Privacy > Compliance – or is it?

August 15, 2023

So far in 2023, Texas, Montana, Tennessee, Indiana, Iowa, and Oregon either passed or signed into law a comprehensive data privacy bill, and the laws in California, Colorado, and Virginia became effective. We’re not surprised US businesses are finding privacy dizzying.  (See more about the state privacy laws in the IAPP’s Privacy Law Tracker.) 

Given the rapid pace of privacy law development, we’re also not surprised about a recent trend we’ve noticed entering social media and corporate reporting: the debate about whether privacy > compliance. (See, for example, IBM’s report about why data privacy is much more than compliance and TrustArc’s paper ‘The Debate Continues: Privacy Program vs. Compliance, Which Reigns Supreme?’) 

Privacy > Compliance – Or Is It?  

As privacy laws continue to develop around the country (and the world), we’re seeing an increase in the number of companies looking to ‘privacy-proof’ their operations. This is a shift from the checklist-driven compliance approach we’ve seen dominate the privacy landscape for the past decades.

The Benefits of Prioritizing Privacy Over Compliance 

Trust is arguably the currency of the modern digital landscape. We live in a world where data breaches dominate the headlines, and customer loyalty is fickle. It is widely accepted that privacy is a legitimate competitive advantage that has the added benefit of safeguarding your reputation and minimizing your legal risk.  

We’re also seeing an increasing number of organizations leveraging privacy as an opportunity for innovation. The drive to avoid intrusive and/or excessive data collection practices prompts companies to think outside the box to find practices that resonate positively with customers. These changes can be as simple as not requesting credit card details from potential leads who want a free trial.  

In practice, privacy-first companies tend to prioritize most or all of the following:  

This doesn’t mean other compliance obligations, like clear consents, transparency, and user controls, don’t matter. But prioritizing “big picture” tasks, like limiting the amount of data you collect, building privacy in from the beginning, and identifying privacy risks early, can make those other compliance burdens lighter.

A Case for Compliance-First 

Compliance is not avoidable. While it’s challenging (seemingly impossible sometimes) for companies to become fully compliant with all privacy laws, it’s not advisable to cast compliance and the associated checklists aside.

A compliance-first approach, while reactive, may have some cost savings over a privacy-first approach – especially in the short term. Compliance can also help you benchmark where your processes are working and where you can make improvements. Finally, compliance is what you will be judged on if you do ever face a complaint or investigation. 

Beyond the Legal Labyrinth:  

Ultimately, however, a privacy-first approach wins when it comes to agility and the desire to develop a more ‘future-proof’ privacy program.  

Regulations, though crucial, lag behind technological advancements and changing consumer expectations. By aligning operational strategies around privacy, businesses are able to be proactive, rather than reactive, in this shifting landscape. They are better positioned to ‘guess’ what future regulation will look like and develop cost-effective and sustainable strategies that stand the test of time. They’re also better positioned to adapt swiftly to emerging challenges and seize new opportunities.

If your company needs assistance with privacy compliance or you’re considering a privacy-first approach, reach out. Our privacy team would love to help.  


The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.
