Why Does Data Privacy Matter? It’s About R-E-S-P-E-C-T

January 16, 2024

2023 was a wild year. State privacy laws emerged fast and furious. Broad accessibility to GenAI presented corporations and individuals opportunity (and risk) like never before. Individual privacy is experiencing a pushmi-pullyu moment.

 

Recall Dr. Dolittle? The pushmi-pullyu is a two-headed llama. Actually, a two-front-half-of-the-body-only llama, with heads and feet facing opposite directions.

 

Privacy regulations seek to help individuals pull information in, protect it and provide increased control over personal information. In 2023, seven states passed comprehensive privacy legislation – Delaware, Indiana, Iowa, Montana, Oregon, Tennessee and Texas.

 

See each state’s laws and status on our interactive privacy map.

 

This trend has continued into 2024. On January 8, New Jersey became the thirteenth state to grant comprehensive consumer privacy protection (governor signature pending) and ten additional states have similar legislation pending.

 

We may be our own worst enemy, pushing our personal information out in a variety of ways. Some are fiercely protective of their personal info. Others post daily details of their lives across multiple social platforms. Plenty of us fall somewhere in the middle, trading personal information for convenience. Sometimes, we are unwittingly sharing data with smart devices that then share our data with additional third parties. With the speed at which our world moves, we may want to revisit our data sharing and data hygiene posture at a time when customer names, emails and passwords are included in an estimated 52% of all data breaches, a number that has been increasing at a steady rate year over year.

 

As custodians of personal data, organizations (particularly those who serve consumer markets) must logically bear the brunt of responsibility for protecting it. In tandem with sweeping digital transformation, the past five years saw exponential growth in data privacy laws that spun a global patchwork of regulations and requirements. Importantly, at the root of these protocols lies the concept of “respect,” that is, a focus on respecting consumers, employees and third parties.

 

Just like in the physical world, respect in the digital world is earned. Organizations can go a long way toward building trust around how they collect, use and share data by providing individuals with more transparency, choice and control. Ahead, we’ll dive into all three.

 

 

Transparency

People constantly share personal information with other entities (businesses, employers, governments) at a rate that’s only increasing. For individuals, it’s reasonable to question how this data is used and with whom it’s being shared. There’s also a digitization dynamic where organizations may seek to extract further value from already-retained data. Should the purpose of this extraction stray from the data’s original purpose, someone’s privacy can be violated.

 

Given these competing factors, it’s more imperative than ever to maintain transparency around data collection, processing and sharing activities. Without transparency, organizations run the risk of alienating their patrons once they become aware of events relating to the use of their personal information, such as negative press, regulatory investigations or data breaches. To help mitigate these risks, organizations can offer individuals choices about how their data is processed.

 

 

Choice

While organizations often provide options on how they leverage personal data for marketing purposes, new regulations require more granularity to offer consumers increased autonomy over the process. These additional choices, such as opting out of sharing data with third parties or advanced advertising practices (i.e., geolocation or behavioral indicators), do help address regulatory requirements, but they also allow patrons to feel valued and respected while maintaining control of their data.

 

 

Control

Alongside choice, organizations can offer consumers control through a tailored experience, where users adjust their data-sharing preferences. As attitudes and viewpoints continue to change, it’s becoming essential to support the user’s ability to decide the activities connected to their account, purge information when possible and configure settings that align with personal preferences or comfort levels.

 

Because privacy is a fluid concept, individuals should also have the ongoing ability to offer feedback regarding practices, experiences or decisions around the processing of their data. For example, while some targeted advertisements may appeal initially, consumers should have some control over their delivery and profiling techniques. By retaining control of their data, they’ll feel more secure when sharing information that may be personal or sensitive.

 

 

In Closing

Data privacy is foundational to defining relationships in today’s AI-enabled, digital world. Such relationships warrant mutual respect and the recognition that an individual is an actual person, and not just a means to an end. This reinforces that, beyond the latest regulatory requirements, strong privacy programs are best grown organically by building trust, and rooted in respectful transparency, choice and control. Organizations can move forward together with their patrons and avoid a pushmi-pullyu conundrum, empowering individuals with more autonomy and safety — plus confidence to do business.

Jennifer Mahoney
MANAGER, DATA GOVERNANCE, PRIVACY AND PROTECTION | OPTIV
Jennifer Mahoney has 18 years’ regulatory compliance experience in both consulting and enterprise environments. Her experience ranges from small businesses to Fortune 50 corporations, particularly in the technology, state and local, manufacturing and pharmaceutical verticals. Areas of expertise include the General Data Protection Regulation (GDPR), the California Privacy Rights Act (CPRA) / California Consumer Privacy Act (CCPA), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Personal Information Protection and Electronic Documents Act (PIPEDA), and many others.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.
