What Do Startups Need to Know About Data Privacy Law?

data privacyIt’s hard to imagine a startup that does not collect some form of sensitive information in digital form, and the collection, use, and disclosure of such information is regulated under federal, state, and even international laws. The purpose of this post is to outline the legal framework that creates your obligations to safeguard customer data and the consequences of failing to comply with these laws. Startup founders that understand their legal obligations and make the investment to comply with them can reduce the likelihood of liability and ultimately compete more effectively by earning a reputation for protecting their customers.

Federal Laws Governing Data Privacy

Currently, the legal framework for data privacy consists of a patchwork of state and federal laws and regulations and industry standards that govern the collection, use, and disclosure of private information. Unlike other countries, the United States has not adopted a comprehensive regulatory regime prescribing the exact activities the government deems permissible. Rather, US law has relied mostly on private litigation and government enforcement actions under laws that predated the modern digital era. Notable exceptions where US lawmakers have adopted specific rules and privacy restrictions are where companies collect financial or medical data.  

Somewhat surprisingly, the primary mechanism for regulating data privacy in the US is under the Federal Trade Commission Act (FTC Act), which prohibits unfair and deceptive business practices. While the FTC Act was not originally aimed at data privacy, the Federal Trade Commission (FTC) has successfully argued in federal court that its claims against companies for weak cybersecurity measures properly falls within the FTC Act’s prohibition against unfair business practices. Although the FTC does not require companies to have a stated privacy policy on their website (discussed in the next section below), the FTC has taken the position that companies that do not comply with their existing privacy policy are engaging in deceptive business practices, which is also prohibited by the FTC Act. In addition to bringing enforcement actions against companies who fail to provide appropriate and reasonable protections for sensitive customer data, the FTC also issues practical tips and guidelines that are not legally binding but outline best practices on a variety of privacy issues that companies should consider implementing.

Unless a company operates its business solely in a single state and has no out of state customers, it will be subject to the FTC’s consumer protection rules. Additionally, there are a number of federal statutes that apply to specific business activities that implicate data privacy issues. Some examples include:

  • The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act addresses commercial email communications and governs the use and collection of email addresses for commercial purposes. It also prohibits using misleading or false information in email headers, or subject lines that are materially misleading.
  • The Telephone Consumer Protection Act (TCPA) applies to marketing activities via telephone calls and text messaging and regulates the use and collection of telephone numbers for commercial calls and messages. Litigation under the TCPA is on the rise, so if you are calling or text messaging consumers, you must obtain their express written consent and give them an opportunity to opt out from receiving messages.
  • The Electronic Communications Privacy Act (ECPA) governs improper access, interception, or disclosure of a wide range of electronic communications (e.g. email). You will want to pay particular attention to the ECPA if you are monitoring your employees’ electronic communications.
  • The Computer Fraud and Abuse Act (CFAA) forbids computer hacking and tampering, and criminalizes certain acts of unauthorized access to government computers and other protected computers.
  • The Children’s Online Privacy Protection Act (COPPA) strictly regulates companies that have websites for kids (or knowingly collects information from kids) and gives parents control over what information the company collects. The FTC has published a helpful guide for complying with COPPA.  
  • The Fair Credit Reporting Act (FCRA) regulates how businesses like credit reporting agencies can use and disclose credit reports, credit card numbers, and other information. If you take an adverse action (e.g. refuse a loan, refuse to hire) based on a credit report provided under the FCRA, you must disclose certain information about that report to the consumer.

In addition, US law takes a much more detailed approach when it comes to protecting consumers’ financial and medical information. If you are operating in these industries, you will need to comply with a number of additional laws and prohibitions including:

  • The Gramm-Leach-Bliley Act (GLBA) governs financial institutions such as banks, insurance companies, securities firms, and other companies that receive customers’ nonpublic financial information in connection with the offering of financial products or services
  • The Health Insurance Portability and Accountability Act (HIPAA) governs any company that comes into contact with personally identifiable medical information and provides specific requirements for the protection and disclosure of that information.

State and International Laws

State laws too can have a far-reaching impact on data privacy. In fact, the reason that most websites have a privacy policy in the first place has its origins in state law. California’s Online Privacy Protection Act, which went into effect in 2004, requires any company operating a commercial website that collects personally identifiable information from California residents to clearly post and comply with a privacy policy that details the kind of information being collected, how it might be shared with other parties, and how users can review and change the information that’s collected about them. While it is a California state law, it is not limited to companies or servers physically located in the state; rather, any company that collects personal information on California residents (which covers many websites), must comply with the law. This state law, combined with the FTC’s requirement that all companies with a privacy policy must actually comply with that policy, underlies the importance of having a well-written privacy policy that actually reflects the internal practices of the company.

Additionally, all states have so-called “little FTC Acts” that prohibit unfair or deceptive business practices. Although these state laws are based on the FTC Act, they are often enforced more aggressively by state attorneys general and private litigants and apply to conduct that would not be illegal under the FTC Act. Similarly, all states, excluding Alabama and South Dakota, have adopted legislation requiring businesses to notify individuals if their personally identifiable information has been subject to a security breach.

Finally, if you have international customers, which many commercial websites do, you will need to be aware of international data privacy standards, which may go farther than US law does in restricting your activities. For example, the European Union (EU) has taken a comprehensive approach to the protection of data and in some cases prohibits companies from transferring the private data of EU residents to countries that do not have similarly strict standards for data privacy, which includes the US.  

What Happens if You Don’t Comply with Privacy Laws?

Startups that fail to follow data privacy and security laws can face serious ramifications. Cybersecurity incidents are often the precursor to investigations and possible enforcement actions by state attorneys general or the FTC. In addition, companies have been held liable for failing to adhere to their privacy policies. These incidents can also lead to private causes of action (or even a class action) typically by consumers whose information was compromised or improperly used or disclosed. Plaintiffs may claim that the company breached its contractual obligation to protect the personal information, claim that the company was negligent in its protection of that data, or bring a claim under a state’s consumer protection statute for unfair or deceptive business practice. Claims may also come from affected third parties; for example, if credit card information was compromised, the credit card company may seek reimbursement from the breached company for the costs of reimbursing the cardholder for fraudulent charges.

Claims can result in civil damages, penalties, sanctions, and fines. Often, the government enforcement actions result in a settlement where the company agrees to pay a sum of money, discontinues or changes a certain aspect of its business operation, or agrees to overhaul its cybersecurity measures. Private litigation can result in similar settlements, but generally, these plaintiffs are looking for compensation for the harm they have experienced.

Perhaps the most important consequence resulting from a data breach is not legal liability but the sometimes-irreversible reputational damage. Small businesses in particular have a difficult time recovering after they are hacked, and a startup company attempting to earn the trust of existing and potential customers or investors will be significantly affected by failing to safeguard its private data or respond properly to a breach. As the sophistication of hackers and challenges of data privacy and security continues to grow, it is important to know your legal obligations to protect information.


© 2017 Alexander J. Davie — This article is for general information only. The information presented should not be construed to be formal legal advice nor the formation of a lawyer/client relationship.

Alexander J. Davie About Alexander J. Davie

Alexander Davie is a corporate and securities attorney based in Nashville, Tennessee. Businesses of many varieties rely on his counsel and judgment throughout all stages of their growth. In particular, fund managers and investment management professionals seek the expertise Alex gained when he served as general counsel to a private investment fund. Alex also has significant experience and enjoys working with companies and entrepreneurial ventures, especially within the technology industry. As a believer in technology's ability to enrich people's lives and allowing people to connect with each other in new ways, he is passionate about helping tech startups achieve success. He is active in Nashville's startup community as a mentor at the Nashville Entrepreneur Center and participates in numerous other events geared towards making Nashville a nationally ranked location for starting a business.

Contact Alex