Table of contents
- Executive summary
- Key findings
- A changing global data privacy law landscape
- Emerging technologies: AI, biometrics and geolocation
- Conclusion: Preparing for the year ahead
- Data privacy compliance checklist
- Methodology and demographics
Executive summary
2023 is shaping up to be a landmark year for data privacy, on both sides of the Atlantic. In the US, four new state laws go into effect – two on 1 July – while California is expanding its already robust requirements, and several other states have enacted or proposed privacy legislation of their own. Across the pond, the EU-US Data Privacy Framework nears implementation as negotiations around other global agreements – such as those between the European Union and a post-Brexit United Kingdom – intensify.
Against this backdrop, Womble Bond Dickinson’s second annual survey report analyses the fast-evolving global data privacy law landscape and, for the first time, includes over 200 respondents from both the US and UK.
The survey finds that as data privacy compliance gets progressively more complex, only about half of executives are “very prepared” to meet these standards. What’s more, given our global respondents’ lack of readiness with regard to such early measures as understanding where all their data sits across their organisation, even these executives may not be as prepared as they think.
Drawing on insights from business leaders who play a leading or supporting role in data privacy issues – nearly half of whom are in the C-suite – our report illuminates how organisations across industries are preparing for regulatory challenges, the growing use of biometric data and artificial intelligence (AI), differences between operating in the US, the UK, Europe and more.
When it comes to data privacy laws, are organisations as ready as they think they are?
The survey also uncovered that many respondents in the UK and US who say they are very prepared may not have taken the measures needed to justify such a claim. For instance, while many companies might implement external-facing actions, such as putting a cookie banner on their website or updating privacy policies, just 34% of all respondents say they have conducted data mapping and understand data practices across the organisation.
“Companies are often under-resourced and have to focus on cosmetic changes by updating public-facing content; however, this doesn’t eliminate the inevitable need to build out back-end requirements to truly operationalise the compliance requirements,” says Tara Cho, partner and chair of the Privacy and Cybersecurity Team for Womble Bond Dickinson (US). “Data mapping – knowing what data you have and where it lives – is foundational for any effective data privacy and cybersecurity strategy.”
This potential lack of readiness is evident in other areas as well. For instance, 50% of respondents doing business in the EU and/or UK say understanding the data held within their organisation is a key hurdle, while 45% cite increasing their budget.
Meanwhile, nearly 60% of executives with operations in the US view tracking the status of legislation and the differences between state laws as a challenge – yet only 42% have completed comparisons of state privacy law frameworks. And as several state data privacy laws near or reach effective dates, executives with operations in the US are feeling less confident in their preparedness than in 2022: Only 45% say they are very prepared, compared with 59% in last year’s survey.
Actions: Start mapping out what data your organisation has and where it sits – it’s foundational to any successful data privacy and cybersecurity strategy.
UK respondents more prepared than US counterparts
Given the more established General Data Protection Regulation (GDPR) in the EU (retained in the UK as the UK GDPR), as well as the Data Protection Act 2018 (DPA) in the UK, it tracks that more respondents with operations in Europe feel very prepared to meet these requirements – particularly our UK-based respondents (59% of whom say they are very prepared for the GDPR and/or DPA, compared to only 44% of those with US headquarters).
UK respondents are also more comfortable with the impact of privacy regulations on their ability to conduct cross-border business. Forty percent of UK respondents (versus 35% in the US) say these regulations add extra costs but are manageable, while only 10% (versus 17% in the US) believe regulations are a major impediment to such business.
“Overall, these findings tell us that, while cross-border data transfers remain a challenge, many businesses are managing and even seeing value in associated regulations,” says Andrew Parsons, a UK-based partner at Womble Bond Dickinson. Parsons – who focuses on commercial disputes around information rights, privacy and other technology-related issues – adds that: “Though much remains in flux, if and when these rules stabilise, they can have a positive long-term impact.”
Growing adoption of biometrics, geolocation and AI brings new opportunities – and concerns
The majority of UK and US respondents are already using fingerprints, facial recognition and other biometric data. However, new technologies come with new compliance challenges and litigation risks.
Fifty-nine percent of UK respondents indicate that their organisations currently leverage biometric data – and 64% of US respondents say the same, a five percentage point jump for that group from 2022. While most are using fingerprints to generate such data, largely for initial identification or authentication purposes, not insignificant numbers in the US and UK are drawing biometric information from iris recognition (28%), finger/hand veins (24%), heartbeat (8%) and even brain waves (5%). Data privacy litigation will increasingly play a role here, particularly as more and more states and municipalities enact biometric-related regulations.
The use of geolocation data creates similar issues. Forty percent of US respondents (and 32% of those in the UK) say they are very concerned about privacy laws that include specific restrictions on collecting and using such data for targeted marketing purposes. Litigation and enforcement actions – especially among US respondents – were named as top concerns.
As advances in AI generate global headlines, our survey tracks the technology’s accelerating adoption across the business world – for more traditional applications such as data analytics, as well as content generation and other newer uses. More than 1 in 5 respondents (22%), for instance, have started using AI in the past year alone, and only 19% aren’t using it at all. Ethical and legal risks were cited as key obstacles by a significant number of respondents (45% and 34%, respectively).
“Whether it’s evaluating loan applications, filtering qualified candidates for a new job posting, or any number of other use cases, AI tools make complex decisions all the time,” says Ted Claypoole, partner at Womble Bond Dickinson and head of the firm’s US IP Transactions Team. “That’s what they’re there for. The question is, are they doing it in a way that’s improper from a societal and legal standpoint?”
As these trends accelerate in 2023 and beyond, so too will the complexity of the data privacy law landscape. Our hope is that this year’s report provides benchmarks, insights and guidance to help organisations in their compliance journeys.
Key findings
- ~50% of US and UK organisations say they are “very prepared” to address data privacy laws in both the US and Europe
- 34% of all respondents have conducted data mapping and understand data practices at their organisation
- 55% of US respondents are concerned with enforcement actions around geolocation data privacy laws, while 50% say as much about litigation – a significantly higher share than their UK counterparts, at 45% and 36%, respectively
- Only 10% of UK respondents say data privacy regulations are a major impediment to cross-border business
- Roughly 6 in 10 respondents are currently using biometric data (59% in the UK, 64% in the US)
- 22% of respondents started using AI within the last year – and only 19% are not using it at all
In the charts and analysis, responses to some questions do not add up to 100% due to rounding, and some exceed 100% because respondents were invited to select more than one answer. For the full survey methodology and a breakdown of respondent demographics, see pages 30-33 in the PDF available here.
A changing global data privacy law landscape
Organisations are confronting new data privacy laws in several US states, as well as stepped-up oversight of GDPR investigations in the EU and uncertainty over the regulation of transatlantic data flows. Meanwhile, in the UK, new proposals that aim to relieve businesses of some of the GDPR’s more strict requirements could jeopardise current legal agreements between the UK and EU.
This year, privacy laws have or will become effective in Virginia (1 January), Colorado and Connecticut (1 July) and Utah (31 December). On the West Coast, the California Privacy Rights Act (CPRA) amends the CCPA with effect from 1 January 2023, though a court recently ruled that the regulations implementing it cannot be enforced until March 2024.
While these laws differ – Utah’s legislation is more business-friendly than Colorado’s and Connecticut’s, for example, and California’s is the only one that enables a private right of action (limited to certain data breaches) – Cho says the common thread is “giving consumers power as to how they are tracked online.”
With that said, the newly amended CCPA is in a league of its own, raising the bar for compliance.
“All of these five new state laws use the word ‘Consumer,’ and I think we all initially thought it meant an individual customer,” Matthew A. Cordell, Vice President & General Counsel for Privacy and Technology, VF Corporation, said on a recent Womble Bond Dickinson panel. “But on January 1, the law in California began to apply to employees, job applicants, former employees, beneficiaries of company benefits policies and independent contractors, as well as B2B contacts, all for the first time. That’s a formidable scope to expand privacy rights to.”
This development creates a host of challenges. For instance, should companies with multiple locations treat California employees differently? If they do, will employee morale take a hit? Understanding when and how to apply various CCPA exemptions is crucial, too, as is the necessity of knowing where employee records are housed.
Actions: Understand when and how to apply various CCPA exemptions – and where employee records are housed.
With states including Indiana, Iowa, Montana, Tennessee and Texas passing legislation of their own this year – largely modelled on Virginia’s law – a common thread of core principles runs through these state laws. That may be welcome news for the 88% of respondents in the 2022 iteration of this survey who wanted to see a federal data privacy law replace the patchwork of state laws. That said, distinctions will continue to appear in these laws as political divides persist.
In this increasingly complex environment, it’s no wonder that only 53% of those doing business in the EU and/or UK say they are very prepared for the GDPR and/or DPA, despite those requirements having taken effect several years ago. What’s more, fewer than half of respondents with operations in the US (45%) say they are very prepared to address state privacy laws. On the bright side, those headquartered in the UK are particularly prepared for EU regulations (59% versus 44% of US-headquartered respondents), while those based in America are more prepared for US regulations than their UK counterparts (49% versus 40%).
At the industry level, the combined share of retail and financial services industry respondents from the UK and US who feel “very prepared” regarding US state privacy laws dropped to levels below 40%, and to less than 50% when it came to the GDPR and/or DPA.
“Europe has long been ahead of the US when it comes to data privacy laws – they’ve had one in effect since 1995, and the GDPR was adopted in 2016 – so it makes sense that UK respondents are well positioned to comply with these regulations,” says Andrew Kimble, a UK-based partner at Womble Bond Dickinson. Kimble, who focuses on data protection and privacy, adds that: “Employees at all levels of the organisation in the UK tend to be aware of the GDPR and DPA given all the steps companies need to take.”
Yet our survey illuminates that even those who believe they are very prepared may not be as ready as they think.
While 70% say they have designated an internal project manager or owner and 58% say they conduct regular staff training on data privacy and compliance, fewer than half of the overall respondent pool have taken the following steps: engaged outside legal counsel (42%), participated in a peer group to keep abreast of changes (40%) or developed a task force or oversight council to track privacy law changes (35%).
Most importantly, only 34% say they have conducted data mapping and understand data practices across the organisation. In other words, many say they are prepared to comply with data privacy laws without having a full picture of what data they actually hold.
For respondents with operations in the US, only about 4 in 10 have implemented the following measures to comply with state data privacy laws: conducted comparisons of state privacy law frameworks (42%, up from 35% last year), updated privacy policies (41%), developed systems to process and respond to data privacy rights requests (41%), set metrics and specific goals (39%), and drafted/updated agreements with third parties (39%). Only 36% have planned and conducted data assessments, down from 43% of US-only respondents surveyed last year – though that could be a result of California’s implementing regulations not yet having specified which assessments must be done.
“Senior-level employees may be overly optimistic when it comes to compliance preparedness because they’re not in the weeds – and so don’t even know how many weeds there are,” says Claypoole. “This is understandable, of course, especially in the US, where this is all relatively new,” Claypoole notes. “Data privacy is an engineering, technology and risk management issue, and it’s rare to have one person who understands all three. That’s why organisations should view this as a team effort.”
To this end, Claypoole recommends creating a list of the workstreams involved in implementing a solution and which employees need to be involved. This may include working with service providers, contractors and vendors, as well as employees.
Actions: Create a list of the workstreams involved in implementing a data privacy solution that includes which employees, service providers, contractors, and vendors need to take part.
Keeping abreast of the latest changes represents the biggest challenge for respondents on both sides of the Atlantic. Hurdles include tracking the status of legislation and differences between state laws in the US (59%), as well as adapting to new/changing requirements in Europe (55%).
The team effort required to address data privacy issues also leads to numerous operational issues – especially in the US. For those doing business in the states, key challenges include budget increases (52%), lack of available staff (42%), obtaining management approval and support to prioritise changes (30%), and the lack of an appointed leader (21%).
By contrast, each of these selections was chosen by fewer respondents doing business in the UK and/or EU – fitting, given their longer experience with the GDPR and/or DPA, as well as the GDPR’s requirement that many organisations appoint a data protection officer (DPO). For that group, 45% say budget increases are a challenge, while 39% cite lack of available staff, 23% cite obtaining management approval and support, and just 10% cite the lack of an appointed leader. Understanding the data held within the organisation is also a key challenge for both groups – which tracks with organisations’ lack of progress on data mapping.
In an increasingly global – and digital – business landscape, the ability to transfer data across borders is paramount.
When it comes to transferring data from Europe to the US, however, the regulatory mechanisms for doing so have been in flux since the Court of Justice of the European Union invalidated the EU-US Privacy Shield framework in 2020 (the Schrems II judgment). Though the Biden administration and the European Commission have put forward a successor (announced in 2022 as the Trans-Atlantic Data Privacy Framework and since formalised as the EU-US Data Privacy Framework), it is not yet clear whether it will receive an adequacy decision under the GDPR or withstand a further court challenge. The US and UK, meanwhile, are currently working through their own agreement aimed at creating a “data bridge” for data flows between the two nations.
Despite these uncertainties, our survey gives some indication that data privacy regulations are generally good for cross-border business – especially for UK respondents, who are more experienced with existing standards. Roughly a third of all respondents say that regulations add extra costs but are manageable and that they encourage international business by providing assurance that data will be treated properly in other countries. Only 10% of UK respondents – and 17% in the US – say data privacy regulations are a major impediment to cross-border business.
When it comes to big-picture concerns around data privacy, respondents ranked data breaches and cybersecurity as the number one issue – with UK executives expressing particular concern. Retail and financial services respondents indexed higher than all other industries in terms of data privacy concerns, with 42% and 41%, respectively, selecting “high level of concern.”
US respondents’ second-ranked issue is litigation and regulatory enforcement action – which plays out in later sections of this report – while in the UK the runner-up spot is split between loss of customer loyalty/trust and cost of compliance with privacy laws. Interestingly, US respondents are more concerned about not fully utilising data to maximise sales/revenue and less concerned with the cost of compliance than their UK counterparts.
Cho speculates that this result speaks to differences in how data privacy laws are shaped in the EU and UK versus the US.
“Privacy is a fundamental right in the EU, and the GDPR and its predecessor Directive have provided longstanding legal frameworks to protect those rights. In contrast, US laws have historically been sectoral and reactionary – for instance, what happens if personal data is breached. These new state omnibus privacy laws impose proactive requirements and the main impetus is to empower consumers with rights over their data, particularly when that data is being monetised.”
Emerging technologies: AI, biometrics and geolocation
As the use of ChatGPT and other generative AI applications goes mainstream, our survey reveals that businesses are accelerating their adoption of the technology: 22% of all survey respondents say they have started using AI in the past 12 months alone – and only 19% are not using it at all. However, nearly half of technology industry respondents report usage of the technology for five years or longer, reflecting that it was already baked into many business operations before the recent advances in generative AI.
Organisations we surveyed have the budget available to support their use of AI. The majority are either already making material investments in such technology (25%) or plan to within 12 months (26%); only 7% say it is not part of their plans. Those headquartered in the US showed very little deviation from UK-based organisations.
The applications reported for AI are wide-ranging. Half of respondents or more are already using it (or planning to use it in the next year) in nearly all the ways we asked about, from data analytics and automation of business processes to supply chain optimisation, search engine optimisation, customer service assistance, product recommendations and more. Notably, 36% are already using AI to generate content (via ChatGPT and similar applications), and another 24% plan to in the next year.
As expected, the growing popularity of AI comes with its own set of obstacles, led by ethical concerns and followed by a lack of understanding about the technology, unreliable results and legal risks.
“As AI comes to the fore, there are a number of moral concerns that might bleed into legal issues, such as AI’s proclivity to mirror societies’ own biases, therefore perpetuating historical social inequities,” says Parsons. “There are also issues that could arise from these tools’ collection and processing of data, as well as intellectual property risks.”
AI regulations are incoming around the world. The EU’s AI Act, which is expected to pass and could apply to businesses as soon as 2025, aims to be a global standard. In addition to segmenting applications of AI into four levels of risk, the law articulates specific requirements for ChatGPT and other providers of “foundation models.” Existing regulations, such as the GDPR and the EU’s Digital Services Act, could also be adapted to incorporate provisions around AI.
In the UK, the government has released a “pro-innovation” proposal for AI regulation, while the US is taking a patchwork approach, with federal actions aimed at advancing the White House’s Blueprint for an AI Bill of Rights. Regulators such as the Federal Trade Commission (FTC) and the Equal Employment Opportunity Commission have released guidance, and numerous states and municipalities have put forth their own regulations. New York City, for instance, now requires bias audits and candidate notice for automated employment decision tools, requirements that various states appear to be taking up.
The UK will also host the first global summit on "AI Safety," which will further shape the approach to regulating AI globally. While the date for the summit is yet to be confirmed, it will have a focus on harnessing AI “for good” and ensuring that AI is “developed and used in a way that is safe and secure.”
Actions: With a complex patchwork of AI regulations on the horizon, intersecting with ethical considerations, it’s important to track the development of various laws and how (and where) they may impact your organisation. Establishing governance frameworks and controls for the use of AI tools will also be paramount.
The use of biometric data has grown in the last year – 64% of US respondents are currently using it, compared with 59% last year, and only 14% are not using it or planning to down the line – but so too have associated compliance risks. The UK shows similar levels of adoption, with 59% using it now, though a higher share of those respondents (20%) isn’t using the technology or planning to.
Several US lawsuits in the wake of Illinois’ 2008 Biometric Information Privacy Act (BIPA) have put biometrics in the spotlight – and lowered the bar for others to file successful BIPA suits. For instance, last October saw the first-ever jury verdict in a BIPA class action suit in Rogers v. BNSF Railway Company, wherein a group of truck drivers successfully sued the freight-rail operator over its fingerprint scan security requirement at Illinois rail yards. The plaintiffs’ success could encourage other individuals to pursue their own claims.
Texas and Washington have their own biometric privacy laws, though neither provides a private right of action like BIPA, while the new state consumer privacy laws in California, Colorado, Connecticut, Utah and Virginia regulate the processing of biometric data. Other states and cities are likely to follow suit.
It follows, then, that for those respondents who are not considering using biometric data, data privacy compliance is a growing concern (17% said as much this year, versus 10% for the US only in 2022). While another 20% selected concerns about other legal risks, most still cited “not relevant to our business” (60%) as the primary reason for not using such data.
Actions: Using biometrics? Now is the time to mitigate potential litigation risk – particularly in the US, as the success of the Rogers BIPA class action suit could encourage others to pursue their own claims.
The majority of respondents who are using or planning to use biometric data report collecting such information via fingerprints (53%). Other use cases include facial recognition (34%), voice recognition (32%) and iris recognition (28%).
Yet substantial numbers of respondents are currently using, planning to use or considering more invasive sources, such as heartbeat (8% using, 8% planning to use in the next year, 24% considering), ear shape (8% using, 6% planning to use in the next year, 37% considering) and even brain waves (5% using, 6% planning to use in the next year, 18% considering). Respondents reporting current usage of such data mainly hail from the technology industry, but usage of one or more of these was also reported by respondents from the construction, education, financial services, manufacturing and transportation industries.
Uses of such data tend to involve logging into or certifying payment through various apps, with top responses including initial identification or authentication, payment and other security functions. Fewer are using it for employee tracking or monitoring purposes, such as clocking in/out, employee onboarding and attention/focus detection of employees. More UK respondents are using biometrics for security functions, while more US respondents are using this data for clocking in/out and reading customer emotions.
Each of the new US state laws includes something not previously seen in the country: “a special set of extra protections for sensitive data,” says Claypoole. For many states, this sensitive data includes geolocation.
Meanwhile, the FTC is ramping up its enforcement efforts, including its August 2022 suit against Kochava, an Idaho-based data broker, alleging that it sold precise geolocation data associated with hundreds of millions of mobile devices.
It’s no wonder, then, that 40% of US respondents (versus 32% in the UK) are very concerned about privacy laws that include specific restrictions on collecting and using precise consumer geolocation data for targeted marketing purposes. US respondents are unsurprisingly also more concerned about enforcement actions (55% versus 45% of UK respondents) and litigation (50% versus 36%).
UK respondents, meanwhile, are more concerned about securing consent from consumers (56% versus 51% of US respondents) and defining the specific business purpose (55% versus 50%) – which tracks with their experience with the GDPR’s rights-based principles.
Finally, US respondents placed more focus on losing the insights that geolocation data provides (35% versus 26% of UK respondents), as well as associated revenue (24% versus 22%). This follows a consistent trend in which US respondents tend to prioritise monetisation, whereas in the UK, the relative maturity of the GDPR may have created a more concrete foundation for individual rights and transparency.
Conclusion: Preparing for the year ahead
As our survey shows, complying with data privacy laws is no small feat – particularly given the evolving nature of not only the laws themselves, but the types of data collected via new technologies.
In this way, compliance itself is a moving target, and must be treated as such. That means, first and foremost, having a dedicated team in place – composed of information technology, human resources, legal, project management and other necessary departments – and ensuring they’re equipped with proper resources from leadership.
It also means that prioritisation is key.
“Ultimately, data privacy compliance is manageable,” Claypoole says. “You don’t need to be perfect, but you do need to make the effort.”
Data privacy compliance checklist
Follow these best practices to prepare for evolving data privacy laws:
- Designate an internal project manager or owner
- Establish a dedicated, multidisciplinary team that includes IT, HR, legal, compliance, marketing and engineering
- Conduct data mapping and understand data practices across the organisation
- Develop platforms and systems to process and respond to data privacy rights requests
- Engage outside legal counsel to advise on compliance, particularly related to the 2023 changes and horizon scanning for subsequent years
- Update company privacy policies
- Plan and conduct data protection impact assessments
- Set metrics and specific goals to track compliance progress
- Draft or update agreements with third parties to comply with new privacy requirements
- Conduct a comparison of state privacy law frameworks to develop an agile compliance posture
Methodology and demographics
For more information on the full methodology and demographics, see pages 30-33 in the PDF available here.