Odia Kagan, partner at Fox Rothschild, laid it out clearly at the IAPP Global Summit 2026: privacy still struggles to capture sustained executive attention despite increased enforcement and regulatory complexity. Her analysis published on IAPP offers a useful diagnosis: when a privacy lead asks for budget, the request doesn't fail because they lack knowledge; it fails because they pitch the wrong message to the wrong audience. This article offers a concrete reframing so your privacy policy moves from the "legal obligations" drawer to the "strategic decisions" drawer in the CEO's head.
Why your traditional pitch doesn't work
The average privacy lead pitches like this: "We need this to comply with GDPR". The CEO hears: "another regulatory cost". Result: budget to the bottom of the pile. The problem isn't that the CEO doesn't understand; it's that compliance, on its own, doesn't compete with MQLs, ARR, or margin.
Privacy has a structural visibility deficit: unlike OFAC sanctions or FCPA (which produce dramatic headlines and explicit fines), GDPR violations still look abstract to many executives. Changing that requires translating compliance into a language the CEO already respects.
The three reframings that do work
1. Quantified risk, not generic
"If we don't update the privacy policy, we could get a fine" → weak. "Estimate: a fine at the lower GDPR tier (up to 2% of global annual turnover) would cost us X euros; the cost of shielding the process is Y; the cost/risk ratio is 1:30" → budgetable. Concrete numbers move decisions; note that GDPR fines are calculated on worldwide turnover, not EU revenue alone, so size the estimate accordingly.
2. Competitive advantage, not obligation
An IAPP study indicates companies with clear, public privacy policies convert better in B2B because buyers check transparency before signing. Reframe: "updating policies isn't to avoid fines, it's to reduce the enterprise sales cycle by 12%".
3. Clear ownership, not diffuse responsibility
Kagan points to a common problem: privacy crosses security, marketing, IT, HR, and legal. When ownership is ambiguous, everyone looks at someone else and nothing moves. Pitch with a single person owning the program and quarterly commitments, not "a company-wide effort".
| Pitch that fails | Pitch that passes filters |
|---|---|
| "We need to comply with GDPR" | "A typical fine would cost us X; shielding costs Y; 30x ROI" |
| "We have to update the policies" | "Clear policies accelerate the enterprise sales cycle by 12%" |
| "It's everyone's responsibility" | "María leads, Q3 milestone, risk if we don't do it: X" |
| "To avoid problems" | "To activate three concrete opportunities with accounts asking for this" |
The operating package of a well-governed policy
Once you have buy-in, the next bottleneck is operations. A useful privacy policy in 2026 includes:
- Version updated per jurisdiction (GDPR, CCPA, LGPD, PIPL depending on the markets you touch)
- Stable public URL (no downloadable PDF; the CEO doesn't want to hear "the link broke")
- Visible version history with date and summary of every change (signal of seriousness to the client)
- Consent banner that records which policy version the user saw when accepting, ideally with a hash of that version's text and a timestamp (evidentiary defense: you can show exactly what was agreed to, even after the policy changes)
- Single responsible owner with quarterly review schedule
Platforms like Termerly generate these multi-jurisdiction policies from your URL, publish them at a stable URL, log the version on every update, and include a consent-banner SDK that captures which version the user accepted. They reduce the technical cost of pitching the full package to the CEO from day one.
The "GDPR is enough" trap
Kagan warns about a common error: "We comply with GDPR" does not imply compliance with U.S. state laws or China's PIPL. Each jurisdiction has its own package of notice requirements, user rights, and AI/biometric obligations. If your SaaS operates in multiple markets, you need separate assessments. Frame it for the CEO this way: "GDPR is the floor, not the ceiling. Each new market adds a layer that takes 2 weeks to comply with if we do it now, or 6 weeks if we wait for a fine".
How to build the pitch on 1 page
- Line 1: cost if we do nothing (in euros, with source of comparable fine)
- Line 2: cost of doing it (budget + owner's time)
- Line 3: calculated ROI (risk avoided + commercial advantage activated)
- Line 4: single owner + 90-day timeline
- Line 5: what exactly we're asking from the CEO (binary decision, not debate)
That page turns an endless conversation into a five-minute decision. It's the format that respects the CEO's time and demonstrates the privacy lead's rigor.
"Privacy crosses security, marketing, IT, HR, and legal. When ownership isn't clear, accountability diffuses and nothing moves" (Odia Kagan, via IAPP).
Conclusion
The privacy policy is still the last thing to capture executive attention because we pitch it as an obligation when it is a strategic decision. Changing the language (quantified risk, competitive advantage, clear ownership) unlocks budgets the old compliance speech doesn't.
If you want the complete package (multi-jurisdiction policies, stable URL, version history, consent banner) ready in one afternoon to show the CEO before the next committee, try Termerly free: the technical plumbing is done; your work is the strategic conversation.