With state laws looming, where do companies actually stand today? A Womble Bond Dickinson survey examined current corporate preparedness along with progress on steps to manage risk associated with geolocation and biometric data.
With new consumer privacy laws set to take effect in several states in 2023, nearly six in 10 executives say their organizations are very prepared to meet these requirements. Yet when asked about particular actions taken, less than half have completed key steps toward compliance.
That discrepancy is one of the key findings in 2022 State of US Data Privacy Law Compliance Survey Report, which draws on the insights of nearly 200 executives — 62 percent of whom hold C-suite titles — from company leadership and critical departments. In addition to providing a window into where companies stand in their data privacy compliance journeys, the report delves into two increasingly popular forms of consumer data collection: precise geolocation data and biometric information.
The survey was designed and implemented by Womble Bond Dickinson, a transatlantic law firm with offices in 27 locations in the U.K. and U.S.
State data privacy laws: preparedness and challenges
Five states — California, Colorado, Virginia, Utah and Connecticut — have now passed data privacy laws or amendments that will take effect in 2023, while several other states are weighing similar comprehensive legislation.
Though 59 percent of executives say their companies are very prepared to meet the guidelines set forth by new privacy legislation — and 89 percent have increased their budgets to do so — less than half have completed most key compliance actions, including conducting data mapping (49 percent), performing data assessments (43 percent), and establishing metrics and deadlines to track compliance (38 percent).
“Companies often feel they are ready for compliance, but that optimism starts to fade when it comes to applying the often unsettled regulations and granular tactics they need to effectively prepare,” said Tara Cho, chair of Womble Bond Dickinson’s Privacy and Cybersecurity team. “The new requirements affect so many aspects of how companies do business that it can be challenging, particularly at the executive level, to make sure all the bases are covered.”
A large part of the problem is operational, which is exacerbated by the pandemic consuming a disproportionate amount of legal and IT resources. Respondents who do not feel their organizations are very prepared cite lack of available staff to address compliance (39 percent) and challenges around tracking the status of legislation and differences between state laws (60 percent).
The survey data also reveals potential issues in how companies assign primary responsibility for privacy compliance. Less than a third of those that have designated a project manager for data privacy compliance, or are in the process of doing so, have assigned the role to a member of the risk or compliance (18 percent) or legal (11 percent) departments. Most project leads reside in technology (56 percent) or information systems (14 percent).
“Preparing for these new laws, understanding the necessary policies, procedures, compliance and governance practices, is really a risk management and legal issue,” said Ted Claypoole, a partner at Womble Bond Dickinson with extensive experience in privacy and security issues. “Ideally, organizations would have a cross-functional task force that includes tech and compliance professionals, with a primary lead to ensure things get done.”
The growing risks posed by geolocation and biometric data collection
The growing ubiquity of smartphones and wearables offers significant opportunities for businesses but also potential challenges. More than 70 percent of executives say they are very (42 percent) or moderately (29 percent) concerned about state privacy laws that include specific restrictions on collecting and using precise consumer geolocation data for mobile tracking purposes. The primary concerns expressed by respondents center on securing consent from consumers to gather and apply this data (68 percent) and on defining the specific business purpose for such data applications (64 percent).
As for biometric data, while 59 percent of survey respondents are already using it and another 19 percent plan to do so, fewer than 60 percent of those respondents have assessed their risks (58 percent) or developed risk management strategies and compliance plans (55 percent). Even fewer have conducted internal training sessions (41 percent) or drafted notice templates (36 percent).
With an uptick of complaints alleging violations of the Illinois Biometric Information Privacy Act and other states considering similar legislation, now is the time for companies that collect biometric data to conduct risk assessments and take steps to avoid potential enforcement actions and litigation.
Additional key findings
- Retail and tech sectors are more concerned about data privacy compliance. Executives from these industries, who together comprised 47 percent of all respondents, expressed significantly more concern than their counterparts about several issues covered in the survey. For example, of those who fear enforcement actions related to geolocation data, 75 percent of retail executives say it is due to their industry being a likely target (compared to 57 percent of respondents overall). In addition, 33 percent of retail and tech executives say their organizations have increased their budgets for complying with new state privacy laws by 20 percent or more (compared to 24 percent of all respondents).
- Nearly nine in 10 respondents support a federal data privacy law. Eighty-eight percent of executives would like to see a federal law that preempts individual state legislation and creates a consistent set of requirements – echoing the sentiments of corporate and technology trade groups concerned about a growing patchwork of state privacy laws.
- Influence of consumer privacy-related requirements from tech companies. While respondents indicated that their privacy policies are more heavily influenced by state privacy legislation than requirements from tech companies, the latter holds more sway for companies in the tech and especially retail industries. One respondent said of the influence of tech companies: “We depend on those relationships, and we need to stay in compliance with their guidelines.”
The survey was completed by 182 decision-makers who play an active role in data privacy issues across a range of departments within their organizations, including general management (17 percent), information systems and information technology (31 percent), privacy and security (19 percent), legal and compliance (18 percent), marketing (8 percent), and operations and finance (7 percent).