• by Ray Schultz , Columnist, June 23, 2022

Most companies are prepared for the welter of state privacy laws, But almost all would rather see a federal law that preempts individual state regulations, according to the State of US Data Privacy Law Compliance Survey Report, from Womble Bond Dickinson. 

Of the businesses surveyed, 59% say they are very prepared to meet the guidelines contained in state data privacy legislation in California, Colorado, Virginia and Utah. Another 31% are moderately prepared. 

Moreover, 89% have increased their budgets to comply with the varying state laws. But they face challenges:

• Tracking the status of legislation and the differences between state laws — 60%
• Increasing budget to take on the necessary actions — 47%
• Lack of available staff to address data privacy compliance — 39%
• Lack of an appointed leader to manage compliance within our organization — 25%
• Have not prioritized the changes to date — 15%

• Designate an internal project manage or owner — 60%
• Conduct data mapping and understand data practices across the organization — 49%
• Develop platforms and systems to process and respond to data privacy rights requests — 46%
• Engage outside legal counsel to advise on legislative challenges and compliance — 43%
• Plan and conduct data assessments — 43%
• Update privacy policies — 41%
• Set metrics and specific goals/deadlines to track progress — 38%
• Draft or update agreements with third parties — 37%
• Conduct comparison of state privacy laws and frameworks — 34%

Most of the remaining firms have made varying degrees of progress. 

In addition to state laws, firms are also affected by technology company policies. On a scale of one to 10, the average influence of state laws is 7.2.  

But some are also swayed by tech company policies, especially tech executives — their rating is 6.9, while retail execs came in at 5.6.  

Why are they so concerned about tech company policies? A COO of a California-based retailer said: “We are at their mercy due to search and advertising.” 

One of the next threats may come in the area of geolocation data.

Laws in California and Virginia restrict use of precise consumer geolocation data for mobile tracking): Most companies — 86% — are concerned, with 42% saying they are very concerned and 29% saying they are moderately concerned. They have a range of concerns around the use of data.

Securing consent from consumers to gather and apply the data — 68%

Defining the specific business purpose for data application — 64%

Losing the insights that geolocation data has provided — 38%

Facing enforcement actions if found not to be in compliance — 32%

Losing the revenue that geolocation data has provided — 24%

Then there is biometric data — 78% of firms are either using it or planning to start. And 60% have assessed the risks, developed compliance plans and conducted internal training.  

That is not the only potential issue. 

Moving forward, there are two classes of data that companies will need to protect — personally identifiable information and sensitive data (e.g., racial or ethnic, origin, religious or philosophical beliefs, or union membership; email content; biometric information; genetic data; and precise geolocation data),” the study notes. 

Womble Bond Dickinson, a law firm that offers privacy and security assistance, surveyed 200 executives, 62% of whom hold C-suite titles.