On April 3, 2025, the National Association of State Chief Information Officers (NASCIO) released a pivotal report entitled “Creating a Privacy Program: A Roadmap for States,” offering chief privacy officers (CPOs) a structured approach to developing statewide privacy programs from the ground up. The report comes at a time when the integration of digital services and generative artificial intelligence (AI) in state governments is escalating, raising significant privacy concerns that need to be addressed.
According to the report, the number of state chief privacy officers has surged from just five in early 2015 to approximately 30 today, highlighting a growing recognition of the importance of privacy governance. The report emphasizes that many states have enacted comprehensive consumer privacy laws in the absence of federal regulations, which has heightened public awareness regarding privacy issues. This shift is critical, as privacy professionals point out the potential risks associated with new technologies like generative AI.
Despite the pressing need for formalized privacy programs, CPOs face numerous challenges in establishing these frameworks, particularly when starting from scratch. The report notes that many existing privacy laws primarily focus on consumer privacy, leaving states to create their own governance structures and enforcement mechanisms for state entities. Additionally, the variability of state IT operating models complicates the ability to implement consistent privacy practices.
The roadmap outlined in the report consists of six essential phases for building a robust privacy program: establishing foundations, developing governance, operationalizing privacy, building awareness, managing incidents, and monitoring and improving. The first phase involves laying a strong foundation with a clear vision and leadership. Following this, states should develop governance by mapping data lifecycles and adopting recognized privacy frameworks, such as the National Institute of Standards and Technology’s Privacy Framework.
Operationalizing privacy is the third phase, which requires states to conduct inventories, implement governance policies, and adopt a privacy-by-design approach in all processes. The fourth phase focuses on building awareness through tailored training and stakeholder engagement. Managing incidents, including breach response plans and clear communication strategies, is the fifth phase. Finally, CPOs are encouraged to monitor and improve their programs using metrics and audits to keep pace with evolving legal and technological landscapes.
The report offers a reassuring message: “Starting a privacy program from scratch can feel overwhelming, but focusing on key priorities like legal compliance and data inventory — while also building a privacy-first culture — will set you up for success.” It acknowledges that achieving perfection from the outset is unrealistic, but emphasizes the importance of regularly refining approaches as programs evolve.
In a related development on the same day, Common Sense Privacy announced the launch of a new privacy seal program aimed at helping consumers, parents, and schools identify leaders in privacy. This initiative is particularly significant in an era where privacy concerns are paramount, especially for children’s data. The new seal allows companies that surpass minimum compliance standards to showcase their commitment to privacy, providing consumers with a quick way to identify trustworthy digital products.
The initial cohort of EdTech companies awarded the Common Sense Privacy seal includes notable names such as MagicSchool AI, Prodigy Education, ClassDojo, Quizizz, Kami, Kira Learning, and Brisk Teaching. This seal signifies that these companies have gone beyond basic compliance to establish robust privacy practices, which is increasingly important to consumers today.
Daphne Li, CEO of Common Sense Privacy, stated, “These companies have demonstrated exceptional leadership in privacy protection, going far beyond minimum compliance to uphold new standards in user data protection.” The seal explicitly prohibits six invasive practices: data sales, third-party marketing, targeted advertising, third-party tracking, cross-app tracking, and commercial profiling, representing a gold standard that consumers are beginning to demand from digital products.
Today’s consumers expect more than just basic compliance; they are looking for leadership in data protection, especially concerning sensitive information. The Common Sense Privacy seal serves as a signal to consumers that a company prioritizes privacy rather than treating it as an afterthought. This initiative is part of a broader effort to elevate privacy standards across the industry.
Common Sense Media, the parent organization of Common Sense Privacy, has been a trusted authority for over two decades, providing gold-standard content and technology ratings. The organization has also played a crucial role in advocating for privacy legislation, including the landmark California Consumer Privacy Act, which set a precedent for privacy standards nationwide.
The process for obtaining the Common Sense Privacy seal involves a rigorous evaluation that includes a comprehensive 200+ question privacy rubric, direct consultation with a privacy analyst, and a commitment to quarterly monitoring with annual policy updates. This thorough approach ensures that the seal represents a meaningful distinction that consumers can trust when selecting digital products for their families.
Ben Johnson, Chief Technology Officer of Prodigy Education, remarked, “We’re honored to be among the first recipients of this seal, reaffirming our commitment to privacy. It’s vitally important that anyone who teaches or learns with Prodigy does so with peace of mind.” This sentiment echoes the growing demand for transparency and accountability in how companies handle user data.
As privacy concerns continue to mount, both the NASCIO report and the Common Sense Privacy seal program underscore the importance of proactive measures in safeguarding personal information. With the landscape of digital services evolving rapidly, state governments and companies alike must prioritize privacy to build trust with consumers and ensure compliance with emerging regulations.
For companies looking to adopt best-practice privacy policies, Common Sense Privacy encourages them to explore how they can qualify for the seal. Organizations interested in learning more can visit commonsenseprivacy.net/seal for details. Meanwhile, those attending the ASU+GSV Summit in San Diego from April 6-9 can reach out to arrange meetings with Common Sense Privacy representatives.