Starting a consumer-facing technology company or developing a new application to make a consumer’s life easier or more fun is an exciting journey. At this stage, you are all about the development, getting the product or service to market, and making sure it can scale. But neglecting the privacy implications of your product or service during the development stage is a big mistake that will come back to haunt you later.
Imagine, for example, that your dream of building a great company has come true and you are faced with an acquisition offer. During the customary due diligence phase, you quickly discover that your privacy house is not in order. Why? You neglected to plan for a situation in which you might have to transfer user data to an acquirer. The entire shape of the deal is now altered because there are significant tax consequences for the new structure and reserves or holdbacks are required that postpone or lessen the value you worked so hard to build. All this can be avoided with a little privacy by design. Here are a few pointers:
1. If you don’t need the information, don’t collect it. Avoid the engineering gene that says collect as much information as possible because it might be useful in the future.
2. If you collect it, protect it. This is essentially strict liability with the regulators. If you lose the data, you will end up with an FTC-approved third party running your IT for the next 20 years.
3. If you exit via a sale of the company or a merger or have to file for bankruptcy, be up front in your privacy policy and tell your users that you may transfer the data in the event this type of strategic move or a restructuring takes place. If you don’t do this, you will need the express opt-in consent of each user to make the transfer later, which will significantly devalue your assets.
4. If you deal with personal information at all, say what you do and do what you say. Do not cut and paste a privacy policy from another company’s website and hope that you’re adequately covered. Diligence in an acquisition includes a thorough privacy review. Misrepresentations in a privacy policy will get you sued, delay a sale and will increase your costs in the future.
5. If you do anything, think like a user when it comes to privacy just as you would when it comes to the usability of a product or service. Your privacy policy is a direct reflection of your product or service.

When Should I Form a Legal Entity?
As startup lawyers, we often receive inquiries from passionate entrepreneurs and founders seeking guidance on when they should consider taking their side projects to the next step by forming a legal entity. Forming a company is a “crossing the Rubicon” moment for any startup. It’s an essential step…

Investment Company Status Considerations for Cash Positioning in Wake of Bank Failures
Given this week’s headlines, many emerging companies may be asking themselves: “Why am I holding so much cash?” The Investment Company Act of 1940 (the 1940 Act) may be to blame. “But I don’t have any intention of being an investment company. Aren’t those mutual funds or…

Distressed Bank Update as of March 16, 2023
In the three days since federal authorities announced sweeping measures to protect depositors of Silicon Valley Bank (SVB) and Signature Bank and help prevent additional bank failures (as discussed in our update of March 12, 2023), the U.S. banking system appears to have stabilized, at least temporarily.…