Jon Hyman has spent a lot of time thinking about privacy. It's an unavoidable concern at Braze, the New York City-based customer-engagement platform he co-founded, which handles millions of pieces of user data for clients such as Domino's, Yelp, and Lyft. Hyman knew Braze had to be proactive in advance of the E.U.'s General Data Protection Regulation and the  California Consumer Privacy Act­­­--the state's sweeping new privacy law, which will likely serve as a national model. He realized that, while creating a meaningful privacy policy can be burdensome, it can also be a golden opportunity to inspire customer trust. The Braze team made themselves experts in compliance. They created a digital magazine explaining the standard, hosted a conference, and generated how-to-comply FAQs. "There was absolutely a huge business impact to it," Hyman says. "The CCPA has changed the conversation, so privacy is top-of-mind for folks." Crafting a world-class approach to privacy may seem daunting, but it comes down to clarity and commitment. Discover the benefits of doing privacy right.

"This is a milestone moment for privacy law in the U.S. The California Privacy Act sends a powerful message that people care about privacy and that lawmakers will act."Marc Rotenberg, executive director of the Electronic Privacy Information Center

1. Know thyself, know thy data.

How well do you understand your data collection practices? A surprising number of entrepreneurs don't know exactly what customer information they're gathering on their websites and what they're doing with it, says Jane Hils Shea, an attorney with Cincinnati-based Frost Brown Todd. "Often, they think it's just boilerplate, that pretty much every privacy policy reads the same," she says. "But they have to really think about what they collect, whom they share it with, and, more and more, what types of automated technology they use that collect website-usage data."

Before drafting a policy, find out what's important to your customers. "Our support team is in regular contact with our user base, so I knew five to six key items I wanted to make sure were addressed," says Steve Hartert, CMO of form builder JotForm in San Francisco. Those include an explicit commitment to privacy, a promise not to sell users' information, and the ability to manage subscriptions "at a micro level. For example, subscribe to our newsletter but opt out of promotional emails," says Hartert.

2. Start smart--write your own draft.

To save on legal fees, generate the first draft of your policy yourself. "We drafted our policy in-house and then asked legal counsel, 'Is there anything we're missing?' " says Case Sosnoff, chief compliance officer for the Chicago brokerage Tastyworks. "That also helps you understand the verbiage, the legality behind it all."

68 percent
of consumers don't trust brands to handle their personal information appropriately.
Source: Gigya.com "State of Consumer Privacy and Trust" survey
Only 55 percent 
of customers say they understand how companies use their personal data, but 95 percent say trust in a company makes it more likely they'll be loyal, according to research conducted by Salesforce in March and April.
Source: Salesforce "Trends in Consumer Trust" report
$23 million
or 4 percent of global revenue (maximum), whichever is higher: the fine for noncompliance with the European Union's General Data Protection Regulation.
Source: InformationWeek.com, "GDPR: A Cost Vs. Benefit Analysis"

Hartert looked at his competitors' policies and those of similar companies in the E.U., Asia, and Australia. While they may be good models, don't copy them verbatim, says Robert Braun, a partner at Jeffer Mangels Butler & Mitchell in L.A. "No two businesses are exactly alike. There's a reason why you're someone's competitor," he says. To ensure your policy will reflect your unique needs, get input about current and future privacy concerns from your leadership team. "Our vice president of customer operations, our vice president of product, our CTO, and our vice president of finance all collaborated," says Ankur Nagpal, founder and CEO of Teachable, a teaching platform based in New York City. "At the end of the day, the policy will affect all those stakeholders."

3. Put it on paper.

When it comes to reviewing and revising your policy, your lawyer should understand your business intimately. That's why Luke Pulverenti turned to one of his own users when he needed legal advice for Emby, his Cornelius, North Carolina-based media-management app. "Having used the software, knowing how it works, is paramount," says Jeffrey Neu, Pulverenti's attorney. "I actually know what's happening instead of just hearing what an engineer or developer tells me."

Since your policy can have such a broad impact on your company's fortunes, ask the right questions. "Go way beyond their substantive knowledge," says James Beckett, co-founder and CEO of Louisville-based legal, tech, and services consultancy Qualmet Legal. "Ask, 'What's your understanding of business risk? How are you held accountable by other clients?' Have those conversations." When working with counsel, set a maximum budget up front. "No offense to the legal profession, but it's in their best interest to keep the process going as long as possible," Nagpal says. "Getting an upfront quote can save thousands, if not tens of thousands, of dollars."

4. Make privacy a part of your marketing.

You'll be surprised at how powerful a strong stance on privacy can be, says Craig Lurey, co-founder and CTO of Chicago password-management software maker Keeper Security. "Tech users go on the App Store and talk in detail about it," he says. And when everyday users ask their IT geeks for help, Keeper Security's name often comes up.

At Emby, which catalogs and streams customers' media to multiple devices, "users constantly tell us privacy is one of the reasons they choose us," founder Luke Pulverenti says. But don't say you're doing something you're not doing. This may seem obvious, yet a surprising number of privacy policies are inaccurate. "A typical case is, someone will ask me to review their policy, and it will not reflect what they do," says Robert Braun of Jeffer Mangels Butler & Mitchell. If your information-gathering processes have changed over the years, your policy is probably insufficient. Make it a priority to update policies often.

From the Winter 2018/2019 issue of Inc. Magazine