Privacy practices struggling onward in state government, new report shows

The National Association of State Chief Information Officers found that less than one quarter of states surveyed operate an "established" privacy program.

With the rise of AI, data privacy seems to be a growing concern inside state governments, yet less than one quarter of states operate an “established” privacy program, according to a report published Thursday by the National Association of State Chief Information Officers.

The new report — which hefts the title “The Shifting Privacy Paradigm: State Chief Privacy Officers’ Evolving Roles and Persistent Realities” — shows that the number of chief privacy officer roles has risen: NASCIO counted 25 chief privacy officer or equivalent positions, though not all are filled. But of the 17 privacy chiefs who responded to this year’s survey, only 24% reported their states operate an “established” privacy practice, a decline from 29% in NASCIO’s similar 2022 survey, though 41% this year said they’re in the process of building a privacy program.

The group also points to other more hopeful findings, including that the role is increasingly titled “chief privacy officer,” rather than some alternative. Fifteen of the 17 officials surveyed, or 88%, hold that title, a rise from 2022, when only 65% had it.

“This increase is a reflection of the importance of the role,” the report reads. “We are seeing some states hire an official chief privacy officer after having someone else cover the role part-time, which doesn’t add to our overall state CPO count, but shows the role is becoming more established.”


NASCIO found privacy officers are most focused on the privacy of citizen data and internal government operations — only one of the 17 surveyed officials named consumer privacy as their top priority.

Separately, 77% of officials named AI as an important policy area in their states, an unsurprising development as governors issue executive orders tasking agencies with exploring generative AI’s potential risks and benefits. “Privacy professionals are increasingly sought out for their critical input when it comes to AI governance and policy setting,” the report reads.

On AI procurement specifically, 69% of privacy chiefs said they’re involved in approving technology-related contracts, compared to 59% in 2022. Twenty-five percent said they’re “sometimes or in certain situations” involved in AI procurement. 

The California Government Operations Agency on Thursday released its procurement guidelines for generative AI contracts, one of many requirements outlined by Gov. Gavin Newsom’s 2023 executive order.

States’ mixed progress in furthering their privacy practices was partially explained in NASCIO’s probing of privacy chiefs’ top challenges: shortages of authority, funding and staff. The group concludes its report by passing on advice gathered from survey respondents to solve those challenges, which includes placing the chief privacy officer role under the governor, establishing a privacy budget in statute and stationing privacy analysts inside each agency to ensure the state privacy programs are being executed consistently.


One unnamed official quoted in the report suggested that patience may provide the best path forward: “Establishing program, process, policies, procedures and buy-in takes time.”
