Businesses operating in California are required to be in compliance with a sweeping new privacy law, the California Consumer Privacy Act, starting this month. They’ll have a few months to figure out the specifics, because the state’s attorney general is still working out the final rules and isn’t expected to start enforcement until July. But the new requirements are already causing widespread anxiety among many businesses that handle consumer data.
A wave of startups, law firms and consultants are looking to take advantage of that anxiety—and to capture some of the $55 billion that companies are expected to spend on initial compliance with the law. Bart Willemsen, an analyst at Gartner who advises clients on compliance, has identified over 200 companies pitching products to help companies adhere to privacy rules. None of them actually offer a comprehensive solution. “There's no single silver bullet,” he said.
The CCPA mandates that businesses are able to tell customers what data they have gathered about them, and to stop selling that data upon request. That requires companies to be more conscious of what data they keep and where they keep it. Building those tools from scratch can be complicated and expensive.
One startup, TerraTrue Inc., aims to help other businesses keep track of sensitive user data. “What we're doing is building a complete privacy platform that lets companies automate the ways in which they comply all these privacy laws,” said Chris Handman, the startup’s chief operating officer.
TerraTrue grew out of work the startup’s founders, who were previously executives at Snap Inc., did to build that company’s internal privacy systems. The company has raised $4.5 million from investors so far. It joins a host of other startups helping companies prepare for the CCPA, including Austin-based Osano Inc., which has raised over $8 million, and Securiti Inc., which announced a $31 million round of investment in August.
Other companies like DataFleets Ltd. are pitching sophisticated machine learning tools designed to minimize the risk of exposing customers’ private information. “The data never leaves their phone, they retain complete control with it, it remains compliant with data regulations,” said David Gilmore, the company’s chief executive officer.
Some companies have already been adapting to stricter privacy rules elsewhere, such as the European Union’s General Data Protection Regulation, or GDPR. Those that have done so are better prepared to comply with California’s law, according to Peter Reinhardt, CEO of Segment.io Inc., a San Francisco-based startup that is helping customers navigate the new data laws. The laws aren’t identical, but some of the preparation is transferrable. “CCPA hits hard the companies that aren't operating globally and this is the first time they need to deal with it,” said Reinhardt.
The CCPA only applies to companies that generate more than $25 million in annual revenue, handle personal information of more than 50,000 people or devices, or earn more than half their revenue from selling personal information. Many companies are experiencing significant privacy rules for the first time, and some seem prepared to test the limits. Alphabet Inc.’s Google and Facebook Inc. contend that they’re exempt from rules governing companies that sell data, since they say they don’t share consumer data with ad buyers.
Other companies will likely ignore some of the bill’s provisions until they see how it’s enforced. The California Attorney General’s Office has said it has limited resources for enforcement. Handman of TerraTrue says many businesses are unsure about what they need to do, which “creates a greater interest in products that clarify that confusion.”
Even companies who could handle the law independently may be tempted to pay for outside help. Marco Zappacosta, the CEO of the California-based local services company Thumbtack Inc., said he has assigned staff on his engineering, product, marketplace, policy and legal teams to prepare the company for the new rules. But he hopes to have them back to their regular jobs soon. “Look, you talk to any tech company and I bet they will tell you they are engineering or product constrained,” said Zappacosta. “Any effort that takes away from that has an opportunity cost.”
The CCPA likely won’t be the last new privacy rule that companies have to figure out. India is considering sweeping legislation, and the United Kingdom could formulate its own approach once when it leaves the European Union. U.S. states like New York and Washington are considering their own legislation, as is Congress.
Technology industry groups worry that a regulatory patchwork could make compliance more burdensome. That could be bad news for businesses trying not to run afoul of any new laws. But it could be a welcome development for those companies who want to help them do so.