Our 2023 New Year’s resolution is to help as many businesses comply with data privacy regulations as possible. That’s our goal every year, so we like to reflect back and look ahead to prepare for upcoming data privacy laws and regulations.
2022 was a big year for consumer privacy legislation:
- In the US, we didn’t get a federal law, but five states passed data privacy legislation, with more to come in 2023
- Data privacy non-compliance fines surpassed $1 billion
- ChatGPT and other language models opened up discussions around AI ethics, information security, and privacy issues, leading to various legislative approaches
- Under the new EU-US Data Privacy Framework, companies may soon be able to transfer data to the US
- The European Union (EU) is fighting for a humane future of digital transformation and fair data monetization practices
Thanks to our legal team and data privacy experts, we’re more than ready to help your business comply with the developing data privacy regulations and changes happening around the globe.
Let’s look back at the major data privacy events from 2022 and see how we’re prepared to help you with the changes coming in 2023.
A Look Back at Data Privacy in 2022
It’s hard not to get nostalgic looking back on data privacy news and events from 2022; what an eventful year. Take a walk down memory lane with us while we discuss some of the major data privacy events that took place last year, including:
- US Data Privacy Laws
- EU-US Data Privacy Framework
- EU and UK Proposed Data Privacy Laws
US Data Privacy Laws from 2022
In 2022, businesses prepared for the new data privacy laws adopted by five different US states that went into effect in 2023, and a federal bill was introduced that could supersede similar provisions if enacted.
The first comprehensive US state privacy law was the California Consumer Protection Act (CCPA), after which a wave of privacy-related legislation followed across the US.
Since then, California plus four other states — Colorado, Virginia, Utah, and Connecticut — have passed their respective privacy laws, all coming into effect in 2023:
- California Privacy Rights Act (CPRA) — effective January 1, 2023
- Colorado Privacy Act (CPA) — effective July 1, 2023
- Virginia Consumer Data Protection Act (VCDPA) — effective January 1, 2023
- Utah Consumer Privacy Act (UCPA) — effective December 31, 2023
- Connecticut Data Privacy Act (CTDPA) — effective July 1, 2023
We were also introduced to a federal bill known as the American Data Privacy and Protection Act (ADPPA).
Currently making its way through Congress, it’s the first federal privacy bill in the US to gain bipartisan and bicameral support. If it passes into law, it will preempt most state and local laws, invalidating similar state-level legislation.
With five comprehensive state privacy laws going into effect and a federal bill in the works, compliance has become an increasingly complex issue for privacy professionals in the US, and there’s no sign of anything slowing down as we enter the new year.
EU-US Data Privacy Framework
A new EU-US data privacy framework fostering transatlantic data flow has been drafted, and the launch of the adoption process began on December 13, 2022.
If the adequacy decision is adopted, companies can rely on the new framework when transferring data from the European Union to the US. However, the final decision is not expected before the spring of 2023, and users may challenge it before national and European courts.
This framework would replace Privacy Shield, which was invalidated by a case brought to court by Austrian lawyer and data privacy advocate Maximillian Schrems.
But Schrems has again criticized the European Commission for turning a blind eye to US law and allowing continued spying on Europeans. His organization, NOYB, has issued a statement that characterized the changes in US law as minimal and assessed that this third deal between the US Government and the European Commission might fail and not satisfy the Court of Justice of the European Union.
What Happened to Privacy Shield?
Two years ago, in a decision from the Schrems II case, the Court of Justice of the EU invalidated Privacy Shield — the previous set of safeguards in place for legally transferring personal data from the EU to the United States.
The Court of Justice of the EU found that US surveillance programs are not limited to what is strictly necessary and proportional, as required under the General Data Protection Regulation (GDPR). They also found that EU data subjects are not given the ability to challenge US surveillance decisions, another human right under the GDPR.
After the invalidation, companies were left to self-assess whether their transatlantic transfers of EU user data comply with data protection rules such as the GDPR. This created considerable uncertainty, and some experts believe it is impossible to transfer data from the EU to the US legally.
In 2022, President Joe Biden signed an executive order mandating new legal safeguards on US national security agencies’ access to and use of EU and US personal data. In response, the European Commission published a Q&A outlining the US order and announced its intention to “prepare a draft adequacy decision, as well as launch its adoption procedure” based on the new US commitments.
The process launched on December 13, but its future remains to be determined as we move into 2023.
EU and UK Proposed Data Privacy Laws
In 2022, the EU and the UK proposed several data privacy laws, including the:
- Cyber Resilience Act Proposal
- UK’s replacement of the UK GDPR
- Data Governance Act (DGA) and Draft Data Act (DDA)
Let’s discuss each of these in more detail.
Cyber Resilience Act Proposal
The Cyber Resilience Act Proposal aims to establish a uniform regulatory framework of essential cybersecurity requirements that must be met for a product with digital elements to be placed on the EU market.
In other words, it aims to minimize the flaws and vulnerabilities of hardware and software offered on the EU market, leading to fewer security breaches and better protecting the personal information collected about data subjects.
And nobody wants to end up on the list of the biggest security breaches of all time.
If it passes, it would be the first EU-wide legislation of its kind.
UK: Replacing the UK GDPR While Retaining Data Adequacy
The UK’s Department for Digital, Culture, Media and Sport (DCMS) announced plans to replace the UK General Data Protection Regulation (UK GDPR) with a new data protection regime built from scratch.
The goal is to simplify the UK data protection regime further, as the current UK GDPR limits the potential of UK businesses.
We will continue to monitor any changes made to the UK GDPR as the year progresses.
Data Governance Act (DGA) and Draft Data Act (DDA)
In 2022, the European Commission published the Data Governance Act (DGA) and introduced the Draft Data Act (DDA) to create a framework to facilitate the transfer of personal data across the European Union. It also aimed to create fairness in the data economy and foster access to and use of personal user data.
While the goal of the DGA is to enable the voluntary sharing of personal data by individuals and businesses and harmonize requirements for the use of specific public sector data, the DDA expands upon the DGA by clarifying who can create value from the data and under which conditions.
The ultimate objective of the DGA and DDA is to maximize data value in the EU economy.
A Look Ahead at Data Privacy in 2023
With the new year come new global data privacy laws and changes to existing ones, such as:
- The California Privacy Rights Act (CPRA) entering into force
- The Virginia Consumer Data Protection Act (CDPA) entering into force
- AI laws proposed across the EU, UK, and US
In the following sections, let’s look at what’s happening to data privacy compliance in 2023, and rest easy knowing we’re here to help your business navigate through it all.
The CPRA Takes Effect
On January 1, 2023, the California Privacy Rights Act of 2020 (CPRA) finally became effective, amending and expanding the CCPA by creating several new privacy rights for consumers and obligations for businesses.
The law introduced a new definition of “sharing” personal user information from a business to a third party for cross-context behavioral advertising, and clarified that sharing does not have to involve monetary or other valuable consideration.
It also raised one of the CCPA’s applicability thresholds: businesses that buy, sell, or share the personal information of 100,000 or more California residents or households are subject to the law, compared to 50,000 under the CCPA.
While this law is now in effect, particular details and specifics are still being debated. For example, in November 2022, the California Privacy Protection Agency (CPPA) released a revised version of the proposed CCPA regulations and requested public comments for 30 days.
One of the proposed changes is that businesses that disclose sensitive personal information for specified purposes will no longer be required to provide a ‘Notice of Right to Limit’, nor provide a method for submitting a request to limit the use of sensitive information.
Instead, opt-out preference signals would count as a valid indication that a user has opted out of the sale or sharing of their personal information.
The Virginia CDPA Takes Effect
Another law that became effective on January 1, 2023 is the Virginia Consumer Data Protection Act (CDPA), and it regulates privacy and data protection matters in Virginia by:
- Providing consumers with an accessible privacy notice
- Enabling opt-out consent options from targeted advertising and selling
- Establishing security practices to protect the confidentiality, integrity, and accessibility of personal data
- Mandating that companies conduct risk assessments for specific processing activities
Along with opt-out rights, this law also grants Virginia consumers the right to access, correct, delete, or get portable copies of their collected personal data.
AI Laws Proposed in the EU, UK, and US
Artificial intelligence (AI) technology is developing rapidly, and laws have been proposed in the EU, UK, and US to regulate its use, especially as more consumers rely on products connected through the “Internet of Things” (IoT), which creates more opportunities for gathering, collecting, and storing certain types of personal user information.
EU Approach — AI Act
In April 2022, the European Commission presented the Artificial Intelligence Act (AI Act), which would be the world’s first comprehensive regulation of high-risk AI if adopted.
It is currently in the hands of the European Parliament and EU Council.
Just five years after the adoption of the GDPR, the AI Act is shaping up to be another potentially disruptive regulation on the horizon for businesses.
The AI Act would regulate systems that affect employment, health care, personal credit, and other high-risk processes. Under this law, organizations utilizing high-risk AI applications would have certain transparency, record-keeping, and risk assessment obligations.
UK Approach — AI Policy Paper
In 2022, the UK government released a policy paper titled ‘Establishing a pro-innovation approach to regulating AI’, more commonly referred to as ‘the AI Policy Paper’, which sets out to create a proportionate, light-touch, and forward-looking regulatory framework that will allow the UK to keep pace with its global competitors.
The UK Government believes that their approach will promote a customized regulatory response to better reflect the adoption of AI across a broad range of sectors.
In comparing this paper to the AI Act proposed by the EU, the AI Policy Paper criticizes the EU’s approach, calling blanket AI-specific regulation inappropriate.
US Approach
In the US, several case-specific AI rules appeared in 2022, but most concerned recruitment and employment rather than user data privacy.
However, AI regulatory initiatives may arrive in 2023, especially through state data privacy laws, Federal Trade Commission (FTC) rulemaking, and the new National Institute of Standards and Technology (NIST) AI standards.
Predictions for Data Privacy in 2023
We see data privacy compliance in your future — and some changes to business best practices regarding laws and legislation around the globe, like:
- Updated Global Privacy Controls
- A cookieless world
- EU 2030 Digital Compass Objectives
Let’s discuss what our legal team and data privacy experts predict for the coming year, and how Termly will adapt to best support and protect your business.
Updated Global Privacy Controls
In October 2020, Mozilla Corporation, Abine, Inc., DuckDuckGo, Inc., and others announced the launch of Global Privacy Control (GPC), an open standard for web browsers that aims to streamline the handling of online privacy requests by letting users set their privacy preferences once, through a browser setting or extension, and have them signaled to every website they visit.
As of 2023, the California Attorney General amended their frequently asked questions (FAQ) concerning the CCPA to include information about GPC and inform businesses that sell personal information that they should respect GPC and users’ consent choices.
The revised FAQs also provide information on how users can submit an opt-out request using the GPC.
A 2022 court settlement, People of the State of California vs. Sephora USA, Inc., also demonstrates the importance of complying with a user’s requests to opt out of the sale of information, particularly through GPC.
Sephora had reportedly failed to process user requests to opt out of the sale of their data that were sent via user-enabled global privacy controls. This breach of the CCPA led to a settlement of $1.2 million and underscores the importance of properly honoring your users’ consent choices as we move deeper into 2023.
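As an added example (not code from the Termly post), the following shows how a site can read the GPC signal on both the server and the client and treat it as a “do not sell or share” opt-out that overrides any stored opt-in, which is the behavior the CCPA FAQ and the Sephora settlement expect. It assumes the GPC specification’s `Sec-GPC` request header (value `1`) and `navigator.globalPrivacyControl` property; the consent-record shape and the sample requests are constructed for illustration.

```javascript
'use strict';

// Server side: find Sec-GPC regardless of header-name casing. The GPC spec
// defines only the value "1"; anything else, or a missing header, means
// "no signal" (not an opt-in, just no opt-out via GPC).
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Client side: the same signal exposed to page scripts. Takes a navigator-like
// object so it can run outside a browser; browsers without GPC lack the property.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Combine the signal with a stored consent record (hypothetical shape:
// { saleOrShareAllowed: boolean, source: string }). A GPC signal is a valid
// opt-out, so it must override a banner opt-in; its absence changes nothing.
function resolveSaleOrShare(stored, gpcSignal) {
  const record = { ...stored };
  if (gpcSignal) {
    record.saleOrShareAllowed = false;
    record.source = 'gpc';
  }
  return record;
}

// Body of the spec's /.well-known/gpc.json resource, which lets a site state
// that it honors GPC. lastUpdate is supplied by the caller (placeholder date).
function gpcWellKnown(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Audit helper: for each request, record whether GPC was present and what the
// sale/share decision became. Useful for checking that no request carrying
// Sec-GPC: 1 ever ends up with saleOrShareAllowed === true.
function auditRequests(requests) {
  return requests.map((r) => {
    const gpc = gpcFromHeaders(r.headers);
    return { path: r.path, gpc, decision: resolveSaleOrShare(r.stored, gpc) };
  });
}

// Constructed sample requests (not real traffic).
const sampleRequests = [
  { path: '/shop', headers: { 'Sec-GPC': '1' }, stored: { saleOrShareAllowed: true, source: 'banner' } },
  { path: '/shop', headers: {}, stored: { saleOrShareAllowed: true, source: 'banner' } },
  { path: '/shop', headers: { 'sec-gpc': '0' }, stored: { saleOrShareAllowed: false, source: 'banner' } },
];
```

Running `auditRequests(sampleRequests)` flags the first request as a GPC opt-out and leaves the other two decisions as stored.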
A Cookieless World
A major change happening online is the movement towards a “cookieless world”, which refers to the 2020 announcement from Google that they will remove third-party cookies from the Chrome browser.
Although Google postponed the shift to a cookieless world until 2024, we anticipate a steady stream of news, updates, and reports covering terms like:
- First-party data — Information collected directly from app or website users that the company owns
- Privacy sandbox — New initiative from Google facilitating online advertising without third-party cookies
- GPC — Browser settings notifying websites about the user’s consent preferences
- Internet balkanization — A phrase describing the splintering of the internet along lines such as technology, e-commerce, and politics
EU 2030 Digital Compass Objectives
In December 2022, the Presidents of the European Parliament, the European Commission, and the European Council signed the European Declaration on Digital Rights and Principles (the Declaration), in support of the 2030 Digital Compass objectives.
The Declaration presents the EU’s commitment to a sustainable digital transformation that puts individuals’ rights at the center. Its purpose is to steer the EU’s approach to digital transformation globally. This includes:
- Placing people at the center of the digital transformation
- Advocating inclusion through connectivity, digital education, adequate working conditions, and access to digital public services
- Emphasizing the significance of freedom of choice and a fair digital environment
- Increasing safety, security, and empowerment in the digital environment, in particular for young people
- Promoting sustainability
The Declaration commits to privacy and individual control over data, stating that everyone has the right to privacy and the protection of their personal information.
In addition, the Declaration states that everyone has the right to the confidentiality of their communications and the information on their electronic devices and not to be subjected to:
- Unlawful online surveillance
- Unlawful tracking
- Interception measures
Everyone should be able to define their digital legacy and choose what happens with their accounts and information, including after their death.
The Commission will monitor progress and make announcements through the annual report on the State of the Digital Decade.
Termly’s Plans for 2023
As our world continues to develop data privacy legislation, our privacy experts and product engineers will be updating our complete suite of compliance solutions to help you stay on the right side of the law.
- DSARs: This year, you can expect our new Data Subject Access Request (DSAR) managed solution for businesses to help you track and manage your DSARs, request forms, and more.
- Global Privacy Controls: We’re continuing to pay attention to news surrounding Global Privacy Controls to help the businesses we work with prepare for a cookieless world.
As we step into 2023, it’s clear that data privacy legislation will continue to change, grow, and develop globally, but we’re watching closely and will be here to help your business comply with the relevant laws.
Upcoming AI technology will not only change how we live and do our jobs, but it may also affect how we perceive human rights. Addressing the issues of ethics, IP, security, and privacy through regulatory efforts and industry frameworks will affect all businesses, no matter the size and industry. Our prediction? This will lead to an exponential increase in global privacy legislation and requirements that need to be fulfilled.
Companies will have to adopt a proactive approach and prepare for the new privacy legislation ahead of time to remain at the top of their game.
We recommend that forward-thinking companies adopt a privacy-first strategy and start recognizing that users’ privacy is a valuable asset for building both trust and value.
Maintaining your users’ trust through implemented data privacy and security measures will allow your company to move forward, research, innovate, and stay competitive in the coming years as these laws, regulations, and technologies continue to develop.