Building Tech on a Moving Regulatory Target

Building Tech on a Moving Regulatory Target

The “Innovation Double-Click” series highlights the best of the super{set} Hive, featuring insider tips and strategies from startup executives who are driving innovation and propelling their companies to new heights.

The AI revolution is powered by data, but behind every data point is a person, and  companies need to protect the personal data they collect – and the people they collect it from. We’re in the early innings of a seismic shift in data utility, driven by AI. To unlock the value from AI initiatives, businesses need access to responsibly gathered and protected personal and confidential data. 

Enter Ketch: an intelligent privacy platform with data control at the core. Given how hot the topic of data dignity is right now, we sat down with Ketch co-founder Max Anderson to learn about the challenges and opportunities of creating companies and scaling startups in a fast-changing data privacy landscape.

1. jsd: General Data Protection Regulation (GDPR) recently turned 5. How far have we come with privacy regulations around the world? What’s the biggest challenge when building alongside a continuously evolving regulatory landscape?

Max: Privacy regulations have undeniably made significant strides globally. And the landscape continues to grow and evolve. Here in the US, privacy legislation has been codified into law in ten U.S. states, and more are likely to follow. This progress creates challenges for those building technology solutions. Ketch was always designed to be flexible, even when all we had out there was GDPR and California’s first in the nation privacy regulations - California Consumer Privacy Act (CCPA). We had the benefit of building solutions for GDPR at Salesforce, and that process taught us how much configurability this domain required. As a result, we built the technology so that it’s as flexible as possible, assuming there would be high fragmentation in requirements across the globe. With more US states and several international territories likely to follow,  Ketch has focused on a privacy "building blocks" approach, akin to creating a customizable recipe for privacy. By treating laws as a recipe with similar ingredients but nuanced flavors, we work to ensure our technology can cater to various regulations efficiently. For example, depending on the state and law, Ketch can be customized based on the types of rights offered, the type of consent and what you are using the data for. 

As for building tech on a moving regulatory target,  it’s a unique challenge because you never really know what is going to happen. As the world continues to be shaped and reshaped by transformative AI advancements, new questions arise. For instance, what if a user requests access to delete their data from an AI model? What implications does this have for the model's integrity and derivative assets? 

We do our best to minimize the impact of the unknown by staying proactive – we’re diligently following the legislative landscape to ensure our model is well-prepared to handle regulatory shifts that may come our way.

2. jsd: In terms of privacy, what do the regulations get right? What do they get wrong? 

Max: The North Star has to be acknowledging the importance of data dignity for individuals, even in the face of vagueness and uncertainty. And regulations generally get it right. The emphasis on transparency regarding data use and providing individuals with choice and control over their personal information is a crucial step forward in safeguarding privacy rights. 

However, there are certain areas where regulations have definitely underestimated the complexities of the digital ecosystem. Individuals' identities are not as straightforward as they may seem. They are often represented by devices and interconnected bits of data. Seeing people as people rather than devices is a challenging task for both individuals and businesses. Regulations have created significant operational challenges for companies who often spend hundreds or thousands of hours on privacy program management, representing unplanned costs and often pulling critical resources away from other projects. 

In addition, there is a need to strike the right balance between regulation and enabling participation in the data-driven economy. As technology and connectivity continue to advance rapidly, companies need adaptive and future-proof solutions like Ketch to navigate this ever-changing landscape effectively.

3. jsd: What are the major differences across global data privacy laws? What are the ways businesses are approaching this? 

Max: A straightforward way to understand the differences is to start with U.S. and E.U. data privacy laws. The E.U., under GDPR follows an opt-in model, while the U.S. predominantly operates under an opt-out model. In general, the core rights a person has to access and delete data are the same, but the data use paradigms are very different. Of course, there are also laws in Brazil (closer to GPDR) and Canada (mix of both). 

Let’s start with GDPR. One smart thing European regulators have done is not to prescribe the "things businesses do with data" and instead put that obligation onto the business through the concept of purpose limitation. This will make the GDPR much more durable to the changes in data use cases over time as compared to other regulations.

Ironically enough, at the same time, I see many EU businesses assuming that if they have a cookie notice and "block cookies," they have complied with their purpose limitation requirements. Instead, I would hope to see those businesses worrying more about how they control their use of data across purposes and systems, where setting cookies might be a footnote in broader implementation.

In the U.S., regulation has been much more prescriptive about what people should be able to opt out of, like "data sales" in California. That approach, I believe, has made US legislation less able to stand the test of time because, among other reasons, the definition of data sales has been tough to understand and took a long time for people to appreciate the implications of. Another thing – that prescription about “data sales” led to potential exploitation of the ambiguousness of the term. This could have been avoided if we followed a more E.U.-like model.

There are other challenges, too. Businesses In the U.S., by and large, still rely on tenuous legal arguments for why these things don't apply (ie: "I don't sell data") or don’t really think about how they connect a consumer's choice to their data usage operations.

I do believe that the opt-out system is more favorable to businesses because it allows for data processing while still providing users with an option to opt-out if they choose to do so. Under both systems, what’s critical is this idea of coordinating data usage across systems based on permissions from the consumer. Ultimately, this is a solvable problem, but it's more complicated and expensive than it seems the average business wants it to be.

4. jsd: AI is heavily dependent on data. Is there an intersection with data privacy? How does Ketch help businesses participate in the AI revolution? 

Max: Absolutely, there is a critical intersection between AI and data privacy. AI projects heavily rely on access to vast amounts of data, often including personal data, to train and improve their models. However, this reliance on data poses significant challenges for businesses in terms of maintaining data privacy and complying with regulatory requirements.

For businesses to effectively participate in the AI revolution, they must have their privacy game in top shape. This involves ensuring that data is fully permissioned and that they understand the necessary controls to responsibly handle and extract data. AI initiatives are often dead-on-arrival if access to personal data is hampered by privacy and compliance gaps. In practical terms, this means a business can’t move AI projects from pilot to production unless they solve privacy challenges. Ketch assists businesses in navigating these challenges and maximizing the benefits of AI by providing tools and solutions to protect confidential data. Ketch enables businesses to fine-tune AI models and mitigate potential risks. We facilitate the process of freeing up data while ensuring it is fully permissioned, allowing businesses to gain a comprehensive understanding of AI data usage both internally and externally. Businesses can confidently utilize Ketch's capabilities to participate in the AI landscape, knowing that their data privacy is well-maintained, and they are complying with relevant regulations.

5. jsd: The privacy management software space is highly competitive. How does Ketch differentiate and innovate?

Max: Competing in the data privacy landscape is challenging for two reasons.  It feels like there’s a new competitor every week, and you are constantly teaching the market how to solve the problem with technology among audiences who haven’t been big buyers of technology, like lawyers for instance. Many of the platforms in this space offer only surface-level capabilities that focus on addressing specific aspects of privacy programs. Ketch stands out by providing programmatic, automated solutions that unlock real value for privacy programs. Unlike legacy platforms that often cater to isolated functionalities, Ketch takes a holistic approach to data privacy, offering comprehensive and seamless solutions that streamline privacy operations for businesses.

Another one of Ketch's key differentiators is our focus on respecting individuals' data dignity. With data being at the core of AI and other data-driven technologies, we believe that businesses can grow and thrive while still maintaining a strong commitment to privacy and ethical data practices. This idea sets Ketch apart as a privacy partner that not only provides cutting-edge technology but also upholds values that prioritize user rights and data protection.

6. jsd: What should future co-founders and product leaders know about working with the crew at super{set}?

Max: Co-founding a company within the super{set} model has so many advantages. How much time do we have? I’ll try to keep it brief. To me the best thing about building with super{set} is that you have access to the vast experiences of your colleagues and that you can tap into and the collective resources that super{set} provides – like legal, HR, etc. I don’t have to worry about those things, which means I can focus more of my time on the product and our customers. Bottom line is this: co-founding a company is hard work, and there are no sure things, but in the grand scheme of things, if you are into the risk-adjusted, expedient path to company building while there's still risk embedded, it's nicely tempered. Tom and Vivek have done a good job with the model. It's definitely worked for me.