OneTrust_Square Banner_300x250_DD_ROS_01_19

What career could possibly be more exciting than serving as a privacy lawyer for tech start-up companies? This is a question I asked myself a few years back, right after I finished clerking for a couple of terrific federal judges and right as I was considering starting the privacy practice I had envisioned as a law student sitting in Prof. Fred Cate’s classes at the Indiana University Maurer School of Law several years earlier. At that time, my answer was a confident “probably none.” I would, after all, get to work with smart and motivated “big idea” people to make their dream ventures become realities, and what’s more, I would have the challenge of tackling cutting-edge privacy issues because tech start-ups would be on the forefront of technology and data-use practices.

Today, after working with numerous start-ups—from wearables software developers to children’s app designers to second-hand clothing, travel, social, real estate, employment, horse racing, mentoring, accounting and other websites and apps—I can tell you that I was correct that being a privacy lawyer for tech start-ups is an extraordinarily exciting career. But about the major challenges of the job, I have to admit I was flat wrong. The real challenge in advising tech start-ups on privacy is not usually the intricacy of the legal issues or the technology involved; it is the fact that start-ups, at least seed-stage start-ups, almost always have no budget for privacy. 

Make no mistake: Start-ups face serious privacy issues. They want to collect and use personally identifiable information (PII). They want to be global. They often need to accept some form of payment from consumers. They may plan to obtain personal information from children, possibly even unwittingly through a device-identifier or screen name and password combination. And sometimes, they do need their attorney to walk them through those issues and help them comply with the applicable laws and regulations. But, often, rather than helping start-ups tackle the privacy issues surrounding these practices directly, e.g., those imposed by PCI DSS, COPPA, HIPAA, etc., their privacy lawyer’s job can be the opposite. How, I regularly find myself asking, can I help my client side-step a privacy issue?

Time and again I return to two answers: avoid or outsource.

First Option: Change the Proposed Business Practice To Avoid Major Privacy Issues.

The first way a privacy lawyer can help start-ups avoid expensive privacy law requirements is to consider ways in which the piece of business plan that would require significant privacy work can be delayed or avoided altogether. For example, it may be that a start-up wants to collect information from EU residents when it launches its app. But maybe, instead, an EU launch could wait until after the app has had some success in the domestic marketplace. Why go to the expense upfront when the company has little or no money if an EU expansion might be postponed until the next round of capital is raised and the company has worked out any kinks in its platform? 

Or take another example. Rather than collecting personal information from children under the age of 13, a start-up might consider whether it can achieve its goal without all of the notice, consent and security issues required by COPPA by obtaining the same information directly from the parent rather than from the child—COPPA only applies, after all, to information collected “from children." In that case, it is not just the cost for the legal work or additional privacy or security restraints; there is also the issue of deterring use of the app by forcing parents to jump through a number of hoops—such as enter a credit card or make a phone call or fill out a form—that might prevent the start-up from ever gaining a large user base, which more than likely is one of its goals.

Let me be clear; I am not suggesting that an attorney should counsel a start-up to change its core business model—though, in some cases, say, where the law prohibits that business model, the lawyer should do exactly that. What I am suggesting instead is that the lawyer and his or her start-up client should think creatively about how to accomplish the client’s business goals when faced with privacy requirements that pose crippling financial burdens. A lawyer’s role is to identify the company’s obligations and offer advice, including advice on possibly less expensive alternatives. Ultimately, it is the client’s decision, and consideration of the compliance obstacles becomes one factor for the client to consider in making an informed decision.

Second Option: Hire a Third Party To Tackle What the Start-Up Can’t Handle

The second way a privacy lawyer can often help a start-up avoid expensive privacy law requirements is to advise it to engage a third party that has the proper controls already in place to collect and process the data on the start-up’s behalf. The problem with this option is that, invariably, third parties don’t want to bear any risk or individually negotiate the terms of their agreements. And, under the applicable laws, the start-up is in many cases still the information owner and responsible for the data should something go wrong. This means that a privacy lawyer for a start-up must often advise that vendor contracts are risky ones while recognizing that, in reality, his or her client may have little choice but to execute the agreement if it wants the service and can’t reasonably do the work in-house.

What a privacy lawyer also can and should do is advise his or her client to engage a top-notch vendor that has a reputation for taking privacy and security seriously. If a start-up carries a disastrous level of risk if one of its vendors makes a mistake—and it usually does, because it is next to impossible to negotiate that risk away—it should at least work with a vendor that is less likely to make a major mistake. The ideal vendor is one that has a great reputation and whose reputation will be on the line in the event of a data security incident. That way, the vendor will have an incentive to take extra care of the data and to notify the start-up right away if there is an incident, both of which are provisions a start-up would want in its vendor contracts, if it could get them. 

So when your client comes to you to review a vendor agreement—say, for payment processing or cloud-hosting or background checks—and the price is right, you can help your client by taking some time to investigate the vendor for any red flags or at least advising your client that it should do some due diligence of its own. That really inexpensive credit card processing agency located in China is not the great idea it may first appear to your client to be; nor, usually, is the background check service that just launched three months ago and might be out of business in the next three.

At the end of the day, your goal as a privacy lawyer for start-ups is no different than it always is: Learn your client’s business so you can give it the best advice possible.

But start-ups almost invariably have no budget for privacy. Your advice, while perhaps the same as it would be for other clients in terms of your legal recommendations, should therefore be more solution-oriented. You should automatically start thinking about creative ways to address what might be insurmountable privacy obstacles.  Can we achieve Goal A without having to do B, C and D legal requirements? Can we outsource B, C and D to a vendor that can do it better and less expensively than we can perform the work in-house? 

If you do this now, your clients will thank you. And next year, when they have more funding and are tackling major privacy law challenges head-on, they will look to you to help them.

Written By

Matthew Lawless, CIPM, CIPP/US


If you want to comment on this post, you need to login.

  • Alex Mar 30, 2015

    You're absolutely right that a few smart choices in terms of where to operate, and what vendors to use can avoid many issues of compliance.  Another option that comes to mind is to incorporate "privacy by design."  Designing software with privacy in mind throughout the development process can help a company not only be compliant in the present, but also stay ahead of inevitable regulatory increases in the future.  This doesn't have to be a costly process for a small company of a few people, but merely being aware puts them way ahead of many.
  • Virginia Apr 1, 2015

    Definitely share your passion for helping start ups, particularly in ed tech where there are so many new laws, lots of very small innovators, and where privacy by design is very much in demand.  For some, another option is flexible packaging of legal and implementation services so they can decide how best to deploy the resources they have against customer needs and market risks.
  • Matthew Apr 3, 2015

    Alex and Virginia: thanks for the great comments.  "Privacy by design" is definitely where things are headed.  One challenge I've had with that has been catching a client early enough in the development process to take advantage of the full range of PbD principles.  Usually, the conversations center around things like using privacy as the default, and making sure data is encrypted or otherwise protected at every stage, rather than any real deep-level design changes.  But great thoughts.  Please feel free to reach out on LinkedIn, etc.  I would be happy to connect.
  • Julie May 6, 2015

    Great thoughts, Matthew, and I agree it is difficult to catch the designers in the early design process for PbD.  I think education of the dev community is the key, so they might actually allow us to join the project team at the outset.  We can always hope!


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

IAPP-OneTrust Website Scanning & Cookie Compliance Tool

Scan your website for cookies, tags, forms and policies and create a custom, dynamically updated cookie policy based on the results of your scans.

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

More Resources »

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds and unparalleled programs—plus a whole new spin on Active Learning!

Canada Privacy Symposium 2017

The Symposium returns to Toronto! Take advantage of Early Bird rates before March 31 and join your fellow privacy pros for a stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum is SOLD OUT and the wait list is closed. If you got on the wait list, we'll keep in touch about your status. Good luck!

Asia Privacy Forum 2017

Join us in Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region.

Privacy. Security. Risk. 2017

We're bringing the best of the best in privacy and infosecurity to sunny San Diego. Early registration for P.S.R. opens in May.

Europe Data Protection Congress 2017

Your source for European policy debate, multi-level strategic thinking and thought-provoking discussion. Registration opens in early June.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»