By Rob McWilliams,
Consultant – Tueoris

Assessing and responding to privacy risk is essential prior to and following business investment in order to sustain the “privacy balance sheet” of portfolio companies.  Investors must be satisfied – prior to committing to funding – that a target venture’s business plan is sustainable in the light of growing global privacy regulation and consumer privacy awareness.  This includes analysis of the types of data being collected, from which domestic or international regions, and with what third parties it is necessary to share personal data in order to meet a venture’s business objectives.  While some existing risk associated with processing of personal data may be acceptable to investors, these risks should be addressed as soon as is feasible following the investment, in order to eliminate or reduce any legacy privacy risks.

Consumer privacy consciousness is a business consideration that is increasingly as important as privacy laws and regulations.  Consumers form early opinions about which products, services and businesses they trust and are increasingly aware of their privacy rights. Inquiries, requests, and complaints – and risks associated with mishandling them – have become an unavoidable part of running a business.

Outside of certain sectors (notably healthcare), US ventures have a common history of having viewed privacy as an issue to be addressed only when the time comes to expand overseas, particularly into European markets. Even in such instances, privacy management has often been seen as a matter of simply ticking a few compliance boxes.  This position is no longer sustainable. The California Consumer Privacy Act (“CCPA”) gives Californians (with the fifth largest economy in the world and a GDP of $2.9 trillion) the right to know exactly what personal information businesses collect about them and to whom they “sell” it (“sell” is broadly defined to include any disclosure for commercial advantage). Consumers may also request deletion of their data and instruct businesses not to sell it.  The CCPA will not be the last word in US privacy legislation. Other states – and perhaps the US Congress – are quickly lining up to follow suit.

In the rush to bring the product to market, it’s not easy for startups to find bandwidth for privacy, but overlooking this highly visible consumer and regulatory issue can be costly. Bad publicity is hard to undo and difficult to recover from, while products without privacy features may require re-engineering.  In addition, investors may find that they have acquired a loose internal privacy culture that is highly resistant to change.

Taking a reactive position with regard to privacy issues can also be costly for young business ventures.  For example, when critically important new customers insist on the inclusion of contractual privacy assurances, the scramble to understand and meet these obligations often sends start-ups directly into the hands of big law firms that might not be a good fit for their business maturity or corporate culture. Working with the right advisors from an early stage eliminates the scramble and reduces costs.

Later-stage startups and PE-backed ventures with highly data-dependent business models tend to have given privacy more consideration than new enterprises that are often in a rush to get their product or services to market. However, episodic and reactive engagement with privacy risk and personal data management do not result in a “marketable” privacy environment, which would include a company culture of privacy, demonstrable data governance, and established customer trust.

A “privacy program” – operationalized and ongoing – may appear to be a heavy lift to nimble businesses seeking to get to market and react quickly and effectively to market forces.  However, handled appropriately, this need not be the case.  Investors should remain cognizant of the new business reality that a well-developed, risk-focused and right-sized privacy program is a significant consideration in portfolio valuations.

rob.mcwilliams@tueoris.com

Tueoris provides privacy and security solutions for VC and PE firms, including, pre-investment data due diligence, outsourced privacy office for portfolio ventures, comprehensive privacy program development, and virtual CISO services.