Data privacy startup Ethyca had been busy before July 1, the day the California Consumer Privacy Law went into effect.
From April to June, the New York-based company recorded a 150% monthly demand increase, an indication that many companies were struggling to prepare for CCPA compliance, said its co-founder and CEO, Cillian Kieran.
Even though the law has been in place since the beginning of the year, the state’s attorney general, Xavier Becerra, can now take direct action against companies that violate the regulations.
Several startups had hoped that California would delay the law's enforcement date. But after Becerra decided not to, the companies were forced to ensure they would have enough cash on hand for privacy solutions to survive in the coming months, Kieran said.
“It is certainly not a lack of privacy care, but a matter of prioritization,” he explained. “When companies struggle commercially during a pandemic, it’s very difficult to address privacy issues that don’t exactly generate revenue.”
Ethyca develops a privacy cloud that can be integrated with applications like Shopify, Zendesk and Stripe to automate data mapping, track individual consumer requests, and generate reports in accordance with privacy regulations.
The CCPA applies to businesses that generate annual revenues of more than $25 million and businesses that collect data from 50,000 or more consumers, households, or devices. It also applies to companies that earn at least 50% of their income from the sale of consumer information.
Nearly 75% of businesses in the state of California will reportedly be affected by the law.
The CCPA intends to give California consumers control over their personal information, such as the right to know, delete, and opt out of the sale of personal information that companies collect. When a consumer submits a request to a company asking what personal information is shared, companies generally have 45 days to respond.
If companies cannot respond, the attorney general can prosecute them for general violations. California gives companies 30 days to resolve violations. If companies fail to do so, they could face fines of $2,500 for an unintentional violation and $7,500 for an intentional violation.
For startups to respond correctly to consumer requests, they must first understand what consumer information they collect and determine who has access to it and why, Kieran said.
Then, they must establish methods that allow consumers to submit requests, train employees on how to retrieve information, and implement appropriate security procedures to mitigate the risk of penalties.
Smaller companies generally tend to settle for manual operations if they can get away with it, said Dimitri Sirota, co-founder and CEO of privacy compliance platform BigID.
But the New York-based company also saw a boost from some of its biggest customers in January, long before the enforcement date.
“They cannot pay [to be non-compliant] from the point of view of reputation and responsibility, and they are also more important targets for regulators,” he said.
Other VC-backed startups like Securiti.ai and OneTrust are also helping companies comply with the CCPA with tools to maintain an inventory of consumer information and apply machine learning to classify required information, detect data breaches, and generate consumer reports.
Consumer privacy laws have emerged around the world with the General Data Protection Regulation in Europe and various data protection laws in China. With the advent of these measures, companies have been increasingly encouraged to use third-party data security tools to ensure they comply with the requirements.
After the GDPR went into effect, existing data loss prevention solutions did not provide the level of data mapping necessary to comply with parts of the law, said Brendan Burke, an emerging technology analyst at PitchBook.
“Given the uncertainty surrounding these policies, growth companies have the potential to adapt new products to meet these compliance needs and work collaboratively with regulators to clarify enforcement mechanisms,” he said.
As an increasing number of US states, such as Nevada and Maine, adopt some form of data privacy laws, startups seeking to raise new capital are likely to face additional scrutiny from investors.
“By conducting due diligence for startups, investors and their advisers now demand that startups represent and ensure that they have adopted a clear set of policies, procedures, and indeed a mission and architecture, to handle both privacy and protecting personal data,” said Louis Lehot, corporate attorney and founder of L2 Counsel based in the Bay Area.
In 2018, the National Venture Capital Association amended its standard stock purchase agreement forms to require companies raising risk capital at the earliest stage to ensure they comply with privacy laws.