General Data Protection Regulation

Published on 2018-05-25

Greetings Dripsketeers. Happy GDPR Day!

I joined Kickstarter 3 months ago. One week after I started, I had a meeting with our commercial counsel entitled "GDPR sync." Slowly at first, and then quickly, the General Data Protection Regulation consumed the bulk of my time at work. For those who are unaware (I'm not sure how you could be, since every company you've ever shared your email address with, and even some you probably weren't aware of, has likely contacted you in the past couple of weeks under an obligation to let you know that their terms have changed), GDPR is a European Union regulation that sets out the rights people have over their personal data and the obligations of any business that handles that data. Today, May 25, is the day the law takes effect.

It has beleaguered nearly every startup that does any kind of business in Europe, which is nearly every startup. Some companies have decided to just not bother. Kickstarter, being a global company, is obligated to comply. But Kickstarter is also a different kind of company, a Public Benefit Corporation (PBC). Our charter contains clear, unambiguous language:

Kickstarter will never sell user data to third parties. It will zealously defend the privacy rights and personal data of the people who use its service, including in its dealings with government entities.

The work to bring us into compliance with GDPR wasn't just a compulsory chore — it was core to who we are and what we value. I'm very proud to say that we have done a ton of work, both in user-facing features and internal processes. GDPR as a project was an enormous cross-company, cross-functional undertaking. Every engineer in the organization made some contribution.

And the work is complex. The job was to identify every area across our technology stack that touched Personally Identifiable Information (PII), contain it, put permissions, access controls, and auditing around it, and expunge it where it was deemed unnecessary. In an application like Kickstarter, which involves backers pledging money and that money then being distributed to creators, we are exposed to a great deal of PII by necessity. GDPR became a forcing function to formalize processes and introduce a regimen for improving our data hygiene. You can learn more about this work by reading our (quite readable) Privacy Policy, complete with a diff.

Kickstarter's governance as a PBC allows us to veer away from a disturbing trend in tech startups: data gluttony. When a business is bound to improve conversion at all costs and to endlessly drive "engagement", the tendency is to bring an overwhelming and ever-increasing amount of data to bear in the interest of marginal improvement, no matter the risk to the user. Having a different governance model allows us to put user privacy (and "user" can sound so divorced; it's people, it's you, it's us) front and center as a business mandate.

I'm really proud of the work we've done to bring us into compliance with this law, and I'm really proud to work for a company that values that work.

We also made shirts. 

The author opting-in to wearing a GDPR shirt.