Privacy Tech's Third Generation - A Review of the Emerging Privacy Tech Sector JUNE 2021

Page created by Victor Manning
 
AUTHORED BY

Privacy Tech Alliance and Future of Privacy Forum
with
Tim Sparapani and Justin Sherman

The Future of Privacy Forum launched the Privacy Tech Alliance (PTA) as a
global initiative with a mission to define, enhance, and promote the market
for privacy technologies. The PTA brings together innovators in privacy tech
with customers and key stakeholders. Privacy Tech companies can apply to
join the PTA by emailing PTA@fpf.org.

The Future of Privacy Forum (FPF) is a non-profit organization that serves
as a catalyst for privacy leadership and scholarship, advancing principled
data practices in support of emerging technologies. Learn more about FPF
by visiting fpf.org.
TABLE OF CONTENTS

  Executive Summary
  Overview of Conclusions
  Overview of Recommendations
  Introduction
  Global Growth of the Privacy Tech Industry
  Specific Regulations Driving Growth of Industry
  Lack of Consensus Privacy Tech Definitions Limiting Growth of Privacy Tech Industry
  The Privacy Technology “Stack”
  The Buy Side of the Privacy Tech Market
  The Sell Side of the Privacy Tech Market
  Market Trends and Implications for Competition
  Conclusions
  Recommendations
  Appendix: Privacy Technology Buyer Survey Results
  Endnotes

EXECUTIVE SUMMARY

The privacy technology sector, until recently composed of relatively small
startups focused on providing consumer data privacy regulatory solutions for
businesses, is at an inflection point. The sector is rapidly maturing and
expanding both in terms of the number of vendors and the products and
services those vendors offer. Business customers increasingly are seeking
privacy tech partners that provide easily integrated solutions to all of a
business’ data needs, and vendors are moving rapidly to meet this demand.
This report is a review of that market, focused on current developments and
progress. It also identifies misalignments within the market; trends in the
future of privacy technology; and recommendations to address current
challenges.¹

The report offers a privacy “stack” typology for analyzing and understanding
the privacy tech market today. It suggests that privacy tech has evolved
through three main phases into the Privacy Tech 3.0 landscape seen now. The
field started with an initial phase of privacy and security tech industry
technology ideation and vendor formation (Privacy Tech 1.0), and then
developed into a privacy and data security privacy tech landscape of
technologies built natively within large companies, as well as increasingly
sophisticated privacy tech vendors offering their services chiefly to
support privacy regulatory compliance (Privacy Tech 2.0). Now the field has
started to develop into a new state involving niche privacy tech vendors
offering an essential or bespoke tool or technology for sale, and
horizontally-integrated vendors or joint ventures between providers that
offer tools for regulatory compliance and tools to maximize control over and
the availability and value of personal data held by a business (Privacy Tech
3.0).² This report explains this typology and describes a taxonomy of terms
and relationships to provide a consistent understanding of customer needs
and privacy tech offerings commonly associated with this privacy stack.

Second, this report provides an analysis of market dynamics around privacy
tech—from buyer and seller perspectives—in addition to a description of
trends and predictions. The report’s authors found striking consensus about
the direction of the privacy tech industry, potential impediments to its
growth, likely drivers of future acceleration, and recommendations for
industry-led efforts to eliminate those impediments. Sophisticated providers
of privacy tech and sophisticated purchasers of privacy tech identified as a
major obstacle the lack of common privacy vernacular to define terminology
and the inconsistent typification of the so-called privacy stack, i.e., the
technologies that were core to the privacy technology industry.

Finally, this report identifies five market trends and seven implications
those trends hold for the future of the privacy tech market. It then lays
out a work plan of recommendations to facilitate the growth and maturation
of the privacy tech industry.

This report does not address the market for cybersecurity services or
identity services. Although many of these vendors provide services often
described as privacy related, they serve a different market purpose. It also
does not cover the growing number of business-to-consumer services which
seek to help consumers request their data, monetize their data, or perform
other consumer-driven functions with respect to data.³

OVERVIEW OF CONCLUSIONS

To research this report, the authors conducted more than 30 hours of
interviews with dozens of the world’s leading experts on the privacy tech
market, including buyers of privacy tech services and sellers of privacy
tech services. These interviews yielded important insights on the state of
the privacy technology market from leading thinkers and industry
participants. Several clear themes emerged on key issues, allowing us to
offer the following conclusions and recommendations:

  › The COVID-19 pandemic has globally accelerated marketplace adoption of
    privacy technology as individuals and organizations worldwide became
    more heavily dependent on digital technologies and services. It is
    unclear if this is a one-off event or a growth pattern that will
    sustain, but increased purchasing of privacy tech is clear.

  › Common drivers of initial privacy technology purchases are regulatory
    compliance needs, contractual requirements with customers, and slowly
    emerging recognition of the reputational risks associated with data
    privacy breaches, broadly defined. These initial drivers often lead
    purchasers of privacy tech to explore other opportunities to deploy
    additional privacy tech offerings. Regulations by and large remain the
    biggest driver for privacy technology adoption, but the others are
    growing in importance to the extent that privacy is becoming a
    competitive differentiator in some sectors. Organizations are also
    deploying additional tools to mitigate potential harms caused by the use
    of data.⁴

  › While jurisdictions in the US and around the globe have incorporated key
    concepts from other jurisdictions’ consumer privacy regulatory schemes
    into their own, the privacy landscape is expected to become more complex
    and less homogenous as jurisdictions begin to diverge and increase
    regulatory complexity.

  › Common privacy terms, including those included in statutes or
    regulations, are not uniformly defined or understood.

  › The lack of common understanding about privacy terms is limiting the
    growth of the privacy tech industry. With respect to some privacy tech
    offerings, it is unclear whether vendor-developed privacy tech is
    sufficient to satisfy the regulatory compliance or business needs of
    would-be purchasers.

  › In addition to lacking a common vernacular to describe privacy tech,
    there is no commonly accepted methodology for characterizing what
    technologies and services are part of the privacy technology industry or
    the so-called privacy stack. Many interviewed for this report, from both
    the sell-side and buy-side, agreed that it would be useful to classify
    privacy tech companies by the “business needs” their offerings satisfy.

  › The lack of common vernacular and inconsistent typology for the privacy
    stack may also be causing some misalignment between the privacy tech
    available in the market and the needs of buyers.

  › The leading edge of the market has passed through two initial stages of
    privacy tech and has entered a third. The first stage was typified by
    technologies engineered natively within some companies and offered by
    early vendors for sale to achieve a modicum of control over the personal
    data processed by a business (Privacy Tech 1.0). The second stage was
    the development of technologies engineered natively within large
    companies well-resourced enough to devote engineering capabilities to
    regulatory compliance solutions and horizontally-integrated companies or
    collaborations between companies offering personal data regulatory
    compliance services and tools for sale (Privacy Tech 2.0).

  › Recently, privacy tech offerings are expanding well beyond products and
    services that assist in regulatory compliance into products and services
    that assist businesses in making the personal data they encounter both
    maximally available and maximally valuable for business services
    (Privacy Tech 3.0). For example, privacy tech tools are increasingly
    available to assist with business needs across the business enterprise,
    serving: (i) CIOs in making personal information accessible; (ii) CMOs
    in making personal information available for marketing and advertising;
    (iii) Chief Data Scientists in unlocking new insights from personal
    information; and (iv) CISOs in securing data; etc.

  › Because we have entered the Privacy Tech 3.0 market phase, the key
    buyers of privacy tech within many large companies have shifted from the
    Chief Privacy Officer (Privacy Tech 1.0), to the General Counsels, Chief
    Information Security Officers, and Chief Technology Officers (Privacy
    Tech 2.0), to the Chief Marketing Officers, Chief Strategy Officers, and
    Head Data Scientist (Privacy Tech 3.0). The individual who continues to
    have the budget for software purchases tends to be the Chief Technology
    Officer, despite these changes. The Chief Privacy Officer continues to
    be an influencer of these purchases, but should recognize this
    development as a call to embrace the skills and scope of
    responsibilities to maintain a leadership mandate.

  › For many companies, especially small- or medium-sized businesses and
    those that tend to serve only one regulatory market, Privacy Tech 2.0 or
    even 1.0 solutions may be sufficient to meet their needs. However,
    buyers serving global markets increasingly need to build or buy privacy
    tech that supports controls, regulatory compliance, and data
    availability and value. In short, while the market for privacy tech is
    maturing there is evidence of market segmentation between buyers, and
    the most sophisticated companies will need all three evolutions of
    privacy tech solutions.

  › Buyers of privacy tech often prefer to buy integrated privacy tech
    products that accomplish numerous business needs rather than one-off,
    standalone privacy tech solutions. The exception to this rule is when a
    privacy tech vendor offers a “breakthrough” or “highly innovative”
    technology or service, which can justify a contract with a vendor for
    just one niche product or service.

  › Because of buyers’ increasing preference to buy horizontally-integrated
    privacy tech services, better-resourced privacy tech companies with
    numerous, fully developed tools and services are leading current market
    share.

  › There is evidence of companies attempting to provide
    horizontally-integrated services as many privacy tech vendors add new
    features. However, companies that offer Privacy Tech 3.0 services
    focused on maximizing data value within regulatory limits are also
    increasingly providing offerings in the Privacy Tech 1.0 and Privacy 2.0
    services to compete with traditional privacy tech vendors.

  › This buyer preference for horizontally-integrated privacy tech services
    may lead to industry consolidation in the near term. For example,
    recently, some privacy tech companies have merged or acquired rivals or
    providers of adjacent privacy tech products. Further, some private
    equity companies appear to be “rolling up” privacy tech startups into
    larger offerings. Some providers are employing a third strategy of
    formally entering into partnerships, joint ventures, cross-selling, or
    similar collaborations. It is perceived by some that niche providers may
    increasingly struggle unless they are able to offer an entire suite of
    services.

  › While the privacy tech market and privacy vendor strategy for ensuring
    longevity and growth is undergoing transformation, there is striking
    consensus about the determinative factors of how buyers choose whether
    to buy or build privacy tech. Our surveys found commonality among
    respondents about who in the corporate organizational structure often
    has the budget to purchase privacy tech, who in that structure
    identifies the business needs to be met by privacy technologies, and who
    must be consulted for successful privacy tech contracts to be signed.

  › Some purchasers expressed concerns about the “lock-in” effect of buying
    any privacy tech solution. In other words, some admitted they might not
    make a purchase for fear that doing so might lead their companies to be
    beholden to that vendor for numerous, future budget cycles even if
    better, competitor technologies emerge or the enterprise needs change.

  › Market differentiation is important for small- or medium-sized buyers of
    privacy tech when compared to large scale enterprises. Small- and
    medium-sized buyers may be operating with smaller budgets and
    organizational structures. They may also rely on information technology
    infrastructure that differentiates their privacy tech needs from those
    of larger enterprise buyers.

  › While large enterprises are significant purchasers of privacy tech
    services, many of the largest tech companies have the scale, unique
    needs, and engineering capacity to build privacy tech natively and as
    such purchase fewer services from privacy tech vendors.

OVERVIEW OF RECOMMENDATIONS
  › Privacy tech stakeholders should develop and promote voluntary, shared,
    consensus-driven vernacular in the privacy technology market for the
    benefit of both buyers and sellers. Consensus definitions should then be
    used to facilitate developing a common typology for descriptions of the
    tools and services developed natively or made available for sale in the
    privacy tech marketplace.

  › A trusted body should provide common definitions and standards for
    privacy enhancing technologies (PETS) such as differential privacy,
    homomorphic encryption, federated learning, and similar technologies,
    and should indicate the maturity and utility of these technologies for
    different business cases, as well as to how the uses of these PETS map
    to legal requirements.⁵

  › Further research should be conducted to identify market segmentation and
    stratification in buyers based on the size of the corporate entity, the
    sophistication of the buyer, the industry sector, and other factors.

  › Further research should explore what unique needs, if any, small- or
    medium-sized enterprises may have relative to those of large enterprise
    buyers of privacy tech.

  › Future research might also explore whether the needs for privacy tech
    solutions differ between industry types in a meaningful way.

  › Future research might also consider whether businesses that solely or
    primarily interact with the personal data of individuals from just one
    country or region have different privacy tech interests and needs than
    do businesses interacting with personal data on a multinational level.

  › Vendors should recognize the need to provide adequate support to
    customers to increase uptake and speed time from contract signing to
    successful integration. Buyers will often underestimate the time needed
    to integrate privacy technologies and services into their existing
    business operations and may therefore need further assistance in
    realizing that integration.

INTRODUCTION

Countries around the globe are advancing regulations that put in place
comprehensive requirements for the processing of personal information. The
European Union’s General Data Protection Regulation (GDPR) went into effect
in 2018⁶ and established extensive requirements on private and public sector
entities providing services to data subjects in the EU, such as requiring a
legal basis for processing data, registers of data processing, data
protection impact assessments and balancing tests, consent management,
privacy by design and making data available for access, deletion, and
correction. The GDPR has proved to be a spur for global regulation, with
numerous countries adopting legislation influenced by the GDPR or updating
current laws to maintain or achieve an adequacy determination by the
European Commission that supports international data transfers. Major
markets such as India, China, Brazil, Japan, South Korea, and Canada have
been particularly active. At the very end of 2019, India published a draft
law that would update that nation’s privacy laws. During the drafting of
this report, Brazil finalized its consumer privacy regulation,⁷ and both
China and Canada published draft consumer privacy laws.⁸ South Korea and
Japan have updated legislation as part of adequacy negotiations with the EU.

In the US, California in 2018 passed the California Consumer Privacy Act
(CCPA).⁹ Just months after finalizing regulations implementing the CCPA,
California voters expanded the law via a ballot initiative to further
establish privacy requirements for businesses, seeking to incorporate
protections inspired by the GDPR.¹⁰ In 2021, Virginia passed legislation
with similarities to the California Privacy Rights Act (CPRA), enhanced by
consent requirements for sensitive data but greater flexibility for
advertising.¹¹ Massachusetts, Nebraska, New York, Florida, and Washington,
Connecticut and Colorado are just a few of the states that have extensive
activity around data protection legislation.¹² As of the spring of 2021,
Congress has yet to act, but consumer data privacy law proposals have been
set forward in the Senate Commerce Committee, the leading committee of
jurisdiction in that body, and the leaders of the House Energy & Commerce
Committee have promised to develop a proposal. Further momentum is evidenced
by the introduction of additional, comprehensive regulatory proposals by
other influential members in each body. The Federal Trade Commission has
traditionally avoided rulemaking due to the rulemaking constraints the
agency faces, but has recently indicated that it is ready to advance a
rulemaking effort in support of privacy requirements, in the absence of
Congressional action.¹³

To support this rapid regulatory explosion, the “privacy technology” market
is growing rapidly around the world. New or improved technologies are
advancing in the market to support de-identification, privacy impact
assessments, consent agreement design, data pipeline management, and similar
techniques that are becoming essential to a business’ regulatory compliance
strategy. Meanwhile, emerging techniques like differential privacy, used to
assess mathematical guarantees of disclosure control for a particular
privacy model, are becoming commercialized as well. Venture capital firms
are investing in the privacy sector,¹⁴ encapsulating a global trend that
follows a market demand for privacy technologies driven by the GDPR and the
CCPA.¹⁵ All told, privacy technology is a nascent market but a growing one,
and will continue to expand as privacy becomes a more important part of
regulatory compliance, business competitiveness, and consumer trust around
the world. It is for this very reason that in 2019, the Future of Privacy
Forum and the Israel Tech Policy Institute established the Privacy Tech
Alliance, bringing together privacy innovators, academics, governments, and
companies with interest in privacy technology’s growth.¹⁶ The International
Association of Privacy Professionals has rapidly grown to 70,000 members,
and new conferences have emerged to serve technology and engineering sectors
of privacy, such as PEPR (Privacy Engineering Practice and Respect) and The
Rise of Privacy Tech, joining long established technology or research
focused conferences.¹⁷

Despite all this, however, there are few comprehensive examinations of this
“privacy technology” marketplace. Limor Shmerling Magazanik, managing
director of the Israel Tech Policy Institute, frames this as a problem of
developing bridges to close existing gaps.¹⁸ In other words, there is a need
to assess and evaluate gaps, misalignments, and misunderstandings that may
exist between buyers looking for privacy technologies to meet their
needs—whether small- or medium-sized businesses or large enterprises with
significant amounts of user data and information technology
infrastructure—and the sellers offering those privacy technologies to said
firms. Mapping out these gaps, misalignments, and misconceptions can help
buyers, sellers, and policy analysts working in or observing the space to
better understand where the market is today; where the market is headed; and
how these technologies impact a business’ compliance with privacy regulation
increasingly put into place around the world.

Written over the course of five months, this report presents a mapping of
the privacy technology marketplace, the involved buyers and sellers, and the
gaps, misalignments, and misconceptions at play. It focuses on privacy
technologies and does not focus on cybersecurity technologies. The report
introduces this mapping of the market by drawing on a literature review,
interviews with numerous experts in the privacy technology space, a survey
of companies operating in the market (attached in the appendix), and the
authors’ own subject matter expertise on these issues, and it does so in
several parts.

  › First, it introduces the global growth of the privacy technology market.
    Second, it discusses specific regulations driving privacy technology
    adoption by businesses.

  › Third, it discusses the lack of shared vernacular to discuss privacy
    technologies and the privacy technology industry. Fourth, it introduces
    a privacy “stack” typology, broken into three layers, that serve as both
    a lens of analysis and a contributing solution to the problem of shared
    vocabulary. Fifth and sixth, respectively, it applies this typology to
    the buy and sell side of the market, combined with interviews with
    subject matter experts, to capture gaps, misalignments, and
    mis-incentives in the privacy tech industry today.

  › Seventh, it lays out five market trends and seven implications for the
    future of the market identified in the course of this report’s research.
    And finally, it concludes with numerous observations about the privacy
    tech industry today and a set of recommendations to address current and
    emerging challenges.

Global Growth of the Privacy Tech Industry

A “staggering 48,337.2 percent three-year growth rate” is what propelled Inc. Magazine to put privacy tech vendor OneTrust on the cover of their September 2020 issue and name them #1 on their Inc. 5000 list for 2020.[19] While Inc. focused on OneTrust in September, this prominent acknowledgement could just as easily have signaled the profound growth of the privacy tech industry as a whole. Initially created by computer engineers within companies who were wrestling with the personal data passing through their systems, working to assume a modicum of control over the privacy and security of that data, initial privacy tech solutions were turned into companies to offer these solutions to other businesses as a service. These initial companies offered products and services to help companies achieve fidelity with their privacy and security commitments in their public-facing privacy policies, or to meet contractual requirements imposed by larger companies with which they wanted to do business.

Many new privacy tech vendors then arose, propelled forward by the European Union’s drafting of its then-forthcoming General Data Protection Regulation and by legislators in California modifying Alastair Mactaggart’s ballot initiative into legislative language for what became the California Consumer Privacy Act. This included a number of providers offering privacy enhancing technologies (PETs) to help clients with de-identification, including homomorphic encryption, and more sophisticated uses of differential privacy, among others.[20] Alongside these new entrants into the market, existing vendors grew their offerings to help achieve privacy regulatory compliance. Gartner predicted in February 2020 that over 40% of privacy technology vendors will use artificial intelligence by 2023, which could help reduce administrative and manual workloads while enabling business use of data.[21]

“Organizations should explore and embrace advances in cryptography, evolving data minimization and analysis techniques, and small data/local processing trends to sufficiently mitigate risks.”
— Jules Polonetsky and Elizabeth Renieris, 10 Privacy Risks and 10 Privacy Enhancing Technologies to Watch in the Next Decade[22]

Recognizing this growth, 14 companies joined together in December 2019 to establish the Privacy Tech Alliance to represent the leading edge of this global growth.[23] Since that gathering, the industry's growth has continued to accelerate. Several experts surveyed for this report pointed to decisions by the European Court of Justice invalidating the EU-US and Swiss-US Privacy Shield agreements (the so-called Schrems II decision) and the demands of other C-Suite executives within businesses to use personal data profitably for a myriad of needs, such as training machine learning and artificial intelligence systems, fine tuning marketing efforts, analyzing data to find unforeseen connections or make predictions, or speed sales. When new tools and services from niche, cutting-edge privacy tech vendors are added to these other, existing lines of business and the number of privacy regulations around the world grows seemingly by the month, it is unsurprising to see the “staggering” growth of the kind described by Inc. in the fall of 2020.

Unforeseen and unforeseeable by those gathered to establish the Privacy Tech Alliance was the sudden arrival of a worldwide pandemic forcing billions to adjust their entire lives and carry on their normal life, schooling, business, and recreation activities online to the extent possible, all while producing previously unimaginable amounts of personal data. As the privacy tech industry has discovered, while this has been damaging to so many businesses, this pandemic has been catalytic for industry growth by forcing adoption of privacy tech tools by companies of all sizes in various markets. The reasons are perhaps intuitive: “Now, all the employees are online, all the customers are online, all the business processes are online; everything has to be virtual and digital,” one vendor told the authors. While the catalyst for the acceleration of adoption of privacy tech was unforeseen by vendors of privacy tech, those vendors are universally convinced that the growth of the industry is not merely temporary or likely to slow. Experts surveyed pointed to the desire by many businesses to simultaneously demonstrate the accuracy of their privacy policies, comply with regulations, and use their personal data for new business purposes, such as training artificial intelligence or fine tuning marketing.

Specific Regulations Driving Growth of Industry

During the last decade, numerous privacy tech vendors formed companies in response to regulatory mandates that created tech needs by updating or overhauling consumer privacy regulations or legislation. For example, consent management tools such as Privo, Yoti, PrivacyCheq, Onano, and SuperAwesome had arisen to address long-standing parental consent requirements for businesses wanting to collect the data from minors younger than 13 years of age, in compliance with the US Children’s Online Privacy Protection Act (COPPA). These tools became even more widely needed with the May 2018 implementation of the European Union’s General Data Protection Regulation Article 8. “You see the biggest blip in privacy activity and demand right before a regulation comes into effect,” one expert interviewed for this report said, “and after that you see kind of a huge drop-off.” Both the GDPR and the recent enactment of the California Consumer Privacy Act and their creation of data subject rights have spawned a myriad of data mapping tools and companies.

As detailed within this report, venture capitalists and private equity funders are recognizing these various drivers of growth and investing more often and in greater dollar amounts in privacy tech startups, providing seed funding to the most recently conceived companies through enormous follow-on investment rounds with later-stage established privacy tech vendors.

Lack of Consensus Privacy Tech Definitions Limiting Growth of Privacy Tech Industry

Despite the development of the privacy tech market and its trajectory for accelerating future growth, interviewees for this report identified two impediments to the industry’s growth that are slowing both the speed of closing sales contracts and the adoption of privacy tech by customers. The impediments repeatedly identified by those interviewed are: (i) a lack of common, consensus privacy tech definitions; and (ii) an unclear privacy stack typology to describe business needs and how the various privacy tech tools and services available in the marketplace might map to meeting those business needs. Both impediments were challenging to vendors and would-be purchasers of privacy tech, but together they create compounding difficulties that are limiting privacy tech adoption.

First, because the privacy technology market is relatively nascent, there is no clear set of shared terminology used by buyers and sellers in the market. On the buyer side, for instance, three medium-sized businesses in search of privacy technology might all use the term “data mapping” to describe their functional needs to vendors, while meaning completely different things in each case. On the seller side, to give another example, multiple companies might brand their products with similar terminology when in fact their privacy technology offerings meet very different client needs. Though there are many other examples: companies might talk past one another when using the same terminology; some companies, particularly those newer to privacy technology, may lack the terminology needed to specifically describe their needs or offerings; and other companies yet might internally speak different languages when describing how privacy technologies could meet their business needs.

“Most lawyers don’t get tech, and most technicians don’t get law, and so it’s not that they necessarily want to battle, but they do,” one vendor told the authors. “They don’t listen to each other, and even when they talk to each other, they use different words for the same thing.” Further, another vendor said, this shared vocabulary problem is driven by company self-marketing as well: individual firms that “plant a flag, create a category” and then “try and actually identify the people you want in that category and then obviously try and push out the people you don’t” for competitive purposes. This lack of shared terminology simultaneously reflects and contributes to gaps, misalignments, and misunderstandings between buyers and sellers about regulatory compliance needs, privacy technologies on the market, and how the two fit together in the context of companies’ existing data, technologies, and business processes.

The lack of consensus definitions creates numerous business problems. On a basic level, this creates a problem as old as contracting itself in which a buyer and seller may not reach a meeting of the minds about what is being offered and what is being obtained in any privacy tech contract. This leads to lengthy delays and multiple extra turns before contracts could be consummated to purchase privacy tech services. One expert interviewed suggested that this unnecessarily slowed the time to closure of any contract by adding numerous logistical and legal hoops before even getting to the integration of the privacy tech services into the business’ information technology environment. Buyers may not be able to certify that they are meeting requirements imposed through contract by their own customers. Buyers may not have conviction that any privacy tech obtained from a third-party satisfies regulatory, statutory, or judicial requirements.

While it was clear there were not yet consensus definitions, consensus was clear among those interviewed that collective action should be taken between privacy tech vendors, perhaps working with organizations that can convene stakeholders from all sides of industry, academia, and key non-governmental organizations, to develop consensus definitions. “Future of Privacy Forum,” one vendor told the authors unprompted, “could be absolutely the place to develop such a vocabulary.” Some of those interviewed would go further and utilize standard-setting bodies to further confirm legitimacy on definitions developed in common, and other interviewees were eager to see any definitions ratified by privacy regulators, legislative bodies, or courts to provide the privacy tech industry with greater certainty; turning to the National Institute of Standards and Technology (NIST) in the United States was just one example provided by a vendor.[24]

                                  PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR   13
The Privacy Technology “Stack”

The problem of a lack of consensus privacy tech definitions is compounded by a secondary problem, which is that not only may buyers and sellers of privacy tech be using the same words, terms, and phrases to mean different things, but they may be contemplating the use of privacy tech for very different purposes than what was intended due to evolving needs of the business customers purchasing privacy tech solutions. In short, and as discussed in further detail throughout this report, some businesses are seeking privacy tech that allows them to do more than simply control personal data, or control personal data and comply with data privacy and security regulation. Now, many businesses may be intending to obtain from privacy tech vendors tools and services that simultaneously allow their businesses to control personal data, comply with a myriad of regulatory mandates concerning that data, and extract value[25] from that data. This maturation of privacy tech customer needs has, according to many interviewed for this report, caused extra confusion between buyers and sellers that requires not only the creation of consensus definitions but also a new understanding of the “privacy stack.”

This report section therefore introduces a typology for privacy technologies aimed at tackling this challenge. The purpose is to address a lack of a clear framework and clear set of shared vocabulary with which buyers and sellers can analyze and discuss the privacy technology market. The purpose is also to link together business processes that companies perform with business outcomes that companies desire to achieve with privacy technologies. After all, as one vendor put it to the authors, “You don’t collect and store data to just keep it—you’re doing it to use it.”

By no means is this the only framework that has been introduced to understand the privacy technology market: the International Association of Privacy Professionals, for example, published a typology of privacy technologies in 2019, broken down into privacy technologies for “privacy program management” and those for “enterprise privacy management.” Within each of those categories, the IAPP report then broke down privacy technologies by actions firms might need to take (e.g., “data mapping”, “website scanning”).[26]

Rather than focus entirely on specific technologies or functions, however, the typology introduced in this report focuses on business process and business outcomes. It does this for several reasons. First, numerous buyers and sellers with whom we spoke conveyed experiencing or encountering confusion in the market with how privacy technologies plugged into existing business operations.[27] There can be too much focus on single technologies or discrete business needs in ways that obscure the broader goal of using privacy tech to fuse processes with desired outcomes. Second, small- and medium-sized businesses may have different technology needs than large enterprises, and they may have very different information technology infrastructures (e.g., smaller firms outsourcing their data to a third-party cloud provider versus larger firms running their own servers in-house). This can further fragment the terminology used by buyers and sellers to discuss privacy technology, including because it does not adequately include a focus on the unique buyer’s existing processes. And third, in the future, existing privacy technologies might evolve, market demand for now-emerging privacy technologies might grow, and innovators could develop privacy technologies that do not yet exist. While any set of terminology will have to be reassessed if not updated as the privacy tech market matures, focusing a typology on business outcomes rather than on specific technical solutions might help create a terminology with more longevity.

[Figure: The Privacy Technology “Stack”. Legend: Layer 1: Data; Layer 2: Processes; Layer 3: Outcomes. Diagram labels: Personal Data; Information & Data Governance; Privacy Management; Risk Management; Data Protection for People & Assets; Data Availability & Movability; Data Value Creation/Analysis; Data Ethics & Compliance; Environmental, Social, & Corporate Governance. Credit: Tim Sparapani and Justin Sherman for the Future of Privacy Forum.]

The privacy “stack” for understanding the privacy technology market is composed of three “layers” (see diagram on previous page). The first and innermost layer is personal data itself. When a business is using privacy technologies, the center is data—and the key questions focus on the basics: what data fields are available, categorization, storage and access details. The earliest privacy technologies were either built natively within companies or purchased by the earliest vendors in the market—and were typified by systems that attempted to help businesses simply gain control over the personal data they encountered as part of their business. For example, in addition to siloing personal data from information about individuals not requiring protection, these technologies may have segmented out “sensitive data” for additional control features, or simply provided consumers with adequate notice to help a business achieve requisite consent to collect that personal data.

The second and middle layer is composed of four business processes: information and data governance; privacy management; risk management; and privacy operations. Privacy technologies can pair with or enable business processes at this layer, stacking on top of the personal data a business accesses (the first layer). These processes all interact and interrelate, and they may also be in constant evolution; for instance, risk management is not an action performed just once.

Finally, the third and outermost layer is composed of five business outcomes: data availability and movability; data protection for people and assets; data value creation/analysis; data protection components of ethics and compliance[28]; and environmental, social, and corporate governance. Privacy technologies, stacked on top of and integrating with business processes (the second layer), can enable the business outcomes at this layer. Privacy technologies can also enable these five outcomes to interrelate and interconnect, and, ideally, to coexist simultaneously: so that data value analysis/creation and ethics and compliance are not mutually exclusive, for example. The layers of the “stack” are described in more detail below.

Data is the foundation of any privacy discussion. Depending on the legal jurisdictions in which a business operates, terms such as “sensitive data,” “personal health information,” or “personally identifiable information,” among others, may have particular importance for a business in the first-layer, early stage of assessing their privacy technology system: they will guide legal and regulatory compliance and possibly contractual compliance as well.[29] Businesses may collect, analyze, store, or move data on customers, employees, contractors, and innumerable other actors (clients, prospective customers, etc.) with which the business interacts. Individuals are the center of this data, and it is their privacy that is concerned when businesses collect, store, and process their information.

[Figure: Layer #1 of the Privacy Tech “Stack”. Privacy Tech 1.0: Focus on Data Control. Layer 1 (Data): Personal Data. Credit: Tim Sparapani and Justin Sherman for the Future of Privacy Forum.]

The second layer of the privacy tech “stack” is composed of business processes that can be supplemented or enabled by privacy tech offerings. For example, a business might build or purchase a technology to generate data privacy compliance assessments, as part of the business’ existing privacy and risk management processes, or a business might build or purchase data access control technologies to limit employee access to customer data, as part of the business’ information and data governance processes. This layer is stacked on top of the business’ data, which may be subject to privacy requirements based on contractual requirements, regulatory requirements, legal requirements, business reputational goals, and other factors.

[Figure: Layer #2 of the Privacy Tech “Stack”. Privacy Tech 2.0: Focus on Regulatory Compliance. Layer 2 (Processes), arranged around Personal Data: Information & Data Governance; Privacy Management; Risk Management; Data Protection for People & Assets. Credit: Tim Sparapani and Justin Sherman for the Future of Privacy Forum.]

There are four business processes in layer 2 of the privacy stack.

 LAYER 2 PROCESS                    PROCESS DESCRIPTION

 Information and data governance    Developing internal rules, protocols, and procedures for the collection, handling, transfer, storage, and analysis of data

 Privacy management                 Developing processes, procedures, knowledge bases, and other toolkits for internally assessing privacy of data

 Risk management                    Developing internal rules, protocols, procedures, and strategies for navigating and mitigating risks of data collection, storage, and use; conversely, also using data to navigate and mitigate business risks

 Privacy operations                 Building or acquiring the technologies and services to actualize data privacy definitions

The third layer of the privacy tech “stack” is composed of business outcomes that can be supplemented or enabled by privacy tech offerings. For example, a business might build or purchase a technology to identify customer data in a visual interface for customer relations and marketing personnel, or a business might build or purchase differentially private algorithmic tools to mask individual identifiers in a dataset while also enabling analysis on the data to create economic value for the business’ marketing and data science teams. Increasingly, performance for these business outcomes is being measured as part of environmental, social, and corporate governance analysis.[30] This third business outcome layer is stacked on top of the business’ processes, which may themselves be supplemented or enabled by privacy technology offerings. Much like business processes relevant to data privacy, privacy technologies acquired for specific business outcomes are driven by contractual requirements, regulatory requirements, and numerous other factors. There is also a growing business imperative in some cases for ethical data review and/or data-sharing with other firms.

[Figure: Layer #3 of the Privacy Tech “Stack”. Layer 3 (Outcomes), outer ring: Data Availability & Movability; Data Protection for People & Assets; Data Value Creation/Analysis; Data Ethics & Compliance; Environmental, Social, & Corporate Governance. Inner ring around Personal Data: Information & Data Governance; Privacy Management; Risk Management; Data Protection for People & Assets.]

There are at least five business outcomes that have been identified in layer 3 of the privacy stack.

 LAYER 3 OUTCOME                                    OUTCOME DESCRIPTION

 Data availability and movability                   Chief Information Officers and other technology personnel ensuring data is readily available for use and is quickly and reliably transferred around the world

 Data protection for people and assets              Chief Information Security Officers and other information security personnel ensuring data’s confidentiality, integrity, and availability [not the focus of this report]

 Data value creation/analysis                       Chief Data Officers, Chief Marketing Officers and their marketing teams, and other data science personnel ensuring data generates and can be used to generate (e.g., through analysis) value for the business

 Data protection as ethics and compliance           General Counsels, Chief Privacy Officers, Chief Ethics Officers, legal teams, and other compliance personnel ensuring data is legally collected, stored, transferred, and otherwise processed based on applicable regulations

 Environmental, social, and corporate governance    Investors, board members, and corporations in general increasingly making environmental, social, and governance factors a business priority, including the protection of data

The fact that privacy technologies must integrate with existing business processes may seem obvious, but it’s worth noting explicitly. The three layers visualize this: to develop a plan for privacy, a company must have data or be acquiring data. Building out from there, companies must figure out how data maps to existing business processes, like risk management or information governance. From there, companies can “stack” privacy technologies on top of those business processes in order to achieve specific outcomes with respect to data, which increasingly are measured at the Board level or by investors seeking to assess environmental, social, and corporate governance vis-à-vis data ethics and compliance. Privacy technologies can sit in these two outer layers. For a company to have a mature privacy technology system, it cannot have privacy technologies to achieve discrete outcomes without underlying business processes in place, and it cannot have processes oriented around data without privacy technologies that achieve specific needed outcomes for the business’ data. Mature privacy technology systems are also continuously evolving: the framework should not be understood as representing a static market or a static set of business activities. As the market introduces new technologies, there may be more potential business outcomes added to the third layer, for instance. As a business acquires new data, new customers, and new technologies, to give another example, it may reevaluate the privacy technology offerings used to enable or supplement various business processes or data outcomes.

The key is understanding that privacy tech offerings in the market can fill different needs in the process layer and in the outcomes layer. In this way, the privacy tech “stack” offers a framework for analyzing the privacy tech market, analyzing specific privacy technologies, and moving towards a set of shared vernacular about privacy tech. The next three sections therefore apply this privacy tech “stack” to analyzing the buy side of the privacy tech market, the sell side of the privacy tech market, and the future of the market, respectively. It combines the stack representation with research conducted for the report, including from a literature review and conversations with dozens of subject matter experts in the privacy tech field.

The Buy Side of the Privacy Tech Market

The privacy tech stack can be used to understand the buy side of the privacy technology market by highlighting the business processes and desired outcomes of different buyer stakeholders. Based on the authors’ conversations with buyers and sellers in the privacy tech market, privacy technology vendors might approach any number of individuals at a client or potential client organization to sell their offerings: the Chief Privacy Officer (CPO), Chief Data Officer (CDO), Chief Technology Officer (CTO), Chief Information Officer (CIO), and Chief Information Security Officer (CISO), in addition to the likes of marketing teams, legal teams, and customer relations teams. Buying power tends to be concentrated with CTOs, who may have the largest budget for privacy technologies relative to other stakeholders in the aforementioned list. Any one business, however, may have a range of individuals within the organization with an interest in privacy technology, varied given their data needs. They may also have different budgets and technology interests depending on the company. The privacy tech stack offered in this report, focused on the layering of data, business processes, and business outcomes, is therefore applied in this section to better understand this buyer side of the market.

“We’re increasingly seeing on the business side that they see [data] as an asset, and they know they have to worry about the privacy component, but they are primarily interested in solving a business problem.”
— Executive at Privacy Tech Vendor

There are often many stakeholders in any one business with interest in buying privacy technology. Framing the privacy technology market with the privacy tech stack can help illuminate the processes with which these stakeholders are involved (e.g., risk management) and how their desired business outcomes (e.g., data value creation/analysis) drive their purchasing outlook. Chief Privacy Officers are the most likely to have fluency in privacy technology from the buyer side and are routinely consulted concerning the suitability of privacy technology offerings to satisfy personal data control and regulatory compliance requirements. CPOs may be plugged into several of the layer 2 business processes, like privacy operations and risk management, and out of all the layer 3 business outcomes, they need to make the business’ data privacy compliant. Similarly, General Counsels and legal teams with privacy experience are often consulted to ensure that any privacy technology being considered will solve, not create, privacy regulatory or privacy contractual difficulties. Chief Technology Officers and Chief Information Officers are involved with the information and data governance process in layer 2, and they may have several business objectives in layer 3, including making data available and movable. The list goes on: Chief Data Officers need to enable data value creation/analysis, for such functions as monitoring internal systems and conducting machine learning on customer data to generate economic value; Chief Information Security Officers need to make data secure (e.g., ensure its confidentiality, integrity, and availability); customer service teams need data to be identifiable, so they can read customers’ data when interacting with them and even possibly modify it if needed; and so on. As one vendor on the sell side told the authors, “We’re increasingly seeing on the business side that they see [data] as an asset, and they know they have to worry about the privacy component, but they are primarily interested in solving a business problem.”

A clear conclusion emerging from the interviews was that the potential set of customers (by role) within businesses considering privacy technology purchases is expanding. “It’s an infinite universe of challenges and things you might have to deal with in terms of business cases,” one vendor told the authors. Because we have entered the Privacy Tech 3.0 market phase, the key buyers of privacy tech within large companies have shifted from the Chief Privacy Officer (Privacy Tech 1.0), to the General Counsels, Chief Information Security Officers, and Chief Technology Officers (Privacy Tech 2.0), to the Chief Marketing Officers, Chief Strategy Officers, and Chief Data Scientist (Privacy Tech 3.0). The individual who continues to have the budget for software purchases tends to be the Chief Technology Officer, despite these changes.

Conclusion

Roles in the C-suite with stake in buying privacy tech are expanding beyond CTOs, CPOs, GCs, and CISOs, to include other stakeholders like CMOs, CSOs, and Chief Data Scientists.

For any particular stakeholder on the buyer side, understanding the processes in the privacy tech stack into which they are integrated, and the business outcomes in the privacy tech stack which they desire, can help the stakeholder navigate the privacy tech market through better understanding of what needs a privacy tech offering should fill. Conversely, for those selling privacy tech to a potential stakeholder at a company, using the privacy tech stack to understand that stakeholder’s particular personal data (layer 1), business processes (layer 2), and needed/desired business outcomes (layer 3) can help frame what that individual might be looking to purchase. For instance, privacy tech is increasingly intersecting with the information and data governance process, including such questions as who has access to what data, how data is described in business terms, how those business terms are propagated to personal data, and so on. This process-outcome framing may help to better illuminate how a privacy tech may fit into the business’ activities and technologies, and how it could meet needs, without becoming too focused on technical terminology. This range of stakeholder needs on the buy side, even within a single business, contributes to the problem of no shared vernacular to discuss privacy tech in the market: lawyers may have less exposure to technology and may preference legal definitions, technologists may have less exposure to law and may preference technical definitions, various business units may have different perspectives on technology, and so on.

From buyer to buyer, the same respective stakeholder’s budget, specific needs, and business-internal technological capacity vary. Large enterprises, for example, may be more likely to maintain their own information technology infrastructure for data storage in-house, such as managing their own servers. CTOs or CIOs at those firms may therefore have disproportionately larger budgets for data and information governance functions. Smaller- and medium-sized businesses, by con-

                                    PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR   21