It’s a fact of startup life that your company is going to be severely time and resource-constrained. Small teams can only accomplish so much in a day and some initiatives will inevitably fall by the wayside. In the past, privacy was often an afterthought for small companies, but that’s rapidly changing in this new age of big data.
As CEO of TRUSTe, a provider of privacy technology for online companies, I’ve seen firsthand the impact privacy can have on a startup — for better or worse. When it’s bad, it’s ugly. I’ve seen a single user complaint or blogger exposé spiral out of control and become front-page news and fodder for regulators within hours. These fallouts can come at an extreme and sometimes fatal cost to a company with limited resources. They create monstrous distractions that disrupt product development, incur hefty PR and legal fees, and embroil the company in drawn-out lawsuits and investigations.
Good privacy is not just about avoiding pitfalls by minding your legal Ps and Qs, it’s also about accelerating your data relationship with users through increased trust. Whether you run an e-commerce website or a mobile photo app, you cannot succeed without a healthy data relationship with your users. And the more people trust companies, the more willing they are to share data.
So how can your startup pivot on privacy?
1. Practice privacy by design
Privacy by design means proactive investments in privacy. It’s the difference between making privacy an afterthought and embedding it into your product development cycles. You already ask important questions in these cycles. (Is our user experience intuitive? Is this click path optimized?) It’s time to add a few more questions to that list that can save you a lot of future headaches. Questions like: would this data collection negatively surprise users? Do they have meaningful control over their data? Are we accessible and accountable to user privacy concerns? You already design your product to be usable, engaging and scalable. Now it’s time to design with privacy in mind to accelerate and protect your data relationship with users.
2. Respect your audience (especially mobile)
Smartphones carry heightened privacy baggage, because we use them everywhere and they’re constantly collecting data, including such sensitive information as our precise location. You should notify users about these sensitive data collections and give them a choice about whether to share that data, in a manner appropriate to the mobile user interface. Identifying mobile users for personalization and advertising purposes is also a tricky privacy proposition, and you should be aware of industry best practices. Apple, for example, recently forbade developers from collecting UDIDs on its iOS platforms since these user IDs are permanent and provide no ability for consumers to opt-out of targeting.
At the end of the day, privacy is contextual, and you need to understand and respect the context. If you process financial data, consumers will obviously hold you to a higher standard than if you collect data related to their use of an online game. And don’t forget that data about certain audiences carry extra legal privacy protections, such as data about children under the age of 13 in the U.S. and data about EU citizens stored on U.S. servers. Know and respect your audience.
3. Know your data
This sounds obvious, but it’s often overlooked. Let me give you an example: TRUSTe uses Web crawling technology to scan our customers’ sites for third and first party tracking code. I’ve personally presented the results of these scans to companies large and small, and in every single case we found code that surprised their team. Code they weren’t aware of and code that collected user data, such as embedded third party social tools. These days websites and apps pack a lot of tracking code, and much of it comes from such third parties as analytic providers, advertisers and social platforms. You need to know what data you collect, how you collect and protect it, and what you do with it. You need to know the same thing for your partners and third parties with embedded code in your product. Without a complete and accurate picture of the data collection activities on your website or app, you cannot provide users with adequate privacy notices and choices, and this could invite “unpleasant surprises” for users down the road.
4. Communicate openly and actively
5. Name a privacy owner and get cracking
At the outset, small startups rarely have the resources to hire a dedicated chief privacy officer, but it’s important to assign privacy ownership to someone on your team and to educate everyone — from engineering to marketing to sales —because privacy is a shared responsibility that can impact every part of your business. As a bootstrapped startup, your privacy owner will probably be your CEO, general counsel, or a product or engineering lead. Employees at startups have to wear many hats, so embrace titles like “CEO and chief privacy officer” —it’s one more way to openly communicate your privacy commitment. This stuff can’t wait until tomorrow. In many cases, it’s the law. Where’s it’s not the law, the media is chomping at the bit for the next privacy scandal, and you can’t afford to be the target. And don’t forget, your users actually care about this stuff. A recent survey TRUSTe conducted found that 90 percent of adults worry about their privacy online. By investing in privacy, you’ll protect your data relationship with users, and you’ll help expand it through increased trust.
Chris Babel is the CEO of TRUSTe, a leading global provider of privacy technology and certifications for online companies.