BigID CEO Sees States Blazing Their Own Trail on Data Privacy
Businesses must traverse an expanding “minefield of state and international regulations,” said BigID CEO Dimitri Sirota in an interview last month at the IAPP Global Privacy Conference in Washington. The rise of AI has also created privacy compliance challenges, but the technology could also make some aspects of the data protection profession more efficient, he said.
BigID started selling privacy compliance services in 2016, the same year that the EU adopted the General Data Protection Regulation. GDPR called for data subject rights like access, portability and deletion, which “flew in the face of the traditional approach to big data,” where companies “saw data as theirs,” Sirota told Privacy Daily. “They could collect as much as they wanted and do with it as they pleased.”
Since then, about 20 state laws in the U.S. have added to the regulatory compliance challenge. In the same way that American “English split off from British English,” the emergence of U.S. state privacy laws created “its own branch” of regulation, said Sirota.
“If you’d asked me” in 2021 if there would be 20 state privacy laws, “I’d probably have said no … because privacy seemed like a European thing,” said Sirota. “And even today, you have folks that kind of say, ‘Oh yeah, [Europeans] just like to restrict and constrain.’ But clearly America is blazing its own path.” The risk for businesses comes not only from privacy regulators but from class-action lawsuits, he added.
If President Donald Trump and Congress could agree on a national privacy law, Sirota doubts it would preempt state laws, because states like Florida and Texas “would probably want [to retain] authority.” However, given that the U.S. is “busy with capturing Greenland and Canada, it's unlikely that privacy is going to bubble up like tariffs on China,” he said.
Maryland’s comprehensive privacy law, taking effect this October, adds a data minimization requirement not found in other states’ laws. However, Sirota said there are reasons besides regulation for businesses to reduce the amount of data they hold. “A lot of companies want to do it” to reduce costs and enhance security. BigID started building a data minimization capability for its compliance service about three years ago.
“Data is an attack surface,” said Sirota: Bad actors “either want to steal your data or they want to bring your system down.” Data breaches often occur because “there’s a type of sensitive data that’s been floating around that people haven’t deleted” or because bad actors found copies or backups of data, said the CEO: If breached companies “did proper hygiene, they wouldn’t have had that issue.”
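The hygiene gap Sirota describes, sensitive records nobody deleted and forgotten copies or backups of them, is something a practitioner can sweep for with a few lines of code. The Python below is an added example, not BigID’s code; the detectors (SSN, Luhn-checked card numbers, e-mail addresses), the one-year retention window and the sample files are all constructed for illustration. It flags files containing sensitive data, groups byte-identical copies so a backup is reported against its original, and marks sensitive files older than the retention window as deletion candidates.

```python
"""Added example (not BigID's code): a minimal data-hygiene sweep.

Detectors, retention window and sample files are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

# Constructed detectors. Real deployments tune these per data type and jurisdiction.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")          # 16 digits, optional separators
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so 16-digit order IDs and the like are not reported as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> set[str]:
    """Return the categories of sensitive data found in the text."""
    found: set[str] = set()
    if SSN_RE.search(text):
        found.add("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            found.add("card")
            break
    if EMAIL_RE.search(text):
        found.add("email")
    return found


@dataclass
class FileRecord:
    path: str
    content: bytes
    modified: datetime


@dataclass
class Finding:
    path: str
    categories: set[str]
    stale: bool                     # older than the retention window
    duplicate_of: Optional[str]     # path of an earlier byte-identical file, if any


def sweep(files: Iterable[FileRecord], now: datetime,
          retention: timedelta = timedelta(days=365)) -> list[Finding]:
    """Report every file holding sensitive data, its staleness and any earlier copy."""
    seen: dict[str, str] = {}       # sha256 -> first path with that content
    findings: list[Finding] = []
    for f in files:
        cats = classify(f.content.decode("utf-8", errors="replace"))
        if not cats:
            continue                # nothing sensitive: not part of the attack surface
        digest = hashlib.sha256(f.content).hexdigest()
        dup = seen.setdefault(digest, f.path)
        findings.append(Finding(f.path, cats,
                                stale=now - f.modified > retention,
                                duplicate_of=None if dup == f.path else dup))
    return findings


# Constructed sample "filesystem": an old customer export, a backup copy of it,
# a recent invoice with a (test) card number, a log with a non-Luhn 16-digit ID,
# and a README with nothing sensitive.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
CUSTOMERS = b"id,email,ssn\n1,alice@example.com,123-45-6789\n"
SAMPLE_FILES = [
    FileRecord("exports/customers.csv", CUSTOMERS, datetime(2023, 1, 15, tzinfo=timezone.utc)),
    FileRecord("backup/customers-2023.csv", CUSTOMERS, datetime(2023, 2, 1, tzinfo=timezone.utc)),
    FileRecord("billing/invoice.txt", b"Card 4111 1111 1111 1111 charged 12.00\n",
               datetime(2025, 5, 20, tzinfo=timezone.utc)),
    FileRecord("logs/app.log", b"order 1234 5678 9012 3456 shipped\n",
               datetime(2025, 5, 30, tzinfo=timezone.utc)),
    FileRecord("README.md", b"# Internal tools\n", datetime(2024, 3, 3, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for fnd in sweep(SAMPLE_FILES, NOW):
        note = " stale" if fnd.stale else ""
        note += f" copy-of={fnd.duplicate_of}" if fnd.duplicate_of else ""
        print(f"{fnd.path}: {sorted(fnd.categories)}{note}")
```

Running it reports the export (stale), the backup as a copy of the export (stale), and the invoice (current); the log line’s 16-digit order ID fails the Luhn check and is not reported, which is the kind of false positive a sweep like this has to suppress or nobody acts on its output.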
The rise of AI could add challenges and opportunities for privacy pros. “AI inherently has a privacy dimension,” said Sirota. “There’s an element of consent” since users must agree to their data being used for AI. In addition, now “when I’m doing a risk assessment, it’s not just from the lens of GDPR or privacy; it’s more broadly from the lens of AI … and what is the risk around me using this data with this model for this purpose?”
At the same time, AI could help offload “meticulous and manual” privacy processes like assessments and data subject requests. It won’t eliminate the privacy professional’s job, however. “You’re still going to need somebody to orchestrate,” but that person “could get more done with less resources.” In addition, Sirota believes AI can help companies identify data and accurately associate it with a subject, he said.
Sirota sees different privacy compliance challenges for large and small customers. Small companies rely on their websites to communicate with customers, so they care about cookies, consent, data rights and privacy preference management, he said. Larger companies have “a wider spectrum of things that they care about in privacy.” They also have a greater diversity of data sources and “existing infrastructure they need to integrate with,” which isn’t usually an issue for small businesses.