NASCIO Voices

Privacy Persevering: State CPOs Gain Responsibility, Lack Funding

NASCIO Episode 163

In this episode of NASCIO Voices, Amy is joined by NASCIO guest host Kalea Young-Gibson to break down NASCIO's latest report on the state Chief Privacy Officer (CPO) role. The report — based on responses from all 28 currently active state CPOs — reveals a role that's growing fast but still fighting for the resources it needs.

Amy and Kalea dig into the rapid expansion of CPOs across state government (from just 5 states in 2015 to 31 in 2026), the push toward formal privacy programs and frameworks, and how AI is reshaping — and sometimes overshadowing — the privacy function. Despite CPOs stepping into enterprise leadership roles, most still lack dedicated budgets, enforcement authority, and sufficient staffing.

The conversation also covers what CPOs say they need most: funding, CIO support, and a stronger seat at the table. Amy's key takeaway? CPOs know exactly what to do — they just need the authority and investment to do it.

Key topics covered:

  • Growth of the state CPO role
  • Privacy program maturity and the NIST framework
  • CPO involvement in AI policy and risk
  • Top challenges: funding, authority, and awareness
  • What CPOs need to succeed in 2026 and beyond
  • And what we're reading!

Amy Glasscock

Hi, and welcome to NASCIO Voices, where we talk all things state IT. I'm Amy Glasscock in Lexington, Kentucky.

SPEAKER_01

And I'm Kalea Young-Gibson in Charlotte, North Carolina. Alex is on vacation this week, so I'm stepping in to talk with Amy about the new NASCIO report on the state privacy officer role.

Amy Glasscock

We recently surveyed 28 state chief privacy officers to find out what they're doing, how their role has evolved over the last two years, and what they need to do their jobs most effectively. Let's get into it.

SPEAKER_01

Alright, so Amy, give me the TL;DR, or the "too long; didn't read," for the uninitiated. What's the key takeaway from this report?

Amy Glasscock

I would say that the key takeaway is something along the lines of state CPOs have more authority and responsibility than they've ever had before. They're having to do these big jobs, and in many cases, doing them without dedicated funding, without enough authority, and they're seeking more support from the top-down.

SPEAKER_01

That's a pretty good summary. So give us a quick overview. What is this report and what does it cover?

Amy Glasscock

Yeah. So this is our fourth NASCIO state CPO survey. We did the first one in 2019. So we do them every two to three years. It's closer to two years these days. And it captures how the state CPO role responsibilities and programs are evolving. And so this report covers the structure and reporting of folks in the role, you know, like what organization they're under and how the privacy team is structured, privacy program maturity, their involvement in artificial intelligence, and then the challenges and needs of folks in that role. And the report is based on responses from 28 state CPOs, which is 100% of CPOs currently in the role. We count 31 states with the role, but three of them had vacant positions when we took the survey. So pretty good response.

SPEAKER_01

Yeah, yeah. That sounds like a great response. And I love how you brought up role structuring and reporting. As I continue to work with accessibility officers, I'm also seeing, you know, differences in those structures like where the AO might be housed, who they might oversee. So definitely some interesting distinctions within the organization for sure.

Amy Glasscock

And everybody wants to know how it looks in other states. Absolutely. Questions we always get. So it's important to track that.

SPEAKER_01

Yep. So what did you find about how the CPO role itself is evolving?

Amy Glasscock

Yeah. So as we see year over year, there continues to be rapid growth in the role. So in 2020, we counted 17 states with the CPO. And like I said, it's 31 as we sit here in 2026. Wow. So that's a big jump. Yeah. We started counting in 2015, and there were five back then. So it continues to grow. 43% of them are the first person to hold the role as it is in its current iteration in their state. So still a lot of states that this role is new for. And you know, also a lot of states where they're not the first person. So we're seeing some maturity there too. And then a bigger chunk than we had realized in the past sit in the CIO organization. So 71%. We used to just track like who do you report to? So, you know, maybe it was like 29% report to the CIO, and then others report to a CDO or a CISO or a deputy CIO. Right. And this year we looked at, okay, well, how many of those folks are in the CIO organization? And so it's actually bigger than we had kind of been talking about before. 71% are in the CIO organization, which is not the case in the private sector. You tend to see CPOs in like compliance or legal, but we're seeing it under technology very commonly in state government. And then I would add that we're seeing that increasingly the CPO role in 2026, they're seen as enterprise leaders and not just compliance people anymore. And there's still a lot of variability in authority, what they have authority over, who they have authority over, their reporting structure, and then kind of the scope across agencies and how they're working.

SPEAKER_01

Yeah, yeah. That all sounds very, very interesting, especially, you know, looking at the growth. It really seems like the CPO role in some ways is also following how emerging technologies are growing as well. And, you know, so that could speak to how some of these emerging technologies especially are creating more privacy risk. Very interesting. And hopefully we can get to 50 within the next few years.

Amy Glasscock

Yeah, yeah, I think so.

SPEAKER_01

So, where are states today when it comes to building an actual privacy program and how mature are these programs today?

Amy Glasscock

Yes. Well, I would say in this report especially, we're seeing incredible movement toward program maturity. So we learned that 29% have established privacy programs, 54% have programs that are in progress of being established, and only 18% said that they have no program, which is down significantly from 34% that gave that answer in 2024. So, you know, most states are moving toward establishing a program if they don't already have one. And the other major shift that we saw was toward using privacy frameworks. So 79% reported using the NIST privacy framework. And two years ago, only four states said they were using any framework at all, and three of them using NIST. So, you know, that's huge. And then some of the common things that they're doing around actually putting the framework into practice are creating policies and guidance, establishing training programs, creating data sharing agreements, and doing privacy impact assessments. So, but I would say, you know, overall using the framework is one of the strongest indicators of progress in this area.

SPEAKER_01

Yeah, that's amazing. So, how are CPOs engaging with artificial intelligence or AI in their states?

Amy Glasscock

Yeah. Obviously, AI is changing everyone's jobs.

SPEAKER_01

Oh, yeah.

Amy Glasscock

So we learned this year that 90% are involved in AI policy development. I believe that number was 79 two years ago. So continuing to be heavily involved in AI, they are creating AI risk assessments, doing procurement reviews for AI products and services, and helping with vendor due diligence around AI products. You know, collaboration with the CIO and CISO is still kind of all over the place. Only 22% said that collaboration is highly integrated with the CIO and CISO on AI-related security risks. So, you know, still some work to be done there. And then we asked what the most impactful data points are when communicating AI-related privacy risks to CIOs and CISOs and executive leadership. And the number one answer was the type and sensitivity of data. So that seems to be what gets people's attention the most. And then I will say AI is definitely CPOs are saying that it's elevating privacy in a lot of ways. So folks are realizing, like, oh, there's a lot of privacy implications when we're using these AI tools. So we better bring in the chief privacy officer, we better hire a chief privacy officer. So that's great. But then there's also kind of a fear that AI could end up overshadowing privacy in some ways. So it's like so big right now that sometimes they feel like in some cases, people are like, oh yeah, privacy, we need you. In other cases, like, oh, privacy who? So, you know, kind of a double-edged sword there sometimes.

SPEAKER_01

Yeah, and so that kind of gets into the next question. So, in addition to kind of the looming, you know, AI elevating privacy, not exactly sure how it's gonna go just yet. What are some of the other big challenges that CPOs are facing right now?

Amy Glasscock

We asked this question in every CPO survey, and number one is always lack of funding.

SPEAKER_01

So I think that's uh you know, across the board at this point.

Amy Glasscock

Yeah, in government for sure. The second top challenge was lack of understanding of privacy, and we've seen this before, I believe four years ago was on the top of the list. So still having trouble with folks being confused at the state level about what's privacy. I thought that was just part of security.

SPEAKER_01

Yeah.

Amy Glasscock

And then lack of authority, not being able to actually make changes in, you know, across government that are needed to be made. So, you know, back to the funding problem. Only six states have a dedicated privacy budget that is growing, but it's growing slowly. And you know, we talk to 28 people. And then a lot of CPOs have a lot of responsibility, but they don't have enforcement authority. So that can be tough too. So slightly different question that we also ask is okay, like you've told us your challenges. What do you need most to do your job effectively? And so again, funding number one, number two for the first time, which we thought was interesting, was CIO support, and then after that, support from executive level folks. So really seeking that upper level CIO and executive support for the privacy program, and then also staffing still needed. A lot of CPOs do have some staff now, but they need more, and of course, it's a challenge to hire highly qualified privacy professionals that want to work for government rates, as we see across our, you know, issue areas. And then they need enforcement ability, so actually having some teeth to go along with their suggestions and recommendations. So, you know, we're learning that CPOs, they know what to do, you know, they've got their arms around privacy and creating privacy programs, but they lack the capacity and authority to be able to do it consistently.

SPEAKER_01

Wow. Okay. So based on the report, and given everything you just said as well, because I think it's very important to, you know, or I think what's sticking out to me is you're saying that CPOs know what to do. They just need more support to do it. So, based on that, where do you think the CPO role is headed next? And do you think that direction will ultimately result in the CPOs gaining the support that they need?

Amy Glasscock

To answer the first part of the question, you know, if we're really seeing this shift from the CPO role being a compliance role into this bigger data governance and design discipline role. We're seeing privacy moving upstream into systems and architecture, and we're seeing AI being this huge driver of change for the role. And I think, you know, their success, as I've said a couple of times already on this podcast, depends on authority, executive support, and sustained investment. Yeah. So funding. And I guess I do think that the role will continue to be elevated and get some of that support. And I think us talking about it is important. And absolutely, you know, since we are NASCIO, sharing this need with the CIO community, I think is important too. So yeah, I think there will continue to be growth and movement as we've pretty consistently seen every survey since 2019.

SPEAKER_01

Yeah. Wow. So this has been really interesting and some super timely insights. The main thread that I'm hearing is growth, which is always good and always positive. So super excited for this full report to come out. I've taken a peek at it, and as always, anything you write, it's amazing. Oh, thank you. So thank you for sharing this with us. But you know, of course, we cannot call this a NASCIO Voices podcast without the lightning round.

Amy Glasscock

Yes. Let's do it.

SPEAKER_01

First question for you: do you have any fun trips planned this spring?

Amy Glasscock

Yes, when this podcast comes out, I will be on a trip with my family for spring break, and we are going to Zion National Park in Utah and Grand Canyon in Arizona. So, yeah, we're gonna be looking at a lot of big red rocks and hiking and things. So really excited for that. Beautiful. Yeah.

SPEAKER_01

Yeah. I think I'll be not, you know, going anywhere out of state per se, but I'm super excited to go to Folly Beach, South Carolina. Start off Folly. Yes, it's my it's my favorite beach as well. Super excited to start off the beach season. So next up, what is a good book that you've read in the last year?

Amy Glasscock

So one book that I read last year, and I keep talking about it, is called Your Hidden Genius. And it's a really interesting book. I heard about it, so then I had to buy it. And basically, if you buy the book, it comes with this like hour and a half long aptitude test that you take online, and it puts you through all these like exercises and tests and things, and tells you just like what you're good at and how it categorizes you, and it's based on a lot of science, so you know, I don't you know, people have different feelings about these like tests that put you in categories, but I thought it was it was very validating for me because you're always worried that you're gonna take these things, and it's like you should have been an astronaut, you know, and it's like, well, that ship has sailed. But it kind of it told me that kind of like what I excel at should be studying data and then going and talking to people about it.

SPEAKER_01

Uh well, it looks like you found your calling.

Amy Glasscock

Yes. So and then sort of on the other side, it was like you're also good at like spatial analysis, so you might be like a good interior designer. That's what I do on the side.

SPEAKER_01

Hey, listen, you know yourself.

Amy Glasscock

But the funny thing is, it was like your ultimate career would be professor of architecture.

SPEAKER_01

You know, I could honestly see that for you.

Amy Glasscock

I could too.

SPEAKER_01

I think you'd be a really good teacher. I'd take the code.

Amy Glasscock

I was like, I do think I would like that, actually. I'm probably not gonna go back to school for all of that, but I will take the win as in like I'm pretty much doing the right things right now. So highly recommend it for anybody who's maybe interested in what their career might look like if they were doing their best work, and even if you're getting ready to retire, because in a lot of cases, you know, the book talked about how maybe you're doing this other career, but you can like pick up hobbies that fulfill your aptitudes and feel pretty satisfied in that way too.

SPEAKER_01

Absolutely. I'm definitely gonna have to check that out. You said it's called The Hidden Genius.

Amy Glasscock

Your Hidden Genius.

SPEAKER_01

Your Hidden Genius. Okay. I think a good book that I've read the last year, it's a reread. I reread or started to reread A Song of Ice and Fire, which is um George R. Martin's, you know, the Game of Thrones books. Yeah. So I really enjoyed rereading A Clash of Kings, which is the first one. Um not only because I mean he's just a brilliant writer, I can't believe this entire world just lives in his head. But I also think it's the most accurate with what you see in the first couple of seasons of the show. And so having that vivid imagery of probably the only time in the show where Game of Thrones was closely accurate to the book while you're reading that. It's just like a movie playing in my head, except I'm the narrator. So yeah, that was fun. Right now, I'm halfway through Fire and Blood. That one's a little slower because it's written to be like a history book and not like an actual fantasy novel. But we're gonna get there. We're gonna get there. Yeah, awesome. And so, how do you unwind after a busy day?

Amy Glasscock

What my family has been doing the last several weeks is we are watching Lost.

SPEAKER_01

Okay.

Amy Glasscock

Uh show that came out over, oh gosh, early 2000s, I think, maybe like 2005 or something. I've seen it, yeah. Yeah, and my husband and I had seen it years ago, like watched the last few seasons as they were trickling out on TV, you know, renting the DVDs and all that. But we decided our daughter was old enough to watch it with us. So we're re-watching it with her. I apparently remember nothing from watching it the first time, so it's like a brand new show to me. But it's been really fun just watching uh trying to just watch one every night before getting ready for bed.

SPEAKER_01

Yeah. Oh yeah, yeah, that sounds nice. So for us, it's been getting warmer outside in the Carolinas. So making a cup of tea and we'll go outside, sit on the porch for a bit, obviously, depending on the pollen count more so than the temperature. But you know, if too much pollen outside, we'll just kind of crack the windows a little, play with the cats, have some tea, and then we've been watching a lot of reality TV lately. Um, so the current shows are Survivor and House of Villains. Ooh. Um, yeah, it's been or just you know, anything that is not thinking, just taking a mental break. Yeah, just being.

Amy Glasscock

Exactly. Little escape from the day. Oh, yeah. All right, Kalea. Well, thank you so much for co-hosting with me today and asking me about the CPO report. I appreciate it.

SPEAKER_01

Absolutely.

Amy Glasscock

Thanks again for listening to NASCIO Voices. NASCIO Voices is a production of the National Association of State Chief Information Officers. Learn more at NASCIO.org.

SPEAKER_01

Alex and Emily will join A next time for a Meteor Conference in Philadelphia.

Amy Glasscock

See you there. Bye. Bye.