Why is it still so hard to get corporate buy-in for privacy compliance?

As enforcement ramps up and AI reshapes data use, privacy compliance still struggles for sustained board‑level attention.

Contributors:
Odia Kagan
CIPP/E, CIPP/US, CIPM, FIP, PLS
Partner, Chair of Data Privacy Compliance and International Privacy
Fox Rothschild
Editor's note
In 2026, with privacy enforcement ramping up, class actions multiplying and artificial intelligence throwing gasoline on the data governance fire, privacy compliance still doesn't get the same boardroom urgency as the Committee on Foreign Investment in the U.S., Anti-Money Laundering regulations or antitrust enforcement. Why is that? And more importantly, what can privacy professionals do about it?
I discussed these issues in a panel at the recent IAPP Global Summit 2026 with Subaru’s Dan Brewer, Genetech’s Kim Gold and Wells Fargo’s Mark Quist about what we are seeing in the market and what to do about it. Below are the highlights of our discussion.
Why are we still having this conversation?
After years of EU General Data Protection Regulation enforcement, a patchwork of U.S. state privacy laws and a steady drumbeat of FTC actions, why is privacy compliance still fighting for a seat at the table?
It's genuinely hard to explain
Privacy is more complex than most compliance domains. You're not dealing with one law; you're dealing with dozens of overlapping, sometimes contradictory obligations across jurisdictions. It’s not easy to distill that into a crisp three-minute pitch for your CEO. Antitrust has bright lines. AML has clear triggers. Privacy has a shifting patchwork with daily updates and changes. That complexity makes it hard for leadership to grasp the scope and, therefore, the urgency of what needs to happen.
It's hard to point to the enforcement bogeyman
Unlike, say, the Office of Foreign Assets Control sanctions or Foreign Corrupt Practices Act enforcement where the penalties are eye-watering and well-publicized, privacy enforcement has historically been more diffuse. Especially in the U.S., actions are spread across different regulators, different jurisdictions, and different legal theories. Demand letters and enforcement actions aren't always fully transparent. That makes it easy for leadership to say, "Show me the company in our space that got hit," and hard for you, the privacy pro, to respond with one single example that makes the case.
'If it ain't broke, don't fix it'
The legal landscape and its requirements are sometimes changing too fast. It is not easy to articulate why the program that was adequate for automated tools a year ago now requires two new types of risk assessment. The risk level for website cookie compliance has also changed dramatically over the past year, requiring companies to reassess their strategies.
'But all of our competitors are doing it'
This is one of the most persistent objections. If nobody in your industry has been sued or fined, there is often an assumption that the current approach must be adequate. But is it? Enforcement is accelerating. The plaintiffs' bar is innovating. And the fact that your competitor hasn't been hit yet doesn't mean their practices are compliant; it may just mean they haven't been caught.
People don't 'get' why privacy matters vis-à-vis the private sector
There's still a widespread perception that privacy is really about government surveillance, not about what companies do with consumer data. The U.S. cultural narrative hasn't fully internalized that private-sector data practices carry real risk, both to individuals and to the business.
'We're good on the GDPR, so we're fine in the US'
This is a dangerous assumption. GDPR compliance and U.S. state law compliance are not the same thing. There are different frameworks, different triggers and different enforcement mechanisms. Yes, you are a big part of the way there if you have a strong GDPR-based program. However, you would still need to revise your privacy notice, address additional consumer rights, conduct some extra data risk assessments, and comply with new data-sharing agreement requirements, biometric data compliance, AI compliance and more.
Who owns what?
Privacy overlaps with security, marketing, IT, HR, and legal. When ownership is unclear, accountability diffuses and nothing moves. The result? Resources may get allocated to things with clearer ownership and more visible consequences.
Is it getting better or worse?
The honest answer: It's complicated.
On the 'worse' side of the ledger
The EU Omnibus proposal is being perceived by some as a signal that Europe is downshifting on privacy enforcement. Whether or not that perception is accurate, it gives ammunition to the "see, even Europe is backing off" crowd. Meanwhile, AI is hijacking both the conversation and pieces of the budget.
On the 'neutral' side
Enforcement is increasing, but it hasn't fully broken through the noise yet. More actions are being filed, and more demand letters are going out. Despite this, the cumulative effect hasn't hit the tipping point where every general counsel is on high alert.
On the 'better' side
Once litigation or enforcement hits close to home, a competitor gets sued, or a company in your sector receives a demand letter, the conversation changes overnight.
There's also a silver lining in the maturation of the field: Established privacy budgets are easier to defend and fund than new ones.
The regulatory environment is more complicated and constantly changing, but teams that have been doing this for a few years have muscle memory. You don't have to reinvent the wheel every time a new state law passes. Compliance fatigue is real, but so is institutional capability.
What do we do about it?
So, you're the privacy professional or outside counsel trying to move the needle. What actually works?
Get access to leadership and be smart about the message
The single biggest structural problem is that privacy often doesn't have a direct line to the C-suite. The message goes through layers of management, gets diluted and arrives at the top as background noise. The governance fix is straightforward in theory: Give the privacy function more direct access. In the EU, the mandatory data protection officer with access to the board is the model. Does it work in practice? Not always. In these cases, actual receptiveness from leadership is more important than the formal structure.
But the principle is sound: Privacy needs a voice at the table to directly pass the message.
When you do get in front of leadership, be sharp and quick. You don't have an hour. You might have five minutes. Use a vehicle that gets attention. Tie it to something the C-suite already cares about. This may be Securities and Exchange Commission disclosure obligations for U.S.-traded companies, the U.S. Department of Justice's rule on access to U.S. sensitive personal data and government-related data — the Bulk Transfer rule — or the fact that data protection impact assessments increasingly need C-suite sign-off. The threat of personal liability gets attention in a way that abstract regulatory risk does not. Once a regulator looks under the hood, everything is on the table.
Articulate it differently to different people
This is critical. The pitch to the CEO is not the same as the pitch to the chief marketing officer, the chief technology officer or the board. For some audiences, it's about risk: There is a real risk to you personally, and you need to be involved. For others, it's about value: Privacy-compliant data practices let you do more with data, not less. For still others, it's about how privacy fits into the bigger picture of the company's strategy, brand and market position.
Make the risk tangible
One of the biggest challenges is that privacy risk feels abstract. Make it concrete. Work with outside counsel to visualize enforcement trends, benchmark your program against peers and track the litigation landscape in your sector. Outside counsel can help translate diffuse regulatory activity into a clear picture: here's what's happening, here's how it affects companies like yours, and here's what the trajectory looks like.
Be pragmatic and don't cry wolf
Nothing kills credibility faster than overstating the risk. If you flag every development as a five-alarm fire, leadership will tune you out. Stay humble about your role as part of legal and part of a business. Give practical advice that balances risk management with operational reality. When you push back, make sure it's on something that matters.
Quantify the benefit
This is where many privacy professionals struggle and where the conversation can really shift.
For business-to-consumer companies
Privacy compliance builds trust. Trust builds lifetime customer relationships. Trust is what makes a consumer pick you over a competitor. And yes, "less creepy" can be a real brand differentiator. The counterargument you'll hear is, "What do cookies have to do with trust?" This is a fair question, and part of the answer is that the regulatory framework isn't always perfectly aligned with consumer expectations. But the bigger point is this: If you are compliant, you can actually collect more data and do more with it because you have the consent and governance framework to support it.
For business-to-business companies
Your customers' privacy programs are maturing, and they are increasingly unwilling to buy from vendors who can't demonstrate adequate data protection. Privacy compliance isn't just a legal obligation — it's a sales enabler.
For investment
Investors and acquirers are looking at privacy posture as part of due diligence. A weak privacy program is a deal risk. A strong one is a value driver.
Bottom line
Privacy compliance buy-in isn't a one-time pitch; it's an ongoing campaign. The complexity and fast pace of the regulatory landscape, the diffusion of enforcement and the competition for budget and attention from AI and other priorities all make privacy compliance very challenging. But the trajectory is clear: Enforcement is increasing, litigation is expanding, and the companies that treat privacy as a strategic priority — not a check-the-box exercise — will be better positioned for what's coming. Privacy pros should continue to prioritize access to leadership, convey the risk in clear terms, tailor the message to the board and quantify the upside of increased consumer trust. That's how you move the needle.
