I care about my privacy. I’m one of those folks who read the privacy policy and head to the settings page right after I sign-up to double-check what features and data the tools, apps, and websites I use are accessing.

This quote by Duo’s Dug Song is a perfect starting point for thinking about user privacy and security.

“There are basically three areas that folks should start considering how to bucket those risks. The first is corporate risk in defending your users and applications they access. The second is application security and product risk. A third area is is around production, security and making sure that the operation of your security program is something that keeps up with that risk. And then a fourth — a new and emerging space — is trust, and not just privacy, but also safety.” – Dug Song

One of the hardest things to approach when developing software is having clear definitions of what data you need to collect and figuring out how to responsibly manage and discard this data after it serves the intended purpose and just that purpose. It’s real easy to say “yea just collect all that, we might need it for something.”

Founders! Frantically care about privacy!

I’d like this piece to be both an exploration of how you should think about your startup’s data privacy.

The foundation of good data privacy is to say precisely what you’re doing with a user’s data**and then doing what you say**. It doesn’t matter what you say in your privacy policy if you aren’t taking the steps needed to ensure it.

Empathizing with the fact that you’re dealing with another persons’ information, and understanding, it’s your responsibility to do the right thing by them even when they aren’t looking is how you should always see it.

The most important thing to understand is that you’re dealing with a user’s data, their data! Not yours.

You can use it to provide a service that the user opts into for, but besides that, you don’t and shouldn’t have the right to do anything without a user’s explicit permission. It is also not in good faith to bury clauses into your terms of service and privacy policy and hope that a majority of your users won’t notice or won’t care about it.

Now I fully know some clauses exist to limit liability and allow for things like the sale of a company and promotional advertising. Some of these things (within specific contexts) are simply necessary to stay competitive. These open clauses have unfortunately become the de facto standard across startups, and while no sensible lawyer would recommend that you get rid of them, all these legalese also let you stretch the way you use personal data in many ways.

It’s time to lead by example, and it’ll work in your favor. When the industry leaders and startups alike have attracted a bad rep for being ruthlessly profit-hungry and willing to sell anything to keep the line moving up and to the left, we, the new founders, should be the change.

In my opinion, that’s pretty simple; build solutions that create value in themselves. Then charge your users a fair dollar amount for your services. Don’t even dip your toes in the murky waters, hoping to bait people with freemium and sell their data out the other end. It’s just bad business. You’re better off taking a stand and doing things differently.

If you’re always worried thinking about security and protecting the privacy of everyone using your product, then I think you’re doing it right. If you don’t genuinely care about it, it’ll rarely get prioritized.