Compliance as a Service. Ethyca: “End-to-End user data privacy: Ethyca is Privacy Infrastructure for developer teams to automate compliance with and management of User Data Privacy”

SaaS API Privacy Tech Developer Tools
Jun 30, 2019


👍I find the approach of Ethyca extremely interesting as it wants to solve the privacy compliance problem at the code level (unlike the majority of other products in the same category, which are more pure “front-end” products). Basically, Ethyca acts as a layer that you install on top of your data infrastructure (like middleware), and which helps you deal with the major privacy regulation requirements through its API.

Let’s take a concrete example to illustrate how it works:

  1. You set up Ethyca

  2. A user sends you a “Subject Access Request” (or DSR, Data Subject Request) because they want to see all the data related to them that your service stores.

  3. You simply make an API call to Ethyca with the user ID (see pic below) and it will automatically retrieve the corresponding personal data that you hold about this user.


And you can perform a bunch of similar actions (right to be forgotten, user deletion, data mapping) simply by making API calls.

👍An aspect that I like about this approach (compliance integrated at the code level) is that once you have Ethyca installed, you potentially have nothing extra to do to comply with other regulations (GDPR, CCPA…), since the middleware will be in charge of it.


👎Obviously, the major drawback to this “deeply integrated” approach is that only developers can set up the tool, which takes time and resources. The key for Ethyca will be to remove as much setup friction as possible. In a way, it reminds me of the beginning of tools like Intercom, which were made for marketers who couldn't install them themselves and needed to convince developers first. Convincing developers was key.



👍I’m personally bullish on the B2B privacy tech market.

Market segmentation:

When it comes to this market, it’s very important to distinguish SMB from enterprise customers:

  • SMBs: generally have no/low budget dedicated to privacy compliance. It’s often done DIY style: an internal employee, who is not a privacy specialist, is assigned to work on the most important aspects such as cookie and consent management, sometimes with the help of external services such as attorneys or specialized agencies. For instance, the vast majority of SMBs are still not GDPR compliant.

  • Enterprises: they deal with more complexity when it comes to privacy implementation and face more risk (big fines). As a consequence, they are much more educated about this problem, have specialized staff in the Legal & Compliance department working on it, and a significant budget to implement and maintain compliance.


Customer budget:

  • According to several studies, the budget dedicated to implementing GDPR regulation (for the enterprise segment) is on average $3M. It’s only an average; this budget varies a lot depending on the size of the company and its industry (ex: banks versus manufacturers). This figure includes everything from labor costs (hiring, training, salaries…) to software spending and external services (attorneys etc.).


  • When it comes to SMBs, the budget varies greatly depending on the size and industry of the business and ranges from zero dollars to a couple of tens of thousands of dollars.


Market sizing:

  • According to Fortune, “the total amount spent by US companies with more than 500 employees (there are 19 000 of them) on GDPR compliance reached $150B.”

  • Ernst & Young reported that the world’s 500 biggest corporations are on track to spend a combined total of $7.8 billion to comply with GDPR.

  • You get it: the overall market is big if you take into account all customer segments plus the different regulations.


Budget cycle:

  • It’s important to note that the budgets shared above are initial investments. Once privacy compliance programs are launched, companies spend a lower budget on ongoing “maintenance” over time (but it is recurring spending).


Regulation trend:

  • The trend is clear: four of the world’s 10 largest economies (Europe, California, India and Brazil) have rolled out new data protection laws in the past year. So there’s no doubt that others will follow.