The companies benefiting from fragmenting internet privacy rules

In 2018, California lawmakers mandated that consumers be able to request their personal data from companies through a toll-free number. And then a group of lawyers, engineers and salespeople for a company in Atlanta got to work.

>>David McCabeThe New York Times
Published : 27 Dec 2021, 01:42 PM
Updated : 27 Dec 2021, 01:42 PM

The company, a startup called OneTrust, now based in a suburb on the city’s outskirts, makes software for businesses trying to stay on the right side of the growing number of internet regulations. In response to the new California law, OneTrust made it easy for companies to set up a number to manage the requests.

In an attempt to rein in tech giants such as Facebook and Google, governments around the world in recent years have approved new laws governing how websites must handle consumer data, treat their competitors and protect young people. The European Union has a data-privacy law that governs the entire bloc. California has approved two privacy measures in recent years, and other states have followed suit.

Out of those regulations has arisen something else: an industry to help companies navigate the increasingly fragmented rules of the global internet.

It’s a booming market. OneTrust, a leader in the field, has been valued by investors at $5.3 billion. BigID, a competitor, raised $30 million in April at a $1.25 billion valuation. Another company that targets privacy regulations, TrustArc, raised $70 million in 2019. Yoti, a startup that provides the kind of age-verification services that regulators are increasingly turning to to shield children from harmful content, has raised millions of dollars since it was founded in 2014.

The emergence of these companies shows how complex regulations governing the web have become — and how much more complicated it is expected to get. Several privacy laws will take effect around the world in the coming years, with more countries and states expected to consider their own proposals.

“They are all reactions to an underlying problem — and they all have their own flavor, they all have their own interpretations and they all have their own focus points,” said Bart Willemsen, an analyst at Gartner, a market research firm. “These regulatory changes nudge organisations — in addition to perhaps any ethical concerns they may have had — to really up their game here.”

Many of the new companies owe their start to the General Data Protection Regulation, an EU law passed in 2016 that pushes websites to ask their users if they agree to being tracked online. It also mandates companies to catalog the personal data they hold.

The European rule was a landmark moment in the fracturing of internet regulation, putting Europe far ahead of Washington in creating guardrails for tech.

“We’re definitely kind of a child of GDPR,” said Dimitri Sirota, CEO of BigID, which was founded the year the law passed. In its earliest days, BigID helped companies map out their data holdings so they could respond to requests under privacy laws. The company now has offices around the world, including Australia, Israel and Switzerland.

OneTrust also owes its birth to the European law. CEO Kabir Barday started the company in 2016, when he saw companies preparing to comply with the rules.

Under the European rules, websites largely must get users’ permission to use cookies, the tiny bits of code that can be used to track people as they move around the internet. In practice, that has meant that visitors to a website are often presented with a pop-up menu or a banner asking them if they will agree to be tracked.

OneTrust helps companies add those banners to their sites. Its clients include pocket-tool maker Leatherman, furniture titan Herman Miller and California fashion designer James Perse, who sells $70 white T-shirts that are a favorite of Evan Spiegel, creator of Snapchat.

In 2018, lawmakers in California passed their own privacy rules, which gave users in the state the right to request their personal data from websites. Demand from companies racing to meet the California law was strong, said Barday.

“A customer would say, ‘Kabir, we need to get started today,’” he said. “And I just said, ‘Customer, we just had, in that time period, a thousand customers in about one quarter that came to us and just said the same thing.’”

Today, OneTrust and its competitors advertise that they can help clients comply with privacy laws in numerous countries, including Brazil, and in American states, including Nevada. OneTrust hands out spiral-bound texts of the California and European laws as swag.

Gabrielle Ferree, a OneTrust spokesperson, said its largest customers generally choose products at a price point that “runs in the six- to seven-figure range annually.”

Products meant to meet new internet regulations may vary in how effectively they actually protect the privacy of people browsing the web, experts said.

A website can, for example, nudge a visitor to agree to being tracked by using a more prominent color for the button that accepts cookies than for the button that rejects them. Or they can present a user with an uneven choice: accept ad tracking with one click or disable it using a complicated settings menu on a different page.

“I really think it’s up to the businesses, and they’re well within their power to make it easier for consumers to opt out or opt in,” said Maureen Mahoney, a policy analyst at Consumer Reports.

Barday said the interest of the businesses that use his products were aligned with the interests of their customers. Companies want to reach consumers who want their products or keep them engaged. And consumers prefer an internet experience personalized to them and their interests, as long as websites are upfront about collecting their data, he said.

“What we love about this market is that capitalism and commercial interest is not at odds with doing good for the world and doing good for people,” he said. "If a business can show that they’re trustworthy and respectful and transparent in how they collect that data, guess what? Consumers provide them the data."

The business has faced setbacks: At the outset of the pandemic, OneTrust laid off 10 percent to 15 percent of its 2,200 employees. Some of those employees threatened to sue the company in Britain last year, saying they had been fired en masse for poor performance despite never receiving bad performance reviews. Employees also told the media that the layoffs came after Barday told his staff that no jobs were at risk.

Ferree, the spokesperson for OneTrust, said the company was “not exempt from the impact of pandemic-related uncertainty in 2020.”

“Ultimately, we had to make difficult employment decisions and strived to protect jobs for the long term,” she said.

But OneTrust and other companies in the industry have continued to grow. OneTrust, which is not yet profitable, says it now has more than 10,000 customers. And it has introduced products aimed at helping companies comply with other regulations, including new protections for whistleblowers in Europe.

OneTrust recently moved out of Atlanta’s city limits into an archetypical tech office with glass-walled conference rooms, exposed ductwork and wide bullpens in the nearby suburb of Sandy Springs.

On a recent Thursday, a smattering of employees gathered to watch part of OneTrust’s annual conference for its customers. They tapped away on their laptops while the warmup act — a British duo composed of a man who spins upbeat music from a set of turntables while his partner jams on her saxophone — played in the background.

The DJ and the saxophonist wrapped up and Barday appeared on the screen. In a sleek, prerecorded video, he laid out the company’s priorities.

“No 1: Do not lose focus on privacy because this is complex and getting more complex,” he said.

© 2021 The New York Times Company

Toufique Imrose Khalidi
Editor-in-Chief and Publisher