups in an increasing range of situations: privacy law. Privacy law (and its kissing cousin, data security law) now impacts virtually any company in any industry, anywhere in the world, if it gathers, collects, uses, or analyzes the personal data of employees, customers, consumers, or others. As a consequence of the Internet of Things and smart phones, as well as the ability to collect data from almost anything, more and more companies are using and gathering data, and privacy law increasingly will dictate how a company can use this valuable asset. These issues affect a broad range of critical topics for start-ups, ranging from business partnerships, overall business plan issues, market opportunities, and of course realistic acquisition opportunities. Start-ups failing to think about these issues from the beginning may be missing opportunities and reducing their chances for future success.
A Brief History
Privacy used to be only a constitutional law issue in law schools, with limited implications for businesses and law firms. It dealt primarily with abortion, birth control, search and seizure, and disclosure of membership in the Communist party (along with some common law torts). Privacy was not really a significant issue for corporate America until the mid-1990s. From tentative and narrow beginnings, privacy law is now an enormous compliance and regulatory issue for companies in virtually all industries across the country and the world. It is relevant for company data on employees, customers, consumers, or anyone else. It is front-page news today on a regular basis, leading to highly publicized concerns about artificial intelligence, big data, discrimination, and a broad variety of privacy concerns. It is a top-of-mind issue for consumer advocates, regulators, and legislators around the country.
There are a few terms that come up frequently in the privacy law area:
- “Privacy” means the laws, regulations, and practices surrounding how personal data is used, gathered, maintained, and disclosed.
- “Security” is a related idea, but means the laws, regulations, and practices surrounding how personal information is protected from unintended and unpermitted activity, i.e., the practices that protect decisions made on privacy.
- “Cybersecurity” is another related term, but focuses on protection of the overall technological infrastructure. It is focused on national security and internet interconnections, which may or may not involve personal data.
Privacy Overall in the United States
The United States has a large (and growing) number of laws and regulations at the state and federal levels (and even some international laws to be worried about). These laws have (to date) been specific by industry segment (e.g., health care, banking) or by practice (e.g., telemarketing). Today, there is no generally applicable U.S. privacy law at the federal level covering all industries and all data (although that may be changing), but there is increasing complexity within the regulatory environment. We are beginning to see state-level laws (such as the California Consumer Privacy Act) that apply across industries. We also are seeing a new set of “specialty” privacy laws dealing with emerging technologies like facial recognition and location data. U.S. law also includes data security obligations for any company that collects personal information. These requirements are for “reasonable and appropriate” security.
Outside the United States
There are separate privacy and security rules related to data in and coming from foreign countries. Where these laws exist (and they exist in a growing number of countries), the rules usually are tougher, meaning that they are more protective of individual privacy. Many of these laws apply to U.S. companies either because those companies have a presence in these countries or because of the “extra-territorial reach” of those laws (such as the General Data Protection Regulation in Europe).
Privacy law issues are affecting a broad range of company operations, including core corporate strategy issues. For example, given that current U.S. law is primarily sectoral, determining where your company fits into these sectors is crucial. In the health care space, if your business model is direct to consumer, you typically have modest legal obligations today. If you partner with health insurers or hospitals, you are likely subject to the HIPAA privacy and security rules as a service provider to these entities. Thinking about where your business operates also matters in evaluating whether you are subject to laws in other countries or state-specific laws. These principles matter for overall compliance, product design, customer and vendor relationships, marketing opportunities, and, critically, mergers and acquisition activity, given that purchasers now are drilling down into data assets, data rights, and privacy and security compliance.
Key Issues to Consider
Start-ups should answer the questions below when thinking about business operations, right from the start:
- Data flows—what data are we generating?
- From where are we obtaining other data? Did we (or our source) have the right permissions and rights?
- Are we collecting or using sensitive data categories, including health, financial, genetic, biometrics, facial recognition, location, etc.?
- Can we “aggregate” data for analytics or product improvement?
- Can we legally or practically de-identify the data?
- What are we doing with our data?
- What rights do we have in the data?
- Are we interested in selling the data?
- What happens to relevant data at the end of a client relationship?
- Who are our customers and partners?
The privacy area is rapidly evolving and likely will continue to do so for the foreseeable future. Other states may follow California in passing broad-based privacy laws. The federal government likely will pass a national privacy law in the next five years. New technologies raise concerns, as does the use of artificial intelligence and algorithms. Start-ups should plan for these issues from the beginning—it does not take much to think about these issues, but it will mean real risks and missed opportunities to not think about them at all.
Kirk J. Nahra is a Partner with WilmerHale in Washington, D.C., where he co-chairs their global Cybersecurity and Privacy Practice. A long time member of the IAPP Board of Directors, he teaches privacy law at the Washington College of Law at American University. He also is a Fellow with the Cordell Institute for Policy in Medicine & Law at Washington University in St. Louis. He can be reached at (202) 663-6128 or [email protected]. Follow him on Twitter @kirkjnahrawork. Learn more about his experience at https://www.wilmerhale.com/en/people/kirk-nahra.