Data privacy startup Ethyca had been busy in the lead-up to July 1—the day the California Consumer Privacy Act became enforceable.
From April to June, the New York-based company recorded a 150% month-over-month increase in demand, an indication that many businesses were scrambling to prepare for when the CCPA would be enforced, its co-founder and CEO Cillian Kieran said.
Even though the law has been in effect since the beginning of the year, the state’s attorney general, Xavier Becerra, can now take direct action against companies that violate the regulations.
Several startups had hoped California would delay the law’s enforcement date. But after Becerra decided against it, companies were forced to ensure they would have enough cash runway for privacy solutions to survive the next few months, Kieran said.
“It is certainly not a lack of care for privacy, but an issue of prioritization,” he explained. “When businesses are struggling commercially during a pandemic, it is very difficult to address privacy issues that are not exactly revenue generating.”
Ethyca develops a privacy cloud that can be integrated with applications such as Shopify, Zendesk and Stripe to automate data mapping, track individual consumer requests and build reports according to privacy regulations.
The CCPA applies to businesses that generate annual revenue of more than $25 million, and companies that collect data of 50,000 or more consumers, households or devices. It also applies to businesses that get at least 50% of revenue from selling consumer information.
Nearly 75% of companies in the state of California will reportedly be affected by the law.
The CCPA intends to grant California consumers control over their personal information, such as the right to know, delete and opt out of the sale of personal information that businesses collect. When a consumer files an inquiry with a company wanting to know what personal information is being shared, businesses generally have 45 days to respond.
If companies are unable to respond, the attorney general may prosecute them for general violations. California will give them 30 days to resolve violations. If companies don’t, they could face penalties of $2,500 per unintentional violation and $7,500 for an intentional one.
For startups to correctly respond to consumer requests, they first need to understand what consumer information they collect, determine who has access to it and why, Kieran said.
Then, they need to establish methods that allow consumers to submit requests, train employees on how to retrieve information, and deploy appropriate security procedures to mitigate risk of penalties.
Smaller companies tend to settle for manual operations if they can get away with it, said Dimitri Sirota, co-founder and CEO of privacy compliance platform BigID.
But the New York-based company also saw a push from some of its bigger customers in January, well before the enforcement date.
“They cannot afford [to be non-compliant] from a reputational and liability standpoint, and they are also bigger targets for the regulators,” he said.
Other VC-backed startups such as Securiti.ai and OneTrust are also helping companies comply with the CCPA, offering tools that maintain an inventory of consumer information and apply machine learning to classify required information, detect data breaches and generate consumer reports.
Consumer privacy laws have cropped up around the world with the General Data Protection Regulation in Europe and various data protection laws in China. With the advent of these measures, companies have increasingly been encouraged to use third-party data security tools to ensure they meet the requirements.
After the GDPR went into effect, incumbent data loss prevention solutions did not provide the level of data mapping needed to comply with parts of the law, said Brendan Burke, an emerging tech analyst at PitchBook.
“Given the uncertainty around these policies, growth-stage companies have the potential to tailor new products to meet these compliance needs and work collaboratively with regulators to clarify enforcement mechanisms,” he said.
As a growing number of US states such as Nevada and Maine adopt some form of data privacy laws, startups seeking to raise fresh capital are likely to face additional scrutiny from investors.
“When conducting due diligence for startups, investors and their counsel are now requiring that startups represent and warrant that they have adopted a clear set of policies, procedures, and indeed, a mission and architecture, to handle both the privacy and protection of personal data,” said Louis Lehot, a corporate lawyer and founder of Bay Area-based L2 Counsel.
In 2018, the National Venture Capital Association amended its standard stock purchase agreement forms to require companies raising venture capital at the earliest stage to ensure they comply with privacy laws.