PRIVACY BEAT: Data mapping and compliance vendor lands $200M investment as market for privacy services appears to heat up

1. Data mapping and compliance vendor lands $200M investment as market for privacy services appears to heat up

OneTrust, an Atlanta-based data-mapping and privacy-compliance services company reported last week it had received a $200-million equity infusion at an implied valuation of $1.3 billion for a five-year-old company with 1,000 employees and about 3,000 clients in 100 countries. Half the employees are in R&D. 

It was the best valuation yet reported for a young company in the data-privacy marketplace. New York-based Insight Partners, a $23-billion-managed-assets venture and private-equity firm, made the investment. 

OneTrust Chairman Alan Dabbiere has two other Atlanta tech startups under his belt. He says OneTrust works as a dashboard for a company’s privacy department, helping to ensure against inappropriate use of customer data and comply with privacy laws.  He said Atlanta is a center for “global privacy innovation.” 

“Data-privacy compliance companies are enjoying a surge of interest,” VentureBeat.com reporter Paul Sawers wrote in a July 11 story about the OneTrust stake. “The privacy laws being implemented around the world differ in terms of their requirements, but their purpose is the same: to formalize how companies manage and track personal data.” 

On July 10, the privacy compliance firm TrustArc said it had raised $70 million in a Series D round from private-equity firm Bregal Sagemount. Accel Partners, DAG Ventures, Baseline Ventures, Industry Ventures, and Icon Ventures are previous investors. The company helps organizations be compliant with GDPR, CCPA, and other laws, including Fortune 500 companies such as AT&T, IBM, and Alibaba. 

RELATED LINK: BigID Launches Privacy Certification Program to Train the Next Generation of Data Privacy … Business Wire (press release)

2. Washington Post preparing for life after the “cookie” for ad targeting — can other publishers join?

The Washington Post is working on technology that will watch readers on its website and use AI to figure out their interests in order to serve relevant advertising, according to a July 16 story by DigiDay ad-tech reporter Jessica Davies. The Post calls the project “Zeus Insights” and it says it is designed to help adjust to a world in which third-party-cookie-driven ad-targeting goes away. 

“This is about how we build the media businesses of tomorrow,” Jarrod Dicker, VP of commercial technology and development at The Post, told Davies. “It would give publishers a more collective understanding of [being part of] a network, and that then starts to become the opportunity to really challenge the platforms and not feel so closed off because the opportunities are happening on individual platforms.”

The Post plans to license its platform to other publishers, the account said, by integrating it with its Arc technology platform.  It was not clear in the article how Zeus Insights would be networked among publishers.

3. California Senate committee OKs bill that privacy advocates say weakens CCPA’s handling of “deidentified” data; watch Aug. 12; premium-services charge apparently maintained

A California Senate Committee reversed itself and unanimously approved a proposed amendment to the California Consumer Privacy Act.  The amendment would weaken handling of “deidentified data,” say privacy proponents.  

The move comes as Aug. 12 emerges as the next key date for observers to figure out whether the CCPA will be amended before it takes effect Jan. 1.  The California Senate was to adjourn for summer recess on July 12 and return Aug. 12. On that date, multiple CCPA-amending bills are scheduled for committee hearings. 

On July 9, the Senate Judiciary Committee, meeting for nearly 12 hours in Sacramento, approved and rejected various amendments to the CCPA that had already been through the California Assembly. One of them, AB 873, proposes to change the definition of “deidentified” information. First, the committee deadlocked 3-3-3 on the measure, but then on a move to reconsider, approved it 9-0. 

The amendment would also add the word “reasonably” in two places where “personal information” is defined, making it easier for data companies to argue they aren’t responsible for a data hack exposing personal information in an “unreasonable” way. 

The “deidentification” issue is important for advertisers, publishers and other data aggregators, who are seeking ways to continue to personalize ads and content to individuals’ interests without having to know each individual’s unique attributes.  The proposed amending language would substantially lighten the burden on data-tech companies handling deidentified information. 

Here is how the CCPA defines “deidentified” (emphasis added): 

(h) “Deidentified” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information:

(1) Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.

(2) Has implemented business processes that specifically prohibit reidentification of the information.

(3) Has implemented business processes to prevent inadvertent release of deidentified information.

(4) Makes no attempt to reidentify the information.

Here is how AB 873, in the form passed 9-0 in committee last week, defines “deidentified”:

(h) “Deidentified” means information that does not identify and is not reasonably linkable, directly or indirectly, to a particular consumer, provided that the business makes no attempt to reidentify the information, and takes reasonable technical and administrative measures designed to:

(1) Ensure that the data is deidentified.

(2) Publicly commit to maintain and use the data in a deidentified form.

(3) Contractually prohibit recipients of the data from trying to reidentify the data.

Another CCPA amendment that would confirm the right of publishers to charge for “premium services” after a consumer refuses to share personal data appeared to survive and was sent to the California Senate Appropriations Committee on an 8-0 vote. AB 846, if it becomes law, would state that a publisher or other entity is permitted to charge a different price, rate, level, or quality of goods or services,” if a consumer declines “participation in a loyalty, rewards, premium features, discount, or club-card program.”