22.1 Compliance 🎯
This section includes an Activity 🎯
As a product manager, you'll need to be aware of all the dimensions of your product, even the ones you don't have direct responsibility over. One of these areas is legal issues—the laws, policies, and practices that are relevant to your product and your business. Legal issues include legal review processes, specific types of data that are legally protected, and legal obligations that your product needs to fulfill. All of these issues need to be taken into account during product development, iteration, and maintenance.
In this checkpoint, you'll learn about some of the main legal aspects you should keep in mind, and discuss how product managers work with lawyers and legal teams.
By the end of this checkpoint, you should be able to do the following:
- Identify and prepare for possible legal issues in product development

Why should you worry about legal issues?
There are now more laws about technology, information, and products than ever before. PMs can't know them all, and knowing them all isn't a PM's job. That's why companies have lawyers and legal teams. However, if a PM fails to adhere to any of these laws, they could be putting their company, product, and career at significant risk. Not following legal procedures can lead to lawsuits, penalties, or even bankruptcy.
For this reason, part of your responsibility as a PM is to work with teams that specialize in legal issues, policy, compliance, and risk. You are the expert on the product. The legal team is the expert on the law. Together, you can work out any current or future problems with your product.
Legal expertise
Your company's lawyers are responsible for knowing the laws, policies, and guidelines that apply to your product, your specific industry, and the technology world as a whole. As long as you can summarize your product and issues concisely and accurately, you can rely on your lawyers to give you advice on how to proceed. Lawyers can also help you identify opportunities or protect your assets by filing patents or registering copyrights and trademarks.
Legal protection
The best way to protect your company, your customers, and your product's reputation is to thoroughly review your product offerings with an eye to the legal and regulatory conditions you must adhere to. As the PM, it is your job to drive this process. You don't have to have all the answers, but you are responsible for making sure you ask the right questions, get them answered, and take the right actions based on those answers.
Some industries or product types require specific reviews, disclosures, or audits whenever changes are made to your product. Your product might also be subject to contractual obligations with customers or partners. In both cases, your company's lawyers need to understand how your product is about to change and warn you about any issues those changes could cause.
Legal concerns
You might be surprised by the range of areas that benefit from legal review. Some of the more obvious ones in technology include copyright protection or infringement, the incorrect use or attribution of available open source components, data protection and privacy, and contractual commitments.
Additional concerns arise if your products operate in specific regulated areas like e-commerce, financial services, or health care. If your product is available in multiple countries, different laws and policies can apply for each country. Your lawyers can help you understand what you need to do to comply with different legal requirements. If you have any doubts about legal issues regarding your product or product decisions, talking to a lawyer is always the best advice.
Lawyers and company size
Companies handle legal issues in different ways. The simplest way to think about it is to compare startups to large corporations. Startups usually have a lawyer available on a retainer (like a contractor) so that you can discuss legal issues with them only when necessary. Large companies, on the other hand, usually have lawyers on their staff and often have strict review processes for all product changes. A big corporation will probably even have lawyers that specialize in specific kinds of legal matters like contracts, patents, and copyrights. No matter which kind of company you work for and whether your legal counsel is in house or on demand, you'll need to interact with the lawyers in essentially the same way—presenting changes or issues in a clear manner so that you can get answers to your legal concerns.
Working with legal counsel
As a PM, you will be a primary point of contact for whatever legal counsel is available to you. Make sure you know who the point person in your company is to speak to about legal issues. When you're making a significant product change, you'll want to contact them so that you can address any legal concerns early on in your product development process. Your legal contact will work to understand the planned product changes and connect you to the appropriate lawyers or resources to make the right decision.
The legal process
A comprehensive legal review of a product, contract, copyright issues, intellectual property protections, and other legal issues can take weeks or even months to complete. You need to plan for this well in advance. You might not be able to start creating designs or coding until a legal review has been completed. Similarly, you might not be able to launch your product until finishing the compliance certification process.
Most legal processes begin with an overview of the product or changes that need review. You'll need to summarize the changes and risks so that your lawyers can do their most effective work. It's essential that you are detailed and thorough. For example, if you don't tell your lawyers that you'll be storing credit card numbers, they won't be able to advise you about the security and privacy standards you need to adhere to when building your payment system.
Below, you can read about all the questions you should ask when preparing to discuss legal issues with your lawyers. Follow your lawyers' or company's guidelines on how to assemble and deliver this information for their assessment.
What does your product or service do?
The first question to ask is what does your website, software, or service do? This will provide the basic context for all the other questions. Consider the below list of follow-up questions:
- Does it primarily provide information, like nextdoor.com?
- Is it a space for buying or selling something, like an e-commerce site?
- Is it a SaaS business application, like salesloft.com or fullstory.com?
- Is it free for users or is there a fee?
- Is there a minimum term subscription requirement?
- Does it show advertisements?
- Is there an offline component like product fulfillment, such as fractureme.com?
- Does the product or service collect credit card information for anything?
- Does it connect to another service that a customer uses, such as linking to their email, bank account, or social media account?
- Does it serve people in other countries besides the United States?
Who uses your product or service?
The next question to ask is who your users are and where they come from. The legal team will need you to answer the following questions about your users:
- Is this a B2C app, in which each individual user signs up on their own?
- Is this a B2B app with a business as the customer, in which that business adds their users as part of an administrative function?
- What is the age range of your users? Are any of the users minors?
- What personally identifiable information is required to become a user? Name? Email address? Phone number? Mailing address? Credit card information? Social Security number?
How do users access your product or service?
How an application or web service is accessed will have security implications that affect the user contract, compliance, and other legal areas. Your legal team will need you to know the answers to all of the following questions:
- Do users access the service or product over the open internet?
- Are users restricted to accessing the service or product through a customer's corporate network or VPN?
- If the service or product runs on a server, is that server on the internet or physically on the premises (such as in the customer's office)?
- Is the service or product accessible through a web browser?
- Is the service or product accessible through a dedicated smartphone application?
- Is the service or product accessible through a "fat client" desktop application?
- Does the service or product support or require two-factor authentication?
- Is the service or product accessed by a third-party application or service (such as to extract data or to manage something for a customer)?
What did you use to build your product or service?
Another area of legal concern is how your product or service is built. Unless your company wrote every line of code that delivers and runs an application or service (which is unlikely with modern application services), it is probably incorporating other components that should be reviewed. Consider the following questions:
- Does the product or service use any third-party components that require paid licenses, such as software libraries or compilers, data processing services, authentication mechanisms, or whole functions (for example, a text editor or image processor)?
- If so, what do the contract terms of these third-party licenses say about distributing them to your own customers? Is there a fee per customer? A bulk-rate fee? Different terms if you sell your service instead of giving it away for free? Are there geographic restrictions?
- Does your application or service use any open source software components? Which components and what licenses do they use?
Open source software can be used in commercial products, but it is subject to restrictions. Software you license from a third party might also be used in commercial products, subject to the license terms. As the PM, you want to make sure you are complying with all the appropriate restrictions and terms from the very beginning. Discovering a legal violation late in the development process—or, even worse, after your product is on the market—can be very costly. There could be fines or legal penalties, not to mention all the additional work that will be required to bring your product into compliance.
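To make the "which components and what licenses" question concrete, here is an added example (not part of this checkpoint, and not any particular company's tooling) of a license-policy check run over a component inventory before a release. The component names, versions, and the policy tiers are constructed for illustration; in practice the inventory comes from your package manifests or an SBOM, and the tiers come from your legal team.

```python
"""
Added example: license-policy gate over a component inventory.
All package names and the policy tiers below are constructed.
"""

# Constructed policy for a product that is distributed to customers.
# Your legal team decides the real tiers; these are only illustrative.
POLICY = {
    "MIT": "allowed",
    "BSD-3-Clause": "allowed",
    "Apache-2.0": "allowed",
    "LGPL-2.1-only": "review",   # needs a look at how it is linked
    "GPL-3.0-only": "blocked",   # incompatible with this product's distribution model
    "AGPL-3.0-only": "blocked",
}
# Higher number = worse; "unknown" is worst because it cannot be cleared at all.
SEVERITY = {"allowed": 0, "review": 1, "blocked": 2, "unknown": 3}


def evaluate_expression(expr):
    """Evaluate a flat SPDX-style expression (no parentheses).
    'A OR B' means dual licensing, so we may pick the best option;
    'A AND B' means every part applies, so the worst option wins."""
    if " OR " in expr:
        return min((evaluate_expression(p.strip()) for p in expr.split(" OR ")),
                   key=SEVERITY.__getitem__)
    if " AND " in expr:
        return max((evaluate_expression(p.strip()) for p in expr.split(" AND ")),
                   key=SEVERITY.__getitem__)
    return POLICY.get(expr.strip(), "unknown")


def check_inventory(components):
    """components: list of {"name", "version", "license"} dicts.
    Returns findings sorted worst-first; fully allowed components are omitted."""
    findings = []
    for c in components:
        verdict = evaluate_expression(c["license"])
        if verdict != "allowed":
            findings.append({"name": c["name"], "version": c["version"],
                             "license": c["license"], "verdict": verdict})
    return sorted(findings, key=lambda f: -SEVERITY[f["verdict"]])


def release_gate(components):
    """True when nothing is blocked or unknown. 'review' items still need
    a human sign-off but do not fail the automated gate by themselves."""
    return all(f["verdict"] == "review" for f in check_inventory(components))


# Constructed inventory; package names are invented for the example.
SAMPLE_INVENTORY = [
    {"name": "webfw", "version": "2.3.1", "license": "BSD-3-Clause"},
    {"name": "imgproc", "version": "0.9.0", "license": "GPL-3.0-only OR MIT"},
    {"name": "pdfgen", "version": "1.4.2", "license": "AGPL-3.0-only"},
    {"name": "ffi-bind", "version": "3.0.0", "license": "Apache-2.0 AND LGPL-2.1-only"},
    {"name": "colorlib", "version": "1.0.0", "license": "Proprietary-Foo"},
]

if __name__ == "__main__":
    for f in check_inventory(SAMPLE_INVENTORY):
        print(f"{f['verdict']:8} {f['name']} {f['version']} ({f['license']})")
    print("release gate passes:", release_gate(SAMPLE_INVENTORY))
```

The point of running this early, rather than at launch, is the one the paragraph makes: a blocked or unknown license found during planning costs a conversation with your lawyers, while the same finding after launch costs a rewrite.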
What is unique about your product or service?
Most parts of a legal review are about mitigating risk or ensuring that you are following guidelines. But there's another side to legal review: protecting your company's intellectual property. If your product uses novel or "cutting edge" technology, you might want to patent it so that competitors can't copy your work. Similarly, you want to use copyright and trademark protection to ensure that others don't steal your code or your product's name. Intellectual property is extremely valuable to companies, and you'll want to work with your legal team to ensure you're protecting as much of your product as you can.
You'll also want to ensure that your product isn't violating the intellectual property rights of others. Does someone else have a patent on a crucial part of your product? Did you choose a name for your product that's already being used by someone else? You should have your lawyers help you with this because violations can be extremely costly, especially if they involve protracted legal battles.
How is your product or service secured?
Much has been said in recent years about privacy and security in the software business. Security and data breaches have made headlines across the world, compromised billions of people's data, and cost companies hundreds of millions of dollars in direct losses or stock market value. Since security breaches are so serious and can sink companies overnight, you will learn about them in a checkpoint dedicated to product and security later in this module.
For now, here are some questions your legal team will want to understand:
- What kind of security is built into your product or service?
- How is your tech infrastructure protected? Who has access to it over the internet? Who has physical access to it? How do they access it?
- If data encryption is used, what data is encrypted? How are the encryption keys handled?
- What kind of code security audit has been performed? Who did the audit?
- What kind of backups do you keep of your data? How are they secured?
- What is your plan to protect against denial-of-service (DoS) attacks?
What kind of data does your app collect, store, or process?
Some products use data that has specific laws or regulations attached to it. Failure to comply with the applicable laws can result in severe fines. For example, YouTube was fined $200 million because they collected and used data about children in ad targeting.
You're not expected to be an expert on legal issues, but you should know which subjects are highly legislated so that you can include lawyers in the process early on. If your product is adding, changing, or manipulating any data related to the areas listed below, talk to a lawyer:
- Personally identifiable information (PII). Any information that identifies a single person like their name, ID numbers, address, email, biometric data (fingerprints, face scans), IP addresses, or GPS coordinates.
- Privacy. Many new laws are being written that require disclosure and opt-in to any data tracking or analytics collecting. You'll learn more about privacy in a future checkpoint.
- Health privacy. Health and medical records are specifically protected, and any product that makes use of that data must adhere to the highest security and privacy standards.
- Children's privacy and protection. If your product collects, uses, or shares information from children (usually defined as users under 13 years old), you must comply with specific rules including data confidentiality and parental consent.
- Email and spam. Marketing emails like advertisements or sales pitches must adhere to specific rules like providing an unsubscribe option or including the sender's contact information.
- Accessibility. Digital products including websites and mobile apps must have accommodations so that people with disabilities or elderly people can use them. Applicable laws include the Americans with Disabilities Act (ADA) and the European Accessibility Act (EAA).
- Content moderation. If your site accepts and shares user-generated content like photos, videos, or posts, you need to ensure the content is reviewed to avoid problems like copyright infringement, hate speech, or inappropriate material.
- E-commerce. Collecting credit cards, bank accounts, or other financial data requires specific protection to ensure that data isn't stolen. Standards like PCI DSS (Payment Card Industry Data Security Standard) dictate the methods for accepting and securing this information.
How is your data used?
Most tech products accept, use, generate, and retain a lot of data. Besides the risk of having that data stolen, there are laws that apply to the use and sharing of that data. Customers and partners expect data to be carefully handled and protected, and they want to know who has access to what data. Consider the following questions when discussing your product with a lawyer:
- What kind of data is the customer required to provide? How do customers provide it?
- Is your data anonymized when stored? If so, how?
- Does your application read or store tracking cookies? Are these cookies you created or are they from other products/services?
- Is any data shared with third parties, like analytics tools or marketing systems? If so, what data is shared and with which parties? How do these third parties ensure that your data is secure?
How is your product or service sold?
How and where you sell your products and services can protect or expose you to legal or business risk. Do you require customers to sign multipage contracts as part of a lengthy sales cycle, as many B2B services do? Those contracts are more than just a description of the product. They often include declarations of the rights, responsibilities, and liabilities of the parties that create legal obligations for you and your product.
Some of these are common agreements like the end user license agreement (EULA) checkboxes or privacy policies that you see on most sign-up forms. The details are usually unimportant to PMs, but you still have a responsibility to store and track which people agreed to your terms and when.
Many B2B contracts have a service level agreement (SLA) where you guarantee your product will have high availability. Some examples of these include a promise that your product will have 99.99% uptime or will be available even when maintenance is being performed. Such agreements can affect the way you roll out product changes, roll back changes, or handle bugs when they occur.
If your product has a subscription or accepts payments, you need to keep track of who paid, what they have access to, and how long they have access to it. You might also want to upsell your products to users (such as encouraging them to move up a subscription level), remind users to renew their subscriptions, or inform users when payments have been processed. Even though your sales team is handling many of the details, you might need to implement features to ensure there's a seamless handoff from the sales process to product use.

Governance, risk management, and compliance
Some companies unify their legal, ethical, and risk issues together into practices under the umbrella of Governance, Risk Management, and Compliance (GRC). The larger the company is, the more likely that their GRC practices will be formalized, especially if they work with data or products that are covered by specific laws. Centralizing the people and processes involved makes it faster, less expensive, and more transparent for companies to adhere to the best practices in managing these complex issues.
A company's governance usually refers to the management aspects of the company—how the executives structure the company, communicate priorities, and ensure compliance with their directives.
Risk management is about identifying, analyzing, and taking action regarding the risks that can impact a company. Companies attempt to prioritize the risks that will be the most harmful or most likely to happen, and take actions to prevent or mitigate those risks.
Compliance is about upholding requirements—including legal, contractual, or internal. This process is focused on helping you find the right balance between what you "must" do versus what you "should" do to mitigate the risks or penalties of noncompliance.
Dealing with a GRC team is a lot like working with lawyers. Their processes will usually include the same kinds of questions that a lawyer would ask, mainly focusing on what your product does or any changes you are planning, what data is being stored, and how that data is secured and shared.
Legal issues for your product: Best practices
The best way to manage and avoid legal issues is to plan for them during every step of your product process.
Legal issues during development
As you look at your roadmap or get started on the design and planning of your next feature, review your development process with an eye toward potential legal issues. The sooner you get started on the legal review process, the less impact the review will have on your product. The result of the review could be as easy as a simple sign-off or as complex as a thorough list of limitations for every element of your design.
When your developers are actually building the product, you should pay attention to the services, libraries, and tools they use, especially if any are new. Many large organizations have a list of preapproved vendors and tools that your team can use without additional approval. If you're using a new tool that has not been preapproved, it could take weeks or months for your legal team to approve your use of it. Plan ahead and work with your legal and dev teams to foresee roadblocks that could occur as you're building the product.
You should also track all the reviews that your product needs before you can launch. For example, your designs might need to be reviewed to ensure that they're compliant with accessibility laws. If your changes accept user input, they might need to be reviewed by a security team to ensure that they don't have bugs that could be exploited by hackers. If your feature needs to store additional data in the database, those changes will need to be reviewed by the team who oversees your database. Most organizations that have these kinds of reviews also have a system for informing the appropriate teams that your product needs a review.
Operational legal concerns
A big part of legal, compliance, and audit requirements is related to the way you operate your product and processes. For example, which people have access to your product's administrative tools? Are there role-based access controls so that employees can only see or manage certain tools and data? How robust is your logging system so that you can tell who made which changes in case you need to audit your access in more detail?
Not all products or changes will bring up these issues. In fact, many times these access and logging issues are handled automatically through tools and systems developed by other teams. But sometimes you'll be adding a new feature that has to fit into an existing compliance scheme, like showing additional customer data to your support team when they receive a phone call from that customer. In that case, you'll need to follow the appropriate rules about who can see what data, how it's logged, etc. Again, these are all issues that are part of the reviews and sign-offs that you'll need to get in a large organization. For smaller organizations, you'll need to take the lead and figure out the operational requirements for any new features.
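The role-based access and logging questions above are easiest to reason about with a concrete model in front of you. The following is an added example, not code from this checkpoint or from any company's support tooling: a minimal role-based access control (RBAC) layer for an internal support tool, plus a hash-chained audit log so that "who saw or changed what, and when" can be answered during an audit, and so that an edited or deleted log entry is detectable. The roles, permission names, users, and customer record are all constructed for illustration.

```python
"""
Added example: RBAC check plus tamper-evident audit log for an admin tool.
Roles, permissions, users and the customer record are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone

# Role -> permissions. Support agents may read contact details only;
# billing staff may read and edit billing; admins may also change roles.
ROLE_PERMISSIONS = {
    "support": {"customer.contact:read"},
    "billing": {"customer.contact:read", "customer.billing:read", "customer.billing:write"},
    "admin": {"customer.contact:read", "customer.billing:read",
              "customer.billing:write", "user.role:write"},
}


class PermissionDenied(Exception):
    pass


class AuditLog:
    """Append-only log. Each entry carries the hash of the previous entry,
    so editing or removing an entry in the middle breaks the chain."""

    def __init__(self):
        self.entries = []

    def record(self, actor, action, target, allowed):
        prev_hash = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action, "target": target,
            "allowed": allowed, "prev_hash": prev_hash,
        }
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute every hash and check the chain; False if anything was altered."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev_hash"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


class AdminTool:
    def __init__(self, user_roles, audit):
        self.user_roles = user_roles   # username -> role name
        self.audit = audit
        # Constructed customer record.
        self.customers = {"cust-1001": {"contact": {"email": "a@example.com"},
                                        "billing": {"last4": "4242"}}}

    def _check(self, actor, permission, target):
        role = self.user_roles.get(actor)
        allowed = permission in ROLE_PERMISSIONS.get(role, set())
        # Denied attempts are logged too; repeated denials are an audit signal.
        self.audit.record(actor, permission, target, allowed)
        if not allowed:
            raise PermissionDenied(f"{actor} ({role}) lacks {permission}")

    def view_contact(self, actor, customer_id):
        self._check(actor, "customer.contact:read", customer_id)
        return self.customers[customer_id]["contact"]

    def view_billing(self, actor, customer_id):
        self._check(actor, "customer.billing:read", customer_id)
        return self.customers[customer_id]["billing"]


def demo():
    """Exercise the policy. Returns (results, log_valid_before, log_valid_after_tampering)."""
    audit = AuditLog()
    tool = AdminTool({"alice": "support", "bob": "billing"}, audit)
    results = {"support_contact": tool.view_contact("alice", "cust-1001")["email"]}
    try:
        tool.view_billing("alice", "cust-1001")
        results["support_billing"] = "allowed"
    except PermissionDenied:
        results["support_billing"] = "denied"
    results["billing_billing"] = tool.view_billing("bob", "cust-1001")["last4"]
    valid_before = audit.verify()
    # Simulate someone rewriting history: flip the denied entry to "allowed".
    audit.entries[1]["allowed"] = True
    return results, valid_before, audit.verify()


if __name__ == "__main__":
    print(demo())
```

In a real deployment the log would be shipped to storage the tool's own administrators cannot edit; the hash chain only makes tampering visible, it does not prevent it.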
Managing compliance and audits
Recurring process and technology audits are required for regulatory and compliance certifications and are good practice for other products, too. For some businesses and contracts, customers will require audits before a contract can be completed. Those audits can include a detailed analysis of your product and even include a review of your code or interviews with you to answer questions about the product.
Work with your security, compliance, and legal representatives to understand what the audit process is like: what it covers, how long it takes, what kind of report it produces, and what types of actions might be needed to respond to anything the audits find. Usually there will be a very comprehensive up-front audit for a new product, and then a shorter annual audit review to make sure you are still compliant and to determine what you need to do to remediate any problems if not.
How you inform customers of compliance
If you advertise your services as PCI compliant or HIPAA compliant, you are required by those regulations to provide documentation to customers and auditors to prove that you have met the requirements and that you continue to meet the requirements. It could also add business value to advertise that you meet these standards, though it would be expensive and time-consuming to earn these certifications if your business doesn't require them.
New privacy laws also require specific methods of compliance like providing a publicly accessible privacy policy, providing users with a complete record of all the data you've collected about them on demand, or deleting their account entirely from your product and from all services with which you've shared their data at their request. You might need to build specific features into your product to support this or incorporate tools that manage it for you. If you don't plan for these needs, it could be extremely costly to handle those requests. You might also fail to fully comply with the requests, which can come with extremely high penalties.
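Two of the record-keeping needs in this checkpoint, tracking which terms each user accepted and when (from the section on how your product is sold) and the on-demand export and full deletion described just above, share the same underlying data model. Here is an added example of that model; it is not code from this checkpoint or from any real product. The user IDs, terms versions, and partner names are constructed for illustration.

```python
"""
Added example: a small privacy ledger covering consent records, third-party
data shares, on-demand export, and deletion that fans out to every partner
the data was shared with. All identifiers below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Consent:
    terms_version: str
    accepted_at: str


@dataclass
class Share:
    partner: str       # e.g. an analytics or marketing vendor
    categories: set    # data categories sent, e.g. {"email", "usage"}


@dataclass
class UserRecord:
    profile: dict = field(default_factory=dict)
    consents: list = field(default_factory=list)
    shares: list = field(default_factory=list)


class PrivacyLedger:
    def __init__(self):
        self.users = {}
        # Deletion requests issued to partners and not yet confirmed.
        self.pending_partner_deletions = []

    def _user(self, uid):
        return self.users.setdefault(uid, UserRecord())

    def update_profile(self, uid, **fields):
        self._user(uid).profile.update(fields)

    def record_consent(self, uid, terms_version, when=None):
        when = when or datetime.now(timezone.utc).isoformat()
        self._user(uid).consents.append(Consent(terms_version, when))

    def has_accepted(self, uid, terms_version):
        """True only for this exact version; once the terms change,
        an older acceptance no longer counts."""
        return any(c.terms_version == terms_version for c in self._user(uid).consents)

    def record_share(self, uid, partner, categories):
        self._user(uid).shares.append(Share(partner, set(categories)))

    def export(self, uid):
        """Everything held about the user, in a form that can be handed over."""
        u = self._user(uid)
        return {
            "profile": dict(u.profile),
            "consents": [vars(c) for c in u.consents],
            "shared_with": sorted({s.partner for s in u.shares}),
        }

    def delete(self, uid):
        """Erase local data and return the partner deletion requests that
        must be issued for the erasure to be complete."""
        u = self.users.pop(uid, None)
        if u is None:
            return []
        requests = []
        for partner in sorted({s.partner for s in u.shares}):
            req = {"partner": partner, "user": uid, "status": "pending"}
            requests.append(req)
            self.pending_partner_deletions.append(req)
        return requests

    def confirm_partner_deletion(self, partner, uid):
        for req in self.pending_partner_deletions:
            if req["partner"] == partner and req["user"] == uid:
                req["status"] = "confirmed"


def demo():
    ledger = PrivacyLedger()
    ledger.record_consent("u42", "tos-2023-01", "2023-02-01T10:00:00+00:00")
    ledger.update_profile("u42", email="u42@example.com")
    ledger.record_share("u42", "analytics-vendor", ["usage"])
    ledger.record_share("u42", "mail-vendor", ["email"])
    ledger.record_share("u42", "analytics-vendor", ["email"])
    current = ledger.has_accepted("u42", "tos-2023-01")
    stale = ledger.has_accepted("u42", "tos-2024-01")   # terms changed: re-consent needed
    export = ledger.export("u42")
    requests = ledger.delete("u42")
    ledger.confirm_partner_deletion("mail-vendor", "u42")
    outstanding = [r["partner"] for r in ledger.pending_partner_deletions
                   if r["status"] == "pending"]
    return {"current": current, "stale": stale, "export": export,
            "requests": requests, "outstanding": outstanding,
            "local_data_remains": "u42" in ledger.users}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noticing is that a share is recorded at the moment data leaves your system, not reconstructed later: without that record, the deletion request cannot know which partners to contact, which is exactly how a deletion ends up incomplete.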
Activity 🎯
Imagine that you're the PM on the products listed below. In your notebook, write a bullet-point list identifying any legal issues that you might want to get ahead of before making the product change described. Respond to each of the following scenarios with a list:
- Instagram is about to launch a children's version of their product.
- Namely (an HR management tool) is going to start offering their own health insurance to their customers.
- Lyft is going to add a feature where you can let other users see your exact location while you're waiting for or taking a ride.
- For any product, you're about to integrate a new analytics and advertising system so that you can target users with more specific site and ad messages.
Write these answers in your Notion Page