
The companies benefiting from fragmenting internet privacy rules

In an attempt to rein in tech giants such as Facebook and Google, governments around the world in recent years have approved new laws governing how websites must handle consumer data, treat their competitors and protect young people

By David McCabe
Published: Dec 28, 2021

Kabir Barday, CEO of OneTrust, at the company’s headquarters in Sandy Springs, Ga., Dec. 9, 2021. “Capitalism and commercial interest is not at odds with doing good for the world,” Barday said. (David Walter Banks/The New York Times)

SANDY SPRINGS, Ga. — In 2018, California lawmakers mandated that consumers be able to request their personal data from companies through a toll-free number. And then a group of lawyers, engineers and salespeople for a company in Atlanta got to work.

The company, a startup called OneTrust, now based in a suburb on the city’s outskirts, makes software for businesses trying to stay on the right side of the growing number of internet regulations. In response to the new California law, OneTrust made it easy for companies to set up a number to manage the requests.

In an attempt to rein in tech giants such as Facebook and Google, governments around the world in recent years have approved new laws governing how websites must handle consumer data, treat their competitors and protect young people. The European Union has a data-privacy law that governs the entire bloc. California has approved two privacy measures in recent years, and other states have followed suit.

Out of those regulations has arisen something else: an industry to help companies navigate the increasingly fragmented rules of the global internet.

It’s a booming market. OneTrust, a leader in the field, has been valued by investors at $5.3 billion. BigID, a competitor, raised $30 million in April at a $1.25 billion valuation. Another company that targets privacy regulations, TrustArc, raised $70 million in 2019. Yoti, a startup that provides the kind of age-verification services that regulators are increasingly turning to to shield children from harmful content, has raised millions of dollars since it was founded in 2014.

The emergence of these companies shows how complex regulations governing the web have become — and how much more complicated they are expected to get. Several privacy laws will take effect around the world in the coming years, with more countries and states expected to consider their own proposals.

“They are all reactions to an underlying problem — and they all have their own flavor, they all have their own interpretations and they all have their own focus points,” said Bart Willemsen, an analyst at Gartner, a market research firm. “These regulatory changes nudge organizations — in addition to perhaps any ethical concerns they may have had — to really up their game here.”

Many of the new companies owe their start to the General Data Protection Regulation, an EU law passed in 2016 that pushes websites to ask their users if they agree to being tracked online. It also mandates companies to catalog the personal data they hold.

The European rule was a landmark moment in the fracturing of internet regulation, putting Europe far ahead of Washington in creating guardrails for tech.

“We’re definitely kind of a child of GDPR,” said Dimitri Sirota, CEO of BigID, which was founded the year the law passed. In its earliest days, BigID helped companies map out their data holdings so they could respond to requests under privacy laws. The company now has offices around the world, including Australia, Israel and Switzerland.

OneTrust also owes its birth to the European law. CEO Kabir Barday started the company in 2016, when he saw companies preparing to comply with the rules.

Under the European rules, websites largely must get users’ permission to use cookies, the tiny bits of code that can be used to track people as they move around the internet. In practice, that has meant that visitors to a website are often presented with a pop-up menu or a banner asking them if they will agree to be tracked.

OneTrust helps companies add those banners to their sites. Its clients include pocket-tool maker Leatherman, furniture titan Herman Miller and California fashion designer James Perse, who sells $70 white T-shirts that are a favorite of Evan Spiegel, creator of Snapchat.

In 2018, lawmakers in California passed their own privacy rules, which gave users in the state the right to request their personal data from websites. Demand from companies racing to meet the California law was strong, said Barday.

“A customer would say, ‘Kabir, we need to get started today,’” he said. “And I just said, ‘Customer, we just had, in that time period, a thousand customers in about one quarter that came to us and just said the same thing.’”

Today, OneTrust and its competitors advertise that they can help clients comply with privacy laws in numerous countries, including Brazil, and in American states, including Nevada. OneTrust hands out spiral-bound texts of the California and European laws as swag.

Gabrielle Ferree, a OneTrust spokesperson, said its largest customers generally choose products at a price point that “runs in the six- to seven-figure range annually.”

Products meant to meet new internet regulations may vary in how effectively they actually protect the privacy of people browsing the web, experts said.

A website can, for example, nudge a visitor to agree to being tracked by using a more prominent color for the button that accepts cookies than for the button that rejects them. Or it can present a user with an uneven choice: accept ad tracking with one click or disable it using a complicated settings menu on a different page.

“I really think it’s up to the businesses, and they’re well within their power to make it easier for consumers to opt out or opt in,” said Maureen Mahoney, a policy analyst at Consumer Reports.

On a recent Thursday, a smattering of employees gathered to watch part of OneTrust’s annual conference for its customers. They tapped away on their laptops while the warmup act — a British duo composed of a man who spins upbeat music from a set of turntables while his partner jams on her saxophone — played in the background.

The DJ and the saxophonist wrapped up and Barday appeared on the screen. In a sleek, prerecorded video, he laid out the company’s priorities.

“No. 1: Do not lose focus on privacy because this is complex and getting more complex,” he said.

©2019 New York Times News Service