Startups have bigger concerns than privacy, or so they think.
Many startups have learned that being young and small does not keep them off the radar screens of privacy regulators, and they can be vulnerable to costly investigations. Privacy issues that come to light in the course of the due diligence process for an acquisition can also threaten their valuation. In fact, VCs increasingly report that privacy can affect a startup’s ability to raise capital.
Avoid serious problems down the road by following a few basic steps now.
1. Say what you do. If your website or app (or its affiliates or business partners) collects, uses or discloses information that can be used to identify an individual or a device (e.g., name, email address, cookie identifier, or mobile device identifier), you should have a privacy policy that explains what types of data you collect, how you use it, who you may share the data with, and the steps you take to protect the confidentiality and privacy of the data. Don’t just find a generic policy and post it to your website. Instead, make sure the policy actually reflects your company’s practices by mapping out the data your company collects, how it is used, how it is disclosed, and how it is secured. Additionally, plan for an acquisition now by telling your users in your privacy policy that you may transfer the data in the event of a merger or acquisition.
2. Do what you say. Follow your privacy policy and anything else you communicate to your users about how you use or protect their information. Misrepresenting your privacy practices or deceptively failing to disclose a key fact is the surest way to get in trouble with privacy regulators. If your data collection, use or disclosure practices change, make sure your privacy notices also change.
3. When it comes to data, less can be more. If you don’t need it, don’t collect it. Collecting data because it might be useful one day can get you into trouble. For example, collecting the date of birth of your users can trigger obligations under the Children’s Online Privacy Protection Act.
4. Secure it. If you collect information about your users, take reasonable steps to protect it. The Federal Trade Commission offers 12 tips for mobile app security and a general guide for all businesses.
5. Be choosy in selecting who has access to your users’ data. If you give a service provider or other business access to your users’ data, make sure you understand how it is being used. Look for companies that follow industry codes of conduct such as the Network Advertising Initiative’s rules for interest-based advertising or cross-app advertising.
