Executive Summary

In May 2017, the world of data privacy was irreparably changed when four members of the Chinese military hacked into credit-reporting company Equifax, exposing the personal information of nearly 150 million Americans. The regulatory response was swift. States amended data breach laws and introduced new ones around data security and consumer privacy. The following May, the European Union's sweeping privacy law update, the General Data Protection Regulation, took effect, sending ripples across global businesses. The next month brought the passage of the California Consumer Privacy Act (CCPA).

Fast forward to 2022, and CCPA-like consumer privacy laws have passed in four additional states (Colorado, Connecticut, Utah and Virginia). Several states are currently weighing similar comprehensive legislation to protect consumer privacy. While the measures differ in significant ways, they share key tenets, including granting consumers the right to access, correct, delete and transfer personal data, as well as the ability to opt out of certain targeted advertising. At the same time, there has been more focus on regulating increasingly popular forms of consumer data collection, including precise geolocation data and biometric information.

With state laws set to take effect in 2023, companies must take action now to prepare for stricter requirements, surges in data privacy litigation and continued public scrutiny around safeguarding consumer privacy rights. But where do companies stand today?

To find the answer, Womble Bond Dickinson surveyed nearly 200 executives based across the United States. This elite group - 62% of whom hold C-suite titles - comprised decision-makers from company leadership and key departments including information systems and information technology, privacy and security, legal and compliance, operations and finance, and marketing.

With compliance deadlines looming, the good news is that nearly 6 in 10 respondents say their companies are very prepared to meet the guidelines set forth by new consumer privacy legislation, and 89% have increased their budgets to do so. Yet when asked about particular actions they've taken to comply with state data privacy laws, less than half of respondents say they have completed most key steps, from conducting data assessments to updating privacy policies to establishing metrics and deadlines.

"Companies often feel they are ready for compliance, but that optimism starts to fade when it comes to applying the often unsettled regulations and granular tactics they need to effectively prepare," says Tara Cho, who chairs Womble Bond Dickinson's Privacy and Cybersecurity team. "The new requirements affect so many aspects of how companies do business that it can be challenging, particularly at the executive level, to make sure all the bases are covered."

A significant part of the problem is operational. Respondents who do not feel their organizations are very prepared cite a lack of available staff to address compliance (39%) and challenges around tracking the status of legislation and the differences between state laws (60%).
