California’s big new privacy law is creating a $55 billion opportunity, and tech companies are rushing to get in on it
- The California Consumer Privacy Act, or CCPA, is intended to give consumers a lot more control over the personal data that’s collected by websites and apps.
- California itself estimates that companies will spend $55 billion this year to get into compliance with the law.
- Experts say that startups are well-positioned to capitalize on CCPA by going after a slice of that very large pie.
- While there are many companies, including Box and Very Good Security, that offer tools to help manage a company’s data, there’s no “single silver bullet” solution out there, experts say.
- Click here for more BI Prime stories.
On January 1st, the California Consumer Privacy Act, or CCPA, officially went into effect — a landmark new privacy law championed by Governor Gavin Newsom intended to give consumers in the state more control over the personal data collected by websites, apps, and other online services.
While California’s attorney general is putting finishing touches on the law and isn’t expected to start enforcing it until July, companies are already starting to worry about getting into compliance. Indeed, companies are expected to spend $55 billion this year to get in compliance with California’s law, according to the state’s own estimate.
That’s created a huge opportunity for tech companies, and perhaps especially startups, several Silicon Valley insiders have told Business Insider. The law requires companies to allow their customers to request a copy of all the data it’s collected about them — and, furthermore, requires that data be deleted upon request.
That’s a problem for a lot of companies, who may simply not have the tools to process all of their customer data across various systems and software and put it into a tidy report, let alone to delete all of it as required by the law. For tech companies that specialize in data management, then, this could be a boon.
“We want to be an enabler to companies being able to stay compliant with all of these new, emerging privacy laws. So for us, realistically, this is actually a tailwind to our business model, it’s a positive trend for us,” Aaron Levie, CEO of business cloud-storage company Box, told Business Insider.
That’s good news for established companies like Box, for sure, but also for smaller startups. The scale of the problem is such that no single company can currently tackle it on their own, said Bart Willemsen, an analyst at Gartner.
There are lots of different pieces of the puzzle, here, he says: Not only how companies handle the data they’ve collected, but also the ways and tools they use to collect it in the first place, as well as the customer experience for making it easy and seamless for customers to access that data, as required by law. No one company can do all of it — and, indeed, it falls on the company itself to figure out the best combination of tools to get there.
“There are those that present themselves as the, ‘we do everything for you with the one single silver bullet,’ but I don’t believe that. Nobody makes an organization compliant other than the organization itself,” Willemsen told Business Insider.
Robert Cattanach, a lawyer who specializes in data regulations and data breaches, said right now most companies aren’t equipped to deal with a request from a consumer asking what data they have on them.
“I see the biggest issue as understanding where data is and how to access that data…their data systems have not been developed with that kind of functionality in mind, so they’re having to create it…so I think that response to consumer requests is going to be the biggest challenge,” Cattanach said.
In-Sik Rhee, a partner at Vertex Ventures, said data privacy and compliance is a space where his firm is looking for investment opportunities in the next year. He adds that there’s going to be a huge need for companies to organize and better manage their data.
“I think for a lot of companies they’re not really selling your data or doing other things, but they are capturing the data. But those that have captured data, they now need to have better hygiene in terms of sorting it properly or protecting it,” Rhee said. “So there’s companies that are helping just manage the data as you’ve collected it.”
And there are already many smaller companies being born with the goal of meeting those needs.
Very Good Security (VGS) is one such startup, which layers itself on top of a company’s software and parses out which data is most sensitive. That data then gets shunted to VGS’s own systems for safeguarding and processing, taking the burden of protecting it away from the customer while also making it easier to make sense of all of it. That approach got a vote of confidence from investors from Visa and Goldman Sachs.
“We understand the intent of where and how you’re receiving that data so that you can perform operations on it without necessarily having it. So you’ve shifted custodianship to VGS and all you have is a reference that looks like the real data, but it’s useless,” Mahmoud Abdelkader, co-founder and CEO of VGS, told Business Insider.
Indeed, Rehan Jalil — the founder of a company called Securiti.ai, formed by ex-Symantec employees — says that regulations like CCPR and Europe’s General Data Protection Regulation (GDPR) are going to require a rethinking of how data is handled, with a focus on making it as easy and automatic as possible to protect customer data. Jalil calls this approach “privacy ops.”
“That’s where I see the biggest opportunities and a lot of companies are working on it and will continue to work on it, how to operationalize privacy and automate privacy inside a company,” Jalil said.
No magic bullet
It also remains to be seen what new data privacy regulations come about in other states or nationwide.
Willemsen, the Gartner analyst, said tackling this long term means companies have to acknowledge that data privacy and management is an integral part of their organization, regardless of if laws require it. Those that already see that, and are taking moves to better protect and serve their customers, are further alone the curve than the rest, he says.
“Privacy in itself is infinitely more than just regulatory compliance,” he said. “And if an organization gets it right and understands the principle here, you’ll see that they are further ahead in terms of many different things compared to their opposition.”