Privacy & Data Security – Best Practices

by Posted on

cautionAs published in the Winter 2018 issue of Artisan Spirit.

Making spirits is an ancient craft. But today’s distillers live in the age of information, giving them opportunities to connect with consumers all over the world in new and exciting ways. While it used to be a novel occurrence to find an exotic bottle from a faraway location, globalization and the rise of the internet give consumers the ability to explore new flavor profiles from around the world with a few clicks of the mouse. This provides the intrepid distiller the ability to attract fans to her brand from far and wide. A necessary aspect of this opportunity is the collection of consumer data. This is no easy task, but following best practices to ensure the appropriate collection, handling and protection of consumer data will help her avoid possible fines, lawsuits and harm to her brand’s reputation.

Web Sites

One of the main sources of consumer data is a website, a necessary component of the business plan of our heroine (let’s call her MayBelle — that has a nice ring to it) as she tries to launch her brand in the market beyond the boundaries of her hometown. The malleability of websites and multitudes of forms that they can take provide a great forum for MayBelle to communicate information about her brand’s unique identity. But while some websites stop there and encourage consumers to make their way to their local tasting room, MayBelle wants to use her brand’s website to establish deeper connections to her consumers, such as emailing lists, merchandise sales and even the fulfillment of product orders (if legally permitted — MayBelle is reasonably risk averse). Each of these activities will require some level of data collection. And any level of data collection, even as simple as just compiling email addresses, should be accompanied by a privacy policy.

The intention behind a privacy policy is to communicate to consumers how a company will use and protect the personally identifiable information that they provide through the company’s website. A privacy policy can take a number of forms, but there are key components that MayBelle will want to include. For example, the types of information that a website visitor could provide, how that information is collected and how it will be used (including whether that information is shared with third parties), as well as what measures MayBelle will take to store and protect that information. MayBelle wants her website to be able to process payments, first for merchandise and later for her hooch, so she needs to understand and communicate to consumers how the payment data will flow. Sometimes that data is transmitted directly to the seller, necessitating the need for compliance with the Payment Card Industry Data Security Standards. But Maybelle knows it can also be processed through a third party (such as Shopify or Stripe), so she plans to go that route — letting her focus on making spirits while putting the onus on those third parties to ensure compliance with the right standards (and also pointing consumers to their privacy policies).

For a small business, mitigating risks associated with data collection can seem onerous at times, but can also be a make-or-break proposition if the worst happens. One way to reduce risk is to review the agreements that underlie your financial transactions. For instance, if MayBelle wanted to follow the path of processing financial transactions herself, she would likely need to be a party to a merchant agreement (or something similar) with the bank that facilitates the payments from her customers. That agreement will outline a number of requirements and representations for the business, as well as the financial institution, including how implicated data will be handled. But since MayBelle wants to use a third party to take care of payment processing in full (such as when a web portal appears, operated by a third party, when it is time to make the payment) then her business will need to enter into an agreement with that entity. One thing MayBelle will learn (in either case) is that the standard language contained in those agreements will favor the other party (and disfavor her business) on key issues related to data collection, such as indemnity, limitations of liability and vendor-imposed penalties.

To illustrate this point, consider a consumer that has navigated to MayBelle’s website, intrigued by the beautiful labeling, founder’s story and overall brand concept. As he’s navigating the website, MayBelle’s consumer is pleasantly surprised that he can order her product directly through the website and have it delivered right to his home. When he decides on his bottle of choice and clicks the “add to cart” button it directs him to a new page operated by a different company, where he inputs his name, email address, physical address, telephone number and credit card information. When the hooch arrives he thoroughly enjoys it, and has a dram every so often to treat himself to a respite from the rigors of practicing law (or perhaps everyday life). One day he receives a notice in the mail stating that a company he had never heard of — which in reality was MayBelle’s online payment processor — had become the victim of a data breach, compromising the information that he had provided when he ordered MayBelle’s booze. As he looks up from the letter at the now half-empty bottle and contemplates how to proceed from here, he struggles to decide whether he would rather drink the rest in a single sitting to drown his frustration, or the smash the bottle as the source of his newfound predicament. Either way, MayBelle’s excellent product is now linked in his mind with the prospect of identity theft. Unless MayBelle’s strategy is quite unusual, that is clearly off-brand.

MayBelle too has received a notice from her payment processor about the breach. The notice contains information regarding the type of breach, how many consumers sourced from her website were affected and potential mitigation efforts that the processor has undertaken to prevent any further breach or issue. However, it also contains some especially unsettling news: it informs MayBelle that she should consult legal counsel to find out what obligations she has related to the breach. And of course it tells her that in accordance with its standard terms and conditions (that she agreed to when she signed the processor’s form of agreement), all costs associated with such compliance are her responsibility. Furthermore, while the processor is obligated to indemnify MayBelle from direct claims related to the breach, it will only cover those claims up to the nominal monthly subscription fees that she paid. To top it all off, the breach has caused the processor financial hardship that will cause it to cease its operations immediately, severing MayBelle’s online revenue until she can find a new provider.  MayBelle is justifiably howling in pain at this news.

Situations like this can obviously be quite frustrating for any business, but particularly difficult for a small business. MayBelle conducted her operations efficiently and successfully. But now the failures of a third party causes her to dip into her own pockets to cover the hard costs related to regulatory compliance, litigation and potential fines. Not to mention, the damage to MayBelle’s brand is incalculable.

However, all is not lost and you needn’t think of your business as beholden to the standard terms and conditions that MayBelle’s payment processor imposed on her. It can certainly be difficult, if not impossible, to secure unlimited liability for data breaches but even small businesses can be successful in structuring indemnity and limitation of liability sections that reflect the amount of transactions being processed. For instance, rather than limiting the liabilities attributable to a data breach to the fees paid to the vendor, a reasonable proposal could be 10 percent of the transaction total processed within the last year. This sort of proposal can be palatable for the processor while also leaving your business in a much stronger position in a worst case scenario.

Marketing

There are a number of innovative ways to market your products that can involve data collection. While it can be slightly unnerving to navigate from a “craft distilleries” Google search to your Facebook page, only to find ads pertaining to craft distillers pushed into your feed, it truly can be the perfect way to put your product in front of new potential customers. Marketing agencies have a number of creative ways to find large segments of the population who would fit the profile of your average craft alcohol consumer. Taking advantage of these opportunities can give you a leg up on finding new avenues for growth.

Again, these kinds of initiatives require thought on the allocation of risk amongst the parties. For instance, there are many opportunities to purchase data sets that will provide fascinating insights into the types of individuals that are (or could be) interested in your products. Sometimes demographics align with our intuitive thinking about who would be interested in a craft distilled product, but other times everyone is surprised to learn about the types of people that might be interested. While these data sets already exist to some extent, it is even possible to commission more targeted insights about your product in particular. Of course, in either scenario there are rules and regulations surrounding how to achieve these insights (and how to use them in responsible marketing practices).

There are some basic tenets to keep in mind that will help a targeted marketing campaign steer clear of privacy issues, such as consent. At the end of the day, many consumers are happy to be introduced to new products that align with their interests; they just want to feel like they were not forced or coerced into choosing those products. Therefore, when choosing any sort of targeted marketing campaign, securing the consent of consumers can be an essential step.

On Premise Data Collection

In addition to the considerations surrounding data collection from a distiller’s website, there are also many opportunities to collect data sourced from the distillery or tasting rooms. According to the Craft Spirits Data Project, approximately 40 percent of small, distilled spirits producers’ sales are direct-to-consumer sales at the site of production. Since most consumers are not in the habit of carrying cash anymore, this likely requires the processing of credit cards on premise as well. While some distilleries might operate under more traditional processes, MayBelle, like an increasing number of distillers (and businesses overall) has turned to simplified technologies for these transactions, such as an iPad and Square®. In any case, similar to the transactions being processed through her website, it is important for MayBelle to understand the underlying agreement for these transactions in order to address potential risk allocation.

Another area of data collection that can pose issues is the collection of tangible forms of information. For example, MayBelle may want to run a marketing campaign centered on a sweepstakes or contest.  She’s going to need to talk to her lawyer about that, as there are a bunch of legal requirements to meet. But from a privacy standpoint, this will inevitably require the participants to divulge information about themselves in order to facilitate their opportunity to win. There is case law to suggest that a privacy policy posted to a company’s website will be deemed to apply to data collected by the company outside of the website unless it is explicitly stated otherwise. In any case, a distiller will be required to enact standard protections of information gleaned through these more traditional methods.

 Other Avenues of Data Collection

While collecting data from consumers may feel like the top priority, there are other sources of data collection that MayBelle needs to consider to avoid any undue risk to her business. One of the most important is information about employees. Employee data covers the full scope of personally identifiable information, going far beyond the information gleaned from consumers, including social security numbers, health information (potentially implicating HIPAA and other strict privacy laws) and employment record. In fact, a significant portion of lawsuits filed as a result of data breaches are by employees. Sometimes these breaches are due to the direct actions or inactions of other employees. One large beverage company faced a suit from its employees in 2009 based on a stolen laptop, which contained thousands of records holding the personal information of employees. The problem was compounded by the fact that the information on the laptop was not encrypted. This case served as a reminder to many large companies that skimping on data protection for hardware can cause larger headaches down the road. Like all small businesses, MayBelle too should learn this lesson.

Lastly, any business will have significant information about their vendors, and for distillers, their distributors. Even though this information will most often not include personally identifiable information, it will include other sensitive data such as banking information. Most vendor agreements also treat the terms of their agreement, and any information that the vendor shares with your business as proprietary and confidential. Again, it is prudent to understand the obligations that have been undertaken in your business-to-business engagements pertaining to the treatment of confidential and proprietary information. Standard terms and conditions often impose onerous administrative obligations around keeping information confidential, but there are often paths to more reasonable confidentiality obligations.

Conclusion

While the collection of data — particularly personally identifiable data — can seem to bring undue risk to your business, there is substantial upside. Websites provide a platform to creatively market products to a wider segment of the population than ever before and selling merchandise and products through your website can unlock revenue and increase your consumer base. With the rise of alcohol delivery applications and online retailers’ foray into the alcohol industry, the market for craft distilled alcohol can be basically unbounded. For the intrepid distiller, there is even opportunity to fulfill these orders directly. Whatever path you choose to get your product into the hands of new consumers, keeping the data transfers necessary to achieve this in mind will be a necessary aspect.

Special thanks to Brandon Archuleta, an Associate at Lane Powell, who helped author this article.

Published by Brian B. DeFoe

A business lawyer with an emphasis on assisting clients in consumer-facing industries. I have a keen appreciation for spirits, especially single-malt scotch whiskies (the peatier the better, please) and robust bourbons. I live on Bainbridge Island, Washington with my wife, three sons and an ever changing menagerie.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.