The Privacy Due Diligence Clubhouse VCs Should’ve Conducted
Audio social media app Clubhouse and Andressen Horowitz (a16z) recently announced closing a Series C round at a $4 billion valuation with an undisclosed funding amount, after already raising $110M in previous funding rounds.
Privacy is one of the most critical issues of our time, and VCs play a significant role in introducing technologies that infringe on individual privacy at massive scales. In Clubhouse’s case, a16z played a key role in fueling Clubhouse’s meteoric rise, leading its $10M Series A, $100M Series B, and recent Series C funding rounds.
Previous posts in this series covered: Clubhouse’s privacy failures, how its rollout signals to consumers that it cares more about growth than them or their privacy, and a blueprint for how Clubhouse can leverage privacy for growth, instead of growing at privacy’s expense. This piece focuses on the privacy due diligence points that VC firms like a16z should explore when investing in startups like Clubhouse.
It’s hard to ignore Clubhouse’s privacy problems — unless the ignorance is actually a willfully turned blind eye. Instead of sweeping their privacy problems under the rug, Clubhouse investors should guide their founders to build in response to customer demand for privacy and create privacy value, instead of incurring privacy liability and building an anti-privacy brand that would just turn off their prospective customers.
The emergence of ESG, SRI, and impact investing lends to the need for privacy due diligence
Today’s investors no longer just care about returns. More and more limited partner (LP) investors — investors who invest in venture funds like a16z — want their money to make a positive impact on society and the world at large, including when it comes to privacy.
It turns out that socially responsible investing (SRI) — investments that are socially responsible due to the nature of the business the company conducts — accounted for more than $1 out of every $4 under professional management in the United States. Investors also used environmental, social, and governance (ESG) criteria to evaluate companies for investment, and these accounted for $16.6 trillion in investment assets in 2020. It seems LPs care enough about their investment dollars to the tune of a $715 billion impact investing market, and some LPs are even looking to link a fund’s carried interest to quantifiable impact metrics.
Given the emergence of ESG, SRI, and impact investing, accompanied by the increasing global regulatory scrutiny over privacy, and the marketplace demand for privacy, it’s irresponsible for VC firms to ignore privacy’s effects on their portfolio companies and such companies’ impact on society, including privacy.
Clubhouse investors — and investors, in general — should be assessing the privacy impact of their investments. This is largely a nonexistent practice today. VCs like a16z can conduct the much-needed privacy due diligence by exploring the covering points early on:
1. Understand the increasing marketplace demand for privacy.
There is a clear marketplace demand for privacy, as supported by a recent Consumer Reports study. Similarly, Pew Research, which has been tracking consumer privacy sentiment throughout the years, found in their study last year that more than half of Americans have abandoned an online service due to privacy concerns. Perhaps most damning are the various research studies that found that people weren’t willing to use contact tracing tech due to mounting privacy concerns, despite the compelling individual and public health interests involved.
In the consumer space, Signal saw surges in downloads throughout the pandemic, the national wave of racially charged protests, and the recent US election season, with users signaling that they value private messaging. Privacy-first browser, Brave, and search engine, DuckDuckGo, have reported similar usage upticks in recent months. Of Android users who switched to iPhones, 32% indicated doing so because of Apple’s privacy posture.
To tie it back to Clubhouse, it’s pretty damning that Clubhouse’s meteoric rise slowed down considerably around the same time Clubhouse came under public scrutiny over its privacy and security gaps. (In addition to this Privacy & Technology series, The New York Times, Forbes, WIRED, Vox, and several other media outlets covered Clubhouse and its privacy and security failures.)
2. Assess the privacy implications of a portfolio startup’s business model.
Investors should look at a target company’s business model and ask whether it involves monetization of user data. If so, they should ask whether the data monetization is conducted transparently and fairly and reflects its users’ true choice. Investors could help their portfolio founders brainstorm and consider less privacy-invasive business models before they get stuck with highly problematic ones and feel that it’s too late to pivot.
3. Ask portfolio founders about their privacy strategy.
Investors should ask its portfolio founders basic questions about their privacy strategy. Following Zoom’s privacy and security failures, its CEO, Eric Yuan, infamously admitted he never previously thought about privacy and security issues. Investors could help their portfolio founders anticipate and avoid such costly mistakes by developing a thoughtful privacy strategy early on.
4. Consider privacy’s impact the portfolio company’s bottomline and brand.
As covered in one of the preceding posts in this series, privacy has been shown to both decrease and increase a company’s bottom line. VCs should keep this in mind in making investments for two reasons: 1) they need to safeguard their LPs’ investment dollars and 2) they need to assess their portfolio companies’ viability in a regulatory landscape and in a marketplace that highly scrutinize privacy practices.
Beyond the numbers, investors should raise brand privacy risks issues with potential and existing portfolio founders. Recall the Android users who switched to iPhones, 33% of whom cited Apple’s privacy posture as their reason for switching. It is perhaps due to privacy’s brand implications and effect on the bottomline that we’re recently seeing Google take a page out of Apple’s book, announcing the phasing out of third-party cookies and a serious app privacy overhaul on its Play store.
5. Ask portfolio founders to assign responsibility for privacy in the early days and connect founders to privacy experts.
At the very early stage when it’s just the founders and their lean founding team, investors should push their portfolio founders to identify who would be responsible for owning privacy during product development. Depending on the product and industry, explore whether it makes sense to hire a privacy engineer as part of the founding team.
Alternatively, or as a supplement to the small founding team who may not have the requisite privacy expertise, investors should connect their portfolio founders to counsel, advisors, and/or board members with privacy expertise. Privacy discussions at the board level have increased in recent years. Depending on the startup’s stage and maturity, investors should also connect their portfolio founders with competent data protection counsel, especially as they scale globally and face strict data protection laws all over the world.
Securities and privacy are both highly regulated spaces. It’s not too far-fetched for regulators to step in and take a look at the privacy impact of investments, especially given the unprecedented investment rounds for Clubhouse, a pre-revenue social media app riddled with privacy and security failures. The time is now for investors to self-regulate when it comes to assessing the privacy impact of their portfolio companies.
Conducting privacy due diligence would not just be good for a VC’s own brand, but would also positively impact their portfolio startups’ bottomline and help meet their LPs’ impact investment goals. Privacy is no longer just a regulatory concern, but also a valuable market, business, and investment opportunity.
This post is the fourth part in a series exploring Clubhouse and privacy. The first outlines Clubhouse’s early privacy failures. The second is about how Clubhouse’s app rollout signals to consumers it values growth over them and their privacy. The third provides a privacy blueprint for Clubhouse to leverage privacy in scaling, instead of growing at privacy’s expense.
