Home > Our Insights > 5 Key Privacy FAQs for Startups & Growing Businesses
Publication

5 Key Privacy FAQs for Startups & Growing Businesses

Published:

January 26, 2021

Author(s):

We udpated this publication on March 4, 2022.

Privacy is critical to every business in every sector, including startups and growing businesses: to comply with the law, to foster positive customer perception, and to be attractive to investors. The consequences of getting privacy wrong can be significant, and for a startup or a growing business, perhaps even fatal. When to start: right from day one – or right now. Where to start: with “Privacy by Design”. How to start: with these five key privacy questions that startups and growing businesses frequently ask.

1. Why is “privacy” relevant for my business; isn’t it only relevant for businesses in certain sectors, like information technology, or for large businesses?

If your business has users or customers, or in any way collects, uses or discloses personal information (in other words, pretty much every business in Canada), “privacy” is not just relevant to your business: it’s critical.

Privacy law compliance. Canada has a mosaic of privacy laws. It’s important that you understand which apply to your business – and it’s likely more than one:

Customer perception. It’s equally important that your customers feel your business is transparent about its privacy practices, and that your use of their personal information is in line with their expectations. If you use your customers’ personal information in a way they don’t expect, such as collecting cell phone numbers to confirm a customer’s account but then also using it to send promotional text messages, it can be perceived as “creepy” and invasive – something your business will want to avoid – in addition to possibly being illegal.

Investor readiness. Investors are also attuned to the importance of privacy law compliance – and the effects of non-compliance – on a business. Sophisticated investors will include privacy in any due diligence investigations, and failing to pass privacy muster could cost you a deal. If your goal is to attract investors for growth, or even ultimate acquisition now or down the road, understanding how privacy issues affect your business and ensuring your business’s privacy practices are both legally compliant and commercially sound will play an important role in making it attractive to investors.

2. What happens if I get “privacy” wrong?

The consequences of getting privacy wrong can be significant – and for a startup or a growing business, perhaps even fatal:

Failed investment or acquisition due diligence. Like everyone else, investors and purchasers are acutely aware of privacy and data security and of the liability risks of privacy and data security breaches. Missing the mark on privacy will likely to lead to failing the due diligence inquiries of an investor or a purchaser – and ultimately, failing to close the deal.

Bad press, reputation damage, lost customers – and lost value. Today’s media is all over news of a data or privacy breach, and is not sympathetic to either the breaching companies or the people associated with them. Think Marriott/Starwood, Equifax, and Capital One, to name but a few. The prevalence of digital and social media makes it easier than ever to spread negative publicity further than ever before. That can immeasurably harm a business’s reputation, and lead to lost customers – and ultimately lost value of the business.

Expensive fixes. There are upfront costs required to bake privacy compliance into business practices and processes at the building stage, which can be discouraging to often cash-poor startups and growing businesses. But the upfront costs of doing it right the first time are significantly lower than the cost to fix those same practices and processes later on.

Expensive (or impossible) insurance. In the business-to-business sector, customers are increasingly demanding that their service providers have cyber-risk insurance coverage. Unless you can demonstrate your privacy and cybersecurity diligence, this insurance is either extraordinarily expensive – or impossible – to get.

And expensive defences. Those upfront costs are also significantly lower than both the legal costs to defend a privacy or data breach civil lawsuit or regulatory complaint, and the financial liability exposure to which such a claim exposes the business. It’s all about risk mitigation: planning upfront reduces the chances that a breach (and thus a lawsuit or complaint), will occur at all, and if it does, then your business will have a better shot at successfully defending against it.

Serious fines for the business – and its directors. Fines for beaching the Digital Privacy Act can be serious. For example, if a business fails to comply with the Act’s breach response regulations, both the company and its corporate directors personally can be liable for fines of $100,000 per incident. Fines for breaching CASL can also be serious. For example, on March 5, 2015, the Canadian Radio and Television Commission (CRTC) handed out its first corporate penalty for a breach of Canada’s Anti-spam Law (aka CASL): $1.1 million against Compu-Finder.  On April 23, 2019, the CRTC handed out its first personal penalty for a breach of CASL: $100,000 against the President and CEO of nCrowd, Inc. And when the CPPA becomes law, fines for beaching it will be significant: it authorizes the imposition of administrative monetary penalties and fines of up to 5% of global revenue or $25 million, whichever is higher, for the most serious offences.

3. When should a business start thinking about – and acting on – “privacy”?

Start right from day one – or if you didn’t start then, start right now.

4. Where do I start?

Start with “Privacy by Design” (or PbD): the concept that a business can’t rely only regulatory compliance to ensure privacy, but instead must make privacy its “default mode of operation”, “embedded in every standard, protocol and process”. Developed by Dr. Ann Cavoukian, Ph.D. and former Information & Privacy Commissioner of Ontario, Privacy by Design (PbD) (for which she named McInnes Cooper’s David Fraser an “Ambassador”) advocates that businesses can achieve this objective by practicing these “7 Foundational Principles”:

  • Be proactive and preventative – not reactive and remedial.
  • Make privacy the default setting.
  • Embed privacy into the design – of everything.
  • Privacy is a positive-sum goal: it’s privacy AND, not privacy OR.
  • Employ end-to-end data security.
  • Practice privacy visibility and transparency.
  • Keep it user-centric and human-centered.

5. How do I implement PbD in my startup or growth-stage business?

Startups and early growth stage businesses are in the best place to implement Privacy by Design because they can build it into their culture right from the ground up. To help your business build a “privacy first” culture, keep these key issues in mind:

Data. Think about it, track it, understand its full cycle, and who has access to it throughout.

Marketing. Balance data analytics goals with user privacy.

Human Resources. Train your employees on privacy issues.

Vendors/infrastructure. Think about your vendors and third party suppliers (for example, cloud service providers), and know and understand their privacy policies.

Developers. Make sure developers you work with understand privacy issues.

Privacy Design Documentation. For each and every element of each and every project, ask yourself these questions and document and understand the answers:

  • Collection. What information from or about users do we collect? Is it personal information? How sensitive is the information?
  • Use. How do we use each data element?
  • Sharing. Do we ever externally expose the information? How and for what purpose.
  • Notice & Control. How are we telling our users what’s going on with their personal information and how do we make sure they have control over their information and how we’re using it.
  • Storage & Access. Where do we store the information? On a device? In the cloud? Whose cloud? How’s is it secured.
  • Deletion & Retention. How long do we keep the information? Why?

Please contact your McInnes Cooper lawyer or any member of the Privacy, Data Protection & Cyber Security Law Team @ McInnes Cooper to discuss how we can help your startup get privacy right.

McInnes Cooper has prepared this document for information only; it is not intended to be legal advice. You should consult McInnes Cooper about your unique circumstances before acting on this information. McInnes Cooper excludes all liability for anything contained in this document and any use you make of it.

© McInnes Cooper, 2021. All rights reserved. McInnes Cooper owns the copyright in this document. You may reproduce and distribute this document in its entirety as long as you do not alter the form or the content and you give McInnes Cooper credit for it. You must obtain McInnes Cooper’s consent for any other form of reproduction or distribution. Email us at [email protected] to request our consent.

View Related Content

Related Lawyers

Related Services

Related Industries

Related Publications

View All Publications
Connect With Us:
Lex Mundi Logo MC Advisory Logo