A few months before the California Consumer Privacy Act would go into effect on January 1, 2020, the California Attorney General, Xavier Becerra, issued a set of proposed regulations as part of the new law. Under CCPA, consumers have the right to access the data a company has collected about them. It was designed to give consumers more control over their data by allowing them to request that it be deleted or that it not be sold to a third party.
Becerra’s new regulations require businesses to match at least three pieces of personal information from the consumer with the information they have on file, in order to grant that person access.
For many companies, complying with this regulation would prove to be a challenge. But the San Francisco-based startup DataGrail had a leg up — it went into business specifically to help companies comply with CCPA and the General Data Protection Regulation in the European Union. Engineers at DataGrail have been working quickly to update their platform, and the privacy management startup will soon release a new feature to help its customers comply with the CCPA’s identity verification requirements.
“How can you delete a customer’s data if you don’t even know where it’s located or what kind of data it is?”
DataGrail isn’t the only startup tackling privacy regulation. With new legislation comes new technology, and since GDPR and CCPA were implemented, startups have emerged in tech markets around the world aiming to help companies comply with these laws.
Segment in San Francisco gives customers a consolidated view of the data that companies store about them, Osano in Austin created a data set that measures the data privacy practices of companies, and San Jose-based Securiti uses AI to efficiently retrieve consumer data.
DataGrail focuses on automating and managing opt-out and deletion requests from consumers under the CCPA and GDPR, but it’s also thinking about what’s ahead. CalPRA — also known as CCPA 2.0 — is a newly proposed law already in the works that would add updates to the CCPA to further protect consumers. It could be on the voting ballot in California as soon as the November elections.
Privacy laws are constantly evolving, which makes writing code for compliance tools a challenge. But DataGrail’s engineering and product team has been able to quickly iterate by writing code that’s adaptable and flexible, and fine-tuning a solid internal process.
Understanding the data
Before founding DataGrail, CEO Daniel Barber was struck by the growing number of different technologies used by modern businesses.
“The sheer number of applications creates an enormous amount of challenges,” Barber said. “Some businesses don’t even know all of the apps they use anymore.”
When GDPR was first proposed, Barber saw that a major component of the proposed regulation required companies to understand the systems and applications they have in place. “How can you delete a customer’s data if you don’t even know where it’s located or what kind of data it is?” Barber asked.
He and his co-founders, Earl Hathaway and Ignacio Zendejas, who all have backgrounds in data infrastructure, understood the increasing need for a tool that would allow businesses to easily retrieve and delete information.
Today, DataGrail uses more than 200 pre-built connectors that do exactly that — they connect with common enterprise applications like Salesforce, Adobe, Oracle and Hubspot, to monitor data across a company’s network. The platform can quickly pull customer data, which can be viewed in a live data map, and delete it when necessary.
After GDPR was passed, Barber noticed an uptick in the number of consumers taking an interest in data transparency. “We saw this social-economic change,” he said. “The consumer was becoming aware that their data is being shared.”
Last year, DataGrail conducted a survey of 2,000 consumers in the United States that found 82 percent of respondents want a national privacy bill. Barber assumed there would be an ongoing need for DataGrail’s product as privacy laws continue to expand.
Not all privacy regulation is created alike
Barber and his team designed their platform to help companies comply with both GDPR and the CCPA, and while the two laws are similar, “the construct of CCPA is different than GDPR,” said Barber, “particularly the ‘do not sell’ component.” Sites that are CCPA compliant give customers the ability to opt-out of having their data sold, which is not a requirement under GDPR.
“You have two strains of privacy reform now, and we support [both],” Barber said. In the current privacy landscape, there are multiple disparate regulations in place by state or by country. “Until there’s one standard, our product will evolve,” Barber said. “When there are nuanced requirements, we will support those for our customers’ customers.”
DataGrail aims to make privacy regulation as uncomplicated as possible since that’s what their customers have come to expect, Barber added.
Creating adaptable code
Because privacy laws are so nuanced, DataGrail’s engineers are focused on writing adaptable code.
“Our goal is to have a platform that will comply with both GDPR and CCPA, or, in other words, we want reusable code,” said Valerie Sui, a software engineer at DataGrail.
Sui and her team, who primarily code in Ruby and Javascript and use React for the frontend, try to be as abstract as possible when coding DataGrail’s platform. “When it comes to new features, we always go through design reviews,” Sui said. The goal is to make sure that the design of each new feature is flexible enough to potentially be reused.
Naturally, this presents challenges because the laws are continually evolving. But DataGrail’s engineers are focused on fine-tuning their overall process. “We’re always making sure we continually evolve our own process internally with product and engineering,” Sui said. “We set ourselves up to produce the product as quickly as possible and we make sure our design is adaptable.”
The future of privacy regulation
As privacy laws continue to expand, Barber thinks that more companies will begin to build their technology with privacy at the forefront.
“The companies that have an advantage today are the ones that push privacy,” he said. “I think consumer brands have an opportunity to gain strategic advantage here.” He points to Apple and Sonic internet as an example of consumer brands using privacy as a competitive advantage in a crowded market. “We’re going to see more consumer brands starting to do this because consumers clearly care about it,” Barber said.
“The companies that have an advantage today are the ones that push privacy.”
He’s also confident that more companies will create tools for greater transparency and control because consumers have come to expect both as par for the course.
DataGrail is already well-positioned for a future where consumers have increased control. The infrastructure and security systems the company puts in place are more advanced than the average company, said Barber, because they’re at the whim of the consumer. “One of our customers might receive 10,000 [data] requests in a week,” he said. “From an infrastructure standpoint, we have to be able to support that.”