Cillian Kieran is a clear and collected speaker, whether he is introducing an expert webinar – hosting events for privacy practitioners and software engineers is a major conduit to raise the profile of his business – or calmly answering my questions on a transatlantic Zoom call earlier this week. 

Yet the 38-year-old Irish entrepreneur is at a very exciting time in his career. Ethyca, the data privacy technology provider he founded less than two years ago with Miguel Burger-Calderon, has just raised $13.5 million from big-name investors in its series A round and pushed the button on its main product’s public launch – a cloud-based layer of software that promises its B2C customers automated and constantly updated global privacy compliance.

While European business is still coming to terms with the requirement of the EU’s General Data Protection Regulation (GDPR), which came into force just two years ago, the most populous and prosperous state in the US will reach a similar milestone on July 1 when the California Consumer Privacy Act (CCPA) becomes enforceable. The deadline has helped Ethyca and its CEO Kieran find customers and investors. 

“We’ve raised – the two rounds – $20 million in total,” he says. “We’ve grown our team, demand is high for the product. The objective now is to effectively continue to validate and scale as healthily and carefully as possible, given the unusual economic times we all find ourselves in.”

As it goes out into the world in earnest, Ethyca employs 20 people and plans to double this number by the end of the year, with 10 positions currently open. Kieran says the business is doubling its number of customers every month following a soft launch at the end of last year, when staff carefully began to roll out software to each new user. Last month, its mass-distribution product Ethyca Pro became available as a self-service solution.

Kieran says the company’s customers so far have been in the US and Europe, with interest growing in Brazil and India, where privacy legislation is next scheduled to kick in. “It’s across the board from early-stage startups to larger businesses,” he says. Three customers have agreed to be named, all in the US – homewares retailer Parachute, luggage brand Away and online marketing platform Aspire IQ. Kieran assures me there are more, but they are publicity-shy: “Businesses trying to tackle privacy don’t necessarily want to talk very publicly about privacy. I think that will evolve as trust comes to the forefront of consumer concern.”

In the next 12 months, the company’s target is to secure 250 self-service customers and 20 larger companies where bespoke software deployment will be required.

Over the course of our interview, Kieran details the technology behind Ethyca and how it claims to differ from its competitors’, the steady pipeline of privacy legislation around the world and how the ups and downs of his career led him from dropping out of college in Dublin to tackling data protection in New York. 

But first, let’s turn to the funding deal formally announced today.

*****

Ethyca’s main backer is the New York tech venture capital fund IA Ventures, which led both its $4.2 million seed funding last July and the latest $13.5 million series A round. Its managing partner Roger Ehrenberg sits on the board of Ethyca as he does for many other funded companies, such as the successful cross-border money wiring service TransferWise.

The latest round of funding includes big names – not only for the billions at their disposal. SciFi is the investment fund of PayPal co-founder Max Levchin. Prior to his reinvention as a Silicon Valley venture capitalist, Michael Ovitz and his business Creative Artists Agency represented Hollywood talent including Meryl Streep and Steven Spielberg. DJ Patil was the US government’s chief data scientist. 

Thomas Hubert (TH): Can you take me through the journey of the two rounds? How did you go about raising those funds, finding and convincing your investors?

Cillian Kieran (CK): Prior to actually raising funds from those well-known institutional VCs, we had raised a very small friends-and-family round and we were using that to essentially develop the technology. We were very aware from day one that to actually promise to solve data privacy was a pretty lofty ambition. And you don’t really want to go public with something unless it’s pretty perfect. I don’t mean that to be smart, but because of the risk, and we’re talking about people’s data and privacy, we needed to know that it worked. So we were probably building technology for about a year and a quarter, a year and a half before we publicly demonstrated anything to anybody. 

At that point, we started publicly demonstrating to our initial pilot customers, as well as to investors. Myself and my co-founder Miguel have a pretty good relationship with the tech community in New York. I’ve been in New York for exactly 10 years now. We were able to demonstrate it to both early-stage funds and some of the early- to mid-stage funds that take interest into developer tools, particularly infrastructure products and security products. 

We accumulated interest very, very quickly. We were very fortunate to meet with Founder Collective in Boston and IA Ventures in New York. In fact, Founder effectively introduced us to IA because they felt so strongly about what we were doing. In the end, they both offered to support us in our seed round, which was terrific validation of the technology, I think for two reasons.

Founder Collective focuses typically on consumer technology, and so they had a really good visibility of this problem for their portfolio businesses. This was something companies were suffering from and needed a solution to. IA Ventures, obviously, has a storied history in only really investing in data products, infrastructure and developer tools – if you look at DigitalOcean, Datadog, TransferWise, etc. And they saw the opportunity from that point of view. They really, really supported us early on, they spent a lot of time with us.

Validating that was IA Ventures so heavily investing in us in our series A. The opportunity to then bring in amazing other partners like Max Levchin and SciFi Ventures amongst others, I think, was simply down to the work we had done in the 10 to 12 months since our seed.

We had a lot of inbound interest, a lot of parties that simply wanted to get close to Ethyca, and still to this day continue to try to be close to us, which is tremendous validation for two things: that there’s demand for a solution to the problem, which is good because the tech industry needs to solve this problem; and the other is that Ethyca is the right solution to that problem.

TH: As you said, you started with New York backers that are close to you and where you’ve been working for 10 years. The second round, I’ve noticed, is going into Silicon Valley a bit more. Do you notice a difference? Do you need to approach them differently and do they ask for something different when you go west?

CK: It’s a really good question. The honest answer, trying to leave aside the rumour mill of what people say happens on east versus west: I think we’re slightly further along than, say, a very early-stage business raising a pre-seed or a seed round. So there was a substantial piece of product and technology and intellectual property there when we met with investors on the West Coast. And there were customers and reputation in our ability to bring that product to market. 

Candidly, although it sounds very Silicon Valley, we didn’t actually have an investor deck when we raised our series A. We were approached by several investors in the West Coast that looked to lead the round. We hadn’t intended to raise so early, but the timing was good, the valuation was strong, and the strategic opportunity to work with those investors was very valuable. So in fact, for us, what we did in most cases was demonstrate our actual technology, that was ultimately our pitch. We just used the technology to show people what we could do.

TH: And there’s no pressure to move the company there or to be closer, either from investors or for you to access them? You don’t feel the need to be in San Francisco or the Valley to access those funds at all?

CK: No. I think there are a couple of things – and the pandemic has accelerated this. It’s a very personally held view, so I’m sure it won’t align with everybody’s view. I think Silicon Valley is fantastic in the sense of San Francisco, the Bay Area in the broader sense. And I understand those founders who believe that it’s the only place to be to truly innovate, and it gives you a different perspective. 

I would argue the counterpoint that, particularly now when we look at the sort of civil liberties issues that we face in the US, being so firmly inside a bubble, I think, can be very risky for founders as they look to innovate. Data privacy is a rights issue. So it’s not about consumer services like cars on demand, or your groceries on demand, which sounds like a great innovation. 

This is about the rights of users as they use any technology, whether it be a legacy business, or a cutting edge tech company. And actually, I think it’s very important for those inside the Bay Area to look outside right now and gather inspiration from the things that we should be fixing in society. 

Thus far, investors certainly haven’t been pushing us to do that [move to Silicon Valley]. I think we all view New York as a very strong base to be, albeit the challenges of the pandemic right now. And we’ll continue to evaluate that in the next six to 12 months – I think the office culture for most companies is going to evolve anyway.

TH: What is this funding round allowing you to do? Are there investments planned or things you need to scale up, apart from hiring enough people – and good people?

CK: The answer is obviously hiring a lot of talent. In many ways, we’re fortunate to be able to continue hiring through a very difficult period economically, which is fantastic insofar as we feel like we’re still contributing economically and we can try for the business, which is wonderful. 

The other thing is that we had historically been investing heavily in the privacy community, but a lot of that is around physical events and sort of community efforts which are challenging to do given the pandemic. So we’ve had to reevaluate a lot of that. We continue in areas that we can. For instance, we’re one of the largest sponsors of the largest privacy engineering degree in the US – there’s a dedicated privacy engineering degree at Carnegie Mellon University. We sponsor the engineers’ final projects there and theses, which we think is an important thing to do to help them with real-world problems that they should be solving. And we support the developer community, and the security engineering community in particular, which are things that are close to our hearts as a culture from our engineering team’s point of view.

But as it relates to the funding, it’s ultimately about growing the team, allowing us to go to market faster. The demand is far greater than we are – 20 people. So we need to grow now to meet those expectations.

TH: Is it mostly software engineers and privacy specialists you need, or is it the sales and marketing as well you need to step up? 

CK: A little bit of all of those. We’re hiring modestly in sales and marketing, but it’s predominantly engineers – senior engineers that work in data and infrastructure, security and machine learning, probabilistic and contextual matching. So typically engineers that like really, really difficult problems, would like to look at Ethyca, I’d say.

*****

Ethyca’s product offering is all at once extremely simple and difficult to grasp. Kieran says it is “a trust platform that automates data privacy for businesses”. For a consumer-facing business subject to increasingly stringent privacy laws in different jurisdictions, the prospect of paying a monthly fee to magic away this compliance headache into the cloud is an attractive proposition.

Kieran likens Ethyca to another US-based company with Irish founders based on an API processing sensitive data: “Nowadays there’s no business that would process a credit card without SSL certificates and [Payment Card Industry standards] PCI compliance. That’s why we all use Stripe to make that easier,” he says. “The same thing is going to happen here, right? Ultimately, consumers, average users will trust in businesses that have a sticker or a label that clearly says they care about your data. ‘Powered by Ethyca’ should be that.”

Its software automates the management of personal data, such as an organisation’s obligation to let individuals access the information it holds about them. But how does it work? 

Kieran explains that it plugs into its customers’ existing systems to identify and manage personal data without copying it to Ethyca’s own infrastructure. Its most accessible product does that for small to medium companies from the outside: “Ethyca Pro is a cloud product in that it’s hosted by us. It’s managed by us, it holds only one piece of personal information, and that is the identity of the user making a request for their privacy. So for example, if you Thomas contacted a company that was using Ethyca’s technology and said, give me access to my information, we would keep just a copy of your email address to prove that you’ve made that request. Just for the audit.”

Ethyca plugs into customers’ existing systems to manage personal data in accordance with privacy laws.

For larger customers with more complex systems, the delivery model is different. “The Enterprise technology is deployed into customers’ infrastructure,” says Kieran. “So it’s internal to the organisation as managed by them, it’s more like developer tools that sit between data storage systems and applications, and it manages privacy obligations for engineers and data scientists.”

Ethyca Pro is priced according to the number of systems a customer needs to plug into. It is free up to three. “There are small businesses that need to comply with privacy regulations that may not be able to pay the fees today. As they grow, that will evolve,” Kieran says – and they hit a paywall starting at $700 per month. “We did a lot of modelling over the last two and a half years – the average business, even small businesses, typically have about eight destination systems in which data might reside,” he notes, placing Ethyca’s price point for these customers between $850 and $1,500 per month.

The price always includes compliance with privacy laws anywhere in the world. “We have a team dedicated to looking just at regulations and the evolution of those,” Kieran says. This has led Ethyca to tweak its software as California’s attorney general made adjustments to the state’s regulations in recent months. I put it to him that The Currency may choose to manage its subscribers’ personal data with Ethyca and have a person subscribe from the Vatican. Would their data be held in accordance with the Vatican’s privacy laws? “Correct,” Kieran replies.

He adds that any actions required will be truly automated, instead of tasks usually requiring significant manual labour. “With all of our competitors, they talk about automation, but it’s basically signalling, right? It flags an email or a notification on a dashboard, then the business needs to retrieve and manage that data. Ethyca is connected to all of your data stores, anything that holds information on your behalf, and therefore it either retrieves it or erases it.”

In terms of legal liability, Kieran says that Ethyca provides guarantees that such actions are conducted in respect of privacy rights. “For any systems connected, we provide guarantees around identity verification for a user requesting their data, and guarantees around data retrieval for all connected systems. What we don’t cover is a guarantee around a data breach insofar as Ethyca is not a security product and a hack or compromise of a system is a security issue.” With GDPR penalties of up to 4 per cent of a business’s global revenue and Californian fines of $7,500 per individual infraction, “you could look at Ethyca as a very cost-effective way to avoid some very serious fines and some very poor publicity for the business,” he adds.

*****

GDPR sets the global baseline

Ethyca is tapping into an emerging global market where GDPR is only a starting point. Aside from California, Kieran says there are 16 or 17 US states planning privacy bills and a debate going on at the federal level. Privacy laws are already in place in jurisdictions like Canada and South Africa, and will come into force in Brazil in August. “The Indian Person Privacy Bill comes into effect probably in about 18 months’ time,” Kieran adds. 

TH: How big a business opportunity is the CCPA for Ethyca? How much business are you getting out of it?

CK: The short answer is there’s been a very significant spike in demand since January right through to now. Without boring people with the legal stuff, the way a law is passed in a state in the US is quite unusual. The law came into effect on January 1, it can be enforced from July 1, and it can be prosecuted against from October this year. So that basically means that any business not compliant from July 1 can face a fine, although the fines won’t start until October, if that makes sense. 

As a result, we’ve had sort of two waves already – businesses preparing on January 1, because culturally they felt they should. And then others racing towards July 1 now, as they’ve been concerned about it again. It’s very significant. Our team are flat out and we’re hiring significantly to continue supporting that. 

Back in March, when the pandemic was really setting in in the US, there was a lobby of tech companies in California attempting to ask the Attorney General to delay enforcement, because of the concern over pushing businesses at a very difficult time to comply. The Attorney General voiced concerns about delaying it – that it would water down people’s perception of trust and safety, and therefore they will continue with enforcement on July 1.

So you have a strange confluence of events. You have small businesses struggling to survive in a very difficult time financially, but being asked to meet some very stringent, very new regulations. At the same time, as a lot of retail and hospitality businesses started to do “digital transformation” like buying contactless payment systems, mobile ordering applications because they need to find ways to continue service in this new universe, and so the risk for them from a data perspective is significantly increased as to where it was six months ago.

TH: You’ve worked on GDPR before and I followed a webinar you organised a few weeks ago with US experts who are saying GDPR is very much the reference internationally. The European legislation is a standard you could aspire to, and be compliant as a company with a lot of other ones, including CCPA. Have you as Ethyca got a sort of head start as well, making GDPR compliance products and then going into CCPA and the big ones you’re mentioning coming up next, India and Brazil – has GDPR been that gold standard for you as well as a service provider?

CK: The honest answer is, I think, we go beyond where the GDPR is, and not because we doubt in it. I think we believe in even higher standards, but the cut and thrust of that webinar that you’re referring to is that the GDPR sets the global baseline. CCPA is slightly less, some of the other US states will be slightly less again, but if a business truly believes in the rights of its users and wants to instil trust in their customers, then the GDPR is table stakes. 

That’s how we look at it. That’s what a business should do if it cares. And that’s analogous with, say, PCI compliance back when fraud in credit card processing rose. In the early 2000s, fraud grew so quickly in credit cards that PCI compliance became the thing businesses had to achieve to create trust online. That’s table stakes. 

*****

Ethyca is far from being Kieran’s first start-up. He and Burger-Calderon were already co-founders of a previous New York venture, BrandCommerce. According to Crunchbase, seed funding for that business came from some of the very same investors in Ethyca, including Jon Steinberg, Sinai Ventures and Jonah Goodhart.

Previous to this, he and Simon Keane had a long run with CKSK, a digital transformation consultancy they had in Dublin in 2006, and which went into liquidation last year. Keane is now director of design at Ethyca.

Kieran’s mother is French and, although he was born in Ireland, he spent his childhood in Paris. He came back to Ireland to study computer science and physics at Technological University Dublin (then DIT) – briefly.

CK: I dropped out. Candidly, college wasn’t for me. I went to college a little bit younger than most people do. And so I dropped out, but software was my passion. I was fortunate enough to work briefly as a consultant thereafter, a little bit in the US and then back in Ireland. Very shortly after that consulting period of about a year and a half, two years, I got the opportunity with a co-founder to set up a company called CKSK, which was a digital consulting business back when the industry wasn’t that sophisticated. So you’re talking in the early 2000s. 

Back then, there was basically web development agencies and then consulting companies like Accenture. Now, of course, you have Accenture’s The Dock and things like that in Ireland. Back then, that didn’t exist – digital transformation, hard technology problems for legacy businesses. So we typically built data tooling, infrastructure, large enterprise applications for legacy companies. 

Our customer profile was, you know, Heineken, Sony, Dell, Pepsi, etc. and I ran that business with my co-founder for a little over a decade. I moved to New York with that company, about 10 years ago. Ultimately, we weathered a very tough time in 2008. It took its toll on what was a services business that had never raised any money. It was around 100 people. A challenging period to understand what it’s like to really tighten the belt and have to make some really tough decisions, both personally and professionally, for teams that you’ve been close to for a long time. 

But I think it makes you stronger in your resolve in terms of understanding how to build good culture and good teams and build a safe, scalable company, rather than rely on venture or debt. Ultimately, a few years later, I stepped out of that business and took a small amount of time off in New York, and then started working on a data capture platform called BrandCommerce. 

TH: To conclude on CKSK, I saw reports that it did go into liquidation in Ireland. It eventually failed, did it? Is that a fair assessment of what happened?

CK: It did go into liquidation. At the risk of sounding prickly, I take issue with “it failed” because I now understand what businesses are. I would actually argue that a business that runs for over a decade, employs nearly 100 people, pays all its taxes and salaries and keeps the roof over people’s heads is a far greater success than a business that is sold after three years. 

I take huge pride in what we did at CKSK, insofar as CKSK was a business that was the very best at what it did in Ireland, had built in a tremendous brand for digital innovation, had nurtured some of the best talent in Ireland – they now mostly lead business units at Accenture and some of Ireland’s top digital agencies. I think that is a testament to the business. 

That we couldn’t survive the market challenges of Brexit at the time – we CKSK as a business could not – is down to, maybe, difficulties in fundraising or financing and being a single independent business with no larger network backing behind it. And timing is very challenging in that. Of course, you could call it a failure and I’m fine with that, if that’s the choice of words. I think that keeping a business afloat for more than a decade is not an easy thing to do, I can assure you, and so I take it with great pride that we succeeded for over a decade.

TH: Then you moved on to BrandCommerce. What was that, and are you still involved?

CK: So BrandCommerce is an e-commerce data capture platform. It effectively allows what would be businesses that do not have their own e-commerce capabilities to funnel orders directly to brick-and-mortar retailers from their online platforms and push those orders out for delivery in under an hour through third-party providers (not part of BrandCommerce’s business). 

Effectively, what the brand gets back for that is the ability to own the customer relationship and capture the data that it can’t get in transactions from stands on Walmart or the big retailers. So it allows them to own some of the customer relationship, build direct contact with their customer, and push orders directly to the retailers that have historically struggled against the might of Amazon’s one-hour delivery and Prime systems and so forth.

That business grew very quickly and ultimately was sold off about a year and a half ago to a third party that unfortunately I can’t name. But it was a larger e-commerce provider than us that wanted to acquire some additional e-commerce capabilities. The main reason for that was, in the process of building that data capture platform, we started to look at how we could solve data privacy compliance for ourselves, because we had large customers that were not just US-based but wanted to deploy the technology in Europe, were concerned about GDPR, and looked for compliance solutions.

We could use consultants or the products that were on the market at the time, which are still the same competitors that Ethyca has today, but those were effectively consulting services. And we believed the problem was one that you would solve in code, not in regulations, effectively.

*****

Kieran clearly loves New York City. When CKSK outgrew the Irish market, it first set up an office on the continent in Amsterdam. The next logical step was New York in 2010. This is where he met Burger-Calderon. “Miguel is one of the early founding members of Elite Daily, the publisher that was acquired a couple of years ago by [Daily Mail publisher] DMGT. So he’s very well known in the tech community and I guess we’d both been there about a decade,” he says.

At DMGT, Burger-Calderon crossed paths with former BuzzFeed President Jon Steinberg, then head of the Daily Mail’s US digital operation, who has since invested in BrandCommerce and Ethyca.

“The tech community in New York is very tightly knit. When I was looking at solving some of these data capture and data analysis problems, I was introduced to Miguel while he was looking for his next opportunity,” Kieran says. Burger-Calderon was facing the same issues at Elite Daily and then at the Daily Mail. Their responses formed the basis for the two successive start-ups they co-founded.

New York is a different place these days. It is one of the cities worst hit by Covid-19 worldwide, and the scene of some of the recent violent anti-racism protests that have swept the US. I ask Kieran how the disruption has affected Ethyca’s latest funding round and its wider operations.

“As I mentioned, we had inbound interest from a number of funds to lead the round. We were evaluating that through January, February and March,” he says. “For us, the momentum was already there to make the round happen, which I’m not going to say we planned or architected. We didn’t, we were fortunate.”

Pitching and presenting to investors was largely done before restrictions took hold. “We put tech companies on pedestals for succeeding in growing quickly. The truth is, it’s really hard work, but it’s also a lot of timing – good fortune and timing,” Kieran says.

His team switched to working from home in the middle of preparations for the launch of Ethyca Pro’s self-service version. “Of course there is disruption, anyone that says there isn’t would be telling a fib,” Kieran says. “But we’ve been fortunate that we’re a small enough team, and we’re very tight-knit because we’ve been working closely together for about two years, that ultimately working remotely, really, was a shift from a physical desk to just not being able to see each other.”

He adds that it could be some time before Ethyca’s expanding workforce sits together again. “Of course, we’d love to get back to the office, but I think realistically, that may be some time away. We will always act cautiously and, I think, slower than regulations unwind,” Kieran says. “But that’s the right decision.”