Privacy Tech's Third Generation - A Review of the Emerging Privacy Tech Sector JUNE 2021
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
AUTHORED BY Privacy Tech Alliance and Future of Privacy Forum with Tim Sparapani and Justin Sherman The Future of Privacy Forum launched the Privacy Tech Alliance (PTA) as a global initiative with a mission to define, enhance, and promote the market for privacy technologies. The PTA brings together innovators in privacy tech with customers and key stakeholders. Privacy Tech companies can apply to join the PTA by emailing PTA@fpf.org. The Future of Privacy Forum (FPF) is a non-profit organization that serves as a catalyst for privacy leadership and scholarship, advancing principled data practices in support of emerging technologies. Learn more about FPF by visiting fpf.org.
TABLE OF CONTENTS Executive Summary _______________________________________ 2 Overview of Conclusions____________________________________ 3 Overview of Recommendations_______________________________ 6 Introduction______________________________________________ 7 Global Growth of the Privacy Tech Industry _____________________ 9 Specific Regulations Driving Growth of Industry __________________ 11 Lack of Consensus Privacy Tech Definitions ______________________ Limiting Growth of Privacy Tech Industry________________________12 The Privacy Technology “Stack”______________________________14 The Buy Side of the Privacy Tech Market_______________________ 20 The Sell Side of the Privacy Tech Market_______________________ 23 Market Trends and Implications for Competition _________________ 26 Conclusions______________________________________________31 Recommendations________________________________________ 35 Appendix: Privacy Technology Buyer Survey Results______________ 36 Endnotes _______________________________________________ 48 PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 1
EXECUTIVE SUMMARY T he privacy technology sector, until and value of personal data held by a busi- recently composed of relatively small ness (Privacy Tech 3.0).2 This report explains startups focused on providing con- this typology and describes a taxonomy of sumer data privacy regulatory solutions for terms and relationships to provide a consis- businesses, is at an inflection point. The tent understanding of customer needs and sector is rapidly maturing and expanding privacy tech offerings commonly associated both in terms of the number of vendors with this privacy stack. and the products and services those ven- Second, this report provides an analysis of dors offer. Business customers increasingly market dynamics around privacy tech—from are seeking privacy tech partners that buyer and seller perspectives—in addition to provide easily integrated solutions to all of a description of trends and predictions. The a business’ data needs, and vendors are report’s authors found striking consensus moving rapidly to meet this demand. This about the direction of the privacy tech in- report is a review of that market, focused dustry, potential impediments to its growth, on current developments and progress. likely drivers of future acceleration, and It also identifies misalignments within the recommendations for industry-led efforts to market; trends in the future of privacy tech- eliminate those impediments. Sophisticated nology; and recommendations to address providers of privacy tech and sophisticated current challenges.1 purchasers of privacy tech identified as a The report offers a privacy “stack” typology major obstacle the lack of common privacy for analyzing and understanding the privacy vernacular to define terminology and the tech market today. It suggests that privacy inconsistent typification of the so-called pri- tech has evolved through three main phases vacy stack, i.e., the technologies that were into the Privacy Tech 3.0 landscape seen core to the privacy technology industry. now. The field started with an initial phase Finally, this report identifies five market of privacy and security tech industry technol- trends and seven implications those trends ogy ideation and vendor formation (Privacy hold for the future of the privacy tech market. Tech 1.0), and then developed into a privacy It then lays out a work plan of recommenda- and data security privacy tech landscape of tions to facilitate the growth and maturation technologies built natively within large com- of the privacy tech industry. panies, as well as increasingly sophisticated privacy tech vendors offering their services This report does not address the market for chiefly to support privacy regulatory com- cybersecurity services or identity services. pliance (Privacy Tech 2.0). Now the field has Although many of these vendors provide started to develop into a new state involv- services often described as privacy related, ing niche privacy tech vendors offering an they serve a different market purpose. It also essential or bespoke tool or technology for does not cover the growing number of busi- sale, and horizontally-integrated vendors or ness-to-consumer services which seek to joint ventures between providers that offer help consumers request their data, monetize tools for regulatory compliance and tools to their data, or perform other consumer-driven maximize control over and the availability functions with respect to data.3 2 PRIVACY TECH ALLIANCE + FUTURE OF PRIVACY FORUM | JUNE 2021
OVERVIEW OF CONCLUSIONS T o research this report, the authors conduct- › The lack of common understanding about ed more than 30 hours of interviews with privacy terms is limiting the growth of the dozens of the world’s leading experts on the privacy tech industry. With respect to some privacy tech market, including buyers of privacy privacy tech offerings, it is unclear whether tech services and sellers of privacy tech services. vendor-developed privacy tech is sufficient These interviews yielded important insights on the to satisfy the regulatory compliance or state of the privacy technology market from lead- business needs of would-be purchasers. ing thinkers and industry participants. Several clear › In addition to lacking a common vernacular themes emerged on key issues, allowing us to offer to describe privacy tech, there is no the following conclusions and recommendations: commonly accepted methodology for › The COVID-19 pandemic has globally characterizing what technologies and accelerated marketplace adoption of privacy services are part of the privacy technology industry or the so-called privacy stack. Many technology as individuals and organizations interviewed for this report, from both the sell- worldwide became more heavily dependent side and buy-side, agreed that it would be on digital technologies and services. It is useful to classify privacy tech companies by unclear if this is a one-off event or a growth the “business needs” their offerings satisfy. pattern that will sustain, but increased purchasing of privacy tech is clear. › The lack of common vernacular and inconsistent typology for the privacy stack › Common drivers of initial privacy technology may also be causing some misalignment purchases are regulatory compliance needs, between the privacy tech available in the contractual requirements with customers, market and the needs of buyers. and slowly emerging recognition of the reputational risks associated with data › The leading edge of the market has passed privacy breaches, broadly defined. These through two initial stages of privacy tech initial drivers often lead purchasers of and has entered a third. The first stage was privacy tech to explore other opportunities typified by technologies engineered natively to deploy additional privacy tech offerings. within some companies and offered by early Regulations by and large remain the biggest vendors for sale to achieve a modicum of driver for privacy technology adoption, control over the personal data processed but the others are growing in importance by a business (Privacy Tech 1.0). The second to the extent that privacy is becoming a stage was the development of technologies competitive differentiator in some sectors. engineered natively within large companies Organizations are also deploying additional well-resourced enough to devote tools to mitigate potential harms caused by engineering capabilities to regulatory the use of data.4 compliance solutions and horizontally- integrated companies or collaborations › While jurisdictions in the US and around between companies offering personal data the globe have incorporated key concepts regulatory compliance services and tools for from other jurisdictions’ consumer privacy sale (Privacy Tech 2.0). regulatory schemes into their own, the › Recently, privacy tech offerings are privacy landscape is expected to become expanding well beyond products and more complex and less homogenous as services that assist in regulatory compliance jurisdictions begin to diverge and increase into products and services that assist regulatory complexity. businesses in making the personal data they › Common privacy terms, including those encounter both maximally available and included in statutes or regulations, are not maximally valuable for business services uniformly defined or understood. (Privacy Tech 3.0). For example, privacy tech PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 3
OVERVIEW OF CONCLUSIONS tools are increasingly available to assist “breakthrough” or “highly innovative” with business needs across the business technology or service, which can justify a enterprise, serving: (i) CIOs in making contract with a vendor for just one niche personal information accessible; (ii) CMOs product or service. in making personal information available › Because of buyers’ increasing preference for marketing and advertising; (iii) Chief to buy horizontally-integrated privacy tech Data Scientists in unlocking new insights services, better-resourced privacy tech from personal information; and (iv) CISOs in companies with numerous, fully developed securing data; etc. tools and services are leading current › Because we have entered the Privacy market share. Tech 3.0 market phase, the key buyers of › There is evidence of companies attempting privacy tech within many large companies to provide horizontally-integrated services have shifted from the Chief Privacy Officer as many privacy tech vendors add new (Privacy Tech 1.0), to the General Counsels, features. However, companies that offer Chief Information Security Officers, and Privacy Tech 3.0 services focused on Chief Technology Officers (Privacy Tech maximizing data value within regulatory 2.0), to the Chief Marketing Officers, Chief limits are also increasingly providing Strategy Officers, and Head Data Scientist offerings in the Privacy Tech 1.0 and Privacy (Privacy Tech 3.0). The individual who 2.0 services to compete with traditional continues to have the budget for software privacy tech vendors. purchases tends to be the Chief Technology Officer, despite these changes. The Chief › This buyer preference for horizontally- Privacy Officer continues to be an influencer integrated privacy tech services may lead of these purchases, but should recognize to industry consolidation in the near term. this development as a call to embrace For example, recently, some privacy tech the skills and scope of responsibilities to companies have merged or acquired maintain a leadership mandate. rivals or providers of adjacent privacy tech products. Further, some private equity › For many companies, especially small- or companies appear to be “rolling up” privacy medium-sized businesses and those that tech startups into larger offerings. Some tend to serve only one regulatory market, providers are employing a third strategy Privacy Tech 2.0 or even 1.0 solutions may of formally entering into partnerships, be sufficient to meet their needs. However, joint ventures, cross-selling, or similar buyers serving global markets increasingly collaborations. It is perceived by some that need to build or buy privacy tech that niche providers may increasingly struggle supports controls, regulatory compliance, unless they are able to offer an entire suite and data availability and value. In short, of services. while the market for privacy tech is maturing › While the privacy tech market and privacy there is evidence of market segmentation vendor strategy for ensuring longevity between buyers, and the most sophisticated and growth is undergoing transformation, companies will need all three evolutions of there is striking consensus about the privacy tech solutions. determinative factors of how buyers choose › Buyers of privacy tech often prefer to whether to buy or build privacy tech. buy integrated privacy tech products that Our surveys found commonality among accomplish numerous business needs respondents about who in the corporate rather than one-off, standalone privacy organizational structure often has the tech solutions. The exception to this rule budget to purchase privacy tech, who in that is when a privacy tech vendor offers a structure identifies the business needs to be 4 PRIVACY TECH ALLIANCE + FUTURE OF PRIVACY FORUM | JUNE 2021
OVERVIEW OF CONCLUSIONS met by privacy technologies, and who must when compared to large scale enterprises. be consulted for successful privacy tech Small- and medium-sized buyers may contracts to be signed. be operating with smaller budgets and › Some purchasers expressed concerns organizational structures. They may also rely about the “lock-in” effect of buying any on information technology infrastructure that privacy tech solution. In other words, some differentiates their privacy tech needs from admitted they might not make a purchase those of larger enterprise buyers. for fear that doing so might lead their › While large enterprises are significant companies to be beholden to that vendor purchasers of privacy tech services, many for numerous, future budget cycles even if of the largest tech companies have the better, competitor technologies emerge or scale, unique needs, and engineering the enterprise needs change. capacity to build privacy tech natively and › Market differentiation is important for small- as such purchase fewer services from or medium-sized buyers of privacy tech privacy tech vendors. PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 5
OVERVIEW OF RECOMMENDATIONS › Privacy tech stakeholders should develop › Further research should explore what and promote voluntary, shared, consensus- unique needs, if any, small- or medium-sized driven vernacular in the privacy technology enterprises may have relative to those of market for the benefit of both buyers and large enterprise buyers of privacy tech. sellers. Consensus definitions should › Future research might also explore whether then be used to facilitate developing a the needs for privacy tech solutions differ common typology for descriptions of the between industry types in a meaningful way. tools and services developed natively or made available for sale in the privacy tech › Future research might also consider marketplace. whether businesses that solely or primarily interact with the personal data of › A trusted body should provide common individuals from just one country or region definitions and standards for privacy have different privacy tech interests and enhancing technologies (PETS) such needs than do businesses interacting with as differential privacy, homomorphic personal data on a multinational level. encryption, federated learning, and similar technologies, and should indicate the › Vendors should recognize the need to maturity and utility of these technologies provide adequate support to customers for different business cases, as well as to to increase uptake and speed time from how the uses of these PETS map to legal contract signing to successful integration. requirements.5 Buyers will often underestimate the time needed to integrate privacy technologies › Further research should be conducted and services into their existing business to identify market segmentation and operations and may therefore need further stratification in buyers based on the size of assistance in realizing that integration. the corporate entity, the sophistication of the buyer, the industry sector, and other factors. 6 PRIVACY TECH ALLIANCE + FUTURE OF PRIVACY FORUM | JUNE 2021
INTRODUCTION C ountries around the globe are advancing tion of additional, comprehensive regulatory pro- regulations that put in place comprehensive posals by other influential members in each body. requirements for the processing of personal The Federal Trade Commission has traditionally information. The European Union’s General Data avoided rulemaking due to the rulemaking con- Protection Regulation (GDPR) went into effect in straints the agency faces, but has recently indicat- 20186 and established extensive requirements on ed that it is ready to advance a rulemaking effort private and public sector entities providing services in support of privacy requirements, in the absence to data subjects in the EU, such as requiring a legal of Congressional action.13 basis for processing data, registers of data pro- To support this rapid regulatory explosion, the cessing, data protection impact assessments and “privacy technology” market is growing rapidly balancing tests, consent management, privacy by around the world. New or improved technologies design and making data available for access, dele- are advancing in the market to support de-iden- tion, and correction. The GDPR has proved to be a tification, privacy impact assessments, consent spur for global regulation, with numerous countries agreement design, data pipeline management, adopting legislation influenced by the GDPR or up- and similar techniques that are becoming essen- dating current laws to maintain or achieve an ade- tial to a business’ regulatory compliance strategy. quacy determination by the European Commission Meanwhile, emerging techniques like differential that supports international data transfers. Major privacy, used to assess mathematical guarantees markets such as India, China, Brazil, Japan, South of disclosure control for a particular privacy mod- Korea, and Canada have been particularly active. el, are becoming commercialized as well. Venture At the very end of 2019, India published a draft capital firms are investing in the privacy sector,14 law that would update that nation’s privacy laws. encapsulating a global trend that follows a market During the drafting of this report, Brazil finalized its demand for privacy technologies driven by the consumer privacy regulation,7 and both China and GDPR and the CCPA.15 All told, privacy technology Canada published draft consumer privacy laws.8 is a nascent market but a growing one, and will South Korea and Japan have updated legislation continue to expand as privacy becomes a more as part of adequacy negotiations with the EU. important part of regulatory compliance, business In the US, California in 2018 passed the California competitiveness, and consumer trust around the Consumer Privacy Act (CCPA).9 Just months after world. It is for this very reason that in 2019, the finalizing regulations implementing the CCPA, Future of Privacy Forum and the Israel Tech Policy California voters expanded the law via a ballot Institute established the Privacy Tech Alliance, initiative to further establish privacy requirements bringing together privacy innovators, academics, for businesses, seeking to incorporate protections governments, and companies with interest in inspired by the GDPR.10 In 2021, Virginia passed privacy technology’s growth.16 The International legislation with similarities to the California Privacy Association of Privacy Professionals has rapidly Rights Act (CPRA), enhanced by consent require- grown to 70,000 members, and new conferences ments for sensitive data but greater flexibility for have emerged to serve technology and engineer- advertising.11 Massachusetts, Nebraska, New York, ing sectors of privacy, such as PEPR (Privacy En- Florida, and Washington, Connecticut and Colora- gineering Practice and Respect) and The Rise of do are just a few of the states that have extensive Privacy Tech, joining long established technology activity around data protection legislation.12 As of or research focused conferences.17 the spring of 2021, Congress has yet to act, but Despite all this, however, there are few compre- consumer data privacy law proposals have been hensive examinations of this “privacy technology” set forward in the Senate Commerce Committee, marketplace. Limor Shmerling Magazanik, man- the leading committee of jurisdiction in that body, aging director of the Israel Tech Policy Institute, and the leaders of the House Energy & Commerce frames this as a problem of developing bridges Committee have promised to develop a proposal. to close existing gaps.18 In other words, there is a Further momentum is evidenced by the introduc- need to assess and evaluate gaps, misalignments, PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 7
INTRODUCTION and misunderstandings that may exist between › First, it introduces the global growth of buyers looking for privacy technologies to meet the privacy technology market. Second, their needs—whether small- or medium-sized it discusses specific regulations driving businesses or large enterprises with significant privacy technology adoption by businesses. amounts of user data and information technolo- gy infrastructure—and the sellers offering those › Third, it discusses the lack of shared privacy technologies to said firms. Mapping out vernacular to discuss privacy technologies these gaps, misalignments, and misconceptions and the privacy technology industry. Fourth, can help buyers, sellers, and policy analysts work- it introduces a privacy “stack” typology, ing in or observing the space to better understand where the market is today; where the market is broken into three layers, that serve as both headed; and how these technologies impact a a lens of analysis and a contributing solution business’ compliance with privacy regulation in- to the problem of shared vocabulary. creasingly put into place around the world. Fifth and sixth, respectively, it applies this Written over the course of five months, this report typology to the buy and sell side of the presents a mapping of the privacy technology mar- market, combined with interviews with ketplace, the involved buyers and sellers, and the subject matter experts, to capture gaps, gaps, misalignments, and misconceptions at play. misalignments, and mis-incentives in the It focuses on privacy technologies and does not privacy tech industry today. focus on cybersecurity technologies. The report introduces this mapping of the market by drawing › Seventh, it lays out five market trends on a literature review, interviews with numerous and seven implications for the future of experts in the privacy technology space, a survey the market identified in the course of this of companies operating in the market (attached report’s research. And finally, it concludes in the appendix), and the authors’ own subject with numerous observations about the matter expertise on these issues, and it does so in several parts. privacy tech industry today and a set of recommendations to address current and emerging challenges. 8 PRIVACY TECH ALLIANCE + FUTURE OF PRIVACY FORUM | JUNE 2021
Global Growth of the Privacy Tech Industry A “staggering 48,337.2 percent three- legislative language for what became the Cali- year growth rate” is what propelled Inc. fornia Consumer Privacy Act. This included a Magazine to put privacy tech vendor number of providers offering privacy enhancing OneTrust on the cover of their September 2020 technologies (PETs) to help clients with de-iden- issue and name them #1 on their Inc. 5000 list tification, including homomorphic encryption, for 2020.19 While Inc. focused on OneTrust in and more sophisticated uses of differential September, this prominent acknowledgement privacy, among others.20 Alongside these new could just as easily have signaled the profound entrants into the market, existing vendors grew growth of the privacy tech industry as a whole. their offerings to help achieve privacy regulatory Initially created by computer engineers within compliance. Gartner predicted in February 2020 companies who were wrestling with the person- that over 40% of privacy technology vendors will al data passing through their systems, working use artificial intelligence by 2023, which could to assume a modicum of control over the pri- help reduce administrative and manual work- vacy and security of that data, initial privacy loads while enabling business use of data.21 tech solutions were turned into companies to offer these solutions to other businesses as a service. These initial companies offered prod- “Organizations should ucts and services to help companies achieve explore and embrace advances fidelity with their privacy and security commit- ments in their public-facing privacy policies, or in cryptography, evolving to meet contractual requirements imposed by data minimization and analysis larger companies with which they wanted to techniques, and small data/ do business. local processing trends to Many new privacy tech vendors then arose, pro- pelled forward by the European Union’s drafting sufficiently mitigate risks.” of its then-forthcoming General Data Protection Regulation and by legislators in California mod- — Jules Polonetsky and Elizabeth Renieris, ifying Alastair Mactaggart’s ballot initiative into 10 Privacy Risks and 10 Privacy Enhancing Technologies to Watch in the Next Decade22 PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 9
Recognizing this growth, 14 companies joined to- lions to adjust their entire lives and carry on their gether in December 2019 to establish the Privacy normal life, schooling, business, and recreation Tech Alliance to represent the leading edge of this activities online to the extent possible, all while global growth.23 Since that gathering, the industry's producing previously unimaginable amounts of growth has continued to accelerate. Several ex- personal data. As the privacy tech industry has perts surveyed for this report pointed to decisions discovered, while this has been damaging to so by the European Court of Justice invalidating the many businesses, this pandemic has been cat- EU-US and Swiss-US Privacy Shield agreements alytic for industry growth by forcing adoption of (the so-called Schrems II decision) and the demands privacy tech tools by companies of all sizes in of other C-Suite executives within businesses to various markets. The reasons are perhaps intu- use personal data profitably for a myriad of needs, itive: “Now, all the employees are online, all the such as training machine learning and artificial in- customers are online, all the business processes telligence systems, fine tuning marketing efforts, are online; everything has to be virtual and digital,” analyzing data to find unforeseen connections or one vendor told the authors. While the catalyst for make predictions, or speed sales. When new tools the acceleration of adoption of privacy tech was and services from niche, cutting-edge privacy tech unforeseen by vendors of privacy tech, those ven- vendors are added to these other, existing lines of dors are universally convinced that the growth of business and the number of privacy regulations the industry is not merely temporary or likely to around the world grows seemingly by the month, slow. Experts surveyed pointed to the desire by it is unsurprising to see the “staggering” growth of many businesses to simultaneously demonstrate the kind described by Inc. in the fall of 2020. the accuracy of their privacy policies, comply with Unforeseen and unforeseeable by those gathered regulations, and use their personal data for new to establish the Privacy Tech Alliance was the sud- business purposes, such as training artificial intel- den arrival of a worldwide pandemic forcing bil- ligence or fine tuning marketing. 10 PRIVACY TECH ALLIANCE + FUTURE OF PRIVACY FORUM | JUNE 2021
Specific Regulations Driving Growth of Industry D uring the last decade, numerous privacy before a regulation comes into effect,” one expert tech vendors formed companies in re- interviewed for this report said, “and after that you sponse to regulatory mandates that created see kind of a huge drop-off.” Both the GDPR and tech needs by updating or overhauling consumer the recent enactment of the California Consum- privacy regulations or legislation. For example, er Privacy Act and their creation of data subject consent management tools such as Privo, Yoti, rights have spawned a myriad of data mapping PrivacyCheq, Onano, and SuperAwesome had tools and companies. arisen to address long-standing parental consent As detailed within this report, venture capitalists requirements for businesses wanting to collect the and private equity funders are recognizing these data from minors younger than 13 years of age, in various drivers of growth and investing more of- compliance with the US Children’s Online Priva- ten and in greater dollar amounts in privacy tech cy Protection Act (COPPA). These tools became startups, providing seed funding to the most re- even more widely needed with the May 2018 cently conceived companies through enormous implementation of the European Union’s General follow-on investment rounds with later-stage es- Data Protection Regulation Article 8. “You see the tablished privacy tech vendors. biggest blip in privacy activity and demand right PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 11
Lack of Consensus Privacy Tech Definitions Limiting Growth of Privacy Tech Industry D espite the development of the privacy tech functional needs to vendors, while meaning com- market and its trajectory for accelerating pletely different things in each case. On the seller future growth, interviewees for this report side, to give another example, multiple companies identified two impediments to the industry’s might brand their products with similar terminolo- growth that are slowing both the speed of closing gy when in fact their privacy technology offerings sales contracts and the adoption of privacy tech meet very different client needs. Though there are by customers. The impediments repeatedly identi- many other examples: companies might talk past fied by those interviewed are: (i) a lack of common, one another when using the same terminology; consensus privacy tech definitions; and (ii) an un- some companies, particularly those newer to pri- clear privacy stack typology to describe business vacy technology, may lack the terminology needed needs and how the various privacy tech tools and to specifically describe their needs or offerings; services available in the marketplace might map to and other companies yet might internally speak meeting those business needs. Both impediments different languages when describing how privacy were challenging to vendors and would-be pur- technologies could meet their business needs. chasers of privacy tech, but together they create “Most lawyers don’t get tech, and most technicians compounding difficulties that are limiting privacy don’t get law, and so it’s not that they necessarily tech adoption. want to battle, but they do,” one vendor told the First, because the privacy technology market is rel- authors. “They don’t listen to each other, and even atively nascent, there is no clear set of shared ter- when they talk to each other, they use different minology used by buyers and sellers in the market. words for the same thing.” Further, another vendor On the buyer side, for instance, three medium-sized said, this shared vocabulary problem is driven by businesses in search of privacy technology might company self-marketing as well: individual firms all use the term “data mapping” to describe their that “plant a flag, create a category” and then “try 12 PRIVACY TECH ALLIANCE + FUTURE OF PRIVACY FORUM | JUNE 2021
and actually identify the people you want in that tify that they are meeting requirements imposed category and then obviously try and push out the through contract by their own customers. Buyers people you don’t” for competitive purposes. This may not have conviction that any privacy tech lack of shared terminology simultaneously reflects obtained from a third-party satisfies regulatory, and contributes to gaps, misalignments, and mis- statutory, or judicial requirements. understandings between buyers and sellers about While it was clear there were not yet consensus regulatory compliance needs, privacy technologies definitions, consensus was clear among those on the market, and how the two fit together in the interviewed that collective action should be taken context of companies’ existing data, technologies, between privacy tech vendors, perhaps working and business processes. with organizations that can convene stakehold- The lack of consensus definitions creates nu- ers from all sides of industry, academia, and key merous business problems. On a basic level, this non-governmental organizations, to develop creates a problem as old as contracting itself in consensus definitions. “Future of Privacy Forum,” which a buyer and seller may not reach a meeting one vendor told the authors unprompted, “could of the minds about what is being offered and what be absolutely the place to develop such a vocab- is being obtained in any privacy tech contract. ulary.” Some of those interviewed would go fur- This leads to lengthy delays and multiple extra ther and utilize standard-setting bodies to further turns before contracts could be consummated confirm legitimacy on definitions developed in to purchase privacy tech services. One expert common, and other interviewees were eager to interviewed suggested that this unnecessarily see any definitions ratified by privacy regulators, slowed the time to closure of any contract by add- legislative bodies, or courts to provide the privacy ing numerous logistical and legal hoops before tech industry with greater certainty; turning to the even getting to the integration of the privacy tech National Institute of Standards and Technology services into the business’ information technolo- (NIST) in the United States was just one example gy environment. Buyers may not be able to cer- provided by a vendor.24 PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 13
The Privacy Technology “Stack” T he problem of a lack of consensus privacy This report section therefore introduces a typolo- tech definitions is compounded by a sec- gy for privacy technologies aimed at tackling this ondary problem, which is that not only may challenge. The purpose is to address a lack of a buyers and sellers of privacy tech be using the clear framework and clear set of shared vocab- same words, terms, and phrases to mean different ulary with which buyers and sellers can analyze things, but they may be contemplating the use of and discuss the privacy technology market. The privacy tech for very different purposes than what purpose is also to link together business pro- was intended due to evolving needs of the busi- cesses that companies perform with business ness customers purchasing privacy tech solutions. outcomes that companies desire to achieve with In short, and as discussed in further detail through- privacy technologies. After all, as one vendor put out this report, some businesses are seeking pri- it to the authors, “You don’t collect and store data vacy tech that allows them to do more than simply to just keep it—you’re doing it to use it.” control personal data, or control personal data and comply with data privacy and security regulation. By no means is this the only framework that has Now, many businesses may be intending to obtain been introduced to understand the privacy tech- from privacy tech vendors tools and services that nology market: the International Association of simultaneously allow their businesses to control Privacy Professionals, for example, published a personal data, comply with a myriad of regula- typology of privacy technologies in 2019, bro- tory mandates concerning that data, and extract ken down into privacy technologies for “privacy value25 from that data. This maturation of privacy program management” and those for “enterprise tech customer needs has, according to many in- privacy management.” Within each of those cate- terviewed for this report, caused extra confusion gories, the IAPP report then broke down privacy between buyers and sellers that requires not only technologies by actions firms might need to take the creation of consensus definitions but also a (e.g., “data mapping”, “website scanning”).26 new understanding of the “privacy stack.” 14 PRIVACY TECH ALLIANCE + FUTURE OF PRIVACY FORUM | JUNE 2021
Rather than focus entirely on specific technologies the unique buyer’s existing processes. And third, or functions, however, the typology introduced in in the future, existing privacy technologies might this report focuses on business process and busi- evolve, market demand for now-emerging privacy ness outcomes. It does this for several reasons. technologies might grow, and innovators could First, numerous buyers and sellers with whom we develop privacy technologies that do not yet exist. spoke conveyed experiencing or encountering While any set of terminology will have to be reas- confusion in the market with how privacy technol- sessed if not updated as the privacy tech market ogies plugged into existing business operations.27 matures, focusing a typology on business outcomes There can be too much focus on single technolo- rather than on specific technical solutions might gies or discrete business needs in ways that ob- help create a terminology with more longevity. scure the broader goal of using privacy tech to fuse processes with desired outcomes. Second, small- The privacy “stack” for understanding the privacy and medium-sized businesses may have different technology market is composed of three “layers” technology needs than large enterprises, and they (see diagram on previous page). The first and may have very different information technology innermost layer is personal data itself. When a infrastructures (e.g., smaller firms outsourcing their business is using privacy technologies, the center data to a third-party cloud provider versus larger is data—and the key questions focus on the ba- firms running their own servers in-house). This can sics: what data fields are available, categorization, further fragment the terminology used by buyers storage and access details. The earliest privacy and sellers to discuss privacy technology, including technologies were either built natively within because it does not adequately include a focus on companies or purchased by the earliest vendors The Privacy Technology “Stack” LAYER 1: DATA Data Availability & Movability LAYER 2: PROCESSES LAYER 3: OUTCOMES Information & Data Governance Environmental, Data Protection for Social, & Corporate People & Assets Governance Data Protection for People & Personal Privacy Assets Data Management Risk Management Data Ethics & Data Value Compliance Creation/Analysis Tim Sparapani and Justin Sherman for the Future of Privacy Forum PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 15
in the market—and were typified by systems that nologies, stacked on top of and integrating with attempted to help businesses simply gain control business processes (the second layer), can en- over the personal data they encountered as part of able the business outcomes at this layer. Privacy their business. For example, in addition to siloing technologies can also enable these five outcomes personal data from information about individuals to interrelate and interconnect, and, ideally, to not requiring protection, these technologies may coexist simultaneously: so that data value anal- have segmented out “sensitive data” for addition- ysis/creation and ethics and compliance are not al control features, or simply provided consumers mutually exclusive, for example. The layers of the with adequate notice to help a business achieve “stack” are described in more detail below. requisite consent to collect that personal data. Data is the foundation of any privacy discussion. The second and middle layer is composed of four Depending on the legal jurisdictions in which a business processes: information and data gover- business operates, terms such as “sensitive data,” nance; privacy management; risk management; “personal health information,” or “personally iden- and privacy operations. Privacy technologies can tifiable information,” among others, may have par- pair with or enable business processes at this ticular importance for a business in the first-layer, layer, stacking on top of the personal data a busi- early stage of assessing their privacy technology ness accesses (the first layer). These processes all system: they will guide legal and regulatory com- interact and interrelate, and they may also be in pliance and possibly contractual compliance as constant evolution; for instance, risk management well.29 Businesses may collect, analyze, store, or is not an action performed just once. Finally, the move data on customers, employees, contractors, third and outermost layer is composed of five and innumerable other actors (clients, prospective business outcomes: data availability and movabili- customers, etc.) with which the business interacts. ty; data protection for people and assets; data val- Individuals are the center of this data, and it is ue creation/analysis; data protection components their privacy that is concerned when businesses of ethics and compliance28; and environmental, collect, store, and process their information. social, and corporate governance. Privacy tech- Layer #1 of the Privacy Tech “Stack” Privacy Tech 1.0: Focus on Data Control LAYER 1: DATA Personal Data Tim Sparapani and Justin Sherman for the Future of Privacy Forum 16 PRIVACY TECH ALLIANCE + FUTURE OF PRIVACY FORUM | JUNE 2021
The second layer of the privacy tech “stack” is control technologies to limit employee access to composed of business processes that can be customer data, as part of the business’ informa- supplemented or enabled by privacy tech of- tion and data governance processes. This layer ferings. For example, a business might build or is stacked on top of the business’ data, which purchase a technology to generate data privacy may be subject to privacy requirements based compliance assessments, as part of the business’ on contractual requirements, regulatory require- existing privacy and risk management processes, ments, legal requirements, business reputational or a business might build or purchase data access goals, and other factors. Layer #2 of the Privacy Tech “Stack” Privacy Tech 2.0: Focus on Regulatory Compliance Information & Data LAYER 2: PROCESSES Governance Data Protection for People & Personal Privacy Assets Data Management Risk Management Tim Sparapani and Justin Sherman for the Future of Privacy Forum There are four business processes in layer 2 of the privacy stack. LAYER 2 PROCESS PROCESS DESCRIPTION Developing internal rules, protocols, and procedures for the Information and data governance collection, handling, transfer, storage, and analysis of data Developing processes, procedures, knowledge bases, and Privacy management other toolkits for internally assessing privacy of data Developing internal rules, protocols, procedures, and strategies for navigating and mitigating risks of data collection, storage, Risk management and use; conversely, also using data to navigate and mitigate business risks Building or acquiring the technologies and services to actualize Privacy operations data privacy definitions PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 17
The third layer of the privacy tech “stack” is com- comes is being measured as part of environmental, posed of business outcomes that can be supple- social, and corporate governance analysis.30 This mented or enabled by privacy tech offerings. For third business outcome layer is stacked on top of example, a business might build or purchase a tech- the business’ processes, which may themselves be nology to identify customer data in a visual interface supplemented or enabled by privacy technology for customer relations and marketing personnel, or offerings. Much like business processes relevant to a business might build or purchase differentially data privacy, privacy technologies acquired for spe- private algorithmic tools to mask individual iden- cific business outcomes are driven by contractual tifiers in a dataset while also enabling analysis on requirements, regulatory requirements, and numer- the data to create economic value for the business’ ous other factors. There is also a growing business marketing and data science teams. Increasingly, imperative in some cases for ethical data review measuring performance for these business out- and/or data-sharing with other firms. Layer #3 of the Privacy Tech “Stack” Data Availability & Movability LAYER 3: OUTCOMES Information & Data Governance Environmental, Data Protection for Social, & Corporate People & Assets Governance Data Protection for People & Personal Privacy Assets Data Management Risk Management Data Ethics & Data Value Compliance Creation/Analysis 18 PRIVACY TECH ALLIANCE + FUTURE OF PRIVACY FORUM | JUNE 2021
There are at least five business outcomes that have been identified in layer 3 of the privacy stack. LAYER 3 OUTCOME OUTCOME DESCRIPTION Data availability and Chief Information Officers and other technology personnel ensuring data is readily available movability for use and is quickly and reliably transferred around the world Data protection for people Chief Information Security Officers and other information security personnel ensuring data’s and assets confidentiality, integrity, and availability [not the focus of this report] Chief Data Officers, Chief Marketing Officers and their marketing teams, and other data Data value creation/analysis science personnel ensuring data generates and can be used to generate (e.g., through analysis) value for the business General Counsels, Chief Privacy Officers, Chief Ethics Officers, legal teams, and other Data protection as ethics and compliance personnel ensuring data is legally collected, stored, transferred, and otherwise compliance processed based on applicable regulations Environmental, social, and Investors, board members, and corporations in general increasingly making environmental, corporate governance social, and governance factors a business priority, including the protection of data The fact that privacy technologies must integrate stood as representing a static market or a static with existing business processes may seem ob- set of business activities. As the market introduc- vious, but it’s worth noting explicitly. The three es new technologies, there may be more potential layers visualize this: to develop a plan for priva- business outcomes added to the third layer, for cy, a company must have data or be acquiring instance. As a business acquires new data, new data. Building out from there, companies must customers, and new technologies, to give another figure out how data maps to existing business example, it may reevaluate the privacy technology processes, like risk management or information offerings used to enable or supplement various governance. From there, companies can “stack” business processes or data outcomes. privacy technologies on top of those business The key is understanding that privacy tech offer- processes in order to achieve specific outcomes ings in the market can fill different needs in the with respect to data, which increasingly are mea- process layer and in the outcomes layer. In this sured at the Board level or by investors seeking way, the privacy tech “stack” offers a framework to assess environmental, social, and corporate for analyzing the privacy tech market, analyzing governance vis-à-vis data ethics and compliance. specific privacy technologies, and moving towards Privacy technologies can sit in these two outer a set of shared vernacular about privacy tech. The layers. For a company to have a mature privacy next three sections therefore apply this privacy technology system, it cannot have privacy tech- tech “stack” to analyzing the buy side of the pri- nologies to achieve discrete outcomes without vacy tech market, the sell side of the privacy tech underlying business processes in place, and it market, and the future of the market, respectively. cannot have processes oriented around data It combines the stack representation with research without privacy technologies that achieve specific conducted for the report, including from a litera- needed outcomes for the business’ data. Mature ture review and conversations with dozens of sub- privacy technology systems are also continuously ject matter experts in the privacy tech field. evolving: the framework should not be under- PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 19
The Buy Side of the Privacy Tech Market T he privacy tech stack can be used to under- applied in this section to better understand this stand the buy side of the privacy technology buyer side of the market. market by highlighting the business process- es and desired outcomes of different buyer stake- holders. Based on the authors’ conversations with “We’re increasingly seeing on buyers and sellers in the privacy tech market, privacy technology vendors might approach any the business side that they see number of individuals at a client or potential client [data] as an asset, and they know organization to sell their offerings: the Chief Priva- they have to worry about the cy Officer (CPO), Chief Data Officer (CDO), Chief Technology Officer (CTO), Chief Information Offi- privacy component, but they are cer (CIO), and Chief Information Security Officer primarily interested in solving a (CISO), in addition to the likes of marketing teams, business problem.” legal teams, and customer relations teams. Buying power tends to be concentrated with CTOs, who — Executive at Privacy Tech Vendor may have the largest budget for privacy technol- ogies relative to other stakeholders in the afore- mentioned list. Any one business, however, may There are often many stakeholders in any one have a range of individuals within the organization business with interest in buying privacy tech- with an interest in privacy technology, varied giv- nology. Framing the privacy technology market en their data needs. They may also have different with the privacy tech stack can help illuminate budgets and technology interests depending on the processes with which these stakeholders are the company. The privacy tech stack offered in this involved (e.g., risk management) and how their de- report, focused on the layering of data, business sired business outcomes (e.g., data value creation/ processes, and business outcomes, is therefore analysis) drive their purchasing outlook. Chief Pri- 20 PRIVACY TECH ALLIANCE + FUTURE OF PRIVACY FORUM | JUNE 2021
vacy Officers are the most likely to have fluency in privacy technology from the buyer side and are Conclusion routinely consulted concerning the suitability of pri- vacy technology offerings to satisfy personal data Roles in the C-suite with stake in buying privacy control and regulatory compliance requirements. tech are expanding beyond CTOs, CPOs, GCs, CPOs may be plugged into several of the layer 2 and CISOs, to include other stakeholders like business processes, like privacy operations and CMOs, CSOs, and Chief Data Scientists. risk management, and out of all the layer 3 busi- ness outcomes, they need to make the business’ For any particular stakeholder on the buyer side, data privacy compliant. Similarly, General Counsels understanding the processes in the privacy tech and legal teams with privacy experience are often stack into which they are integrated, and the busi- consulted to ensure that any privacy technology ness outcomes in the privacy tech stack which being considered will solve, not create, privacy they desire, can help the stakeholder navigate the regulatory or privacy contractual difficulties. Chief privacy tech market through better understanding Technology Officers and Chief Information Of- of what needs a privacy tech offering should fill. ficers are involved with the information and data Conversely, for those selling privacy tech to a po- governance process in layer 2, and they may have tential stakeholder at a company, using the privacy several business objectives in layer 3, including tech stack to understand that stakeholder’s par- making data available and movable. The list goes ticular personal data (layer 1), business processes on: Chief Data Officers need to enable data value (layer 2), and needed/desired business outcomes creation/analysis, for such functions as monitoring (layer 3) can help frame what that individual might internal systems and conducting machine learning be looking to purchase. For instance, privacy tech on customer data to generate economic value; is increasingly intersecting with the information Chief Information Security Officers need to make and data governance process, including such data secure (e.g., ensure its confidentiality, integ- questions as who has access to what data, how rity, and availability); customer service teams need data is described in business terms, how those data to be identifiable, so they can read customers’ business terms are propagated to personal data, data when interacting with them and even possibly and so on. This process-outcome framing may modify it if needed; and so on. As one vendor on help to better illuminate how a privacy tech may the sell side told the authors, “We’re increasingly fit into the business’ activities and technologies, seeing on the business side that they see [data] as and how it could meet needs, without becoming an asset, and they know they have to worry about too focused on technical terminology. This range the privacy component, but they are primarily inter- of stakeholder needs on the buy side, even within ested in solving a business problem.” a single business, contributes to the problem of A clear conclusion emerging from the interviews no shared vernacular to discuss privacy tech in was that the potential set of customers (by role) the market: lawyers may have less exposure to within businesses considering privacy technology technology and may preference legal definitions, purchases is expanding. “It’s an infinite universe technologists may have less exposure to law and of challenges and things you might have to deal may preference technical definitions, various with in terms of business cases,” one vendor business units may have different perspectives on told the authors. Because we have entered the technology, and so on. Privacy Tech 3.0 market phase, the key buyers of From buyer to buyer, the same respective stake- privacy tech within large companies have shifted holder’s budget, specific needs, and business-in- from the Chief Privacy Officer (Privacy Tech 1.0), to ternal technological capacity varies. Large enter- the General Counsels, Chief Information Security prises, for example, may be more likely to maintain Officers, and Chief Technology Officers (Privacy their own information technology infrastructure Tech 2.0), to the Chief Marketing Officers, Chief for data storage in-house, such as managing their Strategy Officers, and Chief Data Scientist (Priva- own servers. CTOs or CIOs at those firms may cy Tech 3.0). The individual who continues to have therefore have disproportionately larger budgets the budget for software purchases tends to be the for data and information governance functions. Chief Technology Officer, despite these changes. Smaller- and medium-sized businesses, by con- PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 21
You can also read