Another gold rush was unleashed in California this week with the passage of the state’s consumer privacy law, which has sent startups scurrying for a piece of the estimated $55 billion expected to be spent by companies to bring themselves into compliance with the rules.

The CCPA, or California Customer Privacy Act, went into effect with the new year and is the first of its kind in the U.S. Like the EU’s 2016 General Data Protection Regulation, it gives consumers an element of control over their digital information.

And with the new law, as is often the case with government mandates, comes a host of contractors, consultants and lawyers looking to earn a buck helping companies make sure they don’t break the law. That’s the $55 billion price tag, and it’s already breeding companies providing privacy enhancing services, with venture and private equity investors taking note. 

Under the act, Californians have the right to know if companies are collecting their information and may request to have their information deleted. They may also bar their data from being sold. The CCPA applies to all businesses in California that have either annual revenue of more than $25 million or share personal data of more than 50,000 people.  

About a third of companies surveyed for the law’s impact assessment believe they need to spend between $100,000 and $500,000 to comply with the CCPA. The bulk of the money would be spent on legal and technical fees, according to the California Department of Finance.

Data privacy is being emphasized globally as personal information is stolen, sold and used without permission around the world. German internet company 1&1 Telecom was fined $10.6 million for failing to protect customer IDs under the EU’s GDPR. India is set to pass its first major data protection law that sets limits on how companies can collect, process and use personal data. 

Companies that specialize in data law compliance have sprouted in the wake of the government actions. Cybersecurity startup Osano from Austin, Texas, claims that its platform can help companies become compliant with the laws of 40 countries, and it raised $5.4 million from LiveOak Venture Partners and Next Coast Ventures last December.

San Jose, California-based Securiti.ai, developer of an artificial intelligence-powered data protection platform, raised $31 million, according to PitchBook data. 

  • Private investors have long favored cybersecurity companies. Venture capitalists spent a record $8.56 billion in the industry last year, a 40% jump from 2018. London-based Snyk scored $1.25 billion from undisclosed investors last December, the largest capital raised among cybersecurity companies last year. 
  • The most active cybersecurity investors are Plug and Play Tech Center from Sunnyvale, California, which invested in 77 deals over the last five years, and London’s CyLon, an investor in 59 deals over the same time.
  • A more advanced cybersecurity approach, called “security orchestration, automation and response” (SOAR), is on the horizon. The technology saves time and costs by employing machine learning and artificial intelligence to perform security tasks. PitchBook identifies 27 companies working on SOAR, and 8 of them raked in $124 million in venture capital investments last year.