State Privacy Officers Gain Ground but Face Funding Gaps

As a seasoned political strategist and a prominent leader in state-level legislation, Donald Gainsborough has spent his career navigating the complex intersection of public policy and emerging technology. Currently at the helm of Government Curated, he has become a leading voice for how state administrations can modernize their infrastructure while safeguarding the fundamental rights of their constituents. The landscape of data management is shifting rapidly, and Gainsborough provides a vital perspective on how states are filling the vacuum left by federal inaction through the creation of specialized executive roles. This discussion explores the evolving mandate of the Chief Privacy Officer, the systemic challenges posed by budget deficits and limited enforcement power, and the delicate balance between fostering innovation in artificial intelligence and maintaining rigorous data protection standards.

More than 30 states have established chief privacy officer roles to oversee data management. How have these responsibilities evolved to include artificial intelligence governance, and what specific steps are you taking to integrate privacy protections into the technology procurement process?

The role of the Chief Privacy Officer has undergone a radical transformation, moving from a specialized, back-office function to a front-and-center leadership position in state government. According to recent findings, 31 states now have a CPO or an equivalent role, a number that reflects a growing recognition that privacy is no longer just about compliance, but about the very core of digital service delivery. As artificial intelligence becomes increasingly embedded in how states operate, these officers are taking on the heavy lifting of AI governance, which includes everything from developing initial privacy rules and statements to conducting high-stakes risk assessments. We are seeing these leaders integrate protections into the procurement process by performing exhaustive due diligence on vendors and ensuring that data sharing agreements are not just legal formalities, but robust safeguards. For example, the percentage of states with established privacy programs has climbed to 29% this year, up from 24% in 2024, signaling a steady march toward institutionalizing these protections at every level of the technology lifecycle. It is a grueling process that involves establishing points of contact in every single agency to ensure that when a new AI tool is purchased, the privacy implications are understood long before the “buy” button is ever clicked.

Many state privacy programs operate without a dedicated budget or clear enforcement power over executive agencies. What are the practical implications of this funding gap, and how can leaders secure the authority needed to ensure agencies actually follow established privacy policies?

The discrepancy between the responsibilities placed on CPOs and the resources they are given is perhaps the most glaring challenge in state government today. While 46% of CPOs report having authority over executive agencies, the reality on the ground is often much grimmer, as only 36% actually have the power to enforce the policies they create. This creates a “tough spot” where an officer might be tasked with safeguarding the data of millions of residents but lacks the financial teeth to back up their mandates; in fact, a staggering 64% of CPOs cite a lack of funding as their primary obstacle. Currently, only six states have a defined, specific budget for privacy—though that is an improvement from just three states in 2024—and without dedicated capital, these programs struggle to hire the necessary staff to conduct audits or privacy assessments. To bridge this gap, leaders must secure explicit backing from governors and Chief Information Officers to transform recommendations into requirements. Without a clear budget and the ability to hold agencies accountable, privacy policies risk becoming little more than “suggestions,” which is why 50% of these professionals are still fighting for the formal authority needed to truly protect the public’s information.

Privacy is sometimes treated as less critical than cybersecurity, with coordination between technology leaders remaining informal in most states. How do you move toward a highly integrated model where decision-making is shared between the CPO, CIO, and CISO, and what metrics prove this alignment works?

For too long, privacy has been the “quiet cousin” to cybersecurity, but we are starting to see a shift where 39% of CPOs now report that privacy risks are treated on par with cybersecurity threats. To move toward a truly integrated model, we have to transition away from the ad hoc or informal coordination that currently characterizes about 26% of state governments. Only 22% of states currently operate under a “highly integrated” model with shared decision-making, which is the gold standard we should all be striving for to ensure that data is not just “secure” from hackers but also “private” from internal misuse. We know this alignment is working when we see a unified approach to AI-related tasks, where one-third of states already report regular coordination with clearly defined roles between the CPO, CIO, and CISO. The metric of success isn’t just the absence of a data breach; it’s the successful implementation of data sharing agreements and the completion of training programs across the entire executive branch. When 21% of states still view privacy as less important than other IT risks, the sensory reality is that we are leaving a door unlocked even while we reinforce the walls, and the only way to fix it is through formal, integrated governance structures.

Artificial intelligence is currently the primary force shaping data privacy, yet some fear it may overshadow fundamental privacy initiatives. How can organizations prevent AI from crowding out basic data protections, and what specific risk assessment frameworks are most effective for these emerging technologies?

There is a very real and palpable anxiety among state technology leaders that the sheer spectacle and demand for artificial intelligence will “crowd out” the foundational work of data privacy. Some experts are already voicing skepticism, fearing that the rush to implement AI will lead to a stagnation in basic privacy progress because the “new and shiny” technology attracts all the political and financial attention. To prevent this, we must treat AI not as a separate entity, but as a massive multiplier of existing privacy risks, which is why CPOs are increasingly involved in AI procurement reviews and vendor due diligence from day one. Effective risk assessment frameworks must be multifaceted, including not just technical security checks but also incident response protocols specifically tailored for algorithmic failures or data leakage. We must ensure that the expansion of digital services doesn’t come at the cost of the “back-office” essentials like privacy rules and guidelines that have been the bedrock of trust between the state and its citizens. If we don’t keep these basic protections front and center, we risk building our AI future on a foundation of sand, where the technology is sophisticated but the underlying data remains vulnerable to exploitation.

What is your forecast for state-level data privacy programs?

I anticipate that the role of the Chief Privacy Officer will continue its rapid ascent from a niche administrative position to a cornerstone of executive leadership, primarily driven by the inescapable gravity of artificial intelligence. We have already seen the percentage of established programs grow from 24% to 29% in a single year, and with more than half of states currently reporting that their programs are “in progress,” we are on the cusp of a nationwide standard for state-level data governance. However, the future will be defined by a “budgetary reckoning,” as it is unsustainable for 64% of these officers to operate without adequate funding while being tasked with managing the most complex technological shift of our generation. My forecast is that we will see a significant increase in the number of states with dedicated privacy budgets—moving far beyond the current six—as governors realize that a single privacy scandal can derail an entire administration’s digital agenda. As states continue to lead in the absence of federal action, the CPO will eventually become as indispensable and as well-funded as the CISO, cementing privacy as a permanent and powerful fixture of the American political landscape.
