Privacy Advice for Startups: Don’t Freak People Out

The past week has been a newsy period for digital privacy, with the Obama administration proposing a new “privacy bill of rights” and the largest online advertisers agreeing to make do-not-track technology available to consumers. So, to help put things in perspective, PEHub checked in with Chris Babel, CEO of TRUSTe, which operates the widespread privacy seal program for Internet companies to certify their data practices.

San Francisco-based TRUSTe is an unusual player in the privacy space in that it started as a non-profit in the late 1990s, but switched hats in 2008, accepting its first Series A round from Accel Partners.   Since then, TRUSTe has raised $37 million from VCs and has been expanding a suite of services mostly around certifying privacy policies to cater to websites, mobile developers, cloud service provider and advertising platforms.  And while big Internet companies are heavily represented among its customers, startups are also a big component.

There’s plenty of reason, Babel says, for startups to be getting more concerned about privacy. For one, enforcement activity is accelerating. The Federal Trade Commission has been stepping up investigation regarding privacy practices in recent months, and it isn’t just Google and Facebook they’re targeting, Babel notes. In November, for instance, the FTC settled charges against ScanScout, a venture-backed online video advertising network, for allegedly claiming deceptively that consumers could opt out of targeted ads by setting their browsers to block cookies.

Then there’s the court of public opinion. Several startups have gotten a lot of flack in the media – and from their users – for their privacy practices. IPhone app developers Path and Hipster, which had been uploading users’ address books to their servers without consent, were the most recent.  With the ability to include location-based information, store data more cheaply and for longer periods than ever, and publish to an ever-expanding array of devices, there will surely be more to come.

“With a startup, you’re moving fast, and you have an engineering mindset. But you don’t’ necessarily put your consumer hat on and say: Is this going to freak people out?” Babel says.  That causes trouble down the road.

Babel’s standard line for startup privacy policies is pretty straightforward: Be transparent in what you’re doing, give consumers a choice, and be accountable to that choice. He also suggests making an effort to avoid including something because it is can be done – such as include a location-based feature – rather than because it’s actually what end-users want. And of course, all data collected needs to be anonymous, and well-scrubbed of personally identifiable information unless there is opt-in consent from the user. But privacy is an unusual area, in that one-size-fits-all data collection practices don’t work because consumers have very different comfort levels.

“In privacy you’re always dealing with the individual, and you don’t know if the end person is an open person who wants to share everything or a closed person and they want to share nothing,” Babel says. The other big area in which startups need to pay heed, as the Path and Hipster cases illustrated, is in the mobile arena. App developers in particular need to keep up-to-date privacy policies and make sure they’re readable on mobile devices.

With public awareness and concern around digital privacy on the rise, TRUSTE isn’t the only venture-backed company developing services to protect personal data. Redwood City, Calif.-based, which provides online reputation management services, raised $41 million in June from backers including August Capital, Bessemer, JAFCO Ventures, Kleiner Perkins Caufield & Byers and Floodgate Fund.  Boston-based Abine, a developer of anti-tracking software, raised $6.5 million in July from Atlas Venture and General Catalyst Partners. Also gaining traction is Personal, a business built around the notion that individuals should be compensated for the marketability of their personal data.