Across every privacy program assessment we do (and we do A LOT OF THEM), no matter the company size, industry, or how long they’ve had a privacy program, similar issues keep showing up. Some are small. Some are significant. All of them are fixable.

These span the core areas of a privacy program, from how you understand your legal obligations to how you manage vendors, and yes, every example below is a real one.

In this issue, I thought I’d share the areas we see time and again, the ones that keep popping up no matter who the client is.

Regulatory Scoping: “We Know What Laws Apply to Us”

Most companies are confident they know exactly which privacy laws apply to them. Sometimes they’re right. Sometimes they’re very wrong.

I worked with a company once that was completely certain their California employees were not in scope for CCPA. Except they were completely wrong. California residents, including employees, have been covered for years. That was a significant and costly assumption to have made.

Companies often conduct a scoping exercise once, document their conclusions, and never revisit them as the business changes. Meanwhile, they have added a division that serves customers in a new region, started recruiting in new states, or acquired a company that brings a whole new set of legal obligations. Some companies forget entirely about the customers or prospects they have in particular states and what that means for their compliance requirements. Others simply get the requirements wrong from the start.

We have also seen the opposite: companies that value a third-party perspective and bring one in every few years. Those companies have a working roadmap of what they can continue to improve, plus what is new in the ever-changing privacy landscape.

Privacy pros know the landscape is not static; new laws and amendments keep passing. Applicability thresholds get lowered, new categories of sensitive data get defined, protections for children get added, and new categories of data that cannot be sold get added (precise geolocation in VA, for example).

💡 Reader tip: Do a regular privacy regulatory scoping exercise, and make sure it includes amendments, not just the original laws. If you’re curious about when companies should have one, check out this recent blog.

Data Inventories: A Work in Progress

A lot of companies have a data inventory or are in the process of building one. Very few have a truly sophisticated process. The gaps vary, but these are the ones that come up most often.

What are the most common? Companies do not have a reliable way to flag sensitive data or children’s data, and the definitions of both categories vary by state. Cross-border transfer information is either missing entirely or incomplete. And there is often no internal policy actually governing how the data is managed once it is documented. Friendly reminder: Minnesota requires an internal privacy policy.

One thing that consistently surprises people: data classification policies often started with security-focused definitions of data (confidentiality tiers), including a security definition of what counts as sensitive. Privacy laws define sensitive data differently, by the type of personal data involved, and I find the two policies are rarely congruent with each other.

A lot of companies do a system-focused inventory; many are missing the processing-activity inventory. This is why our data inventory masterclass is so popular (we’ll run it again this fall, join the waitlist here). We talk about WHY a record of processing activities, like the one GDPR requires, is so valuable to any privacy program.

Data inventories also often lack an accurate picture of data sold or shared, which a processing-activity inventory picks up.

💡 Reader tip: Review your data inventory for sensitive data and children’s data flags, cross-border transfer details, and whether you have an internal policy governing how the data is managed. If your privacy and security classification policies have never been compared, that’s a good place to start.

Privacy Impact Assessments: Done Inconsistently or Not at All

A privacy impact assessment (PIA) is how a company evaluates the privacy risks of a new product, feature, vendor, or internal process before it goes live. Done well, it catches problems early, when they’re far easier and less expensive to address.

In practice, what we find is all over the map. Some companies have no formal process and no documented policy, so assessments simply don’t happen. Other companies have a clear process on paper but no real accountability for following it, so whether a PIA gets done depends entirely on who is asking.

Then there’s the variation problem. Too many versions of the form, built by different teams at different times. Some are so long and complex that people avoid them. Others are so brief they don’t surface anything meaningful. In some organizations, every department has its own version with no central oversight.

Just today, I talked with a company that does ask questions before approving a use of data. However, their form barely has any questions, and there’s no formal documentation process.

The most frustrating finding of all? The company that has a solid process, follows it, completes assessments regularly, and then does absolutely nothing with the risks identified. Everything is documented. Everything sits in a spreadsheet. The risks stay exactly where they were.

The entire point of the exercise is to act on what you learn. When risks are identified and then ignored, the assessment becomes a false comfort rather than an actual safeguard.

💡 Reader tip: If you have a PIA process, check whether it has a clear trigger so people know when to use it, a single consistent form, and a documented step for what happens to the risks once they’re identified.

Privacy Rights: The Process That Often Has Gaps

Privacy rights, meaning the ability for individuals to access, correct, delete, or opt out of certain uses of their personal data, are legally required under most privacy laws. Most companies have an email or a webform to receive the requests. What they don’t have is a process that runs reliably from start to finish.

What types of processes do we find? Sometimes it is a manual process with no one assigned to check it regularly: the form exists, the inbox exists, and requests quietly accumulate with no one responding. Or there are multiple intake processes across different parts of the company, built independently by different teams at different times, none of them connected, all of them missing pieces, and none consistently managed.

A company might have an email address or a link, but that does not mean it actually functions. We see a LOT of broken links on intake forms and broken links within the privacy policy itself.

We also find an email address in the notice that no one monitors, and employees who have never been trained on what to do when a request actually comes in (CCPA requires this, and we also LOVE these trainings!).

💡 Reader tip: Click all the links in your privacy notice and footer. Then submit a test privacy rights request through your own intake process right now. If you find something broken, go fix it!

Privacy Notices: Outdated, Orphaned, and Out of Sync

When we review privacy notices during assessments, the same things come up repeatedly. The notice lacks the disclosures CCPA requires or the legal-basis disclosures GDPR requires, or it is simply missing information.

I also see companies list states in the privacy rights section, but they still have only what I call the base 5 (CA, CO, CT, VA, UT). We’re up to 19 passed now, so that list is most likely outdated (I noticed one today that is about 9 months old; we’ve had a LOT of states with active privacy laws for years now).

Other challenges: teams do not know who owns the privacy notice. The super frustrating one is when the internal process for getting a change published to the website is so slow and unclear that teams batch their updates and hold them, even when they really should not.

Another common challenge is that the notice no longer reflects what the company actually does. A new product launched, a new marketing activity started, a new business line was added, and the notice was never updated to match.

💡 Reader tip: Read your privacy notice today as if you’ve never seen it before. Check every link, every email address, and ask yourself whether it still accurately reflects what your company actually does with personal data.

Cookies: The Common Challenge

Cookies sit at the intersection of privacy law, litigation risk, and marketing needs, which makes them genuinely complicated to get right. And then there’s the technical side, which adds another layer entirely. I have written a lot about cookie governance, and there are many articles on our website dedicated to it, because it comes up so often and there is a lot to know.

Companies implement a cookie banner and feel like the job is done (it’s not). Marketing agencies add new pixels and tracking technologies through tag management containers, often without anyone in privacy knowing it happened. Vendors change. The banner still reflects how cookies were categorized two or three years ago. The consent mechanism isn’t configured correctly, so it isn’t actually honoring user preferences the way it should. Regular scans are not happening to check what is actually firing on the site.

One of the most underestimated pieces of cookie governance is categorization. Figuring out what each cookie actually does, what the vendor contract says about it, and how to classify it correctly is a significant undertaking. Most teams don’t have the time or background to do it well, and getting it wrong creates both compliance and trust issues.
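The reconciliation the two paragraphs above describe (what the banner says versus what actually fires, in which consent state) can be automated once you have scan output. The script below is an added example written for this post, not code from the author or from any consent tool. It assumes the scan captured the raw Set-Cookie headers returned while loading the site in each consent state; the cookie names, categories, domains and headers are all constructed for illustration and come from no real site.

```python
from http.cookies import SimpleCookie

# Constructed inventory (illustrative names, not from any real site): the
# categorization the consent banner was built from.
DECLARED_CATEGORIES = {
    "session_id": "necessary",
    "_ga": "analytics",
    "_fbp": "marketing",
    "legacy_ab": "functional",   # stale entry: nothing on the site sets it any more
}

# Constructed scan results: Set-Cookie headers captured by loading the site in
# two consent states. Real scans would also need to record cookies set by
# JavaScript (document.cookie), which never appear in response headers.
SCAN_REJECT_ALL = [
    "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "_ga=GA1.2.1; Domain=.example.com; Path=/; Max-Age=63072000",
    "_fbp=fb.1.2; Domain=.example.com; Path=/; Max-Age=7776000",
    "_ttp=xyz; Domain=.example.com; Path=/; Max-Age=33696000",
]
# Constructed to model a misconfigured banner: the same set fires regardless
# of what the visitor chose.
SCAN_ACCEPT_ALL = SCAN_REJECT_ALL

ALWAYS_ALLOWED = {"necessary"}   # strictly necessary cookies need no consent


def cookie_names(set_cookie_headers):
    """Return the names of the cookies set by a list of raw Set-Cookie headers."""
    names = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)          # parses name=value plus Path, Domain, Max-Age, ...
        names.extend(jar.keys())
    return names


def reconcile(declared, set_cookie_headers, consented_categories):
    """Compare one scan against the declared categorization and the consent
    state in which the scan was taken. Returns cookies the banner knows
    nothing about and cookies that fired although their category was not
    consented to."""
    allowed = ALWAYS_ALLOWED | set(consented_categories)
    findings = {"uncategorized": [], "fired_without_consent": []}
    for name in cookie_names(set_cookie_headers):
        category = declared.get(name)
        if category is None:
            findings["uncategorized"].append(name)
        elif category not in allowed:
            findings["fired_without_consent"].append((name, category))
    return findings


def stale_entries(declared, scans):
    """Declared cookies that no scan in any consent state observed: the entries
    that make the banner describe cookies the site no longer sets."""
    seen = set()
    for scan in scans:
        seen.update(cookie_names(scan))
    return sorted(set(declared) - seen)


if __name__ == "__main__":
    report = reconcile(DECLARED_CATEGORIES, SCAN_REJECT_ALL, consented_categories=set())
    print("Visitor rejected all optional cookies:")
    print("  not in inventory:       ", report["uncategorized"])
    print("  fired without consent:  ", report["fired_without_consent"])
    print("  stale inventory entries:",
          stale_entries(DECLARED_CATEGORIES, [SCAN_REJECT_ALL, SCAN_ACCEPT_ALL]))
```

Run against the constructed data, the reject-all scan surfaces all three failure modes from the text at once: a pixel added through the tag manager that nobody categorized (`_ttp`), analytics and marketing cookies that fire even though the visitor declined them, and an inventory entry (`legacy_ab`) that nothing on the site sets any more. The stale check only means something when the scans cover every consent state, which is why it takes the full set of scans rather than one.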

A cookie banner is a starting point (if you even need one), not a program. Regulators are actively examining how companies manage their tracking technologies, and pixel-related enforcement actions and lawsuits have been growing. A set-it-and-forget-it approach does not hold up.

💡 Reader tip: Establish a cookie governance program and test what you have. We have written extensively on this topic and have a number of resources on our website to help you get started.

Training: Security Gets the Spotlight, Privacy Gets Overlooked

Most companies have solid security awareness training. Completion rates are tracked, modules are mandatory, and certifications get renewed on schedule. Privacy training tends to be an afterthought, if it exists at all. Sometimes it’s a few slides tucked into a broader annual compliance course.

The problem with that approach isn’t just that it’s brief. It’s that it isn’t relevant to the people sitting through it. What marketing needs to know about privacy is genuinely different from what HR needs to know, which is different from what finance, product, legal, or customer service needs to understand. A few slides buried in security training can’t properly cover what employees need to know about privacy.

Role-based privacy training, built around what each team does with personal data and what decisions they’re actually making, is what creates real understanding. Without it, employees can’t be expected to flag issues, follow the right process when something comes up, or make good decisions in the moment.

💡 Reader tip: Look at what privacy training exists at your company and who is taking it. If it’s one general module for everyone, consider whether role-based training is needed for the teams that handle the most personal data.

Vendor Management: Privacy Often Gets Left Out

Third-party vendor risk management programs tend to be built around security. That’s a good starting point, but it’s not the whole picture. Privacy has its own set of questions that a security review doesn’t cover.

Privacy wants to know: What personal data is this vendor collecting or receiving from us? What are they allowed to do with it? How long are they keeping it? Can they use it for their own purposes? What happens to our customers’ data if we stop working with them? Are the contract terms required by law actually in place?

What we find is that security has a strong review process, legal handles the contract negotiations, and privacy sits somewhere in the middle, brought in inconsistently, with no formal touchpoint in the standard vendor review workflow. The functions are rarely well integrated. And the contracts often reflect that: required data processing addenda are missing, privacy provisions have not been reviewed against current legal requirements, or legal finalized the paperwork without a close look at the privacy clauses that are required by law or that simply should be there.

Security is essential. It is not the only thing that matters when a vendor is handling your customers’ personal data.

💡 Reader tip: Pick a few of your most significant vendors and check whether privacy had a formal role in the review and whether the contracts include the privacy provisions required by the laws that apply to you.

These Are the Issues We See Most. They Are Not the Only Ones

Every privacy program assessment we do surfaces something different, but these issues come up again and again across companies of every size and type. That’s not a coincidence. It reflects how privacy programs actually get built, in pieces, over time, without always having a complete picture of what’s working and what isn’t.

After years of doing this work, we know what good looks like and we know where the gaps tend to hide. A privacy program assessment is how you find out exactly where you stand, with a clear view of what needs attention and in what order. If you want to start on your own, our Privacy Program Maturity Self-Assessment is a practical place to begin.

Jodi


💡 When you’re ready, here’s how we can help:

⚙ Privacy Advisory & Implementation: We help companies navigate privacy requirements with confidence. Our advisory support covers strategy, operations, and real-world implementation.

⚙ Fractional Privacy Services: We provide fractional privacy leadership tailored to your needs and pace. From program development to day-to-day support, we help you build and sustain a strong privacy program.