California helped create the modern Big Data industry, in which tech companies vacuum up and profit off personal information. Now a new law in the state is creating something like a solution to the loss of privacy.
The California Consumer Privacy Act, which took effect Jan. 1, gives people the right to know what large companies know about them and the right to block the sale of that information to others. In effect, it created a market for privacy expertise and software.
A wave of privacy-focused technology startups is offering a variety of services, from personal data scrubbing to business-focused software meant to help companies comply with the law.
A brief list of the nearly 300 companies now selling privacy services includes Privacera, Privsee, Privally, Privitar and Privaon. There’s DataFleets, DataGrail, DataGravity, Dataguise, DataTrue and Datastream.io. And there’s HITRUST, Mighty Trust, OneTrust, trust-hub, TrustArc and The Media Trust, as well as SecureB2B, Securiti.ai, Security Scorecard and Very Good Security.
“We’ve just created a privacy industry,” said Alastair Mactaggart, head of Californians for Consumer Privacy, the organization that pushed the state to pass its landmark new privacy law.
And because many businesses have chosen to apply it nationwide, the privacy industry suddenly has a large potential customer base in the U.S. — with companies to match.
“You have a new startup coming up every day with a proposition around privacy and data protection,” said Enza Iannopollo, senior analyst at the research company Forrester Research, who is tracking the growth of what amounts to a new sector.
By one count, the number of privacy startups assisting corporate clients has grown more than fivefold in three years. The International Association of Privacy Professionals, a nonprofit privacy organization, counted 259 such vendors in October, up from 44 in early 2017.
“It looks like a hockey stick these days,” said Caitlin Fennessy, the association’s research director, referring to the growth in the number of privacy companies. (Silicon Valley startups often use a hockey stick-shaped line graph to represent fast growth.)
And the booming privacy sector even has its first unicorn, defined as a privately held startup with a valuation above $1 billion. OneTrust, based in Atlanta, was valued at $1.3 billion by venture capitalists in a round of fundraising last summer. It sells software to help businesses know what data they have, evaluate their risks and disclose data to customers upon request.
OneTrust said it has more than 5,000 customers worldwide, including more than 40 percent of the Fortune 500.
The company was already seeing a jump in business after Europe implemented its own strict privacy regulation in 2018, but the California law created another ready-made market for the company’s products, CEO Kabir Barday said.
“There’s a law that says you have to do something, and it’s too complicated to implement on your own,” Barday said.
He said he expects demand to grow rapidly as other states and countries consider new privacy laws in response to consumer outrage. “They’re increasingly getting more and more passionate about ‘what are you doing with my data?’” he said.
The number of different markets is part of what’s making the privacy arena an attractive investment: Companies that have sharpened their expertise or software in Europe or California may be able to replicate their work in other jurisdictions.
“The services they are providing are tied to principles that we’ve seen across privacy laws, data protection laws,” Fennessy said.
Some services are simple, like powering the website buttons that prompt people to accept or decline tracking cookies. More advanced services include data “mapping,” in which a company helps a client figure out how information flows within their organization.
Because every large company in California is required to be able to tell users what data it has about them, each of those companies needs a process to respond to user requests. Privacy vendors can handle that, too, by setting up online portals or email systems.
Other startups are focused on selling services directly to consumers, not corporate clients. The app Jumbo launched last year, promising to streamline the numerous privacy settings on sites like Facebook.
“There’s a fraction of people who think they’ve lost control of their data and their privacy. It’s become too complex, and we don’t know where the data’s going,” Jumbo CEO Pierre Valade said. The app, which centralizes privacy decisions in one place and says it doesn’t collect data, plans to announce a subscription plan in March.
It’s a sudden privacy shift for the U.S. tech sector, in which companies such as Facebook and Google built their recent wealth by accumulating vast amounts of personal information from users and using the data to sell advertisements.
But the California law is complicated enough that large, older businesses have found compliance difficult without the help of outside companies. They may feel inundated with requests by customers for their personal information, and that’s where some of the startups come in: automating the process of taking in and fulfilling the requests.
“To be able to respond to these requests as an organization, you need to know the data you have, you need to know how that data links to that entity, and you need to know where the data is,” Iannopollo said.
Mactaggart, one of the architects of the California law, said he sees the startups as a promising sign because, as they grow, they’ll become a powerful bulwark for privacy itself.
Mactaggart, a real estate developer, said the new companies remind him of environmental consultants in the real estate industry: a set of businesses created by regulatory necessity that ultimately become ingrained advocates for strong regulation.
“If you’re them, what’s your friend? Your friend is legislation mandating privacy laws,” Mactaggart said.