Key takeaways:

  • Today, eight states have enacted data privacy legislation, each with its own slight nuances — tackling this patchwork of state bills can be challenging.
  • Considering the lack of uniform legislation, it’s most effective to create policies that are as harmonized as possible rather than attempt to address policy on a state-by-state basis.
  • Determine the minimum bar for your organization and build your program around that. You can always make reasonable exceptions when there’s a business need.

This year has seen a considerable expansion of data privacy legislation in the U.S.

As of 2023, eight states — California, Colorado, Connecticut, Indiana, Iowa, Tennessee, Utah, and Virginia — have enacted comprehensive privacy laws, with more to surely follow.

During a Data Privacy Board panel discussion on scaling your program, Jennifer, Senior Director of Privacy and Information Governance at Carnival, said emerging state bills are one of the primary focuses of her program today.

“It’s dominos falling at this point,” Jennifer told the audience.

As an enterprise privacy lead, how can you tackle the deviations of these regulations and determine the top priorities and risks for your program?

Here’s some key advice from enterprise privacy heads.

Tackling the Nuances of State Regulations

Without uniform data privacy standards in the U.S., enterprises are left to tackle a patchwork of state legislation.

Some companies may choose to enact policy on a state-by-state basis, but Jennifer said it’s often more practical to set a minimum standard where all consumers are afforded the same rights. Not only is this approach easier to manage, but she said it’s, at times, the right thing to do.

“There’s a minimum bar that we work on. We’ve got GDPR, we’ve got California, so it’s easier when you have 90% of the program kind of sitting on top of that; then you just need to manage for the little nuances,” Jennifer explained.

It’s true there are slight variations to consider between these state requirements, but in general, they have more commonalities than differences.

During the panel discussion, Christina Kogan, Senior Director of Privacy at Workday, shared a similar approach.

Prior to this influx of state laws, Christina said they started to specialize and treat policy differently based on region. However, today, they’re quickly moving toward operating a privacy program with a “single line of code.”

She also added that even if you set a minimum bar, you can always consider adjustments and exceptions when there’s a justified business need.

“If you have a large program, you have to go to a single standard, and then you can back off where you need to where there’s a business case,” Christina said.

Furthermore, at many enterprises, there is not enough privacy staff to take a particularly precise approach to policy. Instead, the overall goal should be to develop frameworks that are as harmonized as possible.

Prioritizing Your Work When Perfection Isn’t Realistic

When working to ready your enterprise for new regulations, it’s important to keep in mind that perfect compliance is not an attainable goal. Last year, privacy leaders spoke on this idea during a panel discussion on 2023 legislation.

Harriet Pearson, Senior Counsel at Hogan Lovells and former Chief Privacy Officer at IBM, said, “You could keep working till the cows come home, and there’s going to be data left unmapped. There are going to be contracts that have not yet been swept into your third-party vendor program.”

There are other concerns like cybersecurity issues or data breaches that will, at times, need to take precedence. As a result, Harriet said that enterprise-wide, there needs to be both an assessment and appetite for risk assumption.

During the panel on scaling your program, Patrick Chavez, Chief Privacy Officer and Associate General Counsel at Edward Jones, also spoke on how to prioritize your work in navigating incoming regulations.

He pointed out that there’s some implementation time built into the rollout of these laws, saying, “But that’s for a reason because it does take time,” adding that, of course, the effective dates will also play a role in how you prioritize your efforts.

At Edward Jones, Patrick said they often begin by first addressing the technology aspect of compliance.

“That tends to be harder, at least for us, in terms of finding the data and determining how we are going to operationalize it and how we’re going to build a system or process around that,” he said.

Whenever a new law is on the horizon, Christina said the team at Workday does a quick analysis of how it might impact their program and consumer expectations.

She said, “We say, ‘How bad is this going to be? Is this going to require changes to our overall program or software?’”

Jennifer also shared that, today, her team is focused on “checking for compliance” rather than just “accepting compliance” based on automated assessments. She said this is the result of word from California regulators that they will be checking on compliance and enforcement internally.

Your internal questionnaires or automated assessments might tell you that your program is checking all the boxes for compliance, but it’s still important to manually test those processes.

Benchmark with Other Privacy Leaders

With so much change on the horizon, it’s beneficial to benchmark strategies with other enterprise privacy leaders. You can gain invaluable insights from leaders operating at similar enterprises across different industries, states, and nations.

The Data Privacy Board is where senior enterprise privacy leaders can receive candid peer insights in a confidential and vendor-free setting.
