How I Think About Privacy-Tech Businesses

Travis May

Privacy tech has been having a big moment recently: lots of startups have popped up, focused on an alphabet soup of novel technologies, including synthetic data, differential privacy, federated learning, zero-knowledge proofs, multi-party computation, clean rooms, and cryptographic approaches to privacy-preserving data sharing. Meanwhile, every major industry has a set of data exchange challenges where this tech can be helpful.

However, despite the boom in the category, I am generally skeptical of most companies in the space, and there is a graveyard of failed privacy tech startups (with a few notable exceptions).

Over time, I’ve formed three hypotheses on the space.

Hypothesis 1: This is a golden age for privacy technology.

There are technical, regulatory, and commercial tailwinds for the space. From a technical perspective, there has been massive progress in the underlying tech for privacy preservation over the last decade, and lots of new approaches have emerged out of academia and into commercial feasibility. From a regulatory perspective, regulations like CCPA, GDPR, HIPAA, and a variety of other privacy laws have created urgency for companies to be thoughtful about privacy-preserving tech. From a commercial perspective, use of data (and complex combinations of data sets) is skyrocketing.

Hypothesis 2: To be successful, privacy tech companies need to be specific about what data flows they’re unlocking.

Too many privacy tech companies are focused on tech (or privacy) for its own sake. While there are reasonable academic debates about when federated data exchange is better than a centralized clean room approach, very few customers really care — what they care about is a specific business problem for a data flow they need to unlock.

For example, Datavant was built around two very specific requirements: i) under HIPAA, companies generally have a legal obligation to de-identify health data they use for analytics, and ii) these companies want to be able to combine multiple de-identified data sets for their analyses. We made it easy to check the box on those two business requirements. No customers deeply cared about the cryptographic details of how it worked, as long as it worked and fulfilled those requirements. And because it worked, it unlocked data flows (and business outcomes) that previously weren’t possible, and we found great product-market fit as a result.

Too many privacy tech companies make a generic pitch of “we make data exchange that’s already happening more privacy-safe”, but the reality is that most clients don’t care about that unless it unlocks a new data flow or business objective on their end.

Hypothesis 3: Privacy tech businesses should follow a network business model.

The other mistake privacy tech companies often make is following a pure tech playbook. “Our technology is great for data sharing in healthcare, financial services, public sector, or marketing” is a typical mantra for privacy tech businesses, and they sell to clients indiscriminately across verticals.

This is a trap: there isn’t enough defensibility or stickiness in the pure tech play, because there is a feature arms race among lots of privacy tech businesses.

However, the most important data flows involve multiple parties sharing data for some purpose. Examples include healthcare organizations sharing de-identified data across institutions for research, banks sharing data across companies to determine creditworthiness, publishers and brands exchanging information to target ads, and e-commerce companies sharing information about fraud risk. In each of these businesses, there are very real needs for privacy-preserving technology for the parties to exchange data safely, but also a need for standardization on a particular means of sharing data across the industry; the technology is much more valuable if counterparties are already using it. That’s where the network effect lies: adoption of a particular privacy tech by a critical mass of the space makes it the de facto standard.

Viewed as network businesses, privacy tech companies should be obsessed with network business dynamics: getting critical mass in specific domains, getting key nodes into the network via a land-and-expand approach, and narrowing focus as much as possible. Instead of focusing on multiple verticals, they should generally focus as narrowly as possible.

***

In summary, there are massive tailwinds for the privacy tech space as a whole, but the rewards will only go to the companies that both unlock a specific data flow and focus on building out a network. Companies that don’t do this (most privacy tech businesses) unfortunately aren’t generally great businesses.

Midjourney’s depiction of “privacy-preserving data sharing”


Written by Travis May

Entrepreneur, Investor, and Board Member. Founder & Fmr CEO of LiveRamp and Datavant.
