Category Ketch

Ketch Named Cool Vendor in Privacy 2021 by Gartner®


Ketch Named a Cool Vendor in Privacy by Gartner



SAN FRANCISCO, CA (November 10, 2021) Ketch, the next generation data control platform for privacy, governance and security, named a Gartner® Cool Vendor in Privacy[1]. Ketch provides granular control over protected consumer data, including data discovery and classification. Ketch also offers end-to-end privacy automation including data subject rights (DSR) fulfillment --ensuring people’s privacy preferences are fully honored across data ecosystems.


In evaluating vendors, Gartner notes that: “Digital transformations and continued adoption of cloud services mean that personal data is processed in more locations than ever. It is imperative that organizations automate data discovery and governance functionalities in order to better protect personal data throughout the data life cycle.”


To help with this challenge, Ketch automates the discovery of personal data across a company’s data systems, and uses machine learning to classify and label data (e.g. personal, sensitive, and social security number, address, etc.). Through a central policy center, Ketch customers can articulate and enforce policies for access, security and privacy on data wherever it lies.


“Companies need an automated, scalable way to discover, classify, and inventory data for their privacy and data governance programs,” explained Tom Chavez, Founder and CEO of Ketch. “We believe that Gartner nailed the challenge succinctly: it’s not feasible for any company to comply with globally expanding regulations with a manual approach. We built Ketch to provide a programmatic approach to privacy, to help companies respect and honor people’s privacy rights, while responsibly using data to grow.”


Gartner Disclaimer


GARTNER and COOL VENDORS are a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. Gartner does not endorse any vendor, product or service depicted in our research

publications, and does not advise technology users to select only those vendors with the

highest ratings or other designation. Gartner research publications consist of the

opinions of Gartner’s research organization and should not be construed as statements

of fact. Gartner disclaims all warranties, expressed or implied, with respect to this

research, including any warranties of merchantability or fitness for a particular purpose.


About Ketch

Ketch is the leading data control company for Programmatic Privacy™ and governance. The company was founded in 2020 by data management veterans and serial entrepreneurs who successfully built and scaled enterprise systems for world-leaders like Salesforce and Microsoft. Ketch’s ‘Deploy Once, Comply and Secure Everywhere’™ architecture delivers comprehensive data privacy, governance, and security to organizations seeking to protect data, build trust with consumers, and successfully compete in data-driven markets. Thanks to Ketch’s ability to dynamically adapt to the ever-changing legal landscape, customers can future-proof their businesses while cutting operational and privacy engineering costs by 80%. More information is available at




Bonnie Moss

Moss Networks



[1]  Gartner, “Cool Vendors in Privacy,” Bernard Woo, Bart Willemsen, Michael Hoeck, 21 October 2021.



Book A Meeting

Is Privacy Shield Required For GDPR?

In a ruling made by the European Court of Justice last year, the Privacy Shield policy between the United States and the European Union was nullified. The decision had farther-reaching consequences than most people expected, especially regarding data protection in Europe.

Understanding The EU-US Privacy Shield

Based on the regulations brought forth by the GDPR, only data transferred within the EEA (Norway, Iceland, and Lichtenstein) and the European Union was to be considered unproblematic. 

However, supposing personal data happened to be transferred to a third country, the GDPR requirements state that there should be a comparable level of data protection in the recipient country. 

This was known as the Privacy Shield statute. In more standard terms, it was an agreement between the EU and the US designed to ensure the enforcement of this new level of data protection and replace the Safe Harbor regulation that was in place earlier but had been invalidated. 

This meant that even without the Privacy Shield, one would be allowed to receive personal data from the EU without additional legal measures.

Transfer Of Data To Third Countries

When it comes to GDPR and marketing, the transfer of data to third countries can only occur under the following conditions:

  • The transfer has to take into consideration the EU adoptions made to serve as adequacy decision parameters for countries such as Canada, Israel, Switzerland, Japan, Uruguay, Argentina, Faroe Islands, Isle of Man, Andorra, and New Zealand.
  • There has to be the presence of a legally binding agreement between authorities similar to the now invalid EU-US Privacy Shield.
  • There has to be a set of binding data protection rules and regulations within one or more companies.
  • One has to apply the standard data protection clause adopted by the commission, which aligns with the examination procedures referred to in Article 93 (2).
  • Adopt the code of conduct recommended by the supervisory authority.

One of the main advantages of the Privacy Shield was that it worked like an adequacy decision parameter. This meant that businesses could process the data without any more legal hurdles.

What Invalidating The EU-US Privacy Shield Meant

The decisions made by the European Court of Justice impacted various sectors of the marketing world, in particular, the internet. A wide range of online platforms such as Facebook, Twitter, Youtube, Google Maps, Social Plugin, and Google Analytics were all under US companies that had adopted the Privacy Shield.

If e-commerce website users implemented these new parameters, then data transfer to the USA could be possible. By nullifying the Privacy Shield, using e-services is no longer regulated by the privacy treaty that existed between the EU and the US.

Some Of The Alternatives To The Privacy Shield

If a destination country doesn’t have the right level of data protection, then any transfer of information has to be legitimized using other relevant safeguards. If the data subject gives their consent, then the transfer is possible. 

However, it is essential to state that the permission needs to be understandable, voluntary, and revocable. This means that it is not enough to inform the subject about data transfer in your privacy policy. 

They have to be provided with all the relevant information, and consent must be given before any transfer takes place. Data privacy software might be helpful in this regard.


Operating a website without any external content is next to impossible in today’s highly competitive market. However, to comply with the GDPR, it is a must that websites legitimize all their data transfer. 

Ever since the nullification of the Privacy Shield policy, it has become a necessity for businesses and marketing departments to align with the requirements.

How To Add Cookie Messages To Your Website

Data privacy laws such as Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have made it obligatory for websites—at least those that do business in Europe and the United States and collect information from customers in these areas—to have a cookie message on their homepage. 

But what is it, and how do you add it to a website?

Adding cookie messages to a website is much simpler nowadays, thanks to website plug-ins and data privacy services that allow you to customize your cookie message’s text, appearance, and options, on top of ensuring that it’s compliant with relevant laws. 

You can also add cookie messages by building your own script that lets it pop up as soon as a user visits your site.

What Is A Cookie Message?

A cookie message is a pop-up or banner that appears on your website during a user’s first visit. It communicates your website’s use of cookies and gives people the option to opt-in or opt-out of the use of cookies. 

Cookie messages also usually link to a businesses’ privacy policy, where the consumer rights established by data privacy laws are listed. Follow the link to an article that addresses the question: How often should a privacy policy be updated?

What Should A Cookie Message Include?

To ensure that people’s data privacy rights are upheld, a cookie message should contain:

  • an explanation of the purpose of website cookies
  • the option to opt-in or opt-out from the use of cookies
  • a link to a cookie policy, privacy policy, or website cookie details 

A cookie message can also expand to include customization options, where users can choose which category of cookies they want to allow, e.g. just necessary cookies and marketing cookies, only preference cookies, etc.

Why Does A Website Need A Cookie Message?

Cookies are packets of data that computers receive and send to track users’ information. They’re generally harmless; website developers use them to create a more personalized and intuitive online experience, while business owners use them to get to know their customers better.

However, since cookies contain personal information, they are a potential risk to individuals’ privacy. So data privacy laws require businesses to either obtain consent before using cookies or at least inform consumers about how cookies collect and use their information. 

Businesses can do this using a cookie message that immediately appears as soon as a person arrives at their website, ensuring that consent is obtained before that consumer uses the site.

How To Add A Cookie Message To A Website

To add a cookie message to your website, you can ask a website developer to create a script for your website, use built-in plug-ins (for websites that use development platforms or hosts like WordPress or Squarespace), or add tools from data privacy services. In case you want to know how to block cookies before consent, follow the link to that information.

Built-in Script

If you have an in-house website developer, you can create a built-in script for a cookie message that fits your website. This is a good option if you’d like to have a pop-up or banner that’s cohesive with the general style of your platform. Just make sure that it includes all the necessary details and the opt-in/opt-out choices that comply with data privacy regulations.

Website Plug-ins

Most website development sites and hosting services have created plug-ins that you can add to your website straight from the platform. Wix, for example, has a cookie banner that you can enable and customize on your website—without any complicated codes or scripts from your end. 

Data Privacy Services

Data privacy services can usually hook your website up with a cookie message through ready-made scripts or widgets that you can just add to your website. The advantage of these is that you’re 100% sure that your cookie message is compliant with any international and local data privacy laws.


Adding a cooking message to your website ensures that you are doing your part to follow data privacy laws, essentially upholding people’s data privacy rights. Not all websites need to comply with regulations like the GDPR and the CCPA. But seeing as many international markets are putting value on data privacy, it’s good practice for all businesses to conform to these laws as soon as they can.

How To Block Cookies Before Consent

For data privacy laws to be effective, businesses must comply with regulations that ensure the safety of people’s personal information. This starts with obtaining consent from visitors to your website or app to collect, store, or manage their data. 

Website cookies can complicate this, though, since some of them are set into motion even before getting permission from a consumer. 

That said, there are ways to block cookies before consent is requested, either by turning cookies off completely, hard-coding your website to control cookies, or using data privacy services that help you manage how cookies behave on your website.

Another step you need to take at the same time is to add a cookie message to a website or app, but that topic is addressed in another article.

What Are Cookies?

Cookies are files of data that computers receive and send to track users’ information and activity. It’s an essential component of web browsing; developers use it to create a better online experience and advertisers use it to infer consumer preferences for more effective marketing

Generally, cookies are harmless. But depending on the type and amount of data harvested from a consumer, they can pose a risk to privacy. 

Cookies can be used to track a person without their consent—or worse, to steal sensitive information such as ID and financial details. The California Consumer Privacy Act (CCPA) is very clear on the types of personal data that should be protected. 

It might be a good idea to check the CCPA’s personal information guidelines since additional states are expected to pass similar laws in the future. Businesses must pay attention to how cookies behave on their websites, and it seems wise to not only comply with current privacy laws but to also be prepared for future legislation ahead of time.

What Is Prior Consent?

Prior consent refers to the act of obtaining consent from a person before allowing any cookies into their device except those needed for the website to function. This means that you have to prevent cookies (or any other online tracking devices) from collecting personal data until a user agrees to that collection.

Why Do I Need To Get Prior Consent?

Some data privacy laws such as the General Data Protection Regulation (GDPR) deem it illegal for businesses to process personal information before getting consent from a consumer to do so. So websites aren’t allowed to set any data collecting processes (such as cookies) in motion without prior consent.

How To Block Cookies Before Consent

A website that blocks cookies before consent contains scripts in their source code that prevent any cookies from being placed in a user’s device to collect their personal information until after the user explicitly agrees to it. 

There are three basic ways to ensure that your website is compliant with this part of the data privacy laws:

Turn Off All Cookies

One way to make sure users’ personal information isn't collected without their permission is to stop all tracking tools completely—basically, turning off all cookies.

But while this method is easy, it robs your website of any cool features and widgets. It also prevents you from getting insights into who your customers are.

Hard-Code Your Website

Website developers can hard-code sites to have full control over how cookies are placed in users’ devices. They can identify the cookies and create scripts to block them before obtaining consent from users. 

That said, this can be a difficult task, especially since it involves pinpointing multiple trackers and possibly making individual scripts for each one.

Use Ketch 

With the Ketch experience server, you can consolidate and customize consent requirements into customized privacy experiences-  all with a few clicks. No hard coding or data collection blocking workarounds required. 

All you have to do is add the Ketch tag to your website; then you can begin to customize cookie preferences and how you obtain consent from users. Learn more here.

What Is Personal Information Under The CCPA?

The California Consumer Privacy Act (CCPA) was enacted to provide California consumers more control over the personal information that businesses collect about them. But what exactly is included in the scope of “personal information?” Under the CCPA, personal information includes basic details like names, addresses, and government information such as driver’s licenses and social security numbers. It also extends to data that consumers aren’t even aware of that businesses collect such as browsing history, biometrics, and even data on a consumer’s interaction with websites and platforms that they’ve visited. 

What Is The CCPA?

The CCPA is a data privacy law that secures the right for California consumers to protect their personal information, including:

  • The right to know what personal information a business collects, uses, and shares or sells
  • The right to delete personal information collected by businesses (with some exceptions)
  • The right to opt-out of the sale of personal information
  • The right to non-discrimination for exercising the rights established by the CCPA

For-profit businesses that conduct operations in California or fit the criteria set by the CCPA are required to comply with the law by being transparent about their data practices and providing consumers channels to opt out of data collection or request access to the data collected from them. If you’re wondering: how to block cookies before consent, follow the link for an answer.

What Is Considered Personal Information Under The CCPA?

According to the CCPA, personal information refers to “information that identifies, relates to, or could reasonably be linked with” a consumer or their household. 

The term is broad in order to encompass all the data that is currently being collected through different tracking practices and other information that businesses may begin to collect in the future, given the ever-evolving digital landscape.

Personal information, then, includes:

  • names - full names, aliases
  • addresses - postal address, email address
    • financial information - credit card numbers, bank details
    • government information - social security numbers, passport information
  • commercial information - personal property, purchase or service history
  • professional data - job history, employment details
  • education-related information - educational history, student data
  • geo-location - I.P. address, device location
    • biometric data - fingerprints, medical data
    • browsing activity - search history, website interactions
  • inferred profile - inferences that could point to consumer behavior and preferences

What Is Not Considered Personal Information Under The CCPA?

The CCPA doesn’t include publicly available information such as that from federal, state, or local government records (e.g. professional licenses, real estate, etc.) in the category of personal information.

One option to manage the information your business collects from site or app visitors to ensure compliance with all applicable laws and regulations is to use a data privacy tool—essentially a piece of software that helps your company avoid all the repercussions of breaking the law, however unintentionally.

How Does The CCPA Protect Personal Information?

The CCPA protects the personal information of California consumers by requiring businesses to incorporate transparency measures so people can control how their data is collected, stored, used, and shared or sold.

Some requirements set by the CCPA include adding a “Do Not Sell My Personal Information” link on their website’s homepage that lets consumers opt-out of the sale of their personal data, obtaining consent from minors or their parents, and providing channels for consumers to request access to their data. Businesses must also update their privacy policies to include details of the CCPA, specifically the rights consumers are afforded by the law.

Most of the changes brought about by the CCPA affect how businesses operate, especially concerning data collection and the use of it, e.g. for marketing, ad targeting, etc. The best way for companies to play it safe—and prevent having to pay steep fines—is to be transparent about their data practices, pinpointing exactly how consumers’ personal information is used for profit. By the way, if you are required to get permission from site visitors to use cookies, it will be necessary to learn how to block cookies before consent is given.


Since the CCPA was enacted to help consumers protect their personal information, it’s important to know what kind of information is covered by this legislation. 

The following data is covered by the CCPA: names, addresses, finances, government issued ID (social security number/passport information), purchase history (goods and services), profession, education and so on. Publicly available information such as real estate owned or professional licenses are not protected by the law.

The law requires enterprises doing business with California residents to be very transparent about what information they collect and how they use it. Individuals in this state have the right to prevent any business from selling their personal information collected online to another business.

What Size Of Companies Are Affected By GDPR?

The General Data Protection Regulation, abbreviated to GDPR, came into effect in 2018 and has since changed the way businesses handle customer data. 

Although an EU directive, GDPR affects any company, large or small, that sells its products and services to the European market. 

Regardless of the size, your business must be GDPR compliant if you want to avoid hefty fines, stretching well over $24 million! To find out exactly what happens if you break GDPR laws, follow the link. Google was fined roughly $57 million by the French data protection authority back in 2020 for failing to meet GDPR requirements.

The Extent Of GDPR  

GDPR is a strict data privacy policy designed to protect European Union citizens’ personal data.  

It also limits how much customer information is accessible by business organizations. The aim is to give people more control over their personal information and force companies to handle information in ways that allow individuals to easily exercise that control. 

This regulation extends far beyond the European borders and affects businesses worldwide. Just after its introduction, most companies made efforts to reform their privacy policies to be GDPR compliant. 

You would be wrong to think your company is not subject to the GDPR if it wasn't established in the EU. Furthermore, it doesn't matter whether the data processing takes place inside or outside the EU. 

If your company collects information from anyone in the EU by any means, you're bound by the GDPR rules, no matter where you are located. 

Any company that targets EU citizens with its marketing campaigns, accepts payments in Euros, and/or has European employees also falls under GDPR guidelines. 

What Size Companies Are Affected By GDPR?

It's essential to know if your company is affected by GDPR. Running your business without giving a second thought to its regulations is like an open invitation to fines, and they will come knocking pretty soon! 

As a rule, any company with over 250 employees must be GDPR compliant. They must also hire a data protection officer to keep records of the data processing activities engaged in by the business. 

So, if your company has fewer employees, you may not have to be GDPR compliant. However, that only applies if your company doesn't process data from EU citizens regularly. 

Large-scale companies regularly venture into the international market and, of course, the European market. They sell their products and services to EU citizens and, in doing so, collect data from them for various purposes such as target marketing.

In addition to that, these companies often employ European citizens. So, it's a given that GDPR applies to them, and they must comply with GDPR regulations. 

On the other hand, small companies may also engage in international trading, which binds them to GDPR. Even if you've got a local US-based company and most of your customers are US citizens, chances are you've got a website that is accessible to European citizens. 

This makes your company subject to the GDPR. So, always be careful how you collect data! Now, it's considered good practice to make your company GDPR compliant even if you've got a small business. 

If you haven't done it yet, this is as good a time as any to change your privacy policies to make sure your business is run according to the law and the fines are kept at bay. A good place to begin is with the seven data protection principles of GDPR. Another good move might be to look into a data privacy compliance tool.

Final Words  

GDPR indeed makes the business world a bit more challenging, but we can't deny the opportunities it brings.  

Adhering to the strict rules and regulations of GDPR shows that a company values individual privacy. It helps to build deeper trust with visitors and a better reputation generally. 

So, if you've got a company, make sure it is GDPR compliant—not just to avoid fines but also to respect  people’s privacy.

What Happens If You Break The GDPR Law?

The General Data Protection Regulation (GDPR) is the European Union’s (EU) set of laws for safeguarding the data and data privacy rights of EU citizens. Since the implementation of GDPR in 2018, numerous companies have been penalized for violating it.

Even if your company is not located or based in the EU, your company will be under purview of the GDPR if it has dealings with EU citizens. If you need to know the size of companies affected by GDPR, follow the link for an answer. 

Whatever your company’s size or location, it’s important to know what happens if a business breaks the GDPR law. It may well apply to you in the future, even if it doesn’t right now. Let’s look at the consequences of non-compliance here. 

Consequences Of A GDPR Violation

If your company is found in violation of or non-compliance with GDPR, there are various possible repercussions you may have to face:

Hefty Fines

The GDPR violation repercussion most feared by the majority of tech companies is, simply, economic. If your company is found to be in violation of GDPR, a fine might be imposed of up to four percent of the company’s total annual turnover.

These fines usually don’t exceed a total value of twenty million euros; however, the nature and magnitude of the violation will determine the total fine. 

Moreover, the companies facing the most severe fines will be those unable to complete the most basic steps of protecting user data. Large fines will also be incurred by those companies that transfer their users’ data to unsafe third parties.

Legal Repercussions

Organizations or individuals whose data has been compromised as a result of being stored in your company’s database have the right to take legal action against your company in the event of a breach.  

Lowered Reputation

GDPR violations are certainly damning and not a good look for any company. Your directors, consultants, and the highest levels of management are the ones that will come directly into the spotlight in the event of a GDPR violation because these are the people tasked with ensuring compliance.

Not only that but most companies in GDPR violation are bound to come under public scrutiny. A good deal of transparency is required when it comes to GDPR. A violation on the part of your company may well attract public attention while dealing with the legal and financial repercussions.

This, in turn, results in:

Commercial Repercussions

It’s no surprise that companies that have been found to be in GDPR violation have suffered significant commercial setbacks. If you don’t ensure GDPR compliance, you can expect to lose existing customers and scare off potential ones. It’s only natural — no customer would want to risk their personal data being exposed.

This also extends to dealings with other businesses. No company will want to partner up and share their consumers’ data with an organization that is known to violate GDPR and, therefore, can’t be trusted to keep third-party information safe.

Overall, a lack of trust and some degree of negative public opinion is bound to define any company that is found to violate GDPR.


To wrap it up, not complying with GDPR can have severe consequences for your company and might even force it to cease trading. The economic cost is, of course, devastating for many developing tech companies. But the hit to the reputation can prove to be an even worse repercussion in the long run.

Considering all of this, you can understand why GDPR compliance is an important priority for all tech companies dealing with EU citizen data. How do you know if you’re GDPR compliant? Ketch can help—contact us today.

4 Ways to Optimize 3rd Party Libraries

Web performance is an often overlooked metric of a company's website. It’s pushed to the back of the queue in preference of a site's look, layout and theme. While these areas of a site are important aspects of your visitors' experience, a poor loading and performing website will cause them to leave your site before it’s loaded. This means all the time and effort spent on crafting a great and compelling user experience was for naught.

According to a study conducted by Google in 2017as page load time goes from 1 second to 3 seconds the probability of a user navigating away increases 32%. The performance of your site ensures visitors get to go through the finely crafted experience teams have spent many hours creating.

If you’re a 3rd party SaaS provider, performance is more important. Businesses want to use your service, but if it’s the cause of performance issues on their site, they will be looking to replace your service as soon as they can. 

At Ketch, one of our top priorities is to ensure our libraries are as optimized as they can be for performance. 

Here are 4 ways we use, and so can you, to optimize our libraries to ensure they don’t hinder the loading and performance of our customers' websites and applications.


Use async/defer

If at all possible you should design your library to be loaded asynchronously, rather than synchronously. This is to allow page rendering to occur while the library is being downloaded, unlike synchronous scripts which stop page rendering until the script is downloaded, parsed, and executed. 

Synchronous script execution

You can utilize the `async` or `defer` attributes to instruct the browser to continue parsing the HTML while the scripts are downloaded.

While both the `async` and `defer` attributes tell the browser to download while the page is being rendered, the point at which the downloaded script is executed is where they differ.

The `async` attribute tells the browser to execute the script the first chance it gets after it has been downloaded, but before the `load` event is fired.

Asynchronous script execution

The ‘defer’ attribute tells the browser to execute the script after the HTML has finished parsing, but before the `DOMContentLoaded` event is fired.

Defer script execution


Remove unused code


Room with many stacked arm chairs on one side

Photo by v2osk on Unsplash   

To optimize the loading of your library you will probably run it through a bundling process to reduce the number of round trips to the server. Bundling combines your code files and their dependencies into a single file. 

What we tend to forget is that we rarely use all of the functions available within our dependencies, which come along for the ride during the bundling process. This can lead to an unnecessarily large file to download. 

To reduce this file size, implement a tree shaking process to remove all the code not being used.

Tree shaking looks at the bundled file and attempts to determine which code paths are not called and remove them from the final output.

Note: Tree shaking can have unintended side effects if it is too aggressive in removing what it thinks is unused code. This can cause unintended side-effects or broken logic on your page. You need to thoroughly test your page with the tree shaken file.


Break larger JavaScript files into multiple, smaller logical files


Lego Star Wars Stormtrooper being pulled apart by Darth Vader

Photo by Daniel Cheung on Unsplash

Above we talked about the bundling process, which combines your code and its dependencies into a single file to reduce the need for multiples to the server. Sometimes we don’t need all the functionality immediately upon page load. 

For instance, there may be function calls that require a user to press a button before it’s activated. This code can be separated into another file to be downloaded, or deferred, after the page’s HTML has been parsed. 

Use a Content Delivery Network

World globe with several destinations marked

People illustrations by Storyset

With all the previous optimizations implemented, you may think you’ve done all you can to increase your page’s performance, but visitors to your customers site are not created equal, at least in the case of location.

The further the visitor is away from your web server's physical location, and the speed of the network they’re connected to, affect how long it will take for their device to download your library.

While the previous optimizations will help tremendously with how long a library takes to download, this will move the files closer to the visitor. This can be accomplished by utilizing a content delivery network (CDN), like Fastly, Akamai, or Cloudflare.

The CDN does not replace the need for a web server, but allows caching of a site’s content at strategic locations around the world. This caching closes the distance between your library and the visitor viewing your customers page, decreasing the download time.



As a library creator, your responsibility doesn’t stop at getting the code working as expected. How it loads and affects the page on which it's executed is just as important. 

At Ketch we are continually monitoring and improving the performance of our libraries utilizing the tips above, ensuring we are never a hindrance to a customer’s site. 

Optimizing your library will show customers you care just as much about their site’s performance as they do.

Ketch Expands Go-To-Market Leadership Team; Appoints Three New Executives to Drive Growth

SAN FRANCISCO, CA — (August 5, 2021) Ketch, the next generation data privacy and governance platform announced the appointment of Alysa Hutnik as Chief Privacy and Data Security Advisor, Jim Wangler as the company’s Head of Revenue, and Michele Davolos as the company’s Head of Product Marketing. 

“With these skilled privacy, sales, and marketing leaders on board, we are ready to help every business build trust with consumers and put their data to work responsibly,” said Tom Chavez, CEO and Co-Founder at Ketch. “We are building the future of Ethical Tech, and I’m thrilled to welcome these new additions to the team as we head into our next phase of growth.” 

Chief Privacy and Data Security Advisor working with Ketch to ensure its solutions are designed to address the complexity of privacy and compliance regulations

Hutnik, a data privacy law luminary and partner at Kelley Drye, brings over 20 years of experience advising companies on practical privacy compliance and defending companies before the FTC and state attorneys general. At Ketch, she brings that real-world perspective to help ensure that Ketch’s platform is responsive to the privacy pain points faced by mid-size and enterprise customers and is designed to meaningfully automate compliance tasks, including as new laws are added to the books. A top priority for Hutnik will be helping Ketch enable companies’ ability to future-proof their privacy program with Ketch’s Deploy Once, Secure and Comply Everywhere Platform. 

Head of Revenue to scale company into next phase of growth

Wangler joins Ketch with a proven track record of driving exponential growth at early stage startups. Jim will be responsible for all revenue growth strategy and will be rapidly expanding Ketch’s global sales team to meet increasing customer demand. 

In his prior role as VP of Sales at Onfido, he grew North American Sales 15x over a two year period.  A serial entrepreneur and sales leader, he has spent the last decade building teams that create sustainable and scalable revenue growth. 

Head of Product Marketing to build a world class marketing program

Davolos, a product and marketing veteran from Salesforce, joins Ketch to lead product marketing and help businesses unlock the value of their data responsibly. Michele will play an integral role in defining the company’s marketing and business strategies. She is joining at a critical time to help define and amplify Ketch’s platform message for data privacy, governance, and technology as a force for good. 

Prior to Ketch, Davolos held various leadership positions in sales, product development, and marketing at Demandware and Salesforce Commerce Cloud, the market leading enterprise commerce platform. Salesforce acquired Demandware in 2016 for $2.8 billion.

Interact With Ketch


About Ketch

Founded in 2020 by data management veterans and serial entrepreneurs who’ve successfully built and scaled enterprise systems for the world’s largest companies like Salesforce and Microsoft, Ketch helps businesses build trust with consumers while controlling and harnessing data to fuel core operations and top-line growth. By maintaining dynamic data compliance with fast-shifting national and state regulations, Ketch’s customers cut their operational and privacy engineering costs by 80% and enjoy compliance with all data regulations, now and in the future. Ketch’s deploy-once, comply-everywhere architecture delivers comprehensive data privacy, governance, and security for large and medium-sized businesses seeking to protect data, build trust with consumers, and compete successfully in data-driven markets. More information at

The Privacy Opportunity Blog Post Series: Part 1

Right about now brands are panicking that digital advertising as they know it will come to a screeching halt. Consumers want the big tech companies to stop monitoring their every move and selling their behavioral data to advertisers, and the regulators seem to be on their side.

But we, at Ketch, don’t see the rise of privacy as an existential threat to digital advertising. Rather, we see privacy as an opportunity to demonstrate responsible stewardship of personal data in every interaction across every jurisdiction. This is big. To understand just how important that is, we need to understand the extent to which the consumer’s data dignity has been violated.

Many in the ad-tech industry participated in this violation without realizing the harm inflicted. In the heady days of data-driven marketing, our collective goal was to present relevant ads to consumers, to the benefit of consumers, advertisers and publishers alike.

In hindsight, the ensuing consumer rebellion was inevitable. This blog post series, based on Ketch’s Privacy Primer, looks at:

  • The conditions that led to the privacy rebellion
  • Government, Activists & Litigants: The Web of Players That Shaped Modern Data Privacy 
  • The Gorillas and Privacy
  • The implications of privacy for business, including the core complexities that must be overcome to make data compliance and growth compatible
  • A plan of action to begin solving for those challenges. 

Part 1: Surveillance Capitalism and the Consumer Rebellion

The Internet has always been based on a grand bargain: Advertisers will foot the bill for low-cost content and apps, but they want something valuable in turn, specifically new leads that turn into profitable customers. To deliver on that promise, an entire industry rose up to monitor consumer behavior on an epic scale, segment them on perceived interests and intent, and offer those insights to marketers for a price.

To Shoshana Zuboff, Harvard Business Professor and author of a groundbreaking book, The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power, this digital ad-tech ecosystem represented a grave threat to privacy and democracy itself. Her book shed light on the extent to which we everyday citizens are serveilled as we engage in activities for strictly social and personal reasons.

How We Got Here

According to Zuboff, surveillance capitalism started with Google and its goal to dominate the search engine market by serving up highly relevant results for every search query. Initially, Google’s intentions were honorable, or at least mutually beneficial. Google wanted its search engine to outperform all others, and to become, well, a verb. For their part, users wanted to see useful search results, meaning sites that offered the exact information they were after. By tracking the links its users clicked at scale, Google was able to predict user behavior (i.e. predict which site a user would visit) and optimize its search results based on those predictions.

But Google quickly realized it was sitting on an asset that could make it a lot of money, namely way more behavioral data than it needed to simply optimize its search results. That excess data, which Zuboff calls “behavioral surplus,” could be used to help advertisers improve their campaign returns for a hefty fee. That’s when the company began mining people data in earnest. It’s also when the egalitarian nature of the relationship ended. Google profited from consumers, but we got very little in return.

Zuboff describes how Google took pains to keep its surveillance empire away from public view, but those of us who worked in digital advertising were well aware of just how pervasive surveillance capitalism had become, even though we didn’t think of it in those terms. We called it data-driven marketing. 

Everybody sold people data. Companies like Experian, eXelate, BlueKai and many others vacuumed up great quantities of it -- financial, behavioral, purchase, demographic, psycho-demographic -- to create an endless array of audience segments for advertisers to purchase. The social media platforms joined in on the game, inviting advertisers to reach users based on hyper-specific criteria, such as interest, educational background, group affiliations and so much more, all while consumers assumed they were simply interacting with friends and family.

The reams of data the tech giants collected on us were mind-bogglingly large. By 2016, Facebook had 98 personal data points on each of its 2.2 billion users. Google collected enough data on an individual in one year that if printed and stacked, it would be taller than the Leaning Tower of Pisa (189 feet). 

For the most part, all of that data was collected without the consumer’s knowledge or consent, but that didn’t matter to the ad-tech industry. It was the age of data and data-driven marketing, and the ad-tech industry had a promise to keep: Enable brands to target the right user, at the right time, with the right message, in the right channel. But there was one “right” we didn’t consider: the consumer’s right to privacy.

Although consumers didn’t quite understand how their data was collected or by whom, the extent of the violation rankled, and they were angry. In 2007, Sean Lane purchased an engagement ring from Overstock, and planned to surprise his girlfriend with it, only Facebook’s Beacon feature jumped the gun, announcing his purchase in his news feed for all his connections to see. He, along with many others, hired attorneys and sued. In 2018, a federal judge approved a $9.5 million settlement against Facebook.

Soon a generation of activists and litigants rose up, and their efforts have literally transformed the privacy landscape, as we will discuss in our next blog series. Can’t wait to read about the web of players that shaped the privacy landscape? Download our free white paper, The Privacy Primer now.