When the International Association of Privacy Professionals (IAPP) started analyzing the privacy tech vendor landscape in 2016, there were 44 vendors on the scene.
This year, that number reached more than 350.
“We really started noticing it after GDPR was passed in the EU, during that two-year ramp-up period before it went into effect in 2018,” said Jedidiah Bracy, editorial director of the IAPP, which publishes an annual report tracking the growth of the privacy technology marketplace.
In the past three years – the General Data Protection Regulation celebrated its third birthday this week – the market has naturally started to calm down a bit, although new regulation prompts new entrants. There was another sharp uptick in privacy tech startups in 2019 prior to enforcement of the California Consumer Privacy Act.
With so many options to choose from, privacy professionals, marketers and publishers are left with the difficult task of vetting this large pool of potential partners, Bracy said.
The privacy tech vendor landscape includes everything from data mapping, data discovery, consent management and enterprise communications to website scanning, data subject request management, data de-identification, risk management and incident response.
“It’s not always easy to tell what’s good and what’s not,” Bracy said. “By the same token, though, I suspect that anyone selling snake oil won’t last long. There’s too much on the line for companies. If something isn’t working, they’ll know relatively quickly.”
Bracy spoke with AdExchanger.
AdExchanger: On the one hand, the fact that there are so many new entrants is a good thing. There’s demand in the market, because companies are taking their privacy programs seriously. But isn’t this market getting unwieldy?
JEDIDIAH BRACY: To be honest, some of the feedback we’ve gotten on our tech vendor reports is that they’re so big now it’s becoming hard to go through them. It’s especially challenging for privacy pros that tend to have smaller budgets than, say, their security peers.
Other than the size of the market, what are the main challenges privacy professionals face in trying to sort the wheat from the chaff?
A lot of vendors make hefty promises. The most common one you heard after GDPR was that this or that service will make you fully GDPR compliant. But if you talk to any academic or outside counsel, they would tell you that they don’t know at a philosophical level if it’s even possible to fully comply with all aspects of GDPR.
Any tips for marketers in dealing with all this?
Collaborate. Marketers are business drivers and any skillful privacy pro is constantly working with the marketing department, especially as it relates to privacy-by-design and cookie compliance.
What trends have you seen emerging in terms of the types of services on offer from privacy tech vendors?
One broad trend is the general evolution of the services that are available. Early on we saw a lot of emphasis on data discovery, data mapping and assessment management – foundational things. What data do we have, where is it located and how does it flow through the company?
And then in 2018 and 2019, we saw the emergence of more consumer-facing technologies related to consent, data portability and data deletion. Now there is a bevy of service providers that help companies operationalize different types of data access requests.
We’re also seeing data localization become a bigger issue in the wake of Schrems II [in which the EU's Court of Justice invalidated the Privacy Shield, which had previously regulated the transatlantic exchange of personal data for business purposes between the European Union and the US]. I suspect we’ll start to see more services arise to help with trans-border and multi-jurisdictional data flows.
How much of the privacy tech vendor landscape is being fueled by opportunism and how much by true market need?
I honestly can’t say. There are definitely a lot of niche companies that saw opportunity and just wanted to get bought out by a bigger company. There are also security companies moving into the privacy space.
But I’d say that the winners are starting to get a little clearer – the difference between a truly robust service and the ones that are too niche or not filling a real need.
Organizations that are shopping for solutions are more likely to go with one company that can provide them with multiple services, rather than working one vendor for cookie management, another for data mapping, a third for this and a fourth for that. OneTrust, for example, is huge in the space and they’re positioning themselves as a one-stop shop.
What are some examples of red flags that should set off alarm bells?
Beware of easy buttons and companies that claim to offer the silver bullet solution or make promises that this or that feature will make you fully compliant.
There might be tools that help you achieve compliance, but no matter what service you use, you still need to put in human hours and human work.
This interview has been edited and condensed.