As data privacy rules grow stricter, businesses are rethinking how they handle digital risks. This shift is not just about following the law anymore; it’s about ensuring that companies can keep running smoothly while also protecting their long-term interests.
Sonia Cheng, a senior managing director at FTI Consulting, emphasizes that the rising demands for data privacy compliance are changing the way risk managers approach their roles. They now see privacy as a key part of overall risk management, rather than just a box to check for compliance.
Cheng points out that in 2025, twenty U.S. states are enforcing comprehensive privacy laws. With state attorneys general stepping up enforcement and a surge in privacy-related lawsuits, companies face a challenging landscape. Many organizations still do not have a clear view of how data is being tracked across their online platforms, which could lead to significant liabilities.
She warns that businesses can run into major issues if their websites have tracking tools that send user data without proper consent. Often, organizations are unaware of all the tracking technologies they have in place.
Cheng also notes that compliance is not enough if companies work with third-party partners. Under regulations like GDPR, businesses can be held responsible for their partners’ actions. If a partner fails to comply, it can lead to investigations that affect the primary organization.
To address these risks, Cheng introduces the idea of "privacy resilience." This means being able to adapt and recover from privacy-related challenges, such as regulatory inquiries or public backlash. It’s not just about having strong data protection; it’s also about being flexible enough to handle new laws and unexpected events without major disruptions.
Another critical aspect is maintaining trust with stakeholders. Cheng highlights that during crises, organizations that act transparently and consistently are more likely to retain loyalty from their customers. A study from 2024 found that 94% of customers would avoid companies that don’t protect their data properly.
Cheng warns that how a company communicates during a privacy incident is crucial. Poor messaging can worsen the situation. For example, saying "we take privacy seriously" without addressing specific concerns can intensify the crisis.
Financially, privacy failures can impact various areas of a business. Cheng points out that immersive digital experiences, which generate significant revenue, can suffer if privacy issues arise.
As for artificial intelligence, Cheng notes that evolving laws around AI are adding pressure on organizations. This means companies need to adjust their operations to comply with new regulations, which can slow down strategic initiatives.
Third-party relationships also pose risks. If a key vendor suddenly loses functionality, it can disrupt services and harm reputations. To avoid these issues, Cheng stresses the importance of proactive governance, which includes thorough documentation and clear response plans.
In her view, the journey toward privacy and trust resilience starts with honest discussions among leaders about their readiness and objectives. Evaluating whether current practices leave gaps that could lead to unnecessary risks is essential.
Overall, Cheng believes that as the role of privacy expands, organizations must build strong, flexible privacy practices. By doing so, they can better handle crises and thrive in an ever-changing regulatory environment.