From the recently introduced American Privacy Rights Act—which proposes new federal consumer privacy standards—to numerous state-level bills, to recent and impending artificial intelligence legislation, the data privacy landscape is evolving at lightning speed.
Compliance concerns are now front and center for organizations of all sizes—abroad and in the United States. While it is unlikely that legislation will pass at the federal level, states have clearly demonstrated a willingness to pass and implement comprehensive privacy laws.
California was the first state to act, passing the California Consumer Privacy Act (signed into law in 2018 and in effect since 2020). It was then joined by Virginia, Colorado, Utah and Connecticut, all of which implemented new consumer privacy laws in 2023. As of the date of this article, at least 19 states have passed comprehensive privacy legislation (with implementation dates in 2025 and 2026).
Make no mistake: Maintaining privacy compliance is a complex moving target, and the checks and balances that your company needed 10 years ago do not even scratch the surface of what you need today. As a general counsel, you must be able to assemble a strong, adaptable legal team that can help your company stay compliant with current standards and anticipate and respond to the many changes coming down the pike.
Key considerations for GCs
When preparing for the new frontier of privacy and data security, consider how your department and organization will handle the following critical issues.
1. Ownership of privacy matters. Who is responsible for privacy concerns within your organization—is it the legal department exclusively? If you do have a privacy team, how does your team partner with legal to ensure that all bases are covered? As data privacy concerns become increasingly paramount to your operations and risk management efforts, you may want to consider the benefits of having a separate, dedicated team for these issues. This laser-focused support can help your company keep up to date with regulatory changes and respond with the necessary policies and procedures, thereby reducing the risk of violations and hefty fines. What is more, a freestanding privacy team can be a bridge between various departments, ensuring that privacy is considered across all business functions.
2. Drafting of privacy notices. Given recent and emerging legislation, the drafting of privacy notices and privacy-related contract provisions has taken on new urgency for businesses that handle consumer data. Poorly drafted notices can expose your business not only to legal risks but also to fines and reputational damage. While most lawyers have a degree of skill in drafting these notices, consider whether you have the right person handling this task. A seasoned privacy lawyer understands the legal nuances of your company’s data tracking, collection, processing, storage and sharing practices. They can also help balance legal compliance and user accessibility by making sure that all privacy notices are clear, transparent and easily understandable for consumers.
3. Implications of AI technology. AI is not just the buzzword of the moment; it is likely one of the biggest technological revolutions in human history. Generative AI and other types of machine learning are being implemented in different technologies, by nearly all companies and vendors of all kinds, at a rapid pace. That means that even if your company is not in a regulated industry, you will still have to worry about being regulated by any AI laws on the horizon.
The European Union took the first step in the march toward AI regulation, with the EU Artificial Intelligence Act taking effect across all 27 member states Aug. 1. While some provisions are already active, by 2026, most of this law’s provisions will go into force.
Not wanting to fall behind, Congress has proposed federal legislation, and the White House and agencies, such as the Federal Trade Commission, the Securities and Exchange Commission and the Equal Employment Opportunity Commission have provided guidance on the topic.
Many states are being proactive, with Colorado and Illinois passing AI legislation in 2024 that takes effect in 2026. Additionally, at the end of its 2024 legislative session, California passed numerous AI bills.
The plethora of AI legislation will have significant global implications for companies that develop, deploy or operate AI systems—regardless of where they are in the world. Companies worldwide will have to invest in AI governance; adapt their technologies to meet these regulatory standards; and ensure that their AI systems are lawful, ethical and trustworthy (or else face penalties and business restrictions in the EU or other markets).
Even if your company is using AI indirectly (e.g., through a third-party vendor) and not actively developing AI tools, it will face unprecedented new demands in this area. You will be obligated to explicitly outline how you are using AI, implement an AI risk management policy, and perform AI risk assessments.
These matters will not be exclusive to the legal/privacy team. Instead, they require a multidisciplinary AI team that brings together key business stakeholders, legal, IT, data science, risk, information security, marketing and other functions. As a GC, you have to be able to understand legal’s role in the AI ecosystem and what you are ultimately obligated to do to meet compliance standards.
Consider flexible talent who can make an immediate impact
If you are wondering whether your team has the bandwidth or expertise to manage new and emerging privacy demands and you are not yet ready to add head count, one option to consider is using interim, or temporary, counsel. These lawyers can help lighten your load, whether it is for a specific project or a flexible range of time, bringing in specialized legal expertise as you get your arms around new privacy regulations. A privacy lawyer can help you quickly assess privacy risks, implement corrective measures, and train your internal teams.
In addition to a wealth of privacy and/or AI expertise, interim counsel can often hit the ground running without much assistance. They offer immediate support and strategic guidance for the future, all without the long-term commitment of a permanent hire. That said, if you have an interim privacy lawyer who makes a solid addition to your team, you can often convert them to a permanent employee down the road.
Stay informed, agile and proactive
Preparing your legal team for the evolving privacy landscape is not just a matter of compliance—it is a strategic necessity if you want to stay ahead of the curve. By educating yourself on the changes to come, defining roles and responsibilities, and getting creative with how you build your team, you will be poised to mitigate risk and emphasize your role as a trusted adviser to the business.