Four senior compliance practitioners share their views on the U.S. data privacy landscape and the actions their companies are taking to keep pace with new state laws set to hit the books in 2023. Today’s question:

Q: Which element of ensuring data privacy compliance do you expect to be most onerous for businesses?

Meet the CCOs

Arthur Kirsten

U.S. Head of Compliance

Years in compliance: 20+

Victoria McKenney

Deputy General Counsel - Regulatory and Compliance and Deputy CCO

United States Steel Corporation

Years in compliance: 15

Kortney Nordrum

VP, Regulatory Counsel & CCO

Deluxe Corporation

Years in compliance: 9

Lisa Norris

Director of Compliance

ABB Optical Group

Years in compliance: 17

DISCLAIMER: The views reflected by the practitioners quoted are theirs alone and do not represent the views of their companies.

ARTHUR KIRSTEN: It’s worth noting briefly that data privacy is an interlocking set of systems. Since removing one from the equation can introduce any number of vulnerabilities, every piece should be viewed with extreme vigilance.

That being said, as the regulatory landscape continues to evolve, we may see protections arrive at a variety of specific ends across jurisdictions. Therefore, conforming our product ecosystem to fit a broad swath of competing requirements could present unforeseen challenges.

As our chief executive officer is fond of saying, ‘There’s no shortcut to operational ethics.’ As such, we’re prepared to tailor solutions to best accommodate our community.


VICTORIA MCKENNEY: What has been challenging for U.S. Steel is that we are in the metals and mining business, not in the business of collecting, using, or selling personal data. But because of the broad way data privacy laws are being drafted, we are often swept into the same category as data brokers or companies that are engaged in extensive personal data collection. That can create seemingly illogical requirements with data rights and deletion requests.


KORTNEY NORDRUM: Trying to keep up with various state laws, including enforcement and implementation schedules, is harrowing. Getting the pieces implemented isn’t nearly as difficult as managing which pieces need to be implemented, where, and for whom.

The hodgepodge of state privacy laws leads to confusion and disconnect. If we’re talking about what privacy element is most onerous, I think it is cookie compliance. Cookie consent is a relatively new concept in the United States, but as state laws get more strict and detailed, we are all going to have to reckon with cookie banners and policies.

The U.S. generally is going to have to realize that the days of freely monetizing personal and user data are waning and the human need for personal privacy is not going away.


LISA NORRIS: I believe our internal audits and assessments are the most onerous tasks because they are solely performed by myself and involve building out audit tools, interviewing staff located in various states and time zones, gathering evidence of compliance, creating reports, and ensuring the follow-up of identified corrective actions is successfully implemented.