Californiaâs new privacy law creates $55-billion gold rush for start-ups

Businesses operating in California are required to comply with a sweeping new privacy law, the California Consumer Privacy Act, starting this month. Theyâll have a few months to figure out the specifics, because the stateâs attorney general is still working out the final rules and isnât expected to start enforcement until July. But the new requirements are already causing widespread anxiety among many businesses that handle consumer data.
A wave of start-ups, law firms and consultants is looking to take advantage of that anxiety â and to capture some of the $55 billion companies are expected to spend on initial compliance with the law. Bart Willemsen, an analyst at Gartner who advises clients on compliance, has identified over 200 companies pitching products to help companies adhere to privacy rules. None of them actually offers a comprehensive solution. âThereâs no single silver bullet,â he said.
The CCPA mandates that businesses tell customers what data they have gathered about them, and to stop selling that data upon request. That requires companies to be more conscious of what data they keep and where they keep it. Building those tools from scratch can be complicated and expensive.
One start-up, TerraTrue Inc., aims to help other businesses keep track of sensitive user data. âWhat weâre doing is building a complete privacy platform that lets companies automate the ways in which they comply with all these privacy laws,â said Chris Handman, the San Francisco start-upâs chief operating officer.
TerraTrue grew out of work the start-upâs founders, who were previously executives at Snap Inc., did to build that companyâs internal privacy systems. The company has raised $4.5 million from investors so far. It joins a host of other start-ups helping companies prepare for the CCPA, including Austin, Texas-based Osano Inc., which has raised over $8 million, and Securiti Inc., which announced a $31-million round of investment in August.
Other companies like DataFleets Ltd. are pitching sophisticated machine learning tools designed to minimize the risk of exposing customersâ private information. âThe data never leaves their phone, they retain complete control with it, it remains compliant with data regulations,â said David Gilmore, the Palo Alto companyâs chief executive.
Some companies have already been adapting to stricter privacy rules elsewhere, such as the European Unionâs General Data Protection Regulation, or GDPR. Those that have done so are better prepared to comply with Californiaâs law, according to Peter Reinhardt, CEO of Segment.io Inc., a San Francisco-based start-up that is helping customers navigate the new data laws. The laws arenât identical, but some of the preparation is transferrable. âCCPA hits hard the companies that arenât operating globally and this is the first time they need to deal with it,â said Reinhardt.
The CCPA only applies to companies that generate more than $25 million in annual revenue, handle personal information of more than 50,000 people or devices, or earn more than half their revenue from selling personal information. Many companies are experiencing significant privacy rules for the first time, and some seem prepared to test the limits. Alphabet Inc.âs Google and Facebook Inc. contend that theyâre exempt from rules governing companies that sell data, since they say they donât share consumer data with ad buyers.
Other companies will likely ignore some of the billâs provisions until they see how itâs enforced. The California attorney generalâs office has said it has limited resources for enforcement. Handman of TerraTrue says many businesses are unsure about what they need to do, which âcreates a greater interest in products that clarify that confusion.â
Even companies that could handle the law independently may be tempted to pay for outside help. Marco Zappacosta, the CEO of the California-based local services company Thumbtack Inc., said he has assigned staff on his engineering, product, marketplace, policy and legal teams to prepare the company for the new rules. But he hopes to have them back to their regular jobs soon. âLook, you talk to any tech company and I bet they will tell you they are engineering or product constrained,â said Zappacosta. âAny effort that takes away from that has an opportunity cost.â
The CCPA likely wonât be the last new privacy rule that companies have to figure out. India is considering sweeping legislation, and the United Kingdom could formulate its own approach once it leaves the European Union. U.S. states like New York and Washington are considering their own legislation, as is Congress.
Technology industry groups worry that a regulatory patchwork could make compliance more burdensome. That could be bad news for businesses trying not to run afoul of new laws. But it could be a welcome development for those companies who want to help them do so.
Newcomer writes for Bloomberg.