They say that sex sells but in today’s market, it is data that can really land you the big bucks. Whether you are simply collecting email addresses to build a database of loyal customers or on-selling the information you accumulate, data plays a huge role in the lifecycle of nearly all startups.

The sheer volume of data collected from consumers on a day-to-day basis has exploded over recent decades. It is unsurprising, then, that privacy concerns have grown almost as fast.

As a startup owner, what should you be doing about it? We’ve put together a back-to-basics guide to assessing your business’s data use.

1. Define The Data

Like many aspects of your business, taking a big first step sometimes requires a few steps step backwards. Take a moment to consider the bigger picture.

At which points along your startup’s customer experience chain might you find yourself in possession of customer data?

Most businesses these days will find themselves doing one or more of the following:

• Requiring a name and an email address for customers to access a website
• Collecting credit card details for purchases; or
• Collecting home addresses for deliveries.

Examples like this may seem obvious but the more complicated your business model, the more unusual your data collection may be. You may find that you are retrieving and storing a customer’s location, accessing other data stored on their phone, such as photos and notes, or even tracking what they buy at the grocery store each week.

It is important to work out exactly what data you might find in your hands – or indeed, what data you would like to find in your hands – before you can work out how best to handle it.

2. Make The Big Decisions

Once you know what customer data you are likely to need, it is time to decide how you are going to handle it.

You might, for example, find that you want to use the data to create a dynamic and customised consumer experience. This could involve making a decision about whether the data stays with your business or is passed on to third parties.

Alternatively (or additionally), you may wish to use the data to secure a loyal fan base and market new products and services. In this case, you may consider:

• Do you want to be able to directly contact your customers?
• What sorts of things would you like to contact them about? Just your own goods and services, or those of other businesses or causes too?
• How would you like to contact them? Call, text, and/or email?

Perhaps you are particularly savvy and looking to sell the information you collect for the purposes of targeted third party advertising.

It is important to remember that the issue is not only to decide how you plan to use this data but also how you plan to store it. How will you secure it? Will you anonymize it? Will you be making multiple copies of the data? Will owners of the data be able to erase it from your system? If so, how?

Of course, these are only a few suggestions to get you thinking. The only limitation on how you might use customer data for your business is your imagination … or is it?

3. Work Out The Details

Here comes the bad news: now that you have decided how you would like to use and store the data you collect, it is time to work out whether you are allowed to or whether legal restrictions apply.

This is a two-step process.

STEP ONE

The first step is to work out if any laws prevent you from handling customer data in the way you would like.

Two key pieces of legislation will likely apply to you and your business: the Privacy Act 1988 and the Spam Act 2003. Now, there is no need to spend days trawling through these laws but it is important to do some research to find out what you can and cannot do with the data you collect.

Spam Act: To give you a general idea, the Spam Act prevents businesses from sending unsolicited commercial electronic messages – do not assume that you can get around it!

The law determines if a message is ‘commercial’ from the content of the message generally as well as the way the message is presented. In other words, even though you are not advertising your goods or services explicitly, the email you just sent to your list of subscribers (for example, with the aim of testing the market or gauging a prospective customer’s interest) may be considered spam if they were not aware that you would use their email address for that purpose.

These kinds of messages are considered commercial because they seek to establish a commercial relationship. You need to gain consent through other means, such as a letter, a phone call or a face-to-face conversation.

Take home point: Never send an electronic message to a group or an individual if they have not consented to receive it.

Privacy Act 1988: The Privacy Act will govern most of your data activities, particularly, the Australian Privacy Principles (APPs). Although these principles will only govern businesses of an annual turnover of over $3 million, it is best practice to make sure your venture complies regardless.

The APPs cover:

• What to include in your privacy policy (see step 4)
• What to do with data you receive that you asked for … and data you receive that you did not ask for!
• Management systems that must be in place to deal with data-related complaints
• How you can use and disclose data in Australia and overseas
• Expectations around keeping data secure

STEP TWO

Once you know the legal do’s and don’t’s, the next step is to decide whether you have the resources to comply with relevant laws.

If you do not think your business model will cope with the pressure of these restrictions, it is better to reassess now before you go any further.

It is also a good idea to think about whether your data collection is really the best way to foster a positive relationship with your customers, even if you are complying with all your legal obligations.

Take, for example, the recent media frenzy over the alleged privacy invasion by Niantic in their PokemonGO app. It was widely reported that an error in the app required users to give full access to their Google accounts in order to use the app, a permission that it seemed went far beyond the scope of what was reasonably required for the purposes of the app. Though Niantic has now indicated that no data of this kind was collected despite initial reports, the case provides a perfect instance of the potentially damaging effects of dubious data collection on your relationship with your customers.

Ultimately, the more complicated your business, the harder it will be to navigate the rules and restrictions that surround data protection and the more likely it is that you will need to get these details from a lawyer to avoid getting into hot water down the track.

4. Disclose, Disclose, Disclose

After you have sorted through the details, work out what your customers need to know in order for you to store, use or sell their data as planned, and how you are going to tell them.

Enter the Privacy Policy.

Usually tucked neatly away in the “legals” section of a website, the Privacy Policy is your opportunity to tell your customers everything you have worked out in steps 1 and 2 (above), and will be guided by the rules and restrictions you have uncovered in step 3 (above).

In more technical terms, the privacy policy it is a contract between you and your customers. They can either agree to your policy and continue to engage with the business, or they can walk away before their data is captured. The contents of a Privacy Policy will often vary widely in order to accommodate different business models and concepts.

The APPs provide some guidance in Part 1.4, noting that a Privacy Policy must contain the following:

• how you collect and hold personal information
• the kinds of personal information that you collect and hold

• the purposes for which you collect, hold, use and disclose personal information
• how an individual may access personal information about the individual that is held by you and seek the correction of such information
• how an individual may complain about a breach of the APPs, or a registered APP code (if any) that binds you, and how you will deal with such a complaint
• whether you are likely to disclose personal information to overseas recipients
• if you are likely to disclose personal information to overseas recipients—the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.

In this context, ‘personal information’ means data about an identified individual or a person who is reasonably identifiable.

As a general rule, personal information should not be collected unless it is reasonably necessary for one or more of your business’s functions or activities. The APPs may seem overwhelming at first, but give them a go – there is no better way to learn about how to correctly handle your business’s data collection than to go straight to the source.

A word of warning: It can be tempting to find a similar business and copy their Privacy Policy for your own use.

This is a breach of copyright law, and you may find yourself jumping out of the frying-pan and into the fire if you do it. If you are struggling to put together your own policy, consult a lawyer. Alternatively, if you do not have the funds to seek professional advice and you’re not sure what to do, the best policy is often to disclose, disclose, disclose!

If nothing else, this fosters a positive relationship between you and your customers, indirectly building consumer confidence in your brand and business.

5. Do

It is easy to throw together your Privacy Policy and to sketch out the various data storage and usage procedures, and then to think your job is over. While we might wish this were the case, unfortunately, the reality is a little more complicated.

Buckle up, because here comes one of the toughest parts in handling customer data: making sure you comply with any restrictions you have discovered in the detailing stage and making sure you actually do what you promise in your Privacy Policy.

Don’t be too disheartened. Data collection can offer you infinite opportunities to better market, sell, expand, and diversify your business – just make sure you do it right!

At the end of the day, remember that data collection is as easy as define, decide, detail, disclose, do!

Further Information

For more information and resources to help you understand what rules and restrictions may apply to your business:

• Australian Privacy Principles
• Guide to developing an APP Privacy Policy
• ACMA: Ensuring you don’t spam
• ACMA: Overview of the Spam Act 200 for business 

When was the last time you considered the potential legal and privacy implications of customer data retention for your startup? Let us know in the comments!

Like your stomach is yanked through your mouth while all the oxygen is simultaneously sucked from the room. You feel overwhelmed, helpless and foolish for making one of the classic blunders and trusting the wrong person with your information.

It may have happened in the workplace where a colleague passes off one of your ideas as their own to beat you to a promotion. It may have occurred in a confidential environment, such as a job interview, where an original idea shared to establish your credibility, originality and employability, is misused to that employer’s personal benefit. Worst of all, your idea for a new entrepreneurial or business venture may be stolen by a competitor. This can happen either through information you share directly with that person before launching, or through copycat behaviour once your business is established.

Both scenarios can have a serious negative impact on your personal wellbeing and that of your business.  At the end of the day, nobody enjoys sitting in a reflective mood humming a sad rendition of Sufjan Stevens’ “Should Have Known Better.” 

When someone steals your business idea, you have a few options:

1) take the higher ground and do nothing; or

2) learn from what a lawyer in your position would do and find a mechanism to protect yourself and your business the right way.

A Long History of Idea Thieves 

As human beings, we are hard-wired to share. We love to spread word of our achievements and success.

In the case of an exciting new business or entrepreneurial venture, our propensity to share a new idea can often mean taking a risk and revealing sensitive information.

This split-second decision to exercise trust over caution has defined the careers of many experienced business owners and entrepreneurs. Some of the most famous business ideas in history, for example, were ripped off from someone else. Think Facebook, Twitter, Hulu and Paypal.

These successful enterprises were built on the back of someone else’s idea.

In Australia, a few options are available to you if someone rips off your business idea.

Working Smart: Is It Legally Possible To Protect A Business Idea?

When someone uses your business idea without your permission, your chosen course of action will depend on your specific circumstances and the outcome you seek.

In Australia, protecting an idea under Copyright laws is extremely difficult.

Jamie White, Solicitor Director & Owner of Pod Legal, explains:

It is very difficult to protect a business idea or concept in Australia. Copyright law most certainly won’t protect an idea itself, it will only protect an expression of an idea.

For example, if you have an idea for a new home delivery service, then copyright would only protect your written documents, diagrams or manuals relating to, or describing, the idea.

In some circumstances, a patent may be granted for business methods, processes or products. However, minimum thresholds must be met in terms of inventiveness and innovativeness.”

This means that if someone acts on information that you express to them during a casual conversation, there is very little you can do to protect that original idea, or prevent that person from acting on your information and launching a competing business.

Taking On The Big Bad Fox: What Are Your Legal Rights If Someone Uses Your Business Idea Without Your Permission?

An understanding of your basic rights puts you in a solid position to protect yourself against opportunistic idea thieves.

If you’re not careful, people with their eyes and ears open to fresh opportunities can easily shoot your business out of the water before you even start.

If you have an idea for a business you have not yet launched, or an idea for a new project for your existing venture, plan a watertight strategy to protect yourself and your business from imitators.

When it comes to protecting your business ideas in Australia:

It is very difficult to prevent a person from using or copying your business idea.

Therefore, it is very important to ensure that a good strategy is implemented when launching a new business idea. For example, it may be very useful to keep plans around the new business idea confidential until such time that the idea is launched. This may be achieved via the use of confidentiality agreements and can increase the lead time before any imitators launch their offerings. Also, a strong distinctive brand name for a new offering can be of big benefit, ensuring that consumers are aware of the source of a new product or service and it is not confused with any imitators.

Finally, hitting the ground running with a new idea – this can assist to ensure that you enjoy exclusivity for a longer period of time” explains Jamie White.

Trust No One: What If Your Business Idea Is Communicated In A Confidential Environment? 

In certain situations, it is easy to be lulled into a false sense of security about the level of detail you share about your business ideas.

In environments such as employment interviews, nerves are rife. One targeted question from the selection panel about your past experience, interests or hobbies can easily send you down the path of no return. In this situation, you may unknowingly reveal confidential details about your business venture to impress a potential employer, to demonstrate your ambition and creative vision or to highlight your overall employability.

If someone from your interview panel subsequently makes unauthorised use of this information without your permission:

Action may be taken for breach of confidentiality in these circumstances.

It is always best if the obligation of confidentiality is documented by way of written agreement, as this will assist a court to determine what the confidential information actually comprises of and for what purpose the confidential information was disclosed” says Jamie White.

With Experience Comes Wisdom: What Strategies Are Available To You To Protect Your Business Ideas In The Future?

In the business and startup world, trusting others with information about your business ideas, business model, marketing strategy or business plans, can be a poisoned chalice.

Always be conscious that your competitors may be listening.

If you must share your business ideas with a third party, wherever possible, use a confidentiality agreement (also known as a non-disclosure agreement). This legal contract protects your information and acts as a deterrent against someone disclosing, or acting on, your information without your permission.

In the eyes of the law, confidentiality agreements put matters beyond doubt as to who has breached a legal obligation. This makes it much easier for a court to determine what has been agreed, to what extent someone has breached that agreement and, therefore, what remedies you are entitled to.

O-Rule: Only reveal sensitive information to others, including friends, family and those working within your organisation, on a need to know basis.

What Outcome Or Remedy Can You Expect?

Without written evidence of a breach of confidence, it is difficult to prove that someone has breached an obligation to you.

It would be up to a court to determine whether there has been a breach of an obligation to maintain confidence in relation to your business idea, and whether you should be awarded a remedy. Without documentation to support your claims, litigation can be drawn out, costly and rapidly devolve into a ‘he said she said’ scenario.

If you lose your case, you are responsible not only for paying your own legal fees, but also the legal fees of the person you are bringing an action against.

For small business owners, this option is often unfeasible.

Prepare your business strategy early to avoid nasty surprises.

Always ensure your business ideas are protected with a confidentiality agreement. This way, if someone breaches an obligation to maintain that confidence, you will be in a sound position to prove this in a clearly documented agreement.

Jamie White says:

“In the event that a person threatens or actually breaches an obligation to maintain confidence with respect to a new business idea (or anything else), then remedies may include injunctions and damages.”

Conclusion

While people are biologically pre-programmed to share new ideas and information, we are also predisposed towards opportunistic behaviour, particularly in the business world.

In the right circumstances, everyone (even lawyers) can be drawn in and manipulated into making a decision, or taking action, that is against their better judgement. When it comes to sharing a good idea with others, the best defence is a good offence.

Always exercise hyper-vigilance in your dealings with others and, wherever possible, use confidentiality agreements when you must share sensitive information.

Work smart and take the fight to your competitors the right way by preventing a potential legal conflict before it arises.

Have you had a similar experience in the startup or business world? What did you do about it? Let us know in the comments section below!

Further Information

To get in touch with a legal professional specialising in intellectual property, social media law or technology law, contact:

• Pod Legal (VIC, QLD)
• Phone: 1800 POD LEGAL (1800 763 534)

For more information about patents, contact:

• IP Australia