NASCIO Charts Rise of Chief Privacy Officer, Offers Guidance

A new report from the National Association of State Chief Information Officers highlights the large increase in the number of state CPOs. It also offers a blueprint for states or executives to create a privacy program.

The state chief privacy officer (CPO) role has taken hold rapidly within a decade, and more than half of states now have such an executive.

That’s a key finding in a new National Association of State Chief Information Officers (NASCIO) report, which indicates around 30 states now have CPOs or an equivalent compared to just five in 2015 — and offers steps for governments to follow when creating a privacy program.

In the U.S., the position reportedly first emerged in 1999 in the private sector and didn’t take hold with states until 2003, when, as NASCIO has previously said, West Virginia was the first state to appoint a CPO. In the years that followed, the role took hold slowly but steadily, growing more quickly during the past decade.

In NASCIO’s new report, “Creating a Privacy Program: A Roadmap for States,” its creators identify a lack of federal privacy legislation as one driver of the increased push to stand up state-level privacy offices.

Amy Glasscock, the report’s primary author and NASCIO program director for innovation and emerging issues, said key reasons behind the CPO push are the increasing amount of citizen data states are gathering from digital citizen services and the increasing use of artificial intelligence in state government, which brings with it a host of privacy considerations.

“State leaders know that they need to be good stewards of the data they collect, and are therefore hiring chief privacy officers to lead their privacy programs,” she said via email.

The new report outlines a six-phase approach for states looking to develop or strengthen their privacy programs.

The first step for agencies, it said, is to lay a strong privacy foundation by defining a clear vision and mission that aligns with state goals. For those just beginning their journey, Glasscock advises taking an incremental approach.

“I think the first step is to find someone to lead the privacy charge in your state or organization. It could be a deputy general counsel or a program manager to start with,” she said. “Have them get a privacy certification from the [International Association of Privacy Professionals] IAPP (Certified Information Privacy Manager is a great one to start with). Then this privacy lead can start working with leadership in their state or organization to implement the phases of the privacy program that we’ve laid out in our report.”

After governance is established, the report said, agencies should focus on operationalizing privacy by doing data inventories and developing policies on data use, retention and breach response. It also emphasized the importance of continuous monitoring, with agencies tracking key performance metrics such as data breach incidents, response times and training completion rates to assess program effectiveness.

As AI becomes more integrated into state operations, Glasscock noted, CPOs are increasingly playing a critical role in AI decisions, too.

“AI governance has become part of most CPOs’ roles,” she said. “This wasn’t necessarily something they were doing five years ago, but now states recognize that the state privacy officer needs a seat at the table when they consider AI policies.”

Despite CPOs’ increasing presence and the expansion of their role, a difference remains in how their responsibilities are structured in government. Some states have dedicated CPOs, while others assign privacy duties to individuals with dual roles, such as general counsel or CIOs. However, this distinction alone, Glasscock noted, doesn’t necessarily determine a program’s success.

“I wouldn’t say that specifically has an impact on the effectiveness of a privacy program. Some of these folks are doing great privacy work while serving in dual roles,” she explained. “I would say what impacts the effectiveness of a privacy program would be governance (or lack of governance) around privacy, lack of funding for privacy initiatives, and lack of authority for the privacy officer to implement policies.”

During the next few years, Glasscock predicted CPOs’ rise may be affirmed in code.

“I imagine that we’ll see more CPO roles in statute in coming years,” she said. “Right now, I believe only five states have the role in statute, but we’ll see that number continue to grow.”
Ashley Silver is a staff writer for Government Technology. She holds an undergraduate degree in journalism from the University of Montevallo and a graduate degree in public relations from Kent State University. Silver is also a published author with a wide range of experience in editing, communications and public relations.