Cyberspace hurdles: Bane of fragmented internet privacy rules

In 2018, California lawmakers mandated that consumers be able to request their personal data from companies through a toll-free number. And then a group of lawyers, engineers and salespeople for a company in Atlanta got to work. 

The company, a start-up called OneTrust, now based in a suburb on the city’s outskirts, makes software for businesses trying to stay on the right side of the growing number of internet regulations. 

In response to the new California law, OneTrust made it easy for companies to set up a number to manage the requests.

In an attempt to rein in tech giants like Facebook and Google, governments around the world in recent years have approved new laws governing how websites must handle consumer data, treat their competitors and protect young people. 

The European Union has a data privacy law that governs the entire bloc. California has approved two privacy measures in recent years, and other states have followed suit.

Out of those regulations has arisen something else: An industry to help companies navigate the increasingly fragmented rules of the global internet. It’s a booming market. 

OneTrust, a leader in the field, has been valued by investors at $5.3 billion. BigID, a competitor, raised $30 million in April at a $1.25 billion valuation. Another company that targets privacy regulations, TrustArc, raised $70 million in 2019. Yoti, a start-up that provides the kind of age-verification services that regulators are increasingly turning to shield children from harmful content, has raised millions of dollars since it was founded in 2014. 

The emergence of these companies shows how complex regulations governing the web have become — and how much more complicated it is expected to get. Several privacy laws will take effect around the world in the coming years, with more countries and states expected to consider their own proposals. “They are all reactions to an underlying problem — and they all have their own favor, they all have their own interpretations and they all have their own focus points,” said Bart Willemsen, an analyst at Gartner, a market research firm. 

“These regulatory changes nudge organisations — in addition to perhaps any ethical concerns they may have had — to really up their game here.” Many of the new companies owe their start to the General Data Protection Regulation, a European Union law passed in 2016 that pushes websites to ask their users if they agree to being tracked online. 

It also mandates companies to catalogue the personal data they hold. The European rule was a landmark moment in the fracturing of internet regulation, putting Europe far ahead of Washington in creating guardrails for tech.

“We’re definitely kind of a child of G.D.P.R.,” said Dimitri Sirota, the chief executive of BigID, which was founded the year the law passed. In its earliest days, BigID helped companies map out their data holdings so they could respond to requests under privacy laws. The company now has offices around the world, including Australia, Israel and Switzerland. 

OneTrust also owes its birth to the European law. Kabir Barday, the company’s chief executive, started the company in 2016, when he saw companies preparing to comply with the rules. Under the European rules, websites largely must get users’ permission to use cookies, the tiny bits of code that can be used to track people as they move around the internet. 

In practice, that has meant that visitors to a website are often presented with a pop-up menu or a banner asking them if they will agree to be tracked. OneTrust helps companies add those banners to their sites. 

Its clients include the pocket-tool maker Leatherman, the furniture titan Herman Miller and the California fashion designer James Perse, who sells $70 white T-shirts that are a favourite of Evan Spiegel, the Snapchat creator.

In 2018, lawmakers in California passed their own privacy rules, which gave users in the state the right to request their personal data from websites. Demand from companies racing to meet the California law was strong, said Barday.

“A customer would say, ‘Kabir, we need to get started today,’” he said. “And I just said, ‘Customer, we just had, in that time period, a thousand customers in about one quarter that came to us and just said the same thing.’” Today, OneTrust and its competitors advertise that they can help clients comply with privacy laws in numerous countries, like Brazil, and in American states, like Nevada. OneTrust hands out spiral-bound texts of the California and European laws as swag. Gabrielle Ferree, a OneTrust spokeswoman, said that its largest customers generally choose products at a price point that “runs in the six- to seven-figure range annually.” 

Products meant to meet new internet regulations may vary in how effectively they actually protect the privacy of people browsing the web, experts said. 

A website can, for example, nudge a visitor to agree to being tracked by using a more prominent color for the button that accepts cookies than for the button that rejects them. Or they can present a user with an uneven choice: accept ad tracking with one click or disable it using a complicated settings menu on a different page.

“I really think it’s up to the businesses, and they’re well within their power to make it easier for consumers to opt-out or opt-in,” said Maureen Mahoney, a policy analyst at Consumer Reports.

Barday said the interests of the businesses that use his products were aligned with the interests of their customers. Companies want to reach consumers who want their products or keep them engaged. 

And consumers prefer an internet experience personalised to them and their interests, as long as websites are upfront about collecting their data, he said. “What we love about this market is that capitalism and commercial interest is not at odds with doing good for the world and doing good for people,” he said. “If a business can show that they’re trustworthy and respectful and transparent in how they collect that data, guess what?” he said. “Consumers provide them the data.” 

The business has faced setbacks: At the outset of the pandemic, OneTrust laid off 10 to 15 percent of its 2,200 employees. Some of those employees threatened to sue the company in Britain last year, saying they had been fired en masse for poor performance despite never receiving bad performance reviews. Employees also told the media that the layoffs came after Barday told his staff that no jobs were at risk. Ferree, the spokeswoman for OneTrust, said that the company was “not exempt from the impact of pandemic-related uncertainty in 2020.” 

“Ultimately, we had to make difficult employment decisions and strived to protect jobs for the long term,” she said. 

But OneTrust and other companies in the industry have continued to grow. OneTrust, which is not yet profitable, says it now has more than 10,000 customers. And it has introduced products aimed at helping companies comply with other regulations, like new protections for whistle-blowers in Europe.