I Just Spent Two Days in D.C. Talking Privacy at the FPF Annual Forum. Here’s What’s on Everyone’s Mind.
Last week, I was in Washington, D.C. for the Future of Privacy Forum’s 17th Annual Advisory Board Meeting and the D.C. Privacy Forum, where Red Clover Advisors was a Silver Sponsor. This gathering is just my style, bringing privacy practitioners from across the industry for candid conversations.
Between the state privacy roundtable, youth & safety discussions, the keynote on trust, the value of the privacy department, and so many conversations in between, here is what stood out.
First, the Big Picture: Why This All Feels So Hard Right Now
After FPF shared an update on the amazing work they are doing globally (be sure to follow all their amazing resources or consider membership), the day opened with a keynote from Bruce Mehlman, founding partner of Mehlman Consulting and author of the widely read Age of Disruption Substack.
He set the stage in a way that made everything that followed feel less surprising and more inevitable. His talk was captivating and truly fascinating.
His argument: we are living through what he called a great acceleration, where cultural, geopolitical, and technological forces are all shifting at the same time and reinforcing each other.
Trust in institutions, including government, media, academia, religion, and large corporations, has been declining for decades. Big business ranks as the second least trusted institution.
Voters are responding by choosing change, and that pattern is showing up in election results around the world. Out of 13 recent US election years, 11 went to the opposition.
Meanwhile, the most valuable companies on the planet are now almost entirely digital. AI is changing how wars are fought and economies are organized, and we are entering what looks like a new world order after thirty years of hyperglobalization.
It’s been said before that history repeats, or some say rhymes. He argued that AI and technology will be a core election issue in 2028 and that we have been here before.
The anxiety people feel about technology disruption, the breakdown of familiar institutions, the sense that nobody is fully in charge of where this is going, is not new (and he referenced the Gilded Age often, a favorite period of time I enjoy reading).
Getting the policy response to privacy and AI right matters enormously, because if we get it wrong, the result is more distrust, and everyone ends up worse off.
As you know, I’ve been talking about trust for years, so I was pretty happy to hear a non-privacy professional connect the dots that privacy exists at the intersection of trust and technology. If people do not trust that their data is handled with care, they disengage, push back, or turn to regulators. The big picture Bruce described is the environment we are all operating in. And this is why every privacy professional matters.
The State Privacy Patchwork: Volume, Variation, and Real Frustration
I will be direct about the mood in the state privacy roundtable: people are frustrated. Some called it their annual therapy session. There were genuine moments where practitioners wished out loud for a magic wand, because the volume of state laws, amendments, and issue-specific bills is genuinely hard to keep up with.
The number of states with active privacy requirements keeps growing, and each state interprets and enforces things in its own way. Some have requirements around sensitive data. Some are building out opt-out mechanisms. Some are layering AI-specific automated decision-making requirements on top of general privacy laws, which creates real tension and overlap. Managing all of this at a program level carries a hidden operational cost that adds up quickly.
Companies are really struggling with the intersection of sector-specific laws and state privacy laws and opt-outs across complex systems. Many companies shared experiences working with legislators who don’t understand tech, data, or even what HIPAA actually covers.
Public policy teams at companies or those at organizations like FPF are trying to encourage laws that are interoperable and make sense (and if you like politics but don’t want to run, this might be a great way to get involved!)
There was also a candid conversation about how state AG offices approach enforcement. They are learning as they go, just like everyone else. Some bring a political lens to their investigations. Some want specific disclosures formatted in particular ways because their office asked for it.
One broader challenge the group raised that I think deserves more attention: today’s privacy laws largely put the burden on consumers to figure out what is happening with their data.
Most people have no real baseline understanding of data practices, what rights they have, or how to exercise them. Consumers need to be investigators through complicated data webs or laws that are not clear or consistent. That’s not helpful to consumers. I believe there’s a massive consumer education gap, and I don’t think the laws are going to fill it.
How can companies help?
Build for the consumer.
The consistent guidance that came through: a program built on transparency, honoring consumer rights, and conducting assessments holds up better across jurisdictions than one designed to meet only the minimum of any single law.
Kids Privacy: Complicated, Contested, and Moving Fast
The kids’ roundtable was another room of candid conversations. With so much significant regulatory activity in youth privacy right now, nearly everyone in the room was working through how to make it operational.
Some honest tensions came up that I think are worth naming. Age verification sounds straightforward until you try to do it. Geofencing works some of the time, but it is not a compliance solution. For many companies, this might be the only business option available, but it comes with risks, as an IP address is not a reliable way to know where someone is actually located.
Different states want age signals collected at different points, whether that is once or each time an app is opened. And the requirements across states do not line up cleanly.
There was also a harder conversation about unintended consequences. Overly aggressive age verification or blanket restrictions can cut young people off from information and services they legitimately need (a common example raised is mental health services, confidential hotlines), and not every home situation is the same. Getting this right matters for real reasons beyond compliance.
Regulators and advocates in the room were focused on what companies are actually doing, not whether programs are perfectly polished. The message was similar to what came up in the state session: have a reasonable plan, document it, set clear expectations, and be willing to defend your approach.
Regulators are looking to see what companies are doing to protect consumers, consider privacy risk, and comply with their regulations. Something allows for a discussion, and while a regulator might disagree, it’s way better than nothing.
AI at Work: Privacy Professionals Getting Their Hands Dirty
One of the afternoon sessions featured practitioners from Meta, IBM, DocuSign, and Medidata talking about how they are actually using AI tools in their own privacy and legal work, not just building governance frameworks around AI, but using AI to do the work itself more efficiently.
The conversation was practical and honest. One company shared that employees do not read long policy documents, but they will interact with a chatbot. That is changing how some teams think about delivering privacy guidance internally.
The reminder was strong that hallucination is real, and any workflow that uses AI to generate content or analysis needs human review baked in. The tool can be wrong, and people will act on it.
I loved the slide that said: think like a designer before architecting an AI agent workflow.
Another example? One company shared that before privacy questions even reach the privacy team, UX teams can run through a privacy checklist with AI assistance. Building that kind of upstream review into the process means privacy is considered earlier, and the privacy team spends its time on the harder questions.
Many companies encourage using company approved AI tools and struggle to make progress. One company solved the accountability challenge by having a performance goal tied to AI for each employee.
The audience was reminded that when using AI tools, people still own the work product. We’ve all read the stories online – “the AI did that.” There is no offloading responsibility to the tool. If AI helped produce something, the person responsible for that work is still responsible for it.
Curiosity was another theme, with one company saying hiring for curiosity is a critical requirement going forward. Those who are curious are willing to experiment and iterate, which is essential for this new fast-paced era.
The Next Frontier: When Agents Make the Decisions
One question that came up and did not have a clean answer: what happens when it is not a person making data-related decisions, but an AI agent? Companies are increasingly deploying agentic AI to handle workflows, and many of those workflows touch personal data.
The privacy frameworks we have today were largely designed around human decision-making. As agents take on more of that role, there are real open questions about accountability, transparency, and how rights requests even work in that environment. This is a conversation the field is just beginning to have, and it is one to watch closely.
Be Flexible
While seated at the awards dinner, a severe thunderstorm swept through, and the now empty outside cocktail reception area turned into flying umbrellas. All of the restaurant staff joined together to try and gain control of them (good news, they did). My table was facing the window, which we originally thought how nice, we’ll get a lovely view of the river, yet that thought turned to I hope this glass is strong enough. I had a front-row seat to see how people just got into action to work together.
I’m guessing that controlling flying umbrellas was not a part of their training. Perhaps what to do in an emergency or just how to work effectively as a team was a part of it and people naturally found their role.
Our dinner was also delayed as the staff was literally outside. All of the attendees? We were all grateful to be inside, safe, and while hungry, we kept talking and getting to know each other.
As privacy professionals, we sometimes want to create complex policies and processes. While I do think having a documented plan, policy, and process are important, it’s equally important to remember to be flexible, as what we planned for very well might change unexpectedly.
The Bottom Line
Two days in D.C. reinforced something I see in my own client work every day. This field is genuinely hard right now. The laws are multiplying. The technology is moving faster than policy can follow. The expectations on privacy teams keep expanding. And yes, people who have been in this work for years are still saying they wish for a magic wand sometimes.
You may be behind on something. You may have gaps you have not fully mapped yet. That is not a sign that you are failing. It is a sign that this is a complex, fast-moving space, and the work is real.
What matters is reminding yourself how important this work is. You’re impacting lives daily. It might feel like slow progress, you’re swimming upstream, or you have a mountain of new amendments and laws to read through. I encourage you to show up, document your decisions, and as Dory (from Disney) says, “keep swimming.”
Want to know where your privacy program stands today? Take our free Privacy Program Maturity Self-Assessment to get started.
Jodi
💡 When you’re ready, here’s how we can help:
⚙ Privacy Advisory & Implementation: We help companies navigate privacy requirements with confidence. Our advisory support covers strategy, operations, and real-world implementation.
⚙ Fractional Privacy Services: We provide fractional privacy leadership tailored to your needs and pace. From program development to day-to-day support, we help you build and sustain a strong privacy program.