How to prepare your legal team for the changing privacy landscape
From the recently introduced American Privacy Rights Act–which proposes new federal consumer privacy standards–to numerous state-level bills, to recent and impending artificial intelligence legislation, the data privacy landscape is evolving at lightning speed.
Compliance concerns are now front and center for organizations of all sizes–abroad and in the United States. While it is unlikely that legislation will pass at the federal level, states have clearly demonstrated a willingness to pass and implement comprehensive privacy laws.
California led the way as the first state when it passed the California Consumer Privacy Act (signed into law in 2018 and in effect since 2020). Virginia, Colorado, Utah and Connecticut followed suit in 2023 with new consumer privacy legislation. As of the date of publication of this article, 19 states had passed comprehensive privacy legislation. The implementation dates for these laws are 2025 and 2026. GCs should consider the following issues when preparing for privacy and data security’s new frontier.
Ownership of privacy issues.
Is the legal department solely responsible for privacy concerns in your organization? If you have a privacy team, how does it work with legal to make sure that all bases are covered? As data privacy becomes more important to your operations and risk-management efforts, you may want to consider a dedicated team to deal with these issues. This focused support can help you keep up with regulatory changes and respond with the appropriate policies and procedures, reducing the risk of violations or hefty fines. An independent privacy team can act as a bridge to ensure that privacy is taken into account in all areas of the business.
Drafting privacy notices.
With the recent and emerging legislation, businesses that handle consumer information are under pressure to draft privacy notices and privacy-related contract provisions. Poorly written notices can expose you to legal risks, fines and reputational damage. Even though most lawyers are capable of drafting these notices to a certain degree, you should consider who is handling this task. A privacy lawyer who has experience in the field will understand the legal nuances surrounding your company’s tracking, collection, storage and sharing practices. They can also help balance legal compliance with user accessibility by ensuring that all privacy notices for consumers are clear, transparent and easily understood.
Implications of AI Technology.
AI is not only a buzzword of the moment; it is likely to be one of the largest technological revolutions in human history. Machine learning and generative AI are being used by all companies and vendors to implement different technologies at a rapid rate. The EU Artificial Intelligence Act, which took effect in all 27 member countries on Aug. 1, was the first step towards AI regulation. Some provisions of the law are already in effect, but by 2026 the majority will be. The White House, the Securities and Exchange Commission, and the Equal Employment Opportunity Commission have all issued guidance on this topic. California also passed a number of AI bills at the end of its 2024 legislative session. Companies worldwide will have to invest in AI governance; adapt their technologies to meet these regulatory standards; and ensure that their AI systems are lawful, ethical and trustworthy (or else face penalties and business restrictions in the EU or other markets).
Even if your company is using AI indirectly (e.g., through a third-party vendor) and not actively developing AI tools, it will face unprecedented new demands in this area. You will be obligated to explicitly outline how you are using AI, implement an AI risk management policy, and perform AI risk assessments.
These matters will not be exclusive to the legal/privacy team. It is better to create a multidisciplinary AI group that includes key business stakeholders and representatives from legal, IT, data security, risk management, marketing and other functions. As a GC, you have to be able to understand legal’s role in the AI ecosystem and what you are ultimately obligated to do to meet compliance standards.
Consider flexible talent who can make an immediate impact.
If you are wondering whether your team has the bandwidth or expertise to manage new and emerging privacy demands and you are not yet ready to add head count, one option to consider is using interim, or temporary, counsel. These lawyers can lighten your workload, whether for a project or a flexible period of time. They bring in specialized legal knowledge as you learn about new privacy regulations. A privacy lawyer will help you assess privacy risks quickly, implement corrective actions, and train your internal team. They provide immediate support and strategic advice for the future, without the long-term commitment that comes with a permanent hire. That said, if you have an interim privacy lawyer who makes a solid addition to your team, you can often convert them to a permanent employee down the road.
Stay informed, agile and proactive.
Preparing your legal team for the evolving privacy landscape is not just a matter of compliance–it is a strategic necessity if you want to stay ahead of the curve. By educating yourself on the changes to come, defining roles and responsibilities, and getting creative with how you build your team, you will be poised to mitigate risk and emphasize your role as a trusted adviser to the business.
Maureen Dry-Wasson is vice president, group general counsel and global privacy officer with the Allegis Group and Major, Lindsey & Africa. She has been an in-house attorney for more than 25 years and is a fellow of information privacy with certifications from the International Association of Privacy Professionals for AI governance privacy management.
Iris Zuckerman is a managing director of client development with Major, Lindsey & Africa’s interim legal talent team in Chicago, working with law firms and legal departments to identify high-quality legal talent to take on short-term, project-based engagements.
Mind Your Business is a series of columns written by lawyers, legal professionals and others within the legal industry. The purpose of these columns is to offer practical guidance for attorneys on how to run their practices, provide information about the latest trends in legal technology and how it can help lawyers work more efficiently, and strategies for building a thriving business.
This column reflects the opinions of the author and not necessarily the views of the ABA Journal–or the American Bar Association.