A Startup’s Mindfulness Guide to Data Privacy

In the world of data privacy, startups have an advantage over more established companies with the opportunity to manage customer data more closely and mindfully from the outset. With this mindfulness comes the opportunity to create differentiation and build customer trust by demonstrating responsible management of customer data.

New Data Privacy Laws

On January 1, 2020 data privacy has come to the forefront in the US with the new California Consumer Privacy Act (CCPA) going into effect. This new data privacy legislation follows closely on the heels of the roll out in 2018 of GDPR regulations focusing on European data privacy.

Think CCPA is only for large companies? — think again…You are a startup, how many users to do you have? More than 50,000 — then CCPA would apply to you… And for later stage startups, you are quite possibly generating more than $25M revenue, another threshold for complying with CCPA.

While companies meeting specific CCPA business and location thresholds are required to comply, increasingly customers and employees may expect you to comply with the CCPA standard, irrespective of whether you are technically required by the CCPA or not.

CCPA Business & Location Thresholds for Compliance

  1. Have annual revenue of US$25M or more;
  2. Have data on 50,000 users or more; or
  3. More than half your revenues comes from ‘Selling’ personal data
  4. Is located in California,
  5. Has employees in California
  6. Does business with a California resident

Even if you are not strictly within the scope of the CCPA, you may want to get ahead of compliance — as customers become increasingly used to being able to manage the personal data stored by companies, they will notice the absence of these rights on your website.

In essence the CCPA may be viewed as a de-facto US-wide law in practice.

For new companies starting out there is the opportunity to build data privacy compliance into your processes from the beginning to minimize exposure downstream, and build a relationship of trust with customers from the outset.

Be Mindful: Build privacy protection into your processes from the outset to minimize exposure downstream and build a relationship of trust with customers.

New Data Rights for Individuals

The CCPA provides individuals with new rights regarding their personal data and how it is stored and how it is used by businesses. Under the CCPA, there are 3 main rights individuals related to their data

  • Right to request what personal information you have about them
  • Right to delete the personal information you have about them
  • Right to ask a company to stop selling their data

These rights now place significant responsibilities on companies in terms of being able to know what personal data they are storing, being able to find what data they are storing and also being able to delete this data if requested.

Be Mindful: Keep track and secure any personal data you store, and only store what you really need to store.

Data, Data, and More Data.

Customer data sits in many places, including cloud storage, emails, customer support chats, and cloud SaaS services, such as Salesforce, Marketo, Google Analytics, Zendesk, and Hubspot.

The scope of data covered under CCPA is vast and once a data request is made by an individual, the company needs to be able find ALL the data relating to that person, including any of the following:

  1. Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
  2. Financial, medical or insurance information such as payment cards and financial account numbers
  3. Characteristics of protected classifications under California or federal law such as age, gender, race, citizenship
  4. Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
  5. Biometric information.
  6. Internet or other electronic network activity information, including, but not limited to browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
  7. Geolocation data.
  8. Audio, electronic, visual, thermal, olfactory, or similar information.
  9. Professional or employment-related information.
  10. Education information, defined as information that is not publicly available
  11. Personally identifiable information inferences drawn from any of the information identified to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes

CCPA requires companies to respond within 45 days to a data request and also keep records of requests they receive under the CCPA and how they responded.

Be Mindful: Keep a close inventory of where you are storing customer data and avoid data sprawl to minimize security exposure and the effort to respond to CCPA requests downstream.

Data Security

There are onerous fines and legal liability for data that is accessed without authorization. CCPA allows for regulatory action from the California Attorney General, and/or allows individuals to sue directly (which in California, can mean class action lawsuits). The fines/legal liability range from $250 to $7500 per record violated. This means that the regulatory and/or legal liability can potentially exceed the revenue or assets of the company.

With the high potential liability associated with having unauthorized data access, startups are well advised to get ahead of discovering and managing the kinds of information they have stored in different places and understand how data is being used. Once a data inventory has been performed, decide what data is necessary to keep going forward and what should be deleted.

Be Mindful: Build CCPA compliance into your processes. Don’t wait for a breach to implement a privacy program for personal information.

Please visit us online for more information on the Docuvision Privacy Portal Generator and getting your privacy program up and running.


Good Luck!

DocuVision.ai: Privacy by Design