Tech Products Toolkit: Part 2 - Privacy considerations before launching a new tech product

When developing a new tech product, compliance with privacy requirements should be considered from the outset. Privacy and data protection laws now exist in the majority of developed markets, many of them inspired by the EU’s General Data Protection Regulation (‘GDPR’). These laws impose detailed requirements applicable to personal data (similar to ‘personally identifiable information’ or ‘PII’ in the U.S.), including in many cases “data protection by design and default.” Breaching these laws can lead to heavy fines, up to €20 million or 4 percent of worldwide turnover under the GDPR, and significant adverse reputational consequences.

As a starting point, determine what personal data your product will use. The definition is wider than you might think. For example, the GDPR defines personal data as ‘any information relating to an identified or identifiable natural person’. It is not necessary to be able to link information to a name to meet this definition; any identifier is enough. This means that, amongst other things, all records of user interactions with your product, or profiles used to personalize user experience, will generally be caught.

Next, consider the privacy obligations applicable to that personal data. Three which are likely to be particularly important are:

  1. Transparency. A primary focus of privacy laws around the world is ensuring that users understand how and why their personal data is used. Many laws impose detailed lists of information which must be provided. One key means of complying with these requirements is via a privacy policy, presented to users when they sign up to the service and then kept where users can access it. However, if your product involves more intrusive types of processing, for example if you are using data in unexpected ways or collecting sensitive data, you may need to take additional steps to ensure users are aware of this or ask for their consent.

  2. Security. It is also critical that appropriate steps are taken to ensure that personal data is held securely and not misused. Many of the biggest fines and news stories are caused by security incidents leading to the loss or misuse of personal data, many of which are initiated by laws requiring organizations to notify regulators or affected individuals of the incident. Robust security measures, including staff training, are your best defense against this. Also note that security does not just mean keeping malicious third parties at bay (although this is an important part of it). It also means making sure your staff do not use personal data inappropriately, for example via access controls, contractual restrictions, and appropriate oversight.

  3. Accountability. Finally, ensure that user privacy is considered as part of product design and on an ongoing basis, and document this appropriately. One way of doing this is through a ‘privacy impact assessment.’ Some laws require this for higher risk processing, but it will in any case help ensure you have identified and appropriately dealt with all relevant privacy concerns, and allow you to demonstrate you have done so if challenged. In addition to transparency and security, this assessment should focus on other relevant requirements under applicable laws, for example user rights, fairness and lawfulness, data minimization, purpose limitation, data accuracy, retention periods, automated decision-making, cookies, direct marketing, and data sharing, and should document how you have met these requirements.

Following these steps can help ensure you build privacy into your product, helping to develop customer trust, and keep the regulators and shareholders happy.

This article is part 2 of a series of articles which examine the development considerations and the legal challenges that companies should consider when creating and launching a new technology product. We will take a detailed look at key issues impacting companies bringing innovative products to market and explore the specific factors that should be considered before product launch, including accessibility, product liability, privacy and data protection, product safety, supply chain, antitrust, and intellectual property.

Authored by Bret Cohen, Nicola Fulford, Nick Westbrook.


This website is operated by Hogan Lovells International LLP, whose registered office is at Atlantic House, Holborn Viaduct, London, EC1A 2FG. For further details of Hogan Lovells International LLP and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2024 Hogan Lovells.
