What’s Next in Privacy: 2025 Trends Shaping the Future
Privacy is being shaped by evolving laws, advancing technology, and rising consumer expectations. In this forward-looking session, Daniel Barber, CEO of DataGrail, will highlight the key trends set to define 2025 and beyond. You will gain clarity on what’s changing, what it means for your business, and how to stay ahead in a rapidly shifting landscape.
Well, hopefully folks enjoyed the tunes.
Uh, we, uh, we'll get back into sessions now,
and so, um, I'm going to steer us
for the next few minutes here
and sort of talk through, um, where privacy is headed.
Um, obviously appreciate Tom's guidance on,
on California's position, uh,
but wanted to just kind of give a bit of a backdrop.
Um, we've been obviously in the market since late 2018
and, uh, you know, a lot has changed.
Um, I think privacy really did start with a EU directive.
Um, folks might remember that one,
or maybe it goes back a little bit too far,
but 1995, the, um, EU data protection directive.
Um, this was sort of one of the, the earliest piece
of legislation that that was put into practice.
Um, I think, you know,
obviously the GDPR was a watershed moment, uh,
and we did see enforcement of, of large businesses,
small businesses, but a lot of focus on big tech.
Uh, and I think, um, that made sense given, uh,
at the same sort of period.
Um, we saw Cambridge Analytica, um,
and I think consumers across the US
and globally starting to realize just
how their information may have been used
or being used by new technologies,
whether those are on the web or in mobile.
But I think, um, if we sort of take that one step further,
things have really accelerated the last five years.
Uh, and I would say even the conversations that I've had
with privacy leaders, uh, both recent
and, uh, you know, going back into 2021, um,
it really started with, um, the CCPA.
This was the first, you know, fi sort of comprehensive law
for California, as Tom mentioned.
Uh, but things followed quite quickly.
And I would say, um, you know, 2020, 2021, um,
enforcement was a a little slower I,
I think than probably most expected.
Um, but things accelerated into 2023.
Uh, and then at the same time we saw, um, CIPA litigation
and other litigation, um, with the FTC also stepping in, um,
and even class actions taking place as well.
This has really changed the conversation, um,
that we've been having at DataGrail
and I think across the market as well,
in a position towards risk, um, as opposed
to initially it might have been more of a compliance effort
and effort to, you know, ensure that, um,
folks are being transparent,
but really the risk has heightened over the last,
let's call it 12 to 18, even 24 months.
Um, and I think, you know, if we look at where we are now,
you know, 20 plus states, we're in, to Tom's point,
a multi-state era in the US, um, it's great
that we have the GDPR in Europe,
but, um, I think in the US it's quite complex for folks.
Um, we see this every day, uh,
and, uh, you know, kind of wanna spend a little bit
of time digging into what that means
and how folks can perhaps think about it as they go forward.
So, um, if we think about the evolution
of ownership within privacy, there's a few things
that I've seen in terms of trends.
Um, late 2018, it was very clear it was a legal foundation.
People were trying to understand the GDPR,
understand the requirements, um,
and then even going into the CCPA,
it was very clear interpretation
of those requirements was important, making sure
that folks really understood
what does this mean for the business.
Um, the interlock started to happen with security, uh,
and I think now as we sort of look at what the,
the cross-functional council looks like,
it's very different than where we began.
Um, the best in class programs
that I see really have legal security
and privacy working together.
Um, and this is when, you know,
privacy is actually implemented across the business,
not just on the privacy policy, um,
but this is an evolution.
It didn't, didn't always begin, um, from a position
of a council, um,
but it is where I see the best in class teams going and,
and what we see in market today.
So why is this happening?
Um, I think there's a couple things going on.
Um, historically, the financial impact, um,
many businesses came to us in, in 2018, 2019, even 2020,
sort of suggesting, well, you know,
we don't have a significant presence in Europe,
so maybe the GDPR mostly doesn't apply to us.
Um, things changed with California that led to, you know,
any business that was large enough
and had an online presence, um, the potential
for financial impact became quite real.
Um, and I would say the remediation, um, expense, whether
that be from litigation
or from enforcement, really started to,
to ramp up 2023, 2024.
Um, and now I would say, you know, every second conversation
that I'm having is related to a demand letter from,
from a CIPA demand letter
or, um, an inve investigation related to, uh, enforcement.
Uh, and I think the,
the overarching point here on reputational damage
shouldn't be overlooked either.
Um, this is something
that I'm sure we're all thinking about in terms
of we don't want our brand
on the front page of the New York Times.
We're not looking to, to have, you know,
negative publicity about the business, particularly related
to data privacy practices.
Um, and as Tom mentioned, um,
it's probably a competitive disadvantage if privacy
practices are not clear, not transparent,
and users don't have control in terms of
how their information is used, processed, or shared.
So at this point, um, you know, I think privacy is following
the track that cybersecurity has.
Um, and as Tom kind of alluded to, um,
we've seen audit requirements for cybersecurity, um,
in terms of breaches at the board level as expectations
for 10 plus years.
Privacy is following the same track,
and we're gonna see that, um,
I have a slide coming up here in terms of
what the audit requirements are for, for California,
but I think now it's become clear that, um,
it is a board level conversation.
It's a conversation that I'm having with, um, you know,
senior executives at businesses across the country
and across, across the globe in terms of
how do they present their privacy posture,
what does that look like?
How do they minimize risk to ensure
they don't see a financial impact,
and that they, you know, take a position
of strength when it comes to their privacy program.
So as we look at the market,
there's some interesting things going on.
Um, I think, you know, the, there's sort of four markets
that I would say are related and converging.
Um, first is the area of compliance. It's very clear.
Um, there are major players in this market, um,
things like SOC 2, um, ISO, these types
of certifications are critical for most businesses,
particularly those that are B2B.
Um, and, you know,
vendors like Vanta have taken a leadership position there.
Um, and obviously we work with them, them quite closely.
Um, I think similarly what's happening in data security, um,
particularly in DSPM, um, vendors,
and I should say businesses really are looking for
best in class security in terms of how
to protect the data they have in their business.
Um, but first try to find out where, where data exists,
the risk that's associated to that data, um,
and that's why you kind of see data security vendors, um,
being good partners to privacy.
Um, and then obviously on, on DataGrail specifically, um,
for customers, you're probably familiar with some of this,
but for folks that are perhaps not customers yet, um,
you know, we, we support a complete program for privacy.
So this is data discovery, data mapping, DSR management, um,
consent management, and then of course DPAs, PIAs, TIAs,
and this type of activity.
Um, this is all built on an integration network,
so the largest integration network in the industry.
Um, and that foundation really is set at the identity level.
Um, many of you are probably, uh, an Okta customer
or perhaps a Microsoft Entra ID customer.
Um, these two identity players are definitely taking the
lion's share, although we have a large number of customers
that use other, other providers as well.
Um, and you know, I think the, the point that I'm trying to,
uh, present here is that there's convergence
between these, these markets.
Um, and, you know, I think the impact in terms of how, um,
these vendors also configure
and align for privacy will matter over the coming years.
So, as I kind of mentioned,
I think there's a pendulum shift that's happening.
Um, this is really in terms
of legal initiating the conversation when regulations were,
um, fresh and in, in effect, um,
that was really the 2020, 2021 period.
Um, these days, I would say we're involved
with a large number of customers where the CISO
or the security organization is driving the conversation.
Um, this is because it's related to remediation.
Um, security teams often understand risk
and the risk associated to the business quite well.
Um, that is part of their mandate.
And so therefore, it's a natural transition
that the pendulum shifts more towards security.
Um, and I would say for, for leaders that are on the call,
um, you know, engaging, um, other folks in the organization
that are passionate about privacy, focused on risks,
so the security organization,
and if you're in security,
obviously the inverse applies as well.
Um, but I think best in class it is legal, security,
privacy working together, um, in a council focused on risk.
So shifting gears a little bit, um,
Tom discussed many things today,
but I wanted to kind of point out this, um,
focus on privacy audits.
Um, these are, uh, new,
they will go into effect in January 1st, 2026.
Um, this is really a, a quite a significant shift.
Um, it's something that I alluded to earlier in terms of,
you know, audits have existed in other areas of security
for quite some time, but these requirements will, you know,
require businesses, folks on this call to submit their,
um, audit documents to the CPPA.
Um, those submissions aren't due in in 2026,
but the, the audit requirements go into effect
January 1st, 2026.
Now, if you follow this thread through, it's very likely
that other states move forward with, um, similar type
of requirements, um, around accountability
and transparency into terms of business practices.
Um, and so, you know, expect California obviously
to lead the way here, um, as it has, um,
with other regulation.
And I think this is a transition towards
really board level conversation, board oversight, um,
specifically related to accountability.
And so last slide for us
before we kick over to the next
session, where are we headed?
Um, I get asked this question on almost every call.
Um, and this is a crazy statement,
but I, I think that it would not be unrealistic for us
to expect 40 states in the US
with different state regulations in 2027.
I realize that's overwhelming for a lot of folks
that are probably trying to deal
with the 20 we have right now.
Uh, but as Tom alluded to, there's a desire
for a federal privacy bill.
Um, it's definitely a bipartisan issue
and there is bipartisan support,
but, uh, at the federal level, it's probably unlikely
for the next 18 to 24 months that we see something
that actually moves forward.
Um, so I think we really need to be ready for
what can happen at 40 states
and what that could mean for pro privacy programs across the
country and across the globe where people are in the US.
Um, on the other side of things, I think there's a lot of,
uh, opportunity in terms of AI agents,
but there's also, um, some challenges that will exist.
Um, many of you might have listened
to a podcast over the weekend, um, where, you know, the,
the, the speaker was talking about this 10 year journey
that we're going on with AI agents.
I think this is pretty early, um,
and businesses will adopt AI agents across all functions,
but you know, this might be the next decade.
And so I think there's going to be, um, some novel privacy
and security challenges that we're gonna see in terms of
what that could mean for the program
and how that integrates into core business workflows.
Um, so on that, on this note, I'll pause.
Um, and I would say very excited
for the session we have ahead.
Um, we have Jason from Anthropic, the only speaker
that actually spoke last year
and this year, um, his session was, uh,
in such demand, we brought him back.
Um, and then we also have, uh, Whitney from from Asana,
SNE from Glean, um, and Nat from Deep View.
So it'll be a really good session.
Um, and, uh, I will go back into the waiting room
and we'll see the next set
of speakers come out in just a moment.
Thank you.