Table of Contents
- Executive Summary
- State Data Privacy Laws Preparedness and Challenges
- Progress Toward State Data Privacy Law Compliance
- Perspectives on a Federal Data Privacy Law
- Emerging Risk Areas: Geolocation and Biometric Data
- Conclusion: Get Ready for a New Data Privacy Landscape
- Methodology and Demographics
- Privacy and Cybersecurity Team
In May 2017, the world of data privacy was irreparably changed when four members of the Chinese military hacked into credit-reporting company Equifax, exposing the personal information of nearly 150 million Americans. The regulatory response was swift. States amended data breach laws and introduced new ones around data security and consumer privacy. The following May, the European Union’s sweeping privacy law update, the General Data Protection Regulation, took effect, sending ripples across global businesses. The next month brought the passage of the California Consumer Privacy Act (CCPA).
Fast forward to 2022, and CCPA-like consumer privacy laws have passed in four additional states (Colorado, Connecticut, Utah and Virginia). Several states are currently weighing similar comprehensive legislation to protect consumer privacy. While the measures differ in significant ways, they share key tenets, including granting consumers the right to access, correct, delete and transfer personal data, as well as the ability to opt out of certain targeted advertising. At the same time, there has been more focus on regulating increasingly popular forms of consumer data collection, including precise geolocation data and biometric information.
With state laws set to take effect in 2023, companies must take action now to prepare for stricter requirements, surges in data privacy litigation and continued public scrutiny around safeguarding consumer privacy rights. But where do companies stand today?
To find the answer, Womble Bond Dickinson surveyed nearly 200 executives based across the United States. This elite group – 62% of whom hold C-suite titles – comprised decision-makers from company leadership and key departments including information systems and information technology, privacy and security, legal and compliance, operations and finance, and marketing.
With compliance deadlines looming, the good news is that nearly 6 in 10 respondents say their companies are very prepared to meet the guidelines set forth by new consumer privacy legislation, and 89% have increased their budgets to do so. Yet when asked about particular actions they’ve taken to comply with state data privacy laws, less than half of respondents say they have completed most key steps, from conducting data assessments to updating privacy policies to establishing metrics and deadlines.
“Companies often feel they are ready for compliance, but that optimism starts to fade when it comes to applying the often unsettled regulations and granular tactics they need to effectively prepare,” says Tara Cho, who chairs Womble Bond Dickinson’s Privacy and Cybersecurity team. “The new requirements affect so many aspects of how companies do business that it can be challenging, particularly at the executive level, to make sure all the bases are covered.”
A significant part of the problem is operational. Respondents who do not feel their organizations are very prepared cite a lack of available staff to address compliance (39%) and challenges around tracking the status of legislation and the differences between state laws (60%).
"Companies often feel they are ready for compliance, but that optimism starts to fade when it comes to applying the often unsettled regulations and granular tactics they need to effectively prepare."
Our survey also suggests that companies differ in how they assign primary responsibility for privacy compliance. Less than a third of those who have designated a project manager for data privacy compliance, or are in the process of doing so, have assigned the role to a member of the risk or compliance (18%) or legal (11%) departments. Most reside in technology (56%) or information systems (14%).
That could be an issue, according to Womble Bond Dickinson partner Ted Claypoole.
“Preparing for these new laws – understanding the necessary policies, procedures, compliance and governance practices – is really a risk management and legal issue,” Claypoole says. “Ideally, organizations would have a cross-functional task force that includes tech and compliance professionals, with a primary lead to ensure things get done.”
The survey also delves into two fast-emerging areas of concern: the collection of geolocation and biometric data. Over 70% of respondents are very (42%) or moderately (29%) concerned about state privacy laws that include specific restrictions on collecting and using precise consumer geolocation data. This is especially concerning given the state law restrictions on the collection of specific geolocation data coming in 2023. Primary executive concerns center on securing consent (68%) and defining the specific business purpose for such data applications (64%).
As for biometric data, over half (59%) are already using it and another 19% plan to do so – but fewer than 60% of those respondents have assessed their risks or developed risk management strategies and compliance plans.
Tech and retail executives – who together comprised 47% of all respondents – expressed significantly more concern than their industry counterparts about several issues covered in the survey. This is not surprising, as tech companies are frequently criticized over their handling of consumer data. Retailers, whose core business involves dealing with consumers, also face heavy scrutiny. For example, of the respondents who fear enforcement actions related to geolocation data, 75% of retail executives say it is due to their industry being a likely target (compared to 57% overall).
This is just a snapshot of the report’s key findings. In what follows, we’ll take a closer look at where companies stand in relation to new consumer privacy laws, the challenges they face in preparing to meet their requirements, and what they should do next to stay ahead of an increasingly complex regulatory future.
In the charts and analysis, responses to some questions do not add up to 100% due to rounding, and some exceed 100% because respondents were invited to select more than one answer. Click here for the full survey methodology and a breakdown of respondent demographics.
Five states – California, Colorado, Virginia, Utah and Connecticut – have now passed data privacy legislation or amendments that will take effect in 2023. The Colorado and Connecticut laws are more consumer-oriented, while Utah’s legislation is more business-friendly. California is the only state that enables a private right of action, meaning it allows consumers to bring private legal cases against businesses. While the CCPA has been in effect in California since 2020, provisions from a ballot measure (the California Privacy Rights Act) that amended and expanded that law will go into force next year.
Though the laws have similar themes, there are critical differences that make it increasingly difficult for companies operating in multiple jurisdictions to manage consumer privacy on a state-by-state basis. (A breakdown of each law can be found here.)
Companies that want to stay ahead of the curve may therefore look to implement comprehensive principles governing data privacy. And though retail, tech and highly regulated industries remain uniquely vulnerable to enforcement, most sectors will be affected in some way.
“This is a data economy, and we’re reaching the point where nearly every business should be looking at consumer data privacy as a broader policy issue,” Claypoole says.
Respondents say they’re prepared – but are they?
Please indicate the extent to which your organization is prepared to meet the guidelines set forth by consumer data privacy legislation enacted in California, Colorado, Virginia and/or Utah.
Which of the following best summarizes the overall spend that your organization has allocated this year to complying with new U.S. state privacy laws?
Nearly 6 in 10 respondents say their organizations are very prepared to meet the guidelines set forth by state consumer privacy legislation – and they have allocated the budget to back it up. Forty-five percent increased their compliance budgets by 10%-20%, and nearly a quarter of respondents (24%) have increased them by 20% or more. Only 11% have not increased their compliance budgets for this year. Retail and tech companies led on both preparation and budget measures, with 33% in each group increasing their budgets by 20% or more and nearly 70% of both groups saying their organizations are very prepared.
This optimistic view of preparedness became murky, however, when respondents were asked about the actual steps they have taken to date. Aside from designating an internal project manager or owner – a step 60% of respondents have completed – no other action item was completed by more than half of survey-takers (see next section for an analysis of these actions).
Why the disconnect? Burnout and fatigue related to a pandemic that has consumed a disproportionate amount of IT resources could be one factor. The tight labor market is also likely complicating matters, with 39% of those who feel their organization is moderately, slightly or not prepared for data privacy compliance citing a lack of available staff.
"This is a data economy, and we’re reaching the point where nearly every business should be looking at consumer data privacy as a broader policy issue."
But Claypoole also notes that some of the C-level executives surveyed may not have a full picture of what’s happening on the ground. While 73% of C-suite executives say their organizations are very prepared, only 45% of VP-level respondents feel the same.
“There’s a difference between assigning someone to handle data privacy and cybersecurity, and the day-to-day work of establishing a team, setting metrics and taking actionable steps to ensure an organization is preparing for new legislation,” he says. “There can be a bit of operational resistance and delay – until, that is, compliance deadlines hit or a lawsuit or enforcement action sounds the alarm.”
Which of the following have presented challenges to your organization in preparing for state privacy law changes? (Select all that apply).
This question was only asked of those who feel moderately, slightly or not prepared to meet the guidelines set forth by new consumer privacy legislation.
Among respondents who feel their organizations are moderately, slightly or not prepared, the top challenge is simply tracking the status of legislation and differences between state laws (60%) – unsurprising given the rapid proliferation of such laws and varying rules for how data can be obtained and used. Interestingly, those citing lower levels of preparation do not attribute it to a lack of prioritization: Only 15% of this subset say they have not prioritized changes to date.
Less prepared retail respondents are particularly struggling, especially when it comes to tracking legislation status (73%, compared to 60% of all respondents) and appointing a leader to manage compliance (45%, compared to 25% of all respondents).
Which of the following best explains why your organization has not increased its compliance budget?
This question was only asked of those who have not increased their budgets for complying with new U.S. state privacy laws.
Of the 11% of respondents who have not increased their budgets for complying with new U.S. state privacy laws, most attribute that to the belief that they already have adequate funding allocated (42%) or that a budget increase is occurring later this year or next (21%).
As alluded to in the previous section, an analysis of the steps taken to comply with state data privacy laws shows those actions often fall short of participants’ stated confidence. For instance, though most say they are at least in the process of doing so, less than half have completed key steps toward compliance, including conducting data mapping (49%) and data assessments (43%). Only 38% have set metrics or specific goals and deadlines to track compliance – an important step in keeping on track with the time-intensive task of meeting new compliance requirements.
Only 38% of respondents have set metrics or specific goals and deadlines to track compliance – an important step in keeping on track with the time-intensive task of meeting new compliance requirements.
In verbatim feedback, respondents pointed to other actions their organizations are taking, including training and educating employees, developing task forces and industry groups, and adopting new technology solutions. On the latter front, new data privacy technologies are increasingly being seen as a quick fix – but that can’t replace the hard work of implementing new processes, policies and governance structures.
Below, we dig deeper into critical compliance actions.
1. Designating a project manager or owner
In which department does the individual who oversees your organization’s approach to complying with state data privacy laws work?
This question was only asked of those who have or are in the process of designating a project manager or owner.
Of the 85% of respondents who have designated – or are in the process of designating – a project manager or owner, 70% say the individual overseeing the process of complying with state data privacy laws is in the technology (56%) or information systems (14%) department. A smaller share resides in risk or compliance (18%) or legal (11%).
As noted above, technology or IT departments that are already inundated with other tasks may not be in the best position to single-handedly lead data privacy compliance. The nature of these initiatives lends itself more to a cross-functional task force approach that includes risk, compliance, legal and tech professionals.
“While procuring the right data and enacting some of the necessary changes often requires technical professionals, the process of preparing to comply with state data privacy laws can also benefit from the involvement of broader risk management and governance perspectives,” says Cho.
2. Data mapping
Which of the following steps with regard to data mapping and understanding data practices across the organization have been undertaken to date? (Select all that apply)
This question was only asked of those who have been or are in the process of conducting data mapping.
Data mapping is a key aspect of any data privacy initiative. Nearly half (49%) of respondents have completed this action, and 37% say it’s in progress. Yet when this group was asked more granular questions about the steps they have taken to do so, it became clear that more work needs to be done.
The majority of respondents have undertaken initial actions, with 54% initiating a data mapping and 67% completing a data inventory and mapping of all personal information, data assets and flows. But less than half of respondents to this question have undertaken later steps, such as completing a data mapping and aligning procedures to effectuate individual rights requests and related legal obligations (48%) or being on track to update an existing data inventory or mapping (43%).
The lack of preparedness is significant given that CCPA compliance requires organizations to be able to satisfy a consumer’s request to disclose all personal information they have collected, sold or shared in the previous 12 months.
3. Privacy policies
Which of the following has your organization undertaken when it comes to updating its privacy policies? (Select all that apply)
This question was only asked of those who have updated or are in the process of updating privacy policies.
Of the 81% of respondents whose organizations have updated or are in the process of updating their privacy policies, a large portion has focused on initial actions, including researching new or changing privacy laws (71%) and consulting with a team of stakeholders to discuss policies (63%). Just over half (53%), however, have actually drafted the new or updated policy, and less than half (46%) have informed customers or clients about it.
“Drafting new or updated policies can be difficult right now, as they will need to be amended once the final regulations come down,” says Claypoole. “While initiating conversations on these policies is important, it’s a relatively easy fix compared with the work that needs to be done to build out new structures, bring on the right talent and vendors, and establish the governance and procedures needed to stay in compliance with these laws.”
How does your organization prioritize changing your privacy policies based on consumer privacy-related requirements from technology companies versus requirements in state privacy legislation, or are they equally important?
We also asked survey participants about the influence that consumer privacy-related requirements from tech companies have on their own privacy policies as compared with compliance requirements in state privacy legislation. Though executives on a whole were more influenced by state laws – the average rating fell at 7.2 – tech and especially retail respondents were slightly more swayed by the influence of tech companies. The average rating for tech executives was 6.9. Retail executives fell essentially in the middle, at 5.6, suggesting that each factor influences them relatively equally.
“We depend on those relationships, and we need to stay in compliance with their guidelines,” a VP of information systems for a financial services firm said of tech companies’ influence. A COO of a California-based retail company added, “We are at their mercy due to search and advertising.”
Please indicate your level of agreement with the following statement: I would like to see a federal data privacy law passed that preempts individual state laws and creates a consistent set of requirements.
For years, Congress has tried and failed to pass a federal data privacy law. Sticking points stem from two key issues: whether a federal law should preempt state laws and whether the law should allow for individuals to file lawsuits against companies for violating their privacy (as in the CCPA).
The executives we surveyed largely agree on the first issue – that a federal law should overrule state ones – echoing the opinions of corporate and technology trade groups concerned about a growing patchwork of state laws. Nearly 9 in 10 respondents agree that they would like to see a federal data privacy law passed that preempts individual state laws and creates a consistent set of requirements, with 53% strongly agreeing. A higher percentage of retail executives strongly agreed (63%), in keeping with their higher level of concern expressed throughout this report, as did respondents at the C-suite level (62%).
“If you ask business leaders whether they want their laws simple or complicated, they’ll say simple almost every time.”
For Claypoole, a desire for an overriding federal law makes sense. “If you ask business leaders whether they want their laws simple or complicated, they’ll say simple almost every time.”
While efforts to pass a federal data privacy law haven’t historically been able to gain traction, recent reporting suggests a glimmer of hope for Democratic and Republican lawmakers to reconcile their dueling priorities when it comes to privacy legislation. “There has been more discussion about how you can have a ‘gradation’ of those concepts – meaning a law could override certain but not all aspects of state laws, and provide a tailored private right of action,” a senior advisor to Senate Commerce Chairwoman Maria Cantwell said in April, according to The Washington Post. And The Wall Street Journal reported late in March that senior aides from both sides of the aisle wanted to attempt to “forge a bipartisan agreement” on a privacy law.
Precise geolocation data
Pew Research Center reports that 85% of Americans now own a smartphone and the use of smart wearable devices is on the rise – meaning that most of us are carrying (or wearing) beacons that can constantly report our locations to companies.
Even back in 2018, a New York Times investigation found that at least 75 companies receive “anonymous, precise location data” from location-tracking enabled apps, with many of those businesses claiming to “track up to 200 million mobile devices in the United States.” These companies “sell, use or analyze the data to cater to advertisers, retail outlets and even hedge funds seeking insights into consumer behavior,” according to the report.
While the Federal Trade Commission (FTC) has cited concerns about unfair or deceptive practices involving geolocation data for years, lawmakers have only recently begun to place limits on the ability of businesses to extract and share information from the apps and equipment that track our movements. Starting next year, California residents have the right to ask that companies limit the use of geolocation data to what is necessary to perform the services or provide the goods they have requested. In Virginia, companies will have to explicitly ask for consumer consent to process sensitive personal information, which includes precise geolocation data.
“The FTC has long-standing guidance on consent requirements for precise geolocation tracking, but this issue again became the center of debate during the pandemic amid a surge in mobile apps used for contract tracing,” says Cho. “In the last year, the FTC has articulated a clear focus on data privacy and consumer rights, state laws have tacked on restrictions on geolocation data, and tech giants have required greater transparency and privacy functionality from app developers. Even from the consumer side, there’s more sensitivity to the ‘creepiness factor’ of certain location tracking. The bottom line – companies should be prepared for increased scrutiny across the board.”
To what extent is your organization concerned about state privacy laws (i.e., in California and Virginia) that include specific restrictions on collecting and using precise consumer geolocation data for mobile tracking purposes?
In keeping with the growing focus on this area, the vast majority of survey respondents are very (42%) or moderately (29%) concerned about state privacy laws that include specific restrictions on collecting and using precise geolocation data for mobile tracking purposes. Retail and C-suite respondents are especially alarmed by this issue: 52% of both groups indicate being very concerned.
Which of the following represent concerns for your organization with regard to specific restrictions on the collection and usage of precise consumer geolocation data? (Select all that apply)
Of those who expressed concern about new restrictions, securing consumer consent (68%) and defining the specific business purpose for data application (64%) are the top perceived roadblocks. A significant number of respondents in this group also say they are concerned about losing the insights (38%) and revenue (24%) that geolocation data has provided.
"In the last year, the FTC has articulated a clear focus on data privacy and consumer rights, state laws have tacked on restrictions on geolocation data, and tech giants have required greater transparency and privacy functionality from app developers. Even from the consumer side, there’s more sensitivity to the ‘creepiness factor’ of certain location tracking."
Though only 32% of respondents fear enforcement actions, retail executives showed a much greater degree of concern, with 88% selecting this answer. This likely stems from the exposure retail organizations have to consumers, as well as the reputational risks that come with enforcement actions.
Which reason best explains why you are concerned that your company could potentially face enforcement actions?
Which reason best explains why you are not concerned that your company could potentially face enforcement actions?
When we dug deeper into the reasons why respondents who selected enforcement actions view it as a concern, most noted it is because their company type / industry is a likely target (57% overall, 75% of retail respondents). Of those who are not worried about enforcement actions, 41% said it is because their company type / industry does not fit the profile of likely offenders, with higher numbers for financial services, manufacturing and technology respondents.
In 2020, Facebook (now Meta) agreed to one of the largest consumer privacy settlements in history – $650 million – to resolve claims that the company collected biometric data (i.e., the measurement and statistical analysis of people’s unique physical and behavioral characteristics) without consumer consent. The class action was possible because of the Illinois Biometric Information Privacy Act (BIPA), which gives individuals privacy rights over their biometric data.
That year, more than 80 federal complaints alleged BIPA violations, up from 28 the year before. This issue will continue to garner more attention as other states consider similar legislation.
Which of the following best categorizes your organization’s use of biometric data?
Our survey found that nearly 80% of organizations are currently using (59%) or planning to use (19%) biometric data. Certain industries are currently using it to a greater extent, including manufacturing (87%) – a sector where companies often employ such data for time clock purposes – retail (71%) and technology (67%). Of the 22% who aren’t using or planning on using it, most said it was because biometric data is not relevant to their businesses (69%, largely made up of construction, government and education respondents).
"Companies that collect biometric data and haven’t yet assessed their risks should take steps to do so soon to avoid potential enforcement actions or litigation."
Which types of biometric data does your company use or plan to use? (Select all that apply)
This question was only asked of those who are currently using or planning to use biometric data.
Fingerprints were far and away the top type of biometric data that companies are using or planning to use, selected by 78% of respondents. Facial recognition (47%), voice recognition (40%) and iris recognition (33%) were the next top answers.
How is your company using or planning to use this data? (Select all that apply)
This question was only asked of those who are currently using or planning to use biometric data.
Respondents whose organizations are leveraging biometrics also told us how they are using or planning to use this data. Most said “for initial identification purposes only” (74%), while roughly half selected “for payment purposes” (49%), “for other security functions” (46%) and “collecting and storing for future purposes” (45%). Fourteen percent – mostly financial services, manufacturing, retail and technology respondents – selected “for reading customer emotions.”
Despite the widespread use of biometric data, fewer than 60% of those using or planning to use such data have assessed their risks (58%) or developed risk management and compliance plans (55%). Even fewer have conducted internal training sessions (41%) or drafted notice templates (36%).
“Companies that collect biometric data and haven’t yet assessed their risks should take steps to do so soon to avoid potential enforcement actions or litigation,” says Cho. “Those who don’t operate in Illinois may not have realized how much this issue has evolved in the past few years, with numerous state lawmakers thinking through biometric-related legislation of their own and the availability of state attorney general enforcement in states such as Texas.”
It’s a new world for data privacy in the U.S., and state legislation continues to be the main catalyst for new compliance requirements. While it’s a good sign that most executives we surveyed are concerned about and paying attention to the challenges ahead, there’s clearly plenty of preparation left to do.
“It took 15 years to get to a place where every state had enacted a data breach law, but almost every state has proposed a privacy law,” Kathryn Farrara, General Counsel North America, Health & Wellbeing and US Data Protection Officer at Unilever, said during a recent webinar. “The rate of change has dramatically increased.”
“It took 15 years to get to a place where every state had enacted a data breach law, but almost every state has proposed a privacy law. The rate of change has dramatically increased.”
Moving forward, there are two classes of data companies will need to protect – personally identifiable information and sensitive data (e.g., racial or ethnic, origin, religious or philosophical beliefs, or union membership; email content; biometric information; genetic data; and precise geolocation data).
To do so, companies will need to make operational shifts to establish new processes, governance structures and compliance procedures. These tasks require diverse teams of risk management, legal and IT professionals, as well as a dedicated leader. As businesses get started, they should keep some key action items in mind:
- Involve the company’s data security team with vendor negotiations if those vendors are to handle sensitive data.
- Make sure employee privacy and data protection training happens on a regular schedule.
- Get buy-in and support from the organization’s top leadership.
- Demonstrate competence. Companies don’t need to be perfect – they just need to show they are taking legitimate, good-faith efforts to protect consumer data.
2023 will be a very different year for data privacy. Now is the time for executives to kick their compliance programs into high gear.
From April 20 to May 6, 2022, 182 decision-makers completed this survey through an online survey tool.
Nearly two-thirds of respondents (62%) hold C-suite titles, and all play an active role in data privacy issues within their organizations. Respondents include decision-makers across a range of departments, including general management (17%), information systems / information technology (31%), privacy / security (19%), legal / compliance (18%), marketing (8%) and operations / finance (7%).
In addition to the scope of professionals surveyed, respondents represented a range of industries – with the largest share in technology, telecommunications and software (28%) and retail (19%). Respondents are with organizations based across the United States, including California (26%), New York (10%) and Texas (10%).
Nearly half of those surveyed have annual revenues above $250 million, with 24% reporting a 2021 revenue above $1 billion.
Chaired by a certified legal specialist in Privacy and Information Security Law, Womble Bond Dickinson's Privacy and Cybersecurity Team leverages deep knowledge and experience across the broad spectrum of privacy and cybersecurity legal issues.
Our team of more than 40 attorneys regulatory provides privacy and cybersecurity legal guidance to clients in a broad range of sectors, including retail, financial services, healthcare, manufacturing, technology, education, telecommunications, government entities, utilities and more. Womble Bond Dickinson attorneys counsel clients in the day-to-day privacy and cybersecurity issues affecting their businesses, and we also are trusted advisers should larger issues arise.