PitchBook: Data privacy startups see demand spike as California enforces law

Data privacy startup Ethyca had been busy in the lead up to July 1—the day the California Consumer Privacy Act became enforceable.

From April to June, the New York-based company recorded a 150% month-over-month increase in demand, an indication that many businesses were scrambling to prepare for when the CCPA would be enforced, its co-founder and CEO Cillian Kieran said.

Even though the law has been in effect since the beginning of the year, the state’s attorney general, Xavier Becerra, can now take direct action against companies that violate the regulations.

Several startups had hoped California would delay the law’s enforcement date. But after Becerra decided against it, companies were forced to ensure they would have enough cash runway for privacy solutions to survive the next few months, Kieran said.

“It is certainly not a lack of care for privacy, but an issue of prioritization,” he explained. “When businesses are struggling commercially during a pandemic, it is very difficult to address privacy issues that are not exactly revenue generating.”

Ethyca develops a privacy cloud that can be integrated with applications such as Shopify, Zendesk and Stripe to automate data mapping, track individual consumer requests and build reports according to privacy regulations.

The CCPA applies to businesses that generate annual revenue of more than $25 million, and companies that collect data of 50,000 or more consumers, households or devices. It also applies to businesses that get at least 50% of revenue from selling consumer information.

Nearly 75% of companies in the state of California will reportedly be affected by the law.

The CCPA intends to grant California consumers control over their personal information, such as the right to know, delete and opt out of the sale of personal information that businesses collect. When a consumer files an inquiry with a company wanting to know what personal information is being shared, businesses generally have 45 days to respond.

If companies are unable to respond, the attorney general may prosecute them for general violations. California will give them 30 days to resolve violations. If companies don’t, they could face penalties of $2,500 per unintentional violation and $7,500 for an intentional one.

For startups to correctly respond to consumer requests, they first need to understand what consumer information they collect, determine who has access to it and why, Kieran said.

Then, they need to establish methods that allow consumers to submit requests, train employees on how to retrieve information, and deploy appropriate security procedures to mitigate risk of penalties.

Smaller companies typically tend to settle for manual operations if they can get away with it, said Dimitri Sirota, co-founder and CEO of privacy compliance platform BigID.