What career could possibly be more exciting than serving as a privacy lawyer for tech start-up companies? This is a question I asked myself a few years back, right after I finished clerking for a couple of terrific federal judges and right as I was considering starting the privacy practice I had envisioned as a law student sitting in Prof. Fred Cate’s classes at the Indiana University Maurer School of Law several years earlier. At that time, my answer was a confident “probably none.” I would, after all, get to work with smart and motivated “big idea” people to make their dream ventures become realities, and what’s more, I would have the challenge of tackling cutting-edge privacy issues because tech start-ups would be on the forefront of technology and data-use practices.
Today, after working with numerous start-ups—from wearables software developers to children’s app designers to second-hand clothing, travel, social, real estate, employment, horse racing, mentoring, accounting and other websites and apps—I can tell you that I was correct that being a privacy lawyer for tech start-ups is an extraordinarily exciting career. But about the major challenges of the job, I have to admit I was flat wrong. The real challenge in advising tech start-ups on privacy is not usually the intricacy of the legal issues or the technology involved; it is the fact that start-ups, at least seed-stage start-ups, almost always have no budget for privacy.
Make no mistake: Start-ups face serious privacy issues. They want to collect and use personally identifiable information (PII). They want to be global. They often need to accept some form of payment from consumers. They may plan to obtain personal information from children, possibly even unwittingly through a device identifier or a screen name and password combination. And sometimes, they do need their attorney to walk them through those issues and help them comply with the applicable laws and regulations. But often, rather than helping start-ups tackle the privacy issues surrounding these practices directly (e.g., the requirements imposed by PCI DSS, COPPA, HIPAA, etc.), their privacy lawyer’s job can be the opposite. How, I regularly find myself asking, can I help my client side-step a privacy issue?
Time and again I return to two answers: avoid or outsource.
First Option: Change the Proposed Business Practice To Avoid Major Privacy Issues
The first way a privacy lawyer can help start-ups avoid expensive privacy law requirements is to consider ways in which the piece of business plan that would require significant privacy work can be delayed or avoided altogether. For example, it may be that a start-up wants to collect information from EU residents when it launches its app. But maybe, instead, an EU launch could wait until after the app has had some success in the domestic marketplace. Why go to the expense upfront when the company has little or no money if an EU expansion might be postponed until the next round of capital is raised and the company has worked out any kinks in its platform?
Or take another example. Rather than collecting personal information from children under the age of 13, a start-up might consider whether it can achieve its goal without all of the notice, consent and security issues required by COPPA by obtaining the same information directly from the parent rather than from the child—COPPA only applies, after all, to information collected “from children.” In that case, it is not just the cost for the legal work or the additional privacy or security restraints; there is also the issue of deterring use of the app by forcing parents to jump through a number of hoops—such as entering a credit card number, making a phone call or filling out a form—that might prevent the start-up from ever gaining a large user base, which more than likely is one of its goals.
Let me be clear: I am not suggesting that an attorney should counsel a start-up to change its core business model—though, in some cases, say, where the law prohibits that business model, the lawyer should do exactly that. What I am suggesting instead is that the lawyer and his or her start-up client should think creatively about how to accomplish the client’s business goals when faced with privacy requirements that pose crippling financial burdens. A lawyer’s role is to identify the company’s obligations and offer advice, including advice on possibly less expensive alternatives. Ultimately, it is the client’s decision, and the compliance obstacles become one factor for the client to weigh in making an informed decision.
Second Option: Hire a Third Party To Tackle What the Start-Up Can’t Handle
The second way a privacy lawyer can often help a start-up avoid expensive privacy law requirements is to advise it to engage a third party that has the proper controls already in place to collect and process the data on the start-up’s behalf. The problem with this option is that, invariably, third parties don’t want to bear any risk or individually negotiate the terms of their agreements. And, under the applicable laws, the start-up is in many cases still the information owner and responsible for the data should something go wrong. This means that a privacy lawyer for a start-up must often advise that vendor contracts are risky ones while recognizing that, in reality, his or her client may have little choice but to execute the agreement if it wants the service and can’t reasonably do the work in-house.
What a privacy lawyer also can and should do is advise his or her client to engage a top-notch vendor that has a reputation for taking privacy and security seriously. If a start-up carries a disastrous level of risk if one of its vendors makes a mistake—and it usually does, because it is next to impossible to negotiate that risk away—it should at least work with a vendor that is less likely to make a major mistake. The ideal vendor is one that has a great reputation and whose reputation will be on the line in the event of a data security incident. That way, the vendor will have an incentive to take extra care of the data and to notify the start-up right away if there is an incident, both of which are provisions a start-up would want in its vendor contracts, if it could get them.
So when your client comes to you to review a vendor agreement—say, for payment processing or cloud-hosting or background checks—and the price is right, you can help your client by taking some time to investigate the vendor for any red flags or at least advising your client that it should do some due diligence of its own. That really inexpensive credit card processing agency located in China is not the great idea it may first appear to your client to be; nor, usually, is the background check service that just launched three months ago and might be out of business in the next three.
At the end of the day, your goal as a privacy lawyer for start-ups is no different than it always is: Learn your client’s business so you can give it the best advice possible.
But start-ups almost invariably have no budget for privacy. Your advice, while perhaps the same as it would be for other clients in terms of your legal recommendations, should therefore be more solution-oriented. You should automatically start thinking about creative ways to address what might be insurmountable privacy obstacles. Can we achieve Goal A without having to do B, C and D legal requirements? Can we outsource B, C and D to a vendor that can do it better and less expensively than we can perform the work in-house?
If you do this now, your clients will thank you. And next year, when they have more funding and are tackling major privacy law challenges head-on, they will look to you to help them.
This article was first published in the March 2015 issue of the IAPP’s The Privacy Advisor. The IAPP is the largest and most comprehensive global information privacy community and resource.