The upcoming EU GDPR is not only relevant to CISOs and DPOs (Data Protection Officers), but has a massive impact on businesses, particularly due to the new consent rules. Instead of a fuzzy consent, given once, in the form of “This site uses cookies. If you continue using the site, you accept that we collect all data we can and do whatever we want to with the information.”, EU GDPR mandates consent per purpose, which has to be given unambiguously and informed. This also means that any new purpose of using data requires additional explicit, informed, and unambiguous consent. And that consent can be revoked at any time.
What has this to do with the valuation of start-ups? Sometimes nothing. Sometimes a lot. If the value is based on the contacts to customers or consumers and the knowledge about these (i.e., data), it has a lot to do with them, for two reasons. The first is that this start-up will have to ask all its EU-resident users for consent. Some might not give consent at all. Some might not give consent for certain selected purposes of using their PII.
However, that is just the tip of the iceberg. It might cost the start-up some few percent of its customers, but rarely more.
Secondly, though, once the start-up is sold to another company, the purpose will most likely change. Just think about merging the data of the start-up’s consumers with that of the acquiring company. Obviously, the way the other company is using data is a new purpose for the consumers of the start-up. Thus, new consent must be given. That is the moment where far more consumers might refuse their consent.
How many consumers will do so will vary. It might be very few, it might be a significant number. The number will depend on the amount of data collected, the purpose, and the balance between such purpose and the value of the service to the customer – the perceived value from the perspective of the customer. The price for consent will increase. That, together with the increasing uncertainty regarding the sustainability of consumer relations will impact the valuation. Sometimes more, sometimes less. Applying Metcalfe’s law, which is used as a foundation for the valuation of many start-ups, will become more difficult because not every “node” will be of equal benefit anymore, with sometimes more, sometimes less consent given – aside of the potential decrease in the number of nodes.
However, we can’t predict whether there really will be a negative impact. Time will tell.
Furthermore, there is also a potential in the EU GDPR for start-ups. EU GDPR will impact the way customer relations are managed. If a business expects a customer giving consent, it must proof the value to the customer. Many existing businesses aren’t well prepared for doing so, leaving room for start-ups with innovative ideas and innovative business models around managing the customer relationships. I also see more room for paid services. If customers understand better what they pay today in the “PII currency” for a “free” service (which they will in the age of consent per purpose), there might be more customers that might choose an option where they pay with money, not with PII. Thus, there is a potential for more direct monetization of services, in contrast to indirect models via adverts.
Let’s wait and see whether and how the EU GDPR finally will impact the valuation of services and whether it will help foster innovation in customer relations.
