More states are taking privacy seriously, but their work isn’t done

More states than ever are starting to take privacy seriously — but, there’s still ample work to do in creating fully operational, enterprise-wide privacy programs, especially as artificial intelligence raises the stakes.

This finding was the key focus of a report published Wednesday by the National Association of State Chief Information Officers. The report was based on a survey of state chief privacy officers, which also found that the CPO role is expanding in scope and influence. As of last year, 31 states had a CPO, compared to 17 in 2020. Despite this expansion — and that many states are adopting privacy frameworks, strengthening governance and expanding training offerings — most leaders said their privacy programs were still under-resourced and unevenly implemented. They cited a number of challenges that might be overcome by making privacy a “core data governance discipline,” as one CPO put it.

While the CPO role is becoming more common, and more formalized in IT organizations, maturity of these roles and their corresponding programs vary widely. This is despite many states increasingly viewing privacy as critical to maintaining public trust and their digital services. Twenty-nine percent of CPOs reported that their state had an established privacy program, up from 24% in 2024; fifty-four percent said that their program is in the process of being developed, up from 41% in 2024; and only 18% reported having no privacy program, down from 35% in 2024.

And the job functions of state CPOs have evolved beyond ensuring legal data-privacy compliance. They told NASCIO their day-to-day responsibilities now include things like enterprise privacy strategy and governance; data management and risk oversight; procurement and vendor privacy review; and AI governance and policy input.

Though AI’s data privacy considerations are pushing CPOs into a more strategic role, and some state CPOs said they see privacy’s importance elevated by AI, they simultaneously fear privacy could be overshadowed by AI. CPOs consistently highlighted a number of other challenges, like limited authority, insufficient funding and staff shortages. These constraints, the report notes, make it difficult for CPOs implement enterprise-wide privacy governance, enforce compliance or scale programs effectively — but most notably, the report notes, these challenges create “a gap between what states know they need to do and what they can consistently execute.”

For states looking to formally establish a chief privacy officer role, or advance the effectiveness of their current CPO and privacy practice, the report recommends ensuring adequate funding and support from leadership, establishing clearer authority and enforcement abilities, and expanding privacy training and awareness.

“The findings in this report make one thing clear: where CPOs have authority, executive support and resources, privacy programs mature quickly and deliver measurable value,” the report’s summary reads. “The next phase of state privacy leadership will depend not only on laws and frameworks, but on sustained investment, cross-functional collaboration and a shared commitment to protecting the public’s trust in digital government.”