Privacy-Centric Enhancements: CTO Deepak Gupta Shares His Thoughts on Shifting Data Strategies
I have spent over a decade building consumer identity infrastructure. Here is how privacy went from compliance line-item to product strategy.

I have spent more than a decade building consumer identity infrastructure, including founding LoginRadius in 2013 and growing it to serve more than a billion consumer identities. Over that time I have watched privacy go from a compliance line-item managed by a legal team to a first-class product concern owned by the C-suite. Here is what I think about where data strategy is heading and how product leaders should respond.
The shift, in three acts
Act one: privacy as cost
For most of the 2010s, privacy was a function of the legal department. The job was to write the policy, defend it in audits, and otherwise keep out of the way of growth. Data collection was optimised aggressively. Consent was implicit. The cost of mishandling personal data was small and easy to absorb.
Act two: privacy as compliance
GDPR changed the math. Suddenly there were fines large enough to show up on the income statement. CCPA followed. Then a long parade of similar laws in dozens of jurisdictions. The work moved into a Privacy Office, the budget grew, and engineering teams started building data-subject-rights tooling. Compliance became real, but the framing was still defensive.
Act three: privacy as strategy
Today the leading companies treat privacy as a product capability. Apple positioned it as a brand. DuckDuckGo built a business on it. Even ad-driven platforms now ship granular consent surfaces and on-device processing. The shift is structural: consumers care, regulators have teeth, and the platforms have moved. Companies that cling to the compliance-only framing are losing share to companies that lean into privacy as a feature.
What product leaders need to do differently
1. Treat data minimisation as a design principle
Every form, every event, every cookie deserves the question "do we actually need this?" The cheapest data to govern is the data you never collected. The teams that build this discipline into their PRDs spend a fraction of what others do on compliance overhead.
2. Make consent a first-class product feature
A buried checkbox is not consent. Real consent surfaces are layered, granular, and respect the user's choices across every downstream system. Build the consent infrastructure once, well, and connect every analytics, marketing, and personalisation system to it.
3. Build data-subject-rights as self-serve
Access, correction, deletion, portability. Every regime requires them and the volume only grows. Build them as user-facing features in the product, not as a ticket queue. The cost difference at scale is enormous.
4. Default to regional data residency
It is easier to design residency into the architecture than to retrofit it. That means country-of-origin data routing, regional encryption keys, and regional processing. Doing so future-proofs the architecture against the next data-localisation law.
5. Pair privacy with security investment
Privacy and security are not the same discipline, but they share most of their tooling. Identity, access control, audit, encryption, and incident response serve both. A unified investment goes further than two parallel programmes.
The hardest part: governance
The biggest privacy failures I see are not technical. They are governance gaps. Marketing buys a SaaS tool with sensitive data flowing through it. Product launches a feature without privacy review. A research team uses production data for prototyping. Each is solvable with discipline, not technology.
The companies that handle this best share a few patterns:
- A privacy review is a launch-checklist item, not an afterthought.
- The DPO has real authority, not just a title.
- Engineering, product, and marketing share ownership of privacy outcomes.
- The board reviews privacy metrics quarterly.
Where I think this goes next
Three predictions I would bet on:
- On-device processing keeps growing. The browser and the phone become the primary processing environment for personal data. Servers see less raw data, more aggregates.
- Consent fatigue forces simplification. The cookie-banner era will end, replaced by browser-and-OS-level consent signals that respect user defaults.
- AI forces a new chapter. Training data, inference data, and agent actions all create novel data flows that current law barely addresses. The next decade of privacy law will be written in response.
The bottom line
Privacy is not the friction it used to be. It is the foundation of long-term consumer trust, and it pays back in retention, in regulatory ease, and in brand equity. The companies that internalise this now will spend the next decade building. The ones that do not will spend it apologising.