Nearly six in 10 executives say their organizations are very prepared to meet new consumer privacy laws set to take effect in several states in 2023, yet when asked about particular actions taken, less than half have completed key steps toward compliance.
The study, conducted by Womble Bond Dickinson -- a law firm with more than 1,100 lawyers in the United Kingdom and the United States -- shows that only 49% have completed data mapping, which is a key step in any data privacy initiative. Some 37% say it’s in progress.
The majority of respondents have undertaken initial actions, with 54% initiating a data mapping and 67% completing a data inventory and mapping of all personal information, data assets and flows.
Less than half of respondents, at 48%, have taken steps such as completing a data mapping and aligning procedures to effectuate individual rights requests and related legal obligations. Only 43% are on track to update an existing data inventory or mapping.
The delay is one key finding in the 2022 State of US Data Privacy Law Compliance Survey Report, which draws on insights from nearly 200 executives, 62% of whom hold C-suite titles. The report also looks into two forms of consumer data collection -- precise geolocation data and biometric information.
The study shows that California, Colorado, Virginia, Utah and Connecticut have passed data privacy laws or amendments that will take effect in 2023, while several other states are contemplating similar comprehensive legislation.
Although 59% of executives say their companies are “very prepared” to meet the guidelines from new privacy legislation, 89% have increased their budgets to do so.
Less than half have completed most key compliance actions. About 49% cited conducting data mapping, 42% cited performing data assessments, and 38% pointed to metrics and deadlines to track compliance.
Some 39% of survey respondents who do not feel their organizations are prepared cite lack of available staff to address compliance, and 60% point to challenges around tracking the status of legislation and differences between state laws.
The survey data also shows how companies assign primary responsibility for privacy compliance.
Less than one-third of those have designated a project manager for data privacy compliance, or are in the process of doing so. Some 18% have assigned the role to a member of the risk or compliance department, and 11% to the legal department.
Some 56% of project leads are in technology, and 14% are in information systems.
More than 70% of executives say they are very or moderately concerned about state privacy laws that include specific restrictions on collecting and using precise consumer geolocation data for mobile tracking purposes.
The primary concerns are securing consent from consumers to gather and apply this data, at 68%, and defining the specific business purpose for such data applications, at 64%.
Not surprisingly, the retail and tech sectors are more concerned about data privacy compliance. Executives from these industries, who collectively make up 47% of all respondents, expressed “significantly” more concern than their counterparts about several issues covered in the survey. They fear enforcement actions related to geolocation data: 75% of retail executives say it is due to their industry being a likely target, compared with 57% of respondents overall.