96. Startup Privacy Policies 🥷 What you need to know about GDPR, CCPA and beyond!

In this interview, Sabir Ibrahim, an attorney and entrepreneur, provides valuable insights on the implications of privacy and privacy policies for startups.

He emphasizes the importance of privacy laws, particularly highlighting the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), and explains that these laws apply to all companies, regardless of their size.

Sabir advises startups to prioritize privacy policies, starting with a comprehensive privacy policy that includes information about data collection, usage, and sharing.

He also recommends engaging an attorney to ensure compliance with relevant regulations.

Sabir highlights the potential risks and consequences of non-compliance with privacy laws, such as regulatory enforcement actions and lawsuits.

He suggests implementing a plan for data privacy as companies grow, including the concept of privacy by design.

The discussion also explores the relevance of privacy issues in specific sectors, such as Medtech, Fintech, and AI applications, mentioning the need to consider industry-specific regulations.

The interview concludes by emphasizing the importance of engaging legal counsel, budgeting for legal expenses related to privacy policy creation and compliance, and treating privacy compliance as an investment rather than a cost.

This article is part of our series on Running your Business. Find the rest of the articles HERE.

Sabir Ibrahim’s Bio:

During his 15-year career as an attorney and technology entrepreneur, Sabir has advised clients ranging from pre-seed startups to Fortune 50 companies on a variety of issues within the intersection of law and technology. He is a former associate at the law firm of Greenberg Traurig, a former corporate counsel at Amazon, and a former senior counsel at Roku. He also founded and managed an IT managed services provider that served professional services firms in California, Oregon, and Texas.

 

Sabir received his BSE in Computer Science from the University of Michigan College of Engineering. He received his JD from the University of Michigan Law School, where he was an article editor of the Michigan Telecommunications & Technology Law Review.

 

Sabir is licensed to practice in California and before the USPTO. He is a Certified Information Privacy Professional.

 

His website is: https://www.optimedge.legal

You can also find him at:

https://linkedin.com/in/sabir-ibrahim-a9505b1

https://medium.com/@optimedgelegal

https://youtube.com/@optimedgelegal

https://tiktok.com/@optimedgelegal

https://instagram.com/optimedgelegal

After this, you might be interested in checking out this interview with Attorney Adam Philipp on Patents and other Intellectual Property.


Transcript:

 

Lance

Hey there. Recently I was talking to entrepreneur and attorney Sabir Ibrahim and we got to talking about implications for privacy and privacy policies on startups. He had some really interesting insights that I thought would be super useful to share with all of you. So we recorded this interview. He has a really impressive background, which I don't want to go into here, but I'm going to paste the entire thing down in the description so you can see why he is such an authority on this topic.

 

Lance

Sabir, welcome to Feel the Boot.

 

Sabir

Thank you. Great to be here, Lance.

 

Lance

So I'm really excited to have you on because I think we're going to be talking about some interesting topics today related to privacy, something that really doesn't get discussed as much as it should among startups. But I know that law wasn't really where you originally started. You actually came to the law from technology. So could you talk just a little bit about what your history is?



Sabir

Sure. Yeah. So I've been a techie my entire life. Ever since I was a kid, I've been fascinated by technology, went to engineering school and did my bachelor's in computer science, and worked in the tech sector for a little while before deciding to go to law school. In going to law school, I wasn't seeking to get away from technology. It was sort of a different path within technology that I was seeking, and embarking upon a legal career seemed to be a great way to sort of be engaged with technology, but on a level where I can tackle issues that arise from the use of technology and solve problems for engineers, startups, technical people, that they often might kind of feel adrift in a way that.

 

Lance

Makes a lot of sense. Most founders are experts in the things they are experts in, but they don't really know a lot about many of these legal issues that are going to come up and ambush them. So how did you come to get really interested in sort of privacy and privacy policies as an issue?

 

Sabir

Yeah, so that was more recent in terms of the types of data. Well, I guess starting at the rise of the Internet, as soon as the Internet kind of became a thing, I think everybody knew that, okay, this is going to change the way we share information, this is going to change the way we consume information, this is going to change the way we use information. It took a little while, I think, for that to be reflected in policy and the law. I think in recent years, and by recent years I mean say the past three, four, five years, there's been an explosion in new regulation, new statutes, new ways that you can be held liable for privacy lapses. And so I think because of that, privacy law is now a field that is critically important, more so than it ever was in the past. The sort of major milestone there was the enactment of the GDPR, the General Data Protection Regulation, in the European Union. That data privacy law is a comprehensive law that introduced a lot of new requirements, a lot of new concepts, and it's been used by countries all over the world, including here in the United States, by state and federal government, as a model of sorts for how data privacy should be approached and regulated.

 

Lance

Yeah, I remember back in the early days of the Internet, I started my company back in 1995. It really was this insane wild west kind of situation where there were no regulations. People talked about privacy a lot. They thought about it, but you could fundamentally do whatever you wanted. And I know that a lot of these situations have changed, but it seems like a lot of startups tend to feel like, well, I'm too small to matter. I can think about this later and push that off down the road. So can they sort of ignore this for now? And what are the implications of these laws for early stage companies?

 

Sabir

I think there was a time when they could, but that time is a thing of the past. The main reason for that is twofold. Number one, the GDPR, which, as I mentioned, is kind of the major piece of data privacy regulation in the world, does not have any exemptions for small businesses. It applies to all companies, all businesses, no matter how big or small they are.

 

Lance

Is this something that's actually impacting these early startups now? Is this a theoretical risk, or are we actually seeing enforcement actions on them?

 

Sabir

We're actually seeing enforcement actions. So I'll give you an example. Here in the US, on the federal level, generally speaking, the FTC plays a huge role in regulating and enforcing data privacy requirements. And obviously the big headline-grabbing FTC enforcement actions relate to the Microsofts of the world, the Metas of the world, the Googles of the world, but they have pursued enforcement actions against smaller companies. And so I'll give you an example. There's a company called CafePress. That company, all they do is sell t-shirts and swag online. That is literally all they do. Not a particularly complicated business and not a particularly big company. CafePress was hit with an enforcement action by the FTC for mishandling certain customer data and not doing the things that it said it was doing in their privacy policy. So that is one concrete way in which a company of any size can be held to task by a regulatory authority: if you're making certain representations in your privacy policy about doing certain things, even if you are not required to do those things, even if there's no regulation that says that you must do those things.

 

Sabir

And you are saying in your privacy policy that you will do those things. The FTC can come after you for not doing those things. So, as an example, if I say in my privacy policy that I'm using encryption both at rest and in transit, and I'm not actually doing that, then the FTC can come after me for saying that I'm doing that and not actually doing it. So the concrete piece of advice here is that if you're not required to do something, then don't say you're going to do it, because you will be held to task if you end up not doing it.

 

Lance

Now, there's a lot of different things that a founder's attention is getting pulled towards, right? They're continuously trying to address billions of different issues. Where should a founder start when they're thinking about trying to deal with privacy for their company?

 

Sabir

Yeah, it's a great question. The first thing where I would recommend that they start is with a privacy policy. That is something that you need to have from day one, and the GDPR requires it. The CCPA, which is the California Consumer Privacy Act, requires it. Many other state laws require it. Some federal laws require it. So a privacy policy is a de facto requirement, if not a formal legal requirement. So the first thing that any startup should start with is their privacy policy.

 

Lance

What needs to go in that privacy policy, and is it okay just to use a boilerplate policy, or is this something that really needs professional review?

 

Sabir

So there are three main things that every business needs to include in their privacy policy. And those three things are informing customers about what data the company is collecting, how they're using that data, and whether and how they are sharing that data with anybody. Those three things are absolutely critically important to include in your privacy policy. In addition, there are other things that you have to include, such as processes for opting out of certain things, privacy-related contacts and their contact information, and information about your company that allows consumers to identify who you are. There are a lot of things that have to go into a privacy policy, but I would say those are the three most important and most critical: what data you're collecting, how you're using that data, and how and whether you're sharing that data. Now, in terms of whether to use an attorney or whether to just kind of do it on your own in various ways, obviously my advice would be to engage an attorney and to have them write that for you. The reason being that startup founders often have blind spots with respect to these things, which is completely understandable because they're not lawyers.

 

Sabir

It's not their job. So in order to make sure your bases are covered, in order to make sure that you've thought of everything that you should be thinking of, which may not be possible unless you have a trained professional asking you the kinds of probing questions that they would need to ask you in order to prepare your privacy policy, any sort of ad hoc approach would kind of come up short and could cause problems down the line.

 

Lance

Got it. So someone might be thinking, for example, well, I'm not selling any of this information, but in fact, they're using cloud providers and third party resources to manage a lot of this data, and so it is leaving their hands. That's the kind of thing they need to be, correct?

 

Sabir

That's correct. And as I mentioned, personally, I would say that the GDPR is a de facto requirement here in the US, or the GDPR is de facto law in the US, because many companies have European Union users. And the way that the GDPR comes into applicability is that if you are handling the data of European Union citizens, irrespective of whether or not your company is based in Europe or even has any operations in Europe, that brings you within the scope of know. As I mentioned, GDPR does not have any exemptions for small businesses.

 

Lance

Yeah, I suppose it would actually be impossible to guarantee that you're not doing it even if you were, say, only allowing US IP addresses. If a European national was in a US hotel or using a VPN, they're still using your service in some way.

 

Sabir

That's correct. I think these days it's pretty much impossible to block people from certain countries from registering an account, even if you say that our service is only intended for US users. If you don't take effective measures to block out people from other countries, if you don't provide that notice, and even if you provide that notice and it's easy for non-US users to register for, you know, you kind of have to deal with those regulatory requirements.

 

Lance

Got it. So really, almost any set of laws applies to almost everyone. If the law is written in that kind of way, you just always need to assume that that could be coming to bite you at any time.

 

Sabir

That's correct. Now, having said that, I've been an entrepreneur before, so I know that it requires making certain choices and choosing your battles and allocating resources in certain ways. So I would not advise that a company spend any amount of time or money complying with some obscure regulation in some country whose economy is a fraction of the size of ours. But certain things you do have to think about. Like, for instance, GDPR is something that you simply have to be aware of and have to think about. At a minimum, the UK's Data Protection Act post-Brexit, that's something that you should be aware of and thinking about. China's laws, countries that have very large economies from which you may derive revenue, you have to think about the laws in those countries.

 

Lance

Now, you've dropped a bunch of acronyms. And I know there's a huge rat's nest of these different three- and four-letter acronyms describing these different laws. What are the sort of key ones that people should be aware of, so that when they come across them or when their attorney's mentioning them, they kind of understand what they're talking about?

 

Sabir

It's kind of an alphabet soup, isn't it? The key ones, definitely. If I could pinpoint two laws, it would be GDPR and CCPA, the California Consumer Privacy Act. The CCPA, I think, was one of the first state data privacy laws to go into effect. And California is the biggest economy in the US, and I think the fifth biggest economy in the world if it were to be considered by itself. So those are the two main ones that all companies should be thinking about. Fortunately, the CCPA has sort of like cut-offs: it applies to your company if you have 25 million a year in revenue, or you handle a certain number of records of California consumers, and a couple of other criteria. So those are things that you need to think about. The other thing, I think over the past month or so, we're averaging a new state data privacy law being enacted or going into effect practically every week. So there are a lot of these that you should be thinking about. If I had to choose two, it would be those two, CCPA and GDPR.

 

Lance

But I guess if someone's watching this interview, which we're recording in the summer of '23, sometime in 2024, probably a lot's changed and they need to be looking at how that landscape is evolving, correct?

 

Sabir

Yeah, the list could grow, is growing and will grow.

 

Lance

So once someone's got their privacy and policy in place, what's the next step that they should be thinking about?

 

Sabir

Yeah, great question. So once your privacy policy is in place, you need to start thinking about how you will plan your operations internally, or as you grow, how you will make sure that you remain in compliance not only with state, federal, and applicable foreign law, but with your own privacy policy. Because in your privacy policy, you're going to be making representations on how you will handle your users' or your customers' data, and you need to comply with those representations. You need to be sure that you're actually doing the things that you say you're going to do. Now, I get it, right? When companies are in hyper-growth mode, it's easy for things to fall between the cracks. But one thing you should keep in mind is that a regulatory enforcement action or a lawsuit or some type of slip-up can stunt your growth, can derail you as you're on that growth trajectory. So the thing that I would advise is that companies have a plan in place, and it doesn't necessarily need to be like a formal plan that's approved by the board of directors and all of this stuff. Just have some kind of a plan in place that says, as we grow, we will need to account for the following in the data privacy realm.

 

Sabir

So let's structure such and such operation or such and such workflow or such and such procedure or protocol such that it will be easy for us to stay compliant as we grow. There's a philosophy, with respect to products anyway, called privacy by design. And privacy by design is basically that you design products to be compliant from the ground up and take privacy considerations into account in your process for designing a particular product, rather than building the product and then adding privacy-related features as a bolt-on later on. So privacy by design is something that you might want to think about implementing. For multiple reasons, really: not just because it'll help you avoid problems, but also maybe as part of the value proposition of your product or your service, that you can more confidently make assurances to your customers, prospective customers, and users about how privacy is built into your product. And that's especially true if you're in a sector where data privacy is part of the pitch to customers and users.

 

Lance

Yeah, it's been really interesting to see some large companies leaning into privacy as a differentiator, right? Something that they're going to talk about to bring in more customers. Apple, for example, has kind of taken a real strong public position on privacy. And I'm not going to debate whether they've been successful at actually doing better privacy, but it is certainly part of kind of the marketing that they're...

 

Sabir

I was really struck by that commercial that they ran. I don't know if they still run it, but of people sort of in everyday situations shouting out their private information like, oh, my credit card number is such and such. My Social Security number is such and such. Now, we all know that was an implicit shot at Android and Google, but yeah, this is something that consumers, users are thinking more and more about and that companies are going to have to account for if they want to succeed in the market.

 

Lance

Now, because these enforcement actions can really derail the growth of a startup, investors are starting to become more conscious of this as an issue, and it's beginning to come up in due diligence more and more. What sort of things should companies be ready for in due diligence? And what documentation do they need to have in place to make sure they can check that box effectively for the investors?

 

Sabir

Yeah, great question. So if I'm a VC or an angel, and I'm contemplating investing in a certain company, the questions that I'm going to ask, especially if that company is in sort of a data-heavy field, or if data is part of the business of that company or that company's product or service: I want to know the company's privacy policy. I want to know that the privacy policy complies with all regulations and laws. I want to know that the company is complying with its own privacy policy. And on the infosec side, and infosec and privacy obviously go hand in hand, I want to know that the company has all of the protocols in place to ensure that it can comply with its own privacy policy and with all of the laws and regulations that it's required to comply with. Those are the questions that I'm asking if I am a VC. As well, I want to know if there are privacy implications of your product or service, the way in which you're offering it, the features you're including; I want to know that you have thought of those implications and you have a way of addressing them.

 

Sabir

The worst thing that can happen to you is if you're in the middle of a pitch and the VC or the angel asks you, oh, but doesn't that introduce a lot of privacy related issues? Or aren't the privacy regulators likely to have something to say about that? And how do you plan to address that and not having an answer for those questions?

 

Lance

Before we go on to the second half of this interview, I wanted to ask you to do me a favor. If you've stuck around this far, clearly you're getting some value out of this episode. So I would really appreciate it if you would (surprise) like this episode, ring the notification bell and subscribe to the channel. Obviously it helps us a tremendous amount and I would really appreciate it. But it also makes sure that YouTube's algorithm knows that this is the kind of content you'd like to see more of and will make an attempt to notify you when new episodes come out. Of course, it's not actually great at that, so I recommend you go over to Feeltheboot.com and subscribe to our newsletter, Boot Prints. This, in addition to notifying you of all the new content, unlocks access to my free office hours so you can set up time to talk with me about any issue related to your startup. I love talking to founders.

 

Lance

Yeah, I know that. I've sat through a lot of pitches, particularly medtech pitches, where they'll be talking about what they're doing, and suddenly I begin to think about HIPAA implications. And so we've been talking in a very generic way about these privacy issues.

 

Lance

But how does that start to evolve as we look into particular verticals like Medtech or Fintech AI applications? What are the other particular concerns people need to be focused on when they're looking in those?

 

Sabir

Yeah, good question. So in specific verticals, obviously, finance and healthcare are two heavily regulated industries, and fintech and health tech are both growing fields. So if you're in those fields, then you've got to think not only about the sort of generally applicable privacy regulations and laws, but you've got to think about things that are specific to those fields. So in health tech, for example, obviously you have HIPAA. HIPAA has been around for a very long time, and the sort of knowledge bank around HIPAA, the experience with HIPAA in the community, there's plenty of that out there. But HIPAA only applies if you are a healthcare provider, right? Because HIPAA, when it was passed, didn't necessarily contemplate the scenario in which a lot of companies are providing quasi-health services or health-related technology services and products but aren't themselves healthcare providers. Those companies sort of fell into a regulatory gap, right? So what we're seeing now is states, the federal government, countries, are trying to fill that regulatory gap. And there's an example that I wanted to talk about. The state of Washington recently passed something called the My Health, My Data Act.

 

Sabir

And that act basically aims to regulate companies that provide products like fitness trackers, wellness trackers, these kinds of things, because these things generally aren't subject to HIPAA. You know, Google, for example: Google Fit and Fitbit. Google is not a healthcare provider. So those things, those products that it has, don't fall under HIPAA. So My Health, My Data basically is an attempt to bridge that gap and bring those things into the regulatory scope. There's two things I want to point out with that law. The first is that that law does not have any exemptions for small businesses. You have to comply with that law no matter how big or how small you are. The second thing is that the state of Washington has done something very clever here. The law applies to companies that potentially have no ties to the state of Washington and have users that have no ties to the state of Washington. And the way they did that is they made it applicable by using language that basically said, if you have users whose data is processed in the state of Washington, then this law applies to you. Now, if you think about it, who are the world's two biggest cloud providers?

 

Sabir

Amazon and Microsoft. Where are those two companies located? State of Washington. Now, yeah, they have data centers all over, but they have a lot of technical operations in the state of Washington. And if it can be argued that those operations are a form of processing that data no matter which data center it's in, then that's a problem for companies that may not think themselves covered by that law. That's kind of a long-winded way to say that states and regulatory authorities are thinking of clever ways to enact sector-specific laws that apply to the particular peculiarities of a particular field or type of data. In fintech, for example, there are a number of federal laws that apply, and there are efforts by very economically significant states like California and New York to strengthen the regulation or fill gaps in federal regulation. AI is one big area that introduces a lot of new issues with respect to privacy. There's potentially all sorts of things in unstructured data that's included in training data sets. And so if you're using an AI model and you're training that AI model, then you need to think about what is in that training data.

 

Lance

And it sounds like this is a really rapidly evolving area. So if you're in some niche and think that your company isn't covered by the existing rules, or at least not by any of these particular specialty, vertical-specific rules, that's probably something that people need to be looking at and reality-checking every year, every six months. How often should people be kind of looking at this, calling up their lawyer to see whether they're still in kind of a safe haven scenario or whether the situation has changed under them?

 

Sabir

I think that since I'm the lawyer, I'll also talk about what the burden on the lawyer should be. And you know, this can perhaps inform companies' decisions on who they should hire as their attorney. A good privacy lawyer should be proactive and keep their clients up to date and informed on changes in the privacy laws, and should affirmatively reach out to clients and let them know that something has come into effect and that they need to make sure that they remain in compliance with it. With respect to how often companies should themselves take the initiative, I would say obviously it depends on your company's size. If you've grown to a point where you're on everybody's radar, then you need to have an in-house professional who stays on top of these things. And if you're on everybody's radar, chances are you can afford to do that because you have the revenue. If you're a startup, if you're just kind of in growth mode, I would say, and it depends on what industry, what sector you're in, but at a minimum, you should have an annual check of, okay, I know that I have to comply with these laws and these regulations.

 

Sabir

Let me undertake an analysis just to make sure that I'm still in compliance with those things, to make sure that there are no new regulations or laws that I need to comply with, to make sure that those laws haven't changed, that there are no amendments that have been passed that I need to stay in compliance with. And quite frankly, it's rare, but there are occasions where privacy laws will become less strict, where an amendment will make them less strict, where regulators or legislators will become aware that something that they've passed or enacted is a little bit overly onerous or not the right approach, and they'll change it later on in a way that's favorable to companies. So it's important to be aware of those things as well, so you can continue to streamline your operations and make it easier on yourself.

 

Lance

So you've made a fairly compelling case for engaging with an attorney. How much should, let's say we're looking at a very early stage startup, right? They're just finishing their MVP. They're trying to be conscious of building privacy into their systems. How much should they be anticipating spending on legal to get the privacy policy spun up and some of their internal policies to support that in place? What kind of cost ranges, typically?

 

Sabir

Yeah, that's a good point. And this is where I, having been an entrepreneur myself, can kind of speak to both sides. I know that for startups, cash is at a premium, particularly if they're seed stage, pre-seed stage, or pre-funding. So the first thought that they have is, how much is this going to cost me? What I would recommend there is to try to find an attorney who will work on a fixed-fee basis. And by fixed fee, I don't necessarily mean that you want the attorney to give you a bunch of work for free. Fixed fee meaning, okay, how can we arrange something whereby you track this stuff on an ongoing basis for us so that we don't have to worry about it, and we pay you a fixed fee every month, every two months, every three months for that service. In terms of a dollar amount, what I would say is, what you should try to do if you're just starting out, right, if you're just getting ready for your launch, you're just getting ready for your open beta, you're just getting ready for even your closed beta:

 

Sabir

Try to knock three things out in one swoop: your terms of service, your privacy policy, and if you're an enterprise SaaS company, your enterprise SaaS agreement. Try to find an attorney who will handle all three of those things for you and charge a package-deal price, preferably on a fixed-fee basis. Depending on the nature of your business, I would allocate anywhere from 2,500 to 7,500 for that purpose. And that range can be based on, okay, what type of business do you have, what type of service, what type of product do you have, what markets are you trying to reach, those kinds of things.

 

Lance

Sure. But I mean, I think that's really helpful to give people some sort of ballpark because I think a lot of founders, when they hear that they're going to get lawyers involved, they're immediately beginning to think $50,000, $100,000. But that's a fairly modest amount of money to spend to sort of get your ducks in a row. And those things do come up in due diligence. I remember the first time I went into due diligence with my company. We'd been kind of relaxed about a lot of things. And I believe I spent two months of 100 hours work weeks back to back to back to back to get the company actually ready for, and through that due diligence process. And if I can spare anyone that pain, I really want to do that. In terms of people who are maybe really shoestring, are there any tools or resources or places where people can leverage existing boilerplates or content generators to do some parts of this until they're in a position to be able to afford even that few thousand dollars?

 

Sabir

As an attorney, I'm not one to say that you should never use online boilerplate tools. They have their place. So in a pinch, with the rise of sort of privacy regulation, there's a lot of online tools that will help you generate a privacy policy. You answer some questions about your business. You answer some questions about the types of data you handle. You answer some jurisdictional questions in terms of where you will operate and where your users will be based. And it auto-generates a privacy policy that you can use. So in a pinch, that might not be a terrible approach. If you simply do not have the budget to hire an attorney, then any one of those online privacy policy generators or online boilerplate generators might do the job for now. I do recommend that when you get funded and you are able to hire an outside attorney, you have that outside attorney review what you have in place to make sure that nothing has fallen through the cracks. But I think the online tools and auto-generators out there can be valuable and can provide a lot of value.

 

Sabir

If you're just starting out and you don't have a huge war chest, you haven't taken funding yet, you're bootstrapping, and you're limited in the amount of resources you can allocate.

 

Lance

I guess at some level, it's better than nothing, better than sort of...

 

Sabir

There's a company that I came across the other day, with which I have no affiliation, called Termageddon, I guess, that provides some sort of monthly privacy policy and compliance service, but I don't know much about it.

 

Lance

Interesting. That's a hilarious name. Are there any other things that you want to share, things that founders should be thinking about when they're considering sort of privacy specifically, or maybe even more generally, kind of getting their legal ducks in a row early on?

 

Sabir

There's one specific thing I would say regarding privacy policies, and that is you need to make sure your privacy policy is comprehensive. And there are two aspects to that. The first is kind of obvious, but the second is not so obvious. The first is just make sure that your privacy policy covers the bases in terms of what data you collect, how you use it, with whom you share it, anything you're required to include by whatever law or regulation; make sure it's all in there. The second thing that isn't so obvious, what I often see with my clients, is that they'll have a privacy policy, and that privacy policy may actually be pretty good, but they'll also have terms of service, terms of use, or whatever other document or agreement, and that document or agreement will contain privacy-related terms. And in some cases, those privacy-related terms or representations will conflict with the terms and representations that are in their privacy policy. So this may sound a bit counterintuitive, but it makes sense when you think about it. Your terms and conditions, your enterprise SaaS agreement, any other agreements or policies that you have that aren't your privacy policy should not contain any privacy-related terms.

 

Sabir

Only your privacy policy should contain the terms and conditions that apply to what data you collect, how you use it, and with whom you share it. That should be the go-to for your users in terms of how their data is handled, for what purpose it's used, and with whom it's shared. They should not have to look at any other document. What you could fall into is a situation where you have all these great terms in your privacy policy, and then you have terms that have ended up in your terms of service that conflict with your privacy policy. And so it's like, okay, what are you bound by?

 

Lance

Got it. Yeah. You want to have one source of truth, right? And no sort of...

 

Sabir

The second thing I would say is more general: you should look at any money that you have to spend on privacy compliance and privacy-related diligence as an investment rather than as purely a cost of doing business. Because the way that regulation and the law is evolving in this area is at a lightning speed. And we all know how slow, especially here in the United States, Congress and state legislatures can be in terms of reacting to problems. Keeping that in mind, things seem to be moving at a lightning pace. And so if you don't get on top of this early on, you'll experience problems down the line, and those problems will cost you money. And so spending money on privacy compliance, spending money on professionals who can advise you on that, is more of an investment than a cost of doing business. And I would say that for legal services in general, it's worth it to spend money on the front end so that you don't have to pay more on the back end.

 

Lance

Yeah, I've certainly experienced that. I think things like due diligence, not having this stuff in place, can kill your ability to raise investment, because you didn't get well-written employment agreements or intellectual property assignments or any of those contracts with vendors or customers. So many of those things can really bite you hard on the back end, but seem like they're kind of hand-wavable on the front, and we're just going to do things with a handshake. So if people wanted to find out more about your background or get in touch, what's the best way for people to reach out?

 

Sabir

My name is Sabir Ibrahim. That's S-A-B-I-R. I'm on all the major social media platforms, TikTok, Instagram. I regularly produce YouTube videos on subjects of interest that contain practical guidance and practical insights. So follow me or subscribe on YouTube. I'm also on Medium, and I publish articles on issues of interest to technology companies, startups, entrepreneurs. So holler at your boy, as they say. I don't know if...

 

Lance

Perfect. Well, I'll make sure we put up a card there to link to your YouTube channel. And down in the description I will have links to all of your socials, your Medium articles, and all of the other content. So anyone who wants to follow up or do a deeper dive can easily find you there. Thank you so much for coming on Feel the Boot. I really appreciate it, and I think this is going to be fantastic information for our viewers.

 

Lance

Thanks for watching this episode. I hope you found it useful and interesting, and if so, please do the usual: like, subscribe, and ring that notification bell. It's a huge help to us, and it makes sure you get more of this kind of content. Also, head over to subscribe to Boot Prints, which unlocks access to my free office hours. And I'll also put a link down in the description with information on all the different kinds of advising options that I provide. I love talking to founders, and I'm confident I can be a big help to you in making your startup grow. Till next time, ciao.

 

Lance Cottrell

I have my fingers in a great many pies. I am (in no particular order): Founder, Angel Investor, Startup Mentor/Advisor, Grape Farmer, Security Expert, Anonymity Guru, Cyber Plot Consultant, Lapsed Astrophysicist, Out of practice Martial Artist, Gamer, Wine Maker, Philanthropist, Volunteer, & Advocate for the Oxford Comma.

https://feeltheboot.com/About