Navigating data privacy, tech transfers and licensing

Tech Transactions and Data Privacy Attorney Kathryn Allen shares advice for healthcare startups

In the continuously changing landscape of technology and innovation, understanding the legal complexities surrounding privacy, contracts and intellectual property is crucial for companies, especially startups. We sat down with Kathryn Allen, tech transactions and data privacy attorney at Polsinelli, to discuss what startups should consider when collecting and sharing personal data.

1. As a company innovates and develops new products and services, what should it consider from a privacy perspective?

From a privacy perspective, companies should always consider where they are collecting data. A lot of companies are so focused on making sure that they set up their intellectual property the right way, that they’re protecting themselves, that they’re going to market, that they often overlook an issue that’s really become a big one for any technology or software-based business these days, and that’s the collection of data.

Anytime you have a piece of software, it is going to collect data naturally, and what companies must do is map out all of the points at which that technology is going to collect the data and understand what data it’s going to collect.

For example, you may have a marketing website that people can go to and look at your product and service. There are likely cookies gathering personally identifiable information or PII just from marketing websites. Perhaps your website has a feature that says “contact us” where consumers are actively putting in their PII for you. If you ask somebody to create an account before they can access your platform, they probably have to enter some PII there. Are you taking a payment via credit card? All of these points along the way are possible points of liability.

Here in the US, we’ve been a little slow to regulate PII, but in the last five to seven years, we’ve seen an explosion at the state level. Ten years ago, this was not a conversation I was having with my startup clients, but now there are double digits of states that are enacting their own regulations around PII.

These are all elements that you need to understand about your business and about your technology because regulation requires that you articulate that back to the data subject. You need to let them know what you’re collecting, where, how long you keep it, what you use it for and whom you share it with.

2. What should companies include in their contracts with customers and vendors to limit privacy-related risk?

In the US, we have a permission-based system when it comes to the collection and use of PII. What you need to do with your customers is accurately articulate all the places that you’re collecting PII from them, tell them how you’re going to use it, for example, in the strict provision of services, are you going to de-identify some of it? Are you going to aggregate it with other PII or are you going to run statistical models with it? Are you going to share it with a vendor who is providing marketing services to you?

Many years ago, I had a lot of startup clients just go and grab a privacy policy off of the web from a similarly situated business. This does not fly anymore. The laws require that you articulate how your company is gathering that data and how you use it. There is a lot of difference in the state’s regulation. It can seem very overwhelming for startups when they’re faced with the legal costs, but it doesn’t have to be that overwhelming. We want to make sure that we’re being upfront with consumers and telling them what we’re actually doing, not what a party that we grabbed a privacy policy from is doing with their data.

The second part of that question is, what do I counsel my clients about when they’re engaging vendors? My primary suggestion is to limit the vendor’s use of PII to the strict provision of services. This is helpful to the startup in a number of ways. Number one, it will make sure that that vendor isn’t using you and your customers’ data as another revenue stream.

Number two, it means that your liability has been truncated if a vendor is not allowed to use that data except for the provision of services during the term that you’re doing business with them. They have to delete that data when you’re no longer doing business with them. So, this can be really helpful if the vendor has a data breach. You don’t have to worry that your customers’ data is still with that vendor even though it’s years later and you’re no longer doing business with them.

3. What may other parties require of startups when entering into a new partnership?

Some of the things I see my startup clients get asked for when they are partnering with other businesses, trying to engage vendors, looking for investors is, “Well, that’s okay, you don’t have to pay us. Just give us a percentage of ownership in your company,” or “That’s okay, you don’t have to pay us, just give us a license to your intellectual property.” This can be attractive to startups because they’re cash strapped and those that don’t really understand the implication of giving up these elements might think it’s a good idea.

I strongly encourage clients not to do that. You don’t want to water down the ownership rights you have in your company. You don’t want to give up any rights to your intellectual property if you don’t have to. Doing this once or even twice can really put a startup under.

For example, I had a client that had some fantastic software. A vendor they wanted to engage said, “No problem, we don’t compete with you in this space. Give us a perpetual license to your intellectual property and we’ll use it over here in a totally different market and area than what you’re planning to use it in.” Well, that was not the case because they didn’t have a written agreement setting out those parameters.

What this client ended up doing was basically giving a copy of their fantastic software to a vendor who used it to put them out of business. So I really caution clients on giving up any type of ownership or control if they can help it. Funding is a difficult issue and one that all startups struggle with, but if they can find funding from alternative resources, that’s always going to be my recommendation.

4. Can startups be held liable for the way other parties use their technology?

Any party with technology or intellectual property opens themselves up to certain amounts of liability if you let a third party use it. So, a startup certainly can be liable when a third party uses their IP. I’m going to strongly suggest any startup not share their intellectual property with any third party unless they have a written agreement.

If you don’t have a written agreement, there is a legal doctrine called the naked license that may apply. This generally means that if you don’t care enough about your intellectual property to have a written agreement with those people that you share it with, maybe both parties should share in the intellectual property after all.

You always want to have a written agreement with any third party you share your intellectual property with. Not only do you avoid the naked license, but you also protect yourselves with some legal protections that are standard in any contract. For example, if that third party misuses intellectual property, that third party harms somebody else with the intellectual property, they have to take care of that harm, they have to take care of that lawsuit. That lawsuit doesn’t travel through back to you.

A final element that I always put in contracts for my startups is the startup’s ability to enjoin or stop that third party from using the IP if they misuse it. It’s a powerful tool that is pretty cost effective. You just simply go to a judge, say, “I’ve got this contractual right to stop what they’re doing and here’s why.” It can be a really effective tool when you don’t have a lot of money to pay for a lawsuit.

5. What are the different types of tech transfers, and how should entrepreneurs choose the right one for their startup?

There are all different ways that you can transfer, share, license or monetize your intellectual property. I like to think about intellectual property rights and their monetization as a bundle of sticks. If I hold the whole bundle of sticks and nobody else has any sticks, I am the sole owner, the sole person that can use it, the sole person that can benefit or make money off of it. But, I can give one or two sticks to Sarah and I can give one or two sticks to Paul. I still have the majority of the sticks, but maybe I’m allowing Paul to commercialize the IP in a different vertical. Maybe I’m allowing Sarah to do some of my marketing for me, so she’s allowed a couple of those sticks in order to help me.

Intellectual property protection and sharing laws have been established for eons, and they’re really strong here in the United States. There are a lot of mechanisms that you can monetize or share your intellectual property with somebody else while you still hold control. The thing that I would strongly recommend to any entrepreneur or startup is articulate in plain language exactly what you want to do.

Do you want to hold control of the IP, but let this party monetize it for you? Do you want to hold control of the IP, but give a portion of it to somebody else for a limited period of time? You can chop it up any number of ways, for as many sticks there are in the bundle, we can chop it up. You need to know early on exactly what you want to happen with that IP, and then we can help you make sure that is articulated correctly in the legal documents.

Interested in hearing from more Polsinelli lawyers? Learn more about artificial intelligence.

About Polsinelli

Polsinelli is an Am Law 100 firm with more than 1,000 attorneys in 22 offices nationwide. Recognized as one of the top firms for excellent client service and client relationships, Polsinelli is committed to meeting our clients’ expectations of what a law firm should be. Our attorneys provide value through practical legal counsel infused with business insight, offering comprehensive corporate, transactional, litigation and regulatory services with a focus on health care, real estate, finance, technology, private equity and life sciences. Polsinelli LLP in California, Polsinelli PC (Inc) in Florida.