Professional Documents
Culture Documents
Privacy Tech's Third Generation, June 2021
Privacy Tech's Third Generation, June 2021
Privacy Tech’s
Third Generation
A Review of the Emerging Privacy Tech Sector
AUTHORED BY
The Future of Privacy Forum launched the Privacy Tech Alliance (PTA) as a
global initiative with a mission to define, enhance, and promote the market
for privacy technologies. The PTA brings together innovators in privacy tech
with customers and key stakeholders. Privacy Tech companies can apply to
join the PTA by emailing PTA@fpf.org.
Overview of Conclusions____________________________________ 3
Overview of Recommendations_______________________________ 6
Introduction______________________________________________ 7
Conclusions______________________________________________31
Recommendations________________________________________ 35
Endnotes _______________________________________________ 48
PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 1
EXECUTIVE SUMMARY
T
he privacy technology sector, until and value of personal data held by a busi-
recently composed of relatively small ness (Privacy Tech 3.0).2 This report explains
startups focused on providing con- this typology and describes a taxonomy of
sumer data privacy regulatory solutions for terms and relationships to provide a consis-
businesses, is at an inflection point. The tent understanding of customer needs and
sector is rapidly maturing and expanding privacy tech offerings commonly associated
both in terms of the number of vendors with this privacy stack.
and the products and services those ven-
Second, this report provides an analysis of
dors offer. Business customers increasingly
market dynamics around privacy tech—from
are seeking privacy tech partners that
buyer and seller perspectives—in addition to
provide easily integrated solutions to all of
a description of trends and predictions. The
a business’ data needs, and vendors are
report’s authors found striking consensus
moving rapidly to meet this demand. This
about the direction of the privacy tech in-
report is a review of that market, focused
dustry, potential impediments to its growth,
on current developments and progress.
likely drivers of future acceleration, and
It also identifies misalignments within the
recommendations for industry-led efforts to
market; trends in the future of privacy tech-
eliminate those impediments. Sophisticated
nology; and recommendations to address
providers of privacy tech and sophisticated
current challenges.1
purchasers of privacy tech identified as a
The report offers a privacy “stack” typology major obstacle the lack of common privacy
for analyzing and understanding the privacy vernacular to define terminology and the
tech market today. It suggests that privacy inconsistent typification of the so-called pri-
tech has evolved through three main phases vacy stack, i.e., the technologies that were
into the Privacy Tech 3.0 landscape seen core to the privacy technology industry.
now. The field started with an initial phase
Finally, this report identifies five market
of privacy and security tech industry technol-
trends and seven implications those trends
ogy ideation and vendor formation (Privacy
hold for the future of the privacy tech market.
Tech 1.0), and then developed into a privacy
It then lays out a work plan of recommenda-
and data security privacy tech landscape of
tions to facilitate the growth and maturation
technologies built natively within large com-
of the privacy tech industry.
panies, as well as increasingly sophisticated
privacy tech vendors offering their services This report does not address the market for
chiefly to support privacy regulatory com- cybersecurity services or identity services.
pliance (Privacy Tech 2.0). Now the field has Although many of these vendors provide
started to develop into a new state involv- services often described as privacy related,
ing niche privacy tech vendors offering an they serve a different market purpose. It also
essential or bespoke tool or technology for does not cover the growing number of busi-
sale, and horizontally-integrated vendors or ness-to-consumer services which seek to
joint ventures between providers that offer help consumers request their data, monetize
tools for regulatory compliance and tools to their data, or perform other consumer-driven
maximize control over and the availability functions with respect to data.3
T
o research this report, the authors conduct- › The lack of common understanding about
ed more than 30 hours of interviews with privacy terms is limiting the growth of the
dozens of the world’s leading experts on the privacy tech industry. With respect to some
privacy tech market, including buyers of privacy privacy tech offerings, it is unclear whether
tech services and sellers of privacy tech services. vendor-developed privacy tech is sufficient
These interviews yielded important insights on the to satisfy the regulatory compliance or
state of the privacy technology market from lead- business needs of would-be purchasers.
ing thinkers and industry participants. Several clear › In addition to lacking a common vernacular
themes emerged on key issues, allowing us to offer to describe privacy tech, there is no
the following conclusions and recommendations: commonly accepted methodology for
› The COVID-19 pandemic has globally characterizing what technologies and
accelerated marketplace adoption of privacy services are part of the privacy technology
industry or the so-called privacy stack. Many
technology as individuals and organizations
interviewed for this report, from both the sell-
worldwide became more heavily dependent
side and buy-side, agreed that it would be
on digital technologies and services. It is
useful to classify privacy tech companies by
unclear if this is a one-off event or a growth
the “business needs” their offerings satisfy.
pattern that will sustain, but increased
purchasing of privacy tech is clear. › The lack of common vernacular and
inconsistent typology for the privacy stack
› Common drivers of initial privacy technology
may also be causing some misalignment
purchases are regulatory compliance needs,
between the privacy tech available in the
contractual requirements with customers,
market and the needs of buyers.
and slowly emerging recognition of the
reputational risks associated with data › The leading edge of the market has passed
privacy breaches, broadly defined. These through two initial stages of privacy tech
initial drivers often lead purchasers of and has entered a third. The first stage was
privacy tech to explore other opportunities typified by technologies engineered natively
to deploy additional privacy tech offerings. within some companies and offered by early
Regulations by and large remain the biggest vendors for sale to achieve a modicum of
driver for privacy technology adoption, control over the personal data processed
but the others are growing in importance by a business (Privacy Tech 1.0). The second
to the extent that privacy is becoming a stage was the development of technologies
competitive differentiator in some sectors. engineered natively within large companies
Organizations are also deploying additional well-resourced enough to devote
tools to mitigate potential harms caused by engineering capabilities to regulatory
the use of data.4 compliance solutions and horizontally-
integrated companies or collaborations
› While jurisdictions in the US and around between companies offering personal data
the globe have incorporated key concepts regulatory compliance services and tools for
from other jurisdictions’ consumer privacy sale (Privacy Tech 2.0).
regulatory schemes into their own, the
› Recently, privacy tech offerings are
privacy landscape is expected to become
expanding well beyond products and
more complex and less homogenous as
services that assist in regulatory compliance
jurisdictions begin to diverge and increase
into products and services that assist
regulatory complexity.
businesses in making the personal data they
› Common privacy terms, including those encounter both maximally available and
included in statutes or regulations, are not maximally valuable for business services
uniformly defined or understood. (Privacy Tech 3.0). For example, privacy tech
PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 3
OVERVIEW OF CONCLUSIONS
tools are increasingly available to assist “breakthrough” or “highly innovative”
with business needs across the business technology or service, which can justify a
enterprise, serving: (i) CIOs in making contract with a vendor for just one niche
personal information accessible; (ii) CMOs product or service.
in making personal information available › Because of buyers’ increasing preference
for marketing and advertising; (iii) Chief to buy horizontally-integrated privacy tech
Data Scientists in unlocking new insights services, better-resourced privacy tech
from personal information; and (iv) CISOs in companies with numerous, fully developed
securing data; etc. tools and services are leading current
› Because we have entered the Privacy market share.
Tech 3.0 market phase, the key buyers of › There is evidence of companies attempting
privacy tech within many large companies to provide horizontally-integrated services
have shifted from the Chief Privacy Officer as many privacy tech vendors add new
(Privacy Tech 1.0), to the General Counsels, features. However, companies that offer
Chief Information Security Officers, and Privacy Tech 3.0 services focused on
Chief Technology Officers (Privacy Tech maximizing data value within regulatory
2.0), to the Chief Marketing Officers, Chief limits are also increasingly providing
Strategy Officers, and Head Data Scientist offerings in the Privacy Tech 1.0 and Privacy
(Privacy Tech 3.0). The individual who 2.0 services to compete with traditional
continues to have the budget for software privacy tech vendors.
purchases tends to be the Chief Technology
Officer, despite these changes. The Chief › This buyer preference for horizontally-
Privacy Officer continues to be an influencer integrated privacy tech services may lead
of these purchases, but should recognize to industry consolidation in the near term.
this development as a call to embrace For example, recently, some privacy tech
the skills and scope of responsibilities to companies have merged or acquired
maintain a leadership mandate. rivals or providers of adjacent privacy tech
products. Further, some private equity
› For many companies, especially small- or companies appear to be “rolling up” privacy
medium-sized businesses and those that tech startups into larger offerings. Some
tend to serve only one regulatory market, providers are employing a third strategy
Privacy Tech 2.0 or even 1.0 solutions may of formally entering into partnerships,
be sufficient to meet their needs. However, joint ventures, cross-selling, or similar
buyers serving global markets increasingly collaborations. It is perceived by some that
need to build or buy privacy tech that niche providers may increasingly struggle
supports controls, regulatory compliance, unless they are able to offer an entire suite
and data availability and value. In short, of services.
while the market for privacy tech is maturing
› While the privacy tech market and privacy
there is evidence of market segmentation
vendor strategy for ensuring longevity
between buyers, and the most sophisticated
and growth is undergoing transformation,
companies will need all three evolutions of
there is striking consensus about the
privacy tech solutions.
determinative factors of how buyers choose
› Buyers of privacy tech often prefer to whether to buy or build privacy tech.
buy integrated privacy tech products that Our surveys found commonality among
accomplish numerous business needs respondents about who in the corporate
rather than one-off, standalone privacy organizational structure often has the
tech solutions. The exception to this rule budget to purchase privacy tech, who in that
is when a privacy tech vendor offers a structure identifies the business needs to be
PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 5
OVERVIEW OF RECOMMENDATIONS
› Privacy tech stakeholders should develop › Further research should explore what
and promote voluntary, shared, consensus- unique needs, if any, small- or medium-sized
driven vernacular in the privacy technology enterprises may have relative to those of
market for the benefit of both buyers and large enterprise buyers of privacy tech.
sellers. Consensus definitions should
› Future research might also explore whether
then be used to facilitate developing a
the needs for privacy tech solutions differ
common typology for descriptions of the
between industry types in a meaningful way.
tools and services developed natively or
made available for sale in the privacy tech › Future research might also consider
marketplace. whether businesses that solely or
primarily interact with the personal data of
› A trusted body should provide common
individuals from just one country or region
definitions and standards for privacy
have different privacy tech interests and
enhancing technologies (PETS) such
needs than do businesses interacting with
as differential privacy, homomorphic
personal data on a multinational level.
encryption, federated learning, and similar
technologies, and should indicate the › Vendors should recognize the need to
maturity and utility of these technologies provide adequate support to customers
for different business cases, as well as to to increase uptake and speed time from
how the uses of these PETS map to legal contract signing to successful integration.
requirements.5 Buyers will often underestimate the time
needed to integrate privacy technologies
› Further research should be conducted
and services into their existing business
to identify market segmentation and
operations and may therefore need further
stratification in buyers based on the size of
assistance in realizing that integration.
the corporate entity, the sophistication of the
buyer, the industry sector, and other factors.
C
ountries around the globe are advancing tion of additional, comprehensive regulatory pro-
regulations that put in place comprehensive posals by other influential members in each body.
requirements for the processing of personal The Federal Trade Commission has traditionally
information. The European Union’s General Data avoided rulemaking due to the rulemaking con-
Protection Regulation (GDPR) went into effect in straints the agency faces, but has recently indicat-
20186 and established extensive requirements on ed that it is ready to advance a rulemaking effort
private and public sector entities providing services in support of privacy requirements, in the absence
to data subjects in the EU, such as requiring a legal of Congressional action.13
basis for processing data, registers of data pro- To support this rapid regulatory explosion, the
cessing, data protection impact assessments and “privacy technology” market is growing rapidly
balancing tests, consent management, privacy by around the world. New or improved technologies
design and making data available for access, dele- are advancing in the market to support de-iden-
tion, and correction. The GDPR has proved to be a tification, privacy impact assessments, consent
spur for global regulation, with numerous countries agreement design, data pipeline management,
adopting legislation influenced by the GDPR or up- and similar techniques that are becoming essen-
dating current laws to maintain or achieve an ade- tial to a business’ regulatory compliance strategy.
quacy determination by the European Commission Meanwhile, emerging techniques like differential
that supports international data transfers. Major privacy, used to assess mathematical guarantees
markets such as India, China, Brazil, Japan, South of disclosure control for a particular privacy mod-
Korea, and Canada have been particularly active. el, are becoming commercialized as well. Venture
At the very end of 2019, India published a draft capital firms are investing in the privacy sector,14
law that would update that nation’s privacy laws. encapsulating a global trend that follows a market
During the drafting of this report, Brazil finalized its demand for privacy technologies driven by the
consumer privacy regulation,7 and both China and GDPR and the CCPA.15 All told, privacy technology
Canada published draft consumer privacy laws.8 is a nascent market but a growing one, and will
South Korea and Japan have updated legislation continue to expand as privacy becomes a more
as part of adequacy negotiations with the EU. important part of regulatory compliance, business
In the US, California in 2018 passed the California competitiveness, and consumer trust around the
Consumer Privacy Act (CCPA).9 Just months after world. It is for this very reason that in 2019, the
finalizing regulations implementing the CCPA, Future of Privacy Forum and the Israel Tech Policy
California voters expanded the law via a ballot Institute established the Privacy Tech Alliance,
initiative to further establish privacy requirements bringing together privacy innovators, academics,
for businesses, seeking to incorporate protections governments, and companies with interest in
inspired by the GDPR.10 In 2021, Virginia passed privacy technology’s growth.16 The International
legislation with similarities to the California Privacy Association of Privacy Professionals has rapidly
Rights Act (CPRA), enhanced by consent require- grown to 70,000 members, and new conferences
ments for sensitive data but greater flexibility for have emerged to serve technology and engineer-
advertising.11 Massachusetts, Nebraska, New York, ing sectors of privacy, such as PEPR (Privacy En-
Florida, and Washington, Connecticut and Colora- gineering Practice and Respect) and The Rise of
do are just a few of the states that have extensive Privacy Tech, joining long established technology
activity around data protection legislation.12 As of or research focused conferences.17
the spring of 2021, Congress has yet to act, but Despite all this, however, there are few compre-
consumer data privacy law proposals have been hensive examinations of this “privacy technology”
set forward in the Senate Commerce Committee, marketplace. Limor Shmerling Magazanik, man-
the leading committee of jurisdiction in that body, aging director of the Israel Tech Policy Institute,
and the leaders of the House Energy & Commerce frames this as a problem of developing bridges
Committee have promised to develop a proposal. to close existing gaps.18 In other words, there is a
Further momentum is evidenced by the introduc- need to assess and evaluate gaps, misalignments,
PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 7
INTRODUCTION
and misunderstandings that may exist between › First, it introduces the global growth of
buyers looking for privacy technologies to meet the privacy technology market. Second,
their needs—whether small- or medium-sized it discusses specific regulations driving
businesses or large enterprises with significant
privacy technology adoption by businesses.
amounts of user data and information technolo-
gy infrastructure—and the sellers offering those › Third, it discusses the lack of shared
privacy technologies to said firms. Mapping out vernacular to discuss privacy technologies
these gaps, misalignments, and misconceptions and the privacy technology industry. Fourth,
can help buyers, sellers, and policy analysts work-
it introduces a privacy “stack” typology,
ing in or observing the space to better understand
where the market is today; where the market is broken into three layers, that serve as both
headed; and how these technologies impact a a lens of analysis and a contributing solution
business’ compliance with privacy regulation in- to the problem of shared vocabulary.
creasingly put into place around the world. Fifth and sixth, respectively, it applies this
Written over the course of five months, this report typology to the buy and sell side of the
presents a mapping of the privacy technology mar- market, combined with interviews with
ketplace, the involved buyers and sellers, and the subject matter experts, to capture gaps,
gaps, misalignments, and misconceptions at play. misalignments, and mis-incentives in the
It focuses on privacy technologies and does not privacy tech industry today.
focus on cybersecurity technologies. The report
introduces this mapping of the market by drawing › Seventh, it lays out five market trends
on a literature review, interviews with numerous and seven implications for the future of
experts in the privacy technology space, a survey the market identified in the course of this
of companies operating in the market (attached report’s research. And finally, it concludes
in the appendix), and the authors’ own subject
with numerous observations about the
matter expertise on these issues, and it does so
in several parts. privacy tech industry today and a set of
recommendations to address current and
emerging challenges.
A
“staggering 48,337.2 percent three- legislative language for what became the Cali-
year growth rate” is what propelled Inc. fornia Consumer Privacy Act. This included a
Magazine to put privacy tech vendor number of providers offering privacy enhancing
OneTrust on the cover of their September 2020 technologies (PETs) to help clients with de-iden-
issue and name them #1 on their Inc. 5000 list tification, including homomorphic encryption,
for 2020.19 While Inc. focused on OneTrust in and more sophisticated uses of differential
September, this prominent acknowledgement privacy, among others.20 Alongside these new
could just as easily have signaled the profound entrants into the market, existing vendors grew
growth of the privacy tech industry as a whole. their offerings to help achieve privacy regulatory
Initially created by computer engineers within compliance. Gartner predicted in February 2020
companies who were wrestling with the person- that over 40% of privacy technology vendors will
al data passing through their systems, working use artificial intelligence by 2023, which could
to assume a modicum of control over the pri- help reduce administrative and manual work-
vacy and security of that data, initial privacy loads while enabling business use of data.21
tech solutions were turned into companies to
offer these solutions to other businesses as a
service. These initial companies offered prod- “Organizations should
ucts and services to help companies achieve explore and embrace advances
fidelity with their privacy and security commit-
ments in their public-facing privacy policies, or in cryptography, evolving
to meet contractual requirements imposed by data minimization and analysis
larger companies with which they wanted to techniques, and small data/
do business.
local processing trends to
Many new privacy tech vendors then arose, pro-
pelled forward by the European Union’s drafting sufficiently mitigate risks.”
of its then-forthcoming General Data Protection
Regulation and by legislators in California mod- — Jules Polonetsky and Elizabeth Renieris,
ifying Alastair Mactaggart’s ballot initiative into 10 Privacy Risks and 10 Privacy Enhancing
Technologies to Watch in the Next Decade22
PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 9
Recognizing this growth, 14 companies joined to- lions to adjust their entire lives and carry on their
gether in December 2019 to establish the Privacy normal life, schooling, business, and recreation
Tech Alliance to represent the leading edge of this activities online to the extent possible, all while
global growth.23 Since that gathering, the industry's producing previously unimaginable amounts of
growth has continued to accelerate. Several ex- personal data. As the privacy tech industry has
perts surveyed for this report pointed to decisions discovered, while this has been damaging to so
by the European Court of Justice invalidating the many businesses, this pandemic has been cat-
EU-US and Swiss-US Privacy Shield agreements alytic for industry growth by forcing adoption of
(the so-called Schrems II decision) and the demands privacy tech tools by companies of all sizes in
of other C-Suite executives within businesses to various markets. The reasons are perhaps intu-
use personal data profitably for a myriad of needs, itive: “Now, all the employees are online, all the
such as training machine learning and artificial in- customers are online, all the business processes
telligence systems, fine tuning marketing efforts, are online; everything has to be virtual and digital,”
analyzing data to find unforeseen connections or one vendor told the authors. While the catalyst for
make predictions, or speed sales. When new tools the acceleration of adoption of privacy tech was
and services from niche, cutting-edge privacy tech unforeseen by vendors of privacy tech, those ven-
vendors are added to these other, existing lines of dors are universally convinced that the growth of
business and the number of privacy regulations the industry is not merely temporary or likely to
around the world grows seemingly by the month, slow. Experts surveyed pointed to the desire by
it is unsurprising to see the “staggering” growth of many businesses to simultaneously demonstrate
the kind described by Inc. in the fall of 2020. the accuracy of their privacy policies, comply with
Unforeseen and unforeseeable by those gathered regulations, and use their personal data for new
to establish the Privacy Tech Alliance was the sud- business purposes, such as training artificial intel-
den arrival of a worldwide pandemic forcing bil- ligence or fine tuning marketing.
D
uring the last decade, numerous privacy before a regulation comes into effect,” one expert
tech vendors formed companies in re- interviewed for this report said, “and after that you
sponse to regulatory mandates that created see kind of a huge drop-off.” Both the GDPR and
tech needs by updating or overhauling consumer the recent enactment of the California Consum-
privacy regulations or legislation. For example, er Privacy Act and their creation of data subject
consent management tools such as Privo, Yoti, rights have spawned a myriad of data mapping
PrivacyCheq, Onano, and SuperAwesome had tools and companies.
arisen to address long-standing parental consent
As detailed within this report, venture capitalists
requirements for businesses wanting to collect the
and private equity funders are recognizing these
data from minors younger than 13 years of age, in
various drivers of growth and investing more of-
compliance with the US Children’s Online Priva-
ten and in greater dollar amounts in privacy tech
cy Protection Act (COPPA). These tools became
startups, providing seed funding to the most re-
even more widely needed with the May 2018
cently conceived companies through enormous
implementation of the European Union’s General
follow-on investment rounds with later-stage es-
Data Protection Regulation Article 8. “You see the
tablished privacy tech vendors.
biggest blip in privacy activity and demand right
PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 11
Lack of Consensus Privacy Tech Definitions
Limiting Growth of Privacy Tech Industry
D
espite the development of the privacy tech functional needs to vendors, while meaning com-
market and its trajectory for accelerating pletely different things in each case. On the seller
future growth, interviewees for this report side, to give another example, multiple companies
identified two impediments to the industry’s might brand their products with similar terminolo-
growth that are slowing both the speed of closing gy when in fact their privacy technology offerings
sales contracts and the adoption of privacy tech meet very different client needs. Though there are
by customers. The impediments repeatedly identi- many other examples: companies might talk past
fied by those interviewed are: (i) a lack of common, one another when using the same terminology;
consensus privacy tech definitions; and (ii) an un- some companies, particularly those newer to pri-
clear privacy stack typology to describe business vacy technology, may lack the terminology needed
needs and how the various privacy tech tools and to specifically describe their needs or offerings;
services available in the marketplace might map to and other companies yet might internally speak
meeting those business needs. Both impediments different languages when describing how privacy
were challenging to vendors and would-be pur- technologies could meet their business needs.
chasers of privacy tech, but together they create
“Most lawyers don’t get tech, and most technicians
compounding difficulties that are limiting privacy
don’t get law, and so it’s not that they necessarily
tech adoption.
want to battle, but they do,” one vendor told the
First, because the privacy technology market is rel- authors. “They don’t listen to each other, and even
atively nascent, there is no clear set of shared ter- when they talk to each other, they use different
minology used by buyers and sellers in the market. words for the same thing.” Further, another vendor
On the buyer side, for instance, three medium-sized said, this shared vocabulary problem is driven by
businesses in search of privacy technology might company self-marketing as well: individual firms
all use the term “data mapping” to describe their that “plant a flag, create a category” and then “try
PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 13
The Privacy Technology “Stack”
T
he problem of a lack of consensus privacy This report section therefore introduces a typolo-
tech definitions is compounded by a sec- gy for privacy technologies aimed at tackling this
ondary problem, which is that not only may challenge. The purpose is to address a lack of a
buyers and sellers of privacy tech be using the clear framework and clear set of shared vocab-
same words, terms, and phrases to mean different ulary with which buyers and sellers can analyze
things, but they may be contemplating the use of and discuss the privacy technology market. The
privacy tech for very different purposes than what purpose is also to link together business pro-
was intended due to evolving needs of the busi- cesses that companies perform with business
ness customers purchasing privacy tech solutions. outcomes that companies desire to achieve with
In short, and as discussed in further detail through- privacy technologies. After all, as one vendor put
out this report, some businesses are seeking pri- it to the authors, “You don’t collect and store data
vacy tech that allows them to do more than simply to just keep it—you’re doing it to use it.”
control personal data, or control personal data and
comply with data privacy and security regulation. By no means is this the only framework that has
Now, many businesses may be intending to obtain been introduced to understand the privacy tech-
from privacy tech vendors tools and services that nology market: the International Association of
simultaneously allow their businesses to control Privacy Professionals, for example, published a
personal data, comply with a myriad of regula- typology of privacy technologies in 2019, bro-
tory mandates concerning that data, and extract ken down into privacy technologies for “privacy
value25 from that data. This maturation of privacy program management” and those for “enterprise
tech customer needs has, according to many in- privacy management.” Within each of those cate-
terviewed for this report, caused extra confusion gories, the IAPP report then broke down privacy
between buyers and sellers that requires not only technologies by actions firms might need to take
the creation of consensus definitions but also a (e.g., “data mapping”, “website scanning”).26
new understanding of the “privacy stack.”
LAYER 1: DATA
Data Availability
& Movability
LAYER 2: PROCESSES
LAYER 3: OUTCOMES
Information
& Data
Governance
Environmental,
Data Protection for
Social, & Corporate
People & Assets
Governance
Data Protection
for People &
Personal Privacy
Assets Data Management
Risk
Management
PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 15
in the market—and were typified by systems that nologies, stacked on top of and integrating with
attempted to help businesses simply gain control business processes (the second layer), can en-
over the personal data they encountered as part of able the business outcomes at this layer. Privacy
their business. For example, in addition to siloing technologies can also enable these five outcomes
personal data from information about individuals to interrelate and interconnect, and, ideally, to
not requiring protection, these technologies may coexist simultaneously: so that data value anal-
have segmented out “sensitive data” for addition- ysis/creation and ethics and compliance are not
al control features, or simply provided consumers mutually exclusive, for example. The layers of the
with adequate notice to help a business achieve “stack” are described in more detail below.
requisite consent to collect that personal data.
Data is the foundation of any privacy discussion.
The second and middle layer is composed of four
Depending on the legal jurisdictions in which a
business processes: information and data gover-
business operates, terms such as “sensitive data,”
nance; privacy management; risk management;
“personal health information,” or “personally iden-
and privacy operations. Privacy technologies can
tifiable information,” among others, may have par-
pair with or enable business processes at this
ticular importance for a business in the first-layer,
layer, stacking on top of the personal data a busi-
early stage of assessing their privacy technology
ness accesses (the first layer). These processes all
system: they will guide legal and regulatory com-
interact and interrelate, and they may also be in
pliance and possibly contractual compliance as
constant evolution; for instance, risk management
well.29 Businesses may collect, analyze, store, or
is not an action performed just once. Finally, the
move data on customers, employees, contractors,
third and outermost layer is composed of five
and innumerable other actors (clients, prospective
business outcomes: data availability and movabili-
customers, etc.) with which the business interacts.
ty; data protection for people and assets; data val-
Individuals are the center of this data, and it is
ue creation/analysis; data protection components
their privacy that is concerned when businesses
of ethics and compliance28; and environmental,
collect, store, and process their information.
social, and corporate governance. Privacy tech-
LAYER 1: DATA
Personal
Data
Information
& Data LAYER 2: PROCESSES
Governance
Data Protection
for People &
Personal Privacy
Assets Data Management
Risk
Management Tim Sparapani and Justin Sherman
for the Future of Privacy Forum
PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 17
The third layer of the privacy tech “stack” is com- comes is being measured as part of environmental,
posed of business outcomes that can be supple- social, and corporate governance analysis.30 This
mented or enabled by privacy tech offerings. For third business outcome layer is stacked on top of
example, a business might build or purchase a tech- the business’ processes, which may themselves be
nology to identify customer data in a visual interface supplemented or enabled by privacy technology
for customer relations and marketing personnel, or offerings. Much like business processes relevant to
a business might build or purchase differentially data privacy, privacy technologies acquired for spe-
private algorithmic tools to mask individual iden- cific business outcomes are driven by contractual
tifiers in a dataset while also enabling analysis on requirements, regulatory requirements, and numer-
the data to create economic value for the business’ ous other factors. There is also a growing business
marketing and data science teams. Increasingly, imperative in some cases for ethical data review
measuring performance for these business out- and/or data-sharing with other firms.
Data Availability
& Movability LAYER 3: OUTCOMES
Information
& Data
Governance
Environmental,
Data Protection for
Social, & Corporate
People & Assets
Governance
Data Protection
for People &
Personal Privacy
Assets Data Management
Risk
Management
Data protection for people Chief Information Security Officers and other information security personnel ensuring data’s
and assets confidentiality, integrity, and availability [not the focus of this report]
Chief Data Officers, Chief Marketing Officers and their marketing teams, and other data
Data value creation/analysis science personnel ensuring data generates and can be used to generate (e.g., through
analysis) value for the business
General Counsels, Chief Privacy Officers, Chief Ethics Officers, legal teams, and other
Data protection as ethics and
compliance personnel ensuring data is legally collected, stored, transferred, and otherwise
compliance
processed based on applicable regulations
Environmental, social, and Investors, board members, and corporations in general increasingly making environmental,
corporate governance social, and governance factors a business priority, including the protection of data
The fact that privacy technologies must integrate stood as representing a static market or a static
with existing business processes may seem ob- set of business activities. As the market introduc-
vious, but it’s worth noting explicitly. The three es new technologies, there may be more potential
layers visualize this: to develop a plan for priva- business outcomes added to the third layer, for
cy, a company must have data or be acquiring instance. As a business acquires new data, new
data. Building out from there, companies must customers, and new technologies, to give another
figure out how data maps to existing business example, it may reevaluate the privacy technology
processes, like risk management or information offerings used to enable or supplement various
governance. From there, companies can “stack” business processes or data outcomes.
privacy technologies on top of those business
The key is understanding that privacy tech offer-
processes in order to achieve specific outcomes
ings in the market can fill different needs in the
with respect to data, which increasingly are mea-
process layer and in the outcomes layer. In this
sured at the Board level or by investors seeking
way, the privacy tech “stack” offers a framework
to assess environmental, social, and corporate
for analyzing the privacy tech market, analyzing
governance vis-à-vis data ethics and compliance.
specific privacy technologies, and moving towards
Privacy technologies can sit in these two outer
a set of shared vernacular about privacy tech. The
layers. For a company to have a mature privacy
next three sections therefore apply this privacy
technology system, it cannot have privacy tech-
tech “stack” to analyzing the buy side of the pri-
nologies to achieve discrete outcomes without
vacy tech market, the sell side of the privacy tech
underlying business processes in place, and it
market, and the future of the market, respectively.
cannot have processes oriented around data
It combines the stack representation with research
without privacy technologies that achieve specific
conducted for the report, including from a litera-
needed outcomes for the business’ data. Mature
ture review and conversations with dozens of sub-
privacy technology systems are also continuously
ject matter experts in the privacy tech field.
evolving: the framework should not be under-
PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 19
The Buy Side of the Privacy Tech Market
T
he privacy tech stack can be used to under- applied in this section to better understand this
stand the buy side of the privacy technology buyer side of the market.
market by highlighting the business process-
es and desired outcomes of different buyer stake-
holders. Based on the authors’ conversations with “We’re increasingly seeing on
buyers and sellers in the privacy tech market,
privacy technology vendors might approach any
the business side that they see
number of individuals at a client or potential client [data] as an asset, and they know
organization to sell their offerings: the Chief Priva- they have to worry about the
cy Officer (CPO), Chief Data Officer (CDO), Chief
Technology Officer (CTO), Chief Information Offi- privacy component, but they are
cer (CIO), and Chief Information Security Officer primarily interested in solving a
(CISO), in addition to the likes of marketing teams, business problem.”
legal teams, and customer relations teams. Buying
power tends to be concentrated with CTOs, who — Executive at Privacy Tech Vendor
may have the largest budget for privacy technol-
ogies relative to other stakeholders in the afore-
mentioned list. Any one business, however, may There are often many stakeholders in any one
have a range of individuals within the organization business with interest in buying privacy tech-
with an interest in privacy technology, varied giv- nology. Framing the privacy technology market
en their data needs. They may also have different with the privacy tech stack can help illuminate
budgets and technology interests depending on the processes with which these stakeholders are
the company. The privacy tech stack offered in this involved (e.g., risk management) and how their de-
report, focused on the layering of data, business sired business outcomes (e.g., data value creation/
processes, and business outcomes, is therefore analysis) drive their purchasing outlook. Chief Pri-
PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 21
trast, may be more likely to outsource their data
storage functions to third-party cloud providers. Conclusion
Their CTOs and CIOs may therefore have rela-
tively smaller budgets for data and information Buyers increasingly prefer to buy horizontally-
governance. However, no two companies are the integrated privacy tech services.
same, and the cloud computing market’s continu-
ous growth only highlights that many businesses, But the buy-or-build question is not just answer-
large ones included, are shifting to third-party able based on a business’ technology needs,
data storage and application management infra- which is why the privacy tech stack’s focus on busi-
structure. The privacy tech stack speaks to this: ness processes and outcomes can be useful here
a seller looking to market a privacy tech offering too. Some buyers may be motivated to develop
to a large enterprise’s CTO should first assess privacy technologies in-house because they best
the business’ processes before assuming a cer- understand their own business operations and are
tain technology will achieve the CTO’s desired thus best-suited to tailor tools to that environment.
business outcomes. The information and data If those buyers purchased third-party technology
governance process at a firm that outsources all off-the-shelf, it could require what is considered
of its data storage and processing to a cloud com- too much labor to integrate that technology into
puting provider will likely require different privacy the buyer’s systems. Several experts interviewed
technologies to achieve data privacy compliance spoke to their experiences where buying privacy
than a large firm that manages all data in-house. technology was the easy and speedy part relative
Another important question for buyers—in addition to the post-contract signing integrations, and to
to mapping business outcomes to privacy technol- the distraction caused by pulling engineers off of
ogies—is whether privacy technologies should be their primary task to develop products and ser-
purchased from a third-party vendor or developed vices for sale by the business. Buyers might also
in-house. Several buyers with whom we spoke purchase third-party privacy technology but build
identified the nascency of privacy engineering as it into their own technology abstractions them-
one constraint on in-house privacy tech develop- selves, given it’s not too labor-intensive, in order
ment. Simply put, there may not be enough privacy to minimize the number of contact points with
engineering talent to go around in general. Com- the vendor technology. And of course, individual
panies with smaller budgets may focus their in- stakeholders in a business could make different
house IT personnel on more traditional technology buy-or-build decisions based on specific process-
processes, like development and upkeep of other es or desired outcomes: a CTO with a big budget
applications and infrastructure, and may therefore might develop data identifiability tools in-house
not have the time to focus those employees on because they have the funds, while a CPO at the
building privacy technologies. That said, some same company might purchase tools to help with
companies may be willing to make the investment privacy operations off-the-shelf because they
in in-house privacy technology development if they don’t have the budget.
cannot find the requisite offerings on the market Of course, the buy side is only one part of the
or if they only need a small plug-in developed to equation. The next section therefore examines
supplement existing tools. the sell side of the privacy tech market, drawing
on the research conducted for this report, and
also applies the privacy tech stack to understand-
ing sellers in the market.
B
ecause the privacy tech industry is, in many privacy technologies that meet any number of a
ways, in nascent stages, new providers are buyer’s desired business outcomes. For instance,
entering the market each year, in some cas- a data access control technology, which limits who
es offering entirely new products or in other cases can read and write to particular data, could help
competing directly with existing offerings. Firms support the “data ethics and compliance” and the
might specialize in one service, such as cookie “data protection for people and assets” outcome
consent management tools, while others might at once under the US’ Health Insurance Portability
seek to provide a suite of services. The number and Accountability Act (HIPAA). In a similar vein,
and range of privacy tech offerings on the sell side privacy technology to track customer consent
of the market, much like demand on the buy side, agreements could simultaneously help support
is only going to grow in coming years as more data “data ethics and compliance” and “environmen-
privacy regulations are implemented, the desires tal, social, and corporate governance” outcomes.
and needs of businesses to extract value from per- Of course, seller offerings can span layers of
sonal data increase, and competitive pressures for the privacy tech stack as well. Technology using
firms to protect customer privacy grow. noise addition to satisfy differential privacy re-
quirements or masking individual identifiers (e.g.,
Much like the privacy tech stack can illuminate
a customer’s name), while still allowing machine
buyer motivations for acquiring privacy tech, the
learning to be run on the data (e.g., identifying
privacy tech stack can be used to analyze a sellers’
customer buy preferences), can help enable the
privacy tech offerings. Using business processes
“data ethics and compliance” and the “data value
(layer 2) as a lens, sellers might offer a range of
creation/analysis” objectives at once. This tech-
privacy technologies that enable or supplement
nology could potentially plug into a CPO’s privacy
information and data governance, privacy man-
management and risk management processes at
agement, risk management, or privacy operations
the same time as it plugs into and better enables a
stacked on top of data. Sellers could target the
CTO’s information and data governance process.
business process of a particular buy-side stake-
holder—e.g., a CPO’s privacy management pro-
cess—or they could target the overall business’ “There is no single solution that
process with a privacy tech offering, such as selling
risk management technologies to the CTO, CIO, can solve all privacy stuff.”
and other executives. Using business outcomes — Executive at Privacy Tech Vendor
(layer 3) as a lens, sellers might offer a range of
PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 23
Vendor privacy tech solutions also differ in their in- solutions, to give another example, might encoun-
teroperability and ease of implementation. Some ter a problem of applying a privacy concept to a
offerings are off-the-shelf in that buyers can li- variety of business activities—where a task like
cense and use immediately. Other seller offerings “conducting a data inventory” may mean very
may require extensive integration. Integrating a different things in different cases based on the
solution with existing tools and technologies can seller’s specific technological offerings and what
also require additional time and resources on the kind of artifacts (e.g., outputs of that process) they
buyer side. For example, a business might want to are promising to potential buyers. Imprecision in
minimize the number of interactions their databas- terminology can come from both the buy and the
es have with a privacy technology and may choose sell side of the market.32
to custom-engineer the back-end setup to reduce
the number of touchpoints. Interoperability also
varies. Some seller products can be used relative-
ly seamlessly alongside other sellers’ privacy tech
offerings, whereas other privacy tech offerings do
not plug-and-play as well with other companies’
Conclusion
products. This, too, can create work on the buyer
side, meaning it can also serve as a point of differ- Additionally, growing fragmentation in privacy
entiation for sellers who can effectively market the regulation regimes worldwide and even within
interoperability of their products. All of this is in countries will only contribute to the shared
part a product of the demand for different specific vernacular problem.
privacy technologies; as one seller put it, “there is
no single solution that can solve all privacy stuff.” Finally, sellers may approach different kinds of
buyers depending on their offerings. There are
companies offering privacy tech solutions that
sell to all sizes and types of firms; some are indus-
try-specific in their offerings; others only market
Conclusion to large enterprises or, in other cases, to small- or
medium-sized enterprises; and others yet will offer
one kind of privacy tech product to larger firms and
Buyers of privacy tech often prefer to
have a different version that is offered to smaller
buy integrated privacy tech products that
ones. Just as there are many stakeholders at a
accomplish numerous business needs rather single business on the buy side who might be in-
than one-off, standalone privacy tech solutions. terested in privacy tech, sellers in the privacy tech
market also have different calculations they make
The sell side of the privacy tech market also con- to determine who they approach to buy their prod-
tributes to the lack-of-shared-vernacular problem. ucts. Focusing on the business processes which
Because the privacy tech industry has developed a privacy tech enables or supplements, and the
quickly and is still very much evolving, it’s not just business outcomes a privacy tech helps achieve,
the buy side that contributes to different, different- is one way to categorize the sellers in the market.
ly used, or even outright confusing terminology
that discusses privacy technologies and how they Just as interviewees were clear that unless and
integrate into the business (e.g., multiple different until consensus definitions for common privacy
uses of the phrase “data mapping”). Individuals tech terms were developed, they were also in near
with whom the authors spoke conveyed that on uniformity about re-imagining the “privacy stack”
the sell side as well, it takes time to develop the to reflect the more recent, third phase of privacy
soft and hard skills to not only manage but discuss tech development: meeting business needs in ad-
privacy technologies. Whereas some sellers may dition to data control and regulatory compliance.
market their products as satisfying “differential Quite simply, buyers and sellers of privacy tech
privacy,” for example, they may not mean the are speaking a different language. They also do
exact same thing as other sellers using the same not share a vision of how privacy tech available
terminology.31 Sellers offering “data discovery” in the marketplace maps with emerging business
PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 25
Market Trends and Implications for Competition
R
ecognizing that the privacy tech market is entire buyer’s business, that can be a differentia-
continually evolving and that buyers and tor for a seller. That said, however, enterprise-wide
sellers lack a shared set of vernacular for dis- solutions are not without their own costs; products
cussing it, this section combines insights from the that can be used by more stakeholders in a busi-
authors’ research and interviews with representa- ness are going to require those stakeholders to
tives of buyers and sellers with the privacy tech take part in conversations about purchasing and
stack to analyze the future of the market. It does to likely expend some time and resources on im-
this by discussing five identified market trends and plementing the technology. As one buyer told the
seven implications for future competition in privacy authors, “Technology that can be controlled by
tech. This then feeds into the final report discus- and operated by, exclusively, the privacy team—
sions which offer recommendations. great. But if it is a thing that is going to require the
cooperation of anybody beyond the privacy team,
I think it’s really hard for companies to adopt.”
Five Market Trends Buyers favor integrated technologies. Privacy
Buyers desire “enterprise-wide solutions.” Prod- technologies that interoperate well with other
ucts that work across all parts of their organization privacy technologies (even those offered by dif-
are more attractive from a business perspective. ferent vendors) are more favorable from a buyer
Instead of multiple negotiations with numerous perspective. “Nobody wants a bespoke solution”
vendors for various privacy tech services, a buyer where “they have to deploy nineteen other be-
can, in theory, reduce business and legal negoti- spoke solutions to meet their use cases,” one
ations substantially if there is an enterprise-wide vendor told the authors. Less work to integrate
solution that can accomplish business needs at all privacy technologies into existing business pro-
layers of the privacy stack. These privacy technol- cesses and with existing business technologies
ogies could reduce buyers’ acquisition costs, in means more time and money saved for the buyer.
that a business only needs to purchase one tool As highlighted by the privacy tech stack, a single
for a particular task that many of its stakeholders privacy technology could plug into multiple busi-
(e.g., CTOs, CIOs, etc.) could use, and they could ness processes that each have their own technol-
also reduce the costs of plugging that technology ogies and sub-processes, all of which are stacked
into the business’ systems and processes. When on top of data. One seller offering might also be
privacy technologies fit well into the privacy tech working in concert with numerous other seller
stack not just for one buyer stakeholder but for the offerings in order to achieve multiple business
PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 27
For compliance with the US’ HIPAA, for instance, trend of vendors focusing on the interoperability
the US Department of Health and Human Ser- of their privacy tech offerings—whether through
vices lays out two de-identification methods: “a collaboration with other sellers or through inte-
formal determination by a qualified expert”; and gration efforts on their own—buyers will likely
“the removal of specified individual identifiers continue showing a preference for integrated
as well as absence of actual knowledge by the solutions over one-off solutions. If this trend con-
covered entity that the remaining information tinues, it likely will result in the largest privacy tech
could be used alone or in combination with other vendors with the broadest suite of products and
information to identify the individual.”35 The pur- services gaining additional customers faster than
pose is to minimize the risk that the de-identified competitors without these advantages. New buy-
data is linked back to any particular individual’s ers in the privacy tech market may not yet have
identity when the data is made available to an these preferences (or have them as strongly),
anticipated recipient. The EU’s GDPR, to provide but based on author conversations, it does not
another example, defines anonymous information appear this preference is going away. This could
as “no longer identifiable,” where “account should push more sellers towards integrating their priva-
be taken of all the means reasonably likely to be cy tech products better with other sellers’ privacy
used, such as singling out, either by the controller tech products and with traditional IT systems. This
or by another person to identify the natural per- could also reduce the competitiveness, over time,
son directly or indirectly.” of stand-alone privacy tech offerings in the market
that do not integrate well with other technologies.
Of course, these definitions refer to an ideal state;
in practice, de-identification may not work, and Collaborations, partnership, cross-selling, and
it can also be implemented incorrectly. Many joint ventures between privacy tech vendors are
attempts to mask the identities of individuals in increasing to provide buyers integrated suites of
openly published datasets have failed, because it services and to attract additional market share.
was all too easy for researchers to link the alleged- In response to this buyer preference for pre-inte-
ly anonymized data back to individuals through grated suites of privacy technology services, pri-
“auxiliary data,” or information from a third source vacy tech vendors of all sizes are forming mutually
that provided missing links.36 In other words, the advantageous business partnerships. The part-
attacker was able to unmask the real identities nerships are taking many forms from the informal
of the individuals in the dataset because that at- all the way through full joint ventures. BigID, for
tacker had additional information. But regulatory example, announced a partnership with Auritas
jurisdictions are impacting the discussion of this in August 2020 to “[enable] SAP customers to
issue and relevant technologies, and therefore identify at risk data across the enterprise while
the broader issue of a lack of common vocabulary incorporating a solution to dispose of unwanted
in the privacy tech market. and redundant data both inside and outside of
their SAP systems.”37 WireWheel partnered with
Crownpeak in November 2019 to offer a suite of
privacy tools for the California Consumer Privacy
Seven Implications Act before it went into force in January 2020.38
for Competition BigID and WireWheel announced their “expand-
ed partnership and set of integrations” in May of
Buyers favor integrated solutions over one- 2020.39 TrustArc has partnered with such firms as
off solutions. The privacy tech market is always Alibaba Cloud, Evident, and RadarFirst in the last
evolving, but buyers repeatedly told the authors couple of years to bolster offerings on privacy and
that they disfavored one-off solutions that only data protection.40 And OneTrust, to give one more
did one or a few things to satisfy their business’ example, announced a partnership with the Data
privacy needs, unless they were especially novel & Marketing Association in August 2019 to better
or provided true break-through privacy technolo- supply privacy tools and resources to marketers.41
gies that could uniquely solve one of the privacy More recently, OneTrust integrated its services
stack needs for the business. Generally, though, with startup privacy tech vendor Integris and then
they preferred integrated solutions. In line with the acquired the company, following in April 2021 with
PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 29
solutions that buyers can easily deploy in their Buyers will face challenges in future-proofing
own information technology environments. This their privacy strategies. The privacy tech stack’s
also means big firms may stay big and provide outer two layers are business processes and
more and more integrated solutions, through both business outcomes, respectively. Processes by
this kind of acquisition strategy and building more definition refer to a series of actions, and in the
technologies in-house to complement existing case of something like risk management, they are
privacy tech offerings. a continuous series of actions; to mitigate risk to
a business, a risk management process cannot
Small startups may struggle to gain market trac-
just be executed once. Similarly, outcomes are not
tion absent a truly novel or superb solution. In
static in that they cannot just be ‘achieved once’
light of the integration and consolidation trends
and then maintained forever; an outcome like
emerging in the privacy tech market, it is possi-
data ethics and compliance or data protection for
ble that small startups will struggle to attract the
people and assets may come under threat or even
necessary funding and secure the necessary
become undone as a business acquires new data
customers in order to gain market traction, absent
or as regulatory requirements change. Building a
a truly novel or superb privacy technology solu-
mature privacy technology system for a business
tion that functions or integrates better than other
must therefore be understood as a process of
offerings or that achieves business outcomes in
continuous reassessment and evolution, not just
ways not yet achieved by other technologies in
as the market evolves, but as new data is collect-
the privacy tech stack. All of that said, much is un-
ed, new customers are acquired, new third-party
certain. Newly developed technologies could shift
cloud technology is leased, the business expands
the market playing field. New regulations, too, will
into new regulatory jurisdictions, and so on. This
remain a driving force for buyer decision-making
will be one of the biggest challenges for busi-
and as such could push the market in new direc-
nesses buying privacy tech: future-proofing their
tions based on new regulatory demands. Startups
strategies in the absence of a regulatory push to
could struggle in various respects as privacy tech-
do so. The GDPR and the CCPA have undoubtedly
nologies are integrated between or consolidated
driven much of the demand for privacy technolo-
among existing, larger vendors. But they might also
gy in the current market—on this point, there was
have new opportunities to introduce innovation as
virtually unanimous consensus among the experts
new regulations mandate new technologies be in-
to whom the authors spoke. Despite the clear fact
tegrated into buyers’ privacy tech stacks. “If you’re
that the privacy technology market is only to be-
building a solution, a mass-market solution, for a
come larger over the coming years, and venture
problem that hasn’t really gone mass-market...you
capital firms’ continued interest in it, buyers may
need to be able to sustain yourself during those
still tend to be reactive rather than proactive in
years of hunger,” one vendor told the authors.
building and maintaining their privacy tech stack.
W
hile the privacy technology industry is functions have moved online. This has
relatively nascent today, it is only poised greatly accelerated dependencies on digital
to grow in the coming years as data priva- services—and by extension, created much
cy becomes more important for businesses. New more data through online activity and forced
laws and regulations will be a large driver of this more data to be digitally available—and
growth, yet so will the maturation of business pri- accelerated business needs for privacy
vacy technology from a Privacy Tech 1.0 or Privacy enhancing technologies in the process. It
Tech 2.0 approach, where the primary concern is is unclear if this growth is a one-off event
compliance, to a Privacy Tech 3.0 approach, where or a growth pattern that will sustain, but
compliance and privacy are meshed with business increased purchasing of privacy tech is clear.
outcomes for personal data like usability and val- › Common drivers of initial privacy technology
ue-generation. This section therefore concludes purchases are regulatory compliance
the report with a number of observations about needs, contractual requirements with
the state of the privacy tech industry today and its customers, and slowly emerging recognition
future directions. Unlike the previous section that of the reputational risks associated with
discussed five clear market trends and their seven data privacy breaches, broadly defined.
main implications for the future, this conclusion Regulations by and large remain the biggest
section lists out numerous, sometimes discrete, driver for privacy technology adoption,
observations about the privacy tech industry. but the others are growing in importance
to the extent that privacy is becoming a
› The COVID-19 pandemic has globally
competitive differentiator in some sectors.
accelerated marketplace adoption of privacy
Organizations are also deploying more tools
technology as citizens and consumers
to mitigate potential harms caused by the
worldwide become more heavily dependent
use of data.52 These initial drivers, however,
on digital technologies and services.
often lead purchasers of privacy tech to
Schooling, work, grocery purchasing, social
explore other opportunities to deploy
communication with friends and family, and
additional privacy tech offerings.
numerous other institutional and individual
PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 31
› While jurisdictions around the US and privacy tech companies by the “business
around the globe are likely to incorporate needs” their offerings satisfy. This can also
key concepts from other jurisdictions’ help to further contextualize particular
consumer privacy regulatory schemes into privacy technology solutions in terms of
their own, for the foreseeable future, the their interoperability with other products and
privacy landscape is likely to become more the extent to which they provide a bespoke
complex and less homogenous as additional versus enterprise-wide technological solution
states and countries enact innovative laws to privacy technology problems.
or promulgate innovative regulations. The
United States currently has a somewhat › The lack of common vernacular and
fractured system with the CCPA in California, inconsistent typology for the privacy stack
several other similar bills in consideration in may also be causing some misalignment
various states, and no similar federal law that between the privacy tech ideated and
applies to all companies nationally. Globally, brought to market and that which buyers
data regimes between the United States, the perceive they want, need, and may be
European Union, India, Brazil, Japan, and willing to pay for. Speaking in different
other countries are in various ways fracturing. terms can lead a buyer and a seller to
very different conclusions about what
› Even common privacy terms, such as the other company offers or needs,
those included in statutes or regulations, respectively. This is especially true where
are not uniformly defined or understood. technologies like homomorphic encryption
Courts may interpret the same terminology and differential privacy are concerned, as
differently, just as individual attorneys may no clear certification mechanisms exist for
have different interpretations of technical these technologies which leaves some
privacy terminology. This problem is not firms unclear about the robustness of a
helped by a lack of understanding of privacy particular solution labeled with that term.
technologies on the part of some buyers Furthermore, there are many different
and competitive desires by some vendors to flavors of these technologies, each with
self-preferentially develop terminology for their own strengths and weaknesses
their own marketing purposes. depending on the use case.
› The lack of common understanding about › The market has passed through two initial
privacy terms may be limiting the growth stages of privacy tech and has entered
of the privacy tech industry. With respect a third. The first two were typified by
to some privacy tech offerings, it may technologies engineered natively within
be unclear whether vendor-developed some companies and offered by early
privacy tech is sufficient to satisfy the vendors for sale to achieve a modicum of
regulatory compliance or business needs control over the personal data encountered
of would-be purchasers. Businesses that by a business (Privacy Tech 1.0), and
do not specialize in technology may have technologies engineered natively within
a particular challenge with this vernacular companies well-resourced with enough
problem, as might different stakeholders computer engineers to not only build
within a single business who have varied their core products and services but also
technical expertise. engineer regulatory compliance solutions
› In addition to lacking a common vernacular to and horizontally-integrated companies or
describe privacy tech, there is no commonly collaborations between companies offering
accepted methodology for typifying what personal data regulatory compliance
technologies and services are part of the services and tools for sale (Privacy Tech 2.0).
privacy technology industry or the so-called
privacy stack. Many interviewed for this
report, from both the sell-side and buy-side,
agreed that it might prove useful to classify
PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 33
› This buyer preference for horizontally- › Market needs differentiation seems likely
integrated privacy tech services may lead for small- or medium-sized buyers of
to industry consolidation in the near term. privacy tech when compared to large scale
For example, recently, some privacy tech enterprises. Small- and medium-sized buyers
companies have merged or acquired rivals may be operating with not just different
or offerors of adjacent privacy tech products. budgets and organizational structures
Further, some private equity companies but also different information technology
appear to be “rolling up” privacy tech infrastructure, in some cases notably
startups into larger offerings. Some providers differentiating their exact privacy tech needs
are employing a third strategy of formally from those of larger enterprise buyers.
entering into partnerships, joint ventures,
› While large enterprises are the common
cross-selling, or similar collaborations. It is
purchasers of privacy tech services, the
perceived by some that niche providers may
world’s most sophisticated and complex
increasingly struggle unless they are able to
businesses that view themselves as tech
offer an entire suite of services.
companies, and who have the greatest
› While the privacy tech market and privacy number of computer engineers, recognize
vendors’ strategy for ensuring longevity their own complex and unique data needs.
and growth is undergoing transformation, As a result, they are more likely to build
there is striking consensus about the privacy tech natively and purchase fewer
determinative factors of how buyers choose services from privacy tech vendors.
whether to buy or build privacy tech. Our
surveys found commonality among forms All told, the privacy technology industry is on a
in who in the corporate organizational clear growth trajectory. Regulatory and compet-
structure often has the budget to purchase itive drivers, growing business recognition of
privacy tech, who in that structure identifies personal data as an enterprise asset, continued
the business needs to be met by privacy venture capital interest in privacy tech investment,
technologies, and who must be consulted and newly emerging technologies for personal
for successful privacy tech contracts to
data management will continue the evolution of
be signed. The size of a business and
the privacy technology industry. In a feedback
its particular information technology
loop, business’ privacy technology stacks will
infrastructure, as mentioned, is an important
only continue to mature, moving from the inner-
factor in this equation as well.
most layer of simply using personal data to the
› Some purchasers expressed concerns about outermost layer of simultaneously maximizing
the “lock-in” effect of buying any privacy different business outcomes for that data. All the
tech solution. In other words, some admitted while, though, many impediments to growth and
they might not make a purchase for fear gaps between the buy and sell side of the market
that doing so might lead their companies to remain—making an understanding of the market’s
be beholden to that vendor for numerous, present and future states all the more important.
future budget cycles even if better,
competitor technologies emerge or the
enterprise needs change. That some larger
vendors are moving to cooperate or partner
with others in the industry may demonstrate
growing recognition of this fact.
T
his report makes the following seven recom- › Further research should explore what
mendations to address the issues identified unique needs, if any, small- or medium-sized
within: enterprises may have relative to those of
large enterprise buyers of privacy tech.
› Privacy tech stakeholders should develop
and promote voluntary, shared, consensus- › Future research might also explore whether
driven vernacular in the privacy technology the needs for privacy tech solutions differ
market for the benefit of both buyers and between industry types in a meaningful way.
sellers. Consensus definitions should › Future research might also consider
then be used to facilitate developing a whether businesses that solely or
common typology for descriptions of the primarily interact with the personal data of
tools and services developed natively or individuals from just one country or region
made available for sale in the privacy tech have different privacy tech interests and
marketplace. needs than do businesses interacting with
› A trusted body should provide common personal data on a multinational level.
definitions and standards for privacy › Vendors should recognize the need to
enhancing technologies (PETS) such as provide adequate support to customers
differential privacy, homomorphic encryption, to increase uptake and speed time from
federated learning, and similar technologies, contract signing to successful integration.
and should indicate the maturity and utility Buyers will often underestimate the
of these technologies for different business
time needed to integrate privacy
cases, as well as to how the uses of these
technologies and services into their existing
PETS map to legal requirements.
business operations and may theref
› Further research should be conducted ore need further assistance in realizing
to identify market segmentation and that integration.
stratification in buyers based on the size of
the corporate entity, the sophistication of the
buyer, the industry sector, and other factors.
PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 35
APPENDIX: Privacy Technology Buyer Survey Results
Methodology
FPF Members were invited to complete the Privacy Technology Survey about their organization’s experience
as privacy technology buyer. The survey was created in SurveyMonkey and made available via email. We
received a total of 17 responses. The survey responses were de-duped and aggregated.
Question 1: How many people are employed at your corporation? Select one answer.
Answered: 17
Less than 50
50 to 500
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Yes 100%
No
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 37
Question 3: What amount describes your corporation’s annual total corporate spend on privacy
technologies provided by third-party software or hardware providers? Select one answer.
Answered: 17
$0 – we do not
spend any money on
third-party software or
hardware providers
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
$0 – we do not
spend any money on
third-party software or
hardware providers
Between $25,000
and $100,000 52.9%
Between $100,000
and $500,000 29.4%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 39
Question 5: What is the title of the person in your corporation who has final budget authority for
purchasing privacy-enhancing technology? Select one answer.
Answered: 17
Chief Technology
Officer
There is no
single person 35.3%
with that
authority
Other (Please
specify)
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
[Question 6 was a question about background report interviews and has been omitted.]
Engineering
talent diversion 41.2%
Speed 47.1%
Legal or
Regulatory 35.3%
Complexity
Distraction 23.5%
Cost 35.3%
Quality 52.9%
Integration
Challenges 41.2%
Enterprise-Wide
Solutions 41.2%
Other 11.8%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 41
Question 8: What might lead your company to decide to build your own privacy tools, rather than buy
them from a third-party provider? Select one answer.
Senior
Leadership
Time Lost
Cost 17.6%
Other 5.9%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Data pseudonymization
or anonymization 60.0%
tools.
Compliance
monitoring tools 86.7%
Other 20.0%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
› Accountability tools
› Cookie management, data mapping
› Data mapping tools, cookie and consent management/tracking
PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 43
Question 10: Are there any types of privacy-preserving technologies that you are considerably
hesitant about purchasing or building in general, due to skepticism of their effectiveness or
functionality? Check all that apply.
Answered: 10
Data
pseudonymiza... 60.0%
Data subject
right requires... 10.0%
Privacy
protecting data... 50.0%
Security tools
(e.g., access... 10.0%
Compliance
monitoring... 10.0%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Data
pseudonymiza... 50.0%
Data subject
right requires... 16.7%
Privacy
protecting data... 50.0%
Security tools
(e.g., access... 8.3%
Compliance
monitoring... 41.7%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
› Software development kits that provide individual rights requests, data retention, etc. functionalities
that can be leveraged
› ID verification services
PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 45
Question 12: Rate your confidence in third-party privacy technology suppliers’ understanding of your
organization’s needs and resources. Select one answer.
Answered: 17
Total
confidence
High 23.5%
confidence
Some 58.8%
confidence
Low 17.6%
confidence
No confidence
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Total
confidence
High 11.8%
confidence
Some 64.7%
confidence
Low 17.6%
confidence
No confidence 5.9%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Question 14: Please share your experience with privacy technology purchases? What should we know
and what would you want privacy technology vendors to know?
Answered: 4
› Companies trust vendors that offer these services to support compliance with complex laws. But
often the solutions are too simplistic or occasionally entirely unfit to support compliance. Buyers are
becoming wary of this and the trust is eroding.
› The biggest issue we have when engaging vendors is scale. Only a few are ready to take on
supporting the heterogeneous ecosystems of massive media companies.
› SAAS solution providers must be willing to bear the degree of risk presented from processing
personal information in their own environments. With private rights of action across multiple states,
the common “take it or leave it” refrain today will lead organizations to “leave it.”
› The hype and marketing is absurd. The tools are decent, but they’re tools, not magic bullets.
Legwork is still required.
PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 47
ENDNOTES
1 Although this report focuses on the business market, users of these services include government agencies, not for profits, and other sectors
that manage personal data. However adoption in these sectors lags the business market and may provide future opportunities.
2 One leading vendor described Privacy Tech 3.0 as facilitating the embedding and enforcement of policies developed during the
immediately preceding Layer 2 processes of “Information and data governance” and “Privacy management” into the data to enable
predictable, auditable, and verifiable compliance while maximizing data utility and value to achieve data-driven business goals and
objectives in a lawful and ethical, sustainable manner.
3 Acknowledgements: The authors would like to thank all of the experts, on both the buy and sell sides of the privacy tech market, who
spoke on background for this report. Their insights were invaluable in better understanding the market, its present challenges, and its future
directions. The authors would also like to thank the Future of Privacy Forum’s Jules Polonetsky, John Verdi, and Barbara Kelly for their
support and Limor Shmerling Magazanik, Managing Director of the Israel Tech Policy Institute and Senior Fellow at the Future of Privacy
Forum, and Omer Tene, Vice President of Research for the International Association of Privacy Professionals, for their insights
4 Jules Polonetsky and Jeremy Greenberg, NSF Convergence Accelerator: The Future of Privacy Technology (C-Accel 1939288) (Washington,
D.C.: Future of Privacy Forum, March 2020), https://fpf.org/wp-content/uploads/2020/03/NSF_FPF-REPORT_C-Accel1939288_Public.pdf.
5 ISO standard ISO/IEC 20889:2018 for “Privacy enhancing data de-identification terminology and classification of techniques” addresses this
in part, but it does not seem to be well-known to the relevant buyers.
6 General Data Protection Regulation. Text available online at: Intersoft Consulting, n.d., accessed July 24, 2020, https://gdpr-info.eu/.
7 “Step Aside GDPR, Brazil has a New Privacy Law That’s Changing the Game,” JD Supra, October 14, 2020, https://www.jdsupra.com/
legalnews/step-aside-gdpr-brazil-has-a-new-19894/.
8 Rogier Creemers, Mingli Shi, Lauren Dudley, and Graham Webster, “China’s Draft ‘Personal Information Protection Law’ (Full Translation),”
New America, October 21, 2020, https://www.newamerica.org/cybersecurity-initiative/digichina/blog/chinas-draft-personal-information-
protection-law-full-translation/; Constantine Karbaliotis and Dustin Moores, “Federal privacy reform in Canada: The Consumer Privacy
Protection Act,” International Association of Privacy Professionals, November 18, 2020, https://iapp.org/news/a/federal-privacy-reform-in-
canada-the-consumer-privacy-protection-act/.
9 California Consumer Privacy Act (CCPA). Text available online at: State of California Department of Justice, n.d., accessed July 24, 2020,
https://oag.ca.gov/privacy/ccpa.
10 Geoffrey A. Fowler and Tonya Riley, “The Technology 202: Privacy advocates battle each other over whether California’s Proposition 24
better protects consumers,” The Washington Post, August 4, 2020, https://www.washingtonpost.com/politics/2020/08/04/technology-202-
privacy-advocates-battle-each-other-over-whether-california-proposition-24-better-protects-consumers/.
11 Emerging Patchwork or Laboratories of Democracy? Privacy Legislation in Virginia and Other States, FPF, February 12, 2021, https://fpf.org/
blog/emerging-patchwork-or-laboratories-of-democracy-privacy-legislation-in-virginia-and-other-states/
12 See, for example, Stacey Gray, Pollyanna Sanderson, and Katelyn Ringrose, “A New U.S. Model for Privacy? Comparing the Washington
Privacy Act to GDPR, CCPA, and More,” Future of Privacy Forum, February 12, 2020, https://fpf.org/2020/02/12/a-new-model-for-privacy-in-a-
new-era-evaluating-the-washington-privacy-act/.
13 FTC Prepares to Expand Rulemaking, Including on Privacy and Data Use, JDSUPRA, Mar 31, 2021 https://www.jdsupra.com/legalnews/ftc-
prepares-to-expand-rulemaking-7281226/.
14 Gené Teare, “Almost $10B Invested In Privacy And Security Companies In 2019,” CrunchBase, January 29, 2020, https://news.crunchbase.
com/news/almost-10b-invested-in-privacy-and-security-companies-in-2019/.
15 Paul Sawers, “5 data privacy startups cashing in on GDPR,” Venture Beat, July 23, 2019, https://venturebeat.com/2019/07/23/5-data-privacy-
startups-cashing-in-on-gdpr/.
16 “Privacy Tech Alliance,” Future of Privacy Forum, https://fpf.org/privacy-tech-alliance/.
17 https://fpf.org/pepr21/; https://www.riseofprivacytech.com/.
18 Author conversation with Limor Shmerling Magazanik, July 30, 2020.
19 Tom Foster, “‘A Growth Industry Like I’ve Never Seen’: Inside America’s No. 1 Fastest-Growing Company,” Inc., September 2020.
20 See, for example, Jules Polonetsky and Elizabeth Renieris, Privacy 2020: 10 Privacy Risks and 10 Privacy Enhancing Technologies to
Watch in the Next Decade (Washington, D.C.: January 2020), https://fpf.org/blog/privacy-2020-10-privacy-risks-and-10-privacy-enhancing-
technologies-to-watch-in-the-next-decade/.
21 “Gartner Says Over 40% of Privacy Compliance Technology Will Rely on Artificial Intelligence in the Next Three Years,” Gartner.com,
February 25, 2020, https://www.gartner.com/en/newsroom/press-releases/2020-02-25-gartner-says-over-40-percent-of-privacy-
compliance-technology-will-rely-on-artificial-intelligence-in-the-next-three-years.
22 Jules Polonetsky and Elizabeth Renieris, Privacy 2020: 10 Privacy Risks and 10 Privacy Enhancing Technologies to Watch in the Next
Decade (Washington, D.C.: January 2020), https://fpf.org/blog/privacy-2020-10-privacy-risks-and-10-privacy-enhancing-technologies-to-
watch-in-the-next-decade/.
23 “Privacy Tech Alliance, https://fpf.org/privacy-tech-alliance/.
24 NIST is leading a number of privacy engineering initiatives. Further work may be needed to understand whether the NIST initiatives will support
the short terms gaps identified by the vendors. See: U.S. National Institute of Standards and Technology. NIST Privacy Framework: A Tool for
Improving Privacy through Enterprise Risk Management. https://www.nist.gov/itl/applied-cybersecurity/privacy-engineering/resources.
25 Extracting value is used in this report to capture a wide range of business activities, including analytics, research, improving the quality
of services, and developing new products. Increasingly, the availability and utility of data for machine learning projects is an important
consideration.
26 How Privacy Tech Is Bought and Deployed (Portsmouth: International Association of Privacy Professionals, 2019), https://iapp.org/media/pdf/
resource_center/privacy_tech_bought_and_deployed_IAPPTrustArc_2019.pdf.
27 Personal Data and the Organization: Stewardship and Strategy (Washington, D.C.: Future of Privacy Forum, May 2019), https://fpf.org/wp-
content/uploads/2019/05/FPF_DataRiskFramework_illo04.pdf.
PRIVACY TECH’S THIRD GENERATION: A REVIEW OF THE EMERGING PRIVACY TECH SECTOR 49
1400 EYE STREET NW | SUITE 450 | WASHINGTON, DC 20005 FPF.ORG | 202-768-8950