Privacy > Compliance – or is it?

So far in 2023, Texas, Montana, Tennessee, Indiana, Iowa, and Oregon either passed or signed into law a comprehensive data privacy bill, and the laws in California, Colorado, and Virginia became effective. We’re not surprised US businesses are finding privacy dizzying.  (See more about the state privacy laws in the IAPP’s Privacy Law Tracker.) 

Given the rapid pace of privacy law development, we’re also not surprised about a recent trend we’ve noticed entering social media and corporate reporting: the debate about whether privacy > compliance. (See, for example, IBM’s report about why data privacy is much more than compliance and TrustArc’s paper ‘The Debate Continues: Privacy Program vs. Compliance, Which Reigns Supreme?’) 

Privacy > Compliance – Or Is It?  

As privacy laws continue to develop around the country (and the world), we’re seeing an increase in the number of companies looking to ‘privacy-proof’ their operations. This is a shift from the more checklist compliance approach we’ve seen dominate the privacy landscape for the past decades.  

The Benefits of Prioritizing Privacy Over Compliance 

Trust is arguably the currency of the modern digital landscape. We live in a world where data breaches dominate the headlines, and customer loyalty is fickle. It is widely accepted that privacy is a legitimate competitive advantage that has the added benefit of safeguarding your reputation and minimizing your legal risk.  

We’re also seeing an increasing number of organizations leveraging privacy as an opportunity for innovation. The drive to avoid intrusive and/or excessive data collection practices prompts companies to think outside the box to find practices that resonate positively with customers. These changes can be as simple as not requesting credit card details from potential leads who want a free trial.  

In practice, privacy-first companies tend to prioritize most or all of the following:  

• Data minimization;  
• Privacy by Design; and  
• Regular audits and assessments. 

This doesn’t mean other compliance obligations, like clear consents, transparency, and user controls don’t matter. But prioritizing “big picture” tasks, like limiting the amount of data you collect, building privacy in from the beginning, and identifying privacy risks early can make those other compliance burdens lighter.  

A Case for Compliance-First 

Compliance is not avoidable. While it’s challenging (seemingly impossible sometimes) for companies to become fully compliant with all privacy laws, it’s not advisable to throw compliance and the associated checklists to the wayside.  

A compliance-first approach, while reactive, may have some cost savings over a privacy-first approach – especially in the short term. Compliance can also help you benchmark where your processes are working and where you can make improvements. Finally, compliance is what you will be judged on if you do ever face a complaint or investigation. 

Beyond the Legal Labyrinth:  

Ultimately, however, a privacy-first approach wins when it comes to agility and the desire to develop a more ‘future-proof’ privacy program.  

Regulations, though crucial, lag behind technological advancements and changing consumer expectations. By aligning operational strategies on privacy, businesses are able to be proactive, rather than reactive, in this shifting landscape. They are better positioned to ‘guess’ what future regulation will look like and develop cost-effective and sustainable strategies that stand the test of time. They’re also better positioned to adapt swiftly to emerging challenges and seize new opportunities. 

If your company needs assistance with privacy compliance or you’re considering a privacy-first approach, reach out. Our privacy team would love to help.  

• Privacy