"There's a lot that goes on behind the cookie banner," says Kabir Barday, the founder and CEO of OneTrust. He's talking about that now-ubiquitous pop-up on websites that lets you know the site is collecting data on your visits and activity in order to personalize your experience--or sell your information to third parties. The cookie banner is perhaps the most visibly identifiable sign of his company's software, but the real work is the invisible machinery churning away behind that banner.
Atlanta-based OneTrust, which landed at No. 1 on this year's Inc. 5000, with more than $70 million in 2019 revenue and a staggering 48,337.2 percent three-year growth rate, is among the global leaders in privacy-law-compliance technology. In the most straightforward terms, OneTrust builds a suite of digital tools that gives companies a clearer view of all the user data they accumulate. This enables them to comply with privacy laws, like the European Union's General Data Protection Regulation (GDPR), that give consumers greater control of how and whether companies use their data.
Before lawmakers began to take notice of consumer complaints about data misuse, most companies simply didn't have dedicated technology for managing their users' privacy. Now they must. The California Consumer Privacy Act (CCPA), which went into effect in January, is another of what are expected to be many more laws related to user privacy. The cost of noncompliance is increasing dramatically.
That's why OneTrust is the solution for nearly half of the Fortune 500. The company has some 6,000 clients--including Aetna, Oracle, Raytheon, Bertelsmann, and Maersk--spanning virtually every industry in the world and every size business.
There may be sexier tech companies out there that generate more headlines than OneTrust. But in pure business terms, there's nothing sexier than quietly amassing control of a deep niche that just keeps getting deeper. The initial test for any entrepreneur is to figure out what market gaps they can exploit with their skills, and then defend. Barday, who comes off as equal parts soft-spoken and swaggering, recognized a colossal market in its infancy. How he seized the opportunity is a lesson in diligent prep, great timing, and aggressive action.
Barday's parents, Indian immigrants, landed in Atlanta in 1983 with a vision of achieving the classic American dream--"You can do anything," Kabir says. His dad was a software developer who enrolled Kabir, when he was 10, in community-college computer classes. After the elder Barday quit his software job and turned to entrepreneurship--he opened several gas stations and restaurants--he helped his son start a small web-development company. It was a tidy little profit center that certainly beat mowing lawns. "I would go to all the small businesses in my area and build them websites for $5, $6, $7,000 a pop," Kabir remembers.
Barday's parents always taught him to dream big. When he joined the Boy Scouts, they urged him to earn the top rank, Eagle Scout. "You don't do anything unless you're going to be committed to being the best at it," he recalls their telling him. He avoided organized sports because he didn't think he could live up to that commitment--but his budding career in technology entrepreneurship was something else entirely.
After attending Georgia Tech, Barday landed a job at a fast-growing Atlanta company called AirWatch, which helped companies secure their employees' mobile devices. It was 2010. The mobile-computing revolution was taking over, and BYOD--bring your own device--was a trend that employers were having to reckon with.
Throughout much of the aughts, corporate IT departments owned and controlled the mobile phones that they doled out to employees. But once ownership costs fell and networks improved, people began carrying their own powerful pocket computers--and they needed constant work connectivity. In 2012, AirWatch landed at No. 467 on the Inc. 5000.
Barday was moving up quickly too, working closely with some of the firm's big, multinational clients to implement the software. By 2014, when AirWatch was acquired by VMware for more than $1.5 billion, Barday was conceiving and directing the launch of new products.
Like his father, he felt that he'd paid his corporate dues and that his next move would be entrepreneurial.
In fact, one option that he seriously considered was partnering with his dad to roll out franchises of a California-based pizzeria chain called Pizza Studio across the Southeast. But before he signed the contract, Barday forced himself to reflect on whether the plan was the best use of his talents--whether he could in fact be the best at it. "I love pizza, but I don't know that that's unique about me," he figured. "Anyone out of college can go open a franchise. What am I uniquely positioned for?"
Around the same time, Barday had begun to think about the flip side of AirWatch's technology, which was protecting the privacy of employees' data on their personal devices. As he explains it, the company's software would monitor what apps a person installed on their devices to flag any potential security threats that could expose the company's data. But that monitoring itself could be a problem, because a person's choice in apps could reveal sensitive information, such as religion, sexual orientation, and financial standing. Who wants the boss to know what hookup app or addiction-counseling service they use?
Barday persuaded his bosses to let him lead the development of "a set of features and capabilities that put privacy for employees first," he says. The result, which won an award from the International Association of Privacy Professionals (IAPP), landed Barday at a large privacy-industry conference, where he spotted the opportunity for OneTrust. As he sat in on panel after panel about privacy management, he realized the industry was ill-prepared for the GDPR.
The Europeans were way ahead of the U.S. on personal privacy, appalled in some ways by the Wild West, no-secrets nature of the web.
Despite the tech industry's aggressive lobbying to prevent laws like GDPR, Barday became convinced that they were inevitable--and that businesses everywhere didn't have the technology to deliver the protections that would be needed.
"It was a growth industry like I've never seen," he says. "And I saw a mismatch. A lot of the solution providers were legal-consulting-type companies, but if you read the draft of the GDPR, it was going to require fundamental architecture changes--not just policy changes--to allow for data to be deleted or masked."
"Kabir was a visionary," says Trevor Hughes, the IAPP's longtime CEO. "We all knew this stuff was complex, and it was really hard, and the risks were increasing as data use exploded. But most organizations were still running their privacy programs on Excel spreadsheets and email at the time. Kabir saw immediately that they were going to need a singular platform that provided both visibility into data collection and operational systems for the people managing it."
Out went the pizzeria idea.
By the time Barday was ready to formally launch OneTrust about two years later, his lockup period from the VMware acquisition had expired, so he brought on most of AirWatch's former executive team, including the founders. ("I nailed the date exactly, man," he says, allowing a sly smile.) Barday had self-funded the company's incubation period, but now the AirWatch founders--Alan Dabbiere and John Marshall, who had built another billion-dollar company before AirWatch and led it to an IPO--were able to fund an aggressive public launch with essentially a line of credit. "I had business partners who understood enterprise software, trusted me, and knew that to win a market you've got to go big," says Barday.
That meant that, rather than having to hit investors' benchmarks in the early years to unlock each successive round of venture capital, OneTrust was able to build a full suite of products on spec.
Barday wasn't yet 30, but he had ample experience learning to anticipate customers' needs and devising products to fit them. Drawing on his years at AirWatch, he made a habit of spending lots of time in the field.
GDPR became law shortly before OneTrust's 2016 launch, and took effect in 2018. OneTrust was ready. That same year, California lawmakers passed the CCPA.
With many other states and countries now at various stages of developing their own consumer-privacy regulations, the patchwork of requirements companies must adhere to is growing ever more intricate, and the need for an agile technology is growing ever greater.
The research firm Gartner predicts that by 2023, 65 percent of the world's population will be subject to national privacy laws, compared with 10 percent today. What's more, says Hughes, "with a global digital economy that wraps the entire world in milliseconds, companies can't rely just on complying with a single law wherever they are based; they have to respond to the entire global network of sometimes conflicting privacy laws." Violating the GDPR alone can stick a company with a fine as high as 4 percent of its annual revenue.
Which translates to an expanding industry. Market Study Report estimates the privacy-management-software market will exceed $3 billion a year by 2025.
Today, Barday's startup has more than 100 technology patents and powers more cookie banners (and the privacy operations behind them) than any other company on the planet.
Competitors include legacy companies in the space that have adapted, such as TrustArc; venture-backed startups including London-based Privitar; and established global giants like SAP and IBM. But OneTrust has so far maintained its lead. A recent Forrester Research report puts the company at the front of the pack in every category of its assessment: product offering, strategy, and market presence.
That's why when you tell a website not to sell your information, or ask to see your personal data or delete it, there's a good chance it's OneTrust's technology that will follow through. And if you're an executive wondering whether your company has privacy-law compliance issues, OneTrust's technology will tell you.
"We're like a giant magnet floating over the haystack, sucking out all the needles to find all the hidden issues," Barday explains. "Look, you have people who have downloaded spreadsheets from the CRM and emailed it around. You have Facebook, Google, and all these different tools your developers use to build their apps--and which can start collecting information from your company before you know it. Maybe you simply hosted an event, and your event team collected dietary restrictions from attendees and now knows who's kosher versus who's halal. Now you're collecting religious information." You can see how he kills it in a pitch meeting.
OneTrust's 1,500 employees, spread among offices in eight cities worldwide, have had to push themselves hard to handle large spikes in demand around the introduction of new privacy laws. "With GDPR and CCPA, you had an entire market moving to buy software on a deadline--and we have to deliver, because if we miss an opportunity, it's over. So do we scale our head counts, knowing that it's just for this one period, and then lay those people off? I would never want to do that. So instead, we all just worked harder. We gave people
bonuses, we brought in lunch, dinner, popsicles, massages--we did everything we could."
So far, it's working. After three years of growth funded by the AirWatch founders, OneTrust raised $410 million in venture capital, in two rounds led by Insight Partners over the past year, yielding a valuation of $2.7 billion. And Barday, true to his parents' American-dream ambition, has only expanded what he envisions for the company, which he describes as "an entire infrastructure that becomes part of the fabric of business"--a Salesforce-like platform for privacy management and consumer trust.
It's a vision that, says Insight's managing director Richard Wells, "touches literally every business, big and small, in every geography around the world." As if that weren't enough to tackle, OneTrust's work has only intensified in the past few months as the Covid-19 pandemic has made global business more digital than ever.
Four years of hypergrowth and constant global travel--half of the company's revenue is international, and Barday has logged more than a million flight miles visiting customers--have taken a personal toll on the founder. "I underestimated what it would do to my stress level and health," he says, declining to get specific. "I've made irreversible decisions that compromised my health and that I'm going to have to live with for the rest of my life. Was it worth it?"
That's a question many founders have asked themselves as their companies finally reach cruising altitude, and Barday will have to answer on his own account. But he doesn't show signs of slowing down yet. And the market has certainly spoken.
Behind the Cookie Banner
What's happening back there, according to OneTrust's founder.
1. "We use A.I. to crawl into the network of a company and help it understand and find all the user data it has. You'd think that a company knows that already, but it's surprisingly difficult because there are so many different departments, products, ads, contractors, and partners."
2. "We help companies compare the data they have against all of the laws in the world that apply to them, and determine if they are compliant. If not, we help them remediate the problem. What do we need to encrypt? What do we need to stop collecting?"
3. "We open up control of the data and make it transparent for consumers. And guess what? When you submit one of those forms on a website that says 'Delete all my data,' the company that tries to delete it has to now propagate that request to third parties all over the world that have touched it somehow. That's an incredibly complex problem to solve in real life."