From the recently introduced U.S. Privacy Rights Act (proposing new federal consumer privacy standards) to numerous state-level bills and recent artificial intelligence bills, the data privacy landscape is evolving at lightning speed. Masu.
Compliance concerns are now top of mind for organizations of all sizes, both internationally and in the United States. While legislation is unlikely to pass at the federal level, states have clearly demonstrated a desire to pass and enforce comprehensive privacy laws.
California was the first state to lead the way when it passed the California Consumer Privacy Act (signed in 2018 and effective in 2020). Virginia, Colorado, Utah, and Connecticut have since joined in, enacting new consumer privacy laws in 2023. As of the date of this article, at least 19 states have passed comprehensive privacy laws (with effective dates of 2025 and 2026).
Don’t get me wrong. Maintaining privacy compliance is a complex and fluid goal, and the checks and balances that companies needed a decade ago barely scratch the surface of what they need today. As general counsel, you must be able to assemble a strong and adaptable legal team to help your company stay compliant with current standards and anticipate and respond to the many changes that will occur.
Important considerations for GC
As you prepare for the new realm of privacy and data security, consider how your department or organization will address the following key issues:
1. Ownership of Privacy Matters. Who is responsible for privacy issues within your organization? Is it exclusively the legal department? If you have a privacy team, how does it work with the legal department to ensure all bases are covered? • As data privacy concerns become increasingly important to operations and risk management efforts, you may also want to consider the benefits of having a separate dedicated team for these issues. This focused support helps businesses stay up to date with regulatory changes and respond with the necessary policies and procedures, reducing the risk of violations and costly fines. Additionally, an independent privacy team can act as a bridge between different departments and ensure that privacy is considered across all business functions.
2. Draft Privacy Notice. In light of recent new legislation, drafting privacy notices and privacy-related contract terms has taken on new urgency for companies handling consumer data. A poorly drafted notice not only exposes your business to legal risk, but can also expose you to fines and reputational damage. Most attorneys have some skill in drafting these notices, but consider whether you have the right person to handle this task. An experienced privacy attorney understands the legal nuances of your company’s data tracking, collection, processing, storage, and sharing practices. You can also balance legal compliance with user accessibility by ensuring all privacy notices are clear, transparent, and easy to understand for consumers.
3. Impact of AI technology. AI is more than just a current buzzword. It is perhaps one of the greatest technological revolutions in human history. Generative AI and other types of machine learning are rapidly being implemented in a variety of technologies by nearly every company and vendor of every type. This means that even if your company is not in a regulated industry, you should be concerned about the possibility of being regulated by AI laws in the future.
The European Union has taken the first steps towards AI regulation, with the EU Artificial Intelligence Act coming into force in all 27 member states on August 1st. Most of the provisions of this law are expected to take effect by 2026, although some provisions are already in force. .
Not wanting to fall behind, Congress has proposed federal legislation, and agencies such as the White House and the Federal Trade Commission, Securities and Exchange Commission, and Equal Employment Opportunity Commission have provided guidance on the subject.
Many states are actively working, with Colorado and Illinois passing AI legislation in 2024 and implementing it in 2026. Additionally, California passed a number of AI bills at the end of the 2024 legislative session.
A number of AI laws have significant global implications for companies that develop, deploy, and operate AI systems, regardless of where they are located in the world. Companies around the world need to invest in AI governance. Adapting technology to meet these regulatory standards. Ensure that your AI systems are legal, ethical and trustworthy (otherwise you may face penalties or business restrictions in the EU or other markets).
Even if companies are using AI indirectly (e.g. through third-party vendors) and are not actively developing AI tools, they will face new and unprecedented demands in this space. They have an obligation to clearly explain how they will use AI, implement an AI risk management policy, and perform an AI risk assessment.
These issues are not exclusive to the Legal/Privacy team. Instead, you need a multidisciplinary AI team that integrates key business stakeholders, legal, IT, data science, risk, information security, marketing, and other departments. As a GC, you must be able to understand the legal department’s role in the AI ecosystem and what you are ultimately obligated to do to meet compliance standards.
Consider flexible talent who can make an immediate impact
If you doubt whether your team has the bandwidth or expertise to handle new privacy demands, and you’re not yet ready to add staff, one option to consider is an interim or temporary Hire a good lawyer. These attorneys bring specialized legal expertise to help ease your burden when dealing with new privacy regulations, whether for a specific project or for a flexible period of time. A privacy attorney can help you quickly assess privacy risks, take corrective action, and train your internal team.
In addition to extensive privacy and AI expertise, interim attorneys are often able to hit the ground running without much assistance. They provide immediate support and strategic guidance for the future without the need for long-term contracts of permanent employment. That being said, having a temporary privacy attorney who is a solid addition to your team can often convert to a permanent position down the line.
Stay informed, stay agile and proactive
Preparing your legal team for the evolving privacy landscape is not just a compliance issue, but a strategic necessity if you want to stay ahead of the curve. By learning about upcoming changes, defining roles and responsibilities, and being creative in how you build your team, you can reduce risk and emphasize your role as a trusted advisor to the business.
Maureen Dry-Wasson is Vice President, Group General Counsel and Global Head of Privacy for Allegis Group and Major, Lindsey & Africa. She has been an in-house lawyer for over 25 years and is a Fellow in Information Privacy with the International Association of Privacy Professionals certification in AI Governance Privacy Management.
Iris Zuckerman is Managing Director of Client Development for Major, Lindsey & Africa’s Interim Legal Talent team in Chicago, where she works with law firms and legal departments to develop high-quality talent to take on short-term, project-based work. We are searching for talented legal professionals.
Mind Your Business is a series of columns written by attorneys, legal professionals, and others in the legal industry. The purpose of these columns is to provide lawyers with practical guidance on how to run their practices, learn about the latest trends in legal technology and how they can help lawyers do their jobs more efficiently, and help their businesses thrive. It is to provide information on strategies for
Interested in contributing to a column? Send your query to (email protected).
This column reflects the opinion of the author and does not necessarily reflect the views of the ABA Journal or the American Bar Association.
