Enforcement Drives $1.5B Privacy Compliance Vendor Market, IDC Finds
Growing enforcement and the AI explosion are driving steady growth in the global privacy compliance market, said IDC analyst Ryan O’Leary in an interview this week with Privacy Daily. IDC’s 2025 MarketScape report on worldwide data privacy compliance vendors found that the market grew 18% year over year, hitting $1.5 billion in revenue in 2025.
IDC expects the market growth to continue at that pace for the next few years, said O’Leary, the report’s author. “We project it to get to $3.5 billion by 2029, with [an] overall capitalized annual growth rate of 18.2%.” He added that the growth rate is “pretty high for a market.”
Enforcement has been one big driver of the market’s growth, said O’Leary. “Despite the deregulation at the federal level, we’re still seeing a lot of enforcement” in the states and Europe. “We’ve seen some pretty hefty fines in California for consent” management issues, including those imposed on Honda, Sephora and Todd Snyder, he said (see 2503120037, 2208240067 and 2505060043).
Enforcement of privacy laws drives the market more than their passage and enactment, noted O’Leary. “Everyone's gonna speed if there's nobody sitting there with a radar gun.”
In reaction to recent enforcements, privacy vendors are likely to start taking a more “hands-on” approach with customers to make sure they’re correctly configuring their products, the IDC analyst predicted. Many of the companies involved in the recent California actions “had actually deployed one of the vendors in our MarketScape [report], but it was misconfigured.” They all switched to a new privacy vendor after getting fined, he said.
Some lawyers say that recent settlements show the vulnerability of companies that buy tools from privacy vendors and think they can just “set it and forget it” (see 2507240056). In a recent interview, an official from the large vendor OneTrust agreed that businesses shouldn't set and forget privacy compliance tools amid increased scrutiny from regulators (see 2510090044).
Another factor driving the market’s growth is generative AI, said O’Leary. As marketing departments and customer data platforms embrace the nascent technology, “a lot of the folks in security and risk and legal” are urging companies to slow down and make sure they’re not exposing customers’ data. Breaches “are already happening every day,” and “to have an unforced error” where a company injects “a million records of personal information into an open AI model,” which it can’t claw back, could cause significant reputational damage.
Privacy compliance vendors emerged with the start of the EU's GDPR in 2018, but much has changed in the market since then, said O’Leary. “They have essentially evolved from what I would call glorified spreadsheets to more connected and deep technologies that … are looking at unstructured data and where it sits.” The analyst added, “We're finding that the core competencies in this area are data discovery and classification, as well as the ability to manage consent dynamically -- and not just cookie banners, but actual consent of known entities.”
OneTrust and Securiti are the two largest vendors in the market, said O’Leary, noting that OneTrust leads with about 25% market share, while Securiti has 15%. IDC’s report reviewed them and 14 other vendors competing for the remaining 60%. OneTrust trumpeted the IDC report on Monday.
It’s “a pretty decent” number of companies in the market, and “a lot of them are very similar in terms of the table stakes functionality, so for buyers, it can be very hard to differentiate,” O’Leary said. Even so, he hasn’t seen much “cannibalization of each other yet.”
OneTrust and Securiti “jockey” for the top position when “we’re comparing the capabilities and strategies,” as opposed to market share, he said, with some other privacy vendors growing quickly, including DataGrail, Transcend and Ketch. “The one vendor that’s fallen is TrustArc,” which was one of the “first in the space,” but “they just have not kept up.”
OneTrust benefited from a “significant first mover’s advantage,” arriving when the GDPR came into force, and it has “grown particularly fast,” said O’Leary. A second wave of vendors, including Securiti, DataGrail, Clarip, Relyance AI, Transcend and Ketch, were built “with data discovery [and] classification in mind and then added on the privacy stuff after.”