The Biggest Hurdle for Chief Privacy Officers? A Lack of Authority

A new report from the National Association of State CIOs offers a glimpse into the evolving landscape of state chief privacy officers, highlighting the challenges state governments face in implementing foundational privacy practices.

NASCIO surveyed 17 state chief privacy officers in the first quarter of 2024, comparing the results to previous surveys conducted in 2019 and 2022. The report revealed that while 25 states now have a CPO position, the role and its challenges are constantly changing.
According to the NASCIO report, there’s a shift in who CPOs directly report to, which may be because state governments are beginning to better understand that privacy is not just a function of technology. According to the 2024 survey, it was more likely that CPOs reported to “other administration officials” than state CISOs or CIOs. That’s a significant change from the leadership hierarchy in previous years.
Compared to NASCIO’s 2022 survey, the amount of CPOs who reported they have established privacy programs in their state is 24 percent, down from 29 percent in 2022.

A plurality of the survey respondents, 41 percent, responded that they were in the process of developing a program. NASCIO’s report suggests that may be the reason for the decrease as “some CPOS may feel like the program is just not mature enough to be considered ‘established’ even if they do have an active privacy program.”

One new duty most CPOs are being called on for is to play a significant role in how their states are approaching artificial intelligence and GenAI. A majority, 77 percent, have been involved in setting policies related to AI for their state.
NASCIO’s survey asked CPOs to share their top three challenges for improving privacy practices in their state, and the top responses were a lack of authority, a lack of funding for privacy initiatives and a lack of qualified staff.

The authority to enforce compliance of enterprise privacy policies was the top challenge for CPOs in 2024. Only 20 percent of CPOs responded they had authority to enforce, compared to 42 percent in the 2022 survey.

According to the report: “We don’t know why this number went down, but with a small number of respondents each year, it’s easy for the numbers to vary if a couple of CPOs interpret their authority differently than someone who filled out the survey in past years.”

The topic of funding, however, is showing some improvement from the 2022 survey results. This year, three states reported having a defined budget for privacy initiatives, up from just one state in 2022.

Read all of NASCIO’s advice to states and CPOs in the full report here.