Not All Privacy Metrics Are Equal: Measuring What Matters to Regulators

Data Privacy Day is the perfect opportunity for organizations to reflect on their privacy practices. There are multiple ways to measure privacy program success, and what counts as success also varies with maturity, risk tolerance, and customer preferences. With nearly half of U.S. states enforcing comprehensive privacy laws, understanding what matters to regulators when they enforce these laws is one effective way to prioritize compliance efforts.

Regulators will focus on whether an organization can demonstrate that it identifies, mitigates, and responds to privacy risks. There are a few easy targets that are more likely to attract a regulator’s attention and prompt investigation:

1. Website privacy notice

Do you have one? Is it accurate? Does it include each requirement under that state’s law? (An Attorney General from any of the other 20 states with privacy notice requirements won’t care if you complied with the California Consumer Privacy Act (CCPA) circa 2018.)

2. Data rights management

Has the regulator received complaints that an individual has been unable to exercise their rights to access, delete, correct, or port data? Is the Global Privacy Control (GPC) signal recognized by your website? Is your cookie banner properly configured? (Plaintiffs' counsel are also keen to know the answer to that last question.)
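The GPC question above is one that can be checked in code rather than on paper. The following is an added example, not code from the article or its authors: it interprets the GPC request header the way the Global Privacy Control specification defines it (`Sec-GPC` with the single meaningful value `1`) and combines that with a cookie-banner choice so that an opt-out signal cannot be silently overridden by a stale "accept all". The `headers` dict, the `banner_choice` values, the cookie category names, and the `ConsentDecision` shape are this example's own assumptions, not anything the article specifies.

```python
# Added example (not part of the original article): minimal server-side
# handling of the Global Privacy Control (GPC) signal.
#
# Assumptions (not from the article): `headers` is a plain dict of request
# headers as a web framework hands them to application code; the cookie
# category names, banner_choice values and ConsentDecision fields are
# illustrative naming chosen for this example.
from dataclasses import dataclass
from typing import Mapping, Optional

# Cookie/processing categories used by this example (assumed names).
ESSENTIAL = "essential"
ANALYTICS = "analytics"
TARGETED_ADS = "targeted_advertising"


@dataclass(frozen=True)
class ConsentDecision:
    gpc_opt_out: bool          # a valid "Sec-GPC: 1" header was present
    allow_sale_or_share: bool  # may personal data be sold or shared
    allowed_categories: tuple  # cookie categories that may be set


def gpc_opt_out(headers: Mapping[str, str]) -> bool:
    """Return True only when the request carries a valid GPC opt-out.

    The GPC specification defines the request header `Sec-GPC`, whose only
    meaningful value is the string "1". HTTP header names are
    case-insensitive, so match them that way. Any other value ("0", "true",
    an empty string) is not a signal and must not be treated as one.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def decide(headers: Mapping[str, str],
           banner_choice: Optional[str] = None) -> ConsentDecision:
    """Combine the GPC signal with the visitor's cookie-banner choice.

    banner_choice is None (no choice recorded yet), "reject_all" or
    "accept_all" (assumed values for this example).

    Rules implemented here:
      * Essential cookies are always allowed.
      * A GPC opt-out is treated as a request to opt out of sale/sharing
        and targeted advertising regardless of banner state, so an earlier
        "accept_all" does not override it.
      * Without an explicit "accept_all", non-essential categories stay
        off (default deny).
    """
    opted_out = gpc_opt_out(headers)
    if opted_out or banner_choice != "accept_all":
        return ConsentDecision(opted_out, False, (ESSENTIAL,))
    return ConsentDecision(False, True, (ESSENTIAL, ANALYTICS, TARGETED_ADS))


def well_known_gpc(last_update: str) -> dict:
    """Body for /.well-known/gpc.json, the document the GPC specification
    uses to announce that a site honors the signal. last_update is an
    ISO 8601 date string (e.g. "2025-01-28")."""
    return {"gpc": True, "lastUpdate": last_update}


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ({"Sec-GPC": "1"}, "accept_all"),   # signal beats stale consent
        ({"sec-gpc": "0"}, "accept_all"),   # "0" is not an opt-out
        ({}, None),                         # no signal, no choice: default deny
    ]
    for hdrs, choice in samples:
        print(hdrs, choice, "->", decide(hdrs, choice))
```

Two practical notes. First, GPC is also exposed to page scripts as the boolean `navigator.globalPrivacyControl`, so any client-side tag manager that fires advertising tags needs the same check as the server; honoring the header while a JavaScript tag still loads a third-party pixel is exactly the kind of inconsistency a complaint will surface. Second, keep the decision logged (request timestamp, signal present, categories allowed) so that when a regulator asks whether the signal was recognized, the answer is a record rather than a recollection.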

3. Incident response

How many incidents have been reported and in what time frame? How quickly were the incidents identified, contained, and remediated? Was there an underlying vulnerability that wasn’t addressed and led to subsequent incidents? Response time, the nature of the incident, and compliance with breach notification requirements provide insight into how prepared the organization is to address data security incidents and whether it maintains a reasonable data security program. (Note: reasonable does not equal zero incidents; it means that appropriate steps have been taken to protect data based on the sensitivity and quantity of data and to detect attacks on the systems.)

After an organization becomes the target of an investigation, a regulator will likely expand its inquiry to other aspects of a privacy program, including:

1. Employee training

How often are employees trained? What does the training cover? Particularly when an incident was caused by a successful phishing attempt, does the organization run phishing simulation tests? If so, what happens if an employee consistently fails the test? (Hint: that employee may need additional training.)

2. Vendor management

Do contracts contain statutorily mandated restrictions on a vendor’s re-use of personal data? Prior to engaging the vendor, did the organization complete due diligence and obtain sufficient information to understand and mitigate potential risks? Has the organization ever audited the vendor? Or asked for any information to confirm that the vendor is complying with its contractual responsibilities, particularly for high-risk vendors? An organization will ultimately be held responsible for a vendor’s mishandling of data, even if it is a vendor that was engaged to assist with privacy compliance. (“My vendor made me do it” is not an acceptable excuse.)

3. Data governance

Did an organization not respond (or incompletely/inaccurately respond) to a data rights request because it has not mapped data and could not identify where all data was being held? Does the organization practice data minimization and appropriately delete/destroy data at the end of its utility or as mandated by a retention policy? Does the organization ensure that its vendors only receive necessary data to perform the services and return or delete the data after termination of the relationship? (Data governance is the glue that holds the privacy program together.)

4. Review and improvement of the privacy program

What is the privacy culture at the organization? Were policies last updated five years ago? Do employees know that the policies exist? What is the process for reviewing and updating policies? A written privacy program is not effective if there is no internal visibility, knowledge, or responsibility. Organizations should be able to show continuous improvement as security standards and legal obligations change over time.

By reviewing the scope of publicly announced regulatory investigations and analyzing the frameworks set out in settlement agreements, organizations can meaningfully translate legal and ethical obligations into metrics that guide decision-making, budgets, resource allocation, and accountability. This approach supports privacy teams in clearly communicating priorities with leadership, demonstrating compliance to regulators, and strengthening consumer trust, making it a great way to celebrate Data Privacy Day.

If you have any questions about your data privacy practices, please contact me or a member of our Privacy & Data Security team.

This article is provided for informational purposes only—it does not constitute legal advice and does not create an attorney-client relationship between the firm and the reader. Readers should consult legal counsel before taking action relating to the subject matter of this article.