This Week in Startups - E1127: Data privacy deep dive with Transcend CEO Ben Brook; tracking pixels, GDPR, privacy as a selling point & more | Rising Stars of SaaS 2
Episode Date: October 22, 2020Check out Transcend: https://transcend.io FOLLOW Ben: https://twitter.com/bencmbrook FOLLOW Jason: https://linktr.ee/calacanis ...
Transcript
Rising Stars of SaaS is brought to you by
Pipe.
SaaS companies, this is for you.
Pipe helps you unlock your recurring revenue as upfront capital.
No debt, no loans, no dilution.
Sign up in minutes and start trading on Pipe free for 12 months at pipe.com slash twist.
Odoo is a fully customizable and fully integrated suite of software that
lets you build and scale your stack as you build and scale your business. Your first app is free
forever and right now Odoo is offering $1,000 off your first implementation pack at Odoo.com
slash twist. That's O-D-O-O dot com slash twist. And Outgrow. With Outgrow, any marketer can build
calculators, assessments, chatbots, and recommendation tools to
double your conversion rates.
Go to Outgrow.com slash
Twist for a 30-day free
trial and a $250
credit. That's Outgrow.
com slash twist.
Hey, everybody, welcome to another episode of this week
in startups. We're doing our rising
stars of SaaS, Software as a Service.
You know that
category that every venture capitalist wants to invest
in and a lot of founders are attracted to
because you get to sell to businesses and businesses
tend to like to pay money for software and services.
So it's a very cool business.
And when it's a subscription,
software as a service,
not subscription,
but when you're doing a subscription,
wait,
wait, SaaS stands for software as a service, right?
As a service.
Yeah.
I was just thinking if people were,
I heard somebody say software as a subscription.
And I was like, no, that's not the right word for SaaS.
It's software as a subscription.
So we're doing our top 10,
rising stars in the space.
And we did this through a combination of looking at the funding raised and who was
investing in companies, who their customers were.
And today's subject, Ben Brook from Transcend, has, his company, Transcend, has a lot of
great customers.
And that's what we're looking for in the series so that we can break down exactly what
it takes to build these companies.
And we'll, of course, delve into what they do.
So we're going to talk about building SaaS companies.
and also, obviously, in this case, the subject, Ben, is privacy and data privacy specifically.
What does Transcend do and why did you start it?
Sure.
So Transcend starts.
So Transcend makes it simple for any company to give their users data rights.
So data rights is this sort of new concept that's coming into the world.
It largely started with GDPR, which is a modern privacy regulation in Europe.
And that's now going to other regions like California with the CCPA coming into effect
to Brazil with LGPD and to many other countries around the world.
And in these laws, consumers are getting the right to actually access all of their personal
data, to erase all of their personal data, as well as opt out from a variety of different
forms of processing personal data.
So users are getting choices over how companies process your data.
And these are a new set of rights that are coming in.
And effectively, companies have to comply with these requests on a very short timeline.
So this is usually within 30 to 45 days.
They have to respond to the user saying that they have successfully erased all data within their business about that user.
Now, the problem is companies have been basically spewing data into dozens, if not hundreds, of different data systems for decades.
And your personal data is scattered across orgs.
And so what Transcend builds is data privacy infrastructure.
And you can kind of think of that as a layer that sits over top of all types of data
systems, whether that's a database, a warehouse, a SaaS tool like Salesforce or Zendesk
or Google Analytics, and actually manages all the personal data inside that.
So when a user does request to erase their data, we can receive that on behalf of our customer
and precision strike that person's data across all different systems.
So that's the data privacy infrastructure.
And then we also make that entirely self-serve for the end user.
So we offer our customers something that we call the Privacy Center.
And this is basically a website that lives at privacy.[our customer name].com.
And that's where users can go to understand in simple terms
what the heck this company is doing with your data
without having to read a full privacy policy.
And then actually offers a control panel
where users can exercise these choices
in an entirely self-served way.
So this would be at your website
or as a white label at Robinhood,
I know is one of your customers
and obviously I'm an investor in that company.
So if I went to privacy.robinhood.com, I would see this?
Yeah, so if you went to privacy.patreon.com, for example, you would see this.
Not all customers use the privacy center.
So that part is optional.
The data privacy infrastructure can be interacted with
through the privacy center or just through an API.
Got it.
So if you go to privacy.patreon.com, which I just clicked on, as you said it,
you will see what data Patreon is keeping on me, and I can take control of that.
So instead of them having to build this,
you built this for them, basically.
And they just put their data hooks into it.
And how long does it take a company like Patreon
to set up this privacy data center?
So it shouldn't take more than an afternoon.
Oh, really?
Yeah, it's really quick.
So the privacy center basically comes out of the box.
They customize it to match their brand and they can override any of the text,
but the defaults are all good.
And so you can really set that up within minutes.
The part that takes the rest of the afternoon
is hooking up data systems.
So if they have, for example, an analytics tool
or a database or maybe a support system like Zendesk,
we're going to connect into those
because we build first class integrations
with each of those systems.
And we partner with those other SaaS companies who process personal data to make sure that we can hook into them and serve customers like Patreon together.
Now, the GDPR, which is the General Data Protection Regulation that the EU, the European Union, decided to do as a group, was the most intense privacy regulation to date.
it got implemented in 2018, I believe, because I remember all these websites basically were so far behind in doing this that they just blocked off access to European countries.
And they just said the New York Post is not available in Europe.
I know because I use a VPN.
And sometimes I have a European address.
And it was incredible to see that.
People were just like, we give up.
We're not even going to try to serve yourself.
We don't want to get fined.
Has everybody caught up in dealing with that here in the United States, in terms of catching up with that regulation?
And then what is the gist of what the GDPR does versus, and I know this is a big question,
the CCPA, which was California's Consumer Privacy Act, which it passed in, I guess,
2018, I'm not sure what the state of that is in terms of when did you have to start
complying to it.
So explain to us those two big swaths of regulation in a nutshell.
Sure.
So to start, the first question was, have companies caught up to GDPR?
The simple answer is not yet.
A lot of companies are still working with fairly temporary solutions that throw a lot of
manual work toward the processing that goes in place.
So something that we see a lot, and something that is actually new with GDPR, is that there are all these sort of day-to-day recurring action
items that just come in because users are now exercising choices.
Historically, privacy laws have been like be transparent, have a privacy policy,
tell people what you're doing, right?
That's not something that goes into your day-to-day business processes,
but now that users have rights and choices, it means there's just a continuous stream
of preferences coming in, typically today via email.
And so what happens is in that privacy policy, you can pretty much go to any website and
find this.
Scroll down and you'll find something that says your rights and choices.
And it will say, if you would like to exercise your data rights, email us at privacy@[company name].com.
And so you basically have to write in a letter saying, I want to delete my data, I want
to see my data, I want to opt out of this.
That seems completely insane and inefficient.
You're absolutely right. And it's bad UX, and it also translates to really rough internal processes. So there's actually a legal person sitting on the other end of that email address, right? And they're receiving these emails and they have to basically scramble around the organization, shoulder tapping people to log into their respective systems and operate on this user's data.
Wow. That's crazy.
Yeah. And so it takes forever. And more often than not, as you can imagine, it's not really complete. So it takes a lot of manual labor to get one request done. But you can imagine what happens when you have dozens, hundreds, thousands of these coming in.
Yeah. I mean, you just... And so when we get back from this quick break, I want to know what's at stake for startups if they were to miss that email or forget it and not delete a person's data. What happens? And has anybody started getting fined
by the European Union over GDPR? When we get back on This Week in Startups.
SaaS companies with reoccurring revenue used to have two ways to grow.
You could get equity from an investor like myself.
Or you could get debt from a bank and get a loan.
Well, now there's a brand new third way to grow without debt or dilution.
And that's pipe.
It's a two-sided marketplace that connects a SaaS company, software as a service,
you know, subscription software company.
And they basically take your monthly, quarterly,
reoccurring revenues and they have institutional investors who want to bid to purchase those revenues
for their annual value up front. So let's say you're getting paid monthly. Somebody will buy the year
from you, give you that money up front, and then you pay it back. Pipe is a smarter way to grow your
business. It's the most founder-friendly way to finance your growth and it's not even close. With Pipe,
there's no debt, no loans, and no dilution. Pipe is also frictionless and completely transparent.
It only takes a couple of minutes to sign up, and you'll have this cash in your bank for all those yearly contracts within 24 hours.
So you're charging monthly, maybe quarterly.
They take the value for a year.
They put it in their marketplace, and financial investors will buy that from you.
And you'll find out what that revenue's worth.
So Pipe is so confident you'll love trading your SaaS subscriptions that if you sign up by the end of October,
they'll eliminate your trading fees for one full year.
Wow, a full year.
This could save you tens of thousands of dollars
depending on the size of your business and the volume you trade.
So happy piping everybody.
Sign up today at pipe.com slash twist to get that first year free.
So once again, pipe.com slash twist.
Okay, let's get back to this amazing episode.
Hey, it's the Rising Stars of SaaS here on This Week in Startups. Ben Brook from Transcend
is our guest today.
It's our second Rising Stars of SaaS.
Rapid Deploy was on the first episode. They were helping people decrease 911 call response time. Very cool SaaS company. And today we're talking with Ben from transcend.io. You can go check it out. So with people in GDPR and businesses, has the EU started giving fines, and how hardcore are they about this?
It's a great question. So they are starting to issue fines. So the pace of regulation and enforcement is
pretty slow in general. I mean, this isn't something that's a new concept; everyone knows
government moves quite slow, right? What GDPR actually did was it also started standing up
data protection authorities, which are effectively like the privacy cops, in a way, right? And so these are
bodies of government that have to be stood up.
And then they can start prosecuting.
They can start charging companies.
They can start going through trials.
And this actually takes years to get the first fines out.
But we are starting to see them now.
And that's actually kind of light speed for a new regulation being enforced.
We're still seeing trials held for things like Cambridge Analytica, which were years ago, right?
So to see the first fines come out has shown that they're actually moving very quickly.
They're also staffing these data protection authorities very quickly.
These are government jobs.
They're not deputizing third-party companies to do this.
They're literally creating a police force.
Do you know the scale of it?
Are we talking about a dozen people or hundreds of GDPR officers out there?
So each country is different.
Each country within the European Union will have their own data protection authority.
Some of these will be hundreds or thousands of people.
Wow.
Yeah.
And then how, and are they each looking at American companies as targets?
Because we've seen the American companies are the biggest.
We have a different privacy regulation here.
So are they, you know, is this going to be a cottage industry for generating revenue for a company
where Italy or Spain or Greece or some country that is, you know, got to balance their
budget is going to look at American companies and say, oh, we should just fine the heck out of them
and try to find mistakes?
What's the, I know that's a little cynical, but I have seen these fines act that way.
We all know how speeding tickets work when you have to balance the budget in a particular,
you know, town or county.
Yeah.
So GDPR applies to any company that is operating in Europe or is serving Europeans.
So if there's a European whose data is sitting over in a Silicon Valley company, that company has to comply with GDPR.
So data protection authorities are absolutely going over after American companies, but they
are also going after European companies.
We see penalties across the board here.
So it's mixed, but American companies are absolutely in scope here.
And do American companies have to record the origin of where a citizen was coming from? Or if I wanted to, you know, run my own version of Reddit, let's say,
and I didn't want to keep IP addresses. So I created like Reddit or Hacker News, my own little
news forum, message board, let's say a message board. I started a message board, but I said, you know,
I'm not tracking IP addresses and you can't use it if you're from the European Union. You can
only use it if you're in America, but I'm not tracking IPs. Then can the GDPR cops come after me
if somebody says, I'm going to just sign up anyway?
Yeah, technically.
So if you have personal data of a European citizen,
it doesn't matter whether you tried to prevent them from using your platform.
Frankly, it's still in scope.
And a lot of companies may do this, do what you just mentioned,
and decide that the legal risk is worth it
because it's not at the scale at which they believe a DPA,
a data protection authority is going to pursue them.
So it doesn't completely absolve you of GDPR, but it may be a way for a small company to try to avoid that.
Because that has become the dialogue in America, which is, you know, I've heard people say,
your data is my liability, and I don't want to even store your data.
And that's the approach I've taken.
Even with this podcast, I told my team and everybody, I don't want any of these crazy analytics companies
cookie-ing the listeners to the podcast or figuring out who they are and then selling that data
to other people.
We're going to use no tracking or metric software.
I mean, we do have metrics like downloads and something like that.
But I don't want to start tagging my customers.
To me, it's just, I don't know, distasteful, I guess would be the word or whatever.
But the GDPR has started giving out fines.
I saw one.
I don't know if you're familiar with the case of H&M got hit with this giant fine.
But that wasn't for their users.
This was for their employees.
I guess they had kept their employees data
and their employees' data got hacked.
So a lot of this,
if you didn't take steps to lock up the data
or that you were recording it in general?
So data breaches under GDPR are in fact illegal.
And so it actually doesn't matter whether you were collecting it
or whether you tried to protect it.
it will still be in violation of the criminal code.
So,
so wait a second.
This GDPR fine was for 35 million euro,
something like 41 million USD at the time of this article I'm reading.
If you get hacked by somebody,
you're responsible for being broken into whether that was the most sophisticated hacker
in the world or not.
you're still responsible.
That's correct, yeah.
And I will say that...
Not the person who broke in.
I mean, they're also responsible.
I guess at a criminal basis,
but is this not crazy that if you took reasonable precautions
and you had your servers updated
and some hackers very sophisticated
and they figure out how to break into your system
that you're now responsible?
I mean, what if an employee gave the passwords
that they had and they weren't supposed to do that now?
could the GDPR then still fine you?
Well, I think it's good that there are financial incentives in place to protect data.
And so at the end of the day, it is about the result of your security practice.
And the courts can actually decide whether to be lenient because, you know, maybe H&M did everything within their power or to a reasonable degree to protect data.
And frankly, 35 million on GDPR scales actually isn't that high.
So under a data breach, the European Union could have actually fined H&M for 2% of their global
revenue.
If H&M were failing to respond to data rights requests, so this is like access erasure and
things like that, that can go up to 4% of their global revenue.
Wow.
So they're looking at this, I guess.
like the way, I guess they were doing speeding tickets in Norway or whatever.
Like, we're not just giving you a fine in a vacuum.
They were giving speeding tickets.
I think it was Norway or Sweden.
We're giving fines based upon your income.
So it was a percentage of your income.
So if you were like a famous NHL player famously, they got a speeding ticket.
It wound up costing about $100,000.
Like the speeding ticket was the price of the car in that case.
So they're really going after you for a percentage of,
your revenue for the year.
Do you know what the largest fines have been to date?
And do they feel fine?
And British Airways facing a $230 million GDPR fine.
Wow.
Yeah, that was one of the big ones.
Yeah.
I'm not sure what the current record is,
but I do expect they will continue going up.
As I said, the regulators are effectively only getting started
and they're internally spinning up their own organization. There also hasn't been a very large window to see these big breaches. So,
for example, Facebook and Cambridge Analytica are very lucky that that came out in 2017
before the GDPR came into effect, because that would have been one of the cases where it would
have gotten closer to the maximum penalty. Four percent of revenue or four percent of the value
of the enterprise? Is that what you said? Four percent of the...
4% of global revenue.
Wow.
So it doesn't even impact that that seems,
that they even have the authority to do that to tax your global revenue?
I would think it would be 4% of the revenue in Italy or whatever.
It makes sense that occurred in Italy.
But that's not a little overreaching?
Well, that's something that will be determined in court because
whoever gets that penalty first is going to fight that in court.
and then there will be jurisprudence set on whether that actually is something that the European Union has authority over.
All right.
When we get back from this quick break,
I want to know if it's even worth it for American companies to operate in Europe,
given this type of framework,
or if people are considering like they did early on,
which was just saying we're not making that much money in Europe anyway,
we just block those IP addresses when we get back on this week in startups.
One of the toughest parts of building a company is choosing,
which tools and providers to use. You want to pick the best solution for each and every department
to help your employees succeed because they all deserve the best and you want to make their
lives easy. But there are so many functions in a startup and each space has endless vendor sales
tools, email marketing, accounting, HR and payroll, project management, customer support,
point of sale, e-commerce, it goes on and on and on. Eventually, you end up with a
Frankenstack of tools that cost a lot and don't integrate properly with each other.
While Odo is here to change that, Odo is a fully customizable and fully integrated suite of
software that lets you build and scale your stack as you build and scale your startup.
It's that simple.
It's simple and modular, so you use what you need and all their apps integrate perfectly
with each other.
Plus, it's open source.
So you can spend your freshly raised capital on talent instead of expensive software.
So here is the CTA, the old call to action. Your first app is free forever. And right now,
Odoo is offering you $1,000 in credits on your first implementation pack. Think about that.
$1,000. It's one of the best offers in the history of the show. So I want you to go to Odoo.com
slash twist. That's O-D-O-O dot com slash twist. Go ahead and do it now, sign up, get that $1,000
credit before it goes away because these things don't always last.
And thank you to Odoo for supporting
this week in startups.
Let's get back to this amazing episode.
Welcome back to this week in startups
Our guest today, Ben Brook, from Transcend.
You can go check them out at transcend.io.
They build tools to help companies be compliant.
Did I get it right?
So if you're a company,
you can either spend 10,000 hours
doing this with your internal developer team
or you can just buy your software.
That's right.
I would also say that we go a little bit
beyond that and help companies, from a more first-principles place, find a way to really build trust
with users and actually respect their privacy choices without putting them through kind of a maze
to exercise their choices.
So some companies may still have that maze up front.
We try to get rid of that because we've actually automated the processes to such a point
where it has no incremental work for the company to fulfill a new request.
What should companies, I'm going to put aside should you operate in Europe or not,
based on this. I think people will make that own decision on that.
But I think a more interesting thing is what is the right balance of what should be
stored by a SaaS company or a consumer company.
Obviously, these are two different things.
And we're doing our Rising Stars of SaaS right now.
Thanks for being the second guest on the series.
but they're obviously different.
So if I was starting my own clubhouse or space or Twitter today
versus I was starting my own Slack or, you know, Asana,
what is the right amount of data to store in order to enable me to do,
you know, to have a rich product offering versus it's just you're keeping too much stuff?
Yeah.
So the reality is it really depends on the use case.
And there's kind of two like simple principles that you can follow.
One is just start from a place of respect for your end users.
Like at every step, ask if you're serving your customers best and if they knew about these processes, would they object to it?
And so have you baked in a good default, right?
Is that something that users expect of your platform?
And then furthermore, use data minimization.
So are you collecting data because you think it might be useful later,
but you don't have a use case right now?
You probably don't need that data.
Are you collecting data to perform the service?
Then, yeah, I mean, so it depends on the company, right?
So some companies may require audio recordings because we're hosting podcasts or something.
But that shouldn't apply to, you know,
your weather app.
The weather app may need geolocation,
but the podcast app probably doesn't.
And so there's a lot of context that you bake in,
but by starting from those principles,
I think you can kind of navigate that territory for yourself.
And companies like Facebook,
who's the biggest offender of everybody,
they just basically took the philosophy of,
let's store everything in case we need it at some point.
It's all signal.
It'll all make the ad network better.
Where does that philosophy stand
you know, in 2020, that philosophy of just store it all, throw it into the machine learning,
and let's learn, because that is Zuckerberg's approach. And I mean, he's part of the reason
this GDPR and all this stuff actually happened, correct? Yeah. I mean, I would argue any platform
with that much data and that much, that many eyeballs has a long way to go. And I think
they've inspired a lot of the legislation. That's incredibly diplomatic. So the translation,
to that for me would be
they've made horrible decisions
to store everything
and they've been reckless with
how to keep it private.
I mean,
that's call it what it is, right?
I mean,
this stuff would not have gone down
this severely if there wasn't
the bad actor of Facebook there.
So your best practices,
unless you have the need for it today,
don't store it.
And if you would be ashamed
or embarrassed
if your users found out you were storing this, don't do it.
Yeah.
Okay.
It seems completely fair and logical.
Just not something that Zuckerberg or some competitors you might be up against would do.
And it's surprising how many companies have very similar tracking technologies, often through SaaS, right?
So you don't have to have 100,000 or 10,000 engineers to build surveillance infrastructure.
pretty much every website, news website,
will be sharing your visit
with hundreds of other companies, right?
If not thousands.
Through cookies.
Through cookies and other tracking technologies.
Yeah.
Cookies, cookies are one of them.
What are the other tracking technologies
people are doing there?
Fingerprinting your browser
to kind of know it's you?
Is that the big one?
That's another one.
Explain what that is to people,
because I don't think they understand
the fingerprinting of a computer.
Sure. So when you visit a website, there is a pretty easy way of finding out some characteristics of your browser.
For example, are you using Firefox?
What's the dimension of your browser window right now? What language are you using?
There's a series of things that websites can access for perfectly good purposes.
But then what they do is they actually structure that to assign a probability that you are a given person.
So because your browser is probably the full width of your screen, that's a piece of information that can help identify you.
And so by amalgamating that information, you can actually fingerprint individuals.
So even if I have an ad blocker on, you still know the width of my browser.
You still know my operating system.
I logged in one time from that sort of footprint.
and it's kind of like maybe you didn't get the picture of my face on the surveillance camera,
but you saw my sneakers,
you know my gait,
you know my body type,
my height,
my weight.
You kind of got an idea that that's me and you could serve me ads.
And then there's, of course,
your IP address,
which for your household doesn't change.
And so if somebody in the house is looking at a certain,
you know,
I don't know,
iPhone case,
you're going to see it come up and retargeting all the time
It's kind of a charming narrow kind of scope there.
What can users do to protect themselves?
What is the state of the art there?
Because it does seem to me that a conscientious individual could remove a large portion of tracking from their life.
Am I right or wrong?
Unfortunately, I don't think it's possible today.
I think there are so many different methods of tracking that it,
putting the burden on the consumer to find all of those methods that are becoming increasingly
covert, it's just not feasible.
Kind of like the current default today is like there are 50,000 hidden cameras and wiretaps
in your house, and it's on you to find them and disable them.
And like, that's not a good default right now.
And so it's very hard as a consumer.
And this is why regulators are stepping in and saying,
we need to change the playing field a little bit
where we change these defaults.
And we give these users a very clear way
of understanding where all those trackers are
and have an easy way to push the off button.
So if I had a VPN and I put my IP address
in another state, another country,
and I have Ad Blocker Plus or whatever on my browser.
I'm using, I think the Brave browser has that built in,
and I'm using DuckDuckGo, and I pay for it, my email from ProtonMail.
How safe would that person be using a VPN, an ad blocker, or the Brave browser, and not using Gmail as an example?
How much more private would I be?
You would be more private.
So you would be able to slice away a lot of technologies by doing that.
you may be able to get rid of common third-party cookies.
You may be able to get rid of tracking pixels in your email.
But at the end of the day, there are signals which can easily fingerprint you.
And so you can try really hard as a consumer, but you will never get through everything.
And because there's no, there's very, very few laws around this.
at least in America,
those will continue to exist.
So fingerprinting is one example,
but when I say there are many others,
I mean, there are like thousands of many other ways.
What are some of the others?
I'm curious.
Sure.
So just in terms of like protocols and technologies,
there are web beacons.
There are...
What's a web beacon?
It's a browser technology.
There are so many ways.
So, like, a pixel tracker is like a sort of one-by-one GIF that sits in an email or on a website.
And when it gets loaded, it pings a URL to say, hey, this user just click this unique pixel.
Yeah, that's when you're using an email client.
It says the other person's opened the email or they opened it.
If you're using something like outreach or something, they've opened it 17 times,
which means they forward it to some internal list or whatever.
So you can track the number of times it's open.
So there really is no way in your mind for a good consumer to take control of this, really?
Yeah, really.
Really right now, there are things that you can do to limit it, but you can't get rid of it.
What's the best browser to stop people from tracking me?
Does the brave browser or one of these browsers?
Does that actually stop fingerprinting?
It'd be cool if there was an anti-fingerprinting technology available for browsers.
You can only mitigate.
So I'll give you a more complex example of fingerprinting.
So Apple has the Apple Watch, and there are applications that exist on there which
have the ability to use the Motion API. Perfectly good reasons to do that.
Like if you're building a swimming app or a running app, you want to know your shirt.
Every person's gait, the way they walk, has a uniquely identifiable fingerprint of that person.
And so there are advertisers that create basically machine learning models that look at that API
and they're able to say, okay, this is a unique person.
So every time we see this gait, this way they walk, we know that this is Jason.
Oh, boy, that is dark.
All right.
When we get back from this quick, no, no, it's totally terrifying and awesome.
When we get back from this quick break, I want to know what you think of Apple's recent jihad against Facebook and Google and, you know, their desire to protect privacy on the hardware level
and on the operating system level. And if that will give people a reprieve or not,
when we get back on This Week in Startups.
What do Adobe, Salesforce and Marketo all have in common? Well, they're obviously the heavyweights in marketing in the technology space.
So what else do you need to know? They all use Outgrow.com to boost
their marketing and lead generation.
With Outgrow, any marketer can build calculators, assessments, chatbots, and recommendation
tools to double their conversion rates.
And you need these tools as well.
They have ready to use templates, powerful integrations, analytics, and segmentation options
that are built for the modern marketer.
When you think Outgrow, you should think growth.
It's really that simple.
So I want you to go to Outgrow.com slash Twist for a special 30-day free trial with no
credit card required and a $250 credit with their small business incentive package.
So go to outgrow.co slash twist and get that 30-day free trial and $250 in credits.
Thanks again to outgrow.com for supporting the show.
Welcome back to This Week in Startups.
We're having a terrorizing dystopian discussion about privacy and the lack of privacy people
have.
But there is now regulation, which is making it extremely costly and all this scary stuff we've been talking about and my misconception that consumers
could protect themselves to a certain extent. I still believe they can sort of protect themselves,
but I'm kind of getting education here that it's in your mind a never-ending battle. And that's
probably correct. So, Ben, tell me, what about Apple now doing interesting things like I noticed
when I was logging into a bunch of apps, they said, hey, you want to log in with your iTunes
credential, which is Jason at Calacanis, and do you want to use an email relay so they don't actually
get your email, which is sort of like the Craigslist email relay, I think, where I guess they're
going to give that person a unique forwarding email. This seems like they're really going over the top.
And then I noticed they fixed the camera roll thing where I guess people were taking your camera
roll. You give them access to your camera. They would have access to all your photos. Now they're saying,
only give this app access to the photos that I specifically explicitly give them, not give them
access to it. And then I think the clipboard was another issue. TikTok had access to people's
clipboard. So if you were using a password manager and you clipped your password, now the Chinese
government has your password for whatever app that was and people don't change their passwords.
And okay, now they're in your Gmail, your bank account, create terrorizing stuff. What do you think of
Apple's performance here.
Can Apple save consumers' privacy or not?
I think they can do a lot as a hardware platform.
So locking down APIs is something that we're seeing across most major platforms.
And there's good reason for it because we do find that there are companies that find
ways to sort of abuse those APIs, which may otherwise be used for perfectly good reasons.
So, you know, the geolocation API, it does make sense that an app should ask you before getting your geolocation.
So you may not want to disclose geolocation to, you know, a newspaper app or something, right?
Or Facebook.
Like, why should I be giving Facebook my location?
Right.
Yeah.
And so Apple is pursuing that and making sure that they aren't leaking more data than they need to.
And if you look at Cambridge Analytica, this is the exact same thing.
So Cambridge Analytica was using Facebook APIs that were more permissive than maybe they should have been.
And they were able to find a way to exfiltrate data on about 70 million Americans and build psychological profiles from that.
So yeah, it makes sense what Apple is doing.
And they've also taken this charge on privacy in general.
So I think they've really woken up to the fact that consumers are,
having this growing distrust of Silicon Valley
and that they are starting to value companies
who go out of their way to protect their privacy
and start turning this narrative around.
So, yeah, I applaud Apple for what they're doing.
And that is a viable way to do it.
They took out the MAC address, right?
You used to be able to know the MAC address,
I think is what it's called, of the iPhone.
So you would actually be able to know
the hardware basis, whose phone that was.
I mean, talk about fingerprinting.
You knew the actual hardware.
But when you were undergrad at Harvard, you reached out to 21 companies to try to get your data.
Explain that little experience that you did.
And why did you choose to do that?
Yeah.
So my co-founder and I were classmates.
And we would spend a lot of late nights together, just hacking on personal projects.
One of them that we decided to do was basically study ourselves.
So let's do data science and let's figure out how things like our sleep patterns
correlate with our productivity during the day.
And the first step of that is let's go get our behavioral data, right?
And so we knew these apps on our phones, on our laptops.
They had all this behavioral data.
And really, this data kind of paints the picture of our lives.
It's kind of our life story.
And so we went to these companies and we asked, you know, can we get a copy of this information?
When was this?
Five years ago, 10 years ago?
Five years.
Four and a half, yeah.
And immediately we hit a brick wall.
No company was willing to give us access to any of that information.
And we didn't think that made any sense. Surely as a consumer I should be able to know the information.
Did Twitter have the download feature?
You could download.
I guess you'd download all your tweets, but you wouldn't know the data they had on you,
like IP addresses you'd use or whatever.
Yeah.
So a lot of companies started building some export features.
It's kind of like a layer one export.
Under new laws like CCPA, under GDPR,
and under upcoming federal privacy regulation,
and it's like everything.
You have to go all the way down
into the full stack.
And so that's a pretty big change there.
When you look at the backing up of data,
I always thought this was interesting
because I tried to close my Facebook account
at one point.
It was like really hard to do.
They make it just insufferably hard
to get your data off of there.
But I'm curious,
if I would successfully get my data
from Facebook and ask them, I don't want you to have any data on me.
All my data I want it wiped.
Don't they have backups over time of the entire system?
So in cold storage or maybe on tape somewhere, I know it sounds crazy.
So what happens to that data?
If I ask them to wipe my stuff with GDPR and they've got a backup tape somewhere in a server
room or somebody made a mirror of that data, whatever, how does backup policies, I know this is
wonky play into this because then couldn't they restore my entire profile down the road?
Yeah, it's a great question.
And this is something that gets covered a lot in GDPR and CCPA.
What we see is either the company stops backing up personal data.
That's the rare scenario.
The more common scenario is they keep a list of who not to restore.
So they technically have it.
But they have a do not restore list.
Yeah.
And that's about the best that most companies can do.
And it's a hard problem, right?
I can't blame them for having that.
You have to go restore the tape, delete it, and back it up again.
It's like almost impossible, right?
Yeah.
So it's fairly common practice to see that.
Whether the law permits it is another question.
But I think most companies have decided that that is something that is,
kind of crosses the threshold of, like, risk versus reasonable.
What are these virtual assistants, whether it's Alexa or Siri?
What kind of data are they storing?
And are you personally concerned about that?
What would you tell your mom, your dad, your cousin, your brother in terms of should I have
these in my house?
Yeah, I mean, and I'm not an expert on this, but
I know they have audio recordings, right?
So they actually do take the audio recordings.
They don't transcribe it on the device.
So it goes to a server and it gets backed up.
So it is a little bit concerning.
You know, we have microphones in our houses now.
To some extent, we are putting our own wiretaps in.
I am not just, yeah.
I mean, I'm personally, I'm like everyone else in terms of like what consumers want.
I think these technologies are also great, right?
I have an Alexa in my house.
And so I'm not overly paranoid about, you know, having these microphones in the home.
But I do think it's important that these companies are making it very clear to consumers, right?
Like the fact that these recordings are safe, right?
I think that's something more consumers should know.
I think.
What do you charge for your service?
I'm curious.
And what point should a startup start using your product?
Yeah.
So I'll start with the former.
So sorry, with the latter.
So it depends on the region that the company is operating in.
So just to zoom out for a second, we've talked to a lot about GDPR today.
But these laws are going everywhere, right?
It's like every region in the world has a privacy law or has a privacy law being made, including the United States.
And so I think within two and a half years, we'll have something as strict or stricter than GDPR in America.
This is actively being drafted in Washington right now.
And everything that's in GDPR is basically already a given.
And it's about what else.
So this is coming no matter what.
And so actually, just to go back to that European question, should companies leave Europe,
they can only hide for so long.
So startups in California should check out CCPA,
see if it applies to them.
It doesn't apply to all startups.
So once you cross a certain threshold of users
or if you sell user data,
then you should start working to comply with these laws.
At Transcend, the companies that we typically serve
are larger mid-market companies, right?
So these are the Robinhoods, the Patreons, the Indiegogos, the HashiCorps.
And that's kind of our sweet spot, but it doesn't mean that startups shouldn't start
from a place of thinking about privacy by design.
And so how do you charge?
I'm curious.
Is it the footprint? Is somebody like a Robinhood level, you know, let's say millions
of accounts, tens of millions in revenue.
So put Robinhood out of that.
But just let's say somebody had, not Robinhood, but somebody had millions of accounts.
They did tens of millions in revenue.
Do you charge them based on the users, the revenue, the jurisdiction, and are you charging
them $10,000 a year or a million dollars a year?
What does it cost to use this software for that level of startup?
Yeah.
So we charge based on a base platform fee plus usage.
So the usage is when users exercise their rights.
Got it.
So if someone says download my data.
And then it also, the usage is also based on how many data systems there are.
So at Company X, there may be 100 data systems and 1,000 requests.
So 100,000 credits there.
And so it scales like that.
So typically we charge in, I don't want to disclose everything here,
but typically the pricing is like within $50,000 to half a million.
A year.
Yeah, it seems completely reasonable.
If you were to put two or three engineers on it, you'd be spending a lot more.
So, I mean, that's sort of how SaaS works best, right?
Is when the cost of doing it yourself is five times more or ten times more in terms of time and headache and cost than just finding a solution for it.
And a big part of what you're doing, too, is if I have data and I'm using something awesome like Zendesk or I'm using Salesforce,
I have copies of my user data, not just on my platform, but Patreon, if they were using Zendesk as an example, or Robinhood was using Zendesk or they were using Salesforce or a HubSpot, they might have that data in five locations.
So when they delete it on their servers, who's responsible for deleting that data off of a Zendesk, or those tickets off of a Robinhood, or a Salesforce rather, or a HubSpot?
Is that the responsibility of HubSpot or the responsibility of the company that was using HubSpot?
It's the responsibility of the company that was using HubSpot.
Got it.
HubSpot does have the obligation to the customer to provide a way to do that.
So if HubSpot has an API, if HubSpot has an API or some method that their customers can follow to run those erasures, then HubSpot is clear.
And that's what we do is we power that whole vendor relationship network, because to us, those are
just more data systems.
And so, you know, you said there may be five vendors.
Typically, this is like hundreds.
Like, it is incredible how many data systems there are in these businesses.
And when you look at just the dispersion of personal data, it really is like throwing
confetti into a ceiling fan.
It's just literally everywhere.
Yeah, I mean, if you had, if you were using like Twilio or Sendgrid, they probably have a whole
set of data they're storing where they might have the phone number and the number of times
you've called them or the emails, the number of times they've opened the email on their servers
in addition to yours. And that's the reason you guys exist. Yeah. That's right. Fascinating. Is there the
equivalent of ambulance chasers who are looking at this new regulation to specifically shake down
companies? I know there were people who were taking accessibility and they were going and
with ostensibly good intent saying,
hey, this doesn't work for somebody who's blind or who, you know, is deaf.
But they were basically going after people and just shaking them down.
These law firms were taking 30K a pop.
Every time they found somebody who was venture back,
they would just go down the venture list.
If you raised $5 million and your accessibility wasn't good,
they would just hit you with a $50,000 fine.
Or they would shake you down.
Basically they threaten to sue you and take it all the way.
Does that exist yet in this space where people are filing complaints on behalf of people
to try to sort of make a quick buck?
Well, it looks like that under CCPA that this is very likely.
So CCPA does have a private right of action,
which means that people like you and me can bring civil suits and say,
I'm suing company X because they've violated my data rights,
which means you can have class action suits.
You can have legal teams who earn money based on this.
In Europe, it's a little bit different where it's a governing body, right?
It's like you have the police and you have the courts.
So there's a little bit less of those civil lawsuits.
what we're likely to see in the federal government with a new federal privacy law is
the current thinking is that it will probably be no private right of action if there's a
Republican government and a private right of action if there's a Democratic government.
It's not for sure.
It could go either way still.
And the other part that's likely to happen is that the federal law will override CCPA.
So whatever happens at the federal level will become unanimous.
And this would become civil litigation.
You basically have the GDPR providing a framework for people that then sue.
And get some monetary damages.
Well, the CCPA.
Yeah.
The CCPA.
The California one.
Yeah.
Because the GDPR one, you're saying, they have their own enforcement team.
So you can't take an individual can't take action.
or they could file a complaint with the GDPR, I guess.
They can file a complaint to the government, to the DPA.
Do they get money if there's a fine or the fine gets taken by the EU?
Who gets the money from the fines?
I think it's the DPA.
There may be some ability to recoup in GDPR.
I actually can't remember on that point.
Yeah, I wonder what the...
CCPA is going to happen.
Companies are paying damages.
Yeah.
Companies are paying damages to individuals.
What should the damages be?
If you, you know, expose my reading habits, my password, what would be a, what's the fine, do you think?
What should be the penalty on companies that, you know, are tracking stuff they didn't tell me about?
Or they, I asked them to remove my stuff and they didn't actually remove it.
Yeah, so this typically comes with data breach.
So at the next data breach, if you're a part of it, you may get one of those letters saying, you know, we're opening a
class action, you're entitled to compensation of up to $750 or any additional actual damage.
So if you, if like it resulted in your identity being stolen and you can prove that like you lost
$100,000, you're also entitled to recoup.
And so there's no disclaimer you can put on your website or service that says, hey, listen,
this service is provided as is.
We're not storing any of your data.
There's really no way to get around this now.
This is legislation.
It's going to be the law of the land.
You're going to have to be compliant as a at-scale startup and quickly, probably all
startups.
Absolutely.
Yeah.
Yeah.
And just to show the more positive spin and the opportunity that we're also seeing now, users really want
to work with companies who respect their privacy.
We did a survey with Kelton, the research firm,
and we do this annually.
And we asked consumers whether they would switch to a company that,
you know, all other things equal would,
it protects their privacy better.
And 93% would switch.
Consumers really do care.
And it is something like 43% would pay more.
So there actually is a strategic opportunity.
And this is why we see Apple spin up an entire privacy marketing division and all these, like, "Privacy. That's iPhone." ads.
It's a result of this new consumer trend where consumers really, really want to work with
companies that are.
It's going to become a marketing plan.
I don't understand why Facebook doesn't just, you know, tomorrow prompt people and say,
if you want to pay $10 a month or $15 a month for Facebook, we will not store
or share any of your data.
And done.
Because if they did that,
how are people going to complain?
It's like,
it's free if we can sell your data.
And it's paid if you don't want us to even have your data.
The end.
I mean,
wouldn't that be acceptable to you?
I wouldn't be,
I think it would be acceptable.
I think it would probably be,
feel like extortion to some,
reading that, you know, we, if you pay up, we won't sell your data.
But I could see that being a way to have people switch over.
But I don't know.
I mean, I don't know the internals of Facebook.
I don't know what it's worth to them and what the tradeoff is.
I mean, what percentage of people do you think would actually take them up on that?
I don't know.
I don't really use Facebook.
Neither do I.
It's too creepy.
I don't get a lot of value out of it.
I got to think it would be like low one,
maybe one or two percent of people would opt for a paid version.
And just to see no ads,
just like Hulu has like the Hulu premium with no ads.
So you can get it for five extra dollars.
You get it with no ads or I'd pay for my NBA league pass with no advertising.
It's not really a privacy issue,
but it's more just the annoyance of ads.
And they just show you that for an extra 10,
20 bucks a year.
Instead of showing you ads during the commercial breaks,
they show you the in-house camera of the Garden,
which I just like to see what they're doing
and if they're throwing t-shirts in the audience or whatever.
It's just sort of interesting watching anyway for 20 extra bucks.
But it does feel like security and privacy as a service
will be a great marketing tool.
And Apple is leading that.
Google and Facebook can't hope to compete in that
because their entire businesses are predicated off of data.
Will those businesses collapse if they can't?
I mean, I think they are constantly complaining that they can't provide these kind of free services if they didn't have data.
Do you think that's true?
Do you think they need as much data as they have?
I think it would.
They don't, but I think they've benefited greatly from the amount of tracking they've done.
And to some extent, they've kind of already gotten their lead here.
And so even if this disappeared tomorrow, you know, the machine learning models have
been trained to an extent.
It may not be trained better tomorrow.
But even if they threw out the raw data, they have a pretty big lead and they've figured
out a lot of the psychological profiles of folks.
So it's a difficult one, you know, even if you force Facebook to minimize the new data they
collect.
It's pretty,
they're pretty far along, right?
And so.
So they have this psychographic profile of everybody already and they have all the
algorithms trained.
They know who should be getting ads for depression medication versus high blood pressure
medication versus pregnancy tests or birth control, whatever it is.
They just know already.
So they need to worry about it.
Would you, do you think, uh,
apps out of China are safe for Americans to use.
If you were the president, would you block a TikTok from being in the United States?
I'm curious how you think about that.
Yeah.
So I do believe in the national security concern around it.
This is the same thing that's happened with other apps.
So under the Obama administration, they did the same thing and they requested that Hinge,
or sorry, Grindr,
switch to an American
company and they split it.
Because they were concerned that
this information maybe
wouldn't be so good if the Chinese
government had access to this.
I mean, explicitly think about it. If there were somebody
who was closeted, I mean, that's the classic
compromise that Russia used against
people, tragically. Somebody was
a closeted homosexual in the United States in the
Cold War or whatever. And now
they've got that over their heads, hey, we're going to tell your family you're gay or your
wife, now your whole life's going to come apart. And if you have that data on Grindr, you know,
when people were meeting up with and who was meeting up with who? I mean, can you imagine
what the Chinese could do with that data? Oh, my Lord. Exactly. Yeah. So you don't want this data
to be in the hands of intelligence. And I actually think it's perfectly reasonable.
Yeah. Me too.
And yeah, so it's going to happen.
And it's actually a good thing that we're being a little bit more careful about the information held by other companies.
I mean, the reality is it's all just happening in our backyard instead.
Yeah.
You know, the Snowden Revelation showed very clearly that this is happening in America as much as you might suspect it would be in China.
As much or maybe not as much, and certainly we're not putting people into concentration camps based on that data.
So, you know, when we do the, when we do the alsoism or whatever they call that,
like but-isms, like it's like a communist country might actually act on this data,
whereas an American company might spy or the American government might spy or an American
company might spy and they might have edge cases of people using it.
It's institutionalized to put the Uyghurs into concentration camps, institutionalized to find dissidents or people selling books and have them re-educated.
I'm using air quotes here, which is colloquialism for torture.
So I agree that the U.S. government is not using it in extremely malicious ways right now,
but I think it is something to be concerned about when the government has that degree of information.
and I mean, Edward Snowden would call this turnkey tyranny, right?
Where it's like, as soon as you get the wrong person, it's pretty scary.
You have the infrastructure in.
So I wonder where that puts you on the issue of like full-scale encryption,
the unlocking of the iPhone case or point-to-point encryption.
You know, we've heard, hey, it's going to be impossible to catch pedophiles or terrorists
if they have this end-to-end encryption.
And law enforcement has always had it previously.
and all the FBI agents who speak on the subject are like,
listen, we really need this tool.
If you take this away from us,
we're not going to be able to catch these,
you know,
child trafficking rings or terrorists.
That's obviously true.
They're going to have a really hard time catching them if they,
if they use that end-to-end encryption.
So where do you stand on that?
Do you think the iPhone should be or WhatsApp
or any point-to-point encryption signal?
I'm not sure which ones have the best encryption,
but do you think the government with a subpoena
should be able to backdoor those systems?
With a subpoena, yes.
And so I,
but we're not in that default right now.
So end-to-end encryption can still have backdoors
that can be opened through subpoena.
Where we're at right now is actually a different default,
which enables dragnets,
which means all of our data,
all of our communications,
are being analyzed today.
The metadata,
Not the actual calls themselves?
The metadata is more than enough to figure a lot of things out.
So, you know, someone calls their sister and then immediately calls their husband or something.
And, like, there's all these little stories that come out of the metadata.
And so we're in the default of allowing for a dragnet.
And I don't think we should have dragnets on U.S. citizens.
That's my stance.
And so end-to-end encryption, I think, blocks that.
But it's not hard to, you know, be able to open a back door if the subpoena comes in through legitimate.
Except for the iPhone.
We had to go to Israeli companies to unblock that iPhone, I think, for the San Bernardino shooter back in the day.
seems like the Israelis have some pretty good technology on this front.
Well, listen, Ben, you've been tremendously honest and helpful in all of us thinking about this.
And congratulations.
You guys have raised a bunch of money and you're off to the races.
And I think it's really great that you're helping companies navigate this and think about this from first principles.
Because for anybody who's building a company out here, just assume that, you know, whatever shady shit you're doing, you're going to get caught at some point.
and it's going to be a pretty big, you know,
hole in the side of your ship.
And if your ship's big, it could sink your ship or any hole could sink a ship.
Like, be careful and only collect what you need and what you would be proud to share with your users.
I mean, if you said to a user, hey, you programmed in in your Tesla home and office
so that when you get in the car, it automatically turns on the navigation,
seems reasonable, but may not want the cameras on my Tesla on all the time and may want to
have the option to turn those off, right?
Like, I think there's some common sense here that seems to have gotten lost in an industry
that just said the default is collect all data.
The default means to collect no data now.
I say collect nothing.
Just don't even collect it.
Just build the business without the data.
And then if you have a real reason to use the data, that makes sense.
Yeah.
Basically the best part.
Starting from that place of respect, giving consumers easy choices.
I mean, I don't know if you've ever gone to that Facebook privacy center on the choices there.
I mean, that is, I can't figure it out.
I'm in the industry.
You know, I've been on Facebook since the day it opened, and I can't figure it out.
Convoluted.
Yeah.
I really think if Facebook, I think if Facebook hadn't, if we didn't have Zuckerberg in the industry,
I think that how people would look at the entire industry would be different right now.
I think they really just poisoned the well.
And a lot of the goodwill is gone, right?
For our industry.
Interesting.
You believe that?
That there were the big offender.
I certainly agree that Facebook is one of the bigger offenders right now.
I think if it weren't Facebook, it would be someone else as well.
So I think we have been in a void.
where there's been very little regulation and a lot of money to make.
Yeah.
I think there has to be regulation.
I mean,
after this discussion with you for an hour,
what I realize is my position has been take control of this.
You know,
don't be a victim.
Use a VPN.
I've always used fake accounts on certain sites just so,
you know,
like people don't have a recognizable name.
It's misspelled at Ellis Island.
But,
you know,
like,
and I'm using privacy.com burner cards now.
And, you know,
I'm proactive about my privacy to a certain extent.
But the truth is, you know, we need to have some sort of standards here for people to take it more seriously because there are bad actors or, you know, clever actors are even probably worse than the bad actors.
The bad actors, at least you know why they're doing it.
It's people who are clever, right?
Like Facebook's a little too clever.
Yeah.
And their approach to all this.
All right.
Listen, continued success, Ben, and I really appreciate you being on the pod.
And we'll see you all
next time on This Week in Startups.
