How to navigate privacy in a fragmented regulatory landscape

April 16, 2025
Frost Brown Todd privacy lead Mason Clutter discusses how organizations can stay ahead of evolving regulations and align compliance and security efforts.

In an era of rapidly evolving privacy legislation and growing public demand for data protection, organizations face increasing pressure to stay compliant while remaining operationally agile. In this exclusive Q&A, SecurityInfoWatch speaks with Mason C. Clutter, a seasoned privacy and data security expert, to explore how businesses can navigate the complexities of federal and state regulations, align internal teams, and leverage technology to manage risk and ensure continuity.

Clutter is a Partner at Frost Brown Todd LLP, leading the firm’s Data, Digital Assets & Technology Practice Group within the Data Security & Privacy service team. Her guidance is rooted in a deep understanding of the legal, technological, and operational nuances of privacy compliance. Before joining the firm, Clutter served as Chief Privacy Officer for the U.S. Department of Homeland Security, advising on the national security implications of emerging technologies, artificial intelligence, and personal data usage. Her unique experience at the intersection of privacy, policy, and technology provides invaluable insight for organizations seeking to balance innovation with regulatory compliance.

In the following conversation, Clutter offers practical advice and strategic foresight to help businesses thrive in today’s complex privacy landscape.

SIW: How should organizations approach compliance with the growing patchwork of state privacy laws while maintaining operational efficiency?

Clutter: Currently, 19 states have comprehensive state privacy laws, with eight coming into effect in 2025. In addition to state laws focused on developing and using artificial intelligence, biometrics, and health privacy, compliance can seem virtually impossible. Privacy presents more than a compliance challenge, however. Privacy is a unique business opportunity, separating many organizations from their competitors.

Aside from compliance, customers are demanding smart practices to safeguard their personal data and factor into their decision-making regarding the privacy and security practices of the organizations they engage with. Therefore, privacy and security should be top of mind in board rooms across the United States, and, I argue, a first-tier priority from a legal and business efficiency perspective. Incorporating privacy and security safeguards from the outset of any new program, practice, or technology enhances operational efficiency, facilitates compliance, and builds and maintains customer trust.

Challenges in Aligning Data Privacy Strategies

SIW: What challenges do businesses face in aligning their data privacy strategies with shifting federal and state regulations under the new administration?

Clutter: With uncertainty at the federal level, both from an enforcement and legislative perspective, the states will continue to fill the gaps. Understanding the data an organization collects and for what purposes, how it uses and shares the data and with whom, how long it keeps it, and how it secures it is critical to assessing potential privacy and security risks and implementing appropriate mitigation measures to maintain operational efficiency.

There is no one-size-fits-all approach to privacy, which allows for the creativity and flexibility organizations need to accomplish their goals securely and in a privacy-preserving way. In uncertain times, it is essential to be transparent about why decisions are made, including any tradeoffs, significant pain points, or alternative approaches to compliance, to demonstrate a good faith approach to compliance with applicable laws and unknowable potential changes in the legal landscape. A meaningful approach to privacy and security mitigates potential risk while meeting operational goals, which include being proactively transparent with consumers and maintaining organizational flexibility.

These are critical factors for striking the right balance for your organization and clients.

SIW: How can security and compliance teams work together to manage regulatory risks while ensuring business continuity?

Clutter: In 2025, most companies are tech companies. Today, companies handle their customers' personal data, maintain websites, engage in targeted online advertising, and outsource services that store or use their data (think cloud service or software as a service providers). They deal with valuable personal data, not only to the individual and the company with which they share it, but also to bad actors. Security and privacy compliance teams must work together – they are not mutually exclusive, and both depend on the other to ensure appropriate privacy and security practices to support business continuity.

Security and privacy experts should be at the table as decisions are being made about developing and implementing new programs, practices, and technology. They must not be an afterthought at the risk of delaying rollout or even requiring costly last-minute changes to ensure compliance, but also mitigating future cybersecurity risks, privacy enforcement actions, and reputational harm that may ultimately impact a business’s bottom line or survival.

SIW: What role does technology play in helping organizations comply with evolving privacy laws across multiple jurisdictions?

Clutter: While technology may present privacy and security challenges, it can also help facilitate compliance. Privacy-enhancing technologies (PETs), for instance, help safeguard data while facilitating its use and realizing its value, including for data analysis and data sharing purposes. Organizations in the healthcare sector or financial services industry, for example, may benefit from using technology to compare data while preserving patient privacy or safeguarding the privacy of financial customers.

Technologies to preserve privacy are even helpful in the AI context, such as for creating synthetic data for testing environments or using federated learning. Privacy-preserving technologies also support cybersecurity by, for example, making any data that may be accessed in a breach virtually useless to a bad actor. While technology can be a force multiplier, relying on basic privacy and security principles is a tried-and-true method for safeguarding data, complying with the law, and achieving your business goals.

The Future of Federal Privacy Legislation

SIW: Do you foresee a push toward a federal privacy law to streamline compliance, or will businesses continue to navigate a fragmented legal landscape?

Clutter: As they say, if I had a nickel for every time I have been asked that question. While a comprehensive federal privacy law could help address the challenges businesses face in complying with the patchwork of state privacy laws, it is unclear if this is a priority for this Congress. Instead, I advise clients to do their best to comply now and develop a privacy and security framework designed for anticipated changes in business practices, technology, and, of course, the law. Security and privacy practices are not one-and-done. Rather, they must consistently be reviewed to account for and mitigate new and evolving risks.

Many of the regulations in place today, from international regulations to state privacy laws, are based on the fundamental principles that guide privacy and security in most sectors: data minimization, purpose specification, use limitation, appropriate security measures, and transparency. Relying on these foundational principles to develop and implement a strong privacy and security framework on the front end will help businesses achieve compliance and business goals, while building public trust in their brand.

About the Author

Steve Lasky | Editorial Director, Editor-in-Chief/Security Technology Executive

Steve Lasky is Editorial Director of the Endeavor Business Media Security Group, which includes SecurityInfoWatch.com, as well as Security Business, Security Technology Executive, and Locksmith Ledger magazines. He is also the host of the SecurityDNA podcast series.