They say that sex sells but in today’s market, it is data that can really land you the big bucks. Whether you are simply collecting email addresses to build a database of loyal customers or on-selling the information you accumulate, data plays a huge role in the lifecycle of nearly all startups.

The sheer volume of data collected from consumers on a day-to-day basis has exploded over recent decades. It is unsurprising, then, that privacy concerns have grown almost as fast.

As a startup owner, what should you be doing about it? We’ve put together a back-to-basics guide to assessing your business’s data use.

1. Define The Data

Like many aspects of your business, taking a big first step sometimes requires a few steps step backwards. Take a moment to consider the bigger picture.

At which points along your startup’s customer experience chain might you find yourself in possession of customer data?

Most businesses these days will find themselves doing one or more of the following:

• Requiring a name and an email address for customers to access a website
• Collecting credit card details for purchases; or
• Collecting home addresses for deliveries.

Examples like this may seem obvious but the more complicated your business model, the more unusual your data collection may be. You may find that you are retrieving and storing a customer’s location, accessing other data stored on their phone, such as photos and notes, or even tracking what they buy at the grocery store each week.

It is important to work out exactly what data you might find in your hands – or indeed, what data you would like to find in your hands – before you can work out how best to handle it.

2. Make The Big Decisions

Once you know what customer data you are likely to need, it is time to decide how you are going to handle it.

You might, for example, find that you want to use the data to create a dynamic and customised consumer experience. This could involve making a decision about whether the data stays with your business or is passed on to third parties.

Alternatively (or additionally), you may wish to use the data to secure a loyal fan base and market new products and services. In this case, you may consider:

• Do you want to be able to directly contact your customers?
• What sorts of things would you like to contact them about? Just your own goods and services, or those of other businesses or causes too?
• How would you like to contact them? Call, text, and/or email?

Perhaps you are particularly savvy and looking to sell the information you collect for the purposes of targeted third party advertising.

It is important to remember that the issue is not only to decide how you plan to use this data but also how you plan to store it. How will you secure it? Will you anonymize it? Will you be making multiple copies of the data? Will owners of the data be able to erase it from your system? If so, how?

Of course, these are only a few suggestions to get you thinking. The only limitation on how you might use customer data for your business is your imagination … or is it?

3. Work Out The Details

Here comes the bad news: now that you have decided how you would like to use and store the data you collect, it is time to work out whether you are allowed to or whether legal restrictions apply.

This is a two-step process.

STEP ONE

The first step is to work out if any laws prevent you from handling customer data in the way you would like.

Two key pieces of legislation will likely apply to you and your business: the Privacy Act 1988 and the Spam Act 2003. Now, there is no need to spend days trawling through these laws but it is important to do some research to find out what you can and cannot do with the data you collect.

Spam Act: To give you a general idea, the Spam Act prevents businesses from sending unsolicited commercial electronic messages – do not assume that you can get around it!

The law determines if a message is ‘commercial’ from the content of the message generally as well as the way the message is presented. In other words, even though you are not advertising your goods or services explicitly, the email you just sent to your list of subscribers (for example, with the aim of testing the market or gauging a prospective customer’s interest) may be considered spam if they were not aware that you would use their email address for that purpose.

These kinds of messages are considered commercial because they seek to establish a commercial relationship. You need to gain consent through other means, such as a letter, a phone call or a face-to-face conversation.

Take home point: Never send an electronic message to a group or an individual if they have not consented to receive it.

Privacy Act 1988: The Privacy Act will govern most of your data activities, particularly, the Australian Privacy Principles (APPs). Although these principles will only govern businesses of an annual turnover of over $3 million, it is best practice to make sure your venture complies regardless.

The APPs cover:

• What to include in your privacy policy (see step 4)
• What to do with data you receive that you asked for … and data you receive that you did not ask for!
• Management systems that must be in place to deal with data-related complaints
• How you can use and disclose data in Australia and overseas
• Expectations around keeping data secure

STEP TWO

Once you know the legal do’s and don’t’s, the next step is to decide whether you have the resources to comply with relevant laws.

If you do not think your business model will cope with the pressure of these restrictions, it is better to reassess now before you go any further.

It is also a good idea to think about whether your data collection is really the best way to foster a positive relationship with your customers, even if you are complying with all your legal obligations.

Take, for example, the recent media frenzy over the alleged privacy invasion by Niantic in their PokemonGO app. It was widely reported that an error in the app required users to give full access to their Google accounts in order to use the app, a permission that it seemed went far beyond the scope of what was reasonably required for the purposes of the app. Though Niantic has now indicated that no data of this kind was collected despite initial reports, the case provides a perfect instance of the potentially damaging effects of dubious data collection on your relationship with your customers.

Ultimately, the more complicated your business, the harder it will be to navigate the rules and restrictions that surround data protection and the more likely it is that you will need to get these details from a lawyer to avoid getting into hot water down the track.

4. Disclose, Disclose, Disclose

After you have sorted through the details, work out what your customers need to know in order for you to store, use or sell their data as planned, and how you are going to tell them.

Enter the Privacy Policy.

Usually tucked neatly away in the “legals” section of a website, the Privacy Policy is your opportunity to tell your customers everything you have worked out in steps 1 and 2 (above), and will be guided by the rules and restrictions you have uncovered in step 3 (above).

In more technical terms, the privacy policy it is a contract between you and your customers. They can either agree to your policy and continue to engage with the business, or they can walk away before their data is captured. The contents of a Privacy Policy will often vary widely in order to accommodate different business models and concepts.

The APPs provide some guidance in Part 1.4, noting that a Privacy Policy must contain the following:

• how you collect and hold personal information
• the kinds of personal information that you collect and hold

• the purposes for which you collect, hold, use and disclose personal information
• how an individual may access personal information about the individual that is held by you and seek the correction of such information
• how an individual may complain about a breach of the APPs, or a registered APP code (if any) that binds you, and how you will deal with such a complaint
• whether you are likely to disclose personal information to overseas recipients
• if you are likely to disclose personal information to overseas recipients—the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.

In this context, ‘personal information’ means data about an identified individual or a person who is reasonably identifiable.

As a general rule, personal information should not be collected unless it is reasonably necessary for one or more of your business’s functions or activities. The APPs may seem overwhelming at first, but give them a go – there is no better way to learn about how to correctly handle your business’s data collection than to go straight to the source.

A word of warning: It can be tempting to find a similar business and copy their Privacy Policy for your own use.

This is a breach of copyright law, and you may find yourself jumping out of the frying-pan and into the fire if you do it. If you are struggling to put together your own policy, consult a lawyer. Alternatively, if you do not have the funds to seek professional advice and you’re not sure what to do, the best policy is often to disclose, disclose, disclose!

If nothing else, this fosters a positive relationship between you and your customers, indirectly building consumer confidence in your brand and business.

5. Do

It is easy to throw together your Privacy Policy and to sketch out the various data storage and usage procedures, and then to think your job is over. While we might wish this were the case, unfortunately, the reality is a little more complicated.

Buckle up, because here comes one of the toughest parts in handling customer data: making sure you comply with any restrictions you have discovered in the detailing stage and making sure you actually do what you promise in your Privacy Policy.

Don’t be too disheartened. Data collection can offer you infinite opportunities to better market, sell, expand, and diversify your business – just make sure you do it right!

At the end of the day, remember that data collection is as easy as define, decide, detail, disclose, do!

Further Information

For more information and resources to help you understand what rules and restrictions may apply to your business:

• Australian Privacy Principles
• Guide to developing an APP Privacy Policy
• ACMA: Ensuring you don’t spam
• ACMA: Overview of the Spam Act 200 for business 

When was the last time you considered the potential legal and privacy implications of customer data retention for your startup? Let us know in the comments!