Four senior compliance practitioners share their views on the U.S. data privacy landscape and the actions their companies are taking to keep pace with new state laws set to hit the books in 2023. Today’s question:

Q: How does your company plan to comply with varying U.S. state privacy laws?

Meet the CCOs

Arthur Kirsten


U.S. Head of Compliance

Years in compliance: 20+



Victoria McKenney


Deputy General Counsel - Regulatory and Compliance and Deputy CCO

United States Steel Corporation

Years in compliance: 15



Kortney Nordrum


VP, Regulatory Counsel & CCO

Deluxe Corporation

Years in compliance: 9



Lisa Norris


Director of Compliance

ABB Optical Group

Years in compliance: 17



DISCLAIMER: The views reflected by the practitioners quoted are theirs alone and do not represent the views of their companies.

ARTHUR KIRSTEN: As a trusted leader in the crypto space that is already in compliance with GDPR requirements, our first move was to examine which existing (GDPR) policies could be applied to these varying privacy laws. In the third quarter of 2022, we established offices in Gibraltar to work more closely with the forward-thinking regulator, and our embrace of industry oversight remains at an all-time high.

Once we applied any applicable privacy frameworks, our detailed gap analysis helped identify where shortcomings persisted in our approach.


VICTORIA MCKENNEY: As with other compliance areas, we first identify all the laws and regulations that may be applicable to our business operations. Next, we analyze the most stringent standard to see if we can uniformly apply it across the company in a reasonable way. If we think that’s not feasible, we apply that approach where required, then look to the next most stringent standard until we find something that makes sense for broad application.

We have found that managing privacy requirements is easier if you can apply a uniform standard that works for most of the company.


KORTNEY NORDRUM: We have a dedicated privacy function without our compliance function. The privacy office keeps on top of new bills, laws, and regulations, in an effort to get ahead on compliance. We monitor state laws through legal tools (Westlaw) and news alerts.

When something notable happens with privacy, we spin up a team to address the new rule, starting with a gap analysis and assessment to determine where we are compared to where we need to be. Once we have that analysis, we build a work plan to tackle each requirement. All of this, of course, also involves our partners on the business side and IT to combine efforts to meet the requirements.


LISA NORRIS: We are reviewing and updating policies, procedures, and training impacted throughout the organization and taking added protections to educate our customers and staff regarding what the new privacy updates will mean for them and the services we provide.