Balancing Growth with Legal Compliance
Frequently, large technology companies face lawsuits in foreign courts over their failure to comply with foreign laws, primarily those concerning privacy, sales and consumer rights. In Germany, WhatsApp’s Terms of Service violated consumer protection laws; in Canada, Facebook is challenging the application of Canadian privacy law; and in Australia, Valve’s no return policy allegedly violates consumer protection laws. As your startup grows, users may come from major markets across the world and create a challenge – how to balance growth with legal compliance?
Governing law clauses (X law applies and X courts have jurisdiction) are frequently unable to prevent the application of foreign laws to your company – just ask WhatsApp, Facebook or Valve. Therefore, complying with the laws of only one market naturally leaves your startup exposed to legal liability for non-compliance in other markets. While I suggest considering compliance with the law of each market in which you gain traction, I also recognize that cost concerns and a startup’s focus on growth strategies mean that compliance is always on the back burner.
When balancing growth with legal compliance, consider:
1. Size of your company in each market: the larger your company is in a market, the more likely the laws of that market will be asserted against you.
2. General size of your company: the larger (and wealthier) your company is, the more likely the laws of foreign markets will be asserted against you.
3. Potential liability: How large is your company’s exposure to liability for non-compliance in each market? How comfortable is the company with this exposure?
4. PR: Does non-compliance create a substantial chance for bad PR in that market?
Small startups (and large technology companies) frequently focus on growth over legal compliance. Indeed, at the start of your company, potential liability is low as the company is flying under the radar – here, focusing on growth makes sense. Once your company grows, legal compliance should be weighed and constantly reevaluated as laws, and your company, change.
FTC Beats Snapchat – Important Privacy Policy Lessons
I often stress the need to keep your Privacy Policy up-to-date; case in point, Snapchat’s settlement with the U.S. Federal Trade Commission. In the action, the FTC found that Snapchat deceived users with incorrect claims about privacy and misrepresented its data collection practices. Ultimately, the FTC subjected Snapchat to 20 years of independent privacy monitoring.
A few key lessons:
1. Don’t misrepresent. All representations about your software must be accurate, especially those concerning privacy. If you don’t secure the app using X methods, don’t say that it is secured that way! As the FTC states, “Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action.”
2. Keep the Privacy Policy up-to-date. The development team should keep track of all information collected by the software and loop the legal team in whenever a new feature or element is added. Often misrepresentations result from outdated privacy policies that do not keep pace with software development. Further, if marketing wants to make claims about software privacy, make sure to run the claims by the legal team first – best not to make public claims that conflict with the privacy policy.
3. If you have information, act! If users point out security flaws in your software, seriously consider them and document the action taken in response. In Snapchat’s case, numerous users pointed out security flaws that were disregarded, and such conduct certainly factored into the FTC’s decision.
3rd Party App Developers – Who Creates Your Privacy Policy?
If you hire a 3rd party app developer, be sure to agree in writing on who is responsible for the app privacy policy. Too frequently, the privacy policy is left out of the development agreement, leaving the client to figure out the information collection practices of an app they did not develop.
The privacy policy must detail what information is collected, how information is used and who information is disclosed to. The developer is in the best position to prepare the privacy policy as they know what information the app collects. While the client may have an idea of what information is collected, mere ideas are too speculative for the exactness required in a privacy policy.
When entering into an agreement with a 3rd party app developer, be sure that privacy policy responsibility is addressed in the agreement. Two common approaches are:
1. Assistance: the developer will provide the client with all information necessary for the client to create a privacy policy and, if necessary, will work with the client’s lawyer to collect this information. Limits may be set on the amount of time the developer will devote to this.
2. Create: the developer will create an original privacy policy for the client. Never allow a developer to copy another company’s privacy policy as this policy does not reflect your information practices and may constitute copyright infringement.
If the developer does not want to assist with a privacy policy, consider looking elsewhere. A “finished” app still requires legal documents to protect your company and to comply with the law. A developer that won’t assist with legal compliance is not providing a complete product.
When does COPPA apply to my website, app or game?
If you operate a website, game or app you should consider whether the U.S. Children’s Online Privacy Protection Act (COPPA) applies to your data collection practices. Even if you complied with COPPA in the past, it is surprisingly easy to violate in the future when the development team adds new features without running them by legal counsel.
COPPA applies to your website, game or app in any of these four scenarios:
1. if directed to children under 13 and you collect personal information from them;
2. if directed to children under 13 and you let others collect personal information from them;
3. if you have a general audience, but actually know that you collect personal information from children under 13; or
4. if you operate a plug-in or other third party service, and have actual knowledge that you collect personal information from websites, games or apps directed to children under 13.
What is personal information? Personal information is information that can identify a user, such as their full name, email address (or other persistent online identifier), image, voice or geolocation data.
How do you know if your website, game or app is directed at children under 13? A number of factors are considered, such as subject matter, content, whether animated characters are used, child-oriented activities or incentives, ads directed at children or any other evidence regarding the age of the actual or intended user base.
Can I use an age screen? Maybe (my apologies for the typical lawyer answer). Age screens are permitted if the service does not target children as its primary audience. The determination of primary audience is (once again) a factor-oriented analysis.
Penalty? Penalties depend on a number of factors, but each violation can cost up to $16,000.
COPPA will not always apply to your website, app or game but you should consult legal counsel to determine whether COPPA applies. Additionally, before adding any new features that collect personal information, consult with legal counsel once again to ensure that these new features don’t implicate COPPA.