Data Privacy Isn’t Just for Large Enterprises

Customers, regulators, and investors want early-stage companies to handle our data better, while larger companies do not seem to be feeling the pressure. We take a look at the issues from the perspective of both groups.

Early-stage startups need to pay attention too.

For an early-stage startup, the thought of tackling data privacy, security, and compliance can seem rather daunting.  It may also feel low priority compared to other work on your plate.

You likely have a limited timeframe to show increased traction in your business.  Prioritizing work that is directly tied to growing your customer base or revenue is very rightly at the top of your mind.  Adding a lot of development time or a large spend on a vendor for data privacy and security is an easy task to kick down the road.

Three main factors can influence any business to invest in improving their product.

  • Customers.  Who buys your products?
  • Regulations.  GDPR, CCPA, and other government regulations around the world.
  • Investors.  Depending on your company this may be individuals, funds, or the stock market.

Unless data privacy is putting a large stress on one of these 3 factors, the work will never climb to the top of your queue.

How these factors affect large enterprises.

Equifax suffered one of the largest and most damaging breaches of American consumers’ data in the last few years, effectively releasing everything needed to steal the identity of every adult in the United States. Yikes.

Customers. Who are Equifax’s customers? They are not the people whose data were stolen. Equifax sells consumer data to other large companies. These large companies did not have any data leaked, so they aren’t concerned.

Regulators.  They are concerned, but the settlement with the FTC amounted to around $4.75 per consumer whose data were stolen.  The CEO in charge at the time took home $20 million in bonuses.   This hardly feels like a punishment that will have Equifax or its future leadership worried about the consequences of improperly handling consumer data.

Investors.  When news of the breach became known, Equifax stock dropped by about 40%.  Two years later, their stock has effectively recovered all of its value without any meaningful changes being made.

Equifax is not seeing any large pressure from its customers, regulators, or investors to correct the behavior that led to their data breach.

Facebook similarly does not appear to be under any real pressure from these three groups to be better stewards of our data.

Coverage of each of these issues can be found at the end of the article.

Customers. Interestingly, no matter how poorly Facebook treats its customers and their data, we have not seen any large movement of customers away from their platform. In fact, daily usage of their platform continues to grow.

Slide from Q3-2019 Facebook earnings call.

Regulators. While concerned, the size of the most recent fine from the FTC was not large enough to materially impact Facebook’s bottom line, only amounting to one month of revenue.

Investors. After Facebook settled its latest data privacy breach with the FTC, their stock price went up. Investors clearly are not concerned.

How do these same factors affect early-stage companies?

Some of the largest companies in the world are not being forced by their customers, regulators, or investors to take data privacy seriously. What do these same factors look like to an early-stage company today?

Customers.  The data say consumers are getting fed up with companies' mishandling of their data, although many still believe this may be a sacrifice they have to make to use technology.

As an early-stage company, you likely do not have a dominant enough position in the market, like Facebook or Experian, where customers have to use your products.

Data privacy can also be a key feature of what you are selling as well as a differentiator amongst your competitors.

The rise of products like DuckDuckGo, Brave, and has shown that companies are gaining traction by positioning themselves against well-established competitors as the privacy-focused alternative.

Still, it is easy to remain unconvinced.  Are customers really looking for companies to take action on data privacy?   GitLab’s recent reversal on a plan to roll out product analytics based on community feedback is one example that suggests we are starting to see the influence of the customer in privacy decisions.

Regulators. As a small and young company, you may think that the regulators are focused on large organizations and you are safe avoiding compliance until your company has grown. However, in Europe there have been fines against small businesses.

CCPA opens a new risk vector to companies by allowing individuals to bring legal actions, which may create a slew of new law firms overnight in 2020 seeking to bring lawsuits on behalf of consumers against companies around the US.

CCPA does have exclusions for small businesses. CCPA applies to your business if you have:

  • $25 million in annual revenue or
  • 50% or more of your revenue is derived from selling California consumers’ personal data or
  • 50,000 California customer, household, or device records

Some of these numbers may seem big, but let’s focus in on the 50,000 customer or device records for a moment.  For a Software as a Service business, this is actually quite small.  

Whether you sell to other businesses or you are a direct-to-consumer product, you are likely to have 50,000 customer records while still being well below the $25 million annual revenue threshold.  For B2B companies, landing one small or mid-sized customer could create 50,000 records in your systems.  In a direct-to-consumer SaaS product, 50,000 customers is likely small enough that you still do not yet have real traction in your market.

Are you actively growing email lists as part of your marketing strategy?  Do you have a CRM where you track every potential lead you’ve come in contact with?  How quickly do these systems get to 50,000 distinct records?  It will depend on your business, but it is easy to envision reaching this number fairly quickly.

For early-stage SaaS companies, you are likely to reach the threshold of 50,000 customer records, and therefore have to be concerned with CCPA, while still being in a very early growth stage of your company’s lifecycle.  This is a particularly challenging time for many companies to have to worry about data privacy and security.

Investors.  As an early-stage company, your investors are individuals and funds that you are either pursuing or that have already invested.  This is very different from the set of investors involved with a publicly held company like Facebook or Experian.

The results of regulatory action against an early-stage company are potentially much more damaging than they are for a large and profitable enterprise.  On the customer front, issues with data privacy are affecting potential future customers rather than customers you already have.

Any issues coming from these groups may make potential and current investors nervous about the viability of your company and products, so data privacy issues will likely rank higher on the list of investor concerns than they do for large enterprises.

What have we learned about early-stage companies?

  • Customers that you are trying to draw to your products are more interested in data privacy than ever before.
  • Regulations like CCPA are likely to apply to your company very quickly after you start acquiring customers.
  • Investors are paying attention to changes in both of these areas as they directly impact their return on investment in your company.

While this all might sound a bit intimidating, the shifting data privacy landscape shows lots of opportunities for companies that can differentiate themselves from their competitors by making privacy a core value of their products.

So, now that we are all either terrified into behaving well or excited about adding privacy as a differentiator to our business, look out for part 2, where we’ll discuss easy ways early-stage companies can lay the groundwork for a healthy approach to data privacy.


This is the first in a series of articles about why data privacy, security, and regulation are important for small and early-stage companies, and how they can start to put good practices into place.

Alejandro Cantarero is the Field CTO of AI at DataStax. Previously, Alejandro was founding CTO of Nami ML. He has built and run data teams at startups and large enterprises. Most recently he was the VP of Data at two large media companies, the Los Angeles Times and Tribune Publishing Company.
