Do US state privacy laws require a data map?

No US state statute explicitly mandates a data map, but the practical case for maintaining one is compelling. During regulatory investigations, companies face detailed questions under oath about how they collect, use, and disclose data — particularly sensitive data and marketing analytics. Without a current, organized understanding of data flows, building that narrative from scratch under pressure is both risky and costly. A well-maintained data map helps demonstrate compliance, manage risk, and allocate limited resources toward the areas regulators scrutinize most closely. Beyond state privacy laws, the DOJ bulk data rule — set for enforcement beginning July 8 — creates an explicit expectation that organizations know their data, including third-party and vendor relationships. Insights from a panel of state attorneys general at IAB's Health Insights Workshop reinforced that regulators pay close attention to signals of inattention, starting with outdated privacy policy revision dates. Connecticut's Attorney General published a detailed voluntary enforcement report outlining specific cookie banner failures and sensitive data consent issues — a practical resource that applies well beyond Connecticut. The data mapping conversation is also evolving on the technology side. Many privacy professionals carry negative associations with legacy mapping projects — lengthy questionnaires, stakeholder interviews, and months of effort. But the market has matured significantly, and modern tools offer more seamless, efficient approaches. New Jersey is expected to release privacy rules by summer, making it the third state with implementing regulations, adding further urgency to having clean, current data governance infrastructure in place.

**Colleen:** Hi, Lisa. How are you doing today? **Alysa:** Hello. Good to see you. **Colleen:** Likewise. I feel like it's been a while since we've had you on the huddle. So welcome back. **Alysa:** Well, it's good to be back. I'd love to talk on a few areas today. Number one, we've been traveling quite a bit on the Ketch side at various different conferences and events. And question that keeps coming up is the topic of data map and data map tech. I'd love to get your opinion on whether data map is required by these US state privacy laws. **Colleen:** Oh, that's a good question. I view that as a trick question, and here's why. So there's no state statute that says thou shall have a data map, but and this is a really, really big but. You always think about how do you show that you are in compliance. When you get an investigation, it tends to be focused on particular data practices and you get questions where you have to explain under oath, here are all my sales, here are all the ways that I use data for marketing in x y z, or here's how do I collect, use, and disclose sensitive data. Those are comprehensive requests. And if you have to figure that out on the spot and connect all of your piecemeal assessments over time, that's not the time that you wanna really create the narrative from scratch. You need to know your data, and you can do that in a variety of ways. Even when you say data map, everybody, I think, has their own particular image that comes to mind. But I think to have a current sense and understanding of all of your different data flows with particular heat map emphasis on the sensitive data and the marketing and analytics use case data, you want that at your fingertips as much as possible. And that helps you manage risk. It helps you demonstrate you are complying with state laws, and it helps you really allocate your time. Nobody has infinite resources. And so I think it allows you to focus in on what are some of the most important areas that the regulators really expect you to be able to tell a story pretty efficiently and promptly. We've been talking about state privacy laws, but there is the DOJ bulk data rule, and that is going to be enforced by the DOJ starting this summer, July eighth. Under that rule, there is absolutely an expectation that you know your data, and data mapping is such a key part to that. You need to know what data is the triggering data covered by that rule, including your relationships with different third parties and vendors. So I think sometimes we're very siloed, and you have your privacy people here. You have maybe other regulatory compliance people. This is where you wanna bring people together and mesh resources to make sure that you're meeting both of those different types of obligations. **Colleen:** I think that all sounds so reasonable. But when I speak with privacy professionals in the field, there's a challenging push and pull between, of course, I wanna do that. That sounds like a great idea. And the resources and collaboration, the work it takes to get a data map up and running. And so when it feels like more of a nice to have versus a require that I have this, it's hard to justify the time spent. **Alysa:** Yeah. Some of it I really view as PTSD because many privacy professionals, when they hear data map, I think it comes to mind these gargantuan projects of forty page questionnaires, and you have to go find all of the stakeholders and sit them down for interviews, and that is hours and hours of time. And that sounds like a luxury because there's so many things that have to actually get done. If that's where my head is, yes. I think that is more of a nice to have. I think we're absolutely though at a point where it's a good time to stick your head up and say, is data mapping and how you get to the data mapping answers in the product, is that the way it was five years ago? Is that the way it was three years ago? Has it gotten more efficient? Has it gotten to be a way where I can plug it in a little bit more seamlessly? I'm excited just about where the market has gone in that direction. **Colleen:** That's a great point. And actually just brings to mind, we talk about how easy it is to switch to something like Ketch. People often recall like, oh, last time I implemented a privacy tool, it was terrible, and it doesn't have to be that way anymore. **Alysa:** Right. I think we're all savvier buyers, and if you are not, then you have colleagues or peers who can definitely share some notes. So I think it's a good time to come in with a student mindset. Right? I'm here to take it in in first impressions and prepare to be delighted. **Colleen:** I love it. Yeah. Well, more to come as we have more updates on that topic. I would love to hear more about this workshop that you attended and spoke at last week. Tell me more and maybe some highlights from the regulator comments. **Alysa:** Sure. So we helped sponsor IAB's health insights workshop. It was a half day event in New York. This was a really cool smaller type event where you had a full panel of state AEGs, AAGs. We had New Jersey and Delaware and Connecticut and California, former Texas represented with my colleague Paul Singer. It was really nice to be able to ask questions that I think many of us are asking for and get some pretty thoughtful answers. Some of the things we've heard before, but others I thought were just really it's always a good reminder. We're coming up on July, for example, and usually that's when a lot of companies put up their updated privacy policies with last revised dates. You have to deal with California metrics, refreshes, so that often isn't in line with that. But what we heard from the regulators is, of course, they're looking at privacy policies, but when they see a last revised date that's already a couple years or three years or four years ago, you start planting a flag because what we heard is it gives indications that what else you are not paying attention to. You know, it starts with the privacy notice. That's the quote unquote easy thing to make sure that you're keeping on top of. Just a low hanging fruit issue. That was one. Connecticut, they had released voluntary report that Connecticut Attorney General's office put out on their enforcement, what they've learned from the last year. And I would really direct people to actually read it, and not just the news that it was out because they put some very specific examples in there that I think for many companies you would save yourself a whole lot of headache or investigation by just looking at those do's and don'ts. They're talking about the cookie banners and the wrong way to do a banner in ways that really concern them, different discussions around sensitive data and consent. So I think that one, it's not just Connecticut. We've seen other states also concerned about those same issues, but Connecticut did a really terrific job of memorializing it in a pretty easy to read digestible report that's on their website. So that was one. The other late breaking news, New Jersey just flagged their rules should come out this summer. There's not that many states that have privacy rules to add on to the statute, and this will be the third, and we should expect it out this summer. **Colleen:** Great. We'll look forward to that. Homework from Alisa now. We have to read the Connecticut docs. We'll drop it in the comments so y'all have access. And, Alisa, it's been a pleasure as always catching up. Thanks for sharing your insights. **Alysa:** Good to see you.