How to Buy
          Cybersecurity and Data Privacy

          Data Privacy Comes of Age

          25 November 2021


          When Snap (SNAP) reported its September 2021 quarterly results, it was evident privacy was going to be a focus as social media and other companies reported their latest quarterly results. In its prepared remarks for its September quarter earnings conference call, Snap said the following:

          “Our advertising business was disrupted by changes to iOS ad tracking that were broadly rolled out by Apple in June and July. While we anticipated some degree of business disruption, the new Apple-provided measurement solution did not scale as we had expected, making it more difficult for our advertising partners to measure and manage their ad campaigns for iOS.”[1]

          With iOS 15 Apple expanded its commitment to privacy and with features like App Tracking Transparency and Privacy Nutrition Labels on the App Store, it provided users with features that give them deeper insights and more granular control over their privacy than before. When asked about why Apple is focused on privacy, CEO Tim Cook responded by saying, “no one needs to trade away the rights of their users to deliver a great product.”[2]

          When we see forecasts for the global Internet of Things (IoT) to reach $1.4 trillion by 2026, up from $761 billion in 2020 according to Mordor Research[3], we, like many others, are excited by that opportunity. More connected devices sharing data give us more information and hopefully drive greater productivity and better decisions. Some would argue that is the glass half full view while the glass half empty one is that more connected devices mean greater threats to personal data privacy and more opportunities for information to be compromised. While we would agree with Cook’s assessment above, bad actors who look to profit from data theft and cyber crime aren’t known for their good intentions.

          As we can see by the passage of privacy laws, such as GDPR in Europe, the California Consumer Privacy Act (CCPA), the Brazilian General Data Protection Law (LGPD), and others winding their way through various legislatures, privacy is a growing concern for the individual as it has been for governments and corporations for some time. We say this because violations of these privacy laws can be rather expensive and potentially threaten a smaller company’s existence. Case in point, the CCPA states the maximum civil penalty is $2,500 for every unintentional violation and $7,500 for every intentional violation of the law.[4] The key here is that those penalties are PER violation. Suddenly a company that has 50,000 records compromised, could be on the hook for $250-$750 million. In May 2021, data compiled by Golfdale Consulting found just 62% of enterprise leaders described themselves as knowledgeable or very knowledgeable about CCPA as it pertains to their businesses.[5]

          In the September 2021 quarter alone, fines associated with GDPR totaled more than $1.1 billion, roughly 20 times more than the combined fines assess during the first half of 2021 and triple the total number of fines reported in 2020[6]. Some of those larger fines included Amazon (AMZN) Europe Core S.à.r.l., which was fined ~$867 million for its use of customer data in targeted advertising practices. Facebook (FB) owned WhatsApp Ireland Ltd found itself with a £262 million fine for severe breaches of privacy laws, including not telling users how it shared data with its parent company. Alphabet’s (GOOG) Google was hit with a fine of more than $58 million.[7]

          The growing view is the success of those enforcement measures will embolden EU regulators, leading them to look for more privacy violations and greater fines[8]. And for those thinking the above fines are some small potatoes, consider the Canadian Consumer Privacy Protection Act authorizes administrative monetary penalties and fines of up to 5% of global, annual revenue or C$25 million, whichever is higher, for violations[9]. For an Alphabet or Facebook that would equate to $4.2-$9.1 billion based on reported 2020 revenue.

          If you’re thinking fines of that magnitude have put the scare in companies, you wouldn’t be far off the mark. Earlier this year, the Enterprise Strategy Group asked companies and technology professionals what concerns them the most about noncompliance with government privacy regulations. These were the responses:

          • 17% – legal action;
          • 16% – the cost of recovery;
          • 15% – fines and penalties;
          • 13% – decreased productivity and other internal problems;
          • 13% – impact on public perception and reputation;
          • 12% – loss of business revenue and sales.[10]


          Amplifying those concerns further is a new, more aggressive iteration of CCPA, the California Privacy Rights Act (CPRA) that will go into effect in 2023. CPRA, also known as Proposition 24 permits consumers to:

          • prevent businesses from sharing personal information;
          • correct inaccurate personal information; and
          • limit businesses’ use of “sensitive personal information”—including precise geolocation; race; ethnicity; religion; genetic data; private communications; sexual orientation; and specified health information.[11]


          Under the CPRA, regulators can fine businesses up to $7,500 per violation but where the CCPA contains a provision allowing businesses to correct violations before the California attorney general would issue a fine, the CPRA eliminates the grace period.[12] And yes, a growing number of states are inking consumer privacy acts into law as well, with more recent ones including Colorado, Maine, Nevada, and Virginia.[13]

          This is true outside of the U.S. as well. According to the U.K. Department of Culture, Media, and Sport (DCMS), 96% of businesses in the U.K. now have “some form of digital exposure,”[14] offering more opportunities than ever for cybercriminals to breach digital defenses. Keep in mind the U.K.’s National Health Services (NHS) is a frequent target of phishing and ransomware attacks. The why behind that is tied to re-sale value. Findings from Capsule reveal cybercriminals can sell stolen medical records for as much as $1,000 each, while credit card numbers alone sell for as little as $5 and social security numbers for only $1 each.[15]

          Why the disparity?

          Unlike a credit card which can be canceled, medical records cannot and they are a proverbial treasure trove of personal information, including the patient’s medical history, demographics, health insurance, and contact information. As Capsule points out, this “data can then be used to support numerous other illegal activities, such as obtaining prescription medications, filing bogus medical claims, or stealing the patient’s identity to open credit cards and fraudulent loans.”[16]

          In Singapore, years of compromised data including 1.5 million health care records (25% of the population) in 2018 have prompted the Singaporean government to finally make data breach reporting mandatory in 2021[17]. Mandatory data breach notification rules are fast gaining popularity across Asia-Pacific. Eight jurisdictions (Singapore, mainland China, Indonesia, the Philippines, South Korea, Taiwan, Australia, and New Zealand) now have some form of breach notification rules, and this will become nine when Thailand begins enforcement of its new Personal Data Protection Act later this year.[18]

          As we tend to say, pain points make for great investment opportunities, and in the case of privacy and privacy regulation compliance that thought process holds. These concerns over privacy regulation violations are expected to propel the data privacy software market to $17.75 billion by 2028, up from $1.12 billion in 2020, according to Fortune Business Insights[19]. Examples of companies that provide tools to process consumer data per each country’s rules and regulations include IBM (IBM) and several privately held companies including SureCloud, RSA Security, Ovaledge, and OneTrust. Other solutions, such as access management are provided by the likes of Ping Identity (PING), OneSpan (OSPN), and (OKTA). Others, such as Norton LifeLock (NLOK) acquiring businesses to expand their product offering. In the case of Norton, it is acquiring Avast, a move that will bring Avast’s secure VPN and smart home security and privacy solutions under its umbrella.

          As the data privacy software market grows, investors will likely see more than a few of these private companies file to become public ones. We say this knowing that earlier this year, Crunchbase listed more than 200 privacy startup companies that in aggregate raised more than $3.1 billion over hundreds of individual rounds of funding.[20] If history holds, and we have no reason to think it won’t, those investors will look to monetize those investments either through initial public offerings or M&A activity. Either way, we suspect investors will be hearing much more about data privacy software in the years to come.


          This Featured Article has been produced by Tematica Research LLC. Rize ETF Ltd make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability or suitability of the information contained in this article.


          Related ETF

          CYBR: Rize Cybersecurity and Data Privacy UCITS ETF



          [1] “Snap Inc. Q3 2021 Prepared Remarks” available at

          [2] “Tim Cook goes after Facebook in data privacy speech” available at

          [3] “Internet of Things (IoT) Market Forecast” available at

          [4] “Fines & Penalties for Non-Compliance with the CCPA” available at

          [5] “10 CCPA enforcement cases from the law’s first year” available at

          [6] “GDPR Fines Exceed $1.1B in Q3” available at

          [7] “Infrastructure Bill Delayed, Facebook’s Whistleblower Unveils, GDPR Fines Rise” available at

          [8] IBID

          [9] “Federal privacy reform in Canada: The Consumer Privacy Protection Act” available at

          [10] “10 CCPA enforcement cases from the law’s first year” available at

          [11] “California Privacy Rights Act (Proposition 24): A Summary of Key Changes” available at

          [12] IBID

          [13] “US State Privacy Legislation Tracker” available at

          [14] “Cyber Security Breaches Survey 2021” available at

          [15] “Stolen Patient Records a Hot Commodity on the Dark Web” available at

          [16] IBID

          [17] “Healtcare data breach in Singapore affected 1.5m patients, targeted the prime minister”  Available at

          [18] “Singapore introduces mandatory data breach notification requirements” available at

          [19] “Data Privacy Software Market to Hit USD 17.75 Billion by 2028” available at

          [20] “Privacy Startups” available at

          Related Posts

          You are leaving

          By clicking below you acknowledge that you are navigating away from europe.ark-funds and will be connected to ARK Investment Management LLC manages both web domains. Please take note of ARK’s privacy policy, terms of use, and disclosures that may vary between sites.

          Cancel Proceed