Privacy Daily is a service of Warren Communications News.
Business' Rising Concern

State Privacy Fines Undersell True Costs for Penalized Companies: Clarip CEO

The actual cost to a company from a privacy enforcement action could be many times higher than the regulator's fine, Clarip CEO Andy Sambandam said in an interview. Privacy has become a quickly rising concern for companies amid a growing number of privacy laws and state enforcement actions, he told Privacy Daily.


Sambandam founded Clarip nearly a decade ago after seeing data collection and tracking increase from an “explosion of IoT devices,” autonomous vehicles and AI. Yet people lacked choices about collection and tracking, he said. It should be up to consumers "to decide what we want to share" and with whom, Sambandam said.

In addition, awareness of privacy was low even among the largest companies when Clarip started in 2016, roughly two years before the EU’s General Data Protection Regulation took effect, he said. “After GDPR, there was a little bit more awareness, but even then, people were” saying “it doesn’t apply to us” since we’re not physically in Europe, he said.

“That has changed a lot now” since some 20 U.S. states have comprehensive privacy laws. For example, he recalled Texas-based clients who hadn’t thought about privacy laws until their state passed one. Enforcement actions since then, from states like California and Texas, have further amplified companies’ attention to privacy, he added.

Enforcement has had an impact regardless of the fine, whether it's the California Privacy Protection Agency’s $632,500 action against Honda (see 2503120037) or the Texas attorney general’s $1.4 billion settlement with Google (see 2505120054), he argued.

While the Honda fine was less than $1 million, the true cost to the carmaker may be far more. That’s because as soon as a regulator inquires about a company’s privacy practices, the business panics and hires an outside attorney, he said. “All of a sudden” the company is charged “thousands of dollars an hour.” In addition, there are the costs of starting an internal investigation and responding to the problem, he said. “These things go on” for 12-18 months “before it even gets to the settlement stage.”

“Even if the fine is only a million dollars, you’re looking at probably” at least $20 million for a large company, he said. Not to mention “reputational risk,” which can cost a company the loss of near-term sales or result in intangible impacts like a surge of customers opting out of providing their information, he said.

The Honda action was “surprising,” the Clarip CEO said, because “this could have been avoided easily had [Honda] followed some ... best practices that've been in the industry for four years now.”

Another factor driving businesses to think more about privacy is that they are seeing increasing numbers of consumers coming to their websites with universal opt-out preference signals activated in their browsers. “Companies are now realizing … there’s a lot of people coming to our sites that are saying to us, ‘Do not track,’ and that’s not just a handful; that’s in the tens of thousands or hundreds of thousands nowadays.”

Despite that, he still sees “a lot of companies” who find honoring those signals “a challenge, even though [the] technology exists” to respond.
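The “technology exists” point above is concrete on the server side: a browser that has a universal opt-out preference enabled sends it as a request header, and the site only has to read that header before deciding which trackers to load. The following is an added example (not code from the article or from Clarip) that treats the Global Privacy Control header `Sec-GPC: 1` as the visitor’s opt-out and, as a labelled assumption, can optionally honor the older `DNT: 1` header as well. The request headers and tag names are constructed sample input.

```python
"""Honor a browser-sent universal opt-out signal before loading trackers.

Added example, not from the article. Assumptions: the concrete signal is
Global Privacy Control, carried as the request header ``Sec-GPC: 1``;
the legacy ``DNT: 1`` header is honored only when the caller opts in to
that, since not every privacy regime recognises it as a valid opt-out.
"""
from dataclasses import dataclass
from typing import Iterable, List, Mapping


@dataclass(frozen=True)
class OptOutDecision:
    opted_out: bool
    source: str  # header that triggered the decision, or "none"


def detect_opt_out(headers: Mapping[str, str], honor_dnt: bool = False) -> OptOutDecision:
    """Return whether the request carries a universal opt-out signal.

    Header names are case-insensitive, so they are normalised first. The
    GPC signal is only considered set when the value is exactly "1";
    any other value (including "0" or an empty string) is not an opt-out.
    """
    normalised = {name.lower(): value.strip() for name, value in headers.items()}
    if normalised.get("sec-gpc") == "1":
        return OptOutDecision(True, "Sec-GPC")
    if honor_dnt and normalised.get("dnt") == "1":
        return OptOutDecision(True, "DNT")
    return OptOutDecision(False, "none")


def third_party_tags(
    headers: Mapping[str, str],
    default_tags: Iterable[str],
    honor_dnt: bool = False,
) -> List[str]:
    """Return the advertising/analytics tags a page may load for this request.

    Assumption: an opt-out means no sale/share of personal information, so
    no third-party marketing tags are emitted at all for that visitor.
    First-party, strictly necessary scripts are not part of ``default_tags``.
    """
    if detect_opt_out(headers, honor_dnt=honor_dnt).opted_out:
        return []
    return list(default_tags)


if __name__ == "__main__":
    # Constructed sample requests: one with GPC on, one without any signal.
    gpc_request = {"Host": "shop.example", "Sec-GPC": "1", "User-Agent": "x"}
    plain_request = {"Host": "shop.example", "User-Agent": "x"}
    tags = ["ads-vendor.js", "analytics-vendor.js"]  # constructed tag names
    print(detect_opt_out(gpc_request), third_party_tags(gpc_request, tags))
    print(detect_opt_out(plain_request), third_party_tags(plain_request, tags))
```

The decision is made once per request and logged with its source header, which is exactly the record a site wants on hand if a regulator later asks how opt-out signals were handled.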

Companies’ increased awareness is particularly evident at privacy conferences, where attendance is “much higher now in 2024 and 2025 compared to six [or] seven years ago,” said the vendor CEO: General counsels, chief information officers and other top legal officials at companies “can no longer ignore this.”

“It’s no longer just a compliance initiative ... it’s [about] being transparent.” Businesses see giving customers privacy choices as one way of increasing trust, and companies are starting “to see this as an investment now.”

Sambandam wouldn’t be surprised to see a national privacy law in the U.S. within four to five years, since even the largest tech companies are lobbying for one, he said. “For them, it’s actually beneficial to have a single law, as opposed to them having to deal with 20-30 separate laws, and their goal is to maybe get a version that’s not that severe.”

It's a different situation for federal regulation of AI. Two years ago, a national AI law seemed imminent; but not anymore, said Sambandam. Back then, tech companies were asking for congressional regulation. “But now there's this other side where they're monetizing [AI], and they're realizing, ‘Oh, maybe it shouldn't be regulated as much.’” Congress is considering a proposal that would put a 10-year moratorium on state regulation of AI (see 2506060019 and 2506030068).

“Maybe [tech companies are] also getting a little bit more confident that they could tame” AI. However, “there's got to be some form of sensible regulation. … Otherwise, it's going to completely get out of control.”

“If something is getting fed into AI, there's really no privacy there,” said Sambandam. “The moment you share [data with AI] that’s it. You’re not really able to build sophisticated levels of privacy inside AI.”

And due to a complex ecosystem in which AI tools may be used by organizations and their vendors, personal information or sensitive data can get fed into AI as part of another data set without the organization’s knowledge, he said. “It’s a big challenge for privacy professionals.”