New privacy laws generate business opportunities, compliance headaches

When American intelligence consultant Edward Snowden revealed the breadth of personal data collection by US intelligence agencies back in 2013, many saw a massive privacy violation. Kristina Bergman saw a massive business opportunity.

“When I saw the whole Edward Snowden thing happen, I remember watching how shocked everybody was about how much data was being collected about them,” said Bergman, a venture capitalist with a history in the Big Data industry. “Having worked in data for 20 years, I was not shocked. I was shocked that they were shocked.”

An idea took root. A year later, when Bergman read an early draft of the European Union's then-proposed General Data Protection Regulation, the idea became a plan. She founded Integris Software, a company that helps other companies comb through petabytes of data to flag personally identifiable data that they must map to comply with the GDPR and the new California Consumer Privacy Act.

The founder and chief executive officer of Integris Software is among a new group of entrepreneurs who see the data-protection movement around the world in Europe, California and other places as a powerful business opportunity. They are building companies that help other businesses comply with new data-protection laws, or that help consumers exercise new privacy rights bestowed under GDPR, CCPA and other laws.

“Big companies are created when there are big market shifts,” Bergman said. “That could be new technologies, changing sentiments in the public. Really any type of new innovation creates new markets and new opportunities.” Privacy is one of those big shifts, Bergman believes.

Economic impact

CCPA has received criticism for being a potential drag on the California economy. A fiscal analysis by the state last year forecast that total compliance costs for California businesses would range from $467 million to $16.5 billion over the coming decade.

With CCPA just two months old, it’s too soon to know how many businesses are being launched to take advantage of the new privacy law, particularly since enforcement of the law's new privacy rights won’t start until July 1. But anecdotal evidence suggests the law’s significant compliance costs are only part of the economic story, and that some new privacy-oriented companies and services are being created to take advantage of the business opportunity created by new regulation.

Last year, for example, OneTrust, an Atlanta-based company that offers software and other services to help companies comply with GDPR and CCPA, became the first privacy “unicorn” —Silicon Valley jargon for a startup valued at $1 billion or more — when OneTrust accepted an initial venture capital funding round of $200 million at a valuation of $1.3 billion.

The co-author of the CCPA, Alastair Mactaggart, said he regularly receives calls from startups or entrepreneurs who want to build a business around the new California privacy law. Mactaggart, a real estate developer who describes himself as a businessperson first and a privacy advocate second, said that’s what he wanted CCPA to do from the beginning.

Just as computer viruses and other types of malicious software spawned big companies like Symantec, FireEye or CrowdStrike, Mactaggart says the global data-protection movement will also likely spawn new companies and a privacy industry. Mactaggart told MLex in a recent interview, for example, that during the preceding week, he was approached by entrepreneurs from Australia and France who are interested in moving their companies to California to build businesses around the CCPA.

One of the key new privacy rights in the CCPA allows consumers to opt out of the sale of their personal data to third parties. Mactaggart said he wrote CCPA specifically to allow businesses to act as an agent for consumers who don’t want to pay someone else to do the work of requesting that companies stop the sale of their personal data.

One such privacy startup is Confidently, which co-founder Brent Blackaby said will soon start allowing California consumers a service in which the startup would opt them out of the sale of their data to third parties. As part of a study of more than 160 consumer-facing companies as Confidently prepared to offer that service, the startup found that a significant number are putting obstacles in the path of consumers seeking to opt out of the sale of their data.

“We had to do the analysis, so we would know where we’re going to be sending data and how we’re going to complete [opt-out] requests,” Blackaby said.

Need for Automation

Seattle-based Integris Software uses artificial intelligence to allow companies to dig through massive databases held by companies and pull out data defined as personally identifiable information by GDPR, CCPA, and soon, other privacy laws.

For example, Bergman said, to flag personally identifiable religious data defined as sensitive personal data by GDPR, the company’s software might search for instances of the words “kosher” or “halal,” as well as for more obvious instances of sensitive personal information such as US Social Security numbers and credit or debit card numbers.

“We help automate it, because when you’re dealing with petabytes of data ... it’s too much data for individual people to deal with,” Bergman said. “You need to have automation built in.”

Companies are buying Integris’ services in part because of the financial risk of a GDPR or CCPA fine, she said, but even more so because the potential damage to their brand could be even more costly.

“It’s not just because 4 percent of revenue is a big, scary number,” she said, referring to the maximum fine under GDPR. “It’s because they don’t want to end up on the front page of the Wall Street Journal or the Washington Post as having violated people’s privacy, and risk losing people’s trust." The feeling of the firm’s customers "was consistent. Everybody was worried about brand and reputation, because so many of them depend on the trust of their consumers to collect and enhance their data.”

Mactaggart’s view is that new privacy regulation is part of the law of supply and demand, because people want more privacy and lawmakers are responding to that demand. He believes strongly that GDPR and CCPA are just the earliest instances of what will be a central area of business regulation for the foreseeable future.

“The gravitational pull is toward more user control of their data and I think that’s where it’s going to end up,” he said. “I think this is just where society is heading.”