Date: 2020-01-24

Privacy headlines often focus on big tech behemoths—and for good reason. Last year alone, the Federal Trade Commission settled a $5 billion civil penalty against Facebook and a $170 million fine for alleged violations of the Children’s Privacy Law against Google and YouTube. These companies have contributed to waves of identity theft, social stigma, and barriers to housing and jobs for the victims of their data breaches.

This year, California’s state privacy law (CCPA) went into effect, and companies will be spending big money to make sure they are on the right side of the law: CCPA estimates companies will spend between $50,000 and $55 billion to get into compliance. For the European Union’s General Data Protection Regulation (GDPR), which went into effect in 2018, 88% of surveyed companies in the U.S. reported spending more than $1 million, according to a PWC survey.

In both the GDPR and CCPA legislation, policymakers created thresholds that exempt firms from certain compliance activities if they fall below an annual revenue level or size. But the question remains: How might small companies without big budgets or robust legal teams begin to digest the complexities of policy compliance?

I recently spoke with four resourceful, early-stage social impact companies affiliated with MIT Solve that handle sensitive data, such as child developmental information or maps. These companies highlighted three common themes when discussing the individual considerations of their projects: user needs, legal compliance, and privacy culture.

Privacy, defined as the ability to control or limit access to personal information, is an expectation for end users. All the founders pointed to contextualized, often irreversible harms that could arise through data collection.

“We’ve had several meetings thinking about the risks and responsibilities that come with owning and managing the kind of data we are collecting,” said Kamil Shafiq, cofounder of Poket, a mobile app that maps previously unmapped, offline merchants through crowdsourcing in countries such as Nigeria. “It’s important to take a very careful look at both the planned and unplanned use cases for things like location data.” These risk assessments influence their company’s product design, reducing the potential for the compromise of information through data breaches and cyberattacks.

Sindhuja Jeyabal, cofounder of Dost Education, a mobile platform that promotes parent engagement in early childhood development, says its users—currently illiterate women in India with children under six—need to understand their data is safe to be able to reliably use their platform. “Revealing a child is behind with educational milestones [could lead to] further educational displacement or bias against the child,” Jeyabal says. This can prevent users from providing accurate information to the company. So, the team trains staff members doing fieldwork to practice good habits for global data consent and collection.